13.6 Configuring the J2EE Policy Agents Load Balancer
Load Balancer 10 can be located in a less-secured zone, and handles traffic for the J2EE Policy Agents.
Load Balancer 10 is configured for simple persistence so that browser requests from the same IP address will always be directed to the same J2EE Policy Agent instance . This guarantees that the requests from the same user session will always be sent to the same J2EE Policy Agent instance. This is important from the performance perspective. Each J2EE Policy Agent must validate the user session and evaluate applicable policies. The results are subsequently cached on the individual J2EE Policy Agent to improve the performance. If no load balancer persistence is set, and the same user's requests are spread across two agents, then each agent must build up its own cache. To do so, both agents must validate the session and evaluate policies. This effectively doubles the workload on the Access Manager servers, and cuts the overall system capacity by half. The problem becomes even more acute as the number of J2EE Policy Agents increases further.
As a general rule, in situations where each J2EE Policy Agent instance is protecting identical resources, some form of load balancer persistence is highly recommended for the performance reasons. The actual type of persistence may vary when a different load balancer is used, as long as it achieves the goal of sending the requests from the same user session to the same J2EE Policy Agent instance.
Use the following as your checklist for Configuring the J2EE Policy Agents load balancer:
To Configure the J2EE Policy Agents Load
Balancer
-
Go to URL for the Big IP load balancer login page and log in.
https://ls-f5.siroe.com
- User name:
-
username
- Password:
-
password
-
Request an SSL Certificate for Load Balancer 10.
-
Log in to the BIG-IP load balancer.
-
Click Proxies in the left pane.
-
Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.
-
In the Create Certificate Request page, provide the following information:
- Key Identifier:
-
LoadBalancer-10.siroe.com
- Organization:
-
siroe.com
- Domain Name:
-
LoadBalancer-10.siroe.com
- Email Address:
-
jdoe@siroe.com
-
Click the Generate Request button.
-
In the Generate Request page, copy the request that looks similar to this:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST-----
-
Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thwarte.
See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.
-
-
After you receive the certificate from the issuer, install the SSL Certificate.
-
In the BIG-IP load balancer console, click the Cert Admin tab.
-
On the Cert Admin tab, click Install Certificate.
-
In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST-----
-
Click Install Certificate.
-
-
Create a Pool.
A pool contains all the backend server instances.
-
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
-
In the left pane, click Pools.
-
On the Pools tab, click the Add button.
-
In the Add Pool dialog, provide the following information:
- Pool Name
-
federation _j2ee_agents
- Load Balancing Method
-
Round Robin
- Resources
-
Add the IP address of both Application Server hosts. In this example:
192.18.72.152:8080 (for Application Server 3)
192.18.72.151:8080 (for Application Server 4)
-
Click the Done button.
-
In the List of Pools, click the name of the pool you just created (federation_j2ee_agents).
-
-
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
-
In the left frame, Click Virtual Servers.
-
On the Virtual Servers tab, click the Add button.
-
In the Add a Virtual Server dialog box, provide the following information:
- Address
-
192.18.69.14 (for LoadBalancer-10.siroe.com )
- Services Port
-
1080
- Pool
-
federation_j2ee_agents
-
Continue to click Next until you reach the Pool Selection dialog box.
-
Click the Done button.
-
To Terminate SSL at the J2EE Policy Agents
Load Balancer
You should still be logged into the BigIP load balancer program after the last task.
-
Create an SSL Proxy.
-
Click the Proxies tab, and then click the Add button.
-
In the Add Proxy page, provide the following information:
- Proxy Type:
-
Mark the SSL box.
- Proxy Address:
-
192.18.49.14
- Proxy Service:
-
4443
- Destination Address:
-
192.18.69.14
- Destination Service:
-
4080
- SSL Certificate:
-
LoadBalancer-10.siroe.com
- SSL Key:
-
LoadBalancer-10.siroe.com
- Server SSL Certificate:
-
LoadBalancer-10.siroe.com
- Server SSL Key:
-
LoadBalancer-10.siroe.com
Click Next.
- Rewrite Redirects:
-
Matching
Click Done.
- © 2010, Oracle Corporation and/or its affiliates