Installing Moab Web Services
This topic contains instructions on how to install Moab Web Services (MWS).
In this topic:
Moab Web Services requires certain ports to be open for essential communication. For communication with the tomcat web server, the default port is 8080. For communication with the Mongo database, the default port is 27017.
- Red Hat-based systems using iptables:
[root]# iptables-save > /tmp/iptables.mod [root]# vi /tmp/iptables.mod # Add the following lines immediately *before* the line matching # "-A INPUT -j REJECT --reject-with icmp-host-prohibited" # Needed on the MWS server for communication with the tomcat web server -A INPUT -p tcp --dport 8080 -j ACCEPT # Needed on the Mongo server if installed on a separate host from MWS -A INPUT -p tcp --dport 27017 -j ACCEPT [root]# iptables-restore < /tmp/iptables.mod [root]# service iptables save
- SuSE-based systems using SuSEfirewall2:
[root]# vi /etc/sysconfig/SuSEfirewall2 # Add the following ports to the FW_SERVICES_EXT_TCP parameter as required # Needed on the MWS server for communication with the tomcat web server FW_SERVICES_EXT_TCP="8080" # Needed on the Mongo server if installed on a separate host from MWS FW_SERVICES_EXT_TCP="27017" [root]# service SuSEfirewall2_setup restart
Dependencies and Packages Installation
Use the following commands to install the required Moab Web Services dependencies and packages.
Install Java
Install the 64-bit RPM version of Oracle® Java® 7 Runtime Environment.
Oracle Java 7 Runtime Environment is the recommended Java environment, but Oracle Java 6 is also supported. All other versions of Java, including OpenJDK/IcedTea, GNU Compiler for Java, and so on cannot run Moab Web Services.
Do the following:
-
Download the Linux x64 RPM version of Oracle Java SE 7 JRE. (Go to the Oracle Java 7 download page, copy the URL to the Linux x64 RPM version, then run the following command.)
- Run the following to install Java 7:
[root]# wget <URL> -O jre-7-linux-x64.rpm
To verify that the download was successful, run the following on the RPM before installation:
[root]# rpm -qip jre-7-linux-x64.rpm
[root]# rpm -Uh jre-7-linux-x64.rpm
Install Tomcat
- RHEL, CentOS, and Scientific Linux:
[root]# yum install tomcat6
- SLES:
[root]# zypper ar --refresh -r http://download.opensuse.org/evergreen/11.4/openSUSE:Evergreen:11.4.repo [root]# zypper in tomcat6 [root]# zypper mr -d openSUSE_Evergreen_11.4
Install MongoDB
To install and enable MongoDB, do the following:
- Install MongoDB.
- RHEL, CentOS, and Scientific Linux:
Create a file called /etc/yum.repos.d/10gen.repo and add the following lines.
[10gen] name=MongoDB Repository baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64 gpgcheck=0 enabled=1 exclude=mongodb-org mongodb-org-server
Install mongo-10gen-server.
[root]# yum install mongo-10gen-server
- SLES:
[root]# zypper ar http://download.opensuse.org/repositories/server:/database/SLE_11_SP3 OpenSuseDatabase [root]# zypper install mongodb
- RHEL, CentOS, and Scientific Linux:
- Start MongoDB.
- RHEL and CentOS, and Scientific Linux:
[root]# chkconfig mongod on [root]# service mongod start
- SLES:
[root]# chkconfig mongodb on [root]# service mongodb start
- RHEL and CentOS, and Scientific Linux:
- Prepare the MongoDB database by doing the following:
- Add the required MongoDB users.
- Enable authentication in MongoDB.
- RHEL and CentOS, and Scientific Linux:
[root]# vi /etc/mongod.conf auth = true [root]# service mongod restart
- SLES:
[root]# vi /etc/mongodb.conf auth = true [root]# service mongodb restart
On SLES machines, auth = true is enabled by default.
- RHEL and CentOS, and Scientific Linux:
The passwords used below (secret1, secret2, and secret3) are examples. Choose your own passwords for these users.
[root]# mongo > use admin; > db.addUser("admin_user", "secret1"); > db.auth ("admin_user", "secret1"); > use moab; > db.addUser("moab_user", "secret2"); > db.addUser("mws_user", "secret3", true); > use mws; > db.addUser("mws_user", "secret3"); > exitBecause the admin_user has read and write rights to the admin database, it also has read and write rights to all other databases. See Control Access to MongoDB Instances with Authentication for more information.
There may be a short delay (approximately 3 minutes) for Mongo to start the first time.
If you see errors while running the chkconfig command, make sure that /sbin is in your PATH environment variable, then run chkconfig again.
export PATH=/sbin:$PATH
You must deploy Moab Web Services on the same server as Moab Workload Manager.
- Verify Moab is installed and configured as desired (for details, see Installing Moab Workload Manager).
- Start Moab.
