Sun Java System Portal Server 7.2 Installation and Configuration Guide

Setting up SSL Termination Between Gateway and Portal Server at Load Balancer

SSL Termination between Gateway and Portal Server at Load Balancer means that the SSL traffic between Gateway and the Portal Server instances is terminated at the Load Balancer, so the Portal Server instances behind it receive plain HTTP. SSL communication carries an encryption and decryption overhead that affects performance, and terminating it at the Load Balancer removes that overhead from the Portal Server instances.

Procedure: To Set up SSL Termination Between Gateway and Portal Server at Load Balancer

Assume there are two instances of Portal Server, PS1 and PS2, on Node 1 and Node 2 respectively. Gateway is on Node 3, and Load Balancer is on Node 4, between Gateway and the Portal Server instances. Access Manager (AM) instances are co-located with the Portal Server (PS) instances, so there are two instances each of Access Manager and Portal Server. The request path is: Gateway -> Load Balancer -> Portal Server instances (PS1, PS2, and so on).

  1. On Node 1, install Portal Server, Access Manager, and Directory Server.

    Use Java ES 5 or Java ES Update 1 installer for installing Access Manager and Directory Server. Use Portal Server 7.2 GUI installer for installing Portal Server 7.2.

  2. Start the web container and Directory Server and ensure that Portal Server is accessible, to check whether everything is installed properly on Node 1.

  3. On Node 3, install Gateway and Access Manager SDK and point them to Portal Server on Node 1. Ensure that you can log in to Portal Server on Node 1 through Gateway.

    Now you have set up a single Gateway and Portal Server without a Load Balancer.

  4. On Node 2, install Application Server 9.1 to create Access Manager and Portal Server instances.

  5. Log in to the Access Manager Administration Console (on Node 1) through a web browser. In the Organization Aliases list box on the right side, which already contains the entries Node1.domain.com and domain, add the Node2.domain.com entry.

  6. Click Service Configuration -> Platform. In the Platform Server List, add the http://Node2.domain.com:port entry.

  7. On Node 2, install Access Manager. Point to Directory Server on Node 1. Restart Application Server 9.1 on Node 2 and ensure that the Access Manager Administration Console is accessible.

  8. Create a Portal Server instance on Node 2.

    1. Install Portal Server 2 in the Configure Later mode.

    2. Modify the Webcontainer.properties.SJSAS91 template and run the following command:

      ./psadmin create-instance -u amadmin -f ps-password -p portal-id -w /opt/SUNWportal/template/Webcontainer.properties.SJSAS91

    3. Restart Application Server 9.1 and access the newly created Portal Server instance.

  9. Install Load Balancer on Node 4. This can be a software or a hardware load balancer. Ensure that you can load balance Access Manager and Portal Server URIs through this SSL instance of Load Balancer.

  10. Access Portal Server Administration Console on Node 1 or Node 2.

    1. Go to Secure Remote Access -> default. In the Portal Servers list box, remove the existing entry. Add the https://Node4.domain.com:port/portal entry in the list box.

    2. In the URLs to which User Session Cookie is Forwarded list box, add the following URLs and save:

      http://Node1.domain.com:port
      http://Node1.domain.com:port/portal
      http://Node2.domain.com:port
      http://Node2.domain.com:port/portal
      https://Node4.domain.com:port
      https://Node4.domain.com:port/portal

    3. Click the Security tab. In the Non-Authenticated URL list, add the following URLs to the existing URLs:

      http://Node2.domain.com:port/amserver/css
      http://Node2.domain.com:port/amserver/login_images
      http://Node2.domain.com:port/amserver/js
      http://Node2.domain.com:port/amconsole/console/js
      http://Node2.domain.com:port/amconsole/console/images
      http://Node2.domain.com:port/amconsole/console/css
      http://Node2.domain.com:port/amserver/images
      https://Node4.domain.com:port/amserver/css
      https://Node4.domain.com:port/amserver/login_images
      https://Node4.domain.com:port/amserver/js
      https://Node4.domain.com:port/amconsole/console/js
      https://Node4.domain.com:port/amconsole/console/images
      https://Node4.domain.com:port/amconsole/console/css
      https://Node4.domain.com:port/amserver/images

  11. On Node 1 and Node 2, run the following commands to populate the Non-Authenticated URL list under the default Gateway profile (the second command registers the Load Balancer and console URLs):

    ./psadmin provision-sra -u amadmin -f ps-password -p portal-id --gateway-profile default --enable
    ./psadmin provision-sra -u amadmin -f ps-password -p portal-id --loadbalancer-url https://Node4.domain.com:port/portal --console --console-url https://Node4.domain.com:port/psconsole --gateway-profile default --enable

  12. On Node 1, open the /etc/opt/SUNWam/config/AMConfig.properties file and do the following:

    • Add the following line: com.sun.identity.server.fqdnMap[Node4.domain.com]=Node4.domain.com

    • Edit the line: com.sun.identity.loginurl=https://Node4.domain.com:port/amserver/UI/Login

    • Set com.iplanet.am.jssproxy.trustAllServerCerts=true, which makes the Access Manager JSS proxy accept any server certificate presented over SSL, including the Load Balancer's, without checking it against the keystore.

  13. On Node 1 and Node 2, add the Certificate Authority's Root CA certificate to the JVM keystore:

    cd /usr/jdk/entsys-j2se/jre/lib/security
    /usr/jdk/entsys-j2se/jre/bin/keytool -import -trustcacerts -keystore cacerts -alias "Node1.domain.com" -storepass changeit -file path-to-rootca-certificate

  14. On Node 1 and Node 2, run the following command to set the desktop AccessURL to the Load Balancer:

    psadmin set-attribute -u amadmin -f ps-password -p portal1 -m desktop -a AccessURL "https://Node4.domain.com:port"

  15. On Node 2, repeat the above step. Restart Application Server 9.1 and Common Agent Container.

  16. On the Gateway node, install a server certificate and the Root CA certificate obtained from the same Certificate Authority that issued the Load Balancer's certificate.

  17. Point the Gateway to the Load Balancer instead of to Portal Server and Access Manager on Node 1. Do the following on the Gateway node.

    1. In the platform.conf.default file, change gateway.ignoreServerList to true.

    2. In the platform.conf.default file, change gateway.dsame.agent to https\://Node4.domain.com\:port/portal/RemoteConfigServlet.

    3. In the AMConfig-default.properties and AMConfig.properties files, change the Access Manager related entries so that every host, port, and URL refers to the Load Balancer over https:

      com.iplanet.am.server.host=Node4.domain.com
      com.iplanet.am.server.port=load-balancer-port
      com.iplanet.am.console.protocol=https
      com.iplanet.am.console.host=Node4.domain.com
      com.iplanet.am.console.port=load-balancer-port
      com.iplanet.am.profile.host=Node4.domain.com
      com.iplanet.am.profile.port=load-balancer-port
      com.iplanet.am.naming.url=https://Node4.domain.com:load-balancer-port/amserver/namingservice
      com.iplanet.am.notification.url=https://Node4.domain.com:load-balancer-port/amserver/notificationservice
  18. Restart the Gateway and access it.
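The following check, added here as an example and not part of the Portal Server guide, verifies the end state of step 17 on the Gateway node: it parses Java-style properties files and confirms that every Access Manager host, port, protocol and URL entry, plus gateway.ignoreServerList and gateway.dsame.agent, point at the Load Balancer over https. The LB_HOST and LB_PORT values and the sample files it writes under a temporary directory are constructed.

```shell
# Added verification helper, not from the Portal Server guide: after step 17 it
# confirms the Gateway-side files point only at the Load Balancer over https.
# LB_HOST, LB_PORT and the sample files are constructed values.
LB_HOST="Node4.domain.com"; LB_PORT="443"
# prop FILE KEY: print KEY's value from a Java-style properties file, with the
# backslash escapes such files use (https\://host\:port) removed.
prop() { sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/\\//g'; }
# check_am_config FILE: 0 when every AM host, port, protocol and URL entry from
# step 17 targets the Load Balancer over https; 1 (with a reason) otherwise.
check_am_config() {
    f="$1"; ok=0
    for k in com.iplanet.am.server.host com.iplanet.am.console.host com.iplanet.am.profile.host; do
        [ "$(prop "$f" "$k")" = "$LB_HOST" ] || { echo "$f: $k != $LB_HOST"; ok=1; }
    done
    for k in com.iplanet.am.server.port com.iplanet.am.console.port com.iplanet.am.profile.port; do
        [ "$(prop "$f" "$k")" = "$LB_PORT" ] || { echo "$f: $k != $LB_PORT"; ok=1; }
    done
    [ "$(prop "$f" com.iplanet.am.console.protocol)" = "https" ] || { echo "$f: protocol != https"; ok=1; }
    for k in com.iplanet.am.naming.url com.iplanet.am.notification.url; do
        case "$(prop "$f" "$k")" in
            "https://$LB_HOST:$LB_PORT/amserver/"*) ;;
            *) echo "$f: $k does not go through https://$LB_HOST:$LB_PORT"; ok=1 ;;
        esac
    done
    return $ok
}

# check_platform_conf FILE: 0 when the Gateway ignores the server list and its
# RemoteConfigServlet URL goes through the Load Balancer over https.
check_platform_conf() {
    f="$1"; ok=0
    [ "$(prop "$f" gateway.ignoreServerList)" = "true" ] || { echo "$f: ignoreServerList != true"; ok=1; }
    [ "$(prop "$f" gateway.dsame.agent)" = "https://$LB_HOST:$LB_PORT/portal/RemoteConfigServlet" ] ||
        { echo "$f: dsame.agent does not go through the Load Balancer"; ok=1; }
    return $ok
}

# Constructed samples: a correct AMConfig.properties, a stale copy still pointing
# at Node 1 over http, and a correct platform.conf.default.
TMP=$(mktemp -d)
printf '%s\n' com.iplanet.am.server.host=Node4.domain.com com.iplanet.am.server.port=443 \
  com.iplanet.am.console.protocol=https com.iplanet.am.console.host=Node4.domain.com \
  com.iplanet.am.console.port=443 com.iplanet.am.profile.host=Node4.domain.com com.iplanet.am.profile.port=443 \
  'com.iplanet.am.naming.url=https\://Node4.domain.com\:443/amserver/namingservice' \
  'com.iplanet.am.notification.url=https\://Node4.domain.com\:443/amserver/notificationservice' > "$TMP/AMConfig.properties"
sed 's/Node4/Node1/; s/https/http/; s/443/8080/' "$TMP/AMConfig.properties" > "$TMP/AMConfig.stale.properties"
printf '%s\n' gateway.ignoreServerList=true \
  'gateway.dsame.agent=https\://Node4.domain.com\:443/portal/RemoteConfigServlet' > "$TMP/platform.conf.default"
```

Run the two check functions against the real /etc/opt/SUNWam/config/AMConfig.properties and platform.conf.default on the Gateway node (with LB_HOST and LB_PORT set to the Load Balancer's values) before step 18; each reported mismatch names the entry that still bypasses the Load Balancer.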