The two instances of OpenSSO Enterprise are fronted by one load balancer (Load Balancer 2). Users will access OpenSSO Enterprise through the secure port 1081. Users external to the company will access the Distributed Authentication User Interface which, in turn, routes the request through the secure port 1081.
Load Balancer 2 sends the user and agent requests to the server where the session originated. Secure Sockets Layer (SSL) is terminated and regenerated before a request is forwarded to the OpenSSO Enterprise servers to allow the load balancer to inspect the traffic for proper routing. Load Balancer 2 is capable of the following types of load balancing:
Cookie-based |
The load balancer makes decisions based on client's cookies. The load balancer looks at the request and detects the presence of a cookie by a specific name. If the cookie is detected in the request, the load balancer routes the request to the specific server to which the cookie has been assigned. If the cookie is not detected in the request, the load balancer balances client requests among the available servers. |
IP-based |
This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends all requests from a specific IP address to the same server. |
TCP |
The load balancer mainstreams session affinity. This means that all requests related to a TCP session, are forwarded to the same server. In this deployment example, Load Balancer 2 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load-balancing is applicable to the TCP-based protocols. |
In this Deployment Example, we use BIG-IP and it's supported passive-cookie mechanism to address session persistence with the backend OpenSSO Enterprise servers. The intent is to enable persistence of requests to the backend servers depending upon the value of amlbcookie, the OpenSSO Enterprise cookie. Stickiness can then be maintained for all OpenSSO Enterprise related requests from browsers or agents. Different load balancers might support different mechanisms to achieve session persistence. It is the responsibility of the end users to determine and map this functionality to their own choice of load balancer.
This section assumes that you have already installed a load balancer. Before you begin, note the following:
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
Know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
Get the IP addresses for OpenSSO Enterprise 1 and OpenSSO Enterprise 2 by running the following command on each host machine:
# ifconfig -a |
Use the following list of procedures as a checklist for completing the task.
To Request a Certificate for the OpenSSO Enterprise Load Balancer
To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer
To Install the Server Certificate to the OpenSSO Enterprise Load Balancer
To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer
Generate a request for a server certificate to send to a CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.
Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.
Log in to the BIG-IP console using the following information.
username
password
Click Configure your BIG-IP (R) using the Configuration Utility.
In the left pane, click Proxies.
Click the Cert-Admin tab.
On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.
In the Create Certificate Request page, provide the following information.
lb-2.example.com
Deployment
lb-2.example.com
password
password
Click Generate Key Pair/Certificate Request.
On the SSL Certificate Request page, the request is generated in the Certificate Request field.
Save the text contained in the Certificate Request field to a file named lb-2.csr.
Log out of the console and close the browser.
Send lb-2.csr to the CA of your choice.
The CA issues and returns a certified server certificate named lb-2.cer.
Install the CA root certificate on Load Balancer 2 to ensure that a link between the Load Balancer 2 can be maintained with the CA. Use the same root certificate that you imported in 4.3 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.
Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.
Log in with the following information.
username
password
In the BIG-IP load balancer console, click Proxies.
Click the Cert-Admin tab.
Click Import.
In the Import Type field, choose Certificate, and click Continue.
Click Browse in the Certificate File field on the Install SSL Certificate page.
In the Choose File dialog, choose Browser.
Navigate to ca.cer and click Open.
In the Certificate Identifier field, enter OpenSSL_CA_cert.
Click Install Certificate.
On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.
The root certificate named OpenSSL_CA_Cert is now included in the Certificate ID list.
This procedure assumes you have received the server certificate requested in To Request a Certificate for the OpenSSO Enterprise Load Balancer and just completed To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer.
In the BIG-IP load balancer console, click Proxies.
Click the Cert-Admin tab.
The key lb-2.example.com is in the Key List.
In the Certificate ID column, click Install for lb-2.example.com.
In the Certificate File field, click Browse.
