Updating and Monitoring HTTP Load Balancer

My previous blog talks about setting up the Load Balancer plug-in. If you set up an SSL connection between the DAS (Domain Administration Server) and the load balancer, configuration changes can be pushed from the DAS to the load balancer automatically, which avoids copying loadbalancer.xml by hand. Once SSL is set up, the DAS can also fetch monitoring data from the load balancer. The following instructions describe setting up the load balancer in SSL mode.

Instructions to install the load balancer and enable the 9.0 features:

Make sure the load balancer is already set up, either by following the instructions in my previous blog or by the manual steps. Start the web server's admin server with <web server home>/https-admserv/start. You are now ready to set up SSL.

1. From a browser, open the web server admin GUI and log in.

2. Select your server instance and click Manage.

3. Click the Security tab.

4. Initialize the trust database by giving it a password. This can be done with the GUI or with certutil. The -P value is the key database prefix, "<instance-name>-<hostname>-", and -d . assumes the command is run in <webserver home>/alias, where the database files live:

certutil -N -P "https-boqueron.virkki.com-boqueron-" -d .

When prompted, enter the password that will encrypt your keys. It must be at least 8 characters long and contain at least one non-alphabetic character:

Enter new password: your-password
Re-enter password: your-password
(Screen shot of this step omitted.)

5. Create a sample local CA (Certificate Authority):

certutil -S -P "https-boqueron.virkki.com-boqueron-" -d . -n SelfCA -s "CN=Self CA,OU=virkki.com,C=US" -x -t "CT,CT,CT" -m 101 -v 99 -5

certutil asks for the certificate type (0-7): choose 5 for SSL CA. When it repeats the prompt, enter 9 to finish. Answer y to "Is this a critical extension [y/n]?". The -x flag self-signs the certificate, and the trust string "CT,CT,CT" marks it as a trusted CA for server and client certificates in all three uses (SSL, e-mail, object signing).

6. Use the sample CA created above to issue the server certificate:

certutil -S -P "https-boqueron.virkki.com-boqueron-" -d . -n MyServerCert -s "CN=boqueron.virkki.com,C=US" -c SelfCA -t "u,u,u" -m 102 -v 99 -5

certutil asks for the certificate type (0-7): choose 1 for SSL Server. When it repeats the prompt, enter 9 to finish. Answer y to "Is this a critical extension [y/n]?". The CN given with -s should be the host name the DAS will use to reach the web server.

7. Edit the current HTTP listen socket (Preferences->Edit Listen Socket): enable security and choose the certificate created in step 6. (Screen shot of this step omitted.)

If you would rather not use the GUI, edit the LS element for the listener in server.xml instead. Set security="true", and turn the self-closing LS tag into an element with an SSLPARAMS child and a closing </LS> tag. Keep each element on a single line, with no carriage returns inside a tag. servercertnickname must be the nickname given in step 6 (MyServerCert above); the $DEPLOY-INSTANCE and $HOST-DOMAIN values are placeholders for your own instance name and certificate nickname.

<LS id="ls1" port="80" servername="$DEPLOY-INSTANCE" defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true" acceptorthreads="1" blocking="false">
<SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
</LS>

The cipher list is reproduced as the post gives it. It keeps SSL 3.0, RC4 and single DES enabled, all of which are now broken; on a current deployment set ssl3="off" and enable only the strongest ciphers your server version offers. clientauth="off" is intentional: the get-client-cert directive added to obj.conf below requests the DAS certificate for the plug-in URLs only, so the listener does not demand a certificate from every browser.
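Because the SSLPARAMS line is long and the sign in front of each cipher is easy to misread, it helps to have a script say what the listener will actually offer. The following is an added example, not code from the original post or from Sun's tooling. It reads the SSLPARAMS element from server.xml (or from a fragment saved to a file), lists the enabled ciphers and flags obsolete protocols and ciphers; it assumes the element sits on one line in the attribute form shown above, and the two files it writes under $TMPDIR are constructed for the demonstration: the listener as the post gives it, and the same listener with SSL 3.0, RC4 and DES turned off.

```shell
#!/bin/sh
# Audit the <SSLPARAMS .../> element of a Sun Web Server server.xml and
# report which protocols and ciphers the listener will actually offer.
# Added example, not part of the original post. Assumes the element is
# written on a single line in the attribute form shown in the post.

# Value of attribute $2 on the SSLPARAMS tag in file $1 (empty if absent).
sslparam() {
    sed -n "s/.*<SSLPARAMS[^>]*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Ciphers the listener offers: the '+' entries of ssl3tlsciphers, one per line.
enabled_ciphers() {
    sslparam "$1" ssl3tlsciphers | tr ',' '\n' | sed -n 's/^+//p'
}

# Returns 0 when only TLS with non-broken ciphers is on, 1 otherwise.
audit_sslparams() {
    f=$1
    rc=0
    if [ "$(sslparam "$f" ssl2)" = "on" ]; then echo "WEAK: SSL 2.0 enabled"; rc=1; fi
    if [ "$(sslparam "$f" ssl3)" = "on" ]; then echo "WEAK: SSL 3.0 enabled; allow TLS only"; rc=1; fi
    if [ "$(sslparam "$f" tls)" != "on" ]; then echo "WEAK: TLS disabled"; rc=1; fi
    for c in $(enabled_ciphers "$f"); do
        case $c in
            # NULL, export/40/56-bit, RC2, RC4 and single DES are all broken
            *null*|*export*|*_40_*|*_56_*|*rc2*|*rc4*|*_des_*)
                echo "WEAK: cipher $c enabled"; rc=1 ;;
            *)  echo "ok:   cipher $c" ;;
        esac
    done
    return $rc
}

# Constructed samples (not real server.xml files): the post's listener as
# given, and the same listener with SSL 3.0 and the broken ciphers removed.
WEAK_CFG=${TMPDIR:-/tmp}/sslparams-weak.xml
STRONG_CFG=${TMPDIR:-/tmp}/sslparams-strong.xml
cat > "$WEAK_CFG" <<'EOF'
<SSLPARAMS servercertnickname="MyServerCert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
EOF
cat > "$STRONG_CFG" <<'EOF'
<SSLPARAMS servercertnickname="MyServerCert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="off" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
EOF

echo "== $WEAK_CFG";   audit_sslparams "$WEAK_CFG"   || echo "result: fix before pointing the DAS at this listener"
echo "== $STRONG_CFG"; audit_sslparams "$STRONG_CFG" && echo "result: ok"
```

Run it against a real server.xml with `audit_sslparams /path/to/server.xml` after sourcing the script. 3DES is left unflagged only because it is the strongest cipher named on this page; prefer AES if your server version offers it.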
8. Export the DAS certificate from the domain's certificate database with the command below. The nickname s1as is the DAS's own self-signed certificate, and the resulting sjsas.p12 contains its private key, so protect the file and delete it after the import in step 9:

<as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsas.p12 -W <file password> -K <master password> -n s1as

9. Import the DAS certificate into the web server instance's database, using the same prefix as in step 4:

<webserver home>/bin/https/admin/bin/pk12util -i sjsas.p12 -d <webserver home>/alias -W <file password> -K <webserver security db password> -P "<instance-name>-<hostname>-"

<webserver home>/bin/https/admin/bin/certutil -M -n s1as -t "TCu,Cu,Tuw" -d <webserver home>/alias -P "<instance-name>-<hostname>-"

The second command marks s1as as a trusted CA for both client and server certificates. Because s1as is self-signed, this is what lets the web server validate the client certificate the DAS presents when it pushes configuration. Both passwords are visible in the process list while pk12util runs; omit -W and -K to be prompted for them instead. Check the result with certutil -L -d <webserver home>/alias -P "<instance-name>-<hostname>-", which should list s1as with trust attributes TCu,Cu,Tuw. (Screen shot of the certificate omitted.)
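Steps 4 to 9 as one script, as an added example that is not part of the original post or of the product. Install paths, the host name, the certificate nicknames and the CN are assumptions set at the top and can be overridden from the environment; the key database prefix is derived the same way as in step 4 (https-<instance>-<host>-), which also keeps the prefix identical across every certutil and pk12util call, the easiest thing to get wrong when typing the steps by hand. The -5 prompts of certutil are answered at the keyboard exactly as in steps 5 and 6, pk12util is run without -W/-K so that it prompts for the passwords rather than showing them in the process list, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# lb-ssl-setup.sh: steps 4 to 9 of the post as one script.
# Added example, not from the original post. Every path and name below is
# an assumption; override them in the environment. DRY_RUN=1 prints the
# commands instead of running them.

WS_HOME=${WS_HOME:-/opt/SUNWwbsvr}                 # web server home (assumed)
AS_HOME=${AS_HOME:-/opt/SUNWappserver}             # application server home (assumed)
DOMAIN_ROOT=${DOMAIN_ROOT:-$AS_HOME/domains/domain1}
WS_HOST=${WS_HOST:-boqueron.virkki.com}            # name the DAS will use for --devicehost
WS_INSTANCE=${WS_INSTANCE:-https-$WS_HOST}         # web server instance name
SHORT_HOST=${WS_HOST%%.*}
DB_PREFIX=${DB_PREFIX:-$WS_INSTANCE-$SHORT_HOST-}  # key DB prefix, as in step 4
ALIAS_DIR=$WS_HOME/alias                           # where -d . was run in steps 4 to 6
CA_NICK=SelfCA
SERVER_NICK=MyServerCert
P12=${P12:-sjsas.p12}                              # carries the DAS private key: keep it private
CERTUTIL=$WS_HOME/bin/https/admin/bin/certutil
PK12UTIL=$WS_HOME/bin/https/admin/bin/pk12util
AS_PK12UTIL=$AS_HOME/lib/upgrade/pk12util

# Run a command, or only show it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 4: initialize the key/trust database (certutil prompts for its password).
init_keydb() { run "$CERTUTIL" -N -P "$DB_PREFIX" -d "$ALIAS_DIR"; }

# Step 5: local CA. certutil asks the certificate type: answer 5, then 9, then y.
create_local_ca() {
    run "$CERTUTIL" -S -P "$DB_PREFIX" -d "$ALIAS_DIR" -n "$CA_NICK" \
        -s "CN=Self CA,OU=virkki.com,C=US" -x -t "CT,CT,CT" -m 101 -v 99 -5
}

# Step 6: server certificate signed by that CA. Answer 1, then 9, then y.
create_server_cert() {
    run "$CERTUTIL" -S -P "$DB_PREFIX" -d "$ALIAS_DIR" -n "$SERVER_NICK" \
        -s "CN=$WS_HOST,C=US" -c "$CA_NICK" -t "u,u,u" -m 102 -v 99 -5
}

# Step 8: export the DAS certificate and key. Without -W/-K pk12util prompts
# for the file and database passwords, keeping them out of the process list.
export_das_cert() {
    run "$AS_PK12UTIL" -d "$DOMAIN_ROOT/config" -o "$P12" -n s1as
}

# Step 9: import it into the web server DB, trust it as a CA, then drop the file.
import_das_cert() {
    run "$PK12UTIL" -i "$P12" -d "$ALIAS_DIR" -P "$DB_PREFIX" &&
    run "$CERTUTIL" -M -n s1as -t "TCu,Cu,Tuw" -d "$ALIAS_DIR" -P "$DB_PREFIX" &&
    run rm -f "$P12"
}

case ${1:-} in
    setup) init_keydb && create_local_ca && create_server_cert &&
           export_das_cert && import_das_cert ;;
    *)     echo "usage: [DRY_RUN=1] $0 setup" ;;
esac
```

Preview with `DRY_RUN=1 sh lb-ssl-setup.sh setup`, then run it without DRY_RUN from a shell that can reach both installations. Step 7 (the listen socket) is still done in the GUI or server.xml.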

If obj.conf does not already contain the following lines, add them at the end of the file. Each Object must be closed with </Object>. The PathCheck directive asks the client for a certificate and refuses the request without one, which restricts the configuration-update and monitoring URLs to clients presenting a certificate the web server trusts, that is, the DAS with s1as after step 9:

<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
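Hand-editing obj.conf is where an unclosed Object tag slips in, and the server then either rejects the file or leaves the plug-in URLs unprotected. The following script is an added example, not code from the post or from the plug-in. It checks obj.conf for a complete, correctly closed block for each of the two URL patterns and appends whichever is missing; a block that is opened but not closed before the next Object is reported as missing rather than accepted. The obj.conf it writes when run without an argument is a constructed stand-in, not a real server's file.

```shell
#!/bin/sh
# Check obj.conf for the two client-certificate-protected Object blocks the
# load balancer plug-in needs, and append any that are missing.
# Added example, not part of the original post.

LB_PATHS="lbconfigupdate lbgetmonitordata"

# Exit 0 if obj.conf ($1) has a complete, correctly closed block for
# ppath "*$2*" that requires a client certificate; 1 otherwise.
has_lb_object() {
    awk -v p="$2" '
        # another <Object before </Object> means the previous block was never closed
        inblk && /<Object/ { inblk = 0 }
        index($0, "<Object ppath=\"*" p "*\">") { inblk = 1; seen = 0; next }
        inblk && /PathCheck fn="get-client-cert"/ && /require="1"/ { seen = 1 }
        inblk && /<\/Object>/ { if (seen) ok = 1; inblk = 0 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Append the block for ppath "*$2*" to obj.conf ($1) unless it is already there.
ensure_lb_object() {
    if has_lb_object "$1" "$2"; then
        echo "$1: block for *$2* present"
    else
        printf '<Object ppath="*%s*">\nPathCheck fn="get-client-cert" dorequest="1" require="1"\n</Object>\n' "$2" >> "$1"
        echo "$1: appended block for *$2*"
    fi
}

ensure_lb_objects() {
    for p in $LB_PATHS; do ensure_lb_object "$1" "$p"; done
}

# Demo on a constructed obj.conf; pass the real path as $1 to run on a server.
OBJ_CONF=${1:-${TMPDIR:-/tmp}/obj.conf.sample}
if [ ! -f "$OBJ_CONF" ]; then
    # constructed stand-in for a default obj.conf, not a real server's file
    printf '<Object name="default">\nNameTrans fn="document-root" root="$docroot"\n</Object>\n' > "$OBJ_CONF"
fi
ensure_lb_objects "$OBJ_CONF"
```

The script only appends; if it reports a block missing because an existing one is malformed, fix the old block by hand rather than leaving both in the file. Restart the web server instance after changing obj.conf.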

You can verify the setup from the DAS: in the application server admin GUI, create a cluster and then a load balancer. If you use another CA instead of the local one, skip steps 5 and 6 and import the server certificate you obtained from that CA instead.

From the CLI, the following creates the load balancer configuration and the load balancer with auto-apply enabled, so that the DAS posts configuration changes to the device automatically:

asadmin create-http-lb-config --target cluster1 sample_lb_config

asadmin create-http-lb --config sample_lb_config --autoapplyenabled=true --devicehost device_host_or_ip --deviceport device_port sample_lb

Give the web server's host name (the CN from step 6) and the port of the secured listen socket from step 7 as the device host and port. Click Test Connection in the GUI to check that the DAS can reach the device. A load balancer created from the GUI uses an SSL connection to the device by default.