
Configure Load Balancer For IBM Security
Identity Manager Virtual Appliance cluster
Rahul Relan
rahrelan@in.ibm.com
Parag Gokhale
parag.gokhale@in.ibm.com
Version: July 6, 2015
Abstract:
IBM Security Identity Manager (ISIM) virtual appliances are deployed in a cluster to provide high availability
and scalability. Such deployments need a load balancer to distribute the workload across the cluster. This
document describes how to configure Nginx, Apache HTTP Server, and IBM HTTP Server as load balancers
for ISIM.
Table of Contents
1 Introduction
2 SSL Certificates
3 Configure Load Balancer
3.1 Configure Nginx As A Load Balancer
3.2 Configure Apache HTTP Server as Load Balancer
3.3 Configure IBM HTTP Server as Load Balancer
4 Conclusion
5 Resources
6 About the authors
Table of Figures
Figure 1: Cluster deployment
Table of Listings
Listing 1: Create private key
Listing 2: Create SSL certificate
Listing 3: Enable SSL
Listing 4: Define origin servers
Listing 5: Configure Nginx proxy_pass
Listing 6: Configure HTTPD SSL
Listing 7: Configure HTTPD
Listing 8: Create SSL stash
Listing 9: Configure HTTPServer
1 Introduction
Most production installations of IBM Security Identity Manager (ISIM) virtual appliances are deployed
in a cluster to provide high availability and scalability. The recommended deployment architecture
places a load balancer in front of the cluster to spread the workload among its members. Whether it is a
hardware or a software product, the load balancer must offer a configurable routing algorithm, session
affinity (a user's session must keep returning to the same member), failure detection, and it must stop
routing requests to a member that has failed.
Figure 1: Cluster deployment
The load balancer itself should be deployed as an active-passive pair so that it does not become a single
point of failure. The rest of this document describes the configuration steps for each load balancer.
2 SSL Certificates
Ideally you will have a certificate signed by a commercial Certificate Authority to install on the load
balancer. Skip this section unless you are creating a self-signed certificate.
Create self-signed certificate
Ensure the openssl package is installed on the machine where you expect to install the load balancer.
Create the folder '/etc/lb/ssl' and generate the key and certificate there. Two points to keep in mind:
-nodes writes the private key unencrypted, so make the key file readable only by root (chmod 600
/etc/lb/ssl/lb.key); and the Common Name must be the DNS name clients will use for the load balancer.
Current browsers ignore the Common Name and look for the name in a subjectAltName extension, so with
OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:loadbal.in.ibm.com" to the command below.
1. Create key and certificate:
[root@loadbal ssl]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/lb/ssl/lb.key -out /etc/lb/ssl/lb.crt
Generating RSA private key, 2048 bit long modulus
.........................+++
............+++
e is 65537 (0x10001)
Listing 1: Create private key
2. Answer the Distinguished Name prompts:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be
left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Pune
Organization Name (eg, company) [Default Company Ltd]:IBM
Organizational Unit Name (eg, section) []:ISL
Common Name (eg, your name or your server's hostname) []:loadbal
Email Address []:root@in.ibm.com
Listing 2: Create SSL certificate
3 Configure Load Balancer
This document describes the steps to configure three load balancers. It assumes that the application
server listens on port 9082 on the primary node and on port 9122 on the cluster member node. The Nginx
and Apache HTTP Server examples are configured on Linux; the IBM HTTP Server example is configured
on Windows.
3.1 Configure Nginx As A Load Balancer
Modify the Nginx configuration /etc/nginx/conf.d/isim.conf as follows:
Enable SSL
server {
    listen 9082 ssl;
    ssl on;   # not needed on nginx 1.15 and later, where "listen ... ssl" alone enables TLS
    ssl_certificate /etc/lb/ssl/lb.crt;
    ssl_certificate_key /etc/lb/ssl/lb.key;
}
Listing 3: Enable SSL
Configure Origin Servers (VAs)
Add an upstream block and reference it from proxy_pass inside the location sub-element of the server
block, as shown below:
upstream backend {
    ip_hash;
    server server1.ibm.com:9082 max_fails=3 fail_timeout=20s;
    server server2.ibm.com:9122 max_fails=3 fail_timeout=20s;
}
Listing 4: Define origin servers
server {
    ...
    location / {
        proxy_set_header Host $host:443;
        proxy_next_upstream error timeout invalid_header http_500 http_404;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect off;
        proxy_pass https://backend;
    }
    ...
}
Listing 5: Configure Nginx proxy_pass
The ip_hash directive enables session stickiness: the first three octets of the client's IPv4 address select
the member, so every client behind one /24 (one NAT gateway, for example) lands on the same appliance,
and the load split is only as even as the client address mix. Two things are worth checking in the location
block above. proxy_next_upstream lists http_404, so every 404 response is retried on the other member,
which takes that request off its sticky member and doubles the traffic for any missing resource; remove
http_404 unless the appliances really return 404 for transient conditions (a 404 never counts toward
max_fails, whereas error, timeout and invalid_header always do). And nginx does not verify the upstream
certificate by default (proxy_ssl_verify off); to verify the appliance certificates set proxy_ssl_verify on,
point proxy_ssl_trusted_certificate at the appliance certificates, and set proxy_ssl_server_name on so
the member's host name is sent as SNI.
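How ip_hash, max_fails and fail_timeout combine is easier to see in code. The model below is an added example, not nginx source and not from the original paper: it reproduces the selection rules of Listing 4 (the /24 key, the failure window, the fall-through to the next available member) with a SHA-256 stand-in for nginx's own hash, so which member a given address maps to will differ from a real nginx, while the stickiness and exclusion behaviour are the same. The server names and client addresses are the paper's and constructed test values.

```python
"""Model of how an nginx upstream with ip_hash, max_fails and fail_timeout
selects a member (Listing 4).  Added example, not nginx code and not from the
original paper: nginx's own hash function is replaced by a SHA-256 stand-in,
so only the selection rules are reproduced (the /24 key, the failure window,
the fall-through to the next available member), not the exact member a given
client address lands on in a real deployment."""
import hashlib
import ipaddress


class Upstream:
    def __init__(self, servers, max_fails=3, fail_timeout=20.0):
        self.servers = list(servers)          # e.g. "server1.ibm.com:9082"
        self.max_fails = max_fails
        self.fail_timeout = fail_timeout      # seconds; both the counting window and the exclusion
        self.state = {s: {"fails": 0, "window_start": None, "down_until": 0.0}
                      for s in self.servers}

    @staticmethod
    def hash_key(client_ip):
        """ip_hash keys on the first three octets of an IPv4 address (the whole
        address for IPv6): every client in one /24 maps to the same member."""
        ip = ipaddress.ip_address(client_ip)
        return ip.packed[:3] if ip.version == 4 else ip.packed

    def available(self, server, now):
        return now >= self.state[server]["down_until"]

    def pick(self, client_ip, now):
        """Member for this client at time `now` (seconds), skipping members
        that are currently excluded."""
        key = self.hash_key(client_ip)
        start = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.servers)
        for i in range(len(self.servers)):
            s = self.servers[(start + i) % len(self.servers)]
            if self.available(s, now):
                return s
        return None   # every member is down; nginx resets their counters so they are retried

    def report_failure(self, server, now):
        """Record an unsuccessful attempt.  nginx counts error, timeout and
        invalid_header always, http_5xx only when listed in proxy_next_upstream,
        and http_404 never.  Returns True when the member has just been excluded."""
        st = self.state[server]
        if st["window_start"] is None or now - st["window_start"] > self.fail_timeout:
            st["window_start"], st["fails"] = now, 0     # start a fresh fail_timeout window
        st["fails"] += 1
        if st["fails"] >= self.max_fails:
            st["down_until"] = now + self.fail_timeout   # excluded for fail_timeout seconds
            st["window_start"], st["fails"] = None, 0
            return True
        return False

    def report_success(self, server):
        self.state[server]["fails"] = 0
        self.state[server]["window_start"] = None


def demo():
    """Two clients in the same /24 share a member; three failures inside one
    20 s window move them to the other member until the exclusion expires."""
    up = Upstream(["server1.ibm.com:9082", "server2.ibm.com:9122"])
    first = up.pick("10.20.30.5", now=0.0)
    same_net = up.pick("10.20.30.200", now=0.0)    # same /24 as the first client
    for t in (1.0, 2.0, 3.0):
        up.report_failure(first, now=t)             # third failure at t=3 -> down until t=23
    during = up.pick("10.20.30.5", now=4.0)         # sticky client moved to the other member
    after = up.pick("10.20.30.5", now=24.0)         # exclusion expired: back to the hashed member
    return first, same_net, during, after


if __name__ == "__main__":
    print(demo())
```

The model makes the operational consequence of ip_hash visible: a burst of failures from one member moves every client of an entire /24 at once, and after fail_timeout they all come back at once, so the appliance behind a failed member sees a step change in load rather than a trickle.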
3.2 Configure Apache HTTP Server as Load Balancer
Locate the httpd.conf file; normally it is found in /etc/httpd/conf. Edit the file as follows:
• Load the necessary modules (mod_proxy, mod_ssl, mod_proxy_balancer, mod_proxy_http, mod_headers;
  on httpd 2.4 also mod_slotmem_shm and mod_lbmethod_byrequests, which mod_proxy_balancer requires).
• Add the VirtualHost directives (shown in the configuration).
• Enable SSL and give the location of the SSL certificate and key file (or /etc/lb/ssl/lb.crt and
  lb.key if you created them in section 2).
If installing a self-signed certificate, follow the steps described in Create self-signed certificate.
The configuration below provides load balancing with stickiness using mod_headers, even if the back-end
server does not set a suitable session cookie: the ROUTEID cookie records the route of the member that
served the first request, and ProxySet stickysession=ROUTEID makes the balancer honour it afterwards.
A few points to check before going live. ProxyRequests must be Off: a reverse proxy does not need forward
proxying, and ProxyRequests On together with Allow from all turns the server into an open proxy. SSLProtocol
all -SSLv2 still permits SSLv3 and TLS 1.0, and the cipher list keeps RC4 and LOW ciphers enabled; on a
current httpd use SSLProtocol all -SSLv2 -SSLv3 (or TLS 1.2 and later only) and a list such as
HIGH:!aNULL:!MD5:!RC4. mod_ssl does not verify the back-end certificates by default (SSLProxyVerify
none); to verify them set SSLProxyVerify require and point SSLProxyCACertificateFile at the appliance
certificates. Finally, Order allow,deny / Allow from all is httpd 2.2 syntax; on 2.4 use Require all granted.
ProxyPreserveHost On
# Reverse proxy only: "ProxyRequests On" would turn this server into an open
# forward proxy, which nothing in this configuration needs.
ProxyRequests Off
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://isimcluster>
    BalancerMember https://server1.in.ibm.com:9082 route=1
    BalancerMember https://server2.in.ibm.com:9122 route=2
    ProxySet stickysession=ROUTEID
    Order allow,deny
    Allow from all
</Proxy>
<VirtualHost *:9082>
    ServerName https://loadbal.in.ibm.com:9082
    ProxyPass / balancer://isimcluster/
    ProxyPassReverse / balancer://isimcluster/
    SSLProxyEngine On
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Listing 6: Configure HTTPD SSL
<VirtualHost *:9122>
    ServerName https://loadbal.in.ibm.com:9122
    ProxyPass / balancer://isimcluster/
    ProxyPassReverse / balancer://isimcluster/
    SSLProxyEngine On
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Listing 7: Configure HTTPD
3.3 Configure IBM HTTP Server as Load Balancer
Locate httpd.conf in the IBM HTTP Server installation and edit it as follows:
• Load the necessary modules (mod_proxy, mod_ibm_ssl, mod_proxy_balancer, mod_proxy_http,
  mod_headers).
• Add the Listen directives.
• Add the VirtualHost directives (explained in the configuration).
• Enable SSL and give the location of the SSL key database file. To create the key database file use
  ikeyman.bat (or ikeyman.sh on Linux) from "IBM/HTTPServer/bin/".
• Create a new key database file and select "Stash password to a file".
• Create a new self-signed certificate or import an existing certificate.
• Create one more key database file for ISIM and create a certificate in it. The default ISIM application
  certificate has CN 'localhost' and needs to be changed. After creating the key database file, go to the
  appliance dashboard, click Configure and then Application server certificate management, and
  upload this file.
• Download the certificate each balancer member presents: open each member in Internet Explorer, click
  the certificate error next to the address bar, click View certificate, go to the Details tab and click
  Copy to File. (On a machine with OpenSSL, openssl s_client -connect server1.in.ibm.com:9082 -showcerts
  prints the same certificate.) These certificates have to be added to the HTTP server's trust store,
  i.e. the key database file; without them the proxy connections fail once back-end verification is
  enabled.
• Open your key database file in ikeyman. Click Personal Certificates; a drop-down menu appears. Select
  Signer Certificates and add the downloaded certificates.
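The browser download step above can be scripted. The Python below is an added example, not from the original paper and not IBM's code: it fetches each member's certificate with ssl.get_server_certificate() from the standard library and writes it as a Base64 .arm file, the format that ikeyman's Signer Certificates > Add accepts, along with a SHA-256 fingerprint to compare against what the appliance or a browser shows. The member list, the file naming and the sample s_client output (whose certificate bodies are placeholders, not real certificates) are assumptions made for illustration.

```python
"""Collect the certificate each balancer member presents, for import into the
IBM HTTP Server key database as a signer certificate.  Added example, not from
the original paper: it replaces the Internet Explorer download step with
ssl.get_server_certificate() from the Python standard library.  The member
list, the .arm file naming and the sample s_client output are assumptions
made for illustration."""
import hashlib
import os
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for `openssl s_client -showcerts` output.  The bodies
# are not real certificates, only placeholders so parsing can be tried offline.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
-----BEGIN CERTIFICATE-----
AQID
-----END CERTIFICATE-----
 1 s:CN = example-ca
   i:CN = example-ca
-----BEGIN CERTIFICATE-----
BAUG
-----END CERTIFICATE-----
---
"""


def extract_pem_blocks(text):
    """Every PEM certificate in `text`, leaf first, as s_client prints them."""
    return PEM_BLOCK.findall(text)


def pem_fingerprint(pem):
    """SHA-256 fingerprint, colon separated as browsers show it, so the signer
    you import can be compared with what the appliance presents."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_member_cert(host, port):
    """Certificate presented on host:port, as PEM.  Verification is off on
    purpose: this is the not-yet-trusted certificate we are about to pin."""
    return ssl.get_server_certificate((host, port))


def save_member_certs(members, out_dir="."):
    """Write one Base64 (.arm) file per member, the format ikeyman's Signer
    Certificates > Add accepts, and return {path: fingerprint} for the log."""
    saved = {}
    for host, port in members:
        pem = fetch_member_cert(host, port)
        path = os.path.join(out_dir, f"{host}_{port}.arm")   # assumed naming scheme
        with open(path, "w", encoding="ascii") as fh:
            fh.write(pem)
        saved[path] = pem_fingerprint(pem)
    return saved


if __name__ == "__main__":
    # The two ISIM members from the paper; run this where they are reachable.
    for path, fp in save_member_certs([("server1.in.ibm.com", 9082),
                                       ("server2.in.ibm.com", 9122)]).items():
        print(path, fp)
```

Because the appliances ship with a CN of 'localhost', pin the certificate by fingerprint rather than by name when you compare it, and repeat the export after you replace the application server certificate as described in the bullet above, or the trust store will still hold the old signer.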
Create a cert.conf file in the conf directory. Enter the location and name of the key database file and
the stash password file as follows:
KeyFile "C:\Program Files (x86)\IBM\HTTPServer\bin\key.kdb"
SSLStashfile "C:\Program Files (x86)\IBM\HTTPServer\bin\key.sth"
Listing 8: Create SSL stash
Listen *:9082 https
Listen *:9122 https
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
# The balancer name here must match the one in ProxyPass exactly.
<Proxy balancer://isimcluster>
    BalancerMember https://server1.in.ibm.com:9082 route=1 loadfactor=34
    BalancerMember https://server2.in.ibm.com:9122 route=2 loadfactor=34
    ProxySet stickysession=ROUTEID
    Order allow,deny
    Allow from all
</Proxy>
ProxyPreserveHost On
<VirtualHost *:9082>
    ServerName https://loadbal.in.ibm.com:9082
    ProxyPass / balancer://isimcluster/
    ProxyPassReverse / balancer://isimcluster/
    ProxyPreserveHost on
    SSLEnable on
    SSLProxyEngine on
    # KeyFile and SSLStashfile come from cert.conf (Listing 8)
    Include conf/cert.conf
    #SSLProtocolDisable SSLv2
</VirtualHost>
<VirtualHost *:9122>
    ServerName https://loadbal.in.ibm.com:9122
    ProxyPass / balancer://isimcluster/
    ProxyPassReverse / balancer://isimcluster/
    ProxyPreserveHost on
    SSLEnable on
    SSLProxyEngine on
    # KeyFile and SSLStashfile come from cert.conf (Listing 8)
    Include conf/cert.conf
    #SSLProtocolDisable SSLv2
</VirtualHost>
Listing 9: Configure HTTPServer
Note: on Windows, stop or start IBM HTTP Server from a command prompt run as Administrator.
The configuration of IBM HTTP Server is very similar to that of Apache HTTP Server, and the same caveats
apply: keep ProxyRequests off, verify the back-end certificates you imported into the key database, and
uncomment the SSLProtocolDisable line in each virtual host, extending it to SSLProtocolDisable SSLv2 SSLv3
so that neither obsolete protocol is offered.
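Because a one-character mismatch between the name in <Proxy balancer://...> and the one in ProxyPass, or a stray ProxyRequests On, is easy to miss in a long httpd.conf, a small checker is worth running before each restart. The following is an added example, not from the original paper: it lints the Apache HTTP Server and IBM HTTP Server configurations of Listings 6, 7 and 9 for the points raised in sections 3.2 and 3.3. SAMPLE_BAD is constructed from those listings with a mismatched balancer name and ProxyRequests On deliberately included so the checker has something to find, SAMPLE_GOOD is the corrected form, and only the directives shown are understood.

```python
"""Static checks for the mod_proxy / mod_proxy_balancer configurations in
Listings 6, 7 and 9.  Added example, not from the original paper: a
line-oriented lint for the mistakes a reverse-proxy httpd.conf most often
ships with.  SAMPLE_BAD is constructed from the paper's listings with a
balancer name that does not match its ProxyPass and ProxyRequests On, so the
checker has something to find; SAMPLE_GOOD is the corrected form.  Only the
directives shown are understood."""
import re
import shlex

SAMPLE_BAD = """\
ProxyRequests On
ProxyPreserveHost On
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://isimcluster1>
    BalancerMember https://server1.in.ibm.com:9082 route=1 loadfactor=34
    BalancerMember https://server2.in.ibm.com:9122 route=2 loadfactor=34
    ProxySet stickysession=ROUTEID
</Proxy>
<VirtualHost *:9082>
    ServerName https://loadbal.in.ibm.com:9082
    ProxyPass / balancer://isimcluster/
    ProxyPassReverse / balancer://isimcluster/
    SSLEngine on
    SSLProxyEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
"""

SAMPLE_GOOD = (SAMPLE_BAD
               .replace("ProxyRequests On", "ProxyRequests Off")
               .replace("balancer://isimcluster1>", "balancer://isimcluster>")
               .replace("SSLProtocol all -SSLv2", "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")
               .replace("SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
                        "SSLCipherSuite HIGH:!aNULL:!MD5:!RC4"))

WEAK_CIPHER_GROUPS = re.compile(r"RC4|LOW|EXPORT|NULL|DES", re.I)


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            out.append(line)
    return out


def lint_httpd_conf(text):
    """Return a list of findings (empty when the config passes the checks)."""
    findings, defined, referenced, sticky, cookies = [], set(), set(), set(), set()
    for line in _logical_lines(text):
        m = re.match(r"<Proxy\s+balancer://([^>\s/]+)", line, re.I)
        if m:                                   # <Proxy balancer://name> defines a balancer
            defined.add(m.group(1).lower())
            continue
        try:
            tokens = shlex.split(line)          # honours the quoted Header / CustomLog arguments
        except ValueError:
            tokens = line.split()
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "proxyrequests" and args and args[0].lower() == "on":
            findings.append("ProxyRequests On makes httpd a forward (open) proxy; a reverse proxy needs Off")
        elif directive in ("proxypass", "proxypassreverse"):
            for a in args:
                m = re.match(r"balancer://([^/]+)", a, re.I)
                if m:
                    referenced.add(m.group(1).lower())
        elif directive == "proxyset":
            for a in args:
                if a.lower().startswith("stickysession="):
                    sticky.add(a.split("=", 1)[1].split("|")[0])   # cookie name before any |param
        elif directive == "header" and len(args) >= 3 and args[1].lower() == "set-cookie":
            cookies.add(args[2].split("=", 1)[0])
        elif directive == "sslprotocol":
            allowed = {a.lower() for a in args}
            if ("all" in allowed or "sslv3" in allowed) and "-sslv3" not in allowed:
                findings.append("SSLProtocol still permits SSLv3; add -SSLv3 (and -TLSv1 -TLSv1.1 where clients allow)")
        elif directive == "sslciphersuite" and args:
            weak = [t for t in args[0].split(":") if not t.startswith("!") and WEAK_CIPHER_GROUPS.search(t)]
            if weak:
                findings.append("SSLCipherSuite keeps weak cipher groups enabled: " + ", ".join(weak))
    for name in sorted(referenced - defined):
        findings.append(f"ProxyPass references balancer://{name} but no <Proxy balancer://{name}> block defines it")
    for name in sorted(sticky - cookies):
        findings.append(f"stickysession={name} but no Header directive sets a {name} cookie")
    return findings


if __name__ == "__main__":
    for finding in lint_httpd_conf(SAMPLE_BAD):
        print("-", finding)
```

Run it against the real httpd.conf (lint_httpd_conf(open(path).read())) after each edit; the balancer-name and cookie-name checks are the ones that catch silent failures, since httpd starts cleanly with a balancer that has no members and simply stops being sticky when the cookie name drifts.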
4 Conclusion
An IBM Security Identity Manager virtual appliance deployment can be made highly available and scalable
by creating a load-balanced cluster of these appliances. Any load balancer that supports session affinity
and failure detection can be used; the three Layer 7 (HTTP reverse proxy) configurations described in
this article show the settings such a deployment needs: TLS termination, stickiness and the removal of a
failed member from rotation.
5 Resources
• Nginx download site
• Apache HTTP Server
• IBM HTTP Server
• Learn more about ISIM Virtual Appliance
6 About the authors
Rahul Relan works as an intern in the Security group and is pursuing his master's degree at SRM University.
His interests are cloud security, cryptography and computer networks.
Parag Gokhale is the Identity Appliance architect in the Security group. He is a senior developer, speaks
at seminars and customer conferences, and has published other white papers on Identity appliances.