Skip to ContentSun and Oracle Channel Sun How to Buy Log In

Sun GlassFish Enterprise Server 2.1 High Availability Administration Guide

Innerhalb

Sun GlassFish Enterprise Server 2.1

Nach weiteren Dokumenten suchen

Support-Ressourcen

Dieses Buch im PDF-Format herunterladen (1513 KB)

Chapter 4 Configuring Web Servers for HTTP Load Balancing

This chapter explains how to configure the web servers supported by the HTTP load balancer plug-in. The HTTP load balancer plug-in supports the following web servers:

Sun Web Server 6.1 and 7.0 (32–bit)
Apache Web Server 2.2 and 2.0.x (32–bit)
Microsoft IIS 5.0 and 6.0 (32–bit)

Note –

The HTTP load balancer plug-in does not support web servers running in 64–bit mode.

The HTTP load balancer plug-in installation program, which is a part of the Enterprise Server installation program, makes a few modifications to the web server’s configuration files. These changes depend upon the web server you are using. In addition, for some web servers you must make manual configurations in order for the HTTP load balancer to work properly.

Note –

The HTTP load balancer plug-in can be installed either along with Sun GlassFish Enterprise Server , or separately, on a machine running the supported web server. For complete details on the installation procedure, see Chapter 1, Installing Sun GlassFish Enterprise Server, in Sun GlassFish Enterprise Server 2.1 Installation Guide.

Configuring Sun Web Server

For Sun Web Server, when you install the load balancer plug-in using the installation wizard, the installation wizard automatically does all the necessary configuration. No manual configuration is required. The load balancer plug-in bundled with Enterprise Server supports the following versions of Sun Web Server:

Sun Web Server 6.1
Sun Web Server 7.0

But, if you are using GlassFish v2.1 or the Enterprise Server without HADB bundle, you must download the load balancer plug-in separately from http://download.java.net/javaee5/external/SunOS_X86/aslb/jars/ and make some manual changes to set it up. For detailed steps on how to install and set up the plug-in, refer to the Sun GlassFish Enterprise Server 2.1 Installation Guide.

To Configure Sun Web Server

Before You Begin

Note –

The following steps are automatically performed by the installation program for Enterprise Server. But, if you are using GlassFish v2.1, you will need to perform these steps manually.

To the web server instance's magnus.conffile, add the following lines:

##BEGIN EE LB Plug-in Parameters
Init fn="load-modules"
shlib="web-server-install-dir/plugins/lbplugin/bin/libpassthrough.so"
funcs="init-passthrough,service-passthrough,name-trans-passthrough" Thread="no"
Init fn="init-passthrough"
##END EE LB Plug-in Parameters=

Append the following line if it does not exist already:

Init fn="load-modules" shlib=".../libj2eeplugin.so" shlib_flags="(global|now)"

In the file web-server-install-dir/config/obj.conf, insert the following in a single line before the first occurrence of the string nametrans:
```
Nametrans fn="name-trans-passthrough" name="lbplugin"
config-file="web-server-install-dir/config/loadbalancer.xml"
```
The order in which NameTrans entries appear in obj.conf is very important. The installer puts the NameTrans entries in the correct location, but if you are editing obj.conf for other purposes you must ensure that the order remains correct. In particular, the load balancer info must come before the document-root function. For more information on the obj.conf file, see Sun Java System Web Server 7.0 Administrator’s Configuration File Reference on docs.sun.com.

Append the following lines to the file web-server-install-dir/config/obj.conf:

<Object name = "lbplugin"> 
ObjectType fn="force-type" type="magnus-internal/lbplugin"
PathCheck fn="deny-existence" path="*/WEB-INF/*"
Service type="magnus-internal/lbplugin" fn="service-passthrough"
Error reason="Bad Gateway" fn="send-error" uri="$docroot/badgateway.html"
</Object>

Edit the web-server-install-dir/start script to update the LD_LIBRARY_PATH value to include app-server-install-dir/lib/lbplugin/lib.

The app-server-install-dir/lib/lbplugin/lib directory contains binaries that the load balancer plug-in requires.

(Optional) For the new DAS-based Load Balancer Administration, configure the web server for SSL.

For detailed instructions for Web Server 6.1 , see To Set Up the HTTP Load Balancer in SSL Mode for Sun Web Server 6.1.

For detailed instructions for Web Server 7, see To Set up the HTTP Load Balancer in SSL Mode for Sun Web Server 7 .

