The Distributed Authentication User Interface Load Balancer 3 sends the user and agent requests to the OpenSSO Enterprise server where the session originated. Secure Sockets Layer (SSL) is terminated and regenerated before a request is forwarded to the Distributed Authentication User Interface servers to allow the load balancer to inspect the traffic for proper routing. Load Balancer 3 is capable of the following types of load balancing:
Cookie-based |
The load balancer makes decisions based on client's cookies. The load balancer looks at the request and detects the presence of a cookie by a specific name. If the cookie is detected in the request, the load balancer routes the request to the specific server to which the cookie has been assigned. If the cookie is not detected in the request, the load balancer balances client requests among the available servers. |
IP-based |
This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends all requests from a specific IP address to the same server. |
TCP |
The load balancer mainstreams session affinity. This means that all requests related to a TCP session, are forwarded to the same server. In this deployment example, Load Balancer 3 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load-balancing is applicable to the TCP-based protocols. |
In this Deployment Example, we use BIG-IP and it's supported passive-cookie mechanism to address session persistence with the backend OpenSSO Enterprise servers. The intent is to enable persistence of requests to the backend servers depending upon the value of amlbcookie, the OpenSSO Enterprise cookie. Stickiness can then be maintained for all OpenSSO Enterprise related requests from browsers or agents. Different load balancers might support different mechanisms to achieve session persistence. It is the responsibility of the end users to determine and map this functionality to their own choice of load balancer.
This section assumes that you have already installed a load balancer. Before you begin, note the following:
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
Know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
Get the IP addresses for Distributed Authentication User Interface 1 and Distributed Authentication User Interface 2 by running the following command on each host machine:
# ifconfig -a |
Use the following list of procedures as a checklist for completing the task.
To Request a Certificate for the Distributed Authentication User Interface Load Balancer
To Import a Root Certificate to the Distributed Authentication User Interface Load Balancer
To Import a Certificate to the Distributed Authentication User Interface Load Balancer
To Configure the Distributed Authentication User Interface Load Balancer
Generate a certificate signing request to send to a CA.
Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.
Log in to the BIG-IP console using the following information.
username
password
Click Configure your BIG-IP (R) using the Configuration Utility.
In the left pane of the console, click Proxies.
Click the Cert-Admin tab.
On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.
On the Create Certificate Request page, provide the following information:
lb-3.example.com
Deployment
lb-3.example.com
password
password
Click Generate Key Pair/Certificate Request.
On the SSL Certificate Request page, the request is generated in the Certificate Request field.
Save the text contained in the Certificate Request field to a text file named lb-3.csr.
Log out of the console and close the browser.
Send lb-3.csr to the CA of your choice.
The CA root certificate proves that the particular CA did, in fact, issue a particular certificate. For this purpose, import the root certificate of the CA that issued the Load Balancer 3 server certificate into the Load Balancer 3 certificate store.
You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.
Access https://is-f5.example.com, the Big IP load balancer login page, from a web browser.
Log in using the following information:
username
password
In the left pane of the console, click Proxies.
Click the Cert-Admin tab.
Click Import.
In the Import Type field, choose Certificate, and click Continue.
Click Browse in the Certificate File field on the Install SSL Certificate page.
In the Choose File dialog, choose Browser.
Navigate to the file that contains the CA root certificate and click Open.
In the Certificate Identifier field, enter OpenSSL_CA_cert.
Click Install Certificate.
On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.
The root certificate OpenSSL_CA_Cert is now included in the Certificate ID list.
This procedure assumes you have received a certificate from a CA, just completed To Import a Root Certificate to the Distributed Authentication User Interface Load Balancer, and are still logged into the load balancer console.
In the BIG-IP load balancer console, click Proxies.
Click the Cert-Admin tab.
The key lb-3.example.com is in the Key List. This was generated in To Request a Certificate for the Distributed Authentication User Interface Load Balancer.
In the Certificate ID column, click the Install button for lb-3.example.com.
In the Certificate File field, click Browse.
In the Choose File dialog, navigate to the file that contains the certificate text sent to you by the CA and click Open.
Click Install Certificate.
On the Certificate lb-3.example.com page, click Return to Certificate Administration Information.
Verify that the Certificate ID indicates lb-3.example.com on the SSL Certificate Administration page.
Log out of the load balancer console.
Access https://is-f5.example.com, the Big IP load balancer login page, from a web browser.
Log in using the following information.
username
password
Click Configure your BIG-IP (R) using the Configuration Utility.
Create a Pool.
A pool contains all the backend server instances.
In the left pane, click Pools.
On the Pools tab, click Add.
In the Add Pool dialog, provide the following information:
AuthenticationUI-Pool
Round Robin
Add the IP address and port number of both Distributed Authentication User Interface host machines: da-1:1443 and da-2:1443.
Click Done.
Add a Virtual Server.
The virtual server presents an address to the outside world and, when users attempt to connect, it would forward the connection to the most appropriate real server.
If you encounter JavaScriptTM errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click Add.
In the Add Virtual Server wizard, enter the virtual server IP address and port number.
Enter the IP address for lb-3.example.com
9443
Continue to click Next until you reach the Pool Selection dialog box.
In the Pool Selection dialog box, assign the AuthenticationUI-Pool Pool.
Click Done.
Add Monitors.
Monitors are required for the load balancer to detect backend server failures.
Configure the load balancer for persistence.
In the left frame, click BIGpipe.
In the BIGpipe command window, type makecookie IP-address:port.
IP-address is the IP address of the da-1 host machine and port is the same machine's port number; in this case, 1443.
Press Enter to execute the command.
Something similar to Set-Cookie: BIGipServer[poolname]=4131721920.41733.0000; path=/ is displayed. Save the numbered value (in this case, 4131721920.41733.0000) for use in To Configure Load Balancer Cookies for the Distributed Authentication User Interface.
In the left frame, click BIGpipe again.
In the BIGpipe command window, type makecookie IP-address:port.
IP-address is the IP address of the da-2 host machine and port is the same machine's port number; in this case, 1443.
Press Enter to execute the command.
Something similar to Set-Cookie: BIGipServer[poolname]=4148499136.41733.0000; path=/ is displayed. Save the numbered value (in this case, 4148499136.41733.0000) for use in To Configure Load Balancer Cookies for the Distributed Authentication User Interface.
Log out of the load balancer console.
Secure communication is terminated and regenerated at the load balancer before forwarding a request to the Distributed Authentication User Interface.
Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.
Log in using the following information:
username
password
Click Configure your BIG-IP using the Configuration Utility.
In the left pane, click Proxies.
Under the Proxies tab, click Add.
In the Add Proxy dialog, provide the following information:
Check SSL and ServerSSL.
The IP address of Load Balancer 3.
1443
The secure port number
The IP address of Load Balancer 3.
9443
The secure port number
Choose Local Virtual Server.
Choose lb-3.example.com.
Choose lb-3.example.com.
Check this box.
Click Next.
The Insert HTTP Header String page is displayed.
Choose Matching for Rewrite Redirects.
Click Next.
The Client Cipher List String page is displayed.
Accept the defaults and click Next.
The Server Chain File page is displayed.
Select OpenSSL_CA_Cert.crt from the drop-down list.
Click Done.
The new proxy server is now added to the Proxy Server list.
Log out of the load balancer console.
Access https://lb-3.example.com:1443/index.html from a web browser to verify the configuration.
A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.
Close the browser.