AM/OpenAM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading

Last updated Sep 24, 2019

The purpose of this article is to provide assistance if AM/OpenAM redirects to a URL using the http protocol instead of the expected https protocol. This issue occurs when AM/OpenAM is deployed on Apache Tomcat™ with a load balancer or proxy (such as HAProxy) doing SSL/TLS offloading. In particular, this affects deployments where the load balancer or proxy sets the X-Forwarded-Proto header.


2 readers recommend this article

Symptoms

After logging into AM/OpenAM (using a URL with the https protocol), you are redirected to a URL that uses the http protocol.

You may also see this behavior when moving between newer XUI JavaScript®-based administration pages and old JATO console pages. Upon switching back to XUI pages from an old console page, the protocol changes to http.

You will see a 302 redirect response with the wrong protocol, for example:

HTTP/1.1 302 Found
Location: http://host1.example.com:8080/openam

Recent Changes

Configured a load balancer or proxy in front of AM/OpenAM to offload SSL/TLS.

Causes

Tomcat is not honoring the X-Forwarded-Proto header set by the load balancer or proxy, or has not been configured for SSL offloading:

  • Tomcat needs to honor the X-Forwarded-Proto header set by the load balancer or proxy so that all client redirects are issued using the https protocol; otherwise it uses the protocol associated with the port AM/OpenAM listens on (http).
  • Tomcat needs to be configured for SSL offloading; otherwise the client receives a Location header from AM/OpenAM with the http protocol instead of https, because the load balancer or proxy, not Tomcat, terminates SSL/TLS and the connection to Tomcat is plain http.

Solution

You can resolve this issue by making the following changes:

  1. Configure Tomcat using one of the following options (fixes redirection for SAML2 federation and/or WS-Federation):
    • Configure Tomcat to honor the X-Forwarded-Proto header.
    • Configure Tomcat for SSL offloading.
  2. Configure the Base URL Source Service (OpenAM 12.0.1 and later) (fixes redirection for OAuth2 and other redirection issues).

Configure Tomcat to honor the X-Forwarded-Proto header

You can configure Tomcat to honor the X-Forwarded-Proto header by adding the following to the server.xml file:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    remoteIpProxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto"
    protocolHeaderHttpsValue="https"
/>

Configure Tomcat for SSL offloading

You can configure Tomcat for SSL offloading by setting the scheme and secure attributes and specifying the proxyPort and proxyName attributes in the <Connector> element in the server.xml file, for example:

<Connector port="8080" protocol="HTTP/1.1"
    maxThreads="150" clientAuth="false"
    SSLEnabled="false"
    scheme="https" secure="true"
    proxyPort="443" proxyName="proxy.example.com"
/>
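The following added example (not ForgeRock's or Tomcat's code) models how the two Tomcat fixes above change the scheme and port that Tomcat reports to AM/OpenAM, and therefore the Location header of the 302 response in the Symptoms section. It approximates RemoteIpValve's default internalProxies as private, link-local and loopback CIDR ranges (an assumption; adjust to your own internalProxies/trustedProxies), and shows the point a practitioner should check: the valve only honors X-Forwarded-Proto when the request arrives from a listed proxy, so a client that sets the header directly cannot influence the scheme.

```python
import ipaddress
from urllib.parse import urlunsplit

# Approximation of RemoteIpValve's default internalProxies (private, link-local
# and loopback ranges); assumption: adjust to your own internalProxies/trustedProxies.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128")]

# Valve and connector settings as in the server.xml snippets above.
VALVE = {"protocolHeader": "x-forwarded-proto", "protocolHeaderHttpsValue": "https",
         "proxies": INTERNAL_PROXIES}
PLAIN_CONNECTOR = {"port": 8080, "scheme": "http", "proxyPort": None}
OFFLOAD_CONNECTOR = {"port": 8080, "scheme": "https", "proxyPort": 443}

def resolve_scheme(remote_addr, headers, valve=None, connector=PLAIN_CONNECTOR):
    """Return the (scheme, port) Tomcat reports; headers use lower-cased names."""
    scheme = connector["scheme"]
    port = connector["proxyPort"] or connector["port"]
    if valve is not None:
        addr = ipaddress.ip_address(remote_addr)
        trusted = any(addr in net for net in valve["proxies"])
        proto = headers.get(valve["protocolHeader"])
        if trusted and proto is not None:
            # The valve only trusts the header from a listed proxy; it then reports
            # https on httpsServerPort (443) or http on httpServerPort (80).
            if proto.lower() == valve["protocolHeaderHttpsValue"]:
                scheme, port = "https", 443
            else:
                scheme, port = "http", 80
    return scheme, port

def redirect_location(host, path, scheme, port):
    """Build the Location header AM/OpenAM derives from the reported scheme/port."""
    default = {"http": 80, "https": 443}[scheme]
    netloc = host if port == default else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))

def location_for(remote_addr, headers, valve=None, connector=PLAIN_CONNECTOR):
    scheme, port = resolve_scheme(remote_addr, headers, valve, connector)
    return redirect_location("host1.example.com", "/openam", scheme, port)

if __name__ == "__main__":
    hdr = {"x-forwarded-proto": "https"}  # constructed sample headers from the LB
    print(location_for("10.0.0.5", hdr))                  # no fix: http://...:8080/openam
    print(location_for("10.0.0.5", hdr, valve=VALVE))     # valve, trusted LB: https://.../openam
    print(location_for("203.0.113.9", hdr, valve=VALVE))  # valve, untrusted source: header ignored
    print(location_for("10.0.0.5", {}, connector=OFFLOAD_CONNECTOR))  # connector offload: https
```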

Configure the Base URL Source Service

Note

If the Base URL Source service is not listed under Services, add it first by clicking Add a Service (or Add) and selecting Base URL Source. If you are using ssoadm, replace set-realm-svc-attrs in the ssoadm command below with add-svc-realm; this adds the service and sets its attributes in one command.

The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the console or ssoadm:

  • AM / OpenAM 13.x console: navigate to: Realms > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
  • Pre-OpenAM 13 console: navigate to: Access Control > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
  • ssoadm: enter the following command:
    $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=REQUEST_VALUES
    replacing [realmname], [adminID] and [passwordfile] with appropriate values.

You may want to use a different option for the Base URL Source if it's more appropriate to your setup, for example, Fixed value. See OpenID Connect 1.0 Guide › Configuring the Base URL Source Service for further information.

The following table lists the base-url-source value to pass to ssoadm for each Base URL Source option, together with the attribute name of any other field that option requires:

Option                               ssoadm value         Other attributes
Extension class                      EXTENSION_CLASS      Extension class name field: base-url-extension-class attribute
Fixed value                          FIXED_VALUE          Fixed value base URL field: base-url-fixed-value attribute
Forwarded header                     FORWARDED_HEADER     (none)
Host/protocol from incoming request  REQUEST_VALUES       (none)
X-Forwarded-* headers                X_FORWARDED_HEADERS  (none)
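As an added illustration (a model written for this article, not AM/OpenAM's own implementation), the following computes the base URL each base-url-source option in the table would yield for one request. It assumes that X_FORWARDED_HEADERS reads X-Forwarded-Proto and X-Forwarded-Host, that FORWARDED_HEADER reads the proto and host parameters of an RFC 7239 Forwarded header, and that a trailing slash on the fixed value is dropped; EXTENSION_CLASS is not modelled. It also shows why REQUEST_VALUES still needs the Tomcat fix above: it simply reflects whatever scheme Tomcat reports.

```python
from urllib.parse import urlsplit

def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header into a dict."""
    first = value.split(",", 1)[0]
    pairs = {}
    for item in first.split(";"):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            pairs[key.lower()] = val.strip().strip('"')
    return pairs

def base_url(source, request_url, headers=None, fixed_value=None):
    """Return the base URL for a base-url-source value from the table above.

    request_url: the URL as Tomcat reports it (scheme/host already subject to
    the RemoteIpValve or connector fix); headers: lower-cased header names.
    """
    headers = headers or {}
    parts = urlsplit(request_url)
    scheme, host = parts.scheme, parts.netloc
    if source == "FIXED_VALUE":
        if not fixed_value:
            raise ValueError("FIXED_VALUE needs base-url-fixed-value")
        return fixed_value.rstrip("/")  # assumption: trailing slash is dropped
    if source == "X_FORWARDED_HEADERS":
        # Assumption: X-Forwarded-Proto/X-Forwarded-Host carry the client-facing values.
        scheme = headers.get("x-forwarded-proto", scheme)
        host = headers.get("x-forwarded-host", host)
    elif source == "FORWARDED_HEADER":
        fwd = parse_forwarded(headers.get("forwarded", ""))
        scheme = fwd.get("proto", scheme)
        host = fwd.get("host", host)
    elif source != "REQUEST_VALUES":
        raise ValueError(f"unsupported base-url-source {source}")
    return f"{scheme}://{host}"

if __name__ == "__main__":
    # Constructed sample: TLS offloaded at the LB, Tomcat sees plain http on 8080.
    req = "http://host1.example.com:8080/openam/oauth2/authorize"
    hdrs = {"x-forwarded-proto": "https", "x-forwarded-host": "sso.example.com",
            "forwarded": 'for=192.0.2.60;proto=https;host="sso.example.com"'}
    print(base_url("REQUEST_VALUES", req))        # http://host1.example.com:8080 without the Tomcat fix
    print(base_url("X_FORWARDED_HEADERS", req, hdrs))
    print(base_url("FORWARDED_HEADER", req, hdrs))
    print(base_url("FIXED_VALUE", req, fixed_value="https://sso.example.com/"))
```

Only use the header-based options when the load balancer or proxy overwrites those headers on every request; otherwise the client controls the base URL.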

See Also

How do I set up Realm DNS Aliases in AM/OpenAM (All versions)?

How do I configure SSL offloading at the Policy Agent (All versions) for virtual hosts?

How do I configure a Web Policy Agent (All versions) for SSL offloading?

How do I configure a Java Policy Agent (All versions) for SSL offloading?

OpenID Connect 1.0 Guide › Configuring the Base URL Source Service

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5534 (OAuth2/OIDC SSL connection is based on incoming request not on the site configuration)
