Use the steps in this topic to configure AWS Elastic Load Balancer as the load balancer for WSO2 products.
Clustering deployment pattern
This cluster consist of three WSO2 Application Server instances running in separate EC2 instances as two worker nodes and one manager node. AWS ELB performs load balancing with this cluster by distributing incoming requests to the worker nodes via HTTP/S on port 80/443. In order to access the management console via load balancer we need a separate AWS ELB to make the request as https://mgt.as.wso2.com/carbon.
Configuring AWS ELB
- Sign in to the AWS Management Console.
- On the Amazon EC2 Resources console, click on Load Balancers under the Network & Security section.
- Click Create Load Balancer. In the page that appears, do the following.
- Specify Load Balancer Name and Create LB inside.
- Specify HTTP and HTTPS ports (here we have specify HTTP load balancer port 80 with Instance port 9763 and HTTPS load balancer port 443 with Instance port 9443).
- Click Continue.
- In the Select Certificate section, provide the SSL certificates to configure the HTTPS listeners of the load balancer.
Choose to use an existing SSL Certificate.
In the Select a Cipher section, you must provide the security policies to configure the SSL negotiation settings of the load balancer.
Select Predefined Security Policy or create a Custom Security Policy.
In the Configure Health Check section, the load balancer automatically perform health checks on EC2 instances and only routes to instances that pass the health check.
Specify the Ping Protocol, and Ping Port as shown in the image above.
In the Add EC2 Instances section, set up worker nodes to the load balancer and click Continue.
- In the Review section, you can review the configuration you made.
- Finally click Create and a message appears indicating that you have successfully created the load balancer. Now you can see the ELB configuration in the dashboard.
- In order to configure the AWS ELB to access the AS management console, follow the same steps above: There we need to setup HTTPS (443 -> 9444) port only and need to add EC2 instance which has manager node configurations.
Uploading a new SSL certificate
Extract the "Private Key" and "Public Key Certificate" from wso2carbon.jks. Type the password "wso2carbon" each time you are prompted.
- Extract PK in PKCS12 format.
keytool -v -importkeystore -srckeystore wso2carbon.jks -srcalias wso2carbon -destkeystore mypkcs12file.p12 -deststoretype PKCS12
- Print the key.
openssl pkcs12 -in mypkcs12file.p12 -nocerts -nodes
- Copy only the key ("Begin Private Key" to "End Private Key") to a separate file (private.pem).
- Remove the password from the extracted key. Note that
server.keyis the private key here.
openssl rsa -in private.pem -out server.key
- Extract the public key. Note that
public.certis the public key.
keytool -export -alias wso2carbon -keystore wso2carbon.jks -rfc -file public.cert
Now copy and paste private/public keys in the AWS management console. Note that you have to copy including "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
Give a meaningful name to the certificate.
This includes any additional configurations that are specific to the WSO2 product you are configuring.
Note: When configuring this for WSO2 API Manager 2.0.0 and more recent versions, you must configure ciphers for this in the
<APIM_HOME>/repository/conf/tomcat/catalina_server.xml file. This is done so that the AWS ELB can communicate with the WSO2 API Manager. The following is a sample configuration.