REST API access via Load Balancer

In this post, we discuss how to configure a Brocade vTM load balancer to provide access to the ECS management APIs.

Load Balancing is highly recommended to share data access across all ECS nodes. We can use the same LB to provide ECS management access. That increases the overall availability of ECS.

ECS management REST APIs are accessible via HTTPS on port 4443. Let’s look at how to configure vTM to provide SSL access to that port.

  • Create new vTM Pool
  • Specify nodes as,, etc (comma separated with 4443 port specified.)
  • Pool monitoring has to be configured as Ping.


  • By default, Round Robin load balancing is configured. You can use Weighted Round Robin to prefer a specific node for management.

  • Enable SSL encryption.
  • Check if ssl_server_name authentication is disabled.


  • Create Virtual Server

  • By default, the Virtual Server is available via all existing Traffic IP Groups. You can specify a particular VIP if you need to dedicate it to management traffic only.

  • Navigate to Wizards > SSL Decrypt a service

  • Go through the Wizard steps

  • Select the Virtual Server.


  • Select existing SSL certificate or create a new one.

  • Specify HTTP protocol.


  • Finally, review the decrypt / re-encrypt config.


  • SSL-decryption is configured now.
  • Enable the Virtual Server

  • If you get an “Address is already in use” error message, check that the Traffic IP Group doesn’t already have port 4443 assigned. If it does, use another Traffic IP Group.


  • Check that we can authenticate via vTM now. The VIP is used in my example.
# curl -kv -u root:password -c cookiefile
 * About to connect() to port 4443 (#0)
 *   Trying connected
 * Connected to ( port 4443 (#0)
 * successfully set certificate verify locations:
 *   CAfile: none
   CApath: /etc/ssl/certs/
 * SSLv3, TLS handshake, Client hello (1):
 * SSLv3, TLS handshake, Server hello (2):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Server finished (14):
 * SSLv3, TLS handshake, Client key exchange (16):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSL connection using AES128-SHA
 * Server certificate:
 *        subject: …;
 *        start date: 2017-03-14 13:46:45 GMT
 *        expire date: 2018-03-14 13:46:45 GMT
 *        issuer: …;
 *        SSL certificate verify result: self signed certificate (18), continuing anyway.
 * Server auth using Basic with user 'root'
 > GET /login?using-cookies=true HTTP/1.1
 > Authorization: Basic cm9vd…dA==
 > User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10
 > Host:
 > Accept: */*
 < HTTP/1.1 200 OK
 < Date: Thu, 20 Apr 2017 09:24:55 GMT
 < Content-Type: application/xml
 < Content-Length: 93
 < Connection: keep-alive
 * Added cookie X-SDS-AUTH-TOKEN="BAAcTy84SzhP…8=" for domain, path /, expire 1492709095
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><loggedIn><user>root</user></loggedIn>

API access via Load Balancer works just fine.
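
The check above uses -k and puts the password on the command line. As an added example (not part of the original post), the shell functions below log in with the vTM certificate verified and then validate the cookie jar that -c writes. The VIP host name, CA file, jar path and sample token are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. VIP host, CA file, jar path and sample token are placeholders.

# Log in through the vTM virtual server with its certificate verified
# (--cacert instead of -k). "-u root" without a password makes curl prompt,
# keeping the password out of shell history and the process list.
ecs_login() {  # usage: ecs_login <vip-host> <ca-file> <jar>
    ( umask 077   # the jar will hold a bearer token: create it owner-only
      curl -sS --cacert "$2" -u root -c "$3" -o /dev/null \
           "https://$1:4443/login?using-cookies=true" )
}

# Print "<expiry> <value>" for X-SDS-AUTH-TOKEN from a curl cookie jar.
# Jar lines are tab separated: domain, subdomain flag, path, secure flag,
# expiry (epoch seconds), name, value. HttpOnly cookies get a "#HttpOnly_"
# prefix on the domain; every other "#" line is a comment.
ecs_token_record() {  # usage: ecs_token_record <jar>
    awk -F '\t' '
        /^#/ && !/^#HttpOnly_/ { next }
        NF >= 7 && $6 == "X-SDS-AUTH-TOKEN" { print $5, $7; found = 1; exit }
        END { exit !found }' "$1"
}

# Succeed only if the jar is owner-only and holds an unexpired token.
ecs_token_usable() {  # usage: ecs_token_usable <jar> [now-epoch]
    jar=$1; now=${2:-$(date +%s)}
    [ "$(ls -ld "$jar" | cut -c5-10)" = "------" ] ||
        { echo "jar is readable by group or others" >&2; return 1; }
    rec=$(ecs_token_record "$jar") || { echo "no token in jar" >&2; return 1; }
    exp=${rec%% *}
    # expiry 0 marks a session cookie; otherwise it must lie in the future
    [ "$exp" -eq 0 ] || [ "$exp" -gt "$now" ] ||
        { echo "token expired, log in again" >&2; return 1; }
}

# Write a constructed jar (placeholder domain and token; expiry as in the
# curl output above) so the checks can be tried without an ECS system.
make_sample_jar() {  # usage: make_sample_jar <jar>
    ( umask 077
      { printf '# Netscape HTTP Cookie File\n'
        printf '%s\tFALSE\t/\tFALSE\t%s\t%s\t%s\n' vip.example.test \
               1492709095 X-SDS-AUTH-TOKEN CONSTRUCTED-TOKEN-VALUE=
      } > "$1" )
}
```

Run ecs_token_usable on the jar before reusing it with curl -b; the CA file passed to ecs_login is the certificate selected for the Virtual Server, or the CA that issued it.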

Note: you can also provide ECS GUI management access via the LB by configuring access to HTTPS port 443. The procedure is the same.
