Technical Architecture



Web CentralTechnical ArchitectureVersion 1.1214/09/2015Contents TOC \o "1-2" \h \z \u 1Project planning PAGEREF _Toc430106569 \h 51.1EST083 Migration of Estates Application Servers PAGEREF _Toc430106570 \h 5Previous projects PAGEREF _Toc430106571 \h 81.2EST082 Migration of Estates Application Servers PAGEREF _Toc430106572 \h 82Service design PAGEREF _Toc430106573 \h 112.1Service description PAGEREF _Toc430106574 \h 112.2Resilience measures PAGEREF _Toc430106575 \h 142.3Disaster recovery category PAGEREF _Toc430106576 \h 142.4Backup policy PAGEREF _Toc430106577 \h 152.5Security issues PAGEREF _Toc430106578 \h 152.6Authentication and authorisation PAGEREF _Toc430106579 \h 162.7External access PAGEREF _Toc430106580 \h 172.8Interfaces and dependencies PAGEREF _Toc430106581 \h 172.9Exceptions and other issues PAGEREF _Toc430106582 \h 173Service specification PAGEREF _Toc430106583 \h 193.1URLs, certificates and channels PAGEREF _Toc430106584 \h 193.2Servers PAGEREF _Toc430106585 \h 203.3Users, roles and groups PAGEREF _Toc430106586 \h 223.4Data sources PAGEREF _Toc430106587 \h 253.5Firewall configuration PAGEREF _Toc430106588 \h 253.6Scheduled tasks PAGEREF _Toc430106589 \h 263.7Software licences PAGEREF _Toc430106590 \h 274Service operation PAGEREF _Toc430106591 \h 284.1Support contacts PAGEREF _Toc430106592 \h 284.2Startup and shutdown steps PAGEREF _Toc430106593 \h 284.3Log files PAGEREF _Toc430106594 \h 324.4Configuration files PAGEREF _Toc430106595 \h 334.5Patching PAGEREF _Toc430106596 \h 335Common procedures PAGEREF _Toc430106597 \h 345.1Cloning PAGEREF _Toc430106598 \h 345.2Giving access to Samba shares PAGEREF _Toc430106599 \h 355.3Switch on/off debugging PAGEREF _Toc430106600 \h 365.4Switch on/off EASE authentication PAGEREF _Toc430106601 \h 376Disaster recovery plan PAGEREF _Toc430106602 \h 38Version controlDateVersionAuthorSectionsAmendments04/09/20131.0Gordon McKennaAllInitial draft based on K:\ISAPPS\dsg\DevelopmentTechnology\tad_diags\EST069\Technical_Architecture.doc 06/09/20131.1Gordon McKenna3, 5, 9, 15, 20Minor changes following review by DevTech.12/09/20131.2Gordon McKenna2Added explanation of afm UUN problem following handover meeting.07/11/20131.3Gordon McKenna12Reverted to active-passive configuration.13/06/20141.4Gordon McKenna1, 4, 21Changed Archibus version number, added detail about EST074.19/11/20141.5Pride ShoniwaAllChanged server names12/12/20141.6Riky HarrisAllMainly formatting changes03/02/20151.7Riky HarrisAllConvert to new template for EST08224/03/20151.8Riky Harris3.1Add details of Web Central CAD service08/06/151.9Anne Finnan5.2Added 5.2.3 connecting to samba15/06/20151.10Gordon McKenna5.3, 5.4Added instructions on switching on/off debugging and EASE. 23/06/20151.11Gordon McKenna4.2Amended shutdown procedure to delete all folders under ../jsp, not just schemaCompiled.14/09/20151.12Ewan Scott1,2,3,4,6EST083 – process improvement: amendments – the SQStage java app##Black font colour to be restored at end of project##Project planningEST083 – process improvement: amendments to purchase order process (SQStage java app)StakeholdersRoleUnitNameTechnical Architect Development TechnologyEwan ScottPeer ReviewerDevelopment TechnologyGillian HendersonProject ManagerProject ServicesAndy StewartProduction RepresentativeProduction ManagementAnne FinnanITI RepresentativeIT Infrastructure???Key deliverablesDeliverableBusiness benefitThe project MUST provide an infrastructure that will enable the purchase order process to be migrated from the Archibus desktop client to the SciQuest infrastructure.Remove a dependency on the Archibus PC clientImproved efficiency and quality in procurement from improved procurement management in SciQuest.The project SHOULD deliver a structure that will allow other services beyond Archibus to use the Purchase Requisition java application.The java application structure developed - the SQStage java app - should offer a generic interface to SciQuest which other services can plug into.Technical