If the web server is not already running, start the web server.

Configuring Sun Java System Web Server to Use Auto Apply

Auto Apply is a feature provided by Enterprise Server 9.1 to send the load balancer configuration automatically over the wire to the web server configuration directory. The following procedures explain how to configure Sun Java System Web Server (versions 6 and 7) to use this feature.

To Set Up the HTTP Load Balancer in SSL Mode for Sun Web Server 6.1

Note –

You need to perform the steps in this section only if you want to use the Auto Apply feature of the load balancer plug-in. This feature helps to send the load balancer configuration automatically over the wire to the web server configuration directory.

Using a browser, access the Admin GUI of Web Server and login.

Select your server instance and click on Manage.

Click on the Security tab.

Initialize the trust database by giving the username and password. This could be done using either the certutil command or the GUI. The following options of the certutil command could be used to initialize the trust database:
```
certutil -N -P  "https-instance-name-hostname-" -d .
```
- When prompted by certutil, enter the password to encrypt your keys. Enter a password, which will be used to encrypt your keys. The password should be at least eight characters long, and should contain at least one non-alphabetic character.
- When prompted to enter a new password, specify your password.

Create a sample local Certificate Authority (CA) using the following command:
```
certutil -S -P "https-boqueron.virkki.com-boqueron-" 
-d . 
-n SelfCA -s "CN=Self CA,OU=virkki.com,C=US" 
-x -t "CT,CT,CT" 
-m 101 -v 99 -5
```
1. When prompted to enter 0-7 for the type of certificate, type 5 for SSL CA. When the prompt reappears, specify 9.
2. When queried “Is this a critical extension [y/n]?,” specify “y.”

Use the above sample CA to generate a certificate
```
certutil -S -P "https-instance-name-hostname-"
-d . -n MyServerCert -s "CN=boqueron.virkki.com,C=US"
-c SelfCA -t "u,u,u" -m 102 -v 99 -5
```
1. When prompted to enter 0-7 for the type of certificate, type 1 for SSL Server. When the prompt reappears, specify 9.
2. When queried “Is this a critical extension [y/n]?,” specify “y.”

Edit the current HTTP Listener socket by clicking on Preferences->Edit Listen Socket. Enable the security and choose the certificate created in the previous step.

If you wish to not use the GUI, change the entry to read as follows : Change the tag so that the value of security is "true." The tag must be altered to contain additional body content and a closing tag. Be sure to remove carriage returns when adding the tag.

LS id="ls1" port="80" servername="$DEPLOY-INSTANCE" 
defaultvs="https-$DEPLOY-INSTANCE" ip="any" security="true" 
acceptorthreads="1" blocking="false"> 
<SSLPARAMS servercertnickname="$HOST-DOMAIN" ssl2="off"
ssl2ciphers="-rc4,-rc 4export,-rc2,-rc2export,-desede3,-des" 
ssl3="on"
tls="on"
ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5
+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,
-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,
+fips_3des_sha,-fips_des_sha" tlsrollback="on" 
clientauth="off"/>
</LS>

To Export and Import the DAS Certificate for Sun Web Server 6.1

If you are using Enterprise Server with HADB, export the DAS certificate by executing the command:
```
<as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsas.p12-W
<file password> -K <master password> -n s1as
```
- If you are using GlassFish v2.1 or Enterprise Server without HADB bundle, you must use the following commands to export the DAS certificate:
```
<JAVA_HOME>/bin/keytool -export -rfc -alias s1as -keystore
<GLASSFISH_HOME>/domains/<DOMAIN_NAME>/config/keystore.jks-file s1as.rfc
```
  where, <GLASSFISH_HOME> indicates the Application Server installation directory and <DOMAIN_NAME> refers to the domain whose certificate is being exported.
- Copy the certificate file to the web server configuration directory.

If you are using Enterprise Server with HADB bundle, import the DAS certificate into the Web Server instance using the following commands:
```
<webserver home>/bin/https/admin/bin/pk12util-i sjsas.p12-d <webserver
home>/alias -W<file password> -K <webserver security db password> -P
<instance-name>-<hostname>-
```
```
<webserver home>/bin/https/admin/bin/certutil -M -n s1as -t "TCu,Cu,Tuw"
-d alias -P <instance-name>-<hostname>-
```
This command makes the Application Server CA be a trusted CA to sign both client and server certificates.
- If you are using GlassFish v2.1 or Enterprise Server without HADB bundle, import the DAS certificate from the rfc file created using certutil, the NSS security tool.
```
<webserver_home>/bin/certutil -A -a -n s1as -t "TCu,Cu,Tuw" -i s1as.rfc -d alias -P <instance-name>-<hostname>-
```
  where, <webserver_home> refers to the web server installation directory.
  
