Configure Load Balancer for OpenAM 12

Posted 4 years ago by Richard Hrúza

Introduction

In this article I will demonstrate how to configure software Load Balancer (LB) for two OpenAMs.

OpenAM is a open source access management software provided by ForgeRock.

Load balancing aims to optimize resource use, maximize throughput, minimize response time, and avoid overload of any single resource. If a one server is down, LB redirect all requests to others servers which are up.

To simplify, I will configure LB, OpenAM 1 and OpenAM 2 on one virtual machine and OpenAMs will be configured with embedded data and config store. To read more about embedded config and data store please check chapters 1.4 and 1.5 here.

siteD

Prerequisites:

  • configured virtual machine
  • 2 x apache tomcat
    • tomcat 1 is listening on port 8080
    • tomcat 2 is listening on port 8081 (conf/server.xml, also it is necessary to change the port for shutdown )
  • edit /etc/hosts to include all hostnames (all hostnames will have the same IP, because they are on the same machine)
    • openam1.profiq.com
    • openam2.profiq.com
    • openam.profiq.com

Load Balancer

I used HA proxy software load balancer.

Download HA Proxy

You can download HA Proxy here.

Install HA Proxy from source

  1. Unpack HA Proxy:
    # tar -xvf haproxy-1.5.14.tar.gz
  2. Navigate into HA Proxy directory:
    # cd ./haproxy-1.5.14
  3. Compile HA Proxy. Compile for Linux kernel 2.6.32 or later and optimize the binaries for the install CPU architecture.
    # make TARGET=linux2632 ARCH=native

    Note: you can check your linux version:

    # uname -a
    Linux centos6-64 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  4. Install the compiled binary:
    # make install
  5. Copy the HA Proxy to yours directory
    # mkdir /opt/HA-Proxy-1.5.14
    # cp /usr/local/sbin/haproxy /opt/HA-Proxy-1.5.14

Configure HA Proxy

  1. Create the configuration file
    # vim /opt/HA-Proxy-1.5.14/haproxy.conf
  2. Add content into HA Proxy configuration file:
    global
       maxconn 4096
       daemon
    
    defaults
       mode http
       option tcpka
       retries 3
       option redispatch
       maxconn 1024
       timeout client 1h
       timeout connect 5000ms
       timeout server 1h
    
    frontend fe
       bind openam.profiq.com:80
       default_backend be
    
    backend be
       mode http
       balance roundrobin
       cookie SERVERID insert indirect nocache
       server openam1 openam1.profiq.com:8080 check cookie 1
       server openam2 openam2.profiq.com:8081 check cookie 2
       option http-server-close
       option redispatch
       appsession amlbcookie len 2 timeout 1h request-learn

Backend is configured for 2 OpenAMs (openam1 and openam2) and LB is listening on openam.profiq.com:80.

It is recommended to use stickiness (“appsession amlbcookie len 2 timeout 1h request-learn”) for the backend, it means, if you log in via openam1 a cookie is sent by the backend with backend-specific value, HA Proxy will then look for that cookie, and will store its value in a table associating it with the server’s identifier, for more info see.

You can find description for properties in to HA Proxy documentation here.

OpenAM 1

Download latest stable OpenAM

Download latest openam (currently it is OpenAM 12.0.1) from forgerock backtsage here.

Install OpenAM 1

  1. Deploy downloaded openam.war into tomcat
    # cp /opt/OpenAM-12.0.1.war /opt/apache-tomcat-7.0.50/webapps/openam.war
  2. Start tomcat 1
  3. Hit the openam1 page: http://openam1.profiq.com:8080/openam and you will see OpenAM Configuration Page
    01ConfPage
  4. Choose “Create New Configuration” and accept the license
  5. Step 1: Set amAdmin password and click next
  6. Step 2: Server config:
    Server URL = http://openam1.profiq.com:8080
    Cookie Domain = .profiq.com
    Platform Locale = en_US
    Configuration Directory = /root/openam1
  7. Step 3: Configuration Data Store Settings
    02COnfDataStore
  8. Step 4: User Data Store Settings
    Set “OpenAM User Data Store”
  9. Step 5: Site Configuration
    03Site
  10. Step 6: Default Policy Agent User
    set password
  11. Summary
    04Summary
  12. Create Configuration

Note: For more info see OpenAM install guide

OpenAM 2

Install OpenAM 2

  1. Deploy downloaded openam.war into tomcat
    # cp /opt/OpenAM-12.0.1.war /opt/apache-tomcat-6.0.39/webapps/openam.war
  2. Start tomcat 1
  3. Hit the openam2 page: http://openam2.profiq.com:8081/openam and you will see OpenAM Configuration Page
  4. Choose “Create New Configuration” and accept the license
  5. Step 1: Set amAdmin password and click next
  6. Step 2: Server config:
    Server URL = http://openam2.profiq.com:8081
    Cookie Domain = .profiq.com
    Platform Locale = en_US
    Configuration Directory = /root/openam2
  7. Step 3: Configuration Data Store Settings
    Set “Add to Existing Deployment”
    Server URL: http://openam1.profiq.com:8080/openam
    05Conf
  8. Step 5 Site Configuration
    Site Name = profiq site
    Load Balancer URL = http://openam.profiq.com:80/openam
    Enable Session HA Persistence and Failover = true
  9. Summary
    06Sum
  10. Create Configuration

Test Configuration

  • Start load balancer:
# /opt/HA-Proxy-1.5.14/haproxy -f /opt/HA-Proxy-1.5.14/haproxy.conf
  • Hit the load balancer: http://openam.profiq.com/openam
  • Login as amadmin
  • if you check cookies there will be cookie amlbcookie = 01 (01 is ID of server, in my case means you are logged via OpenAM1)
  • delete all cookies and shut-down openam1, login again, and observe the cookie amlbcookie. You can observe that second OpenAM server will be used and one can see it by looking at amlbcookie = 02. This simulates purpose of load balancer, where if you have multiple users, load balancer will balance load in a way where it send user 1 to OpenAM 1, user 2 to OpenAM 2, user 3 to OpenAM 1 again etc. This is called round-robin algorithm (“balance roundrobin” = property from HA proxy config file).

Richard Hrúza

Leave a Reply

Related articles

Contact us now

Your message has been sent. Thank you!