uCosminexus Application Server, Security Management Guide
8.4 Load balancer access environment setup
(1) Access list (ACL) settings (ACOS)
If you are using a version of ACOS that is earlier than 2.4.3-P7, create the access list on a server machine that runs either Management Server or Virtual Server Manager. The necessary settings are given below. For details about how to create an access list, see the ACOS document.
- ID: 1
- Action: Permission#
- Source address: Multiple#
- #: These two attributes are where access to the load balancer is restricted; set the Action and Source address values appropriate to your environment rather than leaving them at their defaults.
- Note
- If you specify a number other than 1 for the ID attribute when creating the ACL, the load balancer cannot be accessed directly via the API (REST architecture).
(2) Creating a cookie persistence template
To maintain a session through cookies, create a cookie persistence template on the host that provides the operation management functionality. The necessary settings are given below. For details about how to create a cookie persistence template, see the load balancer document.
- Cookie name: a value of your choice
- Expire: 0
If you specify 0 for the Expire attribute, no expiry time is set on the cookie, so persistence is maintained only for the current session.
(3) Configuring a trust store
With direct access through the API, communication with the load balancer uses HTTP or HTTPS. HTTPS communication requires a trust store that contains a certificate you trust for the load balancer. If you use HTTPS, specify https in (or omit, which has the same effect) the applicable one of the following properties:
- For controlling the load balancer with Management Server:
- lb.API.protocol.load-balancer-management-IP-address in lb.properties
- For controlling the load balancer with Virtual Server Manager:
- lb.API.protocol in LB-connection-distinguished-name.properties
- lb.API.protocol in tierlb.properties
Before communicating via HTTPS, configure the trust store by following the steps below.
1. Obtain the SSL server certificate from the load balancer.
For details about how to obtain the SSL server certificate, see the load balancer document.
2. Execute the JDK keytool command on the host that provides the operation management functionality. This registers the SSL server certificate obtained in step 1 in the trust store.
Below is an example of executing the JDK keytool command.
Cosminexus-installation-directory/jdk/bin/keytool -import -file loadbalancer.cer -alias loadbalancer -keystore C:\work\loadbalancer.keystore -storepass keystore_pass
For details about this command, see the JDK document. Note that a password given with -storepass on the command line is visible to other users of the host in the process list and in the shell history; if the option is omitted, keytool prompts for the password instead.
- Note
- If you register the certificate in a trust store other than the JDK default (cacerts), specify the absolute path of that trust store file (the file given to keytool with -keystore, not the certificate file itself) in the javax.net.ssl.trustStore parameter in lb.properties. If you register the certificate in the default trust store (cacerts), the absolute path does not need to be specified.
- For BIG-IP, the default trust store (cacerts) must always be used.
- This default trust store for JDK (cacerts) is located under Cosminexus-installation-directory/jdk/jre/lib/security. The initial password is changeit.
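The following script checks a properties file against the rules in this subsection: which lb.API.protocol form selects HTTPS, whether javax.net.ssl.trustStore is an absolute path, and whether the named trust store (or the default cacerts) exists. It is an added example and not part of the uCosminexus product; the property names are the ones this guide lists, while the installation directory, the sample file contents and the file-existence stub are constructed for the example.

```python
"""Consistency check for the HTTPS / trust store settings described in section (3).

Added example, not part of the uCosminexus product. The property names
(lb.API.protocol, lb.API.protocol.<IP>, javax.net.ssl.trustStore) are the ones the
guide names; the sample file contents and the installation directory are constructed.
"""
import os
import re

# Assumed installation directory (constructed); substitute the real one.
COSMINEXUS_DIR = "/opt/Cosminexus"
DEFAULT_CACERTS = os.path.join(COSMINEXUS_DIR, "jdk", "jre", "lib", "security", "cacerts")


def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comment lines, 'key=value' or
    'key: value', whitespace trimmed. Escapes and line continuations are not handled,
    so Windows paths in the samples are written with forward slashes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_absolute(path):
    """Absolute on the current OS, or a Windows drive path such as C:/work/x."""
    return os.path.isabs(path) or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def check_trust_store(props, file_exists=os.path.isfile):
    """Return a list of findings (empty means consistent) for one properties file.

    Rules, as stated in the guide:
      * lb.API.protocol (Virtual Server Manager files) or lb.API.protocol.<LB management
        IP address> (lb.properties for Management Server) selects http or https;
        omitting the property has the same effect as https.
      * With https a trust store holding the load balancer's certificate is required:
        javax.net.ssl.trustStore names it by absolute path, and if the property is
        absent the JDK default cacerts under the installation directory is used.
    """
    findings = []
    protocols = {k: v.lower() for k, v in props.items()
                 if k == "lb.API.protocol" or k.startswith("lb.API.protocol.")}
    for key, value in protocols.items():
        if value not in ("http", "https"):
            findings.append(f"{key}: unexpected value {value!r}, expected http or https")
    uses_https = not protocols or "https" in protocols.values()
    if not uses_https:
        return findings  # plain HTTP: no trust store, and no transport protection either
    trust_store = props.get("javax.net.ssl.trustStore")
    if trust_store is None:
        if not file_exists(DEFAULT_CACERTS):
            findings.append(f"default trust store (cacerts) not found at {DEFAULT_CACERTS}")
    elif not is_absolute(trust_store):
        findings.append(f"javax.net.ssl.trustStore must be an absolute path, got {trust_store!r}")
    elif not file_exists(trust_store):
        findings.append(f"trust store not found: {trust_store}")
    return findings


# Constructed sample: lb.properties for Management Server controlling one load balancer
# whose management address is 192.0.2.10, using the keystore from the keytool example.
SAMPLE_MANAGEMENT_SERVER = """
# lb.properties (constructed sample)
lb.API.protocol.192.0.2.10=https
javax.net.ssl.trustStore=C:/work/loadbalancer.keystore
"""

# Constructed sample: protocol omitted (so HTTPS) and a relative trust store path,
# which the guide does not allow.
SAMPLE_RELATIVE = """
javax.net.ssl.trustStore=work/loadbalancer.keystore
"""

# Constructed sample: explicit HTTP, so no trust store is needed.
SAMPLE_HTTP = """
lb.API.protocol=http
"""


if __name__ == "__main__":
    # Pretend every referenced file exists so the run does not depend on the host.
    for name, text in [("management-server", SAMPLE_MANAGEMENT_SERVER),
                       ("relative-path", SAMPLE_RELATIVE), ("http", SAMPLE_HTTP)]:
        print(name, check_trust_store(parse_properties(text), file_exists=lambda p: True) or "OK")
```

Run it against the real lb.properties (or the Virtual Server Manager files) with the default file_exists to confirm the trust store the properties point at is actually on the host; pairing it with `keytool -list -keystore <trust store> -alias loadbalancer` confirms that the load balancer's certificate was imported into that same file.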
(4) hosts file settings (BIG-IP)
If you will be controlling BIG-IP from Management Server or Virtual Server Manager, register the host name and IP address of BIG-IP in the hosts file. However, there is no need to register this information in the hosts file when you have selected direct connection using ssh protocol to connect to BIG-IP.
All Rights Reserved. Copyright (C) 2013, Hitachi, Ltd