Setting up Apache load balancing software with vCenter Single Sign-On

Article ID: 336117

Products

VMware vCenter Server

Issue/Introduction

In vSphere 5.1, vCenter Single Sign-On (SSO) can be deployed in three modes: Basic, HA, or Multisite. HA mode can utilize a load balancer to increase the availability of the service. Any SSL-enabled HTTP load balancer can be used.

VMware does not support the configuration of the load balancer. However, VMware provides the information in this article and the attached configuration file as an example of using the Apache HTTP Server with mod_proxy.

This article assumes that you have installed one or more vCenter Single Sign-On nodes in high availability mode. For more information, see Configuring vCenter Single Sign-On for High Availability (2033588).

Environment

VMware vCenter Server 5.1.x

Resolution

Note: This is an example configuration. All server names are examples and should be replaced with values that are valid for your organization.

Prerequisites

  1. Set up two or more Single Sign-On nodes in High Availability mode. For more information, see Configuring vCenter Single Sign-On for High Availability (2033588).
  2. Prepare at least three IP addresses or hostnames: one for the load balancer (loadbalancer.vmware.com) and two for the Single Sign-On servers (sso1.vmware.com, sso2.vmware.com).

Download and set up Apache HTTPD as a load balancer

  1. Download Apache 2.2.x with SSL support from http://httpd.apache.org/download.cgi.

    Note: The preceding link was correct as of September 16, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.

    This example uses httpd-2.2.22.tar.gz.

  2. Using the attached 2034157-httpd.conf file as an example, modify these fields:

    Note: If you cannot download the attached file, use the information in the Example configuration section of this article to modify the fields:

    • The load balancer hostname (loadbalancer.vmware.com)
    • The location of the SSL files
    • Each Single Sign-On node hostname for each rule

Example configuration

This information is provided as an example configuration for use with Apache 2.2.

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so

###################################################################################
# A) Add the load balanced hostname
# This hostname and port will be what is used to connect to SSO in KB 2033588
ServerName CHANGE-ME-loadbalanced-fqdn
Listen 443

###################################################################################
# B) Modify the location of the SSL files
SSLCertificateFile "c:/path_to_certs/server.crt"
SSLCertificateKeyFile "c:/path_to_certs/server.key"
SSLCertificateChainFile "c:/path_to_certs/cacert.pem"

###################################################################################
# C) Load Balance Rules.
# Only the hostnames should need to be changed in this section
#
# Update each Single Sign-On node hostname for each rule
#
# Replace 'node1.changeme.com' with the primary node FQDN
# Replace 'node2.changeme.com' with the backup node FQDN
###################################################################################

# Configure the STS for clustering
ProxyPass /ims/ balancer://stscluster/ nofailover=On
ProxyPassReverse /ims/ balancer://stscluster/

Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/ims" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://stscluster>
BalancerMember https://node1.changeme.com:7444/ims route=node1 loadfactor=100
BalancerMember https://node2.changeme.com:7444/ims route=node2 loadfactor=1
ProxySet lbmethod=byrequests stickysession=ROUTEID
</Proxy>

###################################################################################
#Configure the Groupcheck API clustering
ProxyPass /groupcheck/ balancer://gccluster/ nofailover=On
ProxyPassReverse /groupcheck/ balancer://gccluster/

<Proxy balancer://gccluster>
BalancerMember https://node1.changeme.com:7444/sso-adminserver route=node1 loadfactor=100
BalancerMember https://node2.changeme.com:7444/sso-adminserver route=node2 loadfactor=1
ProxySet lbmethod=byrequests stickysession=vmware_soap_session
</Proxy>

###################################################################################
#Configure the proxy for adminserver. It is located only on node1
ProxyPass /sso-adminserver/ https://node1.changeme.com:7444/sso-adminserver/
ProxyPassReverse /sso-adminserver/ https://node1.changeme.com:7444/sso-adminserver/

###################################################################################
#Configure the Lookup Service cluster
ProxyPass /lookupservice/ balancer://lscluster/ nofailover=On
ProxyPassReverse /lookupservice/ balancer://lscluster/

<Proxy balancer://lscluster>
BalancerMember https://node1.changeme.com:7444/lookupservice route=node1 loadfactor=1
BalancerMember https://node2.changeme.com:7444/lookupservice route=node2 loadfactor=1
ProxySet lbmethod=byrequests
</Proxy>

###################################################################################
#Configure for status pages [OPTIONAL]
<Location /balancer-manager>
SetHandler balancer-manager
</Location>

ProxyPass /balancer-manager !
ProxyStatus On
<Location /status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from all
</Location>

###################################################################################
# Standard configurations

SSLVerifyClient none
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
#SSLSessionCache "shmcb:C:/apachehttpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex default
SSLEngine on
SSLProxyEngine on
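# Forward proxying stays off: the ProxyPass rules above act as a reverse proxy
# without it, and ProxyRequests On lets clients relay requests to arbitrary hosts.
ProxyRequests Off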

###################################################################################
#Configure logging locations [OPTIONAL]
ErrorLog "C:/error.log"
TransferLog "C:/access.log"
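
The optional status section above leaves /balancer-manager without any access rule, and its /status block ends with Allow from all, which under Order Deny,Allow overrides the Deny from all before it. The fragment below is an added example, not part of VMware's attached file, showing those two blocks and the SSLProtocol line in restricted form for Apache 2.2; the address 192.0.2.10 is a placeholder for an administrator workstation and is an assumption.

```apache
# Added example: restricted form of the [OPTIONAL] status section and the
# SSLProtocol line. 192.0.2.10 is a placeholder admin address (assumption).

# balancer-manager can disable workers and change load factors at run time,
# so limit it to the local host and one administrator address.
<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.0.2.10
</Location>
ProxyPass /balancer-manager !

# server-status with ProxyStatus On lists every BalancerMember and its state.
# Order Deny,Allow evaluates Deny first and Allow last, so only the listed
# addresses get through; "Allow from all" here would admit every client.
ProxyStatus On
<Location /status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.0.2.10
</Location>

# "all -SSLv2" still accepts SSLv3; remove it as well so only TLS is offered.
SSLProtocol all -SSLv2 -SSLv3
```

Run httpd -t after editing to check the syntax before restarting the service.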

Attachments

2034157-httpd.conf