Configuring load balancer rules for Data One WUI access on CEMAN

Introduction

In clustered environments, access to the Data One WUI hosted on CEMAN nodes is mediated by a front-end load balancer that exposes a single logical address and port and then evenly distributes calls across all back-end CEMAN nodes.

This section describes how to configure such a load balancer in a generic way; the administrator must then translate the described concepts into the specific configuration directives of the load balancer product actually adopted.

Relevant DMCFG variables for the load balancer configuration

name                       description
ceman_ip_balanced          External load balancer address, used by the application (via the browser) to reach the Data One WUI
ceman_http_port_balanced   External load balancer HTTP/S port, used by the application (via the browser) to reach the Data One WUI
IAM_PROXY_PORT             External load balancer HTTP/S port, used behind the scenes by the browser for the Data One IAM calls made on behalf of the Data One WUI (routed to the IAM port, see rule 2 below)
ceman_https_port           Internal Data One WUI / CEMAN-core listening port
KEYCLOAK_HTTPS_PORT        Internal Data One IAM listening port

Load balancer rules

  1. Incoming calls to the ceman_ip_balanced host at port ceman_http_port_balanced
     must be routed to each <cemanNode> at port ceman_https_port,
     in a round-robin fashion.
  2. Incoming calls to the ceman_ip_balanced host at port IAM_PROXY_PORT
     must be routed to each <cemanNode> at port KEYCLOAK_HTTPS_PORT,
     in a round-robin fashion.

Where <cemanNode> can be any of the hostnames where CEMAN instances belonging to a CEMAN cluster are installed.
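The following is an added example, not part of the Data One documentation, of how the two generic rules translate into a concrete product: a small POSIX shell function that renders an HAProxy configuration from the DMCFG values and the list of CEMAN node hostnames. It assumes (these are not stated by the page) that TLS is terminated on the load balancer with the load balancer's own certificate and key in /etc/haproxy/loadbal.pem, that traffic is re-encrypted towards the nodes, and that the CA which issued the CEMAN node certificates is available as /etc/haproxy/ceman-ca.pem; the node names and port values are placeholders.

```shell
#!/bin/sh
# Added example (not Data One's own code): render load balancer rules 1 and 2
# as an HAProxy configuration. Assumptions: TLS terminated on the load balancer
# (loadbal.pem), re-encrypted towards CEMAN (ceman-ca.pem verifies the nodes),
# HTTP mode so X-Forwarded-* headers can be set. Node names are placeholders.

# Render one frontend/backend pair: $1 front port, $2 back port, $3 name,
# remaining arguments are the CEMAN node hostnames (<cemanNode>).
render_pair() {
    front_port=$1; back_port=$2; name=$3; shift 3
    printf 'frontend %s_in\n' "$name"
    printf '    bind %s:%s ssl crt /etc/haproxy/loadbal.pem\n' "$ceman_ip_balanced" "$front_port"
    printf '    default_backend %s_nodes\n\n' "$name"
    printf 'backend %s_nodes\n' "$name"
    printf '    balance roundrobin\n'                     # rule: round-robin across all nodes
    printf '    option forwardfor\n'
    printf '    http-request set-header X-Forwarded-Proto https\n'
    for node in "$@"; do
        # Every node receives the same backend port; the node certificate is
        # verified against ceman-ca.pem so a rogue backend cannot be inserted.
        printf '    server %s %s:%s ssl verify required ca-file /etc/haproxy/ceman-ca.pem check\n' \
            "$node" "$node" "$back_port"
    done
    printf '\n'
}

# Render the complete configuration. Expects the DMCFG values in the
# environment: ceman_ip_balanced, ceman_http_port_balanced, ceman_https_port,
# IAM_PROXY_PORT, KEYCLOAK_HTTPS_PORT. Arguments: the CEMAN node hostnames.
render_haproxy_cfg() {
    printf 'global\n    log stdout format raw local0\n\n'
    printf 'defaults\n    mode http\n    log global\n'
    printf '    timeout connect 5s\n    timeout client 60s\n    timeout server 60s\n\n'
    # Rule 1: WUI traffic -> ceman_https_port on every node
    render_pair "$ceman_http_port_balanced" "$ceman_https_port" wui "$@"
    # Rule 2: IAM traffic -> KEYCLOAK_HTTPS_PORT on every node
    render_pair "$IAM_PROXY_PORT" "$KEYCLOAK_HTTPS_PORT" iam "$@"
}

# Usage (values and node names are placeholders):
#   ceman_ip_balanced=10.0.0.10 ceman_http_port_balanced=443 ceman_https_port=9443 \
#   IAM_PROXY_PORT=8443 KEYCLOAK_HTTPS_PORT=9444 \
#   sh -c '. ./render.sh; render_haproxy_cfg ceman1 ceman2' > /etc/haproxy/haproxy.cfg
```

Other products express the same two pairs differently (an NGINX `upstream` block per rule, a Citrix or F5 virtual server with a pool per rule), but the mapping stays the same: one external port per rule, one pool containing every <cemanNode> on the internal port, round-robin distribution.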

Trusting of load balancer certificate by CEMAN

As a final step, retrieve the load balancer certificate chain and import it into the CEMAN trust store, available at <DATAONE_HOME>/wlp/usr/servers/<CEMAN_SERVER_NAME>/resources/security/key.p12, on each CEMAN node of the cluster (every node has its own trust store). The import must be repeated whenever the load balancer certificate (or, for a CA-issued certificate, its issuing chain) is replaced.

Example

This is a simple example involving a self-signed certificate, so the chain consists of that single certificate and extracting the first certificate presented by the server is enough. Replace the -storepass value with the actual password of key.p12:

# fetch the certificate presented by the load balancer (SNI set to the same host)
echo -n | openssl s_client -connect ceman_ip_balanced:ceman_http_port_balanced -servername ceman_ip_balanced | openssl x509 > loadbal.cert

# import it into the CEMAN trust store
keytool -import -file loadbal.cert -alias loadbal -keystore <DATAONE_HOME>/wlp/usr/servers/<CEMAN_SERVER_NAME>/resources/security/key.p12 -storetype pkcs12 -storepass mypassword -noprompt
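When the load balancer certificate is issued by a CA, the command above imports only the leaf certificate: `openssl x509` reads the first PEM block, and the intermediate and root certificates are left out, so CEMAN would still fail to validate a renewed leaf. The following POSIX shell functions are an added example, not part of the Data One documentation, that fetch the complete chain with `-showcerts`, split it into one file per certificate and import every certificate under its own alias; the bundle file name, the loadbal-<n> aliases and the STOREPASS variable are names chosen here, while host, port and keystore path are the page's placeholders.

```shell
#!/bin/sh
# Added example (not Data One's own code): import the complete certificate
# chain presented by the load balancer into the CEMAN PKCS12 trust store.
# Host, port, keystore path and password are placeholders from DMCFG.

# Fetch every certificate the load balancer presents (SNI set to the host)
# and write them as a PEM bundle to $3. Fails if nothing was received.
fetch_chain() {  # $1 host, $2 port, $3 output bundle
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
    [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
}

# Split a PEM bundle read from stdin into files $1<n>.pem, one per
# certificate, and print how many certificates were written.
split_pem_chain() {  # $1 output file prefix
    awk -v p="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p n ".pem" }
        out != ""                      { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }'
}

# Import each certificate of bundle $1 into the PKCS12 trust store $2
# (password $3) under aliases loadbal-1, loadbal-2, ... so that the leaf,
# the intermediates and the root are all trusted. keytool refuses to
# overwrite an existing alias: delete old loadbal-* aliases before re-running.
import_chain() {  # $1 bundle, $2 keystore, $3 store password
    count=$(split_pem_chain loadbal- < "$1")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -file "loadbal-$i.pem" -alias "loadbal-$i" \
            -keystore "$2" -storetype pkcs12 -storepass "$3"
        i=$((i + 1))
    done
    # Check: list what is now trusted under the loadbal-* aliases.
    keytool -list -keystore "$2" -storetype pkcs12 -storepass "$3" | grep '^loadbal-'
}

# Usage, with the DMCFG values filled in (STOREPASS holds the key.p12 password):
#   fetch_chain ceman_ip_balanced ceman_http_port_balanced loadbal-chain.pem
#   import_chain loadbal-chain.pem \
#       "<DATAONE_HOME>/wlp/usr/servers/<CEMAN_SERVER_NAME>/resources/security/key.p12" "$STOREPASS"
```

Before importing, it is worth confirming that the first certificate of the bundle is the one the load balancer is meant to present (`openssl x509 -in loadbal-1.pem -noout -subject -issuer -dates`): importing whatever a misconfigured or spoofed endpoint returns would silently extend CEMAN's trust to it.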

Will you use Data One for MFT with Data Mover?
Additional rules will be needed.

The rules above are the minimal set required for the product to run.

When using Data One for MFT with Data Mover you will also define file transfer protocol servers, which require additional, protocol-specific load balancer traversal rules to be added.