Authentication vs load balancing

Hi all u guru's
We are developing an application which must communicate securely with a farm of application servers through load balancing (all servers are assigned virtual ip). The constraint is that all servers are independent ( do not manage back end db to save common secure context for example). We are also constrained on communication between the servers.
Does anybody knows the protocol (or any other solution) for establishing secure communication in such conditions ?
the problem is establishing symmetric key (we don't know to which application server the message is sent).
We proposed next solution:
1. Client invents symmetric key.
2. a payload with symmewtric key encypted (with server public key) and signed (with client private key) is added to every message.
3. every Application server can decrypt and verify the key and store it for future use (if the message come with the the same payload id).
Can someone tell is there any main disadvantages to the scheme, that can ruin it all?
please answer also to [email protected]

The major drawback is transaction size and speed, depending on the type of application. Have you considered using sticky sessions (where every user is assigned to the same machine he first hit)? The other option is serializing the info/key from machine to machine as needed, which in my opinion is not a secure thing to do.
Those are the other two options off the top of my head. I'm guessing that you have some sort of client capable of mainting the key information for the user. If not, and all you have is a browser, I don't think this will work like you think it will.

Similar Messages

X.509 certificate based authentication with load balancer

I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

Hi George,
If you want the client's cert, the server has to ask for it and this
implies two-way SSL. Normal one-way SSL the server provides the cert to
the client and the client decides if it wants to continue the handshake.
If the client is OK with the server certs and two-way SSL is configured
on the server, then the server will request the client send it's certs.
If the client certs are OK, then the pipe is established.
Concerning the load balancer I'm assuming it is simply providing a
tunnel, but I don't have the experience to comment and it is something I
would suggest that you that you seek guidance from our outstanding
support team [1] or drop a note in the security newsgroup [2] for the
experts to review.
Regards,
Bruce
[1]
http://support.bea.com
[email protected]
[2]
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=xover&group=weblogic.developer.interest.security
George Coller wrote:
>
I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

SharePoint Central Administration: High Availability and Load Balancing

Running Central Administration on more than one server in the farm is 100% supported and indeed a recommended best practice on SharePoint 2010.
Is Load Balancing on Central Administration
supported for SharePoint 2013?
Is Implementing Kerberos Authentication for load balanced Central Administration 100% supported in SharePoint 2013?
Is Implementing Central Administration on Port 80 or 443 100% supported on SharePoint 2013?
I’ve read a article about from Spence
Harbar. I would like to know of this is supported for SharePoint 2013?
Source:
http://www.harbar.net/articles/spca.aspx
jtjscholten

Thanks! Disappointed there is no description from Microsoft :(
jtjscholten

Certificate based authentication with SSL load balancer

I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

I think the simplest and most secure way is to have the servers configured for
2-way ssl, since this would ensure that the certificate they receive and use for
authentication has been validated during the ssl handshake. In this case the load
balancer itself does not need to and cannot do the handshaking, and would need
to pass the entire SSL connection through to the WLS server (ie: act similar to
a router)
Pavel.
"George Coller" <[email protected]> wrote:
>
I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

Siebel Testing. Cookie handling, cookie load balancing and authentication.

We are delivering a PoC in a big Siebel customer and we are finding some issues.
Environment information is:
- Siebel testing, version 8.
- NTLM Windows authentication.
     When we create a Siebel Load script, recording works fine. Replaying the script, after adding the Authentication function, does not work
     When we create a Web Load Script with the same structure and business process, after adding the Authentication function, it works.
     Looking at the difference between Web and Siebel scripts, only difference are a couple of cookies that Web script considers and Siebel does not. This two cookies are added in the second call of the NTLM handshake requests (two requests with 401 http code and a final with a 200 http code). The application, in the first NTLM handshake request, ask the browser to add a couple of cookies that the browser (and OLT in a web load script) add. Siebel load script does not add/handle this cookies.
     Accordingly, the script works with web module but does not work with Siebel module.
Right now we only have two options to make Siebel work:
- Change the DNS address to point to a single node for the application, instead of pointing to the load balancing service. This way, cookies are not needed and the script does not fail.
- Add the cookies by hand. This way, cookie content is "hardcoded" and, so, it will not be useful for load balancing purposes, which lead us to previous bullet. Load testing using Siebel will not work load balanced.
I added a web script (works fine with no tweaking) and a Siebel script executed with normal configuration (does not work) and workaround (avoiding the load balancing cookies- it works).
Many thanks for the help,
Iván.
IM_Siebel_Second_Test.zip
Siebel web test.zip
Edited by: user9982485 on 03-Aug-2010 09:18

