Load balancing WSO2 Identity Server (PDP cluster) using Apache HTTP server

In my previous blog posts [1] [2], I explained how we can load balance a PDP cluster (a WSO2 Identity Server cluster) using WSO2LB and WSO2ESB. In this blog post I am going to use Apache HTTP server to load balance the WSO2 Identity Server cluster nodes.

Prerequisites:

1. You need to install Apache HTTP server.

On Ubuntu you can install it with apt-get as follows:

apt-get install apache2

2. You need to enable the necessary modules:

proxy_http
ssl
proxy_balancer

On Ubuntu you can do this with the a2enmod command.

3. You need a key file and a certificate file to configure SSL communication with Apache HTTP server.

The following are the summarized steps to create a key and a certificate using a self-signed Certificate Authority (CA). The default openssl configuration is used (on Ubuntu, the default openssl configuration file is /etc/ssl/openssl.cnf). Please refer to this for more details.

[1] Creating a local Certificate Authority (CA) using OpenSSL

First build the CA key using the following command (the key is named ca.key):
$ openssl genrsa -des3 -out ca.key 1024
Next build the certificate of the CA. This is the CA's certificate and it can be made publicly available (the CA key created above is given, and the certificate is named ca.crt):
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

[2] Generate a server key and CSR (Certificate Signing Request)

The private key for the Apache HTTPD server is built with the default openssl configuration (the key is named server.key):
$ openssl genrsa -des3 -out server.key 1024
Then a CSR is created, to be signed by a Certificate Authority (the server key created above is given, and the CSR is named server.csr):
$ openssl req -new -key server.key -out server.csr

[3] Sign the certificate signing request (CSR) with the self-created Certificate Authority (CA)

The CA certificate and key and the server CSR are given, and the signed certificate is named server.crt:
$ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

[4] Make a server.key which doesn't cause Apache to prompt for a password

$ openssl rsa -in server.key -out server.key.insecure
$ mv server.key.insecure server.key (rename the key back to server.key)

Now you have the key file, server.key, and the certificate file, server.crt.

Let's go through it step by step now.

Step 1. Configure a virtual host containing the following sample content (on Ubuntu you can create it inside the /etc/apache2/sites-available directory).

<IfModule mod_proxy.c>
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName localhost
    ServerAlias localhost
    # forward proxying stays off; this host is a reverse proxy only
    ProxyRequests Off
    # TLS towards clients (SSLEngine) and towards the backend nodes (SSLProxyEngine)
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /home/asela/Security/162/server.crt
    SSLCertificateKeyFile /home/asela/Security/162/server.key
    # SSLProxyVerify is left at its default, so backend certificates are not validated;
    # set SSLProxyVerify require and SSLProxyCACertificateFile to enable that
    <Proxy *>
        # Apache 2.2 access syntax; on 2.4 this needs mod_access_compat, or use "Require all granted"
        Order deny,allow
        Allow from all
    </Proxy>
    # keep the balancer-manager path out of the balancer
    ProxyPass /balancer-manager !
    # everything else goes to the balancer; the JSESSIONID cookie carries the route for sticky sessions
    ProxyPass / balancer://wso2.identity.domain/ lbmethod=byrequests stickysession=JSESSIONID
    ProxyPassReverse / https://localhost:9443/
    ProxyPassReverse / https://localhost:9444/
    <Proxy balancer://wso2.identity.domain>
        # route must equal the jvmRoute of each node; equal loadfactor shares load evenly
        # (on Apache 2.4, lbmethod=byrequests requires mod_lbmethod_byrequests)
        BalancerMember https://localhost:9443 route=isNode1 loadfactor=1
        BalancerMember https://localhost:9444 route=isNode2 loadfactor=1
    </Proxy>
</VirtualHost>
</IfModule>

Important notes on this configuration:

1. I have assumed that the Apache HTTP server and the WSO2 Identity Server cluster (2 nodes, with HTTPS ports 9443 and 9444) are running on the same machine (localhost).
2. All requests that come to port 443 are load balanced to 9443 and 9444.
3. The ServerName and ServerAlias parameters are set to "localhost".
4. SSL has been enabled for both the client side (for clients who call the Apache HTTP server) and the back end servers (the WSO2 Identity Server nodes).
(Please note that certificate validation is not enabled for the backend services.)
5. A proxy is created to send all requests to the wso2.identity.domain load balancer.
6. In the wso2.identity.domain load balancer configuration, the members (WSO2 Identity Server nodes) have been defined with the following two parameters:

route – this defines the jvmRoute parameter that is configured in the corresponding WSO2 Identity Server node. This parameter is needed to achieve sticky sessions.
loadfactor – this defines how load is shared between the two nodes. Here equal load is configured for both nodes.

You can find more details in the Apache HTTP server docs and define your own configuration. The virtual host configuration defined above is just a sample.

Step 2. Enable the virtual host configuration

On Ubuntu you can do this with the a2ensite command.

Step 3. Restart Apache HTTP server

On Ubuntu, use

/etc/init.d/apache2 restart

Step 4. Restart the WSO2 Identity Server nodes with the proper jvmRoute IDs (as configured in the virtual host configuration above)

Pass the corresponding jvmRoute ID as a system property value.

For example, on UNIX you can set it as follows before the WSO2 IS server is started:

export JAVA_OPTS='-DjvmRoute=isNode1'

Or you can set it in wso2server.sh or wso2server.bat. In the wso2server.sh script file, you can set it as:

-DjvmRoute=isNode1

Step 5. Change your client application (web app or Java client) to connect to the Apache HTTP server.

Please note that the client needs to communicate with the Apache HTTP server over SSL, so the Apache HTTP server's certificate must be trusted by your client application. You therefore need to add the CA certificate that signed the Apache HTTP server's certificate to the client's trust store.
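The certificate procedure from the prerequisites and the trust-store step above, as an added example that is not part of the original post: the four OpenSSL steps run non-interactively (so they can be scripted), the resulting chain is checked, and the CA certificate is imported into a Java trust store for the client. It assumes openssl and keytool are on PATH, writes the keys without a passphrase (which is what step [4] leaves server.key with anyway), and uses 2048-bit keys instead of the post's 1024-bit ones.

```shell
#!/bin/sh
# Added example, not from the original post: it runs the CA and server certificate
# steps above non-interactively, checks the result, and imports the CA certificate
# into a Java trust store for the client (Step 5).
# Assumptions: openssl (and keytool, for the last function) are on PATH; keys are
# written without a passphrase, which is what step [4] leaves server.key with anyway;
# 2048-bit keys are used instead of the post's 1024-bit ones.
set -eu

# make_ca_and_server_cert DIR : writes ca.key, ca.crt, server.key, server.crt into DIR
make_ca_and_server_cert() {
    dir="$1"; mkdir -p "$dir"
    # [1] local CA key and self-signed CA certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Local Test CA"
    # [2] server key and CSR; the CN must match the vhost's ServerName (localhost)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=localhost"
    # [3] sign the CSR with the CA (serial 01, as in the post)
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/server.crt" 2>/dev/null
    # [4] nothing to strip: the key has no passphrase, so Apache will not prompt for one
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_chain DIR : succeeds only if server.crt chains to ca.crt and matches server.key
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_subject_cn DIR : prints the CN of server.crt ("CN = x" and "/CN=x" output styles)
cert_subject_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# import_ca_to_truststore DIR TRUSTSTORE PASSWORD : adds ca.crt to a JKS trust store that
# the Java client then uses via -Djavax.net.ssl.trustStore=TRUSTSTORE
# and -Djavax.net.ssl.trustStorePassword=PASSWORD
import_ca_to_truststore() {
    keytool -importcert -noprompt -trustcacerts -alias apache-lb-ca \
        -file "$1/ca.crt" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}
```

Run `make_ca_and_server_cert ./certs && verify_chain ./certs` and point SSLCertificateFile and SSLCertificateKeyFile at ./certs/server.crt and ./certs/server.key; a server certificate signed by any other CA fails verify_chain against this ca.crt.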