This document describes how the ITPAM Domain Orchestrator can be clustered over a secondary Domain Server to enhance scalability and high availability.
The following steps detail the installation of a clustered Domain Orchestrator, using CA Embedded Entitlements Manager (CA EEM) as the Security Server, Microsoft SQL Server 2005 as the database and Apache HTTP Server as the load balancer. A basic standalone Domain Orchestrator is often co-located with the database server and CA EEM; however, in a clustered environment these shared components should be located on a separate server. For load balancing, ITPAM is certified with Apache HTTP Server using the mod_jk module. Based on this we will need a minimum of three servers for our environment: one for each orchestrator node and one for the shared components (EEM, database, load balancer). This is in addition to the servers or machines that are to be managed by CA IT PAM Agents.
Install the Apache HTTP Server
The first step is to install the load balancer on the shared server. To do this:
- Ensure that you have access to the "Apache HTTP Server" (apache_2.2.14-win32-x86-openssl-0.9.8k.msi or later) and the corresponding "Apache to Tomcat Connector" (mod_jk-1.2.30-httpd-2.2.3.so). These can be downloaded from http://www.apache.org. In this document we will use version 2.2.14, but any later 2.2.xx version can be used. You can download the mod_jk.so binary corresponding to your OS from http://tomcat.apache.org/download-connectors.cgi; select the Binary Releases section to see a list of available downloads. In our example we are using "mod_jk-1.2.30-httpd-2.2.3.so".
- Ensure that port 80 is available on this server for Apache. Microsoft IIS (for example) also uses port 80, so ensure that IIS is uninstalled or disabled.
- Double-click on the install package "apache_2.2.14-win32-x86-openssl-0.9.8k.msi" to begin to install Apache HTTP Server.
- Click the Run button in the Open File - Security Warning dialog.
- Click Next on the Welcome to the Installation Wizard for Apache HTTP Server 2.2.14 page.
- Select the "I accept the terms in the license agreement" option and click the Next button on the License Agreement page.
- Click Next on the "Read This First" page.
- Enter the Network Domain, Server Name and Administrator's Email Address on the Server Information page. Click the Next button when done.
- Verify that the Typical option is selected on the Setup Type page and click the Next button.
- Click Next on the Destination Folder page to install the Apache HTTP Server to the default location. From here on out <APACHE_HOME> will refer to this directory which is C:\Program Files\Apache Software Foundation\Apache2.2.
- Click the Install button on the Ready to Install the Program page.
- Click the Finish button on the Installation Wizard Completed page after the product finishes installing.
- Copy the mod_jk-1.2.30-httpd-2.2.3.so file to the <APACHE_HOME>\modules directory and rename the file to mod_jk.so.
- Create a file called mod-jk.conf in the directory <APACHE_HOME>\conf with the following contents:
# Load mod_jk module
# Specify the filename of the mod_jk lib
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
# Where to put jk logs
# Set the jk log level [debug/error/info]
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
# JkOptions indicates to send SSL KEY SIZE
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
# You can use external file for mount points.
# It will be checked for updates each 60 seconds.
# The format of the file is: /url=worker
# Add shared memory.
# This directive is present with 1.2.10 and
# later versions of mod_jk, and is needed
# for load balancing to work properly
# Add jkstatus for managing runtime data
Allow from all
- Create a file called uriworkermap.properties in the directory <APACHE_HOME>\conf with the following contents:
#In uriworkermap.properties for Domain clustering make following entries:
# Mount the Servlet context to the ajp13 worker
# Mount your applications
# All the mirroring requests will go to the primary domain server
#Request to upload report and resource will go to primary domain server
#All the mirroring requests will go to the primary server
#Agent start up request will go to primary domain server
#GWT requests which are specific to the primary domain server, like Manage Version
#and Reporting, will go to the primary domain server only
#Installation request will go to primary domain server
#All the Secondary domain setting requests will go to the Primary domain server
#Agent installation request will go to load balancer
#All the reports will be uploaded to the primary domain server only. So we will have
#to map the URL which will be used to open the report to primary domain server.
#The request for the oasis client should go to load balancer
#The request for the third party installation should go to the primary server
- Create a file called workers.properties in the directory <APACHE_HOME>\conf with the contents below. You will notice that there are two nodes, node1 and node2, which refer to the Primary Domain Orchestrator and the additional cluster node for the Domain Orchestrator, respectively. For each node you have to provide a host name, which is either the IP address or the fully qualified domain name (which we have chosen), and the Apache JServ Protocol (AJP) port number, which is 8009 by default and does not need to be changed.
#Define list of workers that will be used for mapping requests
worker.list=loadbalancer, status, Primaryloadbalancer
# Load-balancing behaviour
# Mirroring Load-balancing behaviour
# Define node1
# modify the host as your host IP or DNS name.
# Define Node2
# modify the host as your host IP or DNS name.
# Status worker for managing load balancer
When you finish creating the three files, it should look like the screenshot below.
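Before restarting Apache it is worth checking that the three files agree with each other: every worker named in worker.list must be defined, every member of a load-balancing worker must be a defined ajp13 worker with a host and port, every mount in uriworkermap.properties must point at a listed worker, and the node name you will later type into the installer's "Load Balancer Worker Node" field must exist as an ajp13 worker. The following script is an added example, not part of the CA IT PAM documentation or of mod_jk. The sample file contents embedded in it are constructed to follow the standard mod_jk formats (worker.<name>.<attr> and /url=worker); the URL mounts and the assumption that Primaryloadbalancer routes only to node1 are illustrative placeholders, not ITPAM's real mapping table.

```python
"""Consistency check for a mod_jk workers.properties / uriworkermap.properties pair.

Added example for the clustering guide; the sample data below is constructed and
the mounts are placeholders, not the real ITPAM URL table.
"""
import re

# Constructed sample workers.properties: two ajp13 nodes, an lb worker spanning
# both, a "Primaryloadbalancer" assumed to route only to node1, and a status worker.
WORKERS_PROPERTIES = """\
worker.list=loadbalancer, status, Primaryloadbalancer
worker.node1.type=ajp13
worker.node1.host=node1.example.com
worker.node1.port=8009
worker.node2.type=ajp13
worker.node2.host=node2.example.com
worker.node2.port=8009
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.Primaryloadbalancer.type=lb
worker.Primaryloadbalancer.balance_workers=node1
worker.status.type=status
"""

# Constructed sample uriworkermap.properties (format: /url=worker).
# The last line deliberately references an undefined worker to show a finding.
URIWORKERMAP_PROPERTIES = """\
# Mount your applications
/itpam=loadbalancer
/itpam/*=loadbalancer
/jkstatus=status
/reports/*=node3
"""


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated mod_jk list, tolerating spaces after commas."""
    return [v.strip() for v in value.split(",") if v.strip()]


def workers_from_properties(props):
    """Group worker.<name>.<attr> keys into {name: {attr: value}}."""
    workers = {}
    for key, value in props.items():
        m = re.match(r"^worker\.([^.]+)\.([^.]+)$", key)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = value
    return workers


def lint_mod_jk(workers_text, mounts_text):
    """Return (errors, warnings) for the two files; both empty means consistent."""
    errors, warnings = [], []
    props = parse_properties(workers_text)
    listed = split_list(props.get("worker.list", ""))
    workers = workers_from_properties(props)

    # Every name in worker.list needs a type definition.
    for name in listed:
        if "type" not in workers.get(name, {}):
            errors.append(f"worker.list names '{name}' but no worker.{name}.type is defined")

    # ajp13 workers need host and port; lb workers need real ajp13 members.
    for name, attrs in workers.items():
        if attrs.get("type") == "ajp13":
            for attr in ("host", "port"):
                if attr not in attrs:
                    errors.append(f"ajp13 worker '{name}' is missing worker.{name}.{attr}")
        elif attrs.get("type") == "lb":
            members = split_list(attrs.get("balance_workers", ""))
            if not members:
                errors.append(f"lb worker '{name}' has no balance_workers")
            for member in members:
                if workers.get(member, {}).get("type") != "ajp13":
                    errors.append(f"lb worker '{name}' balances '{member}', which is not a defined ajp13 worker")

    # Every mount must target a listed worker; flag exposure of the status page.
    for url, worker in parse_properties(mounts_text).items():
        if not url.startswith("/"):
            errors.append(f"mount '{url}' does not start with '/'")
        if worker not in listed:
            errors.append(f"mount '{url}' targets '{worker}', which is not in worker.list")
        elif workers.get(worker, {}).get("type") == "status":
            warnings.append(f"mount '{url}' exposes the jkstatus worker; restrict who may reach it in Apache")
    return errors, warnings


def node_name_defined(workers_text, node_name):
    """True if the installer's 'Load Balancer Worker Node' value is a defined ajp13 worker."""
    workers = workers_from_properties(parse_properties(workers_text))
    return workers.get(node_name, {}).get("type") == "ajp13"


if __name__ == "__main__":
    errs, warns = lint_mod_jk(WORKERS_PROPERTIES, URIWORKERMAP_PROPERTIES)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
    print("node1 usable as worker node:", node_name_defined(WORKERS_PROPERTIES, "node1"))
```

Run it against the real files by reading them from <APACHE_HOME>\conf in place of the embedded samples; the sample run reports one error (the /reports/* mount targets a worker that is not in worker.list) and one warning about the jkstatus mount.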
- Modify the <APACHE_HOME>\conf\httpd.conf file by adding the lines below after line 126 of that file, i.e. after the line that reads #LoadModule vhost_alias_module modules/mod_vhost_alias.so. Make sure to save the file when finished.
#Load balancing module
- Restart Apache by clicking on the green arrow in the notifications area of the taskbar in the lower-right of the desktop, highlighting Apache2.2 in the popup menu, and clicking Restart in the popup menu.
Now open a browser and enter the URL of the load balancer; you should see "It works!"
At this point the Apache HTTP Server is set up as a load balancer for the CA IT PAM nodes that we are about to install.
CA Process Automation 3.1 Installation
Now we will install the ITPAM Domain Orchestrator (node1 in our load balancer configuration). These instructions assume that you have a database available with a user that has create database permissions; in this document we will use SQL Server 2005. A Java Development Kit (JDK) must also be installed and ready to reference during the ITPAM installation. Finally, EEM should be installed and you should have the EiamAdmin user's password.
CA Process Automation Third Party Installation (CD1)
- Welcome Screen
- Prerequisites List (JBOSS and Hibernate are required)
- JDBC Jar required for installation (MS SQL Server used in this case). The jar location is populated automatically from the installation media.
- Specify the location of the CD2 media. This launches the CA PAM 3.1 Domain Installer (the installer can only be launched from the Third Party installer on CD1).
CA Process Automation Domain Installation (CD2)
- Initial Domain Install Panel
- Select the I accept the agreement option on the License Agreement page and click Next.
- Browse to the Java Home directory for the JDK which is under C:\Program Files\Java\jdk1.6.0_18. If you have already setup a JAVA_HOME variable in your System Environment Variables you will not see this page. Click Next when done.
- SSO and Load Balancer configuration
Check the Configure Load Balancer option, type node1 in the Load Balancer Worker Node text field, and type the fully qualified domain name of the Apache HTTP Server in the Public Host Name text field (this is the host name you used above when you got "It works!" in the browser). In the workers.properties file you defined two nodes, node1 and node2; here you are specifying that this CA IT PAM Primary Domain Orchestrator is node1. Click Next when done.
- Type in the Company name. Click Next when completed.
- Enter <password> as the Certificate password to be used when installing additional CA IT PAM Orchestrators. This password may be the same as or different from the password of the itpamcert.p12 certificate (used later when registering the EEM application), which by default is "itpamcertpass". You will need this password in the future when installing additional CA IT PAM Orchestrators. Click Next when completed.
- Click Next on the Select Start Menu Folder page to accept the default options.
- Host Ports are displayed with their defaults. Ensure that these ports are not in use on your server. Select Install as Service (note: the CA Process Automation Orchestrator service must be started after the installation is complete; the service is initially configured with the 'Manual' Startup Type).
- PowerShell policy
This allows for central configuration of the PowerShell path and sets the execution of scripts to "Remote Signed" which allows CA Process Automation to run PowerShell scripts.
- CA Process Automation EEM configuration
Select EEM from the Security Server drop-down list on the Select Security Server Type page to use EEM as the Security Server. Click Next when finished.
Fill in your EEM server name and check the checkbox for Register Application. Also fill in your EEM certificate password. By default this is "itpamcertpass".
Click the "Register Application" button.
Enter the EiamAdmin Credentials:
- The PAMAdmins and PAMUsers groups and the pamadmin and pamuser users are created within EEM as part of the registration process; policy modifications for these groups and users, as well as user maintenance, can be performed in EEM.
- PAMAdmins and PAMUsers groups in EEM:
pamadmin and pamuser users in EEM
Click the "Test EEM Settings" button and enter the credentials pamadmin/pamadmin.
- CA Process Automation Installation Database Configuration
- The Repository and Runtime databases can now be separated to allow for easier maintenance and to enhance performance. After the databases have been created, click 'Check the Database Settings' to ensure they are configured correctly.
- After selecting the Type of Database, the remaining fields are populated with default values except the User Name and Password fields; be sure to enter a meaningful 'Repository Database' value if it is separate from the Runtime databases.
- Database settings for Process Automation Runtime and Queues databases. Check 'copy from main repository' to copy the parameters from the previous (Repository) database settings.
- Database settings for the Process Automation Report databases
Node1 of our cluster is installed. You can now access the itpam URL on your Apache HTTP Server (e.g. http://servername/itpam), which should direct you to the login page of node1.
Now we need to install node2.
Install an Additional Cluster Node for the Domain Orchestrator
NOTE: Follow the above instructions for installing a JDK on this node before launching the installation.
Open a browser on the node2 machine and navigate to http://servername/itpam, where servername is the name of your Apache HTTP Server. This connects you to the load balancer and, if it was configured properly, directs you to the CA IT PAM login page. Log in as an administrator (e.g. pamadmin).
- Select the Installation tab on the left side and highlight the "Install Cluster Node for Domain Orchestrator" panel.
- Click the Install button on the right.
- Select "Always trust content from this publisher" and click Run.
- Click Next.
- Accept the license and click Next.
- Select the directory where the orchestrator will be installed. Click Next.
- Click Next to install JBoss and Hibernate.
- Click Next.
- Click Next.
- The JBoss and Hibernate installs were successful. Click Next.
Leave this screen as it is; it copies the installation media from the node1 orchestrator to the node2 orchestrator. Click Finish. This may take some time.
To monitor what is going on behind the scenes, browse to the directory you specified for the orchestrator install and watch the file there grow in size as you refresh the Explorer window.
- Click Next.
- Accept the license agreement and click Next.
- Browse to the path of your JDK and click Next.
Notice that the checkboxes on this screen are greyed out. That is because we have chosen to install a cluster orchestrator, so many settings from the primary orchestrator are reused for this installation. Make sure to enter the worker node name for this new orchestrator; it must match the name you entered in the workers.properties file for this machine when you configured Apache. The Public Host Name should be the fully qualified domain name of the host where Apache is installed together with the port number that Apache uses (port 80 by default).
- Enter the company name and click Next.
- Enter the certificate password. The default is "itpamcertpass". If you changed it for the node1 installation, make sure you enter the correct password here.
- Click Next.
- Select Install as Windows Service. Notice that the display name is the name of your Apache HTTP Server. Click Next.
- Click Next.
- Click Next.
- EEM is used here and cannot be changed because node1 uses EEM. Click Next.
- EEM information is copied over from node1 and cannot be changed here. Click Next.
- All Database information is copied over from node1 and cannot be edited here. Click Next.
- Click Next.
- Click Next and the installation starts.
Node2 is now complete. You should now be able to start the node2 service and access Apache, which will load balance between node1 and node2.