Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide

Configuring SSL Termination for a Load Balancer

Before you configure a load balancer to handle SSL requests, first configure SSL for the Access Manager web container. For instructions, see Chapter 3, Configuring Access Manager in SSL Mode, in Sun Java System Access Manager 7 2005Q4 Administration Guide.

To configure SSL for a load balancer and Access Manager servers, consider the following cases:

For all cases, except for the SSL pass-through configuration, you can use a normal server certificate to enable SSL termination for the load balancer. However, when you configure SSL pass-through for the load balancer and the Access Manager servers and the load balancer bypasses all the requests from the client to the Access Manager server, the following SSL problems exist for a normal server certificate:

To solve these problems, Access Manager provides these properties:

Generating a CSR with the SubjectAltName Extension

To generate a certificate signing request (CSR) with the SubjectAltName extension, use the Certificate Database Tool (certutil). If certutil is not available in the /usr/sfw/bin directory, first install the SUNWtlsu package on Solaris systems or the sun-nss-sun-nss-devel RPM on Linux systems. If necessary, set the LD_LIBRARY_PATH environment variable to the appropriate certutil path.

For information about certutil, see: http://www.mozilla.org/

This section describes how to use certutil if you are using Web Server or Application Server as the web container. If you are using BEA WebLogic Server or IBM WebSphere Application Server as the web container, refer to the respective BEA or IBM product documentation.

To generate a CSR with the SubjectAltName extension, follow these steps:

  1. Log in as or become superuser (root).

  2. Create a new certificate database (cert8.db) using the certutil -N option. If necessary, first create a directory for your database. For example:

    # mkdir certdbdir 
    # cd certdbdir 
    # certutil -N -d .

    When prompted by certutil, enter the password to encrypt your keys:

    Enter a password which will be used to encrypt your keys. 
    The password should be at least 8 characters long, 
    and should contain at least one non-alphabetic character.
    
    Enter new password: your-password 
    Re-enter password:  your-password
    
  3. Generate the CSR with the SubjectAltName extension. For example:

    # certutil -R -s "cn=lb.example.com,o=example.com,c=us" \
    -o server.req -d . -a -8 amserv1.example.com,amserv2.example.com

    When prompted by certutil, enter the password (or pin) and then type keys to generate the random seed to create your key:

    Enter Password or Pin for "NSS Certificate DB": your-password
    
    A random seed must be generated that will be used in the  
    creation of your key.  One of the easiest ways to create a  
    random seed is to use the timing of keystrokes on a keyboard.   
    
    To begin, type keys on the keyboard until this progress meter  
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!   
    
    Continue typing until the progress meter is full:   
    
    |************************************************************|   
    
    Finished.  Press enter to continue:   
    
    Generating key.  This may take a few moments...

  4. Send the CSR (server.req file in the example) to the Certificate Authority (CA). Get the server certificate and add it to the certificate database using the certutil -A option.

  5. Copy the certificate database (cert8.db) to the web container directory.

    • Web Server. Copy the cert8.db and key3.db databases to the /opt/SUNWwbsrv/alias directory and rename them using the Web Server instance name. For example:

      https-webserver.example.com-webserver-cert8.db
      https-webserver.example.com-webserver-key3.db
    • Application Server. Copy the cert8.db and key3.db databases to the instance /config directory. For example:

      /var/opt/SUNWappserver/domains/domain1/config/cert8.db 
      /var/opt/SUNWappserver/domains/domain1/config/key3.db
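The following script is an added example, not part of the Sun guide: it performs steps 2 and 3 above non-interactively (password from a file with -f, entropy from a noise file with -z instead of keystrokes) and then verifies, before the CSR is sent to the CA in step 4, that every Access Manager host name actually landed in the SubjectAltName extension. It assumes certutil is on the PATH (or /usr/sfw/bin as described above) and that openssl is available for the verification step; the host names, subject and password are the placeholder values from the guide.

```shell
#!/bin/sh
# Added example for the certutil procedure in this section (not Sun's code).
# Assumes: certutil (NSS) and openssl in PATH. Host names are the guide's
# placeholders; the password file is a constructed sample.

# Join host names into the comma-separated list that certutil -8 expects.
san_list() {
    _out=""
    for _h in "$@"; do
        if [ -z "$_out" ]; then _out="$_h"; else _out="$_out,$_h"; fi
    done
    printf '%s' "$_out"
}

# Step 2: create the certificate database (cert8.db/key3.db) in $1.
# The key-encryption password is read from file $2, so no prompt appears.
init_certdb() {
    _dir="$1"; _pwfile="$2"
    mkdir -p "$_dir"
    certutil -N -d "$_dir" -f "$_pwfile"
}

# Step 3: generate the CSR with the SubjectAltName extension.
# $1 db dir, $2 password file, $3 subject DN, $4 output file, rest = SAN hosts.
# -z feeds the random seed from a file instead of keyboard timing.
gen_san_csr() {
    _dir="$1"; _pwfile="$2"; _subject="$3"; _csr="$4"; shift 4
    _noise="$_dir/noise.bin"
    head -c 2048 /dev/urandom > "$_noise"
    certutil -R -d "$_dir" -f "$_pwfile" -z "$_noise" \
        -s "$_subject" -o "$_csr" -a -8 "$(san_list "$@")"
    _rc=$?
    rm -f "$_noise"
    return $_rc
}

# Check that each expected host name appears as a DNS entry in the CSR's
# SubjectAltName extension. Returns 0 if all are present, 1 otherwise
# (including when the file cannot be parsed or openssl is missing).
check_san() {
    _csr="$1"; shift
    _text=$(openssl req -in "$_csr" -noout -text 2>/dev/null) || return 1
    for _h in "$@"; do
        printf '%s\n' "$_text" | grep -q "DNS:$_h" || return 1
    done
    return 0
}

# End-to-end run with the guide's placeholder values (constructed sample).
demo() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
    _db=$(mktemp -d)
    printf 'your-password\n' > "$_db/pw.txt"   # constructed sample password
    chmod 600 "$_db/pw.txt"
    init_certdb "$_db" "$_db/pw.txt" || return 1
    gen_san_csr "$_db" "$_db/pw.txt" "cn=lb.example.com,o=example.com,c=us" \
        "$_db/server.req" amserv1.example.com amserv2.example.com || return 1
    if check_san "$_db/server.req" amserv1.example.com amserv2.example.com; then
        echo "SAN extension present in $_db/server.req; ready to send to the CA"
    else
        echo "SAN extension missing from $_db/server.req; do not send it" >&2
        return 1
    fi
}

# Run the demo only when invoked as: sh san_csr.sh run
case "${1:-}" in
    run) demo ;;
esac
```

Run it as `sh san_csr.sh run`; the database it creates lands in a temporary directory, so copy cert8.db and key3.db from there to the web container location described in step 5 once the CA-issued certificate has been added with certutil -A. The check_san function is the part worth keeping in any deployment script: a CSR whose -8 list was mistyped will be signed by the CA without complaint, and the mismatch only shows up later as a host-name verification failure between the load balancer and the Access Manager servers.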