Installation Guide › Configuration › Load Balancing

Load Balancing

To configure load balancing, make the following changes on each server.

Provisioning Servers

Create these VIPs/Pools on each server:

• CA IAM Connector Server Requests over port 22001 – Used to talk to on-premise CA IAM Connector Server
• CA IAM Connector Server over port 20080 – Used for accessing the Connector Server Admin console
• CA IAM Connector Server over port 20410 – Used for configuring connxp for acquiring the endpoint required for Directory Sync.
• CA IAM Connector Server over port 20498 – Used for the Directory Sync from On-premise to Cloud.

SiteMinder Policy Server and Advanced Authentication

Make the following changes on each SiteMinder Policy Server.

Create these VIPs/Pools:

• SiteMinder Policy Server over port 44441 – This is for the agent to communicate with the Policy Server
• SiteMinder Policy Server over port 44442 - This is for the agent to communicate with the Policy Server
• SiteMinder Policy Server over port 44443 - This is for the agent to communicate with the Policy Server
• Authminder over port 9090 – Used for connecting to Arcot Admin Console
• Authminder over port 9745 – Used by Authminder Admin Service
• Authminder over port 9742 – Used by Authminder server for issuance
• Riskminder over port 7680 – Used by RiskMinder

Make the following file and configuration changes.

1. Log in to the Arcot Administration console as master admin.
   1. Navigate to Services and Server Configurations, Administration Console, UDS Connectivity
   2. Change the hostname from localhost to the internal host (SiteMinder Policy Server Load Balancer).
   3. Refresh the caches of AuthMinder and RiskMinder (WebFort and RiskFort).
2. Edit /opt/CA/siteminder/arcot/conf/adaptershim.ini
   1. For each authscheme entry, the following properties have the URL for end user browser redirects:

   AuthSchemeParam, ArcotAFMLandingURL, ErrorPageURL, InitialFCCURL, FinalFCCURL

   • Replace all Secure Proxy Server hostnames with your Secure Proxy Server load balancer VIP in the URL.
   • Change http to https.
   1. For each authscheme entry, the following properties have the URL for internal calls:

   ArcotSMBaseURL

   • Replace all localhost with your SiteMinder Policy Server load balancer VIP.
   • Do not change http.
3. Edit /opt/CA/AdvancedAuth/Tomcat/webapps/tenant-services/WEB-INF/classes/resources/config.properties
   • Replace the internal Identity Management base URL with the Identity Management load balancer, as follows:

     imBaseURL=http://<Identity Management load balancer VIP>:8080/iam/im

4. Copy the Secure Proxy Server load balancer SSL certificate and import it to the Java key store. Import it to the Java key store that is used by Tomcat.

Make these changes to the Advanced Authentication database:

1. In the table AOK_SYSTEM_DATA
   1. Change com.ca.cm.sso.ShimTokenServer to your SiteMinder Policy Server load balancer VIP
   2. Change com.ca.cm.uds to your SiteMinder Policy Server load balancer VIP
   3. Change webfort to your SiteMinder Policy Server load balancer VIP
2. In the table AOK_OVERLOADED_PROPS
   1. Change tws.base.url to http://<SMPS LB VIP>:9090/tenant-services/cm/tenantws
3. Restart the SiteMinder Policy Server, Tomcat, and the Secure Policy Server.

Secure Proxy Server

Make the following changes on each Secure Proxy Server.

Create these VIPs/Pools:

Secure Proxy Server over port 443 with offload to port 80 on Secure Proxy Server – used for all communication through Secure Proxy Server.

Make the following file and configuration changes.

