Symantec Identity Management

Improve the migration processes from IG Embedded JBOSS 5.1GA to Wildfly

    Posted 10-05-2016 06:20 PM

    Hello Team,

    With regards to dev-ops, we are always looking for improvements to auto-deploy solutions, especially stacks to a cluster.

    To assist with dev-ops and performance, we wish to auto-deploy IG, then, per the readme.txt file, zip up this "reference IG deployment" and push it to other systems.


    #### First note for improvement - hazelcast ####

    There are two (2) reference notes about the migration of Identity Governance from its embedded JBOSS 5.1GA release to either RHEL JBOSS 6.x EAP or Wildfly 8.x for a clustered environment.


    1.  IG Wiki/Bookshelf notes:
        JBoss WildFly Installation - CA Identity Governance - 12.6.05 - CA Technologies Documentation

    2.  IG readme.txt file under the extracted folder ..//CA-IdentityGovernance-12.6.0X-Core/Utils&Conf/JBossEAP6 or JBossWildfly, from the zip file CA-IdentityGovernance-12.6.0X-Core.zip


    One of the sections for improvement is the need to extract the eurekify.war file to update the hostname/IP addresses in the hazelcast.xml file (see section "Configure Hazelcast and Compressed Files" in the IG Wiki).


    Proposal:  Using a JVM switch, we can redirect JBOSS from the embedded file to an external file.

    1.  Copy the hazelcast.xml to JBOSS_HOME/standalone/configuration

    2.  Edit the hazelcast.xml and add the hostnames/IP addresses of all cluster members of the IG environment.

    3.  Update the JBOSS_HOME/bin/ca-gm-run.sh file to use a JVM switch that points to the external hazelcast.xml file:

        GM_JAVA_OPTS="$GM_JAVA_OPTS -Dhazelcast.config=$JBOSS_HOME/standalone/configuration/hazelcast.xml"

    This process will allow rapid updates for IG cluster nodes. No need to extract and re-zip the eurekify.war file.


    The body of the hazelcast.xml to update for IP/hostnames:

        <tcp-ip enabled="true">
            <!-- ####################################################################### -->
            <members>ip-172-31-45-44,ig002</members>
            <!-- ####################################################################### -->
        </tcp-ip>


    The JBOSS_HOME/standalone/log/eurekify.log entries about hazelcast.xml:


    INFO  [com.hazelcast.config.XmlConfigBuilder] (MSC service thread 1-1) Using configuration file /content/eurekify.war/WEB-INF/classes/hazelcast.xml in the classpath.

            hazelcast.config = /opt/CA/IG/wildfly-8.2.1.Final/standalone/configuration/hazelcast.xml

            sun.java.command = /opt/CA/IG/wildfly-8.2.1.Final/jboss-modules.jar -mp /opt/CA/IG/wildfly-8.2.1.Final/modules org.jboss.as.standalone -Djboss.home.dir=/opt/CA/IG/wildfly-8.2.1.Final -Djboss.server.base.dir=/opt/CA/IG/wildfly-8.2.1.Final/standalone --server-config=standalone-full-ca-gm.xml -b 0.0.0.0 -Dwicket.configuration=deployment -Dworkpoint.classpath.url=../Workpoint/ -Dorg.jboss.as.logging.per-deployment=false -Djboss.node.name=ca-gm-node-1 -Dhazelcast.config=/opt/CA/IG/wildfly-8.2.1.Final/standalone/configuration/hazelcast.xml

    INFO  [com.hazelcast.config.XmlConfigBuilder] (MSC service thread 1-3) Using configuration file at /opt/CA/IG/wildfly-8.2.1.Final/standalone/configuration/hazelcast.xml

    INFO  [com.hazelcast.config.XmlConfigBuilder] (MSC service thread 1-3) Using configuration file at /opt/CA/IG/wildfly-8.2.1.Final/standalone/configuration/hazelcast.xml

    INFO  [com.hazelcast.system] (MSC service thread 1-3) [dev_RCM] Hazelcast 1.9.2.1 (20110216) starting at Address[172.31.45.44:5701]

    INFO  [com.hazelcast.system] (MSC service thread 1-3) [dev_RCM] Copyright (C) 2008-2010 Hazelcast.com

    INFO  [com.hazelcast.impl.LifecycleServiceImpl] (MSC service thread 1-3) [dev_RCM] Address[172.31.45.44:5701] is STARTING

    INFO  [com.hazelcast.impl.Node] (hz.1.ServiceThread) [dev_RCM]

     Members [1] {

            Member [172.31.45.44:5701] this

    }

    INFO  [com.hazelcast.impl.LifecycleServiceImpl] (MSC service thread 1-3) [dev_RCM] Address[172.31.45.44:5701] is STARTED

     

     

    Note:  The above example was pulled from an example configuration on the ID Suite Virtual Appliance. 
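As an added example (not from the original post or the CA IG kit), the following script carries out steps 1 to 3 of the proposal on a constructed JBOSS_HOME and then checks eurekify.log for the "Using configuration file at" message quoted above. It assumes ca-gm-run.sh assigns GM_JAVA_OPTS before it launches Java; the sample hazelcast.xml, run script and log line are constructed here.

```shell
# Added example, not from the original post or the CA IG kit: helpers for steps 1-3
# (external hazelcast.xml plus the -Dhazelcast.config switch) and a post-restart log check.
# Assumes ca-gm-run.sh assigns GM_JAVA_OPTS before it launches Java; sample files are constructed.
SWITCH='GM_JAVA_OPTS="$GM_JAVA_OPTS -Dhazelcast.config=$JBOSS_HOME/standalone/configuration/hazelcast.xml"'

# Step 2: replace the comma-separated <members> list inside <tcp-ip>.
set_hazelcast_members() {
    sed "s|<members>[^<]*</members>|<members>$2</members>|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read the list back, e.g. to compare nodes after the zipped deployment has been pushed.
get_hazelcast_members() {
    sed -n 's|.*<members>\([^<]*\)</members>.*|\1|p' "$1"
}

# Step 3: add the switch after the last GM_JAVA_OPTS= line; a second run is a no-op.
add_hazelcast_switch() {
    grep -q 'Dhazelcast.config=' "$1" && return 0
    awk -v line="$SWITCH" '
        /^GM_JAVA_OPTS=/ { last = NR } { buf[NR] = $0 }
        END { for (i = 1; i <= NR; i++) { print buf[i]; if (i == last) print line }
              if (!last) print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# After the restart: succeeds only if eurekify.log shows XmlConfigBuilder reading the
# external file ("Using configuration file at <path>"), not the copy inside eurekify.war.
hazelcast_uses_external() {
    grep -q "XmlConfigBuilder.*Using configuration file at $2\$" "$1"
}

# Constructed sample JBOSS_HOME so the script runs stand-alone.
JBOSS_HOME=$(mktemp -d)
mkdir -p "$JBOSS_HOME/standalone/configuration" "$JBOSS_HOME/bin"
HZ="$JBOSS_HOME/standalone/configuration/hazelcast.xml"
RUN="$JBOSS_HOME/bin/ca-gm-run.sh"
printf '%s\n' '<hazelcast><network><join>' \
    '  <tcp-ip enabled="true"><members>127.0.0.1</members></tcp-ip>' \
    '</join></network></hazelcast>' > "$HZ"
printf '%s\n' '#!/bin/sh' 'GM_JAVA_OPTS="-Xmx2g"' 'exec java $GM_JAVA_OPTS -jar jboss-modules.jar' > "$RUN"

set_hazelcast_members "$HZ" "ip-172-31-45-44,ig002"
add_hazelcast_switch "$RUN"; add_hazelcast_switch "$RUN"
echo "members: $(get_hazelcast_members "$HZ")"

# Constructed log line in the format quoted above, as a successful restart would write it.
LOG="$JBOSS_HOME/eurekify.log"
echo "INFO  [com.hazelcast.config.XmlConfigBuilder] (MSC service thread 1-3) Using configuration file at $HZ" > "$LOG"
hazelcast_uses_external "$LOG" "$HZ" && echo "Hazelcast loaded the external hazelcast.xml"
```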

     

     

    #### Second note for improvement - db password hashes ####

    Post task - Encryption of JBOSS/Wildfly Datasources (IG Databases)

    Note: May use either the JBOSS libraries to encrypt the files or the better encryption routines of the ID Suite Password Tool.

    Recommend changing the IG database sources from clear text to PBES encryption.


    1.  Copy the Password Tools folder from the ID Suite (IM iso)
        - This password tool folder is located under the Identity Management ISO (../ca/iam_suite/r12-6-6/server/PasswordTool)

    2.  Edit the shell script pwdtools.sh / pwdtools.bat with JAVA_HOME (if JAVA_HOME is not an environment variable)

    3.  Execute the command with the -JSAFE switch:

        ./pwdtools.sh -JSAFE -p Password01

    4.  Record this {PBES} hash to notepad or your clipboard

    5.  Navigate to the JBOSS_HOME/standalone/configuration folder

    6.  Edit standalone-full-ha-ca-gm.xml for six (6) locations:


    [root@ip-172-31-45-44 configuration]# grep PBES standalone-full-ha-ca-gm.xml

    <password>{PBES}:B8+4u/F3aiZ9sXus6HyDNA==</password> for eurekifyDS

    <password>{PBES}:B8+4u/F3aiZ9sXus6HyDNA==</password> for eurekifyTmsDS

    <password>{PBES}:B8+4u/F3aiZ9sXus6HyDNA==</password> for eurekifyReportdbDS

    {PBES}:B8+4u/F3aiZ9sXus6HyDNA== for /WPDS

    {PBES}:B8+4u/F3aiZ9sXus6HyDNA== for /WPDS2

    {PBES}:B8+4u/F3aiZ9sXus6HyDNA== for /WPDS3

     

    Example of the data-source login/password sections in standalone-full-ha-ca-gm.xml:


    <security>
        <user-name>igdba_eurekify_ticketdb</user-name>
        <!-- <password>Password01</password> -->
        <password>{PBES}:B8+4u/F3aiZ9sXus6HyDNA==</password>
    </security>

    </xa-datasource-property>
    <!-- <xa-datasource-property name="Password">
        Password01
    </xa-datasource-property> -->
    <xa-datasource-property name="Password">
        {PBES}:B8+4u/F3aiZ9sXus6HyDNA==
    </xa-datasource-property>


    Start the IG solution and monitor the JBOSS_HOME/standalone/log/eurekify.log for access to the databases:


    15:28:41,290 INFO [com.eurekify.settings.SettingsCommon] (MSC service thread 1-1) jdbc/eurekifyDS data source is loaded

    15:28:42,250 INFO [com.eurekify.settings.Settings] (MSC service thread 1-1) jdbc/eurekifyDS data source URL: jdbc:oracle:thin:@ip-172-31-45-44:1521/XE

    15:28:42,251 INFO [com.eurekify.settings.Settings] (MSC service thread 1-1) jdbc/eurekifyDS parsed by forth pattern

    15:28:42,251 INFO [com.eurekify.settings.Settings] (MSC service thread 1-1) jdbc/eurekifyDS serverIp:ip-172-31-45-44

    15:28:42,251 INFO [com.eurekify.settings.Settings] (MSC service thread 1-1) jdbc/eurekifyDS serverPort:1521

    15:28:42,251 INFO [com.eurekify.settings.Settings] (MSC service thread 1-1) jdbc/eurekifyDS databaseName:XE
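Step 6 above edits the datasource file by hand in six places. As an added example that is not part of the original post or CA's tooling, this script audits the result and lists every datasource password that is still cleartext, including an old value left behind in an XML comment, which is still a readable secret in the file; the sample file and its {PBES} values are constructed placeholders, not real output.

```shell
# Added example, not from the original post or the CA tooling: audit standalone-full-ha-ca-gm.xml
# after step 6 and list every datasource password that is not a {PBES} value. Cleartext left in
# XML comments (as in the example above) is reported too, since the file still contains it.
# Prints "<line>: active|commented" per finding and exits 1 when anything was found.
find_cleartext_db_passwords() {
    awk '
        function inner(s) { sub(/^<[^>]*>/, "", s); sub(/<\/[^>]*>$/, "", s); return s }
        function report(v) { if (substr(v, 1, 7) != "{PBES}:") { print NR ": " state; found++ } }
        # comment state for the current line
        { if ($0 ~ /<!--/) inc = 1; state = inc ? "commented" : "active"; if ($0 ~ /-->/) inc = 0 }
        # <password>...</password> on one line
        match($0, /<password>[^<]*<\/password>/) { report(inner(substr($0, RSTART, RLENGTH))) }
        # <xa-datasource-property name="Password">...</xa-datasource-property> on one line
        match($0, /<xa-datasource-property name="Password">[^<]*<\/xa-datasource-property>/) {
            report(inner(substr($0, RSTART, RLENGTH))); next }
        # the same property split over several lines, as in the post
        /<xa-datasource-property name="Password">/ { inpw = 1; next }
        inpw && /<\/xa-datasource-property>/ { inpw = 0; next }
        inpw { v = $0; gsub(/^[ \t]+|[ \t]+$/, "", v); if (v != "") report(v) }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample in the layout shown above (placeholder {PBES} values, not real hashes).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<datasource jndi-name="java:/eurekifyDS">
  <security>
    <user-name>igdba_eurekify</user-name>
    <!-- <password>Password01</password> -->
    <password>{PBES}:placeholderOnly==</password>
  </security>
</datasource>
<xa-datasource jndi-name="java:/WPDS">
  <!-- <xa-datasource-property name="Password">
  Password01
  </xa-datasource-property> -->
  <xa-datasource-property name="Password">
  {PBES}:placeholderOnly==
  </xa-datasource-property>
</xa-datasource>
<datasource jndi-name="java:/eurekifyTmsDS">
  <security><user-name>igdba_tms</user-name><password>Password01</password></security>
</datasource>
EOF

find_cleartext_db_passwords "$SAMPLE" || echo "cleartext datasource passwords remain in $SAMPLE"
```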

     

     

     

     

    Cheers,

    Alan