Issue

After applying AEM 6.3 SP1 + CFP1 or later patch on systems where "SSL is terminated at the load balancer" [1] (or web server), users are no longer able to log into AEM.

[1] SSL being terminated at the load balancer or dispatcher means that AEM is accessed via http:// but when accessing via load balancer you use https://.

Environment

AEM 6.3 or later version

Cause

This is a known issue, after applying the CFP, the SslFilter from Apache Felix no longer works before authentication.

Now Apache Felix provides a different mechanism of configuring this via Jetty servlet engine, for technical details, see FELIX-5207.

Resolution

After installing AEM 6.3 SP1 + CFP1 or a later service pack / CFP, make the following configuration changes:

  1. Log in to http://aem-host:port/system/console/configMgr.
  2. Search for Apache Felix Jetty Based Http Service and open the configuration.
  3. Enable the setting Enable Proxy/Load Balancer Connection and save it.
  4. Search for Sling Authentication Service and open the configuration.
  5. Uncheck Allow Anonymous Access and save the configuration.

This setting works only for the X-Forwarded-Proto: https header.  Make sure that your load balancer or web server is sending this to AEM when users are connecting via https.

Users should be able to log in via the load balancer / dispatcher after changing these settings.

Tato práce podléhá licenci Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.  Na příspěvky ze služeb Twitter™ a Facebook se nevztahují podmínky licence Creative Commons.

Právní upozornění   |   Zásady ochrany osobních údajů online