

Load Balancing Support for Federation System

This section contains the following topics:

How to Configure Load Balancing

How to Configure Load Balancing

Load balancing distributes communication activity evenly across a network so that no single device is overburdened. CA SiteMinder® Federation Standalone is intended as a standalone endpoint and has no built-in support for load balancing. However, it is possible to enable a simple load-balancing deployment in a network using CA SiteMinder® Federation Standalone. SSL-enabled load balancing is optional, but it is recommended because federation traffic carries sensitive data.

The following diagram shows a non-SSL load-balancing deployment.

Graphic showing a non-SSL load balancing deployment

The following diagram shows an SSL load-balancing deployment, distributing traffic across two systems that use the same database store.

Graphic showing an SSL load balancing network

Complete the following configuration steps for load balancing traffic:

  1. Configure the load balancer.
  2. Set up two or more CA SiteMinder® Federation Standalone systems to work with a load balancer.
  3. (Optional) If the load balancer is using SSL, configure CA SiteMinder® Federation Standalone to handle SSL redirection.

Configure the Load Balancer

Configure the load balancer to work in a network with CA SiteMinder® Federation Standalone. Use the load balancer host and port to redirect a user who requests a resource that resides on the CA SiteMinder® Federation Standalone system. Use of the load balancer host and port applies to all resources on the CA SiteMinder® Federation Standalone system.

Note: This procedure assumes that the load balancer administrator knows how to set up the system in the deployment.

Follow these steps:

  1. Configure the load balancer to map IP addresses and host names for the federation deployment.
  2. Configure the load balancer for the deployment, making sure to pass the following URLs through to the CA SiteMinder® Federation Standalone systems:

    These URLs enable the load balancer to balance traffic between the federation systems.

  3. (Optional) Configure the load balancer to handle SSL traffic.

    If the load balancer is SSL-enabled, all federation traffic comes in to the load balancer over SSL. However, the load balancer sends the traffic to the CA SiteMinder® Federation Standalone systems over a non-SSL (HTTP) connection. The hop between the load balancer and the federation systems is therefore unencrypted, so keep it on a trusted network segment.

The load balancer is now configured to work with CA SiteMinder® Federation Standalone systems.

Set up the Federation Systems to Work with a Load Balancer

To use load balancing across a federation deployment, set up two or more CA SiteMinder® Federation Standalone systems.

Note: The procedure assumes that all systems are version 12.52 SP1.

Follow these steps:

  1. Install the product on each system, specifying the same Federation Administrator Password for each installation.

    Note: Whether the product runs in standalone or proxy mode, all servers must use the same mode.

  2. Run the Configuration Wizard on one system.
  3. Log in to the Administrative UI.
  4. Navigate to Infrastructure, System Settings.
  5. In the Server Settings section, change the Global Base URL to include the host and port of the load balancer in your network. This URL becomes the default URL for all partnership entities, so it must name the load balancer rather than an individual federation system.
  6. Set up a federation partnership by completing the following tasks:
    1. Import certificates and private keys.
    2. Establish user directories connections.
    3. Configure local entities.
    4. Specify a remote entity.
    5. Configure a partnership between the local and remote entities.
    6. Verify that the federation works with the remote partner.
  7. Run the Configuration Wizard on the secondary systems, using the same load balancer virtual host name that you entered for the first system.

    Each federation system must use the same virtual host name. The virtual host name is the host that you specify for the Server Name in the Apache configuration when you run the Configuration Wizard.

    If the product uses more than one virtual host or domain, modify the server.conf file to include the additional entries.

    To modify the server.conf file

    1. Navigate to federation_install_dir/secure-proxy/proxy-engine/conf.
    2. Open the server.conf file in an editor.
    3. Go to the # Default Virtual Host section.
    4. Add the base URL to the hostnames setting using fully qualified host names, as follows:

      <VirtualHost name="default">

      hostnames="defaultbaseurl.example.com:80, newbaseurl.example.com:80"

      </VirtualHost>

      Note: Specify multiple host_name:port entries for the hostnames setting, separating each entry with a comma.

      Example:

      <VirtualHost name="default">

      hostnames="lb5.example.com:80"

      </VirtualHost>

  8. Migrate SSL keys and certificates that are stored by the embedded Apache and Tomcat web servers.

    Note: Replicate any change to the certificate configuration on one system to all other systems. Make configuration changes from the Certs and Keys page in the UI. Changes include adding or removing certificates, keys, or CRL data.

  9. Log in to the Administrative UI on the other systems that do not have partnerships configured.
  10. Navigate to Infrastructure, System Settings. In the UI Settings section, click Disable Administration.

    Access the Administrative UI locally, without going through the load balancer. Because all systems share the same data store, keep administration enabled on only one system at a time while the others are running. If the administration system is unavailable at any time, log in to a different system and re-enable administration there.

Now that all federation systems are pointing to the same data store, the configured load balancer is able to balance traffic between the systems.

Configure Redirections to an SSL Load Balancer (optional)

If the load balancer uses SSL, we recommend that you configure the system to redirect traffic over an SSL connection. Otherwise redirects that the federation system builds from its own host name and port send the user to an HTTP URL instead of back to the SSL load balancer. To redirect traffic, modify the files listed in the following procedure.

Note: Modify these files on all federation systems that are redirecting traffic.

Follow these steps:

  1. Navigate to federation_install_dir/secure-proxy/proxy-engine/conf/defaultagent.
  2. Open the WebAgent.conf file in an editor. Uncomment the line that begins with localconfigfile, then save the file.
  3. Open the LocalConfig.conf file in an editor.
  4. Add the following settings to the LocalConfig.conf file, then save the file:

    HttpsPorts="443"
    GetPortFromHeaders="YES"

    For HttpsPorts, specify the port on which the load balancer is listening for SSL traffic.

  5. Navigate to federation_install_dir/secure-proxy/httpd/conf.
  6. Open the httpd.conf file in an editor.
  7. Locate the ServerName setting and specify the load balancer hostname:port. Do not enter the federation system server host name.

    Example:

    ServerName lb5.example.com:443
    
  8. After the ServerName setting, add the UseCanonicalName setting and set it to On, so that Apache builds self-referential redirects from ServerName rather than from the host and port the client supplied. Example:
    UseCanonicalName on


The federation systems now redirect traffic over an SSL connection. To confirm, request a protected resource on a federation system directly and verify that the Location header of the redirect names the load balancer host and SSL port rather than the system's own host name.
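The following script is an added example, not part of the product or of this page. It checks one or more federation systems against the settings required by step 7 of the previous procedure (the hostnames entries in server.conf) and by the SSL redirection procedure above (LocalConfigFile uncommented in WebAgent.conf, HttpsPorts and GetPortFromHeaders in LocalConfig.conf, ServerName and UseCanonicalName in httpd.conf). The file paths follow the procedures; the load balancer name lb5.example.com, the install directories and the sample configuration files written by write_sample_node() are constructed for the demonstration and are not real product files.

```python
"""Consistency check for federation systems behind an SSL load balancer.

Added example: reads the files edited in the load-balancing procedures and
reports any disagreement with the load balancer host and port. The sample
trees written by write_sample_node() are constructed fixtures.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional


def parse_hostnames(server_conf: str) -> list[str]:
    """Return the host:port entries of the default VirtualHost hostnames setting."""
    block = re.search(r'<VirtualHost\s+name="default"\s*>(.*?)</VirtualHost>', server_conf, re.S)
    if not block:
        return []
    hosts = re.search(r'hostnames\s*=\s*"([^"]*)"', block.group(1))
    return [h.strip() for h in hosts.group(1).split(",") if h.strip()] if hosts else []


def parse_directive(text: str, name: str) -> Optional[str]:
    """First uncommented `Name value` or Name="value" line; None if absent or commented out."""
    pattern = re.compile(rf'^{re.escape(name)}\s*=?\s*"?(.+?)"?\s*$', re.I)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            match = pattern.match(stripped)
            if match:
                return match.group(1)
    return None


def check_node(install_dir: Path, lb_host: str, lb_port: int) -> list[str]:
    """Return findings for one federation system; an empty list means it matches the procedures."""
    proxy = install_dir / "secure-proxy"
    agent = proxy / "proxy-engine" / "conf" / "defaultagent"
    server_conf = (proxy / "proxy-engine" / "conf" / "server.conf").read_text()
    webagent = (agent / "WebAgent.conf").read_text()
    local = (agent / "LocalConfig.conf").read_text()
    httpd = (proxy / "httpd" / "conf" / "httpd.conf").read_text()
    findings = []

    hosts = parse_hostnames(server_conf)
    if not any(h.rsplit(":", 1)[0] == lb_host for h in hosts):
        findings.append(f"server.conf: hostnames {hosts} do not include the load balancer {lb_host}")
    for h in hosts:  # every entry must be a fully qualified host_name:port
        if not re.fullmatch(r"[\w-]+(\.[\w-]+)+:\d+", h):
            findings.append(f"server.conf: {h!r} is not a fully qualified host:port entry")
    if parse_directive(webagent, "LocalConfigFile") is None:
        findings.append("WebAgent.conf: LocalConfigFile is still commented out, so LocalConfig.conf is ignored")
    if parse_directive(local, "HttpsPorts") != str(lb_port):
        findings.append(f"LocalConfig.conf: HttpsPorts must be the load balancer port {lb_port}")
    if (parse_directive(local, "GetPortFromHeaders") or "").upper() != "YES":
        findings.append("LocalConfig.conf: GetPortFromHeaders must be YES")
    server_name = parse_directive(httpd, "ServerName")
    if server_name != f"{lb_host}:{lb_port}":
        findings.append(f"httpd.conf: ServerName is {server_name!r}, expected {lb_host}:{lb_port}")
    if (parse_directive(httpd, "UseCanonicalName") or "").lower() != "on":
        findings.append("httpd.conf: UseCanonicalName must be On so redirects use ServerName")
    return findings


def check_cluster(install_dirs: list[Path], lb_host: str, lb_port: int) -> dict[str, list[str]]:
    """Check every system and flag nodes whose server.conf hostnames differ from each other."""
    results = {str(d): check_node(d, lb_host, lb_port) for d in install_dirs}
    seen = {tuple(sorted(parse_hostnames((d / "secure-proxy" / "proxy-engine" / "conf" / "server.conf").read_text())))
            for d in install_dirs}
    if len(seen) > 1:
        for findings in results.values():
            findings.append("cluster: server.conf hostnames differ between systems; all must use the same virtual host")
    return results


def write_sample_node(root: Path, server_name: str, local_config_enabled: bool, https_ports: str = "443") -> Path:
    """Write a constructed install tree for the demonstration (not real product files)."""
    proxy = root / "secure-proxy"
    (proxy / "proxy-engine" / "conf" / "defaultagent").mkdir(parents=True)
    (proxy / "httpd" / "conf").mkdir(parents=True)
    (proxy / "proxy-engine" / "conf" / "server.conf").write_text(
        '# Default Virtual Host\n<VirtualHost name="default">\n    hostnames="lb5.example.com:80"\n</VirtualHost>\n')
    prefix = "" if local_config_enabled else "#"  # commented line models the untouched WebAgent.conf
    (proxy / "proxy-engine" / "conf" / "defaultagent" / "WebAgent.conf").write_text(
        f'{prefix}LocalConfigFile="{proxy}/proxy-engine/conf/defaultagent/LocalConfig.conf"\n')
    (proxy / "proxy-engine" / "conf" / "defaultagent" / "LocalConfig.conf").write_text(
        f'HttpsPorts="{https_ports}"\nGetPortFromHeaders="YES"\n')
    (proxy / "httpd" / "conf" / "httpd.conf").write_text(
        f"#ServerName www.example.com:80\nServerName {server_name}\nUseCanonicalName on\n")
    return root


def demo() -> dict[str, list[str]]:
    """Two constructed systems: one configured per the procedures, one left on its own host name."""
    root = Path(tempfile.mkdtemp())
    good = write_sample_node(root / "fed1", "lb5.example.com:443", local_config_enabled=True)
    bad = write_sample_node(root / "fed2", "fed2.example.com:80", local_config_enabled=False)
    return check_cluster([good, bad], "lb5.example.com", 443)


if __name__ == "__main__":
    for node, findings in demo().items():
        print(node, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it on each real system as `check_node(Path("federation_install_dir"), "lb5.example.com", 443)` with your own load balancer name; the second constructed node in demo() shows the two most common mistakes, an httpd.conf ServerName left pointing at the system itself and a WebAgent.conf whose LocalConfigFile line was never uncommented.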