

Migrate the SSL Setup to the Secondary System
After Apache SSL is configured on the primary CA SiteMinder® Federation Standalone machine, the SSL setup can be migrated to the secondary machine behind the load balancer.
Note: This procedure does not apply if CA SiteMinder® Federation Standalone is behind a proxy server.
Ensure that the following criteria are met:
- The same certificate is used for each CA SiteMinder® Federation Standalone machine.
- Each CA SiteMinder® Federation Standalone machine must be configured with the same host name.
- CA SiteMinder® Federation Standalone is accessed through a load balancer.
- All machines must be of the same platform (Windows/Solaris/Linux).
To copy the SSL configuration to the secondary machine
1. Enable Apache SSL on the primary CA SiteMinder® Federation Standalone machine. Once enabled, the following components are available:
   - SSL server cert
     federation_install_dir/secure-proxy/SSL/certs/server.crt
   - CA bundle
     federation_install_dir/secure-proxy/SSL/certs/ca-bundle.cert
   - SSL server key
     federation_install_dir/secure-proxy/SSL/keys/server.key
   - certificate request file
     federation_install_dir/secure-proxy/SSL/keys/fedmgrsslcertrequest.pem
   - SSL properties file
     federation_install_dir/config/fedmanager.properties
2. Import the CA certificate that signed the SSL Server Certificate to the secondary machine. Use the Administrative UI to import the certificate.
   This certificate should be imported before or during the SSL configuration process on the primary machine. It is recommended that you use the same alias as was used for this certificate on the primary machine.
3. Copy each of the files listed in step 1 to the same locations on the secondary machine. The folders should already exist.
   Note the following:
   - The secondary machine should already have a copy of ca-bundle.cert. That copy should be backed up or deleted; the new copy from the primary machine has additional data that the secondary machine requires.
   - Copying the certificate request file (fedmgrsslcertrequest.pem) is only required if you want to retrieve it using the Administrative UI on the secondary machine. If not, do not copy the file.
   - The SSL properties file should contain at least the following two properties:
     - fedmgr.ssl.enabled, set to Y.
     - fedmgr.ssl.ca.alias, set to the alias of the CA that signed the SSL server certificate request.
       If you used a different alias when importing this certificate on the secondary machine, update this property with the alias value you actually used.
The configuration is now migrated and you can activate SSL on the secondary system.
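The following Python check is an added example, not part of the CA guide. It confirms that the files from step 1 on the secondary machine match the primary and that fedmanager.properties carries the two required properties. It assumes both install directories are reachable as local paths and that the properties file uses key=value lines; the private-key permission check is an addition the guide does not mention.

```python
import hashlib
import os
from pathlib import Path

# Paths from step 1, relative to federation_install_dir.
KEY = "secure-proxy/SSL/keys/server.key"
IDENTICAL = [
    "secure-proxy/SSL/certs/server.crt",
    "secure-proxy/SSL/certs/ca-bundle.cert",
    KEY,
]
OPTIONAL = "secure-proxy/SSL/keys/fedmgrsslcertrequest.pem"  # copy is optional
PROPS = "config/fedmanager.properties"

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def read_props(path):
    """Parse key=value lines (assumed format), skipping blanks and comments."""
    props = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_migration(primary_root, secondary_root):
    """Return a list of problems found on the secondary; empty means consistent."""
    problems = []
    for rel in IDENTICAL + [OPTIONAL]:
        src, dst = Path(primary_root) / rel, Path(secondary_root) / rel
        if not dst.is_file():
            if rel != OPTIONAL:
                problems.append(f"missing: {rel}")
        elif not src.is_file() or sha256(src) != sha256(dst):
            problems.append(f"differs from primary: {rel}")
    key = Path(secondary_root) / KEY
    # Added hardening check, not from the guide: no group/other access to the key.
    if os.name == "posix" and key.is_file() and key.stat().st_mode & 0o077:
        problems.append("server.key is accessible to group/others")
    props_file = Path(secondary_root) / PROPS
    props = read_props(props_file) if props_file.is_file() else {}
    # The alias may legitimately differ from the primary, so only presence is checked.
    if props.get("fedmgr.ssl.enabled") != "Y":
        problems.append("fedmgr.ssl.enabled is not Y")
    if not props.get("fedmgr.ssl.ca.alias"):
        problems.append("fedmgr.ssl.ca.alias is not set")
    return problems
```

A stale ca-bundle.cert left on the secondary machine shows up as "differs from primary", which is the case the note in step 3 describes.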
Copyright © 2013 CA.
All rights reserved.
 