How to configure BlackBerry Social Networking Application Proxy load balancing using IIS

Article ID: KB22988

Type: Support Content

Last Modified: 12-14-2011

 

Product(s) Affected:

  • BlackBerry Client for IBM Lotus Quickr
  • BlackBerry Client for IBM Connections
  • BlackBerry Social Networking Application Proxy
CollapseEnvironment
  • BlackBerry® Client for IBM® Lotus® Connections
  • BlackBerry® Client for IBM® Lotus® Quickr
  • BlackBerry® Social Networking Application Proxy
CollapseOverview

Load balancing is one of the ways to increase the number of concurrent client connections to the application server. There are two types of load balancers that can be used.

  1. Hardware load balancer
  2. Software load balancer

The scope of this document to provide steps for load balancing the multiple instances of BlackBerry SNAP Service deployed on Tomcat servers using software load balancer. There are several commercial and non-commercial software load balancers available in the market that can used for load balancing Tomcat server; however we will use Microsoft Internet Information Server (IIS) 6 and ISAPI plug-in module with AJP protocol.

The IIS server is scalable web server that can accept user requests and sends them to balanced instances of Tomcat server using ISAPI plug-in module in between. The jk module (ISAPI) has an integrated virtual load balancer worker that can contain any number of physical workers or particular physical nodes. Each of the nodes can have its own balance factor or the worker's quota (lbfactor). The Lbfactor is how much we expect this worker to work in other words workers's work quota. To setup the round robin (symmetric) topology as it’s shown in this document set equivalent lbfactor for all nodes serving as part of load balancer configuration.

 


  1. BlackBerry® Social Networking Application Proxy Installation and Configuration
  2. Feed Reader Configuration
  3. IIS 6 Installation
  4. IIS and BlackBerry Social Networking Application Proxy Integration
  5. Testing and Troubleshooting
  6. SSL Configuration on IIS
  7. Update IT Policy Rules for Client setup

1 - BlackBerry® Social Networking Application Proxy Installation and Configuration

  1. Follow the BlackBerry® Social Networking Application Proxy installation guide to install Social Networking Application Proxy service for node1 and node2. Skip this step if the BlackBerry Social Networking Application Proxy has already been installed on targeted nodes.
  2. Find server.xml located under C:\Program Files\Research In Motion\BlackBerry\SNAP\snap_tomcat\conf\ directory for all BlackBerry Social Networking Application Proxy service nodes.
  3. Modify server.xml as per following instructions. Follow same instructions for every additional node in the cluster.
    • Node 1:

      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"></Connector>
      <Engine defaultHost="localhost" jvmRoute="node1" name="Catalina">
      :
      :
      </Engine>

    • Node 2:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443">
    </Connector>
    <Engine defaultHost="localhost" jvmRoute="node2" name="Catalina">
    :
    :
    </Engine>

  4. Restart the BlackBerry Social Networking Application Proxy Services on all nodes.

2 - Feed Reader Configuration

Feed Reader Service should not run in load balancing environment, therefore all BlackBerry Social Networking Application Proxy nodes should point to one active Feed Reader service. The following steps describe how to configure Feed Reader for snap nodes that are running in clustered environment.

Select the Feed Reader Service installed on node1 or node2 to be the active Feed Reader service.

Note: You must have only one Feed Reader active among all nodes in the clustered environment, therefore it is advised to stop Windows “BlackBerry SNAP FeedReader” service on all other nodes

  1. Log on to node1 using https://<node1_SNAP_server_name>:22446/snapconsole
  2. Under IBM® Lotus® Connections panel
    1. Click on Homepage Subscription
    2. In right from Homepage Subscription Configuration drop down select Enable
    3. Provide the Feed Reader URL that you have selected in step #1 (if Feed Reader Service on NODE1 is selected, https://<node1_SNAP_server_name>:22444/snap/DeviceConnector)

  3. Repeat step 2 for Node2 BlackBerry Social Networking Application Proxy server (https://<node2_SNAP_server_name>:22446/snapconsole) and every snap node in the cluster
  4. Restart the BlackBerry Social Networking Application Proxy Services from each and every snap node in the cluster.

3 - IIS 6 Installation

The following is the configuration for IIS 6 and ISAPI server plug-in module on Windows Server 2008 / 2003 is to perform weighted round-robin load balancing with sticky sessions between two BlackBerry Social Networking Application Proxy Services; node1 and node2 over the AJP protocol.