1. Edit /opt/CA/secure-proxy/proxy-engine/conf/server.conf

   Add your Secure Proxy Server Load Balancer VIP with the domain to the hostnames under VirtualHost section

2. Edit /opt/CA/secure-proxy/proxy-engine/conf/proxyrules.xml
   1. Change the Identity Management Server hostname to your Identity Management Server Load Balancer VIP
   2. Change CA IAM Connector Server hostname with port 20080 to your CA IAM Connector Server Admin Load Balancer VIP
   3. Change CA IAM Connector Server hostname with port 20001 to your CA IAM Connector Server Request Load Balancer VIP
3. Edit /opt/CA/secure-proxy/Tomcat/webapps//chs/WEB-INF/classes/config/chsConfig.properties

   Change tenantwebservicebaseurl=http://SiteMinder Policy Server LB VIP:9090/tenant-services/cm/tenantws

4. Edit /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf

   Change policyserver="SiteMinder Policy Server Load Balancer VIP,44441,44441,44441"

5. Copy the Secure Proxy Server Load Balancer VIP SSL certificate and import it to the Java key store. Import it to the Java key store that is used by Tomcat.

   Use the command: keytool -import -alias <any name> -keystore cacerts -file <certificate file>

6. Edit /opt/CA/secure-proxy/Tomcat/properties/instance.properties

   The value of the property service.host should be the internal host (SiteMinder Policy Server Load Balancer)

7. Restart the Secure Proxy Server.

Identity Management Server

Make these changes on each Identity Management Server.

Create these VIPs/Pools on each server:

Identity Management Server over port 8080 - used for communicating with the Identity Management Server

Make the following file and configuration changes.

1. Edit /opt/jboss-5.1.0.GA/server/all/deploy/iam_im.ear/policyserver.rar/META-INF/ra.xml

   Change <config-property-value>Secure Proxy Server Load Balancing VIP,44441,44441,44441</config-property-value>

2. Restart the Identity Management server by running the following commands:

   /etc/init.d im stop 
   /etc/init.d/im start
   

3. If you have deployed any tenants, modify the Advanced Authentication Connection for the tenant:
   1. Log in to the User Console.
   2. Go to Advanced Authenication, Configure AuthMinder Connection
   3. Change the AuthMinder Host Name to the VIP for the SiteMinder Policy Server

      http://<SiteMinder Policy Server Load Balancer VIP>

CSP console

Be sure to make the following changes before creating any tenant:

1. In the CSP console navigate to Infrastructure, Hosts, Host Configuration Objects
2. Click DefaultHostSettings, then click Modify.
   1. Under Configuration Values, delete all individual hosts.
   2. Add your SiteMinder Policy Server Load Balancer VIP. Enter port 44441 for all port values.
   3. Uncheck Enable Failover.
   4. Click Submit.
3. Navigate to Tenants, Manage Hosting Containers.
4. From the drop-down menu, select Modify Hosting Container for your host.
   1. Change Environment Base URL to https://<Secure Policy Server Load Balancer VIP>/iam/im
   2. Change Internal Base URL to http://<Identity Management Load Balancer VIP>:8080/iam/im
   3. Change AuthMinder Host to http://<SiteMinder Policy Server Load Balancer VIP>

Configure SSL from Secure Proxy Server to Identity Management Load Balancer

Network traffic coming from Secure Proxy Server to the load balancer must use SSL. Traffic coming from the load balancer to Identity Management is non-SSL. Perform the following steps to configure this transform from SSL to non-SSL through the load balancer.

1. Create a new virtual server for SSL traffic, port 8443, and assign it to the same pool that was being used for port 8080 to Identity Management.
2. Create a certificate for the Identity Management VIP.
3. Create SSL profile (client). Use the certificate created in the load balancer for the Identity Management VIP.
4. Export the certificate from the Identity Management load balancer to all Secure Proxy Servers:

   /opt/CA/secure-proxy/SSL/certs

5. Run the following command from the above location, on all Secure Proxy Servers:

   openssl x509 -in IM_LB1-<Your VIP>.crt -text >> ca-bundle.cert

6. Edit the following file on all Secure Proxy Servers:

   /opt/CA/secure-proxy/proxy-engine/conf/proxyrules.xml

   Update the file to use port 8443 (rather than port 8080), and to use https (rather than http), as follows:

   <nete:case value="/iam/im/">

   <nete:forward>https://<Identity_Management_fully_qualified_domain_name>:8443$0</nete:forward>

7. Restart the Secure Proxy Server using startssl.