

Windows

Secure communication for NGINX requires SSL certificates (c2okey2.pem and c2ocert.pem files). Make sure you generate these files before you begin this procedure.

Follow these steps:

  1. Navigate to the following folder:
    nginx_install_dir/conf
    

    This folder contains the secure-pam-server.conf file.

  2. Open the secure-pam-server.conf file.
  3. There are three code blocks that require editing for every node that you add. Edit the blocks according to your security measures.
    1. Add the node1 host name in the upstream loadbalancer block:
      server <Enter node1 hostname here>:8443 max_fails=3 fail_timeout=3s;
      
    2. Add the node1 host name under the upstream jettyloadbalancer block.
      server <Enter node1 hostname here>:8443 max_fails=3 fail_timeout=3s;
      
    3. Add the node1 host name under the Define node1 block:
      server <hostname of machine where you have installed node1>:<jetty server port> max_fails=3 fail_timeout=3s;
      

    Replace the Enter node1 hostname here placeholders with a valid value. Do not change the port numbers unless you use a different port for the CA Process Automation node.

    Note: The valid values are the IP address, the FQDN, or the DNS alias that resolves to the host where you are installing the initial Domain Orchestrator node. The valid value is the same value that is used for “Server Host” when installing the Domain Orchestrator.

    Repeat these steps for each additional node that you install.

  4. Update the following lines to specify the location of the c2ocert.pem and c2okey2.pem files (in the nginx_installed_location\conf directory).
    ssl_certificate      <certificate_location\c2ocert.pem>;
    
    ssl_certificate_key  <certificate_location\c2okey2.pem>;
    

    For example:

    ssl_certificate      <nginx_install_dir\conf\c2ocert.pem>;
    
  5. Save and close the secure-pam-server.conf file.
  6. Open the nginx.conf file.
  7. Add the following entry in the http block at the end of the nginx.conf file:
    include nginx_install_dir/conf/secure-pam-server.conf;
    

    This entry links NGINX with the configuration changes you made for CA Process Automation in the secure-pam-server.conf file.

  8. Save and close the nginx.conf file.

    Important! Perform the rest of these steps after you install at least one Orchestrator node. See Interactive Domain Orchestrator Installation or Unattended Domain Orchestrator Installation for instructions.

  9. Once you have installed at least one Orchestrator node, open the nginx_install_dir/conf/nginx.conf file.
  10. Remove any server blocks, because they can conflict with the server identified in the secure-pam-server.conf file.

    For example:

    server {
        listen       80;
        server_name  <LOADBALANCER_HOSTNAME>;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
    
  11. Save and close the nginx.conf file.
  12. Stop NGINX. In a command prompt, navigate to the NGINX directory location and enter:
    nginx -s stop
    
  13. Restart NGINX.

    The changes take effect.
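
A pre-restart check for the edits made in steps 3, 4, 7, and 10, given here as an added example that is not part of the original procedure or the product. The function names, sample host name, and sample paths are assumptions, and braces inside quoted strings are not handled.

```python
import re

# Directives this procedure edits in secure-pam-server.conf ("server {" blocks excluded).
DIRECTIVE = re.compile(r"(server|ssl_certificate(?:_key)?)\s+[^\s{]")

def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def http_body(conf):
    """Return the text inside http { ... }, or None if absent or unbalanced."""
    m = re.search(r"\bhttp\s*\{", conf)
    depth = 1
    for i in range(m.end() if m else len(conf), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return None

def lint(nginx_conf, pam_conf):
    """Check the edits from steps 3, 4, 7 and 10; an empty list means no findings."""
    main, pam = strip_comments(nginx_conf), strip_comments(pam_conf)
    findings, seen = [], set()
    body = http_body(main)
    if body is None or not re.search(r"\binclude\s+[^;]*secure-pam-server\.conf\s*;", body):
        findings.append("nginx.conf: secure-pam-server.conf not included in http block")
    if re.search(r"\bserver\s*\{", main):
        findings.append("nginx.conf: server block still present")
    for n, line in enumerate(pam.splitlines(), 1):
        m = DIRECTIVE.match(line.strip())
        if m:
            seen.add(m.group(1))
            if "<" in line or ">" in line:
                findings.append(f"secure-pam-server.conf:{n}: placeholder not replaced")
            if not line.strip().endswith(";"):
                findings.append(f"secure-pam-server.conf:{n}: missing ';'")
    for name in sorted({"ssl_certificate", "ssl_certificate_key"} - seen):
        findings.append(f"secure-pam-server.conf: {name} not set")
    return findings

# Constructed samples, not the product's shipped files; host name and paths are made up.
GOOD_MAIN = "events {}\nhttp {\n  include C:/nginx/conf/secure-pam-server.conf;\n}\n"
BAD_MAIN = "http {\n  server {\n    listen 80;\n  }\n}\n"
GOOD_PAM = ("upstream loadbalancer {\n  server pam-node1.example.test:8443 max_fails=3;\n}\n"
            "server {\n  ssl_certificate C:/nginx/conf/c2ocert.pem;\n"
            "  ssl_certificate_key C:/nginx/conf/c2okey2.pem;\n}\n")
BAD_PAM = "upstream loadbalancer {\n  server <Enter node1 hostname here>:8443 max_fails=3 fail_timeout=3s\n}\n"

if __name__ == "__main__":
    print("\n".join(lint(BAD_MAIN, BAD_PAM)))
```

This check covers only the edits from this procedure. NGINX's own `nginx -t` command still validates the full configuration syntax before a restart.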