  You can check the presence of this certificate by using the following command, which would list the s1as certificate along with other CA certificates including the default server certificate. Ensure that you type the command in a single line.
```
<WS_INSTALL_ROOT>/bin/certutil -L -d
<WS_INSTALL_ROOT>/admin-server/config-store/
<DEFAULT_CONFIG_NAME>/config
```

If obj.conf does not contain the following lines, please append them at the end of the file. If you are using Enterprise Server with HADB bundle, this step is automatically performed by the installation program.
```
<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
<Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
```

You can verify the above set up from the DAS using the steps provided in the section Verifying the Setup. Instead of using the local CA, you can use any other CA and server certificate. In that case you can skip steps 5 and 6 listed in the previous section, but need to import the server certificate that you obtained from other CAs.

To Set up the HTTP Load Balancer in SSL Mode for Sun Web Server 7

(Optional) Create the NSS database using the following command. This step is not needed if the NSS database exists. Make sure that you type the command in a single line.
```
webserver-install-dir/bin/certutil -N -d 
/webserver-install-dir/admin-server/config-store/config-name/config
```
When prompted, provide the NSS database password.

Start the Admin Server using the following command.

webserver-install-dir/admin-server/bin/startserv.bat

Create a self-signed certificate using the following command. Make sure that you type the command in a single line.

webserver-install-dir/bin/wadm create-selfsigned-cert --user=
admin-user --server-name=host-name 
--nickname=ServerCert --token=internal --config=config-name

Create an HTTP listener using the following command. Make sure that you type the command in a single line.

webserver-install-dir/bin/wadm create-http-listener 
--user=admin-user --server-name=host-name 
-default-virtual-server-name=default-virtual-server-name 
--listener-port=8090 --config=config-name http-listener-ssl

Enable the SSL and assign certificate using the following command. Make sure that you type the command in a single line.

webserver-install-dir/bin/wadm set-ssl-prop 
--user=admin-user --http-listener=http-listener-ssl 
--config=config-name enabled=true server-cert-nickname=ServerCert

To Export and Import the DAS Certificate for Sun Web Server 7

If you are using Enterprise Server with HADB bundle, export the DAS certificate by executing the command:
```
<as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsa.p12 -W
<file password> -K <master password> -n s1as
```
- If you are using GlassFish v2.1 or Enterprise Server without HADB bundle, export the DAS certificate, named with the alias “s1as” using the Java SE 5.0 security tool called keytool. While doing so, select the -rfc option to export the certificate in the printable encoding format, as defined by the Internet RFC 1421 standard.
  
  From the command line, you can use the following commands to export the DAS certificate:
```
<JAVA_HOME>/bin/keytool -export -rfc -alias s1as -keystore
<GLASSFISH_HOME>/domains/<DOMAIN_NAME>/config/keystore.jks-file s1as.rfc
```
  where, <GLASSFISH_HOME> indicates the Application Server installation directory and <DOMAIN_NAME> refers to the domain whose certificate is being exported.
- Copy the certificate file to the web server configuration directory.

If you are using Enterprise Server with HADB bundle, import the DAS certificate into the Web Server instance using the following commands:
```
<webserver home>/bin/https/admin/bin/pk12util-i sjsas.p12 -d <webserver
home>/alias -W<file password> -K <webserver security db password> -P
<instance-name>-<hostname>-
```
```
<webserver home>/bin/https/admin/bin/certutil -M -n s1as -t "TCu,Cu,Tuw"
-d alias -P <instance-name>-<hostname>-
```
This command makes the Application Server CA be a trusted CA to sign both client and server certificates.
- If you are using GlassFish v2.1 or Enterprise Server without HADB bundle, import the DAS certificate from the rfc file created using certutil, the NSS security tool.
```
<webserver_home>/bin/certutil -A -a -n s1as -t "TC" -i s1as.rfc -d
<WS_INSTALL_ROOT>/admin-server/config-store/<CONFIG_NAME>/config
```
  where, <webserver_home> refers to the web server installation directory and <CONFIG_NAME> refers to the configuration name created for the default web server instance.
  
