ESG-InstallGuideR2-8




Intel® Expressway Service Gateway Installation Guide
Soft-Appliance Edition
Version 2.8
September 2011
Order Number: 325745-001US

Disclaimer and Legal Information

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web Site.
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See http://www.intel.com/products/processor_number for details.

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit Intel Performance Benchmark Limitations.

Results have been estimated based on internal Intel analysis and are provided for informational purposes only. Any difference in system hardware or software design or configuration may affect actual performance.

Intel Expressway Service Gateway, Intel Expressway Tokenization Broker, Intel Services Designer, Intel Expressway Service Gateway for Healthcare, Intel SOAE-H, and Intel are trademarks of Intel Corporation in the U.S. and other countries.

* Other names and brands may be claimed as the property of others.

Copyright © 2011, Intel Corporation. All rights reserved.

Document Revision History

Date            Revision  Description
August 2011     001       Initial document published for Intel® Expressway Service Gateway v2.8
September 2011  002       Document published for Intel® Expressway Service Gateway v2.8
1.0 Introduction

Intel® Expressway Service Gateway (ESG), also known as Service Gateway, is a software-appliance designed to simplify and secure application architecture on-premise or in the cloud. Service Gateway expedites deployments by addressing common security and performance challenges. ESG accelerates, secures, integrates and routes XML, web services and legacy data in a single, easy to manage software appliance form factor. The Service Gateway comes in a soft-appliance form factor, which is the ESG software installed on a customer provided operating system and hardware or in a virtual machine. This document provides instructions about installing the Service Gateway on the Linux* operating system.

1.1 Supported Servers

Service Gateway is a server-based product that provides optimal performance when the server is dedicated to it. However, other software can run on the server if required. Intel® Expressway Service Gateway's soft-appliance form factor is designed for Intel® OEM servers. ESG can be installed on any supported Intel® OEM server, which includes the following:
• Dell PowerEdge* 2950 (Quad-Core)
• HP ProLiant* DL380 G5 server (Dual Core or Quad Core)
• HP ProLiant* BL460C server (Dual-Core)

1.2 Hardware Requirements

The minimum processor and memory configuration for the Service Gateway is a Pentium 4 class processor with 4 gigabytes of RAM. The recommended processor and memory configuration for the Service Gateway is 2 Quad core processors (8 core, 2 socket) and 8 gigabytes of RAM.

1.3 Software Requirements

To install Service Gateway in a software environment, the system must have the following:

Table 1. ESG Software Environment

Item                         Software Version
Operating System             • Red Hat Enterprise Linux* AS 5 64-bit
                             • SUSE* Linux Enterprise Server 11 (SLES 11) 64-bit
Java Runtime Environment*    Java Runtime Environment (JRE*) 1.6.0_22 or greater.

1.4 Support for Virtual Machines

You can run Service Gateway on the following virtual machines:
• Oracle Virtual Manager* v2.1.5
• VMWare ESX* 3.0
• VMWare ESXi* 3.5

To run Service Gateway on a virtual machine, the VM must meet the following requirements:
• 2 CPU cores
• 8 GB of RAM
• minimum of 10 GB of free disk space

ESG performance scales proportionally to the number of cores. For example, if the runtime processed 1000 msg/sec on a virtual machine with 2 CPU cores allocated, then allocating 4 CPU cores doubles message throughput.

1.5 Installing Unlimited Strength Java* Cryptography Extension (JCE)

In the JRE used by ESG, you must install unlimited JCE. If you do not, then the runtime cannot perform Java-based cryptographic functions. To install the unlimited JCE, perform the following steps.
1. If the ESG service is running, stop it now.
2. Verify that the Java Runtime Environment (JRE) is installed on your system and that ESG will use that JRE.
3. Go to the Download Java(TM) Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 web page.
4. On the web page, download the jce_policy-6.zip.
5. Unzip the jce_policy-6.zip.
6. Open the jce folder.
7. In the jce folder, open the README.txt.
8. In the README.txt, follow the instructions about installing the unlimited JCE into the JRE used by ESG.
9. Start up the ESG service.
1.6 Security Support

Service Gateway supports cryptographic processing using a Cavium hardware security card for high performance applications or software-only OpenSSL*. For details about setting up Service Gateway to use Cavium hardware cards, refer to section 7.0 Integrating Hardware Cavium Cards with Service Gateway.

When you install Service Gateway, the runtime uses the default version of OpenSSL for cryptographic processing, such as a WS-security policy encrypting a message request. The version of OpenSSL used by Service Gateway depends on the operating system that the runtime is installed on. On software only versions of Service Gateway, the runtime supports OpenSSL 0.9.8o. If Service Gateway uses a Cavium security card for security offloading, then the runtime uses OpenSSL 0.9.8o.

1.7 Supported Transport Protocols

This table lists transport protocols supported by Service Gateway:

Table 2. ESG Transport Protocols

• HTTP(S) v1.0 and v1.1. Description: N/A. Can modify metadata? Yes
• JMS v1.1. Description: ESG can communicate with any message broker that supports the JMS standard APIs. Service Gateway has been tested with Sun MQ*, Oracle AQ*, WebSphere MQ Series*, and Active MQ*. Can modify metadata? Yes
• IBM MQ. Description: N/A. Can modify metadata? Yes
• MLLP Release 1 and Release 2. Description: Mirth v1.6.0. This is an implementation of MLLP Release 1. Can modify metadata? No
• File Transfer Protocol (FTP). Description: RFC 959. Can modify metadata? Yes
• Secure File Transfer Protocol (SFTP). Description: File Transfer Protocol 2.1 network protocol that provides file access, file transfer, and file management functionality over an encrypted, reliable data stream. Can modify metadata? Yes
• File. Description: Treats a file system as an endpoint. ESG can get or put files on a file system that is accessible from a network, such as NFS. Can modify metadata? Yes
• Raw TCP. Description: N/A. Can modify metadata? No

1.8 Supported Authentication Protocols

This table lists authentication protocols supported by ESG:

Table 3. ESG Authentication Protocols

• LDAP. Specific version tested: 6.0.4
• CA SiteMinder*. Specific version tested: 6.0
• Tivoli Access Manager*. Specific version tested: 6.0
• Oracle Access Manager*. Specific version tested: 10.14.01 with OID 10.14.01
• Online Certificate Status Protocol. Specific version tested: RFC 2560 and RFC 5019
• Oracle Entitlements Server*. Specific version tested: 10.1.4.3.0 on top of Weblogic* 10.3 with Oracle* Database 10.2.10
• WS-Trust. Specific version tested: Active Directory Federation Service 2.0 with WS-Trust 1.3

For information about the authentication protocols used in ESG, refer to the Security Reference Guide for Intel® Expressway Service Gateway.

2.0 Preparing Your System for ESG Installation

This section documents the files and parameters required by ESG. If these files are absent or parameters are not set when Service Gateway is installed, your install will fail or your system will not function correctly.

2.1 Red Hat Enterprise Linux OS* AS5 Installation Requirements for ESG

Service Gateway software (ESG) requires certain features of the Linux* operating system that are not the default Red Hat Enterprise Linux OS* installation. When you install Red Hat Enterprise Linux OS* AS5, use the following when installing:
1. Install with Machine use as:
   • Software Development
   • Web Server
2. Select the Customize Later radio button.
3. Language and other options should follow local administration guidelines.
4. During the post-reboot installation stage of Red Hat Enterprise Linux OS* 5, we recommend that you select: No Firewall. If you must enable the firewall, you need to carefully follow port enabling and set ups for these two items. Then, perform the procedure in section 2.3 Enabling Ports.
5. Perform the procedure in section 2.4 Installing the Java Runtime Environment.
6. Perform the procedure in section 2.6 Set Parameter Limits for ESG.
7. Perform the procedure in section 3.3 Installing Service Gateway.

2.2 SUSE Linux Enterprise 11 OS* Installation and Configuration for ESG

To install the SLES11 64-bit operating system so that Service Gateway can run on it, perform the following steps.
1. As a result, the Welcome screen displays.
2. In the Welcome screen, perform the following steps.
   a. In the Language drop-down menu, select English (US).
   b. In the Keyboard Layout drop-down menu, select English (US).
   c. Read the License Agreement and, then if you agree, select I agree to the License Terms check box.
   d. Select the Next button.
3. In the Media Check screen, you can check the installation media to avoid install problems by selecting the Start Check button. Once you have checked the installation media, select the Next button.
4. In the Installation Mode window, select the New Installation radio button and then select the Next button.
5. In the Clock and Time Zone screen, perform the following steps.
   a. In the Region drop-down menu, select the country or geographic location where the machine will reside.
   b. In the Time zone drop-down menu, select the time zone where the machine will reside.
   c. Verify that the Hardware Clock Set to UTC check box is selected.
   d. Update the date and time by performing the following steps.
      i. Select the Change button.
      ii. In the Current Date field, enter the current date.
      iii. In the Current Time field, enter the current time in the UTC format.
      iv. Select the Accept button.
   e. Select the Next button.
6. In the Server Base Scenario screen, perform the following steps.
   a. Select the Physical Machine (Also Fully Virtualized Guests) radio button.
   b. Select the Next button.
7. In the Installation Settings screen, verify that all the configuration options are correct and then select the Install button.
8. In the Confirm Package License fonts dialog box, read the license and if you agree with the license select the I Agree button.
9. In the Confirm Installation dialog box, select the Install button.
10. Wait several minutes for the installation to complete.
11. In the Password for the System Administrator "root" screen, perform the following steps.
   a. In the Password for Root User field, enter the root user's password.
   b. In the Confirm Password field, reenter the root user's password.
   c. Select the Next button.
12. In the Hostname and Domain Name screen, perform the following steps.
   a. In the Hostname field, enter the machine's hostname.
   b. In the Domain Name field, enter the machine's domain name.
   c. Clear the Change Hostname via DHCP check box.
   d. Select the Next button.
13. In the Network Configuration screen, select the Next button.
14. In the Test Internet Connection screen, select the Next button.
15. In the Network Services Configuration screen, select the Next button.
16. In the User Authentication Method screen, select the appropriate authentication method and then click the Next button.
    Note: If you select an authentication method other than Local, then there may be additional configuration steps needed.
17. In the New Local User screen, populate each field with the appropriate information and then select the Next button.
18. In the Release Notes screen, select the Next button.
19. In the Hardware Configuration screen, select the Next button.
20. Wait several minutes for hardware configuration to complete.
21. In the Installation Completed screen, select the Finish button. As a result, the login screen displays.
22. In the login screen, perform the following steps.
   a. In the username field, enter root.
   b. Select the Log in button.
   c. In the Password field, enter the root user's password.
   d. Select the Log in button.
23. If you have enabled the Linux* operating system's firewall, then perform the procedure in 2.3 Enabling Ports.
24. Perform the procedure in section 2.4 Installing the Java Runtime Environment.
25. Perform the procedure in section 2.6 Set Parameter Limits for ESG.
26. Perform the procedure in section 3.3 Installing Service Gateway.

2.3 Enabling Ports

If you have enabled the Linux* operating system's firewall, then the ports that the ESG requires are disabled. You need to ensure that four ports are open on the firewall for the following processes.
• Must have a TCP port available for the Management Console port, which clients use to access the web interface. The port that ESG uses for this is defined during the postinstall process. The default Management Console port is 8443.
• Must have a TCP port available for Operation, Administration, and Management (OAM) communication. The port that ESG uses for this is defined during the postinstall process. The default OAM communication port is 9443.
• Must have a TCP port available for exchanging files between nodes in an ESG cluster. The default OAM file port is 9444.
• Must have a UDP port available for nodes to communicate about whether cluster election needs to occur. The port that ESG uses for this is defined during the postinstall process. The default OAM cluster election port is 9445.

2.4 Installing the Java Runtime Environment

1. If you have not already done so, install a JRE on the Linux machine. The JRE must be 1.6.0_22 or greater.
2. Set the environment variable JRE_HOME to point to the JRE. ESG uses the JRE_HOME environment variable to access a JRE.

2.5 Setting the Path to the CLI

To avoid specifying the full path every time you execute an ESG CLI command, perform the following steps.
1. Log into the Linux machine as the root user.
2. Open /etc/profile in a text editor.
3. Scroll to the bottom of the file and insert the following line:
    PATH=$PATH:/opt/scr/clibin
4. Save and close the profile.
5. Log out of the machine and log back in.

2.6 Set Parameter Limits for ESG

Linux OS* has system wide limits for a number of parameters that must be reset for the ESG to install and run properly. To change these kernel parameters, perform the following steps.
1. Log on as a user with root authority.
2. Open /etc/sysctl.conf in a text editor.
3. In sysctl.conf, insert the following entries. Each entry must be on its own line.
    kernel.shmmax=2684354560
    kernel.msgmni=160
    kernel.msgmnb=512000
    net.unix.max_dgram_qlen=1000
    net.core.optmem_max=20480
    net.core.wmem_default=135168
    net.core.wmem_max=135168
    net.core.rmem_default=135168
    net.core.rmem_max=135168
4. Save and close sysctl.conf.
5. To load in sysctl settings from /etc/sysctl.conf, execute the following command: sysctl -p. This reloads the sysctl.conf parameters for the current session so a reboot is not needed.
6. To view the updated parameters in sysctl.conf, execute the command: ipcs -l
7. To view all sysctl settings, execute the command: sysctl -a
8. Open /etc/security/limits.conf in a text editor.
9. In the limits.conf, insert the following lines:
    <ESG> hard nofile 65536
    <ESG> soft nofile 65536
10. Change <ESG> to the user that ESG is installed under. Typically, the user is nobody.
11. Save the limits.conf file.

3.0 Installation Procedure for ESG

Service Gateway is installed using the RPM* tool.
• esg-runtime-[os]-64bit-[rx_y_z].rpm, where
   os is the name of the Linux operating system
   x_y_z is the release number of Service Gateway

3.1 Permissions for Service Gateway

For security reasons, it is recommended that you install ESG under a non-root user. It is recommended that ESG be installed under the user nobody. The user nobody does not have root access nor does the user have a shell. Installing ESG under an ID with low permissions means that application programmers are not able to use any privileged port numbers, which are 1 through 1024. Only people who need command line access to the ESG should have access to the ESG's user ID.

3.2 Prerequisites

Prior to installing ESG, you need to have the following:
• You must have administrator rights to install Service Gateway.
• root access to the machine. Root access is required to register Service Gateway as an OS service.
• On the machine where ESG will be installed, there must be a NIC bound to an isolated network. An isolated network means the network does not permit external access of any kind. During ESG's postinstall, you will bind the security gateway's management traffic to this NIC.

3.3 Installing Service Gateway

To install Service Gateway, perform the following steps.
1. If you are installing this instance of the ESG as a slave node in a cluster, then stop performing this procedure and instead refer to section 5.0 Managing a Collection of Service Gateway Machines.
2. If you plan on using load balancing for HTTP traffic, then stop this procedure and refer to section 6.0 Front End Load Balancing for HTTP Traffic.
3. If you are installing this as a master node or as a standalone instance of the ESG, then continue on.
4. Copy the ESG RPM into a directory on the target system. Use SCP (secure copy) or FTP to do this.
5. Ensure that you have root privileges to do the RPM install. Execute the following command to install the ESG: rpm -i [name of rpm], where [name of rpm] is the absolute file path to the RPM. The following is an example.
    rpm -i /tmp/esg-runtime-as5-64bit-r2_8_0.rpm
6. Determine how many network interfaces the ESG runtime needs to use. If the machine where the ESG will be installed does not have enough NICs, then you must either install the NICs now or install the ESG on a different machine.
   CAUTION: FOR THE ESG TO USE NIC HARDWARE INSTALLED AFTER A POSTINSTALLATION, REQUIRES RUNNING ANOTHER POSTINSTALL AFTER THE HARDWARE IS INSTALLED.
7. Start the postinstallation process by executing the following command: cli postinstall.
   a. When asked if you want to postinstall, type yes and then press enter.
   b. When asked to specify a value for JRE_HOME, use the default value by pressing enter.
   c. When asked if you want to add this node to an existing cluster, type no and press enter.
   d. When asked to enter the management interface from the above list, type the name of the NIC bound to an isolated network and then press enter.
   e. When asked to specify a userid or username as which this software should run, accept the default by pressing enter.
   f. When asked to specify a groupid or group name as which this software should run, accept the default by pressing enter.
   g. When asked to enter a port number for the Web Interface, accept the default by pressing enter.
   h. When asked to enter a name for this cluster, accept the default by pressing enter.
   i. When asked to enter a port number for OAM cluster communication, accept the default by pressing enter.
   j. When asked to enter a port number for OAM cluster file transfer, accept the default by pressing enter.
   k. When asked to enter a port number for OAM cluster election, accept the default by pressing enter.
   l. When asked "Are these OK", use the default answer of yes by pressing enter.
8. Configure the ESG service so that it automatically starts each time the machine restarts by executing the following command: chkconfig --add soae
9. Start the ESG by executing the following command: cli serviceStart. For additional details about starting and stopping the service, refer to section 3.4 Starting and Stopping ESG Service.

3.3.1 Example of Postinstalling ESG

The following is an example of postinstalling Service Gateway on a master node or standalone instance.

    ~>cd RPM
    rpm -i /tmp/esg-runtime-as5-64bit-r2_08_0.rpm
    ESG operational code will use openSSL libraries installed in /opt/scr-openssl/ssl/lib.
    Next run the script: /opt/scr/clibin/cli postinstall
    and answer the questions.
    /etc/init.d/soae has been installed. It supports chkconfig:
    chkconfig --add soae
    /opt/scr/clibin/cli serviceStart
    or can be manually linked into the desired rc initialization directories.
    [root@iclab002 ~]# cli postinstall
    Please enter value for JRE_HOME (default="/usr/java/latest/jre"):
    Add this node to an existing cluster (y/n, or q to quit): n
    Detecting network configuration
    Intf   Address
    -----  -----------------
    eth0   10.133.203.59
    eth1   10.1.43.64
    lo     127.0.0.1
    Enter the management interface from the above list [default=eth1]:
    Selected eth1 for management interface
    Enter a userid or user name as which this software should run (default=nobody):
    Enter a groupid or group name as which this software should run (default=nobody):
    Enter port number for Web Interface [8443]:
    Using 8443
    Enter name for this cluster [ESG-cluster]:
    Using Cluster name ESG-cluster
    Enter port number for OAM cluster communication [9443]:
    Using 9443
    Enter port number for OAM cluster file transfer [9444]:
    Using 9444
    Enter port number for OAM cluster election [9445]:
    Using 9445
    Selected the following:
    cluster name: ESG-cluster
    OAM cluster communication port: 9443
    OAM cluster file transfer port: 9444
    OAM cluster election port: 9445
    Are these OK (yes or no) [yes]:
    Using these values.
    Successfully installed

3.4 Starting and Stopping ESG Service

To start the ESG, perform the following steps.
1. To start the ESG, execute the command cli serviceStart.
2. To automatically start Service Gateway when the Linux OS is restarted or rebooted, execute the command chkconfig --add soae.
3. To determine whether ESG is running, execute the command cli status. If the string ACT is in the command output, then the service has started. The following is an example of this command's output.
    CLUSTER:1(ESG-cluster) state=ACT
    NODE:1-0(iclab002) state=ACT
    Service state=ACT Master=YES MasterName=iclab002 Mode=NORMAL
    uptime: 3 days, 15 hours, 35 minutes, 1 seconds
    Current Config: factory
    1 TCAs (WARNING=1)
    0 Alarms
    0 Non-Act Managed Objects
    0 Apps Deployed
    *** status Sun Sep 19 12:22:02 CDT 2010 ***
4. To stop the ESG, execute the command cli serviceStop.
5. To determine whether ESG is running, execute the command cli status. If the string Service state=OOS is in the command output, then the service has stopped. The following is an example of this command's output.
    *** status Sun Sep 19 12:23:31 2010 ***
    Node is down!
    Service state=OOS
    *** status Sun Sep 19 12:23:31 2010 ***

3.5 Uninstall and Reinstall Service Gateway

To uninstall and reinstall ESG, perform the following steps.
1. Execute the command cli serviceStop. As a result, the following output displays.
    Stopping soaed: [ OK ]
2. Execute the command: rpm -e ESG.
3. Once the RPM is removed, reinstall ESG by performing the procedure in section 3.3 Installing Service Gateway.

3.6 Making a Network Interface Active

If a NIC is installed prior to postinstallation and the NIC is down, you can activate the network interface and configure the ESG to use it by performing the following steps.
1. Verify that the NIC was installed prior to ESG postinstallation. If it was installed after a postinstall, then stop performing this procedure because the ESG cannot use the network interface.
2. Stop the ESG by executing the command cli serviceStop.
3. Display a list of all the network interfaces installed on the machine by executing the command: ifconfig -a.
4. From the network interface list, identify the inactive NIC that you need to activate.
5. Activate the NIC by executing the command: ifconfig [network interface] up.
6. Execute the command cli scanInterface --preserveOamInterface.
7. Start the ESG by executing the command cli serviceStart.

3.7 Making a Network Interface Inactive

To make a NIC inactive and configure the ESG to stop using the inactive NIC, perform the following steps.
1. Stop the ESG by executing the command cli serviceStop.
2. Display a list of all the network interfaces installed on the machine by executing the command: ifconfig -a.
3. From the network interface list, identify the active NIC that you need to deactivate.
4. Deactivate the NIC by executing the command: ifconfig [network interface] down.
5. Execute the command cli scanInterface --preserveOamInterface.
6. Start the ESG by executing the command cli serviceStart.

4.0 Accessing the Management Console

The Management Console provides web-based access to the administrative functions of the Service Gateway runtime. The Management Console is only supported on Mozilla Firefox* 3.0 or higher and Internet Explorer* 6.0 or higher.

4.1 Logging into the Management Console

The Management Console provides web-based access to the administrative functions of the Service Gateway runtime. You can access the Management Console by performing the following steps.
1. Open a web browser.
2. Verify that the web browser is configured with the following settings: JavaScript* is enabled, SSL is enabled, and popup windows are allowed.
3. In the web browser's address bar, type the following address and then press enter: https://[hostname]:[port number].
The management network interface is a NIC bound to an isolated network, which is a network that does not permit external access. • [hostname] is the name or IP address bound to the management network interface. The following sections explain how to log in to the Intel® Expressway Service Gateway Management Console right after ESG is installed or upgraded and how to resolve the security warnings that occur when a user first logs in to the Management Console. Verify that you have the appropriate credentials to log in to the Management Console. After you have installed Service Gateway. Default Login Credentials for Management Console User ID admin opsadmin cfgadmin secadmin passwd Password Privileges Security administration. the Management Console displays in your web browser. then you can use one of the following default usernames. Select the Sign In button. Operator administration. In the User name and Password fields. ALLOWING THE USE OF THESE CREDENTIALS IN A PRODUCTION ENVIRONMENT IS INSECURE. To remove this warning. As a result. This warning only appears if you have Cavium network hardware cards installed on the same system as Service Gateway. If login credentials have not been set up yet. then the following page displays: Note: A warning may display about security acceleration hardware. If your username has been assigned all the ESG roles. refer to the Installation Guide for Intel® Expressway Service Gateway which provides the integration procedure for ESG and Cavium cards. 6. You specified the management NIC during the postinstall process. 5. • [Port number] is the web interface port specified during postinstallation. enter valid login credentials. The default port number is 8443. Table 4.
and Configuration administrator Operator administration only Configuration administration only Security administration only WARNING: THESE DEFAULT LOGIN CREDENTIALS SHOULD ONLY ALLOWED IN TESTING ENVIRONMENTS. key -passout pass:securityadmin.com/javase/6/docs/technotes/tools/solaris/ keytool. refer to the following keytool documentation: http://download. A browser can only communicate with the Management Console over an SSL connection. For example: openssl genrsa -des3 -out client. Create the client’s private key. This SSL connection requires a X. The following screenshot is of the security warning Firefox displays.509 certificate must be in a PEM format and have the file extension crt.csr.key. The signed X. 5. The Trusted Root CA signs the X. This certificate must identify the Management Console. perform the following steps. you must install a client certificate into ESG and the issuer’s certificate into the web browser. Generate a client certificate request using the client key. 4. Once the original SSL certificate expires. This certificate is only valid for 3 months after the installation. a self-signed certificate is automatically generated and archived in a JKS-type keystore. To avoid certificate errors when the Management Console is loaded into a web browser. To install SSL certificates into Management Console and the web browser. Note: For details about managing SSL certificates in a keystore. The output of this command is client.509 certificate and then returns this certificate to you. verify that you have root privileges in the system.oracle.2 Removing the Web Browser Security Warning Caused by the Management Console You can access and manage the ESG from any computer’s Internet Explorer or Firefox web browser.Accessing the Management Console 4. you must delete the expired certificate and then create a new one.509 certificate that identifies Management Console. delete. A browser can only communicate with Management Console over an SSL connection. 
Send the CSR to a Trusted Root Certificate Authority.html. To avoid certificate errors when the Management Console is loaded into a web browser. you must install a client certificate into ESG and the issuer’s certificate in the web browser. 2. 1. When ESG is installed. 3.csr. In a system where OpenSSL is installed. For example: openssl req -new -key client.key -out client. the web browser may display a security warning about the connection being untrusted. Intel® Expressway Service Gateway Installation Guide 21 . which is the Client Certificate Request (CSR) that will be sent to a CA Authority. and manage SSL certificates in this keystore. The output of this command is client. You can use the keytool provided with your JRE installation to create. Ensure that you retain the password that encrypted the key. which is the client’s private key. When you first access Management Console. execute the cli SetWiCert command. verify that you have root privileges. 9. • CA Path— file that contains a chain of PEM format certificates starting with the immediate CA certificate that signed the target certificate following through to immediate CA certificates if applicable and ending with the high level (root) CA. Name the folder Cert. If needed. obtain the CA Path that links the Trusted Root Certificate Authority who signed the X. 7. The CA Path must be in a PEM format. Copy the following files into the Cert folder. 11.Accessing the Management Console 6.509 certificate to the client certificate.pem -k /home/lablogin/ cert/client. the key file name is client. • • If Firefox is used. you must specify the absolute path to the CA Path file. if the certificates and key are located in /home/lablogin/cert and the certificate file name is client. Then. the client key.509 certificate that identifies the Management Console and was signed by a CA.key. Client certificate’s private key — used by ESG to decrypt data sent by a web browser. If you have not already done so. 
then you execute the following command. then install the issuer certificate in the Certificate’s Trusted Root Certification Authorities tab. where the Management Console will be accessed. To successfully execute the command. For example. install the issuer certificate into each system’s web browser.pem. create a folder. then install the issuer certificate in the Certificate Manager’s Authorities tab.pem 22 Intel® Expressway Service Gateway Installation Guide . In the system where ESG is installed. 8.key -c /home/lablogin/cert/client_root. • • 10. and the client certificate. If Internet Explorer is used. cli setWiCert -w /home/lablogin/cert/client. This file must be in a PEM format. This must be in a PEM format. Verify that you have root privileges in the system where ESG is installed. In the system where the ESG is installed. The web browser used the client certificate to encrypt the data.pem. Client certificate — X. and the CA Path file name is client_root. Consequently. and manage applications. The ESG cluster is a group of machines where the Service Gateway is installed on each machine and all the ESG installations can be viewed and administered from the master node. The data on the master node takes precedence over data in a slave node. deleted. or modified in the master node. When an application is deployed from the master node.0 Managing a Collection of Service Gateway Machines A cluster is a group of linked servers that behave like a single server. deploy. and load balancing purposes. Out of the box. if you uploaded and deployed an application called foobar to a master node. If a configuration setting is changed in the master node. Service Gateway cluster is a management cluster. the more messages a particular application can process on each machine). 
which means it is used for simplifying management tasks across multiple machines (configuration changes in a master node are automatically propagated to the other nodes) and scalability (the more machines you have. then the master node pushes this application to the slave nodes who then deploy it in the same manner as the master node. for redundancy. then that change is automatically replicated to all the other nodes in the cluster. If a client sends a message transaction to a particular node. it is deployed to all the slave nodes automatically. meaning that it does not evenly distribute messages across the nodes in a cluster. For example. The ESG nodes share the same system and application configuration data. However. • In the master node. upload. The individual systems within the cluster are called nodes. The node that controls management and administration of the cluster is the master node. When a particular application or system component is created. then the whole transaction is handled by that node without any other node being involved in the message processing. then the logs and statistical data stored on that machine can no longer be accessed by the master node. If a slave node dies. In most cases. failover. you can manage a cluster by making a change in the master node and then have the master node seamlessly propagate that change to all the other nodes in a cluster. that change is propagated to all the other nodes in the cluster. it does not mean the master node stores the slave nodes’ logs or statistics. When a slave node synchronizes data with a master node. an ESG cluster is not a high availability cluster. there are two exceptions to data being replicated across the nodes in a cluster: logs and statistical data. Service Gateway cluster provides the following features and functionality: • In the master node. Intel® Expressway Service Gateway Installation Guide 23 . 
all the data on the slave node that differs from data found on the master node is deleted on the slave node and replaced with the data from the master node. 5. While logs and statistical data from all the nodes in the cluster can be viewed on the master node’s Management Console. you may want to install a front end load balancer that evenly distributes message transactions across the cluster and will route messages away from a node if it fails. All other nodes are called slaves. If the former master node’s ESG service starts up again. ability to execute cluster wide commands that start. An attempt to access a slave node’s Management Console causes an automatic redirect in a web browser to the master node’s Management Console. A master election is the process in which the slave nodes can no longer communicate with the master node’s ESG service and as a consequence elect one of the remaining nodes to be the master. stop. Once identified. and component status from all the nodes in the cluster and then presents that information within a single view in the master node’s Management Console. then it automatically rejoins the cluster as a slave node. the load balancer routes messages to another node.1 Hardware. • Currently. which will process the message the exact same way the failed node would have. • Must have a NIC available for the OAM process. Software. • Manual administrative changes are automatically executed across all nodes in the cluster. • If an ESG cluster processes HTTP message transactions. • From the master node. you can improve the availability and failover for applications deployed to the ESG cluster. the cluster performs a master election. and test components on all nodes in the cluster simultaneously. the cluster instantly identifies this failure and throws up an alarm. With the clustering and load balancing combined.
if you deactivate an application configuration on the master node’s Management Console. the nodes must conform to the following requirements. you may encounter issues related to data synchronization and internode communication. testing has been done on a 8 node cluster. the immediately synchronizes all the data on the slave node with the data on the cluster. This is the maximum number of recommended nodes in a cluster. the Management Console provides a single operational view across all members of the cluster. For example. refer to section 6. then a master election automatically takes place in the cluster. All the nodes must use the network interface that is named the same and is bound to the same network for the ESG’s Operation. Administration and Management (OAM) process. then you can use load balancing to intelligently distribute the messages across nodes. message processing. the cluster will not attempt to any data to the slave node until the slave node starts up again. For example.Managing a Collection of Service Gateway Machines • To support scalability. • If for any reason the master node’s ESG service stops running. This is defined during the postinstall process.0 Front End Load Balancing for HTTP Traffic. 5. • If a slave node fails. logs. and Network Requirements for a Cluster In the ESG cluster. if the master node assigns the OAM process to NIC named eth0 and the NIC is bound to the 24 Intel® Expressway Service Gateway Installation Guide . if an application is deployed to the cluster while the slave node is down. it will automatically be added back into the cluster as a slave node. The default OAM NIC is eth0. • The master node collects statistics. If the former master node comes back up. you can collect statistics and debug application and system issues for all nodes in the cluster. When one node fails. when the slave node comes back up the cluster pushes that application onto the slave node. 
then the application configuration automatically becomes inactive on all the slave nodes in the cluster. • If a master node fails. A master election is the process by which a slave node becomes the master because the original master is no longer available. If the node that failed starts up again. For implementing load balancing. • From the master node’s Management Console. For example. If you create a cluster with more than 8 nodes. then every other node in the cluster must have one as well. then the following ports must be opened in the firewalls: OAM communication port. nodes learn that the master node has died) and then if necessary which slave node will become the master. This is defined during the postinstall process. • If you have more then one ESG cluster on the same network. all the machines’ clocks must be synchronized with one another to within a second. However. • If a firewall is erected between the master node and a user who is on a different network. The default Management Console port is 8443.Managing a Collection of Service Gateway Machines Acme network. OAM file port. You should avoid a situation where one node is using a port that no other node is using or a node is not using a port that every other node is using. • In the cluster. then every other node in the cluster must have one as well. • Must have a TCP port available for OAM communication. The cluster must either consist of all software or all hardware appliances. For example. • If firewalls are erected between the nodes in a cluster. • If one node uses a security card for cryptographic acceleration. an ESG cluster can contain virtual machines and bare metal machines. • The nodes should have the same ports in use at all times. The default OAM file port is 9444. All the nodes must have the same OAM file port. This is a TCP port. and OAM cluster election port. All the nodes must have the same OAM cluster election port. 
• You cannot cluster software installations and hardware appliances of ESG together. then every other node must assign the OAM process to a NIC named eth0 and bind the NIC to the Acme network. • If one node uses a Hardware Security Module. This is defined during the postinstall process. then for the user to access the Management Console the Management Console port must be opened on the firewall. All the nodes must provide access to the Management Console through the same port and this port cannot be blocked by any node’s firewall. which the nodes use to exchange files with one another. then the clusters cannot share the following ports: OAM communication port. The default OAM cluster election port is 9445. it is highly recommended that you set up all the machines to use the same NTP time source and that the NTP time source have a low offset. • Must have a TCP port available for the Management Console port. • Must have a UDP port available for nodes to communicate about whether cluster election needs to occur (i. All the nodes must have the same OAM communication port. OAM file port. This is defined during the postinstall process. The default OAM communication port is 9443. and OAM cluster election port. which the nodes use to communicate with one another. Before you create a cluster. • Must have a TCP port available for exchanging files between nodes. if the master node is using port 8443 then all the other nodes in the cluster should be using port 8443. The cluster election port is a UDP port and all other ports are TCP ports. such as CPU and RAM. then the node cannot communicate with any other node in the cluster until you manually update the IP on the node where it changed. Then. if the master node has two network interfaces and the slave node has three network interfaces. the slave node must have a NIC named eth1 on the same network named Acme.
In this scenario.The network bound to each NIC on the master node must be the same network bound to the NIC of the same name on every other node in the cluster. any additional network interfaces on the slave node will not be used in the cluster. each node must have a unique name within the cluster. alerts. • When joining a node to a cluster. if you have a two node cluster. then each node’s runtime performance will differ from one another. then application design and deployment should be restricted based on the node with the lowest amount of disk space. If you set the workflow threads above zero. then you should always set the number of workflow threads to zero. The number of network interfaces on a slave node can exceed the number of network interfaces on a master node. such as eth1 and eth0. each NIC must be uniquely named and no two NICs may have the same logical name assigned to it. verify that an appropriate hostname is assigned to each machine. For example. However. If the IP address changes. then only two network interfaces are used in the cluster. • It is highly recommended all the members of a cluster have the same computing power. in a two-node cluster. For example. The slave nodes must have at least the same number of NICs with the same names as the master node. if you have a two node cluster. If they do not. For example. if the master node had two active NICs named eth1 and eth0. • In order to identify the source of alarms. • All the nodes must reside in the same timezone. you may only join one node at a time. then you may degrade runtime performance because ESG may use a number of threads that exceeds the number of CPU cores on one of the nodes. the slave node must have a NIC named eth1 on the same network named Acme. For example. You should not combine 32. then every slave node must have two NICs named eth1 and eth0. • All nodes must run the same operating system and OS version. 
• The network bound to each NIC on the master node must be the same network bound to the NIC of the same name on every other node in the cluster. such as message throughput and the size of the messages a node can process. • Only static IP addresses should be assigned to each node’s management network interface. the master node could have a NIC named eth1 on a network named Acme. For example. you should design applications and file storage based on the limit of 60 GB. • If you have nodes with a number of CPU cores that differ from other nodes in the cluster. • On a node. • All the nodes must run the same version of Service Gateway. the master node could have a NIC named eth1 on a network named Acme. • On each node in the cluster.Managing a Collection of Service Gateway Machines • Before setting up a cluster. • A master node will have a set of active NICs that are each assigned a name. and logs. • All machines should be either 32-bit or 64-bit machines. Then. node1 has 60 GB of disk space and node2 has 100 GB of disk space.and 64-bit machines within a cluster. the JRE used by ESG must have unlimited JCE installed. No node may have the same node name as another node in the cluster. • If you have machines with different amounts of disk space. 26 Intel® Expressway Service Gateway Installation Guide . Each node has its own OAM network interface that the node uses to communicate with every other node in the cluster and the master node uses to propagate configuration changes and application data to all other nodes in the cluster. 6. Determine whether you need to implement load balancing for HTTP traffic. b. If you do. which includes the port number that the Management Console is listening on. then this is not the management interface. Identify the name of the master node’s management network interface. Verify that the system and application configurations are closed on the master node. a.1 Hardware.3 Software Requirements 5.1 Supported Servers 1. 
perform the following steps. Administration. search for the string Is OAM interface. 2. c. Obtain the following information about the master node: • • 9. In the output of the moDetails command. which is also known as the Operation. and Network Requirements for a Cluster 4. then this is the management interface. and Management (OAM) NIC. f. Log into the master node via an SSH session. To install and configure an ESG load balancer. URL to the Management Console. As a result. Execute following command for one of the interfaces in the list: cli moDetails -t intf -n [name of network interface].2 Setting up a Service Gateway Cluster To set up the ESG cluster. use the RPM to install the ESG. Verify that these machines conform to the following requirements: • • • • 1. 1. 7. refer to section 6.Managing a Collection of Service Gateway Machines 5. To determine the name of the master node’s management network interface. If you are not already root.2 Hardware Requirements 1. Obtain two or more machines where ESG can be installed. Software. 5. perform the following steps. 3. then su to the root user id now. Log into the master node with a user account that has all the ESG roles assigned to it. refer to section 3. In the machine which will become the master node. e. process you must specify that the machine is NOT a node in a cluster. Continue executing the cli moDetails command on each network interface until the output displays Is OAM interface = true. If the string Is OAM interface = true. a list of all the network interfaces used by the ESG displays. During the postinstall. Username and password that has full access to the instance of Service Gateway. search for the string Information specific to this object type. If the string is OAM interface = false. Intel® Expressway Service Gateway Installation Guide 27 . Execute the following command: cli moStatus -t intf.3 Installing Service Gateway. This means all of the Service Gateway roles have been assigned to the username. d. 8. 
then you must install and configure the load balancer on each node before you set up the cluster.0 Front End Load Balancing for HTTP Traffic. For the procedure about installing ESG. In the group of machines select which one will be the master node. In the Information specific to this object type section. h. j. The following is an example of this output. l. The following command output displays if the node is successfully added to the cluster. 11.509 certificate. k. e. either enter a directory location to the Java Runtime Environment or accept the default value. the output of this command must display the string Service state=ACT. f. On the master node. a.Managing a Collection of Service Gateway Machines 10. Before you take any other action. enter credentials that has full access to the master node’s instance of Service Gateway. This means the user must have all the ESG roles assigned to it. When instructed to specify a value for JRE_HOME.OOS_AUTO=2. The ESG version must be identical to the one installed on the master node. perform the following steps. enter yes and then press enter. b. where [ESG rpm] is the absolute file path to the ESG RPM. d. Successfully completed reload current Successfully installed To automatically start Service Gateway when the Linux OS is restarted or rebooted. g. execute the command cli status. enter yes and then press enter. For security reasons. press enter. it is recommended that you install the ESG under a non-root user. i. When asked for a master node login and password. c. When asked if you accept the master node’s X. Start the ESG by executing the command cli serviceStart. Ensure that you have root privileges to do the RPM install. Then.OOS_AUTO_START=1) 1 Apps Deployed (ACT_DGRD=1) icbl021 view of other nodes in cluster: NODE:1-0(iclab002) state=ACT *** status Sun Sep 19 17:17:22 CDT 2010 *** 28 Intel® Expressway Service Gateway Installation Guide . Copy the ESG RPM into a directory on the target system. In each slave node. 
Execute the following command to install the ESG: rpm -i [ESG rpm]. execute the command chkconfig --add soae. Start the postinstallation process by executing the command: cli postinstall When asked if you want to postinstall. CLUSTER:1(ESG-cluster) state=ACT_DGRD NODE:1-1(icbl021) state=ACT_DGRD Service state=ACT Master=NO MasterName=iclab002 Mode=INIT uptime: 23 seconds Current Config: HTTP 1 TCAs (WARNING=1) 2 Alarms (WARNING=2) 6 Non-Act Managed Objects (ACT_DGRD=3. Use SCP (secure copy) or FTP to do this. Obtain an RPM of the ESG. enter the master node’s management interface and then press enter. When asked to specify a management interface. 0.1 Example of Postinstalling Service Gateway on a Slave Node The following is an example of postinstalling Service Gateway on a slave node.0. Are you sure you want to postinstall (yes|no)? yes You answered yes Please enter value for JRE_HOME (default="/usr/java/latest/jre"): Add this node to an existing cluster (y/n.840. 1024 bits modulus: 111400538014406489819022678058520748621231110454030743744078891355630 332279362310240269499357704095494366156599741360612218430441653731771 708414100629171160051422272436661896161290032264381790995380647091272 486143721944408164849096079043119855400246809539051312275249617431894 768579703614143032300551415556179 public exponent: 65537 Validity: [From: Mon Sep 13 20:29:50 CDT 2010.2.2.Managing a Collection of Service Gateway Machines 5. OID = 1.133.113549.1.64 127.5 Key: Sun RSA public key. cli postinstall This command will reset the software package and delete any configs that may have been created. or q to quit): yes please input url of master node: https://intel002:8443 Detecting network configuration Intf ----eth0 eth1 lo Address ----------------10.1 Enter the management interface from the above list [default=eth0]: Selected eth0 for management interface Master node login:admin password: [ [ Version: V3 Subject: CN=foobar.43.59 10. OU=Expressway.1.1. 
O=Intel Signature Algorithm: SHA1withRSA.203. To: Thu Sep 10 20:29:50 CDT 2020] Intel® Expressway Service Gateway Installation Guide 29 . ..Z.>.f. Any time a change is made to the master node...... However..- ] Do you accept the above certificate... each node within a cluster can be viewed individually on the Management Console.<.FJ BF A3 80 AB 9D B3 DC 8F 83 03 17 1D 7F 9D CC EC 1D 12 8F B6 CC 0D 43 D3 26 5E 1D 2E 24 42 36 2F 8C 0A 90 FE 57 DD C0 4A 2D 4B 92 33 63 82 A5 CD 8D BB 24 BA D4 D4 C8 20 73 A4 20 96 3D 9E 46 4A ..H........Managing a Collection of Service Gateway Machines Issuer: CN=iclab002..W. 0020: CF 07 3C C2 B7 C6 52 16 .....WZ..C. 0010: 7A 5F 5F E1 D0 6F 6E B6 z__.$.. 0060: 71 28 A6 C1 D2 CA 09 EA q(. Changes that are propagated from one node to another are: • Application changes • Application configuration changes • System configuration changes • ESG software changes The following subsections explain how to user the master node’s Management Console to view and manage all the nodes in a cluster. y/n? (n)y Successfully completed reload current Successfully installed 5. Communication.s. 0030: A9 3E 0F EA 02 C0 1D 39 .R..J 0050: 12 46 85 66 7C EF 48 1B K.. 5.... 0070: 01 5A C0 57 5A CB AA 14 ... allowing you to determine the status of each individual machine..3.. the message transactions may be processed successfully each time.1 Viewing the Status of a Node’s Message Processing Even if the cluster is behind a load balancer.. all the message transaction may 30 Intel® Expressway Service Gateway Installation Guide .. .. OU=Expressway......=..F.g. On some nodes. O=Intel SerialNumber: [ 4c8ed00e] ] Algorithm: [SHA1withRSA] Signature: 0000: 10 CB 67 DB BA A6 D6 38 . On other nodes.$B6/ 0040: 4D D1 A6 8D DC 3C CF B5 M......9&^..on.. each node will process different message transactions at different times... and Management Clustering is transparent to the administrator...<.8....3 Cluster Operation. that change is propagated to all the nodes in the cluster.3c.. 
fail. In addition, the message throughput of one node may differ from another. The Management Console’s Dashboard provides a filter that lets you see message processing for each node or for the entire cluster.

To view message transaction information about each node in a cluster, perform the following steps.
1. Log in to the Management Console with a user account that has the operation admin role assigned to it.
2. Select the Dashboard tab.
3. In the Dashboard tab, click the Node Selector drop-down menu. As a result, the drop-down menu displays options for the cluster and each node in the cluster.
4. To view data about messages processed by a particular node, select that node from the Node Selector drop-down menu. As a result, all the information displayed in the dashboard comes from the message processing performed by the node you selected.
5. To only view data about a particular application or operation that is being processed by the node, select the appropriate option from the Service Selector drop-down menu.
6. To collect detailed statistics about the messages processed by the node, select Detailed from the Collect metrics drop-down menu.
7. In the Graph drop-down menu, select one of the following options.
• Requests processed — tracks whether message transactions processed by a node were successful or failed.
• Requests latency — Latency is the time that elapses between Service Gateway receiving a message from a client and the runtime returning a message response to the client. This option tracks the latency for the node.
• Open Transactions — tracks how many message transactions the node is currently processing
5.3.2 Managing Nodes in a Service Gateway Cluster

1. Log in to the Management Console with a user account that has the operations admin role assigned to it.
2. Select the Components tab.
3. In the Components tab, select the Nodes option.
4. In the Nodes table, consider the following information.
• Name — string the cluster uses to identify the node.
• Host Name — identifies the hostname of the machine where the ESG is installed
• Role — indicates whether the node is the master node or a slave node.
• State — indicates whether the master node can communicate with the slave node. If everything is functioning as expected, then the string ACTIVE appears in the State column. If communication between the master and slave node is failing, then the string COMMUNICATION_PROBLEM displays in the State column.
5. To view interval alerts and the node’s IP address, select the node’s arrow in the Nodes table.
6. If alerts appear in the Interval Alerts table, you can remove them by selecting the Dismiss link.
7. To stop, restart, or test the node, select the appropriate link in the Operations column.

5.3.3 Viewing a Node’s Logs

By default, Management Console provides a cluster-wide view of the logs generated from each node. This means that while you see all the logs generated from the cluster, you cannot tell which node the logs came from. To only view logs generated from a particular node, perform the following steps in the Management Console.
1. Select the Logs tab.
2. In the Logs tab, click the Node Selector drop-down menu.
3. In the Node Selector drop-down menu, select the node that you want to view logs from. As a result, logs only display if they were generated in the node chosen from the Node Selector drop-down menu.
4. Perform a log search for transaction, exceptions, commands, or alerts.
5.3.4 Message and File Transfer between Nodes

In a cluster, all message and file transfers between nodes are implemented via secure communications. Message transfer is done via SSL over TCP. File transfer is done via SCP (Secure Copy) or SFTP (Secure File Transfer Protocol).

When performing a postinstall in the master node, the following cluster communication settings are defined:
• Management interface — the network interface that exchanges instructions and information for Operation, Administration, and Management (OAM). This is also known as the OAM network interface. Each node has its own OAM network interface, which the node uses to communicate with every other node in the cluster. This is the interface that the master node uses to propagate changes and data to all other nodes in the cluster
• Operation, Administration, and Management (OAM) cluster communication port — this is the node’s port where instructions and information for OAM are sent and received. By default, it is 9443.
• OAM cluster file transfer port — this is the port where files are exchanged between the nodes. By default, it is 9444.
• OAM cluster election — if the master fails, then this is the port where communication is exchanged to determine which node becomes the master. By default, it is 9445.

CAUTION: IF YOU HAVE MORE THAN ONE ESG CLUSTER ON THE SAME NETWORK, THEN THE CLUSTERS CAN NOT SHARE THE FOLLOWING PORTS: OAM COMMUNICATION PORT, OAM FILE PORT, AND OAM CLUSTER ELECTION PORT.

1. 2. Before a node can be removed. 4. Obtain the node’s name. Even though the node is removed from the cluster. perform the following steps. If the service state for each node is state=ACT. execute the command cli removeNode -n [nodename]. log. e. If you need the node to be a completely standalone machine. To determine the state of all nodes execute the cli status. perform the following steps. To remove the node. import the application configurations that you exported. For details about retrieving this information. security.
In the node that you removed from the cluster. Answer no. Obtain the master node’s name.2 Managing Nodes in a Service Gateway Cluster. Access both the master and slave nodes from CLI windows. Log in to the master node. then perform the following steps. then all the nodes are active and you can remove the node.4 Removing a Node from a Cluster For a variety of reasons. 1. b. you must export them from the Management Console. a node may need to be removed from the cluster. You can remove slave and master nodes. d. For the procedure about importing configurations. 5. In the master node. a. 1. 2. c. refer to section 5. the following output should display: Successfully deleted the node '[node name]'.4. refer to the Operation and Administration Guide for Intel® Expressway Service Gateway. it still considers itself a part of a cluster in which it cannot communicate with any of the other nodes. execute the following commands: cli status. 34 Intel® Expressway Service Gateway Installation Guide . refer to section 5.3. but the procedure for each is different. During postinstall.2 Removing a Master Node from a Cluster To remove a master node from a cluster.3.4.2 Managing Nodes in a Service Gateway Cluster. To save application configurations. 5. You must run the postinstall command. all the nodes in a cluster must be in the active state. 5. Determine which node you need to remove from the cluster. you will be asked if the node should be added to an existing cluster.Managing a Collection of Service Gateway Machines 5. As a result. For the procedure about exporting configurations. refer to the Operation and Administration Guide for Intel® Expressway Service Gateway. The output of the cli status command must contain the following strings: Service state=ACT Master=YES 6. This will delete all your application. 3. For details about retrieving this information. In the Management Console. perform the following steps. Execute the cli postinstall command. b. 
such as replacing a node’s hardware. and system data. a. Start the service by executing cli serviceStart. For the procedure about importing configurations. To determine the state of all nodes execute the cli status. As result. For the procedure about exporting configurations. verify that another node has been elected master.Managing a Collection of Service Gateway Machines 3. Answer no. execute the command cli removeNode -n [nodename]. all the nodes in a cluster must be in the active state. In the former master node. During postinstall. the following output should display: Successfully deleted the node '[node name]'. the former master node is added back to the cluster as a slave node. you must export them from the Management Console. Execute the cli postinstall command. If you need the node to be a completely standalone machine. then perform the following steps. 4. Even though the node is removed from the cluster. In the master node. Before a node can be removed. Start the service by executing cli serviceStart. 8. b. As a result. log. refer to the Operation and Administration Guide for Intel® Expressway Service Gateway. In the node that you removed from the cluster. Access both the former master node and the current master node from CLI windows. start the ESG service by executing the command cli serviceStart. To remove the former master node. and system data. Log in to another node in the cluster. then all the nodes are active and you can remove the node. where the [nodename] is the name of the former master node. b. 7. 10. As a result. e. import the application configurations that you exported. You must run the postinstall command. In the command output. 5. 9. c. then log in to the former master node. after several minutes. it still considers itself a part of a cluster in which it cannot communicate with any of the other nodes. In the Management Console. To save application configurations. perform the following steps. 
shut down the ESG service by executing the command cli serviceStop. another node in the cluster will be elected as master. In the current master node. d. execute the following commands: cli status. If it has. Intel® Expressway Service Gateway Installation Guide 35 . execute the command cli status. you will be asked if the node should be added to an existing cluster. 6. a. security. The output of the cli status command must contain the following strings: Service state=ACT Master=YES 11. If the service state for each node is state=ACT. In that node. a. This will delete all your application. refer to the Operation and Administration Guide for Intel® Expressway Service Gateway. perform the following steps in the node. search for the string Information specific to this object type. In that section. then this is not the management interface. refer to section 5. 2. b. Obtain the node’s name. 2. As a result. Execute the following command: cli moStatus -t intf. Only static IP addresses should be assigned to each node and those addresses should never change. search for the string Is OAM interface. 36 Intel® Expressway Service Gateway Installation Guide . search for the string Information specific to this object type. 3. then the node will be unable to communicate with any of the nodes in the cluster.5 Changing the IP Address for a Node’s Management Network Interface The management network interface exchanges instructions and information for Operation. If the IP address changes for a node’s management network interface. To address this issue. In that section. which the node uses to communicate with every other node in the cluster. d. This is also known as the OAM network interface.2 Managing Nodes in a Service Gateway Cluster. Verify that the issue is the IP address for the node’s management NIC has changed. and Management (OAM). For details about retrieving this information. b. Administration. For details about retrieving this information.3. d. 
Verify that the issue is the IP address for the node’s management NIC has changed. In the master node. a list of all the network interfaces used by ESG displays. If the string Is OAM interface = true. e. Execute following command for one of the interfaces in the list: cli moDetails -t intf -n [name of network interface].5. 5. c. a list of all the network interfaces used by ESG displays. c.2 Changing the IP Address for a Master Node’s Management NIC 1. then this is not the management interface. Execute the following command: cli moStatus -t intf. a. If the string is s OAM interface = false. Each node has its own OAM network interface. Obtain the node’s name. This is the interface that the master node uses to propagate changes and data to all other nodes in the cluster. search for the string Is OAM interface. In the output of the moDetails command. then this is the management interface.Managing a Collection of Service Gateway Machines 5. Execute following command for one of the interfaces in the list: cli moDetails -t intf -n [name of network interface]. then this is the management interface. In the output of the moDetails command. If the string Is OAM interface = true.5. Continue executing the cli moDetails command on each network interface until the output displays Is OAM interface = true. 3. perform a procedure in one of the following subsections. To determine which NIC is the management network interface. Verify that master node has lost the ability to communicate with the cluster.1 Changing the IP Address for a Slave Node’s Management NIC 1. Determine which slave node has lost the ability to communicate with the cluster. If the string is OAM interface = false. refer toTo determine which NIC is the management interface. a. execute the following command: cli editNodeOamIp -nodename [Node Name] --oam_ip [new IP address for OAM NIC] 5. As a result. 4. perform the following steps in the node. Determine which slave node was elected as the master. 
4.2 Managing Nodes in a Service Gateway Cluster. Continue executing the cli moDetails command on each network interface until the output displays Is OAM interface = true. section 5.Managing a Collection of Service Gateway Machines e. 5.3. execute the following command: cli editNodeOamIp -nodename [Node Name] --oam_ip [new IP address for OAM NIC] Intel® Expressway Service Gateway Installation Guide 37 . In the new master node. Managing a Collection of Service Gateway Machines 38 Intel® Expressway Service Gateway Installation Guide . and avoids overloading any particular ESG instance. 2. All interfaces are on the same network. The interfaces labeled B1. maximizes message throughput. then the node with the lowest IP address becomes Director. Only one node in the load balancer group accepts incoming connections from a client. Figure 1. F2. They are used by the load-balancing software to distribute network traffic. Front End Load Balancing in a ESG Cluster demonstrates how load balancing works in a three-node cluster. and B3 are “back end” interfaces. minimizes response time. The interfaces labeled F1. By distributing messages this way. Figure 1. and F3 are “front end” interfaces. The LVS load balancer can distribute messages to up to six nodes in a ESG cluster. Intel® Expressway Service Gateway Installation Guide 39 . the ESG provides an implementation of Linux Virtual Server* (LVS) that is highly scalable and available. If two nodes start at the same time. During initial set up of the load balancer. Front End Load Balancing in a ESG Cluster The following step-by-step process describes how load balancing works in an ESG cluster 1. To avoid the expense of a dedicated load balancer. They are used to hold the VIP when a node becomes the Director. the ESG supports failover.0 Front End Load Balancing for HTTP Traffic Due to the importance and high volume of messages that Service Gateway receives from an HTTP client. 
you may need to set up a load balancer that distributes message requests to nodes in a Service Gateway cluster. the first real sever that is started becomes the Director. B2. This node is called the Director.Front End Load Balancing for HTTP Traffic 6. 1 Hardware. However. and start the load balancer before you set up clustering. The physical NIC that the VIP is bound to is determined during the set up of the load balancer. which is bound to a physical NIC. The binding is based on the NIC’s name. Once that decision is made. the node sends a message response directly to the client. Based on a load balancing algorithm. • Need one floating IP address known as a VIP (virtual IP address) in addition to the two unique ones assigned to each machine. refer to section 5. The Director binds the VIP to an external interface (F1). The other IP address is assigned to the back end network interface. 4. To set up an ESG. From the Director’s back end NIC. configure. The NICs must be on the same subnet. • You must obtain the load balancer installer from the Service Gateway Customer Support Portal.1 Prerequisites for Load Balancing In the load balanced environment. 6. • Load balancer must be installed and configured on each machine that will load balance messages before the ESG postinstall is performed on those machines. 40 Intel® Expressway Service Gateway Installation Guide . and Network Requirements for a Cluster. • The subnet of the VIP must be different from all the IP addresses assigned to the machines in the cluster. such as eth0. If another node takes the Director role. • No more than 6 nodes can be in a cluster. which is used to transmit messages to external endpoints. the message is sent to the back end NIC of the Director’s node. Each node must conform to the requirements in section 5. 6. 8. The receiving node processes the message request. which is used to communicate with the Director and hold the VIP if the node becomes the Director. 
also known as the LO.0 Managing a Collection of Service Gateway Machines. Messages are sent to the VIP. one for the front end and the other for the back end. 7. • All the IP addresses assigned to the machines must be static and never change. The VIP is bound to one physical NIC on the node.Front End Load Balancing for HTTP Traffic 3. the ESG machines must conform to the following requirements. 5. The Director is assigned the Virtual IP address (VIP). A VIP is an IP address that is not connected to a physical network interface card (NIC). LO is a virtual network interface that is not connected to any hardware but is fully integrated into the system’s internal network infrastructure. clustering must be set up right after that. • Each machine requires two network interfaces. the Director determines what node will receive the message request. the message is sent to the receiving node’s loopback network interface. • Two IP addresses must be assigned to each machine in the cluster. You must install. One IP address is assigned to the front end network interface. the VIP is moved to its external interface. • The machines must be in the ESG cluster. Software. This is the IP address that a client uses to access the ESG. Then. The lbconfig command sets up the load balancer on a machine by allowing you to specify settings. /opt/scr-lb/bin/lbconfig --vip=vip:eth0:10. execute the following command: chkconfig --add soae_lb 8. THEN THE LOAD BALANCER CANNOT FUNCTION CORRECTLY. For example. enter a 14-character alphanumeric string. enter passwd. To do this. 9. you must provide the absolute file path to the load balancer’s bin directory:/opt/scr-lb/bin.0. through 9.0. For information about the lbconfig. To do this. The following is an example. 2. back end IP addresses that messages will be routed to. Log into a machine with root privileges. Start the load balancer service by executing the following command: service soae_lb start 10. To avoid specifying the full path. d. 
to execute the load balancer configuration commands. When the Old password displays.10. You must encrypt communication between the nodes in a load balanced cluster by creating a VRRP password for the production system. c.0. • WARNING: IN A LOAD BALANCED CLUSTER. execute the following command on the load balance installer file: sh [loadbalancer]. WARNING: Intel® Expressway Service Gateway Installation Guide 41 . if the lbconfig’s command option is lb_algo=wrr on one machine. you must do the following: • The lbconfig must be executed with the same command options on each machine. Execute the command /opt/scr-lb/bin/lbpasswd The default password is passwd. In each machine. By default.10. Familiarize yourself with how to use the lbconfig command. enter the same 14character alphanumeric string that you specified in the New password prompt.1 Example of Executing lbconfig. Service 3.103:2 --lb_algo=wrr 7.100/24 backend_server=10. When the Re-enter new password prompt displays. 6. and load balancing algorithms used by the Director. b. a.sh 4.10. IF THE MACHINES DO NOT ALL USE THE SAME VRRP PASSWORD. IF THE LBCONFIG IS EXECUTED WITH COMMAND OPTIONS ON ONE MACHINE THAT DIFFER FROM COMMAND OPTIONS USED ON ANOTHER MACHINE. Execute the lbconfig command with the command options appropriate for your load balanced environment. The VRRP password must be the same on each machine. such as the VIP. Perform steps 1.10. When the New password prompt displays.Front End Load Balancing for HTTP Traffic 6. on each machine that will be part of the load balanced cluster. perform the following steps.6 Describing the Command Syntax for lbconfig and 6.2 Installing and Configuring a Load Balancer on a Gateway Cluster 1. You must configure the load balancer so that it runs automatically after the machine reboots. refer to sections 6. THEN THE MACHINES CANNOT DECRYPT COMMUNICATION FROM ONE ANOTHER.6. 
then the load balancing algorithm must be weighted round robin on every other machine in the load balanced cluster. execute the following command: PATH=$PATH:/opt/scr-lb/bin 5. To install the load balancer. Copy the load balance installer to the machine.102:1. 0. execute the following command: /opt/scr-lb/bin/lbversion 6.4 Determining the Load Balancer Version To view the load balancer version.10.100:55555 10.103:55556 10.10.10. output displays similar to the following: VIP: VIP1.0 Managing a Collection of Service Gateway Machines.100:5000 0 0 0 10. Stopping. To stop the load balancer service.100:55556 10.10.10. status: VIP Director Address:Port 10. To start the load balancer service.0. number of connections. execute the following command: /opt/scr-lb/bin/lbstatus As a result.10. execute the following command: service /opt/scr-lb/bin/soae_lb start 2.0.3 Starting. To uninstall the load balancer service.0.0. or Uninstalling the Load Balancer 1. and the size of messages handled by the load balancer.0. 6.Front End Load Balancing for HTTP Traffic 11.103:55555 10. Place the machines where the load balancer was installed and configured into the ESG cluster.102:55555 Conn 0 0 0 InPkts 0 0 0 InBytes 0 0 0 10.0.102:55556 27257 148 27109 55189036 296740 54892298 10227M 54987180 10172M 42 Intel® Expressway Service Gateway Installation Guide . execute the following command: service /opt/scr-lb/bin/soae_lb stop 3.10. refer to section 5. For instructions about setting up a cluster. execute the following command: /opt/scr-lb/bin/lbuninstall 6.5 Monitoring Traffic Handled by the Load Balancer To view load balancer status. the first receives three connections for each five connections sent to the other. then the VRRP informs the LVS of the failure and elects a new node as the Director. then the command option looks like this: --vip=vip:eth0:10. In addition.Front End Load Balancing for HTTP Traffic 6. 
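The warning above, that lbconfig must be executed with the same command options on each machine, can be checked before the machines are placed into the cluster. The script below is an added example, not part of the Intel guide: it assumes the operator has copied each node's lbconfig command line (for instance the text shown by lbconfig --last) into `node|command` records, and the node names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: detect nodes whose lbconfig options differ from the first node.
# Assumed input format (one record per line):  <node name>|<lbconfig command line>

# Print the options of one lbconfig command line, one per line, sorted, with the
# executable dropped so "lbconfig" and "/opt/scr-lb/bin/lbconfig" compare equal.
# Sorting makes the comparison independent of the order the options were typed in.
canonical_options() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' |
        awk 'NF && $0 != "lbconfig" && $0 !~ /\/lbconfig$/' | LC_ALL=C sort
}

# Read records on stdin; the first record is the reference node.
# Prints one line per differing node and returns 1 if any node differs.
check_lbconfig_consistency() {
    ref_file=$(mktemp) || return 2
    cur_file=$(mktemp) || { rm -f "$ref_file"; return 2; }
    ref_node=""
    status=0
    while IFS='|' read -r node cmd; do
        [ -n "$node" ] || continue
        if [ -z "$ref_node" ]; then
            ref_node=$node
            canonical_options "$cmd" > "$ref_file"
            continue
        fi
        canonical_options "$cmd" > "$cur_file"
        if ! cmp -s "$ref_file" "$cur_file"; then
            # Options the reference node has but this node lacks, and the reverse.
            missing=$(LC_ALL=C comm -23 "$ref_file" "$cur_file" | tr '\n' ' ')
            extra=$(LC_ALL=C comm -13 "$ref_file" "$cur_file" | tr '\n' ' ')
            printf '%s differs from %s: missing [%s] extra [%s]\n' \
                "$node" "$ref_node" "${missing% }" "${extra% }"
            status=1
        fi
    done
    rm -f "$ref_file" "$cur_file"
    return "$status"
}

# Constructed sample: node2 matches node1 (different path and option order),
# node3 was configured with a different load balancing algorithm.
sample_records() {
    cat <<'EOF'
node1|/opt/scr-lb/bin/lbconfig --vip=vip:eth0:10.10.0.100/24 --backend_server=10.10.0.102:1,10.10.0.103:2 --lb_algo=wrr
node2|lbconfig --lb_algo=wrr --vip=vip:eth0:10.10.0.100/24 --backend_server=10.10.0.102:1,10.10.0.103:2
node3|/opt/scr-lb/bin/lbconfig --vip=vip:eth0:10.10.0.100/24 --backend_server=10.10.0.102:1,10.10.0.103:2 --lb_algo=rr
EOF
}

sample_records | check_lbconfig_consistency || true
```

The check compares option sets only; it cannot confirm that the VRRP password is the same on every machine.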
then command option looks like this: lbconfig --vrrp_if=eth0 The ESG load balancer uses Virtual Router Redundancy Protocol (VRRP) to monitor the status of all the nodes in a load balanced cluster.0. If the VRRP network interface is eth0. The VRRP advertisement broadcast interval is 1 second. Note: This argument must precede any reference to the VIP in a --port argument.101.101. separated list of the real servers’ IP addresses. To configure the load balancer. and the virtual IP address and netmask. then the command option looks like this lbconfig --backend_server=10. and 10.10.10. then the command option looks like this: lbconfig --backend_server=10.6 Describing the Command Syntax for lbconfig lbconfig command sets up the load balancer on a machine by allowing you to specify settings.10. 10. If you used the weight parameter.10. The VIP name can consist of letters. Table 5.100.102.100. If the VIP is 10. It is highly recommended that the VRRP network interface is identical to the physical network interface associated with the VIP.10. If a node fails then the VRRP informs the LVS not to route messages to that node. rs stands for real server. --vrrp_if -backend_s erver --vips Intel® Expressway Service Gateway Installation Guide 43 .0. 10.0.0. Defines the VIP.100/24 To use load balancing in an HTTP application. For example.100/24 and the physical NIC is eth0. 10.10. The default VRRP network interface is eth0. which holds the role of Director. the physical NIC that the VIP is bound to.100:3. The weights are used by the wrr and wlc balancing algorithms. The real servers are the nodes to which the director sends messages to. Command List of lbconfig Command Options Description Specifies the network interface used for sending and receiving VRRP advertisements.0.10. you must select the VIP network interface from the input server’s network interface drop-down menu.10.0.10. digits.10. to each IP address that indicates the relative priority for which a node serves a request.0. 
The name of the VIP is represented as a network interface in the Service Gateway. 10. This is an optional command. If load balancing is implemented in a three-node cluster and the IP addresses are 10.101:5. if two servers are set as weight 3 and weight 5. 10. and underscores.0.102 You can add a weight parameter. Comma.10.0. use some of the command options in Table 5. if the Director fails. such as the VIP and the load balancing algorithms that the Director uses. The list must include the IP address of the node.102:3 The weights are implemented as a ratio.0.0. List of lbconfig Command Options with the lbconfig executable. backend_server=10. • rr=round robin • wrr=weighted round robin • lc=least-connection • wlc=weighted least-connection • sh=source hashing • sed=shortest expected delay • nq=never queue For example. then messages are distributed based on the port’s load balancing algorithm. The port command option allows the Director to use different load balancing algorithms at once.102:1.6.0. are routed to the same node. any additional connections made by client within user-defined interval. refer to Table 6. Front end Load Balancing Algorithms. if you need the Director to distribute messages using round robin. then the Director uses the never queue load balancing algorithm for routing messages. then the command option looks like this: lbconfig --lb_algo=rr Port where a particular load balancing algorithm is used.10. The following list identifies what each load balancing algorithm acronym stands for. This persistence timeout is the period of time during which a messages are routed to the same real server.103:2 --port=vip:5555:sed -lb_algo=nq 2.Front End Load Balancing for HTTP Traffic Table 5. set the input server’s port number to 5555 3. To specify the algorithm. Execute the lbconfig command with these options: lbconfig --vip=vip:eth0:10. Command --last List of lbconfig Command Options Description Displays the last lbconfig command executed. 
If an HTTP application’s input server uses the port number specified in the lbconfig command option. 6. Unit of time is in seconds. For example: --lb_algo --port 1. assume the system has the following requirements: 44 Intel® Expressway Service Gateway Installation Guide . Specifies the default load balancing algorithm that the Director uses to distribute messages to the real servers.10. Useful for replicating lbconfig commands on other nodes in a cluster. In a HTTP application.1 Example of Executing lbconfig Before executing the lbconfig command.0.10. For a description of each algorithm.10. If any other port number is specified in the input server. Then the director uses the sed load balancing algorithm to route messages. This is the format: --port=[name of VIP]:[port number]:[load balancing algorithm]. If you have multiple load balancing groups.100/24 . 4.0. -persistence _timeout -lb_group_i d if the client establishes a connection to a node. then you must specify a unique identifier for each group. you must enter the load balancing algorithm. This command option requires the name of the VIP’s network interface defined by the --vip argument typed before this argument. round robin rr Weighted round robin wrr leastconnection lc Intel® Expressway Service Gateway Installation Guide 45 .10.10.100/24.0.0.103. Director sends messages to the server with the least number of established HTTP connections.100/24 --vrrp_if=eth0 -backend_server=10. • The physical NIC that the VIP is associated with is eth0.102 and 10.0. Servers with equal weights process an equal number of messages.0. then the Director sends a message to each node in a sequential order. • In general.0.7 Defining Load Balancing Algorithms Table 6. first serve basis. • The virtual IP address and subnet mask is 10.10. Message1 goes to node1. Behaves like round robin but is designed to better handle servers with different processing capacities. • The real servers’ IP addresses are 10. 
• This is a two-node cluster.
• The network interface for VRRP is eth0.
• …102 has the highest priority.
• The load balancing algorithm the Director must use is weighted round robin.
• In some rare cases, the Director must use the weighted least-connection algorithm.
• If multiple messages are sent by the same client within a 5 second window, then all the messages must be sent to the same real server.

If the system has the requirements described above, then you would execute the following command.

    /opt/scr-lb/bin/lbconfig --vip=vip:eth0:10.… …102:2 …103:1 --port=vip:5555:wlc -lb_algo=wrr --persistence_timeout=5

Table 6, Front end Load Balancing Algorithms, lists and defines all the load balancing algorithms supported by ESG.

Table 6. Front end Load Balancing Algorithms

Definition: Sends requests to each server in a sequential order on a first come … For example, if three messages are sent to the VIP and there are three nodes in the cluster, … message2 goes to node2, and message3 goes to node3.

Algorithm: weighted round robin
Command Option: wrr
Definition: Wrr routes messages based on the weights assigned to the real servers. Servers with higher weights receive more connections first and process more messages than servers with lesser weights. Weights are assigned when the lbconfig command was executed.

Algorithm: weighted least-connection
Command Option: wlc
Definition: Behaves like least connection but is designed to better handle servers with different processing capacities. wlc routes messages based on the weights assigned to the real servers. Servers with higher weights receive more connections than servers with lesser weights. Servers with equal weights get an equal number of connections. Weights are assigned when the lbconfig command was executed.

Algorithm: source hashing
Command Option: sh
Definition: Generates a hash from the client's IP address which is then saved to a hash table. Then, whenever a client with a particular IP address sends a message, that message is always routed to the same server.

Algorithm: shortest expected delay
Command Option: sed
Definition: Director sends messages to the server with the shortest expected delay. The server's expected delay is calculated as follows: (C + 1) / U, where C is the number of connections to the server and U is the weight of the server. Weights are assigned when the lbconfig command was executed.

Algorithm: never queue
Command Option: nq
Definition: If an idle server is available, Director sends the message to the idle server. If all servers are unavailable, then the message is sent to the server with the shortest expected delay.

6.8 Using Connection Affinity

Connection affinity is the process by which a group of messages is assigned a unique identifier and then, based on that identifier, routed to the same real server. In the ESG, you can use the following types of connection affinities.

• Source hashing: Generates a hash from the client's IP address which is then saved to a hash table. Then, whenever a client with a particular IP address sends a message, the Director uses the IP address in order to route the messages to the same server. If the client's IP address changes, then the messages are no longer routed to the same server. This is a load balancing algorithm.
• Persistence timeout: if the client establishes a connection to a node, any additional connections made by the client within a user-defined interval are routed to the same node. This persistence timeout is the period of time during which messages are routed to the same real server. Unit of time is in seconds. This is a command option that can be executed with lbconfig.

6.9 Configuring an Application to use Front End Load Balancing

In the Management Console, perform the following steps.

1. Upload an HTTP proxy application into an application configuration.
2. In the application configuration, open the application's input server for editing.
3. In the input server, select the name of the VIP from the Network Interface dropdown menu.
4. When the lbconfig was executed, you could have specified that a particular load balancing algorithm is used if a particular port is specified in the input server's Port field. If necessary, enter that port number in the input server's Port field.
5. Activate the application configuration.

6.10 Failover and Electing a Director

Two types of checks are periodically performed, which address an application or director failing.

• Healthcheck — the Director sends a heartbeat every two seconds to each application that uses load balancing. If an application is not functioning, then the Director stops sending connections to that application.
• VRRP (Virtual Router Redundancy Protocol) heartbeat — each node in the cluster sends out a VRRP advertisement every second to every other node in the cluster. The heartbeat checks whether the Director has failed and whether the remaining nodes in the cluster are active. If the Director has failed, then the other nodes in the cluster elect another Director.

CAUTION: IF A NODE FAILS, THEN EXISTING CONNECTIONS AND DATA ARE LOST. UNTIL THE DIRECTOR NOTICES THE NODE IS DOWN, ANY CONNECTIONS DIRECTED TO IT ARE LOST. HEALTH CHECKER PERFORMS A CONNECTION TEST ON EACH NODE EVERY TWO SECONDS. THIS MEANS THERE IS A TWO SECOND WINDOW IN WHICH DATA COULD BE LOST DUE TO A NODE FAILING.

A Director election is the process by which the load balancing service elects one of the nodes to be the Director. If the Director node fails, such as the machine crashing or ESG service stopping, then a Director election automatically takes place.

The VIP is bound to one physical NIC on the Director's node. Each node in the cluster associates the VIP with the same NIC name, even when that node is not the Director nor possesses the VIP. For example, if there's a three node cluster and the Director is node1 and binds the VIP to eth0, then node2 and node3 associate the VIP with eth0. Consequently, if the Director node fails, then the Director, with its VIP, moves to a different node. The new Director already knows the VIP is bound to a particular NIC based on the network interface's name, such as eth0, even though the network interface's IP address has changed. For example, consider a two-node cluster, where node1 is the Director and the VIP is bound to eth0. If node1 fails and node2 becomes the Director, then node2 binds the VIP to eth0.

7.0 Integrating Hardware Cavium Cards with Service Gateway

Service Gateway supports a Cavium Network hardware card for cryptographic processing and acceleration. The ESG can offload security processing to the security card, which speeds up message throughput.

7.1 Prerequisites for Integrating a Cavium Card with Service Gateway

Before you can set up Service Gateway to use a Cavium card, you must have and know the following:

• The Cavium card must be installed on the same system as Service Gateway.
• To integrate Service Gateway with the Cavium security processors, you must obtain a specially built tar file provided by Intel. This tar file contains OpenSSL libraries and device drivers that the ESG requires in order to use the hardware for security processing.
• To learn what version of the Cavium card that Service Gateway supports, contact customer support.

7.2 Installing a Cavium Device Driver

To integrate the ESG with a Cavium security card, you must install the cavium driver into the system where the ESG is installed. To do this, perform the following steps.

1. Verify that a Cavium card is installed by executing the command cli secCardDriverInfo. The command output must display the following statement: Found security card cavium. If that statement does not display, then you do not have a security card installed that is supported by ESG and you cannot perform this procedure.
2. Obtain the secCardDrivers-r[version_number].tgz from the Salesforce website. To use the hardware for security processing, the ESG requires OpenSSL libraries and device drivers contained in the tar file.
3. On the system where the ESG is installed, create a folder named SecCardDriver.
4. Copy the secCardDrivers-r[version_number].tgz into the SecCardDriver folder.
5. Stop the ESG service by executing the command cli serviceStop.
6. Install the Cavium device drivers by executing the secCardDriverInstall command, where for the -d --driverbundle option you enter the absolute file path to the secCardDrivers-r[version_number].tgz. The following command is an example.

    cli secCardDriverInstall -d /home/lablogin/secCardDriver/secCardDrivers-r2.….tgz

If a security card device driver and/or OpenSSL libraries was already installed, then the command fails with the following error message.

    There is a previous instance of openssl libraries and/or drivers installed. Please use --olddriverbackup to specify a file to save backup.

If you receive this error message, then execute the secCardDriverInstall command. When executing this command, you must use the -b,--olddriverbackup option, which specifies the absolute file path to where the backup of the existing driver will be written prior to the new driver being installed. This backup file must be in a tgz format. The following command is an example.

    cli secCardDriverInstall -d /home/lablogin/secCardDriver/secCardDrivers-r2.….tgz -b /home/lablogin/secCardDriver/secCardDrivers_Backup.tgz

7. Start the ESG by executing the command cli serviceStart.

7.3 Removing a Cavium Device Driver

After you perform the procedure in section 7.2 Installing a Cavium Device Driver, the Service Gateway is configured to use the Cavium card for cryptographic processing and acceleration. In some situations, such as the cavium card failing and needing to be replaced, you may need to configure the ESG to stop using the Cavium card and instead only use the OpenSSL libraries installed with the software for security processing. To do this, perform the following steps.

1. Stop the ESG service by executing the command cli serviceStop.
2. Configure the ESG to stop using the Cavium security card by executing the secCardDriverIgnore command. When executing this command, you must use the -b,--olddriverbackup option, which specifies the absolute file path to where the backup of the existing driver will be written prior to the new driver being installed. This backup file must be in a tgz format. The following command is an example.

    cli secCardDriverIgnore -b /home/lablogin/secCardDriver/secCardDrivers_Backup.tgz

CAUTION: IF YOU EXECUTE THE SECCARDDRIVERIGNORE COMMAND THEN ESG WILL NOT USE THE SECURITY CARD FOR ANY CRYPTOGRAPHIC PROCESSING OR SECURITY ACCELERATION.

To reconfigure the ESG to use the security card, perform the procedure in section 7.2 Installing a Cavium Device Driver.

3. Start the ESG service by executing the command cli serviceStart.

7.4 Creating and Using a Backup of Cavium Device Driver

If you executed either the secCardDriverInstall or secCardDriverIgnore commands, then a backup is usually created that contains the device drivers and/or OpenSSL libraries that were replaced by those commands. The secCardDriverRestore removes the existing device drivers and/or OpenSSL libraries and replaces those files with the drivers and libraries from the backup. To do this, perform the following steps.

1. Execute the secCardDriverInstall or secCardDriverIgnore commands. Regardless of which command you execute, you must use the -b,--olddriverbackup with that command. This generates the tar file that contains the backup.
2. Replace the existing device drivers and/or OpenSSL libraries with ones in the backup tar file by executing the secCardDriverRestore command. When executing this command, you must use the -b,--olddriverbackup option, which specifies the absolute file path to the backup of the previously installed drivers. This backup file must be in a tgz format. The following command is an example.

    cli secCardDriverRestore -b /home/lablogin/secCardDriver/secCardDrivers_Backup.tgz

3. Start the ESG service by executing the command cli serviceStart.

8.0 Upgrade Procedure

The Service Gateway runtime is upgraded using the Command Line Interface (CLI). When you have a working ESG, you should always perform an upgrade rather than reinstallation except under extreme conditions. A fresh installation completely deletes your existing application configurations.

• The upgrade command converts your existing configurations to the new release.
• An upgrade allows you to go from any lower release to any higher release of ESG.
• You can back out an upgrade with the -b option on the cli installUpgrade. To do this, you must have the tgz file generated by executing the upgrade_save command. You also need the RPM of the release you wish to back out to.
• You may want to reinstall the current release for some reason, such as a disk corruption. This can be done by using the cli upgrade_save and cli installUpgrade commands.
• You can upgrade the ESG and move it to new hardware if the new hardware has the same set of network interfaces. For example, if current hardware has eth0 and eth1, then the new machine must also have eth0 and eth1.
  a. Run cli upgrade_save on the current machine.
  b. Copy the tgz bundle that contains the ESG from the current machine to the new machine.
  c. Run cli installUpgrade using the tgz bundle from step b.

8.1 Upgrade Command Syntax

The full syntax for the upgrade command is this:

    cli upgrade -r rpm [-d upgrade_save_dir] [--upgradeCluster]

Where:
• rpm — name of the new RPM you are upgrading to
• upgrade_save_dir — the directory where you want to save the backup of your currently installed RPM
• upgradeCluster — upgrades all nodes of an entire cluster at the same time

8.2 Back up Service Gateway Logs Before Upgrade

When you perform an upgrade, all logs are automatically deleted. This occurs because the log format changes from release to release and an older log format cannot be read or searched by a newer version of ESG. You can preserve the logs by copying the logs to a secure directory location. To back up the logs, execute the following CLI command:

    cli saveLogFiles -f logs.tgz

Where:
• logs.tgz is the tgz file that contains all of the ESG logs. If you do not specify an absolute file path in the -f argument, then the tgz file is saved to the directory where saveLogFiles is executed.

8.3 Upgrading Service Gateway

To upgrade Service Gateway, perform the following steps.

1. Determine whether you are upgrading a cluster. If you are, then do not perform this procedure and instead perform the procedure in section 8.5 Performing a Cluster-wide Upgrade.
2. Log in to the ESG machine with root privileges.
3. Copy the new RPM to the ESG machine.
4. Make sure all application and system configurations are saved and closed. Upgrade cannot proceed if any configurations are open for edit.
5. To back out the upgrade, you must first store the application configuration data into a tarball. Create this tarball now by executing the upgrade_save command. The following is an example.

    /tmp>cli upgrade_save /tmp/save
    upgrade tar file is: /tmp/save/save.tgz
    upgrade_save successfully completed
    /tmp>

As a result, you now have the option to back out an upgrade and restore the previous version of ESG with your application configurations. For details, refer to section 8.3.2 Backing Out an Upgrade.

6. If the ESG is running, execute the following command:

    cli serviceStop

7. Run the CLI upgrade command, substituting the name of your ESG RPM for "name":

    cli upgrade -r /tmp/name.rpm

Where the name contains the version type and the version number. This example assumes the RPM is in directory /tmp. In the upgrade command, you must specify the full directory path to the RPM or the command cannot execute.

If this node was a part of a cluster, then after upgrade the node will be removed from the cluster. Once the node is removed from the cluster, it searches for another upgraded member of the cluster. If it finds a node that has the same version of the ESG and both nodes were part of the same cluster in a previous release, then they will form a cluster; otherwise the node will elect itself as master. A cluster cannot contain nodes with different versions of the ESG.

8. If necessary, configure the ESG service so that it automatically starts each time the machine restarts by executing the following command:

    chkconfig --add soae

9. Start the upgraded ESG by executing the command:

    cli serviceStart

10. While upgrading ESG is a stable process, it is possible that an error could occur or an application configuration could become corrupted. If that occurs, it may be necessary to back out the upgrade and restore the previous version of ESG with the deployed applications and application configurations created in that release. To do this, perform the procedure in section 8.3.2 Backing Out an Upgrade.

8.3.1 Example of an Upgrade

The following is an example of upgrading to a new RPM. In this example, the system being upgraded is either a standalone system, or is the first node of a cluster to be upgraded. You must issue a cli serviceStop command before the upgrade can run successfully, and you must issue a cli serviceStart command once upgrade is completed to start the ESG again.

    /tmp>cli saveLogFiles -f logs.tgz
    cli upgrade -r /root/esg-runtime-as5-64bit-r2_8_0.rpm
    Warning: This command will delete all logs. If you would like to save a backup of these logs, execute command "cli saveLogFiles".
    You are about to upgrade the software, do you want to continue 'yes|no'? yes
    You answered yes
    Pre-retrofit check of config cluster
    Pre-retrofit check of config current
    Pre-retrofit check of config factory
    test RPM for validity
    upgrade tar file is: /tmp/retrofit.esg.intel/systemBackup.tgz
    upgrade_save successfully completed
    Prepare Upgrade
    Stopping soaed: [ OK ]
    Please wait while upgrade continues
    soae service will be stopped and uninstalled
    Please Wait ...
    ...installing new esg rpm: /root/esg-runtime-as5-64bit-r2_8_0.rpm ...
    esg patch in progress
    Installing with uid: 99 gid: 99
    Forcing service state to new state = OOS
    ...begin upgrade_finish
    configured uid/gid will be used
    Forcing service state to new state = POSTINSTALLING
    ...
    esg completed (upgrade) successfully.
    You are now ready to start the soae service.
    Hit Return to continue
    [root@iclab002 ~]#

8.3.2 Backing Out an Upgrade

While upgrading ESG is a stable process, it is possible that an error could occur or an application configuration could become corrupted. If that occurs, it may be necessary to back out the upgrade and restore the previous version of ESG with the deployed applications and application configurations created in that previous release. To back out to a previous release, perform the following steps.

1. Obtain the ESG RPM of the version that you want to downgrade or install as. For example, if you upgraded to 2.8 from 2.7 and needed to revert back to 2.7, then you'd obtain the 2.7 RPM.
2. Log into the machine where ESG is installed as root.
3. cd to /tmp/retrofit.esg.intel/.
4. Execute the following command:

    ./restoreSystem -r [absolute path to ESG RPM]

8.4 Check the status of the Service Gateway

Once upgrade is complete, check the status of the ESG by executing the command:

    cli status -v

The -v option stands for verbose, and will give details on any problems encountered.

8.5 Performing a Cluster-wide Upgrade

You can execute a single command to simultaneously upgrade all the nodes in a cluster. During a cluster-wide upgrade, the following occurs.

• Runs a configuration audit between master and other nodes to ensure all nodes have a consistent set of configurations.
• Copies the RPM to all nodes of the cluster. If any copy to any node fails, then the upgrade cannot start.
• When upgrade is initiated, communication between the nodes stops. Each node then upgrades on its own.
• Upgrade forces the master to upgrade first. This makes it highly likely that the master node will complete its upgrade first and become the master node in the new release. However, if a node completes upgrading before the master, then it becomes the master and the master from the previous release becomes a slave in the new release.
• As each node completes the upgrade, it attempts to re-join the cluster. The ESG generates an alarm stating there is a communication problem for any nodes that fail to come up on the new release. For nodes that fail to come up on the new release, it will not be clear what the problem is. If any of the nodes fail to join the cluster after an upgrade, the administrator must investigate and resolve problems manually.

8.5.1 Prerequisites for a Cluster-wide Upgrade

Before upgrading a cluster, verify that the cluster meets the following requirements.

• All nodes must be in the ACTIVE state. If a node is not in the ACTIVE state or cannot communicate with the cluster, then the command does not execute.
• Application and system configurations cannot be open for edit in any node.
• None of the nodes are permitted to have an alarm or Threshold Crossing Alert (TCA), except if the TCA is caused by the factory configuration being active.

8.5.2 Procedure for Upgrading a Cluster

To upgrade an entire cluster using a single CLI command, perform the following steps.

1. Verify that the cluster conforms to the requirements in section 8.5.1 Prerequisites for a Cluster-wide Upgrade.
2. Login to the master node as root.
3. Apply the upgrade by executing the following command:

    cli upgrade --upgradeCluster -r /root/esg-runtime-as5-64bit-r2_8_0.rpm

Where:
• -r specifies the RPM you are upgrading to. You must specify the absolute file path to the RPM.

8.5.3 Backing out a Cluster-wide upgrade

To back out the upgrade, perform the following steps.

1. Obtain the ESG RPM of the version that you want to downgrade or install as. For example, if you upgraded to 2.8 from 2.7 and needed to revert back to 2.7, then you'd obtain the 2.7 RPM.
2. Log into the master node as root.
3. cd to /tmp/retrofit.esg.intel/.
4. Execute the following command:

    ./restoreSystem -r [absolute path to ESG RPM] -c

9.0 Troubleshooting a Service Gateway Installation

This section lists certain typical problems you may encounter when installing a Service Gateway using the RPM* tool. Errors that can cause the ESG install to fail are:

Table 7. Install problems and solutions

Error: JRE dir not available
Solution: Set the JRE_HOME environment variable

Error: The number of IPC queues has not been set to 120 or more
Solution: Set the kernel.msgmni parameter as shown in Preparing Your System for ESG Installation

Error: Default route not set and is equal to 0.0.0.0
Solution: Use the command: route add default gw a.b.c.d where a.b.c.d is the IP address of your gateway.