Configuring load balancer rules for Data One WUI access on CEMAN
Introduction
In clustered environments, access to the Data One WUI hosted on CEMAN nodes is mediated by a front-end load balancer that exposes a single logical address and port and then evenly distributes calls across all back-end CEMAN nodes.
This section describes how to configure such load balancer in a generic way, the described concepts must then be translated by the administrator into specific configuration directives for the specific load balancer product actually adopted.
Relevant DMCFG variables for the load balancer configuration
name | description |
---|---|
ceman_ip_balanced | External load balancer address, used by application via browser to reach Data One WUI |
ceman_http_port_balanced | External load balancer HTTP/S port, used by application via browser to reach Data One WUI |
IAM_PROXY_PORT | External load balancer HTTP/S port port, used behind-the-scenes by the browser to contact Data One WUI |
ceman_https_port | Internal Data One WUI / CEMAN-core listening port |
KEYCLOAK_HTTPS_PORT | Internal Data One IAM listening port |
Load balancer rules
- Incoming calls to cemanip_balanced host at ceman_http_port_balanced port
must be routed to each
<cemanNode> at ceman_https_port
in a round-robin fashion - Incoming calls to cemanip_balanced host at IAM_PROXY_PORT port
must be routed to each
<cemanNode> at KEYCLOAK_HTTPS_PORT
in a round-robin fashion
Where <cemanNode> can be any of the hostnames where CEMAN instances belonging to a CEMAN cluster are installed.
Trusting of load balancer certificate by CEMAN
As a final step you need to retrieve the load balancer certificate chain and import it into CEMAN trust store available at <DATAONE_HOME>/wlp/usr/servers/<CEMAN_SERVER_NAME>/resources/security/key.p12.
Example
This is a simple example involving a self-signed certificate:
echo -n | openssl s_client -connect ceman_ip_balanced:ceman_http_port_balanced | openssl x509 > loadbal.cert
keytool -import -file loadbal.cert -alias loadbal -keystore \<DATAONE_HOME>/wlp/usr/servers/\<CEMAN_SERVER_NAME>/resources/security/key.p12 -storetype pkcs12 -storepass mypassord -noprompt
Will you use Data One for MFT with Data Mover?
Additional rules will be needed.These rules are the minimal set of rules required by the product to run.
When using Data One for MFT with Data Mover you will define file transfer protocol servers that require additional load balancing traversal rules to be added, in a protocol-specific way.
Updated 5 months ago