  You can check the presence of this certificate by using the following command, which would list the s1as certificate along with other CA certificates including the default server certificate. Make sure that you type the entire command in a single line.
```
<WS_INSTALL_ROOT>/bin/certutil -L -d
<WS_INSTALL_ROOT>/admin-server/config-store/
<DEFAULT_CONFIG_NAME>/config
```
  You can also use the Web Server Admin Console to view this. Select the configuration to which the certificate has been imported to (default config, in this case), and then select the Certificates tab. To look at all the certificates available, select the Certificate Authorities sub tab.

Make the following configuration changes to Web Server 7.0.

Append the following lines to obj.conffile located at <WS_INSTALL_ROOT>/admin-server/config-store/<DEFAULT_CONFIG_NAME>/config/:

 <Object ppath="*lbconfigupdate*">
 PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
 PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>

Deploy the configuration. While doing the changes listed in the previous steps, the Admin Console would mark this configuration to be deployed.
1. Select the icon for Deployment Pending in the Web Server Admin Console. You can also deploy this configuration using the CLI utility wadm as follows:
```
<WS_INSTALL_ROOT>/bin/wadm deploy-config-user=<admin><DEFAULT_CONFIG_NAME>
```
  where <admin> is the administator user name.

Test this setup from the GlassFish DAS to see if it communicates with the configured HTTP Load Balancer over SSL. For more information, see Verifying the Setup.

Using Apache Web Server

The load balancer plug-in supports Apache Web Server 2.2.x and 2.0.x. To use Apache Web Server, you must perform certain configuration steps before and after installing the load balancer plug-in. The load balancer plug-in installation also makes additional modifications to the Apache Web Server. After the plug-in is installed, you must perform additional configuration steps. The load balancer plug-in supports only 32–bit versions of Apache Web Server.

Requirements for Using Apache Web Server

For the Apache Web Server, your installation must meet the minimum requirements.

With Apache, the load balancer plug-in requires:

openssl-0.9.7e (source)
httpd-2.2.10 (source) for Apache 2.2.x and httpd-2.0.59 (source) for Apache 2.0.x
gcc-3.3-sol9-sparc-local packages (for Solaris 9 SPARC).
gcc-3.3-sol9-intel-local packages (for Solaris 9 x86)
The pre-installed gcc (for Solaris 10)
flex-2.5.4a-sol9-sparc-local packages (for Solaris 9 SPARC)
flex-2.5.4a-sol9-intel-local packages (for Solaris 9 x86)
The pre-installed flex (for Solaris 10)

The software sources are available at http://www.sunfreeware.com

In addition, before compiling Apache:

On the Linux platform, install Sun GlassFish Enterprise Server on the same machine.
On the Solaris 9 operating system, use pkgadd to install gcc and flex. Note that pkgadd requires root access.
On the Solaris 9 operating system, ensure that gcc version 3.3 and make are in the PATH, and flex is installed.
On the Solaris 10 operating system, before running make for OpenSSL, run mkheaders, located in /usr/local/lib/gcc-lib/sparc-sun-solaris2.9/3.3/install-tools on Solaris SPARC or /usr/local/lib/gcc-lib/i386-pc-solaris2.9/3.3/install-tools on Solaris x86.
If you are using gcc on Red Hat Enterprise Linux Advanced Server 2.1, the version must be later than gcc 3.0.

Note –

To use a C compiler other than gcc, set the path of the C compiler and make utility in the PATH environment variable.

Applying the Apache Web Server Patch to Apache 2.0.x

Before installing the load balancer plug-in for Apache 2.0.x, apply the patch for the Apache Web Server issue 12355. More details about this issue are available at http://issues.apache.org/bugzilla/show_bug.cgi?id=12355. This patch is required for the Auto Apply feature to work with Apache 2.0.x. To apply the patch, follow these steps.

Untar http-2.0.59.tar and go to the directory httpd-2.0.59.
Download the patch from http://issues.apache.org/bugzilla/attachment.cgi?id=16495 and save it as a file, for example, 12355.diff.
From the directory httpd-2.0.59/modules/ssl, run the following command:
```
patch < 12355.diff
```

Configuring Apache before Installing the HTTP Load Balancer Plug-in

The Apache source must be compiled and built to run with SSL. This section describes the minimum requirements and high-level steps needed to successfully compile Apache Web Server to run the load balancer plug-in. These requirements and steps only apply to the Solaris and Linux versions of the software. For information on the Windows version of Apache, see the Apache web site.

