Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

6.3 Configuring the Access Manager Load Balancer

The Access Manager servers are fronted by one load balancer (Load Balancer 3). Users inside the company access the servers through the non-secure port 7070; users outside the company access them through the secure port 9443. Configuring two load balancer instances, one per port, also lets you customize separate internal-facing and external-facing login pages. External users first reach the Distributed Authentication User Interface, which in turn forwards the request to the secure port 9443. The following figure illustrates this architecture.

Figure 6–1 Load Balancer 3 Fronts Two Access Manager Servers

Load Balancer 3 handles all requests for Access Manager. Access Manager 1 and Access Manager 2 themselves access the Directory Server load balancers.

Load Balancer 3 sends user and agent requests to the server where the session originated. Secure Sockets Layer (SSL) is terminated at the load balancer before a request is forwarded to the Access Manager servers, so that the load balancer can inspect the traffic (including the amlbcookie it uses for persistence) and route it correctly. Load Balancer 3 is capable of the following types of load balancing:

Cookie-based 

The load balancer makes decisions based on the client's cookies. The load balancer looks at the request and detects the presence of a cookie with a specific name. If the cookie is present in the request, the load balancer routes the request to the specific server to which that cookie has been assigned. If the cookie is not present, the load balancer balances the request among the available servers. 

IP-based 

This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends all requests from a specific IP address to the same server. 

TCP 

The load balancer maintains session affinity. This means that all requests belonging to one TCP session are forwarded to the same server. In this deployment example, Load Balancer 3 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load balancing applies to TCP-based protocols. 
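The following script is an added illustration of the three routing modes described above; it is not part of the deployment guide and is not BIG-IP code. It models cookie-based persistence keyed on a substring of amlbcookie (offset 1, length 1, the values configured for the pool later in this section), source-IP persistence, and round robin for everything else. The request list and the iPlanetDirectoryPro value are constructed sample input, and the hash that turns the cookie substring into a pool member is an illustrative choice, not the load balancer's own.

```python
"""Simulate the persistence decisions Load Balancer 3 makes for Access Manager traffic.

Added example (not from the deployment guide, not BIG-IP code).
"""
import hashlib
from itertools import cycle

# Pool members as configured on this page.
POOL = ["AccessManager-1:1080", "AccessManager-2:1080"]


def cookie_value(headers, name):
    """Return the value of cookie `name` from a raw Cookie header, or None."""
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class Balancer:
    def __init__(self, pool, mode="cookie", cookie_name="amlbcookie", offset=1, length=1):
        self.pool = list(pool)
        self.mode = mode                      # "cookie", "ip" or "tcp"
        self.cookie_name, self.offset, self.length = cookie_name, offset, length
        self._round_robin = cycle(self.pool)
        self._by_ip = {}                      # client IP -> member (IP-based persistence)

    def _member_for_hash(self, hash_id):
        # Any stable hash works for the demonstration (illustrative choice, not
        # BIG-IP's): the same amlbcookie substring must always select the same member.
        digest = hashlib.sha1(hash_id.encode()).digest()
        return self.pool[digest[0] % len(self.pool)]

    def route(self, request):
        """Return (pool member, reason) for one request."""
        if self.mode == "cookie":
            value = cookie_value(request.get("headers", {}), self.cookie_name)
            hash_id = value[self.offset:self.offset + self.length] if value else ""
            if hash_id:
                return self._member_for_hash(hash_id), f"cookie-hash:{hash_id}"
            # No amlbcookie yet (first request of a session): balance normally.
            return next(self._round_robin), "round-robin:no-cookie"
        if self.mode == "ip":
            ip = request["client_ip"]
            if ip not in self._by_ip:         # first sighting: assign by round robin
                self._by_ip[ip] = next(self._round_robin)
            return self._by_ip[ip], f"source-ip:{ip}"
        # "tcp": affinity lasts for one connection; each new connection is balanced.
        return next(self._round_robin), "round-robin"


# Constructed sample traffic; cookie values mimic what Access Manager sets.
REQUESTS = [
    {"client_ip": "10.0.0.5", "headers": {}},
    {"client_ip": "10.0.0.6", "headers": {}},
    {"client_ip": "10.0.0.5", "headers": {"Cookie": "amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcw"}},
    {"client_ip": "10.0.0.7", "headers": {"Cookie": "amlbcookie=02"}},
]


def demo(mode="cookie"):
    """Route REQUESTS under one mode and return the list of (member, reason)."""
    lb = Balancer(POOL, mode=mode)
    return [lb.route(r) for r in REQUESTS]


if __name__ == "__main__":
    for mode in ("cookie", "ip", "tcp"):
        print(mode, demo(mode))
```

Run it to see how a request that arrives without amlbcookie is balanced round robin, while every later request carrying the same cookie substring lands on the same member regardless of the client's source address.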

Use the following list of procedures as a checklist for configuring the Access Manager load balancer. The first procedure tests the Directory Server load balancing and system failover configurations.

  1. To Verify Successful Directory Server Load Balancing and System Failover for Access Manager 1 and Access Manager 2

  2. To Configure the Access Manager Load Balancer

  3. To Request a Secure Sockets Layer Certificate for the Access Manager Load Balancer

  4. To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer

  5. To Install an SSL Certificate on the Access Manager Load Balancer

  6. To Create an SSL Proxy for SSL Termination on the Access Manager Load Balancer

Procedure: To Verify Successful Directory Server Load Balancing and System Failover for Access Manager 1 and Access Manager 2

Perform the following steps to confirm that Access Manager directory requests are directed to only one instance of Directory Server, and that system failover and recovery work properly. The steps in this procedure are specific to Access Manager 1. Substitute http://AccessManager-2.example.com:1080/amserver/console where appropriate to perform this procedure for Access Manager 2.

  1. Confirm that the load balancer is properly configured for simple persistence.

    1. As a root user, log in to the DirectoryServer–1 and the DirectoryServer–2 host machines.

    2. On each server, use the tail command to watch the Directory Server access log.


      # cd /var/opt/mps/am-config/logs
      # tail -f access
      
    3. Access http://AccessManager-1.example.com:1080/amserver/console from a web browser and log in to the Access Manager 1 console as the default administrator.

      Username

      amadmin

      Password

      4m4dmin1

    4. Navigate inside the Access Manager 1 console while paying attention to the Directory Server access logs.

      You should see all directory accesses are directed to one Directory Server instance only, excluding the health check probing from the load balancer device. The navigation should not have any errors.

    5. Log out of the Access Manager 1 console and close the browser when successful.

  2. Confirm that Directory Server failover is working properly.

    1. Stop Directory Server 1 instance.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-config
      
      Server stopped
    2. Access http://AccessManager-1.example.com:1080/amserver/console from a web browser and log in to the Access Manager 1 console as the default administrator.

      Username

      amadmin

      Password

      4m4dmin1

    3. Navigate inside the Access Manager 1 console while paying attention to the Directory Server access logs.

      You should see all directory accesses are directed to Directory Server 2. The navigation should not have any errors.

    4. Log out and close the browser when successful.

    5. Start the Directory Server 1 instance.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm start /var/opt/mps/am-config
      
      Server started
    6. Stop Directory Server 2 instance.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-config
      
      Server stopped
    7. Access http://AccessManager-1.example.com:1080/amserver/console from a web browser and log in as the administrator, if necessary.

      Username

      amadmin

      Password

      4m4dmin1

    8. Navigate inside the Access Manager 1 console while paying attention to the Directory Server access logs.

      You should see all directory accesses are directed to Directory Server 1. The navigation should not have any errors.

    9. Log out and close the browser when successful.

    10. Start the Directory Server 2 instance.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm start /var/opt/mps/am-config
      
      Server started
  3. Confirm that both Directory Servers are running and log out of both host machines.

  4. Repeat this procedure for Access Manager 2.

    Substitute http://AccessManager-2.example.com:1080/amserver/console where applicable and perform these steps again.

Procedure: To Configure the Access Manager Load Balancer

Before You Begin
  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information.

      Pool Name

      AccessManager-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP addresses and port numbers for the Access Manager servers: AccessManager-1:1080 and AccessManager-2:1080.

    4. Click Done.

  5. Add a Virtual Server for the non-secure port 7070 on the Access Manager Load Balancer 3.

    This step defines instances of the load balancer.


    Note –

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for LoadBalancer-3.example.com

      Service

      7070

      Pool

      AccessManager-Pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the AccessManager-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    Access Manager ships with a JSP page named isAlive.jsp that can be requested to determine whether the server is up. In the following steps, you create a custom monitor that periodically requests that page. A success response shows not only that Access Manager accepts TCP connections, but also that a free thread was available to process the request.

    1. Click the Monitors tab

    2. Click Add and provide the following information.

      Name:

      AccessManager-http

      Inherits From:

      Choose http.

    3. Click Next on the Configure Basic Properties page.

    4. Enter the following value in the Send String field of the Configure ECV HTTP Monitor dialog.

      GET /amserver/isAlive.jsp

    5. On the Destination Address and Service (Alias) page, click Done.

      The monitor you entered is now added to the list of monitors.

    6. Click the Basic Associations tab.

    7. Find the IP address for AccessManager-1:1080 and AccessManager-2:1080.

    8. Mark the Add checkbox for AccessManager-1 and AccessManager-2.

    9. At the top of the Node column, choose the monitor that you just added, AccessManager-http.

    10. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left pane, click Pools.

    2. Click the name of the pool you want to configure.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Cookie Hash and set the following values.

      In this type of persistence, the load balancer uses a portion of the cookie as a hash ID.

      Cookie Name:

      amlbcookie

      Offset:

      1

      Length:

      1

    5. Click Apply.

  8. Log out of the load balancer console.

  9. Verify that the Access Manager load balancer is configured properly.

    1. As a root user, log in to the AccessManager–1 host machine.

    2. Run tail to view the access log.


      # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/logs
      # tail -f access
      

      If you see frequent entries similar to the one below, the custom monitor is configured properly.


      IP_address - - [12/Oct/2006:13:10:20 -0700] "GET /amserver/isAlive.jsp" 200 118

      If you do not see “GET /amserver/isAlive.jsp”, you must troubleshoot the load balancer configuration.

    3. As a root user, log in to the AccessManager–2 host machine.

    4. Run tail to view the access log.


      # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/logs
      # tail -f access
      

      If you see frequent entries similar to the one below, the custom monitor is configured properly.


      IP_address - - [12/Oct/2006:13:10:20 -0700] "GET /amserver/isAlive.jsp" 200 118

      If you do not see “GET /amserver/isAlive.jsp”, you must troubleshoot the load balancer configuration.

    5. Access http://LoadBalancer-3.example.com:7070/, the internal-facing load balancer, in a web browser.


      Caution –

      Do not supply the amserver prefix.


      If the browser displays the default Sun Java System Web Server document root page, it is configured properly.

    6. Log out of both Access Manager host machines.
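The script below is an added example, not part of the deployment guide, that automates the two checks in this procedure: it can send the monitor's own request, GET /amserver/isAlive.jsp, directly to a node, and it scans Web Server access log lines for the probes the load balancer should be leaving behind. The log lines are constructed sample input in the format shown above; the monitor source address 192.168.10.3 and the 30-second probe interval are assumptions, as BIG-IP's interval is not stated on this page.

```python
"""Check that the isAlive.jsp monitor is really probing each Access Manager node.

Added example (not from the deployment guide). Assumed: monitor source IP
192.168.10.3, expected probe interval 30 seconds.
"""
import http.client
import re
from datetime import datetime

# Common log format as it appears in the Web Server access log on this page;
# the monitor's request line carries no HTTP version, so the version is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def probe_is_alive(host, port=1080, timeout=5):
    """Send the same request the custom monitor sends; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/amserver/isAlive.jsp")
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def monitor_report(lines, monitor_ip, expected_interval=30):
    """Summarise the monitor's isAlive probes found in a batch of log lines.

    healthy means: at least one probe seen, every probe answered 200, and no
    gap between consecutive probes longer than twice the expected interval.
    """
    probes = [e for e in map(parse_line, lines)
              if e and e["ip"] == monitor_ip and "/amserver/isAlive.jsp" in e["req"]]
    probes.sort(key=lambda e: e["ts"])
    failures = [e for e in probes if e["status"] != 200]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(probes, probes[1:])]
    return {
        "probes": len(probes),
        "failures": len(failures),
        "max_gap": max(gaps) if gaps else None,
        "healthy": bool(probes) and not failures and all(g <= 2 * expected_interval for g in gaps),
    }


# Constructed sample log lines (not real log output).
SAMPLE_LOG = """\
192.168.10.3 - - [12/Oct/2006:13:10:20 -0700] "GET /amserver/isAlive.jsp" 200 118
10.0.0.15 - - [12/Oct/2006:13:10:27 -0700] "GET /amserver/UI/Login HTTP/1.1" 200 6243
192.168.10.3 - - [12/Oct/2006:13:10:50 -0700] "GET /amserver/isAlive.jsp" 200 118
192.168.10.3 - - [12/Oct/2006:13:11:20 -0700] "GET /amserver/isAlive.jsp" 200 118
""".splitlines()

# Same monitor, but one probe failed and the next one is late: not healthy.
DEGRADED_LOG = """\
192.168.10.3 - - [12/Oct/2006:13:10:20 -0700] "GET /amserver/isAlive.jsp" 200 118
192.168.10.3 - - [12/Oct/2006:13:10:50 -0700] "GET /amserver/isAlive.jsp" 503 0
192.168.10.3 - - [12/Oct/2006:13:12:50 -0700] "GET /amserver/isAlive.jsp" 200 118
""".splitlines()


if __name__ == "__main__":
    # On a node, feed it the live log: monitor_report(open(".../logs/access"), "192.168.10.3")
    # or probe a node directly: probe_is_alive("AccessManager-1.example.com")
    print(monitor_report(SAMPLE_LOG, "192.168.10.3"))
    print(monitor_report(DEGRADED_LOG, "192.168.10.3"))
```

A report with probes equal to 0 on a node means the monitor is not reaching it at all (the troubleshooting case in this procedure); failures greater than 0 means the node is reachable but isAlive.jsp is not returning 200, which is what makes BIG-IP mark the node down.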

Procedure: To Request a Secure Sockets Layer Certificate for the Access Manager Load Balancer

Generate a request for a Secure Sockets Layer (SSL) certificate to send to a certificate authority.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console using the following information.

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. In the Create Certificate Request page, provide the following information.

    Key Identifier:

    LoadBalancer-3.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    LoadBalancer-3.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a text file.

  10. Log out of the console and close the browser.

  11. Send the certificate request text you saved to the Certificate Authority of your choice.

    A Certificate Authority (CA) is an entity that issues digital certificates; VeriSign, Thawte, Entrust, and GoDaddy are just a few. In this deployment, the CA certificates were obtained from OpenSSL, that is, from a private CA, so browsers will not trust the resulting certificates until the CA root certificate is installed in them. Follow the instructions provided by your Certificate Authority to submit a certificate request.

Procedure: To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer

The CA root certificate proves that the particular CA (such as VeriSign or Entrust) did, in fact, issue a particular SSL certificate. You install the root certificate on Load Balancer 3 so that the chain from the Load Balancer 3 SSL certificate back to its issuing CA can be built and presented to clients. CA root certificates are publicly available.

Before You Begin

You should have a CA root certificate.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in with the following information.

    User name:

    username

    Password:

    password

  3. In the BIG-IP load balancer console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, choose Browser.

  9. Navigate to the file that includes the root CA certificate and click Open.

  10. In the Certificate Identifier field, enter OpenSSL_CA_cert.

  11. Click Install Certificate.

  12. On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The root certificate OpenSSL_CA_Cert is now included in the Certificate ID list.

Procedure: To Install an SSL Certificate on the Access Manager Load Balancer

Before You Begin

This procedure assumes you have received an SSL certificate from a CA and just completed To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key LoadBalancer-3.example.com is in the Key List. This was generated in To Request a Secure Sockets Layer Certificate for the Access Manager Load Balancer.

  3. In the Certificate ID column, click Install for LoadBalancer-3.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to the file that contains the certificate text sent to you by the CA and click Open.

  6. Click Install Certificate.

  7. On the Certificate LoadBalancer-3.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates LoadBalancer-3.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

Procedure: To Create an SSL Proxy for SSL Termination on the Access Manager Load Balancer

Terminating Secure Sockets Layer (SSL) at Load Balancer 3 improves the performance of the Access Manager servers and simplifies SSL certificate management, because only the load balancer holds the server certificate and private key. Clients send SSL-encrypted data to Load Balancer 3, which decrypts it and sends the unencrypted data to the appropriate Access Manager server; the Access Manager server therefore performs no decryption, and the load on its processor is reduced. Load Balancer 3 also encrypts responses from the Access Manager server and sends the encrypted responses back to the client. Note that the leg from Load Balancer 3 to the Access Manager servers (the port 7070 virtual server and the port 1080 pool members) carries login credentials and session cookies in the clear, so it must run on a network segment that untrusted hosts cannot reach. To set this up, you create an SSL proxy, the gateway that decrypts HTTP requests and encrypts the replies.


Note –

SSL communication is terminated at Load Balancer 3 before a request is forwarded to the Access Manager servers.


Before You Begin

Before creating the SSL proxy, you should have a certificate issued by a recognized CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in with the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information.

    Proxy Type:

    Check the SSL checkbox.

    Proxy Address:

    The IP address of Load Balancer 3.

    Proxy Service:

    9443

    The secure port number

    Destination Address:

    The IP address of Load Balancer 3.

    Destination Service:

    7070

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose LoadBalancer-3.example.com.

    SSL Key:

    Choose LoadBalancer-3.example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. In the Rewrite Redirects field, choose Matching.

  9. Click Done.

    The new proxy server is added to the Proxy Server list.

  10. Log out of the load balancer console.

  11. Access https://LoadBalancer-3.example.com:9443/index.html from a web browser.

    If the Web Server index page is displayed, you can access the Web Server using the new proxy server port number and the load balancer is configured properly.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  12. Close the browser.
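The following script is an added example, not part of the deployment guide, that performs the check in step 11 without a browser and without the browser's trust store getting in the way: it connects to LoadBalancer-3.example.com:9443 as a client that trusts only the private OpenSSL CA, validates the chain and host name, and summarises the certificate it was shown. The path ca_root.pem (the CA root exported in PEM form), the issuer common name OpenSSL_CA, and the SAMPLE_CERT dictionary are all assumptions or constructed input; SAMPLE_CERT only mirrors the shape that ssl.SSLSocket.getpeercert() returns.

```python
"""Verify the Load Balancer 3 SSL proxy and certificate chain from the command line.

Added example (not from the deployment guide). Assumed: the CA root imported on
the BIG-IP is available locally as ca_root.pem and its common name is OpenSSL_CA.
"""
import socket
import ssl
from datetime import datetime, timezone


def cert_summary(cert, now=None):
    """Extract what an operator checks: issuer, subject, SANs and days until expiry."""
    def common_name(name):
        # getpeercert() encodes names as a tuple of RDNs, each a tuple of (type, value).
        for rdn in name:
            for key, value in rdn:
                if key == "commonName":
                    return value
        return None

    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {
        "subject_cn": common_name(cert["subject"]),
        "issuer_cn": common_name(cert["issuer"]),
        "dns_names": dns_names,
        "days_left": (expires - now).days,
    }


def check_ssl_proxy(host="LoadBalancer-3.example.com", port=9443, cafile="ca_root.pem"):
    """Connect trusting only our private CA; raises ssl.SSLError on a bad chain or name mismatch.

    Run against port 7070 this fails, which is expected: SSL is terminated on
    the load balancer and the virtual server behind the proxy speaks plain HTTP.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED plus host name check
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return cert_summary(tls.getpeercert())


# Constructed sample (not a real certificate), in the shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationalUnitName", "Deployment"),),
                (("commonName", "LoadBalancer-3.example.com"),)),
    "issuer": ((("commonName", "OpenSSL_CA"),),),
    "subjectAltName": (("DNS", "LoadBalancer-3.example.com"),),
    "notBefore": "Oct 12 20:10:20 2006 GMT",
    "notAfter": "Oct 12 20:10:20 2007 GMT",
}
SAMPLE_NOW = datetime(2006, 10, 12, 20, 10, 20, tzinfo=timezone.utc)


def sample_summary():
    """Summarise SAMPLE_CERT at a fixed point in time (used for the offline demonstration)."""
    return cert_summary(SAMPLE_CERT, now=SAMPLE_NOW)


if __name__ == "__main__":
    print(sample_summary())
    # Against the live deployment: print(check_ssl_proxy())
```

If check_ssl_proxy raises a certificate verify error while the browser test in step 11 only warned, the chain the proxy presents is incomplete or the wrong issuer was imported; if it raises a host name mismatch, the Domain Name entered in the certificate request does not match the name clients use.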