test

Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

5.2 Configuring Load Balancer 2 for OpenSSO Enterprise

The two instances of OpenSSO Enterprise are fronted by one load balancer (Load Balancer 2). Users will access OpenSSO Enterprise through the secure port 1081. Users external to the company will access the Distributed Authentication User Interface which, in turn, routes the request through the secure port 1081.

Load Balancer 2 sends the user and agent requests to the server where the session originated. Secure Sockets Layer (SSL) is terminated and regenerated before a request is forwarded to the OpenSSO Enterprise servers to allow the load balancer to inspect the traffic for proper routing. Load Balancer 2 is capable of the following types of load balancing:

Cookie-based 

The load balancer makes decisions based on client's cookies. The load balancer looks at the request and detects the presence of a cookie by a specific name. If the cookie is detected in the request, the load balancer routes the request to the specific server to which the cookie has been assigned. If the cookie is not detected in the request, the load balancer balances client requests among the available servers. 

IP-based 

This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends all requests from a specific IP address to the same server. 

TCP 

The load balancer mainstreams session affinity. This means that all requests related to a TCP session, are forwarded to the same server. In this deployment example, Load Balancer 2 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load-balancing is applicable to the TCP-based protocols. 

Note –

In this Deployment Example, we use BIG-IP and it's supported passive-cookie mechanism to address session persistence with the backend OpenSSO Enterprise servers. The intent is to enable persistence of requests to the backend servers depending upon the value of amlbcookie, the OpenSSO Enterprise cookie. Stickiness can then be maintained for all OpenSSO Enterprise related requests from browsers or agents. Different load balancers might support different mechanisms to achieve session persistence. It is the responsibility of the end users to determine and map this functionality to their own choice of load balancer.

This section assumes that you have already installed a load balancer. Before you begin, note the following:

Use the following list of procedures as a checklist for completing the task.

  1. To Request a Certificate for the OpenSSO Enterprise Load Balancer

  2. To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer

  3. To Install the Server Certificate to the OpenSSO Enterprise Load Balancer

  4. To Configure the OpenSSO Enterprise Load Balancer

  5. To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer

ProcedureTo Request a Certificate for the OpenSSO Enterprise Load Balancer

Generate a request for a server certificate to send to a CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console using the following information.

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. In the Create Certificate Request page, provide the following information.

    Key Identifier:

    lb-2.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    lb-2.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a file named lb-2.csr.

  10. Log out of the console and close the browser.

  11. Send lb-2.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named lb-2.cer.

ProcedureTo Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer

Install the CA root certificate on Load Balancer 2 to ensure that a link between the Load Balancer 2 can be maintained with the CA. Use the same root certificate that you imported in 4.3 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in with the following information.

    User name:

    username

    Password:

    password

  3. In the BIG-IP load balancer console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, choose Browser.

  9. Navigate to ca.cer and click Open.

  10. In the Certificate Identifier field, enter OpenSSL_CA_cert.

  11. Click Install Certificate.

  12. On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The root certificate named OpenSSL_CA_Cert is now included in the Certificate ID list.

ProcedureTo Install the Server Certificate to the OpenSSO Enterprise Load Balancer

Before You Begin

This procedure assumes you have received the server certificate requested in To Request a Certificate for the OpenSSO Enterprise Load Balancer and just completed To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key lb-2.example.com is in the Key List.

  3. In the Certificate ID column, click Install for lb-2.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to lb-2.cer, the server certificate, and click Open.

  6. Click Install Certificate.

  7. On the Certificate lb-2.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates lb-2.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

ProcedureTo Configure the OpenSSO Enterprise Load Balancer

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information.

      Pool Name

      OSSO-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP addresses and port numbers for the OpenSSO Enterprise servers: osso-1:1081 and osso-2:1081.

    4. Click Done.

  5. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when users attempt to connect, it would forward the connection to the most appropriate real server.

    Note –

    If you encounter JavaScriptTM errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb-2.example.com

      Service

      1082

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the OSSO-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    OpenSSO Enterprise comes with a JSP file named isAlive.jsp that can be contacted to determine if the server is down. Since we have not yet deployed OpenSSO Enterprise, isAlive.jsp cannot be used. In the following sub procedure, create a custom monitor that periodically accesses the Application server instance(s). If desired, the monitor can be changed later to use isAlive.jsp.

    1. Click the Monitors tab

    2. Click the Basic Associations tab

    3. Find the IP address for osso-1:1081 and osso-2:1081.

    4. Mark the Add checkbox for OSSO-1 and OSSO-2.

    5. At the top of the Node column, choose the tcp monitor.

    6. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left pane, click Pools.

    2. Click the name of the pool you want to configure; in this case, OSSO-Pool.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Passive HTTP Cookie.

    5. Under Cookie Name, enter amlbcookie.

    6. Click Apply.

  8. In the left pane, click BIGpipe.

  9. In the BIGpipe command window, type the following:


    makecookie ip-address:port

    ip-address is the IP address of the OSSO-1 host machine and port is the same machine's port number; in this case, 1081.

  10. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=692589248.36895.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.36895.0000) for use in To Create a Site on OpenSSO Enterprise 1.

  11. In the left pane, click BIGpipe again.

  12. In the BIGpipe command window, type the following:


    makecookie ip-address:port

    ip-address is the IP address of the OSSO-2 host machine and port is the same machine's port number; in this case, 1081.

  13. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=692589248.12345.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.12345.0000) for use in To Create a Site on OpenSSO Enterprise 1.

  14. Log out of the load balancer console.

ProcedureTo Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer

SSL communication is terminated at Load Balancer 2. The request is then re-encrypted and securely forwarded to OpenSSO Enterprise. When clients send an SSL-encrypted request to Load Balancer 2, it decrypts the request and re-encrypts it before sending it on to the OpenSSO Enterprise SSL port. Load Balancer 2 also encrypts the responses it receives back from OpenSSO Enterprise, and sends these encrypted responses back to the client. Towards this end create an SSL proxy for SSL termination and regeneration.

Before You Begin

You should have a root certificate issued by a recognized CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in with the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information.

    Proxy Type:

    Check the SSL and ServerSSL checkbox.

    Proxy Address:

    The IP address of Load Balancer 2.

    Proxy Service:

    1081

    The secure port number

    Destination Address:

    The IP address of Load Balancer 2.

    Destination Service:

    1082

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose lb-2.example.com.

    SSL Key:

    Choose lb-2.example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. On the page starting with “Insert HTTP Header String,” change to Rewrite Redirects and choose Matching.

  9. Click Next.

  10. On the page starting with “Client Cipher List String”, accept the defaults.

  11. Click Next.

  12. On the page starting with “Server Chain File,” change to Server Trusted CA's File, select “OpenSSL_CA_Cert.crt” from the drop-down list.

  13. Click Done.

    The new proxy server is added to the Proxy Server list.

  14. Log out of the load balancer console.

  15. Access https://lb-2.example.com:1081/index.html from a web browser.

    If the Application Server index page is displayed, you can access it using the new proxy server port number and the load balancer is configured properly.

    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.

  16. Close the browser.