  1. Verify if IIS 6 is already installed;
    1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs.
    2. Click the Add/Remove Windows Components button. The Windows Components Wizard starts.
    3. On the Windows Components page, verify that Application Server is selected.
  2. If IIS 6 is not installed (or “Application Server” is not selected in #1)
    1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs.
    2. Click the Add/Remove Windows Components button. The Windows Components Wizard starts.
    3. In the Windows Components Wizard, under Components, select Application Server.

    4. Click Next then follow the instructions provided by the wizard.
    5. After wizard completes the installation, click Finish.

4 - IIS and BlackBerry Social Networking Application Proxy Integration

  1. Now that IIS is being installed, you need to download the ISAPI Server Plug-in to configure the JK 1.2 Connector which will allow IIS to effectively act as a Load Balancer and forward requests to BlackBerry Social Networking Application Proxy Nodes. The ISAPI Server plug-in for IIS can be download from http://apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.30/isapi_redirect-1.2.30.dll
  2. Create C:\ISAPI\Tomcat directory and place isapi_redirect_1.2.30.dll and rename it to isapi_redirect.dll. Keep in mind that the C:\ISAPI\Tomcat directory will be accessed by IIS server.
  3. Create workers.properties and uriworkermap.properties property files in C:\ISAPI\Tomcat directory

    workers.properties file

    # Define workers using ajp13
    worker.list=loadbalancer
    # Set properties for worker1 (ajp13)
    worker.node1.port=8009
    worker.node1.host=<node1 SNAP server IP / DNS name>
    worker.node1.type=ajp13
    worker.node1.lbfactor=1
    #worker.node1.cache_timeout=600

    # Set properties for worker2 (ajp13)
    worker.node2.port=8009
    worker.node1.host=<node2 SNAP server IP / DNS name>
    worker.node2.type=ajp13
    worker.node2.lbfactor=1
    #worker.node2.cache_timeout=600

    # Load-balancing behavior
    worker.loadbalancer.type=lb
    worker.loadbalancer.balanced_workers=node1,node2
    worker.loadbalancer.sticky_session=1

    # Ends worker.properties here

    uriworkermap.properties file

    #Begins URI mapping configuration

    # Mount the context to the ajp13 worker
    /snapconsole=loadbalancer
    /snapconsole/*=loadbalancer
    /lcs-250/*=loadbalancer
    /qkr-110/*=loadbalancer
    /lcsClient/*= loadbalancer
    /qkrClient/*= loadbalancer

    Ends URI mapping configuration

  4. Create isapi_redirect.properties property files in C:\ISAPI\Tomcat directory

    isapi_redirect.properties

    extension_uri=/jakarta/isapi_redirect.dll
    log_file=C:\\isapi\tomcat\\isapi_redirect.log
    #log_levels: debug|info|warn|error
    log_level=info
    worker_file=C:\\isapi\tomcat\\workers.properties
    worker_mount_file=C:\\isapi\tomcat\uriworkermap.properties

      Note: Step 4 can be replaced by editing above properties in windows registry. For that, create isapi_redirect.reg file, edit as given below.

    isapi_redirect.reg

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
    "extension_uri"="/jakarta/isapi_redirect.dll"
    "log_file"="C:\\isapi\tomcat\\iis_redirect.log"
    "log_level"="info"
    "worker_file"="C:\\isapi\tomcat\\workers.properties "
    "worker_mount_file"="C:\\isapi\tomcat\\uriworkermap.properties"

  5. Once the file has been created, double click on it and you will be see a prompt as shown below. Click Yes to execute.

  6. To verify the registry, go to Start > Run and enter regedit. Once registry is open navigate to path  “HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0 ” and make sure all the values are correctly stored.

Now the IIS needs to be configured. Go to Start > Run and enter C:\WINDOWS\system32\inetsrv\iis.msc. This will open up IIS console.

  1. To create the new Virtual Directory, expand “Web Sites” and than right click on “Default Web Site” (or any other web site). In drop down menu select New > Virtual Directory …



    Click Next button on wizard window. Enter “jakarta” as Alias name, click Next Select isapi_redirect.dll file path and click Next

    The Virtual Directory for ISAPI will need to have Execute permission in order to function properly. Therefore select Read, Run scripts and Execute as shown below. Click Next button.



    Click Finish button on next dialog window.
  2. The next step is to add an ISAPI filter on the web site. To do this open the “Default Web Site” Properties and click the ISAPI Filters tab.

    Select ISAPI Filters. Click on Add button.



    Add filter name and path to isapi_redirect.dll file



    Note:
    The priority shows “Unknown” and status is empty because IIS has not received any requests for this particular resource. Once you execute a request you should see Status change to Loaded with a priority of High.



