Generate Server Client Certificate and Install
----------------------------------------------
The new CN will need a DataONE CA signed client certificate installed in /etc/dataone/client/certs. The Subject will most likely be the same as the DN of the LDAP entry.

To generate the client cert for a CN node, run the following command, with appropriate substitutions for the arguments::

    sudo -s java -jar d1_certificate_manager.jar --cn cn-dev-3.dataone.org --dir /home/rwaltz/D1Certs --caPassword "password"

This will create a CN client cert in /home/rwaltz/D1Certs/cn-dev-3.crt. sftp it to the machine and copy it to /etc/dataone/client/certs/cn-dev-3.crt.
Setup LDAP Replication on Nodes for new entry
-------------------------------------------------
LDAP will need new entries for replication. As of right now, all the development machines get created with development node CNs upon installation. The entries on the new machine will need to be deleted before it is replicated, to avoid conflicts. (However, upon initial creation the dn entry dc=org will have to be entered for the initial setup to work, so installation will have to take this into account, and also determine whether it is the first server to be created in an LDAP cluster, so that population is performed initially on the first machine but not on subsequent machines.)

If the server being configured is not the first server installed for an environment, then all entries created during installation should be deleted with the following command::

    /usr/share/dataone-cn-os-core/debian/ldap/ldapDeleteAllEntries.pl

(If a server attempts to replicate entries that are duplicated on a remote machine, then replication will fail.)
The file /etc/ldap/slapd.conf will need to be configured for replication. Each property named serverID has to be unique among all the replicating servers. serverID should start at 1 and ascend sequentially.

Each server has entries for the other servers it is replicating to. For this example, c0t3, the replication section will look like the following (the syncrepl parameters are continuation lines and must be indented)::

    ########################## START OF MODIFICATIONS #####################
    # This must be unique across the set of N multi masters
    serverID 2
    # define the set of N providers, 'rid' need only be unique per-file
    syncRepl rid=1
        provider=ldap://128.111.220.50:389
        binddn="cn=admin,dc=dataone,dc=org"
        bindmethod=simple
        credentials=PASSWORD
        searchbase="dc=org"
        type=refreshAndPersist
        interval=00:00:00:05
        retry="5 5 300 5"
        timeout=1
    mirrormode on
    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100
    ########################## END OF MODIFICATIONS #####################
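The uniqueness rules above (one serverID per server, rids unique per file, a syncrepl provider for every other member and none for itself) are easy to break when a third server is added by copying the section from an existing one, and slapd does not check them for you. The following Python check is an added example, not part of the DataONE install scripts: it parses the replication section of each server's slapd.conf and reports the inconsistencies before slapd is restarted. The server addresses, the sample sections built by ``replication_section`` and the list of placeholder passwords are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PLACEHOLDER_SECRETS = {"", "PASSWORD", "CHANGEIT"}  # values nobody replaced (constructed list)


@dataclass
class ReplicationConfig:
    server_id: Optional[int] = None
    providers: List[Dict[str, str]] = field(default_factory=list)  # one dict per syncrepl stanza
    mirrormode: bool = False
    syncprov_overlay: bool = False


def parse_replication(conf_text: str) -> ReplicationConfig:
    """Extract the multi-master directives from slapd.conf text. Only the directives
    used in this document are understood; syncrepl parameters may continue on the
    following lines, one key=value per line, as in the c0t3 section above."""
    cfg, stanza = ReplicationConfig(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, eq, val = line.partition("=")
        if eq and " " not in head and stanza is not None:  # syncrepl continuation line
            stanza[head.lower()] = val.strip().strip('"')
            continue
        directive, _, rest = line.partition(" ")
        directive, rest, stanza = directive.lower(), rest.strip(), None
        if directive == "serverid":
            cfg.server_id = int(rest)
        elif directive == "syncrepl":
            stanza = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
            cfg.providers.append(stanza)
        elif directive == "mirrormode":
            cfg.mirrormode = rest.lower() == "on"
        elif directive == "overlay" and rest.lower() == "syncprov":
            cfg.syncprov_overlay = True
    return cfg


def check_cluster(configs: Dict[str, str]) -> List[str]:
    """configs maps each server's replication address to its slapd.conf text.
    Returns human-readable problems; an empty list means the cluster is consistent."""
    problems: List[str] = []
    owners: Dict[int, List[str]] = {}  # serverID -> servers claiming it
    for ip, text in configs.items():
        cfg = parse_replication(text)
        if cfg.server_id is None:
            problems.append(f"{ip}: serverID is missing")
        else:
            owners.setdefault(cfg.server_id, []).append(ip)
        if not cfg.mirrormode:
            problems.append(f"{ip}: mirrormode is not on")
        if not cfg.syncprov_overlay:
            problems.append(f"{ip}: overlay syncprov is not loaded")
        rids = [s.get("rid") for s in cfg.providers]
        if len(rids) != len(set(rids)):
            problems.append(f"{ip}: rid values are not unique within the file")
        for s in cfg.providers:
            if s.get("credentials", "") in PLACEHOLDER_SECRETS:
                problems.append(f"{ip}: rid={s.get('rid')} still uses a placeholder password")
        # host part of ldap://host:port, so peers can be matched against the cluster list
        peers = {re.sub(r"^ldaps?://", "", s.get("provider", "")).split(":")[0] for s in cfg.providers}
        expected = set(configs) - {ip}
        for missing in sorted(expected - peers):
            problems.append(f"{ip}: no syncrepl provider for {missing}")
        for extra in sorted(peers - expected):
            problems.append(f"{ip}: provider {extra} is itself or not a cluster member")
    for sid, ips in sorted(owners.items()):
        if len(ips) > 1:
            problems.append(f"serverID {sid} is shared by {', '.join(sorted(ips))}")
    if sorted(owners) != list(range(1, len(configs) + 1)):
        problems.append("serverIDs do not run 1..N without gaps")
    return problems


def replication_section(server_id: int, peers: List[str], credentials: str = "example-secret") -> str:
    """Replication section of slapd.conf for one server, in the shape shown above (constructed)."""
    lines = [f"serverID {server_id}"]
    for rid, peer in enumerate(peers, start=1):
        lines += [f"syncrepl rid={rid}", f"    provider=ldap://{peer}:389",
                  '    binddn="cn=admin,dc=dataone,dc=org"', "    bindmethod=simple",
                  f"    credentials={credentials}", '    searchbase="dc=org"',
                  "    type=refreshAndPersist", '    retry="5 5 300 5"', "    timeout=1"]
    lines += ["mirrormode on", "overlay syncprov", "syncprov-checkpoint 100 10", "syncprov-sessionlog 100"]
    return "\n".join(lines)


SERVERS = ["192.168.56.10", "192.168.56.11", "192.168.56.12"]  # constructed addresses
GOOD_CLUSTER = {ip: replication_section(n, [p for p in SERVERS if p != ip])
                for n, ip in enumerate(SERVERS, start=1)}
# A third server added carelessly: copied serverID, placeholder password, one peer forgotten.
BAD_CLUSTER = dict(GOOD_CLUSTER)
BAD_CLUSTER["192.168.56.12"] = replication_section(2, ["192.168.56.10"], credentials="PASSWORD")

if __name__ == "__main__":
    for name, cluster in (("good", GOOD_CLUSTER), ("bad", BAD_CLUSTER)):
        print(name, check_cluster(cluster) or "consistent")
```

On a real cluster, ``configs`` would be filled by reading /etc/ldap/slapd.conf from each server (for instance over scp) keyed by the address the other servers use in their provider= lines. The check deliberately fails on credentials=PASSWORD, because a stanza copied from this document with the placeholder left in place will silently never replicate.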
After this section has been appropriately configured to reflect the new replica situation, LDAP will need to be shut down and the config files regenerated, following the convention in this bash script (should be run as root)::

    #!/bin/bash
    # Regenerate the cn=config directory from slapd.conf and restart slapd.
    LDAP_USER=openldap
    LDAP_CONF=/etc/ldap
    ## stop the default service
    echo "Stopping slapd"
    /etc/init.d/slapd stop
    ## regenerate the ldif config from the slapd.conf file
    echo "Generating ldif config using: ${LDAP_CONF}/slapd.conf"
    #slapd -h 'ldap:/// ldapi:///' -g ${LDAP_USER} -u ${LDAP_USER} -f /etc/ldap/slapd.conf
    rm -rf "${LDAP_CONF}/slapd.d/"*
    slaptest -f "${LDAP_CONF}/slapd.conf" -F "${LDAP_CONF}/slapd.d"
    ## strip the empty uri="" token that slaptest leaves in the hdb database entry
    if [ -e "${LDAP_CONF}/slapd.d/cn=config/olcDatabase={1}hdb.ldif" ]
    then
        sed -i.bak 's/uri=\"\"//' "${LDAP_CONF}/slapd.d/cn=config/olcDatabase={1}hdb.ldif"
        rm "${LDAP_CONF}/slapd.d/cn=config/olcDatabase={1}hdb.ldif.bak"
    fi
    chown -R "${LDAP_USER}:${LDAP_USER}" "${LDAP_CONF}/slapd.d"
    echo "Starting slapd"
    /etc/init.d/slapd start
    ## End of Script
All the other servers should then be updated with the new server configuration. After all the other servers have been updated, stop and restart LDAP on each machine::

    /etc/init.d/slapd stop
    /etc/init.d/slapd start

Run the command::

    ldapadd -c -D cn=admin,dc=dataone,dc=org -W -H ldap://localhost:389 -x -f /usr/share/dataone-cn-os-core/debian/ldap/devRobertWaltzPrincipal.ldif

Make certain the data has been replicated by executing the following command on the new machine::

    ldapsearch -x -W -D cn=admin,dc=dataone,dc=org -H ldap://localhost:389 -b 'dc=org'

The results of the command should equal the results of any other replicated server.
Create New LDAP Entry for New Node
-------------------------------------
The subject will be added to the Node list as the subject of the new node. Coordinating Nodes have to be pre-registered before they can take part in the CN infrastructure. Therefore, the typical registration process for MNs cannot be followed where CNs are concerned. It is best if they are directly added to LDAP through an LDIF file. An example LDIF file for a development Node appears as follows (entries are separated by blank lines)::

    dn: cn=c0t3,dc=dataone,dc=org
    cn: c0t3
    d1NodeId: c0t3
    d1NodeName: cn_dev_3
    d1NodeDescription: Development Protocol Coordinating Node Number 3
    d1NodeBaseURL: https://cn-dev-3.dataone.org/cn
    d1NodeReplicate: FALSE
    d1NodeSynchronize: FALSE
    d1NodeApproved: TRUE
    d1NodeState: up
    d1NodeType: cn
    subject: cn=cn-dev-3.dataone.org,dc=dataone,dc=org
    d1NodeContactSubject: cn=Robert Waltz A610,o=Google,c=US,dc=cilogon,dc=org
    objectclass: device
    objectclass: d1Node

    dn: d1NodeServiceId=CNCore-v1,cn=c0t3,dc=dataone,dc=org
    d1NodeServiceId: CNCore-v1
    d1NodeId: c0t3
    d1NodeServiceName: CNCore
    d1NodeServiceVersion: v1
    d1NodeServiceAvailable: TRUE
    objectclass: d1NodeService

    dn: d1NodeServiceId=CNRead-v1,cn=c0t3,dc=dataone,dc=org
    d1NodeServiceId: CNRead-v1
    d1NodeId: c0t3
    d1NodeServiceName: CNRead
    d1NodeServiceVersion: v1
    d1NodeServiceAvailable: TRUE
    objectclass: d1NodeService

    dn: d1NodeServiceId=CNAuthorization-v1,cn=c0t3,dc=dataone,dc=org
    d1NodeServiceId: CNAuthorization-v1
    d1NodeId: c0t3
    d1NodeServiceName: CNAuthorization
    d1NodeServiceVersion: v1
    d1NodeServiceAvailable: TRUE
    objectclass: d1NodeService

    dn: d1NodeServiceId=CNIdentity-v1,cn=c0t3,dc=dataone,dc=org
    d1NodeServiceId: CNIdentity-v1
    d1NodeId: c0t3
    d1NodeServiceName: CNIdentity
    d1NodeServiceVersion: v1
    d1NodeServiceAvailable: TRUE
    objectclass: d1NodeService

    dn: d1NodeServiceId=CNReplication-v1,cn=c0t3,dc=dataone,dc=org
    d1NodeServiceId: CNReplication-v1
    d1NodeId: c0t3
    d1NodeServiceName: CNReplication
    d1NodeServiceVersion: v1
    d1NodeServiceAvailable: TRUE
    objectclass: d1NodeService

    dn: d1NodeServiceId=CNRegister-v1,cn=c0t3,dc=dataone,dc=org
    d1NodeServiceId: CNRegister-v1
    d1NodeId: c0t3
    d1NodeServiceName: CNRegister
    d1NodeServiceVersion: v1
    d1NodeServiceAvailable: TRUE
    objectclass: d1NodeService

With the saved LDIF file, run the command::

    ldapadd -c -D cn=admin,dc=dataone,dc=org -W -H ldap://localhost:389 -x -f c0t3.ldif

Once added, search for the entries on the other replicated machines.
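Before running ldapadd it is worth checking the LDIF against the client certificate installed in the first step, since the node's ``subject`` must equal the certificate's Subject DN and every d1NodeService entry must sit under the node entry with the same d1NodeId; a service entry pasted from another node's file otherwise replicates to every CN. The Python check below is an added example, not part of the DataONE tooling. It uses the c0t3 entries above, shortened to two services, as sample input and a constructed copy with a mismatched d1NodeId as the failure case. The certificate subject is passed in as a string in LDAP DN order (``openssl x509 -noout -subject`` prints it, possibly with the RDNs in reverse order).

```python
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: a 'dn:' line starts an entry (blank separator lines are
    optional), lines starting with a space continue the previous line, attribute
    names are lowercased. Base64 (::) and URL (:<) values are not handled."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = value, {}
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def norm_dn(dn: str) -> str:
    """Lowercase attribute types and drop spaces around commas so 'CN=x, DC=y'
    compares equal to 'cn=x,dc=y' (escaped commas are not handled)."""
    rdns = [rdn.strip().partition("=") for rdn in dn.split(",")]
    return ",".join(f"{t.strip().lower()}={v.strip()}" for t, _, v in rdns)


def first(attrs: Dict[str, List[str]], name: str) -> str:
    return attrs.get(name, [""])[0]


def check_node_ldif(ldif_text: str, certificate_subject: str) -> List[str]:
    """Cross-check a CN node LDIF against the Subject DN of the installed client cert.
    Returns a list of problems; an empty list means the file is consistent."""
    problems: List[str] = []
    entries = parse_ldif(ldif_text)
    by_class = lambda cls: [(dn, a) for dn, a in entries
                            if cls in {c.lower() for c in a.get("objectclass", [])}]
    nodes = by_class("d1node")
    if len(nodes) != 1:
        return [f"expected exactly one d1Node entry, found {len(nodes)}"]
    node_dn, node = nodes[0]
    node_id = first(node, "d1nodeid")
    if first(node, "cn") != node_id:
        problems.append(f"cn {first(node, 'cn')} differs from d1NodeId {node_id}")
    if first(node, "d1nodetype") != "cn":
        problems.append("d1NodeType must be cn for a Coordinating Node")
    if norm_dn(first(node, "subject")) != norm_dn(certificate_subject):
        problems.append(f"subject {first(node, 'subject')} does not match the certificate subject {certificate_subject}")
    for flag in ("d1nodereplicate", "d1nodesynchronize", "d1nodeapproved"):
        if first(node, flag) not in ("TRUE", "FALSE"):
            problems.append(f"{flag} must be TRUE or FALSE, got {first(node, flag)!r}")
    services = by_class("d1nodeservice")
    if not services:
        problems.append("no d1NodeService entries found")
    for dn, svc in services:
        sid = first(svc, "d1nodeserviceid")
        if not norm_dn(dn).endswith("," + norm_dn(node_dn)):
            problems.append(f"{sid}: entry is not a child of {node_dn}")
        if first(svc, "d1nodeid") != node_id:
            problems.append(f"{sid}: d1NodeId {first(svc, 'd1nodeid')} differs from the node's {node_id}")
        expected_sid = f"{first(svc, 'd1nodeservicename')}-{first(svc, 'd1nodeserviceversion')}"
        if sid != expected_sid:
            problems.append(f"{sid}: d1NodeServiceId should be {expected_sid}")
        if first(svc, "d1nodeserviceavailable") not in ("TRUE", "FALSE"):
            problems.append(f"{sid}: d1NodeServiceAvailable must be TRUE or FALSE")
    return problems


# The c0t3 entries from this document, shortened to two services.
GOOD_LDIF = """\
dn: cn=c0t3,dc=dataone,dc=org
cn: c0t3
d1NodeId: c0t3
d1NodeBaseURL: https://cn-dev-3.dataone.org/cn
d1NodeReplicate: FALSE
d1NodeSynchronize: FALSE
d1NodeApproved: TRUE
d1NodeState: up
d1NodeType: cn
subject: cn=cn-dev-3.dataone.org,dc=dataone,dc=org
objectclass: device
objectclass: d1Node

dn: d1NodeServiceId=CNCore-v1,cn=c0t3,dc=dataone,dc=org
d1NodeServiceId: CNCore-v1
d1NodeId: c0t3
d1NodeServiceName: CNCore
d1NodeServiceVersion: v1
d1NodeServiceAvailable: TRUE
objectclass: d1NodeService

dn: d1NodeServiceId=CNRead-v1,cn=c0t3,dc=dataone,dc=org
d1NodeServiceId: CNRead-v1
d1NodeId: c0t3
d1NodeServiceName: CNRead
d1NodeServiceVersion: v1
d1NodeServiceAvailable: TRUE
objectclass: d1NodeService
"""

# Constructed mistake: the CNRead entry was pasted from another node's file.
BAD_LDIF = GOOD_LDIF.replace("d1NodeId: c0t3\nd1NodeServiceName: CNRead",
                             "d1NodeId: c0t2\nd1NodeServiceName: CNRead")
```

``check_node_ldif(open("c0t3.ldif").read(), subject)`` returning an empty list is the go-ahead for ldapadd; the DN comparison is deliberately case-insensitive on attribute types because the value printed by openssl and the value typed into the LDIF rarely agree on that.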
Setup Metacat
-------------
Set up Metacat by going through all the configuration options at https://cn-dev-3.dataone.org/knb/admin.

Accept the default settings for:

- Metacat Global Properties
- Skins Specific Properties

Install the database under:

- Database Installation/Upgrade

Bypass (as in press the bypass button) the following setup windows:

- MemberNode registration process
- Dataone Configuration

The difficult configuration window is Replication Configuration. In the Servers section of the Replication Configuration window, you should add each server in the environment that Metacat should replicate its content to and from:

- Click the add toggle button.
- Enter into the Server text box SERVER_NAME/knb/servlet/replication (such that the following dev host would be a valid entry: cn-dev-2.dataone.org/knb/servlet/replication).
- Toggle the following:

  - Replicate metadata? Yes
  - Replicate data? Yes
  - Replicate SystemMetadata? No (this field is deprecated and should be going away)
  - Localhost is a hub? No

- Then press Submit.

Repeat for each node that is not the localhost node for the environment to replicate.
For first-time setup of an entire environment, the object format needs to be added to the first machine installed. I have a script in /usr/share/metacat/debian/createObjectFormat that will do the initial setup. (This step is not needed for subsequent installs in the environment.)
Currently, I don't have the certificates configured in the postinst script for replication, so modify the following properties in /var/lib/tomcat6/webapps/knb/WEB-INF/metacat.properties::

    replication.certificate.file=/etc/dataone/client/certs/METACAT1.pem
    replication.privatekey.file=/etc/dataone/client/certs/METACAT1.pem
    replication.privatekey.password=CHANGEIT

They should point to the appropriate server certificate files (without passwords)::

    replication.certificate.file=/etc/dataone/client/certs/cn-dev-3.crt
    replication.privatekey.file=/etc/dataone/client/certs/cn-dev-3.crt
    replication.privatekey.password=

The certificate file must be readable by tomcat6 (the same file also serves as the private key, so it should not be world-readable).

Add to /etc/apache2/sites-available/cn-ssl::

    SSLVerifyClient require
    SSLVerifyDepth 10
Configure Hazelcast
--------------------
Have not gotten to this point yet! Keep the default.

The process and storage cluster will need to have their configuration settings modified to participate in the replicated cluster. Note, although both hazelcast.xml files configure Hazelcast and are XML, they follow different schemas. The processing configuration file is for use in a Spring environment, while the storage configuration may be used in any other Java application.

Processing:

The file /etc/dataone/process/hazelcast.xml will need to have all IPs of the machines added to the hz:members element, as a comma-separated list such as::

    192.168.56.10, 192.168.56.12

Storage:

Additionally, the storage hazelcast.xml in /etc/dataone/storage will need to have all IPs of the machines added to the tcp-ip element via separate interface tags::

    192.168.56.10
    192.168.56.12
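Because the two hazelcast.xml files use different schemas, their member lists drift apart easily: an address added to one file but not the other, or a tcp-ip element left disabled so that its list is ignored and the node silently forms a cluster of one. The following Python check is an added example and not part of DataONE's configuration. It reads the hz:members list from a Spring-style file and the interface tags from a plain file, and compares both against the expected set of cluster addresses. The two XML skeletons are constructed to show the element names named above, and the Spring namespace URI http://www.hazelcast.com/schema/spring is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Set


def local_name(tag: str) -> str:
    """Strip any XML namespace: '{http://...}members' -> 'members'."""
    return tag.rsplit("}", 1)[-1]


def processing_members(xml_text: str) -> Set[str]:
    """Spring-style file: the hz:members element holds a comma-separated list."""
    members: Set[str] = set()
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) == "members" and el.text:
            members |= {m.strip() for m in el.text.split(",") if m.strip()}
    return members


def storage_members(xml_text: str) -> Set[str]:
    """Plain Hazelcast file: one <interface> child per member under <tcp-ip>."""
    members: Set[str] = set()
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) == "tcp-ip":
            members |= {c.text.strip() for c in el if local_name(c.tag) == "interface" and c.text}
    return members


def tcp_ip_enabled(xml_text: str) -> bool:
    """Strict: True only if a tcp-ip element exists and carries enabled="true"."""
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) == "tcp-ip":
            return el.get("enabled", "").lower() == "true"
    return False


def check_hazelcast(processing_xml: str, storage_xml: str, expected: List[str]) -> List[str]:
    """Compare both files' member lists with the cluster's address list.
    Returns human-readable problems; an empty list means both files agree."""
    problems: List[str] = []
    want = set(expected)
    for name, xml_text, found in (("processing", processing_xml, processing_members(processing_xml)),
                                  ("storage", storage_xml, storage_members(storage_xml))):
        if not tcp_ip_enabled(xml_text):
            problems.append(f"{name}: tcp-ip join is not enabled, so the member list is ignored")
        for ip in sorted(found):
            try:
                ipaddress.ip_address(ip)  # catches typos such as a trailing dot or a hostname
            except ValueError:
                problems.append(f"{name}: {ip!r} is not an IP address")
        for ip in sorted(want - found):
            problems.append(f"{name}: member {ip} is missing")
        for ip in sorted(found - want):
            problems.append(f"{name}: unexpected member {ip}")
    return problems


# Constructed skeleton of the Spring-style processing file (namespace URI assumed).
PROCESSING_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:hz="http://www.hazelcast.com/schema/spring">
  <hz:hazelcast id="hazelcast">
    <hz:config>
      <hz:network port="5701">
        <hz:join>
          <hz:multicast enabled="false"/>
          <hz:tcp-ip enabled="true">
            <hz:members>192.168.56.10, 192.168.56.12</hz:members>
          </hz:tcp-ip>
        </hz:join>
      </hz:network>
    </hz:config>
  </hz:hazelcast>
</beans>"""

# Constructed skeleton of the plain storage file.
STORAGE_XML = """<hazelcast>
  <network>
    <port auto-increment="true">5701</port>
    <join>
      <multicast enabled="false"/>
      <tcp-ip enabled="true">
        <interface>192.168.56.10</interface>
        <interface>192.168.56.12</interface>
      </tcp-ip>
    </join>
  </network>
</hazelcast>"""

if __name__ == "__main__":
    print(check_hazelcast(PROCESSING_XML, STORAGE_XML, ["192.168.56.10", "192.168.56.12"]) or "consistent")
```

Run it with the contents of /etc/dataone/process/hazelcast.xml and the storage hazelcast.xml and the list of every CN in the environment; matching on local element names keeps the check working whether or not the storage file declares a default namespace.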
Configuring Synchronization
---------------------------
The location of the cert to be used by the Processing Daemon is set in the /etc/dataone/node.properties file::

    D1Client.certificate.directory=/etc/dataone/client/certs
    D1Client.certificate.filename=CLIENTCERTFILENAME

CLIENTCERTFILENAME should be replaced with the name of the certificate file that was installed during the first step, "Generate Server Client Certificate and Install"::

    D1Client.certificate.filename=cn-dev-3.crt

Each time a Science Metadata object is synchronized, a replica entry is made in the systemMetadata to indicate that the CN has a copy. The nodeId of the replica is set in the properties file /etc/dataone/process/synchronization.properties, in the property Synchronization.CN_REPLICA_NODE. For development or sandbox environments, the property should be set to the nodeId of the machine being configured. However, for the production environment the nodeId should point to the CN router node.

Adjust Java heap sizes for development servers or other underspec'ed machines: modify -Xmx for the maximum heap size, -Xms for the initial heap size, and -XX:MaxPermSize in the following files::

    /etc/init.d/d1-processing
    /etc/init.d/tomcat6
Turn on Metacat Replication
---------------------------
Now that everything is set up, turn on Metacat replication.

Go to https://cn-dev-3.dataone.org/knb/admin and click on the Replication Configuration window. You will have to know the current dateTime of the server::

    root@cn-rpw-orc:/var/lib/tomcat6/logs# date
    Fri Jan 6 22:15:17 UTC 2012

In the Timed Replication box, set the First Time text box to a few minutes after the current time::

    10:20 PM

Set the Timer button to start, and then press Submit.
Create the ObjectFormatList
---------------------------
If the server being configured is the first server installed for an environment, then the ObjectFormatList must be inserted into Metacat. Run the following command::

    /usr/share/metacat/debian/createObjectFormat