SSL/Tomcat Security Alert

Question

We have a website that is hosted on Tomcat (v5.5) web servers and uses an SSL certificate configured on our (v9.1.2) F5's.&nbsp;
&nbsp;There is an iRule in place for the http vs that redirects all requests to https:&nbsp;
&nbsp;   Redirects all to HTTPS keeps URI intact
&nbsp;   
&nbsp;   when HTTP_REQUEST {
&nbsp;      HTTP::redirect https://[HTTP::host][HTTP::uri]
&nbsp;   }&nbsp;
&nbsp;After a user enters login information for the site and attempts to login, this pop-up message appears:&nbsp;
&nbsp;   Security Alert
&nbsp;   You are about to be redirected to a connection that is not secure.
&nbsp;   The information you are sending to the current site might be retransmitted to a nonsecure site. Do you wish to continue?&nbsp;
&nbsp;If you select Yes to continue you're redirected to the correct page using https.&nbsp;
&nbsp;We don't see this message with our IIS sites. How can I get rid of this message?

jeff_c_42204 · Answer

Have you verified that the certificate is completely valid including chaining as defined in your ssl profile? &nbsp;
&nbsp;If you have something similar setup against IIS sites I would verify your setup of the virtual servers and ssl profiles to ensure they are identical and valid.&nbsp;&nbsp;

kim_busho · Answer

I have checked these items and everything looks good (including the chained intermediate certificate). The pop-up only occurs during the login process and the cert seems to otherwise be fine. Thanks!

kykong_107132 · Answer

Hi Kim,&nbsp;
&nbsp;the error message indicate that certain link is not using https. can you try to use fiddler http debugger to capture the HTTP header while you are accessing the login page. you can get fiddler package from http://www.fiddlertool.com/fiddler/.&nbsp;
&nbsp;Fiddler will tell you which link not using HTTPS.&nbsp;
&nbsp;regards,
&nbsp;KY&nbsp;

dennypayne · Answer

To further elaborate on what KY is saying, most likely what is happening is that your Tomcat server is sending back http redirects to the client rather than https.  Because you are decrypting SSL at the BIG-IP, the Tomcat server is running on port 80 and doesn't realize that it needs to send redirects as https instead of http.  &nbsp;
&nbsp;The best way to fix this is to make sure your Tomcat server doesn't improperly send back http redirects, but if that is not possible, then you can use the Rewrite Redirects feature in the http profile on the BIG-IP to "catch" those http redirects on the way back out to the client and change them to https as they should be.  &nbsp;&nbsp;Click here for the manual on Rewrite Redirects for 9.1.2.&nbsp;
&nbsp;Denny

Forum Discussion

SSL/Tomcat Security Alert

Recent Discussions

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

BIG-IP Oauth Client and AS

How to Renew F5 Device Certificate

Related Content

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

AppWorld 2025 Security Insights - ADC 3.0, AI Security, and more

Advent Calendar, IPA alert, Active Cyber Defense, call ChatGPT

Securing Model Serving in Red Hat OpenShift AI (on ROSA) with F5 Distributed Cloud API Security

Certificate Expiry Email alert configuration

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS