In this deployment, SSL is not enabled on each Federation Manager server; instead it is terminated at the load balancer. Terminating SSL at the load balancer secures the connection between clients and the Federation Manager deployment while giving the highest server availability and fastest response times. Because the Federation Manager servers themselves do not run SSL, the hop from the load balancer to those servers is not encrypted by this configuration and must be protected by other means, such as a restricted internal network.
Use the following as your checklist for configuring SSL termination at the Federation Manager load balancer:
Log in to the BIG-IP load balancer.
Click Proxies in the left pane.
Click the Cert Admin tab, and then click the “Generate New Key Pair/Certificate Request” button.
In the Create Certificate Request page, provide the following information:
LoadBalancer-9.siroe.com
siroe.com
LoadBalancer-9.siroe.com
jdoe@siroe.com
Click the Generate Request button.
In the Generate Request page, copy the PEM-encoded request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
Paste this text into a request form provided by a root certificate authority (CA) such as VeriSign or Thawte.
See the certificate authority website, such as http://www.verisign.com/ or http://www.thawte.com/, for detailed instructions on submitting a certificate request.
After you receive the certificate from the issuer, install the SSL certificate.
Log in to the BIG-IP load balancer console.
In the BIG-IP load balancer console, click the Cert Admin tab.
On the Cert Admin tab, click Install Certificate.
In the Install SSL Certificate page, paste the PEM-encoded certificate text you received from the certificate issuer.
Click Install Certificate.
In the left frame, click Proxies, and then click Add.
On the Add Proxy page, provide the following information:
SSL
Enter the IP address of LoadBalancer-9.siroe.com.
Enter 3443.
Enter the IP address of LoadBalancer-9.siroe.com.
Enter 1080.
LoadBalancer-9.siroe.com
LoadBalancer-9.siroe.com
Mark this box.
Click Next, then provide the following information:
Choose Matching.
Click Done.
As a root user, log in to the Federation Manager 1 host.
Go to the following directory:
/opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
Modify the server.xml file.
Make a backup of server.xml, and then modify the original file. Change this line:
<LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs ...
to:
<LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...
Save the file.
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/
# ./stop ; ./start
As a root user, log in to the Federation Manager 2 host.
Go to the following directory:
/opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
Modify the server.xml file.
Make a backup of server.xml, and then modify the original file. Change this line:
<LS id="ls1" port="8080" servername="FederationManager-2.siroe.com" defaultvs ...
to:
<LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...
Save the file.
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/
# ./stop ; ./start
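The server.xml change made by hand on each host above, as an added example script that is not part of the original guide: it backs up the file, rewrites only the ls1 listener's servername to the https:// load-balancer name, and verifies the result. The sample server.xml is constructed and much shorter than a real one, and the script assumes the id attribute precedes servername inside the LS element, as in the lines quoted above.

```python
"""Point a Sun Web Server server.xml listener at the SSL-terminating load balancer."""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

LB_HOST = "LoadBalancer-9.siroe.com"   # host name on the load balancer's certificate

# Constructed minimal server.xml; a real file carries many more elements.
SAMPLE_SERVER_XML = """<SERVER>
  <LS id="ls1" port="8080" servername="FederationManager-1.siroe.com"
      defaultvs="https-FederationManager-1.siroe.com" security="off"/>
  <LS id="ls2" port="8888" servername="FederationManager-1.siroe.com"
      defaultvs="admin-vs" security="off"/>
</SERVER>
"""

def listener_servername(xml_text: str, listener_id: str = "ls1") -> Optional[str]:
    """Return the servername attribute of the LS element with this id, or None."""
    ls = ET.fromstring(xml_text).find(f"./LS[@id='{listener_id}']")
    return ls.get("servername") if ls is not None else None

def rewrite_servername(xml_text: str, listener_id: str = "ls1",
                       lb_host: str = LB_HOST) -> str:
    """Rewrite servername="..." of one LS element as text, so that the rest of the
    file (XML declaration, DOCTYPE, comments, other listeners) is left untouched.
    Assumes id="..." comes before servername="..." inside the tag."""
    pattern = re.compile(r'(<LS\b[^>]*\bid="' + re.escape(listener_id)
                         + r'"[^>]*\bservername=")[^"]*(")')
    new_text, n = pattern.subn(r"\g<1>https://" + lb_host + r"\2", xml_text)
    if n != 1:
        raise ValueError(f"expected exactly one LS element with id={listener_id!r}, found {n}")
    return new_text

def points_at_load_balancer(xml_text: str, listener_id: str = "ls1",
                            lb_host: str = LB_HOST) -> bool:
    """Post-change check: the listener's servername carries the https scheme and LB host."""
    return listener_servername(xml_text, listener_id) == f"https://{lb_host}"

def update_file(path: Path, listener_id: str = "ls1") -> Path:
    """Back up server.xml beside itself, then rewrite it in place; returns the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)          # keep the original, as the checklist requires
    path.write_text(rewrite_servername(path.read_text(), listener_id))
    return backup

if __name__ == "__main__":
    updated = rewrite_servername(SAMPLE_SERVER_XML)
    print(updated)
    print("ok" if points_at_load_balancer(updated) else "ls1 NOT pointed at load balancer")
```

Run `update_file(Path("/opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config/server.xml"))` on each host, then restart the Web Server as above.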
Go to the Federation Manager URL:
https://LoadBalancer-9.siroe.com:3443/federation/UI/Login
The following message is displayed:
“Unable to verify the identity of LoadBalancer-9.siroe.com as a trusted site.”
Choose “Accept this certificate temporarily for this session,” and then click OK.
Log in to the Federation Manager console with the administrator account of the reference deployment (user name amadmin, password 11111111).
If you can log in successfully, then SSL is configured properly.