Port3101.org : Your BES Connection



Load Balancer Configuration and SSL Certificate Placement with BAS
 
#1 | Otto (Proprietor) | 07-21-2009, 09:13 AM

Two questions, as DART seems to be incapable of making recommendations and RIM seems to be incapable of issuing best practices outside of a limited scope of knowledge:

1 - Would you recommend placing the SSL certificate on the hardware load balancer (F5, Cisco, etc) or on the BAS web servers?

My thoughts are to off-load the SSL traffic to the load balancers, especially in the instance where you'd be deploying Web Desktop Manager, and have it translate to the BAS servers over the HTTP/18180 port. However, I wanted to see what everyone else had to say before I made a final decision.

2 - If the recommendation is to place the SSL certificate on the BAS web servers, how exactly would you add the certificate to the second (or third or fourth) BAS server?

In my testing, I went through the normal steps to generate and add the new certificate (genkey, import root, certreq, import cert) to the first BAS server and it came online just fine. However, when I went through the steps to import the certificate to the second BAS server (import root, import cert), it would not fully start the BAS-AS service. The BAS-NCC service has the following issue at the end of the log just prior to starting:

Code:
(07/20 20:26:13:890):{main} [STDOUT] [INFO] com.sun.net.ssl.internal.ssl.SSLSessionContextImpl@2130c2
(07/20 20:26:13:921):{AcceptorThread#0:23843} [org.jboss.remoting.transport.socket.SocketServerInvoker] [ERROR] SSLServerSocket error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
	at org.jboss.security.ssl.DomainServerSocket.accept(DomainServerSocket.java:84)
	at org.jboss.security.ssl.DomainServerSocket.invoke(DomainServerSocket.java:60)
	at javax.net.ssl.SSLServerSocket_$$_javassist_1.accept(SSLServerSocket_$$_javassist_1.java)
	at org.jboss.remoting.transport.socket.SocketServerInvoker.run(SocketServerInvoker.java:520)
	at java.lang.Thread.run(Unknown Source)

In my experience with other software vendors, they have always made recommendations for load balancer configurations as they best work with their product. It was recommended that I contact Cisco for details on how to configure the load balancer. I'm not even asking the more complicated questions about Stickiness configuration, Probe configuration, etc. I'm simply asking a question about something that is being HIGHLY recommended by the software vendor with no best practices or actual documented recommendations being made.
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.
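
Added example, not part of the original post: a common cause of the SSLException quoted above is a keystore that holds certificates but no private-key entry, which is what results when only "import root, import cert" is run on a node that never ran genkey. The sketch below checks `keytool -list` text for that condition; the sample listings, aliases and fingerprints are constructed, and attributing the second node's failure to a missing key is an assumption.

```python
import re

# Constructed `keytool -list` output for two BAS nodes (aliases, dates and
# fingerprints are made up). Node 2 only had certificates imported.
NODE1 = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jul 20, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44
bas, Jul 20, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): AA:BB:CC:DD
"""
NODE2 = NODE1.replace("PrivateKeyEntry", "trustedCertEntry")

# "<alias>, <date with commas>, <type>Entry," is the per-entry summary line.
ENTRY = re.compile(r"^(?P<alias>[^,]+),.*?,\s*(?P<kind>\w+Entry),\s*$")
KEY_KINDS = {"PrivateKeyEntry", "keyEntry"}  # newer / older keytool wording

def parse_entries(listing):
    """Return {alias: entry_type} from `keytool -list` text output."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("kind")
    return entries

def can_serve_tls(listing):
    """True if at least one entry carries a private key the SSL socket can use."""
    return any(kind in KEY_KINDS for kind in parse_entries(listing).values())

def diagnose(listing):
    """Summarise whether the keystore can back an SSL server socket."""
    entries = parse_entries(listing)
    if not entries:
        return "no entries parsed"
    if can_serve_tls(listing):
        return "ok: private key entry present"
    return ("no private key: %s are certificates only, so the server has "
            "nothing to present during the handshake" % ", ".join(sorted(entries)))

if __name__ == "__main__":
    for name, text in (("node1", NODE1), ("node2", NODE2)):
        print(name, "->", diagnose(text))
```

On a node that fails this check, importing the signed certificate again does not help: the keystore needs the key pair the certificate was issued for, or its own key pair and certificate request.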

#2 | BES Administrator | 11-16-2009, 08:14 PM

I recently read through the Installation & Configuration guide about how to create an Administration Service pool using DNS round robin, but I could not find instructions about how to configure the pool with a hardware load balancer.

I contacted RIM through our Tx3 subscription informing them that we plan to use an F5 load balancer, & asked if they could provide me with information on how to create an Administration Service pool using a hardware load balancer.

This was the reply:
When setting up a hardware load balancer it would depend on the settings with the load balancer. So you will want to point the BES to the Hardware load balancer then configure the Administration Service Pool.

Not overly helpful. Does anyone else have experience with this & can shed some light?

#3 | RadHaz75 (BES Expert) | 11-16-2009, 09:03 PM
i stumbled upon this a week or two ago...

http://www.kmsigma.com/subtext/archi...rvers-bas.aspx

the link seems to be down right now but if you google "blackberry administration service load balancer" it's the 3rd link down and you can view the cached version.

otto, did you ever figure out what to use for sticky bits? i'm leaning towards ssl.
__________________
Two months ago, I saw a provocative movie on cable TV. It was called The Net, with that girl from the bus.

#4 | Otto (Proprietor) | 11-17-2009, 12:01 AM

Really, nothing much for me to do with regards to sticky bits. As we need to maintain the session, it is enabled on the load balancer configuration for this particular VIP. Here's the SSL configuration with regards to the individual nodes. Per RIM, using HTTP/18180 port is not supported for general web traffic (we use it for our health/status probes, though).

BES 5.0 - Installing an SSL Certificate for BAS/WDM
All times are GMT -4.