|Skip Navigation Links|
|Exit Print View|
|Oracle GlassFish Server 3.1-3.1.1 High Availability Administration Guide|
The GlassFish Loadbalancer Configurator automatically performs the necessary configurations for the Apache HTTP Server. The Loadbalancer Plug-In supports Apache HTTP Server 2.2.x.
You must compile Apache HTTP Server with SSL support if you plan on using the load balancer Auto Apply feature. SSL configuration must be performed on the web server prior to installing the Loadbalancer Plug-In. The Auto Apply feature enables changes made to a configuration through the GlassFish Server Administration Console or from the command line with the apply-http-lb-changes(1) subcommand to be automatically sent over the wire to the web server configuration directory. If you will not be using the load balancer Auto Apply feature, you can skip the SSL configuration portions of these procedures.
The following topics are addressed here:
To use SSL mode in Apache, you must compile and build your Apache installation from the Apache source files with SSL enabled. This section describes the minimum requirements and high-level steps needed to successfully compile Apache HTTP Server to run the Loadbalancer Plug-In. These requirements and steps only apply to the Solaris and Linux versions of the software. The Windows version of Apache is not supported.
There are two tasks that you need to perform here to configure Apache with SSL support before installing the Loadbalancer Plug-In:
Note - The instructions included here are adapted from the Apache HTTP Server documentation at http://httpd.apache.org/docs. For more detailed instructions on building and installing Apache HTTP Server with SSL support, please refer to the Apache documentation.
The procedure explains how to download OpenSSL and Apache HTTP Server 2.2.x software, and then how to build Apache HTTP Server with SSL support.
OpenSSL software for Windows and Linux is available from http://www.openssl.org/source/.
OpenSSL for Solaris is available from http://www.sunfreeware.com/.
Note that 32–bit OpenSSL is needed when running 32–bit Apache HTTP server.
For full installation instructions, see the file named INSTALL in the directory where you uncompressed OpenSSL. That file has information on installing OpenSSL in a user-specified location.
For more information about OpenSSL, see the OpenSSL Web site.
Apache is available from http://httpd.apache.org.
Be sure to enter the entire “./configure ...” command on a single line.
cd http-2.2_x export CFLAGS="-m32" ./configure --with-mpm=worker --with-included-apr --with-ssl=open-ssl-install-path --prefix=apache-install-path --enable-ssl --enable-so
cd http-2.2_x export CFLAGS="-m64" export LDFLAGS="-m64" export LD_LIBRARY_PATH=/usr/lib/64:/usr/sfw/lib/64 ./configure --with-mpm=worker --with-included-apr --with-ssl=open-ssl-install-path --prefix=apache-install-path --enable-ssl --enable-so CC=/usr/dist/share/sunstudio_sparc/SUNWspro/bin/cc
In the above commands:
Apache package name including version number; replace x with the actual dot release number of the package you are using
Enable multithreading support
Also build the Apache Portable Runtime (APR)
Full path to the directory in which OpenSSL is installed
Full path the directory in which Apache will be built
Enable support for SSL/TLS
Enable Dynamic Shared Object (DSO) module capability
Note that you only need to use the --enable-ssl, --enable-so, and --with-ssl options if your Apache server will be accepting HTTPS requests or using the Auto Apply feature.
For more information, see the Apache Web site.
In general, the steps are:
These steps are required to support HTTPS requests and the Auto Apply feature on the Apache HTTP Server.
For detailed information on setting up a security certificate on Apache, see the instructions on http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html and http://www.modssl.org/docs/2.8/ssl_faq.html. The following procedure is adapted from those web sites.
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 365
When asked for a common name, give the host name on which you plan to run Apache. For all other prompts, enter values that meet any specific requirements you have.
This command creates newreq.pem.
-----BEGIN CERTIFICATE----- .... ... -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- ... ... ... -----END RSA PRIVATE KEY-----
The ServerName should be the actual host name where Apache will run, matching the Common Name you entered when creating the server certificate and key.
The following topics are addressed here:
The Loadbalancer Plug-In requires access to NSS libraries. To enable this access, append the name of the directory that contains the NSS libraries to the LD_LIBRARY_PATH in the apache-install-dir/bin/envvars file. On most UNIX platforms, the NSS libraries are located in the /usr/lib/mps directory.
You may also need to add the following lines to the apache-install-dir/bin/envvars file if GlassFish Server reports that the HTTPS listeners are not healthy.
NSS_STRICT_NOFORK=DISABLED export NSS_STRICT_NOFORK
These lines may be required because the latest NSS libraries do not allow NSS forking. Adding these lines enables NSS forking.
Ensure that the Apache user has the required access permissions to the apache-install-location/conf/ directory and files in this directory. The Apache user is the UNIX user under which the Apache server responds to requests. This user is defined in the file httpd.conf. If you installed Apache as a root user, read the note about configuring the Apache user and group in apache-install-location/conf/httpd.conf.
Note - Ensure that your configuration of users and groups meets the security requirements for this directory. For example, to restrict access to this directory, add the Apache user to the same user group as the owner of the directory.
To ensure that the Loadbalancer Plug-In is initialized when Apache is started, grant the Apache user read access and write access to the following files:
To ensure that the Auto Apply feature operates correctly, grant the Apache user read access, write access, and execute access to the apache-install-location/conf/ directory.
If the Apache user is in the same group as the owner of this directory, change the mode to 775.
See Auto Apply for more information about this feature.
In general, you should start Apache with the same user ID that was used when installing GlassFish Server. You must start Apache as root under the following circumstances:
If you are using port numbers below 1024
If Apache runs as a different user than the user that starts GlassFish Server
Use the following command to start Apache 2.2.x:
If necessary, check the Apache web site for the latest information on starting the Apache server.