Clustering PicketLink applications (idp,sp) with mod_proxy
Environment
Red Hat JBoss Enterprise Application Platform (EAP)
- 6.0.x
- 6.1.x
Issue
We want to set up a cluster of EAP 6 instances and deploy PicketLink-enabled applications to it.
We need to be able to deploy both the SP and the IdP applications to the cluster.
This needs to be done with mod_proxy (mod_proxy_balancer), not mod_cluster.
Resolution
The setup below uses an EAP domain for ease of configuration, but the same configuration applies to standalone instances.
The following names are used:
host: slave10.usersys.redhat.com
- host.xml: name=slave10
- one instance with name "i10"
host: slave11.usersys.redhat.com
- host.xml: name=slave11
- one instance with name "i11"
The mod_proxy config:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
ProxyRequests off
ProxyPreserveHost On
<Proxy balancer://jbossfarm>
BalancerMember http://slave10.usersys.redhat.com:8080 route=i10
BalancerMember http://slave11.usersys.redhat.com:8080 route=i11
</Proxy>
# A PicketLink enabled sp
ProxyPass /plhello balancer://jbossfarm/plhello stickysession=JSESSIONID lbmethod=bytraffic nofailover=Off
ProxyPassReverse /plhello balancer://jbossfarm/plhello
# PicketLink IDP
ProxyPass /idp balancer://jbossfarm/idp stickysession=JSESSIONID lbmethod=bytraffic nofailover=Off
ProxyPassReverse /idp balancer://jbossfarm/idp
Note the "route=i10" / "route=i11" parameters: they must match the JBoss instance names. JBoss Web appends ".<instance-id>" to the JSESSIONID it issues, and mod_proxy_balancer uses that suffix to send every later request of the session to the BalancerMember with the same route. If the names differ, the suffix matches no member and the request is balanced by lbmethod instead, so the SAML conversation can land on an instance that has no session for it.
The web subsystem:
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" instance-id="${jboss.server.name}" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="usersys.redhat.com"/>
        <sso cache-container="web" cache-name="sso" domain="usersys.redhat.com" reauthenticate="false"/>
    </virtual-server>
</subsystem>
Note:
- instance-id="${jboss.server.name}"
In domain mode this evaluates to "i10" and "i11". In standalone mode, hardcode the value on each instance so that it equals the route of that instance's BalancerMember.
- The IdP and SP applications must have "<distributable/>" in their web.xml so that their sessions are replicated across the cluster.
- All IdentityURL and ServiceURL values in "picketlink.xml" must point to the Apache web server (the balancer), never to an individual EAP instance, so that every SAML redirect goes through the balancer and keeps the session sticky.
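The three relationships the notes above depend on (route name equals instance-id, every ProxyPass carries stickysession=JSESSIONID, and picketlink.xml URLs go through Apache) are easy to break when a node is renamed or added. The following script is an added example, not part of this Red Hat solution: it parses the mod_proxy fragment from this article (embedded as constructed sample input), models how mod_proxy_balancer derives the route from a JSESSIONID cookie, and reports mismatches. The Apache hostname apache.usersys.redhat.com and the picketlink.xml URL values are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the mod_proxy fragment used in this article.
HTTPD_CONF = """
ProxyRequests off
ProxyPreserveHost On
<Proxy balancer://jbossfarm>
BalancerMember http://slave10.usersys.redhat.com:8080 route=i10
BalancerMember http://slave11.usersys.redhat.com:8080 route=i11
</Proxy>
ProxyPass /plhello balancer://jbossfarm/plhello stickysession=JSESSIONID lbmethod=bytraffic nofailover=Off
ProxyPassReverse /plhello balancer://jbossfarm/plhello
ProxyPass /idp balancer://jbossfarm/idp stickysession=JSESSIONID lbmethod=bytraffic nofailover=Off
ProxyPassReverse /idp balancer://jbossfarm/idp
"""

# Assumed values for the demonstration (not from the article).
APACHE_HOST = "apache.usersys.redhat.com"
PICKETLINK_URLS = [
    "http://apache.usersys.redhat.com/idp/",            # correct: via the balancer
    "http://slave10.usersys.redhat.com:8080/plhello/",  # wrong: bypasses the balancer
]

MEMBER_RE = re.compile(r"^\s*BalancerMember\s+(\S+)\s*(.*)$", re.M)
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)\s*(.*)$", re.M)


def parse_params(text):
    """Turn an Apache 'key=value key=value' parameter tail into a dict."""
    return dict(kv.split("=", 1) for kv in text.split() if "=" in kv)


def balancer_routes(conf):
    """Map route name -> backend URL from the BalancerMember lines."""
    routes = {}
    for m in MEMBER_RE.finditer(conf):
        params = parse_params(m.group(2))
        if "route" in params:
            routes[params["route"]] = m.group(1)
    return routes


def session_route(cookie_header, sticky="JSESSIONID"):
    """Route as mod_proxy_balancer sees it: the part of the sticky cookie
    value after the first '.', which JBoss Web fills with its instance-id.
    Returns None when the cookie is absent or carries no suffix."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == sticky and "." in value:
            return value.split(".", 1)[1]
    return None


def pick_member(routes, cookie_header):
    """Backend a sticky request goes to, or None when the balancer falls back
    to its lbmethod (no route in the cookie, or a route no member declares)."""
    route = session_route(cookie_header)
    return routes.get(route) if route else None


def missing_instance_ids(conf, instance_ids):
    """Routes declared in httpd.conf that no JBoss instance-id matches.
    Such members never receive sticky traffic: the suffix the backend writes
    never equals their route."""
    return set(balancer_routes(conf)) - set(instance_ids)


def non_sticky_paths(conf):
    """ProxyPass paths that are missing stickysession=JSESSIONID."""
    return [m.group(1) for m in PROXYPASS_RE.finditer(conf)
            if parse_params(m.group(3)).get("stickysession") != "JSESSIONID"]


def urls_not_via_apache(urls, apache_host):
    """picketlink.xml IdentityURL/ServiceURL values whose host is not the
    Apache front end; SAML redirects to them bypass the sticky route."""
    return [u for u in urls if urlparse(u).hostname != apache_host]


if __name__ == "__main__":
    routes = balancer_routes(HTTPD_CONF)
    print("routes:", routes)
    print("sticky to:", pick_member(routes, "JSESSIONID=0A1B2C3D.i11; other=x"))
    print("no instance-id for routes:", missing_instance_ids(HTTPD_CONF, {"i10", "i11"}))
    print("paths without stickiness:", non_sticky_paths(HTTPD_CONF))
    print("URLs bypassing Apache:", urls_not_via_apache(PICKETLINK_URLS, APACHE_HOST))
```

Run it against the real httpd.conf and the list of instance-ids from host.xml (or the standalone configuration) whenever a node is added; a non-empty result from any of the three check functions means the cluster will lose SAML sessions between redirects.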
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.