Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

5.4 Configuring the Access Manager Load Balancer

In this procedure, you configure the Access Manager servers to access the Directory Server through the load balancer. All configuration changes you make through the Access Manager 1 console are replicated to Access Manager 2, so there is no need to repeat those steps on the Access Manager 2 console. However, this task also requires editing XML and properties files, and those files are not replicated: you must edit them manually on both Access Manager 1 and Access Manager 2.


Note –

The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.


Use the following as your checklist for configuring the Access Manager load balancer:

  1. Configure the Access Manager servers to access the Directory Server load balancer.

  2. Verify successful Directory Server load balancing and system failover.

  3. Configure the Access Manager load balancer.

  4. Verify that the Access Manager load balancer is configured properly.

  5. Request an SSL certificate for the Access Manager load balancer.

  6. Install a root CA certificate on the Access Manager load balancer.

  7. Install an SSL certificate on the Access Manager load balancer.

  8. Configure SSL termination on the Access Manager load balancer.

Procedure: To Configure the Access Manager Servers to Access the Directory Server Load Balancer

  1. Go to the Access Manager URL.

    http://AccessManager-1.example.com:1080/amserver/console

  2. Log in to the Access Manager console using the following information:

    Username

    amadmin

    Password

    4m4dmin1

  3. Click the Configuration tab.

  4. Under Authentication, edit the following service configurations to reflect the LDAP load balancer name and port number LoadBalancer-1.example.com:1389.

    Under Authentication, for the following services, change the Primary LDAP server name and port to the load-balancer name and port. In this example, the new name is LoadBalancer-1.example.com:389.

    1. Under Authentication, click LDAP.

      In the Primary LDAP Server list, add LoadBalancer-1.example.com:389 and delete the default server from the list. Click Save, and then return to the Configuration tab.

    2. Under Authentication, click Membership.

      In the Primary LDAP Server list, add LoadBalancer-1.example.com:389 and delete the default server from the list. Click Save, and then return to the Configuration tab.

    3. Under Authentication, click MSISDN.

      In the Primary LDAP Server list, add LoadBalancer-1.example.com:389 and delete the default server from the list. Click Save, and then return to the Configuration tab.

    4. Under Global Properties, click Policy Configuration.

      In the Primary LDAP Server list, add LoadBalancer-1.example.com:389 and delete the default server from the list. Click Save, and then return to the Configuration tab.

  5. Edit the following property files on AccessManager-1.

    1. Still logged in to the Access Manager server as a root user, use an editor to modify the file /etc/opt/SUNWam/config/serverconfig.xml.

      Change the LDAP server host name and port number to the fully qualified name and port number for Load Balancer 1. Example:


      <iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
          <Server name="Server1"
                  host="LoadBalancer-1.example.com" port="389"
                  type="SIMPLE"/>
      ...

    2. Use an editor to modify the file /etc/opt/SUNWam/config/AMConfig.properties.

      Set the following properties:

      • com.iplanet.am.directory.port=389

      • com.iplanet.am.directory.host=LoadBalancer-1.example.com

      • com.sun.am.event.connection.idle.timeout=3

    The connection idle timeout value is set to 3 minutes. This value is less than the Firewall 3-to-Load Balancer 1 connection timeout, which is 5 minutes in this example. With the value set to 3 minutes, the Access Manager server assumes that its persistent search connections may be silently dropped on the Firewall 3-to-Load Balancer 1 path, and it re-establishes the persistent search connections every 3 minutes. Otherwise, the Access Manager server could block forever on the persistent search, because it is never notified that the TCP connection was silently dropped.

  6. Edit the following property files on AccessManager-2.

    1. Still logged in to the Access Manager server as a root user, use an editor to modify the file /etc/opt/SUNWam/config/serverconfig.xml.

      Change the LDAP server host name and port number to the fully qualified name and port number for Load Balancer 1. Example:


      <iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
          <Server name="Server1"
                  host="LoadBalancer-1.example.com" port="389"
                  type="SIMPLE"/>
      ...

    2. Use an editor to modify the file /etc/opt/SUNWam/config/AMConfig.properties.

      Set the following properties:

      • com.iplanet.am.directory.port=389

      • com.iplanet.am.directory.host=LoadBalancer-1.example.com

      • com.sun.am.event.connection.idle.timeout=3

  7. Restart both Access Manager servers for the changes to take effect.

Procedure: To Verify Successful Directory Server Load Balancing and System Failover

For each of the Access Manager servers, perform the following steps to confirm that all of its directory accesses are directed to one and only one Directory Server instance, and that system failover and recovery work properly. The following section describes how to perform the sanity check for the first Access Manager instance. Substitute the console URL with that of the second Access Manager instance when you perform the task for the second Access Manager instance.

  1. Confirm that the load balancer is properly configured for simple persistence.

    1. As a root user, log into host DirectoryServer-1 and host DirectoryServer-2.

    2. For each server, use the tail command to watch the Directory Server access log.

      # tail -f logs/access

    3. Start a new browser and go to the Access Manager 1 URL.

      Example: http://AccessManager-1.example.com:1080/amserver/console

    4. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    5. Navigate inside the Access Manager console while paying attention to the Directory Server access log.

      In the access log, you should see all directory accesses are directed to one Directory Server instance only, excluding the health check probing from the load balancer device. The navigation should not have any errors. Logout and close the browser if successful.

  2. Confirm that Directory Server failover works properly.

    1. Shut down Directory Server 1.

    2. Start a new browser and go to the Access Manager URL.

      Example: http://AccessManager-1.example.com:1080/amserver/console

    3. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    4. Navigate inside the Access Manager console while paying attention to the Directory Server access logs.

      # cd /var/opt/mps/serverroot/slapd-data/logs

      In the access logs, you should see all directory accesses are directed only to Directory Server 2. The navigation should not have any errors. Log out and close the browser if successful.

    5. Restart Directory Server 1, and stop Directory Server 2.

    6. Start a new browser and go to the Access Manager URL.

      Example: http://AccessManager-1.example.com:1080/amserver/console

    7. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    8. Navigate inside the Access Manager console.

      Watch the access logs of both Directory Server instances. You should see all directory accesses (excluding health checks by load balancer) are directed to only Directory Server 1. The navigation should not have any errors.

    9. Log out and close the browser if successful.

  3. Restart Directory Server 2.

    Confirm that both Directory Servers are restarted and running.

Procedure: To Configure the Access Manager Load Balancer

Users internal to your company access the Access Manager servers through the internal-facing load balancer. The internal-facing load balancer is optional, and enables you to customize an internal-facing login page that is different from the external-facing login page. Users external to your company first access the Distributed Authentication UI servers, which in turn route requests to the external-facing load balancer. Internal users access port 90, while external users access port 9443.

Load Balancer 3 sends the user and agent requests to the server where the session originated. SSL is terminated at Load Balancer 3 before a request is forwarded to the Access Manager Servers. Otherwise the load balancer cannot inspect the traffic for proper routing.

Load Balancer 3 is capable of the following types of load balancing:

Cookie-based 

The load balancer makes decisions based on client's cookies. The load balancer looks at the request and detects the presence of a cookie by a specific name. If the cookie is detected in the request, the load balancer routes the request to the specific server to which the cookie has been assigned. If the cookie is not detected in the request, the load balancer balances client requests among the available servers. 

IP-based 

This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends requests from a specific client to the same server. So a request from the client will always be processed by the server that last processed the request from that client. 

TCP 

The load balancer maintains session affinity. This means that all requests related to a TCP session are forwarded to the same server. In this deployment example, Load Balancer 3 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load balancing is applicable to TCP-based protocols. 
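The following Python model of cookie-based persistence is an added illustration, not part of the original deployment guide. It routes on the amlbcookie value the way the Cookie Hash persistence settings in this procedure do (one character read at offset 1), and falls back to round robin when the cookie is absent. The two-node pool, the "01"/"02" cookie values, and the byte-sum hash are constructed stand-ins; the BIG-IP hash itself is not described on this page.

```python
import itertools
from typing import Optional

# Constructed pool mirroring AccessManager-Pool in the procedure.
POOL = ["AccessManager-1:1080", "AccessManager-2:1080"]


def parse_cookies(header: Optional[str]) -> dict:
    """Parse a Cookie request header ("a=1; b=2") into a dict; malformed pieces are ignored."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value.strip().strip('"')
    return cookies


class CookieHashBalancer:
    """Cookie-hash persistence with round-robin fallback, as described for Load Balancer 3."""

    def __init__(self, pool, cookie_name="amlbcookie", offset=1, length=1):
        self.pool = list(pool)
        self.cookie_name = cookie_name
        self.offset = offset          # Offset: 1 and Length: 1 match the Persistence tab values
        self.length = length
        self._round_robin = itertools.cycle(range(len(self.pool)))

    def hash_key(self, cookie_header: Optional[str]) -> Optional[str]:
        """The slice of the persistence cookie the hash is computed over, or None if unusable."""
        value = parse_cookies(cookie_header).get(self.cookie_name)
        if value is None:
            return None
        key = value[self.offset:self.offset + self.length]
        return key or None            # cookie shorter than offset+length: treat as absent

    def select(self, cookie_header: Optional[str]) -> str:
        """Pick the backend: hash the cookie slice if present, otherwise plain round robin."""
        key = self.hash_key(cookie_header)
        if key is None:
            return self.pool[next(self._round_robin)]
        # Stand-in hash (byte sum mod pool size); the real load balancer's hash differs.
        return self.pool[sum(key.encode()) % len(self.pool)]


if __name__ == "__main__":
    lb = CookieHashBalancer(POOL)
    for header in (None, None, "amlbcookie=01", "JSESSIONID=abc; amlbcookie=01", "amlbcookie=02"):
        print(repr(header), "->", lb.select(header))
```

A client's first request carries no amlbcookie and is balanced round robin; once the server's response sets the cookie, every later request with that value lands on the same node.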

Before You Begin

Contact your network administrator to obtain two available virtual IP addresses.


Note –

The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.


  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to URL for the Big IP load balancer log in.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: AccessManager-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP addresses of all the Access Manager servers. In this example, add the IP address and port number for AccessManager-1:1080 and for AccessManager-2:1080.

    6. Click the Done button.

  2. Configure the load balancer for persistence.

    1. In the left pane click Pools.

    2. Click the name of the pool you want to configure.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Cookie Hash and set the following Hash Values:

      Cookie Name:

      amlbcookie

      Offset:

      1

      Length:

      1

    5. Click Apply.

  3. Add a Virtual Server.

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      xxx.xx.69.13 (for LoadBalancer-3.example.com)

      Service

      90

      Pool

      AccessManager-Pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (AccessManager-Pool) that you have just created.

    6. Click the Done button.

  4. Add Monitors.

    The load balancer has a built-in HTTP monitor that probes the Access Manager TCP port periodically. Successive probe failures indicate that the server is down. However, this probing does not address the case where the Access Manager server accepts a TCP connection but fails to process any further Access Manager requests because of internal errors such as deadlocks. Access Manager comes with a JSP file, /amserver/isAlive.jsp, to address this challenge. In the following steps, you create a custom monitor that periodically accesses the JSP. If a success response is obtained, it means not only that Access Manager is responding to TCP connection requests, but also that free threads exist to process the request.

    1. Click the Monitors tab, and then click the Add button.

      In the Add Monitor dialog, provide the following information:

      Name:

      AccessManager-http

      Inherits From:

      Choose http.

    2. Click Next.

      In the Configure Basic Properties page, click Next.

    3. In the “Configure ECV HTTP Monitor” dialog, in the Send String field, enter the following:

      GET /amserver/isAlive.jsp

    4. In the Destination Address and Service (Alias) page, click Done.

      On the Monitors tab, the monitor you just added is now contained in the list of monitors.

    5. Click the Basic Associations tab.

      Look for the IP address for AccessManager-1:1080 and AccessManager-2:1080.

    6. Mark the Add checkbox for AccessManager-1 and AccessManager-2.

    7. At the top of the Node column, choose the monitor that you just added, AccessManager-http.

    8. Click Apply.
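The difference between the built-in port monitor and the isAlive.jsp monitor in step 4 is easiest to see with two local stand-ins, a healthy server that serves the JSP and a "hung" one whose kernel completes TCP handshakes but whose application never answers. This is an added example, not part of the original guide or of BIG-IP: both probe functions, the stand-in servers and the HTTP/1.0 framing around the monitor's send string are constructed here.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The ECV monitor's send string from the procedure, completed into a full HTTP/1.0 request.
SEND_STRING = b"GET /amserver/isAlive.jsp HTTP/1.0\r\n\r\n"

def tcp_probe(host, port, timeout=1.0):
    """What a plain port monitor effectively checks: does the port accept a connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def is_alive_probe(host, port, timeout=1.0):
    """Custom ECV-style monitor: success only if isAlive.jsp answers HTTP 200 within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(SEND_STRING)
            data = b""
            while b"\r\n" not in data and len(data) < 256:
                chunk = sock.recv(256)          # blocks until the timeout if the server is hung
                if not chunk:
                    break
                data += chunk
    except OSError:                             # connection refused, reset, or timeout
        return False
    parts = data.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"

class _AliveHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a healthy Access Manager: serves /amserver/isAlive.jsp."""
    def do_GET(self):
        if self.path != "/amserver/isAlive.jsp":
            self.send_error(404)
            return
        body = b"Server is ALIVE\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):               # keep the demo quiet
        pass

def start_healthy_server():
    """Returns (port, server). Healthy: accepts TCP and serves the JSP."""
    srv = HTTPServer(("127.0.0.1", 0), _AliveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv

def start_hung_server():
    """Returns (port, socket). Hung: handshakes complete in the kernel, but nothing ever accepts or replies."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    return lsock.getsockname()[1], lsock

if __name__ == "__main__":
    h_port, h_srv = start_healthy_server()
    d_port, d_sock = start_hung_server()
    for name, port in (("healthy", h_port), ("hung", d_port)):
        print(name, "tcp:", tcp_probe("127.0.0.1", port), "isAlive:", is_alive_probe("127.0.0.1", port))
    h_srv.shutdown()
    d_sock.close()
```

The hung server passes the TCP probe and fails the isAlive probe, which is exactly the deadlock case the custom monitor exists to catch.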

Procedure: To Verify That the Access Manager Load Balancer Is Configured Properly

  1. Log in as root to the host AccessManager-1.

  2. Run the tail command to view the access log.


    # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/logs
    # tail -f access

    If you see frequent entries similar to this one:


    xxx.xx.69.18 - - [12/Oct/2006:13:10:20 -0700]
    "GET /amserver/isAlive.jsp" 200 118

    then the custom monitor is configured properly. If you do not see “GET /amserver/isAlive.jsp” then you must troubleshoot the load balancer configuration.

  3. Log in as root to the host AccessManager-2.

  4. Run the tail command to view the access log.


    # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/logs
    # tail -f access

    If you see frequent entries similar to this one:


    xxx.xx.69.18 - - [12/Oct/2006:13:10:20 -0700]
    "GET /amserver/isAlive.jsp" 200 118

    then the custom monitor is configured properly. If you do not see “GET /amserver/isAlive.jsp” then you must troubleshoot the load balancer configuration.

  5. Start a new browser and go to the internal-facing load balancer URL.

    Example: http://LoadBalancer-2.example.com:90/. Do not supply the amserver prefix.

    If the browser successfully renders the default Sun Web Server document root page, close the browser.

Procedure: To Request an SSL Certificate for the Access Manager Load Balancer

  1. Open a browser, go to the BIG-IP URL:

    https://is-F5.example.com

  2. Log in to the BIG-IP console using the following information:

    Username

    username

    Password

    password

  3. Click “Configure your BIG-IP (R) using the Configuration Utility.”

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click the button named “Generate New Key Pair/Certificate Request.”

  7. In the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-3.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    LoadBalancer-3.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click the button “Generate Key Pair/Certificate Request.”

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Copy all the text contained in the Certificate Request field.

    Save the text in a text file to keep it handy for later use.

  10. Send the text of the certificate request to a Certificate Authority of your choice.

    A Certificate Authority is an entity that issues certified digital certificates. VeriSign, Thawte, Entrust, and GoDaddy are just a few examples of Certificate Authority companies. In this deployment example, CA certificates were obtained from OpenSSL. Follow the instructions provided by the Certificate Authority for submitting a certificate request.

Procedure: To Install a Root CA Certificate on the Access Manager Load Balancer

The root Certificate Authority certificate proves that a Certificate Authority such as VeriSign or Entrust actually issued the digital server certificate you received. You install the root certificate on Load Balancer 3 so that the chain of trust between the Load Balancer 3 SSL certificate and the issuing Certificate Authority can be verified.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

  3. Click the Import link.

  4. In the Import Type field, choose Certificate, and then click Continue.

  5. In the Install SSL Certificate page, in the Certificate File field, click Browse.

  6. In the Choose File dialog, choose Browser.

    Navigate to the file that includes the root CA Certificate, and click Open.

  7. In the Certificate Identifier field, enter OpenSSL_CA_cert.

  8. Click Install Certificate.

  9. In the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The new certificate OpenSSL_CA_Cert is now included in the Certificate ID list.

Procedure: To Install an SSL Certificate on the Access Manager Load Balancer

  1. Once you've received the SSL certificate from a Certificate Authority, in the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key LoadBalancer-3.example.com is in the Key List. This was generated in a previous step when you generated a key pair and a certificate request.

  3. In the Certificate ID column, click the Install button for LoadBalancer-3.example.com.

  4. In the Certificate File field, click Browse.

    In the Choose File dialog, navigate to the text file in which you saved the certificate text sent to you by the certificate issuer, and then click Open.

  5. Click Install Certificate.

  6. In the Certificate LoadBalancer-3.example.com page, click the Return to Certificate Administration Information link.

    In the SSL Certificate Administration page, verify that the Certificate ID indicates LoadBalancer-3.example.com.

Procedure: To Configure SSL Termination on the Access Manager Load Balancer

In this deployment example, Secure Sockets Layer (SSL) termination at Load Balancer 3 increases performance at the server level and simplifies SSL certificate management. Clients access Load Balancer 3 using SSL-encrypted data. Load Balancer 3 decrypts the data and then sends the unencrypted data on to the Access Manager server. The Access Manager server or Authentication UI server does not have to perform decryption, which relieves the burden on its processor. Load Balancer 3 then load-balances the decrypted traffic to the appropriate Access Manager server. Finally, Load Balancer 3 encrypts the responses from the server and sends the encrypted responses to the client.

Load Balancer 3 sends the user and agent requests to the server where the session originated. SSL is terminated at Load Balancer 3 before a request is forwarded to the Access Manager Servers. Otherwise the load balancer cannot inspect the traffic for proper routing.

In this deployment example, you set up a proxy server using BIG-IP™ hardware and software.

  1. Configure the new proxy service.

    1. Log in to the BIG-IP load balancer using the following information:

      Username

      username

      Password

      password

    2. Click the link “Configure your BIG-IP using the Configuration Utility.”

    3. In the load balancer console, in the left pane, click Proxies.

    4. On the Proxies tab, click Add.

    5. In the Add Proxy dialog, provide the following information:

      Proxy Type:

      Check the SSL checkbox.

      Proxy Address:

      xxx.xx.69.14 (The IP address of Load Balancer 3, the Access Manager server load balancer.)

      Proxy Service:

      9443 (The port number of the new proxy you are setting up.)

      Destination Address:

      xxx.xx.69.14

      Destination Service:

      90

      Destination Target:

      Choose Local Virtual Server.

      SSL Certificate:

      Choose LoadBalancer-3.example.com.

      SSL Key:

      Choose LoadBalancer-3.example.com.

      Enable ARP:

      Check this checkbox.

    6. Click Next.

    7. In the Rewrite Redirects field, choose Matching.

    8. Click Done.

      The new proxy server is now added to the Proxy Server list.

  2. Verify that you can access the Access Manager server using the new proxy server port number.

    1. Open a browser, and go to the following URL:

      https://LoadBalancer-3.example.com:9443/index.html
      

      Tip –

      A message may be displayed indicating that the Access Manager server doesn't recognize the certificate issuer. When this happens, install the root Certificate Authority certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


    2. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

      If you can successfully log in to Access Manager 1, then the SSL certificate is installed properly and the proxy service is configured properly.

    3. Log out of Access Manager, and close the browser.