Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1010778.1
Update Date:2009-09-22
Keywords:

Solution Type  Technical Instruction Sure

Solution  1010778.1 :   Setting up Sun Fire[TM] B1600 for loadbalancing SSL traffic in non-VLAN mode  


Related Items
  • Sun Fire B10n Content Load Balancing Blade
  •  
  • Sun Fire B10p SSL Proxy Blade Server
  •  
  • Sun Fire B1600 Blade System Chassis
  •  
  • Sun Fire B100s Blade Server
  •  
Related Categories
  • GCS>Sun Microsystems>Servers>Blade Servers
  •  

PreviouslyPublishedAs
214902


Description
SunFire[TM] B1600 Blade platform is used for loadbalancing traffic using
speciality Blades (Sun Fire[TM] B10n, Sun Fire[TM] B10p).

The steps below explains in detail, with an example of configuring SunFire B1600, loadbalancing traffic in non-VLAN mode.



Steps to Follow
Setting up Sun Fire B1600 for loadbalancing SSL traffic in non-VLAN mode
The following components will be modified to load balance SSL traffic:

1) Sun Fire B10n Content load balancing blade
2) Sun Fire B10p SSL proxy blade ( non-vlan is supported from 1.867 version onward)
3) Router (a ServerBlade can also act as a router)
4) B1600 switch
5) Server Blades
6) Clients (a ServerBlade can also act as client)

1) B10n Setup

Some limits:
- Maximum number of SSL blades that can be added per service is 16
- Maximum number of SSL blade entries that can be created on a B10n is 128

Configuring the network/vlan:

1.1 config ip interface 0 192.4.142.79 mask 255.255.255.0

- Set the IP address on interface 0 to 192.4.142.79 with a subnet
mask of 255.255.255.0

Configuring B10p's information:

1.2 config ssl name ssl1 192.4.142.58

- Create an SSL blade entry on B10n with the name "ssl1" and one
interface specified at 192.4.142.58. NOTE: The interface IP address
should correspond to the one configured on the SSL blade with the
"set management" command.

1.3 config ssl port-pair ssl1 secureport 443 clearport 880

- Add a port pair to the entry with the secureport specified at 443 and
the clearport specified at 880. NOTE: This should correspond to the
same values specified on B10p blade with the "set portpair"
command (see section 2 for B10p setup).

Verifying B10p configuration on B10n:

1.4 show ssl

- Displays basic information about all the SSL blades configured on B10n

1.5 show ssl ssl1

- Displays detailed information about the SSL blade entry "ssl1".

Configuring a Layer 7 SSL service on B10n:

1.6 config service name svc1 vip 192.50.50.2:443:tcp ssl 880 interface 0
lb-layer 7 l7-proto http

- Create an SSL service on B10n that is load balanced on layer 7 for
the HTTP protocol. The service "svc1" is bound to interface 0 and
is offered at the VIP 192.50.50.2, port 443 and TCP protocol. The
port specified after the ssl keyword, i.e., 880, is the decrypted
port.

- Make sure VIP and Management IP addresses are on different subnet
to provide high secuirty.

NOTE: The VIP specified for the service, i.e., 192.50.50.2 in this example
should be configured as the server address in the "create service" command on
all the SSL blades added to the service. The service port (443 in this
example) should correspond to the secure port of the port pair associated to
the service on B10p and the decrypted port (880 in this example) should
correspond to the clear port of the port pair on B10p.

Add netmask to VIP : config vip-netmask {ip addr/hostname} mask netmask

1.7 config service lb-group default svc1 server 192.4.142.71:0:tcp:2:1
192.4.142.80:0:tcp:3:1 192.4.142.74:0:tcp:4:1 192.4.142.75:0:tcp:5:1
192.4.142.77:0:tcp:6:1 scheme wt-round-robin

- Configure the default load balancing group of the service with 5
servers 192.4.142.71, 192.4.142.80, 192.4.142.74, 192.4.142.75 and
192.4.142.77 and the LB scheme specified as weighted round robin.

- B10n Management IP address and Server Management IP address should
be on the same subnet.

1.8 config service ssl svc1 ssl ssl1:active

- Add the SSL blade entry "ssl1" to the service in an active mode.

NOTE: An SSL service cannot be enabled until one or more SSL entries are
added to it using the above command.

1.9 config enable service name svc1

- Enable the service "svc1" on B10n.

1.10 commit force

- Save the configuration changes

Checking the service config on B10n:

1.11. show service svc1

_______________________________________________________________________________
_______________________________________________________________________________

2) B10p Setup:

NOTE : Verify B10p version by executing "show version" on B10p.
If the B10p version is below 1.867, upgrade to 1.867 or higher
Both non-vlan mode and vlan are supported from 1.867. Prior to 1.867
only vlan mode was supported.