commitmentsCommitmentY/NJustification (if not)Will the project conduct a load test?N##to be decidedWill the project conduct a DR test?NThe DR technology is already provenHas a service restart been tested?Nwill be testedSummary of technical changesCurrently Estates and Buildings create and manage purchase orders within Archibus Desktop Client. This project migrates this process so that purchase orders are created and managed with SciQuest.a new java application will receive and send validation responses to SciQuest. requisition and purchase order management will be implemented in Web Central.a new purchase order import into the Archibus schema will be created.To facilitate this:a new application user will be created on the web central application servers to host the SQStage java app running under a fresh tomcat install.a new GEN database schema will be created handle staging area data.new tables will be created within the EBIS database AFM schema.a new URL will be created to run under https for the secure link with the external sciQuest systemEstimated costsItemDevelopmentTestLivee.g. hardware???e.g. disk on SAN???e.g. backup???e.g. licences???e.g. maintenance???e.g. support???Subtotals???Total? 0There are no new costs associated with the migration of this service to existing, shared infrastructure. ###to be confirmedService designService descriptionWeb Central is an application which enables the Estates and Buildings division to manage the University’s property holdings. It consists of a web enabled application hosted on Apache/Tomcat, and an Oracle database on a Linux server.Web Central is responsible for managing the validating requisitions created by Estates users in SciQuest. This is refered to as the SQStage java app.Key technologiesTechnologyVersionNew or existingArchibus 21.2ExistingApache HTTPD2.2ExistingApache Tomcat5.5.36ExistingOracle Java Development Kit1.6.0_45ExistingOracle Client11gR2 x86ExistingOracle RDBMS11.2.0.3.0ExistingLinux2.6.32-358.14.1.el6.x86_64ExistingSamba3.0.10 on appsutilkb1t, 3.0.28 on appsutilkb1ExistingSQStage java appSciQuest?.?##get current SciQuest versionApache Tomcat8New versionJava1.8New versionTechnical diagrams(from System Design Document)Resilience measuresApplicationMain applicationFor some time, the Web Central application has been running in an Active-Active configuration on servers running at two different sites. If one server became unavailable, the other would continue to host the application.One limitation of this configuration was for file storage. A samba share provides access for Estates staff to directly edit and upload drawings onto the file system. To save complication, this is only to the KB server, so changes made were not reflected to users accessing the Web Central system on AT until the rsync cron job ran.Another problem was that users saving views and dashboard settings to the website would be unable to access these on a subsequent login to the other web server, before the rsync job had run.Given these two problems and the small number of users accessing the system, it was decided to revert to an active-passive configuration in November 2013. The fact that the application was running in active-active was in any case felt to be an error which had crept into the system at some unknown time in the past.In the event of a failure of the active server, the Tomcat instances – webcentral and sqstage - on the passive server should be started using the instructions above, and the Load Balancer will automatically reroute all traffic to it.DatabaseThe database runs under Oracle Data Guard configured for maximum availability. This ships the archive redo logs to a standby database, so that in the event of a failure of the primary database the standby database can be opened with minimal loss of service.Disaster recovery categoryApplicationCategoryWeb Central3Archibus Client3SQStage java app3Backup policyComponentVariance from backup policyOperating System None (standard backup)DatabaseNone (standard backup)File