9.2 Configuring the J2EE Policy Agents Load Balancer
Load Balancer 6 can be located in a less-secured zone, and handles traffic for the J2EE Policy Agents.
Load Balancer 6 is configured for simple persistence so that browser requests from the same IP address will always be directed to the same J2EE Policy Agent instance . This guarantees that the requests from the same user session will always be sent to the same J2EE Policy Agent instance. This is important from the performance perspective. Each J2EE Policy Agent must validate the user session and evaluate applicable policies. The results are subsequently cached on the individual Web Policy Agent to improve the performance. If no load balancer persistence is set, and the same user's requests are spread across two agents, then each agent must build up its own cache. To do so, both agents must validate the session and evaluate policies. This effectively doubles the workload on the Access Manager servers, and cuts the overall system capacity by half. The problem becomes even more acute as the number of J2EE Policy Agents increases further.
As a general rule, in situations where each J2EE Policy Agent instance is protecting identical resources, some form of load balancer persistence is highly recommended for the performance reasons. The actual type of persistence may vary when a different load balancer is used, as long as it achieves the goal of sending the requests from the same user session to the same J2EE Policy Agent instance.
Use the following as your checklist for configuring the J2EE Policy Agents load balancer:
To Configure the J2EE Policy Agents Load
Balancer
-
Go to URL for the Big IP load balancer login page and log in.
https://ls-f5.example.com
- User name:
-
username
- Password:
-
password
-
Create a Pool.
A pool contains all the backend server instances.
-
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
-
In the left pane, click Pools.
-
On the Pools tab, click the Add button.
-
In the Add Pool dialog, provide the following information:
- Pool Name
-
Example: J2EEAgent-Pool
- Load Balancing Method
-
Round Robin
- Resources
-
Add all the Application Server IP addresses. In this example, add the IP address and port number for ProtectedResource-1:1081 and for ProtectedResource-2:1081.
-
Click the Done button.
-
In the List of Pools, click the name of the pool you just created (J2EEAgent-Pool).
-
Click the Persistence tab, provide the following information, and then click Apply:
- Persistence Type:
-
Choose “Active Http Cookie.”
- Method:
-
Choose Insert.
-
-
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
-
In the left frame, Click Virtual Servers.
-
On the Virtual Servers tab, click the Add button.
-
In the Add a Virtual Server dialog box, provide the following information:
- Address
-
xxx.xx.69.14 (for LoadBalancer-6.example.com )
- Services Port
-
91
- Pool
-
J2EEAgent-Pool
-
Continue to click Next until you reach the Pool Selection dialog box.
-
In the Pool Selection dialog box, assign the Pool (J2EEAgent-Pool) that you have just created.
-
Click the Done button.
-
-
Add Monitors.
To Configure the Agent
In the AMAgent.properties file, map Protected Resource 1 and Protected Resource 2 to Load Balancer 6 .
-
Log in as root to Protected Resource 1.
-
Use a text editor to modify the AMAgent.properties file.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of AMAgent.properties, and then set the following property:
com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-6.example.com] = LoadBalancer-6.example.com
-
Save the file.
-
Log in as root to Protected Resource 2.
-
Use a text editor to modify the AMAgent.properties file.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of AMAgent.properties, and then set the following property:
com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-6.example.com] = LoadBalancer-6.example.com
-
Save the file.
To Create Polices for the Agent Resources
The policies you create here are used in a subsequent procedure that verifies that the agents and load balancer work properly.
-
Create a referral policy for Load Balancer 6.
-
Go to the Access Manager URL:
https://loadbalancer-3.example.com:9443/amserver/UI/Login
-
Log in to the Access Manager console using the following information:
- Username
-
amadmin
- Password
-
4m4dmin1
-
On the Access Control tab, click the realm name example.com.
-
Click the Policies tab.
-
Click the “Referral URL Policy for users realm” link.
-
In the Edit Policy page, under Rules, click New.
-
In the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name), and then click Next.
