Configuring Apache Load Balancer
Configuring a Cloud Gateway load balancer with the Apache httpd proxy modules and SSL/TLS.
Configuration
- Download the Apache HTTP Server (httpd 2.4.57, Apache Lounge build): Download - The Apache HTTP Server Project.
- Extract the downloaded zip to the default configured path (C:\Apache24) on the local disk.
Note
If the extracted folder is not placed at that default location, update the root path in httpd.conf:
Define SRVROOT "c:/Apache24"
ServerRoot "${SRVROOT}"
- Go to C:\Apache24\bin and run httpd.exe; the default port is 80.
In case of startup errors, the configuration file needs to be modified:
- If the default port is not available, change it in httpd.conf to a free port, for example Listen 8443.
- Make sure the latest Visual C++ Redistributable for Visual Studio 2015-2022 (14.34.31938) is installed: vc_redist_x64 or vc_redist_x86, see Redistributable.
- To configure the load balancer, uncomment the LoadModule lines for the following modules in httpd.conf:
  - mod_lbmethod_byrequests
  - mod_lbmethod_bytraffic
  - mod_proxy
  - mod_proxy_ajp
  - mod_proxy_balancer
  - mod_proxy_connect
  - mod_proxy_http
  - mod_slotmem_shm
  - mod_socache_shmcb
  - mod_ssl
  - mod_headers
- Next, add the cluster with a sticky-session load balancer over the hosts at the end of httpd.conf:
ProxyRequests Off
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://mycluster>
BalancerMember https://myserver1.example.com:8443 route=server1
BalancerMember https://myserver2.example.com:8443 route=server2
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
</Proxy>
In the configuration above, the Proxy block defines the cluster and mycluster is the name given to it. BalancerMember defines the hosts inside the cluster; https://myserver1.example.com:8443 is a CIB machine's address and the port it listens on. All configured CIBs need to be added to the cluster. ProxyRequests Off keeps httpd from acting as an open forward proxy and must stay off. The ROUTEID cookie only carries a route name, but since it is issued over HTTPS it is good practice to append Secure and HttpOnly to its attributes.
- For SSL, add the following directives in httpd.conf above the Proxy block:
SSLVerifyClient none
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
The SSLProxy* settings above turn off verification of the CIB certificates, so the load balancer accepts any certificate the back end (or anything between it and the back end) presents. That is acceptable only while testing with self-signed certificates; for production set SSLProxyVerify require, point SSLProxyCACertificateFile at a PEM file containing the CIB certificates, and leave the peer checks at their default (on).
- Uncomment the following line in httpd.conf to include the SSL configuration file:
Include conf/extra/httpd-ssl.conf
- Update ServerName in httpd.conf with the required IP and port, for example:
ServerName 127.0.0.1:8443
- Update ServerName in httpd-ssl.conf with the localhost IP and port configured, for example:
ServerName 127.0.0.1:443
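As an added example, not the page's or SailPoint's own configuration, the following httpd.conf fragment puts the balancer and TLS steps above together and shows the page's verification-off directives (commented out) next to the hardened form that trusts only the CIB certificates. The host names, ports and the cib-certs.crt bundle path are assumptions.

```apache
# Added example, not the original page's configuration. Host names, ports
# and the cib-certs.crt bundle (the CIB self-signed certificates concatenated
# into one PEM file) are assumptions.

# Modules the balancer needs (uncomment the matching lines in httpd.conf).
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule headers_module modules/mod_headers.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off

# Outbound TLS from the load balancer to the CIB members.
SSLProxyEngine on
# Quick-start settings from the page: any certificate is accepted, so a host
# that can intercept LB-to-CIB traffic is accepted too.
#SSLProxyVerify none
#SSLProxyCheckPeerCN off
#SSLProxyCheckPeerName off
#SSLProxyCheckPeerExpire off
# Hardened form: accept only certificates contained in the bundle, and only
# when their SAN/CN matches the BalancerMember host name and they are unexpired.
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile "${SRVROOT}/conf/cib-certs.crt"
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

<Proxy "balancer://mycluster">
    BalancerMember "https://myserver1.example.com:8443" route=server1
    BalancerMember "https://myserver2.example.com:8443" route=server2
    ProxySet lbmethod=byrequests
    ProxySet stickysession=ROUTEID
</Proxy>

ProxyPass        "/" "balancer://mycluster/"
ProxyPassReverse "/" "balancer://mycluster/"

# Route cookie; Secure and HttpOnly keep it off plain HTTP and out of scripts.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED
```

With SSLProxyCheckPeerName on, each CIB certificate must carry the host name used in its BalancerMember line as a subjectAltName (or CN); a self-signed certificate works as its own trust anchor once it is in the bundle file.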
Generating and Installing certificates
To configure the load balancer with SSL, perform the following steps:
Creating certificates:
- Create a certificate on the load balancer machine.
- Create a certificate on each Cloud Gateway (CIB) machine.
- Create a certificate on each IdentityIQ machine.
- Below are the steps for creating the certificate on the load balancer machine using the openssl binary shipped under C:\Apache24\bin:
openssl req -x509 -nodes -newkey rsa:2048 -out server.crt -keyout server.key
Without -days the certificate is valid for only 30 days; add -days <n> for a longer lifetime. -nodes leaves the private key unencrypted so httpd can start without a pass phrase, so restrict the key file's permissions.
Note
To avoid a startup error, create a non-CA certificate. To do this, set the CA value to FALSE in openssl.cnf (under C:\Apache24\conf) before generating the certificate. Because req -x509 takes its extensions from the section named by x509_extensions in [ req ] (v3_ca by default), make the change in that section, or pass -extensions with the name of the section that contains it:
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
- To create non-CA certificates on the CIB machine(s), follow the same steps.
Note
Download OpenSSL (if not already available) and generate the certificate with the configuration above. In an externally downloaded OpenSSL zip, openssl.cnf and openssl.exe are in the same folder (for example C:\Users\Administrator\Downloads\openssl-1.0.2j-fips-x86_64\OpenSSL\bin).
A certificate must be generated on every CIB machine connected to the LB.
- Similarly, create a certificate for the IIQ machine(s), following the steps above.
Note
This is required only for two-way SSL.
A certificate must be generated on every IIQ machine connected to the LB.
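As an added example (not from the original page) that generalizes the openssl step above to the LB, CIB and IIQ machines alike, the following POSIX shell script creates a self-signed non-CA certificate with a subjectAltName without editing the shared openssl.cnf, then checks the result the way the notes above require. The host name, validity period and output paths are assumptions; on Windows run it under a POSIX shell, or type the openssl commands it contains into a cmd prompt.

```sh
#!/bin/sh
# Added example, not from the original page: create a self-signed, non-CA
# server certificate with a SAN, using a private request config instead of
# the global openssl.cnf, and verify it. Host name, validity period and
# output directory are assumptions.
set -eu

# Write server.key and server.crt for host $1 into directory $2.
# The inline [ req ] config names server_ext as x509_extensions, so
# req -x509 emits basicConstraints=CA:FALSE instead of the default v3_ca set.
gen_server_cert() {
    host="$1"
    outdir="$2"
    mkdir -p "$outdir"
    cat > "$outdir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = server_ext
prompt             = no

[ dn ]
CN = $host

[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 825 \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null
    # The key is unencrypted (-nodes) so httpd can start unattended; keep it private.
    chmod 600 "$outdir/server.key"
}

# Print the basicConstraints CA flag of certificate $1: CA:FALSE for an
# end-entity certificate (what the page's note asks for), CA:TRUE for a CA.
cert_ca_flag() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*\(CA:[A-Z]*\).*/\1/p' | head -n 1
}

# Succeed only if certificate $1 carries DNS:$2 in its subjectAltName;
# mod_ssl's SSLProxyCheckPeerName matches the SAN, so the CIB certificates
# need the host name used in their BalancerMember lines.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeed only if private key $2 matches certificate $1; a mismatched pair
# is a common reason for httpd refusing to start after the files are copied.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Usage (writes ./lb-cert/server.key and ./lb-cert/server.crt):
#   gen_server_cert lb.example.com ./lb-cert
#   cert_ca_flag ./lb-cert/server.crt
```

Run the same function on each CIB and IIQ machine with that machine's host name, then copy server.crt and server.key into C:\Apache24\conf on the load balancer as described in the installation steps.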
Installing certificates
- The Apache load balancer's certificate needs to be added to its own configuration file (httpd-ssl.conf). To add it:
  - After generation, the LB's certificate and key are in the C:\Apache24\bin folder.
  - Copy the generated certificate and its key file from C:\Apache24\bin to the C:\Apache24\conf folder.
  - Once copied, set the paths of these files in httpd-ssl.conf (if not the default path):
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "${SRVROOT}/conf/server.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "${SRVROOT}/conf/server.key"
- The CIB's certificate needs to be installed on the load balancer's machine. Use the following steps to install it:
  - Copy the generated certificate from the CIB machine to the Java security folder (java/jre/lib/security) on the Apache load balancer machine.
  - Add this certificate to the Java keystore with the following command:
keytool -importcert -file "C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\selfSignedCert.cer" -keystore cacerts -alias "selfSignedCert"
Note that mod_ssl does not read the Java keystore: if you enable SSLProxyVerify require, the CIB certificate must also be in the PEM file named by SSLProxyCACertificateFile.
- The load balancer's certificate needs to be installed on the IIQ machines. To install it, copy the generated certificate from the load balancer machine into the Java keystore folder on each IIQ machine and import it with keytool as above.
For completing the stickiness configuration
Modify IIQ's Tomcat server file server.xml and add jvmRoute with the values "server1" and "server2" as configured in the Proxy block of httpd.conf, one value per node:
<Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
Configuration on IdentityIQ:
- Create a Cloud Gateway application in IIQ (say CIB-LB) with the load balancer's IP, the configured port, and the CIB username and password. Perform Test Connection to check that it is up and running. (In the case of SSL, provide the port configured in httpd-ssl.conf.)
- To enable the App Sync feature, add the following flag to the Cloud Gateway load balancer application (CIB-LB) from the application Debug page:
<entry key="isLoadBalancerEnabled" value="true"/>
- Configure a connector application (for example, Delimited or Workday). Add the CIB-LB application name in the Proxy application section of the connector application. Save the application before performing any operation.
- This enables the application to send the app.xml in the request, which then gets saved on the CIB server (no CIB sync task is required here).