Note –

The instructions included here are adapted from the instructions at http://httpd.apache.org/docs. For detailed instructions on installing SSL-aware Apache, please see that web site.

To Install SSL-aware Apache

Before You Begin

You must have already downloaded and uncompressed the Apache software.

Download and unpack the OpenSSL source.

Compile and build OpenSSL.

For full installation instructions, see the file named INSTALL in the directory where you uncompressed OpenSSL. That file has information on installing OpenSSL in a user-specified location.

For more information about OpenSSL, see the http://www.openssl.org/.

Download and unpack Apache.

Apache is available from http://httpd.apache.org.

Compile and build Apache. Configure the source tree:
1. For Apache 2.0.x, use this command: cd http-2.0_x. For Apache 2.2.x, use this command: cd http-2.2_x
2. Run the following command:
  
  ./configure --with-ssl= OpenSSL-install-path --prefix= Apache-install-path --enable-ssl --enable-so
  
  In the above commands, x is the Apache version number, open-ssl-install-path is the absolute path to directory where OpenSSL is installed, and Apache-install-path is the directory in which to install Apache.
  
  Note that you only need to use the --enable-ssl --enable-so options if your Apache 2 server will be accepting HTTPS requests.
  
  Apache 2 .0.x has multithreaded behavior if compiled with the --with-mpm=worker option.
  
  Note –
  With Apache 2.2, use the --with-included-apr option to build the bundled Apache Portable Runtime (APR).

For Apache on Linux 2.1, before compiling:
1. Open src/MakeFile and find the end of the automatically generated section.
2. Add the following lines after the first four lines after the automatically generated section:
```
LIBS+= -licuuc -licui18n -lnspr4 -lpthread -lxerces-c 
-lsupport -lnsprwrap -lns-httpd40
LDFLAGS+= -L/application-server-install-dir/lib -L/opt/sun/private/lib
```
  Note that -L/opt/sun/private/lib is only required if you installed Application Server as part of a Java Enterprise System installation.
  
  For example:
```
## (End of automatically generated section)
## 
CFLAGS=$(OPTIM) $(CFLAGS1) $(EXTRA_CFLAGS)
LIBS=$(EXTRA_LIBS) $(LIBS1)
INCLUDES=$(INCLUDES1) $(INCLUDES0) $(EXTRA_INCLUDES)
LDFLAGS=$(LDFLAGS1) $(EXTRA_LDFLAGS)
"LIBS+= -licuuc -licui18n -lnspr4 -lpthread 
-lxerces-c -lsupport -lnsprwrap -lns-httpd40
LDFLAGS+= -L/application-server-install-dir /lib -L/opt/sun/private/lib
```
3. Set environment variable LD_LIBRARY_PATH.
  
  With stand–alone installations, add as-install/lib
  
  With Java Enterprise System installations, set it to the Enterprise Server: as-install/lib:opt/sun/private/lib.
  
  If you are using Solaris 9, add /usr/local/lib to the LD_LIBRARY_PATH.

Compile Apache as described in the installation instructions for the version you are using.

For more information, see the http://httpd.apache.org/

In general, the steps are:
1. make
2. make install
Note –
For Apache 2.2.x, uncomment the following line in the apache-install-location/conf/httpd.conf file: Include conf/extra/httpd-vhosts.conf

Exporting the DAS Certificate

You must manually export the DAS certificate using the following command:

appserver-install-dir/lib/upgrade/certutil -L -d appserver-instance-dir/config -n s1as -a -o sjsas.crt

This certificate will be required at the time of installing the load balancer plug-in. Ensure you perform this task before you install the load balancer plug-in.

Modifications made by the Installer to Apache Web Server Configuration

The Enterprise Server installation program makes the following modifications to Apache configuration while installing the load-balancing pug-in. If you choose to install the load-balancing plug-in manually, you need to perform these steps manually. The installation program extracts the necessary files to the modules directory in the web server’s root directory:

Note –

Ensure that you export the DAS certificate before installing the load-balancing plug-in.

