CHAPTER 4

Setting Up Sun Fire Blades for Load Balancing SSL Traffic

This chapter describes how to set up a Sun Fire B1600 for load balancing SSL traffic with the Sun Fire B10n content load balancing blade and the Sun Fire B10p SSL proxy blades.

This chapter includes the following sections:

Setting Up for Load Balancing SSL Traffic
Setting Up the Sun Fire B10n Content Load Balancing Blade
Setting Up the SSL Proxy Blade
Setting Up the Router
Setting Up the Sun Fire B1600 Switch
Setting Up Sun Fire B100s Solaris Server Blades
Setting Up Clients/External Routers

Setting Up for Load Balancing SSL Traffic

You must configure the following components to load balance SSL traffic:

Sun Fire B10n content load balancing blade
Sun Fire B10p SSL proxy blade
Router
Sun Fire B1600 switch
Sun Fire B100s Solaris server blades
Clients/external routers

In addition to modifying these components, you must set up three VLANs:

Management VLAN (3 in this example)
Client/data VLAN (10 in this example)
Service VLAN (5 in this example)


Setting Up the Sun Fire B10n Content Load Balancing Blade

The following limitations apply:


To Configure the Network Interface and VLAN

1. Set the IP address on interface 0:

puma{admin}# config ip interface 0 ip-addr mask subnet_mask

Example:

puma{admin}# config ip interface 0 192.50.50.132 mask 255.255.255.0

2. Set the data/client VLAN:

puma{admin}# config data vlan N

Where N is the number of the data/client VLAN.

Example:

puma{admin}# config data vlan 10

3. Enable the data/client VLAN:

puma{admin}# config enable vlan data

4. Set the management VLAN:

puma{admin}# config management vlan N

Example:

puma{admin}# config management vlan 3

5. Enable the management VLAN:

puma{admin}# config enable vlan management


To Configure the SSL Proxy Blade



Note - Refer to Chapter 4, "Command-Line Options" and "Configuring SSL Blade Entries" of the Sun Fire B10n Content Load Balancing Blade Administration Guide for detailed descriptions of the commands.



1. Create an SSL blade entry on the B10n content load balancing blade with the following command.

puma{admin}# config ssl name ssl_device_name ip-addr

Example:

puma{admin}# config ssl name ssl1 192.50.50.205

This command creates an SSL blade entry named ssl1.



Note - The interface IP address must correspond to the one configured on the SSL proxy blade with the set management command.



2. Add a port pair to the entry with the secureport specified at 443 and the clearport specified at 880.

puma{admin}# config ssl port-pair ssl1 secureport 443 clearport 880



Note - These values must correspond to the same values specified on the SSL proxy blade with the set portpair command.




To Verify the SSL Proxy Blade Configuration on the B10n Content Load Balancing Blade

1. Display the basic information about all the SSL blades configured on the B10n content load balancing blade:

puma{admin}# show ssl

2. Display detailed information about the SSL proxy blade entry ssl1:

puma{admin}# show ssl ssl1


To Configure a Layer 7 SSL Service on a B10n Content Load Balancing Blade

1. Create an SSL service on the B10n content load balancing blade that is load balanced on Layer 7 for the HTTP protocol.

puma{admin}# config service name svc1 vip 110.10.10.1:443:tcp ssl 880 interface 0 lb-layer 7 l7-proto http

In this example, the service svc1 is bound to interface 0 and is offered at the VIP 110.10.10.1, port 443, over TCP. The port specified after the ssl keyword (880) is the decrypted port.



Note - The VIP specified for the service (110.10.10.1 in this example) must be configured as the server address in the create service command on all the SSL proxy blades added to the service. The service port (443 in this example) must correspond to the secure port of the port pair associated to the service on the SSL proxy blade and the decrypted port (880 in this example) must correspond to the clear port of the port pair on the SSL proxy blade.



2. Configure the default load balancing group of the service with two servers (192.50.50.10, and 192.50.50.11 in this example) and the load balancing scheme specified as weighted round robin.

puma{admin}# config service lb-group default svc1 server 192.50.50.10:0:tcp:2:1 192.50.50.11:0:tcp:3:1 scheme wt-round-robin

3. Add the SSL proxy blade entry ssl1 to the service in an active mode.

puma{admin}# config service ssl svc1 ssl ssl1:active

An SSL service cannot be enabled until one or more SSL entries are added to it using the config service ssl command.

4. Set the service VLAN:

puma{admin}# config service vlan svc1 vlan N

Where N is the VLAN ID number.

When VLAN tagging is enabled on the service, the B10n content load balancing blade tags all traffic from this service that is destined to the server blades with the VLAN ID number specified here.

Example:

puma{admin}# config service vlan svc1 vlan 5

5. Enable VLAN tagging for the service.

puma{admin}# config enable service vlan svc1

6. Enable the service svc1 on the B10n content load balancing blade:

puma{admin}# config enable service name svc1

7. Check the service configuration on the B10n content load balancing blade:

puma{admin}# show service svc1


Setting Up the SSL Proxy Blade


To Access the SSL Proxy Blade Console

1. Telnet to the Sun Fire B1600 console.

% telnet sc_ip-addr

Where sc_ip-addr is the IP address of the Sun Fire B1600.

2. Get to the SSL proxy blade console:

sc0> console Sn
Login: so
Password: 
CLI#

Where n is the slot number of the SSL proxy blade.


To Set Up the SSL Proxy Blade

1. Create the key on the SSL proxy blade:

CLI# create key
 
Enter key name: key1
Enter key strength (1024): 1024
    Key key1 generated.

This example creates the key key1 on the SSL proxy blade.

2. Use the show key command to display all the keys configured on the SSL proxy blade.

3. Create a self-signed certificate:

CLI# create certificate
 
Enter key name: key1
Enter country (US): abbreviated_country
Enter state or province (CA): abbreviated_state
Enter locality (Company Town): town_name
Enter common name (www.company-name.com): www1.my-company.com
Enter organization (Company Name): my_company_name
Enter organization unit (Company Unit): department
Enter email address (support@company-name.com): email@company_name.domain
Certificate generated. 

The previous example creates a certificate using the key key1. Use the show key command to display the certificate along with the key.

4. Set the parameters on port 1 for operation of the SSL proxy blade in the routed mode.

CLI# set routed
 
Enter port number (1..2) (1): 1 
Enter router inbound IP address (0.0.0.0): 192.50.50.132
Enter primary router outbound IP address (0.0.0.0): 192.100.100.254
Enter secondary router outbound IP address (0.0.0.0): 0.0.0.0

The router inbound IP address corresponds to the management IP address configured on the B10n content load balancing blade with the config ip command.

5. Set the inband (data) IP address on port 1 (192.100.100.205 in this example) and the subnet mask (255.255.255.0 in this example):

CLI# set inband
 
Enter port number (1..2) (1): 1 
Enter inband (data) IP Address (0.0.0.0): 192.100.100.205
Enter inband (data) netmask (255.255.255.0): 255.255.255.0



Note - This address has to be on the same subnet as the outbound router IP address as configured by the set routed command.



6. Set the management parameters on port 1.

CLI# set management
 
Enter port number (1..2) (1): 1 
Enter inband (admin) IP Address (0.0.0.0): 192.50.50.205
Enter inband (admin) netmask (255.255.255.0): 255.255.255.0 

In this example, the management IP is set to 192.50.50.205 with a subnet mask of 255.255.255.0.



Note - This is the IP address from which the SSL proxy blade sends health checks towards the inbound router (that is, the B10n content load balancing blade). It is also the IP address configured on the B10n content load balancing blade for performing health checks on the SSL proxy blade.



7. Set the client VLAN:

CLI# set vlan client N

Where N is the number of the client VLAN.



Note - This is the VLAN on which all SSL encrypted traffic (to be load balanced) from the client is sent. The value must also correspond to that set on the B10n content load balancing blade with the config data vlan command.



Example:

CLI# set vlan client 10

8. Set the management VLAN on port 1:

CLI# set vlan management
 
Enter port number (1..2) (1): 1
Enter management vlan tag (admin) (0..4095): 3



Note - This is the VLAN (3 in this example) on which all the management traffic from the SSL proxy blade is sent (that is, for FTP, export, health checks towards the inbound router, and such). The value must correspond to that set on the B10n content load balancing blade with the config management vlan command.



9. Set the inband (data) VLAN on port 1:

CLI# set vlan inband
 
Enter port number (1..2) (1): 1
Enter management vlan tag (0..4095): 10



Note - This is the VLAN (10 in this example) on which all health check traffic towards the outbound router is sent out. Its value should correspond to that used in the set vlan client command on the SSL proxy blade.



10. Enable the VLAN filtering on the SSL proxy blade:

CLI# set vlan filter enable

For a B10n content load balancing blade with an SSL proxy blade, the VLAN filter must be enabled. This means that the SSL proxy blade will not process any incoming traffic on the client VLAN (10 in this example). This filtering is a security measure on the SSL proxy blade.

11. Configure port pair 1 on the SSL proxy with the secure port specified as 443 and the clear port specified as 880:

CLI# set portpair
 
Enter portpair number (1..4) (1): 1 
Enter secure port (https) (443): 443 
Enter clear port (http) (880): 880



Note - Up to four such port pairs can be configured on the SSL proxy blade. The maximum value of each port cannot exceed 1023. Each of the eight ports in the four port pairs must be unique.



12. Create a service svc1 on the SSL proxy with the key key1 associated with it:

CLI# create service
 
Enter service name: svc1
Enter key name: key1
Enter server IP Address (0.0.0.0): 110.10.10.1
Enter cipher (export/best/optimal/high/medium/low) (best): best
Enter portpair number (1..4) (1): 1
    Service svc1 created.

In this example, the service is offered at the IP address 110.10.10.1. The best cipher is chosen for this service and port pair 1 (with secure port 443 and clear port 880) is configured for the service.

13. Use show service to display all the services configured on the SSL proxy blade.



Note - Unique keys and certificates must be used for each service configured on an SSL proxy blade. The same key and certificate must be used for the same service configured on multiple SSL proxy blades.




Setting Up the Router

Configure the following interfaces on the router.

1. On the client/data VLAN, configure one or more interfaces for the SSL proxy blades and the Sun Fire B100s Solaris server blades to reach the clients.



Note - The address of this interface will be the one configured as the outbound router on the SSL Proxy blade, that is, 192.100.100.254 in this example.



Example:

If the router were a Solaris system, the following command would configure an interface on a client VLAN of 10.

# ifconfig ce10000 addif 192.100.100.254 netmask 255.255.255.0 broadcast + up

2. On the client/data VLAN, configure one interface on each subnet on which services are provided. This provides routes from the clients/external routers to the VIPs (on the VIP side).

In this example, one interface has to be configured on the 110.10.10.0 subnet.

Example:

If the router were a Solaris system, the following command would configure an interface on a client VLAN of 10.

# ifconfig ce10000 addif 110.10.10.254 netmask 255.255.255.0 broadcast + up

3. On the client/data VLAN, configure one interface on each subnet on which clients are configured. This provides routes from the clients/external routers to the services (on the client side).

Example:

If the router were a Solaris system, the following command would configure an interface on a client VLAN of 10 for clients/external routers in the 199.99.9.0 subnet.

# ifconfig ce10000 addif 199.99.9.254 netmask 255.255.255.0 broadcast + up


Setting Up the Sun Fire B1600 Switch


To Get to the Sun Fire B1600 Switch Console

1. If you are not already logged into the switch, Telnet to the Sun Fire B1600 console.

% telnet sc_ip-addr

Where sc_ip-addr is the IP address of the Sun Fire B1600.

2. Get to the switch console:

sc0> console ssc0/swt


To Set Up the Sun Fire B1600 Switch

1. Configure the VLAN database:

Console# configure vlan database 
Console(config-vlan)#

2. Create the management VLAN (3 in this example):

Console(config-vlan)# vlan 3 name mgmt-vlan media ethernet

3. Create the client/data VLAN (10 in this example):

Console(config-vlan)# vlan 10 name client-vlan media ethernet

4. Create the service VLAN (5 in this example):

Console(config-vlan)# vlan 5 name service-vlan media ethernet

5. Exit to the console prompt:

Console(config-vlan)# exit
Console#


To Create VLANs

1. Configure a slot for the B10n content load balancing blade to allow the management, client, and service VLANs:

Console# configure
Console(config)# interface ethernet SNP13
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged 
Console(config-if)# switchport allowed vlan add 5 tagged

Where SNP is the internal port and 13 is the slot number in which the B10n content load balancing blade is located.

2. Configure a slot for the SSL proxy blade to allow the management, client, and service VLANs:

Console# configure
Console(config)# interface ethernet SNP15
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged 
Console(config-if)# switchport allowed vlan add 5 tagged

Where SNP is the internal port and 15 is the slot number in which the SSL proxy blade is located.

3. Configure slots for server blades to allow the management, client, and service VLANs:

Console# configure
Console(config)# interface ethernet SNP10
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged 
Console(config-if)# switchport allowed vlan add 5 tagged

Where SNP is the internal port and 10 is the slot number in which the server blade is located.

4. Configure the uplink port connected to the router to allow the management and client VLANs:

Console# configure
Console(config)# interface ethernet NETP7
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged 

Where NETP is the uplink port and 7 is the uplink port number to which the router is connected.

5. Configure the uplink ports connected to clients/external routers to allow the management and client VLANs:

Console# configure
Console(config)# interface ethernet NETP5
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged

Where NETP is the uplink port and 5 is the uplink port number to which a client/external router is connected.
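The notes in the B10n, SSL proxy blade and switch sections above each state a value that must agree with a value set on another component (management IP, port pair, VIP and ports, VLAN IDs, switch port membership). As an added example that is not part of the Sun Fire guide, the Python script below encodes those correspondences as one check over the chapter's example values; the dictionaries, field names and check_config function are this example's own constructs.

```python
import ipaddress

# Constructed from this chapter's example values; field names are this example's own.
B10N = {
    "ip": "192.50.50.132", "data_vlan": 10, "mgmt_vlan": 3, "slot": "SNP13",
    "ssl_entry_ip": "192.50.50.205",            # config ssl name ssl1 ...
    "port_pair": (443, 880),                    # config ssl port-pair ssl1 ...
    "service": {"vip": "110.10.10.1", "port": 443, "ssl_port": 880, "vlan": 5},
}
SSL_PROXY = {
    "router_inbound": "192.50.50.132", "router_outbound": "192.100.100.254",
    "inband_ip": "192.100.100.205", "inband_mask": "255.255.255.0",
    "mgmt_ip": "192.50.50.205", "client_vlan": 10, "mgmt_vlan": 3, "inband_vlan": 10,
    "port_pairs": [(443, 880)],                 # set portpair, pair 1
    "service": {"server_ip": "110.10.10.1", "port_pair": 1}, "slot": "SNP15",
}
ROUTER = {"client_ifaces": ["192.100.100.254", "110.10.10.254", "199.99.9.254"]}
SWITCH = {"SNP13": {3, 10, 5}, "SNP15": {3, 10, 5}, "SNP10": {3, 10, 5},
          "NETP7": {3, 10}, "NETP5": {3, 10}}   # switchport allowed vlan add ...

def check_config(b10n, ssl, router, switch):
    """Return the list of violated correspondences; an empty list means consistent."""
    p = []
    if b10n["ssl_entry_ip"] != ssl["mgmt_ip"]:
        p.append("config ssl name IP must equal the SSL proxy management IP")
    if ssl["router_inbound"] != b10n["ip"]:
        p.append("set routed inbound IP must equal the B10n interface 0 IP")
    if ssl["router_outbound"] not in router["client_ifaces"]:
        p.append("set routed outbound IP is not a router client-VLAN interface")
    net = ipaddress.ip_network(f"{ssl['router_outbound']}/{ssl['inband_mask']}", strict=False)
    if ipaddress.ip_address(ssl["inband_ip"]) not in net:
        p.append("inband IP must be on the outbound router's subnet")
    pairs = ssl["port_pairs"]
    ports = [x for pr in pairs for x in pr]
    if len(pairs) > 4 or max(ports) > 1023 or len(set(ports)) != len(ports):
        p.append("at most 4 port pairs, every port <= 1023, all ports unique")
    if b10n["port_pair"] not in pairs:
        p.append("B10n port pair must match a set portpair entry")
    svc, ssvc = b10n["service"], ssl["service"]
    secure, clear = pairs[ssvc["port_pair"] - 1]
    if svc["vip"] != ssvc["server_ip"] or (svc["port"], svc["ssl_port"]) != (secure, clear):
        p.append("service VIP and ports must match create service and its port pair")
    if not (b10n["data_vlan"] == ssl["client_vlan"] == ssl["inband_vlan"]):
        p.append("B10n data VLAN, SSL client VLAN and inband VLAN must agree")
    if b10n["mgmt_vlan"] != ssl["mgmt_vlan"]:
        p.append("management VLANs must agree")
    need = {b10n["mgmt_vlan"], b10n["data_vlan"], svc["vlan"]}
    for slot in (b10n["slot"], ssl["slot"]):
        if not need <= switch.get(slot, set()):
            p.append(f"switch port {slot} must allow VLANs {sorted(need)}")
    return p

if __name__ == "__main__":
    print("\n".join(check_config(B10N, SSL_PROXY, ROUTER, SWITCH) or ["consistent"]))
```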


Setting Up Sun Fire B100s Solaris Server Blades

1. Return to the Solaris prompt and download and install the clbmod packages:

# cd location_of_the_clbmod_packages
# pkgadd -d .

2. Configure the real IP address on the management VLAN (3 in this example):

# ifconfig ce3000 plumb 192.50.50.10 netmask 255.255.255.0 up

This example shows switch 0 as active, so interface ce0 is being configured.

3. Configure any (unique) IP on the service VLAN (5 in this example):

# ifconfig ce5000 plumb 0.0.0.0 netmask 255.255.255.0 up

4. Configure IP on the client/data VLAN (10 in this example) to reach the clients through the router:

# ifconfig ce10000 plumb 192.100.100.10 netmask 255.255.255.0 up

5. Configure the VIPs on the loopback interface, for example:

# ifconfig lo0:1 plumb 110.10.10.1 netmask 255.255.255.0 up

6. Add the interfaces to the clbmod:

# /opt/SUNWclb/bin/clbconfig add ce3000
# /opt/SUNWclb/bin/clbconfig add ce5000
# /opt/SUNWclb/bin/clbconfig add ce10000

Add ce3000, ce5000, ce10000 to /etc/opt/SUNWclb/clb.conf, one on each line, to automatically add the interfaces to clbmod across reboots.

7. Check the interfaces on which the module is plumbed:

# /opt/SUNWclb/bin/clbconfig list

8. Make sure the Sun Fire B100s Solaris server blade is not routing; that is, the /etc/notrouter file should be present.

9. Configure your web server to listen on the decrypted port, that is, 880 in this example.

10. Repeat the above steps for each server blade you want to configure.


Setting Up Clients/External Routers

On the clients/external routers, add routes to the VIPs that use interfaces on the client VLAN (10 in this example), with the gateway set to the client side interface on the router described in Setting Up the Router.

Example:

On a Solaris client directly connected to one of the uplink ports of the B1600, the following commands can be used:

# ifconfig ce10000 plumb 199.99.9.101 netmask 255.255.255.0 broadcast + up

This command configures a ce0 interface on VLAN 10 with an IP address of 199.99.9.101 which is on the same subnet as the client side interface (199.99.9.254) on the router as specified in section Setting Up the Router.

# route add -net 110.10.10.0 199.99.9.254 static

This adds a static route to the VIPs in the 110.10.10.0 subnet through the client side interface (199.99.9.254) on the router as specified in section Setting Up the Router.