Álex,
Thank you a lot, I will call you related to other issue also. Thanks for the kind help!.
IMHO, it works or not depending on cookies added for load balancing. Siebel module does not specifically add these cookies, while web module does. If you delete the cookies from the web module, it stops working, so I guess the cookies are making/breaking the script.
I will send you the scripts, so you can have a look.
Thanks,
Iván.

Can't see Native Authentication Provide while configuing Load Balance Manag

I am configuring Load Balance Manager in FDM 11.1.1.3. I followed the steps as per Oracle, and am setting my local Windows 2003 default Adminstrator account as the username for everything. Everything worked fine upto the point where I specify the authentication provider. I wanted to use Native Authentication, but when I try to "add" an authentication provider, the only option I have is to add Shared Services, Visual Basic Script Authentication and Visual Basic SSO. Can't figure out why Native authentication is not there.
to be completely honest, I don't care what mode it uses as long as it works. What are the implications of using Native vs Shared Services. Say I choose Shared services, do I have to do anything in shared services as part of the configuration?
I am running Hyperion Planning, Essbase.

When you say "native authentication" are you referring to the shared services native directory or are you expecting to see NTLM, MSAD, or LDAP as available authentication providers?
All authentication is now handled via shared services in 11.1.1.3. You will need to specify the provider as shared services and then add your MSAD or LDAP providers within shared services and provision the users for the FDM application(s).
NTLM is no longer supported and has been removed from the FDM list of providers as well as an available external provider option in shared services.

Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?

Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5. SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM. We would like to implement ADFS 3.0
later for Single Sign-on, and we are wondering if ADFS supports SSL offload.
Do we need to bind the certificate to the WFEs as well to use ADFS?
Thank you!

Just got it confirmed that ADFS supports SSL offload. There is no direct communication between SharePoint and ADFS server during the authentication process. It is always the browser that's talking to ADFS server. We just need to do the following:
Configure SharePoint URLs in ADFS as replying parties with https.
Configure AAM in SharePoint to make sure internal URL is http and public URL is https.

Load balancing host named site collection

I am jumping into the realm of host named site collection. While the learning experience has been good, still there are some questions unanswered. Please bare patience since my questions are long.
- I have a non host header site on port 80 that has https certificate added to IIS for supporting app store in https mode.
- I tried to created the host name site collection using https in this default port 80 non host header web application and was greeted with error. Then i extended the web app to different zone with port 443 . Then created the host header site collection
with https with web application name for extended 443 one. Creation went in fine.
- I tired to use IPs on now extended IIS site and bind certificates on that one. The site does not load. I do the same again in the default zone iss site, bind ips on that one and site loads. Now question is even though host header site collection was created
using extended web application url , why binding had to be done on default zone IIS site?
- Second test, i changed the authentication mode for extended, no effect on host named site collection but as soon as i changed it in default zone it reflected in host named site collection. I am confused why it needs extended zone url to create the https
site but every change done in default zone is getting reflected on this host named site collection.
Now for load balancing , it works fine with IP? But how to load balance these host named site collection using url. I talked with f5 team and they said i need to send some reply query string from each site. Where do i do that? Or is it even needed?
Accoring to this link : https://devcentral.f5.com/articles/name-based-virtual-hosting-with-ltm
. If the site hosts an application, though, the monitor should request a dynamic page on each webserver which forces a transaction with the application to verify its health and returns a specific phrase upon success.
For application monitoring, the recommended best practice is to create such a script specific to your application, configure the monitor Send string to call that script, and set the Receive string to match that phrase.
Has any one done this before? I tired to search for resource regarding this for iis or sharepoint but was not able to get anything.
Thank you for your patience for reading such a long question.
Adit

first part of question:
Default Web Appliction in port 80: Creating https host named site collection fails.
Extend default web application on port 443 : Https hostnamed site collection created when web application name is passed for extended web application on port 443. This means this site collection is associated with this extended web application correct? But
all the changes made in IIS only reflect if it is made to port 80 web application. Also changing authentication scheme from Central Admin, only changes on default zone reflects on site collection not the one in extended web application? Why if the site
was only created on extended web application paremeter, changes on default are reflecting on it but not from extended.
Second part of question:
Each Hostnamed site collection when load balanced thorough f5 using IP for 3 WFE uses 3 IPs for each. This way we will run out of IPs pretty soon. I want to know if there is way to load balance these sites using Hostname or anyother paramenter through f5
and if any body has done it?
https://devcentral.f5.com/articles/name-based-virtual-hosting-with-ltm link talks about sending reply string
from application but i do not know where to set it up or how to do it? No resources in the net. Just asking if any one else has done it.
Adit

