Installing and configuring Apache Load Balancer server

This topic describes how to install and configure the Apache Load Balancer server. 

Installing the Apache Load Balancer server

  1. Run the httpd-2.2.17-win32-x86-openssl-0.9.8o.exe file to start the Apache Load Balancer server installation wizard.
  2. On the Server Information panel, enter the following information in the fields.
    1. In the Network domain field, specify the domain on which the BMC Atrium Single Sign-On nodes are installed.
      For example: bmc.com.
    2. In the Server name field, specify a name for the Apache Load Balancer server.
      For example:ao-loadbalancer.bmc.com. The server name is required to be specified during installation of BMC Atrium Orchestrator Platform. The load balancer server becomes an entry point for any of the BMC Atrium Single Sign-On related requests coming from BMC Atrium Orchestrator Platform.  
    3. In the Administrator's email address field, enter an appropriate email address.
      The following figure describes the Server Information panel.
      LB_server_server_info.png
  3. Click Next to perform the remaining installation wizard steps and install the load balancer.  

After you install the Apache Load Balancer sever, you must install the OpenSSL certificates. 

To install the OpenSSL certificates

  1. Go to <APACHE>/conf and create a new SSL folder. 
    This directory contains all of the configuration files and some other required resources. Create an ssl directory to hold all of the SSL resource files that you will need, and set the path to the apache bin directory to have access to the OpenSSL utilities.

  2. To generate the private key (privateKey.pem) for the Load Balancer server, go to<APACHE_HOME>/conf/ssl and run the following command.

    Note

    Before running the openSSL command, add Apache bin directory in your %PATH%

    set PATH=%APACHE_HOME%\bin;%PATH% 

    openssl genrsa -out privateKey.pem 1024

  3. To generate the request file (publicCertReq.pem) from the generated private key (privateKey.pem), run the following command:

    openssl req -new -key privateKey.pem -out publicCertReq.pem -config ..\openssl.cnf

  4. To generate the public certificate for the Load Balancer server [publicCert.pem] from the generated private key and the request file, run the following command.

    openssl x509 -in publicCertReq.pem -out publicCert.pem -req -signkey privateKey.pem -days 7305

     

  5. After you have generated the OpenSSL certificates, copy the BMC Atrium Single Sign-On node certificate files (SSO1 - certificate1.pem and SSO2 - certificate2.pem) to theAPACHE_HOME/conf/ssl directory on the Load Balancer server.

  6. Run the following command to copy and place the certificates one after another to create a targetServerCerts.pem truststore file for the load balancer. 

    copy certificate1.pem targetServerCerts.pem

     

    type certificate2.pem >> targetServerCerts.pem

To configure listening ports on a load balancer

After creating the OpenSSL resource files, you need to configure the Apache load balancer config file to ensure that it works as a reverse proxy load balancer with BMC Atrium Orchestrator Platform. Then create two virtual hosts to provide access to the load balancer: one for HTTP and one for HTTPS. The HTTP load balancer functions as a redirect to the HTTPS host.

  1. Open the <APACHE_HOME>/conf/httpd.conf configuration file.
    The Load Balancer server uses the ports specified in the file to listen to all incoming requests from BMC Atrium Orchestrator Platform.

  2. Specify two ports: one for HTTP and one for HTTPS.
    For example, in the following     sample configuration file, HTTP port is 48080, and HTTPS is 48443.

    # BMC: Listen on a port number ending in 80 for HTTP connections and
    #      listen on a port number ending in "443" for HTTPS connections.
    #      
    #      It is best to use the same larger additive value for both ports.
    #      For instance: here we have 48080 as the HTTP port, and 48443 as
    #      the HTTPS port, which essentially means that the value 48000 was
    #      added to the values of 80 and 443.
    #      
    #      These ports are used as the default SSO ports.

