Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

8.2 Configuring the OpenSSO Enterprise Load Balancer

The two instances of OpenSSO Enterprise are fronted by one load balancer (Load Balancer 2). Users will access OpenSSO Enterprise through the secure port 1081. Load Balancer 2 sends the user and agent requests to the server where the session originated. Secure Sockets Layer (SSL) is terminated and regenerated before a request is forwarded to the OpenSSO Enterprise servers to allow the load balancer to inspect the traffic for proper routing. Load Balancer 2 is capable of the following types of load balancing:

Cookie-based 

The load balancer makes decisions based on the client's cookies. The load balancer looks at the request and detects the presence of a cookie with a specific name. If the cookie is detected in the request, the load balancer routes the request to the specific server to which the cookie has been assigned. If the cookie is not detected in the request, the load balancer balances client requests among the available servers.

IP-based 

This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends all requests from a specific IP address to the same server. 

TCP 

The load balancer maintains session affinity. This means that all requests related to a TCP session are forwarded to the same server. In this deployment example, Load Balancer 2 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load balancing is applicable to TCP-based protocols.

This section assumes that you have already installed a load balancer. Before you begin, note the following:

Use the following list of procedures as a checklist for completing the task.

  1. To Request a Certificate for OpenSSO Enterprise Load Balancer 2

  2. To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2

  3. To Install the Server Certificate to OpenSSO Enterprise Load Balancer 2

  4. To Configure OpenSSO Enterprise Load Balancer 2

  5. To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer 2

Procedure: To Request a Certificate for OpenSSO Enterprise Load Balancer 2

You should already have a root certificate from the CA of your choice. Generate a request for a server certificate to send to the CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.siroe.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. In the Create Certificate Request page, provide the following information.

    Key Identifier:

    lb2.sp-example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    lb2.sp-example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a file named lb-2.csr.

  10. Log out of the console and close the browser.

  11. Send lb-2.csr to the CA of your choice.

    The CA issues and returns a signed server certificate named lb-2.cer.

Procedure: To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2

Install the CA root certificate on Load Balancer 2 to ensure that a link between it and the CA can be maintained. Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. In the BIG-IP load balancer console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, choose Browser.

  9. Navigate to ca.cer and click Open.

  10. In the Certificate Identifier field, enter openSSLCA.

  11. Click Install Certificate.

  12. On the Certificate openSSLCA page, click Return to Certificate Administration.

    The root certificate named openSSLCA is now included in the Certificate ID list.

Procedure: To Install the Server Certificate to OpenSSO Enterprise Load Balancer 2

Before You Begin

This procedure assumes you have received the CA-signed server certificate requested in To Request a Certificate for OpenSSO Enterprise Load Balancer 2, just completed To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2, and are still logged into the load balancer console.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key lb2.sp-example.com is in the Key List.

  3. In the Certificate ID column, click Install for lb2.sp-example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to lb-2.cer, the CA-signed server certificate, and click Open.

  6. Click Install Certificate.

  7. On the Certificate lb2.sp-example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates lb2.sp-example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

Procedure: To Configure OpenSSO Enterprise Load Balancer 2

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information.

      Pool Name

      OpenSSO-SP-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP addresses and port numbers for both OpenSSO Enterprise host machines.


      Note –

      Use port number 1081.


    4. Click Done.

  5. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when users attempt to connect, forwards the connection to the most appropriate real server.


    Note –

    If you encounter JavaScript(TM) errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb2.sp-example.com

      Service

      1082

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the OpenSSO-SP-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    OpenSSO Enterprise comes with a JSP file named isAlive.jsp that can be contacted to determine whether the server is up. Since we have not yet deployed OpenSSO Enterprise, isAlive.jsp cannot be used. In the following sub-procedure, create a custom monitor that periodically accesses the Application Server instance(s). If desired, the monitor can be changed later to use isAlive.jsp.

    1. Click the Monitors tab.

    2. Click the Basic Associations tab.

    3. Find the IP address for osso1.sp-example.com:1080 and osso2.sp-example.com:1080.

    4. Mark the Add checkbox that corresponds to the IP address for both osso1.sp-example.com:1080 and osso2.sp-example.com:1080.

    5. At the top of the Node column, choose the tcp monitor.

    6. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left pane, click Pools.

    2. Click the name of the pool you want to configure; in this case, OpenSSO-SP-Pool.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Passive HTTP Cookie.

    5. Under Cookie Name, enter amlbcookie.

    6. Click Apply.

  8. In the left pane, click BIGpipe.

  9. In the BIGpipe command window, type the following:


    makecookie ip-address:port
    

    ip-address is the IP address of the osso1.sp-example.com host machine and port is the same machine's port number; in this case, 1081.

  10. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=692589248.36895.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.88888.0000) for use in To Create a Site on OpenSSO Enterprise 1.

  11. In the left pane, click BIGpipe again.

  12. In the BIGpipe command window, type the following:


    makecookie ip-address:port
    

    ip-address is the IP address of the osso2.sp-example.com host machine and port is the same machine's port number; in this case, 1081.

  13. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=692589248.12345.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.99999.0000) for use in To Create a Site on OpenSSO Enterprise 1.

  14. Log out of the load balancer console.
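The makecookie values saved in steps 10 and 13 are what the passive-cookie persistence configured in step 7 keys on: OpenSSO Enterprise later emits each value in amlbcookie, and Load Balancer 2 routes a request back to the member whose value it carries, falling back to round robin when the cookie is absent or unknown (the cookie-based balancing described at the top of this section). The following is an added example, not part of this guide or of BIG-IP, that reproduces the well-known BIG-IP cookie encoding (IPv4 address as a little-endian 32-bit integer, then the byte-swapped port, then 0000) so you can check that a saved value really encodes the osso1 or osso2 address and port 1081 before entering it in the site configuration, and that models the passive-cookie routing. The host addresses 192.0.2.11 and 192.0.2.12 are constructed placeholders, not the addresses used in this deployment. Because the encoding is reversible, anyone holding the cookie can recover the member address and port it names, so treat the cookie as disclosing internal topology and use the platform's cookie encryption where it is available.

```python
"""Added example (not from the Sun deployment guide or F5): encode/decode
BIG-IP makecookie persistence values and model passive-cookie routing.

Assumed cookie format: "<ip>.<port>.0000", where <ip> is the IPv4 address
read as a little-endian 32-bit integer and <port> is the 16-bit port with
its two bytes swapped. Member addresses below are constructed (TEST-NET-1).
"""
import socket
import struct
from itertools import cycle


def makecookie(ip, port):
    """Return the value BIG-IP's makecookie prints for ip:port."""
    ip_le = struct.unpack("<I", socket.inet_aton(ip))[0]          # little-endian IPv4
    port_swapped = struct.unpack("<H", struct.pack(">H", port))[0]  # byte-swapped port
    return "%d.%d.0000" % (ip_le, port_swapped)


def decode_cookie(value):
    """Inverse of makecookie: recover (ip, port) from a saved cookie value."""
    ip_part, port_part, _tail = value.split(".")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_part)))
    port = struct.unpack(">H", struct.pack("<H", int(port_part)))[0]
    return ip, port


def matches(value, ip, port):
    """True if the saved value encodes exactly the expected member ip:port."""
    try:
        return decode_cookie(value) == (ip, port)
    except (ValueError, struct.error, OSError):
        return False  # malformed or out-of-range value never matches


class PassiveCookieBalancer:
    """Model of the pool with Passive HTTP Cookie persistence.

    The members (OpenSSO servers) set the cookie; the balancer only reads it.
    A request carrying a cookie that names a known member goes to that member,
    anything else is distributed round robin.
    """

    def __init__(self, cookie_name, members):
        self.cookie_name = cookie_name
        # Map each member's makecookie value back to the member it names.
        self.by_cookie = {makecookie(ip, port): (ip, port) for ip, port in members}
        self._rr = cycle(members)

    def route(self, cookies):
        """Return ((ip, port), reason) for a request with the given cookies."""
        member = self.by_cookie.get(cookies.get(self.cookie_name))
        if member is not None:
            return member, "cookie"
        return next(self._rr), "round-robin"


if __name__ == "__main__":
    # Constructed members standing in for osso1 and osso2 on port 1081.
    members = [("192.0.2.11", 1081), ("192.0.2.12", 1081)]
    for ip, port in members:
        value = makecookie(ip, port)
        print("%s:%d -> %s -> %s" % (ip, port, value, decode_cookie(value)))
    lb = PassiveCookieBalancer("amlbcookie", members)
    print(lb.route({}))                                        # round-robin
    print(lb.route({"amlbcookie": makecookie("192.0.2.12", 1081)}))  # cookie
```

Run it directly to see the encoded values for the constructed members; to check a value you saved from BIGpipe, call matches(saved_value, ip, 1081) with the real host's address. The sample value 692589248.36895.0000 shown in step 10 decodes to 192.18.72.41:8080, which illustrates why checking the saved value against the intended member is worthwhile.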

Procedure: To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer 2

SSL communication is terminated at Load Balancer 2. The request is then re-encrypted and securely forwarded to OpenSSO Enterprise. When clients send an SSL-encrypted request to Load Balancer 2, it decrypts the request and re-encrypts it before sending it on to the OpenSSO Enterprise SSL port. Load Balancer 2 also encrypts the responses it receives back from OpenSSO Enterprise, and sends these encrypted responses back to the client. To this end, create an SSL proxy for SSL termination and regeneration.

Before You Begin

Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information.

    Proxy Type:

    Check the SSL and ServerSSL checkbox.

    Proxy Address:

    The IP address of Load Balancer 2.

    Proxy Service:

    1081

    The secure port number

    Destination Address:

    The IP address of Load Balancer 2.

    Destination Service:

    1082

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose lb2.sp-example.com.

    SSL Key:

    Choose lb2.sp-example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. On the page that starts with “Insert HTTP Header String,” change the setting to Rewrite Redirects and choose Matching.

  9. Click Next.

  10. On the page that starts with “Server Chain File,” change the setting to Server Trusted CA's File and select ca.cer from the drop-down list.

  11. Click Done.

    The new proxy server is added to the Proxy Server list.

  12. Log out of the load balancer console.

  13. Access https://lb2.sp-example.com:1081/index.html from a web browser.

    If the Application Server index page is displayed, you can access it using the new proxy server port number and the load balancer is configured properly.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  14. Close the browser.