With the SSL terminator rewriting HTTP to HTTPS for Identity Server, the only changes required on the Access Manager side are for Access Gateway. There are three particular cases where Access Gateway must have its scheme rewritten:
All web pages rendered through Access Gateway must have their schemes rewritten from HTTP to HTTPS.
Because of the complexity of web pages, many SSL terminators have issues rewriting all references in a web page from HTTP to HTTPS. Access Gateway must take responsibility for this work.
By default, Access Gateway rewriter does not rewrite the scheme if the proxy service and back-end web servers use the same protocol. In this case, all traffic into the proxy is HTTP and all traffic to the back-end web servers is also HTTP, which implies that no scheme rewriting takes place. Because the browser expects all links to reference HTTPS schemes, Access Gateway must be configured to automatically rewrite all HTTP references on web pages to HTTPS.
The Liberty Authentication request generated by Access Gateway must have the target URL rewritten to HTTPS.
When a user accesses an Access Gateway protected resource, a corresponding Liberty authentication request is generated by the Embedded Service Provider and is sent to Identity Server via the browser. This authentication request includes multiple attributes, including information about the trusted Liberty service provider generating the request, a target URL where the user must be redirected to post authentication, and the contract to be executed at Identity Server. The target URL is embedded in this authentication request and references an HTTP resource. Access Gateway must be able to rewrite this HTTP request to HTTPS. The following example was sent by Access Gateway to Identity Server via the browser.
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=AF5484F1CD4D218C5404A17A0DA86E5A; Path=/nesp; secure Location: http://idp126.lab.novell.com/nidp/idff/sso?RequestID=idQgvQqocG6fgFrkeiUG6jlRD.LMk&MajorVersion=1&MinorVersion=2&IssueInstant=2010-05-18T13%3A53%3A26Z&ProviderID=https%3A%2F%2Flag129.lab.novell.com%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=http%3A%2F%2Flag129.lab.novell.com%3A443%2Fformfill%2Fphpinfo.phpentRef=u&AuthnContextStatemscell%2Fsecure%2Fname%2Fpassword%2Furi Date: Tue, 18 May 2010 13:53:26 GMT Content-Length: 0 Via: 1.1 lag129.lab.novell.com (Access Gateway 3.1.1-265_eng_600589-7AA324FFCBA4D4ED)
The target parameter embedded within the authentication request references HTTP in the following line:
http%3A%2F%2Flag129.lab.novell.com%3A443%2Fformfill%2Fphpinfo.php
This needs to be rewritten to use the HTTPS scheme, for example:
https%3A%2F%2Flag129.lab.novell.com%3A443%2Fformfill%2Fphpinfo.phpThe Location HTTP header in the 302 redirects must have its scheme rewritten from HTTP to HTTPS. There are two cases where Access Gateway sends 302 redirects back to the browser:
When a non-authenticated user tries to access a protected resource, a series of HTTP redirects are generated by Access Gateway that redirect the user to the Embedded Service Provider or to Identity Server server requesting the user’s credentials. Browsers execute on these 302 redirect status codes and generate corresponding requests to the URL defined in the Location HTTP header. The scheme on the Location header must be HTTPS and not the default HTTP.
When the back-end web server sends a 302 redirect to the browser, Access Gateway must interpret the URL and make any rewrites it deems necessary (such as scheme and path-based multi-homing path injection). Because the proxy and back-end web server schemes are both HTTP in the setup, the Location header is not rewritten by default.
The Location header rewriting is handled by the SSL terminator. You have already enabled this rewriting in Step 1.a.
To configure Access Gateway to rewrite web page references and the target URL:
Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
In the Proxy Settings section, select Behind Third Party SSL Terminator, then click OK.
Click OK, then update Access Gateway.