Apache2 Load Balancer and Proxy for Identity Applications


Due to the requirements of high availability environments and the need for Identity Application Clusters, the use of a LoadBalancer is necessary.

Apache2 comes with balancer and proxy functionalities by default.

With the modules mod_proxy and mod_proxy_balancer a configured Identity Application Cluster (see: https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/b1hipio1.html) can be set up.

In the following setup our LoadBalancer is called ia.mynetwork.com and the two Identity Applications Servers ianode1.mynetwork.com and ianode2.mynetwork.com

Identity Applications Cluster

For the setup it is necessary that Identity Applications are configured for cluster operation: https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/b17v4ys4.html

Tomcat Configuration

The Tomcat instances must be prepared for proxy operations.

Edit the server.xml (/opt/netiq/idm/apps/tomcat/conf/server.xml) and adapt the existing connector:


<Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol" ... proxyPort="443" proxyName="ia.mynetwork.com"/>


Set the Engine Parameter jvmRoute:


<Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">


Restart the Tomcat instance:

systemctrl restart netiq-tomcat.service

Apache2 Configuration

We need an Apache2 instance that can reach the Identity Applications Servers.
Furthermore we have to activate the mentioned Apache2 modules and the module mod_lbmethod_byrequests to use the advantages of the LoadBalancer.

a2enmod mod_proxy

a2enmod proxy_http

a2enmod proxy_balancer

a2enmod lbmethod_byrequests

Virtual Host

As a last step we need an Apache2 virtual host configuration:



<VirtualHost *:443> ServerName ia.mynetwork.com DocumentRoot "/srv/www/htdocs" ErrorLog /var/log/apache2/error_log TransferLog /var/log/apache2/access_log SSLEngine on SSLCertificateFile /opt/netiq/security/certificate.crt SSLCertificateKeyFile /opt/netiq/security/privatekey.pem <Proxy balancer://userapp> Require all granted BalancerMember https://ianode1.mynetwork.com:8543 route=node1 BalancerMember https://ianode2.mynetwork.com:8543 route=node2 ProxySet stickysession=JSESSIONID|jsessionid ProxySet timeout=30 </Proxy> SSLProxyEngine on ProxyRequests Off ProxyStatus On proxyPreserveHost On proxyPassreverseCookiePath / / proxyPass /IDMProv balancer://userapp/IDMProv proxyPass /osp balancer://userapp/osp proxyPass /sspr balancer://userapp/sspr proxyPass /idmdash balancer://userapp/idmdash proxyPass /idmadmin balancer://userapp/idmadmin proxyPass /idmappsdoc balancer://userapp/idmappsdoc <Location "/balancer-manager"> SetHandler balancer-manager Require host localhost </Location> ProxyPassReverse / https://ianode1.mynetwork.com:8543 ProxyPassReverse / https://ianode2.mynetwork.com:8543 </VirtualHost>


Finally, the URLs in the Identity Application (OSP, UserApplication, Identity Applications, SSPR etc.) must be adapted to the load balancer address.

Use/opt/netiq/idm/apps/configupdate/configupdate.sh and edit /opt/netiq/idm/apps/sspr/sspr_data/SSPRConfiguration.xml (or use the webinterface /sspr/private/config/editor?sso=false)

You can check and control the balancer with the url /balancer-manager.


I also use this setup in environments where load balancing is not necessary, but I cannot adjust the ports of the Identity Applications or port 443 is already used on the server, for example with an Open Enterprise Server.


How To-Best Practice
Comment List