For Apache 2.0.x, the installer adds the following entries to the web server instance’s httpd.conf file:

##BEGIN EE LB Plugin Parameters
LoadModule apachelbplugin_module modules/mod_loadbalancer.so
#AddModule mod_apache2lbplugin.cpp
<IfModule mod_apache2lbplugin.cpp> 
  config-file webserver-instance/httpd/conf/loadbalancer.xml
  locale en
</IfModule>
<VirtualHost machine-ip-address>
  DocumentRoot "webserver-instance/httpd/htdocs"
  ServerName server-name
</VirtualHost>
##END EE LB Plugin Parameters

For Apache 2.2.x, the installer adds the following entries to the web server instance’s httpd.conf file:

##BEGIN EE LB Plugin Parameters
LoadFile /usr/lib/libCstd.so.1 (For Solaris SPARC only)
LoadModule apachelbplugin_module modules/mod_loadbalancer.so
#AddModule apachelbplugin_module
<IfModule apachelbplugin_module> 
  config-file Apache-install-location/conf/loadbalancer.xml
  locale en
</IfModule>
##END EE LB Plugin Parameters

For Apache 2.2.x, the installer adds the following entries to the web server instance’s httpd-vhosts.conf file:

##BEGIN EE LB Plugin Parameters
<VirtualHost machine-ip-address> 
  ServerName host-name
 DocumentRoot Apache-install-location/htdocs
</VirutalHost>
##END EE LB Plugin Parameters

Other changes made by the installer to ensure that Apache's config-file and ssl-config have correct values for your environment. The ssl-config file is located at Apache-install-location/conf/ssl.conf in Apache 2.0.x, or at Apache-install-location/conf/extras/httpd-ssl.conf. The config file is at Apache-install-location/conf/httpd.conf for Apache 2.0.x and for Apache 2.2.x. The summary of changes made are as follows:

In ssl-config, for VirtualHost default:port the default hostname and port is replaced with the hostname of the local system where Apache is installed and the server's port number. Without this change, the load balancer will not work. On Solaris Apache may not start and on Linux, HTTPS requests may not work.
In ssl-config, for ServerName www.example.com:443, www.example.com is replaced with the hostname of the local system where Apache is installed.

Without this change, the following warning appears when you start Apache if a security certificate is installed:
[warn] RSA server certificate CommonName (CN) hostname does NOT match server name!
For more information on installing certificates for Apache, see To Create a Security Certificate for Apache .
In config, replace ServerName www.example.com:80 with www.example.com with the hostname of the local system where Apache is installed.

Without this change, you see warnings when you start Apache that the system could not determine the server's fully qualified domain name, and that there are overlapping VirtualHost entries.
In apache-install-location/conf/extra/httpd-vhosts.conf, ServerName www.example.com:80 is replaced with www.example.com with the hostname of the local system where Apache is installed.

Without this change, you see warnings when you start Apache that the system could not determine the server's fully qualified domain name, and that there are overlapping VirtualHost entries.

Importing the DAS Certificate

The Enterprise Server installation program performs the following tasks for you.

Imports the DAS certificate by copying sjsas.crt to the apache-install-dir/conf/ssl.crt directory.

Appends the following lines to apache-install-dir/conf/extra/httpd-ssl.conf in Apache 2.2.x or to apache-install-dir/conf/httpd.conf in Apache 2.0.x.

<Location /lbconfigupdate>
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
SSLCACertificateFile apache-install-dir//conf/ssl.crt/sjsas.crt
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Sun Microsystems" \
and %{SSL_CLIENT_S_DN_OU} eq "Sun GlassFish Enterprise Server" \
and %{SSL_CLIENT_M_SERIAL} eq "<serial_number>" )
</Location>
<Location /getmonitordata>
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
SSLCACertificateFile apache-install-dir/conf/ssl.crt/sjsas.crt
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Sun Microsystems" \
and %{SSL_CLIENT_S_DN_OU} eq "Sun GlassFish Enterprise Server" \
and %{SSL_CLIENT_M_SERIAL} eq <serial_number> )
</Location>

Note –

For Apache 2.2.x, ensure that the line, Include conf/extra/httpd-ssl.conf is uncommented in the apache-install-dir/conf/httpd.conf file.

The value for serial-number needs to be generated from the DAS certificate file. Use the following command for generating the serial-number: keytool -printcert -file sjsas.crt. Change all lowercase characters to upper case in the output of this command and use it as the serial-number. This command will also print the name of the application server you are using.

