

Windows

Secure communication for NGINX requires SSL certificates (c2okey2.pem and c2ocert.pem files). Make sure you generate these files before you begin this procedure.

Follow these steps:

  1. Navigate to the following folder:
    nginx_install_dir/conf
    

    This folder contains the secure-pam-server.conf file.

  2. Open the secure-pam-server.conf file.
  3. There are five code blocks that require editing for every node that you add. Edit the blocks according to your security measures.

    Note: When you select the Support Secure Communication check box, the https port specifies the port used in the URL that accesses CA Process Automation Web services and the browser-based CA Process Automation UI.

    1. Add the node1 host name under the upstream uiloadbalancer block:
      server <Enter node1 hostname here>:<https port> max_fails=3 fail_timeout=3s;
      
    2. Add the node1 host name under the upstream loadbalancer block:
      server <Enter node1 hostname here>:<https port> max_fails=3 fail_timeout=3s;
      
    3. Add the node1 host name under the upstream repositoryloadbalancer block:
      server <Enter node1 hostname here>:<https port> max_fails=3 fail_timeout=3s;
      
    4. Add the node1 host name under the upstream jettyloadbalancer block:
      server <Enter node1 hostname here>:<server port> max_fails=3 fail_timeout=3s;
      
    5. Add the node1 host name under the Define node1 block:
      server <Enter node1 hostname here>:<server port> max_fails=1 fail_timeout=3s;
      

      Note: The server port defines the port that the Domain Orchestrator uses to communicate with other Orchestrators and agents.

    Replace the <Enter node1 hostname here> placeholders with a valid value. Do not change the port numbers unless you use a different port for the CA Process Automation node. By default, the https port is configured to 8443 and the server port is configured to 443.

    Note: The valid values are the IP address, the FQDN, or the DNS alias that resolves to the host where you are installing the initial Domain Orchestrator node. The valid value is the same value that is used for “Server Host” when installing the Domain Orchestrator.

    Repeat these steps for each additional node that you install.

  4. Update the following lines by specifying the location of the c2ocert.pem and c2okey2.pem files (in the nginx_installed_location\conf directory).
    ssl_certificate      <certificate_location\c2ocert.pem>;
    
    ssl_certificate_key  <certificate_location\c2okey2.pem>;
    

    For example:

    ssl_certificate      <nginx_install_dir\conf\c2ocert.pem>;
    
  5. Save and close the secure-pam-server.conf file.
  6. Open the nginx.conf file.
  7. Add the following entry in the http block at the end of the nginx.conf file:
    include nginx_install_dir/conf/secure-pam-server.conf;
    

    This entry links NGINX with the configuration changes you made for CA Process Automation in the secure-pam-server.conf file.

  8. Save and close the nginx.conf file.

    Important! Perform the rest of these steps after you install at least one Orchestrator node. See Interactive Domain Orchestrator Installation or Unattended Domain Orchestrator Installation for instructions.

  9. Stop NGINX. In a command prompt, navigate to the NGINX directory location and enter:
    nginx -s stop
    
  10. Restart NGINX.

    The changes take effect.
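
The following pre-restart check for the edits in steps 3 and 4 is an added example, not part of the original procedure or of CA Process Automation. It assumes the blocks are written as `upstream <name> { ... }`; the sample host name and paths are constructed, and the forward-slash warning follows the NGINX for Windows documentation, which specifies UNIX-style paths in configuration files.

```python
import re
DIRECTIVES = ("server", "ssl_certificate", "ssl_certificate_key")
def lint_conf(text):
    """Return (line_number, message) findings for an edited secure-pam-server.conf."""
    findings, upstream, servers = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # ignore comments and blank lines
        m = re.match(r"upstream\s+(\S+)\s*\{", line)
        if m:                                        # entering an upstream block
            upstream, servers = m.group(1), 0
        elif line.startswith("}") and upstream:      # leaving it: was a node added?
            if servers == 0:
                findings.append((no, f"upstream {upstream}: no server entry"))
            upstream = None
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0] not in DIRECTIVES or parts[1].startswith("{"):
            continue                                 # not a directive this check covers
        name, args = parts
        if name == "server" and upstream:
            servers += 1
        if re.search(r"<[^>]*>", args):              # e.g. <Enter node1 hostname here>
            findings.append((no, f"{name}: placeholder not replaced"))
        if not args.endswith(";"):
            findings.append((no, f"{name}: missing terminating ';'"))
        if name.startswith("ssl_") and "\\" in args:
            findings.append((no, f"{name}: backslash in path, use forward slashes"))
    return findings

# Constructed sample: host name, paths and layout are assumptions, not the shipped file.
SAMPLE = r"""upstream uiloadbalancer {
    server pam-node1.example.com:8443 max_fails=3 fail_timeout=3s;
}
upstream loadbalancer {
    server <Enter node1 hostname here>:<https port> max_fails=3 fail_timeout=3s;
}
upstream repositoryloadbalancer {
    # server pam-node1.example.com:8443 max_fails=3 fail_timeout=3s;
}
upstream jettyloadbalancer {
    server pam-node1.example.com:443 max_fails=3 fail_timeout=3s
}
server {
    ssl_certificate      C:\nginx\conf\c2ocert.pem;
    ssl_certificate_key  C:/nginx/conf/c2okey2.pem;
}
"""
if __name__ == "__main__":
    for no, msg in lint_conf(SAMPLE):
        print(f"line {no}: {msg}")
```

Run the check against the edited file before steps 9 and 10; `nginx -t` then confirms that NGINX itself accepts the configuration.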