Deployment Example 2: Federation Using SAML v2

14.6 Configuring the Web Policy Agents Load Balancer

Load Balancer 11 can be located in a less-secured zone, and handles traffic for the Web Policy Agents.

Load Balancer 11 is configured for simple persistence so that browser requests from the same IP address are always directed to the same Web Policy Agent instance. This guarantees that the requests from the same user session are always sent to the same Web Policy Agent instance, which matters for performance. Each Web Policy Agent must validate the user session and evaluate the applicable policies, and it caches the results locally to avoid repeating that work. If no load balancer persistence is set and the same user's requests are spread across two agents, each agent must build up its own cache, so both agents validate the session and evaluate the policies. This effectively doubles the workload on the Access Manager servers and cuts the overall system capacity in half. The problem becomes more acute as the number of Web Policy Agents increases.

As a general rule, when each Web Policy Agent instance protects identical resources, some form of load balancer persistence is highly recommended for performance reasons. The actual type of persistence may vary with the load balancer used, as long as it achieves the goal of sending the requests from the same user session to the same Web Policy Agent instance.
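The effect described above can be made concrete with a small simulation. The following Python script is an added example and is not part of the Sun deployment guide; the client addresses, session identifiers and traffic pattern are constructed. It models agents that cache session validations, routes the same traffic with and without source-IP persistence, and counts how many validations the agents have to send to Access Manager. It also shows the caveat that comes with simple (source-IP) persistence: users arriving from behind one shared NAT or proxy address all land on a single agent.

```python
"""Added example (not from the deployment guide): why persistence matters in
front of caching Web Policy Agents.

Each agent caches the result of validating a user session and evaluating
policy for it. A request for a session the agent has not seen yet is a
cache miss and costs a round trip to Access Manager. All traffic below is
constructed."""
from itertools import cycle


def route_requests(requests, agent_count, persistent):
    """Route (client_ip, session_id) requests over agent_count agents.

    persistent=True models BIG-IP "simple" persistence: a client IP is pinned
    to the agent that first served it. persistent=False is plain round robin.
    Returns (validations, per_agent): validations is the number of session
    validations the agents had to perform (cache misses), per_agent is the
    number of requests each agent handled."""
    rr = cycle(range(agent_count))
    pinned = {}                                   # client_ip -> agent index
    caches = [set() for _ in range(agent_count)]  # sessions each agent validated
    per_agent = [0] * agent_count
    validations = 0
    for client_ip, session_id in requests:
        if persistent:
            if client_ip not in pinned:
                pinned[client_ip] = next(rr)
            agent = pinned[client_ip]
        else:
            agent = next(rr)
        per_agent[agent] += 1
        if session_id not in caches[agent]:
            # cache miss: this agent validates the session with Access Manager
            caches[agent].add(session_id)
            validations += 1
    return validations, per_agent


def make_traffic(sessions, requests_per_session, shared_ip=None):
    """Constructed sample traffic: each session's requests arrive one after
    another. Every session gets its own client IP unless shared_ip is given,
    which models many users behind a single NAT or proxy address."""
    traffic = []
    for n in range(sessions):
        ip = shared_ip or f"192.0.2.{n + 1}"
        traffic.extend((ip, f"sess-{n}") for _ in range(requests_per_session))
    return traffic


if __name__ == "__main__":
    burst = make_traffic(sessions=10, requests_per_session=6)
    for agents in (2, 3):
        pinned = route_requests(burst, agents, persistent=True)
        spread = route_requests(burst, agents, persistent=False)
        print(f"{agents} agents: persistent={pinned[0]} validations, "
              f"round robin={spread[0]} validations")
    nat = make_traffic(10, 6, shared_ip="203.0.113.9")
    print("NAT traffic with persistence, requests per agent:",
          route_requests(nat, 2, persistent=True)[1])
```

With ten sessions of six requests each, persistence costs ten validations regardless of the agent count, while round robin costs ten per agent (twenty with two agents, thirty with three), which is the doubling the text describes. The NAT case shows the trade-off of keying persistence on the source address: sixty requests from one address all go to the first agent while the second sits idle, so a deployment fronted by a large proxy population may need a different persistence type.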

Use the following as your checklist for configuring the Web Policy Agents load balancer:

Procedure: To Configure the Web Policy Agents Load Balancer

  1. Go to the URL for the BIG-IP load balancer login page and log in.

    https://ls-f5.siroe.com

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Request an SSL Certificate for Load Balancer 11.

    1. Log in to the BIG-IP load balancer.

    2. Click Proxies in the left pane.

    3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

    4. In the Create Certificate Request page, provide the following information:

      Key Identifier:

      LoadBalancer-11.siroe.com

      Organization:

      siroe.com

      Domain Name:

      LoadBalancer-11.siroe.com

      Email Address:

      jdoe@siroe.com

    5. Click the Generate Request button.

    6. In the Generate Request page, copy the request that looks similar to this:


      -----BEGIN CERTIFICATE REQUEST-----
      UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
      AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
      EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
      xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
      IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
      wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
      ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
      FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
      ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
      GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
      2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
      -----END CERTIFICATE REQUEST-----

    7. Paste this text into a request form provided by a root certificate authority (CA) such as VeriSign or Thawte.

      See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.

  4. After you receive the certificate from the issuer, install the SSL Certificate.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. The issued certificate is PEM-encoded text delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (not the request delimiters of the previous step). Example:


      -----BEGIN CERTIFICATE-----
      UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
      AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
      EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
      xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
      IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
      wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
      ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
      FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
      ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
      GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
      2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
      -----END CERTIFICATE-----

    4. Click Install Certificate.

  5. Create a Pool.

    A pool contains all the backend server instances.

    1. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    2. In the left pane, click Pools.

    3. On the Pools tab, click the Add button.

    4. In the Add Pool dialog, provide the following information:

      Pool Name

      federation_web_agents

      Load Balancing Method

      Round Robin

      Resources

      192.18.72.151:2080 (for Protected Resource 3)

      192.18.72.152:2080 (for Protected Resource 4)

      Click Done.

  6. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_web_agents.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

      Click Apply.

  7. Add a Virtual Server.

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-11.siroe.com)

      Service

      5080

      Click Next.

    4. Continue to click Next until you reach the Select Physical Resources dialog box.

      Pool

      federation_web_agents

    5. In the Pool Selection dialog box, assign the Pool (federation_web_agents) that you have just created.

    6. Click the Done button.

  8. Create proxies.

    1. In the left frame, click Proxies.

    2. On the Proxies tab, click Add.

    3. In the Add Proxy page, provide the following information:

      Proxy Type:

      Mark the SSL checkbox.

      Proxy Address:

      192.18.69.14

      Proxy Service:

      6443

      Destination Address:

      192.18.69.14

      Destination Service:

      5080

      SSL Certificate:

      LoadBalancer-11.siroe.com

      SSL Key:

      LoadBalancer-11.siroe.com

      Server SSL Certificate:

      LoadBalancer-11.siroe.com

      Server SSL Key:

      LoadBalancer-11.siroe.com

      Click Done.

  9. Add Monitors.

    1. Click the Monitors tab, and then click the Add button.

      In the Add Monitor dialog provide the following information:

      Name:

      WebAgent-http

      Inherits From:

      Choose http.

    2. Click Next.

      In the Configure Basic Properties page, click Next.

    3. In the Configure ECV HTTP Monitor, in the Send String field, enter the following:

      GET /launch.html

      Click Next.

    4. In the Destination Address and Service (Alias) page, click Done.

      On the Monitors tab, the monitor you just added is now contained in the list of monitors.

    5. Click the Basic Associations tab.

      Look for the IP addresses for ProtectedResource-3:2080 and ProtectedResource-4:1080.

    6. Mark the Add checkbox for ProtectedResource-3 and ProtectedResource-4.

    7. At the top of the Node column, choose the monitor that you just added, WebAgent-http.

    8. Click Apply.

Procedure: To Configure the Web Policy Agents to Work with the Web Policy Agents Load Balancer

In this procedure you modify the AMAgent.properties file. Map Protected Resource 3 and Protected Resource 4 to Load Balancer 11.

  1. Log in as a root user to Protected Resource 3.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com

  2. Use a text editor to modify the AMAgent.properties file.

    For this property:

    com.sun.am.policy.agents.config.notenforced_list

    append the following to the end of the value string:

    http://ProtectedResource-3.siroe.com:1080/launch.html http://LoadBalancer-11.siroe.com:90/launch.html

  3. Set the following properties:


    com.sun.am.load_balancer.enable = true
    com.sun.am.policy.agents.config.override_protocol = true
    com.sun.am.policy.agents.config.override_host = true
    com.sun.am.policy.agents.config.override_port = true
    com.sun.am.policy.agents.config.agenturi.prefix = https://LoadBalancer-11.siroe.com:6443/amagent
    com.sun.am.policy.agents.config.fqdn.map = [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com]
    com.sun.am.policy.agents.config.fqdn.default = LoadBalancer-11.siroe.com

    Save the file.

  4. Restart Web Server 3 on Protected Resource 3.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
    # ./stop; ./start

  5. Log in as a root user to Protected Resource 4.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com

  6. Use a text editor to modify the AMAgent.properties file.

    For this property:

    com.sun.am.policy.agents.config.notenforced_list

    append the following to the end of the value string:

    http://ProtectedResource-4.siroe.com:1080/launch.html http://LoadBalancer-11.siroe.com:90/launch.html

  7. Set the following properties:


    com.sun.am.load_balancer.enable = true
    com.sun.am.policy.agents.config.override_protocol = true
    com.sun.am.policy.agents.config.override_host = true
    com.sun.am.policy.agents.config.override_port = true
    com.sun.am.policy.agents.config.agenturi.prefix = https://LoadBalancer-11.siroe.com:6443/amagent
    com.sun.am.policy.agents.config.fqdn.map = [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com]
    com.sun.am.policy.agents.config.fqdn.default = LoadBalancer-11.siroe.com

    Save the file.

  8. Restart Web Server 4 on Protected Resource 4.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start
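The property edits above are easy to get subtly wrong on one of the two protected resources (a single override flag left at false, an http prefix, a missing not-enforced entry), and the agent will not complain until a user or the monitor is redirected somewhere unexpected. The following Python checker is an added example, not part of the deployment guide or of the agent software: it parses an AMAgent.properties file (including backslash line continuations) and verifies the settings this procedure asks for. The embedded sample is a constructed excerpt; the host names and ports are the ones used in the procedure and are passed in as parameters.

```python
"""Added example (not part of the deployment guide): a checker for the
AMAgent.properties settings the procedure above asks for.

It parses the Java-style properties file, then verifies the load-balancer
properties and that the monitor probe page is in the not-enforced list.
SAMPLE_GOOD is a constructed excerpt, not a real agent configuration."""
from urllib.parse import urlsplit

PREFIX = "com.sun.am.policy.agents.config."

SAMPLE_GOOD = """\
# constructed excerpt of AMAgent.properties for Protected Resource 3
com.sun.am.policy.agents.config.notenforced_list = \\
    http://ProtectedResource-3.siroe.com:1080/launch.html \\
    http://LoadBalancer-11.siroe.com:90/launch.html
com.sun.am.load_balancer.enable = true
com.sun.am.policy.agents.config.override_protocol = true
com.sun.am.policy.agents.config.override_host = true
com.sun.am.policy.agents.config.override_port = true
com.sun.am.policy.agents.config.agenturi.prefix = https://LoadBalancer-11.siroe.com:6443/amagent
com.sun.am.policy.agents.config.fqdn.map = [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com]
com.sun.am.policy.agents.config.fqdn.default = LoadBalancer-11.siroe.com
"""


def parse_properties(text):
    """Minimal key = value parser; joins lines that end with a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_agent_properties(props, lb_host, lb_port, lb_probe_port,
                           local_host, local_port):
    """Return a list of findings; an empty list means the file matches the
    procedure. Host names are compared case-insensitively."""
    findings = []

    def expect(key, wanted):
        found = props.get(key, "<missing>")
        if found.lower() != wanted:
            findings.append(f"{key} should be {wanted}, found {found!r}")

    expect("com.sun.am.load_balancer.enable", "true")
    for name in ("override_protocol", "override_host", "override_port"):
        expect(PREFIX + name, "true")

    # The agent must hand its own URLs to the browser via the load balancer's
    # SSL proxy, so the prefix must be https on the proxy host and port.
    url = urlsplit(props.get(PREFIX + "agenturi.prefix", ""))
    if (url.scheme, url.hostname, url.port, url.path) != \
            ("https", lb_host.lower(), lb_port, "/amagent"):
        findings.append(f"agenturi.prefix should be https://{lb_host}:{lb_port}/amagent")

    if f"[{lb_host}|{lb_host}]".lower() not in props.get(PREFIX + "fqdn.map", "").lower():
        findings.append(f"fqdn.map should map {lb_host} to itself")
    if props.get(PREFIX + "fqdn.default", "").lower() != lb_host.lower():
        findings.append(f"fqdn.default should be {lb_host}")

    # The monitor sends an unauthenticated GET /launch.html. If that page were
    # enforced, the agent would redirect the probe to the login page instead
    # of serving it, so the probe page (and only the probe page) is exempted.
    not_enforced = props.get(PREFIX + "notenforced_list", "").split()
    lowered = [entry.lower() for entry in not_enforced]
    for probe in (f"http://{local_host}:{local_port}/launch.html",
                  f"http://{lb_host}:{lb_probe_port}/launch.html"):
        if probe.lower() not in lowered:
            findings.append(f"notenforced_list is missing {probe}")
    for entry in not_enforced:
        if "*" in entry:
            findings.append(f"review wildcard not-enforced entry {entry}: "
                            "every matching URL bypasses policy enforcement")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_GOOD)
    result = check_agent_properties(props, "LoadBalancer-11.siroe.com", 6443, 90,
                                    "ProtectedResource-3.siroe.com", 1080)
    print("findings:", result or "none")
```

Run it against the real file by reading it into `parse_properties` and passing the host names for the resource being checked (for Protected Resource 4, pass ProtectedResource-4.siroe.com). The wildcard finding is advisory: anything in the not-enforced list is served without session validation, so additions should stay limited to the probe page.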

Procedure: To Verify that the Web Policy Agents Load Balancer is Working Properly

  1. In a browser, go to the following URL:

    https://LoadBalancer-11.siroe.com:6443/index.html

    The load balancer redirects the request to the Access Manager login page.

  2. Log in to the Access Manager console using the following information:

    Username

    spuser

    Password

    spuser

    If the default Web Server index.html page is displayed, then the load balancer is configured properly.

  3. Verify that Load Balancer 11 monitors are monitoring the Web Servers properly.

    1. Log in as a root user to Protected Resource 3.

    2. Run the tail command.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com/logs
      # tail -f access

      If you see frequent entries similar to this one:


      192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526

      then the custom monitor is configured properly. If you do not see "GET /launch.html", then you must troubleshoot the load balancer configuration.

    3. Log in as root to Protected Resource 4.

    4. Run the tail command.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com/logs
      # tail -f access

      If you see frequent entries similar to this one:


      192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526

      then the custom monitor is configured properly. If you do not see "GET /launch.html", then you must troubleshoot the load balancer configuration.
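Watching tail -f by eye tells you that probes arrive, but not whether they arrive regularly or whether the Web Server answers them with 200. The following Python script is an added example, not part of the deployment guide: it parses access log entries of the shape shown above, keeps only the monitor's GET /launch.html probes, and reports gaps and non-200 answers. The log lines are constructed; 192.18.69.18 is the monitor address taken from the sample entry above, and the probe interval and threshold are assumptions.

```python
"""Added example (not part of the deployment guide): check a Web Server
access log for the load balancer's GET /launch.html health probes.

Lines have the same shape as the guide's sample entry (no HTTP version in
the request field, because the monitor's send string is just
"GET /launch.html"). The log lines below are constructed."""
import re
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

SAMPLE_HEALTHY = """\
192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526
192.0.2.10 - - [06/Oct/2006:13:53:09 -0700] "GET /index.html HTTP/1.1" 200 1421
192.18.69.18 - - [06/Oct/2006:13:53:12 -0700] "GET /launch.html" 200 8526
192.18.69.18 - - [06/Oct/2006:13:53:17 -0700] "GET /launch.html" 200 8526
192.18.69.18 - - [06/Oct/2006:13:53:22 -0700] "GET /launch.html" 200 8526
"""

# A long silence followed by a redirect: the kind of trace you would see if
# /launch.html were missing from the agent's not-enforced list.
SAMPLE_BROKEN = """\
192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526
192.18.69.18 - - [06/Oct/2006:13:54:30 -0700] "GET /launch.html" 302 0
"""


def parse_access_line(line):
    """Parse one NCSA-style access log entry; returns None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status, _size = m.groups()
    parts = request.split()
    return {
        "ip": ip,
        "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(status),
    }


def monitor_report(lines, monitor_ip, probe_path="/launch.html", max_gap_seconds=30):
    """Summarise the monitor's probes: how many, the longest gap between two
    consecutive probes, and any probe that was not answered with 200."""
    probes = [e for e in map(parse_access_line, lines)
              if e and e["ip"] == monitor_ip and e["path"] == probe_path]
    report = {"probes": len(probes), "max_gap_seconds": 0.0, "problems": []}
    if not probes:
        report["problems"].append(f"no {probe_path} probes from {monitor_ip}")
        return report
    times = sorted(e["time"] for e in probes)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    report["max_gap_seconds"] = max(gaps, default=0.0)
    if report["max_gap_seconds"] > max_gap_seconds:
        report["problems"].append(
            f"probe gap of {report['max_gap_seconds']:.0f}s exceeds {max_gap_seconds}s")
    for e in probes:
        if e["status"] != 200:
            hint = (" (redirect: is the page still enforced by the agent?)"
                    if e["status"] in (302, 303, 307) else "")
            report["problems"].append(
                f"probe at {e['time'].isoformat()} answered {e['status']}{hint}")
    return report


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("broken", SAMPLE_BROKEN)):
        print(name, monitor_report(sample.splitlines(), "192.18.69.18"))
```

On a live system, feed it the last few minutes of the access file (for example the output of `tail -n 500 access`) and use the monitor interval configured on the BIG-IP, with some margin, as `max_gap_seconds`. A probe answered with a redirect points at the agent configuration rather than the load balancer, because it means the agent is enforcing policy on the probe page.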