Configure Secure Communication (Windows)

You can configure a load balancer for secure communication. In the following steps, certloc denotes your certificate location.

Follow these steps:

  1. Install a load balancer and prepare configuration templates.
  2. Open the workers.properties file.
  3. Add the first node by defining node1, which begins with the following line:
    worker.node1.host=<Enter node1 hostname here>
    
  4. In this line, replace the <Enter node1 hostname here> placeholder for worker.node1.host with a valid value.

    Note: The valid values are the IP address, the FQDN, or the DNS alias that resolves to the host where you are installing the initial Domain Orchestrator node. The valid value is the same value that is used for “Server Host” when installing the Domain Orchestrator.

  5. Save and close the workers.properties file.
  6. Review the CA default locations in the openssl configuration file (openssl.cnf) in the following directory:
    apache_install_location/conf
    
  7. Create or get a certificate file and private key file with a “Common Name” that matches the “ServerName” in httpd.conf.

    For example, the following steps show how to use the openssl utility that is provided with the Apache load balancer to create a certificate file. Additional options control certificate expiration, file names, and algorithms. If your site has special requirements, refer to the vendor-provided documentation.

    1. Open a command prompt.
    2. Change directories to the Apache bin folder.
      cd apache_install_location/bin
      
    3. Create a Certificate Signing Request file (CSR) and PEM files. To do so, type the following command where “mypamserver” is a name of your choice:
      openssl req -config ../conf/openssl.cnf -new -out mypamserver.csr
      

      You are prompted for the passphrase for the PEM file and other identifying information.

      • You can accept default values for most identifying information (for example, Country Name, State or Province Name, Locality Name, Organization Name, and Organization Unit Name). To leave a field blank, enter a period (.).
      • When the Common Name prompt appears, enter the host name portion of the “ServerName” value in apache_install_location/conf/httpd.conf.

        For example, if “ServerName” in httpd.conf has the value myhost.mycompany.com:80, specify myhost.mycompany.com as the “Common Name”.

      • The following fields are optional: Email address, dir, a challenge password, and an optional company name.

      The Apache load balancer creates mypamserver.csr and privkey.pem in the current directory.

    4. Create your private RSA key. To do so, type the following command and enter the passphrase for privkey.pem when the Apache load balancer prompts you.
      openssl rsa -in privkey.pem -out mypamserver.key
      
    5. Create your certificate.
      openssl x509 -in mypamserver.csr -out mypamserver.cert -req -signkey mypamserver.key
      
  8. Close the command prompt and open Windows Explorer to copy and delete generated files:
    1. Select the certloc folder or create a folder to hold your certificate and private key files.
    2. Open the apache_install_dir\bin folder at the location where the CERT and KEY files were generated.
    3. Drag-and-drop (that is, move) mypamserver.cert and mypamserver.key to certloc.
    4. Delete the intermediate files that were created in the apache_install_dir/bin folder. The intermediate files include mypamserver.CSR, privkey.PEM, and .RND.
  9. Back up the files you created.
  10. Use a text editor to modify the httpd text file (apache_install_location\conf\httpd.conf) as follows:
    1. Uncomment the following lines:
      LoadModule rewrite_module modules/mod_rewrite.so
      
      LoadModule ssl_module modules/mod_ssl.so
      
      Include conf/extra/httpd-ssl.conf
      
    2. Add the following lines at the end of “httpd.conf”. You can copy and paste the text from the httpd VIRTUALHOST_EXAMPLE file that you extracted from the SecureDomainConfig_Template.zip.
      <VirtualHost *:80>
      JkMountFile conf/uriworkermap.properties
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteCond http://%{HTTP_HOST}%{REQUEST_URI} !^http://.*c2orepository*|MirroringRequestProcessor*|mirroringrepository*|StartAgent*|genericNoSecurity*|soapAttachment*
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
      </VirtualHost>
      # Load balancing module
      include conf/mod-jk.conf
      
    3. Save the modified httpd.conf file and close the editor.
  11. Back up the files you edited.
  12. Use a text editor to modify the apache_install_location/conf/extra/httpd-ssl.conf configuration file as follows:
    1. Uncomment (if it is commented) the following text: “Listen 443”
    2. Change the SSLCertificateFile location to .../certloc/mypamserver.cert.
      SSLCertificateFile "C:/certloc/mypamserver.cert"
      
    3. Change the SSLCertificateKeyFile location to .../certloc/mypamserver.key.
      SSLCertificateKeyFile "C:/certloc/mypamserver.key"
      
    4. Add the following lines to the end of the <VirtualHost> element, before the </VirtualHost> element:
      SSLOptions +StdEnvVars +ExportCertData
      JkMountFile conf/uriworkermap.properties
      
    5. Save the modified httpd-ssl.conf file and close the editor.
  13. Restart the Apache service. To do so, on the Start menu, click Programs, Apache HTTP Server 2.2, Control Apache Server, Restart.

    The changes take effect.
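
A check to run from a PowerShell prompt before the restart in step 13, as an added example that is not part of the vendor documentation: it confirms that mypamserver.cert and mypamserver.key in certloc form a pair, that the Common Name matches “ServerName”, how long the certificate is valid, who can read the key file, and that the intermediate files from step 8 are gone. The C:\apache_install_location path, the variable names, and the 30-day warning threshold are assumptions.

```powershell
# Added example, not vendor code. Both root paths are placeholders for your installation.
$ApacheRoot = 'C:\apache_install_location'   # apache_install_location
$CertLoc    = 'C:\certloc'                   # certloc
$openssl    = Join-Path $ApacheRoot 'bin\openssl.exe'
$httpdConf  = Join-Path $ApacheRoot 'conf\httpd.conf'
$certFile   = Join-Path $CertLoc 'mypamserver.cert'
$keyFile    = Join-Path $CertLoc 'mypamserver.key'
$problems   = @()

# 1. Certificate and key must form a pair: both commands print "Modulus=<hex>".
$certMod = (& $openssl x509 -noout -modulus -in $certFile) -join ''
$keyMod  = (& $openssl rsa  -noout -modulus -in $keyFile)  -join ''
if (-not $certMod -or $certMod -ne $keyMod) {
    $problems += 'mypamserver.cert does not match mypamserver.key.'
}

# 2. Common Name must equal the host name portion of ServerName in httpd.conf.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
$cn   = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
$line = Select-String -Path $httpdConf -Pattern '^\s*ServerName\s+(\S+)' | Select-Object -First 1
$serverHost = if ($line) { $line.Matches[0].Groups[1].Value -replace '^\w+://|:\d+$', '' } else { '' }
if (-not $cn -or $cn -ne $serverHost) {
    $problems += "Common Name '$cn' differs from ServerName host '$serverHost'."
}

# 3. Validity: the step 7 command passes no -days option, and openssl x509 -req
#    then issues a 30-day certificate, so confirm the expiry you actually got.
$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
if ($daysLeft -lt 30) {
    $problems += "Certificate expires $($cert.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days left)."
}

# 4. mypamserver.key is written without a passphrase, so its ACL is the only protection.
#    The group names below are the English defaults (assumption).
$broad = (Get-Acl $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Everyone|BUILTIN\\Users|Authenticated Users'
}
$names = ($broad | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
if ($broad) { $problems += "mypamserver.key is accessible to: $names" }

# 5. Step 8 deletes the intermediate files; privkey.pem still holds the private key.
foreach ($name in 'privkey.pem', 'mypamserver.csr', '.rnd') {
    if (Test-Path (Join-Path $ApacheRoot "bin\$name")) { $problems += "Still in bin: $name" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```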