URL Configuration for KFS Application
General
This is the retained documentation from the Kuali "URL standardization" project. Some of this documentation is no longer relevant, but the majority of it is still a valid reference set of how the KFS application works with UCONN's Apache load balancers to create and deliver URLs out to clients. - BLD
New URLs for each environment
https://kuali<ENV>.uconn.edu/<APP>
There are currently two types of environments: load balanced and non-load balanced.
old | new |
---|---|
dev.kfs.uconn.edu/kfs-dev | kualinp.uconn.edu/kfs-dev |
dev.kr.uconn.edu:8080/kr-dev | kualinp.uconn.edu/kr-dev |
ye.kfs.uconn.edu/kfs-dev | kualinp.uconn.edu/kfs-ye |
ye.kfs.uconn.edu/kr-dev | kualinp.uconn.edu/kr-ye |
trn.kfs.uconn.edu/kfs-dev | kualinp.uconn.edu/kfs-trn |
trn.kfs.uconn.edu/kr-dev | kualinp.uconn.edu/kr-trn |
dr.kfs.uconn.edu/kfs-prd | kualinp.uconn.edu/kfs-dr |
dr.kfs.uconn.edu/kr-prd | kualinp.uconn.edu/kr-dr |
kfs.uconn.edu/kfs-uat | kualinp.uconn.edu/kfs-uat |
kfs.uconn.edu/kr-uat | kualinp.uconn.edu/kr-uat |
kfs.uconn.edu/kfs-sup | kualinp.uconn.edu/kfs-sup |
kfs.uconn.edu/kr-sup | kualinp.uconn.edu/kr-sup |
kfs.uconn.edu/kfs-prd | kuali.uconn.edu/kfs-prd |
kfs.uconn.edu/kr-prd | kuali.uconn.edu/kr-prd |
Procedure
New proposed procedure:
- Set up new dev load balancer (Mitch)
- (named virtual host?)
- Convert dev -> kualidev.uconn.edu on new load balancer (currently on prd load balancer)
- Convert UAT, SUP, TRN, DR, YE...
Adjusting the configuration
SA PORTION:
Add or edit the configuration on the load balancers:
Mitch's Wheelhouse
Add a file on the load balancer:
/etc/apache2/sites-available/kuali<env>.uconn.edu
and
/etc/apache2/sites-available/kuali<env>80.uconn.edu
Don't forget to change the error and custom logs as well in the above.
Enable it with:
cd /etc/apache2/sites-available/
a2ensite kuali<env>.uconn.edu
/etc/init.d/apache2 reload
Adding a new self-signed cert to the load balancer:
# 2048-bit RSA key, as in the non-production procedure below; 1024-bit RSA is no longer considered adequate
openssl genrsa -des3 -out kualidev_uconn_edu.key 2048
openssl req -new -key kualidev_uconn_edu.key -out kualidev_uconn_edu.csr
cp kualidev_uconn_edu.key kualidev_uconn_edu.key.org
openssl rsa -in kualidev_uconn_edu.key.org -out kualidev_uconn_edu.key
openssl x509 -req -days 365 -in kualidev_uconn_edu.csr -signkey kualidev_uconn_edu.key -out kualidev_uconn_edu.crt
Creating a self signed certificate for non production
openssl genrsa -des3 -out privkey.pem 2048
type kuali
openssl req -new -key privkey.pem -out cert.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CT
Locality Name (eg, city) []:Storrs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UConn
Organizational Unit Name (eg, section) []:UITS
Common Name (eg, YOUR name) []:kualidev.uconn.edu
Email Address []:noreply@uconn.edu
Rename the certs.
Move the *.crt and *.key files to /etc/apache2/certs/
ON (env).krapps.uconn.edu Servers:
Verify that all references to http in /srv/uconn_configs/workflow/conf/workflow_clientapp.xml have been changed to https (if not, notify devs or CM).
add the LB certificate to the JVM keystore:
# keytool -importcert -file /root/kuali(env)_uconn_edu.crt -keystore /etc/pki/java/cacerts -alias kuali(env)
CM PORTION:
now on the target system, turn off the application server:
sudo /sbin/service tomcat6 stop
change the following file:
/etc/tomcat6/tomcat6.conf
- change appserver.url (from http://<env>.<app>.uconn.edu to https://kuali<env>.uconn.edu )
- change application.url (from http://<env>.<app>.uconn.edu/<app>-<env> to https://kuali<env>.uconn.edu/<app> )
- add -DKUALI_ENV=<env> to JAVA_OPTS
JAVA_OPTS="$JAVA_OPTS -Dappserver.url=https://kualidev.uconn.edu"
JAVA_OPTS="$JAVA_OPTS -Dapplication.url=https://kualidev.uconn.edu/kfs"
JAVA_OPTS="$JAVA_OPTS -DKUALI_ENV=dev"
/etc/tomcat6/server.xml
- add the jvmRoute to the 8009 connector definition, the jvmRoute needs to equal the route definition in the load balancer for that environment
- Also ensure that the numeric node names for the load-balancer routes are correct if this is a multi-node environment
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" jvmRoute="devkr"/>
/etc/tomcat6/Catalina/localhost/<app>-<env>.xml
- remove this file if it exists (old deployment descriptor)
/usr/share/tomcat6/webapps/
- rename the war (remove -<env> from name)
IF KFS:
/srv/uconn_configs/configuration-defaults-config.xml
- Use devkfs's version of this file as a template moving forward into other environments, because it uses ${application.url} and ${appserver.url} everywhere, virtually making the file environment agnostic. (except for database credentials in this file)
- On any systems besides DEV or PRD the variable ${KUALI_ENV} must be set to "dev". This is due to "DEV" essentially meaning "NON-PROD" in paths like /dev/staging/.
/srv/uconn_configs/deployer.sh
Remove all occurrences of -${KUALI_ENV} (see devkfs's version of this file as an example).
IF RICE:
/srv/uconn_configs/rice-config/rice-config.xml
- change <param name="app.context.name">kr-ENV</param> to <param name="app.context.name">kr</param>
- change <param name="application.host">...</param> to <param name="application.host">${appserver.url}</param>
IF KRAPPS:
You must change the workflow_clientapp.xml file
/srv/uconn_configs/workflow/conf/workflow_clientapp.xml
Change all instances of the old style URL (example: http://uat1.kr.uconn.edu:8080/kr-uat/remoting/)
to the new URL format (example: https://kualiuat.uconn.edu/kr/remoting/)
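A scan for leftover old-style URLs in workflow_clientapp.xml, as an added example (not part of the original documentation). The sample XML and its param names are constructed; the two URLs are the old and new examples given above. The rules assume new-style hosts follow the kuali<ENV>.uconn.edu pattern and skip URLs outside uconn.edu, so XML namespace URIs are not reported.

```python
import re

# Constructed sample: param names are hypothetical, the two uconn.edu URLs
# are the old-style and new-style examples from this page.
SAMPLE = """<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <param name="example.old">http://uat1.kr.uconn.edu:8080/kr-uat/remoting/</param>
  <param name="example.new">https://kualiuat.uconn.edu/kr/remoting/</param>
</config>"""

URL_RE = re.compile(r"(https?)://([A-Za-z0-9.-]+)(?::(\d+))?(/[^\s<>\"']*)?")
OLD_CONTEXT_RE = re.compile(r"/(kfs|kr)-[a-z0-9]+(/|$)")


def audit(text, domain="uconn.edu"):
    """Return (line number, url, reasons) for each old-style URL in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            scheme, host, port, path = m.groups()
            host = host.lower()
            if not (host == domain or host.endswith("." + domain)):
                continue  # namespace URIs and other external identifiers
            reasons = []
            if scheme != "https":
                reasons.append("cleartext http")
            if port:
                reasons.append("explicit port " + port)
            if not host.startswith("kuali"):
                reasons.append("old-style host")
            if OLD_CONTEXT_RE.match(path or ""):
                reasons.append("environment suffix in context path")
            if reasons:
                findings.append((lineno, m.group(0), reasons))
    return findings


if __name__ == "__main__":
    for lineno, url, reasons in audit(SAMPLE):
        print("line %d: %s -> %s" % (lineno, url, ", ".join(reasons)))
```

An empty result means every uconn.edu URL in the file already uses https, the load balancer host name, and the un-suffixed context path.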
Change job in jenkins:
for KFS:
Before the command that scp's the war, add a new war renaming command:
### Copy .war file to /webapps folder
#rename .war to 'new' naming convention 07/10/2013
mv kfs*.war kfs.war
for RICE:
Before the command that scp's the war, add a new war renaming command:
### rename the war artifact and move it to the current directory
mv ${WORKSPACE}/web/target/rice*.war ${WORKSPACE}/kr.war;
Pitfalls:
If you get
"HTTP Status 404 - Invalid path was requested"
when you click on the admin tab, for instance, double-check that rice.url is set properly in rice-config.xml on the Rice server.
Load Balancer Configuration
These servers sit behind the Development/Test Load Balancers (b.uits.uconn.edu). The following configuration changes were made to properly handle the traffic:
/etc/apache2/sites-available/kualidev80.uconn.edu

<VirtualHost kualidev.uconn.edu:80>
    ServerAdmin mitch@uconn.edu
    ServerName kualidev.uconn.edu
    Redirect / https://kualidev.uconn.edu/
    ErrorLog ${APACHE_LOG_DIR}/kualidev.uconn.edu-error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/kualidev.uconn.edu-access.log combined
</VirtualHost>

==============================================================================================

/etc/apache2/sites-available/kualidev.uconn.edu

<VirtualHost kualidev.uconn.edu:443>
    ServerAdmin kualifinancials@uconn.edu
    ServerName kualidev.uconn.edu

    ###############################################
    ####         CLUSTER DEFINITIONS           ####
    ###############################################
    ProxyPreserveHost On
    ProxyStatus On

    ##############################
    ### DEV SYSTEM DEFINITIONS ###
    ##############################
    ProxyPass /kfs balancer://devkfsCluster
    ProxyPassReverse /kfs balancer://devkfsCluster
    <Proxy balancer://devkfsCluster>
        BalancerMember ajp://devkfs.uconn.edu:8009/kfs keepalive=On route=devkfs
        ProxySet lbmethod=byrequests
        ProxySet stickysession=JSESSIONID|jsessionid
        ProxySet nofailover=On
    </Proxy>

    ProxyPass /kr balancer://devkrCluster
    ProxyPassReverse /kr balancer://devkrCluster
    <Proxy balancer://devkrCluster>
        BalancerMember ajp://devkr.uconn.edu:8009/kr route=devkr
        ProxySet lbmethod=byrequests
        ProxySet stickysession=JSESSIONID|jsessionid
        ProxySet nofailover=On
    </Proxy>

    # Forward Proxy
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Deny from none
        Allow from localhost
    </Proxy>

    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # A self-signed (snakeoil) certificate can be created by installing the ssl-cert package.
    # See /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateKeyFile /etc/apache2/certs/kualidev_uconn_edu.key
    SSLCertificateFile /etc/apache2/certs/kualidev_uconn_edu.crt
</VirtualHost>

==============================================================================================

# a2ensite kualidev80.uconn.edu
# a2ensite kualidev.uconn.edu
# /etc/init.d/apache2 reload
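A consistency check for the jvmRoute and route= pairing that this page requires to match, as an added example (not part of the original documentation). The inline samples are constructed from the devkr entries above; Tomcat documents jvmRoute as an attribute of <Engine>, so the check reads it there as well as on the AJP Connector where this page places it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the devkr entries shown on this page.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" jvmRoute="devkr"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""
LB_CONF = """<Proxy balancer://devkrCluster>
  BalancerMember ajp://devkr.uconn.edu:8009/kr route=devkr
  ProxySet stickysession=JSESSIONID|jsessionid
</Proxy>"""

MEMBER_RE = re.compile(r"^[ \t]*BalancerMember[ \t]+ajp://([^:/\s]+)[^\n]*$", re.M | re.I)

def tomcat_routes(server_xml):
    """Collect jvmRoute values from <Engine> (where Tomcat documents the
    attribute) and from <Connector> (where this page places it)."""
    root = ET.fromstring(server_xml)
    found = {}
    for tag in ("Engine", "Connector"):
        for node in root.iter(tag):
            if node.get("jvmRoute"):
                found[tag] = node.get("jvmRoute")
    return found

def balancer_routes(lb_conf):
    """Map each AJP backend host to its route= parameter (None if absent)."""
    routes = {}
    for m in MEMBER_RE.finditer(lb_conf):
        route = re.search(r"\broute=(\S+)", m.group(0))
        routes[m.group(1).lower()] = route.group(1) if route else None
    return routes

def check_route(server_xml, lb_conf, backend_host):
    """Return a list of mismatches; an empty list means the routes agree."""
    problems = []
    lb_route = balancer_routes(lb_conf).get(backend_host.lower())
    jvm = tomcat_routes(server_xml)
    if lb_route is None:
        problems.append("no route= on BalancerMember for " + backend_host)
    if not jvm:
        problems.append("no jvmRoute in server.xml")
    for tag, value in jvm.items():
        if lb_route is not None and value != lb_route:
            problems.append("%s jvmRoute=%s != route=%s" % (tag, value, lb_route))
    return problems
```

Run it per backend node with the node's server.xml and the load balancer's site file; in a multi-node environment each node's numeric route name is compared separately.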
Test Plan
The URL standardization change will first be performed in non-production environments (DEV, UAT, SUP, etc.), on both load balanced and non-load balanced systems. Once the changes have been made, users will test that they still have full access to the systems from both the internal and external networks. Once this is confirmed successful, the Production systems will be altered. Select users will be available to test the Production change on the day of the cutover.
Back Out Plan
In the event the change does not work properly, the changes made to the server side, the load balancer, and the system configuration will be backed out of the configuration files. The details of the changes to be made on each system can be found above on this page.