Configuring Apache After Installing the HTTP Load Balancer Plug-In

This section requires the changes you make after installing Apache Web Server.

Modifying httpd.conf parameters to enable sticky round robin

For the sticky round robin feature to work, make the following changes in the apache-install-location/conf/extra/httpd-mpm.conf file for Apache 2.2.x or in the apache-install-location/conf/httpd.conf file for Apache 2.0.x.

Under the section prefork MPM, ensure that the values of the parameters StartServers and maxclients are set to 1. Otherwise, every new session request will spawn a new Apache process and the load balancer plug-in will be initialized resulting in requests landing in the same instance.

For Apache 2.2.x, uncomment the following line in the apache-install-location/conf/httpd.conf file:

Include conf/extra/httpd-mpm.conf

Configuring security files to work with the load balancer

Apache Web Server must have the correct security files to work with the load balancer plug-in. The load balancer depends on the NSS (Network Security Service) library, which requires these security database files. You need to get these security database files from Enterprise Server, so an installation of Enterprise Server must be available in a location accessible by the Web Server.

To configure security files to work with the load balancer:

For Apache 2.0.x, append /usr/lib/mps to LD_LIBRARY_PATH in the Apache-install-dir/bin/apachectl script.
For Apache 2.2.x, append /usr/lib/mps to LD_LIBRARY_PATH in the Apache-install-dir/bin/envvars file.

Providing access permissions to Apache user

Ensure that the Apache user has the required access permissions to the apache-install-location/conf/ directory and files in this directory. The Apache user is the UNIX user under which the Apache server responds to requests. This user is defined in the file httpd.conf. If you installed Apache as a root user, read the note about configuring the Apache user and group in apache-install-location/conf/httpd.conf.

Note –

Ensure that your configuration of users and groups meets the security requirements for this directory. For example, to restrict access to this directory, add the Apache user to the same user group as the owner of the directory.

Load balancer plug-in initialization

To ensure that the load balancer plug-in is initialized when Apache is started, grant the Apache user read access and write access to the following files:

apache-install-location/conf/loadbalancer.xml
apache-install-location/conf/sun-loadbalancer_1_2.dtd

Modifying directory access permissions to enable auto apply

To ensure that the Auto Apply feature operates correctly, grant the Apache user read access, write access, and execute access to the apache-install-location/conf/ directory.

If the Apache user is in the same group as the owner of this directory, change the mode to 775. If the Apache user is in a different group than the owner of this directory, change the mode to 777.

To Create a Security Certificate for Apache

These steps are required to support HTTPS requests on Apache.

For detailed information on setting up a security certificate on Apache, see the instructions on http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html and http://www.modssl.org/docs/2.8/ssl_faq.html. The following procedure is adapted from those web sites.

Set up the following environment variable:

OPENSSL_CONF=OpenSSL-installation-directory/apps/openssl.cnf.

Create the server certificate and key by executing the following command:

openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 365

When asked for a common name, give the host name on which you plan to run Apache. For all other prompts, enter values that meet any specific requirements you have.

This command creates newreq.pem.

Open the newly-created newreq.pem from the location where the openssl command was run.

Copy the lines beginning with BEGIN CERTIFICATE and ending with END CERTIFICATE and paste them in Apache-install-dir/conf/ssl.crt/server.crt. For example:
-----BEGIN CERTIFICATE----- .... ... -----END CERTIFICATE-----

Copy the lines beginning with BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY and paste them in Apache-install-dir/conf/ssl.key/server.key. For example:
-----BEGIN RSA PRIVATE KEY----- ... ... ... -----END RSA PRIVATE KEY-----

Make sure that the variables SSLCertificateKeyFileand SSLCertificateFile in Apache-install-dir/conf/ssl.conf for Apache 2.0.x or in Apache-install-dir/conf/extra/httpd-ssl.conf for Apache 2.2.x have the correct values.

Ensure that the ServerName is not www.example.com. The ServerName should be the actual host name where Apache will run, matching the Common Name you entered when creating the server certificate and key.

Starting Apache on Solaris and Linux

In general, you should start Apache with the same user that installed the Enterprise Server. You must start Apache as root under the following circumstances:

If you are a Java Enterprise System user.
If you've used port numbers which are less than 1024.
If Apache runs as a different user from the user that starts it.

To start Apache in SSL mode, use one of the following commands:

apachectl startssl or apachectl -k start -DSSL on Apache 2.0.x. Use apachectl start on Apache 2.2.x.

