Implementation Guide
Products:
Radware AppDirector
Software: AppDirector version 2.11.22DL
Platform: On-Demand Switch II XL
Table of Contents
SOLUTION OVERVIEW
PEOPLESOFT 9.1 APPLICATION OVERVIEW
RADWARE APPDIRECTOR OVERVIEW
DEPLOYMENT NOTES
  Session Persistency
  Domain Name and Host name for the site
  SSL Offloading
  Idle Timeout
APPDIRECTOR AND PEOPLESOFT 9.1 ARCHITECTURE
  Diagram 1.0 PeopleSoft 9.1 and AppDirector Logical Topology
  Tests Conducted for Solution Validation
  Table 1.0 - Test Conducted for Solution Validation
APPDIRECTOR CONFIGURATION FOR PEOPLESOFT 9.1
  Table 2.0 Lab Configuration
  Diagram 2.0 PeopleSoft 9.1 and AppDirector Lab Topology
PRIMARY APPDIRECTOR CONFIGURATION
  IP Configuration
  Farm Configuration
  Create Cache Policy
  Create Compression Policy
  Create SSL Certificate
  Create SSL Policy
  Create Layer 4 Policy
  Configure L7 Persistency for the web farm
  Adding Servers to the Farm
  Health Monitoring
  Create the Health Monitoring Checks
  Binding Health Checks to Servers
GENERAL REDUNDANT CONFIGURATION
  Primary AppDirector VRRP Configuration
  Primary Virtual Routers
  Primary Associated IP Addresses
  Primary Mirroring
Auto-Generate the Backup AppDirector Configuration
  Setting up basic IP connectivity on the Backup AppDirector
  Auto Generating the Backup Configuration from the Primary AppDirector
  Upload the Backup Configuration file to the Backup AppDirector
Appendix 1 Primary AppDirector Configuration File
Appendix 2 Backup AppDirector Configuration File
Appendix 3 Starting PeopleSoft HRMS
Appendix 4 Stop PeopleSoft HRMS
Appendix 5 PIA and load balancer checklist
Appendix 6 Certificates and Keys
Appendix 7 HTTP redirect to HTTPS
Appendix 8 Test Plan
Solution Overview
The Radware and PeopleSoft joint solution ensures solution resilience, efficiency
and scale for PeopleSoft 9.1 customers. Radware's AppDirector guarantees
PeopleSoft applications maximum availability, scalability, performance and
security, managing traffic for the web server content. AppDirector works in
conjunction with PeopleSoft 9.1 servers to offload resource-intensive processing,
providing advanced health monitoring and avoiding system downtime to deliver a
best-of-breed subsystem. With a pay-as-you-grow platform licensing model,
AppDirector ensures long-term investment protection, facilitating the incremental
growth demanded by today's business. Diagram 2.0 is a logical depiction of the
intended deployment model.
PeopleSoft's product suite runs over a web-centric design called Pure Internet
Architecture (PIA). This format allows all of a company's business functions to be
accessed and run on a web browser.
http://www.oracle.com/applications/peoplesoft-enterprise.html
Radware AppDirector Overview
AppDirector lets you get the most out of your service investments by maximizing
the utilization of service infrastructure resources and enabling seamless
consolidation and high scalability. AppDirector's throughput licensing options
allow pay-as-you-grow investment protection. Make your network adaptive and
more responsive to your dynamic services and business needs with AppDirector's
fully integrated traffic classification and flow management, health monitoring and
failure bypassing, traffic redirection, bandwidth management, intrusion prevention
and DoS protection.
Deployment Notes
This configuration currently only covers offloading SSL from the PeopleSoft Web
tier. You should continue to configure your PeopleSoft Application Tier to natively
support SSL according to the default instructions listed in the PeopleSoft
PeopleTools Installation guide.
See the LoadBalancing.pdf (Web Server only) in appendix 5 for PeopleSoft Load
balancing requirements, or see below for how to address PeopleSoft
requirements.
Session Persistency
In AppDirector we configured the Web Server farm for Cookie insertion and
removal to address the persistency requirements.
Session persistence is a requirement of PIA. The state information for the user
(such as PeopleCode variables and Page Processor state) is stored in the HTTP
Session. Without the state information, PIA cannot maintain continuity of the user's
dialog. This state information is sent to the Application Server for processing
subsequent requests.
<session-param>
  <param-name>CookieDomain</param-name>
  <param-value>estuate.psft</param-value>
</session-param>
The host name for the site was set to PS.estuate.psft, where PS is the host and
estuate.psft is the domain; this name should resolve in DNS to the VIP.
SSL Offloading
This redirects connections that come in as HTTP, instructing the client to
request the connection using HTTPS.
*** Recycle the web server and application server after the WebProfile modification
is complete. (Please refer to Start_PeopleSoftWebAndAppServer.txt and
Stop_PeopleSoftWebAndAppServer.txt in the Appendix.)
See the configuration section for SSL Certificate and SSL Policy.
See appendix 6 for an explanation of Certificates, Keys and how to generate a
Certificate request.
Idle Timeout
The TCP Idle Timeout value on AppDirector should be set slightly longer than the
Connection Maximum Idle Time value for PeopleSoft (default 20 minutes). This
timeout setting specifies the amount of idle time a user connection will wait before
being terminated by AppDirector.
Setting the Idle time is critical to this configuration. If the Connection Maximum Idle
Time is shorter than the AppDirector idle timeout value, a user may experience
occasional Server Busy errors after long periods of idle time.
Set the PIA "Inactivity Logout" in seconds to match HTTP timeout in minutes.
Diagram 1.0 PeopleSoft 9.1 and AppDirector Logical Topology
Tests Conducted for Solution Validation
The following tests were conducted to ensure the most appropriate solution was
defined and validated. All tests were successfully completed using the
AppDirector and Oracle PeopleSoft 9.1 configurations following Table 1.0.
Category               Test                                   Result
Load Distribution      PeopleSoft Web Server Load Balance     PASS
Persistency Check      PIA Web Server Session Persistence     PASS
Health Check           PIA App Server Failure/Health Check    PASS
Acceleration Features  PIA Web Server Caching                 PASS
AppDirector Configuration for PeopleSoft 9.1
VIP
PeopleSoft virtual IP web 443 76.197.19.54
Diagram 2.0 PeopleSoft 9.1 and AppDirector Lab Topology
Using a serial cable and a terminal emulation program, connect to the AppDirector.
1. Using the following Command line, assign management IP address
192.168.1.50 / 24 to interface 17 (Dedicated Management Interface) of the
AppDirector:
IP Configuration
2. Click the Create button.
3. On the IP Interface Parameters Create page, enter the necessary parameters
as shown below. (Items circled in red indicate settings that need to be entered or
changed. Items not circled should be left at their default settings.)
Note: The Peer Address is used to identify the backup AppDirector interface IP
and is referenced during automatic backup configuration file generation.
6. Click the Set button to save parameters.
7. Verify that the new entries were created on the IP Interface Parameters page:
Farm Configuration
1. From the menu, select AppDirector > Farms > Farm Table to display the
Farm Table page similar to the one shown below:
2. Click the Create button.
3. On the Farm Table Create page, enter the necessary parameters as shown
below:
Note: The aging time is displayed in seconds and is set to just over 20 minutes.
The PeopleSoft timeout is set by default to 20 minutes.
2. Click the Create button.
3. On the AppDirector Caching Policy Create page, enter the necessary
parameters as shown below.
2. Click the Create button.
3. On the AppDirector Caching Policy Create page, enter the necessary
parameters as shown below.
Note: This is a self-signed certificate. In a production environment you would use a
certificate signed by a CA (Certificate Authority) like VeriSign. See appendix 6
for an explanation of Certificates and how to generate a Certificate request.
You must log into the AppDirector through a secure connection (HTTPS) in order
to configure certificates.
4. There will be a popup when you click on the Key Passphrase field, asking you
to enter in a Passphrase, as shown below.
Note: The Key Passphrase encrypts the key in storage and is required to export
the key from AppDirector. Since private keys are the most sensitive part of PKI
data, they must be protected by a passphrase. The passphrase should be at least 4
characters; stronger passphrases than that, based on letters, numbers and signs,
are recommended.
2. Click the Create button.
3. On the SSL Policies Create page, enter the necessary parameters as shown
below.
Note: See Appendix 7 for instructions on creating an L7 Policy that redirects all
HTTP traffic to the same host name and same URI over HTTPS. This L7 Policy is a
safety net; it catches traffic that incorrectly comes in on HTTP and redirects it
to HTTPS. The second option is to configure an L4 policy for HTTP, point it at the
PS_WEB_Farm, and configure PeopleSoft to redirect the HTTP request to HTTPS.
This was described in the previous section, Deployment Notes.
4. Click the Set button to save the parameters.
5. Verify that the new entries were created on the Layer 4 Policy Table page:
Persistence is handled at the web tier with cookie insertion and removal
configured in Extended Farm Parameters as seen below.
2. Select the web server farm under the Farm Name to display the Extended
Farm Parameters Update page, enter the necessary parameters as shown
below:
Note: Close Session At Aging resets sessions that still exist when their Aging
Time expires. This cleans up abandoned sessions that could otherwise
inadvertently hold state on the servers.
Note: Configuring Cookie Insertion for Web Service HTTP Persistence in the
Extended Farm Parameters Update page generates all of the L7 persistence
logic automatically from the single drop down menu. See Appendix 4 to view and
better understand the entries that auto generate to facilitate this function. Cookies
are inserted on reply and removed on request.
3. On the Server Table Create page, enter the necessary parameters as shown
below:
6. Click the Set button to save parameters.
7. Verify that the new entries were created on the Server Table page:
Health Monitoring
3. Click the Set button to save parameters.
1. From the menu, select Health Monitoring > Check Table to display the
Health Monitoring Check Table page similar to the one shown below:
4. Before clicking the Set button, choose the button next to Arguments to
populate the specific settings for the rest of this check. Enter the information
below:
5. Click the Set button for the Method Arguments and click the Set button again in
the Health Monitoring Check Table Create window.
6. Create a second health check for HTTPS Web/Application servers. On the
Health Monitoring Check Table Create page, enter the necessary
parameters as shown below:
7. Before clicking the Set button, choose the button next to Arguments to
populate the specific settings for the rest of this check. Enter the information
below:
8. Click the Set button for the Method Arguments and click the Set button again in
the Health Monitoring Check Table Create window.
9. Verify the new entries were created on the Health Monitoring Check Table
The status of this check may display Unknown until the server replies
successfully to the AppDirector's check.
6. Click the Create button to bind the second web server health check.
7. Create the health check binding for the second web server. On the Health
Monitoring Binding Table Create page, enter the necessary parameters as
shown below:
1. From the menu, select Redundancy > Global Configuration and set the
parameters as noted below:
2. Click the Set button to save these changes.
4. Click the Set button to save the parameters.
5. On the Virtual Router Table Create page, click the Create button to configure
another interface. Enter the necessary parameters as shown below:
Note: 255 indicates that the Primary device's IP is the Virtual VRRP IP. As an
alternative you can create a floating IP or 3rd IP configuration using the L4 policy to
create a VRRP Virtual-interface. This IP will float between the AppDirectors and
will belong to the active AppDirector. This will allow you to access the primary
device when the backup is active.
2. Click the Create button.
3. On the Associated IP Addresses Create page, enter the necessary
parameters as shown below:
8. Change the Admin Status from down to up, but leave all other settings
unchanged:
9. Click the Set button to save the parameters.
10. Or you can bring all the interfaces up by setting VRIDs to All Up and clicking
the Set button to save the parameters.
11. Make certain that the State of this VR is displayed as Master in the Virtual
Router table:
Primary Mirroring
Note: Enable session-ID mirroring if you are using the cookie-insertion feature.
The new cookie insertion feature uses dynamic session IDs.
Note: This sets the Backup AD IP used as the target address for mirroring traffic.
Auto-Generate the Backup AppDirector Configuration
Using a serial cable and a terminal emulation program, connect to the AppDirector.
Auto Generating the Backup Configuration from the Primary AppDirector
1. From the web interface menu of the Primary AppDirector, select File >
Configuration > Receive from Device to display the Download
Configuration File page similar to the one shown below:
3. Click the Set button to launch the save file window.
1. From the web interface menu of the Backup AppDirector, select File >
Configuration > Send to Device to display the Configuration File Upload
page similar to the one shown below:
Note: Click the Browse button and navigate to the updated configuration file.
2. Click the Set button to upload the configuration. The Backup device will reboot
and be ready for use.
Appendix 1 Primary AppDirector Configuration File
!
!Device Configuration
!Date: 19-05-2010 04:22:35
!DeviceDescription: AppDirector with Cookie Persistency
!Base MAC Address: 00:03:b2:4b:16:40
!Software Version: 2.11.22DL (Build date Mar 8 2010, 17:27:35,Build#2)
!APSolute OS Version: 10.31-07.01DLA(17):2.06.10
!
!
! The following commands will take effect only
! once the device has been rebooted!
!
!
! The following commands take effect immediately
! upon execution!
!
appdirector farm nhr setCreate 0.0.0.0 -ip 76.197.19.62 -fl 1
appdirector farm extended-params set PS_WEB_Farm -ic "Enable and remove cookie on return path"
appdirector nat client status set Disabled
redundancy backup-interface-group set Enabled
system internal appdirector full-session-id-table setCreate PS_WEB_Farm 0\
TCP -k d6QlsE4K6n -l Cookie -d "No Learning" -fl 1
appdirector segmentation nhr-table setCreate DefaultNHR -ip 76.197.19.62 -fl 1
appdirector l4-policy ssl-policy create PS_SSL -c PS_Cert
appdirector l4-policy compression create PS_Compression -pe Hardware
appdirector l4-policy caching create PS_Cache
appdirector l4-policy table create 76.197.19.54 TCP 443 0.0.0.0 PS_Web \
-fn PS_WEB_Farm -ta HTTPS -sl PS_SSL -co PS_Compression -ca PS_Cache
appdirector l4-policy table create 76.197.19.54 TCP 80 0.0.0.0 PS_redirect -po PS_HTTP_Redirect -ta HTTP
redundancy vrrp automated-config-update set Enabled
appdirector l7 modification table setCreate Auto-G_Cookie_PS_WE -i 0 -f \
PS_WEB_Farm -d Reply -am Auto-G_Cookie_PS_WE
appdirector l7 modification table setCreate Auto-G_RCookie_PS_W -i 0 -f \
PS_WEB_Farm -ac Remove -mm Auto-G_RCookie_PS_W
manage trap-logging status set Enabled
manage trap-logging file-size set 1000
manage trap-logging min-severity set Info
redundancy mirror main sid-status set Enabled
redundancy global-configuration failure-action set Ignore
health-monitoring binding create 15 36
health-monitoring binding create 16 37
health-monitoring status set enable
health-monitoring response-level-samples set 0
redundancy vrrp virtual-routers create G-1 1 -as Up -p 255 -pip 76.197.19.61
redundancy vrrp virtual-routers create G-11 2 -as Up -p 255 -pip 192.168.168.3
redundancy vrrp associated-ip create G-1 1 76.197.19.61
redundancy vrrp associated-ip create G-11 2 192.168.168.3
redundancy vrrp associated-ip create G-1 1 76.197.19.54
manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm
manage telnet status set enable
manage telnet server-port set 23
manage web status set enable
manage ssh status set enable
manage secure-web status set enable
services dns client primary-server set 68.94.156.1
services dns client alt-server set 0.0.0.0
services dns client status set Enabled
redundancy arp-interface-group set Send
statistics protocol reporting set Disabled
statistics protocol period set 30
statistics protocol lifetime set 30
net l2-interface set 100001 -ad up
net l2-interface set 100063 -ad up
redundancy vrrp global-advertise-int set 0
manage snmp groups create SNMPv1 public -gn initial
manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create SNMPv2c public -gn initial
manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create UserBased radware -gn initial
manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly
manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn ReadOnlyView
manage snmp access create initial SNMPv2c noAuthNoPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly SNMPv2c noAuthNoPriv -rvn ReadOnlyView
manage snmp access create initial UserBased authPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly UserBased authPriv -rvn ReadOnlyView
manage snmp views create iso 1
manage snmp views create ReadOnlyView 1
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.2.7.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.18.1.1 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.15.1.2.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.35.1.61 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.4 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.5 -cm excluded
manage snmp notify create allTraps -ta v3Traps
manage snmp global engine-id set 80000059030003b24b1640
manage snmp users create radware -cf 0.0 -ap MD5 -akc \
5efe7eb262018b74de977d1091aff3f9 -pp DES -pkc 5efe7eb262018b74de977d1091aff3f9
manage snmp target-address create v3MngStations -tl v3Traps -p radware-authPriv
manage snmp target-parameters create public-v1 -d SNMPv1 -sm SNMPv1 -sn public -sl noAuthNoPriv
manage snmp target-parameters create public-v2 -d SNMPv2c -sm SNMPv2c -sn public -sl noAuthNoPriv
manage snmp target-parameters create radware-authPriv -d SNMPv3 -sm UserBased -sn radware -sl authPriv
manage snmp community create public -n public -sn public
manage telnet session-timeout set 5
manage telnet auth-timeout set 30
system diagnostics policies setCreate all
system diagnostics capture output file set "RAM Drive and Flash"
system diagnostics capture output term set Disabled
system diagnostics capture point set Both
redundancy force-down-ports-time set 0
manage trap-logging power-supply-traps set enable
system diagnostics capture traffic-match-mode set "Inbound and Outbound"
appdirector global connectivity-check tcp-timeout set 3
security certificate table \
Name: PS_Cert \
Type: certificate \
Name: radware \
Type: certificate \
Name: rdwrhmm \
Type: certificate \
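The management-plane and VIP lines of the export above can be reviewed mechanically before the file is uploaded to a device. The following Python is an added example, not part of the original guide or of Radware's tooling; the rule names, the helper functions, and the reading of `-wvn` (write view), `-ap`/`-pp` (SNMPv3 authentication/privacy protocol), `-po` (attached L7 policy) and `manage web` (cleartext HTTP management) are assumptions inferred from the export and from standard SNMP terminology.

```python
import re
import shlex

# Constructed sample: a subset of the Appendix 1 export, key material elided.
SAMPLE_EXPORT = r"""
!Device Configuration
appdirector l4-policy table create 76.197.19.54 TCP 443 0.0.0.0 PS_Web \
-fn PS_WEB_Farm -ta HTTPS -sl PS_SSL -co PS_Compression -ca PS_Cache
appdirector l4-policy table create 76.197.19.54 TCP 80 0.0.0.0 PS_redirect -po PS_HTTP_Redirect -ta HTTP
manage telnet status set enable
manage web status set enable
manage ssh status set enable
manage secure-web status set enable
manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn ReadOnlyView
manage snmp users create radware -cf 0.0 -ap MD5 -akc \
KEY-ELIDED -pp DES -pkc KEY-ELIDED
manage snmp community create public -n public -sn public
"""

# Hypothetical rule catalogue; flag meanings are assumptions (see lead-in).
RULES = {
    "TELNET-ENABLED": "management over cleartext Telnet is enabled",
    "HTTP-MGMT-ENABLED": "management over cleartext HTTP is enabled",
    "SNMP-UNAUTH-WRITE": "noAuthNoPriv SNMP access entry grants a write view",
    "SNMP-DEFAULT-COMMUNITY": "SNMP community string is 'public'",
    "SNMP-WEAK-USM": "SNMPv3 user relies on MD5 and/or DES",
    "NO-HTTP-REDIRECT": "VIP serves TCP 443 but has no port-80 policy with -po",
}


def logical_lines(text):
    """Yield commands with trailing-backslash continuations joined, '!' comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.endswith("\\"):
            # The export sometimes omits the space before '\', so re-add one.
            pending += line[:-1].strip() + " "
            continue
        yield pending + line
        pending = ""
    if pending.strip():
        yield pending.strip()


def tokens(cmd):
    """Split a command, honouring double-quoted values such as "No Learning"."""
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quote in an export line
        return cmd.split()


def options(toks):
    """Map each '-flag' token to the value that follows it."""
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if re.fullmatch(r"-[a-z]+", t)}


def audit(text):
    """Return a list of (rule_id, offending command or VIP) findings."""
    findings = []
    tls_vips, redirected_vips = set(), set()
    for cmd in logical_lines(text):
        t = tokens(cmd)
        o = options(t)
        head = " ".join(t[:4])
        if head == "manage telnet status set" and t[4:5] == ["enable"]:
            findings.append(("TELNET-ENABLED", cmd))
        elif head == "manage web status set" and t[4:5] == ["enable"]:
            findings.append(("HTTP-MGMT-ENABLED", cmd))
        elif head == "manage snmp access create":
            # Positional layout seen in the export: group, model, security level.
            if t[6:7] == ["noAuthNoPriv"] and "-wvn" in o:
                findings.append(("SNMP-UNAUTH-WRITE", cmd))
        elif head == "manage snmp community create" and t[4:5] == ["public"]:
            findings.append(("SNMP-DEFAULT-COMMUNITY", cmd))
        elif head == "manage snmp users create":
            if o.get("-ap") == "MD5" or o.get("-pp") == "DES":
                findings.append(("SNMP-WEAK-USM", cmd))
        elif head == "appdirector l4-policy table create" and len(t) >= 7:
            vip, port = t[4], t[6]
            if port == "443":
                tls_vips.add(vip)
            elif port == "80" and "-po" in o:
                redirected_vips.add(vip)
    # The guide's "safety net": every HTTPS VIP should also catch plain HTTP.
    for vip in sorted(tls_vips - redirected_vips):
        findings.append(("NO-HTTP-REDIRECT", vip))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_EXPORT):
        print(f"{rule}: {RULES[rule]}\n    {detail}")
```
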
Appendix 2 Backup AppDirector Configuration File
!
!Device Configuration
!Date: 19-05-2010 04:25:06
!DeviceDescription: AppDirector with Cookie Persistency
!Base MAC Address: 00:03:b2:4b:16:40
!Software Version: 2.11.22DL (Build date Mar 8 2010, 17:27:35,Build#2)
!APSolute OS Version: 10.31-07.01DLA(17):2.06.10
!
!
! The following commands will take effect only
! once the device has been rebooted!
!
!
! The following commands take effect immediately
! upon execution!
!
net next-hop-router setCreate 76.197.19.62 -id 5 -fl 1
appdirector farm nhr setCreate 0.0.0.0 -ip 76.197.19.62 -fl 1
appdirector farm extended-params set PS_WEB_Farm -ic "Enable and remove cookie on return path"
appdirector nat client status set Disabled
redundancy backup-interface-group set Enabled
system internal appdirector full-session-id-table setCreate PS_WEB_Farm 0\
TCP -k d6QlsE4K6n -l Cookie -d "No Learning" -fl 1
appdirector segmentation nhr-table setCreate DefaultNHR -ip 76.197.19.62 -fl 1
appdirector l4-policy ssl-policy create PS_SSL -c PS_Cert
appdirector l4-policy compression create PS_Compression -pe Hardware
appdirector l4-policy caching create PS_Cache
appdirector l4-policy table create 76.197.19.54 TCP 443 0.0.0.0 PS_Web \
-fn PS_WEB_Farm -ta HTTPS -rs Backup -sl PS_SSL -co PS_Compression -ca PS_Cache
appdirector l4-policy table create 76.197.19.54 TCP 80 0.0.0.0\
PS_redirect -po PS_HTTP_Redirect -ta HTTP -rs Backup
redundancy mirror main dns-status set Disabled
redundancy vrrp automated-config-update set Enabled
appdirector l7 modification table setCreate Auto-G_Cookie_PS_WE -i 0 -f \
PS_WEB_Farm -d Reply -am Auto-G_Cookie_PS_WE
appdirector l7 modification table setCreate Auto-G_RCookie_PS_W -i 0 -f \
PS_WEB_Farm -ac Remove -mm Auto-G_RCookie_PS_W
manage trap-logging status set Enabled
manage trap-logging file-size set 1000
manage trap-logging min-severity set Info
redundancy mirror main sid-status set Disabled
redundancy global-configuration failure-action set Ignore
health-monitoring binding create 15 36
health-monitoring binding create 16 37
health-monitoring status set enable
health-monitoring response-level-samples set 0
redundancy vrrp virtual-routers create G-1 1 -as Up -p 155 -pip 76.197.19.60
redundancy vrrp virtual-routers create G-11 2 -as Up -p 155 -pip 192.168.168.2
redundancy vrrp associated-ip create G-1 1 76.197.19.61
redundancy vrrp associated-ip create G-11 2 192.168.168.3
redundancy vrrp associated-ip create G-1 1 76.197.19.54
manage user table create radware -pw GndridF04zNWSGOrZjKFV78REiEra/Qm
manage telnet status set enable
manage telnet server-port set 23
manage web status set enable
manage ssh status set enable
manage secure-web status set enable
services dns client primary-server set 68.94.156.1
services dns client alt-server set 0.0.0.0
services dns client status set Enabled
redundancy arp-interface-group set Send
statistics protocol reporting set Disabled
statistics protocol period set 30
statistics protocol lifetime set 30
net l2-interface set 100001 -ad up
net l2-interface set 100063 -ad up
redundancy vrrp global-advertise-int set 0
manage terminal prompt set AppDirector_peer
manage snmp groups create SNMPv1 public -gn initial
manage snmp groups create SNMPv1 ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create SNMPv2c public -gn initial
manage snmp groups create SNMPv2c ReadOnlySecurity -gn InitialReadOnly
manage snmp groups create UserBased radware -gn initial
manage snmp groups create UserBased ReadOnlySecurity -gn InitialReadOnly
manage snmp access create initial SNMPv1 noAuthNoPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly SNMPv1 noAuthNoPriv -rvn ReadOnlyView
manage snmp access create initial SNMPv2c noAuthNoPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly SNMPv2c noAuthNoPriv -rvn ReadOnlyView
manage snmp access create initial UserBased authPriv -rvn iso -wvn iso -nvn iso
manage snmp access create InitialReadOnly UserBased authPriv -rvn ReadOnlyView
manage snmp views create iso 1
manage snmp views create ReadOnlyView 1
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.2.7.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.18.1.1 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.15.1.2.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.4.1.89.35.1.61 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.2 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.4 -cm excluded
manage snmp views create ReadOnlyView 1.3.6.1.6.3.16.1.5 -cm excluded
manage snmp notify create allTraps -ta v3Traps
manage snmp global engine-id set 80000059030003b24b1640
manage snmp users create radware -cf 0.0 -ap MD5 -akc \
5efe7eb262018b74de977d1091aff3f9 -pp DES -pkc 5efe7eb262018b74de977d1091aff3f9
manage snmp target-address create v3MngStations -tl v3Traps -p radware-authPriv
manage snmp target-parameters create public-v1 -d SNMPv1 -sm SNMPv1 -sn public -sl noAuthNoPriv
manage snmp target-parameters create public-v2 -d SNMPv2c -sm SNMPv2c -sn public -sl noAuthNoPriv
manage snmp target-parameters create radware-authPriv -d SNMPv3 -sm UserBased -sn radware -sl authPriv
manage snmp community create public -n public -sn public
manage telnet session-timeout set 5
manage telnet auth-timeout set 30
system diagnostics policies setCreate all
system diagnostics capture output file set "RAM Drive and Flash"
system diagnostics capture output term set Disabled
system diagnostics capture point set Both
redundancy force-down-ports-time set 0
manage trap-logging power-supply-traps set enable
system diagnostics capture traffic-match-mode set "Inbound and Outbound"
appdirector global connectivity-check tcp-timeout set 3
security certificate table \
Name: PS_Cert \
Type: certificate \
Name: radware \
Type: certificate \
Name: rdwrhmm \
Type: certificate
Appendix 3 Starting PeopleSoft HRMS
2. Start/Command Prompt
Once in command prompt do the following.
3. cd\peoplesoft\pt850\appserv
psadmin
<Select 1 for Application Server>
<Select 1 for Administer a Domain>
<Select 1 for HR91>
<Select 1 for Boot this domain>
<Select 1 for Boot (Serial Boot)>
Application server will start
Type q to exit until you get command prompt
cd \peoplesoft\pt850\webserv\peoplesoft\bin
startpia
Will Start the Web Server
Paste the following URL into a web browser
http://localhost.radware.com/psp/ps/?cmd=login&languageCd=ENG
Login ID: PS
Password: PS
Appendix 4 Stop PeopleSoft HRMS
2. Start/Command Prompt
Once in command prompt do the following.
3. cd\peoplesoft\pt850\appserv
psadmin
<Select 1 for Application Server>
<Select 1 for Administer a Domain>
<Select 1 for HR91>
<Select 2 for Domain shutdown menu>
Type q to exit until you get command prompt
cd \peoplesoft\pt850\webserv\peoplesoft\bin
stoppia
Will Stop the Web Server
Appendix 5 PIA and load balancer checklist
For customers that use a load balancer, Oracle recommends using a cookie
(session) based load balancer for persistence.
1. Ensure all your webservers have the same cookie name in each weblogic.xml
file. This file can be found in the following directory:
<PS_HOME>/webserv/<DOMAIN-NAME>/applications/peoplesoft/PORTAL/WEB-INF/weblogic.xml
In this example, there are two webservers behind the load balancer. Therefore, verify
that your cookie names are the same:
** If you're running Enterprise Portal and have content providers, please ensure
that the Enterprise Portal webserver cookie names are all exactly the same. The
content provider's webservers should have their own set of cookie
names. Therefore, Portal and content should not have the exact same cookie
name. Suppose Enterprise Portal had 4 webservers and HR had 4 webservers. All
4 Enterprise Portal cookie names could be eportal-7011-PORTAL-PSJSESSIONID,
but all 4 HR cookie names could be hrms-7011-PORTAL-PSJSESSIONID.
<session-param>
<param-name>CookieDomain</param-name>
<param-value>.company.com</param-value>
</session-param>
3. In PIA, navigate to "PeopleTools -> Web Profile -> Web Profile Configurations".
Search for your Web Profile. Click on Virtual Address and populate your default
addressing. For example, suppose your end users access your load balancer
with the following URL: http://mycompany.com/ps/signon.html
You would need to set the following:
a) In PIA, navigate to "PeopleTools -> Web Profile -> Web Profile Configurations".
Search for webprofile. Click on "Security" tab. PIA timeout is "Inactivity Logout" in
seconds. Suppose "Inactivity Logout" = 1200 seconds.
b) In WebLogic, open the web.xml file. This file can be found in the following directory:
<PS_HOME>/webserv/<DOMAIN-NAME>/applications/peoplesoft/PORTAL/WEB-INF/web.xml
The WebLogic HTTP timeout appears in minutes:
<session-timeout>20</session-timeout>
5. After updating weblogic.xml, web.xml and webprofile, you must bounce your
webservers.
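The checklist above can be verified with a script before the webservers are bounced. The following is an added example, not part of the original guide or of Oracle's or Radware's tooling. It assumes the cookie name is stored as a CookieName session-param in the same format as the CookieDomain entry shown above, and that the WebLogic session-timeout is meant to equal the PIA "Inactivity Logout" value (1200 seconds and 20 minutes in the guide's example). The XML inputs are constructed samples.

```python
import xml.etree.ElementTree as ET

def _parse(text):
    """Parse XML and drop namespaces so lookups work with or without xmlns."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def session_params(weblogic_xml):
    """Map each <session-param> name to its value, whitespace stripped."""
    return {(sp.findtext("param-name") or "").strip():
            (sp.findtext("param-value") or "").strip()
            for sp in _parse(weblogic_xml).iter("session-param")}

def check(groups, web_xml, inactivity_logout_seconds):
    """groups maps a site name to the weblogic.xml text of each of its webservers."""
    findings, names = [], {}
    for site, files in groups.items():
        names[site] = {session_params(f).get("CookieName", "") for f in files}
        if len(names[site]) != 1 or "" in names[site]:
            findings.append(f"{site}: cookie name missing or not identical: {sorted(names[site])}")
    sites = sorted(names)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if (names[a] & names[b]) - {""}:
                findings.append(f"{a} and {b} share a cookie name")
    minutes = int(_parse(web_xml).findtext(".//session-timeout").strip())
    if minutes * 60 != inactivity_logout_seconds:
        findings.append(f"web.xml {minutes} min != Inactivity Logout {inactivity_logout_seconds} s")
    return findings

def weblogic_xml(cookie_name):
    """Constructed sample weblogic.xml fragment (not a real deployment file)."""
    return f"""<weblogic-web-app><session-descriptor>
      <session-param><param-name>CookieName</param-name>
        <param-value> {cookie_name} </param-value></session-param>
      <session-param><param-name>CookieDomain</param-name>
        <param-value>.company.com</param-value></session-param>
    </session-descriptor></weblogic-web-app>"""

WEB_XML = "<web-app><session-config><session-timeout>20</session-timeout></session-config></web-app>"
PORTAL, HR = "eportal-7011-PORTAL-PSJSESSIONID", "hrms-7011-PORTAL-PSJSESSIONID"

GOOD = {"portal": [weblogic_xml(PORTAL)] * 2, "hr": [weblogic_xml(HR)] * 2}
BAD = {"portal": [weblogic_xml(PORTAL)] * 2, "hr": [weblogic_xml(HR), weblogic_xml(PORTAL)]}

if __name__ == "__main__":
    print(check(GOOD, WEB_XML, 1200))   # no findings
    for finding in check(BAD, WEB_XML, 900):
        print(finding)
```

A mismatch in either check shows up to users as lost sessions behind the load balancer or as a logout that arrives earlier than the web profile says it should.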
Appendix 6 Certificates and Keys
Certificates
Certificates are digitally signed indicators which identify the server or user. They
are usually provided in the form of an electronic key or value. The digital certificate
represents the certification of an individual business or organizational public key
but can also be used to show the privileges and roles for which the holder has been
certified. It also includes information from a third party verifying identity.
Authentication is needed to ensure that users in a communication or transaction
are who they claim to be.
Keys
A key is a variable set of numbers that the sender applies to unencrypted data to
produce encrypted data, to be sent via the internet. Usually a pair of public and
private keys is used. A private key is kept secret and used, only by its owner, to
encrypt and decrypt data. A public key has a wide distribution and is not secret. It is
used for encrypting data and for verifying signatures. One key is used by the
sender to encrypt or interpret the data. The recipient also uses the key to
authenticate that the data comes from the sender.
The use of keys ensures that unauthorized personnel cannot decipher the data.
Only with the appropriate key can the information be easily deciphered or
understood. Stolen or copied data would be incomprehensible without the
appropriate key to decipher it and prevent forgery. AppDirector supports the
following key size lengths - 512, 1024 or 2048 bytes.
Appendix 7 HTTP redirect to HTTPS
The following instructions show how to create an L7 Policy that redirects HTTP
traffic to the same host name and the same URI over HTTPS. This L7 Policy is a safety net; it
catches the traffic that incorrectly comes in on HTTP and redirects it to HTTPS.
https://ps.estuate.psft/psp/ps/?cmd=login
Methods Table
A method is defined to identify the Host/URI that is used to identify the traffic that is
to be converted from HTTP to HTTPS.
5. Click the Set button to save the parameters.
Note: HTTPS Redirect To (RDRS): AppDirector redirects the HTTP request to the
specified name or IP and modifies the request to an HTTPS request.
4. Click the Set button to save the parameters.
Appendix 8 Test Plan
Update a Person access search Page
Steps:
- Click on MainMenu
- Click on Workforce Administration
- Click on Personal Information
- Click on Modify a Person
Expected: Modify a Person Search Page should display
Actual: Modify a Person Search Page displayed

Radware AD shows Not in Service for PeopleSoft Server 2

PIA Web Client Session Timeout
Steps:
- Login to PIA
- Leave the session open for 20 min
Expected: PIA session will time out and display session timeout error page will display after 20 mins of idle time.
Actual: PIA home session timeout page displayed after 20 mins of idle time.
Technical Support
Radware offers technical support for all of its products through the Radware
Certainty Support Program. Please refer to your Certainty Support contract, or the
Radware Certainty Support Guide available at:
http://www.radware.com/content/support/supportprogram/default.asp.
For more information, please contact your Radware Sales representative or:
© 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service
names are registered trademarks or trademarks of Radware in the U.S. and other countries. All
other trademarks and names are the property of their respective owners.