2.1 create key

 Enter key name: key1
Enter key strength (1024): 1024
Key key1 generated.

- This creates the key "key1" on B10p. Use "show key" to display all
the keys configured on the B10p board.

2.2 create certificate

 Enter key name: key1
Enter country (US): US
Enter state or province (CA): CA
Enter locality (Company Town): Newark
Enter common name (www.companyname.com): www1.sun.com
Enter organization (Company Name): Sun Microsystems
Enter organization unit (Company Unit): PTS
Enter email address (www@companyname.com): root@www1.sun.com
Certificate key1 generated.

- This creates a self-signed certificate using the key "key1".
Use "show key" to display the certificate along with the key.
- You may create a certificate signed by certificate authority
using "create certrequest" command

2.3 set routed

 Enter port number (1..2) (1): 1
Enter router inbound IP address (x.x.x.x): 192.4.142.79
Enter primary router outbound IP address (x.x.x.x): 192.100.100.254
Enter secondary router outbound IP address (x.x.x.x): 0.0.0.0

- This sets the parameters on port 1 for operation of B10p in the
routed mode.

NOTE: The router inbound IP address corresponds to the management IP address configured on B10n with the "config ip" command.

2.4 set inband

 Enter port number (1..2) (1): 1
Enter inband (data) IP Address (x.x.x.x): 192.100.100.205
Enter inband (data) netmask (x.x.x.x): 255.255.255.0

- This sets the inband (data) IP address on port 1 to 192.100.100.205
with a subnet mask of 255.255.255.0.

NOTE: This address has to be on the same subnet as the outbound router IP
address as configured by the "set routed" command.

2.5 set management

 Enter port number (1..2) (1): 1
Enter inband (admin) IP Address (x.x.x.x): 192.4.142.58
Enter inband (admin) netmask (x.x.x.x): 255.255.255.0
Enter inband (admin) gateway (x.x.x.x): 0.0.0.0

- This sets the management parameters on port 1. The management IP is
set to 192.4.142.58 with a subnet mask of 255.255.255.0.

- This is the IP used for health checks towards the inbound router,
i.e., B10n and also the one configured on B10n, for B10n to perform
health checks on B10p.

- B10p management IP address and B10n management IP address should be
on the same subnet.

2.6 set vlan filter disable

Disable the VLAN filtering on the SSL proxy blade

- For a B10n content load balancing blade with an SSL proxy blade in
non-VLAN mode, the VLAN filter must be disabled. This means that the
SSL proxy blade will not expect a VLAn tag for any incoming or
outgoing traffic and no filtering will be done based on the VLAN ID

2.7 set portpair

 Enter portpair number (1..4) (1): 1
Enter secure port (https) (443): 443
Enter clear port (http) (880): 880

- This configures port pair 1 on B10p with the secure port
specified as 443 and the clear port specified as 880.

NOTE: Upto 4 such port pairs can be configured on B10p. The maximum value
of each port cannot exceed 1000. Each of the 8 ports in the 4 port pairs
should be unique.

2.8 create service, e.g.,

 Enter service name: svc1
Enter key name: key1
Enter server IP Address (0.0.0.0): 192.50.50.2
Enter cipher (export/best/optimal/high/medium/low) (best): best
Enter portpair number (1..4) (1): 1
Service svc1 created.

- This creates a service "svc1" on B10p with the key "key1"
associated with it. The service is offered at the IP address
192.50.50.2. The "best" cipher is chosen for this service and port
pair 1 (with secure port 443 and clear port 880) is configured for
the service. Use "show service" to display all the services
configured on the B10p blade.

NOTE: Unique keys/certificates should be used for each service
configured on a B10p blade. The same key/certificate should be used
for the same service configured on multiple B10ps.

2.9 config save

- Save the configuration as permanent
________________________________________________________________________________
________________________________________________________________________________

3) Router Setup (Using a ServerBlade as a router)

I)

 *  rm /etc/notrouter
*  ndd -set /dev/ip ce0:ip_forwarding 1

II)

3.1 ifconfig ce0 plumb 192.60.60.254 netmask 255.255.255.0 broadcast + up
clients are in 192.60.60.0 subnet.

3.2 ifconfig ce0 addif 192.50.50.254 netmask 255.255.255.0 broadcast + up
Route from client to VIP on VIP side, e.g., 192.50.50.254
NOTE: the VIPs are in the 192.50.50.0 subnet.

