This chapter contains technical information regarding the machines, software, and other components used in this deployment example: the physical host machines, the software versions, the main service URLs, the communication that takes place between components, the intended firewall rules, and how replicated directory entries are inspected.
The following table lists the attributes of the physical host machines used for this deployment example.

Table 2–1 Physical Machines and Operating Systems

| Host Machine | Architecture | Operating System |
|---|---|---|
| DirectoryServer-1 | x86 | Solaris 10 |
| DirectoryServer-2 | x86 | Solaris 10 |
| AccessManager-1 | SPARC | Solaris 10 |
| AccessManager-2 | SPARC | Solaris 10 |
| MessageQueue-1 | SPARC | Solaris 10 |
| MessageQueue-2 | SPARC | Solaris 10 |
| AuthenticationUI-1 | x86 | Solaris 10 |
| AuthenticationUI-2 | x86 | Solaris 10 |
| ProtectedResource-1 | SPARC | Solaris 10 |
| ProtectedResource-2 | SPARC | Solaris 10 |
The following table lists the software used in this deployment example.

Table 2–2 Software Versions and Download Locations

| Product | Version | Download Location |
|---|---|---|
| Sun Java System Access Manager | 7.1 | |
| Sun Java System Web Server | 7.0 | |
| Sun Java System Directory Server | 6.0 | |
| BEA WebLogic Server | 9.2 | |
| Web Policy Agent (for Sun Java System Web Server) | 2.2 | |
| J2EE Policy Agent (for BEA WebLogic Server) | 2.2 | |
| Java (for Access Manager and policy agents) | 1.5.0_09 | |
| BIG-IP Load Balancer | | |
The following table summarizes the main service URLs for the components used in this deployment example. For detailed configuration information, see Part III, Reference: Summaries of Server and Component Configurations.

Table 2–3 Components and Main Service URLs

| Component | Main Service URL |
|---|---|
| Directory Server instances and load balancers: | |
| Directory Server 1 | ldap://DirectoryServer-1.example.com:1389 (Access Manager configuration data); ldap://DirectoryServer-1.example.com:1489 (user data) |
| Directory Server 2 | ldap://DirectoryServer-2.example.com:1389 (Access Manager configuration data); ldap://DirectoryServer-2.example.com:1489 (user data) |
| Load Balancer 1 | ldap://LoadBalancer-1.example.com:389 (Access Manager configuration data) |
| Load Balancer 2 | ldap://LoadBalancer-2.example.com:489 (user data) |
| Access Manager servers and load balancer: | |
| Access Manager 1 | http://AccessManager-1.example.com:1080/amserver/console |
| Access Manager 2 | http://AccessManager-2.example.com:1080/amserver/console |
| Load Balancer 3 | http://LoadBalancer-3.example.com:7070 (Intranet users); https://LoadBalancer-3.example.com:9443 (Internet users) |
| Message Queue broker cluster: | |
| Message Queue 1 | http://MessageQueue-1.example.com:7777 |
| Message Queue 2 | http://MessageQueue-2.example.com:7777 |
| Distributed Authentication User Interfaces and load balancer: | |
| Distributed Authentication User Interface 1 | http://AuthenticationUI-1.example.com:1080/distAuth/UI/Login |
| Distributed Authentication User Interface 2 | http://AuthenticationUI-2.example.com:1080/distAuth/UI/Login |
| Load Balancer 4 | http://LoadBalancer-4.example.com:90 (non-secure, internal users); https://LoadBalancer-4.example.com:9443 (secure, external users) |
| Protected Resources 1 and 2, policy agents, and load balancers: | |
| Web Container 1 | https://ProtectedResource-1.example.com:8989 (Sun Java System Web Server administration console) |
| Web Policy Agent 1 | http://ProtectedResource-1.example.com:1080 |
| J2EE Container 1 | http://ProtectedResource-1.example.com:7001/console (BEA WebLogic administration server) |
| J2EE Policy Agent 1 | http://ProtectedResource-1.example.com:1081 |
| Web Container 2 | https://ProtectedResource-2.example.com:8989 (Sun Java System Web Server administration console) |
| Web Policy Agent 2 | http://ProtectedResource-2.example.com:1080 |
| J2EE Container 2 | http://ProtectedResource-2.example.com:7001/console (BEA WebLogic administration server) |
| J2EE Policy Agent 2 | http://ProtectedResource-2.example.com:1081 |
| Load Balancer 5 | http://LoadBalancer-5.example.com:90 (web policy agents) |
| Load Balancer 6 | http://LoadBalancer-6.example.com:91 (J2EE policy agents) |

Load Balancers 1 and 2 front the LDAP ports of the Directory Server instances (ports 389 and 489 carry LDAP, as Table 2–4 shows), so their service URLs use the ldap scheme.
The following table provides an overview of the types of communication that take place between servers, load balancers, and other components in the deployment example. Port is the port on which Entity B listens. In bi-directional rows either entity may initiate a connection to the other on that port.

Table 2–4 Summary of Intercomponent Communication

| Entity A | Entity B | Bi-Directional | Port | Protocol | Traffic Type |
|---|---|---|---|---|---|
| Internet users | LoadBalancer-5 | No | 90 | HTTP | Application traffic |
| Intranet users | LoadBalancer-3 | No | 7070 | HTTP | Intranet user authentication |
| Internet users | LoadBalancer-6 | No | 91 | HTTP | Application traffic |
| Internet users | LoadBalancer-4 | No | 9443 | HTTPS | Internet user authentication |
| LoadBalancer-4 | AuthenticationUI-1 | No | 1080 | HTTP | Internet user authentication |
| LoadBalancer-4 | AuthenticationUI-2 | No | 1080 | HTTP | Internet user authentication |
| LoadBalancer-5 | ProtectedResource-1 | No | 1080 | HTTP | Application traffic |
| LoadBalancer-5 | ProtectedResource-2 | No | 1080 | HTTP | Application traffic |
| LoadBalancer-6 | ProtectedResource-1 | No | 1081 | HTTP | Application traffic |
| LoadBalancer-6 | ProtectedResource-2 | No | 1081 | HTTP | Application traffic |
| AuthenticationUI-1 | LoadBalancer-3 | No | 9443 | HTTPS | Internet user authentication |
| AuthenticationUI-2 | LoadBalancer-3 | No | 9443 | HTTPS | Internet user authentication |
| ProtectedResource-1 | LoadBalancer-3 | No | 9443 | HTTPS | Agent-AM communication |
| ProtectedResource-2 | LoadBalancer-3 | No | 9443 | HTTPS | Agent-AM communication |
| LoadBalancer-3 | AccessManager-1 | No | 1080 | HTTP | User authentication; agent-AM communication |
| LoadBalancer-3 | AccessManager-2 | No | 1080 | HTTP | User authentication; agent-AM communication |
| AccessManager-1 | AccessManager-2 | Yes | 1080 | HTTP | AM back-channel communication |
| AccessManager-1 | MessageQueue-1 | No | 7777 | HTTP | Session communication |
| AccessManager-1 | LoadBalancer-1 | No | 389 | LDAP | AM configuration communication |
| AccessManager-1 | LoadBalancer-2 | No | 489 | LDAP | User profile communication; user authentication |
| AccessManager-2 | MessageQueue-2 | No | 7777 | HTTP | Session communication |
| AccessManager-2 | LoadBalancer-1 | No | 389 | LDAP | AM configuration communication |
| AccessManager-2 | LoadBalancer-2 | No | 489 | LDAP | User profile communication; user authentication |
| MessageQueue-1 | MessageQueue-2 | Yes | 7777 | HTTP | Session communication |
| LoadBalancer-1 | DirectoryServer-1 | No | 1389 | LDAP | AM configuration communication |
| LoadBalancer-1 | DirectoryServer-2 | No | 1389 | LDAP | AM configuration communication |
| LoadBalancer-2 | DirectoryServer-1 | No | 1489 | LDAP | User profile communication; user authentication |
| LoadBalancer-2 | DirectoryServer-2 | No | 1489 | LDAP | User profile communication; user authentication |
| DirectoryServer-1 | DirectoryServer-2 | Yes | 1389 | LDAP | Data replication communication |
| DirectoryServer-1 | DirectoryServer-2 | Yes | 1489 | LDAP | Data replication communication |
Actual firewalls are not set up in this deployment example. If firewalls were configured, the intended design would protect critical components using the three distinct security zones illustrated in Figure 1–1. The innermost zone, protected by all three firewalls, carries internal traffic only. The second, less restricted zone is protected by two firewalls and also carries internal traffic only. The third, minimally protected demilitarized zone (DMZ) exposes only simple components and interfaces to the Internet and carries the external traffic. Direct access to individual Access Manager servers and Directory Server instances is therefore possible only where firewall rules permit it. Based on the illustration cited:

- The Access Manager servers are isolated between an internal firewall and the DMZ. Access Manager services are exposed through an external-facing load balancer and an internal-facing load balancer; together, the load balancer and the Access Manager servers provide high availability within the infrastructure.
- The policy agents run on the protected resource hosts, which sit behind a load balancer configured in the DMZ.
- The Distributed Authentication User Interface is deployed in the DMZ and communicates with Access Manager through a firewall, so that the Access Manager servers themselves are never exposed in the minimally protected DMZ.

If firewalls are configured, set them up to allow traffic to flow as described in the following table.
Table 2–5 Summary of Firewall Rules

| From | To | Port | Protocol | Traffic Type |
|---|---|---|---|---|
| Internet users | LoadBalancer-4 | 9443 | HTTPS | User authentication |
| Internet users | LoadBalancer-5 | 90 | HTTP | Application access by Internet user |
| Internet users | LoadBalancer-6 | 91 | HTTP | Application access by Internet user |
| AuthenticationUI-1 | LoadBalancer-3 | 9443 | HTTPS | User authentication |
| AuthenticationUI-2 | LoadBalancer-3 | 9443 | HTTPS | User authentication |
| LoadBalancer-5 | ProtectedResource-1 | 1080 | HTTP | Application access by user |
| LoadBalancer-5 | ProtectedResource-2 | 1080 | HTTP | Application access by user |
| LoadBalancer-6 | ProtectedResource-1 | 1081 | HTTP | Application access by user |
| LoadBalancer-6 | ProtectedResource-2 | 1081 | HTTP | Application access by user |
| Intranet users | LoadBalancer-3 | 7070 | HTTP | User authentication and various Access Manager services |

Each DMZ load balancer needs a rule for both of the protected resource hosts it fronts, as listed in Table 2–4. Note also that Internet users authenticate over HTTPS (port 9443) but reach the protected applications over plain HTTP (ports 90 and 91), so the Access Manager session cookie that the policy agents check on every request is sent in cleartext on those connections; in a production deployment, terminate TLS on LoadBalancer-5 and LoadBalancer-6 as well.
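The following script is an added example, not part of the original deployment example. It cross-checks the communication matrix of Table 2–4 against the firewall rules of Table 2–5: every flow whose endpoints sit in different zones must have a matching rule, and any cross-zone flow on a cleartext protocol is reported so it can be reviewed. The placement of hosts into zones (the ZONES map) is an assumption drawn from the prose above, since the chapter names the three zones but does not list which host is in which; adjust it to the actual network before acting on the report. Host names are the example.com placeholders used throughout the chapter.

```python
"""Cross-check the communication matrix (Table 2-4) against the firewall
rules (Table 2-5).  Added example, not part of the original deployment.

FLOWS and RULES are transcribed from the two tables.  ZONES is an assumed
placement (DMZ: external load balancers and Distributed Authentication UI;
internal: Access Manager and protected resources; restricted: Directory
Server, Message Queue and their load balancers); change it to match the
real design.
"""
from collections import namedtuple

# One directed connection: src initiates to dst's listening port.
Flow = namedtuple("Flow", "src dst port proto")

# Table 2-4; bi-directional rows are listed once, the zone check is symmetric.
FLOWS = [
    Flow("Internet", "LoadBalancer-5", 90, "HTTP"),
    Flow("Internet", "LoadBalancer-6", 91, "HTTP"),
    Flow("Internet", "LoadBalancer-4", 9443, "HTTPS"),
    Flow("Intranet", "LoadBalancer-3", 7070, "HTTP"),
    Flow("LoadBalancer-4", "AuthenticationUI-1", 1080, "HTTP"),
    Flow("LoadBalancer-4", "AuthenticationUI-2", 1080, "HTTP"),
    Flow("LoadBalancer-5", "ProtectedResource-1", 1080, "HTTP"),
    Flow("LoadBalancer-5", "ProtectedResource-2", 1080, "HTTP"),
    Flow("LoadBalancer-6", "ProtectedResource-1", 1081, "HTTP"),
    Flow("LoadBalancer-6", "ProtectedResource-2", 1081, "HTTP"),
    Flow("AuthenticationUI-1", "LoadBalancer-3", 9443, "HTTPS"),
    Flow("AuthenticationUI-2", "LoadBalancer-3", 9443, "HTTPS"),
    Flow("ProtectedResource-1", "LoadBalancer-3", 9443, "HTTPS"),
    Flow("ProtectedResource-2", "LoadBalancer-3", 9443, "HTTPS"),
    Flow("LoadBalancer-3", "AccessManager-1", 1080, "HTTP"),
    Flow("LoadBalancer-3", "AccessManager-2", 1080, "HTTP"),
    Flow("AccessManager-1", "AccessManager-2", 1080, "HTTP"),
    Flow("AccessManager-1", "MessageQueue-1", 7777, "HTTP"),
    Flow("AccessManager-2", "MessageQueue-2", 7777, "HTTP"),
    Flow("AccessManager-1", "LoadBalancer-1", 389, "LDAP"),
    Flow("AccessManager-2", "LoadBalancer-1", 389, "LDAP"),
    Flow("AccessManager-1", "LoadBalancer-2", 489, "LDAP"),
    Flow("AccessManager-2", "LoadBalancer-2", 489, "LDAP"),
    Flow("MessageQueue-1", "MessageQueue-2", 7777, "HTTP"),
    Flow("LoadBalancer-1", "DirectoryServer-1", 1389, "LDAP"),
    Flow("LoadBalancer-1", "DirectoryServer-2", 1389, "LDAP"),
    Flow("LoadBalancer-2", "DirectoryServer-1", 1489, "LDAP"),
    Flow("LoadBalancer-2", "DirectoryServer-2", 1489, "LDAP"),
    Flow("DirectoryServer-1", "DirectoryServer-2", 1389, "LDAP"),
    Flow("DirectoryServer-1", "DirectoryServer-2", 1489, "LDAP"),
]

# Table 2-5: a rule permits exactly one (src, dst, port, proto) combination.
RULES = {
    Flow("Internet", "LoadBalancer-4", 9443, "HTTPS"),
    Flow("Internet", "LoadBalancer-5", 90, "HTTP"),
    Flow("Internet", "LoadBalancer-6", 91, "HTTP"),
    Flow("AuthenticationUI-1", "LoadBalancer-3", 9443, "HTTPS"),
    Flow("AuthenticationUI-2", "LoadBalancer-3", 9443, "HTTPS"),
    Flow("LoadBalancer-5", "ProtectedResource-1", 1080, "HTTP"),
    Flow("LoadBalancer-5", "ProtectedResource-2", 1080, "HTTP"),
    Flow("LoadBalancer-6", "ProtectedResource-1", 1081, "HTTP"),
    Flow("LoadBalancer-6", "ProtectedResource-2", 1081, "HTTP"),
    Flow("Intranet", "LoadBalancer-3", 7070, "HTTP"),
}

# Assumed zone placement (see module docstring).
ZONES = {"Internet": "internet", "Intranet": "intranet"}
ZONES.update(dict.fromkeys(["LoadBalancer-4", "LoadBalancer-5", "LoadBalancer-6",
                            "AuthenticationUI-1", "AuthenticationUI-2"], "dmz"))
ZONES.update(dict.fromkeys(["LoadBalancer-3", "AccessManager-1", "AccessManager-2",
                            "ProtectedResource-1", "ProtectedResource-2"], "internal"))
ZONES.update(dict.fromkeys(["LoadBalancer-1", "LoadBalancer-2", "DirectoryServer-1",
                            "DirectoryServer-2", "MessageQueue-1", "MessageQueue-2"], "restricted"))

CLEARTEXT = {"HTTP", "LDAP"}   # protocols in the tables without transport encryption


def crosses_zone(flow, zones):
    """A flow passes a firewall when its endpoints are in different zones."""
    return zones[flow.src] != zones[flow.dst]


def missing_rules(flows, rules, zones):
    """Cross-zone flows that no rule permits; the firewall would drop them."""
    return [f for f in flows if crosses_zone(f, zones) and f not in rules]


def cleartext_crossings(flows, zones):
    """Cross-zone flows on a cleartext protocol, i.e. readable on the wire
    between zones (for example the session cookie on ports 90 and 91)."""
    return [f for f in flows if crosses_zone(f, zones) and f.proto in CLEARTEXT]


def report(flows=FLOWS, rules=RULES, zones=ZONES):
    """Findings as printable lines, tagged NO-RULE or CLEARTEXT."""
    def line(tag, f):
        return f"{tag:9} {f.src} -> {f.dst}:{f.port}/{f.proto} ({zones[f.src]} -> {zones[f.dst]})"
    return ([line("NO-RULE", f) for f in missing_rules(flows, rules, zones)]
            + [line("CLEARTEXT", f) for f in cleartext_crossings(flows, zones)])


if __name__ == "__main__":
    print("\n".join(report()))
```

With the assumed zone map, the Access Manager connections to the Message Queue brokers and to the Directory Server load balancers (ports 7777, 389, 489) are the flows that Table 2–5 does not cover; if the real design places those components in the same zone as Access Manager no rule is needed, which is exactly the kind of decision the ZONES map makes explicit.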
Throughout this deployment example, ldapsearch is used to view replicated entries. Alternatively, enable the Directory Server audit log and follow it with tail -f; the audit log also records the changes and updates that Access Manager configuration makes to the directory.
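The following script is an added example, not part of the original deployment example. It carries out the ldapsearch check just described: fetch the same entry from DirectoryServer-1 and DirectoryServer-2 on the user-data port and compare the two results. The comparison parses LDIF rather than diffing the raw text, because ldapsearch folds long values across continuation lines at whatever column it likes, may base64-encode a value on one server and not the other, and may return multi-valued attributes in a different order; a plain diff would report all of these as replication drift. The two LDIF strings are constructed stand-ins for the ldapsearch output, the entryid attribute is used as an example of a database-local attribute that legitimately differs, and the -j password-file option in the comments is the Sun Directory Server ldapsearch syntax (an assumption; use the equivalent for your client).

```python
"""Confirm that an entry is identical on both user-data replicas.

Added example, not part of the original deployment.  The LDIF samples stand
in for the output of (Sun DS ldapsearch syntax, assumed):
  ldapsearch -h DirectoryServer-1.example.com -p 1489 -D "cn=Directory Manager" \\
      -j pwfile -b dc=example,dc=com "uid=testuser" > ds1.ldif
  ldapsearch -h DirectoryServer-2.example.com -p 1489 -D "cn=Directory Manager" \\
      -j pwfile -b dc=example,dc=com "uid=testuser" > ds2.ldif
"""
import base64
from collections import defaultdict

# Constructed sample output.  The description value is folded at a different
# column on each server, DirectoryServer-2 base64-encodes cn and returns the
# objectClass values in another order; all of that is ordinary LDIF and must
# compare equal.  entryid is database-local and differs on purpose.
DS1_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
mail: testuser@example.com
description: Replicated test account used to verify that user data reaches
  both Directory Server instances
entryid: 23
"""

DS2_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: person
uid: testuser
cn:: VGVzdCBVc2Vy
sn: User
mail: testuser@example.com
description: Replicated test account used to verify that user data reaches both
  Directory Server instances
entryid: 41
"""

# Attributes local to each replica's database that legitimately differ
# (assumed list; extend it for your directory).
REPLICA_LOCAL = {"entryid", "entrydn"}


def parse_ldif(text):
    """Parse ldapsearch output into {dn: {attr_lowercase: set(values)}},
    unfolding continuation lines and decoding base64 ('attr::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, None
    for line in unfolded + [""]:           # sentinel blank line flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith(("#", "version:")):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(set)
        elif attrs is not None:
            attrs[name.lower()].add(value)
    return entries


def entry_diff(a, b, ignore=REPLICA_LOCAL):
    """{attr: (values on a, values on b)} for attributes whose value sets differ."""
    diffs = {}
    for attr in (set(a) | set(b)) - ignore:
        va, vb = a.get(attr, set()), b.get(attr, set())
        if va != vb:
            diffs[attr] = (sorted(va), sorted(vb))
    return diffs


def compare_replicas(ldif1, ldif2):
    """Return {dn: differences}; an empty dict means the replicas agree."""
    e1, e2 = parse_ldif(ldif1), parse_ldif(ldif2)
    result = {}
    for dn in set(e1) | set(e2):
        if dn not in e1 or dn not in e2:
            result[dn] = {"<entry>": ("present" if dn in e1 else "missing",
                                      "present" if dn in e2 else "missing")}
        elif entry_diff(e1[dn], e2[dn]):
            result[dn] = entry_diff(e1[dn], e2[dn])
    return result


if __name__ == "__main__":
    drift = compare_replicas(DS1_LDIF, DS2_LDIF)
    print("replicas agree" if not drift else drift)
```

Run it right after a change on one master and the returned dictionary shows exactly which attribute, or which whole entry, has not yet arrived on the other replica; run it with the base DN and a broad filter to compare a whole subtree at once.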