Cisco 886VA - Multiple PPPoE Line Load Balancing

Dear Cisco Community,
due to the need of increased bandwidth a customer ordered three ADSL6000/576Kbit lines from the same ISP. Dial-in is done with PPPoE and the IP is not static.
- Is it possible to load balance between the three ISP lines with this router as the Cisco 886VA-K9 (Advanced IP Services) doesnt support PFR/OER I want to load balance per session, meaning each TCP session takes the same path, the next TCP session takes second path, next TCP session takes third path, then first path again and so on.
- I did read the tutorials avaiable, but they don't discuss how the lines are used in round-robin fashion, just how to distribute different traffic on different lines. (https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla?page=1) or (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html)
- How would you solve this challenge?
Relevant config so far:
vlan 1
name #LAN#
vlan 2
name #WAN-Uplink1#
vlan 3
name #WAN-Uplink2#
interface FastEthernet0
description #LAN#
switchport access vlan 1
interface FastEthernet2
description #WAN-Uplink1#
switchport access vlan 2
no ip address
pppoe enable
pppoe-client dial-pool-number 20
interface FastEthernet3
description #WAN-Uplink2#
switchport access vlan 3
no ip address
pppoe enable
pppoe-client dial-pool-number 30
interface ATM0
description #WAN-Uplink3#
no ip address
logging event atm pvc state
logging event atm pvc autoppp
logging event subif-link-status
no atm ilmi-keepalive
no ip redirects
no ip unreachables
no ip proxy-arp
dsl enable-training-log delay 0
dsl bitswap both
interface ATM0.1 point-to-point
bandwidth 550
bandwidth receive 6000
pvc pvc 1/32
pppoe enable
pppoe-client dial-pool-number 10
vbr-nrt 500 500 1
service-policy out WAN-Control1-Parent
interface Vlan1
description #LAN#
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
description #WAN-Dialer1#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 20
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output WAN-Control2-Parent
interface Dialer2
description #WAN-Dialer2#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 30
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output WAN-Control3-Parent
interface Dialer3
description #WAN-Dialer3-ATM#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password 7 XXX
ppp pap sent-username xxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
ip nat inside source route-map ISP1 interface Dialer1 overload
ip nat inside source route-map ISP2 interface Dialer2 overload
ip nat inside source route-map ISP3 interface Dialer3 overload
route-map ISP1 permit 10
match ip address 100
match interface Dialer1
route-map ISP2 permit 10
match ip address 100
match interface Dialer2
route-map ISP3 permit 10
match ip address 100
match interface Dialer3
access-list 100 remark #NAT-LIST#
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
Thank you for helping.

Hey there,
I managed to fulfill my requirement..
If its a cluster on same machine or across machines, this should work
1. Login to machine, cd $DOMAIN_HOME
2. mkdir -p Apex_lsn_config/AdminServer Apex_lsn_config/<MS1> Apex_lsn_config/<MS2> # MS1 and MS2 are the Managed Server names as appropriate
#If you are planning for cluster spawning MS's across machines, make sure you create the dir's on step 2 for each machine respectively. (in my case $DOMAIN_HOME is not shared)
3. Copy apex-config.xml from the /tmp/apex or whatever location you have it currently to Apex_lsn_config/<MS1> Apex_lsn_config/<MS2>
4. cd $DOMAIN_HOME/bin; cp -p SetDomainEnv.sh SetDomainEnv.sh.orig #Backup the file
5. Append -Djava.io.tmpdir in SetDomainEnv.sh as below for JAVA_OPTIONS # Do it on both machine if you are not sharing DOMAIN_HOME and planning cluster across machines
-Djava.io.tmpdir=$DOMAIN_HOME/APEX_CONFIG/${SERVER_NAME}
Hint: Search for "iterativeDev" and append the same line with -Djava.jo.tmpdir
6. Modify "java.io.tmpdir" from the web.xml file of apex.war as below and re-deploy the war
<context-param>
<param-name>config.dir</param-name>
<param-value>${java.io.tmpdir}</param-value>
</context-param>
7. Bounce Weblogic Admin and Manged Servers. Make sure to tail the Managed Server log to see apex-config.xml is picked from the new location.
8. Brew a Coffee for yourself :)
- You find the instructions on creating a cluster from weblogic documentation, the steps mentioned above are only to overcome the bdb locking issue whilst creating a cluster.
Did it help?
Edited by: Oratime on Mar 25, 2013 2:44 AM

