Redirect crowd to https

Hello,

I know this question is semi-old, but it's a top hit on google and wanted to provide some more guidance here

This "works" but only for when you visit the actual crowd webapp at http://<server>/crowd

It does not apply to the main landing page of crowd (i.e. the tomcat ROOT page) at http://<server>/

This is because the Crowd root page, as well as the openidserver and openidclient applications are each considered a separate webapp by Tomcat, and therefore each one has its own web.xml which you have to edit and add this block of configuration text into.

So, in total you have to edit a whole bunch of web.xml files if you want to ensure that all Crowd pages are always served over HTTPS:

• ${CROWD_DIR}/apache-tomcat/webapps/ROOT/WEB-INF/web.xml
• ${CROWD_DIR}/crowd-webapp/WEB-INF/web.xml
• ${CROWD_DIR}/crowd-openidclient-webapp/WEB-INF/web.xml
• ${CROWD_DIR}/crowd-openidserver-webapp/WEB-INF/web.xml

You also need to ensure that in your tomcat Connectors in ${CROWD_DIR}/apache-tomcat/conf/server.xml has valid values for redirectPort (typically 443 or 8443 for HTTPS).

I'm trying to run Crowd 2.12.0 on HTTPS per the instructions below, but am not having any success:

https://confluence.atlassian.com/crowd0212/configuring-crowd-to-work-with-ssl-935372574.html

In addition to the steps in the link, I also updated the four web.xml files, putting in what Ann recommended (although I was wondering if I needed to replace the "Restricted URLs" and "CONFIDENTIAL" strings with something else).

After doing this and restarting Crowd, I was not able to sucessfully log into either Confluence or Jira (which are using Crowd). Whether I had the information in the web.xml files, I'm getting a message that "your connection is not private" when I go to https://{localhost}:8443/crowd/console.

I'm running all of my Atlassian Apps on Linux. Both Jira and Confluence are on the latest/greatest (6.8.2 for Confluence, 7.9.2 for Jira).

Is there something simple that I'm missing?

Thanks,
Matt

Hi Matt,

Are you using a self signed certificate and getting the insecure connection message from Firefox, similar to this:

If so, the browser may be alerting you that the redirection is working but the cert is not in the browser's trusted certificates. If you cancel the error can you still log in? What if you use a different browser?

Thanks,
Ann

Ann,

I'm using Chrome, but the underlying issue is very similar. I'm getting the "Your connection is not private" message. I am able to log in, but the https portion of the address has a strikethrough and the big "Not secure" warning is showing up next to the URL. I am able to log in to the Crowd console.

Going through IE gives me the "There is a problem with this webite's security certificate", but I can go past that and log in. The "Certificate error" warning shows up next to the URL in that case.

So it looks like the problem is that I'm not trusting the certificate. I followed the steps as written in my previous post, but I guess I'm not sure how to make sure that the certificate is trusted. I was under the impression that doing a self-signed basically did that for you, so maybe there's another step that I missed?

Thanks,
Matt

Hi Matt,

Browsers trust established Certificate Aauthorities like Versign by default, but you have to "tell" the browsers to trust your self signed certificate. Please try these instructions: Configure Your Browser to Trust a Self-Signed Certificate

Later on, if you integrate Confluence and Jira for example, the Java Trust stores of the applications will have to be setup to trust each other's certificates, as in Connecting to SSL services: 

Java will normally use a system-wide keystore in $JAVA_HOME/jre/lib/security/cacerts, 

I look forward to hearing how it goes.

Thanks,
Ann

Ann,

I had originally saved the self-signed into the path you specified above (../../security/cacerts).

After following the steps in the link you provided, I'm still getting the same message. Do I need to clear my cache or anything else?

I'm not sure if this matters, but I had set up https for both Jira and Confluence previously, using a self-signed cert, and didn't have to do any additional steps at the browser level. Is there something different with Crowd that would require it?

Thanks,
Matt

HI Matt,

As far as the Java keystore, I was giving you a heads up about integrating the other apps later on. It does not impact the connection between Crowd and your browser. For your Chrome issue did you follow these steps?

1. When you see a message saying your connection is not private, click Advanced, then click the Proceed to link log in.

2. Save the presented certificate to a file. To do this:

3. Click the View site information icon (a padlock) in the address bar:

4. Click Certificate Information.

5. On the Details tab, click Copy to File and save the file using defaults.

6. Locate and double-click the certificate file you just saved.

7. On the certificate General tab, click Install Certificate.

8. In the Install Certificate Wizard, select Place all certificates in the following store.

9. Click Browse and select Trusted Root Certification Authorities, then continue through the remaining steps to install the certificate.

If so, the connection should appear as safe/private/SSL. If not, please post a screen shot of the message you are seeing afterward.

Thanks,

Ann

Ann,

I apologize for the confusion. I did execute those steps and it still looks the same per the screenshot below:

Some of the other instructions I am finding do include clearing the cache, I also wonder if antivirus is a factor or if the procedure would work on an incognito window.

1. Clear all browsing data ( cache, cookies, hosted app data and so on). Then restart your browser.

2. Restore your browser default settings. Restart your browser. ...

3. Navigate to your browser “settings” →”change proxy”.

4. In Security and Privacy Tab, adjust the level to “medium”.

5. Clear and restart your browser.

Ann,

Thanks for all of your help on this. I guess my big question is not necessarily whether logging into the crowd console is secure, but whether the traffic going between Crowd and Jira/Confluence for authentication purposes is secure. Are the steps I'm taking working toward that end or am I going down the wrong path?

Matt

If the base URLs are SSL and you used the https URLs to configure the application links and user directories to integrate the applications, the traffic between the apps will be encrypted. If the certificates have problems the connections will fail with conspicuous errors in the logs.

All three apps (Jira/Confluence/Crowd) were originally set up with HTTP. Several months ago, we reconfigured Jira/Confluence to use HTTPS both for themselves and the Application Links to each other. All of that has been working without a problem.

We are using Crowd to authenticate logins from Active Directory.

Then, we wanted to configure Crowd to use HTTPS as well. After running the configuration steps, I tried to access the crowd console to make sure it was using HTTPS and I encountered the behavior I've explained here.

At no time have I seen any problems logging in while everything was configured correctly (I made some early mistakes in the Crowd HTTPS configuration and then started over with a new snapshot, but it's fine now). So, is there anything else I need to do, or are the browser changes just necessary if I want to log into the console securely?

The browser changes are just for convenience - after you click continue the browser trusts the cert and encrypts the session.

The https URLs in the application links and user directories ensure that in-between-app traffic is encrypted.

So it sounds like apart from the nuisance factor you are all set.

Ann,

After following the instructions to install the certificate on IE and clearing the cache, I am no longer seeing the certificate error. It looks like everything is working perfectly.

Thank you very much for your assistance and patience.

Matt