- Create the MWS home directory and subdirectories (for more information, see the "Configuration" section of the Moab Web Services Reference Guide).
- Download the latest MWS build (mws-<version>.tar.gz) from the Adaptive Computing website.
- Extract the contents of the MWS download tarball into a temporary directory. For example:
-
Copy the extracted utility files to the utility directory created above and give the tomcat user ownership of the directory.
[root]# cd /tmp/mws-install/mws-<version>/utils [root]# cp * /opt/mws/utils [root]# chown tomcat:tomcat /opt/mws/utils/*
-
Connect Moab to MongoDB.
On the Moab head node, connect Moab to MongoDB.
The USEDATABASE parameter is unrelated to the MongoDB configuration.
- Set the MONGOSERVER parameter in /opt/moab/etc/moab.cfg to the MongoDB
server hostname. Use localhost as the hostname if Moab and MongoDB are hosted
on the same server.
MONGOSERVER <host>[:<port>]
If your MONGOSERVER host is set to anything other than localhost, edit the /etc/mongod.conf file on the MongoDB server host and either comment out any bind_ip parameter or set it to the correct IP address:
# Listen to local interface only. Comment out to listen on all interfaces. #bind_ip=127.0.0.1
- In the /opt/moab/etc/moab-private.cfg file, set the MONGOUSER and MONGOPASSWORD parameters to the MongoDB moab_user credentials you set. See Install MongoDB in the Dependencies and Packages Installation section earlier in this topic.
MONGOUSER moab_user MONGOPASSWORD secret2
- Verify that Moab is able to connect to MongoDB.
[root]# service moab restart [root]# mdiag -S ... Mongo connection (localhost) is up (credentials are set) ...
- Set the MONGOSERVER parameter in /opt/moab/etc/moab.cfg to the MongoDB
server hostname. Use localhost as the hostname if Moab and MongoDB are hosted
on the same server.
-
Secure communication using secret keys.
- (Required) Moab and MWS use Message Authentication Codes (MAC) to ensure
messages have not been altered or corrupted in transit. On the Moab head node,
generate a key and store the result in /opt/moab/etc/.moab.key:
[root]# service moab stop [root]# dd if=/dev/urandom count=18 bs=1 2>/dev/null | base64 > /opt/moab/etc/.moab.key [root]# chown root:root /opt/moab/etc/.moab.key [root]# chmod 400 /opt/moab/etc/.moab.key [root]# service moab start
The key you specify in the .moab.key file is the same key you must also specify in the moab.secretKey property when installing and configuring MWS in the next step.
- (Optional) Moab supports message queue security using AES. This feature
requires a Base64-encoded 16-byte (128-bit) shared secret. On the Moab head
node, generate a key and append the result to /opt/moab/etc/moab-private.cfg
[root]# service moab stop [root]# echo "MESSAGEQUEUESECRETKEY $(dd if=/dev/urandom count=16 bs=1 2>/dev/null | base64)" >> /opt/moab/etc/moab-private.cfg [root]# service moab start
The key you specify in the moab-private.cfg file is the same key you must also specify in the moab.messageQueue.secretKey property when installing and configuring MWS in the next step.
If MWS is configured to encrypt the message queue and Moab is not (or vice versa), then MWS will ignore the messsages from Moab. Furthermore, all attempts to access the MWS service resource will fail.
- (optional) Verify that encryption is on for the ZeroMQ connection.
[root]# mdiag -S|grep 'ZeroMQ MWS' ZeroMQ MWS connection is bound on port 5570 (encryption is on)
- (Required) Moab and MWS use Message Authentication Codes (MAC) to ensure
messages have not been altered or corrupted in transit. On the Moab head node,
generate a key and store the result in /opt/moab/etc/.moab.key:
-
Set up the MWS configuration files. In the extracted directory are several configuration files.
-
Copy the configuration files into place and grant the tomcat user read access.
[root]# cd /tmp/mws-install/mws-<version> [root]# cp mws-config.groovy /opt/mws/etc [root]# cp mws-config-hpc.groovy /opt/mws/etc/mws.d [root]# chown tomcat:tomcat /opt/mws/etc/mws-config.groovy /opt/mws/etc/mws.d/mws-config-hpc.groovy [root]# chmod 400 /opt/mws/etc/mws-config.groovy /opt/mws/etc/mws.d/mws-config-hpc.groovy
- In the /opt/mws/etc/mws-config.groovy file, change these settings:
- moab.secretKey: Must match the Moab secret key you generated earlier (contained in /opt/moab/etc/.moab.key).
- auth.defaultUser.username: Any value you like, or leave as is.
- auth.defaultUser.password: Any value you like, but choose a strong password.
- moab.messageQueue.secretKey: If you opted to configure a message queue security key in MWS, this parameter value should match exactly that key specified in /opt/moab/etc/moab-private.cfg for the MESSAGEQUEUESECRETKEY Moab configuration parameter on the Moab head node in the previous step..