3.3 ifconfig ce0 addif 192.100.100.254 netmask 255.255.255.0 broadcast + up
- The address of this interface will be the one configured as the outbound
router on the SSL proxy blade.
- B10p sends encrypted traffic to clients through this interface.

3.4 ifconfig ce0 addif 192.4.142.78 netmask 255.255.255.0 broadcast + up
B10n & server blades communicate on 192.4.142.0 subnet
Configured 192.4.142.78 on router for testing purpose ( optional step)

_______________________________________________________________________________
______________________________________________________________________________

4) B1600 Switch (SSC0/SWT) Setup:

4.1 Make sure tagged VLANs are not configured on the slots to which B10n, B10p and server blades are connected.
ex: "show running-config" will show slots configured with tagged vlan.
Please remove if tagged vlans are configured on the
slots to which B10n, B10p and server blades are connected

______________________________________________________________________________
______________________________________________________________________________

5) Blade Servers' Setup:

Note: This example uses Sparc Serverblade ( B100s)

5.1 Download/Install the clbmod packages.

cd <location of the clbmod packages>
pkgadd -d

5.2 Configure the interfaces on the server (Assuming, switch 0 is active, so
interface ce0 is being configured):

    ifconfig ce0 plumb 192.4.142.71 netmask 255.255.255.128 broadcast + up

- Configure the management IP

    ifconfig lo0:1 plumb 192.50.50.2 netmask 255.255.255.0 up   

- Configure the VIP(s) on the loopback interface

5.3 Add the interfaces to the clbmod:

       /opt/SUNWclb/bin/clbconfig add ce0

- add ce0 to /etc/opt/SUNWclb/clb.conf, automatically adds the interface to clbmod accross reboots.

5.4 Load the module:

       /etc/init.d/clbctl start

5.5 Check the interfaces on which the module is plumbed:

       /opt/SUNWclb/bin/clbconfig list

5.6 Make sure the servers are not routing, i.e., /etc/notrouter file should
be present.

5.7 kstat clbmod
- use this command to monitor open/close connections on clbmod

5.8 Configure the bundled Apache Web Server
- Add the server ipaddress, 192.4.142.71, to /etc/hosts
- cp /etc/apache/httpd.conf.example /etc/apache/httpd.conf
- Add the line "ServerName 192.4.142.71" at the end of Servername section.
- Add the lines "Listen 80" and "Listen 880" at the end of Listen section.
- Use "/usr/apache/bin/apachectl start" to start the Web Server

5.9 Repeat the above steps to configure more ServerBlades (192.4.142.80..74.
.75..77 etc)

NOTE: Serverblade sends unencrypted response traffic to B10p blade for encryption.
_____________________________________________________________________________
____________________________________________________________________________

6) Using external sun machine as a client

6.1) Configure client IP in this example

    ifconfig ge0 plumb 192.60.60.253 netmask 255.255.255.0 broadcast  + up

6.2) Add static route to VIPs

    route add -net 192.50.50.0 192.60.60.254 -static

(NOTE: Here we assume the VIPs are in the 192.50.50.0 subnet).

6.3) Launch web browser to access https://192.50.50.2 web page



Product
Sun Fire B10p SSL Proxy Blade Server
Sun Fire B10n Content Load Balancing Blade
Sun Fire B100s Blade Server
Sun Fire B1600 Blade System Chassis

B1600, B10n, B10p, Load balacing, SSL, http, webserver, apache, vlan, non-vlan, no vlan
Previously Published As
76841

Change History
Date: 2004-10-21
User Name: 7058
Action: Approved
Comment: Put trademarks in place.
Corrected a few minor grammar problems.
Found doc ID 76771, very similar, but for funning IN VLAN mode whereas this doc is for running in NON VLAN mode. I think it's safe to say these are not duplicate material.
Reformatted entire docu using STM. Format looks better now.
Publishing.
Version: 2
Date: 2004-10-20
User Name: 7058
Action: Accept
Comment:
Version: 0

Date: 2004-10-20
User Name: 99600
Action: Approved
Comment: This looks okay to me... I successfully setup a lab example
using these instructions, at least.
Version: 0

Date: 2004-09-13
User Name: 99600
Action: Accept
Comment:
Version: 0
Product_uuid
1388ed88-0ee3-11d7-8d55-e80889abea08|Sun Fire B10p SSL Proxy Blade Server
ddeee812-0ee2-11d7-9490-b04848e63bdb|Sun Fire B10n Content Load Balancing Blade
d68a0250-bcf8-4136-b44a-0535c2bbf62b|Sun Fire B100s Blade Server
10bec5e4-5865-11d6-9ffc-c65b6cd3fd7d|Sun Fire B1600 Blade System Chassis

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.
 Feedback