Please change the example values below to match your specific environment.
Please change the example values below to match your specific environment.
Add the apache user to the
tungsten group:
shell> sudo usermod -a -G tungsten apache
Create the apache configuration file for the web
service:
shell> sudo vim /etc/httpd/conf.d/z01-tungsten-dashboard.confFor Apache version 2.2:
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
Header set Access-Control-Allow-Origin *
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#AuthType Basic
#AuthName "Tungsten Dashboard - RESTRICTED"
#AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
#Require valid-user
</Directory>
</VirtualHost>
For Apache version 2.4 with no authentication or Role-Based Access Control (RBAC):
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
For Apache version 2.4 with auth and RBAC using Basic Auth with an htpasswd-generated file:
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#Require all granted
<RequireAll>
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>
For Apache version 2.4 with auth and RBAC using Basic Auth via LDAP:
shell> sudo yum install -y mod_ldap
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#Require all granted
<RequireAll>
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.ad.demo.com:XXX/DC=ad,DC=demo,DC=com?sAMAccountName?sub
AuthLDAPBindDN ldapuser@ad.demo.com
AuthLDAPBindPassword abcdef123456
Require ldap-group CN=DataServicesAdmins,OU=SQL,OU=Groups,OU=London,OU=NewYork,OU=United States,OU=North America,DC=ad,DC=demo,DC=com
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>
Check the configuration and restart the web server:
shell>sudo apachectl configtestshell>sudo apachectl restart
To use Apache Basic Authentication, edit the Apache configuration file appropriate to your version (2.2. or 2.4, see below), then run the below three commands:
To use Apache 2.2 Basic Authentication, uncomment the four commented-out lines in the example.
To use Apache 2.4 Basic Authentication, select one of the above two example RBAC configs and edit the Apache configuration file accordingly.
shell>htpasswd -c /volumes/data/www/tungsten/etc/.htpasswd {desiredlogin}shell>sudo apachectl configtestshell>sudo apachectl graceful
To enable RBAC security, the
$WEBROOT/config.json file will need to be
updated with two settings: "enableRBAC": 1 and
"administrators": [], for example:
{
"clusters": {
},
"menus": {
},
"settings": {
"administrators": [ "tungsten","admin","root" ],
"enableRBAC":1
}
}When RBAC is enabled (requires web server Basic Auth to be working fully), there are just two roles currently:
admistrator - which gives read-write access
to everything to any valid login listed in the
"administrators":[] option in the config
file.
operator - which is read-only and is the role
given to anyone with a valid login
There are additional steps to take when SELinux is enabled.
shell>sudo -ishell>semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/tungsten/html(/.*)?"shell>restorecon -Rv /var/www/tungsten/*shell>semanage port -a -t http_port_t -p tcp 8090shell>setsebool -P httpd_can_network_connect 1shell>systemctl restart httpdshell>systemctl restart php-fpm
Be sure to check in the audit.log for any
denied messages containing http
or php.
This sequence of steps to install and configure Apache 2 and HAProxy on Ubuntu was derived from a session with a customer. YMMV as always.
Generate the custom frontend and backend definitions for HAProxy, and prepare the cluster for updates to the configuration of the cluster nodes, if you have not done them already:
On a single database node per cluster:
tungsten@db1 shell>tpm generate-haproxy-for-apitungsten@db1 shell>echo 'set policy maintenance' | cctrl
Update the cluster configuration to support the REST APIv2.
On all database nodes:
tungsten@dbN shell>vi /etc/tungsten/tungsten.ini==> Ensure that the rest api settings have been added to the above! tungsten@dbN shell>tpm updatetungsten@dbN shell>tapi ping==> Create the REST API admin user if you did not do so at install time: tungsten@dbN shell>tapi --create --create-user tungsten --create-password secret
AFTER all tpm updates have been completed, return the cluster to AUTOMATIC mode.:
On a single database node per cluster:
tungsten@db1 shell> echo 'set policy automatic' | cctrl
Update the /etc/hosts file to ensure all nodes
are reachable.
On the Dashboard web server, perform the following steps as the root user or use sudo for all steps:
tungsten@db1 shell>XXXshell#nslookup dashboard.customer.orgshell#vi /etc/hosts==> Ensure this server's hostname exists in the hosts file ==> Ensure that all database nodes exist in the hosts file
Install Apache 2 and all other needed software on the Dashboard web server:
shell#apt updateshell#apt install apache2shell#systemctl start apache2shell#systemctl enable apache2shell#systemctl status apache2shell#apache2 -Vshell#apt install php php-curl libapache2-mod-php jq socat haproxyshell#vi /etc/php/7.4/apache2/php.ini==> enable extension=php_curl by removing the leading semi-colon (;) shell#systemctl restart apache2
In this example, the customer placed the Tungsten Dashboard web root directory onto an NFS mount, so we needed to create that set of directories before installing the Dashboard package:
shell#mkdir -p /nfs/tungsten/html /nfs/tungsten/etc /nfs/tungsten/logsshell#chown -R www-data: /nfs/tungstenshell#chmod -R ug+rw /nfs/tungsten
Create the .htpassword file to provide Basic
Authorization functionality.
shell#htpasswd -c /nfs/tungsten/etc/.htpasswd tungstensecretsecretshell#cat /nfs/tungsten/etc/.htpasswd
Install the Tungsten Daashboard software package from your home directory into the web root directory, on NFS in this case:
shell#cdshell#tar xvzf tungsten-dashboard-1.0.15-10.tar.gzshell#cd tungsten-dashboard-1.0.15-10shell#cp html/config.php.sample html/config.phpshell#rsync -a html/ /nfs/tungsten/html/shell#vi /nfs/tungsten/html/config.json==> Update the administrators entry if needed:"administrators":[ tungsten ],==> Update the enableRBAC entry to 1:"enableRBAC":1,
Configure the Dashboard virtualhost in Apache2:
For example Apache 2 conf file entries, please see the above section Section 7.1, “Example: Web Server on Amazon Linux 2”.
shell#less /etc/apache2/envvarsshell#less /etc/apache2/apache2.confshell#vi /etc/apache2/sites-enabled/000-default.conf==> Edit the existing section to add the needed items shell#apachectl configtestshell#systemctl restart apache2shell#systemctl status apache2shell#journalctl -xeshell#cat /var/log/apache2/error.log
Validate that the Dashboard web server host is able to reach all the nodes:
shell> for host in db1 db2 db3 db4 db5 db6; do
ping $host
#telnet $host 8090
/usr/bin/curl -s --insecure --user tungsten:secret 'http://${host}:8090/api/v2/manager/status' | jq .
doneConfigure and test HAProxy:
shell#systemctl enable haproxyshell#systemctl start haproxyshell#systemctl status haproxyshell#vi /etc/haproxy/haproxy.cfgshell#systemctl restart haproxyshell#systemctl status haproxyshell#socat stdio /var/run/haproxy.sock | grep -i statshell>telnet localhost 8201shell>telnet localhost 8202shell>telnet localhost 8203shell>/usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8201/api/v2/manager/status' | jq .shell>/usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8202/api/v2/manager/status' | jq .shell>/usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8203/api/v2/manager/status' | jq .