Targeted SSL Login in a Mixed SSL and Non-SSL Environment

Document ID : KB000050446
Last Modified Date : 14/02/2018

Description:

You can use web director for a targeted SSL login in a mixed SSL/non-SSL web environment, so that every web-login request is redirected to and serviced by the SSL web engine(s) with all other requests being redirected to and serviced by the non-SSL web engine(s). This can be done in an environment with or without secondary servers. When this setup is in place, the HTTPS protocol must be used for all communications between the web client and the SSL web engines.

Solution:

How to Implement an SSL Login Environment

To implement an SSL login environment, do the following:

  1. Verify that the SSL-enabled web server has successfully imported an SSL certificate.

  2. Create a copy (including subdirectories) of the directory $NX_ROOT/bopcfg/www/wwwroot, and rename it as follows: $NX_ROOT/bopcfg/www/wwwrootsec

  3. Add a new virtual directory for the web server named CAisdsec. Point this virtual directory to the following physical directory: $NX_ROOT/bopcfg/www/wwwrootsec

  4. Verify that the virtual directory permissions for CAisdsec match the CAisd virtual directory permissions for script execution. Enforce SSL for the CAisdsec virtual directory.

Note: In this example, CAisdsec is user-defined and can be renamed.

After you have run the pdm_perl pdm_edit utility to add the additional webengine and web-director, followed all the steps in the pdm_edit checklist, and verified that it was given HTTPS and the appropriate port (normally 443 for IIS, or 8443 for Tomcat), follow the next set of steps to configure the webengines' configuration files for the targeted SSL login.

  1. For Secure Login Web engines, edit the <Host_Name>-web[#].cfg as follows:

    1. Change the CAisd parameter value from /CAisd to /CAisdsec.

    2. Change the UseDirector parameter value from Yes to AfterLogin.

    3. Change the Willingness parameter value from 5 to 0.

    4. Verify that the RedirectingURL value protocol is listed as https.

    5. Change the RedirectingURL <cgi directory> value from CAisd to CAisdsec.

    6. Save the changes.

  2. For non-secure engines handling all other activity, edit the <Host_Name>-web[#].cfg files for the non-secure web engines that you want to handle the non-login activity. Verify that the CAisd parameter value is /CAisd.

    1. Change the UseDirector parameter value from Yes to BeforeLogin.

    2. Maintain the Willingness value of 5 (or set it to any integer value from 5 to 10, depending on the particular loading weight desired).

    3. Verify that the RedirectingURL value protocol is listed as http.

    4. Verify that the RedirectingURL <cgi directory> value is CAisd.

    5. Save the changes.
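
The settings in both lists can be checked before the restart. The script below is an added example, not part of the original article or the product; it assumes each parameter sits on its own line as `Name value` with `#` comment lines and that the cgi directory is the first path segment of RedirectingURL. The function names, host name and CGI file name in the sample are made up.

```python
from urllib.parse import urlsplit

# Expected values per engine role, taken from the steps above.
EXPECTED = {
    "secure": {"CAisd": "/CAisdsec", "UseDirector": "AfterLogin", "scheme": "https"},
    "non-secure": {"CAisd": "/CAisd", "UseDirector": "BeforeLogin", "scheme": "http"},
}

def parse_cfg(text):
    """Parse 'Name value' lines (assumed layout); '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            params[parts[0]] = parts[1].strip()
    return params

def audit(text, role):
    """Return a list of deviations from the documented settings for this role."""
    p, want, findings = parse_cfg(text), EXPECTED[role], []
    for key in ("CAisd", "UseDirector"):
        if p.get(key) != want[key]:
            findings.append(f"{key}: expected {want[key]}, found {p.get(key)}")
    w = p.get("Willingness", "")
    w = int(w) if w.isdigit() else None
    if role == "secure" and w != 0:
        findings.append(f"Willingness: expected 0, found {w}")
    if role == "non-secure" and (w is None or not 5 <= w <= 10):
        findings.append(f"Willingness: expected 5 to 10, found {w}")
    url = urlsplit(p.get("RedirectingURL", ""))
    if url.scheme != want["scheme"]:
        findings.append(f"RedirectingURL: expected {want['scheme']}, found {url.scheme or None}")
    # Assumption: the cgi directory is the first path segment of the URL.
    cgi_dir = "/" + url.path.strip("/").split("/")[0]
    if cgi_dir != want["CAisd"]:
        findings.append(f"RedirectingURL: expected directory {want['CAisd']}, found {cgi_dir}")
    return findings

# Constructed sample: a secure login engine left half-edited.
HALF_EDITED = """\
# web engine config (constructed)
CAisd /CAisdsec
UseDirector AfterLogin
Willingness 5
RedirectingURL http://sdm.example.test:8080/CAisd/pdmweb.exe
"""

if __name__ == "__main__":
    for finding in audit(HALF_EDITED, "secure"):
        print(finding)
```

On the half-edited sample the check reports the Willingness value and both RedirectingURL problems; a secure engine that still redirects with http would carry the login over plain HTTP.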

Now that everything is configured correctly, do a full recycle of Service Desk. Once it comes back up, test the login by accessing the non-SSL webengine over HTTP and checking that it automatically redirects you to the HTTPS secure webengine for login. Once you are logged in, it should automatically redirect you back to the non-SSL HTTP webengine for normal Service Desk activity.