Deployment Example 2: Federation Using SAML v2

3.4 Configuring SSL Termination at the Federation Manager Load Balancer

In this deployment, SSL is not enabled on the individual Federation Manager servers; instead, SSL is terminated at the load balancer, which decrypts client traffic and forwards it to the servers. Terminating SSL at the load balancer keeps communication from clients to the Federation Manager deployment secure while achieving the highest server availability and fastest response times, because the servers themselves perform no SSL processing.

Use the following as your checklist for configuring SSL termination at the Federation Manager load balancer:

  1. Request an SSL certificate.

  2. Install the SSL certificate.

  3. Configure Web Server 1 for SSL termination.

  4. Configure Web Server 2 for SSL termination.

  5. Verify that SSL on the Federation Manager load balancer is working properly.

Procedure: To Request an SSL Certificate

  1. Log in to the BIG-IP load balancer.

  2. Click Proxies in the left pane.

  3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

  4. In the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-9.siroe.com

    Organization:

    siroe.com

    Domain Name:

    LoadBalancer-9.siroe.com

    Email Address:

    jdoe@siroe.com

  5. Click the Generate Request button.

  6. In the Generate Request page, copy the generated certificate request (the PEM text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----).
  7. Paste this text into the request form provided by a root certificate authority (CA) such as VeriSign or Thawte.

    See the certificate authority's website, such as http://www.verisign.com/ or http://www.thawte.com/, for detailed instructions on submitting a certificate request.

Procedure: To Install the SSL Certificate

After you receive the signed certificate from the CA, install it on the load balancer.

  1. Log in to the BIG-IP load balancer console.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer.
    4. Click Install Certificate.

  2. In the left frame, click Proxies, and then click Add.

  3. On the Add Proxy page, provide the following information:

    Proxy Type:

    SSL

    Proxy Address:

    Enter the IP address of LoadBalancer-9.siroe.com.

    Proxy Service:

    Enter 3443.

    Destination Address:

    Enter the IP address of LoadBalancer-9.siroe.com.

    Destination Service:

    Enter 1080.

    SSL Certificate:

    LoadBalancer-9.siroe.com

    SSL Key:

    LoadBalancer-9.siroe.com

    Enable ARP:

    Mark this box.

    Click Next, then provide the following information:

    Rewrite Redirects:

    Choose Matching.

    Click Done.

Procedure: To Configure Web Server 1 for SSL Termination

  1. As a root user, log in to the Federation Manager 1 host.

  2. Go to the following directory:


    /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
  3. Modify the server.xml file.

    Make a backup of server.xml, and then modify the original file. Change this line:


    <LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs ...

    to:


    <LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...

    Save the file.

  4. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/
    # ./stop ; ./start

Procedure: To Configure Web Server 2 for SSL Termination

  1. As a root user, log in to the Federation Manager 2 host.

  2. Go to the following directory:


    /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
  3. Modify the server.xml file.

    Make a backup of server.xml, and then modify the original file. Change this line:


    <LS id="ls1" port="8080" servername="FederationManager-2.siroe.com" defaultvs ...

    to:


    <LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...

    Save the file.

  4. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/
    # ./stop ; ./start
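
The server.xml edit in step 3 of both Web Server procedures can be scripted so that the backup and the servername change are done the same way on every host. The following script is an added example, not part of the Sun deployment guide: it assumes the listen socket is <LS id="ls1"> as shown above, and the sample server.xml it writes is constructed (the real file contains many more elements and attributes).

```shell
#!/bin/sh
# Added example: back up server.xml, then point the <LS id="ls1"> listen
# socket at the https:// load balancer name, and check the result.
set -eu

LB_SERVERNAME="https://LoadBalancer-9.siroe.com"

# Print the servername attribute of <LS id="ls1"> in the given server.xml.
ls_servername() {
  sed -n 's/.*<LS[^>]*id="ls1"[^>]*servername="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Back up server.xml to server.xml.bak, then rewrite only the servername
# attribute of the <LS id="ls1"> start tag to $2 (must not contain | or &).
set_ls_servername() {
  cp -p "$1" "$1.bak"
  sed "s|\(<LS[^>]*id=\"ls1\"[^>]*servername=\"\)[^\"]*\"|\1$2\"|" "$1.bak" > "$1"
}

# Succeed (exit 0) when the listen socket already advertises the
# https:// load balancer name, i.e. the host is ready for SSL termination.
terminated_at_lb() {
  [ "$(ls_servername "$1")" = "$LB_SERVERNAME" ]
}

# Write a constructed, minimal server.xml in a temp dir and print its path.
make_sample_server_xml() {
  dir=$(mktemp -d)
  cat > "$dir/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<SERVER>
  <LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs="https-FederationManager-1.siroe.com"/>
</SERVER>
EOF
  echo "$dir/server.xml"
}

# Stand-alone demonstration on the sample file; on a real host pass the
# path /opt/SUNWwbsvr/https-<host>/config/server.xml instead.
sample=$(make_sample_server_xml)
echo "before: $(ls_servername "$sample")"
set_ls_servername "$sample" "$LB_SERVERNAME"
echo "after:  $(ls_servername "$sample")"
terminated_at_lb "$sample" && echo "server.xml ready for SSL termination at the load balancer"
```

Run it on each Federation Manager host before restarting the Web Server; the original file is preserved as server.xml.bak.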

Procedure: To Verify That SSL on the Federation Manager Load Balancer Is Working Properly

  1. Go to the Federation Manager URL:

    https://LoadBalancer-9.siroe.com:3443/federation/UI/Login

    The following message is displayed:

    “Unable to verify the identity of LoadBalancer-9.siroe.com as a trusted site.”

  2. Choose “Accept this certificate temporarily for this session,” and then click OK.

  3. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    If you can log in successfully, then SSL is configured properly.