Sun GlassFish Enterprise Server v2.1.1 High Availability Administration Guide

Procedure: To Set Up the HTTP Load Balancer in SSL Mode for Sun Web Server 6.1


Note –

You need to perform the steps in this section only if you want to use the Auto Apply feature of the load balancer plug-in. This feature helps to send the load balancer configuration automatically over the wire to the web server configuration directory.


  1. Using a browser, access the Admin GUI of Web Server and login.

  2. Select your server instance and click on Manage.

  3. Click on the Security tab.

  4. Initialize the trust database by supplying a user name and password. This can be done either from the GUI or with the certutil command. The following certutil options initialize the trust database:

    certutil -N -P "https-instance-name-hostname-" -d .
    • When prompted by certutil, enter a password that will be used to encrypt your keys. The password should be at least eight characters long and should contain at least one non-alphabetic character.

    • When prompted again for the new password, enter the same password.

  5. Create a sample local Certificate Authority (CA) using the following command:

    certutil -S -P "https-boqueron.virkki.com-boqueron-" \
      -d . \
      -n SelfCA -s "CN=Self CA,OU=virkki.com,C=US" \
      -x -t "CT,CT,CT" \
      -m 101 -v 99 -5
    1. When prompted to enter 0-7 for the type of certificate, type 5 for SSL CA. When the prompt reappears, specify 9.

    2. When queried “Is this a critical extension [y/n]?,” specify “y.”

  6. Use the sample CA created above to generate a server certificate:

    certutil -S -P "https-instance-name-hostname-" \
      -d . -n MyServerCert -s "CN=boqueron.virkki.com,C=US" \
      -c SelfCA -t "u,u,u" -m 102 -v 99 -5
    1. When prompted to enter 0-7 for the type of certificate, type 1 for SSL Server. When the prompt reappears, specify 9.

    2. When queried “Is this a critical extension [y/n]?,” specify “y.”

  7. Edit the current HTTP Listener socket by clicking on Preferences->Edit Listen Socket. Enable the security and choose the certificate created in the previous step.

    If you prefer not to use the GUI, change the listen socket entry to read as follows: set the value of the security attribute in the <LS> tag to "true", and alter the tag so that it contains the SSLPARAMS body content and a closing </LS> tag. Be sure to remove carriage returns when adding the tag.

    <LS id="ls1" port="80" servername="$DEPLOY-INSTANCE"
    defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true"
    acceptorthreads="1" blocking="false">
    <SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off"
    ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des"
    ssl3="on"
    tls="on"
    ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,
    +rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,
    -rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,
    +fips_3des_sha,-fips_des_sha" tlsrollback="on"
    clientauth="off"/>
    </LS>
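As an added example that is not part of the Sun documentation, the following Python script parses an <LS> listen socket entry like the one in step 7 and reports the settings a reviewer would flag before putting the listener into service. The sample entry is constructed from the step above with its placeholders left in place, and the weak-cipher markers are an assumption reflecting current guidance rather than anything the 6.1 product defines.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <LS> entry from step 7 above, placeholders left as-is.
SAMPLE_LS = """<LS id="ls1" port="80" servername="$DEPLOY-INSTANCE"
  defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true"
  acceptorthreads="1" blocking="false">
<SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off"
  ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des"
  ssl3="on" tls="on"
  ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha"
  tlsrollback="on" clientauth="off"/>
</LS>"""

# Assumption: substrings that mark a suite as weak by current guidance
# (RC4, RC2, single DES, NULL, export-grade and 40/56-bit suites).
WEAK_MARKERS = ("rc4", "rc2", "_des_", "null", "export", "_40_", "_56_")

def parse_cipher_list(value):
    """Split a '+name,-name,...' list into an ordered {name: enabled} map."""
    enabled = {}
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError(f"cipher entry lacks +/- prefix: {tok!r}")
        enabled[tok[1:]] = tok[0] == "+"
    return enabled

def audit_listen_socket(xml_text):
    """Return a list of findings for one <LS> element and its SSLPARAMS."""
    ls = ET.fromstring(xml_text)
    findings = []
    if ls.get("security") != "true":
        findings.append("security is not enabled on the listen socket")
    ssl = ls.find("SSLPARAMS")
    if ssl is None:
        return findings + ["no SSLPARAMS element present"]
    if ssl.get("ssl2") == "on":
        findings.append("SSLv2 is enabled")
    if ssl.get("tls") != "on":
        findings.append("TLS is not enabled")
    ciphers = parse_cipher_list(ssl.get("ssl3tlsciphers", ""))
    for name, on in ciphers.items():
        if on and any(m in name for m in WEAK_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    if not any(ciphers.values()):
        findings.append("no SSL3/TLS cipher suite is enabled")
    return findings
```

Run against the sample entry it flags the two enabled RC4 and single-DES suites, so the step-7 configuration would be tightened by switching those entries from "+" to "-" before enabling the listener.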