Load Balancing Directory Servers with Access Manager - Simple questions

Hi.
We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
[14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
Will be really grateful for any help / insight / experience on dealing with the above.
Thanks!

Update to the above, incase anyone is reading:
We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
3. Host 1: Started replication. Set to Master
4. Host 2: Started replication. Set to Master
5. Host 1: Setup replication agreement to Host 2
6. Host 2: Setup replication agreement to Host 1
7. Initiated the remote replica from Host 1 ----> Host 2
Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
9. Started webserver for Host 1 and logged into AM as amadmin.
10. Added Host 2 FQDN in DNS Aliases / Realms
11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
At this stage, note the following:
a) Host 1:
AMConfig.properties file has
com.iplanet.am.directory.host=host1_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
b) Host 2:
AMConfig.properties file has
com.iplanet.am.directory.host=host2_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
Returning back to the configuations:
13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and confgure the following:
a) Network Group
b) LDAP servers
c) Load Balancing
d) Change Group
e) Action on-bind
f) Allow all actions (permit modification / deletion etc.).
g) any other configuations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
LDAP Authentication
MSISDN server
Membership Service
Policy configuation.
Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
16. Edit serverconfig.xml on both hosts, and instead of they pointing to their local directory servers, point both to host1_FQDN:489
17. When you start the webserver, it will refuse to start. Will spew errors such as:
[https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
[https-host1_FQDN]: info: CORE3016: daemon is running as super-user
[https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
[https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
[https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
[https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: ----- Root Cause -----
[https-host1_FQDN]: java.lang.NullPointerException
[https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]:
[https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
[https-host1_FQDN]: startup: server started successfully
Success!
The server https-host1_FQDN has started up.
The server infact, didn't start up (nothing even listening on 58080).
However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
So far so good. Now comes the sad part. When the same is done on Solaris 9, things dont work. You continue to get the above error, OR the following error, and the web server will refuse to start:
Differences in Solaris and Windows are as follows:
1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
No other difference from an architectural perspective.
Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
Thanks a bunch!

Load Balancing on DSL link

Dear All,
We are having 2 internet link from 2 separate ISP.
Please help me in doing load balancing on this 2 ADSL LINK.
Thanks/Regards
Atul

Hello,
here is a sample configuration for load balancing with 2 links:
ip cef
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
no ip route-cache
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0.2 point-to-point
no ip route-cache
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
interface Dialer1
description ISP1_Connection_1
ip address dhcp
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password PASSWORD
interface Dialer2
description ISP1_Connection_2
ip address dhcp
ip mtu 1452
encapsulation ppp
dialer pool 2
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password PASSWORD
ip nat inside source route-map ISP1_Connection_1 interface Dialer1 overload
ip nat inside source route-map ISP1_Connection_2 interface Dialer2 overload
access-list 1 permit 192.168.1.0
route-map ISP1_Connection_1 permit 10
match ip address 1
match interface Dialer1
route-map ISP1_Connection_2 permit 10
match ip address 1
match interface Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
dialer-list 1 protocol ip permit
Regards,
GP

