Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

7.3 Configuring the Distributed Authentication User Interface Load Balancer

Load Balancer 3, the Distributed Authentication User Interface load balancer, distributes user and agent requests between the Distributed Authentication User Interface servers and keeps each client's requests on the server where its session originated. Secure Sockets Layer (SSL) is terminated at the load balancer and re-established before a request is forwarded to the Distributed Authentication User Interface servers; cookie-based persistence needs to read the HTTP Cookie header, which the load balancer can only do once the request is decrypted. Load Balancer 3 supports the following types of load balancing:

Cookie-based 

The load balancer makes routing decisions based on the client's cookies. It inspects each request for a cookie with a specific name. If the cookie is present, the load balancer routes the request to the server to which that cookie value is assigned. If the cookie is absent, the load balancer distributes the request among the available servers.

IP-based 

This is similar to cookie-based load balancing, but the decision is based on the client's IP address. The load balancer sends all requests from a specific IP address to the same server. Note that all clients behind the same NAT device or forward proxy present one address and therefore land on one server.

TCP 

The load balancer maintains session affinity: all requests belonging to one TCP session are forwarded to the same server. In this deployment example, Load Balancer 3 forwards all requests from a single client to exactly the same server. As long as the session is started and maintained by one client, session affinity is guaranteed. This type of load balancing applies to TCP-based protocols.


Note –

In this deployment example, we use BIG-IP and its passive-cookie persistence mechanism to keep requests sticky to the back-end servers. In passive mode the back-end server sets the persistence cookie and the load balancer only reads it: requests to the OpenSSO Enterprise servers are routed according to the value of amlbcookie, the OpenSSO Enterprise load balancer cookie, and requests to the Distributed Authentication User Interface servers configured in this section according to the value of DistAuthLBCookie. Stickiness is then maintained for all OpenSSO Enterprise related requests from browsers or agents. Different load balancers support different mechanisms for session persistence; it is up to you to map this functionality to your own choice of load balancer.


This section assumes that you have already installed a load balancer. Before you begin, note the following:

Use the following list of procedures as a checklist for completing the task.

  1. To Request a Certificate for the Distributed Authentication User Interface Load Balancer

  2. To Import a Root Certificate to the Distributed Authentication User Interface Load Balancer

  3. To Import a Certificate to the Distributed Authentication User Interface Load Balancer

  4. To Configure the Distributed Authentication User Interface Load Balancer

  5. To Configure a Proxy for SSL Termination at the Distributed Authentication User Interface Load Balancer

Procedure: To Request a Certificate for the Distributed Authentication User Interface Load Balancer

Generate a certificate signing request to send to a CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in to the BIG-IP console using the following information.

    User Name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane of the console, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. On the Create Certificate Request page, provide the following information:

    Key Identifier:

    lb-3.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    lb-3.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a text file named lb-3.csr.

  10. Log out of the console and close the browser.

  11. Send lb-3.csr to the CA of your choice.

Procedure: To Import a Root Certificate to the Distributed Authentication User Interface Load Balancer

The CA root certificate is what allows the load balancer, and the clients that connect to it, to verify that a given server certificate was in fact issued by that CA. For this purpose, import the root certificate of the CA that issued the Load Balancer 3 server certificate into the Load Balancer 3 certificate store.

Before You Begin

You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. In the left pane of the console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, navigate to the file that contains the CA root certificate.

  9. Select the file and click Open.

  10. In the Certificate Identifier field, enter OpenSSL_CA_Cert.

  11. Click Install Certificate.

  12. On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The root certificate OpenSSL_CA_Cert is now included in the Certificate ID list.

Procedure: To Import a Certificate to the Distributed Authentication User Interface Load Balancer

Before You Begin

This procedure assumes you have received a certificate from a CA, just completed To Import a Root Certificate to the Distributed Authentication User Interface Load Balancer, and are still logged into the load balancer console.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key lb-3.example.com is in the Key List. This was generated in To Request a Certificate for the Distributed Authentication User Interface Load Balancer.

  3. In the Certificate ID column, click the Install button for lb-3.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to the file that contains the certificate text sent to you by the CA and click Open.

  6. Click Install Certificate.

  7. On the Certificate lb-3.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates lb-3.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

Procedure: To Configure the Distributed Authentication User Interface Load Balancer

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in using the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      AuthenticationUI-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Distributed Authentication User Interface host machines: da-1:1443 and da-2:1443.

    4. Click Done.

  5. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when users attempt to connect, forwards the connection to the most appropriate real server.


    Tip –

    If you encounter JavaScript(TM) errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add Virtual Server wizard, enter the virtual server IP address and port number.

      Address

      Enter the IP address for lb-3.example.com

      Service

      9443

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the AuthenticationUI-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    Monitors are required for the load balancer to detect backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add a TCP monitor to each Web Server node.

      In the Node list, locate the IP address and port number for da-1:1443 and da-2:1443, and select the Add checkbox.

    4. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left frame, click Pools.

    2. Click the AuthenticationUI-Pool link.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Passive HTTP Cookie.

    5. Under Cookie Name, enter DistAuthLBCookie.

    6. Click Apply.

  8. In the left frame, click BIGpipe.

  9. In the BIGpipe command window, type makecookie IP-address:port.

    IP-address is the IP address of the da-1 host machine and port is the same machine's port number; in this case, 1443.

  10. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=4131721920.41733.0000; path=/ is displayed. Save the numbered value (in this case, 4131721920.41733.0000) for use in To Configure Load Balancer Cookies for the Distributed Authentication User Interface.

  11. In the left frame, click BIGpipe again.

  12. In the BIGpipe command window, type makecookie IP-address:port.

    IP-address is the IP address of the da-2 host machine and port is the same machine's port number; in this case, 1443.

  13. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=4148499136.41733.0000; path=/ is displayed. Save the numbered value (in this case, 4148499136.41733.0000) for use in To Configure Load Balancer Cookies for the Distributed Authentication User Interface.

  14. Log out of the load balancer console.
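The two makecookie values shown in steps 10 and 13 are not opaque: a BIG-IP persistence cookie value is the pool member's IPv4 address read as a little-endian 32-bit integer, the port as a byte-swapped 16-bit integer, and a trailing 0000 field, all written in decimal. The following Python script is an added example, not part of the original deployment example and not BIG-IP code: it re-implements that encoding so the two values above can be checked, decodes them back to address:port, and models the passive-cookie routing described at the start of this section (route on a valid DistAuthLBCookie that names a healthy pool member, otherwise fall back to round robin). The member addresses 192.18.69.246 and 192.18.69.247 are assumptions obtained by decoding the page's two values; the page itself never lists them. The decoding also shows the practical caveat: because the encoding is reversible, any client that receives the cookie learns the internal address and port of the Distributed Authentication User Interface server it is pinned to.

```python
import struct
from ipaddress import IPv4Address
from itertools import cycle

# Members of AuthenticationUI-Pool. The addresses are assumptions: they are
# simply what the two makecookie values on this page decode to.
POOL = [("192.18.69.246", 1443), ("192.18.69.247", 1443)]
COOKIE_NAME = "DistAuthLBCookie"


def makecookie(ip: str, port: int) -> str:
    """Reproduce the BIG-IP makecookie encoding of ip:port.

    The IPv4 address is packed big-endian and read back little-endian; the
    port gets the same byte swap. Both are written in decimal, followed by a
    0000 field, e.g. 192.18.69.246:1443 -> 4131721920.41733.0000
    """
    ip_int = struct.unpack("<I", IPv4Address(ip).packed)[0]
    port_int = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def decode_cookie(value: str) -> "tuple[str, int]":
    """Invert makecookie. Raises ValueError on a malformed value."""
    try:
        ip_str, port_str, _tail = value.split(".")
        ip = str(IPv4Address(struct.pack("<I", int(ip_str))))
        port = struct.unpack("<H", struct.pack(">H", int(port_str)))[0]
    except (ValueError, struct.error) as exc:
        raise ValueError(f"not a BIG-IP persistence cookie: {value!r}") from exc
    return ip, port


def cookies_from_header(header: str) -> dict:
    """Parse a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class PassiveCookieBalancer:
    """Minimal model of BIG-IP 'Passive HTTP Cookie' persistence.

    In passive mode the back-end server sets the cookie (which is why the
    procedure has you save the makecookie values for the Distributed
    Authentication User Interface cookie configuration); the load balancer
    only reads it and never sets it itself.
    """

    def __init__(self, pool, cookie_name=COOKIE_NAME):
        self.pool = list(pool)
        self.cookie_name = cookie_name
        self.healthy = set(self.pool)        # what the TCP monitors report
        self._round_robin = cycle(self.pool)

    def mark_down(self, member):
        """Simulate the TCP monitor detecting a failed node."""
        self.healthy.discard(member)

    def route(self, headers: dict):
        """Pick the pool member that should receive this request."""
        cookie = cookies_from_header(headers.get("Cookie", "")).get(self.cookie_name)
        if cookie is not None:
            try:
                member = decode_cookie(cookie)
            except ValueError:
                member = None                # forged or stale cookie: ignore it
            if member in self.healthy:       # never pin to a host outside the pool
                return member
        # No usable cookie: fall back to the pool's Round Robin method,
        # skipping members the monitor has marked down.
        for _ in range(len(self.pool)):
            member = next(self._round_robin)
            if member in self.healthy:
                return member
        raise RuntimeError("no healthy members in pool")


if __name__ == "__main__":
    for ip, port in POOL:
        value = makecookie(ip, port)
        print(f"makecookie {ip}:{port} -> {value} -> {decode_cookie(value)}")
    lb = PassiveCookieBalancer(POOL)
    # Constructed request headers: one carrying the DAUI cookie, one without.
    print(lb.route({"Cookie": f"JSESSIONID=abc; {COOKIE_NAME}={makecookie(*POOL[1])}"}))
    print(lb.route({}))
```

The fallback in route() is the part worth copying into any real persistence design: a cookie that decodes to something that is not a healthy member of the pool is ignored rather than honoured, so a client cannot steer traffic to an arbitrary address:port by editing the cookie, and a client pinned to a node that has since failed is quietly re-balanced.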

Procedure: To Configure a Proxy for SSL Termination at the Distributed Authentication User Interface Load Balancer

Secure communication is terminated and regenerated at the load balancer before forwarding a request to the Distributed Authentication User Interface.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information:

    Proxy Type:

    Check SSL and ServerSSL.

    Proxy Address:

    The IP address of Load Balancer 3.

    Proxy Service:

    1443

    The secure port number

    Destination Address:

    The IP address of Load Balancer 3.

    Destination Service:

    9443

    The secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose lb-3.example.com.

    SSL Key:

    Choose lb-3.example.com.

    Enable ARP:

    Check this box.

  7. Click Next.

    The Insert HTTP Header String page is displayed.

  8. Choose Matching for Rewrite Redirects.

  9. Click Next.

    The Client Cipher List String page is displayed.

  10. Accept the defaults and click Next.

    The Server Chain File page is displayed.

  11. Select OpenSSL_CA_Cert.crt from the drop-down list.

  12. Click Done.

    The new proxy server is now added to the Proxy Server list.

  13. Log out of the load balancer console.

  14. Access https://lb-3.example.com:1443/index.html from a web browser to verify the configuration.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  15. Close the browser.