REST API access via Load Balancer

In this post we discuss how to configure the Brocade vTM Load Balancer to provide access to the ECS management APIs.

Load balancing is highly recommended for sharing data access across all ECS nodes. The same LB can also provide ECS management access, which increases the overall availability of ECS management.

The ECS management REST APIs are accessible over HTTPS on port 4443. Let's consider how to configure vTM to provide SSL access to that port.

  • Create a new vTM Pool.
  • Specify the nodes as 10.0.0.1:4443,10.0.0.2:4443, etc. (comma separated, with port 4443 given for every node).
  • Configure pool monitoring as Ping. Keep in mind that Ping only confirms that the node's IP answers ICMP, not that the management service on port 4443 is responding, so a node whose management service has died will still receive requests until it is removed from the pool.
  • Round Robin load balancing is configured by default. You can use Weighted Round Robin to prefer a specific node for management requests.
  • Enable SSL encryption, so that the pool re-encrypts traffic to the ECS nodes on port 4443.
  • Check that the ssl_server_name setting is disabled. Note that whether vTM verifies the ECS node certificate on that re-encrypted leg is a separate pool SSL setting (strict certificate verification); consider enabling it so the back-end leg is authenticated as well as encrypted.
  • Create a Virtual Server.
  • By default that Virtual Server will be available on all existing Traffic IP Groups. You can specify a particular VIP if you want to dedicate it to management traffic only, which also makes it easy to restrict port 4443 to administrative networks at the firewall.
  • Navigate to Wizards > SSL Decrypt a service.
  • Go through the Wizard steps.
  • Select the Virtual Server.
  • Select an existing SSL certificate or create a new one.
  • Specify the HTTP protocol.
  • Finally, review the decrypt / re-encrypt configuration.
  • SSL decryption is configured now.
  • Enable the Virtual Server.
  • If you get an "Address is already in use" error message, check that the Traffic IP Group does not already have port 4443 assigned. If it does, use another Traffic IP Group.

  • Check that we can authenticate via vTM now. VIP 10.100.100.100 is used in this example. The -k flag skips certificate verification because the vTM certificate here is self-signed; for a real deployment install a certificate issued by a CA your admin hosts trust on the Virtual Server, or pass the vTM certificate to curl with --cacert, rather than disabling verification. Also note that the command line below puts the root password into the shell history and process list.
# curl -kv -u root:password https://10.100.100.100:4443/login?using-cookies=true -c cookiefile
 * About to connect() to 10.100.100.100 port 4443 (#0)
 *   Trying 10.100.100.100... connected
 * Connected to 10.100.100.100 (10.100.100.100) port 4443 (#0)
 * successfully set certificate verify locations:
 *   CAfile: none
   CApath: /etc/ssl/certs/
 * SSLv3, TLS handshake, Client hello (1):
 * SSLv3, TLS handshake, Server hello (2):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Server finished (14):
 * SSLv3, TLS handshake, Client key exchange (16):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSL connection using AES128-SHA
 * Server certificate:
 *        subject: …; CN=mycompany.com
 *        start date: 2017-03-14 13:46:45 GMT
 *        expire date: 2018-03-14 13:46:45 GMT
 *        issuer: …; CN=mycompany.com
 *        SSL certificate verify result: self signed certificate (18), continuing anyway.
 * Server auth using Basic with user 'root'
 > GET /login?using-cookies=true HTTP/1.1
 > Authorization: Basic cm9vd…dA==
 > User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10
 > Host: 10.100.100.100:4443
 > Accept: */*
 >
 < HTTP/1.1 200 OK
 < Date: Thu, 20 Apr 2017 09:24:55 GMT
 < Content-Type: application/xml
 < Content-Length: 93
 < Connection: keep-alive
 < X-SDS-AUTH-TOKEN: BAAcTy84SzhP…8=
 * Added cookie X-SDS-AUTH-TOKEN="BAAcTy84SzhP…8=" for domain 10.100.100.100, path /, expire 1492709095
 …
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><loggedIn><user>root</user></loggedIn>

API access via the Load Balancer works just fine. Note that the trace above comes from an old curl build (OpenSSL 0.9.8) that negotiated AES128-SHA; on the vTM side, restrict the Virtual Server's SSL settings to TLS 1.2 or later and modern cipher suites so that management sessions cannot be downgraded.
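As an added example (not code from the original post), the following POSIX shell script performs the same login through the vTM VIP, but without -k and without the password on the command line, then reuses the returned X-SDS-AUTH-TOKEN for a follow-up call and logs out. The certificate path, the ECS_USER / ECS_PASSWORD environment variables, and the /user/whoami and /logout paths are assumptions (the two paths are taken from the ECS REST API reference and are not shown in this post); the sample headers and body at the bottom are constructed so the parsing helpers can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: curl >= 7.34 (for --tlsv1.2); the vTM Virtual Server
# certificate (or its issuing CA) is saved at $ECS_CACERT; the management
# credentials are provided through ECS_USER / ECS_PASSWORD.

ECS_VIP="${ECS_VIP:-10.100.100.100}"        # VIP used in the post
ECS_CACERT="${ECS_CACERT:-./vtm-mgmt.crt}"  # assumed path; replaces curl -k

# Read a curl header dump (-D) on stdin and print the session token.
# The header name is exactly the one shown in the post's curl trace.
extract_token() {
    sed -n 's/^X-SDS-AUTH-TOKEN: *//p' | tr -d '\r' | head -n 1
}

# Read the <loggedIn> XML body returned by /login on stdin and print the user.
logged_in_user() {
    sed -n 's/.*<loggedIn><user>\([^<]*\)<\/user><\/loggedIn>.*/\1/p'
}

# Log in through the load balancer and print the token on stdout.
# Credentials are handed to curl through a config read from stdin (-K -),
# so the password never appears in argv or in the shell history.
ecs_login() {
    hdr=$(mktemp) || return 1
    body=$(printf 'user = "%s:%s"\n' "$ECS_USER" "$ECS_PASSWORD" |
        curl -sS --fail --tlsv1.2 --cacert "$ECS_CACERT" -K - \
             -D "$hdr" "https://$ECS_VIP:4443/login?using-cookies=true") || {
        rm -f "$hdr"; return 1; }
    user=$(printf '%s' "$body" | logged_in_user)
    token=$(extract_token < "$hdr")
    rm -f "$hdr"
    # Refuse to continue if the token is missing or ECS logged in someone else.
    [ -n "$token" ] && [ "$user" = "$ECS_USER" ] || return 1
    printf '%s\n' "$token"
}

# Call a management endpoint with the token instead of Basic auth.
# Usage: ecs_get "$TOKEN" /user/whoami   (path assumed from the ECS API docs)
ecs_get() {
    curl -sS --fail --tlsv1.2 --cacert "$ECS_CACERT" \
         -H "X-SDS-AUTH-TOKEN: $1" "https://$ECS_VIP:4443$2"
}

# Invalidate the token on the ECS side when done (/logout assumed from the docs).
ecs_logout() {
    ecs_get "$1" /logout > /dev/null
}

# Constructed sample of the headers and body seen in the post's trace;
# the token value is a placeholder, not a real one.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\nX-SDS-AUTH-TOKEN: EXAMPLETOKEN123=\r\nConnection: keep-alive\r\n')
SAMPLE_BODY='<?xml version="1.0" encoding="UTF-8" standalone="yes"?><loggedIn><user>root</user></loggedIn>'

# Run the live exchange only when explicitly requested, so the file can be
# sourced (or its helpers tested) without touching the network.
if [ "${ECS_RUN:-0}" = "1" ]; then
    TOKEN=$(ecs_login) || { echo "login via $ECS_VIP failed" >&2; exit 1; }
    ecs_get "$TOKEN" /user/whoami
    ecs_logout "$TOKEN"
fi
```

Run it with `ECS_RUN=1 ECS_USER=root ECS_PASSWORD=... ECS_CACERT=/path/to/vtm.crt sh ecs-login.sh`. Because the curl trace in the post shows a self-signed certificate, pointing --cacert at that certificate file is enough for curl to trust it; the script then fails closed on any certificate mismatch instead of "continuing anyway" as the -k run above did.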

Note: you can also configure ECS GUI management access via the LB by configuring access on HTTPS port 443. The procedure is the same.