systemNone (standard backup)OtherNone (standard backup)Security issuesThe Web Central application is accessed via SSL. As SSL termination is being used by the load balancers, network traffic on the UoE network would be unencrypted.The SQStage java app is not used by users directly and is accessed via SSL only, with traffic unencrypted after offload at the load balancers. The only valid external source IP addresses allowed to connect are those provided by SciQuest (66.179.165.172, 66.179.165.140).Access via the Archibus client (internal to the UoE network only) uses unencrypted SQLnet.Access and authority to publish to the samba file share is restricted by Unix username and password on each Application server.Authentication for access with ODBC for the Archibus client uses the AFM database account – the schema owner for all of the Archibus data. Firstly, it is not recommended that this is the account used for client connections. Secondly, the ‘weak’ password for this account is the same for all three environments, which is also not recommended. Thirdly, the password for this account is very widely known amongst Estates, IS, external suppliers and others and the potential for misuse is massive. While IS Applications would never share a password in this manner, it is assumed that the Business Owners must be sharing it, which, again, is not recommended.Authentication and authorisationEASE is used for authentication of Web Central users with authorisation being performed internally by the Web Central application which uses tables in the AFM_SECURE schema in the EBIS database.As the AutoDesk space planning tools are not able to use Cosign SSO, the Web Central CAD service provides an alternative Apache VHost without Cosign to connect to the same application via an alternative AJP.Access to the SciQuest system is based on EASE authentication in conjunction with external authorisation controlled by SciQuest.External accessNameContact detailsAccess methodDescription of needMartin Matt, Mass PLCInnovation House, Molly Millar’s Close, Wokingham, Berkshire, RG41 2RXTel: 01189 778560Mobile: 07956 298920martin.matt@mass-Citrix GoToMeetingVia Dev Tech memberAccess to application via conference call and desktop sharing application, with a client running on Dev Tech / Estates PC###add SciQuest if access to be grantedInterfaces and dependenciesThe Archibus system depends on the EBIS database which contains the data being available.SQStage application data is hosted in the GEN database.To access Web Central, EASE must be available.The external Sciquest site must be available to initiate purchase requisition.SciQuest exports an XML file daily for processing into eFinancials.The EBIS database pulls purchase order data over from FIN database in daily scheduled job.Exceptions and other issuesBecause the upgrade is going to be an in-place upgrade across the three environments, there will be periods when DEV, TEST and LIVE are running different versions.Database changes may have an impact on other projects working on the EBIS databases.We would also recommend that the version of Tomcat used is updated due to security concerns with 5.5.31. However, it is understood that Mass Capital Budgeting does not work with Tomcat 6. Further investigation with the supplier is required.There are no such issues with the SQStage java app and it is running on Java 1.8 and Tomcat 8.Service specificationURLs, certificates and channelsDevelopmentApplicationURLWeb Central Central CAD java app Central Central CAD java app Central Central CAD java app CNCAServerLocationwww-dev.webcentral.estates.ed.ac.ukCosign/usr/local/certswww-test.webcentral.estates.ed.ac.ukCosign/usr/local/certswebcentral.estates.ed.ac.ukCosign/usr/local/certswww-dev.webcentralcad.estates.ed.ac.ukCosign/usr/local/certswww-test.webcentralcad.estates.ed.ac.ukCosign/usr/local/certswebcentralcad.estates.ed.ac.ukCosign/usr/local/certswww-dev.webcentral.estates.ed.ac.ukEdUni/usr/local/certswww-test.webcentral.estates.ed.ac.ukEdUni/usr/local/certswebcentral.estates.ed.ac.ukEdUni/usr/local/certs