Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

4.4 Configuring Load Balancer 1 for the User Data Instances

Load Balancer 1 is configured in front of the Directory Server user data instances. This section assumes that you have already installed the load balancer. Use the following list of procedures as a checklist for completing the task.

  1. To Request a Certificate for the User Data Load Balancer

  2. To Import the Root Certificate to the User Data Load Balancer

  3. To Install the Server Certificate to the User Data Load Balancer

  4. To Configure the User Data Load Balancer 1

  5. To Create an SSL Proxy for SSL Termination at the User Data Load Balancer 1

Procedure: To Request a Certificate for the User Data Load Balancer

Generate a request for a server certificate to send to a CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console using the following information.

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. In the Create Certificate Request page, provide the following information.

    Key Identifier:

    lb-1.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    lb-1.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a file named lb-1.csr.

  10. Log out of the console and close the browser.

  11. Send lb-1.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named lb-1.cer.

Procedure: To Import the Root Certificate to the User Data Load Balancer

Import the CA root certificate on Load Balancer 1 so that the load balancer can validate certificates issued by that CA, in particular the certificates that the Directory Server user data instances present on their SSL ports. Use the same root certificate that you imported in 4.3 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

Before You Begin

You should already have a root certificate from the CA of your choice.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the load balancer as administrator.

  3. Click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog box, navigate to ca.cer, the CA root certificate.

  9. Click Open.

  10. Enter OpenSSL_CA_Cert in the Certificate Identifier field.

  11. Click Install Certificate.

    The Certificate OpenSSL_CA_Cert page is displayed.

  12. Click Return to Certificate Administration on the Certificate OpenSSL_CA_Cert page.

    OpenSSL_CA_Cert, the root certificate, is now included in the Certificate ID list.

Procedure: To Install the Server Certificate to the User Data Load Balancer

Before You Begin

This procedure assumes you have received the server certificate requested in To Request a Certificate for the User Data Load Balancer, just completed To Import the Root Certificate to the User Data Load Balancer, and are still logged into the load balancer console.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key lb-1.example.com is in the Key List.

  3. In the Certificate ID column, click Install for lb-1.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to lb-1.cer, the server certificate, and click Open.

  6. Click Install Certificate.

  7. On the Certificate lb-1.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates lb-1.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

Procedure: To Configure the User Data Load Balancer 1

Before You Begin

This procedure assumes that you have completed To Install the Server Certificate to the User Data Load Balancer and have logged in to the load balancer console again.

  1. Click Configure your BIG-IP (R) using the Configuration Utility.

  2. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      DirectoryServer-UserData-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Directory Server host machines: ds-1:1736 and ds-2:1736. This is the SSL port of the user data instances, so SSL connections forwarded by the virtual server reach the Directory Server unchanged.

    4. Click Done.

  3. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when a client connects, forwards the connection to the most appropriate real server in the pool.


    Tip –

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. Click Add on the Virtual Servers tab.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb-1.example.com

      Service

      490

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. Assign DirectoryServer-UserData-Pool to the virtual server in the Pool Selection dialog box.

    6. Click Done.

  4. Add Monitors

    Monitors are required for the load balancer to detect back-end server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add a monitor for the Directory Server 1 node.

      In the Node column, locate the IP address and port number, ds-1:1736, and select the Add checkbox.

    4. Add a monitor for the Directory Server 2 node.

      In the Node column, locate the IP address and port number, ds-2:1736, and select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose tcp.

      A tcp monitor only checks that the port accepts a connection; it does not verify that the instance answers LDAP operations. It is sufficient to detect a stopped instance, which is what the verification steps below test.

    6. Click Apply.

  5. Configure the load balancer for persistence.

    The user data load balancer is configured for simple persistence. With simple persistence, all connections from a given client address within the specified interval are sent to the same Directory Server instance. This matters because replication between the two instances is not instantaneous: when a request writes an entry to Directory Server 1, that change must still be replicated to Directory Server 2, and if a related request were routed to Directory Server 2 before replication completed, it could fail because the entry is missing or only partially created there. With simple persistence, both requests go to Directory Server 1 and are processed in order; the first request finishes before the second begins, so within the interval no errors or delays arise from replication lag. Note that simple persistence tracks connections by client IP address only, so all clients that share one source address (for example, behind the same NAT device) are pinned to the same instance.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, DirectoryServer-UserData-Pool.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Simple.

    5. Enter 300 seconds for the Timeout interval.

    6. Click Apply.

  6. Verify the Directory Server load balancer configuration.

    1. Log in as a root user to the host machine of each Directory Server instance.

    2. On each host machine, use the tail command to monitor the Directory Server access log.


      # cd /var/opt/mps/am-users/logs
      # tail -f access
      

      You should see connections to the load balancer IP address opening and closing. For example:

      [12/July/2008:13:10:20-0700] conn=69755 op=-1 msgId=-1 - closed 
      [12/July/2008:13:10:25-0700] conn=69756 op=-1 msgId=-1 
      - fd=27 slot=27 LDAP connection from IP_address to IP_address
      [12/July/2008:13:10:25-0700] conn=69756 op=0 msgId=0 
      - RESULT err=80 tag=120 nentries=0 etime=0 
      [12/July/2008:13:10:25-0700] conn=69756 op=-1 msgId=-1 
      - closing from IP_address
      
    3. Execute the following LDAP search against the Directory Server load balancer from Directory Server 1.


      # cd /var/opt/mps/serverroot/dsrk6/bin
      # ./ldapsearch -h lb-1.example.com -p 490 -Z \
      -P /var/opt/mps/am-users/alias/slapd-cert8.db \
      -b "dc=company,dc=com" -D "cn=directory manager" \
      -w dsmanager "(objectclass=*)"
      
      version: 1
      dn: dc=company,dc=com
      dc: company
      objectClass: top
      objectClass: domain

      The ldapsearch operation should return entries. Make sure they display in the access log on only one Directory Server.

    4. Run dsadm stop to stop Directory Server 1.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-users
      
    5. Perform the same LDAP search against the Directory Server load balancer from Directory Server 2.


      # cd /var/opt/mps/serverroot/dsrk6/bin
      # ./ldapsearch -h lb-1.example.com -p 490 -Z \
      -P /var/opt/mps/am-users/alias/slapd-cert8.db \
      -b "dc=company,dc=com" -D "cn=directory manager" \
      -w dsmanager "(objectclass=*)"
      
      version: 1
      dn: dc=company,dc=com
      dc: company
      objectClass: top
      objectClass: domain

      The ldapsearch operation should return entries. Verify that the entries display in the access log on only Directory Server 2.


      Note –

      You may encounter the following error message:

      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      This means that the load balancer has not yet detected that Directory Server 1 is stopped: the search was started before the monitor's next poll and the monitor timeout had elapsed, so the connection was still forwarded to the stopped instance. For example, if the polling interval is set to 10 seconds, wait at least ten seconds, plus the monitor timeout, before starting the search. You can lower the monitor's interval and timeout in the load balancer console so that failures are detected sooner.

      1. Click the Monitors tab.

      2. Click the tcp monitor name.

      3. In the Interval field, set the value to 5.

        This tells the load balancer to poll the server every 5 seconds.

      4. In the Timeout field, set the value to 16.

        This is three times the interval plus one second, so a node is marked down after three consecutive missed probes.

      5. Click Apply and repeat the LDAP search.

      See your load balancer documentation for more information on the timeout property.


    6. Start Directory Server 1.


      # ./dsadm start /var/opt/mps/am-users
      
    7. Stop Directory Server 2.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-users
      
    8. Perform the following LDAP search against the Directory Server load balancer from Directory Server 1 to confirm that the request is forwarded to the running Directory Server 1.


      # cd /var/opt/mps/serverroot/dsrk6/bin
      # ./ldapsearch -h lb-1.example.com -p 490 -Z \
      -P /var/opt/mps/am-users/alias/slapd-cert8.db \
      -b "dc=company,dc=com" -D "cn=directory manager" \
      -w dsmanager "(objectclass=*)"
      
      version: 1
      dn: dc=company,dc=com
      dc: company
      objectClass: top
      objectClass: domain

      The ldapsearch operation should return entries. Make sure the entries display in the access log on only Directory Server 1.

    9. Start Directory Server 2.


      # ./dsadm start /var/opt/mps/am-users
      
    10. Log out of both Directory Server host machines and the load balancer console.
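The persistence behaviour described in step 5 and the monitor timing discussed in the Note under step 6, as an added model that is not part of this guide and not BIG-IP code. It assumes that the persistence timer is an idle timer refreshed by every new connection from the same client address, uses plain seconds for time, and uses the hypothetical client addresses 10.0.0.5 and 10.0.0.6; the member names, the 300 second persistence timeout and the interval 5 / timeout 16 monitor values are the ones from the procedure.

```python
"""Toy model of the user-data pool: round-robin member selection, simple
(client-address) persistence with an idle timeout, and a tcp health monitor.
Added illustration, not BIG-IP code."""

from dataclasses import dataclass, field


@dataclass
class Monitor:
    """Health state kept per node from periodic tcp probes.

    A node counts as up while some probe has succeeded within the last
    `timeout` seconds. With timeout = 3 * interval + 1 (16 for an interval
    of 5) three consecutive probes may fail before the node is taken out of
    rotation, and a node that dies right after a good probe can keep
    receiving connections for up to `timeout` seconds."""
    interval: float = 5.0
    timeout: float = 16.0
    last_ok: dict = field(default_factory=dict)   # node -> time of last good probe

    def probe(self, node, reachable, now):
        if reachable:
            self.last_ok[node] = now

    def is_up(self, node, now):
        last = self.last_ok.get(node)
        return last is not None and now - last <= self.timeout


@dataclass
class Pool:
    members: list                        # e.g. ["ds-1:1736", "ds-2:1736"]
    monitor: Monitor
    persistence_timeout: float = 300.0   # "Simple" persistence, 300 seconds
    _rr: int = 0
    _sticky: dict = field(default_factory=dict)  # client_ip -> (member, last_seen)

    def sticky_member(self, client_ip, now):
        """Member the client is still pinned to, or None if no record or expired.
        Assumption: the timer is an idle timer, refreshed by every new
        connection from the same client address."""
        rec = self._sticky.get(client_ip)
        if rec is None:
            return None
        member, last_seen = rec
        if now - last_seen > self.persistence_timeout:
            del self._sticky[client_ip]
            return None
        return member

    def select(self, client_ip, now):
        """Choose the member for a new connection from client_ip at time now."""
        member = self.sticky_member(client_ip, now)
        # A persistence record never overrides the monitor: a member marked
        # down is skipped even if the client is pinned to it.
        if member is None or not self.monitor.is_up(member, now):
            up = [m for m in self.members if self.monitor.is_up(m, now)]
            if not up:
                raise ConnectionRefusedError("no pool member is up")
            member = up[self._rr % len(up)]
            self._rr += 1
        self._sticky[client_ip] = (member, now)
        return member


def demo_persistence():
    """Two connections from one client address land on the same instance even
    though plain round robin would have alternated; a second client address
    goes to the other instance; an idle record expires after 300 seconds."""
    mon = Monitor()
    pool = Pool(["ds-1:1736", "ds-2:1736"], mon)
    for n in pool.members:                 # both nodes answer their probes
        mon.probe(n, True, now=0)
    a = pool.select("10.0.0.5", now=1)     # round robin -> ds-1
    b = pool.select("10.0.0.5", now=2)     # persistence -> ds-1 again
    c = pool.select("10.0.0.6", now=3)     # new client address -> ds-2
    d = pool.sticky_member("10.0.0.5", now=2 + 301)   # idle > 300 s -> None
    return a, b, c, d


def demo_failover():
    """Directory Server 1 stops at t=2. Until the monitor timeout lapses the
    client is still sent to it (the "Connection refused" case in the Note);
    once it is marked down, the persistence record is overridden."""
    mon = Monitor(interval=5, timeout=16)
    pool = Pool(["ds-1:1736", "ds-2:1736"], mon)
    for n in pool.members:
        mon.probe(n, True, now=0)
    pool.select("10.0.0.5", now=1)         # pinned to ds-1
    for t in (5, 10, 15):                  # ds-1 no longer answers probes
        mon.probe("ds-1:1736", False, now=t)
        mon.probe("ds-2:1736", True, now=t)
    too_soon = pool.select("10.0.0.5", now=10)   # still "up" -> ds-1 (would be refused)
    after = pool.select("10.0.0.5", now=17)      # 17 - 0 > 16 -> down -> ds-2
    return too_soon, after


if __name__ == "__main__":
    print(demo_persistence())
    print(demo_failover())
```

The two demos make the two practical consequences visible: persistence pins every client that shares a source address to one instance for the whole idle window, and a pinned client keeps being sent to a stopped instance until the monitor timeout (not merely the interval) has elapsed.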
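The access-log check in step 6 ("make sure the entries display in the access log on only one Directory Server"), as an added example that is not part of this guide: a parser over Directory Server access-log lines that separates the load balancer's tcp monitor probes from real searches and reports which instance answered. The log lines are constructed to follow the format shown above, not captured from a real system; the load balancer address 192.0.2.20 and the server addresses 192.0.2.31 and 192.0.2.32 are assumed values, as is the assumption that the back-end connections carry the load balancer's address because the load balancer opens its own connection to the instance.

```python
"""Check Directory Server access logs for the load-balancer verification step.
Added illustration with constructed log lines; not part of the guide."""

import re
from collections import defaultdict

# [timestamp] conn=N op=N msgId=N - <rest>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) "
    r"msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$"
)
CONN_RE = re.compile(r"LDAP connection from (?P<src>[0-9.]+)(?::\d+)? to ")
# tag=101 is the LDAP SearchResultDone message, so nentries on it is the
# number of entries the search returned.
RESULT_RE = re.compile(r"RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)")


def parse_access_log(text):
    """Group lines by connection id: source address, whether any real LDAP
    operation (BIND/SRCH) was sent, and the (err, nentries) of each search."""
    conns = defaultdict(lambda: {"src": None, "ldap_ops": False, "searches": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # blank or wrapped continuation text
        c = conns[m["conn"]]
        rest = m["rest"]
        cm = CONN_RE.search(rest)
        if cm:
            c["src"] = cm["src"]
        if rest.startswith(("BIND ", "SRCH ")):
            c["ldap_ops"] = True
        rm = RESULT_RE.search(rest)
        if rm and rm["tag"] == "101":
            c["searches"].append((int(rm["err"]), int(rm["n"])))
    return dict(conns)


def search_summary(text, client_ip):
    """(monitor_probes, searches) seen from client_ip on one server. A
    connection opened and closed without BIND/SRCH is a tcp monitor probe;
    the err=80 result on it is the server's reply to a non-LDAP connection."""
    probes, searches = 0, []
    for c in parse_access_log(text).values():
        if c["src"] != client_ip:
            continue
        if c["ldap_ops"]:
            searches.extend(c["searches"])
        else:
            probes += 1
    return probes, searches


def servers_that_answered(logs, client_ip):
    """logs: {server_name: access_log_text}. Servers on which a search from
    client_ip completed successfully and returned entries."""
    return [name for name, text in logs.items()
            if any(err == 0 and n > 0 for err, n in search_summary(text, client_ip)[1])]


def check_single_server(logs, client_ip):
    """The check the verification steps call for: exactly one instance
    answered. Raises if none or both did."""
    answered = servers_that_answered(logs, client_ip)
    if len(answered) != 1:
        raise AssertionError(f"expected one answering server, got {answered}")
    return answered[0]


LB = "192.0.2.20"                          # assumed load balancer address
PROBE = """\
[12/July/2008:13:10:25-0700] conn={c} op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from {lb} to {ds}
[12/July/2008:13:10:25-0700] conn={c} op=0 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
[12/July/2008:13:10:25-0700] conn={c} op=-1 msgId=-1 - closing from {lb}
"""
SEARCH = """\
[12/July/2008:13:10:31-0700] conn={c} op=-1 msgId=-1 - fd=28 slot=28 LDAP connection from {lb} to {ds}
[12/July/2008:13:10:31-0700] conn={c} op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[12/July/2008:13:10:31-0700] conn={c} op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[12/July/2008:13:10:31-0700] conn={c} op=1 msgId=2 - SRCH base="dc=company,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[12/July/2008:13:10:31-0700] conn={c} op=1 msgId=2 - RESULT err=0 tag=101 nentries=4 etime=0
[12/July/2008:13:10:31-0700] conn={c} op=2 msgId=3 - UNBIND
[12/July/2008:13:10:31-0700] conn={c} op=2 msgId=-1 - closing from {lb}
"""
# Constructed sample: ds-1 saw two probes and the search; ds-2 saw probes only.
DS1_LOG = (PROBE.format(c=69756, lb=LB, ds="192.0.2.31")
           + SEARCH.format(c=69757, lb=LB, ds="192.0.2.31")
           + PROBE.format(c=69758, lb=LB, ds="192.0.2.31"))
DS2_LOG = (PROBE.format(c=41203, lb=LB, ds="192.0.2.32")
           + PROBE.format(c=41204, lb=LB, ds="192.0.2.32"))

if __name__ == "__main__":
    print(search_summary(DS1_LOG, LB), search_summary(DS2_LOG, LB))
    print("answered by:", check_single_server({"ds-1": DS1_LOG, "ds-2": DS2_LOG}, LB))
```

Feed each server's access file to search_summary with the address the connections actually arrive from; the probe count confirms the monitor is polling that node, and check_single_server fails when the search shows up on both instances, which is what persistence is supposed to prevent during the interval.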

Procedure: To Create an SSL Proxy for SSL Termination at the User Data Load Balancer 1

SSL communication is terminated at Load Balancer 1. The request is then re-encrypted and securely forwarded to the SSL port of the Directory Server user data instance. Load Balancer 1 also encrypts the responses it receives back from the user data instance, and sends these encrypted responses back to the client. To this end, create an SSL proxy that terminates the client SSL session and opens a new SSL session to the back end. Note that the load balancer therefore holds the private key for lb-1.example.com and handles the LDAP traffic in clear text between the two sessions, so administrative access to it must be restricted accordingly.

Before You Begin

You should have completed the preceding procedures, so that the lb-1.example.com key and server certificate and the OpenSSL_CA_Cert root certificate are installed on the load balancer.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in with the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information.

    Proxy Type:

    Check the SSL and ServerSSL checkboxes.

    Proxy Address:

    The IP address of Load Balancer 1.

    Proxy Service:

    489, the secure port number on which clients connect to the load balancer.

    Destination Address:

    The IP address of Load Balancer 1.

    Destination Service:

    490, the non-secure port number of the virtual server created in To Configure the User Data Load Balancer 1. Because the destination address is the load balancer's own, the decrypted hop stays on the load balancer.

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose lb-1.example.com.

    SSL Key:

    Choose lb-1.example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. On the page starting with “Insert HTTP Header String,” change to Rewrite Redirects and choose Matching.

  9. Click Next.

  10. On the page starting with “Client Cipher List String”, accept the defaults.

  11. Click Next.

  12. On the page starting with “Server Chain File,” change to Server Trusted CA's File and select “OpenSSL_CA_Cert.crt” from the drop-down list.

    This is the root certificate imported earlier. The load balancer uses it to verify the certificate that each Directory Server instance presents on the server-side (ServerSSL) connection, so a back end presenting a certificate from some other CA is rejected.

  13. Click Done.

    The new proxy server is added to the Proxy Server list.

  14. Log out of the load balancer console.