Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM (All versions) redirects to HTTP when deployed on Apache Tomcat with a load balancer doing SSL/TLS offloading

Last updated Apr 22, 2021

The purpose of this article is to provide assistance if AM redirects to a URL using the http protocol instead of the expected https protocol. This issue occurs when AM is deployed on Apache Tomcat™ with a load balancer or proxy (such as HAProxy) doing SSL/TLS offloading. In particular, this affects deployments where the load balancer or proxy sets the X-Forwarded-Proto header.

2 readers recommend this article

Symptoms

After logging into AM (using a URL with the https protocol), you are redirected to a URL that uses the http protocol.

You may also see this behavior when moving between newer XUI JavaScript®-based administration pages and old JATO console pages. Upon switching back to XUI pages from an old console page, the protocol changes to http.

You will see a 302 redirect response with the wrong protocol, for example:

HTTP/1.1 302 Found Location: http://host1.example.com:8080/openam

Recent Changes

Configured a load balancer or proxy in front of AM to offload SSL/TLS.

Causes

Tomcat is not honoring the X-Forwarded-Proto header set by the load balancer or proxy, or has not been configured for SSL offloading:

  • Tomcat needs to honor the X-Forwarded-Proto header set by the load balancer or proxy to ensure that all the client redirect calls are made using the https protocol; otherwise it will switch the protocol to the one associated with the port AM listens on (http).
  • Tomcat needs to be configured for SSL offloading else it will receive a Location-Header from AM with protocol http instead of https since the load balancer or proxy is doing SSL offloading.

Solution

You can resolve this issue by making the following changes:

  1. Configure Tomcat using one of the following options (fixes redirection for SAML2 federation and/or WS-Federation):
    • Configure Tomcat to honor the X-Forwarded-Proto header.
    • Configure Tomcat for SSL offloading.
  2. Configure the Base URL Source Service (fixes redirection for OAuth2 and other redirection issues).

Configure Tomcat to honor the X-Forwarded-Proto header

You can configure Tomcat to honor the X-Forwarded-Proto header by adding the following to the server.xml file:

<Valve className="org.apache.catalina.valves.RemoteIpValve"    remoteIpHeader="x-forwarded-for"     remoteIpProxiesHeader="x-forwarded-by"     protocolHeader="x-forwarded-proto"     protocolHeaderHttpsValue="https" />

See Apache Tomcat API > Class RemoteIpValve for further information.

Configure Tomcat for SSL offloading

You can configure Tomcat for SSL offloading by specifying the proxyPort and proxyName attributes in the <Connector> element in the server.xml file, for example:

<Connector port="8080" protocol="HTTP/1.1"    maxThreads="150" clientAuth="false"     SSLEnabled="false"     scheme="https" secure="true"     proxyPort="443" proxyName="proxy.example.com" />

Configure the Base URL Source Service

Note

You may need to add the Base URL Source service if it is not listed under Services by clicking Add a Service or Add and then selecting Base URL Source. If you are using ssoadm, you can replace set-realm-svc-attrs in the ssoadm command with add-svc-realm to add this service and set the attributes with the same command.

The Base URL Source Service applies to all XUI pages and the OpenID Base URL. You can set the Base URL Source Service using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Services > Base URL Source and select Host/protocol from incoming request.
  • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s amRealmBaseURL -e [realmname] -u [adminID] -f [passwordfile] -a base-url-source=REQUEST_VALUES replacing [realmname], [adminID] and [passwordfile] with appropriate values.

You may want to use a different option for the Base URL Source if it's more appropriate to your setup, for example, Fixed value. See Security Guide › Configuring the Base URL Source Service for further information.

The following table provides the corresponding values to use for the base-url-source attribute if you want to configure this via ssoadm along with the attribute name for other required fields:

Option ssoadm value Other attributes
Extension class EXTENSION_CLASS Extension class name field: base-url-extension-class attribute.
Fixed value FIXED_VALUE Fixed value base URL field: base-url-fixed-value attribute.
Forwarded header FORWARDED_HEADER  
Host/protocol from incoming request REQUEST_VALUES  
X-Forwarded-* headers X_FORWARDED_HEADERS  

See Also

How do I configure SSL offloading at the Agent (All versions) for virtual hosts?

How do I configure a Web Agent (All versions) for SSL offloading?

How do I configure a Java Agent (All versions) for SSL offloading?

Security Guide › Configuring the Base URL Source Service

Related Training

N/A

Related Issue Tracker IDs

N/A
Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.