JamesLindsay

Standard RAS Build

I have two servers at two different locations as my Central "Cluster" using the External URL in system settings as

https://my-oo.com:8443/oo which is the global load balancer address for the two servers

server1.mycompany.com and server2.mycompany.com

I'm trying to install 2 standard RAS servers in addition to the two I already have, but they are placed in a network segment that is not the same as the Central "cluster". These new RAS servers would be in a worker group different from the current RAS servers.

The Central servers are setup for SSL and have CA certificates installed using the FQDN of the server meaning each has it own certificate.

I'm having a tough time getting through the Standard RAS installation wizard. I'm not sure what Central address to use, as that seems to depend on what CA cert is installed, but on which server? Even when I try to add the cert of either Central server to the new RAS in the install wizard, I get connection or cert path issues.

AndreiTruta
Re: Standard RAS Build

In a cluster-based environment (2 Centrals behind a LB) we recommend using the LB URL when installing the RASes. This way, if one of the Centrals goes down your RAS will still function, as it communicates with the LB while the LB forwards to the running Central servers.

A diagram here: https://lnast01pcache.saas.hpe.com/asset/resources/pd/oo/1ln1459952004/HPOO_DisasterRecovery_Guide_0.pdf 

Andrei Vasile Truta
JamesLindsay

Re: Standard RAS Build

Thank you Andrei. So it sounds like I have the two Centrals installed correctly for DR. I suppose my issue comes back to the SSL certs then? Each Central server has its own certificate based on its own FQDN, such that when I attempt to test the connection I'm getting one of two errors each time I try, depending on what I have provided for the connection and cert inputs:

unable to connect: hostname in certificate didn't match: <my-oo.com> != <server1.mycompany.com>

unable to connect: hostname in certificate didn't match: <my-oo.com> != <server2.mycompany.com>

or

unable to connect: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

AndreiTruta

Re: Standard RAS Build

what URL are you providing during the install of the RASes?

Andrei Vasile Truta
JamesLindsay

Re: Standard RAS Build

AndreiTruta

Re: Standard RAS Build

I guess you got the hostname mismatch when you used the Centrals and the path error when you used the LB.

I suggest sticking with the LB. Try to follow the screenshot attached.

I hope this one will solve it.

StandardRAS.png

Andrei Vasile Truta
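The two wizard errors quoted above come from two different checks, and it helps to see them separately. Below is an added example (mine, not from the original thread and not HPE/Micro Focus OO or JDK code) that reproduces the JVM's hostname rule in Python on constructed certificate data: a cert with CN=server1.mycompany.com and no SANs can never satisfy a connection to my-oo.com, while a cert with the LB name as CN and both server FQDNs as DNS SANs satisfies all three names. The `probe()` function is for online use against your real URL with the CA file you would give the wizard; the certificate dicts, host names and CA file path are assumptions, and a failed chain check in `probe()` is the condition the JVM reports as "PKIX path building failed".

```python
"""Pre-flight check for the RAS install wizard: does the certificate at the
Central/LB URL name the host you typed, and is it trusted? Added example for
this thread, not part of OO or the JDK. The name matching follows the RFC
6125 rules the JVM applies (DNS SANs win, the subject CN counts only when
there are no DNS SANs, one wildcard as the leftmost label only) and is
written from those rules, not copied from the JDK; cert data is constructed.
"""
import socket
import ssl
from typing import Optional
from urllib.parse import urlparse

# Constructed cert dicts in the shape ssl.SSLSocket.getpeercert() returns.
PER_SERVER_CERT = {  # what each Central had: CN = its own FQDN, no SANs
    "subject": ((("commonName", "server1.mycompany.com"),),),
}
GLB_CERT = {  # the re-issued cert: CN = LB name, both FQDNs as DNS SANs
    "subject": ((("commonName", "my-oo.com"),),),
    "subjectAltName": (("DNS", "my-oo.com"),
                       ("DNS", "server1.mycompany.com"),
                       ("DNS", "server2.mycompany.com")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive; '*' only as the whole leftmost label, never across a
    dot and never against a bare public suffix such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """Names the cert is valid for: DNS SANs if present, otherwise the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(dns_name_matches(n, hostname) for n in names_in_cert(cert))


def explain(cert: dict, hostname: str) -> str:
    """Same shape as the wizard's 'hostname in certificate didn't match' line."""
    if hostname_matches(cert, hostname):
        return "ok"
    return "hostname in certificate didn't match: <%s> != <%s>" % (
        hostname, ", ".join(names_in_cert(cert)))


def probe(url: str, cafile: Optional[str] = None) -> str:
    """Online use: connect to the Central or LB URL as the RAS will, trusting
    only `cafile` (the .cer you would hand the wizard; None = system CAs).
    A failed chain check here is what the JVM reports as 'PKIX path building
    failed'; a passed chain check with the wrong name is the mismatch line."""
    u = urlparse(url)
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is reported by explain()
    try:
        with socket.create_connection((u.hostname, u.port or 443), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=u.hostname) as tls:
                return explain(tls.getpeercert(), u.hostname)
    except ssl.SSLCertVerificationError as exc:
        return "no trusted path from %s to the CA(s) in %s: %s" % (
            u.hostname, cafile or "system store", exc.verify_message)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it from the RAS host as `python check_central_cert.py https://my-oo.com:8443/oo ca.cer` before starting the wizard (file name and arguments are assumptions). If it prints the mismatch line against the LB name, the Centrals' certificates do not carry that name and no choice of .cer file will fix it; only a certificate that lists the LB name (and, for direct access, each server FQDN) as a DNS SAN will pass, which is why the per-server certificates in the thread fail the LB URL while passing their own FQDN.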
JamesLindsay

Re: Standard RAS Build

I can't see your pic very well, but I understand you are suggesting to use the LB address and get the LB CA cert. I guess I'm just not clear on how to do that second part. I'm also a bit confused about TLS vs. SSL and whether I have the right format: .crt/.cer vs. .pfx or .p12. The wizard stipulates .crt or .cer, but the hardening guide suggests otherwise.

All that said, I am able to get a successful connection test in the installation wizard if I use the Central server's FQDN address instead of the LB address and then use a .cer file created as a DER-encoded certificate export from that specific server. I think obviously this won't work in the desired load-balanced DR configuration.

JamesLindsay

Re: Standard RAS Build

Update, Please help...

Generated new keys on the CENTRAL server
keytool -genkeypair -keysize 2048 -keyalg RSA -alias tomHPOO -keystore "E:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\key.store.NEW"

Generated CSR

keytool -certreq -alias tomHPOO -keyalg RSA -file "E:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\27954tomHPOO.csr" -keystore "E:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\key.store.NEW"

Got a new CA cert with the GLB name as the CN and the FQDNs set as the SANs.

Stopped Central

Remove the old

keytool -delete -alias tomcat -keystore "E:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\key.store.NEW"

Import the new

keytool -importcert -alias tomcat -keystore "E:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\key.store.NEW" -file E:\newcert.cer

copy key.store key.store.org

copy key.store.NEW key.store

start Central

It would seem Tomcat does not start, because I cannot get a browser to connect to it, and this is in the wrapper.log:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
INFO   | jvm 1    | 2017/03/31 21:58:13 | java.io.IOException: Alias name tomcat does not identify a key entry

SEVERE: Failed to initialize connector [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
INFO   | jvm 1    | 2017/03/31 21:58:13 | org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]

Not sure what I did wrong?

 

AndreiTruta

Re: Standard RAS Build

Hi,

You did not keep the alias tomcat. You created the tomHPOO alias, but that is not used.

server.xml in Tomcat has the keyAlias set to tomcat.

How to solve: repeat your steps but keep the alias.

The keytool examples here show that "tomcat" is used as an alias. http://docs.software.hpe.com/OO/10.70/Content/Installation_Configuration/Change_ks_ts_pw.htm?Highlight=server.xml

Andrei Vasile Truta
JamesLindsay

Re: Standard RAS Build

Correct, the alias name needed to stay the same when I generated the keypair and the CSR. I thought that simply using the tomcat alias when I imported it would be fine. It was not. I corrected that, and now the new CA cert with the GLB name and the subject alternative names is in place. The only other issue I had was that I had to load the intermediate cert as well. So from a browser standpoint, I am now able to access Central using the GLB name and the FQDN name with no cert security warnings. So I moved on to the RAS installation on the other side of the firewall once again. This time it went very smoothly, taking the GLB address and using the new CA cert from Central. Upon completing the installation, the new standard RAS shows up on Central as available and idle.

wrapper.log on the RAS looks clean:
STATUS | wrapper  | 2017/04/03 20:34:43 | Base configuration file is E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\conf\ras-wrapper.conf
STATUS | wrapper  | 2017/04/03 20:34:43 | Found #include file in E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\conf\ras-wrapper.conf: ../conf/wrapper-ras-license.conf
STATUS | wrapper  | 2017/04/03 20:34:43 |   Reading included configuration file, E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\conf\wrapper-ras-license.conf
STATUS | wrapper  | 2017/04/03 20:34:43 | HPE Operations Orchestration RAS (@ E:/Program Files/Hewlett Packard Enterprise/HPE Operations Orchestration/ras) service installed.
STATUS | wrapper  | 2017/04/03 20:34:43 | Base configuration file is E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\conf\ras-wrapper.conf
STATUS | wrapper  | 2017/04/03 20:34:44 | Found #include file in E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\conf\ras-wrapper.conf: ../conf/wrapper-ras-license.conf
STATUS | wrapper  | 2017/04/03 20:34:44 |   Reading included configuration file, E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\conf\wrapper-ras-license.conf
STATUS | wrapper  | 2017/04/03 20:34:44 | --> Wrapper Started as Service
STATUS | wrapper  | 2017/04/03 20:34:44 | Java Service Wrapper Professional Edition 64-bit 3.5.17
STATUS | wrapper  | 2017/04/03 20:34:44 |   Copyright (C) 1999-2012 Tanuki Software, Ltd. All Rights Reserved.
STATUS | wrapper  | 2017/04/03 20:34:44 |     http://wrapper.tanukisoftware.com
STATUS | wrapper  | 2017/04/03 20:34:44 |   Licensed to Hewlett-Packard Company for OO Agent
STATUS | wrapper  | 2017/04/03 20:34:44 |
STATUS | wrapper  | 2017/04/03 20:34:45 | Launching a JVM...
INFO   | jvm 1    | 2017/04/03 20:34:47 | WrapperManager: Initializing...
INFO   | jvm 1    | 2017/04/03 20:34:47 | Running worker...
INFO   | jvm 1    | 2017/04/03 20:34:48 | java.home=E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\java
INFO   | jvm 1    | 2017/04/03 20:34:48 | mgmt.url=https://mycentral.com:8443/oo
INFO   | jvm 1    | 2017/04/03 20:34:48 | oo.home=E:/Program Files/Hewlett Packard Enterprise/HPE Operations Orchestration/ras
INFO   | jvm 1    | 2017/04/03 20:34:48 | worker.credentials.dir=null
INFO   | jvm 1    | 2017/04/03 20:34:48 | encryption.dir=null
INFO   | jvm 1    | 2017/04/03 20:34:48 | security.dir=null
INFO   | jvm 1    | 2017/04/03 20:34:48 | loading spring context ...
INFO   | jvm 1    | 2017/04/03 20:35:08 | Worker started

However, when I enable it I start getting these errors from it in E:\Program Files\Hewlett Packard Enterprise\HPE Operations Orchestration\ras\var\logs\execution.log:
2017-04-03 20:34:54,358 [WrapperSimpleAppMain] (AbstractBeanFactory.java:1432) WARN  - Bean creation exception on FactoryBean type check: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'm2ArtifactService' defined in class path resource [META-INF/spring/remoteServicesContext.xml]: Cannot resolve reference to bean 'executor' while setting bean property 'httpInvokerRequestExecutor'; nested exception is org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'executor': Requested bean is currently in creation: Is there an unresolvable circular reference?
2017-04-03 20:34:54,358 [WrapperSimpleAppMain] (ProxyUtilsImpl.java:37) INFO  - Proxy configuration mode: no
2017-04-03 20:34:54,998 [WrapperSimpleAppMain] (BasicAuthenticationCommonsHttpInvokerRequestExecutor.java:32) WARN  - Traffic compression settings : TRAFFIC_COMPRESSION_ENABLED[false]
2017-04-03 20:34:59,858 [WrapperSimpleAppMain] (AbstractEventsBuffer.java:57) WARN  - Debugger execution events:  - init buffer with capacity: 5000, with bulkSize:5000
2017-04-03 20:34:59,873 [WrapperSimpleAppMain] (DebuggerEventsOutBuffer.java:46) WARN  - Debugger execution events:  - init buffer with capacity: 5000, with bulkSize:5000
2017-04-03 20:34:59,873 [WrapperSimpleAppMain] (AbstractEventsBuffer.java:57) WARN  - Events:  - init buffer with capacity: 200, with bulkSize:200
2017-04-03 20:34:59,936 [WrapperSimpleAppMain] (AbstractEventsBuffer.java:57) WARN  - Step log Buffer:  - init buffer with capacity: 5000, with bulkSize:5000
2017-04-03 20:34:59,936 [WrapperSimpleAppMain] (LanguagesLogEventsOutBuffer.java:40) WARN  - Step log Buffer:  - init buffer with capacity: 5000, with bulkSize:5000
2017-04-03 20:34:59,967 [WrapperSimpleAppMain] (AbstractEventsBuffer.java:57) WARN  - Step log execution events:  - init buffer with capacity: 5000, with bulkSize:5000
2017-04-03 20:34:59,967 [WrapperSimpleAppMain] (StepLogEeOutBuffer.java:41) WARN  - Step log execution events:  - init buffer with capacity: 5000, with bulkSize:5000
2017-04-03 20:35:01,623 [WrapperSimpleAppMain] (OutboundBufferImpl.java:69) INFO  - maxBufferWeight = 7500
2017-04-03 20:35:01,623 [WrapperSimpleAppMain] (WorkerManager.java:92) INFO  - Initialize worker with UUID: 04d632f9-c301-4230-8379-83122a7ea0e5
2017-04-03 20:35:01,701 [WrapperSimpleAppMain] (InBuffer.java:86) INFO  - InBuffer capacity is set to :500, coolDownPollingMillis is set to :200
2017-04-03 20:35:09,248 [Thread-4] (WorkerManager.java:199) INFO  - Worker is up
2017-04-04 13:38:09,227 [WorkerFillBufferThread] (InBuffer.java:146) ERROR - Failed to load new ExecutionMessages to the buffer!
org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://mycentral.com:8443/oo/central-remoting/queueDispatcherService]; nested exception is java.net.UnknownHostException: mycentral.com
Caused by: java.net.UnknownHostException: mycentral.com
2017-04-04 13:38:09,243 [scoreWorkerScheduler-2] (WorkerConfigurationServiceImpl.java:83) ERROR - Failed to fetch paused information:
org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://mycentral.com:8443/oo/central-remoting/pauseResumeService]; nested exception is java.net.UnknownHostException: mycentral.com

This goes on for quite a bit... I've made no modifications to the ras-wrapper.conf file.

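The keystore failure diagnosed two posts up ("Alias name tomcat does not identify a key entry") and the intermediate-certificate issue mentioned in the post above are both visible in `keytool -list -v` output before Central is ever started. As an added example (not OO's own tooling and not from the thread), the following Python script checks both against server.xml: that the alias named by keyAlias on the 8443 Connector is a PrivateKeyEntry (the key pair and the CA reply under one alias), and that its chain is longer than one certificate, i.e. the intermediate is present. The server.xml fragment, both keytool listings, the CA names and the keystore password are constructed to mirror the thread and are assumptions, as is the keyAlias of `tomcat`, which is what the thread reports rather than something the script looks up.

```python
"""Check Central's Tomcat keystore against server.xml before starting it.
Added example for this thread, not part of OO: the keyAlias the 8443
Connector names must be a PrivateKeyEntry (key pair + CA reply under one
alias) and its chain should include the intermediate. Sample server.xml,
keytool listings, CA names and password below are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${oo.home}/var/security/key.store"
               keystorePass="changeit" keyAlias="tomcat"/>
  </Service>
</Server>
"""

# keytool -list -v as the keystore was first built: key pair under tomHPOO,
# CA reply imported under tomcat, so 'tomcat' is a trusted cert, not a key.
KEYTOOL_LIST_BROKEN = """Keystore type: JKS
Your keystore contains 2 entries

Alias name: tomhpoo
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=my-oo.com, O=MyCompany
Issuer: CN=my-oo.com, O=MyCompany

Alias name: tomcat
Entry type: trustedCertEntry

Owner: CN=my-oo.com, O=MyCompany
Issuer: CN=Example Issuing CA, O=MyCompany
"""

# After redoing the steps under alias tomcat and importing the intermediate.
KEYTOOL_LIST_FIXED = """Keystore type: JKS
Your keystore contains 1 entry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=my-oo.com, O=MyCompany
Issuer: CN=Example Issuing CA, O=MyCompany
Certificate[2]:
Owner: CN=Example Issuing CA, O=MyCompany
Issuer: CN=Example Root CA, O=MyCompany
Certificate[3]:
Owner: CN=Example Root CA, O=MyCompany
Issuer: CN=Example Root CA, O=MyCompany
"""


def connector_key_alias(server_xml: str, port: str = "8443") -> Optional[str]:
    """keyAlias of the SSL-enabled Connector on `port`, None if there is none."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == port and conn.get("SSLEnabled", "").lower() == "true":
            return conn.get("keyAlias")
    return None


def parse_keytool_list(text: str) -> dict:
    """alias (keytool lower-cases them) -> entry type and chain length."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", text):
        head = re.match(r"Alias name: (.+)", block)
        if not head:
            continue
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", block, re.M)
        entries[head.group(1).strip().lower()] = {
            "type": etype.group(1) if etype else None,
            "chain_length": int(chain.group(1)) if chain else 0,
        }
    return entries


def check_keystore(server_xml: str, keytool_list: str) -> list:
    """Problems that would stop the 8443 connector; empty list when clean."""
    alias = connector_key_alias(server_xml)
    if alias is None:
        return ["no SSLEnabled Connector on 8443 with a keyAlias in server.xml"]
    entries = parse_keytool_list(keytool_list)
    entry = entries.get(alias.lower())
    if entry is None:
        return ["alias %r not in keystore; present: %s" % (alias, sorted(entries))]
    if entry["type"] != "PrivateKeyEntry":
        return ["alias %r is a %s, not a PrivateKeyEntry; Tomcat will log "
                "'Alias name %s does not identify a key entry'" % (alias, entry["type"], alias)]
    if entry["chain_length"] < 2:
        return ["alias %r has a chain of length %d: self-signed, or the CA reply was "
                "imported without its intermediate" % (alias, entry["chain_length"])]
    return []
```

Feed it the output of `keytool -list -v -keystore key.store -storepass <password>` from the OO-bundled JRE (redirect to a file and pass its contents together with server.xml to `check_keystore()`). A trustedCertEntry under the Connector's alias is exactly the "does not identify a key entry" failure from the wrapper.log: `-genkeypair`, `-certreq` and the reply `-importcert` must all use the same alias so that the CA reply attaches to the private key instead of landing as a separate trusted certificate.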
AndreiTruta

Re: Standard RAS Build

Is mgmt.url=https://mycentral.com:8443/oo the FQDN of the LB? Just make sure it is set to the correct value by changing it in the wrapper conf file of your RAS.

On top of that, it might be that you'll need some proxy settings in the same wrapper conf, similar to the below (just make sure you do not duplicate the additional numbers).

wrapper.java.additional.1=-Dhttp.proxySet=true
wrapper.java.additional.2=-Dhttp.proxyHost=<the proxy host>
wrapper.java.additional.3=-Dhttp.proxyPort=<the proxy port>
wrapper.java.additional.4=-Dhttp.proxyUser=<the proxy username>
wrapper.java.additional.5=-Dhttp.proxyPassword=<the proxy password>

Andrei Vasile Truta
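An added example (mine, not part of OO and not from the thread) that checks the RAS side of what the post above asks for: that the Central URL in ras-wrapper.conf is the LB FQDN and resolves from the RAS's network segment, and that proxy lines appended as wrapper.java.additional.N do not reuse an index already present in the file. It assumes the RAS receives its Central URL as the JVM system property -Dmgmt.url=... on one of those lines (the RAS log prints mgmt.url=..., but where the installer writes it is an assumption here); the conf fragment, proxy host and port are constructed. Alongside the http.proxyHost/http.proxyPort pair from the post it also emits https.proxyHost/https.proxyPort, because the JDK's standard networking properties use the https.* pair for https URLs such as the Central address.

```python
"""Validate the RAS's ras-wrapper.conf before enabling the worker: the Central
URL the RAS calls must be the LB FQDN and resolve from the RAS's segment, and
proxy settings appended as wrapper.java.additional.N must not reuse an index.
Added example for this thread, not part of OO. Assumes the Central URL is the
JVM system property -Dmgmt.url=... on a wrapper.java.additional.N line; the
conf text below is constructed, not the poster's file."""
import re
from typing import Callable, Optional
from urllib.parse import urlparse

SAMPLE_CONF = """# constructed ras-wrapper.conf fragment
wrapper.java.command=../java/bin/java
wrapper.java.additional.1=-Doo.home=../
wrapper.java.additional.2=-Dhttps.protocols=TLSv1.2
wrapper.java.additional.3=-Dmgmt.url=https://mycentral.com:8443/oo
# proxy lines pasted in without renumbering, the mistake the post warns about:
wrapper.java.additional.1=-Dhttp.proxyHost=proxy.mycompany.com
wrapper.java.additional.2=-Dhttp.proxyPort=8080
"""

ADDITIONAL_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$")


def parse_additional(conf_text: str):
    """(index -> value) for every wrapper.java.additional.N, plus the indexes
    that occur more than once. This parser records the later value."""
    props, dupes = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ADDITIONAL_RE.match(line)
        if not m:
            continue
        idx, value = int(m.group(1)), m.group(2).strip()
        if idx in props:
            dupes.append(idx)
        props[idx] = value
    return props, dupes


def system_property(props: dict, name: str) -> Optional[str]:
    """Value of -Dname=value among the additional JVM arguments, or None."""
    prefix = "-D%s=" % name
    for value in props.values():
        if value.startswith(prefix):
            return value[len(prefix):]
    return None


def mgmt_url_problems(url: Optional[str], lb_host: str,
                      resolve: Optional[Callable[[str], str]] = None) -> list:
    """Compare the configured Central URL with the LB FQDN and, if `resolve`
    is given (socket.gethostbyname for real use), check that the name resolves
    as the RAS JVM will; a failure here is the java.net.UnknownHostException
    seen in execution.log."""
    if url is None:
        return ["no -Dmgmt.url= among wrapper.java.additional.N"]
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append("mgmt.url is not https: %s" % url)
    if (u.hostname or "").lower() != lb_host.lower():
        problems.append("mgmt.url host %s is not the LB FQDN %s" % (u.hostname, lb_host))
    if resolve is not None:
        try:
            resolve(u.hostname)
        except OSError as exc:
            problems.append("%s does not resolve from this RAS: %s" % (u.hostname, exc))
    return problems


def proxy_lines(props: dict, host: str, port: int) -> list:
    """Proxy settings numbered after the highest index already in use. The JDK
    reads http.proxyHost/Port for http URLs and https.proxyHost/Port for https
    URLs, so both pairs are emitted for an https Central."""
    start = max(props, default=0) + 1
    settings = ["-Dhttp.proxyHost=%s" % host, "-Dhttp.proxyPort=%d" % port,
                "-Dhttps.proxyHost=%s" % host, "-Dhttps.proxyPort=%d" % port]
    return ["wrapper.java.additional.%d=%s" % (start + i, s) for i, s in enumerate(settings)]


def check_conf(conf_text: str, lb_host: str, resolve=None) -> list:
    """All problems found in one pass: duplicate indexes, then the URL checks."""
    props, dupes = parse_additional(conf_text)
    problems = ["wrapper.java.additional.%d is defined more than once" % i
                for i in sorted(set(dupes))]
    return problems + mgmt_url_problems(system_property(props, "mgmt.url"), lb_host, resolve)
```

On the RAS host, call `check_conf(open(conf_path).read(), "mycentral.com", resolve=socket.gethostbyname)` (path and LB name are assumptions). A resolution failure there is the same condition execution.log reports as java.net.UnknownHostException: the LB name is not resolvable from the RAS's segment, which is a DNS or proxy question on the RAS side rather than a Central configuration problem.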
JamesLindsay

Re: Standard RAS Build

Yes, mgmt.url=https://mycentral.com:8443/oo is the FQDN of the LB. Not sure about an available proxy. I did find this, but I'm not sure it applies:

QCCR8C31682 [EPR Lloyds] Upgrading RASes Automatically through Central failed