Guest N+1 redundancy & load balancing in seperate data centers

I need assistance in aquiring documentation to setup N+1 redundancy & load balancing between two seperate guest anchor controllers installed in seperate data centers. Can you explaing how it should be setup or point me in the right direction for documentation? If you can't point me in the right direction to aquire documentation; can you answer the following questions?
1) How do I setup my mobility groups on my guest anchor controllers installed in the DMZ? Should both guest anchor's be in the same mobility group.
2) Do both guest anchors share the same virtual IP or do they need to be seperate (DMZ01 - 1.1.1.1 / DMZ02 - 2.2.2.2)? I think seperate!
3) Are there any configuration parameters on the guest anchors for load balancing?
4) Do either on of the guest anchors need to be setup as a master controller? I'm not sure?
5) Are there any configuration parameters on the foreign controllers for load balancing?
6) How do I setup my foreign controllers? Should both guest controllers be added to the mobility group on the foreigh controller? I would think both of them would be added to the foreign controller mobility group.
7) Should both guest anchors be added as an anchor on the WLAN? I would think both controllers would need to be added as anchors under the WLAN!
8) Am I missing anything here? This is how I think it should logically work?
Thanks,
Gordon

I need to elaborate on my questions:
1) Do both of my guest DMZ anchors need to be in a seperate mobility group on their own or can the guest anchors be in completely seperate mobility groups? All 100 + foreign controllers are in seperate mobility groups.
I) Example #1: Guest anchor number 1 (Mobility group: DMZ) / Guest anchor number 2 (Mobility group: DMZ)
II) Example #2: Guest anchor number 1 (Mobility group: DMZ01) / Guest anchor number 2 (Mobility group: DMZ02)
2) Do both guest anchor controllers have to be configured with seperate virtual IP's or do they share the same address?
I) Follow up to this question: I want to register the DMZ controllers with our DNS servers so that my clients receive a name when authenticating through my customized webauth. I am currently using 1.1.1.1 as the virtual address and I'm pretty sure this is the address I need to register with my external DNS server. My question is this. Does the address I use for the virtual interface matter? 1.1.1.1 is not a valid address with my network. Do I need to assign a valid address registered with my network if I'm going to add this address to my external DNS servers?
3) No change to my original question.
4) No change to my original question.
5) No change to my original question. I have run into Cisco documentation that mentions guest anchor load balancing, but the documentation is very vague. I'd love to be able to load balance as the network group wants to limit my guest traffic to the internet. I could double my pipe if I could load balance the guest anchors.
6) No change to my original question, but the answer to question one is key to the setup of my foreign controllers.
7) Elaboration: Should both guest controllers be added as an anchor under the WLAN on the foreign controllers? I would think both of them would be added.
8) No change:
9) Should my secondary guest controller be added as an anchor on the WLAN of the primary guest DMZ controller and visa versa?
Can my Cisco expert answer this or do I need to open a TAC case?
Thanks,
Gordon Shelhon
SR. Wireless Services Engineer
Company: Not specified

FTP Load-Balancing in DSR mode

Hello Experts ..
Need some clarity on FTP LB under DSR mode .... I have my DSR working fine for normal http traffic , but facing issues with FTP on the same , please find the configs attached below
Topology
Client ( 10.20.10.101) -----> CAT6k ( 10.20.10.110 & 10.10.15.2) --> ACE --- > Server
VLAN 149 VLAN 149 & VLAN 150
access-list access line 8 extended permit icmp any any
access-list access line 16 extended permit tcp any any
access-list acl line 8 extended permit ip any any
rserver host real2
ip address 10.10.15.101
inservice
serverfarm host ftp
transparent
rserver real2
inservice
class-map match-all ftp-vip
2 match virtual-address 192.168.5.5 tcp eq ftp
class-map match-any ftp_1
2 match access-list access
policy-map type management first-match mgmt
class class-default
permit
policy-map type loadbalance first-match ftp
class class-default
serverfarm ftp
policy-map multi-match LBPOL
class vip
loadbalance vip inservice
loadbalance policy lbpol
loadbalance vip icmp-reply active
class ftp-vip
loadbalance vip inservice
loadbalance policy ftp
inspect ftp
class ftp_1
nat dynamic 5 vlan 150
interface vlan 61
ip address 61.202.200.200 255.0.0.0
access-group input acl
service-policy input mgmt
no shutdown
interface vlan 150
description server-side
ip address 10.10.15.1 255.255.255.0
no normalization
access-group input acl
nat-pool 5 10.10.15.209 10.10.15.209 netmask 255.255.255.255 pat
service-policy input LBPOL
service-policy input mgmt
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.15.2
Client
======
root@TLS_SRV ~]# ifconfig eth1.149
eth1.149 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:10.20.10.101 Bcast:10.20.10.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:203 errors:0 dropped:0 overruns:0 frame:0
TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10444 (10.1 KiB) TX bytes:8408 (8.2 KiB)
route
192.168.5.0 10.20.10.110 255.255.255.0 UG 0 0 0 eth1.149
CAT6k
=======
interface Vlan149
ip address 10.20.10.110 255.255.255.0
end
interface Vlan150
ip address 10.10.15.2 255.255.255.0
end
ip route 192.168.5.5 255.255.255.255 10.10.15.1
Server
=======
eth1.150 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:10.10.15.101 Bcast:10.10.15.255 Mask:255.255.255.0
inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9194 errors:0 dropped:0 overruns:0 frame:0
TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:503104 (491.3 KiB) TX bytes:71884 (70.1 KiB)
eth1.150:1 Link encap:Ethernet HWaddr 00:1C:23:E2:50:C4
inet addr:192.168.5.5 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
route
10.20.0.0 10.10.15.2 255.255.0.0 UG 0 0 0 eth1.150
When i do FTP from client 10.20.10.101 , my connection is getting refused.... But when i connect to my server directly bypassing ACE i am getting authenticated ..
As per the DSR , i made Rserver & ACE as L2 Adjacent , so when ACE receives the packet it will change the dest ip instead it will use VIP ip as destination , but the MAC will be rewritten to Rserver MAC address... As i said before all works fine for http DSR ...
I know NAT doesn't work in ACE when its configured under DSR , but for FTP i made NAT config , but even if i remove the same its not working , Is my config for FTP is correct ?
Could some please look into this and reply ?
Thanks
Charles

