Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

Chapter 9 Setting Up Load Balancers for the Policy Agents

Two load balancers are configured for the policy agents in this deployment example. Load Balancer 4 balances traffic passing through the web policy agents and is configured for simple (client address) persistence. Load Balancer 5 balances traffic passing through the J2EE policy agents and is configured for HTTP cookie persistence. In both cases persistence guarantees that requests from the same user session are sent to the policy agent that initially validated the session and evaluated the applicable policies, so that agent's cache is reused. This chapter contains the following sections:

9.1 Configuring the Web Policy Agents Load Balancer

9.2 Configuring the J2EE Policy Agents Load Balancer

9.1 Configuring the Web Policy Agents Load Balancer

Load Balancer 4 handles traffic for the web policy agents, and is configured for simple persistence.


Note –

From a performance perspective, each policy agent validates user sessions and evaluates the applicable policies, and caches the results of both. If load balancer persistence is not set, a user's requests are spread across agents and each agent builds its own cache for that session: with two agents this roughly doubles the session validation and policy evaluation workload on the OpenSSO Enterprise servers and cuts overall system capacity, and the problem becomes more acute as the number of policy agents increases. Where each web policy agent instance protects identical resources, some form of load balancer persistence is therefore highly recommended. The type of persistence available varies between load balancer products, but it should achieve the goal of sending requests from the same user session to the same policy agent.



Note –

When firewalls are configured, Load Balancer 4 can be located in a less secure zone.


Use the following list of procedures as a checklist for configuring the web policy agents' load balancer:

  1. To Configure the Web Policy Agents Load Balancer

  2. To Create a Monitoring File on Each Host Machine for Load Balancer 4

  3. To Add Load Balancer 4 as a Virtual Host by Modifying the Web Policy Agent Properties

  4. To Configure Policy for the Web Policy Agents

  5. To Verify the Web Policy Agents Load Balancer Configuration is Working Properly

Procedure – To Configure the Web Policy Agents Load Balancer

Before You Begin

The load balancer hardware and software used for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in using the following credentials:

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      WebAgent-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Protected Resource host machines: pr-1:1080 and pr-2:1080.

    4. Click Done.

  5. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when a user connects, forwards the connection to the most appropriate real server in the pool.


    Tip –

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb-4.example.com

      Service

      90

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the WebAgent-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click Add.

      In the Add Monitor dialog provide the following information:

      Name:

      WebAgent-http

      Inherits From:

      Choose http.

    3. Click Next.

    4. On the resulting Configure Basic Properties page, click Next.

    5. In the Send String field under Configure ECV HTTP Monitor, enter GET /monitor.html and click Next.

    6. On the Destination Address and Service (Alias) page, click Done.

      The monitor just added is in the list of monitors under the Monitors tab.

    7. Click the Basic Associations tab.

    8. Mark the Add checkbox next to the IP addresses for pr-1:1080 and pr-2:1080.

    9. At the top of the Node column, choose the monitor that you just added, WebAgent-http.

    10. Click Apply.

  7. Configure the load balancer for simple persistence.

    All requests sent within a specified interval from the same client address are routed to the same agent. This significantly reduces the number of session validation requests the agents send to OpenSSO Enterprise, and so reduces the load on the servers.


    Note –

    Simple persistence tracks connections by client IP address only, returning a client to the node it connected to previously for as long as the persistence entry is alive. Two consequences follow: clients that share an address, such as users behind a NAT gateway or a forward proxy, are all pinned to the same agent, which skews load across the pool; and a client whose address changes mid-session is balanced afresh, and the agent it lands on validates the session again. Neither breaks single sign-on, since every agent can validate the session with OpenSSO Enterprise.


    1. In the left frame, click Pools.

    2. Click the WebAgent-Pool link.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

      The timeout is an idle timeout: each request from a client address refreshes its persistence entry, and an address that has been idle for longer than 300 seconds is balanced afresh on its next request.

    6. Click Apply.

  8. Log out of the console.

Procedure – To Create a Monitoring File on Each Host Machine for Load Balancer 4

In order to configure the web policy agents to point to Load Balancer 4, create a file to be used by Load Balancer 4 for monitoring and modify the web agent properties — adding Load Balancer 4 as the virtual host. Instructions on how to create a monitoring file are in the following procedure. Instructions on how to modify the web agent properties are in To Add Load Balancer 4 as a Virtual Host by Modifying the Web Policy Agent Properties.


Note –

Alternatively, the Web Server's default index.html could serve as the monitoring page instead of a new monitor.html, but in this deployment index.html represents the resource protected by the web policy agent, so the monitoring page must be a separate file that can be left unprotected.


  1. As a root user, log in to the pr-1 host machine.

  2. Change to the document root directory of the Web Server instance.


    # cd /opt/SUNWwbsvr/https-pr-1.example.com/docs
    
  3. Create a monitor.html file to be used by the load balancer.


    # cat > monitor.html
    <HTML>
    </HTML>
    ^D

    Press Control-D to terminate the cat command.
    
  4. Run the tail command.


    # cd /opt/SUNWwbsvr/https-pr-1.example.com/logs
    # tail -f access
    

    If entries similar to the one below appear regularly, from the load balancer's address and with status 200, the custom monitor is configured properly.


    IP_address - - [30/Jul/2008:13:59:48 -0700] "GET /monitor.html" 200 15

    Tip –

    If you do not see "GET /monitor.html", troubleshoot the load balancer configuration.


  5. Log out of the pr-1 host machine.

  6. As a root user, log in to the pr-2 host machine.

  7. Change to the document root directory of the Web Server instance.


    # cd /opt/SUNWwbsvr/https-pr-2.example.com/docs
    
  8. Create a monitor.html file to be used by the load balancer.


    # cat > monitor.html
    <HTML>
    </HTML>
    ^D

    Press Control-D to terminate the cat command.
    
  9. Run the tail command.


    # cd /opt/SUNWwbsvr/https-pr-2.example.com/logs
    # tail -f access
    

    If entries similar to the one below appear regularly, from the load balancer's address and with status 200, the custom monitor is configured properly.


    IP_address - - [30/Jul/2008:13:59:48 -0700] "GET /monitor.html" 200 15

    Tip –

    If you do not see "GET /monitor.html", troubleshoot the load balancer configuration.


  10. Log out of the pr-2 host machine.
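The check in the procedure above is done by eye on `tail -f access`. The following script, added here as an example and not part of the original guide, makes the same check mechanical: it parses the common-log-format lines the Web Server writes, picks out the probes for /monitor.html, and reports whether they arrive regularly, from the load balancer, and with status 200. The log lines and the load balancer address 192.0.2.4 are constructed for the example; the monitor interval of 5 seconds is an assumption to replace with the value configured on the BIG-IP.

```python
"""Check a Sun Web Server access log for the load balancer's monitor probes.

Added example, not part of the deployment guide.  It parses the lines that
`tail -f access` shows and reports whether "GET /monitor.html" probes are
arriving regularly, from the expected load balancer address, and succeeding.
"""
import re
from datetime import datetime, timedelta

# Common log format as written by Sun Web Server, e.g.
#   192.0.2.4 - - [30/Jul/2008:13:59:48 -0700] "GET /monitor.html" 200 15
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: 192.0.2.4 stands in for Load Balancer 4.  The probe
# at 14:00:35 returned 404 (monitor.html missing) and follows a 32 s gap.
SAMPLE_LOG = """\
192.0.2.4 - - [30/Jul/2008:13:59:48 -0700] "GET /monitor.html" 200 15
192.0.2.4 - - [30/Jul/2008:13:59:53 -0700] "GET /monitor.html" 200 15
198.51.100.7 - - [30/Jul/2008:13:59:55 -0700] "GET /index.html HTTP/1.1" 302 0
192.0.2.4 - - [30/Jul/2008:13:59:58 -0700] "GET /monitor.html" 200 15
192.0.2.4 - - [30/Jul/2008:14:00:03 -0700] "GET /monitor.html" 200 15
192.0.2.4 - - [30/Jul/2008:14:00:35 -0700] "GET /monitor.html" 404 292
192.0.2.4 - - [30/Jul/2008:14:00:40 -0700] "GET /monitor.html" 200 15
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split(" ")
    # The BIG-IP send string has no HTTP version, so the request field may
    # be just 'GET /monitor.html'; the path is always the second word.
    path = parts[1] if len(parts) > 1 else ""
    return {"client": m.group("client"), "ts": ts,
            "path": path, "status": int(m.group("status"))}


def monitor_report(log_text, expected_prober, path="/monitor.html",
                   interval=timedelta(seconds=5)):
    """Summarise probe traffic for `path`.

    Returns the number of probes, how many did not return 200, probe sources
    other than the expected load balancer, the longest gap between
    consecutive probes in seconds (None if fewer than two), and a verdict.
    A longest gap well above the monitor interval means the node went
    unprobed for that period, which is what the procedure's tip warns about.
    """
    entries = (parse_line(l) for l in log_text.splitlines())
    probes = sorted((e for e in entries if e and e["path"] == path),
                    key=lambda e: e["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(probes, probes[1:])]
    all_ok = all(e["status"] == 200 for e in probes)
    regular = not gaps or max(gaps) <= 2 * interval
    return {
        "probes": len(probes),
        "failures": sum(1 for e in probes if e["status"] != 200),
        "unexpected_sources": sorted({e["client"] for e in probes
                                      if e["client"] != expected_prober}),
        "longest_gap_s": max(gaps).total_seconds() if gaps else None,
        "probing_ok": bool(probes) and all_ok and regular,
    }


if __name__ == "__main__":
    print(monitor_report(SAMPLE_LOG, "192.0.2.4"))
```

Run it against a copy of the `access` log (or pipe `tail -n 200 access` into it) on each Protected Resource host; a probing_ok of False with a large longest gap points at the monitor association on the BIG-IP, while failures with status 404 point at a missing or misplaced monitor.html.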

Procedure – To Add Load Balancer 4 as a Virtual Host by Modifying the Web Policy Agent Properties

This procedure adds Load Balancer 4 as a valid virtual host in the properties of each web policy agent, so that requests carrying the load balancer's host name are not redirected to the agent's own host name, and adds the monitoring page to each agent's not-enforced URL list, so that the load balancer's probes are not redirected to authentication.

Before You Begin

This procedure assumes you have completed To Create a Monitoring File on Each Host Machine for Load Balancer 4.

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Agents tab.

  5. Click the Web tab.

    webagent-1 and webagent-2 are displayed in the Agent table.

  6. Click webagent-1

    The Global tab is displayed.

  7. Enter a key and value for the FQDN Virtual Host Map and click Add.

    The value is the fully qualified host name by which clients reach Load Balancer 4. Listing it tells the agent to accept requests whose Host header names the load balancer; requests for a host name that is neither the agent's default FQDN nor in this map are redirected to the default FQDN.

    Map Key

    valid

    Corresponding Map Value

    lb-4.example.com

  8. Click Save.

  9. Click the Application tab.

    The Application properties page is displayed.

  10. On the resulting page, under Not Enforced URL Processing, add the monitoring page to the Not Enforced URLs list.

    URLs in this list are served without a session, so list only the exact monitor page URLs, not a wildcard pattern, and keep the page free of anything sensitive. Enter each of the following and click Add.


    http://lb-4.example.com:90/monitor.html
    http://pr-1.example.com:1080/monitor.html
  11. Click Save.

  12. Click Back to Main Page.

  13. Click webagent-2

    The Global tab is displayed.

  14. Enter a key and value for the FQDN Virtual Host Map and click Add.

    The value is the fully qualified host name by which clients reach Load Balancer 4, as for webagent-1.

    Map Key

    valid

    Corresponding Map Value

    lb-4.example.com

  15. Click Save.

  16. Click the Application tab.

    The Application properties page is displayed.

  17. On the resulting page, provide values for Not Enforced URL Processing.

    Enter each of the following and click Add.


    http://lb-4.example.com:90/monitor.html
    http://pr-2.example.com:1080/monitor.html
  18. Click Save.

  19. Click Back to Main Page.

  20. Log out of the OpenSSO Enterprise console and close the browser.

Procedure – To Configure Policy for the Web Policy Agents

Use the OpenSSO Enterprise console to configure policy for the web policy agents. The policies you create here are used in To Verify the Web Policy Agents Load Balancer Configuration is Working Properly.

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Policies tab.

  5. Click New Policy.

    The New Policy page is displayed.

  6. On the New Policy page, enter URL Policy for LoadBalancer-4 in the Name field.

  7. Click New under Rules.

    The New Rules page is displayed.

  8. On the New Rules page, accept the default URL Policy Agent (with resource name) and click Next.

  9. On the resulting page, provide the following information.

    Name:

    Rule for LoadBalancer-4.

    Resource Name:

    http://lb-4.example.com:90/*

    GET

    Mark this checkbox and verify that Allow is selected.

    POST

    Mark this checkbox and verify that Allow is selected.

  10. Click Finish.

    The New Policy page is displayed again.

  11. On the New Policy page, click New under Subjects.

    The New Subjects page is displayed.

  12. On the New Subjects page, verify that Access Manager Identity Subject is selected and click Next.

  13. On the resulting page, provide the following information.

    Name

    Subject for LoadBalancer-4.

    Filter

    From the drop-down list, select User and click Search. The search returns a list of available users.

    Available

    From the generated User list, select testuser1 and click Add. testuser1 is displayed in the Selected List.

  14. Click Finish.

    The New Policy page is displayed again.

  15. On the New Policy page, click OK.

    The completed policy is now included in the list of Policies.

  16. Log out of the OpenSSO Enterprise console and close the browser.

Procedure – To Verify the Web Policy Agents Load Balancer Configuration is Working Properly

  1. Access http://lb-4.example.com:90/index.html, the web policy agents load balancer, from a web browser.

    The web policy agent redirects you to the OpenSSO Enterprise login page.

  2. Log in to OpenSSO Enterprise as testuser1.

    Username

    testuser1

    Password

    password

    If the default Web Server index.html page is displayed, the load balancer is configured properly.

  3. Close the browser.

  4. Access the web policy agents load balancer at http://lb-4.example.com:90/index.html from a web browser again.


    Tip –

    If not redirected to the OpenSSO Enterprise login page for authentication, clear your browser's cache and cookies and try again.


  5. Log in to OpenSSO Enterprise as testuser2.

    Username

    testuser2

    Password

    password

    You should see the message "You're not authorized to view this page" or "Your client is not allowed to access the requested object": testuser2 has a valid session but is not a subject of the test policy, so the agent denies the request.
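The policy and verification procedures above exercise three decisions the web policy agent makes for every request: whether the Host header is one it accepts (the FQDN virtual host map), whether the URL is exempt from enforcement (the not-enforced list), and otherwise whether the caller has a session and the URL policy allows the action. The following is a simplified model of that evaluation order, added here as an example; it is not part of the guide and not the agent's own code. The FQDN map, not-enforced URLs, policy resource and the two test users are taken from this chapter. DEFAULT_FQDN, LOGIN_URL, the session tokens and the use of fnmatch as the wildcard matcher are assumptions made for the example.

```python
"""Simplified model of how webagent-1 behind Load Balancer 4 treats a request.

Added example; not the agent's code.  Evaluation order: (1) FQDN check with
redirect to the default FQDN, (2) not-enforced URL list, (3) session plus
URL policy.  fnmatch stands in for the agent's own pattern matcher.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT_FQDN = "pr-1.example.com"               # assumed: the agent's own host name
FQDN_MAP = {"valid": "lb-4.example.com"}         # FQDN Virtual Host Map from the chapter
NOT_ENFORCED = [                                 # Not Enforced URLs from the chapter
    "http://lb-4.example.com:90/monitor.html",
    "http://pr-1.example.com:1080/monitor.html",
]
POLICIES = [{                                    # "URL Policy for LoadBalancer-4"
    "resource": "http://lb-4.example.com:90/*",
    "actions": {"GET": "allow", "POST": "allow"},
    "subjects": {"testuser1"},
}]
LOGIN_URL = "https://osso-1.example.com:1081/opensso/UI/Login"   # assumed
SESSIONS = {"token-testuser1": "testuser1",      # constructed stand-ins for SSO tokens
            "token-testuser2": "testuser2"}


def evaluate(method, url, token=None):
    """Return (decision, detail) for a request as the agent would see it.

    decision is "redirect" (host name not valid for this agent), "allow",
    "login" (no valid session) or "deny" (valid session, policy did not allow).
    """
    host = urlsplit(url).hostname
    if host != DEFAULT_FQDN and host not in FQDN_MAP.values():
        # Unknown host name: send the browser to the canonical name so the
        # SSO cookie set for that domain is presented on the next request.
        return "redirect", url.replace(host, DEFAULT_FQDN, 1)
    if any(fnmatchcase(url, pattern) for pattern in NOT_ENFORCED):
        return "allow", "not enforced"
    user = SESSIONS.get(token)
    if user is None:
        return "login", LOGIN_URL
    for policy in POLICIES:
        if (fnmatchcase(url, policy["resource"])
                and user in policy["subjects"]
                and policy["actions"].get(method) == "allow"):
            return "allow", user
    return "deny", user


def overbroad(not_enforced, must_stay_protected):
    """Return the not-enforced patterns that would also exempt a protected URL.

    Run this before adding a pattern: "http://lb-4.example.com:90/*" would
    exempt index.html and every other page behind the agent, not just the
    monitor page.
    """
    return [p for p in not_enforced
            if any(fnmatchcase(u, p) for u in must_stay_protected)]


if __name__ == "__main__":
    base = "http://lb-4.example.com:90/"
    print(evaluate("GET", base + "monitor.html"))                   # ('allow', 'not enforced')
    print(evaluate("GET", base + "index.html"))                     # ('login', LOGIN_URL)
    print(evaluate("GET", base + "index.html", "token-testuser1"))  # ('allow', 'testuser1')
    print(evaluate("GET", base + "index.html", "token-testuser2"))  # ('deny', 'testuser2')
    print(overbroad([base + "*"], [base + "index.html"]))           # [base + '*']
```

The last call is the check worth keeping: feed it the agent's not-enforced list and a handful of URLs that must never be served anonymously, and it should return an empty list.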

9.2 Configuring the J2EE Policy Agents Load Balancer

The reasoning behind persistence for the web policy agents applies equally here: each J2EE policy agent validates user sessions and evaluates the applicable policies, and caches the results. Without persistence, each agent builds its own cache for the same user session, multiplying the session validation and policy evaluation workload on the OpenSSO Enterprise servers, and the problem grows with the number of agents. Load Balancer 5 therefore handles traffic for the J2EE policy agents and is configured for HTTP cookie persistence, which sends all requests from the same browser to the same agent. Use the following list of procedures as a checklist for configuring the J2EE policy agents' load balancer.

  1. To Configure the J2EE Policy Agents Load Balancer

  2. To Add Load Balancer 5 as a Virtual Host by Modifying the J2EE Policy Agent Properties

  3. To Configure Policy for the J2EE Policy Agents

  4. To Verify the J2EE Policy Agent Load Balancer Configuration is Working Properly

Procedure – To Configure the J2EE Policy Agents Load Balancer

Before You Begin

The load balancer hardware and software used for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      J2EEAgent-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the Application Server IP addresses and port numbers: pr-1:1081 and pr-2:1081.

    4. Click Done.

    5. In the List of Pools, click J2EEAgent-Pool.

    6. Click the Persistence tab and provide the following information:

      Persistence Type:

      Choose Active Http Cookie


      Note –

      Active HTTP Cookie persistence uses an HTTP cookie stored in the client's browser to return the client to the server it previously visited, so persistence follows the browser rather than the client address. In Insert mode the BIG-IP adds the cookie itself; by default the value is encoded, not encrypted, so it reveals the selected pool member's address and port to anyone who can read the cookie, and in this deployment it travels over plain HTTP on port 91.


      Method:

      Choose Insert

    7. Click Apply.

  5. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when a user connects, forwards the connection to the most appropriate real server in the pool.


    Note –

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer for this step.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb-5.example.com

      Services Port

      91

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the J2EEAgent-Pool pool.

    6. Click Done.

  6. Add Monitors.

    Monitors are required for the load balancer to detect the backend server failures.

    1. Click Monitors in the left frame.

    2. Click the Basic Associations tab.

    3. Mark the Add checkbox for the IP addresses for pr-1:1081 and pr-2:1081.

    4. At the top of the Node column, select tcp.

    5. Click Apply.

  7. Log out of the load balancer console.
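The two load balancers in this chapter use different persistence mechanisms: Load Balancer 4 pins by client address with a 300-second idle timeout, and Load Balancer 5 pins by an inserted HTTP cookie. The following model, added here as an example and not part of the guide or F5 code, shows both mechanisms on the same request timeline: why a NAT address collapses several users onto one agent under simple persistence but not under cookie persistence, why an idle client is rebalanced, and what the inserted cookie reveals. The pool member addresses, client addresses and request timeline are constructed. The cookie encoding implemented here is the default unencrypted BIG-IP form (the member IP as a little-endian decimal, the port byte-swapped); treat that as an assumption to verify against your BIG-IP version.

```python
"""Simple (client address) persistence versus cookie-insert persistence.

Added example; not F5 code.  Models Load Balancer 4 (simple persistence,
300 s idle timeout) and Load Balancer 5 (Active HTTP Cookie, Insert mode)
on a constructed two-member pool.
"""
from itertools import cycle

# Constructed addresses standing in for pr-1:1081 and pr-2:1081.
POOL = [("10.0.1.21", 1081), ("10.0.1.22", 1081)]


def route_by_address(requests, timeout=300):
    """Route (t, client_ip, user) requests with round robin plus simple persistence.

    timeout is the idle timeout in seconds; None disables persistence.
    Returns {user: set of members hit}.  Users behind one NAT address share
    a pin, and a client idle longer than the timeout is balanced afresh.
    """
    members = cycle(POOL)
    table = {}                       # client_ip -> (member, last_seen)
    hits = {}
    for t, ip, user in sorted(requests):
        entry = table.get(ip)
        if timeout is None or entry is None or t - entry[1] > timeout:
            member = next(members)
        else:
            member = entry[0]
        table[ip] = (member, t)
        hits.setdefault(user, set()).add(member)
    return hits


def encode_cookie(member):
    """Encode (ip, port) the way a default Insert-mode BIG-IP cookie does."""
    ip, port = member
    a, b, c, d = (int(x) for x in ip.split("."))
    ip_enc = (d << 24) | (c << 16) | (b << 8) | a
    port_enc = ((port & 0xFF) << 8) | (port >> 8)
    return f"{ip_enc}.{port_enc}.0000"


def decode_cookie(value):
    """Recover (ip, port) from a cookie value; anyone holding the cookie can."""
    ip_enc, port_enc, _ = (int(x) for x in value.split("."))
    ip = ".".join(str((ip_enc >> shift) & 0xFF) for shift in (0, 8, 16, 24))
    port = ((port_enc & 0xFF) << 8) | (port_enc >> 8)
    return ip, port


def route_by_cookie(requests):
    """Route (t, user) requests, one browser per user, with Insert-mode cookies.

    Returns ({user: set of members hit}, {user: cookie value}).  Persistence
    follows the browser, not the address, so NAT'd users are still spread
    across members; a cookie naming a member not in the pool is ignored.
    """
    members = cycle(POOL)
    jar = {}
    hits = {}
    for t, user in sorted(requests):
        member = decode_cookie(jar[user]) if user in jar else None
        if member not in POOL:
            member = next(members)
            jar[user] = encode_cookie(member)
        hits.setdefault(user, set()).add(member)
    return hits, jar


if __name__ == "__main__":
    # alice and bob have their own addresses; carol and dave sit behind one NAT.
    reqs = [(0, "198.51.100.10", "alice"), (1, "203.0.113.5", "carol"),
            (2, "203.0.113.5", "dave"), (5, "198.51.100.11", "bob"),
            (10, "198.51.100.10", "alice"), (20, "198.51.100.10", "alice"),
            (400, "198.51.100.10", "alice")]
    print("no persistence:    ", route_by_address(reqs, timeout=None))
    print("simple persistence:", route_by_address(reqs))
    hits, jar = route_by_cookie([(t, u) for t, _, u in reqs])
    print("cookie persistence:", hits)
    print("carol's cookie names", decode_cookie(jar["carol"]))
```

The first printout shows a single user spread over both agents, which is the double-cache situation the notes in this chapter warn about; the second shows carol and dave sharing one agent because they share an address, and alice rebalanced after 380 idle seconds; the third shows the cookie separating the NAT'd users, and the decode call shows why a cookie that names a pool member should not be treated as opaque.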

Procedure – To Add Load Balancer 5 as a Virtual Host by Modifying the J2EE Policy Agent Properties

In order to configure the J2EE policy agents to point to Load Balancer 5, modify the J2EE agent properties — adding Load Balancer 5 as the virtual host.

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Agents tab.

  5. Click the J2EE tab.

    j2eeagent-1 and j2eeagent-2 are displayed under the Agent table.

  6. Click j2eeagent-1

    The Global tab is displayed.

  7. Enter a key and value for the FQDN Virtual Host Map and click Add.

    Both the key and the value are the fully qualified host name by which clients reach Load Balancer 5.

    Map Key

    lb-5.example.com

    Corresponding Map Value

    lb-5.example.com

  8. Click Save.

  9. Click Back to Main Page.

  10. Click j2eeagent-2

    The Global tab is displayed.

  11. Enter a key and value for the FQDN Virtual Host Map and click Add.

    Both the key and the value are the fully qualified host name by which clients reach Load Balancer 5.

    Map Key

    lb-5.example.com

    Corresponding Map Value

    lb-5.example.com

  12. Click Save.

  13. Click Back to Main Page.

Procedure – To Configure Policy for the J2EE Policy Agents

The policies you create here are used in To Verify the J2EE Policy Agent Load Balancer Configuration is Working Properly.

Before You Begin

This procedure assumes that you have just completed To Add Load Balancer 5 as a Virtual Host by Modifying the J2EE Policy Agent Properties and are still logged into the OpenSSO Enterprise console.

  1. Under the Access Control tab, click / (Top Level Realm).

  2. Click the Policies tab.

  3. Click New Policy.

    The New Policy page is displayed.

  4. On the New Policy page, enter URL Policy for LoadBalancer-5 in the Name field.

  5. Click New under Rules.

    The New Rules page is displayed.

  6. On the New Rules page, accept the default URL Policy Agent (with resource name) and click Next.

  7. On the resulting page, provide the following information.

    Name:

    Rule for LoadBalancer-5.

    Resource Name:

    http://lb-5.example.com:91/*

    GET

    Mark this checkbox and verify that Allow is selected.

    POST

    Mark this checkbox and verify that Allow is selected.

  8. Click Finish.

  9. On the New Policy page again, under Subjects, click New.

  10. On the resulting page, verify that Access Manager Identity Subject is selected, and click Next.

  11. On the resulting page, provide the following information:

    Name:

    LoadBalancer-5_Groups

    Filter:

    In the drop-down list, select Group and click Search.

    The search returns a list of available groups.

  12. Select Employee-Group and Manager-Group and click Add.

    The Employee-Group and Manager-Group groups are in the Selected List.

  13. Click Finish.

  14. On the resulting page, click OK.

    The created policy is displayed in the list of Policies.

  15. Log out of the OpenSSO Enterprise console and close the browser.

Procedure – To Verify the J2EE Policy Agent Load Balancer Configuration is Working Properly

  1. Access http://lb-5.example.com:91/agentsample/index.html from a web browser.

    The Sample Application welcome page is displayed.

  2. Click the J2EE Declarative Security link.

  3. On the resulting page click Invoke the Protected Servlet.

    The policy agent redirects to the OpenSSO Enterprise login page.

  4. Log in to OpenSSO Enterprise as testuser1.

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, this first part of the test succeeded and authentication is working as expected.

  5. Click the J2EE Declarative Security link to return.

  6. On the resulting page, click Invoke the Protected Servlet.

    If the Successful Invocation message is displayed, this second part of the test has succeeded and the sample policy for the employee role has been enforced as expected.

  7. Close the browser.

  8. Open a new browser and access http://lb-5.example.com:91/agentsample/index.html.

    The Sample Application welcome page is displayed.

  9. Click the J2EE Declarative Security link.

  10. On the resulting page click Invoke the Protected Servlet.

    The policy agent redirects to the OpenSSO Enterprise login page.

  11. Log in to OpenSSO Enterprise as testuser2.

    Username

    testuser2

    Password

    password

    If the Access to Requested Resource Denied message is displayed, this third part of the test succeeded and the sample policy for the manager role has been enforced as expected.

  12. Click the J2EE Declarative Security link to return.

  13. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    If the Successful Invocation message is displayed, the sample policy for the employee role has been enforced as expected.

  14. Close the browser.