    Listen 48080
    Listen 48443

    NameVirtualHost *:48080

    Note

    When you install BMC Atrium Orchestrator Platform later, you must specify these port numbers when specifying BMC Atrium Single Sign-On configuration. For example, in the configuration file, if you specified 48080 as the HTTP port, and 48443 as the HTTPS port, specify the same port numbers during the installation.

  3. Add an HTTP virtual host using the following steps:
    1. Navigate to to the <APACHE_HOME>/conf/httpd.conf configuration file and add a “VirtualHost” element with the ports that you specified as listening ports on the load balancer server here

    2. Issue two Redirect permanent directives to redirect both the standalone “/atriumsso” address and any address that has “/atriumsso” as its root path to the fully-qualified HTTPS address.

      The following example shows a sample virtual host for the HTTP connections.

      ######################################################################
      # BMC: This is the virtual host for HTTP connections
      ######################################################################
      <VirtualHost *:48080>
          # BMC: Always forward HTTP requests to the load balancer's HTTPS address
          Redirect permanent /atriumsso https://ao-loadbalancer.bmc.com:48443/atriumsso
          Redirect permanent /atriumsso/ https://ao-loadbalancer.bmc.com:48443/atriumsso/
      </VirtualHost>
  4. Add an HTTPS virtual host, which functions as the HTTPS entrance point, using the following steps:

    1. Navigate to the <APACHE_HOME>/conf/httpd.conf configuration file and add a VirtualHost element with the ports that you specified as listening ports on the load balancer server here 
    2. Turn proxy requests off. 
    3. To establish the SSL configuration for incoming requests to the load balancer, specify that the SSL engine should be turned on.
    4. Specify the public certificate of the load balancer and its private key.
      Now, the load balancer is prepared to receive HTTPS requests.
    5. To ensure that the load balancer is able to issue HTTPS requests to the target BMC Atrium Single Sign-On servers, enable the proxy engine, allowing the load balancer to issue its own https requests to the BMC Atrium Single Sign-On servers.

    6. Specify the truststore file that contains the public certificates of those servers so that it is able to authenticate the responses of those servers.
      The following example shows a sample virtual host for the HTTPS connections.

      ######################################################################
      # BMC: This is the virtual host for HTTPS connections
      ######################################################################
      <VirtualHost *:48443>
          # BMC: For reverse proxies like this one, turn ProxyRequests off
          ProxyRequests off
       
          # BMC: This establishes SSL for the server-side of the
          #      load balancer, so that clients can talk to it through SSL
          #      (1) Turn the SSL engine on.
          #
          SSLEngine on
       
          # BMC: (2) Point the server to its public certificate (in PEM format).
          SSLCertificateFile "C:/Apache2.2/conf/ssl/publicCert.pem"
       
          # BMC: (3) Point the server to its corresponding private key (in PEM format)
          SSLCertificateKeyFile "C:/Apache2.2/conf/ssl/privateKey.pem"
       
          # BMC: This establishes SSL for the client-side of the load balancer, so
          #      that the load balancer can talk to each target server
          #      (1) Turn the SSL proxy engine on
          SSLProxyEngine On
       
          # BMC: (2) Point the proxy to its cacerts file. This file should contain
          #      the public certificates of each target server, and/or any public
          #      certificates of certificate authorities issuing target server
          #      certificates, in PEM format all appended together, one after the other
          SSLProxyCACertificateFile "C:/Apache2.2/conf/ssl/targetServerCerts.pem"
       
          # BMC: This sets up the cookie scheme to use the route ID of the worker route.
          Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

       

      The rest of this section of the configuration file appears in the next procedure on adding balancing members configuration. The </VirtualHost> line is shown in that procedure's example (and was deliberately omitted from this example).

To add balancer members configuration

You now set up the cookie scheme to use the route ID of the worker route. 

