Configuring load balancer rules for Data One WUI access on CEMAN

Introduction

In clustered environments, access to the Data One WUI hosted on CEMAN nodes is mediated by a front-end load balancer that exposes a single logical address and port and then evenly distributes calls across all back-end CEMAN nodes.

This section describes how to configure such load balancer in a generic way, the described concepts must then be translated by the administrator into specific configuration directives for the specific load balancer product actually adopted.

Relevant DMCFG variables for the load balancer configuration

Load balancer rules

1. Incoming calls to cemanip_balanced host at ceman_http_port_balanced port
   must be routed to each
   <cemanNode> at ceman_https_port
   in a round-robin fashion
2. Incoming calls to cemanip_balanced host at IAM_PROXY_PORT port
   must be routed to each
   <cemanNode> at KEYCLOAK_HTTPS_PORT
   in a round-robin fashion

Where <cemanNode> can be any of the hostnames where CEMAN instances belonging to a CEMAN cluster are installed.

Trusting of load balancer certificate by CEMAN

As a final step you need to retrieve the load balancer certificate chain and import it into CEMAN trust store available at <DATAONE_HOME>/wlp/usr/servers/<CEMAN_SERVER_NAME>/resources/security/key.p12.

Example

This is a simple example involving a self-signed certificate:

echo -n | openssl s_client -connect ceman_ip_balanced:ceman_http_port_balanced | openssl x509 > loadbal.cert

keytool -import -file loadbal.cert -alias loadbal -keystore \<DATAONE_HOME>/wlp/usr/servers/\<CEMAN_SERVER_NAME>/resources/security/key.p12 -storetype pkcs12 -storepass mypassord -noprompt