channelsNone.ServersApplication serversDevelopmentTestLiveServersappsutilkb1d(Active)appsutilat1d (Disabled)appsutilkb1t (Active)appsutilat1t (Disabled)appsutilkb1 (Active)appsutilat1 (Disabled)Physical / VirtualVirtualVirtualVirtualShared / DedicatedSharedSharedSharedCPU cores444Memory16GB16GB16GBOSRHEL 6.6RHEL 6.6RHEL 6.6Software and versionsWeb Central v21,Tomcat 5.5.36Web Central v21,Tomcat 5.5.36Web Central v21,Tomcat 5.5.36DependenciesSMTP, Cosign, Samba, JDK, rsyncSMTP, Cosign, Samba, JDK, rsyncSMTP, Cosign, Samba, JDK, rsyncDatabase serversDevelopmentTestLiveServeroradevkb.is.ed.ac.ukoradevat.is.ed.ac.ukoratestkb2.is.ed.ac.ukoratestat2.is.ed.ac.ukoraat2.is.ed.ac.ukorakb2.is.ed.ac.ukPhysical / VirtualPhysicalPhysicalPhysicalShared / DedicatedSharedSharedSharedCPU cores323232Memory384GB384GB384GBOSRHEL 6.6RHEL 6.6RHEL 6.6InstanceEBISDEVEBISTESTEBISLIVEDatabase version11.2.0.3.011.2.0.3.011.2.0.3.0DependenciesN/AN/AN/AFile systemsServer namesVolumeSizePurposeN/AFile sharesServer namesShared pathShare nameappsutilkb1d.is/u01/app/webcent/apache-tomcat/webapps/archibus/projects/\\appsutilkb1d\WebCProjectappsutilkb1t.is/u01/app/webcent/apache-tomcat/webapps/archibus/projects/\\appsutilkb1t\WebCProjectappsutilkb1.is/u01/app/webcent/apache-tomcat/webapps/archibus/projects/\\appsutilkb1\WebCProjectShare nameUsers / groupsPermissionsappsutilat1d.is/u01/app/webcent/apache-tomcat/webapps/archibus/projects/\\appsutilat1d\WebCProjectappsutilat1t.is/u01/app/webcent/apache-tomcat/webapps/archibus/projects/\\appsutilat1t\WebCProjectappsutilat1.is/u01/app/webcent/apache-tomcat/webapps/archibus/projects/\\appsutilat1\WebCProjectThe samba shares on the AT servers (greyed out above) exist to keep the systems identical and to enable running of the service on these servers for Business Continuity reasons.Users, roles and groupsUnixUsernameHome directoryDescriptionAll accounts below relate to the application servers – appsutil[kb|at]*afm/home/mis/afmRuns various cron scripts. Note that you can’t log in directly as this user, because there is a user in the university who already has this UUN. If you need to access this account, log in as oracle and “sudo su afm”.webcent/homes/est/webcentApplication owner.sqstage/homes/est/sqstageSQStage java app user.afinnanafsmithastewar4charperdfoggoetorrancgboaggdawson1gmckennagnicolljaneconthomso5paulcrupaulinespmannpshoniwarharris7ronmclv1knels2/home/samba/afinnan/home/samba/afsmith/home/samba/astewar4/home/samba/charper/home/samba/dfoggo/home/samba/etorranc/home/samba/gboag/home/samba/gdawson1/home/samba/gmckenna/home/samba/gnicoll/home/samba/janeco/home/samba/nthomso5/home/samba/paulcru/home/samba/paulines/home/samba/pmann/home/samba/pshoniwa/home/samba/rharris7/home/samba/ronmcl/home/samba/v1knels2Samba users accounts for members of Estates (and IS Applications for support) to access the ‘WebCProject’ share.GroupMembersDescriptionmisafmStandard IS Apps groupestwebcent, sqstage, samba usersEstates groupestsmbsamba usersGroup for Estates Samba accountsApplication DirectoryOwnerDescription/u01/app/webcentwebcentLocation for Web Central components/u01/app/sqstagesqstageLocation for SQStage java appOracleInstanceUsernameRolesDescriptionEBIS*afmAFM_ROLE, APPLICATIONMain table owner. Also used for JDBC connections from web server.EBIS*afm_secureAFM_ROLEMinor table owner, used for application security. Also used for JDBC connections from web server.GEN*sqstageAPPLICATIONSQStage requisition staging area objectsGEN*sqstagereqsqstage_reqdatabase user used by SQStage java appGEN*sqstagebrowsersqstage_browserread only access to the sqstage schemaInstanceOPS$ usernameRolesDescriptionEBIS*OPS$afmAFM_ROLEDatabase user for cron scripts run by afm.InstanceDatabase roleDescriptionEBIS*AFM_ROLEMain application role giving privileges to AFM tables.GEN*SQSTAGE_REQrole for sqstagereq userGEN*SQSTAGE_BROWSER role for sqstagebrowser userInstanceSchemaTablespaceEBIS*AFMAFM_P1AFM_SCGEN*sqstageSQSTAGE_DATASQSTAGE_INDEXData