test

Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

Part I About This Deployment Example

This first part of the Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover provides introductory material and an overview of the Sun Java™ System Access Manager 7.1 deployment solution that incorporates load-balancing, distributed authentication, policy agents, and protected resources. It contains the following chapters:

Chapter 1 Components and Features

This chapter contains introductory information on the deployment example. It includes the following sections:

1.1 System Components and Architecture

The following components comprise the system environment of the deployment example. Figure 1–1 follows the list and illustrates the components as they will be situated when the deployment is complete.

Sun Java System Access Manager

Two Access Manager servers provide core Access Manager functionality. Both servers share the same configuration data, accessed through a single load balancer deployed in front of two instances of Directory Server.

Sun Java System Directory Server

Two instances of Directory Server provide storage for the Access Manager configuration data and user entries. Configuration data includes information about Access Manager services, realms, policies, and more. User entries will be created and used for testing the deployment. Both Directory Server instances are master replicas that engage in multi-master replication (MMR). MMR allows data to be synchronized in real time between two directories, providing high availability to the Access Manager layer.

Note –

No Directory Server Administration Console is installed with the bits downloaded for this deployment example. The command line is used for all Directory Server configurations.

Protected Resources

The protected resources are host machines that contain content for which you want to restrict access. Towards this end, web servers, application servers, and policy agents will be installed. For example, a Human Resources Department might use Sun Java System Web Server to host content and applications. Some of the hosted information must be made available to benefits administration vendors (such as health care providers or stock administrators) that need to access employee information in order to coordinate benefits. These external vendors access the protected resources through an external-facing load balancer. Other information must be restricted to internal Human Resources administrators who access the protected resources through an internal-facing load balancer.

Sun Java System Access Manager Policy Agents 2.2

Both Web Policy Agents and J2EE Policy Agents are used to restrict access to content or applications hosted on the protected resources. The policy agents intercept HTTP requests from external users and redirect the request to Access Manager for authentication. The agent communicates with the Access Manager servers through an internal-facing load balancer.

Distributed Authentication User Interface

The Distributed Authentication User Interface is a component of Access Manager that provides a thin presentation layer for user authentication. During user authentication, a Distributed Authentication Module retrieves the user's credentials and passes them to Access Manager for verification. Thus, the user does not have direct network access to any Access Manager servers.

Sun Java System Message Queue Broker Cluster

Access Manager uses two Message Queue broker instances to form a cluster for distributing client connections and message delivery. The Berkeley Database by Sleepycat Software, Inc. is the session store database. When an Access Manager server goes down and session failover is enabled, the user's session token can be retrieved from one of the Message Queues by the available Access Manager server. This ensures that the user remains continuously authenticated, allowing access to the protected resources without having to reauthenticate.

Load Balancers

The load balancer hardware and software used for this deployment is BIG-IP® manufactured by F5 Networks. They are deployed as follows:

Distributed Authentication User Interface Load Balancer. This external-facing load balancer exposes the remote, web-based Distributed Authentication User Interface for user authentication and self-registration.

Access Manager Load Balancer. This internal-facing load balancer exposes the web-based Access Manager administration console to internal administrators. Alternatively, internal administrators can bypass this load balancer and log in directly to an Access Manager administration console.

Directory Server Load Balancer. The load balancers in front of the Directory Server instances provide round-robin load balancing for Directory Server access, and detects individual Directory Server failures and recovery. Failed servers are taken out of the load balancer list. The load balancer also provides a single virtual Directory Server host name for the Access Manager servers.

Figure 1–1 System Architecture

Illustrates flow from Internet through multiple load balancers and optional firewalls to Access Manager servers.

Note –

Actual firewalls are not set up in this example deployment although they are referred to in this illustration. For information on specific firewall rules, see 2.5 Firewall Rules.

1.2 Key Features of Deployment

1.3 Sequence of Interactions

The following sequence describes the interactions between the various components in this deployment example. The interactions are illustrated and the numbered steps correspond to the numbers in the diagrams.