Important: If MWS is configured to encrypt the message queue and Moab is not (or vice versa), then the messages from Moab will be ignored. Furthermore, all attempts to access the MWS service resource will fail.
[root]# vi /opt/mws/etc/mws-config.groovy // Replace <ENTER-KEY-HERE> with the contents of /opt/moab/etc/.moab.key.
moab.secretKey = "<ENTER-KEY-HERE>" moab.server = "localhost" moab.port = 42559 // Replace <ENTER-KEY-HERE> with the value of MESSAGEQUEUESECRETKEY in /opt/moab/etc/moab-private.cfg. moab.messageQueue.secretKey = "<ENTER-KEY-HERE>"
// Change these to be whatever you like. auth.defaultUser.username = "moab-admin" auth.defaultUser.password = "changeme!"
If you do not change auth.defaultUser.password, your MWS will not be secure (because anyone reading these instructions would be able to log into your MWS). Here are some tips for choosing a good password.
- Do one of the following:
- If you are configuring an MWS connection to your LDAP server, add the following parameters to /opt/mws/etc/mws-config.groovy:
- If you are configuring MWS to use PAM, add the the pam.configuration.service parameter to the mws-config.groovy file. For example:
- Add the grails.mongo.username and grails.mongo.password parameters to the mws-config.groovy file. Use the MWS credentials you added to MongoDB in the Preparing for Installation section.
You can configure only one authentication method in mws-config.groovy—LDAP or PAM, but not both. If you have configured both LDAP and PAM, MWS defaults to using LDAP.
If you need multiple authentication methods, you must add them to your local PAM configuration. See your distribution documentation for details.
ldap.server = "192.168.0.5" ldap.port = 389 ldap.baseDNs = ["dc=acme,dc=com"] ldap.bindUser = "cn=Manager,dc=acme,dc=com" ldap.password = "*****" ldap.directory.type = "OpenLDAP Using InetOrgPerson Schema"
This is just an example LDAP connection. Be sure to use the appropriate domain controllers (dc) and common names (cn) for your environment.
If you followed the Adaptive Computing tutorial, Setting Up OpenLDAP on CentOS 6, your ldap.directory.type should be set to "OpenLDAP Using InetOrgPerson Schema." However, the use of other schemas is supported. For more information see LDAP Configuration Using mws-config.groovy.
To see how to configure a secure connection to the LDAP server, see Securing the LDAP Connection.
pam.configuration.service = "login"
For more information about PAM configuration with MWS, see PAM (Pluggable Authentication Module) Configuration Using mws-config.groovy.
There is a security risk when authenticating local users through your PAM configuration. This behavior is highly discouraged and not supported by Adaptive Computing.
... grails.mongo.username = "mws_user" grails.mongo.password = "secret3"
-
- Add the following lines to the end of /etc/tomcat6/tomcat6.conf:
- Deploy the mws.war file and start Tomcat.
- Navigate to http://<server>:8080/mws/ in a web browser to verify that MWS is running (you will see some sample queries and a few other actions).
- Log in to MWS to verify that your credentials are working. (Your login credentials are the auth.defaultUser.username and auth.defaultUser.password values you set in the /opt/mws/etc/mws-config.groovy file.)
[root]# service moab start
The default location for the MWS home directory is /opt/mws. These instructions assume the default location.
Here is a sample script for this setup:
[root]# mkdir -p \
/opt/mws/etc/mws.d \
/opt/mws/hooks \
/opt/mws/log \
/opt/mws/plugins \
/opt/mws/spool/hooks \
/opt/mws/utils
[root]# chown -R tomcat:tomcat /opt/mws # Depending on your OS, the Tomcat username might be tomcat6.
[root]# chmod -R 555 /opt/mws
[root]# chmod u+w \
/opt/mws/log \
/opt/mws/plugins \
/opt/mws/spool \
/opt/mws/spool/hooks \
/opt/mws/utils
[root]# mkdir /tmp/mws-install [root]# cd /tmp/mws-install [root]# tar xvzf $HOME/Downloads/mws-<version>.tar.gz
CATALINA_OPTS="-DMWS_HOME=/opt/mws -Xms256m -Xmx3g -XX:MaxPermSize=384m -Dfile.encoding=UTF8"
JAVA_HOME="/usr/java/latest"
Some Linux distributions use /etc/default/tomcat6 or /etc/sysconfig/tomcat6 instead of /etc/tomcat6/tomcat6.conf.
[root]# chkconfig tomcat6 on
[root]# service tomcat6 stop
[root]# cp /tmp/mws-install/mws-8.1.0/mws.war /usr/share/tomcat6/webapps
[root]# service tomcat6 start
|
|
Click to enlarge |
If you encounter problems, or if the application does not seem to be running, see the steps in Moab Web Services Issues.