Approaches #

There are at least two possible approaches to get your portal secured using HTTPS transport:

  • arrange an external front-end server such as Apache HTTP Server to take care of HTTPS; this is advisable for heavy-duty configurations, with the advantage that a specialized front-end server is likely to be better suited to handling inconsistent requests, hacker attacks, etc.; this approach also appears to allow more flexibility in choosing which content is secured using HTTPS and which is not;
  • enable HTTPS immediately on Tomcat or another servlet container you may be using.

Different options are also available for the server SSL certificate to be used:

  • a certificate issued by one of the certificate authorities that are pre-registered with standard browsers; this is definitely advisable for production portal configurations, to avoid browsers complaining about an unknown/suspicious certificate;
  • a self-signed certificate, which anyone can easily create and which is a free, reasonable solution for development/testing configurations.
   

Using Apache HTTP Server #

This topic has been covered on the forum:

  • http://www.liferay.com/web/guest/community/forums/-/message_boards/message/488097#_19_message_530734
  • http://www.liferay.com/web/guest/community/forums/-/message_boards/message/197061#_19_message_719584

Enabling HTTPS with a self-signed certificate on non-APR Tomcat #

  • stop Tomcat if it is still running :)
  • decide on the location of the key store; the default location is the user's home directory, but you may want something different;
  • prepare the keystore and certificate: type the following command and enter the certificate owner details as prompted (if using Java tools prior to Java SE 6, use '-genkey' instead of '-genkeypair'):
 <path_to_java_tools>/keytool -genkeypair -alias tomcat -keyalg RSA \
 -keystore <path_to_key_store>/.keystore \
 -storepass changeit -keypass changeit
  • uncomment the 'Connector' element for port 8443 (and optionally change the port to 443) in the file <path_to_tomcat>/conf/server.xml; add a 'keystoreFile=".../.keystore"' attribute to this element if using a non-default key store location;
  • look for the <security-constraint> element and its <user-data-constraint> child in the file <path_to_tomcat>/webapps/ROOT/WEB-INF/web.xml and configure their <transport-guarantee> child as
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  • consider adding the following property to the file <path_to_tomcat>/webapps/ROOT/WEB-INF/classes/portal-ext.properties:
 company.security.auth.requires.https=true
  • start Tomcat and watch its log files in <path_to_tomcat>/logs;
  • test the application using the URL: https://localhost:8443/ (or https://localhost/).
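
A way to check that the steps above were actually applied, as an added example that is not part of the original wiki page or of Liferay: a small Python audit of the three files. The file contents shown are constructed samples, and the check assumes Tomcat 6-style Connector attributes (SSLEnabled, scheme, redirectPort). It goes slightly beyond the steps by also flagging an HTTP connector whose redirectPort no longer matches the HTTPS port, which matters if you change 8443 to 443.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real installation): the 8443 Connector
# is uncommented, but web.xml still carries NONE.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" sslProtocol="TLS" keystoreFile="/opt/keys/.keystore"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sample</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
PORTAL_EXT = "company.security.auth.requires.https=true\n"


def audit(server_xml, web_xml, portal_ext):
    """Return findings for the steps above; an empty list means all were applied."""
    findings = []
    # Commented-out Connector elements are invisible to the parser, as to Tomcat.
    connectors = [e.attrib for e in ET.fromstring(server_xml).iter("Connector")]
    https_ports = {c.get("port") for c in connectors
                   if c.get("SSLEnabled") == "true" and c.get("scheme") == "https"}
    if not https_ports:
        findings.append("server.xml: no enabled HTTPS Connector")
    for c in connectors:
        rp = c.get("redirectPort")
        if c.get("scheme", "http") == "http" and rp and rp not in https_ports:
            findings.append(f"server.xml: redirectPort {rp} is not an HTTPS Connector")
    # web.xml is namespaced, so compare local tag names only.
    guarantees = [(e.text or "").strip() for e in ET.fromstring(web_xml).iter()
                  if e.tag.rsplit("}", 1)[-1] == "transport-guarantee"]
    if "CONFIDENTIAL" not in guarantees:
        findings.append("web.xml: no transport-guarantee set to CONFIDENTIAL")
    props = dict(line.split("=", 1) for line in portal_ext.splitlines()
                 if "=" in line and not line.lstrip().startswith("#"))
    if props.get("company.security.auth.requires.https", "").strip() != "true":
        findings.append("portal-ext.properties: company.security.auth.requires.https not true")
    return findings


if __name__ == "__main__":
    print(audit(SERVER_XML, WEB_XML, PORTAL_EXT))
```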
Comments
Threaded Replies Author Date
When I enabled https on non-APR Tomcat as... Miles Huang October 5, 2009 9:30 AM
Hi, I have exactly the same problem. When I set... Stephane Jidouard April 15, 2010 5:45 AM
I am using Liferay 5.3.6 using tomcat 6.0 now... Faisal K October 21, 2009 8:30 AM
if it was redirected to... Faisal K October 21, 2009 8:42 AM
Hi Faisal, I want to integrate SSL in liferay,... Dhandapani S October 30, 2009 6:49 AM
Hi, I have very few knowledge about https, but... Faisal K November 2, 2009 7:19 PM

When I enabled https on non-APR Tomcat as described here, I simply couldn't log in any user. I'm using LP 5.2.3.
Yes, the login page is redirected to the https channel, and the user successfully logs in via the https channel. But the problem is that the browser is redirected back to the http channel immediately after successful login. Thus the user loses the secure session cookie and is back to not-logged-in status. I don't want to set "session.enable.phishing.protection=false", since this solution opens a security hole which makes https login protection meaningless.
Is there any way to prevent LP from redirecting the user's browser back to the http channel after successful login?
Posted on 10/5/09 9:30 AM.
I am using Liferay 5.3.6 with Tomcat 6.0 and have now activated SSL as well. I am facing a problem logging in using http://localhost:8080: it opens the login page, and upon login it redirects to https://localhost:8080/web/guest, which is not a valid URL, so how do I resolve this issue?
Posted on 10/21/09 8:30 AM.
If it was redirected to https://localhost:8443/weeb/guest/home then it would work, so is it a problem with the Tomcat configuration or the Liferay configuration?
Posted on 10/21/09 8:42 AM in reply to Faisal K.
Hi Faisal,

I want to integrate SSL in Liferay; can you please guide me on how to do it?

Can we configure SSL at the portlet level or not? Please let me know.

Thanks in advance

Dhans006
Posted on 10/30/09 6:49 AM in reply to Faisal K.
Hi,

I have very little knowledge about https, but the above article was good enough to configure https for my website.

The above article helped me to configure https on both Windows and Linux machines.

The links provided are also very useful.
Posted on 11/2/09 7:19 PM in reply to Dhandapani Shanmugam.
Hi, I have exactly the same problem. When I set "session.enable.phishing.protection=false", the login is in https and it works, but I don't want to set this option to false.
Do you have a solution for this problem?
Posted on 4/15/10 5:45 AM in reply to Miles Huang.