Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

8.4 Configuring the Distributed Authentication User Interface Load Balancer

The following figure illustrates how Load Balancer 4 is configured in front of the two instances of the Distributed Authentication User Interface.

Figure 8–1 Distributed Authentication

Load Balancer 4 is installed in front of two instances of the Distributed Authentication User Interface.

Use the following list of procedures as a checklist for configuring the Distributed Authentication User Interface load balancer.

  1. To Configure the Distributed Authentication User Interface Load Balancer

  2. To Configure Load Balancer Cookies for the Distributed Authentication User Interface

  3. To Request a Secure Sockets Layer Certificate for the Distributed Authentication User Interface Load Balancer

  4. To Import a CA Root Certificate on the Distributed Authentication User Interface Load Balancer

  5. To Install an SSL Certificate on the Distributed Authentication User Interface Load Balancer

  6. To Configure SSL Termination on the Distributed Authentication User Interface Load Balancer

Procedure: To Configure the Distributed Authentication User Interface Load Balancer

Before You Begin

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in using the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      AuthenticationUI-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Distributed Authentication User Interface host machines: AuthenticationUI-1:1080 and AuthenticationUI-2:1080.

    4. Click Done.

  5. Add a Virtual Server.

    This step defines instances of the load balancer.


    Tip –

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, Click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add Virtual Server wizard, enter the virtual server IP address and port number.

      Address

      Enter the IP address for LoadBalancer-4.example.com

      Service

      90

      Pool

      AuthenticationUI-Pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the AuthenticationUI-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    Monitors are required for the load balancer to detect backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an HTTP monitor to each Web Server node.

      In the Node list, locate the IP address and port number for AuthenticationUI-1:1080 and AuthenticationUI-2:1080, and select the Add checkbox.

    4. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left frame, click Pools.

    2. Click the AuthenticationUI-Pool link.

    3. Click the Persistence tab.

    4. Under Persistence Type, choose Passive HTTP Cookie and click Apply.

  8. To verify that the Distributed Authentication User Interface load balancer is configured properly, access http://LoadBalancer-4.example.com:90/ from a web browser.

    If the browser successfully renders the default Web Server document root page, the load balancer has been configured properly.

Procedure: To Configure Load Balancer Cookies for the Distributed Authentication User Interface

Modify AMConfig.properties on both Distributed Authentication User Interface host machines.

  1. Log in as a root user to the AuthenticationUI-1 host machine.

  2. Change to the classes directory.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/web-app/AuthenticationUI-1.example.com/distAuth/WEB-INF/classes

  3. Make the following changes to AMConfig.properties.


    Tip –

    Back up AMConfig.properties before you modify it.


    • Uncomment the last two lines at the end of the file.

    • Set the following values:

      com.iplanet.am.lbcookie.name=AuthenticationUILBCookie
      com.iplanet.am.lbcookie.value=AuthenticationUI-1

  4. Save the file and close it.

  5. Restart the AuthenticationUI-1 host machine.

  6. Log in as a root user to the AuthenticationUI-2 host machine.

  7. Change to the classes directory.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/web-app/AuthenticationUI-2.example.com/distAuth/WEB-INF/classes

  8. Make the following changes to AMConfig.properties.


    Tip –

    Back up AMConfig.properties before you modify it.


    • Uncomment the last two lines at the end of the file.

    • Set the following values:

      com.iplanet.am.lbcookie.name=AuthenticationUILBCookie
      com.iplanet.am.lbcookie.value=AuthenticationUI-2

  9. Save the file and close it.

  10. Restart the AuthenticationUI-2 host machine.
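The same edit can be scripted so that both hosts get exactly the same change and a backup is always taken. The following script is an added example, not part of the deployment guide or of Access Manager: it uncomments and sets the two `com.iplanet.am.lbcookie.*` properties in a copy of AMConfig.properties. The cookie name and the per-host values are the ones from the procedure above; the sample file written by `write_sample_config` is constructed for the demonstration and is not a real AMConfig.properties. It assumes a POSIX awk (`nawk` or `/usr/xpg4/bin/awk` on Solaris), `cp -p` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the deployment guide): apply the lbcookie settings
# from the procedure above to AMConfig.properties without editing it by hand.
set -eu

# set_lbcookie FILE COOKIE_NAME COOKIE_VALUE
# Copies FILE to FILE.bak, then rewrites it so that
#   com.iplanet.am.lbcookie.name=COOKIE_NAME
#   com.iplanet.am.lbcookie.value=COOKIE_VALUE
# each appear exactly once, uncommented. A commented-out or differently
# valued line for either property is replaced in place; a missing one is
# appended at the end of the file.
set_lbcookie() {
    file=$1 name=$2 value=$3
    cp -p "$file" "$file.bak"
    tmp=$(mktemp)
    awk -v n="$name" -v v="$value" '
        # match the property with or without a leading "#" (i.e. uncomment it)
        /^[ \t]*#?[ \t]*com\.iplanet\.am\.lbcookie\.name[ \t]*=/ {
            if (!seen_n) print "com.iplanet.am.lbcookie.name=" n; seen_n = 1; next
        }
        /^[ \t]*#?[ \t]*com\.iplanet\.am\.lbcookie\.value[ \t]*=/ {
            if (!seen_v) print "com.iplanet.am.lbcookie.value=" v; seen_v = 1; next
        }
        { print }
        END {
            if (!seen_n) print "com.iplanet.am.lbcookie.name=" n
            if (!seen_v) print "com.iplanet.am.lbcookie.value=" v
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through so the file keeps its owner and mode
    rm -f "$tmp"
}

# get_prop FILE KEY: prints the uncommented value of KEY (empty if unset).
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$1" | tail -n 1
}

# write_sample_config FILE: a constructed stand-in for AMConfig.properties,
# ending with the two commented-out lines the procedure tells you to uncomment.
write_sample_config() {
    cat > "$1" <<'EOF'
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.services.debug.level=error
#com.iplanet.am.lbcookie.name=amlbcookie
#com.iplanet.am.lbcookie.value=
EOF
}

# Demonstration on a copy in a temporary directory. On the real host the file
# lives in the distAuth/WEB-INF/classes directory shown in step 2 above.
workdir=$(mktemp -d)
write_sample_config "$workdir/AMConfig.properties"
set_lbcookie "$workdir/AMConfig.properties" AuthenticationUILBCookie AuthenticationUI-1
echo "lbcookie lines after the edit:"
grep 'lbcookie' "$workdir/AMConfig.properties"
echo "backup kept at $workdir/AMConfig.properties.bak"
rm -rf "$workdir"
```

On AuthenticationUI-1 you would call `set_lbcookie` on the real file with the value `AuthenticationUI-1`, and on AuthenticationUI-2 with `AuthenticationUI-2`, then restart each host as the procedure says. The value must differ per host: it is what identifies the instance that set the cookie, which the passive HTTP cookie persistence configured earlier relies on to route a client back to the same instance.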

Procedure: To Request a Secure Sockets Layer Certificate for the Distributed Authentication User Interface Load Balancer

Generate a request for a Secure Sockets Layer (SSL) certificate to send to a certificate authority.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in to the BIG-IP console using the following information.

    User Name:

    username

    Password:

    password

  3. Click Configure your BIG-IP using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. On the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-4.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    LoadBalancer-4.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a text file.

  10. Log out of the console and close the browser.

  11. Send the certificate request text you saved to the Certificate Authority of your choice.

    A Certificate Authority (CA) is an entity that issues certified digital certificates; VeriSign, Thawte, Entrust, and GoDaddy are just a few. In this deployment, CA certificates were obtained from OpenSSL. Follow the instructions provided by your Certificate Authority to submit a certificate request.

Procedure: To Import a CA Root Certificate on the Distributed Authentication User Interface Load Balancer

The CA root certificate proves that the particular CA (such as VeriSign or Entrust) did, in fact, issue a particular SSL certificate. You install the root certificate on Load Balancer 4 so that the chain of trust between the Load Balancer 4 SSL certificate and its issuing CA can be verified. CA root certificates are publicly available.

Before You Begin

You should have a CA root certificate.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. In the BIG-IP load balancer console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, choose Browser.

  9. Navigate to the file that includes the root CA Certificate and click Open.

  10. In the Certificate Identifier field, enter OpenSSL_CA_Cert.

  11. Click Install Certificate.

  12. On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The root certificate OpenSSL_CA_Cert is now included in the Certificate ID list.
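Before importing a root and installing the certificate that goes with it, it is worth confirming on a workstation that the two actually belong together. The following script is an added example, not part of the deployment guide: it builds a throwaway CA and a certificate for LoadBalancer-4.example.com signed by it (plus an unrelated CA), then shows that `openssl verify` accepts the certificate only against the root that issued it. All subjects and file names are constructed for the demonstration; the same `verify_chain` call, run against the CA root you intend to import and the certificate you received, is the check. It assumes the `openssl` command is available.

```shell
#!/bin/sh
# Added example, not from the deployment guide: confirm that a server
# certificate chains to a given CA root before either is installed on the
# load balancer.
set -eu

# make_test_pki DIR: creates ca.pem/ca.key (the issuing CA), lb.pem/lb.key
# (the load balancer certificate signed by that CA) and other-ca.pem (an
# unrelated CA). Subjects are constructed for this example.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Example Deployment Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/OU=Deployment/CN=LoadBalancer-4.example.com" \
        -keyout "$dir/lb.key" -out "$dir/lb.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/lb.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/lb.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Unrelated Root CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: exit status 0 when CERT chains to a root in CAFILE.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT: prints the certificate's subject, to eyeball the host name.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    make_test_pki "$workdir"
    cert_subject "$workdir/lb.pem"
    if verify_chain "$workdir/ca.pem" "$workdir/lb.pem"; then
        echo "lb.pem chains to ca.pem: this is the root to import"
    fi
    if ! verify_chain "$workdir/other-ca.pem" "$workdir/lb.pem"; then
        echo "lb.pem does not chain to other-ca.pem: rejected, as expected"
    fi
    rm -rf "$workdir"
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

For the real files, `verify_chain root.pem received-cert.pem` succeeding tells you the root you are about to label OpenSSL_CA_Cert is the one that signed the LoadBalancer-4.example.com certificate; a failure means you have the wrong root, an intermediate is missing from the file, or the certificate is not the one issued for the request generated earlier.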

Procedure: To Install an SSL Certificate on the Distributed Authentication User Interface Load Balancer

Before You Begin

This procedure assumes you have received an SSL certificate from a CA and just completed To Import a CA Root Certificate on the Distributed Authentication User Interface Load Balancer.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key LoadBalancer-4.example.com is in the Key List. This was generated in To Request a Secure Sockets Layer Certificate for the Distributed Authentication User Interface Load Balancer.

  3. In the Certificate ID column, click the Install button for LoadBalancer-4.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to the file that contains the certificate text sent to you by the CA and click Open.

  6. Click Install Certificate.

  7. On the Certificate LoadBalancer-4.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates LoadBalancer-4.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

Procedure: To Configure SSL Termination on the Distributed Authentication User Interface Load Balancer

Secure Sockets Layer (SSL) termination at Load Balancer 4 improves performance at the Access Manager level and simplifies SSL certificate management. Because Load Balancer 4 sends unencrypted data internally, neither the Access Manager server nor the Distributed Authentication User Interface has to perform decryption, which relieves the burden on their processors. Clients send SSL-encrypted data to Load Balancer 4, which decrypts the data and sends the unencrypted data to the appropriate Distributed Authentication User Interface instance. Load Balancer 4 also encrypts responses from the Distributed Authentication User Interface and sends these encrypted responses back to the client. To this end, you create an SSL proxy: the gateway that decrypts HTTP requests and encrypts the replies.


Note –

Load Balancer 4 can intelligently load-balance a request based on unencrypted cookies. This would not be possible with SSL-encrypted cookies because Load Balancer 4 cannot read SSL-encrypted cookies.


Before You Begin

Before creating the SSL proxy, you should have a certificate issued by a recognized CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. On the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information:

    Proxy Type:

    Check the SSL checkbox.

    Proxy Address:

    The IP address of Load Balancer 4, the Distributed Authentication User Interface load balancer.

    Proxy Service:

    9443

    The secure port number

    Destination Address:

    The IP address of Load Balancer 4, the Distributed Authentication User Interface load balancer.

    Destination Service:

    90

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose LoadBalancer-4.example.com.

    SSL Key:

    Choose LoadBalancer-4.example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. In the Rewrite Redirects field, choose All.

  9. Click Done.

    The new proxy server is now added to the Proxy Server list.

  10. Log out of the load balancer console.

  11. Access https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?goto=https://LoadBalancer-3.example.com:9443 from a web browser.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  12. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

    If you can successfully log in to Access Manager, the SSL certificate is installed and the proxy service is configured properly.

  13. Log out of Access Manager, and close the browser.