  1. Specify the load balancer reverse proxy as <Proxy balancer://ssobalancer>.
  2. Specify each target server by using a “BalancerMember” directive and the FQDN of BMC Atrium Single Sign-On nodes. 
    For each member, specify the unique route ID, in this case use the IP addresses (with periods replaced by dashes).
    BalancerMember https://clm-pun-sso1.bmc.com:8443 route=172-28-140-59"
  3. Specify that the sticky session should be tied to the route ID.ProxySet stickysession=ROUTEID
  4. Specify that any URL address with /atriumsso path should be routed to an available balancer member.
    ProxyPass /atriumsso balancer://ssobalancer/atriumsso nofailover=off.
  5. Specify that the HTTP headers and URL for messages to URLs ending in /atriumsso from balancer members should be rewritten to replace any URLs with the load balancer's root URL.
    ProxyPassReverse /atriumsso balancer://ssobalancer/atriumsso

  6. Specify that any URL address with /atriumsso/* path should be routed to an available balancer member while preserving the full path.

    ProxyPass /atriumsso/ balancer://ssobalancer/atriumsso/ nofailover=off 

  7. Specify that the http headers and URL for messages to URLs ending in /atriumsso/ from balancer members should be rewritten to place any URLs with the load balancer's root URL while preserving the full path.
    ProxyPassReverse /atriumsso/ balancer://ssobalancer/atriumsso/
    The following example shows a sample balancer members configuration. 

    # BMC: This sets up the load balancer reverse proxy.
        <Proxy balancer://ssobalancer>
            #
            # BMC: Add a BalancerMember entry for each target site. These should be
            #      https address. Use the FQHN, and set the route parameter to the
            #      IPv4 address with periods replaced by dashes and ending with a
            #      standalone double quote. Here is an example:
            #       BalancerMember >/https://<FQHN>:<sslport route=###-###-###-###"
            BalancerMember https://clm-pun-sso1.bmc.com:8443 route=172-28-140-59"
            # "
            BalancerMember https://clm-pun-sso2.bmc.com:8443 route=172-28-140-60"
            # "

            # BMC: Specify that the sticky session should be tied to the route ID.
            ProxySet stickysession=ROUTEID
        </Proxy>

        # BMC: Specify that any URL address with /atriumsso path should be routed
        #      to and available balancer member
        ProxyPass /atriumsso balancer://ssobalancer/atriumsso nofailover=off

        # BMC: Specify that the http headers and URL for messages to URLs ending in
        #      /atriumsso from balancer members should be rewritten to replace any
        #      URLs with the load balancer's root URL
        ProxyPassReverse /atriumsso balancer://ssobalancer/atriumsso

        # BMC: Specify that any URL address with /atriumsso/* path should be routed
        #      to an available balancer member while preserving the full path
        ProxyPass /atriumsso/ balancer://ssobalancer/atriumsso/ nofailover=off

        # BMC: Specify that the http headers and URL for messages to URLs ending in
        #      /atriumsso/ from balancer members should be rewritten to place any
        #      URLs with the load balancer's root URL while preserving the full path
        ProxyPassReverse /atriumsso/ balancer://ssobalancer/atriumsso/
    </VirtualHost>

To enable modules

To enable the load balancer and BMC Atrium Single Sign-On related modules, you must uncomment the following modules.

  • mod_headers.so
  • mod_proxy.so
  • mod_proxy_balancer.so
  • mod_proxy_http.so
  • mod_ssl.so

The following figure shows the modules that you need to enable.

httpd_conf.png

To configure cache

After you have configured the balancer members, set the cache for SSL. This step is optional. However, BMC recommends that you configure the cache to increase the performance of the server significantly. 

The following example shows a sample SSL session cache:

# BMC: Specify the path to and a size of the SSL session cache.
#
SSLSessionCache "shmcb:c:/Apache2.2/conf/ssl/ssl_scache(512000)"
 
</IfModule>

To restart the Apache HTTP server

After applying all the given changes to the Apache httpd server, restart the server to apply all the changes.

Run the following command to restart the server.

<%APACHE_HOME%>\conf>httpd -k restart

Where to go from here

Installing-BMC-Atrium-Orchestrator-Platform

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*