Last week I posted some notes on the basic installation done for the initial OpenAM install chapter that I was writing. Looking at the work Steve is doing for session management, I decided that a single instance would not be enough. Luckily I have 8 GB RAM on this laptop. Using VirtualBox, CentOS, and HAProxy, I now have a host-only network of 3 systems: 2 for OpenAM, 1 for the load balancer (and probably a test application at some point).
In VirtualBox, I configured host-only networking, with no DHCP, for the 3 guests, each based on CentOS 6.
    $ cat /etc/redhat-release
    CentOS Linux release 6.0 (Final)
Root user: root:password
Normal user: mark:password
Set up networking in /etc/hosts on each guest and on the host. Static addressing, with the gateway being the host. Here's the hosts file excerpt:

    $ cat /etc/hosts
    ...
    192.168.56.1 host
    192.168.56.2 openam.example.com
    192.168.56.3 openam-bis.example.com
    192.168.56.4 lb.example.com
Installed Java 6 (/path/to/jdk1.6).

    $ cat .bash_profile
    ...
    # User specific environment and startup programs
    PATH=.:/path/to/jdk1.6/bin:$PATH:$HOME/bin
    export PATH
    JAVA_HOME=/path/to/jdk1.6
    export JAVA_HOME
    JRE_HOME=$JAVA_HOME/jre
    export JRE_HOME
Installed Apache Tomcat 7 (/path/to/tomcat) on each host. Then configured Tomcat to start at boot time and stop at shutdown (chkconfig --add tomcat).

    $ cat /etc/init.d/tomcat
    #!/bin/sh
    #
    # tomcat
    #
    # chkconfig: 345 95 5
    # description: Manage Tomcat web application container

    CATALINA_HOME="/path/to/tomcat"
    export CATALINA_HOME
    JAVA_HOME=/path/to/jdk1.6
    export JAVA_HOME
    JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
    export JAVA_OPTS

    cd ${CATALINA_HOME}

    # Determine what action should be performed on the server
    case "${1}" in
    start)
      /bin/su mark -c "${CATALINA_HOME}/bin/startup.sh"
      exit ${?}
      ;;
    stop)
      /bin/su mark -c "${CATALINA_HOME}/bin/shutdown.sh"
      exit ${?}
      ;;
    *)
      echo "Usage: $0 { start | stop }"
      exit 1
      ;;
    esac
On the system with HAProxy and only 1024 MB memory, removed the following lines from /etc/init.d/tomcat:

    JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
    export JAVA_OPTS
For the two openam*.example.com guests, installed OpenDJ on both openam.example.com and openam-bis.example.com in /path/to/OpenDJ, and enabled OpenDJ to start at boot time (chkconfig --add opendj).

    $ cat /etc/init.d/opendj
    #!/bin/sh
    #
    # CDDL HEADER START
    #
    # The contents of this file are subject to the terms of the
    # Common Development and Distribution License, Version 1.0 only
    # (the "License").  You may not use this file except in compliance
    # with the License.
    #
    # You can obtain a copy of the license at
    # https://OpenDS.dev.java.net/OpenDS.LICENSE.
    # See the License for the specific language governing permissions
    # and limitations under the License.
    #
    # When distributing Covered Code, include this CDDL HEADER in each
    # file and include the License file at
    # trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
    # add the following below this CDDL HEADER, with the fields enclosed
    # by brackets "[]" replaced with your own identifying information:
    #      Portions Copyright [yyyy] [name of copyright owner]
    #
    # CDDL HEADER END
    #
    # chkconfig: 345 95 5
    # description: Control the OpenDJ Directory Server

    # Set the path to the OpenDJ instance to manage
    INSTALL_ROOT="/path/to/OpenDJ"
    export INSTALL_ROOT

    cd ${INSTALL_ROOT}

    # Determine what action should be performed on the server
    case "${1}" in
    start)
      /bin/su mark -c "${INSTALL_ROOT}/bin/start-ds --quiet"
      exit ${?}
      ;;
    stop)
      /bin/su mark -c "${INSTALL_ROOT}/bin/stop-ds --quiet"
      exit ${?}
      ;;
    restart)
      /bin/su mark -c "${INSTALL_ROOT}/bin/stop-ds --restart --quiet"
      exit ${?}
      ;;
    *)
      echo "Usage: $0 { start | stop | restart }"
      exit 1
      ;;
    esac
OpenDJ listens on 1389 (LDAP), 1636 (LDAPS), 4444 (Admin), and 8989 (Replication) on each host. Each directory contains the Example.com sample data from http://mcraig.org/ldif/Example.ldif.
Fixed up iptables for all the ports needed.

    # /etc/init.d/iptables stop
    # vi /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Jul 13 10:42:56 2011
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1233:104093]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2389 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5444 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8989 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9989 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Wed Jul 13 10:42:56 2011
    # /etc/init.d/iptables start
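A small cross-check of the ruleset against the ports the post says each service listens on, added here as an example and not part of the original post. The service-to-port map and the sample rules are copied from the post; run against them, it reports that the embedded config store's JMX port 1689 is never opened, and that the admin and replication ports are accepted from any source rather than only from the peer guests.

```python
"""Cross-check an iptables-save ruleset against the ports this lab needs."""
import re

# Constructed from the post: each service and the TCP ports it listens on.
EXPECTED = {
    "ssh": {22},
    "tomcat": {8080},
    "opendj": {1389, 1636, 4444, 8989},
    "openam-config-store": {1689, 2389, 5444, 9989},
}
# Admin, JMX and replication ports: only known peers should reach these.
SENSITIVE = {1689, 4444, 5444, 8989, 9989}

# Sample ruleset, abridged from the post's /etc/sysconfig/iptables.
SAMPLE_RULES = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8989 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9989 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

DPORT = re.compile(r"--dport (\d+)\b")

def accepted_tcp_ports(rules):
    """Map each TCP dport an INPUT ACCEPT rule opens to whether it carries a -s source match."""
    opened = {}
    for line in rules.splitlines():
        m = DPORT.search(line)
        if m and line.startswith("-A INPUT") and "-p tcp" in line and line.endswith("-j ACCEPT"):
            opened[int(m.group(1))] = " -s " in line
    return opened

def missing_ports(rules):
    """Ports a service needs (per EXPECTED) that the ruleset never accepts."""
    opened = set(accepted_tcp_ports(rules))
    return {svc: ports - opened for svc, ports in EXPECTED.items() if ports - opened}

def unrestricted_sensitive(rules):
    """Sensitive ports accepted from any source address."""
    return {p for p, has_src in accepted_tcp_ports(rules).items()
            if p in SENSITIVE and not has_src}
```

Adding `-s 192.168.56.0/24` (or the individual peer addresses) to the 4444/5444/8989/9989 rules makes `unrestricted_sensitive` come back empty.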
Installed OpenAM as a web app in Tomcat (cp openam/deployable-war/opensso.war /path/to/tomcat/webapps/openam.war).
- amadmin:password
- policy agents pwd:secret12
- Embedded config directory 1689 (JMX), 2389 (LDAP), 5444 (Admin), 9989 (Repl)
- Site “Example Site” + load balancer URL “http://lb.example.com:8080/openam”
On the lb.example.com guest, installed HAProxy.
    # ls /etc/haproxy/
    haproxy  haproxy.conf
    # /etc/haproxy/haproxy -v
    HA-Proxy version 1.4.15 2011/04/08
    Copyright 2000-2010 Willy Tarreau
    # cat /etc/haproxy/haproxy.conf
    global
        daemon
        user nobody
        group nobody

    defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

    frontend http-in
        bind *:8080
        default_backend servers

    backend servers
        #appsession amlbcookie len 20 timeout 3h request-learn
        balance roundrobin
        cookie SERVERID insert nocache
        server openam.example.com 192.168.56.2:8080 check cookie 1
        server openam-bis.example.com 192.168.56.3:8080 check cookie 2
The non-self-explanatory parts in the backend servers section:
- cookie SERVERID insert nocache
  IIRC adds a cookie to help HAProxy direct client traffic to the same backend server where possible.
- server fqdn ip:port check cookie value
  IIRC tells HAProxy to check that the server accepts HTTP requests, and assigns the cookie the specified value.
- The appsession line is what Sam thought should be sufficient instead of the cookie line and extra server parameters to know how to balance requests.
I’m not sure this configuration actually works as expected, yet. I only know that it seems to work at least a bit.
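One way to find out whether the cookie persistence actually holds, as an added example rather than anything from the post: with `cookie SERVERID insert`, the first reply must carry a `Set-Cookie: SERVERID=...`, and replies to requests that replay that cookie should either carry no SERVERID (the cookie was honoured) or the same value; a different value means the request was rebalanced. Host, port and path are assumed from the post's config, and the sample headers are constructed for the offline check.

```python
"""Probe HAProxy cookie stickiness in front of the two OpenAM instances."""
from __future__ import annotations
import http.client
from http.cookies import SimpleCookie
from typing import Optional

# Assumed from the post's HAProxy config and /etc/hosts.
LB_HOST, LB_PORT, PATH = "lb.example.com", 8080, "/openam/"

def server_id(headers: list) -> Optional[str]:
    """Return the SERVERID value HAProxy inserted via Set-Cookie, or None."""
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if "SERVERID" in jar:
                return jar["SERVERID"].value
    return None

def is_sticky(first: Optional[str], later: list) -> bool:
    """First reply must set the cookie; replays must not be re-stamped with another id."""
    return first is not None and all(s in (None, first) for s in later)

def fetch(cookie: Optional[str]) -> Optional[str]:
    """One GET through the load balancer, optionally replaying a SERVERID cookie."""
    conn = http.client.HTTPConnection(LB_HOST, LB_PORT, timeout=5)
    hdrs = {"Cookie": f"SERVERID={cookie}"} if cookie else {}
    conn.request("GET", PATH, headers=hdrs)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return server_id(resp.getheaders())

def probe(count: int = 5):
    """Live check: one cookie-less request, then `count` replays of its cookie."""
    first = fetch(None)
    return first, [fetch(first) for _ in range(count)]

# Constructed sample headers (not captured from a real run) for an offline check.
SAMPLE_FIRST = [("Set-Cookie", "SERVERID=1; path=/"), ("Content-Type", "text/html")]
SAMPLE_REPLAY = [("Content-Type", "text/html")]

if __name__ == "__main__":
    first, later = probe()
    print("sticky" if is_sticky(first, later) else "NOT sticky", first, later)
```

Stopping Tomcat on the backend named in the cookie and re-running the probe shows the failover case: the replay comes back stamped with the other SERVERID.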
Configured HAProxy to start at boot time (chkconfig --add haproxy):

    # cat /etc/init.d/haproxy
    #!/bin/sh
    #
    # haproxy
    #
    # chkconfig: 345 95 5
    # description: Manage HAProxy service
    #
    # Inspired by http://mattiasgeniar.be/downloads/haproxy/haproxy.init.
    #

    # Provides success(), which reload() calls below.
    . /etc/init.d/functions

    HAPROXY="/etc/haproxy/haproxy"
    export HAPROXY

    checkconfig() {
      ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
      if [ $? -ne 0 ]; then
        echo "Errors found in configuration file."
        return 1
      fi
      return 0
    }

    start() {
      ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
      if [ $? -ne 0 ]; then
        echo "Errors found in configuration file."
        return 1
      fi
      echo -n "Starting HAProxy..."
      ${HAPROXY} -D -f /etc/haproxy/haproxy.conf -p /var/run/haproxy.pid
      RETVAL=$?
      echo
      [ $RETVAL -eq 0 ] && touch /var/lock/subsys/haproxy
      return $RETVAL
    }

    stop() {
      echo -n "Shutting down HAProxy..."
      kill $(cat /var/run/haproxy.pid)
      RETVAL=$?
      echo
      [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/haproxy
      [ $RETVAL -eq 0 ] && rm -f /var/run/haproxy.pid
      return $RETVAL
    }

    restart() {
      ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
      if [ $? -ne 0 ]; then
        echo "Errors found in configuration file."
        return 1
      fi
      stop
      start
    }

    check() {
      ${HAPROXY} -c -q -V -f /etc/haproxy/haproxy.conf
    }

    reload() {
      ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
      if [ $? -ne 0 ]; then
        echo "Errors found in configuration file."
        return 1
      fi
      echo -n "Reloading HAProxy config: "
      ${HAPROXY} -f /etc/haproxy/haproxy.conf -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
      success $"Reloading HAProxy config: "
      echo
    }

    # Possible parameters
    case "$1" in
      start)
        start
        ;;
      stop)
        stop
        ;;
      restart)
        restart
        ;;
      reload)
        reload
        ;;
      checkconfig)
        check
        ;;
      *)
        echo "Usage: haproxy {start|stop|status|restart|reload|checkconfig}"
        exit 1
    esac
    exit 0
Hope to provide more news as I start to test Steve’s new session management feature.