  1. A user attempts to access a J2EE application hosted by Protected Resource 1 and Protected Resource 2.

  2. Load Balancer 6 directs the user to Protected Resource 1.

  3. The J2EE Policy Agent intercepts the request and checks for an Access Manager cookie. In this scenario, no cookie is found and the request is returned to the browser which then redirects it to Load Balancer 4, the load balancer for the Distributed Authentication User Interface.

  4. Load Balancer 4 routes the user request to Distributed Authentication User Interface 2.

  5. Distributed Authentication User Interface 2 displays a login page to the user.

  6. The user enters credentials on the login page and they are returned to Distributed Authentication User Interface 2.

    Incoming request goes to J2EE Policy Agent to Load Balancer 4 and then to DAUI for user credential request and response.

  7. Distributed Authentication User Interface 2 passes the credentials to Load Balancer 3.

  8. Load Balancer 3 routes the credentials to Access Manager 1 for validation.

  9. Access Manager 1 sends a request for validation to Load Balancer 2 which specifically handles Directory Server requests for user data.

  10. Load Balancer 2 routes the request to Directory Server 2 where validation takes place.

    Credentials are passed via load balancer to Access Manager and then Directory Server where validation takes place.

  11. After successful authentication, Access Manager 1 sends the response back to the J2EE Policy Agent. The J2EE Policy Agent receives the request and checks for the Access Manger cookie.

  12. When a cookie is found, the J2EE Policy Agent sends a session validation request to the Access Manager Load Balancer 3.

  13. The Access Manager load balancer forwards the request to the Access Manager 1 where the session originated. Cookie-based persistency enables proper routing.

  14. Access Manager 1 sends a response back to the J2EE Policy Agent.

  15. If the session is not valid, the J2EE Policy Agent would redirect the user to the Distributed Authentication User Interface.

  16. If the session is valid, the J2EE Policy Agent receives the response back and sends a policy request to the Access Manager Load Balancer 3.

  17. The policy request is directed to Access Manager 1 which conducts the policy evaluation.

  18. Based on the policy evaluation, the J2EE Policy Agent either allows access to the resource or denies access to the resource. In this scenario, the user is allowed access to the Application Server.

    Response is returned, session is validated, policy request is sent and access is allowed.

Chapter 2 Technical Overview

This chapter contains technical information regarding the machines, software, and other components used in this deployment example. It contains the following sections:

2.1 Host Machines

The following table lists the attributes of the physical host machines used for this deployment example.

Table 2–1 Physical Machines and Operating Systems

Host Machine 

Architecture 

Operating System 

DirectoryServer–1 

x86 

Solaris 10 

DirectoryServer–2 

x86 

Solaris 10 

AccessManager–1 

SPARC 

Solaris 10 

AccessManager–2 

SPARC 

Solaris 10 

MessageQueue–1 

SPARC 

Solaris 10 

MessageQueue–2 

SPARC 

Solaris 10 

AuthenticationUI–1 

x86 

Solaris 10 

AuthenticationUI–2 

x86 

Solaris 10 

ProtectedResource–1 

SPARC 

Solaris 10 

ProtectedResource–2 

SPARC 

Solaris 10 

2.2 Software

The following table lists the software used in this deployment example.

Table 2–2 Software Versions and Download Locations

Product 

Version 

Download Location 

Sun Java™ System Access Manager 

7.1 

http://www.sun.com/download/

Sun Java System Web Server 

7.0 

http://www.sun.com/download/

Sun Java System Directory Server 

6.0 

http://www.sun.com/download/

BEA Weblogic Server 

9.2 

http://www.bea.com

Web Policy Agent 

(for Sun Java System Web Server) 

2.2 

http://www.sun.com/download/

J2EE Policy Agent 

(for BEA Weblogic Server) 

2.2 

http://www.sun.com/download/

Java  

(for Access Manager and policy agents) 

1.5.0_09 

http://www.java.com/en/

BIG-IP Load Balancer 

 

http://www.f5.com

2.3 Main Service URLs for Deployment Components

The following table summarizes the main service URLs for the components used in this deployment example. For detailed configuration information, see Part III, Reference: Summaries of Server and Component Configurations.

