anothervsphereu
Contributor

Identity Manager LB with NSX

Does anyone have some step-by-step instructions on how to load balance Identity Manager 3.x with an NSX load balancer? I am struggling to get this set up, particularly with the certificate aspect.

4 Replies
Sreec
VMware Employee

Load balancing for IDM with NSX is the same process as with any other LB. I have done a 3-node setup with F5 and it works flawlessly. May I know what problem you are facing from the certificate perspective? Please go through the F5 article once -> https://f5.com/Portals/1/PDF/Partners/f5-big-ip-vmware-workspaceone-integration-guide.pdf

Note: VMware recommends the use of certificates which support Subject Alternate Names (SANs) defining each of the node FQDNs (public or internal) within the load-balanced VIP FQDN. Wildcard certificates may be used, but due to wildcard certificate formats, SAN support is typically not available with wildcards from public CAs, and public CAs may complain about supplying an internal FQDN as a SAN value even if they do support SAN values. Additionally, some VMware Identity Manager features may not be usable with wildcard certificates when SAN support is not defined.

If you are clear with the article, I would recommend you configure the first IDM with the LB and confirm everything is working as expected, and then move forward with cloning the other IDMs.

Cheers,
Sree | CKA|CKAD|VCIX-3X| VCAP-4X| VExpert 5x
Please KUDO helpful posts and mark the thread as solved if answered
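The SAN requirement above (VIP FQDN plus every node FQDN on one certificate) is the point most likely to go wrong, so here is an added example, not from the thread or from VMware, that builds a lab certificate with those SANs and then checks any given certificate for them before it is uploaded to IDM and the load balancer. The VIP name identity.mydomain.com comes from the thread; the node names idm01..idm03.mydomain.com are assumed placeholders, and the self-signed cert stands in for one issued by an internal CA.

```shell
# Added example (not from the thread): build a test cert whose SANs cover the
# load-balanced VIP FQDN and each IDM node FQDN, then verify the SAN list.
# Node hostnames are constructed placeholders; the VIP name is the thread's.

VIP_FQDN="identity.mydomain.com"
NODE_FQDNS="idm01.mydomain.com idm02.mydomain.com idm03.mydomain.com"   # assumed

# Build the subjectAltName value: VIP first, then every node.
san_list() {
  san="DNS:$VIP_FQDN"
  for n in $NODE_FQDNS; do san="$san,DNS:$n"; done
  printf '%s' "$san"
}

# Generate a throwaway self-signed cert into directory $1 (lab use only; a real
# deployment submits the CSR to the internal CA). -addext needs OpenSSL 1.1.1+.
make_test_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/idm.key" -out "$dir/idm.crt" \
    -subj "/CN=$VIP_FQDN" \
    -addext "subjectAltName=$(san_list)" >/dev/null 2>&1
}

# Print the DNS SANs present in certificate $1, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Return 0 if certificate $1 lists the VIP and every node FQDN as a SAN,
# otherwise print the missing names and return 1. This catches a wildcard-only
# or VIP-only cert before IDM or the load balancer ever sees it.
check_cert_sans() {
  crt="$1"
  present="$(cert_sans "$crt")"
  missing=""
  for name in $VIP_FQDN $NODE_FQDNS; do
    echo "$present" | grep -qx "$name" || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing SAN entries:$missing" >&2
    return 1
  fi
  return 0
}

# Usage: make_test_cert /tmp/idmlab && check_cert_sans /tmp/idmlab/idm.crt
```

Run check_cert_sans against the certificate you intend to upload; a wildcard certificate with only a DNS:*.mydomain.com SAN fails the check because neither the VIP nor the node names match it literally, which is the situation the note above warns about.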
anothervsphereu
Contributor

Here is the latest on what I did today

So first, I have been trying to use a wildcard cert. Apparently Identity Manager does not like wildcard certs.

  1. Created a new internal certificate for identity.mydomain.com. I also added SAN names for each of the IDM appliances.
  2. Imported that into Identity Manager as a custom certificate.
  3. Imported that same certificate on my NSX load balancer.
  4. Setup my NSX application pool to use that certificate.


After these steps, I attempted to reconfigure the IDM FQDN to identity.mydomain.com and I did not receive an invalid URL error. But when I try to connect to https://identity.mydomain.com I get this:


I also checked using this command from the IDM:

   curl -v -3 --ssl https://identity.mydomain.com


I thought maybe this was because IDM does not use TLSv1.0, so I tried this:

   curl -v -3 --tlsv1.2 https://identity.mydomain.com

and get this:


After all that, I tried setting the NSX load balancer to Passthrough mode. Different error, still can't connect:


Sreec
VMware Employee

IDM supports wildcard certs; mine is working with the same. Can you remove IDM from the LB, reconfigure the IDM FQDN once again, and try the URL connection without the LB?

Cheers,
Sree | CKA|CKAD|VCIX-3X| VCAP-4X| VExpert 5x
Please KUDO helpful posts and mark the thread as solved if answered
anothervsphereu
Contributor

This issue was with the NSX load balancer. In the load balancer config under the server pool settings, it did not like the fact that I had the VMs defined by name. It wanted them by IP address. After changing this, Identity Manager is working behind my load balancer.

