Configuring the SSL Terminator

The configuration instructions assume that the SSL virtual servers have been created for Access Gateways and Identity Servers on the SSL terminator. This sample configuration uses the logical name “Access Manager Access Gateway” for the Access Gateway virtual server and “Access Manager Identity Server” for the Identity Server virtual server. For information about the virtual server setup, see Section 20.1.4, Using an SSL Terminator.

To enable the rewrite functionality:

  1. Configure the SSL terminator to rewrite information in the HTTP header to be HTTPS:

    The string used within the quotes is the virtual server name of the SSL virtual server. Each Access Manager component set has a different name for the virtual server.

    1. At the command line, enter the following command for Access Gateway:

      set ssl vserver "Access Manager Access Gateway" -sslRedirect ENABLED -redirectPortRewrite ENABLED 

      The "Access Manager Access Gateway" string needs to be replaced with the name you have specified for the Access Gateway virtual server.

      Enabling SSL Redirect (-sslRedirect) causes the SSL terminator to convert any HTTP 302 redirect responses from back-end servers to HTTPS redirects.

    2. At the command line, enter the following command for Identity Server:

      set ssl vserver "Access Manager Identity Server" -sslRedirect ENABLED -redirectPortRewrite ENABLED 

      The "Access Manager Identity Server" string needs to be replaced with the name you have specified for the Identity Server virtual server.

  2. Create a policy to scan the HTTP response body (as opposed to the headers) as it passes through the SSL terminator and replace references to http:// with references to https://.

    At the command line, enter the following commands:

    add rewrite action httpRewriteAction replace_all "http.res.body(50000)" "\"https://\"" -pattern "http://" 
    add rewrite policy HttpToHttpsRewrite "http.res.body(50000).contains(\"http://\")" httpRewriteAction 

    The (50000) value is the number of bytes of the response body to scan; only that many bytes are examined, so the value must be large enough to cover the page. It can be adjusted to the size of the pages being served; 50000 is the value used in the Citrix support examples.

  3. Bind the policy to the Identity Server virtual server.

    At the command line, enter the following command:

    bind lb vserver "Access Manager Identity Server" -policyName HttpToHttpsRewrite -priority 100 -gotoPriorityExpression END -type RESPONSE

    This command rewrites all http:// references that Identity Server generates to the https scheme. For example, the default login page (login.jsp) includes an HTML form whose action attribute indicates where the credentials are to be posted. The page includes the following line:

    <form name="IDPLogin" enctype="application/x-www-form-urlencoded" method="POST" action="<%= (String) request.getAttribute("url") %>" AUTOCOMPLETE="off">

    When the JSP is executed, the following is sent to the browser by Identity Server:

    <form name="IDPLogin" enctype="application/x-www-form-urlencoded" method="POST" action="http://idp126.lab.novell.com/nidp/idff/sso?sid=4" AUTOCOMPLETE="off">

    With the policy defined above, the action attribute is rewritten to the following:

    <form name="IDPLogin" enctype="application/x-www-form-urlencoded" method="POST" action="https://idp126.lab.novell.com/nidp/idff/sso?sid=4" AUTOCOMPLETE="off">
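The following Python model of the replace_all action from step 2 is an added example for checking that the scan window covers a given page; it is not part of the Access Manager documentation or the NetScaler product, and the function names and the sample page are assumptions constructed here.

```python
# Added example (not from the Access Manager documentation or the NetScaler
# product): a Python model of the rewrite action
#   replace_all "http.res.body(50000)" "https://" -pattern "http://"
# Only the first N bytes of the body are scanned; anything beyond that
# window is passed through unchanged, so a form that sits past the window
# would still post credentials to an http:// URL.
import re

HTTP_REF = re.compile(rb"http://")


def rewrite_http_to_https(body: bytes, scan_bytes: int = 50000) -> bytes:
    """Replace http:// with https:// within the first scan_bytes of body.

    The remainder of the body is appended unchanged, mirroring a scan window.
    """
    window, rest = body[:scan_bytes], body[scan_bytes:]
    return HTTP_REF.sub(b"https://", window) + rest


def unrewritten_http_refs(body: bytes, scan_bytes: int = 50000) -> list[int]:
    """Return byte offsets of http:// references the policy would NOT rewrite.

    An empty list means the scan window is large enough for this page.
    """
    rewritten = rewrite_http_to_https(body, scan_bytes)
    return [m.start() for m in HTTP_REF.finditer(rewritten)]


# Constructed sample: the login.jsp output quoted above as sent by Identity Server.
LOGIN_FORM = (
    b'<form name="IDPLogin" enctype="application/x-www-form-urlencoded" '
    b'method="POST" action="http://idp126.lab.novell.com/nidp/idff/sso?sid=4" '
    b'AUTOCOMPLETE="off">'
)

if __name__ == "__main__":
    print(rewrite_http_to_https(LOGIN_FORM).decode())
    # Constructed oversized page: 64000 bytes of padding push the form past
    # the 50000-byte window, so its action is left as http://.
    big_page = b"<!-- padding -->" * 4000 + LOGIN_FORM
    print(unrewritten_http_refs(big_page))
```

Run unrewritten_http_refs over a captured response body to confirm the 50000-byte window is sufficient for the largest page the Identity Server serves.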