If needed, check the Apache web site for the latest information on starting the Apache server.

Verifying the Setup

Install the load balancer plug-in. For detailed steps to install the plug-in, see Sun GlassFish Enterprise Server 2.1 Installation Guide. During the installation, provide the path to the DAS certificate.
Log in to the Application Server Admin Console and create a new cluster. For steps to create a new cluster, refer to the Admin Console Online Help.
Create a new HTTP Load Balancer. While creating the load balancer, specify the web server host as the device host, web server SSL Port as the device port and select the cluster you created in the previous step as the target. For detailed steps to create a new HTTP Load Balancer, refer to the Admin Console Online Help.
To verify that the communication between the DAS and the web server is working properly, in the Admin Console, navigate to the HTTP Load Balancers node and click the HTTP Load Balancer. In the Load Balancer Device Settings page that appears, press the Test Connection button.

If you have not enabled the Automatically Apply Changes option while creating a load balancer, then you must manually export the load balancer configuration by going to the Export tab and clicking Apply Changes now.
If the test connection fails, be sure to check the Application Server domain logs and the web server logs to troubleshoot the problem. Also check if all the configuration steps have been performed correctly.

Using Microsoft IIS

To use Microsoft Internet Information Services (IIS) with the load balancer plug-in, follow the steps provided in these sections.

To Configure Microsoft IIS to use the HTTP Load Balancer Plug-in

Open the Internet Services Manager.

Select the web site for which you want to enable the plug-in.

This web site is typically named the Default Web Site.

Right click on the web site and select Properties to open the Properties notebook.

Add a new ISAPI filter, following these steps:
1. Open the ISAPI Filters tab.
2. Click Add.
3. In the Filter Name field, enter Enterprise Server
4. In the Executable field, type C:\Inetpub\wwwroot\sun-passthrough\sun-passthrough.dll.
5. Click OK, and close the Properties notebook.

Create and configure a new virtual directory:
1. Right click on the default web site, select New, and then Virtual Directory.
  
  The Virtual Directory Creation Wizard opens.
2. In the Alias field, type sun-passthrough .
3. In the Directory field, type C:\Inetpub\wwwroot\sun-passthrough.
4. Check the Execute Permission checkbox.
  
  Leave all other permission-related check boxes are left unchecked.
5. Click Finish.

Add the path of the sun-passthrough.dll file, the Enterprise Server as-install/bin and the Enterprise Server as-install/lib to the system’s PATH environment variable.

For IIS 6.0 users, configure the Load Balancer Web Service Extension to run in IIS 6 using the following steps:
1. In the IIS manager, expand the local computer, and click Web Service Extensions.
2. In the Tasks pane, select Add a new Web Service Extension.
3. Enter the name of the Extension as Sun-Passthrough and click Add.
4. Type the path to sun-passthrough.dll, C:\Inetpub\wwwroot\sun-passthrough.
5. Click OK.
6. Select Set extension status to Allowed.

For IIS 6.0 users, create the file C:\inetput\wwwroot\sun-passthrough\lb.log and give NTFS write and modify permissions to the group IIS_WPG on the file.

Because IIS 6.0 runs in Worker Process Isolation Mode, it runs the IIS server with the security privileges of the group IIS_WPG.

For all IIS users, restart the machine.

Verify that the web server, load balancer plug-in, and Enterprise Server are operating correctly.

Type the following in a web browser to access the web application context root: http://web-server-name/web-application, where web-server-name is the host name or IP address of the web server and web-application is the context root that you listed in the C:\Inetpub\wwwroot\sun-passthrough\sun-passthrough.properties file.

Tip –
The ISAPI filter status should be green. To check the filter status, access the web site's Properties notebook and click the ISAPI Filters tab. If the status is not green, try sending any HTTP request to the IIS HTTP port. It is OK if the request fails. Recheck the ISAPI filter status.

Automatically configured sun-passthrough properties

The installer automatically configures the following properties in sun-passthrough.properties. You can change the default values.

Property	Definition	Default Value
`lb-config-file`	Path to the load balancer configuration file	`IIS-www-root\sun-passthrough\loadbalancer.xml`
`log-file`	Path to the load balancer log file	`IIS-www-root\sun-passthrough\lb.log`
`log-level`	Log level for the web server	`INFO`

Note –

The Auto Apply feature is not currently supported with IIS.