In the Choose File dialog, navigate to lb-2.cer, the server certificate, and click Open.
Click Install Certificate.
On the Certificate lb-2.example.com page, click Return to Certificate Administration Information.
Verify that the Certificate ID indicates lb-2.example.com on the SSL Certificate Administration page.
Log out of the load balancer console.
Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.
Log in using the following information:
username
password
Click Configure your BIG-IP (R) using the Configuration Utility.
Create a Pool.
A pool contains all the backend server instances.
Add a Virtual Server.
The virtual server presents an address to the outside world and, when users attempt to connect, it would forward the connection to the most appropriate real server.
If you encounter JavaScriptTM errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.
In the left frame, click Virtual Servers.
On the Virtual Servers tab, click Add.
In the Add a Virtual Server dialog box, provide the following information:
Enter the IP address for lb-2.example.com
1082
Continue to click Next until you reach the Pool Selection dialog box.
In the Pool Selection dialog box, assign the OSSO-Pool Pool.
Click Done.
Add Monitors.
OpenSSO Enterprise comes with a JSP file named isAlive.jsp that can be contacted to determine if the server is down. Since we have not yet deployed OpenSSO Enterprise, isAlive.jsp cannot be used. In the following sub procedure, create a custom monitor that periodically accesses the Application server instance(s). If desired, the monitor can be changed later to use isAlive.jsp.
Configure the load balancer for persistence.
In the left pane, click BIGpipe.
In the BIGpipe command window, type the following:
makecookie ip-address:port |
ip-address is the IP address of the OSSO-1 host machine and port is the same machine's port number; in this case, 1081.
Press Enter to execute the command.
Something similar to Set-Cookie: BIGipServer[poolname]=692589248.36895.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.36895.0000) for use in To Create a Site on OpenSSO Enterprise 1.
In the left pane, click BIGpipe again.
In the BIGpipe command window, type the following:
makecookie ip-address:port |
ip-address is the IP address of the OSSO-2 host machine and port is the same machine's port number; in this case, 1081.
Press Enter to execute the command.
Something similar to Set-Cookie: BIGipServer[poolname]=692589248.12345.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.12345.0000) for use in To Create a Site on OpenSSO Enterprise 1.
Log out of the load balancer console.
SSL communication is terminated at Load Balancer 2. The request is then re-encrypted and securely forwarded to OpenSSO Enterprise. When clients send an SSL-encrypted request to Load Balancer 2, it decrypts the request and re-encrypts it before sending it on to the OpenSSO Enterprise SSL port. Load Balancer 2 also encrypts the responses it receives back from OpenSSO Enterprise, and sends these encrypted responses back to the client. Towards this end create an SSL proxy for SSL termination and regeneration.
You should have a root certificate issued by a recognized CA.
Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.
Log in with the following information.
username
password
Click Configure your BIG-IP (R) using the Configuration Utility.
In the left pane, click Proxies.
Under the Proxies tab, click Add.
In the Add Proxy dialog, provide the following information.
Check the SSL and ServerSSL checkbox.
The IP address of Load Balancer 2.
1081
The secure port number
The IP address of Load Balancer 2.
1082
The non-secure port number
Choose Local Virtual Server.
Choose lb-2.example.com.
Choose lb-2.example.com.
Check this checkbox.
Click Next.
On the page starting with “Insert HTTP Header String,” change to Rewrite Redirects and choose Matching.
Click Next.
On the page starting with “Client Cipher List String”, accept the defaults.
Click Next.
On the page starting with “Server Chain File,” change to Server Trusted CA's File, select “OpenSSL_CA_Cert.crt” from the drop-down list.
Click Done.
The new proxy server is added to the Proxy Server list.
Log out of the load balancer console.
Access https://lb-2.example.com:1081/index.html from a web browser.
If the Application Server index page is displayed, you can access it using the new proxy server port number and the load balancer is configured properly.
A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.
Close the browser.