Notes on setting up a content-switching Citrix Netscaler with Shibboleth support. I use Netscaler 9, I think.
Assume two servers, S1 and S2, that I want to present as www.example.com. Both run the Shibboleth SP. I want SSL and non-SSL both.
                /----> s1-lb ---> s1-int ---> (server or server farm 1)
www-ext --->
                \----> s2-lb ---> s2-int ---> (server or server farm 2)
Set up Shibboleth Service Providers on both servers. The Host can be S1 and S2; it doesn't matter. Set the handler URL (the handlerURL attribute of <Sessions> in shibboleth2.xml on SP 2.x) to /S1Shibboleth.sso on S1 and /S2Shibboleth.sso on S2, rather than the default /Shibboleth.sso on both, because the content switch needs some way to tell the two SPs apart: the IdP posts the SAML response back to this URL, and it has to land on the SP that started the login, not the other one.
On the Netscaler device, set up S1 and S2 as servers/services with their real internal IP. Call these s1-int and s2-int. Type HTTP, port 80. Set up similar ones called s1-int-ssl and s2-int-ssl with type SSL, port 443.
add service s1-int 10.0.0.43 HTTP 80
add service s1-int-ssl 10.0.0.43 SSL 443
add service s2-int 10.0.0.44 HTTP 80
add service s2-int-ssl 10.0.0.44 SSL 443
Set up load balancers (lb vservers) of type/port HTTP/80 and SSL/443, called s1-lb, s1-lb-ssl, s2-lb and s2-lb-ssl. Their IPs can be private 10-subnet addresses that are never exposed; only the content switch sends traffic to them. s1-lb and s1-lb-ssl share one IP (different ports), and s2-lb and s2-lb-ssl share another. Example: 10.100.1.10 for s1 and 10.100.1.11 for s2, as in the commands below. Bind the services s1-int, s1-int-ssl etc. to the matching load balancers. Each SSL lb vserver also needs a certificate bound to it (see the certificate section further down) or it will not come up.
add lb vserver s1-lb HTTP 10.100.1.10 80
add lb vserver s1-lb-ssl SSL 10.100.1.10 443
add lb vserver s2-lb HTTP 10.100.1.11 80
add lb vserver s2-lb-ssl SSL 10.100.1.11 443
# bind services:
bind lb vserver s1-lb s1-int
bind lb vserver s1-lb-ssl s1-int-ssl
bind lb vserver s2-lb s2-int
bind lb vserver s2-lb-ssl s2-int-ssl
Set up content switching policies for your apps on s1 and s2 (see the Netscaler manual). Set up policies for /S1Shibboleth.sso and /S2Shibboleth.sso as well, so that handler requests, the SAML response POST included, reach the SP that owns them. Match both the bare path and everything under it:
add cs policy s1-shib -rule "REQ.HTTP.URL == /S1Shibboleth.sso || REQ.HTTP.URL == '/S1Shibboleth.sso/*'"
add cs policy s2-shib -rule "REQ.HTTP.URL == /S2Shibboleth.sso || REQ.HTTP.URL == '/S2Shibboleth.sso/*'"
Set up two content switching vservers, www-cs and www-cs-ssl (www-ext in the diagram above), on the public IP. Bind all the policies to each one, with the appropriate load balancer as the target, and make one load balancer the default target for requests that match no policy. That should do it. I don't think you need to set up Apache on the boxes any differently; using S1 as the ServerName should be fine.
add cs vserver www-cs HTTP 10.0.0.90 80
add cs vserver www-cs-ssl SSL 10.0.0.90 443
# add policies:
bind cs vserver www-cs s1-lb -policyName s1-shib
bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib
bind cs vserver www-cs s2-lb -policyName s2-shib
bind cs vserver www-cs-ssl s2-lb-ssl -policyName s2-shib
You'll need SSL certificates for the SSL vservers, since the Netscaler terminates SSL there and re-encrypts to the backend SSL services (see the Netscaler manual). If you've set up a certificate (www.crt) and key (www.key), you can scp the files to /nsconfig/ssl on the Netscaler, add them as a certKey, and bind that certKey to every SSL vserver, the content switch and both load balancers:
add ssl certKey www-cert -cert www.crt -key www.key
bind ssl vserver www-cs-ssl -certkeyName www-cert
bind ssl vserver s1-lb-ssl -certkeyName www-cert
bind ssl vserver s2-lb-ssl -certkeyName www-cert
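As an added example (not from the original notes), here is a POSIX shell script that generates the whole command set above for any number of backends, so adding a third SP means adding one input line rather than retyping a dozen commands. The names, VIPs and certificate file names are the ones from these notes, used here as constructed sample input; the per-backend handler path is derived from the backend name (s1 gives /S1Shibboleth.sso), the certificate is bound with bind ssl vserver ... -certkeyName, and the first backend is made the default target of the content switch. It also refuses input in which two backends would be indistinguishable to the switch (duplicate name, backend IP or lb VIP).

```shell
#!/bin/sh
# Generate NetScaler 9 CLI commands for N Shibboleth SPs behind one
# content-switching VIP. Added example; object names, VIPs and certificate
# file names are assumptions taken from the notes above.
set -eu

CS_VIP="10.0.0.90"      # public VIP of the content switch (from the notes)
CERT_NAME="www-cert"    # certKey object holding www.crt/www.key
DEFAULT_BACKEND="s1"    # where requests that match no policy go

# Constructed sample: one backend per line, "name backend-IP lb-VIP".
# The lb VIP is shared by the HTTP and SSL lb vservers of that backend.
BACKENDS="s1 10.0.0.43 10.100.1.10
s2 10.0.0.44 10.100.1.11"

# Per-SP handler path: s1 -> /S1Shibboleth.sso. The content switch keys on
# this, so it must differ between backends and must not be /Shibboleth.sso.
handler_path() {
    printf '/%sShibboleth.sso' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Reject malformed lines and anything that would make two backends
# indistinguishable to the switch (same name, backend IP or lb VIP).
check_backends() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NF != 3         { print "bad line: " $0 > "/dev/stderr"; bad = 1 }
        seen_name[$1]++ { print "duplicate name: " $1 > "/dev/stderr"; bad = 1 }
        seen_ip[$2]++   { print "duplicate backend IP: " $2 > "/dev/stderr"; bad = 1 }
        seen_vip[$3]++  { print "duplicate lb VIP: " $3 > "/dev/stderr"; bad = 1 }
        END { exit bad }'
}

# Objects shared by all backends: the two cs vservers and the certificate.
# These come first because the per-backend bindings refer to them.
gen_shared() {
    cat <<EOF
add cs vserver www-cs HTTP ${CS_VIP} 80
add cs vserver www-cs-ssl SSL ${CS_VIP} 443
add ssl certKey ${CERT_NAME} -cert www.crt -key www.key
bind ssl vserver www-cs-ssl -certkeyName ${CERT_NAME}
EOF
}

# Services, lb vservers, handler policy and bindings for one backend.
gen_backend() {
    name=$1; ip=$2; vip=$3
    path=$(handler_path "$name")
    cat <<EOF
add service ${name}-int ${ip} HTTP 80
add service ${name}-int-ssl ${ip} SSL 443
add lb vserver ${name}-lb HTTP ${vip} 80
add lb vserver ${name}-lb-ssl SSL ${vip} 443
bind lb vserver ${name}-lb ${name}-int
bind lb vserver ${name}-lb-ssl ${name}-int-ssl
bind ssl vserver ${name}-lb-ssl -certkeyName ${CERT_NAME}
add cs policy ${name}-shib -rule "REQ.HTTP.URL == ${path} || REQ.HTTP.URL == '${path}/*'"
bind cs vserver www-cs ${name}-lb -policyName ${name}-shib
bind cs vserver www-cs-ssl ${name}-lb-ssl -policyName ${name}-shib
EOF
}

# Full batch: shared objects, every backend, then the default target.
gen_config() {
    check_backends "$1"
    gen_shared
    printf '%s\n' "$1" | while read -r name ip vip; do
        gen_backend "$name" "$ip" "$vip"
    done
    printf 'bind cs vserver www-cs %s-lb\n' "$DEFAULT_BACKEND"
    printf 'bind cs vserver www-cs-ssl %s-lb-ssl\n' "$DEFAULT_BACKEND"
}

gen_config "$BACKENDS"
```

Redirect the output to a file, copy it to the Netscaler and run it with the batch command (or feed it to an ssh session on the nscli); the order matters, since each bind refers to objects created above it.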
Update Aug 22 2009: Summary (for s1; the s1-shib policy from above is assumed to exist already):
add service s1-int 10.0.0.43 HTTP 80
add service s1-int-ssl 10.0.0.43 SSL 443
add lb vserver s1-lb HTTP 10.100.1.10 80
add lb vserver s1-lb-ssl SSL 10.100.1.10 443
add cs vserver www-cs HTTP 10.0.0.90 80
add cs vserver www-cs-ssl SSL 10.0.0.90 443
bind cs vserver www-cs s1-lb
bind cs vserver www-cs-ssl s1-lb-ssl
bind lb vserver s1-lb s1-int
bind lb vserver s1-lb-ssl s1-int-ssl
bind cs vserver www-cs s1-lb -policyName s1-shib
bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib
add ssl certKey www-cert -cert www.crt -key www.key
bind ssl vserver s1-lb-ssl -certkeyName www-cert
bind ssl vserver www-cs-ssl -certkeyName www-cert
Update Nov 17 2009: To add a CA certificate to the chain the vservers present (clients actually need the intermediate CA that signed www.crt; sending the root as well is harmless but optional), copy the CA file (e.g. CA.pem) to /nsconfig/ssl, add it as a certKey object of its own, and link the server certKey to it from the Netscaler command line. link ssl certKey takes certKey names, not file names; ca-cert below is just the name chosen here:
add ssl certKey ca-cert -cert CA.pem
link ssl certKey www-cert ca-cert
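Added example, not from the original notes: a shell check of what the link is for. chain_ok runs openssl verify to confirm that a server certificate chains to a given CA (and fails against an unrelated one), and served_chain_depth counts how many certificates the live VIP sends in its handshake, which should go from 1 to 2 once the link is in place. The test PKI is generated on the fly with openssl; the host name and file names are assumptions, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Chain checks for the certificate the Netscaler presents. Added example;
# assumes the openssl CLI and, for the live check, a reachable VIP.
set -eu

# 0 if LEAF verifies against CAFILE, non-zero otherwise. This is the check
# a browser performs on the chain the vserver sends it.
chain_ok() {
    leaf=$1; cafile=$2
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}

# Number of certificates the server sends in its handshake. Before the
# link it is 1 (www.crt alone); after linking ca-cert it should be 2.
served_chain_depth() {
    host=$1
    echo | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed test PKI in directory $1: a CA, a leaf it signed for
# www.example.com, and an unrelated CA that must not verify the leaf.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleCA \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=UnrelatedCA \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.com \
        -keyout "$dir/www.key" -out "$dir/www.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/www.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/www.crt" >/dev/null 2>&1
}

# Usage: sh chaincheck.sh [host]
# Runs the offline check on the throwaway PKI, then the live check if a
# host name is given.
main() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    if chain_ok "$tmp/www.crt" "$tmp/ca.pem"; then
        echo "www.crt verifies against its own CA"
    fi
    if ! chain_ok "$tmp/www.crt" "$tmp/other.pem"; then
        echo "www.crt is rejected against an unrelated CA, as it should be"
    fi
    rm -rf "$tmp"
    if [ $# -gt 0 ]; then
        echo "$1 sends $(served_chain_depth "$1") certificate(s) in its handshake"
    fi
}

main "$@"
```

Run it with the public host name after the link to confirm the Netscaler now sends two certificates; if the count stays at 1, the link did not take (typically because the CA was never added as a certKey).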