Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
Solution Type: Technical Instruction Sure

Solution 1010778.1: Setting up Sun Fire[TM] B1600 for load balancing SSL traffic in non-VLAN mode
Previously Published As: 214902

Description

The Sun Fire[TM] B1600 blade platform load balances traffic using specialty blades (Sun Fire[TM] B10n, Sun Fire[TM] B10p). The steps below explain in detail, with an example configuration of the Sun Fire B1600, how to load balance traffic in non-VLAN mode.

Steps to Follow

Setting up Sun Fire B1600 for load balancing SSL traffic in non-VLAN mode

The following components will be modified to load balance SSL traffic:

1) Sun Fire B10n Content load balancing blade

1) B10n Setup

Some limits:

Configuring the network/vlan:

1.1 config ip interface 0 192.4.142.79 mask 255.255.255.0
    - Set the IP address on interface 0 to 192.4.142.79 with a subnet

Configuring B10p's information:

1.2 config ssl name ssl1 192.4.142.58
    - Create an SSL blade entry on B10n with the name "ssl1" and one

1.3 config ssl port-pair ssl1 secureport 443 clearport 880
    - Add a port pair to the entry with the secureport specified at 443 and

Verifying B10p configuration on B10n:

1.4 show ssl
    - Displays basic information about all the SSL blades configured on B10n

1.5 show ssl ssl1
    - Displays detailed information about the SSL blade entry "ssl1".

Configuring a Layer 7 SSL service on B10n:

1.6 config service name svc1 vip 192.50.50.2:443:tcp ssl 880 interface 0
    - Create an SSL service on B10n that is load balanced on layer 7 for
    - Make sure VIP and Management IP addresses are on different subnet
NOTE: The VIP specified for the service, i.e., 192.50.50.2 in this example

    Add netmask to VIP:
    config vip-netmask {ip addr/hostname} mask netmask

1.7 config service lb-group default svc1 server 192.4.142.71:0:tcp:2:1
    - Configure the default load balancing group of the service with 5
    - B10n Management IP address and Server Management IP address should

1.8 config service ssl svc1 ssl ssl1:active
    - Add the SSL blade entry "ssl1" to the service in an active mode.
NOTE: An SSL service cannot be enabled until one or more SSL entries are

1.9 config enable service name svc1
    - Enable the service "svc1" on B10n.

1.10 commit force
    - Save the configuration changes

Checking the service config on B10n:

1.11 show service svc1

_______________________________________________________________________________

2) B10p Setup:
NOTE: Verify B10p version by executing "show version" on B10p.

2.1 create key
    Enter key name: key1
    Enter key strength (1024): 1024
    Key key1 generated.
    - This creates the key "key1" on B10p. Use "show key" to display all

2.2 create certificate
    Enter key name: key1
    Enter country (US): US
    Enter state or province (CA): CA
    Enter locality (Company Town): Newark
    Enter common name (www.companyname.com): www1.sun.com
    Enter organization (Company Name): Sun Microsystems
    Enter organization unit (Company Unit): PTS
    Enter email address (www@companyname.com): root@www1.sun.com
    Certificate key1 generated.
    - This creates a self-signed certificate using the key "key1".

2.3 set routed
    Enter port number (1..2) (1): 1
    Enter router inbound IP address (x.x.x.x): 192.4.142.79
    Enter primary router outbound IP address (x.x.x.x): 192.100.100.254
    Enter secondary router outbound IP address (x.x.x.x): 0.0.0.0
    - This sets the parameters on port 1 for operation of B10p in the

NOTE: The router inbound IP address corresponds to the management IP address configured on B10n with the "config ip" command.

2.4 set inband
    Enter port number (1..2) (1): 1
    Enter inband (data) IP Address (x.x.x.x): 192.100.100.205
    Enter inband (data) netmask (x.x.x.x): 255.255.255.0
    - This sets the inband (data) IP address on port 1 to 192.100.100.205
NOTE: This address has to be on the same subnet as the outbound router IP

2.5 set management
    Enter port number (1..2) (1): 1
    Enter inband (admin) IP Address (x.x.x.x): 192.4.142.58
    Enter inband (admin) netmask (x.x.x.x): 255.255.255.0
    Enter inband (admin) gateway (x.x.x.x): 0.0.0.0
    - This sets the management parameters on port 1. The management IP is
    - This is the IP used for health checks towards the inbound router,
    - B10p management IP address and B10n management IP address should be

2.6 set vlan filter disable
    - Disable the VLAN filtering on the SSL proxy blade
    - For a B10n content load balancing blade with an SSL proxy blade in

2.7 set portpair
    Enter portpair number (1..4) (1): 1
    Enter secure port (https) (443): 443
    Enter clear port (http) (880): 880
    - This configures port pair 1 on B10p with the secure port
NOTE: Up to 4 such port pairs can be configured on B10p. The maximum value

2.8 create service, e.g.,
    Enter service name: svc1
    Enter key name: key1
    Enter server IP Address (0.0.0.0): 192.50.50.2
    Enter cipher (export/best/optimal/high/medium/low) (best): best
    Enter portpair number (1..4) (1): 1
    Service svc1 created.
    - This creates a service "svc1" on B10p with the key "key1"
NOTE: Unique keys/certificates should be used for each service

2.9 config save
    - Save the configuration as permanent

3) Router Setup (Using a ServerBlade as a router)

I)
    * rm /etc/notrouter
    * ndd -set /dev/ip ce0:ip_forwarding 1

II)
3.1 ifconfig ce0 plumb 192.60.60.254 netmask 255.255.255.0 broadcast + up
3.2 ifconfig ce0 addif 192.50.50.254 netmask 255.255.255.0 broadcast + up
3.3 ifconfig ce0 addif 192.100.100.254 netmask 255.255.255.0 broadcast + up
3.4 ifconfig ce0 addif 192.4.142.78 netmask 255.255.255.0 broadcast + up

_______________________________________________________________________________

4) B1600 Switch (SSC0/SWT) Setup:

4.1 Make sure tagged VLANs are not configured on the slots to which B10n, B10p and server blades are connected.

_______________________________________________________________________________

5) Blade Servers' Setup:

Note: This example uses SPARC ServerBlade (B100s)

5.1 Download/Install the clbmod packages.
    cd <location of the clbmod packages>
    pkgadd -d

5.2 Configure the interfaces on the server (Assuming, switch 0 is active, so
    ifconfig ce0 plumb 192.4.142.71 netmask 255.255.255.128 broadcast + up
    - Configure the management IP
    ifconfig lo0:1 plumb 192.50.50.2 netmask 255.255.255.0 up
    - Configure the VIP(s) on the loopback interface

5.3 Add the interfaces to the clbmod:
    /opt/SUNWclb/bin/clbconfig add ce0
    - add ce0 to /etc/opt/SUNWclb/clb.conf, automatically adds the interface to clbmod across reboots.

5.4 Load the module:
    /etc/init.d/clbctl start

5.5 Check the interfaces on which the module is plumbed:
    /opt/SUNWclb/bin/clbconfig list

5.6 Make sure the servers are not routing, i.e., /etc/notrouter file should

5.7 kstat clbmod

5.8 Configure the bundled Apache Web Server

5.9 Repeat the above steps to configure more ServerBlades (192.4.142.80..74.
NOTE: ServerBlade sends unencrypted response traffic to B10p blade for encryption.

6) Using external Sun machine as a client

6.1) Configure client IP in this example
    ifconfig ge0 plumb 192.60.60.253 netmask 255.255.255.0 broadcast + up

6.2) Add static route to VIPs
    route add -net 192.50.50.0 192.60.60.254 -static
    (NOTE: Here we assume the VIPs are in the 192.50.50.0 subnet).

6.3) Launch web browser to access https://192.50.50.2 web page

Product
    Sun Fire B10p SSL Proxy Blade Server
    Sun Fire B10n Content Load Balancing Blade
    Sun Fire B100s Blade Server
    Sun Fire B1600 Blade System Chassis

B1600, B10n, B10p, Load balancing, SSL, http, webserver, apache, vlan, non-vlan, no vlan

Previously Published As: 76841

Change History

Date: 2004-10-21
User Name: 7058
Action: Approved
Comment: Put trademarks in place. Corrected a few minor grammar problems. Found doc ID 76771, very similar, but for running IN VLAN mode whereas this doc is for running in NON VLAN mode. I think it's safe to say these are not duplicate material. Reformatted entire docu using STM. Format looks better now. Publishing.
Version: 2

Date: 2004-10-20
User Name: 7058
Action: Accept
Comment:
Version: 0

Date: 2004-10-20
User Name: 99600
Action: Approved
Comment: This looks okay to me... I successfully set up a lab example using these instructions, at least.
Version: 0

Date: 2004-09-13
User Name: 99600
Action: Accept
Comment:
Version: 0

Product_uuid
    1388ed88-0ee3-11d7-8d55-e80889abea08|Sun Fire B10p SSL Proxy Blade Server
    ddeee812-0ee2-11d7-9490-b04848e63bdb|Sun Fire B10n Content Load Balancing Blade
    d68a0250-bcf8-4136-b44a-0535c2bbf62b|Sun Fire B100s Blade Server
    10bec5e4-5865-11d6-9ffc-c65b6cd3fd7d|Sun Fire B1600 Blade System Chassis

Attachments
    This solution has no attachment
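
Added example (not part of the original Sun document): a pre-flight check that the addressing plan entered on the B10n and B10p satisfies the constraints stated in steps 1.6, 2.3 and 2.4. The dict keys and the function name check_plan are hypothetical; the last three checks are assumptions inferred from the example using the same values on both blades.

```python
import ipaddress

# Addresses and ports copied from this document's example; the dict keys are constructed.
PLAN = {
    "b10n_mgmt": "192.4.142.79/24",           # step 1.1
    "b10n_ssl_entry": "192.4.142.58",         # step 1.2
    "b10n_portpair": (443, 880),              # step 1.3
    "vip": "192.50.50.2/24",                  # steps 1.6 and 5.2
    "b10p_router_inbound": "192.4.142.79",    # step 2.3
    "b10p_router_outbound": "192.100.100.254",
    "b10p_inband": "192.100.100.205/24",      # step 2.4
    "b10p_mgmt": "192.4.142.58/24",           # step 2.5
    "b10p_portpair": (443, 880),              # step 2.7
    "b10p_service_ip": "192.50.50.2",         # step 2.8
}


def check_plan(p):
    """Return a list of problems found in the plan; an empty list means consistent."""
    iface, addr = ipaddress.ip_interface, ipaddress.ip_address
    problems = []
    # Constraints the document states explicitly.
    if iface(p["vip"]).network.overlaps(iface(p["b10n_mgmt"]).network):
        problems.append("VIP and B10n management IP are on the same subnet")
    if addr(p["b10p_router_inbound"]) != iface(p["b10n_mgmt"]).ip:
        problems.append("B10p router inbound IP is not the B10n management IP")
    if addr(p["b10p_router_outbound"]) not in iface(p["b10p_inband"]).network:
        problems.append("B10p inband IP is not on the outbound router's subnet")
    # Assumed constraints, inferred from the example using equal values on both blades.
    if addr(p["b10n_ssl_entry"]) != iface(p["b10p_mgmt"]).ip:
        problems.append("B10n SSL entry does not point at the B10p management IP")
    if p["b10n_portpair"] != p["b10p_portpair"]:
        problems.append("secure/clear port pair differs between B10n and B10p")
    if addr(p["b10p_service_ip"]) != iface(p["vip"]).ip:
        problems.append("B10p service IP is not the VIP")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```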