000029190 - SSL Offloading with Access Manager

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000029190
Applies To: RSA Access Manager 4.7.0.64, 4.8.0.46, 4.9.x, 5.0.x agents
Issue: The objective is to offload SSL to a load balancer in front of the server running the RSA Agent, while ensuring that all communication between the browser and the load balancer uses SSL. Because the request reaches the agent over HTTP, the agent builds its redirect with an http:// scheme; if this is not handled, the redirect sends the browser to HTTP instead of the original load-balanced HTTPS request.
Resolution: The solution is URL-rewrite logic that changes the protocol in the Location header from http to https. Applying this rewrite rule at the load balancer is the recommended and most commonly used solution; the F5 load balancer has built-in support for this through iRules.
Alternatively, the rewrite can be done at the web server level. Web servers such as Apache support rewriting response headers.
The third method uses the agent to redirect through the home page and rewrite the URL there to https.
 
1.    Rewrite at load balancer:
We do not have any working experience with F5, but based on what we have explored there is an easy way of doing it using iRules.
 
One such example is the following: 
when HTTP_REQUEST {
  # save hostname for use in response
  set fqdn_name [HTTP::host]
}
when HTTP_RESPONSE {
  if { [HTTP::is_redirect] }{
    if { [HTTP::header Location] starts_with "/" }{
      HTTP::header replace Location "https://$fqdn_name[HTTP::header Location]"
    } else {
      HTTP::header replace Location "[string map {"http://" "https://"} [HTTP::header Location]]"
    }
  }
}

This rewrite rule can also be restricted to specific redirects. More information can be found in this link.
2.    Rewrite at Apache:
Apache web server provides a way to rewrite the Location header, which contains the redirection URL. This requires the mod_headers module to be loaded.
For example, the following directive in Apache's httpd.conf will force all 302 redirects that use the http protocol to use https:
                Header edit Location ^http://(.*)$ https://$1

Refer to the following links for more information:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
http://blog.delouw.ch/2009/10/29/302-redirect-behind-ssl-terminating-proxies/

NOTE: This solution works only with Apache 2.2.4 and above. Some sites document this directive as failing to work for specific Apache configurations.
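The Location rewrite that the iRule in section 1 and the Apache Header edit in section 2 perform, written here as a small WSGI wrapper so the logic can be run and checked offline. This is an added example, not code from the RSA article or from RSA; the class name SslOffloadRedirectFix, the sample app and the portal.example.com values are constructed, and unlike the iRule's string map it rewrites only a leading http://, so an http:// that appears inside a query string is left alone.

```python
REDIRECT_STATUSES = ("301", "302", "303", "307", "308")


def rewrite_location(host, location):
    # Same two branches as the iRule: a relative Location (starts with "/") gets
    # https:// plus the request host prepended; an absolute http:// URL has its
    # scheme switched to https://; already-https or other values are untouched.
    if location.startswith("/"):
        return "https://" + host + location
    if location.startswith("http://"):
        return "https://" + location[len("http://"):]
    return location


class SslOffloadRedirectFix:
    """Hypothetical WSGI wrapper for an app behind an SSL-terminating load
    balancer: rewrites Location on 3xx responses the app built from its
    plain-HTTP view of the request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", environ.get("SERVER_NAME", ""))

        def patched_start_response(status, headers, exc_info=None):
            if status.split(" ", 1)[0] in REDIRECT_STATUSES:
                headers = [(n, rewrite_location(host, v)) if n.lower() == "location" else (n, v)
                           for n, v in headers]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def redirecting_app(environ, start_response):
    # Constructed sample app: like an agent that saw the request as HTTP and
    # redirects to the retained URL with an http:// scheme.
    start_response("302 Found", [("Location", "http://portal.example.com/home")])
    return [b""]


def run_once(app, host="portal.example.com"):
    # Drive one request through a WSGI app without a server; return (status, Location).
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["location"] = dict(headers).get("Location")

    list(app(environ, start_response))
    return captured["status"], captured["location"]
```

Running `run_once(redirecting_app)` shows the unfixed http:// redirect and `run_once(SslOffloadRedirectFix(redirecting_app))` the rewritten https:// one.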
3.)   Rewrite URL through home page.
Utilize the mode switch in webagent.conf.  
cleartrust.agent.retain_url.redirect_to_ct_home=Mode3
#     Mode 3      Agent uses ct_home.asp|jsp to redirect user to the original.
#              URL for both Cookie based and Query based URL Retention.
Notes: There are additional settings in the agents to accommodate SSL offloading.
1.)   Don't include port number in retention.
cleartrust.agent.exclude_port_for_retained_url=True
2.)   Set CTSESSION cookie for secure use only.
cleartrust.agent.secure=True
# Specifies that the browser should accept and send cookies only via secure
# methods. Used to restrict cookies to SSL connections.
3.)  Allow secure cookies over HTTP    
cleartrust.agent.set_cookie_secure=True
# Specifies that cookies should be marked as secure over a
# non-SSL connection. This will accommodate situations where
# the agent is running behind an ssl offloading device. 
 
