To fully secure the login request with credentials, enable SSL on the login only. This step is necessary to prevent someone from stealing a user's credentials.
Verify that the following settings are correct in your installation:
- File: ConfigService located in the local administrative console in a standalone environment or in the Deployment Manager console in a cluster environment. See Setting configuration properties for information about locating the ConfigService information in the administrative console.
- Setting: redirect.login.ssl=false
- Setting: host.port.http = alias_port_for_HTTP
- Setting: host.port.https = alias_port_for_HTTPS
alias_port_for_HTTP and alias_port_for_HTTPS are the port numbers that are specified in Setting up SSL. The parameter redirect.logout.ssl determines the protocol that is used when the logout button is clicked. If this parameter is set to true, https is used. If this parameter is set to false, http is used. This setting is not affected by the protocol that is used to access the main page.
Set host.port.http if you are using a port other than the default 80.
- File: web.xml located at
If changes have to be made to this file, you will need to export and expand wps.ear. Refer to the topic Deploying themes and skins in a production environment for information about updating and deploying the EAR file.
Choose one of the following methods to only encrypt the login process to Lotus Quickr and allow subsequent requests via HTTP:
Before you configure SSL for the login process using the Login via Screen, ensure that you completed the first three Setting up SSL
- Follow these steps if using Login via Screen:
  - Enable Login via Screen.
  - Modify the Login.jsp file located at directory/wps_expanded/wps.war/screens/html/Login.jsp: <portal:url command="LoginUser" ssl="true"/>
  - Stop and restart the Lotus Quickr server. Specific instructions are found in the topic Starting the server.
- Follow these steps if using the Login Portlet:
  - The Login portlet uses the UseSecureLoginActionUrl parameter to control the generation of the login action URL. Set this parameter to true to use a secure URL for login.
  - Use the Portlets administration portlet to do the following:
    - Go to Advanced Administration -> Portlet Management -> Portlets.
    - Search for Title starts with = "Login".
    - Select the Configure portlet icon.
    - Edit parameter UseSecureLoginActionUrl and set the parameter to true.
You can test the SSL login by opening the following unprotected URL and submitting your credentials: http://portalserver.com/lotus/myquickr. You will notice that the URL does not change to https.
Confirm the login was encrypted by monitoring the packets via a network utility such as Ethereal or by reviewing the source code of the login form when accessed through an unprotected HTTP URL. The login form should have an action URL that is secured, for example <form method="post" action="https://....">. Set your browser to warn you when changing between secure and insecure modes to see the behavior on the client-side.