This section explains how to use Apache HTTP server to load balance the WSO2 Identity Server cluster nodes.
You need to install Apache HTTP server. If you are using Linux, you can easily install it by using apt-get, zypper, or another installation program as follows:
You need to enable the necessary modules. These are:
If a2enmod or a similar command is available in your Linux version, you can use it to enable these modules.
- You need key and certificate files to configure SSL communication with Apache HTTP server.
The following are the summarized steps to create a key and a certificate using a self-signed Certificate Authority (CA). The default openssl configuration is used here (in Ubuntu, the default openssl configuration file can be found at
- Create a local Certificate Authority (CA) using OpenSSL.
First build the CA key using the following command:
Next, build the certificate of the CA. This is the CA’s certificate and it can be publicly available.
- Generate a server key and CSR (Certificate Signing Request).
The private key for the Apache HTTP server is built with the default openssl configuration.
Then a CSR is created to be signed by a Certificate Authority.
Sign the certificate signing request (CSR) with the self-created Certificate Authority (CA).
Make a server.key which does not cause Apache to prompt for a password.
Now you have the key file (server.key) and the certificate file (server.crt). Use the following steps to balance the WSO2 Identity Server load using Apache HTTP server.
Configure virtual host containing following sample content (in Ubuntu you can create it inside
Important notes on this configuration:
- Assume that Apache HTTP server and the WSO2 Identity Server cluster (2 nodes with HTTPS ports 9443 and 9444) are running on the same machine (localhost).
- All the requests that come to the 443 port are load balanced to 9443 and 9444.
ServerAlias parameters are set to “
SSL is enabled for both the client side (for clients who call the Apache HTTP server) and the back-end servers (for WSO2 Identity Server nodes).
Certificate validation is not enabled for backend services.
- A proxy is created to send all requests to
- In the wso2.identity.domain load balancer configuration, members (WSO2 Identity Server nodes) are defined with the following two parameters:
  - route: This defines the jvmRoute parameter which is configured in the corresponding WSO2 Identity Server node. This parameter is needed to achieve sticky sessions.
  - loadfactor: This defines how load must be shared between the two nodes. It configures equal load for both nodes.
You can find more details in the Apache HTTP server docs and you can define your own configuration. The virtual host configuration defined above is just a sample.
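The balancer settings described in the notes above, sketched as a virtual host with back-end certificate validation turned on instead of off. This is an added example, not the original sample configuration from this page; the host name, the file paths, the route values node1/node2 and the JSESSIONID cookie name are assumptions.

```apache
<VirtualHost *:443>
    # Placeholder host name: the ServerName/ServerAlias value is not shown on this page.
    ServerName is.example.test

    # Client-side TLS with the server.key / server.crt created earlier (assumed paths).
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Back-end TLS towards the WSO2 Identity Server nodes.
    SSLProxyEngine on

    # Leaving validation off, as the sample does, is what "SSLProxyVerify none"
    # (Apache's default) gives you: any certificate presented on 9443/9444 is accepted.
    # Hardened alternative: accept only node certificates issued by a CA you trust.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt
    # The node certificate must carry the name used in the BalancerMember URL
    # (localhost here) and must not be expired.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    <Proxy "balancer://wso2.identity.domain">
        # route must equal the jvmRoute of the node behind that port (assumed IDs).
        # Equal loadfactor values share the load evenly between the two nodes.
        BalancerMember "https://localhost:9443" route=node1 loadfactor=1
        BalancerMember "https://localhost:9444" route=node2 loadfactor=1
        # Sticky sessions keyed on the session cookie (assumed name).
        ProxySet lbmethod=byrequests stickysession=JSESSIONID
    </Proxy>

    # Everything arriving on 443 is handed to the balancer.
    ProxyPass        "/" "balancer://wso2.identity.domain/"
    ProxyPassReverse "/" "balancer://wso2.identity.domain/"
</VirtualHost>
```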
Enable the virtual host configuration. If a2ensite or a similar command is available in your Linux version, you can use it to enable the configuration.
- Restart Apache HTTP server.
In Linux, use:
Restart the WSO2 Identity Server nodes with the proper jvmRoute IDs (since we have configured this in the virtual host configuration).
Pass the corresponding jvmRoute ID as a system property value.
For example, in Linux before the WSO2 IS server is started you can set the following:
Or you can set this in the wso2server.sh or wso2server.bat. In the wso2server.sh script file, you can set it using the following:
Change your client application (web app or Java client) to connect to the Apache HTTP server.
The client needs to communicate with the Apache HTTP server using SSL. Therefore, the server must be trusted by your client application, so you need to export the CA certificate of the Apache HTTP server into the client’s trust store.