000021459 - How to implement centralized logon from an SSL encrypted server to server non SSL content

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021459

Applies To:
Microsoft Windows 2000 SP4
RSA ClearTrust 5.5.2
Sun Solaris 2.9
Sun ONE Web Server 6.1
RSA ClearTrust Agent 4.6 for Sun ONE Web Server

Issue: How to implement centralized logon from an SSL encrypted server to server non SSL content
Once authenticated, the user is presented with the ClearTrust login screen again and the login fields are blanked out. The agent debug log shows:

Oct 22, 2004 10:53:13 AM PDT - [76] - <Debug> - Cookie is not set in svrhdrs

Cause

The ClearTrust logon form was modified to explicitly redirect the user from a non-SSL page to the SSL logon page with a META refresh tag:

<META HTTP-EQUIV="REFRESH" CONTENT="10;URL=https://<machine_name>:443/cleartrust/ct_logon_en.html">

This configuration is neither required nor recommended.

Resolution

The ClearTrust webagent.conf file can be configured to use a full URI (scheme, host and port) for the logon form location:

cleartrust.agent.login_form_location_basic=https://<machine_name>:443/cleartrust/ct_logon_en.html

This causes the login to be redirected to port 443 over an SSL connection; once authenticated, the user is redirected back to the port 80 web resource.

Notes: The following settings also need to be correct for redirection to work between the SSL-enabled logon page and the non-SSL content pages.

Ensure also that your webagent.conf file does not restrict the agent cookie to SSL connections, since the session cookie set during the SSL logon must also be sent by the browser over the port 80 connection to the content pages:

# Specifies that the browser should accept and send cookies only via secure
# methods. Used to restrict cookies to SSL connections.
#
# Allowed Values:
#   True     Mark cookies generated from this agent for secure use only.
#   False    Do not restrict cookies generated from this agent to secure connections.
#
cleartrust.agent.secure=False

and

<VirtualHost address=* name=* port=443>
cleartrust.agent.enabled=true
</VirtualHost>

Your server.xml file should contain:

  <LS id="ls1" port="80" servername="vdc-support6s.na.rsa.net" defaultvs="https-vdc-support6s.na.rsa.net" security="off" ip="any" blocking="false" acceptorthreads="1"/>
  <LS id="ls2" port="443" servername="vdc-support6s.na.rsa.net" defaultvs="https-vdc-support6s.na.rsa.net" security="on" ip="any" blocking="false" acceptorthreads="1">
    <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
  </LS>

Your webserver should also be appropriately configured to serve pages with SSL connections enabled.
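As an added example (not part of the RSA article or of the ClearTrust product), a small Python check that parses the webagent.conf subset shown above and reports which of the three settings from this article are missing or wrong; the host name in the embedded sample is a constructed placeholder.

```python
import re

# Constructed sample of the article's webagent.conf settings (host name is a placeholder).
SAMPLE_WEBAGENT_CONF = """
# logon form served over SSL, protected content stays on port 80
cleartrust.agent.login_form_location_basic=https://sso.example.test:443/cleartrust/ct_logon_en.html
cleartrust.agent.secure=False
<VirtualHost address=* name=* port=443>
cleartrust.agent.enabled=true
</VirtualHost>
"""

def parse_webagent_conf(text):
    """Return (global settings, [(vhost attrs, vhost settings), ...]); '#' lines are comments."""
    glob, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+(.*?)>$", line, re.I)
        if m:  # open a per-virtual-host scope, e.g. <VirtualHost address=* name=* port=443>
            current = (dict(a.split("=", 1) for a in m.group(1).split()), {})
            vhosts.append(current)
        elif line.lower() == "</virtualhost>":
            current = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (current[1] if current else glob)[key] = value
    return glob, vhosts

def check_webagent_conf(text):
    """List the settings from the article that are missing or wrong; an empty list means OK."""
    glob, vhosts = parse_webagent_conf(text)
    problems = []
    # 1. The logon form must be an absolute https:// URI, not a path on the port 80 site.
    if not re.match(r"https://[^/]+/", glob.get("cleartrust.agent.login_form_location_basic", "")):
        problems.append("login_form_location_basic is not a full https:// URI")
    # 2. The cookie must not be marked secure-only, or port 80 content never sees the session.
    if glob.get("cleartrust.agent.secure", "").lower() != "false":
        problems.append("cleartrust.agent.secure must be False so the session cookie "
                        "set during the SSL logon is also sent to the port 80 content")
    # 3. The agent must be enabled on the SSL virtual host that serves the logon form.
    if not any(a.get("port") == "443" and s.get("cleartrust.agent.enabled", "").lower() == "true"
               for a, s in vhosts):
        problems.append("no <VirtualHost ... port=443> block with cleartrust.agent.enabled=true")
    return problems
```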

Legacy Article ID: a23072
