6.13 Installing Moab Web Services

You must deploy Moab Web Services on the same host as Moab Server (Moab Server Host). For documentation clarity, these instructions refer to the shared host for Moab Server and MWS as the MWS Server Host.

This topic contains instructions on how to install Moab Web Services (MWS).

6.13.1 Open Necessary Ports

If your site is running firewall software on its hosts, you will need to configure the firewall to allow connections to the necessary ports.

6.13.1.A Open the Tomcat Port (8080)

On the MWS Server Host, do the following:

Run the commands for the firewall software the host uses.

On hosts that use iptables:

[root]# iptables-save > /tmp/iptables.mod
[root]# vi /tmp/iptables.mod

# Add the following lines immediately *before* the line matching
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

-A INPUT -p tcp --dport 8080 -j ACCEPT

[root]# iptables-restore < /tmp/iptables.mod
[root]# service iptables save

On hosts that use firewalld:

[root]# firewall-cmd --add-port=8080/tcp --permanent
[root]# firewall-cmd --reload

On hosts that use SuSEfirewall2:

[root]# vi /etc/sysconfig/SuSEfirewall2

FW_SERVICES_EXT_TCP="8080"

[root]# service SuSEfirewall2 restart

6.13.1.B Open the MWS MongoDB Database Port (27017)

Depending on your system configuration, your MongoDB databases may not be installed on the same host as their corresponding component servers. For example, you may choose to install the MWS MongoDB database on the same host where you have installed other MongoDB databases instead of on the MWS Server Host.

Do the following, as needed:

6.13.2 Install Dependencies, Packages, or Clients

6.13.2.A Install Java

Install the Linux x64 RPM version of Oracle® Java® 8 Runtime Environment.

Oracle Java 8 Runtime Environment is the recommended Java environment, but Oracle Java 7 is also supported. All other versions of Java, including OpenJDK/IcedTea, GNU Compiler for Java, and so on cannot run MWS.

On the MWS Server Host, do the following:

  1. Install the Linux x64 RPM version of Oracle Java SE 8 JRE.
    1. Go to the Oracle Java download page.
    2. Copy the URL for the Linux x64 RPM version, and run the following command:
      [root]# rpm -Uh <URL>

      If the host has /usr/sbin/update-alternatives but no /usr/sbin/alternatives, create the symbolic link first:

      [root]# ln -s /usr/sbin/update-alternatives /usr/sbin/alternatives
      [root]# rpm -Uh <URL>

6.13.2.B Install Tomcat

Install Tomcat 7.

Tomcat 7 is required to run MWS 9.0 and later. MWS 9.0 will not run on Tomcat 6.

On the MWS Server Host, do the following:

[root]# yum install tomcat

If installing on RHEL 6, tomcat may not be found in the standard RHEL distribution repositories.

One way to overcome this problem is to install the missing dependencies from EPEL or other reputable repositories. For example (for the current RHEL 6 repositories):

[root]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root]# yum install yum-utils
[root]# yum-config-manager --disable epel
[root]# yum install --enablerepo=epel tomcat

On hosts that use zypper:

[root]# zypper install tomcat

6.13.2.C Install MongoDB

To install and enable MongoDB, do the following on the MWS Server Host:

  1. Install MongoDB.
    [root]# cat > /etc/yum.repos.d/mongodb.repo <<End-of-file
    [mongodb]
    name=MongoDB Repository
    baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64
    gpgcheck=0
    enabled=1
    exclude=mongodb-org mongodb-org-server
    End-of-file
    [root]# yum install mongo-10gen-server

    On hosts that use zypper:

    [root]# zypper ar --refresh -r http://download.opensuse.org/repositories/server:/database/SLE_12/server:database.repo
    [root]# zypper install mongodb
  2. Start MongoDB.

    There may be a short delay (approximately three minutes) for Mongo to start the first time.

    On hosts that use SysV init:

    [root]# chkconfig mongod on
    [root]# service mongod start

    On hosts that use systemd and have no mongodb.service unit yet:

    [root]# cat > /usr/lib/systemd/system/mongodb.service <<End-of-file
    [Unit]
    Description=High-performance, schema-free document-oriented database
    After=syslog.target network.target
    
    [Service]
    Type=forking
    User=mongod
    Group=mongod
    Environment=CONFIG=/etc/mongod.conf
    Environment=OPTIONS=
    EnvironmentFile=-/etc/sysconfig/mongod
    ExecStart=/usr/bin/mongod -f \$CONFIG \$OPTIONS
    PrivateTmp=true
    LimitNOFILE=65536
    TimeoutStartSec=180
    StandardOutput=syslog
    StandardError=syslog
    
    [Install]
    WantedBy=multi-user.target
    End-of-file
    [root]# rm -f /etc/init.d/mongod
    [root]# systemctl enable mongodb.service
    [root]# systemctl start mongodb.service

    On hosts that use systemd and already have a mongodb.service unit:

    [root]# systemctl enable mongodb.service
    [root]# systemctl start mongodb.service
  3. Prepare the MongoDB database by doing the following:
    1. Add the required MongoDB users.

      The passwords used below (secret1, secret2, and secret3) are examples. Choose your own passwords for these users.

      [root]# mongo
      > use admin;
      > db.addUser("admin_user", "secret1");
      > db.auth ("admin_user", "secret1");
      
      > use moab;
      > db.addUser("moab_user", "secret2");
      > db.addUser("mws_user", "secret3", true);
      
      > use mws;
      > db.addUser("mws_user", "secret3");
      > exit

      Because the admin_user has read and write rights to the admin database, it also has read and write rights to all other databases. See Control Access to MongoDB Instances with Authentication for more information.

    2. Enable authentication in MongoDB.
      [root]# vi /etc/mongod.conf
      auth = true

      Then restart MongoDB. On hosts that use SysV init:

      [root]# service mongod restart

      On hosts that use systemd:

      [root]# systemctl restart mongodb.service

      If MongoDB authentication is already enabled (auth = true) by default on your host, no further action is needed.

6.13.3 Install MWS Server

You must complete the tasks to install the dependencies, packages, or clients before installing MWS Server. See 6.13.2 Install Dependencies, Packages, or Clients.

If your configuration uses firewalls, you must also open the necessary ports before installing the MWS Server. See 6.13.1 Open Necessary Ports.

On the MWS Server Host, do the following:

  1. Verify Moab Server is installed and configured as desired (for details, see 6.12 Installing Moab Workload Manager).
  2. Start Moab.

    On hosts that use SysV init:

    [root]# service moab start

    On hosts that use systemd:

    [root]# systemctl start moab.service
  4. Create the MWS home directory and subdirectories.

    See Configuration in the Moab Web Services Administrator Guide for more information.

    The default location for the MWS home directory is /opt/mws. These instructions assume the default location.

    Do the following:

    [root]# mkdir -p \
        /opt/mws/etc/mws.d \
        /opt/mws/hooks \
        /opt/mws/log \
        /opt/mws/plugins \
        /opt/mws/spool/hooks \
        /opt/mws/utils
    [root]# chown -R tomcat:tomcat /opt/mws
    [root]# chmod -R 555 /opt/mws
    [root]# chmod u+w \
        /opt/mws/log \
        /opt/mws/plugins \
        /opt/mws/spool \
        /opt/mws/spool/hooks \
        /opt/mws/utils
  5. Download the latest MWS build (mws-<version>.tar.gz) from the Adaptive Computing website.

    The variable marked <version> is the desired version of the suite; for example, 9.0.3.

  6. Extract the contents of the MWS download tarball into a temporary directory. For example:

    [root]# mkdir /tmp/mws-install
    [root]# cd /tmp/mws-install
    [root]# tar xvzf $HOME/Downloads/mws-9.0.3.tar.gz
  8. Copy the extracted utility files to the utility directory created in the previous step and give the tomcat user ownership of the directory.

    [root]# cd /tmp/mws-install/mws-9.0.3/utils
    [root]# cp * /opt/mws/utils
    [root]# chown tomcat:tomcat /opt/mws/utils/*
  9. Connect Moab to MongoDB.

    The USEDATABASE parameter is unrelated to the MongoDB configuration.

    1. Set the MONGOSERVER parameter in /opt/moab/etc/moab.cfg to the MongoDB server hostname. Use localhost as the hostname if Moab and MongoDB are hosted on the same server.
      MONGOSERVER <host>[:<port>]

      If your MONGOSERVER host is set to anything other than localhost, edit the /etc/mongod.conf file on the MongoDB server host and either comment out any bind_ip parameter or set it to the correct IP address.

      # Listen to local interface only. Comment out to listen on all interfaces.
      #bind_ip=127.0.0.1
    2. In the /opt/moab/etc/moab-private.cfg file, set the MONGOUSER and MONGOPASSWORD parameters to the MongoDB moab_user credentials you set. See 6.13.2.C Install MongoDB.
      MONGOUSER     moab_user
      MONGOPASSWORD secret2
    3. Verify that Moab is able to connect to MongoDB.

      On hosts that use SysV init:

      [root]# service moab restart
      [root]# mdiag -S | grep Mongo
      
      Mongo connection (localhost) is up (credentials are set)

      On hosts that use systemd:

      [root]# systemctl restart moab.service
      [root]# mdiag -S | grep Mongo
      
      Mongo connection (localhost) is up (credentials are set)
  10. Secure communication using secret keys.

    1. (Required) Moab and MWS use Message Authentication Codes (MAC) to ensure messages have not been altered or corrupted in transit. Generate a key and store the result in /opt/moab/etc/.moab.key.

      On hosts that use SysV init:

      [root]# service moab stop
      [root]# dd if=/dev/urandom count=24 bs=1 2>/dev/null | base64 > /opt/moab/etc/.moab.key
      [root]# chown root:root /opt/moab/etc/.moab.key
      [root]# chmod 400 /opt/moab/etc/.moab.key
      [root]# service moab start

      On hosts that use systemd:

      [root]# systemctl stop moab.service
      [root]# dd if=/dev/urandom count=24 bs=1 2>/dev/null | base64 > /opt/moab/etc/.moab.key
      [root]# chown root:root /opt/moab/etc/.moab.key
      [root]# chmod 400 /opt/moab/etc/.moab.key
      [root]# systemctl start moab.service
    2. (Optional) Moab supports message queue security using AES. This feature requires a Base64-encoded 16-byte (128-bit) shared secret. Do the following:
      1. Generate a key and append the result to /opt/moab/etc/moab-private.cfg.

        On hosts that use SysV init:

        [root]# service moab stop
        [root]# echo "MESSAGEQUEUESECRETKEY $(dd if=/dev/urandom count=16 bs=1 2>/dev/null | base64)" >> /opt/moab/etc/moab-private.cfg
        [root]# service moab start

        On hosts that use systemd:

        [root]# systemctl stop moab.service
        [root]# echo "MESSAGEQUEUESECRETKEY $(dd if=/dev/urandom count=16 bs=1 2>/dev/null | base64)" >> /opt/moab/etc/moab-private.cfg
        [root]# systemctl start moab.service

        If MWS is configured to encrypt the message queue and Moab is not (or vice versa), then MWS will ignore the messages from Moab.

      2. Verify that encryption is on for the ZeroMQ connection.
        [root]# mdiag -S|grep 'ZeroMQ MWS'
        
          ZeroMQ MWS connection is bound on port 5570 (encryption is on)
  11. Set up the MWS configuration files. In the extracted directory are several configuration files.

    1. Copy the configuration files into place and grant the tomcat user ownership.

      [root]# cd /tmp/mws-install/mws-9.0.3
      [root]# cp mws-config.groovy /opt/mws/etc
      [root]# cp mws-config-hpc.groovy /opt/mws/etc/mws.d
      [root]# chown tomcat:tomcat /opt/mws/etc/mws-config.groovy /opt/mws/etc/mws.d/mws-config-hpc.groovy
    2. In the /opt/mws/etc/mws-config.groovy file, change these settings:
      • moab.secretKey: Must match the Moab secret key you generated earlier (contained in /opt/moab/etc/.moab.key).
      • auth.defaultUser.username: Any value you like, or leave as is.
      • auth.defaultUser.password: Any value you like, but choose a strong password.
      • moab.messageQueue.secretKey: If you opted to configure a message queue security key, this value should match exactly the MESSAGEQUEUESECRETKEY value you generated earlier in /opt/moab/etc/moab-private.cfg.
      • If MWS is configured to encrypt the message queue and Moab is not (or vice versa), then the messages from Moab will be ignored.

      [root]# vi /opt/mws/etc/mws-config.groovy

      // Replace <ENTER-KEY-HERE> with the contents of /opt/moab/etc/.moab.key.

      moab.secretKey = "<ENTER-KEY-HERE>"
      moab.server = "localhost"
      moab.port = 42559

      // Replace <ENTER-KEY-HERE> with the value of MESSAGEQUEUESECRETKEY in /opt/moab/etc/moab-private.cfg.
      
      moab.messageQueue.secretKey = "<ENTER-KEY-HERE>"
      
      // Change these to be whatever you like.
      
      auth.defaultUser.username = "moab-admin"
      auth.defaultUser.password = "changeme!"

      If you do not change auth.defaultUser.password, your MWS will not be secure (because anyone reading these instructions would be able to log into your MWS). Here are some tips for choosing a good password.

    3. If you are using Moab Accounting Manager, change these settings in /opt/mws/etc/mws.d/mws-config-hpc.groovy:
      • mam.secretKey: needs to match the MAM secret key in /opt/mam/etc/mam-site.conf on the MAM Server (as token.value)
      • mam.server: set to the hostname of the MAM Server
      • mam.port: set to the port of the MAM Server
      [root]# vi /opt/mws/etc/mws.d/mws-config-hpc.groovy
      
      mam.secretKey = "<ENTER-KEY-HERE>"
      mam.server = "localhost"
      mam.port = 7112
    4. Do one of the following:

      You can configure only one authentication method in /opt/mws/etc/mws-config.groovy—LDAP or PAM, but not both. If you have configured both LDAP and PAM, MWS defaults to using LDAP.

      If you need multiple authentication methods, you must add them to your local PAM configuration. See your distribution documentation for details.

      • If you are configuring an MWS connection to your LDAP server, add the following parameters to the /opt/mws/etc/mws-config.groovy file:
        ldap.server  = "192.168.0.5"
        ldap.port = 389
        ldap.baseDNs = ["dc=acme,dc=com"]
        ldap.bindUser = "cn=Manager,dc=acme,dc=com"
        ldap.password = "*****"
        ldap.directory.type = "OpenLDAP Using InetOrgPerson Schema"

        This is just an example LDAP connection. Be sure to use the appropriate domain controllers (dc) and common names (cn) for your environment.

        If you followed the Adaptive Computing tutorial, Setting Up OpenLDAP on CentOS 6, your ldap.directory.type should be set to "OpenLDAP Using InetOrgPerson Schema." However, the use of other schemas is supported. For more information see LDAP Configuration Using /opt/mws/etc/mws-config.groovy.

        To see how to configure a secure connection to the LDAP server, see Securing the LDAP Connection.

      • If you are configuring MWS to use PAM, add the pam.configuration.service parameter to the /opt/mws/etc/mws-config.groovy file. For example:
        pam.configuration.service = "login"

        This is just an example PAM configuration file name. Make sure you specify the name of the configuration file you want MWS to use.

        Configuring MWS to authenticate via PAM using local passwd and shadow files presents a significant security risk. To make local authentication work, you would need to run Tomcat as root or give Tomcat read access to /etc/shadow. This configuration is highly discouraged and is not supported by Adaptive Computing.

        The recommended approach is to configure PAM and NSS to authenticate against NIS or LDAP. For example, to make sure users with both local and NIS accounts are authenticating against NIS, configure the nsswitch.conf file as shown below.

        passwd: nis files
        shadow: nis files
        group:  nis files

        For more information about PAM configuration with MWS, see PAM (Pluggable Authentication Module) Configuration Using /opt/mws/etc/mws-config.groovy.

    5. Add the grails.mongo.username and grails.mongo.password parameters to the /opt/mws/etc/mws-config.groovy file. Use the MWS credentials you added to MongoDB in the Preparing for Manual Installation section.
      ...
      grails.mongo.username = "mws_user"
      grails.mongo.password = "secret3"
    6. Make the MWS configuration files read-only.
      [root]# chmod 400 /opt/mws/etc/mws-config.groovy /opt/mws/etc/mws.d/mws-config-hpc.groovy
  12. Configure Tomcat

    Add the following lines to the end of /etc/tomcat/tomcat.conf.

    CATALINA_OPTS="-DMWS_HOME=/opt/mws -Xms256m -Xmx3g -XX:MaxPermSize=384m -Dfile.encoding=UTF8"
    JAVA_HOME="/usr/java/latest"

    MaxPermSize is ignored by Java 8 and can therefore be omitted.

  13. Deploy the mws.war file and start Tomcat.
    On hosts that use SysV init:

    [root]# chkconfig tomcat on
    [root]# service tomcat stop
    [root]# cp /tmp/mws-install/mws-9.0.3/mws.war /usr/share/tomcat/webapps
    [root]# service tomcat start

    On hosts that use systemd:

    [root]# systemctl enable tomcat.service
    [root]# systemctl stop tomcat.service
    [root]# cp /tmp/mws-install/mws-9.0.3/mws.war /usr/share/tomcat/webapps
    [root]# systemctl start tomcat.service
  14. Navigate to http://<server>:8080/mws/ in a web browser to verify that MWS is running (you will see some sample queries and a few other actions).
  15. Log in to MWS to verify that your credentials are working. (Your login credentials are the auth.defaultUser.username and auth.defaultUser.password values you set in the /opt/mws/etc/mws-config.groovy file.)

    If you encounter problems, or if the application does not seem to be running, see the steps in 6.59 Moab Web Services Issues.
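
The steps "Secure communication using secret keys" and "Set up the MWS configuration files" leave the same secrets in several files that must stay in sync and stay unreadable to other users. The script below is an added example, not part of the Adaptive Computing instructions; it checks those files after installation. The function names (gval, nbytes, mws_audit) are hypothetical, and it assumes GNU stat and base64.

```shell
#!/bin/sh
# Added example: audit the secrets set up in "Secure communication using secret
# keys" and "Set up the MWS configuration files". Assumes GNU stat and base64.

# Print the last quoted value assigned to a Groovy key, e.g. moab.secretKey.
gval() {
  k=$(printf '%s' "$1" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$2" 2>/dev/null | tail -n 1
}

# Number of bytes a Base64 string decodes to.
nbytes() { printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '; }

# mws_audit <moab etc dir> <mws etc dir>: print one FAIL line per finding;
# return 0 when clean, 1 otherwise. Secret values are never printed.
mws_audit() {
  moab=$1 mws=$2/mws-config.groovy rc=0
  bad() { echo "FAIL: $*"; rc=1; }

  for f in "$moab/.moab.key" "$mws"; do
    [ "$(stat -c %a "$f" 2>/dev/null)" = 400 ] || bad "$f is not mode 400"
  done

  key=$(cat "$moab/.moab.key" 2>/dev/null || true)
  [ "$(nbytes "$key")" = 24 ] || bad ".moab.key does not decode to 24 bytes"
  [ "$key" = "$(gval moab.secretKey "$mws")" ] || bad "moab.secretKey differs from .moab.key"

  # The queue key is optional, but must be set on both sides or on neither.
  mq=$(awk '$1 == "MESSAGEQUEUESECRETKEY" { v = $2 } END { print v }' \
       "$moab/moab-private.cfg" 2>/dev/null || true)
  mwsmq=$(gval moab.messageQueue.secretKey "$mws")
  if [ -n "$mq$mwsmq" ]; then
    [ "$(nbytes "$mq")" = 16 ] || bad "MESSAGEQUEUESECRETKEY does not decode to 16 bytes"
    [ "$mq" = "$mwsmq" ] || bad "message queue key differs between Moab and MWS"
  fi

  [ "$(gval auth.defaultUser.password "$mws")" != "changeme!" ] ||
    bad "auth.defaultUser.password is still the documented default"
  return "$rc"
}

# Constructed fixture: keys in sync, default MWS password left unchanged.
demo() {
  d=$(mktemp -d) && mkdir "$d/moab" "$d/mws"
  dk=$(printf 'CONSTRUCTED_EXAMPLE_KEY_' | base64)
  printf '%s\n' "$dk" > "$d/moab/.moab.key"
  printf 'moab.secretKey = "%s"\nauth.defaultUser.password = "changeme!"\n' "$dk" \
    > "$d/mws/mws-config.groovy"
  chmod 400 "$d/moab/.moab.key" "$d/mws/mws-config.groovy"
  mws_audit "$d/moab" "$d/mws"; rm -rf "$d"
}
demo || true
```

On the MWS Server Host, with the default locations used in these instructions, the call is mws_audit /opt/moab/etc /opt/mws/etc, run as root so the mode 400 files are readable.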

© 2017 Adaptive Computing