Table 2–3 Components and Main Service URLs
 

Components 

Main Service URL 

Directory Server Instances and Load Balancers 
 

Directory Server 1 

ldap://DirectoryServer-1.example.com:1389 (for Access Manager configuration data)

ldap://DirectoryServer-1.example.com:1489 (for user data)
 

Directory Server 2 

ldap://DirectoryServer-2.example.com:1389 (for Access Manager configuration data)

ldap://DirectoryServer-2.example.com:1489 (for user data)
 

Load Balancer 1 

http://LoadBalancer-1.example.com:389 (for Access Manager configuration data)
 

Load Balancer 2 

http://LoadBalancer-2.example.com:489 (for user data)
     

Access Manager Servers and Load Balancer 
 

Access Manager 1 

http://AccessManager-1.example.com:1080/amserver/console

 

Access Manager 2 

http://AccessManager-2.example.com:1080/amserver/console

 

Load Balancer 3 

http://LoadBalancer-3.example.com:7070 (for Intranet users)

https://LoadBalancer-3.example.com:9443 (for Internet users)
     

Message Queue Broker Clusters 
 

Message Queue 1 

http://MessageQueue-1.example.com:7777

 

Message Queue 2 

http://MessageQueue-2.example.com:7777

     

Distributed Authentication User Interfaces and Load Balancer 
 

Distributed Authentication User Interface 1 

http://AuthenticationUI-1.example.com:1080/distAuth/UI/Login

 

Distributed Authentication User Interface 2 

http://AuthenticationUI-2.example.com:1080/distAuth/UI/Login

 

Load Balancer 4 

http://LoadBalancer-4.example.com:90 (non-secure for internal users)

https://LoadBalancer-4.example.com:9443 (secure for external users)
     

Protected Resources 1 and 2, Policy Agents, and Load Balancers 
 

Web Container 1 

https://ProtectedResource-1.example.com:8989 (for Sun Java System Web Server administration console)
 

Web Policy Agent 1 

http://ProtectedResource-1.example.com:1080

 

J2EE Container 1 

http://ProtectedResource-1.example.com:7001/console (for BEA Weblogic administration server)
 

J2EE Policy Agent 1 

http://ProtectedResource-1.example.com:1081

     
 

Web Container 2 

https://ProtectedResource-2.example.com:8989 (for Sun Java System Web Server administration console)
 

Web Policy Agent 2 

http://ProtectedResource-2.example.com:1080

 

J2EE Container 2 

http://ProtectedResource-2.example.com:7001/console (for BEA WebLogic administration server)
 

J2EE Policy Agent 2 

http://ProtectedResource-2.example.com:1081

     
 

Load Balancer 5 

http://LoadBalancer-5.example.com:90 (for web policy agents)
 

Load Balancer 6 

http://LoadBalancer-6.example.com:91 (for J2EE policy agents)

2.4 Intercomponent Communication

The following table provides an overview of the types of communication that take place between servers, load balancers, and other components in the deployment example.

Table 2–4 Summary of Intercomponent Communication

Entity A 

Entity B 

Bi-Directional 

Port 

Protocol 

Traffic Type 

Internet Users 

LoadBalancer-5 

 

90 

HTTP 

Application Traffic 

Intranet Users 

LoadBalancer-3 

 

7070 

HTTP 

Intranet User Authentication 

Internet Users 

LoadBalancer-6 

 

91 

HTTP 

Application Traffic 

Internet Users 

LoadBalancer-4 

 

9443 

HTTPS 

Internet User Authentication 

LoadBalancer-4 

AuthenticationUI-1 

 

1080 

HTTP 

Internet User Authentication 

LoadBalancer-4 

AuthenticationUI-2 

 

1080 

HTTP 

Internet User Authentication 

LoadBalancer-5 

ProtectedResource-1 

 

1080 

HTTP 

Application Traffic 

LoadBalancer-5 

ProtectedResource-2 

 

1080 

HTTP 

Application Traffic 

LoadBalancer-6 

ProtectedResource-1 

 

1081 

HTTP 

Application Traffic 

LoadBalancer-6 

ProtectedResource-2 

 