-
In the page “Step 2 of 2: New Rule,” provide the following information:
- Name:
-
URL Rule for LoadBalancer-6
- Resource Name:
-
http://LoadBalancer-6.example.com:91/*
-
Click Finish, and then click Save.
The new rules you added are now contained in the rules list.
-
-
Create a policy for the users realm.
-
In the Edit Policy page, click the Realms link.
-
On the Access Control tab, click the users link.
-
Click the Policies tab, and then click New Policy.
In the Name field, enter URL Policy for LoadBalancer-6 .
-
Under Rules, click NEW.
-
In the page “Step 1 of 2: Select Service Type for the Rule,” click Next.
-
In the page “Step 2 of 2: New Rule,” provide the following information:
- Name:
-
Enter LoadBalancer-6.
- Parent Resource Name:
-
Click http://LoadBalancer-6.example.com:91/* to select it.
The Parent Resource Name selected is not contained in the Resource Name field.
- GET
-
Mark the checkbox, and verify that the Allow option is selected.
- POST
-
Mark the checkbox, and verify that the Allow option is selected.
-
Click Finish.
-
In the “Step 1 of 2: Select Subject Type” page, be sure that Access Manager Identity Subject is selected, and then click Next.
-
In the “Step 2 of 2: New Subject — Access Manager Identity Subject” page, provide the following information:
- Name:
-
LoadBalancer-6_Roles
- Filter:
-
In the drop-down list, select Role. Then click Search. The search returns a list of available roles.
-
In the Available: list, select manager and employee, and then click Add.
The roles manager and employee are now contained in the Selected List.
-
Click Finish.
-
-
Log out of the Access Manager console and close the browser.
To Verify that the J2EE Policy Agents Load
Balancer is Working Properly
-
Restart the Application Servers.
-
Stop Application Server 1 .
# cd /usr/local/bea/user_projects/ domains/ProtectedResource-1/bin # ./stopManagedWebLogic.sh ApplicationsServer-1 t3://localhost:7001
-
Stop the administration server.
# ./stopWebLogic.sh
-
Start the administration server.
# nohup ./startWebLogic.sh & # tail -f nohup.out
-
Start Application Server 1.
# nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
-
Stop Application Server 2 .
# cd /usr/local/bea/user_projects/domains/ ProtectedResource-2/bin # ./stopManagedWebLogic.sh ApplicationsServer-2 t3://localhost:7001
-
Stop the administration server.
# ./stopWebLogic.sh
-
Start the administration server.
# nohup ./startWebLogic.sh & # tail -f nohup.out
-
Start Application Server 2.
# nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
-
-
Go to the Sample Application URL:
http://loadbalancer-6.example.com:91/agentsample/index.html
The Sample Application welcome page is displayed.
-
Click J2EE Declarative Security > “Invoke the Protected Servlet”
The Policy Agent redirects to the Access Manager login page.
-
Log in to the Access Manager console using the following information:
- Username
-
testuser1
- Password
-
password
If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
-
Click the “J2EE Declarative Security” link.
-
On the J2EE Declarative Security page, click the “Invoke the Protected Servlet link”.
If the Success Invocation message is displayed, then this part of the test succeeded , and the sample policy for the manager role has been enforced as expected.
-
Click the “J2EE Declarative Security” link to go back.
-
Click the “Invoke the Protected EJB via an Unprotected Servlet” link.
If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.
-
Close the browser.
-
In a new browser session, go to the Sample Application URL:
http://loadbalancer-6.example.com:91/agentsample/index.html
The Sample Application welcome page is displayed.
-
Click the “J2EE Declarative Security” link.
-
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
The Policy Agent redirects to the Access Manager login page.
-
Log in to the Access Manager console using the following information:
- Username
-
testuser2
- Password
-
password
If you can successfully log in as testuser2, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
-
Click the “J2EE Declarative Security” link to go back.
-
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Uprotected Servlet” link.
The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.
- © 2010, Oracle Corporation and/or its affiliates