Issue
After applying AEM 6.3 SP1 + CFP1 or later patch on systems where "SSL is terminated at the load balancer" [1] (or web server), users are no longer able to log into AEM.
[1] SSL being terminated at the load balancer or dispatcher means that AEM itself is accessed via http://, while users connecting through the load balancer use https://.
Environment
AEM 6.3 or later version
Cause
This is a known issue. After applying the CFP, the SslFilter from Apache Felix no longer works before authentication.
Apache Felix now provides a different mechanism for configuring this via the Jetty servlet engine. For technical details, see FELIX-5207.
Resolution
After installing AEM 6.3 SP1 + CFP1 or a later service pack / CFP, make the following configuration changes:
- Log in to http://aem-host:port/system/console/configMgr.
- Search for Apache Felix Jetty Based Http Service and open the configuration.
- Enable the setting Enable Proxy/Load Balancer Connection and save it.
- Search for Sling Authentication Service and open the configuration.
- Uncheck Allow Anonymous Access and save the configuration.
This setting works only for the X-Forwarded-Proto: https header. Make sure that your load balancer or web server sends this header to AEM when users connect via https.
Users should be able to log in via the load balancer / dispatcher after changing these settings.
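One way to meet the X-Forwarded-Proto requirement above when Apache httpd (with mod_ssl and mod_headers) terminates SSL in front of AEM. This is an added example, not part of the original article; the host name and certificate paths are placeholders, and the dispatcher/proxy directives that forward requests to AEM are omitted.

```apache
# Added example: Apache httpd terminating SSL in front of AEM.
# aem.example.com and the certificate paths are placeholders.

<VirtualHost *:443>
    ServerName aem.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # "set" replaces any X-Forwarded-Proto value the client sent, so AEM
    # always sees "https" for requests that arrived over SSL.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:80>
    ServerName aem.example.com

    # Plain-HTTP requests must not reach AEM claiming to be https:
    # drop whatever value the client supplied.
    RequestHeader unset X-Forwarded-Proto
</VirtualHost>
```

Because AEM trusts this header once Enable Proxy/Load Balancer Connection is on, the component that terminates SSL should be the only place the header is set.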