Configure SSL-enabled Failover Behind a Load Balancer

You can configure the system to sit behind a TCP load-balancer. The load balancer passes the requests to the system, which then handles the server-side SSL processing.

Follow these steps:

  1. Install the product on each system, specifying the same Federation Administrator Password for each installation.

    Note: The product can run in standalone or proxy mode, but the primary and secondary servers must use the same mode.

  2. Run the Configuration wizard and use the same database connection information for both systems.
  3. The Configuration wizard prompts for the Apache Configuration information. Specify the same virtual host name in the Server Name setting for the primary and secondary federation systems. Both systems must use the same virtual host name.

    If the product is using more than one virtual host or domain, modify the server.conf file for the proxy engine. The server.conf file must list all host names and domains. Add the names to the hostnames field of the Default VirtualHost.

    To edit server.conf

    1. Navigate to the following directory:

      Windows: federation_install_dir\secure-proxy\proxy-engine\conf

      UNIX: federation_install_dir/secure-proxy/proxy-engine/conf

    2. Open the server.conf file in an editor.
    3. Go to the # Default Virtual Host section and add the names to the hostnames setting using a fully qualified URL, as follows.

      <VirtualHost name="default">
      hostnames="virtualhost1.example.com, virtualhost2.example.com"
      </VirtualHost>

      Note: You can specify multiple URLs for the hostnames setting, separating each entry with a comma.

  4. Log in to the Administrative UI.
  5. Click Infrastructure, System Settings.
  6. Change the Global Base URL to include the host and port of the Proxy Server or load balancer in your federated network. Setting this URL helps ensure that the default URL for all entities in any partnership is correct.

    To modify the server.conf file

    1. Navigate to federation_install_dir/secure-proxy/proxy-engine/conf.
    2. Open the server.conf file in an editor.
    3. Go to the # Default Virtual Host section.
    4. Add the base URL to the hostnames setting using fully qualified host names, as follows:

      <VirtualHost name="default">
      hostnames="defaultbaseurl.example.com:80, newbaseurl.example.com:80"
      </VirtualHost>

    Note: Specify multiple host_name:port entries for the hostnames setting, separating each entry with a comma.

  7. Enable SSL for the embedded Apache Web Server on the primary federation system.
  8. Migrate the Apache SSL configuration to the secondary system in the failover deployment.
  9. At the load balancer, configure multiple IP addresses for the same host name, which map to the federation system.
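
The hostnames requirements from steps 3 and 6 can be checked before traffic is sent through the load balancer. The following Python check is an added example, not part of the product or its documentation: it compares the Default VirtualHost hostnames on the primary and secondary systems and confirms that the Global Base URL host is listed on both. It parses only the server.conf fragment shown in this topic; treating lines that begin with # as comments, and treating any difference between the two hostnames lists as a problem, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Match the Default VirtualHost block in the form shown in this topic.
_BLOCK = re.compile(r'<VirtualHost\s+name="default"\s*>(.*?)</VirtualHost>', re.S | re.I)
_HOSTNAMES = re.compile(r'^\s*hostnames\s*=\s*"([^"]*)"', re.M)


def default_hostnames(conf_text):
    """Return the set of hostnames entries in the Default VirtualHost block."""
    # Assumption: lines beginning with '#' are comments and are ignored.
    text = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    block = _BLOCK.search(text)
    if not block:
        raise ValueError("no Default VirtualHost block found")
    found = _HOSTNAMES.search(block.group(1))
    if not found:
        raise ValueError("Default VirtualHost has no hostnames setting")
    return {h.strip().lower() for h in found.group(1).split(",") if h.strip()}


def check_failover_pair(primary_conf, secondary_conf, global_base_url):
    """Return a list of problems; an empty list means the pair is consistent."""
    primary = default_hostnames(primary_conf)
    secondary = default_hostnames(secondary_conf)
    problems = [f"missing on secondary: {n}" for n in sorted(primary - secondary)]
    problems += [f"missing on primary: {n}" for n in sorted(secondary - primary)]
    url = urlsplit(global_base_url)
    host = (url.hostname or "").lower()
    port = url.port or {"http": 80, "https": 443}.get(url.scheme)
    # Accept the bare host or the host:port form; this topic shows both.
    if not {host, f"{host}:{port}"} & (primary & secondary):
        problems.append(f"Global Base URL host {host}:{port} not listed on both systems")
    return problems


# Constructed sample input: the secondary copy is missing one host name.
PRIMARY = '''# Default Virtual Host
<VirtualHost name="default">
hostnames="defaultbaseurl.example.com:80, newbaseurl.example.com:80"
</VirtualHost>
'''
SECONDARY = PRIMARY.replace(", newbaseurl.example.com:80", "")

if __name__ == "__main__":
    for problem in check_failover_pair(PRIMARY, SECONDARY, "http://newbaseurl.example.com:80"):
        print(problem)
```

In practice, read the two server.conf files from the conf directories listed in step 3 and pass their contents in place of the constructed samples.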

More information:

Install CA SiteMinder® Federation Standalone