This chapter contains technical information regarding the machines, software, and other components used in this deployment example. It contains the following sections:
The following table lists the attributes of the host machines used for this deployment example.
Table 2–1 Host Machines and Operating Systems

| Host Machine | Architecture | Operating System |
|---|---|---|
| da-1 | SPARC | Solaris 10 |
| da-2 | SPARC | Solaris 10 |
| ds-1 | x86 | Solaris 10 |
| ds-2 | x86 | Solaris 10 |
| mq-1 | x86 | Solaris 10 |
| mq-2 | x86 | Solaris 10 |
| osso-1 | SPARC | Solaris 10 |
| osso-2 | SPARC | Solaris 10 |
| pr-1 | SPARC | Solaris 10 |
| pr-2 | SPARC | Solaris 10 |
The following table lists the software used in this deployment example.
Table 2–2 Software and Download Locations

| Product | Version | Download Location |
|---|---|---|
| Sun OpenSSO Enterprise | 8.0 | |
| Sun Java System Web Server | 7.0 Update 3 | |
| Sun Java System Application Server | 9.1 Update 1 | |
| Sun Java System Directory Server | 6.1 | |
| BEA WebLogic Server | 10 | |
| Web Policy Agent (for Sun Java System Web Server) | 3.0 | |
| J2EE Policy Agent (for Sun Java System Application Server and BEA WebLogic Server) | 3.0 | |
| Java (for OpenSSO Enterprise and policy agents) | 1.5.0_09 | |
| BIG-IP Load Balancer | 4.5.10 | |
The following table summarizes the main service URLs for the components used in this deployment example. For detailed configuration information, see Part III, Reference: Summaries of Server and Component Configurations.
Table 2–3 Components and Main Service URLs

| Components | Main Service URL |
|---|---|
| Directory Server Instances and Load Balancers | |
| Directory Server 1 | ldaps://ds-1.example.com:1736 (for monitor node); ldaps://ds-1.example.com:1736 (for user data) |
| Directory Server 2 | ldaps://ds-2.example.com:1736 (for monitor node); ldaps://ds-2.example.com:1736 (for user data) |
| Load Balancer 1 | ldaps://lb-1.example.com:489 (for user data) |
| OpenSSO Enterprise Instances and Load Balancer | |
| OpenSSO Enterprise 1 | https://osso-1.example.com:1081 (for monitor node); https://osso-1.example.com:1081/opensso/console |
| OpenSSO Enterprise 2 | https://osso-2.example.com:1081 (for monitor node); https://osso-2.example.com:1081/opensso/console |
| Load Balancer 2 | https://lb-2.example.com:1081 |
| Distributed Authentication User Interfaces and Load Balancer | |
| Distributed Authentication User Interface 1 | https://da-1.example.com:1443 (for monitor node); https://da-1.example.com:1443/distAuth/ (for users) |
| Distributed Authentication User Interface 2 | https://da-2.example.com:1443 (for monitor node); https://da-2.example.com:1443/distAuth/ (for users) |
| Load Balancer 3 | https://lb-3.example.com:1443 (secure port) |
| Protected Resources 1 and 2: Web Containers, Policy Agents and Load Balancers | |
| Web Container 1 | https://pr-1.example.com:8989 (for Sun Java System Web Server administration console) |
| Web Policy Agent 1 | http://pr-1.example.com:1080 |
| J2EE Container 1 | http://pr-1.example.com:7001/console (for BEA WebLogic administration server) |
| J2EE Policy Agent 1 | http://pr-1.example.com:1081/agentapp |
| Web Container 2 | https://pr-2.example.com:8989 (for Sun Java System Web Server administration console) |
| Web Policy Agent 2 | http://pr-2.example.com:1080 |
| J2EE Container 2 | http://pr-2.example.com:7001/console (for BEA WebLogic administration server) |
| J2EE Policy Agent 2 | http://pr-2.example.com:1081/agentapp |
| Policy Agent Load Balancers | |
| Load Balancer 4 | http://lb-4.example.com:90 (for web policy agents) |
| Load Balancer 5 | http://lb-5.example.com:91 (for J2EE policy agents) |
| Message Queue Broker Instances | |
| Message Queue 1 | http://mq-1.example.com:7777 |
| Message Queue 2 | http://mq-2.example.com:7777 |
The following table provides an overview of the types of communication that take place between servers, load balancers, and other components in the deployment example.
Table 2–4 Summary of Intercomponent Communication

| Entity A | Entity B | Bi-Directional | Port | Protocol | Traffic Type |
|---|---|---|---|---|---|
| Internet Users | Load Balancer 4 | | 90 | HTTP | Application Traffic |
| Internet Users | Load Balancer 5 | | 91 | HTTP | Application Traffic |
| Internet Users | Load Balancer 3 | | 1443 | HTTPS | Internet User Authentication |
| Load Balancer 3 | Distributed Authentication User Interface 1 | | 1443 | HTTPS | Internet User Authentication |
| Load Balancer 3 | Distributed Authentication User Interface 2 | | 1443 | HTTPS | Internet User Authentication |
| Load Balancer 4 | Protected Resource 1 | | 1080 | HTTP | Application Traffic |
| Load Balancer 4 | Protected Resource 2 | | 1080 | HTTP | Application Traffic |
| Load Balancer 5 | Protected Resource 1 | | 1081 | HTTP | Application Traffic |
| Load Balancer 5 | Protected Resource 2 | | 1081 | HTTP | Application Traffic |
| Distributed Authentication User Interface 1 | Load Balancer 2 | | 1081 | HTTPS | Internet User Authentication |
| Distributed Authentication User Interface 2 | Load Balancer 2 | | 1081 | HTTPS | Internet User Authentication |
| Protected Resource 1 | Load Balancer 2 | | 1081 | HTTPS | Agent - OpenSSO Enterprise communication |
| Protected Resource 2 | Load Balancer 2 | | 1081 | HTTPS | Agent - OpenSSO Enterprise communication |
| Load Balancer 3 | OpenSSO Enterprise 1 | | 1081 | HTTPS | Agent - OpenSSO Enterprise communication for authentication |
| Load Balancer 3 | OpenSSO Enterprise 2 | | 1081 | HTTPS | Agent - OpenSSO Enterprise communication for authentication |
| OpenSSO Enterprise 1 | OpenSSO Enterprise 2 | Yes | 1081 | HTTPS | Back-channel communication |
| OpenSSO Enterprise 1 | Message Queue 1 | | 7777 | HTTP | Session communication |
| OpenSSO Enterprise 1 | Load Balancer 1 | | 489 | LDAPS | User profile communication for authentication |
| OpenSSO Enterprise 2 | Message Queue 2 | | 7777 | HTTP | Session communication |
| OpenSSO Enterprise 2 | Load Balancer 2 | | 489 | LDAPS | User profile communication for authentication |
| Message Queue 1 | Message Queue 2 | Yes | 7777 | HTTP | Session communication |
| Message Queue 2 | Message Queue 1 | Yes | 7777 | HTTP | Session communication |
| Load Balancer 1 | Directory Server 1 | | 1736 | LDAPS | User profile communication for authentication |
| Load Balancer 1 | Directory Server 2 | | 1736 | LDAPS | User profile communication for authentication |
| Directory Server 1 | Directory Server 2 | Yes | 1489 | LDAP | Data replication communication |
| Directory Server 2 | Directory Server 1 | Yes | 1489 | LDAP | Data replication communication |
Actual firewalls are not set up in this deployment example. If firewalls were deployed, they would protect critical components using three distinct security zones, as illustrated in 1.1 Deployment Architecture and Components. One zone is completely secure, protected by all three firewalls, and used for internal traffic only. The second, less secure zone is protected by only two firewalls but is also for internal traffic only. The third, minimally secured demilitarized zone (DMZ) leaves only simple components and interfaces exposed to the Internet and is used for external traffic. Thus, direct access to individual instances of OpenSSO Enterprise and Directory Server is allowed only if permitted by firewall rules. Based on the illustration cited:

- The instances of OpenSSO Enterprise are isolated between an internal firewall and the DMZ, and exposed through an external-facing load balancer. The load balancer and instances together provide high data availability within the infrastructure.
- The policy agents themselves are deployed behind a load balancer configured in the DMZ.
- The Distributed Authentication User Interface would be deployed in the DMZ for communication with OpenSSO Enterprise behind a firewall, additionally protecting the OpenSSO Enterprise instances from exposure in the minimally secured DMZ.
You may set up firewalls to allow traffic to flow as described in the following table.
Table 2–5 Summary of Firewall Rules

| From | To | Port # | Protocol | Traffic Type |
|---|---|---|---|---|
| Internet users | Load Balancer 3 | 1443 | HTTPS | User authentication |
| Internet users | Load Balancer 4 | 90 | HTTP | Application access by internet user |
| Internet users | Load Balancer 5 | 91 | HTTP | Application access by internet user |
| Distributed Authentication User Interface 1 | Load Balancer 2 | 1081 | HTTPS | User authentication |
| Distributed Authentication User Interface 2 | Load Balancer 2 | 1081 | HTTPS | User authentication |
| Load Balancer 4 | Protected Resource 1 | 1080 | HTTP | Application access by user |
| Load Balancer 5 | Protected Resource 2 | 1081 | HTTP | Application access by user |
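The following script is an added example and is not part of the deployment guide or the product. It turns the Table 2–5 summary into a default-deny Solaris 10 IP Filter (ipf.conf) configuration for one host: everything not listed in the table is blocked and logged, and only the rows whose To column names that host become inbound allow rules. The interface name is a placeholder, the rule set is transcribed from the table, and the ipf syntax shown is the standard "pass in quick ... keep state" form; host names are resolved when ipf loads the rules, so substitute addresses where name resolution is not available to the firewall host.

```shell
#!/bin/sh
# Added example, not from the deployment guide: derive Solaris 10 IP Filter
# (ipf.conf) rules for one protected host from the Table 2-5 summary, with a
# default deny so that anything the table does not list is blocked and logged.
# Run with /usr/xpg4/bin/sh or bash on Solaris 10. Assumptions: the interface
# name passed as $2 is a placeholder; host names are resolved by ipf when the
# rules are loaded, so substitute addresses if name resolution is not available.

# Rule summary transcribed from Table 2-5: from|to|port|protocol|traffic type.
# "any" stands for the Internet users rows. All listed protocols run over TCP.
FW_RULES='any|lb-3.example.com|1443|tcp|User authentication (HTTPS)
any|lb-4.example.com|90|tcp|Application access by internet user (HTTP)
any|lb-5.example.com|91|tcp|Application access by internet user (HTTP)
da-1.example.com|lb-2.example.com|1081|tcp|User authentication (HTTPS)
da-2.example.com|lb-2.example.com|1081|tcp|User authentication (HTTPS)
lb-4.example.com|pr-1.example.com|1080|tcp|Application access by user (HTTP)
lb-5.example.com|pr-2.example.com|1081|tcp|Application access by user (HTTP)'

# gen_ipf_rules HOST IFACE: print an ipf.conf for HOST (as named in the To
# column) bound to interface IFACE. Inbound is default-deny; only the rows
# whose To column names HOST become "pass in" rules.
gen_ipf_rules() {
    host=$1
    iface=$2
    printf '# ipf.conf for %s, generated from Table 2-5; review before loading\n' "$host"
    printf 'block in log on %s all\n' "$iface"
    printf 'pass out quick on %s proto tcp from any to any flags S keep state\n' "$iface"
    printf '%s\n' "$FW_RULES" | while IFS='|' read -r from to port proto desc; do
        [ "$to" = "$host" ] || continue
        printf '# %s\n' "$desc"
        printf 'pass in quick on %s proto %s from %s to %s port = %s flags S keep state\n' \
            "$iface" "$proto" "$from" "$host" "$port"
    done
}

# count_pass_rules HOST IFACE: number of inbound allow rules generated for HOST;
# a host that Table 2-5 never names as a destination gets none.
count_pass_rules() {
    gen_ipf_rules "$1" "$2" | grep -c '^pass in' || true
}

# Usage: sh this-script.sh lb-2.example.com bge0 > ipf.conf
if [ $# -eq 2 ]; then
    gen_ipf_rules "$1" "$2"
fi
```

Generating one file per host from a single transcribed table keeps the rules traceable to the documented flows: a host such as mq-1 that the table never names as a destination gets only the default deny, which is the correct starting point for the internal zones, and any rule added by hand stands out as something the table does not justify.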
Throughout this deployment example, we use ldapsearch to view replicated entries. An alternative would be to enable the Directory Server audit log and run tail -f on it. Enabling the audit log will also help to track changes and updates made during OpenSSO Enterprise configuration.
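The following script is an added example and is not part of the deployment guide. It makes the ldapsearch check repeatable: it reads one entry from Directory Server 1 and Directory Server 2 (the instance ports from Table 2–3), strips the parts of the LDIF that legitimately differ between replicas (comments, the version header and replica-local operational attributes such as modifyTimestamp), and reports whether the entry exists and is identical on both. The ldapsearch flags assume the Sun DSEE 6 client, where -Z selects SSL (OpenLDAP's client uses -H ldaps://... instead); BIND_DN, BIND_PW, the optional LDAP_EXTRA_OPTS (for a certificate-database option if the client needs one) and the example DN are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the deployment guide: check that an entry is present
# and identical on both Directory Server replicas, which is what viewing
# replicated entries with ldapsearch is meant to confirm.
# Assumptions: the ldapsearch client is the Sun DSEE 6 one, whose -Z flag selects
# SSL (OpenLDAP's ldapsearch uses -H ldaps://... instead; adjust fetch_entry);
# BIND_DN/BIND_PW are supplied by the operator; a certificate-database option
# can be appended through LDAP_EXTRA_OPTS if the client needs one.
# Run with /usr/xpg4/bin/sh or bash.

# fetch_entry HOST PORT DN: base-scope LDAPS search returning the one entry as LDIF.
fetch_entry() {
    ldapsearch -h "$1" -p "$2" -Z ${LDAP_EXTRA_OPTS:-} \
        -D "${BIND_DN:-cn=Directory Manager}" -w "${BIND_PW:-}" \
        -b "$3" -s base "(objectClass=*)"
}

# normalize_ldif: read LDIF on stdin and drop everything that legitimately
# differs between replicas (comments, blank lines, the version header and
# replica-local operational attributes), then sort so attribute order is ignored.
normalize_ldif() {
    grep -v -i -e '^#' -e '^$' -e '^version:' \
        -e '^nsUniqueId:' -e '^createTimestamp:' -e '^creatorsName:' \
        -e '^modifyTimestamp:' -e '^modifiersName:' -e '^entryid:' \
    | sort
}

# compare_entry DN: 0 when the normalized entry exists and matches on ds-1 and
# ds-2 (the instance ports from Table 2-3); 1 when it is missing or differs,
# which right after a write usually means replication has not caught up yet.
compare_entry() {
    a=$(fetch_entry ds-1.example.com 1736 "$1" | normalize_ldif)
    b=$(fetch_entry ds-2.example.com 1736 "$1" | normalize_ldif)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (DN is a constructed example):
#   BIND_PW=... sh this-script.sh uid=testuser1,ou=users,dc=example,dc=com
if [ $# -eq 1 ]; then
    if compare_entry "$1"; then
        echo "replicated: $1"
    else
        echo "not yet consistent: $1"
        exit 1
    fi
fi
```

Comparing normalized output rather than eyeballing two ldapsearch listings avoids false alarms from attribute ordering and per-replica timestamps, and a non-zero exit makes the check usable in a loop that waits for replication to converge before the next configuration step. If the audit log is used instead, the same attributes are the ones to ignore when reading its entries.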