VMware Identity Manager and NSX Advanced Load Balancer (ALB)

Overview

You would think there would be plenty of good resources documenting this, but I couldn’t find one. I found all kinds of resources for configuring against a Horizon environment, though. In this post, I am deploying a VMware Identity Manager cluster from an Aria Suite Lifecycle Manager (LCM). This is my configuration for setting up the global environment in LCM.

VMware Aria Suite Lifecycle Manager (LCM)

The first thing is to make sure the LCM appliance itself has a trusted certificate. I do not use public Certificate Authority (CA) signed certificates. The first thing is to upload the certificate to the Locker. This certificate can be created from the CA or a CSR can be generated from LCM and signed by the CA. Either way, we need to get an LCM certificate uploaded.

While here, let’s get the certificate for the VMware Identity Manager cluster uploaded. Make sure that the Common Name (CN) is for the load balanced address. There must be DNS A and PTR records for the nodes. (Canonical Names (CNAME) are not supported). This is the address that you want clients to hit. In my case, I am using vidm.aaronrombaut.com. This certificate has the load balanced address in the Common Name (CN) and the underlying nodes in the Subject Alternative Name (SAN) field.


https://<aria-suite-lcm-fully-qualified-domain-name>/dashboard > Locker

If you are here trying to deploy the VMware Identity Manager cluster, here is the link to complete that. https://www.aaronrombaut.com/vmware-aria-suite-lifecycle-vmware-identity-manager-vidm/

NSX Advanced Load Balancer (ALB) Terminology

I find it helps to learn (and understand) terminology. Since the NSX ALB is a relatively new technology for me, I am still new to these terms.

Virtual Service – this is the application that the clients will connect to. It is configured with the fully-qualified-domain-name and IP address for the load balanced service. In this case, we are clustering VMware Identity Manager nodes. In DNS, I have configured a forward (A) record and a reverse (PTR) record for vidm.aaronrombaut.com which points to 172.16.10.130.

VS VIPs – this is the actual virtual IP address (172.16.10.130) and host name (vidm.aaronrombaut.com) configuration to be used in the virtual service.

Pools – this is where the individual servers that the load balanced address (the VS VIP) points to. In the case of my Identity Manager cluster, I have a pool with three nodes (vidm-1.aaronrombaut.com; vidm-2.aaronrombaut.com; and vidm-3.aaronrombaut.com).

SSL/TLS Certificates – this is where the machine certificate, containing the load balanced address in the Common Name (CN) field, and intermediate and root certificates are installed. NSX Advanced Load Balancer breaks up the certificate chain into individual certificates, which is rather nice; it makes it easier to swap out and keep inventory.

Health Monitor Profile – this is what is configured that is used to check for liveness on the nodes in the pool.

NSX Advanced Load Balancer Configuration

I am using VMware NSX ALB (Avi) version 22.1.5, build 9093 for this configuration.

Certificates

We need to upload the exact certificate and signing chain that was used in the Aria Suite Lifecycle Manager.

Templates > Security > SSL/TLS Certificates > Create > Application Certificate

Templates > Security > SSL/TLS Certificates > Create > Root/Intermediate CA Certificate

Make sure the dots in the Status column are green before proceeding.

Health Monitor

Templates > Profiles > Health Monitors > Create

Viewed as a JSON file; the fields shown in bold are the ones set in the User Interface (UI).

{
    "url": "https://avi-50.aaronrombaut.com/api/healthmonitor/healthmonitor-955249a1-b1ca-4f4c-b678-e1934433b43c#VMware Identity Manager Health Monitor",
    "uuid": "healthmonitor-955249a1-b1ca-4f4c-b678-e1934433b43c",
    "name": "VMware Identity Manager Health Monitor",
    "is_federated": false,
    "tenant_ref": "https://avi-50.aaronrombaut.com/api/tenant/admin#admin",
    "_last_modified": "1715972558055162",
    "failed_checks": 2,
    "https_monitor": {
        "exact_http_request": false,
        "http_request": "GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.0",
        "http_response_code": [
            "HTTP_2XX"
        ]
    },
    "receive_timeout": 4,
    "send_interval": 10,
    "successful_checks": 2,
    "type": "HEALTH_MONITOR_HTTPS",
    "authentication": {}
}
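To make the thresholds in that monitor concrete, here is an added Python model (my own example, not code from the post or from VMware/Avi). It copies the values from the JSON above and plays a sequence of probe outcomes through the up/down logic: a member is marked DOWN only after failed_checks consecutive failures and UP only after successful_checks consecutive passes. The initial "down until proven healthy" state and the probe helper are my assumptions; the probe uses HTTP/1.1 via http.client rather than the monitor's literal HTTP/1.0 request line.

```python
"""Added example: a small model of the VMware Identity Manager health monitor
configured above. Threshold values are copied from the post's JSON; the state
machine and probe helper are my own simplification (not Avi's implementation).
"""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import List

# Values copied from the health monitor JSON in the post.
HEARTBEAT_PATH = "/SAAS/API/1.0/REST/system/health/heartbeat"
SEND_INTERVAL = 10      # seconds between probes
RECEIVE_TIMEOUT = 4     # seconds to wait for a response
SUCCESSFUL_CHECKS = 2   # consecutive passes needed before a member is marked UP
FAILED_CHECKS = 2       # consecutive failures needed before a member is marked DOWN


def probe_node(host: str, port: int = 443, timeout: float = RECEIVE_TIMEOUT) -> bool:
    """Issue the same GET the monitor sends and return True on an HTTP 2xx.

    Any socket error, timeout or TLS failure counts as a failed check, which is
    the conservative choice: a node the load balancer cannot reach over a valid
    TLS session should not receive client traffic. The default context verifies
    the node certificate against the system trust store.
    """
    ctx = ssl.create_default_context()
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.request("GET", HEARTBEAT_PATH, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return 200 <= status < 300          # matches "HTTP_2XX" in the monitor
    except (OSError, http.client.HTTPException):
        return False


@dataclass
class NodeState:
    """Tracks one pool member the way the monitor's thresholds treat it."""
    name: str
    up: bool = False                         # assumption: new member is DOWN until it passes
    consecutive_pass: int = 0
    consecutive_fail: int = 0
    transitions: List[str] = field(default_factory=list)

    def record(self, passed: bool) -> bool:
        """Apply one probe result and return the member's current UP/DOWN state."""
        if passed:
            self.consecutive_pass += 1
            self.consecutive_fail = 0
            if not self.up and self.consecutive_pass >= SUCCESSFUL_CHECKS:
                self.up = True
                self.transitions.append("UP")
        else:
            self.consecutive_fail += 1
            self.consecutive_pass = 0
            if self.up and self.consecutive_fail >= FAILED_CHECKS:
                self.up = False
                self.transitions.append("DOWN")
        return self.up


def run_monitor(node: NodeState, results: List[bool]) -> NodeState:
    """Feed a sequence of probe outcomes (one per send_interval) into the state."""
    for passed in results:
        node.record(passed)
    return node


if __name__ == "__main__":
    # Constructed sequence: node comes up, has one transient failure, then dies.
    state = run_monitor(NodeState("vidm-1"), [True, True, False, True, False, False])
    print(state.up, state.transitions)   # False ['UP', 'DOWN']
```

The sequence in the usage block shows the point of failed_checks = 2: a single missed heartbeat (the third probe) does not pull the node out of the pool, but two in a row do. With send_interval = 10 that means a dead node keeps receiving new connections for up to about 20 seconds plus the receive_timeout; lower both if that window is too long for your environment.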

VS VIPs

Applications > VS VIPs > Create

Viewed as a JSON file; the fields shown in bold are the ones set in the User Interface (UI).

{
    "url": "https://avi-50.aaronrombaut.com/api/vsvip/vsvip-ab163cdf-a0aa-4f62-81c7-9d45f59022f8#vidm.aaronrombaut.com",
    "uuid": "vsvip-ab163cdf-a0aa-4f62-81c7-9d45f59022f8",
    "name": "vidm.aaronrombaut.com",
    "vrf_context_ref": "https://avi-50.aaronrombaut.com/api/vrfcontext/vrfcontext-63f3e5db-b80e-41f1-90f5-d51b0651fab9#global",
    "tenant_ref": "https://avi-50.aaronrombaut.com/api/tenant/admin#admin",
    "cloud_ref": "https://avi-50.aaronrombaut.com/api/cloud/cloud-c1e79050-f564-4842-a5d0-332e1330e8c7#vSphere Cloud",
    "_last_modified": "1715965976262066",
    "east_west_placement": false,
    "vip": [
        {
            "auto_allocate_floating_ip": false,
            "auto_allocate_ip": false,
            "auto_allocate_ip_type": "V4_ONLY",
            "avi_allocated_fip": false,
            "avi_allocated_vip": false,
            "discovered_networks": [
                {
                    "network_ref": "https://avi-50.aaronrombaut.com/api/network/dvportgroup-5035-cloud-c1e79050-f564-4842-a5d0-332e1330e8c7#DSwitch-VM Management Network",
                    "subnet": [
                        {
                            "ip_addr": {
                                "addr": "172.16.10.0",
                                "type": "V4"
                            },
                            "mask": 24
                        }
                    ]
                }
            ],
            "enabled": true,
            "ip_address": {
                "addr": "172.16.10.130",
                "type": "V4"
            },
            "prefix_length": 32,
            "vip_id": "1"
        }
    ],
    "vs_refs": [
        "https://avi-50.aaronrombaut.com/api/virtualservice/virtualservice-1fc36fe5-23ea-4957-bdc8-aa0709520acc#vidm.aaronrombaut.com"
    ],
    "bgp_peer_labels": []
}

When creating the VS VIP, there will be a button to set the cloud and VRF. The name I have for the Cloud field comes from my configuration. The name of the cloud is configured in the NSX ALB Interface at Infrastructure > Clouds, and yours may be different.

Pools

Applications > Pools > Create Pool

Provide a Name, Type, set the Cloud & VRF, and Default Server Port.

Make sure to set the Load Balance Algorithm to Consistent Hash and Type to Source IP Address.

Consistent Hash is a load-balancing algorithm that distributes new connections across the servers using a hash that is based on a key. Setting this key to the Source IP Address ensures that established traffic persists between the client and the VMware Identity Manager node. This configuration combines load balancing and persistence.
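The following Python is an added illustration of that paragraph (my own toy ring, not code from the post or from VMware/Avi, whose internal implementation is not described here). It hashes the client source IP onto a ring of virtual nodes for the three pool members named above, so the same source IP always lands on the same node, and it shows that when the health monitor removes one node only the clients that were on that node move; a plain modulo hash would reshuffle most clients.

```python
"""Added example: consistent hashing keyed on client source IP, to show why the
Pool setting above gives persistence as a side effect of load balancing.
The ring layout, virtual-node count and hash function are my own choices.
"""
import bisect
import hashlib
from typing import Dict, List

# Pool members from the post.
POOL = ["vidm-1.aaronrombaut.com", "vidm-2.aaronrombaut.com", "vidm-3.aaronrombaut.com"]
VNODES = 100   # virtual nodes per server; smooths out the share each server gets


def _h(key: str) -> int:
    """64-bit position on the ring derived from SHA-256 (any stable hash works)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ConsistentHashRing:
    """Maps a key (here: the client source IP) to one server on a hash ring."""

    def __init__(self, servers: List[str], vnodes: int = VNODES):
        self.vnodes = vnodes
        self._points: List[int] = []        # sorted ring positions
        self._owner: Dict[int, str] = {}    # ring position -> server name
        for s in servers:
            self.add_server(s)

    def add_server(self, server: str) -> None:
        for i in range(self.vnodes):
            p = _h(f"{server}#{i}")
            self._owner[p] = server
            bisect.insort(self._points, p)

    def remove_server(self, server: str) -> None:
        """What happens when the health monitor marks a node DOWN."""
        self._points = [p for p in self._points if self._owner[p] != server]
        self._owner = {p: s for p, s in self._owner.items() if s != server}

    def lookup(self, source_ip: str) -> str:
        """First ring point clockwise from the key's hash; stable for a given IP."""
        if not self._points:
            raise LookupError("no healthy servers in pool")
        i = bisect.bisect(self._points, _h(source_ip)) % len(self._points)
        return self._owner[self._points[i]]


def distribution(ring: ConsistentHashRing, clients: List[str]) -> Dict[str, int]:
    """How many of the given source IPs land on each server."""
    counts: Dict[str, int] = {}
    for ip in clients:
        s = ring.lookup(ip)
        counts[s] = counts.get(s, 0) + 1
    return counts


def remap_fraction(servers: List[str], clients: List[str], removed: str) -> float:
    """Fraction of clients whose server changes when `removed` leaves the pool."""
    before = ConsistentHashRing(servers)
    after = ConsistentHashRing(servers)
    after.remove_server(removed)
    moved = sum(1 for ip in clients if before.lookup(ip) != after.lookup(ip))
    return moved / len(clients)


if __name__ == "__main__":
    # Constructed client population: 1000 addresses in 10.0.0.0/22.
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(1000)]
    ring = ConsistentHashRing(POOL)
    print(distribution(ring, clients))                     # roughly a third each
    print(remap_fraction(POOL, clients, POOL[0]))          # only vidm-1's clients move
```

One caveat for source-IP keyed persistence: every client behind the same NAT or proxy address hashes to the same pool member, so a large office behind one public IP will all land on a single VMware Identity Manager node. That is acceptable for a lab; for a production deployment with many users behind few addresses, consider whether cookie-based persistence on the application profile is a better fit.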

Add the individual nodes that comprise the pool by IP Address, Range or DNS Name.

Choose the Health Monitor, VMware Identity Manager Health Monitor, we configured above.

These are the default Profiles/Policies for me.

Leave the default SSL Profile of System-Standard-PFS and choose the Service Engine Client Certificate from the certificate we uploaded previously, vidm.aaronrombaut.com.

For the Fail Action, I chose Close Connection for security reasons.

Virtual Service

This is where it all comes together.

Applications > Virtual Services > Create Virtual Service > Advanced

Select the Cloud

Provide a Name and select the VS VIP. Ensure the Virtual Service is Enabled and that Traffic Enabled is selected. Change the Application Profile to System-Secure-HTTP.


Note: The System-Secure-HTTP Application Profile is a default profile. If there are other services on the NSX ALB, it may make sense to create a separate specific Application Profile, even if only one setting needs to be changed. Using a default Application Profile applies to all Virtual Services that use it, which may not be appropriate.

An additional point to note is that the Application Profile needs to have the X-Forwarded-For option selected, which the System-Secure-HTTP profile includes by default.


For the Service Port, change the Services to 443 and ensure the SSL checkbox is selected.

For the Pool, ensure the Pool radio button is selected and choose the Pool from the drop-down.

In SSL Settings, ensure the SSL Profile is System-Standard-PFS and SSL Certificate only contains one certificate. Choose the same certificate that was used when configuring the Pool previously.

Conclusion

This is a basic configuration that allows the Aria Suite Lifecycle Manager to build out the VMware Identity Manager cluster. Clients, including the Aria Suite LCM during the deployment, will query DNS for the load balanced address and connect to it, secured with a TLS certificate. The NSX ALB will then distribute the client to a backend guest, defined in the Pool, based on the Consistent Hash algorithm. The traffic is then re-encrypted to a node in the pool.

Advanced authentication, such as accounting for smart cards or SAML, should not be configured until the cluster is up and the Aria Suite LCM shows healthy.
