URL Configuration for KFS Application

General


This is the retained documentation from the Kuali "URL standardization" project. Some of this documentation is no longer relevant, but the majority of it is still a valid reference for how the KFS application works with UCONN's Apache load balancers to create and deliver URLs out to clients. - BLD

 

New URLs for each environment 

https://kuali<ENV>.uconn.edu/<APP>

Currently two types of environments:

Load balanced, and non load balanced

 

old                             new
dev.kfs.uconn.edu/kfs-dev       kualinp.uconn.edu/kfs-dev
dev.kr.uconn.edu:8080/kr-dev    kualinp.uconn.edu/kr-dev
ye.kfs.uconn.edu/kfs-dev        kualinp.uconn.edu/kfs-ye
ye.kfs.uconn.edu/kr-dev         kualinp.uconn.edu/kr-ye
trn.kfs.uconn.edu/kfs-dev       kualinp.uconn.edu/kfs-trn
trn.kfs.uconn.edu/kr-dev        kualinp.uconn.edu/kr-trn
dr.kfs.uconn.edu/kfs-prd        kualinp.uconn.edu/kfs-dr
dr.kfs.uconn.edu/kr-prd         kualinp.uconn.edu/kr-dr
kfs.uconn.edu/kfs-uat           kualinp.uconn.edu/kfs-uat
kfs.uconn.edu/kr-uat            kualinp.uconn.edu/kr-uat
kfs.uconn.edu/kfs-sup           kualinp.uconn.edu/kfs-sup
kfs.uconn.edu/kr-sup            kualinp.uconn.edu/kr-sup
kfs.uconn.edu/kfs-prd           kuali.uconn.edu/kfs-prd
kfs.uconn.edu/kr-prd            kuali.uconn.edu/kr-prd

 

Procedure


New proposed procedure:

  • Setup new dev loadbalancer (Mitch)
    • (named virtual host?)
  • Convert dev -> kualidev.uconn.edu on new load balancer (currently on prd load balancer)
  • Convert UAT, SUP, TRN, DR, YE...

 

 

Adjusting the configuration

SA PORTION:

Add or edit the configuration on the load balancers:

Mitch's Wheelhouse

add a file on the load balancer*

/etc/apache2/sites-available/kuali<env>.uconn.edu

and

/etc/apache2/sites-available/kuali<env>80.uconn.edu

 

Don't forget to change the ErrorLog and CustomLog entries in the files above as well.

Enable it with:

cd /etc/apache2/sites-available/

a2ensite kuali<env>.uconn.edu

/etc/init.d/apache2 reload

 

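Adding a new self-signed cert to the load balancer (use a 2048-bit key, as in the non-production procedure below; 1024-bit RSA is too weak for current use):

openssl genrsa -des3 -out kualidev_uconn_edu.key 2048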
openssl req -new -key kualidev_uconn_edu.key -out kualidev_uconn_edu.csr
cp kualidev_uconn_edu.key kualidev_uconn_edu.key.org
openssl rsa -in kualidev_uconn_edu.key.org -out kualidev_uconn_edu.key
openssl x509 -req -days 365 -in kualidev_uconn_edu.csr  -signkey kualidev_uconn_edu.key -out kualidev_uconn_edu.crt

Creating a self-signed certificate for non-production

 

openssl genrsa -des3 -out privkey.pem 2048

When prompted for the pass phrase, type kuali

openssl req -new -key privkey.pem -out cert.csr

 

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CT
Locality Name (eg, city) []:Storrs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UConn
Organizational Unit Name (eg, section) []:UITS
Common Name (eg, YOUR name) []:kualidev.uconn.edu
Email Address []:noreply@uconn.edu

Rename the certs, then move the *.crt and *.key files to /etc/apache2/certs/

ON (env).krapps.uconn.edu Servers:

Verify that all references to http in /srv/uconn_configs/workflow/conf/workflow_clientapp.xml have been changed to https (if not, notify devs or CM).

Add the LB certificate to the JVM keystore:

# keytool -importcert -file /root/kuali(env)_uconn_edu.crt -keystore /etc/pki/java/cacerts -alias kuali(env)

 

CM PORTION:

Now, on the target system, turn off the application server:

sudo /sbin/service tomcat6 stop


change the following file:

/etc/tomcat6/tomcat6.conf

  • change appserver.url (from http://<env>.<app>.uconn.edu to https://kuali<env>.uconn.edu )
  • change application.url (from http://<env>.<app>.uconn.edu/<app>-<env> to https://kuali<env>.uconn.edu/<app> )
  • add -DKUALI_ENV=<env> to JAVA_OPTS

 

 

EXAMPLE
JAVA_OPTS="$JAVA_OPTS -Dappserver.url=https://kualidev.uconn.edu"
JAVA_OPTS="$JAVA_OPTS -Dapplication.url=https://kualidev.uconn.edu/kfs"
JAVA_OPTS="$JAVA_OPTS -DKUALI_ENV=dev"

 

 

/etc/tomcat6/server.xml

  • add the jvmRoute to the 8009 connector definition; the jvmRoute needs to equal the route definition in the load balancer for that environment
  • also ensure that the numeric node names for the load-balancer routes are correct if this is a multi-node environment
EXAMPLE
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" jvmRoute="devkr"/>
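
The jvmRoute requirement above can be checked before Tomcat is restarted. The script below is an added example, not part of the original procedure: it compares the jvmRoute in server.xml with the route= values on the BalancerMember lines of the load balancer site file (shown later on this page). The function names and the sample files are made up for the illustration.

```sh
#!/bin/sh
# Added example (hypothetical function names). Assumes each jvmRoute attribute
# and each BalancerMember directive sits on a single line, as on this page.

# Print the first jvmRoute value in a server.xml, ignoring XML comments
# (Tomcat's stock server.xml carries a commented-out jvmRoute sample). The
# attribute is read wherever it appears; Tomcat's own documentation defines
# it on the <Engine> element.
jvm_route() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" |
        sed -n 's/.*jvmRoute="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the route= value of every BalancerMember line in an Apache site file.
balancer_routes() {
    grep -E '^[[:space:]]*BalancerMember[[:space:]]' "$1" |
        sed -n 's/.*[[:space:]]route=\([^[:space:]]*\).*/\1/p'
}

# Return 0 when the jvmRoute is one of the balancer routes, 1 when it is not,
# and 2 when server.xml sets no jvmRoute at all.
check_route() {
    cr_route=$(jvm_route "$1")
    if [ -z "$cr_route" ]; then
        echo "FAIL: no jvmRoute set in $1"
        return 2
    fi
    if balancer_routes "$2" | grep -qxF -- "$cr_route"; then
        echo "OK: jvmRoute=$cr_route matches a BalancerMember route"
        return 0
    fi
    echo "FAIL: jvmRoute=$cr_route is not a BalancerMember route in $2"
    return 1
}

# Constructed sample input built from the devkr values shown on this page.
demo=$(mktemp -d)
cat > "$demo/server.xml" <<'EOF'
<!-- sample only:
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" jvmRoute="devkr"/>
EOF
cat > "$demo/site.conf" <<'EOF'
BalancerMember ajp://devkr.uconn.edu:8009/kr route=devkr
EOF
check_route "$demo/server.xml" "$demo/site.conf" || true
rm -rf "$demo"
```

In a multi-node environment, run it on each node against the same site file; every node's jvmRoute should match a different BalancerMember route.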

 

 /etc/tomcat6/Catalina/localhost/<app>-<env>.xml 

  • remove this file if it exists (old deployment descriptor)

 

/usr/share/tomcat6/webapps/

  • rename the war (remove -<env> from name) 

 

IF KFS:

/srv/uconn_configs/configuration-defaults-config.xml

  • Use devkfs's version of this file as a template moving forward into other environments, because it uses ${application.url} and ${appserver.url} everywhere, virtually making the file environment agnostic. (except for database credentials in this file)
  • On any systems besides DEV or PRD the variable ${KUALI_ENV} must be set to "dev". This is due to "DEV" essentially meaning "NON-PROD" in paths like /dev/staging/.

/srv/uconn_configs/deployer.sh

  • remove all occurrences of -${KUALI_ENV} (see devkfs's version of this file as an example)



IF RICE:


/srv/uconn_configs/rice-config/rice-config.xml

  • change   <param name="app.context.name">kr-ENV</param>  to   <param name="app.context.name">kr</param>
  • change <param name="application.host">...</param>  to  <param name="application.host">${appserver.url}</param>

 

IF KRAPPS:

You must change the workflow_clientapp.xml file

/srv/uconn_configs/workflow/conf/workflow_clientapp.xml

Change all instances of the old style URL (example: http://uat1.kr.uconn.edu:8080/kr-uat/remoting/)

to the new URL format (example: https://kualiuat.uconn.edu/kr/remoting/)
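
The URL change described above can be scripted and then verified. The following is an added example, not part of the original procedure: it rewrites old-style URLs to the new format and lists any uconn.edu URL that is still plain http. It assumes the kuali<env> host name can be derived from the -<env> context suffix, as in the uat example above; the function names and the sample file are made up for the illustration.

```sh
#!/bin/sh
# Added example (hypothetical function names, constructed sample data).

# stdin -> stdout. Applies the rule stated on this page:
#   http://<host>.<app>.uconn.edu[:port]/<app>-<env> -> https://kuali<env>.uconn.edu/<app>
# <env> is taken from the context suffix because old host names such as "uat1"
# carry a node number. Intended for non-production: the table on this page
# lists production under kuali.uconn.edu.
rewrite_urls() {
    sed -E 's#http://[A-Za-z0-9]+\.(kfs|kr)\.uconn\.edu(:[0-9]+)?/(kfs|kr)-([a-z]+)#https://kuali\4.uconn.edu/\3#g'
}

# Print "line:text" for each line that still has an http:// URL on a uconn.edu
# host; XML namespace URIs also start with http:// and are not reported.
# Returns 0 when the file is clean, 1 when something needs manual attention.
leftover_http() {
    if grep -nE 'http://[^/"<[:space:]]*uconn\.edu' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample; not the real layout of workflow_clientapp.xml.
work=$(mktemp -d)
cat > "$work/old.xml" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans">
<value>http://uat1.kr.uconn.edu:8080/kr-uat/remoting/</value>
<value>http://uat1.kfs.uconn.edu/kfs-uat/remoting/</value>
<value>http://legacy.uconn.edu/status</value>
</beans>
EOF
rewrite_urls < "$work/old.xml" > "$work/new.xml"
diff "$work/old.xml" "$work/new.xml" || true   # shows the two rewritten lines
leftover_http "$work/new.xml" || echo "fix the lines listed above by hand"
rm -rf "$work"
```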

 

Change job in jenkins:

for KFS:

Before the command that scp's the war, add a new war renaming command:

### Copy .war file to /webapps folder
#rename .war to 'new' naming convention 07/10/2013
mv kfs*.war kfs.war

 

for RICE:

Before the command that scp's the war, add a new war renaming command:

### rename the war artifact and move it to the current directory
mv ${WORKSPACE}/web/target/rice*.war ${WORKSPACE}/kr.war;

 

Pitfalls:

If you get

"HTTP Status 404 - Invalid path was requested"

when you click on the admin tab, for instance, double-check that rice.url is set properly in rice-config.xml on the rice server.

 

Load Balancer Configuration

These servers sit behind the Development/Test Load Balancers (b.uits.uconn.edu). The following configuration changes were made to properly handle the traffic:

/etc/apache2/sites-available/kualidev80.uconn.edu

<VirtualHost kualidev.uconn.edu:80>
    ServerAdmin mitch@uconn.edu
    ServerName kualidev.uconn.edu
    Redirect / https://kualidev.uconn.edu/

    ErrorLog ${APACHE_LOG_DIR}/kualidev.uconn.edu-error.log

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/kualidev.uconn.edu-access.log combined
</VirtualHost>

==============================================================================================

/etc/apache2/sites-available/kualidev.uconn.edu

<VirtualHost kualidev.uconn.edu:443>
    ServerAdmin kualifinancials@uconn.edu
    ServerName kualidev.uconn.edu

    ###############################################
    ####          CLUSTER DEFINITIONS          ####
    ###############################################

    ProxyPreserveHost On
    ProxyStatus On

    ##############################
    ### DEV SYSTEM DEFINITIONS ###
    ##############################
    ProxyPass /kfs balancer://devkfsCluster
    ProxyPassReverse /kfs balancer://devkfsCluster

    <Proxy balancer://devkfsCluster>
        BalancerMember ajp://devkfs.uconn.edu:8009/kfs keepalive=On route=devkfs
        ProxySet lbmethod=byrequests
        ProxySet stickysession=JSESSIONID|jsessionid
        ProxySet nofailover=On
    </Proxy>

    ProxyPass /kr balancer://devkrCluster
    ProxyPassReverse /kr balancer://devkrCluster

    <Proxy balancer://devkrCluster>
        BalancerMember ajp://devkr.uconn.edu:8009/kr route=devkr
        ProxySet lbmethod=byrequests
        ProxySet stickysession=JSESSIONID|jsessionid
        ProxySet nofailover=On
    </Proxy>

    # Forward Proxy
    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Deny from none
        Allow from localhost
    </Proxy>

    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #  A self-signed (snakeoil) certificate can be created by installing the ssl-cert package.
    #  See /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateKeyFile    /etc/apache2/certs/kualidev_uconn_edu.key
    SSLCertificateFile    /etc/apache2/certs/kualidev_uconn_edu.crt

</VirtualHost>

==============================================================================================

# a2ensite kualidev80.uconn.edu
# a2ensite kualidev.uconn.edu

# /etc/init.d/apache2 reload







Test Plan

The environment-standardizing URL change will first be performed in non-production environments (DEV, UAT, SUP, etc.), on both load-balanced and non-load-balanced systems. Once the changes have been made, users will test that they still have full access to the systems from both the internal and external networks. Once this is confirmed successful, the Production systems will be altered. Select users will be available to test the Production change on the day of the cutover.

Back Out Plan 

In the event the change does not work properly, the changes made to the server side and load balancer, as well as the system configuration will be backed out of the configuration files.  The details of the changes to be made on each system can be found above on this page.