Deployment Example 2: Federation Using SAML v2

Chapter 3 Installing and Deploying the Federation Manager Servers

This chapter contains detailed information about the following groups of tasks:

3.1 Installing and Configuring Federation Manager 1

Use the following as your checklist for installing and configuring Federation Manager 1:

  1. Install the Web Server for Federation Manager 1.

  2. Install Federation Manager Server 1.

  3. Deploy the Federation Manager 1 WAR file.

  4. Install the SAMLv2 Plug-In on Federation Manager 1.

  5. Install SAMLv2 Patch 2 on Federation Manager 1.

Procedure: To Install the Web Server for Federation Manager 1

Before You Begin

The Java ES installer must be mounted on the host computer system where you will install Web Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

  1. As a root user, log into the Web Server host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the termsof the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install,or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [FederationManager-1]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.87.180]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Enter admin.


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter admin123.


    Enter Host Name 
    [FederationManager-1.siroe.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 8080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Serverwhen system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

# tail -f Java_Enterprise_System_install.Bxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN
    3. Start a browser, and go to the Web Server administration URL.

      http://FederationManager-1.siroe.com:8888

    4. Log in to the Web Server console.

      Username

      admin

      Password

      admin123

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Web Server instance.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    6. Go to the Web Server instance URL.

      http://FederationManager-1.siroe.com:8080

      You should see the default Web Server index page.
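The netstat check in step 6 is easy to misread when the Web Server binds to a specific address rather than the wildcard. The following added example (not part of the guide and not Sun's tooling) parses a constructed netstat -an excerpt in the Solaris format shown above; it assumes Solaris prints a bound local address as host.port, so the port is whatever follows the last dot. It reports which expected ports (8888 for the administration server, 8080 for the instance) are missing and which other ports are listening.

```python
# Constructed netstat -an excerpt in the Solaris format the page shows ("*.8888"
# for a wildcard bind). The 192.18.87.180.8080 line assumes Solaris prints a bound
# IPv4 address as host.port, with the port after the last dot.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.8888               *.*                0      0 49152      0 LISTEN
192.18.87.180.8080         *.*                0      0 49152      0 LISTEN
192.18.87.180.8888   192.18.87.200.51234   49640      0 49640      0 ESTABLISHED
"""


def listening_sockets(netstat_output):
    """Return {port: local_address} for every TCP socket in LISTEN state.

    Header, separator and non-LISTEN lines are skipped by looking at the last
    field; the local address is split on its last dot because Solaris appends
    the port to the address with a dot ("*.8888", "192.18.87.180.8080").
    """
    listening = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "LISTEN":
            continue
        host, _, port = fields[0].rpartition(".")
        if port.isdigit():
            listening[int(port)] = host
    return listening


def missing_web_server_ports(netstat_output, expected_ports=(8888, 8080)):
    """Ports from the procedure that are not listening; an empty list means all are up."""
    listening = listening_sockets(netstat_output)
    return [port for port in expected_ports if port not in listening]


def unexpected_listeners(netstat_output, allowed_ports=(22, 8888, 8080)):
    """Added check: any other listening port on a freshly built host deserves a look."""
    return sorted(port for port in listening_sockets(netstat_output)
                  if port not in allowed_ports)


if __name__ == "__main__":
    print("listening:", listening_sockets(SAMPLE_NETSTAT))
    print("missing:", missing_web_server_ports(SAMPLE_NETSTAT))
    print("unexpected:", unexpected_listeners(SAMPLE_NETSTAT))
```

Note that in the sample, as in the guide's own output, the administration port 8888 is bound to `*`, that is, every interface on the host; the returned address lets you see that at a glance.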

Procedure: To Install Federation Manager Server 1

Before You Begin

If you have installed Solaris 10 using a distribution package other than the Solaris Enterprise distribution package, then you must remove the SUNWjas and SUNWjato packages that were automatically installed for you. These packages are different versions than the SUNWjas and SUNWjato packages used by Federation Manager. The appropriate packages will be installed when you run the Federation Manager installer.

  1. Download the Sun Java System Federation Manager program from the following page on the Sun Microsystems website: http://www.sun.com/download/products.xml?id=44a5bbb5

  2. Unpack the Federation Manager installer.


    # tar -xvf fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    
    # ls
    LICENSE.TXT
    README.TXT
    SUNWamfm
    common
    fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    fmsetup
    fmsilent-template
  3. Edit the download_directory/fmsilent-template file.

    Make a backup of the fmsilent-template file, and then set the following properties in the file:


    FM_PROCESS_USER=root
    FM_PROCESS_GROUP=root
    INST_ORGANIZATION=o=siroe.com
    SERVER_HOST=FederationManager-1.siroe.com
    SERVER_PORT=8080
    ADMINPASSWD=11111111
  4. Save the file as /export/fmsilent.

  5. (Optional) For online help regarding the Federation Manager installer options, enter the following with no options:


    # ./fmsetup
  6. To start the Federation Manager installer, run the following command:


    # ./fmsetup install -s /export/fmsilent

Next Steps

The Federation Manager installer creates the following web archive (WAR) file:

/var/opt/SUNWam/fm/war_staging/federation.war

You usually customize the Federation Manager WAR file for the environment before the WAR file can be deployed. In a deployment where SAMLv2 is not used, you could customize and deploy the Federation Manager WAR file now. However in this deployment example, you will install the SAMLv2 plug-in and the SAMLv2 patch before you customize the Federation Manager WAR file. So proceed directly to the next task, To Deploy the Federation Manager 1 WAR File.
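The silent-install file written in steps 3 and 4 carries the Federation Manager administrator password in clear text, so it is worth checking before fmsetup reads it. The following is an added example, not the guide's or Federation Manager's code: it parses a constructed copy of the properties this example sets, confirms the required keys and the expected SERVER_HOST, applies the eight-character password floor the installer prompts mention, flags a single-repeated-character password (the sample value 11111111), and flags a file that is readable by group or others. The complexity and permission checks are this example's own; fmsetup does not enforce them.

```python
import os
import stat
import tempfile

# Constructed sample mirroring the property values this deployment example sets in
# /export/fmsilent; it is not the fmsilent-template shipped with Federation Manager.
SAMPLE_FMSILENT = """\
# Federation Manager silent-install properties (constructed sample)
FM_PROCESS_USER=root
FM_PROCESS_GROUP=root
INST_ORGANIZATION=o=siroe.com
SERVER_HOST=FederationManager-1.siroe.com
SERVER_PORT=8080
ADMINPASSWD=11111111
"""

# The properties the procedure tells you to set; the checks below are this
# example's own and are not enforced by fmsetup.
REQUIRED_KEYS = ("FM_PROCESS_USER", "FM_PROCESS_GROUP", "INST_ORGANIZATION",
                 "SERVER_HOST", "SERVER_PORT", "ADMINPASSWD")


def parse_properties(text):
    """Parse KEY=VALUE lines. Comments and blanks are skipped and only the first
    '=' splits, so INST_ORGANIZATION=o=siroe.com keeps its full DN value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_fmsilent(props, expected_host):
    """Return a list of finding codes; an empty list means the file looks sane."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append("missing:" + key)
    host = props.get("SERVER_HOST")
    if host and host != expected_host:
        findings.append("host-mismatch:" + host)
    port = props.get("SERVER_PORT", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("bad-port:" + port)
    password = props.get("ADMINPASSWD", "")
    if len(password) < 8:                 # the 8-character floor the installer prompts mention
        findings.append("password-too-short")
    elif len(set(password)) == 1:         # e.g. 11111111: one repeated character
        findings.append("password-single-repeated-char")
    return findings


def check_file_mode(path):
    """ADMINPASSWD is stored in clear text, so group/other permission bits are a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["file-mode-too-open:%04o" % mode]
    return []


def audit_fmsilent_file(path, expected_host):
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    return check_fmsilent(props, expected_host) + check_file_mode(path)


def run_demo():
    """Audit the constructed sample once with mode 0600 and once with mode 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fmsilent")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_FMSILENT)
        os.chmod(path, 0o600)
        private = audit_fmsilent_file(path, "FederationManager-1.siroe.com")
        os.chmod(path, 0o644)
        exposed = audit_fmsilent_file(path, "FederationManager-1.siroe.com")
    return private, exposed


if __name__ == "__main__":
    for label, findings in zip(("mode 0600", "mode 0644"), run_demo()):
        print(label, "->", findings or "no findings")
```

Run it against /export/fmsilent with `audit_fmsilent_file("/export/fmsilent", "FederationManager-1.siroe.com")` before step 6; the same check applies to the saml2silent copy made later in this chapter, which inherits these values.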

Procedure: To Deploy the Federation Manager 1 WAR File

  1. Go to the Web Server directory that contains the wdeploy command:


    # cd /opt/SUNWwbsvr/bin/https/bin
  2. Run the wdeploy command:


    # ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com 
    -v https-FederationManager-1.siroe.com 
    /var/opt/SUNWam/fm/war_staging/federation.war
  3. Verify that the WAR file was successfully deployed.

    1. Verify that a directory has been created with the same name you specified during Federation Manager installation as the URI. In this deployment example, the directory is named federation.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/
      webapps/https-FederationManager-1.siroe.com/federation
      # ls
      META-INF		config		docs					html				js
      WEB-INF		console	fed_css			images			saml2
      com_sun_web_ui	css	fed_images		index.html	samples	
    2. Restart the Federation Manager server, and verify that you can successfully access it.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    3. In a browser, go to the following URL:


      http://FederationManager-1.siroe.com:8080/federation/UI/Login
    4. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

      If you can successfully log in, then the Federation Manager WAR file has been successfully deployed.

Procedure: To Install the SAMLv2 Plug-In on Federation Manager 1

Before You Begin

You must download the SAMLv2 Plug-In and the SAMLv2 Patch 2 onto the Federation Manager 1 host.

To download the SAMLv2 Plug-In, go to the following URL and follow instructions for downloading the plug-in:

http://www.sun.com/download/products.xml?id=43e00414

  1. As a root user, log in to the Federation Manager 1 host.

    Change to the directory where you unpacked the SAMLv2 installation files. Example:


    # cd /tmp/saml2
    # ls
    ./                             SUNWsaml2/
    ../                            saml2setup*
    ENTITLEMENT.TXT                saml2silent
    LICENSE.TXT                    samlv2-1.0-solaris-sparc.tar
    README.TXT                     version
  2. In a different directory, make a copy of the saml2silent file.

    For this deployment example, no changes are made to the saml2silent file. All default values contained in the saml2silent file are used during installation. If you changed anything in the fmsilent other than the changes described in the section To Install Federation Manager Server 1, you should reflect the same changes in the saml2silent file.

  3. Run the SAMLv2 installer.


    # cd /tmp/saml2
    # ./saml2setup install -s saml2silent

    When installation is complete, you will see the following message:


    To complete the installation of SAML2 you must deploy the war file.  
    Refer to the web container documentation 
    or the release notes for directions on deploying a war file.

    Do not deploy the Federation Manager WAR file as instructed in the onscreen message. Instead, complete the following step and then proceed directly to the next task, To Install SAMLv2 Patch 2 on Federation Manager 1.

  4. Restart the Federation Manager server, and verify that you can successfully access it.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
    # ./stop; ./start

Procedure: To Install SAMLv2 Patch 2 on Federation Manager 1

Before You Begin

To download the SAMLv2 Patch 2, go to one of the following URLs and follow instructions for downloading the patch for your operating system:

  1. Go to the directory where you downloaded and unpacked the SAMLv2 patch installation file.


    # cd /temp/saml2patch/122983-02
    # ls
    LEGAL_LICENSE.TXT
    LICENSE.TXT
    patchinfo
    postbackout
    postpatch
    prebackout
    prepatch
    README.122983-02
    rel_notes.html
    SUNWsaml2
  2. Run the SAMLv2 patch installer.

    The -G option in the following example is for Solaris 10 zones. The option is not necessary if you are not using the Solaris 10 platform.


    # cd /temp/saml2patch
    # patchadd -G 122983-02

    When installation is complete, you will see the following message:


    Patch packages installed:
    					SUNWsaml2
  3. Go to the directory where the saml2silent file is located.


    # cd /opt/SUNWam/saml2/bin
  4. Run the update command.


    # ./saml2setup update -s /opt/SUNWam/saml2/bin/saml2silent

    Any updates required because of the newly-installed patch are made in SAMLv2.

  5. Redeploy the Federation Manager 1 WAR file.

    At this point, the Federation Manager WAR file has been updated with SAMLv2 and SAMLv2 patch configurations. Once the WAR file is updated, you must deploy the WAR file.

    See To Regenerate and Redeploy the Federation Manager 1 WAR File.

3.2 Installing and Configuring Federation Manager 2

Use the following as your checklist for installing and configuring Federation Manager 2:

  1. Install the Web Server for Federation Manager 2.

  2. Install Federation Manager Server 2.

  3. Deploy the Federation Manager 2 WAR file.

  4. Install the SAMLv2 Plug-In on Federation Manager 2.

  5. Install the SAMLv2 Patch 2 on Federation Manager 2.

Procedure: To Install the Web Server for Federation Manager 2

Before You Begin

The Java ES installer must be mounted on the host computer system where you will install Web Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

  1. As a root user, log into the Web Server host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the termsof the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install,or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [FederationManager-2]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.87.180]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Enter admin.


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter admin123.


    Enter Host Name 
    [FederationManager-2.siroe.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 8080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Serverwhen system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

# tail -f Java_Enterprise_System_install.Bxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN
    3. Start a browser, and go to the Web Server administration URL.

      http://FederationManager-2.siroe.com:8888

    4. Log in to the Web Server console.

      Username

      admin

      Password

      admin123

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Web Server instance.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
      # ./stop; ./start
    6. Go to the Web Server instance URL.

      http://FederationManager-2.siroe.com:8080

      You should see the default Web Server index page.

Procedure: To Install Federation Manager Server 2

Before You Begin

If you have installed Solaris 10 using a distribution package other than the Solaris Enterprise distribution package, then you must remove the SUNWjas and SUNWjato packages that were automatically installed for you. These packages are different versions than the SUNWjas and SUNWjato packages used by Federation Manager. The appropriate packages will be installed when you run the Federation Manager installer.

  1. Download the Sun Java System Federation Manager program from the following page on the Sun Microsystems website: http://www.sun.com/download/products.xml?id=44a5bbb5

  2. Unpack the Federation Manager installer.


    # tar -xvf fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    
    # ls
    LICENSE.TXT
    README.TXT
    SUNWamfm
    common
    fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    fmsetup
    fmsilent-template
  3. Edit the download_directory/fmsilent-template file.

    Make a backup of the fmsilent-template file, and then set the following properties in the file:


    FM_PROCESS_USER=root
    FM_PROCESS_GROUP=root
    INST_ORGANIZATION=o=siroe.com
    SERVER_HOST=FederationManager-2.siroe.com
    SERVER_PORT=8080
    ADMINPASSWD=11111111
  4. Save the file as /export/fmsilent.

  5. (Optional) For online help regarding the Federation Manager installer options, enter the following with no options:


    # ./fmsetup
  6. To start the Federation Manager installer, run the following command:


    # ./fmsetup install -s /export/fmsilent

Next Steps

The Federation Manager installer creates the following web archive (WAR) file:

/var/opt/SUNWam/fm/war_staging/federation.war

You usually customize the Federation Manager WAR file for the environment before the WAR file can be deployed. In a deployment where SAMLv2 is not used, you could customize and deploy the Federation Manager WAR file now. However in this deployment example, you will install the SAMLv2 plug-in and the SAMLv2 patch before you customize the Federation Manager WAR file. So proceed directly to the next task, To Deploy the Federation Manager 2 WAR File.

Procedure: To Deploy the Federation Manager 2 WAR File

  1. Go to the Web Server directory that contains the wdeploy command:


    # cd /opt/SUNWwbsvr/bin/https/bin
  2. Run the wdeploy command:


    # ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com 
    -v https-FederationManager-2.siroe.com 
    /var/opt/SUNWam/fm/war_staging/federation.war
  3. Verify that the WAR file was successfully deployed.

    1. Verify that a directory has been created with the same name you specified during Federation Manager installation as the URI. In this deployment example, the directory is named federation.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/
      webapps/https-FederationManager-2.siroe.com/federation
      # ls
      META-INF		config		docs					html				js
      WEB-INF		console	fed_css			images			saml2
      com_sun_web_ui	css	fed_images		index.html	samples	
    2. Restart the Federation Manager server, and verify that you can successfully access it.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
      # ./stop; ./start
    3. In a browser, go to the following URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    4. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

      If you can successfully log in, then the Federation Manager WAR file has been successfully deployed.

Procedure: To Install the SAMLv2 Plug-In on Federation Manager 2

Before You Begin

To download the SAMLv2 Plug-In, go to the following URL and follow instructions for downloading the plug-in:

http://www.sun.com/download/products.xml?id=43e00414

  1. As a root user, log in to the Federation Manager 2 host.

    Change to the directory where you unpacked the SAMLv2 installation files. Example:


    # cd /tmp/saml2
    # ls
    ./                             SUNWsaml2/
    ../                            saml2setup*
    ENTITLEMENT.TXT                saml2silent
    LICENSE.TXT                    samlv2-1.0-solaris-sparc.tar
    README.TXT                     version
  2. In a different directory, make a copy of the saml2silent file.

    For this deployment example, no changes are made to the saml2silent file. All default values contained in the saml2silent file are used during installation. If you changed anything in the fmsilent other than the changes described in the section To Install Federation Manager Server 2, you should reflect the same changes in the saml2silent file.

  3. Run the SAMLv2 installer.


    # cd /tmp/saml2
    # ./saml2setup install -s saml2silent

    When installation is complete, you will see the following message:


    To complete the installation of SAML2 you must deploy the war file.  
    Refer to the web container documentation 
    or the release notes for directions on deploying a war file.

    Do not deploy the Federation Manager WAR file as instructed in the onscreen message. Instead, complete the following step and then proceed directly to the next task, To Install the SAMLv2 Patch 2 on Federation Manager 2.

  4. Restart the Federation Manager server, and verify that you can successfully access it.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop; ./start

Procedure: To Install the SAMLv2 Patch 2 on Federation Manager 2

Before You Begin

To download the SAMLv2 Patch 2, go to the following URL and follow instructions for downloading the patch:

  1. Go to the directory where you downloaded and unpacked the SAMLv2 patch installation file.


    # cd /temp/saml2patch/122983-02
    # ls
    LEGAL_LICENSE.TXT
    LICENSE.TXT
    patchinfo
    postbackout
    postpatch
    prebackout
    prepatch
    README.122983-01
    rel_notes.html
    SUNWsaml2
  2. Run the SAMLv2 patch installer.

    The -G option is for Solaris 10 zones. If you are not using the Solaris 10 platform, do not use the -G option.


    # cd /temp/saml2patch
    # patchadd -G 122983-02

    When installation is complete, you will see the following message:


    Patch packages installed:
    					SUNWsaml2
  3. Go to the directory where the SAMLv2 saml2silent file is located.


    # cd /opt/SUNWam/saml2/bin
  4. Run the update command.


    # ./saml2setup update -s /opt/SUNWam/saml2/bin/saml2silent
  5. Redeploy the Federation Manager 2 WAR file.

    At this point, the Federation Manager WAR file has been updated with SAMLv2 and SAMLv2 patch configurations. The next step is to deploy the WAR file.

    See To Regenerate and Redeploy the Federation Manager 2 WAR File.

3.3 Configuring the Federation Manager Load Balancer

In this phase of the deployment, you set up Load Balancer 9 to manage Federation Manager requests. For more information about the F5 Networks BIG-IP load balancers used in this deployment, see 2.9 Setting Up Load Balancer Hardware and Software in this manual.

Use the following as your checklist for configuring the Federation Manager Load Balancer:

  1. Configure Load Balancer 9 for the Federation Manager Servers.

  2. Configure Federation Manager 1 to work with the Federation Manager Load Balancer.

  3. Configure Federation Manager 2 to work with the Federation Manager Load Balancer.

  4. Verify that the Federation Manager load balancers are working properly.

Procedure: To Configure Load Balancer 9 for the Federation Manager Servers

Before You Begin

  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: fm_server_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Federation Manager hosts. In this example:

      192.18.72.89 (for Federation Manager 1)

      192.18.72.86 (for Federation Manager 2)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-9.siroe.com )

      Service

      1080

    4. Continue to click Next until you reach the Select Physical Resources page.

      Select Pool, and then choose fm_server_pool from the drop-down list.

    5. On the same page, set the Cookie Name property to fmlbcookie.

    6. Click the Done button.

  3. Configure the load balancer for persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, fm_server_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Active HTTP Cookie and set the following:

      Method:

      Insert

      When the Insert method is specified, the first time a server receives a request, the load balancer inserts a cookie and cookie value. On subsequent requests, when the load balancer sees the same cookie name and value, it redirects the request to the same server that received the initial request.

    5. Click Apply.

  4. Create a new monitor.

    This monitor will simply indicate whether the Federation Manager servers are running or stopped.

    1. Click the Monitors tab.

    2. Click the Add button.

    3. In the Name and Parent window, provide the following information, and then click Next.

      Name

      fm_servers_monitor

      Inherits From

      http

    4. In the Basic Properties window, accept the default values, and then click Next.

      Interval

      5

      Timeout

      16

    5. In the Configure Destination Address and Service window, accept the default values and then click Done.

      The new monitor is added to the list on the Monitors tab.

  5. Click the Basic Associations tab.

    1. Find the IP addresses for Federation Manager 1 and for Federation Manager 2.

      In this example: 192.18.72.89 for Federation Manager 1, and 192.18.82.86 for Federation Manager 2.

    2. In the Node dropdown list, select fm_servers_monitor.

    3. Mark the ADD box for each IP address, and then click APPLY.

      When you click Nodes in the left frame of the console, you will be able to see if each server is running or stopped.

Procedure: To Configure Federation Manager 1 to Work with the Federation Manager Load Balancer

  1. As a root user, log in to the Federation Manager 1 host.

  2. Go to the directory that contains the AMConfig.properties file.


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  3. In the AMConfig.properties file, set the following property:


    com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=LoadBalancer-9.siroe.com
  4. Add the following property:


    com.sun.identity.url.redirect=https,LoadBalancer-9.siroe.com

    This property will be used when you terminate SSL at the Federation Manager load balancer.

  5. Add the Federation Manager load balancers to the Organization Aliases list.

    1. Go to the Federation Manager login URL:


      http://FederationManager-1.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    3. Click the Configuration tab. On the General Properties page, under Organizational Attributes, add the Federation Manager load balancer to the DNS Aliases list.

      In the Add field, enter LoadBalancer-9.siroe.com, and then click Add.

      Click Save.

  6. Regenerate the Federation Manager WAR file.


    # cd /opt/SUNWam/fm/bin
    # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent
  7. Redeploy the Federation Manager WAR file.

    See the section To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
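Steps 3 and 4 above edit AMConfig.properties by hand, and the edit is repeated for every Federation Manager host and again whenever the WAR is regenerated from war_staging. The following added example (not the guide's or Federation Manager's code) applies the two settings idempotently to Java-properties text: an existing assignment of the same key is replaced in place, a missing one is appended, and running it twice changes nothing. The property names and the `https,LoadBalancer-9.siroe.com` value are the ones on this page; the other lines in the constructed excerpt are placeholders, not real AMConfig.properties keys.

```python
# Constructed excerpt standing in for AMConfig.properties. Only the fqdnMap and
# url.redirect keys are real names from this procedure; the "example.placeholder"
# lines just represent the many other settings the file contains.
SAMPLE_AMCONFIG = """\
# AMConfig.properties (constructed excerpt)
example.placeholder.host=FederationManager-1.siroe.com
example.placeholder.port=8080
com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=
"""


def get_property(text, key):
    """Return the value of key, or None if it is not assigned (comments ignored)."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        name, _, value = stripped.partition("=")
        if name.strip() == key:
            return value.strip()
    return None


def set_property(text, key, value):
    """Set key=value: replace an existing assignment in place (keeping comments and
    order), otherwise append at the end. Returns (new_text, changed)."""
    lines = text.splitlines()
    target = key + "=" + value
    for index, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        if stripped.partition("=")[0].strip() == key:
            if stripped == target:
                return text, False           # already correct: leave the file untouched
            lines[index] = target
            return "\n".join(lines) + "\n", True
    lines.append(target)
    return "\n".join(lines) + "\n", True


def ensure_load_balancer_properties(text, lb_host):
    """Apply the fqdnMap entry (step 3) and url.redirect (step 4) for lb_host.
    Returns (new_text, list of keys that were changed)."""
    changed = []
    for key, value in (
        ("com.sun.identity.server.fqdnMap[%s]" % lb_host, lb_host),
        ("com.sun.identity.url.redirect", "https," + lb_host),
    ):
        text, did_change = set_property(text, key, value)
        if did_change:
            changed.append(key)
    return text, changed


if __name__ == "__main__":
    updated, changed = ensure_load_balancer_properties(SAMPLE_AMCONFIG, "LoadBalancer-9.siroe.com")
    print("changed keys:", changed)
    print(updated)
```

To use it on a host, read /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/AMConfig.properties, pass the text through `ensure_load_balancer_properties`, and write it back only when the returned list is non-empty; then regenerate and redeploy the WAR as in steps 6 and 7.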

Procedure: To Configure Federation Manager 2 to Work with the Federation Manager Load Balancer

  1. As a root user, log in to the Federation Manager 2 host.

  2. Go to the directory that contains the AMConfig.properties file.


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  3. In the AMConfig.properties file, set the following property:


    com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=LoadBalancer-9.siroe.com
  4. Add the following property:


    com.sun.identity.url.redirect=https,LoadBalancer-9.siroe.com

    This property will be used when you terminate SSL at the Federation Manager load balancer.

  5. Add the Federation Manager load balancers to the Organization Aliases list.

    1. Go to the Federation Manager login URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    3. Click the Organization tab. Under Organization Attributes, add the Federation Manager load balancers to the DNS Aliases list.

      In the Add field, enter LoadBalancer-9.siroe.com, and then click Add.

      Click Save.

  6. Regenerate the Federation Manager 2 WAR file.

    See the section in this manual, To Regenerate and Redeploy the Federation Manager 2 WAR File.

Procedure: To Verify that the Federation Manager Load Balancers are Working Properly

  1. Use the tail command to monitor traffic requests to Federation Manager 1 and Federation Manager 2.

    1. As a root user, log in to the Federation Manager 1 host.

    2. Restart the Federation Manager 1 server:


      # cd /FederationManager-base/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    3. Use the tail command to monitor the Federation Manager 1 access log.


      # tail -f logs/access
    4. As a root user, log in to the Federation Manager 2 host.

    5. Start the Federation Manager 2 server:


      # cd /FederationManager-base/SUNWwbsvr/https-FederationManager-2.siroe.com
      # ./stop; ./start
    6. Use the tail command to monitor the Federation Manager 2 access log.


      # tail -f logs/access
  2. Go to the following Federation Manager URL:


    http://LoadBalancer-9.siroe.com:1080/federation/UI/Login
  3. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    As you log in and log out of the Federation Manager console, you should see all of your requests arriving in the access log of one Federation Manager server while the other log stays quiet. This indicates that the load balancer is working properly and that its persistence setting is correctly configured. If requests from your browser appear alternately in both logs, the load balancer is distributing traffic but persistence is not in effect; correct the persistence setting before continuing.
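    The following script is an added example, not part of this guide, that performs the same persistence check offline against two saved copies of logs/access instead of live tail output. The two logs are constructed samples in the Web Server's common log format; the client addresses, timestamps and paths are assumed for illustration. In a real check, point FM1_LOG and FM2_LOG at the logs/access files copied from Federation Manager 1 and Federation Manager 2.

```sh
#!/bin/sh
# Added example: check load balancer persistence from the two Federation Manager
# access logs. Every request a given client made during one console session should
# appear in the log of one server only.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FM1_LOG="$WORK/fm1-access"   # stands in for Federation Manager 1 logs/access
FM2_LOG="$WORK/fm2-access"   # stands in for Federation Manager 2 logs/access

# Constructed sample logs (common log format: client - user [date] "request" status bytes).
# 192.0.2.10 and 192.0.2.20 were served consistently; 192.0.2.30 bounced between servers.
cat > "$FM1_LOG" <<'EOF'
192.0.2.10 - - [12/Oct/2005:10:01:02 -0700] "GET /federation/UI/Login HTTP/1.1" 200 4312
192.0.2.10 - - [12/Oct/2005:10:01:05 -0700] "POST /federation/UI/Login HTTP/1.1" 302 0
192.0.2.10 - - [12/Oct/2005:10:01:06 -0700] "GET /federation/base/AMAdminFrame HTTP/1.1" 200 9870
192.0.2.10 - - [12/Oct/2005:10:02:40 -0700] "GET /federation/UI/Logout HTTP/1.1" 200 1200
192.0.2.30 - - [12/Oct/2005:10:03:00 -0700] "GET /federation/UI/Login HTTP/1.1" 200 4312
EOF
cat > "$FM2_LOG" <<'EOF'
192.0.2.20 - - [12/Oct/2005:10:01:30 -0700] "GET /federation/UI/Login HTTP/1.1" 200 4312
192.0.2.20 - - [12/Oct/2005:10:01:33 -0700] "POST /federation/UI/Login HTTP/1.1" 302 0
192.0.2.30 - - [12/Oct/2005:10:03:03 -0700] "POST /federation/UI/Login HTTP/1.1" 302 0
EOF

# federation_requests LOGFILE CLIENT_IP
#   Count the requests under /federation/ that CLIENT_IP made to the server owning LOGFILE.
federation_requests() {
    awk -v ip="$2" '$1 == ip && $7 ~ /^\/federation\// { n++ } END { print n + 0 }' "$1"
}

# persistence_ok CLIENT_IP
#   Succeed when all of CLIENT_IP's requests are in exactly one log; fail when they are
#   split across both servers (persistence not in effect) or absent from both.
persistence_ok() {
    n1=$(federation_requests "$FM1_LOG" "$1")
    n2=$(federation_requests "$FM2_LOG" "$1")
    if [ "$n1" -gt 0 ] && [ "$n2" -eq 0 ]; then return 0; fi
    if [ "$n2" -gt 0 ] && [ "$n1" -eq 0 ]; then return 0; fi
    return 1
}

# Report one line per client address seen in either log.
for ip in $(awk '{ print $1 }' "$FM1_LOG" "$FM2_LOG" | sort -u); do
    n1=$(federation_requests "$FM1_LOG" "$ip")
    n2=$(federation_requests "$FM2_LOG" "$ip")
    if persistence_ok "$ip"; then
        echo "$ip: persistent (FM1=$n1 FM2=$n2)"
    else
        echo "$ip: NOT persistent (FM1=$n1 FM2=$n2)"
    fi
done
```

    A client that shows up with non-zero counts on both servers is the failure case described above: the load balancer is forwarding its requests but not keeping them on one Federation Manager, which will break the console session.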

3.4 Configuring SSL Termination at the Federation Manager Load Balancer

In this deployment, SSL is not enabled at each Federation Manager server but is instead terminated at the load balancer. Terminating SSL at the load balancer protects the traffic between browsers and the load balancer while relieving the Federation Manager servers of SSL processing, which gives the highest server availability and fastest response times. Note that the traffic between the load balancer and the Federation Manager servers then travels in the clear, so that network segment must be one you trust.

Use the following as your checklist for configuring SSL termination at the Federation Manager load balancer:

  1. Request an SSL certificate.

  2. Install the SSL certificate.

  3. Configure the Web Server 1 for SSL termination.

  4. Configure the Web Server 2 for SSL termination.

  5. Verify that SSL on the Federation Manager load balancer is working properly.

ProcedureTo Request an SSL Certificate

  1. Log in to the BIG-IP load balancer.

  2. Click Proxies in the left pane.

  3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

  4. In the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-9.siroe.com

    Organization:

    siroe.com

    Domain Name:

    LoadBalancer-9.siroe.com

    Email Address:

    jdoe@siroe.com

  5. Click the Generate Request button.

  6. In the Generate Request page, copy the request that looks similar to this:


    -----BEGIN CERTIFICATE REQUEST-----
    UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
    AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
    EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
    xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
    IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
    wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
    ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
    FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
    ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
    GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
    2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
    -----END CERTIFICATE REQUEST-----
  7. Paste this text into a request form provided by a root certificate authority (CA) such as VeriSign or Thawte.

    See the certificate authority website, such as http://www.verisign.com/ or http://www.thawte.com/, for detailed instructions on submitting a certificate request.

ProcedureTo Install the SSL Certificate

After you receive the certificate from the issuer, install the SSL Certificate.

  1. Log in to the BIG-IP load balancer console.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. This is the block framed by BEGIN CERTIFICATE and END CERTIFICATE lines, not the certificate request you copied in the previous procedure. Example:


      -----BEGIN CERTIFICATE-----
      UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
      AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
      EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
      xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
      IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
      wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
      ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
      FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
      ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
      GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
      2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
      -----END CERTIFICATE-----
    4. Click Install Certificate.

  2. In the left frame, click Proxies, and then click Add.

  3. On the Add Proxy page, provide the following information:

    Proxy Type:

    SSL

    Proxy Address:

    Enter the IP address of LoadBalancer-9.siroe.com.

    Proxy Service:

    Enter 3443.

    Destination Address:

    Enter the IP address of LoadBalancer-9.siroe.com.

    Destination Service:

    Enter 1080.

    SSL Certificate:

    LoadBalancer-9.siroe.com

    SSL Key:

    LoadBalancer-9.siroe.com

    Enable ARP:

    Mark this box.

    Click Next, then provide the following information:

    Rewrite Redirects:

    Choose Matching.

    Click Done.
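Before pasting into the Install SSL Certificate page, it is worth confirming that the text in hand is the issued certificate and not the request generated in the previous procedure. The script below is an added example, not from this guide or from the BIG-IP product; the PEM blocks it examines are constructed placeholders whose base64 bodies are not real certificates, and it inspects only the PEM framing, not the encoded contents.

```sh
#!/bin/sh
# Added example: sanity-check a PEM block before pasting it into the Install SSL
# Certificate page. The issued certificate is framed "-----BEGIN CERTIFICATE-----";
# the request generated earlier is framed "-----BEGIN CERTIFICATE REQUEST-----".

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholders: the body lines are base64-shaped text, not real DER.
cat > "$WORK/issued.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIC2jCCAkMCAg38MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG
A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE
-----END CERTIFICATE-----
EOF
cat > "$WORK/request.pem" <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
-----END CERTIFICATE REQUEST-----
EOF
cat > "$WORK/mangled.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIC2jCCAkMCAg38MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG
-----END CERTIFICATE REQUEST-----
EOF

# pem_label FILE
#   Print the PEM label (CERTIFICATE, CERTIFICATE REQUEST, ...) when FILE holds one
#   well-formed block: matching BEGIN/END lines, base64-only body lines of at most
#   64 characters, nothing after END. Print nothing and return 1 otherwise.
pem_label() {
    awk '
        NR == 1 {
            if ($0 !~ /^-----BEGIN [A-Z ]+-----$/) { bad = 1; exit }
            label = substr($0, 12, length($0) - 16)
            next
        }
        seen_end { bad = 1; exit }
        $0 == "-----END " label "-----" { seen_end = 1; next }
        !($0 ~ /^[A-Za-z0-9+\/=]+$/ && length($0) <= 64) { bad = 1; exit }
        { body++ }
        END { if (bad || !seen_end || body == 0) exit 1; print label }
    ' "$1"
}

# is_certificate FILE: succeed only for a CERTIFICATE block, i.e. not the request.
is_certificate() {
    [ "$(pem_label "$1")" = "CERTIFICATE" ]
}

for f in issued request mangled; do
    if is_certificate "$WORK/$f.pem"; then
        echo "$f.pem: certificate, safe to paste"
    else
        echo "$f.pem: NOT a certificate (label: '$(pem_label "$WORK/$f.pem")')"
    fi
done
```

Run it against the file the CA returned before opening the Cert Admin tab; a CERTIFICATE REQUEST label or an empty result means the wrong text was saved. The check deliberately stops at the framing, so a block that passes still needs the usual inspection of subject and issuer once it is installed.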

ProcedureTo Configure the Web Server 1 for SSL Termination

  1. As a root user, log in to the Federation Manager 1 host.

  2. Go to the following directory:


    /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
  3. Modify the server.xml file.

    Make a backup of server.xml, and then modify the original file. Prefixing the servername value with https:// and naming the load balancer tells the Web Server that clients reach it through an SSL proxy, so the URLs it generates for redirects use https and the load balancer host name instead of http and this server's own name. Change this line:


    <LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs ...

    to:


    <LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...

    Save the file.

  4. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/
    # ./stop ; ./start

ProcedureTo Configure the Web Server 2 for SSL Termination

  1. As a root user, log in to the Federation Manager 2 host.

  2. Go to the following directory:


    /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
  3. Modify the server.xml file.

    Make a backup of server.xml, and then modify the original file. As for Web Server 1, the https:// prefix and the load balancer name make the Web Server generate redirect URLs that use https and point at the load balancer rather than at this server. Change this line:


    <LS id="ls1" port="8080" servername="FederationManager-2.siroe.com" defaultvs ...

    to:


    <LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...

    Save the file.

  4. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/
    # ./stop ; ./start

ProcedureTo Verify that SSL on the Federation Manager Load Balancer is Working Properly

  1. Go to the Federation Manager URL:

    https://LoadBalancer-9.siroe.com:3443/federation/UI/Login

    If the certificate installed on the load balancer was not issued by a certificate authority that your browser trusts (for example, a test certificate), the following message is displayed:

    “Unable to verify the identity of LoadBalancer-9.siroe.com as a trusted site.”

  2. If the message is displayed, view the certificate and confirm that its subject is LoadBalancer-9.siroe.com, then choose “Accept this certificate temporarily for this session,” and click OK. With a certificate from a trusted CA whose Domain Name matches LoadBalancer-9.siroe.com, no warning should appear; if one does, check the certificate installed on the load balancer before accepting it.

  3. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    If you can log in successfully and the browser stays on https://LoadBalancer-9.siroe.com:3443 after the login redirect, SSL termination is configured properly.
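    The script below is an added example, not part of this guide, of two checks that complement the browser test: which certificate the load balancer actually presents on port 3443, and whether the redirects Federation Manager issues after login stay on https://LoadBalancer-9.siroe.com rather than dropping to plain http on a Federation Manager host (the behaviour the servername and com.sun.identity.url.redirect settings are meant to produce). The host and port are those of this deployment; the two HTTP responses are constructed samples, and the live certificate check assumes network access to the load balancer and the openssl command.

```sh
#!/bin/sh
# Added example: checks to run after SSL termination is configured.

LB_HOST=LoadBalancer-9.siroe.com
LB_SSL_PORT=3443

# served_certificate HOST PORT
#   Print subject, issuer and validity of the certificate the SSL proxy presents.
#   The subject CN should be HOST and the issuer a CA the browser trusts; anything
#   else produces the "Unable to verify the identity" warning. Live check only:
#   needs network access to the load balancer and the openssl command.
served_certificate() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# redirect_target RESPONSE_FILE
#   Print the Location header value from a saved HTTP response (CRLF tolerated).
redirect_target() {
    awk 'tolower($1) == "location:" { sub(/\r$/, ""); print $2; exit }' "$1"
}

# redirect_ok RESPONSE_FILE
#   Succeed when the redirect stays on https://LB_HOST. A Location pointing at a
#   Federation Manager host over http means servername in server.xml (or
#   com.sun.identity.url.redirect) was not changed, and the session would leave SSL.
redirect_ok() {
    case "$(redirect_target "$1")" in
        "https://$LB_HOST"|"https://$LB_HOST/"*|"https://$LB_HOST:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample responses, as a browser would receive them after posting the login form.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/good.http"   # redirect after the fix: https, load balancer host
BAD="$WORK/bad.http"     # redirect before the fix: http, backend host and port
printf 'HTTP/1.1 302 Moved Temporarily\r\nServer: Sun-Java-System-Web-Server/6.1\r\nLocation: https://%s:%s/federation/base/AMAdminFrame\r\nContent-Length: 0\r\n\r\n' \
    "$LB_HOST" "$LB_SSL_PORT" > "$GOOD"
printf 'HTTP/1.1 302 Moved Temporarily\r\nServer: Sun-Java-System-Web-Server/6.1\r\nLocation: http://FederationManager-1.siroe.com:8080/federation/base/AMAdminFrame\r\nContent-Length: 0\r\n\r\n' \
    > "$BAD"

for f in "$GOOD" "$BAD"; do
    if redirect_ok "$f"; then
        echo "$(redirect_target "$f"): OK, stays on https at the load balancer"
    else
        echo "$(redirect_target "$f"): FAIL, leaves SSL or exposes a backend host"
    fi
done
```

    To run the live certificate check, call served_certificate "$LB_HOST" "$LB_SSL_PORT" from a host that can reach the load balancer; the subject CN must equal the Domain Name entered in the certificate request. To check a real redirect, save the response headers of the POST to /federation/UI/Login and pass the file to redirect_ok.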