  3. The final step is to add “Web Service Extension” for the Tomcat Connector. To do this add a new web service extension and set its status to Allowed as shown here.



    Enter Extension Name and Required Files (isapi_redirect.dll) as shown below. Click Add button

    Select the isapi_tomcat web service extensions and click Allow on next screen.


  4. Restart the IIS Server as shown below.


  5. Click OK on next popup.

5 - Testing and Troubleshooting

  1. Make sure the BlackBerry Social Networking Application Proxy service on all nodes is running. To test open IE browser and type https://<Node1_or_Node2 URL>:22443/lcs-250/services.
  2. Now open another IE browser and type http://loadbalancer_server_url/lcs-250/services

    Errors: HTTP 500
    • Make sure that virtual directory created was called “jakarta
    • Make sure that "isapi_redirect.dll" follows "/jakarta/" in the extension_uri setting in isapi_redirect.properties
    • Make sure that the path for worker_file and worker_mount_file is correct in isapi_redirect.properties
    • Check the workers.properties file and make sure the port setting for worker.ajp12.port is the same as the port specified in the server.xml for the "Apache AJP12 support".
    Errors: HTTP 404
    • Make sure the url entered is correct
    Errors: HTTP 200, HTTP 403
    • Make sure the Execute Access for jakarta Virtual Directory is checked in IIS web site.

6 - SSL Configuration on IIS

To build a secure infrastructure based on public-key cryptography by using digital certificates with technologies such as secure socket layer (SSL). To secure the SNAP it is advised to configure Load Balancer (IIS) on SSL that encrypts all the communication received by IIS and get forwarded to SNAP.

Following are the steps discuss how to setup SSL on an Internet Information Server (IIS).

Create a Certificate Request

  1. Start the Internet Service Manager (ISM), which loads the Internet Information Server snap-in for the Microsoft Management Console (MMC). To do this click on Start > Run and type C:\WINDOWS\system32\inetsrv\iis.msc than hit enter OR click Start, point to Programs, point to Administrative Tools, and then click Internet Service Manager or Internet Information Services (IIS) Manager or double-click the server name so that you see all of the Web sites. In IIS 6.0, expand Web Sites.
  2. Right-click the Web site on which you want to install the certificate, and then click Properties.
  3. Click the Directory Security tab, and then click Server Certificate under Secure Communications to start the Web Server Certificate Wizard. Click Next.
  4. Select Create a new certificate and click Next.
  5.  
  6. Select 2nd option Send the request immediately to an online certificate authority and click Next.
  7. Enter the name of web site and bit length 1024. Click Next.
  8. Type your organization name and the organizational unit. Click Next.
  9. Type either the fully qualified domain name (FQDN) or the server name as the common name. If you are creating a certificate that will be used over the Internet, it is preferable to use a FQDN (for example, www.rim.net). Click Next.
  10. Enter your location information, and then click Next.
  11. Enter SSL Port information (example 443). Click Next.
  12. Select available Certification Authorities. Click Next,
  13. Verify the information that you have typed before you submit it to CA. Click Next.

Configure and test the certificate

  1. On the Directory Security tab, under Secure Communications, note that there are now three available options.

  2. To set the Web site to require secure connections, click Edit. The Secure Communications dialog box appears.

  3. Select Require Secure Channel (SSL) and click OK.
  4. Click Apply and then OK to close the property dialog box.
  5. Browse to the site and verify that it works. To do this, follow these steps:

    1. Open IE browser and access the BlackBerry Social Networking Application Proxy site through HTTP by typing http://loadbalancer_server_url/lcs-250/services
    2. In the browser. You receive an error message that resembles the following:
        HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
        Internet Information Services (IIS)
    3. Try to browse to the same Web page using a secured connection (HTTPS) by typing http://loadbalancer_server_url/lcs-250/services in the IE browser. You may receive a security alert that states that the certificate is not from a trusted root CA. Click Yes to continue to the Web page. If the page appears, you have successfully installed the certificate.
  6. 7 - Update IT Policy Rules for Client setup

    Configure the following IT Policy rule to set up the load balancer URL https://<loadbalancer_servername>/lcs-250/services) from the RIM Value Added Applications policy group.

    • BlackBerry Social Networking Application Proxy URL for Lotus Connections

    For complete instructions refer BlackBerry® Administration Service documentation of BlackBerry Social Networking Application Proxy.

    CollapseAdditional Information

    Disclaimer

    By downloading, accessing or otherwise using the Knowledge Base documents you agree:

       (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

       (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


    Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.