Web Central Technical Architecture Version 1.12 14/09/2015

Contents

1 Project planning
  1.1 EST083 Migration of Estates Application Servers
  Previous projects
  1.2 EST082 Migration of Estates Application Servers

2 Service design
  2.1 Service description
  2.2 Resilience measures
  2.3 Disaster recovery category
  2.4 Backup policy
  2.5 Security issues
  2.6 Authentication and authorisation
  2.7 External access
  2.8 Interfaces and dependencies
  2.9 Exceptions and other issues

3 Service specification
  3.1 URLs, certificates and channels
  3.2 Servers
  3.3 Users, roles and groups
  3.4 Data sources
  3.5 Firewall configuration
  3.6 Scheduled tasks
  3.7 Software licences

4 Service operation
  4.1 Support contacts
  4.2 Startup and shutdown steps
  4.3 Log files
  4.4 Configuration files
  4.5 Patching

5 Common procedures
  5.1 Cloning
  5.2 Giving access to Samba shares
  5.3 Switch on/off debugging
  5.4 Switch on/off EASE authentication

6 Disaster recovery plan


Version control

Date | Version | Author | Sections | Amendments
04/09/2013 | 1.0 | Gordon McKenna | All | Initial draft based on K:\ISAPPS\dsg\DevelopmentTechnology\tad_diags\EST069\Technical_Architecture.doc
06/09/2013 | 1.1 | Gordon McKenna | 3, 5, 9, 15, 20 | Minor changes following review by DevTech.
12/09/2013 | 1.2 | Gordon McKenna | 2 | Added explanation of afm UUN problem following handover meeting.
07/11/2013 | 1.3 | Gordon McKenna | 12 | Reverted to active-passive configuration.
13/06/2014 | 1.4 | Gordon McKenna | 1, 4, 21 | Changed Archibus version number, added detail about EST074.
19/11/2014 | 1.5 | Pride Shoniwa | All | Changed server names
12/12/2014 | 1.6 | Riky Harris | All | Mainly formatting changes
03/02/2015 | 1.7 | Riky Harris | All | Convert to new template for EST082
24/03/2015 | 1.8 | Riky Harris | 3.1 | Add details of Web Central CAD service
08/06/15 | 1.9 | Anne Finnan | 5.2 | Added 5.2.3 connecting to samba
15/06/2015 | 1.10 | Gordon McKenna | 5.3, 5.4 | Added instructions on switching on/off debugging and EASE.
23/06/2015 | 1.11 | Gordon McKenna | 4.2 | Amended shutdown procedure to delete all folders under ../jsp, not just schemaCompiled.
14/09/2015 | 1.12 | Ewan Scott | 1,2,3,4,6 | EST083 – process improvement: amendments – the SQStage java app


1 Project planning

1.1 EST083 – process improvement: amendments to purchase order process (SQStage java app)

1.1.1 Stakeholders

Role | Unit | Name
Technical Architect | Development Technology | Ewan Scott
Peer Reviewer | Development Technology | Gillian Henderson
Project Manager | Project Services | Andy Stewart
Production Representative | Production Management | Anne Finnan
ITI Representative | IT Infrastructure | ???

1.1.2 Key deliverables

Deliverable | Business benefit
The project MUST provide an infrastructure that will enable the purchase order process to be migrated from the Archibus desktop client to the SciQuest infrastructure. | 1. Remove a dependency on the Archibus PC client. 2. Improved efficiency and quality in procurement from improved procurement management in SciQuest.
The project SHOULD deliver a structure that will allow other services beyond Archibus to use the Purchase Requisition java application. | The java application structure developed - the SQStage java app - should offer a generic interface to SciQuest which other services can plug into.

1.1.3 Technical commitments

Commitment | Y/N | Justification (if not)
Will the project conduct a load test? | N | ##to be decided
Will the project conduct a DR test? | N | The DR technology is already proven
Has a service restart been tested? | N | will be tested

1.1.4 Summary of technical changes

Currently Estates and Buildings create and manage purchase orders within the Archibus Desktop Client. This project migrates this process so that purchase orders are created and managed with SciQuest:

- A new Java application will receive and send validation responses to SciQuest.
- Requisition and purchase order management will be implemented in Web Central.
- A new purchase order import into the Archibus schema will be created.

To facilitate this:

- A new application user will be created on the Web Central application servers to host the SQStage java app, running under a fresh Tomcat install.
- A new GEN database schema will be created to handle staging area data.
- New tables will be created within the EBIS database AFM schema.
- A new URL will be created to run under HTTPS for the secure link with the external SciQuest system.


1.1.5 Estimated costs

Item | Development | Test | Live
e.g. hardware | £ | £ | £
e.g. disk on SAN | £ | £ | £
e.g. backup | £ | £ | £
e.g. licences | £ | £ | £
e.g. maintenance | £ | £ | £
e.g. support | £ | £ | £
Subtotals | £ | £ | £
Total | £ 0

There are no new costs associated with the migration of this service to existing, shared infrastructure. ###to be confirmed


2 Service design

2.1 Service description

Web Central is an application which enables the Estates and Buildings division to manage the University’s property holdings. It consists of a web-enabled application hosted on Apache/Tomcat, and an Oracle database on a Linux server.

Web Central is responsible for managing the validation of requisitions created by Estates users in SciQuest. This is referred to as the SQStage java app.

2.1.1 Key technologies

Technology | Version | New or existing
Archibus | 21.2 | Existing
Apache HTTPD | 2.2 | Existing
Apache Tomcat | 5.5.36 | Existing
Oracle Java Development Kit | 1.6.0_45 | Existing
Oracle Client | 11gR2 x86 | Existing
Oracle RDBMS | 11.2.0.3.0 | Existing
Linux | 2.6.32-358.14.1.el6.x86_64 | Existing
Samba | 3.0.10 on appsutilkb1t, 3.0.28 on appsutilkb1 | Existing

SQStage java app
SciQuest | ?.? ##get current SciQuest version |
Apache Tomcat | 8 | New version
Java | 1.8 | New version

2.1.2 Technical diagrams


(from System Design Document)


2.2 Resilience measures

2.2.1 Application

Main application

For some time, the Web Central application has been running in an Active-Active configuration on servers running at two different sites. If one server became unavailable, the other would continue to host the application.

One limitation of this configuration concerned file storage. A Samba share gives Estates staff access to edit and upload drawings directly on the file system. To save complication, this access is only to the KB server, so changes were not visible to users accessing the Web Central system on AT until the rsync cron job had run.

Another problem was that users saving views and dashboard settings to the website would be unable to access these on a subsequent login to the other web server, before the rsync job had run.

Given these two problems and the small number of users accessing the system, it was decided to revert to an active-passive configuration in November 2013. The fact that the application was running in active-active was in any case felt to be an error which had crept into the system at some unknown time in the past.

In the event of a failure of the active server, the Tomcat instances – webcentral and sqstage - on the passive server should be started using the instructions above, and the Load Balancer will automatically reroute all traffic to it.

2.2.2 Database

The database runs under Oracle Data Guard configured for maximum availability. This ships the archive redo logs to a standby database, so that in the event of a failure of the primary database the standby database can be opened with minimal loss of service.

2.3 Disaster recovery category

Application | Category
Web Central | 3
Archibus Client | 3
SQStage java app | 3

2.4 Backup policy

Component | Variance from backup policy
Operating System | None (standard backup)
Database | None (standard backup)
File system | None (standard backup)
Other | None (standard backup)

2.5 Security issues

The Web Central application is accessed via SSL. Because SSL is terminated at the load balancers, traffic on the UoE network behind them is unencrypted.

The SQStage java app is not used by users directly and is accessed via SSL only, with traffic unencrypted after offload at the load balancers. The only valid external source IP addresses allowed to connect are those provided by SciQuest (66.179.165.172, 66.179.165.140).

Access via the Archibus client (internal to the UoE network only) uses unencrypted SQLnet.

Access and authority to publish to the samba file share is restricted by Unix username and password on each Application server.

Authentication for access with ODBC for the Archibus client uses the AFM database account – the schema owner for all of the Archibus data. Firstly, it is not recommended that this is the account used for client connections. Secondly, the ‘weak’ password for this account is the same for all three environments, which is also not recommended. Thirdly, the password for this account is very widely known amongst Estates, IS, external suppliers and others and the potential for misuse is massive. While IS Applications would never share a password in this manner, it is assumed that the Business Owners must be sharing it, which, again, is not recommended.


2.6 Authentication and authorisation

EASE is used for authentication of Web Central users with authorisation being performed internally by the Web Central application which uses tables in the AFM_SECURE schema in the EBIS database.

As the AutoDesk space planning tools are not able to use Cosign SSO, the Web Central CAD service provides an alternative Apache VHost without Cosign to connect to the same application via an alternative AJP.

Access to the SciQuest system is based on EASE authentication in conjunction with external authorisation controlled by SciQuest.


2.7 External access

Name | Contact details | Access method | Description of need
Martin Matt, Mass PLC | Innovation House, Molly Millar’s Close, Wokingham, Berkshire, RG41 2RX; Tel: 01189 778560; Mobile: 07956 [email protected] | Citrix GoToMeeting, via Dev Tech member | Access to application via conference call and desktop sharing application, with a client running on Dev Tech / Estates PC
###add SciQuest if access to be granted

2.8 Interfaces and dependencies

The Archibus system depends on the EBIS database, which contains its data, being available.

SQStage application data is hosted in the GEN database.

To access Web Central, EASE must be available.

The external SciQuest site must be available to initiate a purchase requisition.

SciQuest exports an XML file daily for processing into eFinancials.

The EBIS database pulls purchase order data over from the FIN database in a daily scheduled job.

2.9 Exceptions and other issues

Because the upgrade is going to be an in-place upgrade across the three environments, there will be periods when DEV, TEST and LIVE are running different versions.


Database changes may have an impact on other projects working on the EBIS databases.

We would also recommend that the version of Tomcat used is updated due to security concerns with 5.5.31. However, it is understood that Mass Capital Budgeting does not work with Tomcat 6. Further investigation with the supplier is required.

There are no such issues with the SQStage java app and it is running on Java 1.8 and Tomcat 8.


3 Service specification

3.1 URLs, certificates and channels

3.1.1 Development

Application | URL
Web Central | https://www-dev.webcentral.estates.ed.ac.uk
Web Central CAD | https://www-dev.webcentralcad.estates.ed.ac.uk
SQStage java app | https://www-dev.sqstage.finance.ed.ac.uk

3.1.2 Test

Application | URL
Web Central | https://www-test.webcentral.estates.ed.ac.uk
Web Central CAD | https://www-test.webcentralcad.estates.ed.ac.uk
SQStage java app | https://www-test.sqstage.finance.ed.ac.uk

3.1.3 Live

Application | URL
Web Central | https://www.webcentral.estates.ed.ac.uk
Web Central CAD | https://www.webcentralcad.estates.ed.ac.uk
SQStage java app | https://www.sqstage.finance.ed.ac.uk

3.1.4 Certificates

Certificate CN | CA | Server Location
www-dev.webcentral.estates.ed.ac.uk | Cosign | /usr/local/certs
www-test.webcentral.estates.ed.ac.uk | Cosign | /usr/local/certs
www.webcentral.estates.ed.ac.uk | Cosign | /usr/local/certs
www-dev.webcentralcad.estates.ed.ac.uk | Cosign | /usr/local/certs
www-test.webcentralcad.estates.ed.ac.uk | Cosign | /usr/local/certs
www.webcentralcad.estates.ed.ac.uk | Cosign | /usr/local/certs
www-dev.webcentral.estates.ed.ac.uk | EdUni | /usr/local/certs
www-test.webcentral.estates.ed.ac.uk | EdUni | /usr/local/certs
www.webcentral.estates.ed.ac.uk | EdUni | /usr/local/certs
https://www-dev.sqstage.finance.ed.ac.uk | QuoVadis | /usr/local/certs
https://www-test.sqstage.finance.ed.ac.uk | QuoVadis | /usr/local/certs
https://www.sqstage.finance.ed.ac.uk | QuoVadis | /usr/local/certs

3.1.5 MyED channels

None.

3.2 Servers

3.2.1 Application servers

 | Development | Test | Live
Servers | appsutilkb1d (Active), appsutilat1d (Disabled) | appsutilkb1t (Active), appsutilat1t (Disabled) | appsutilkb1 (Active), appsutilat1 (Disabled)
Physical / Virtual | Virtual | Virtual | Virtual
Shared / Dedicated | Shared | Shared | Shared
CPU cores | 4 | 4 | 4
Memory | 16GB | 16GB | 16GB
OS | RHEL 6.6 | RHEL 6.6 | RHEL 6.6
Software and versions | Web Central v21, Tomcat 5.5.36 | Web Central v21, Tomcat 5.5.36 | Web Central v21, Tomcat 5.5.36
Dependencies | SMTP, Cosign, Samba, JDK, rsync | SMTP, Cosign, Samba, JDK, rsync | SMTP, Cosign, Samba, JDK, rsync

3.2.2 Database servers

 | Development | Test | Live
Server | oradevkb.is.ed.ac.uk, oradevat.is.ed.ac.uk | oratestkb2.is.ed.ac.uk, oratestat2.is.ed.ac.uk | oraat2.is.ed.ac.uk, orakb2.is.ed.ac.uk
Physical / Virtual | Physical | Physical | Physical
Shared / Dedicated | Shared | Shared | Shared
CPU cores | 32 | 32 | 32
Memory | 384GB | 384GB | 384GB
OS | RHEL 6.6 | RHEL 6.6 | RHEL 6.6
Instance | EBISDEV | EBISTEST | EBISLIVE
Database version | 11.2.0.3.0 | 11.2.0.3.0 | 11.2.0.3.0
Dependencies | N/A | N/A | N/A

3.2.3 File systems

Server names | Volume | Size | Purpose
N/A

3.2.4 File shares

Server names | Shared path | Share name
appsutilkb1d.is | /u01/app/webcent/apache-tomcat/webapps/archibus/projects/ | \\appsutilkb1d\WebCProject
appsutilkb1t.is | /u01/app/webcent/apache-tomcat/webapps/archibus/projects/ | \\appsutilkb1t\WebCProject
appsutilkb1.is | /u01/app/webcent/apache-tomcat/webapps/archibus/projects/ | \\appsutilkb1\WebCProject
appsutilat1d.is | /u01/app/webcent/apache-tomcat/webapps/archibus/projects/ | \\appsutilat1d\WebCProject
appsutilat1t.is | /u01/app/webcent/apache-tomcat/webapps/archibus/projects/ | \\appsutilat1t\WebCProject
appsutilat1.is | /u01/app/webcent/apache-tomcat/webapps/archibus/projects/ | \\appsutilat1\WebCProject

Share name | Users / groups | Permissions

The samba shares on the AT servers (greyed out above) exist to keep the systems identical and to enable running of the service on these servers for Business Continuity reasons.

3.3 Users, roles and groups

3.3.1 Unix

Username | Home directory | Description
All accounts below relate to the application servers – appsutil[kb|at]*
afm | /home/mis/afm | Runs various cron scripts. Note that you can’t log in directly as this user, because there is a user in the university who already has this UUN. If you need to access this account, log in as oracle and “sudo su afm”.
webcent | /homes/est/webcent | Application owner.
sqstage | /homes/est/sqstage | SQStage java app user.
afinnan, afsmith, astewar4, charper, dfoggo, etorranc, gboag, gdawson1, gmckenna, gnicoll, janeco, nthomso5, paulcru, paulines, pmann, pshoniwa, rharris7, ronmcl, v1knels2 | /home/samba/afinnan, /home/samba/afsmith, /home/samba/astewar4, /home/samba/charper, /home/samba/dfoggo, /home/samba/etorranc, /home/samba/gboag, /home/samba/gdawson1, /home/samba/gmckenna, /home/samba/gnicoll, /home/samba/janeco, /home/samba/nthomso5, /home/samba/paulcru, /home/samba/paulines, /home/samba/pmann, /home/samba/pshoniwa, /home/samba/rharris7, /home/samba/ronmcl, /home/samba/v1knels2 | Samba user accounts for members of Estates (and IS Applications for support) to access the ‘WebCProject’ share.

Group | Members | Description
mis | afm | Standard IS Apps group
est | webcent, sqstage, samba users | Estates group
estsmb | samba users | Group for Estates Samba accounts

Application Directory | Owner | Description
/u01/app/webcent | webcent | Location for Web Central components
/u01/app/sqstage | sqstage | Location for SQStage java app

3.3.2 Oracle

Instance | Username | Roles | Description
EBIS* | afm | AFM_ROLE, APPLICATION | Main table owner. Also used for JDBC connections from web server.
EBIS* | afm_secure | AFM_ROLE | Minor table owner, used for application security. Also used for JDBC connections from web server.
GEN* | sqstage | APPLICATION | SQStage requisition staging area objects
GEN* | sqstagereq | sqstage_req | database user used by SQStage java app
GEN* | sqstagebrowser | sqstage_browser | read only access to the sqstage schema

Instance | OPS$ username | Roles | Description
EBIS* | OPS$afm | AFM_ROLE | Database user for cron scripts run by afm.

Instance | Database role | Description
EBIS* | AFM_ROLE | Main application role giving privileges to AFM tables.
GEN* | SQSTAGE_REQ | role for sqstagereq user
GEN* | SQSTAGE_BROWSER | role for sqstagebrowser user

Instance | Schema | Tablespace
EBIS* | AFM | AFM_P1, AFM_SC
GEN* | sqstage | SQSTAGE_DATA, SQSTAGE_INDEX


3.4 Data sources

3.4.1 Java

Connection name | Web Central | SQSTAGE
Username | JDBC | JDBC
Database | EBIS* | GEN*
Additional settings | N/A | N/A

3.5 Firewall configuration

3.5.1 Central firewall

Source | Destination | Port | Protocol
EdLan | appsutilkb1d.is, appsutilat1d.is | 443 | HTTPS
Any | appsutilkb1t.is, appsutilat1t.is | 443 | HTTPS
Any | appsutilkb1.is, appsutilat1.is | 443 | HTTPS
EdLan | appsutilkb1d.is, appsutilat1d.is | 445 | CIFS
EdLan | appsutilkb1t.is, appsutilat1t.is | 445 | CIFS
EdLan | appsutilkb1.is, appsutilat1.is | 445 | CIFS
net-oradb-clients | net-oradb-servers | 1500-1900 | tcp

3.6 Scheduled tasks

3.6.1 Unix cron jobs

Server | Account | Script name | Schedule | Description
appsutilkb1d.is | webcent | Application code rsync | Daily, 20:18 | Cron to copy application code from appsutilkb1d to appsutilat1d
appsutilkb1t.is | webcent | Application code rsync | Daily, 20:24 | Cron to copy application code from appsutilkb1t to appsutilat1t
appsutilkb1.is | webcent | Application code rsync | Daily, 20:28 | Cron to copy application code from appsutilkb1 to appsutilat1

3.6.2 Oracle DBMS_SCHEDULER jobs

Database | Account | Procedure name | Schedule | Description
GEN* | sqstage | new_record_check (##to be confirmed) | DEV – n/a; TEST – 1130; LIVE – 0900 (Mon-Fri) | Inserts new requisitions into AFM table.

3.7 Software licences

Software | Supplier | Requirements | Expires
Web Central 21.2 | Mass PLC on behalf of ARCHIBUS, Inc. | Yes | Unknown


4 Service operation

4.1 Support contacts

Vendor | Contact details | Required information
Martin Matt at Mass PLC | Tel: 01189 778560; Mobile: 07956 [email protected] | None
sciQuest | ###to be added |

4.2 Startup and shutdown steps

4.2.1 Shut down

1. Log in to the appropriate database server as the oracle user.

Set the environment by running ora<database_name> (e.g. oraebislive). This will set your $ORACLE_HOME and $ORACLE_SID, among other things.

$ sqlplus /nolog
> conn / as sysdba
> shutdown immediate

Then stop the applications.

2. Log in to the appropriate application server as the webcent user.

$ cd $TOMCAT_HOME
$ bin/shutdown.sh

Using CATALINA_BASE: /u01/app/webcent/apache-tomcat-5.5.31
Using CATALINA_HOME: /u01/app/webcent/apache-tomcat-5.5.31
Using CATALINA_TMPDIR: /u01/app/webcent/apache-tomcat-5.5.31/temp
Using JRE_HOME: /u01/java/jdk1.6.0_24
Using CLASSPATH: /u01/app/webcent/apache-tomcat-5.5.31/bin/bootstrap.jar

The following will confirm that the Tomcat process for this user has finished (but give it time!). If the process doesn’t eventually disappear, kill it.

$ ps -fu webcent

UID PID PPID C STIME TTY TIME CMD
webcent 13854 3358 0 15:29:14 pts/16 0:00 ps -fu webcent
webcent 26356 26336 0 Sep 06 ? 0:00 /usr/lib/ssh/sshd
webcent 3356 3281 0 13:56:08 ? 0:00 /usr/lib/ssh/sshd
webcent 26358 26356 0 Sep 06 pts/17 0:00 -bash
webcent 3358 3356 0 13:56:08 pts/16 0:00 -bash

Then:

$ rm -R webapps/archibus/schemaCompiled/
$ rm -R work/Catalina/localhost/archibus/org/apache/jsp/

3. SQStage java app shutdown

Log in to the appropriate application server as the sqstage user.

$ cd $TOMCAT_HOME
$ bin/shutdown.sh

###add text as above once built

The following will confirm that the Tomcat process for this user has finished (but give it time!) If the process doesn’t eventually disappear, kill it.

$ ps -fu sqstage

###add text as above once built

4.2.2 Start up

1. Log in to the appropriate primary database server as the oracle user.

Set the environment by running ora<database_name> (e.g. oraebislive). This will set your $ORACLE_HOME and $ORACLE_SID, among other things:

$ sqlplus /nolog
> conn / as sysdba

You can check that the database is open by running the following SQL:

> SELECT * FROM GLOBAL_NAME;


If this returns the database name, then the database is open (i.e. up and available for users).

Then start the application.

2. Log in to the appropriate application server as the webcent user.

$ cd $TOMCAT_HOME

The following checks if there is a tomcat process currently running for this user. If there is (e.g. the java process shown in the example), shut it down first.

$ ps -fu webcent

UID PID PPID C STIME TTY TIME CMD
webcent 27519 3358 0 08:54:51 pts/16 0:00 ps -fu webcent
webcent 26283 494 0 08:43:18 pts/16 1:46 /u01/java/jdk1.6.0_24/bin/java -Djava.util.logging.config.file=/u01/app/webcent
webcent 3356 3281 0 Sep 09 ? 0:00 /usr/lib/ssh/sshd
webcent 3358 3356 0 Sep 09 pts/16 0:00 -bash

Then start tomcat:

$ bin/startup.sh

Using CATALINA_BASE: /u01/app/webcent/apache-tomcat-5.5.31
Using CATALINA_HOME: /u01/app/webcent/apache-tomcat-5.5.31
Using CATALINA_TMPDIR: /u01/app/webcent/apache-tomcat-5.5.31/temp
Using JRE_HOME: /u01/java/jdk1.6.0_24
Using CLASSPATH: /u01/app/webcent/apache-tomcat-5.5.31/bin/bootstrap.jar

You can then check the log file:

$ tail -f logs/catalina.out

When you get something like the following it means that Tomcat has started successfully.

Sep 12, 2013 8:44:19 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 59886 ms

Note that this only tells you that Tomcat is running. You should also check the database to ensure that the process has connected successfully (this is important after a database restart, when Tomcat can still be running on the application server but not connected to the database).


Log in to the appropriate database server as the oracle user.

Set the environment by running ora<database_name> (e.g. oraebislive). This will set your $ORACLE_HOME and $ORACLE_SID, among other things.

$ sqlplus /nolog
> conn / as sysdba
> select * from v$session where machine like '%<server_name>%';

For example:

> select * from v$session where machine like '%appsutilkb1%';

There should be 3 sessions from the active application server.

If you’re on TEST or LIVE, repeat the startup procedure for each of the application servers. #remove###out of date as we are currently running Active-Passive mode.

3. SQStage java app startup

1. Log in to the appropriate application server as the sqstage user.

$ cd $TOMCAT_HOME

The following checks if there is a tomcat process currently running for this user. If there is (e.g. the java process shown in the example), shut it down first.

$ ps -fu sqstage

###add text as above once built

Then start tomcat:

$ bin/startup.sh

###add text as above once built

You can then check the log file:

$ tail -f logs/catalina.out

When you get something like the following it means that Tomcat has started successfully.

Sep 12, 2013 8:44:19 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 59886 ms


4.3 Log files

$TOMCAT_HOME/webapps/archibus/WEB-INF/config/archibus.log

$TOMCAT_HOME/webapps/sqstage/WEB-INF/config/sqstage.log

Also standard Apache/Tomcat log files.


4.4 Configuration files

4.4.1 Archibus core configuration files

$TOMCAT_HOME/webapps/archibus/WEB-INF/config/afm-projects.xml
$TOMCAT_HOME/webapps/archibus/WEB-INF/config/context/security/preauth/projectid-source/property/projectid-source.properties
$TOMCAT_HOME/webapps/archibus/WEB-INF/config/context/compatibility/afm-config.xml

Also standard Apache/Tomcat configuration files.

These environments are set up for the Archibus client by the following project files:

I:\Archibus\afm_project\dev\EBISDEV.apj
I:\Archibus\afm_project\test\EBISTEST.apj
I:\Archibus\afm_project\live\EBISLIVE.apj

4.4.2 SQStage config files

### add after DEV build complete

4.5 Patching

Patches and upgrades are supplied by MASS as required.


5 Common procedures

5.1 Cloning

There is a regular requirement to clone the EBISLIVE database to create EBISTEST and EBISDEV. In the instructions below, EBISLIVE is the Source database, while EBISTEST and EBISDEV are the Targets.

##Does SQSTage need to match EBIS – ie. does it need to be cloned at same time?

5.1.1 Export Target

Before cloning, do a full database export from the Target. This is to preserve a number of tables which need to be reimported after cloning. Clone the latest parameter file /home/dba/oracle/scripts/CLONE/expdp_EBISTEST.FULL.<YYYYMMDD>.par on oratestat2, change the dates on the export and dump files, then carry out the export using this parameter file.

5.1.2 Export Source

Do a full database export from the source (although you only really need AFM, as far as I know). Clone the latest parameter file /home/dba/oracle/scripts/CLONE/expdp_EBISLIVE.FULL.<YYYYMMDD>.par on oraat2, change the dates on the export and dump files, then carry out the export using this parameter file.

5.1.3 Drop and recreate AFM

Drop the schema AFM from the target, but do not drop AFM_SECURE.

Recreate the AFM schema before you import the tables, so that all its privileges (including from AFM_SECURE) are present for the import. If you don’t do this, a number of constraints will not be created.

5.1.4 Import Source

Import the schema AFM from the source dumpfile created above. Use the parameter file /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.<YYYYMMDD>.par

Note that there are a number of invalid packages in the AFM schema in LIVE, so the corresponding errors can be ignored on import.


There were also (sometimes, but not always!) some errors relating to index statistics. See 755253.1 for details and a solution, which uses the parameter files /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.<YYYYMMDD>.exclude.par and /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.<YYYYMMDD>.include.par

5.1.5 Fix database links

AFM owns a number of database links which will still be pointing to LIVE environments. Recreate them to point to the equivalent environment (TEST or DEV).

5.1.6 Reimport Target

After cloning, drop the tables AFM.WEB_SECURITY and AFM.WEB_SECURITY2USERS from the target and recreate them by importing from the old Target dumpfile. You can use /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.TABLES1.<YYYYMMDD>.par

Also, leave the tables AFM.AFM_ROLES and AFM.AFM_ROLEPROCS in place, but reimport the data from the old Target dumpfile (use TABLE_EXISTS_ACTION=APPEND in the parameter file). You need both the new data from the Source, and the original data from the Target. Use parameter file /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.TABLES2.<YYYYMMDD>.par

5.1.7 Restart Application

Because you dropped the AFM user, you will have lost all application connections to the database. Restart the application using the instructions in this document.

5.1.8 Alternative

Given the various problems above, it might be easier to hot clone the whole database using the instructions here.

5.2 Giving access to Samba shares

5.2.1 Unix

The user must be created by the Unix team on the relevant server; the following is an example from appsutilkb1d:

paulines:x:10829:12657:Functional:/home/samba/paulines:/bin/true


The user should also be in the estsmb group; here is an example from appsutilkb1d:

estsmb:x:8323:finnan,afsmith,astewar4,charper,dfoggo,etorranc,gboag,gdawson1,gmckenna,gnicoll,janeco,paulcru,paulines,pmann,pshoniwa,rharris7,ronmcl,v1knels2,nthomso5

You can request the account via Direct, but this will require a follow-up call to get the shell changed to /bin/false.
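The account requirements above can be checked from the passwd and group entries. The following is an added example, not part of the original document: it assumes that Samba-only accounts should have one of the two non-login shells mentioned here (/bin/true or /bin/false), and the function name, usernames and sample lines are constructed for illustration.

```shell
#!/bin/sh
# audit_samba_shells PASSWD_FILE GROUP_FILE [GROUP]
# Prints "user:shell" for every member of GROUP (default estsmb) whose shell
# is neither /bin/true nor /bin/false, and "user:MISSING" for members that
# have no passwd entry at all.
audit_samba_shells() {
    awk -F: -v grp="${3:-estsmb}" '
        FILENAME == ARGV[1] { shell[$1] = $7; next }   # first file: passwd
        $1 == grp {                                    # second file: group
            n = split($4, member, ",")
            for (i = 1; i <= n; i++) {
                u = member[i]
                if (!(u in shell)) {
                    print u ":MISSING"
                } else if (shell[u] != "/bin/true" && shell[u] != "/bin/false") {
                    print u ":" shell[u]
                }
            }
        }
    ' "$1" "$2"
}

# Constructed sample data in the same format as the entries shown above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
sambauser1:x:20001:20000:Functional:/home/samba/sambauser1:/bin/true
sambauser2:x:20002:20000:Functional:/home/samba/sambauser2:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
estsmb:x:20000:sambauser1,sambauser2,sambauser3
EOF
audit_samba_shells "$demo_dir/passwd" "$demo_dir/group"
```

On a server that resolves accounts through a directory service, save the output of getent passwd and getent group to files and pass those instead.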

5.2.2 Samba

The user also needs to be set up in Samba; this is also a step for the Unix team, as it must be run as root. We can't query this information from Samba either, though the Unix team can do this using "pdbedit -L".

5.2.3 Connecting to Samba share - Added 08/06/15 AF

To connect to Samba, users must map a network drive to one of the following:

Dev = \\appsutilkb1d.is.ed.ac.uk\WebCProject

Test = \\appsutilkb1t.is.ed.ac.uk\WebCProject

Live = \\appsutilkb1.is.ed.ac.uk\WebCProject

Enter username/password

NB: On managed Windows 7 PCs, put a backslash before the username to clear the domain ("\uun").

5.3 Switch on/off debugging

In non-LIVE environments, we regularly have to switch on debugging.

Log on to the application server as webcent and shut down the application, using the instructions above.

[webcent@appsutilkb1t config]$ cd /u01/app/webcent/apache-tomcat/webapps/archibus/WEB-INF/config

[webcent@appsutilkb1t config]$ vi core.properties

Set app.debug=true to switch debugging on, or app.debug=false to switch debugging off.

Restart the application, using the instructions above.


5.4 Switch on/off EASE authentication

In non-LIVE environments, we regularly have to switch off EASE authentication for debugging purposes.

Log on to the application server as webcent and shut down the application, using the instructions above.

[webcent@appsutilkb1t config]$ cd /u01/app/webcent/apache-tomcat/webapps/archibus/WEB-INF/config

[webcent@appsutilkb1t config]$ vi security.properties

Set the following lines to switch EASE authentication OFF:

security.configurationFile=context/security/security-afm-users.xml

security.logoutView=login.axvw

security.timeoutView=login.axvw

Set the following lines to switch EASE authentication ON:

security.configurationFile=context/security/security-preauth-remote-user-request-header.xml

security.logoutView=schema/ab-core/views/process-navigator/logout-preauth.htm

security.timeoutView=schema/ab-core/views/process-navigator/logout-preauth.htm

Restart the application, using the instructions above.
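Because sections 5.3 and 5.4 both change settings by hand, a check that a config directory has been put back is useful after debugging. The following is an added example, not part of the original document: it assumes the expected state is the "EASE ON" values together with app.debug=false, and the function names, finding labels and demo files are constructed for illustration.

```shell
#!/bin/sh
# prop_value FILE KEY: print the last uncommented "KEY=value" value in FILE.
# Simplification: only the key=value form shown on this page is parsed.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_config_dir DIR: print one finding per line; return 1 if any were found.
# Assumption: the expected state is the "EASE ON" values and app.debug=false.
# A missing or unreadable file also counts as a finding.
check_config_dir() {
    dir=$1; rc=0
    want_conf=context/security/security-preauth-remote-user-request-header.xml
    want_view=schema/ab-core/views/process-navigator/logout-preauth.htm
    for key in security.configurationFile security.logoutView security.timeoutView; do
        want=$want_view
        [ "$key" = security.configurationFile ] && want=$want_conf
        [ "$(prop_value "$dir/security.properties" "$key")" = "$want" ] ||
            { echo "EASE_OFF $key"; rc=1; }
    done
    [ "$(prop_value "$dir/core.properties" app.debug)" = false ] ||
        { echo "DEBUG_ON app.debug"; rc=1; }
    return $rc
}

# Constructed demo: a config directory left in its debugging state.
demo=$(mktemp -d)
cat > "$demo/security.properties" <<'EOF'
security.configurationFile=context/security/security-afm-users.xml
security.logoutView=login.axvw
security.timeoutView=login.axvw
EOF
echo 'app.debug=true' > "$demo/core.properties"
check_config_dir "$demo" || echo "config is not in its expected state"
```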


6 Disaster recovery plan

In the event of a Primary site loss, the database should be failed over to the other servers. The Tomcat services – webcent and sqstage - can be started on the AT application server and the service switched in the Brimham load balancer view. The user’s desktop mounting of the WebCProject Samba share can be modified to use the AT server.

Note that on service restoration, the rsync cron job will attempt to synchronise the AT contents from the KB server (so potentially deleting uploaded items in the Samba share). To avoid this, disable the SSH keys on the AT server before the KB server is brought back up.


Appendix A OLD Project Plans


1 EST082 Migration of Estates Application Servers

1.1.1 Stakeholders

Role | Unit | Name
Technical Architect | Development Technology | Riky Harris
Peer Reviewer | Development Technology |
Project Manager | Project Services | Mark Lang
Production Representative | Production Management | Ron McLeod
ITI Representative | IT Infrastructure |

1.1.2 Key deliverables

Deliverable | Business benefit
The Web Central system MUST be migrated to use the new Applications hosting servers | Use of supported, more performant infrastructure

1.1.3 Technical commitments

Commitment | Y/N | Justification (if not)
Will the project conduct a load test? | N | ##EST083 - order load not sufficient to justify this #to be agreed
Will the project conduct a DR test? | N | ## EST083 - not required with existing technology #to be agreed
Has a service restart been tested? | Y | ## EST083 -will be done during project


1.1.4 Summary of technical changes

As part of EST082, Web Central is moved from deprecated infrastructure to the new Applications hosting servers. The database tier remains unchanged.


1.1.5 Estimated costs

Item | Development | Test | Live
e.g. hardware | £ | £ | £
e.g. disk on SAN | £ | £ | £
e.g. backup | £ | £ | £
e.g. licences | £ | £ | £
e.g. maintenance | £ | £ | £
e.g. support | £ | £ | £
Subtotals | £ | £ | £
Total | £ 0

There are no new costs associated with the migration of this service to existing, shared infrastructure.
