Migrate the SSL Setup to the Secondary System
After Apache SSL is configured on the primary Federation Manager machine, the SSL setup can be migrated to the secondary machine behind the load balancer.
Note: This procedure does not apply if Federation Manager is behind a proxy server.
Ensure that the following criteria are met:
- The same certificate is used for each Federation Manager machine.
- Each Federation Manager machine must be configured with the same host name.
- Federation Manager is accessed through a load balancer.
- All machines must be of the same platform (Windows/Solaris/Linux).
To copy the SSL configuration to the secondary machine
1. Enable Apache SSL on the primary Federation Manager machine. Once enabled, the following components are available:
   - SSL server cert
     federation_mgr_home/secure-proxy/SSL/certs/server.crt
   - CA bundle
     federation_mgr_home/secure-proxy/SSL/certs/ca-bundle.cert
   - SSL server key
     federation_mgr_home/secure-proxy/SSL/keys/server.key
   - certificate request file
     federation_mgr_home/secure-proxy/keys/fedmgrsslcertrequest.pem
   - SSL properties file
     federation_mgr_home/config/fedmanager.properties
2. Import the CA certificate that signed the SSL Server Certificate to the secondary machine. Use the Federation Manager UI to import the certificate.
   This certificate should be imported before or during the SSL configuration process on the primary machine. It is recommended that you use the same alias as was used for this certificate on the primary machine.
3. Copy each of the files listed in step 1 to the same locations on the secondary machine. The folders should already exist.
   Note the following:
   - The secondary machine should already have a copy of ca-bundle.cert. That copy should be backed up or deleted; the new copy from the primary machine has additional data that the secondary machine requires.
   - Copying the certificate request file (fedmgrsslcertrequest.pem) is only required if you want to retrieve it using the Federation Manager UI on the secondary machine. If not, do not copy the file.
   - The SSL properties file should contain at least the following two properties:
     - fedmgr.ssl.enabled, set to Y.
     - fedmgr.ssl.ca.alias, set to the alias of the CA that signed the SSL server certificate request.
       - If you used a different alias when importing this certificate on the secondary machine, update this property with the alias value you actually used.
The configuration is now migrated and you can activate SSL on the secondary system.
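A post-copy check for the procedure above, as an added example that is not part of the product or its documentation. It hashes the certificate, CA bundle and key on the primary, then confirms on the secondary that they arrived unchanged and that the two required properties are set. The function names, the `expected_alias` parameter and the plain `key=value` layout of fedmanager.properties are assumptions.

```python
import hashlib
from pathlib import Path

# Files from step 1 that must be byte-identical on both machines
# (paths relative to federation_mgr_home, as listed on this page).
IDENTICAL = [
    "secure-proxy/SSL/certs/server.crt",
    "secure-proxy/SSL/certs/ca-bundle.cert",
    "secure-proxy/SSL/keys/server.key",
]
PROPS = "config/fedmanager.properties"


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_manifest(home):
    """Run on the primary: map each migrated file to its SHA-256."""
    return {rel: sha256(Path(home) / rel) for rel in IDENTICAL}


def read_props(path):
    """Parse simple key=value lines (assumed format), skipping comments."""
    props = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def verify_secondary(home, manifest, expected_alias=None):
    """Run on the secondary: return a list of problems (empty means OK)."""
    problems = []
    for rel, digest in manifest.items():
        target = Path(home) / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256(target) != digest:
            # Typical cause: the old ca-bundle.cert was never replaced.
            problems.append(f"differs from primary: {rel}")
    props_path = Path(home) / PROPS
    props = read_props(props_path) if props_path.is_file() else {}
    if props.get("fedmgr.ssl.enabled") != "Y":
        problems.append("fedmgr.ssl.enabled is not Y")
    alias = props.get("fedmgr.ssl.ca.alias", "")
    if not alias or (expected_alias and alias != expected_alias):
        problems.append("fedmgr.ssl.ca.alias is unset or not the imported alias")
    return problems
```

Call `build_manifest` on the primary, carry the result to the secondary (for example as JSON) over the same protected channel used for server.key, and call `verify_secondary` there before activating SSL. The properties file is parsed rather than hashed because its alias value may legitimately differ on the secondary.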