Monday, October 01, 2007

2 Access Manager + SSL Termination + LB on my laptop

I like VMware and my Toshiba M5 box because they make such tests very easy and portable.

I run two Solaris 10 VMs, each with Access Manager 7.1 (JavaES5) installed. My host machine has SJS Web Server 6.1 SP8 installed with the Reverse Proxy Plugin, and also has an SSL certificate on it.

I. Infrastructure

Access Manager 1 (VM)

   sol10.testdomain.com (192.168.159.11). SJS WS7 (from JavaES5) as container. AM listens on port 80, non-SSL. Directory Server 6 (from JavaES5) is also installed and running as the AM repository. Both AMs are in Legacy mode.

Access Manager 2 (VM)

   sol10b.testdomain.com (192.168.159.12). SJS WS7 (from JavaES5) as container. AM listens on port 80, non-SSL.

Software LB (Host Machine)

  sec.testdomain.com (192.168.159.1). SJS WS6.1 SP8 (for WinXP) with the reverse proxy plugin. WS6.1 listens on port 443 (SSL) and dispatches requests to sol10 and sol10b. A home-made SSL certificate generated with OpenSSL is installed on WS6.1. In addition, "amlbcookie" is set as the sticky cookie name.

II. Configuration

Platform/Site configuration (stored in LDAP)

  • Platform Service
    • SITE: https://sec.testdomain.com:443|10
    • PLATFORM LIST: http://sol10.testdomain.com:80|01|10
    • PLATFORM LIST: http://sol10b.testdomain.com:80|02|10
  • Realm/DNS alias
    • sol10.testdomain.com
    • sol10b.testdomain.com
    • sec.testdomain.com
    • testdomain

AMConfig.properties (for both AMs)

  • com.sun.identity.url.redirect=https,sec.testdomain.com
  • com.sun.identity.server.fqdnMap[sec.testdomain.com]=sec.testdomain.com
  • com.sun.identity.server.fqdnMap[sec.testdomain.com]=sol10.testdomain.com
  • com.sun.identity.server.fqdnMap[sec.testdomain.com]=sol10b.testdomain.com
  • com.sun.identity.loginurl=
  • com.iplanet.am.console.remote=false

AM's web container

  • Modify sun-web.xml for the /amserver web application, adding the following to the <sun-web-app> element:
    • <property name="relativeRedirectAllowed" value="true"/>
  • Modify sun-web.xml for the /amconsole web application, adding the following to the <sun-web-app> element:
    • <property name="relativeRedirectAllowed" value="true"/>

Software LB (SJSWS6.1)

Reverse Proxy Plugin setting in obj.conf:

  NameTrans fn="assign-name" from="/*" name="am.testdomain.com"
  <Object name="am.testdomain.com">
    Service fn="service-passthrough" servers="http://sol10.testdomain.com:80 http://sol10b.testdomain.com:80" sticky-cookie="amlbcookie"
  </Object>
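As an added check (my own script, not part of the original post): it inspects the first response a browser gets back through the LB and flags the two things this setup is meant to prevent, a Location header that points at sol10/sol10b or at plain http instead of https://sec.testdomain.com (which fqdnMap and relativeRedirectAllowed exist to avoid), and a missing amlbcookie sticky cookie. The host and cookie names are the ones above; the sample headers are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Host and cookie names are the ones in the post's lab; the samples below are constructed.
PUBLIC_HOST = "sec.testdomain.com"                                  # SSL-terminating LB
BACKEND_HOSTS = {"sol10.testdomain.com", "sol10b.testdomain.com"}   # AM instances behind it
STICKY_COOKIE = "amlbcookie"                                        # sticky cookie on the proxy

def check_redirect(location):
    """Findings for one Location header as the browser sees it through the LB.
    Empty list: the client stays on https://sec.testdomain.com. Relative redirects
    (relativeRedirectAllowed=true) carry no host and so can never leak a backend."""
    findings = []
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return findings
    if parts.scheme != "https":
        findings.append("redirect downgrades to %s" % (parts.scheme or "(no scheme)"))
    host = parts.hostname or ""
    if host in BACKEND_HOSTS:
        findings.append("redirect leaks backend host %s" % host)
    elif host != PUBLIC_HOST:
        findings.append("redirect leaves the site FQDN: %s" % host)
    if parts.port not in (None, 443):
        findings.append("redirect uses non-SSL port %d" % parts.port)
    return findings

def check_response(headers):
    """headers: (name, value) pairs of the first response of a session via the LB."""
    findings = []
    sticky_seen = False
    for name, value in headers:
        if name.lower() == "location":
            findings.extend(check_redirect(value))
        elif name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            sticky_seen = sticky_seen or STICKY_COOKIE in jar
    if not sticky_seen:
        findings.append("sticky cookie %s not set" % STICKY_COOKIE)
    return findings

# Constructed sample responses (not captured from the lab in the post).
GOOD = [("Location", "https://sec.testdomain.com/amserver/UI/Login"),
        ("Set-Cookie", "amlbcookie=01; Path=/")]
BAD = [("Location", "http://sol10b.testdomain.com:80/amconsole/"),
       ("Set-Cookie", "iPlanetDirectoryPro=token; Domain=.testdomain.com; Path=/")]
if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("bad", BAD)):
        print(label, check_response(hdrs) or "OK")
```

Feed it the headers of the first redirect you get when opening /amconsole through the LB; anything it reports corresponds to a redirect that will land the browser on a backend host or on plain HTTP.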

III. Some test cases:

Why do I test amconsole and console? I have had some bad experiences with console redirect behavior, which is why I test it intensively. The only two FAILED cases are a container issue, not AM itself. I'm trying to cover it up by hacking some SAF items in obj.conf.

UPDATE:
After adding the following two NameTrans statements to the AM containers' obj.conf, the two FAILED cases turned to OK.
-------------------------------------------------------------
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="restart" from="/amconsole" uri="/amconsole/"
NameTrans fn="restart" from="/amserver/console" uri="/amserver/console/"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/SUNWwbsvr7/lib/icons" name="es-internal"
:
-------------------------------------------------------------