1081 

HTTP 

Application Traffic 

AuthenticationUI-1 

LoadBalancer-3 

 

9443 

HTTPS 

Internet User Authentication 

AuthenticationUI-2 

LoadBalancer-3 

 

9443 

HTTPS 

Internet User Authentication 

ProtectedResource-1 

LoadBalancer-3 

 

9443 

HTTPS 

Agent-AM communication 

ProtectedResource-2 

LoadBalancer-3 

 

9443 

HTTPS 

Agent-AM communication 

LoadBalancer-3 

AccessManager-1 

 

1080 

HTTP 

User Authentication Agent-AM communication 

LoadBalancer-3 

AccessManager-2 

 

1080 

HTTP 

User Authentication Agent-AM communication 

AccessManager-1 

AccessManager-2 

Yes 

1080 

HTTP 

AM Back-channel communication 

AccessManager-1 

MessageQueue-1 

 

7777 

HTTP 

Session communication 

AccessManager-1 

LoadBalancer-1 

 

389 

LDAP 

AM Configuration communication 

AccessManager-1 

LoadBalancer-2 

 

489 

LDAP 

User profile communication User Authentication 

AccessManager-2 

MessageQueue-2 

 

7777 

HTTP 

Session communication 

AccessManager-2 

LoadBalancer-1 

 

389 

LDAP 

AM Configuration communication 

AccessManager-2 

LoadBalancer-2 

 

489 

LDAP 

User profile communication User Authentication 

MessageQueue-1 

MessageQueue-2 

Yes 

7777 

HTTP 

Session communication 

MessageQueue-2 

MessageQueue-1 

Yes 

7777 

HTTP 

Session communication 

LoadBalancer-1 

DirectoryServer-1 

 

1389 

LDAP 

AM Configuration communication 

LoadBalancer-1 

DirectoryServer-2 

 

1389 

LDAP 

AM Configuration communication 

LoadBalancer-2 

DirectoryServer-1 

 

1489 

LDAP 

User profile communication User Authentication 

LoadBalancer-2 

DirectoryServer-2 

 

1489 

LDAP 

User profile communication User Authentication 

DirectoryServer-1 

DirectoryServer-2 

Yes 

1389 

LDAP 

Data replication communication 

DirectoryServer-1 

DirectoryServer-2 

Yes 

1489 

LDAP 

Data replication communication 

2.5 Firewall Rules

Actual firewalls are not set up in this deployment example. The intended deployment if firewalls were configured would be to protect critical components using three distinct security zones as illustrated in Figure 1–1. One zone is completely secure, protected by all three firewalls, and used for internal traffic only. The second, less secure zone is protected by only two firewalls and is also for internal traffic only. The third, minimally-secured demilitarized zone (DMZ) leaves only simple components and interfaces exposed to the Internet and is used for external traffic. Thus, direct access to individual Access Manager servers and Directory Server instances is allowed only if permitted by firewall rules. Based on the illustration cited:

You may set up firewalls to allow traffic to flow as described in the following table.

Table 2–5 Summary of Firewall Rules

From 

To 

Port # 

Protocol 

Traffic Type 

Internet users 

LoadBalancer-4 

9443 

HTTPS 

User authentication 

Internet users 

LoadBalancer-5 

90 

HTTP 

Application access by internet user 

Internet users 

LoadBalancer-6 

91 

HTTP 

Application access by internet user 

AuthenticationUI-1 

LoadBalancer-3 

9443 

HTTPS 

User authentication 

AuthenticationUI-2 

LoadBalancer-3 

9443 

HTTPS 

User authentication 

LoadBalancer-5 

ProtectedResource-1 

1080 

HTTP 

Application access by user 

LoadBalancer-6 

ProtectedResource-2 

1081 

HTTP 

Application access by user 

Intranet User 

LoadBalancer-3 

7070 

HTTP 

User authentication and various Access Manager services 

2.6 Replicated Entries

Throughout this deployment example, we use ldapsearch to view replicated entries. An alternative would be to enable the Directory Server audit log and run tail -f. Enabling the audit log will also help to track changes and updates made during Access Manager configuration.