Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

6.2 Configuring the Distributed Authentication UI Servers Load Balancer

  1. Configure the Distributed Authentication UI servers load balancer.

  2. Configure Distributed Authentication UI servers to authenticate to Access Manager as a custom user.

  3. Configure the load balancer cookies for the Distributed Authentication UI servers.

  4. Request an SSL certificate for the Distributed Authentication UI load balancer.

  5. Install a root CA certificate on the Distributed Authentication UI load balancer.

  6. Install an SSL certificate on the Distributed Authentication UI load balancer.

  7. Configure SSL termination on the Distributed Authentication UI load balancer.

Procedure: To Configure the Distributed Authentication UI Servers Load Balancer

Before You Begin

Contact your network administrator to obtain an available virtual IP address.


Note –

The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.


  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer and log in.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: AuthenticationUI-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add IP addresses for the Distributed Authentication UI server hosts. For this example, add AuthenticationUI-1:1080 and AuthenticationUI-2:1080.

    6. Click the Done button.

  2. Configure the load balancer for persistence.

    1. In the left frame, click Pools.

    2. Click the AuthenticationUI-Pool link.

    3. Click the Persistence tab.

    4. Under Persistence Type, choose Passive HTTP Cookie, and then click Apply.

  3. Add a Virtual Server.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add Virtual Server wizard, enter the virtual server IP address and port number.

      In this example, enter the IP address for Load Balancer 4, and enter the port number 90.

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the AuthenticationUI-Pool that you have just created.

    6. Click the Done button.

  4. Add monitors.

    Monitors are necessary for the load balancer to detect any backend server failures that may occur.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an HTTP monitor to each Web Server node.

      In the Node list, locate the IP address:port of the node for which you are creating the monitor. Select the Add checkbox.

    4. Click Apply.

  5. Verify that the Distributed Authentication UI server load balancer is configured properly.

    Start a new browser and go to the Distributed Authentication UI load balancer URL. Example:

    http://LoadBalancer-4.example.com:90/.

    If the browser successfully renders the Sun Web Server default document root page, close the browser.

Procedure: To Configure Distributed Authentication UI Servers to Authenticate to Access Manager as a Custom User

  1. Set up a custom user.

    1. Open a browser and go to the Access Manager login URL.

      https://LoadBalancer-3.example.com:9443/amserver/UI/Login

    2. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    3. On the Access Control tab, click the top-level realm example.com.

    4. Click the Subjects tab.

    5. Click the Agents tab.

    6. On the Agents tab, click the New button.

    7. In the New Agent page, provide the following information, and then click Create.

      ID

      authuiadmin

      Password

      4uthu14dmin

    8. On the Agents tab, in the list of Agent names, click authuiadmin.

      On the General tab, copy the UniversalID value, and save it where you can use it later.

    9. Log out of the console.

  2. Define authuiadmin as a special user in Access Manager 1.

    1. As a root user, log in to host AccessManager-1.

    2. Locate the /etc/opt/SUNWam/config/AMConfig.properties file.

      Make a backup of this file before you modify it.

    3. In the file, locate the following property:

      com.sun.identity.authentication.special.users

    4. At the end of the list of values, add the UniversalID that you obtained and saved from the Agents list:

      |uid=authuiadmin,ou=agents,o=example.com

      This step authorizes the user to authenticate remote applications to the Access Manager server using the Access Manager Client SDK.

  3. Define authuiadmin as a special user in Access Manager 2.

    1. As a root user, log in to host AccessManager-2.

    2. Locate the /etc/opt/SUNWam/config/AMConfig.properties file.

      Make a backup of this file before you modify it.

    3. In the file, locate the following property:

      com.sun.identity.authentication.special.users

    4. At the end of the list of values, add the UniversalID that you obtained and saved from the Agents list:

      |uid=authuiadmin,ou=agents,o=example.com

      This step authorizes the user to authenticate remote applications to the Access Manager server using the Access Manager Client SDK.

  4. Restart both Access Manager 1 server and Access Manager 2 server.

  5. Log out of Access Manager 1 and log out of Access Manager 2.

  6. Define the custom user as a special user on the Authentication UI 1 server.

    1. As a root user, log in to host AuthenticationUI-1.

    2. Locate the following file:


      /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/webapps/distAuth/WEB-INF/classes/AMConfig.properties

      Make a backup of this file before you modify it.

    3. In the file, set the following properties:

      com.sun.identity.agents.app.username=authuiadmin

      com.iplanet.am.service.password=4uthu14dmin

  7. Define the custom user as a special user on the Authentication UI 2 server.

    1. As a root user, log in to host AuthenticationUI-2.

    2. Locate the following file:


      /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/webapps/distAuth/WEB-INF/classes/AMConfig.properties

      Make a backup of this file before you modify it.

    3. In the file, set the following properties:

      com.sun.identity.agents.app.username=authuiadmin

      com.iplanet.am.service.password=4uthu14dmin

  8. Restart Authentication UI 1 server and Authentication UI 2 server.

    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com

    # ./stop ; ./start

    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com

    # ./stop ; ./start

  9. Log out of Authentication UI 1 server and log out of Authentication UI 2 server.

  10. Verify that everything works.

    1. On Directory Server 1 and Directory Server 2, go to the logs directory and run the tail command.

      # cd /var/opt/mps/serverroot/slapd-am-config/logs

      # tail -f access | grep authuiadmin

    2. In a browser, go to the following URL to open the Access Manager login page.

      https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?goto=https://LoadBalancer-3.example.com:9443/amserver/UI/Login

      Using this URL, you will be able to view entries for the Authentication UI server binding to the Directory Server as the special user authuiadmin.

    3. In the logs, look for entries similar to this:

      [12/Jul/2006:21:08:33 -0700] conn=43430 op=0 msgId=1059 - BIND dn="uid=authuiadmin,ou=agents,o=example.com" method=128 version=3
      [12/Jul/2006:21:08:33 -0700] conn=43430 op=0 msgId=1059 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=authuiadmin,ou=agents,o=example.com"

      When you see err=0 in either log, you know that the Authentication UI server successfully logged in to the Access Manager server. If the err value is anything other than 0, you must troubleshoot the configuration.

    4. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

      If you can successfully log in, you know that authentication worked successfully.

  11. Log out of the console.
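To check the Directory Server access log from step 10 with a script rather than by eye, here is an added example (not from the Sun guide) that pairs every authuiadmin BIND with its RESULT by conn/op and reports the err value; the log lines are constructed from the two entries shown above plus a rejected bind for contrast.

```shell
#!/bin/sh
# Added example (not from the Sun guide): check a Directory Server
# access log for the Authentication UI's BIND as authuiadmin, pairing
# each BIND with its RESULT by conn/op and reporting err, instead of
# eyeballing tail -f | grep output.

# bind_results LOG DN: print "conn=N op=M err=E" for every BIND as DN;
# exit 0 only if at least one was seen and all of them got err=0.
bind_results() {
    awk -v dn="$2" '
        function field(n) { return match($0, n "=[^ ]*") ? substr($0, RSTART, RLENGTH) : n "=?" }
        index($0, "BIND dn=\"" dn "\"") { pend[field("conn") " " field("op")] = 1; next }
        /RESULT err=/ {
            id = field("conn") " " field("op")
            if (!(id in pend)) next        # some other client or operation
            delete pend[id]; e = field("err"); print id, e
            if (e == "err=0") ok++; else bad++
        }
        END { exit !(ok && !bad) }' "$1"
}

DN='uid=authuiadmin,ou=agents,o=example.com'
TMP=$(mktemp -d)

# Constructed log holding the guide's two entries, one per line as
# Directory Server writes them.
LOG_OK=$TMP/access.ok
cat > "$LOG_OK" <<EOF
[12/Jul/2006:21:08:33 -0700] conn=43430 op=0 msgId=1059 - BIND dn="$DN" method=128 version=3
[12/Jul/2006:21:08:33 -0700] conn=43430 op=0 msgId=1059 - RESULT err=0 tag=97 nentries=0 etime=0 dn="$DN"
EOF

# Constructed log with a rejected bind (err=49 is LDAP
# invalidCredentials, e.g. the two passwords do not match) interleaved
# with an unrelated bind that must not be counted.
LOG_BAD=$TMP/access.bad
cat > "$LOG_BAD" <<EOF
[12/Jul/2006:21:09:01 -0700] conn=43431 op=0 msgId=1 - BIND dn="$DN" method=128 version=3
[12/Jul/2006:21:09:01 -0700] conn=43432 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[12/Jul/2006:21:09:01 -0700] conn=43432 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[12/Jul/2006:21:09:01 -0700] conn=43431 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
EOF

bind_results "$LOG_OK" "$DN" && echo "bind OK" || echo "troubleshoot the configuration"
bind_results "$LOG_BAD" "$DN" && echo "bind OK" || echo "troubleshoot the configuration"
```

On the real hosts, point the function at /var/opt/mps/serverroot/slapd-am-config/logs/access on each Directory Server instead of the constructed files.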

Procedure: To Configure the Load Balancer Cookies for the Distributed Authentication UI Servers

  1. Log in as a root user to Authentication UI 1 host.

  2. Go to the following directory:

    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/webapps/distAuth/WEB-INF/classes

  3. Modify the AMConfig.properties file.

    Make a backup of this file.

    At the end of the file, uncomment the last two lines and set the following values:

    com.iplanet.am.lbcookie.name=AuthenticationUILBCookie
    com.iplanet.am.lbcookie.value=AuthenticationUI-1

  4. Restart the Authentication UI 1 host.

  5. As a root user, log in to host AuthenticationUI-2.

  6. Go to the following directory:

    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/webapps/distAuth/WEB-INF/classes

  7. Modify the AMConfig.properties file.

    Make a backup of this file.

    At the end of the file, uncomment the last two lines and set the following values:

    com.iplanet.am.lbcookie.name=AuthenticationUILBCookie
    com.iplanet.am.lbcookie.value=AuthenticationUI-2

  8. Restart the Distributed Authentication UI 2 server.
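The three AMConfig.properties edits made in this section (the special users list on Access Manager 1 and 2, the agent credentials on the Authentication UI servers, and the per-server load balancer cookie in this procedure) as one added shell example, not part of the Sun guide; it uses only sh and awk on a constructed copy of the file, with the values this deployment example uses, and makes each edit idempotent so that running it twice is harmless.

```shell
#!/bin/sh
# Added example (not from the Sun guide): apply this section's
# AMConfig.properties edits with sh/awk, idempotently, on a
# constructed sample file, using this deployment example's values.

# set_prop FILE KEY VALUE: rewrite the KEY= line (even when it is
# commented out with '#'), or append it; a .bak copy is kept first.
set_prop() {
    cp -p "$1" "$1.bak"
    awk -v k="$2" -v v="$3" '
        { s = $0; sub(/^[# \t]*/, "", s) }
        index(s, k "=") == 1 { if (!done) print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$1.bak" > "$1"
}

# get_prop FILE KEY: print the value of the active (uncommented) KEY.
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# add_special_user FILE DN: append "|DN" to the pipe-separated
# com.sun.identity.authentication.special.users list unless listed.
add_special_user() {
    key=com.sun.identity.authentication.special.users
    cur=$(get_prop "$1" "$key")
    case "|$cur|" in *"|$2|"*) return 0 ;; esac   # already authorized
    if [ -n "$cur" ]; then set_prop "$1" "$key" "$cur|$2"; else set_prop "$1" "$key" "$2"; fi
}

# Constructed stand-in for the AMConfig.properties files edited above.
SAMPLE=$(mktemp -d)/AMConfig.properties
cat > "$SAMPLE" <<'EOF'
com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,o=example.com
#com.iplanet.am.lbcookie.name=amlbcookie
#com.iplanet.am.lbcookie.value=01
EOF

# Access Manager 1 and 2: authorize the agent user (second call is a no-op).
add_special_user "$SAMPLE" "uid=authuiadmin,ou=agents,o=example.com"
add_special_user "$SAMPLE" "uid=authuiadmin,ou=agents,o=example.com"
# Authentication UI 1: agent credentials and this server's LB cookie.
# The password is stored in clear text, so the file must stay
# unreadable to anyone but root and the web server's run-as user.
set_prop "$SAMPLE" com.sun.identity.agents.app.username authuiadmin
set_prop "$SAMPLE" com.iplanet.am.service.password 4uthu14dmin
set_prop "$SAMPLE" com.iplanet.am.lbcookie.name AuthenticationUILBCookie
set_prop "$SAMPLE" com.iplanet.am.lbcookie.value AuthenticationUI-1
```

On Authentication UI 2 the same calls apply with com.iplanet.am.lbcookie.value set to AuthenticationUI-2, and the servers still need the restart described in the procedure.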

Procedure: To Request an SSL Certificate for the Distributed Authentication UI Load Balancer

  1. Open a browser, go to the BIG-IP URL:

    https://is-F5.example.com

  2. Log in to the BIG-IP console using the following information:

    User Name:

    username

    Password:

    password

  3. Click “Configure your BIG-IP (R) using the Configuration Utility.”

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click the button named “Generate New Key Pair/Certificate Request.”

  7. In the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-4.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    LoadBalancer-4.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click the button “Generate Key Pair/Certificate Request.”

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Copy all the text contained in the Certificate Request field.

    Save the text in a text file to keep it handy for later use.

  10. Send the text of the certificate request to a Certificate Authority of your choice.

    A Certificate Authority is an entity that issues digital certificates. VeriSign, Thawte, Entrust, and GoDaddy are a few examples of Certificate Authority companies. In this deployment example, CA certificates were obtained from OpenSSL. Follow the instructions provided by the Certificate Authority for submitting a certificate request.

Procedure: To Install a Root CA Certificate on the Distributed Authentication UI Load Balancer

The root Certificate Authority certificate proves that a Certificate Authority such as VeriSign or Entrust actually issued the digital server certificate you received. You install the root certificate on Load Balancer 4 to ensure that the link between the Load Balancer 4 SSL certificate and the issuing company can be maintained.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

  3. Click the Import link.

  4. In the Import Type field, choose Certificate, and then click Continue.

  5. In the Install SSL Certificate page, in the Certificate File field, click Browse.

  6. In the Choose File dialog, navigate to the file that includes the root CA certificate, and click Open.

  7. In the Certificate Identifier field, enter OpenSSL_CA_Cert.

  8. Click Install Certificate.

  9. In the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The new certificate OpenSSL_CA_Cert is now included in the Certificate ID list.

Procedure: To Install an SSL Certificate on the Distributed Authentication UI Load Balancer

  1. Once you've received the SSL certificate from a Certificate Authority, in the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key LoadBalancer-4.example.com is in the Key List. This was generated in a previous step when you generated a key pair and a certificate request.

  3. In the Certificate ID column, click the Install button for LoadBalancer-4.example.com.

  4. In the Certificate File field, click Browse.

    In the Choose File dialog, navigate to the text file in which you saved the certificate text sent to you by the certificate issuer, and then click Open.

  5. Click Install Certificate.

  6. In the Certificate LoadBalancer-4.example.com page, click the Return to Certificate Information link.

    In the SSL Certificate Administration page, verify that the Certificate ID indicates LoadBalancer-4.example.com.

Procedure: To Configure SSL Termination on the Distributed Authentication UI Load Balancer

In this deployment example, Secure Sockets Layer (SSL) termination at Load Balancer 4 increases performance at the server level and simplifies SSL certificate management. Clients access Load Balancer 4 using SSL-encrypted data. Load Balancer 4 decrypts the data and then sends the unencrypted data on to the Access Manager server. The Access Manager server or Authentication UI server does not have to perform decryption, so the burden on its processor is relieved. Load Balancer 3 then load-balances the decrypted traffic to the appropriate Access Manager server. Finally, Load Balancer 4 encrypts the responses from the server and sends the encrypted responses to the client.

In this deployment example, an SSL certificate is required only at the Load Balancer 4, and not required for each Access Manager server. This simplifies SSL certificate management. Load Balancer 4 can intelligently load-balance a request based on unencrypted cookies. This would not be possible with SSL-encrypted cookies because Load Balancer 4 cannot read SSL-encrypted cookies.

In this deployment example, you set up a proxy server using BIG-IP™ hardware and software.

  1. Configure the new proxy service.

    1. Log in to the BIG-IP load balancer using the following information:

      Username

      username

      Password

      password

    2. Click the link “Configure your BIG-IP using the Configuration Utility.”

    3. In the load balancer console, in the left pane, click Proxies.

    4. On the Proxies tab, click Add.

    5. In the Add Proxy dialog, provide the following information:

      Proxy Type:

      Check the SSL checkbox.

      Proxy Address:

      xxx.xx.69.14 (The IP address of Load Balancer 3, the Access Manager server load balancer.)

      Proxy Service:

      9443 (The port number of the new proxy you are setting up.)

      Destination Address:

      xxx.xx.69.14

      Destination Service:

      90

      Destination Target:

      Choose Local Virtual Server.

      SSL Certificate:

      Choose LoadBalancer-4.example.com.

      SSL Key:

      Choose LoadBalancer-4.example.com.

      Enable ARP:

      Check this checkbox.

    6. Click Next.

    7. In the Rewrite Redirects field, choose All.

    8. Click Done.

      The new proxy server is now added to the Proxy Server list.

  2. Verify that you can access the Access Manager server using the new proxy server port number.

    1. Open a browser, and go to the following URL:

      https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?goto=https://LoadBalancer-3.example.com:9443/amserver/UI/Login

      Tip –

      You may see a message indicating that the Access Manager server doesn't recognize the certificate issuer. When this happens, install the root Certificate Authority certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


    2. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

      If you can successfully log in to Access Manager 1, then the SSL certificate is installed properly and the proxy service is configured properly.

    3. Log out of Access Manager, and close the browser.