This page covers the configuration changes and steps needed to enable HA for Ranger KMS using a load balancer. The steps given are for Apache HTTPD.
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
    LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
    LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
    # This is the Apache server configuration file providing SSL support.
    # It contains the configuration directives to instruct the server how to
    # serve pages over an https connection. For detailing information about these
    # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do. They're here only as hints or reminders. If you are unsure
    # consult the online docs. You have been warned.
    #Listen 80
    <VirtualHost *:88>
        ProxyRequests off
        ProxyPreserveHost on
        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
        # The balancer name must match the one used by ProxyPass/ProxyPassReverse below.
        <Proxy balancer://rangerkmscluster>
            BalancerMember http://ranger-kms-host1-fqdn:9292 loadfactor=1 route=1
            BalancerMember http://ranger-kms-host2-fqdn:9292 loadfactor=1 route=2
            Order Deny,Allow
            Deny from none
            Allow from all
            ProxySet lbmethod=byrequests scolonpathdelim=On stickysession=ROUTEID maxattempts=1 failonstatus=500,501,502,503 nofailover=Off
        </Proxy>
        # balancer-manager
        # This tool is built into the mod_proxy_balancer
        # module and will allow you to do some simple
        # modifications to the balanced group via a gui
        # web interface.
        # "Allow from all" lets any client reach the manager; limit it to administrator hosts.
        <Location /balancer-manager>
            SetHandler balancer-manager
            Order deny,allow
            Allow from all
        </Location>
        ProxyPass /balancer-manager !
        ProxyPass / balancer://rangerkmscluster/
        ProxyPassReverse / balancer://rangerkmscluster/
    </VirtualHost>
Follow steps 1 to 5 from the earlier section to install httpd, then follow the steps below.
yum groupinstall "Development Tools"
yum install openssl-devel
yum install pcre-devel
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
    LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
    LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
    LoadModule ssl_module modules/mod_ssl.so
Generate private key
Generate CSR
Generate Self Signed Key
Generate keystore in PEM format
Use keytool to convert PEM format keystore to JKS format
Create truststore of load balancer self signed keystore
keytool -export -keystore httpd_lb_keystore.jks -alias httpd.lb.server.alias -file httpd-lb-trust.cer
Copy the generated key and certificate to the appropriate location:
vi /usr/local/apache2/conf/ranger-kms-lb-ssl.conf
Now configure the Ranger KMS URLs on the load balancer.
The BalancerMember URLs, i.e. BalancerMember http://ranger-kms-host1-fqdn:9292 loadfactor=1 route=1 and http://ranger-kms-host2-fqdn:9292 loadfactor=1 route=2, must be the addresses of your Ranger KMS hosts.
When adding the lines below, change the port if needed. <VirtualHost *:8443> uses port 8443, which must be the same port you set in the earlier step.
    <VirtualHost *:8443>
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /usr/local/apache2/conf/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/server.key
        SSLVerifyClient optional
        SSLOptions +ExportCertData
        # The SSLProxy* settings below apply only to https:// backends and
        # turn off certificate checks for them.
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        ProxyRequests off
        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
        # The balancer name must match the one used by ProxyPass/ProxyPassReverse below.
        <Proxy balancer://rangerkmscluster>
            BalancerMember http://ranger-kms-host1-fqdn:9292 loadfactor=1 route=1
            BalancerMember http://ranger-kms-host2-fqdn:9292 loadfactor=1 route=2
            Order Deny,Allow
            Deny from none
            Allow from all
            ProxySet lbmethod=byrequests scolonpathdelim=On stickysession=ROUTEID maxattempts=1 failonstatus=500,501,502,503 nofailover=Off
        </Proxy>
        # balancer-manager
        # This tool is built into the mod_proxy_balancer
        # module and will allow you to do some simple
        # modifications to the balanced group via a gui
        # web interface.
        # "Allow from all" lets any client reach the manager; limit it to administrator hosts.
        <Location /balancer-manager>
            SetHandler balancer-manager
            Order deny,allow
            Allow from all
        </Location>
        ProxyPass /balancer-manager !
        ProxyPass / balancer://rangerkmscluster/
        ProxyPassReverse / balancer://rangerkmscluster/
    </VirtualHost>
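
A pre-deployment check for a balancer virtual host like the ones on this page, as an added example (not part of the original page and not code from the Apache Ranger or httpd projects). The function name, the finding labels and the sample configuration are constructed for illustration; it flags a ProxyPass that names an undefined balancer, a backend listed twice, a missing space before balancer://, and a balancer-manager open to all clients.

```python
import re

# Constructed sample (not a real deployment): a balancer vhost that
# contains four hand-editing mistakes.
SAMPLE_CONF = """
<VirtualHost *:8443>
  <Proxy balancer://rangercluster>
    BalancerMember http://ranger-kms-host1-fqdn:9292 loadfactor=1 route=1
    BalancerMember http://ranger-kms-host1-fqdn:9292 loadfactor=1 route=2
    ProxySet lbmethod=byrequests stickysession=ROUTEID
  </Proxy>
  <Location /balancer-manager>
    SetHandler balancer-manager
    Allow from all
  </Location>
  ProxyPass /balancer-manager !
  ProxyPass / balancer://rangerkmscluster/
  ProxyPassReverse /balancer://rangerkmscluster/
</VirtualHost>
"""

def lint_balancer_conf(text):
    """Return a list of finding strings for one httpd balancer config."""
    # Drop blank lines and comments so commented-out directives are ignored.
    lines = [s for s in (l.strip() for l in text.splitlines())
             if s and not s.startswith("#")]
    body = "\n".join(lines)
    findings = []
    # 1. ProxyPass/ProxyPassReverse must target a balancer that is defined.
    defined = set(re.findall(r"(?im)^<Proxy\s+balancer://([\w.-]+)", body))
    used = set(re.findall(
        r"(?im)^ProxyPass(?:Reverse)?[ \t]+\S+[ \t]+balancer://([\w.-]+)", body))
    findings += [f"undefined-balancer:{n}" for n in sorted(used - defined)]
    # 2. The same backend URL listed twice gives no failover to a second node.
    members = re.findall(r"(?im)^BalancerMember\s+(\S+)", body)
    dupes = sorted({m for m in members if members.count(m) > 1})
    findings += [f"duplicate-member:{m}" for m in dupes]
    # 3. "/balancer://..." with no space is one argument, not path + target.
    if re.search(r"(?im)^ProxyPass(?:Reverse)?\s+/balancer://", body):
        findings.append("proxypass-missing-space")
    # 4. balancer-manager can modify the balanced group; flag it when open.
    for block in re.findall(
            r"(?is)<Location\s+/balancer-manager>(.*?)</Location>", body):
        if re.search(r"(?im)^(Allow\s+from\s+all|Require\s+all\s+granted)$",
                     block):
            findings.append("balancer-manager-open")
    return findings
```

To check a real file, pass its contents to lint_balancer_conf(), for example the text of /usr/local/apache2/conf/ranger-kms-lb-ssl.conf, and treat a non-empty result as a reason to review the file before restarting httpd.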