if you need to route / provide load balancing between 2 hosts, then you will need to have Route SAF . you can use web server 7 reverse proxy cli or gui to get this. however, you might want to start from a fresh configuration to avoid reverse-map / map that you have experimented with does not overlap with the 'Route' functionality that you seem to need here
here are some reference content
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_sun
http://www.sun.com/bigadmin/features/articles/web_server_zones.jsp

IChat Load Balancing or failover solution?

Hello, I am working a plan to develop a iChat server. I think a Mac Mini would be a good start for a group of 50 users. The users are all over the country and my role is to unite them all in a iChat domain. I thought about building two Mac Mini servers and have them run a same domain where all users are registered in. So, we would not be impacted when one of them goes down.
Anyway, the question is how can I have a load balancing or failover solution for the iChat domain?

On the issue of load balancing, whilst I don't have any experience with macMini's, you will not need to worry about load balancing with 50 users. I'm sure you can probably put a few naughts on the end of that before you need to worry.
The design you are proposing will not work for iChat services / and for that matter most of Apple server services. For high availability services (e.g. transparent failover) I think you are going to struggle to get this working and it 'seems' Apple no longer offers guidance on this subject on 10.6.x.
You will increase availability by using an Xserve with dual PSUs and raid disks. If you are only running high availability ichat services, I would buy a pair of second hand xserves with 10.5 OS and set the ipfailover services running. Personally I would buy one and a service kit and not bother with HA - as you will find the servers are very reliable.
If you have to use mini's then just have one live and keep a near constant clone of it on another ready to manually swap out if you have a hardware failure.
Your proposed design will not work without a lot of effort non of which is supported by Apple - although it would be rewarding if you did get it working. You cannot have server to server traffic for the same domain as all your application data needs to be stored centrally. OD only provides services for authentication. The ichat server also has its own data store and this is not distributed nor can it be. It is possible to move the data store over to say an enterprise version of mysql and have that distributed.

Https through load balancer breaks declarative security

Hello,
My desired setup is for a Jboss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have ssl client side authentication.
I need someone to please confirm/deny the following statements:
1) ssl has to be negotiated by the load balancer, whether hardware or software based (apache with mod_proxy/mod_jk).
2) if using apache with mod_jk it is possible to configure it to send the client side authentication details (certificate) in such a way that jboss may enforce declarative authorization as if it had done the authentication itself. This also means that the programatic means to get the authenticated user identity described in the ejb and servlet specs will still work.
3) there is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorization enforcement.
After a whole lot testing and digging up for info, I'm quite desperate to solve this question, so if someone could help me I would be most thankfull.
Nuno

After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the vlan and zone. Using this links as my references in case anyone is interested. I'll post what I come up with.
https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual
Network Device

Authentication vs load balancing

Similar Messages

Maybe you are looking for