sourcesJavaConnection nameWeb CentralSQSTAGEUsernameJDBCJDBCDatabaseEBIS*GEN*Additional settingsN/AN/AFirewall configurationCentral firewallSourceDestinationPortProtocolEdLanappsutilkb1d.isappsutilat1d.is443HTTPSAnyappsutilkb1t.isappsutilat1t.is443HTTPSAnyappsutilkb1.isappsutilat1.is443HTTPSEdLanappsutilkb1d.isappsutilat1d.is445CIFSEdLanappsutilkb1t.isappsutilat1t.is445CIFSEdLanappsutilkb1.isappsutilat1.is445CIFSnet-oradb-clientsnet-oradb-servers1500-1900tcpScheduled tasksUnix cron jobsServerAccountScript nameScheduleDescriptionappsutilkb1d.iswebcentApplication code rsyncDaily, 20:18Cron to copy application code from appsutilkb1d to appsutilat1dappsutilkb1t.iswebcentApplication code rsyncDaily, 20:24Cron to copy application code from appsutilkb1t to appsutilat1tappsutilkb1.iswebcentApplication code rsyncDaily, 20:28Cron to copy application code from appsutilkb1 to appsutilat1Oracle DBMS_SCHEDULER jobsDatabaseAccountprocedure nameScheduleDescriptionGEN*sqstagenew_record_check (##to be confirmed)DEV – n/aTEST – 1130LIVE – 0900(Mon-Fri)Inserts new requisitions into AFM table.Software licencesSoftwareSupplierRequirementsExpiresWeb Central 21.2Mass PLC on behalf of ARCHIBUS, Inc.YesUnknownService operationSupport contactsVendorContact detailsRequired informationMartin Matt at Mass PLCTel: 01189 778560Mobile: 07956 298920martin.matt@mass-NonesciQuest###to be addedStartup and shutdown stepsShut downLog in to the appropriate database server as the oracle user.Set the environment by running ora<database_name> (e.g. oraebislive). This will set your $ORACLE_HOME and $ORACLE_SID, among other things.$ sqlplus /nolog> conn / as sysdba> shutdown immediate Then stop the applications. Log in to the appropriate application server as the webcent user.$ cd $TOMCAT_HOME$ bin/shutdown.shUsing CATALINA_BASE: /u01/app/webcent/apache-tomcat-5.5.31Using CATALINA_HOME: /u01/app/webcent/apache-tomcat-5.5.31Using CATALINA_TMPDIR: /u01/app/webcent/apache-tomcat-5.5.31/tempUsing JRE_HOME: /u01/java/jdk1.6.0_24Using CLASSPATH: /u01/app/webcent/apache-tomcat-5.5.31/bin/bootstrap.jarThe following will confirm that the Tomcat process for this user has finished (but give it time!) If the process doesn’t eventually disappear, kill it.$ ps -fu webcent UID PID PPID C STIME TTY TIME CMD webcent 13854 3358 0 15:29:14 pts/16 0:00 ps -fu webcent webcent 26356 26336 0 Sep 06 ? 0:00 /usr/lib/ssh/sshd webcent 3356 3281 0 13:56:08 ? 0:00 /usr/lib/ssh/sshd webcent 26358 26356 0 Sep 06 pts/17 0:00 -bash webcent 3358 3356 0 13:56:08 pts/16 0:00 –bashThen:$ rm -R webapps/archibus/schemaCompiled/$ rm -R work/Catalina/localhost/archibus/org/apache/jsp/SQStage java app shutdownLog in to the appropriate application server as the sqstage user.$ cd $TOMCAT_HOME$ bin/shutdown.sh###add text as above once builtThe following will confirm that the Tomcat process for this user has finished (but give it time!) If the process doesn’t eventually disappear, kill it.$ ps -fu sqstage###add text as above once builtStart upLog in to the appropriate primary database server as the oracle user.Set the environment by running ora<database_name> (e.g. oraebislive). This will set your $ORACLE_HOME and $ORACLE_SID, among other things:$ sqlplus /nolog> conn / as sysdbaYou can check that the database is open by running the following SQL:> SELECT * FROM GLOBAL_NAME; If this returns the database name, then the database is open (i.e. up and available for users).Then start the application. Log in to the appropriate application server as the webcent user.$ cd $TOMCAT_HOME The following checks if there is a tomcat process currently running for this user. If there is (e.g. the java process shown in the example), shut it down first.$ ps -fu webcent UID PID PPID C STIME TTY TIME CMD webcent 27519 3358 0 08:54:51 pts/16 0:00 ps -fu webcent webcent 26283 494 0 08:43:18 pts/16 1:46 /u01/java/jdk1.6.0_24/bin/java -Djava.util.logging.config.file=/u01/app/webcent webcent 3356 3281 0 Sep 09 ? 0:00 /usr/lib/ssh/sshd webcent 3358 3356 0 Sep 09 pts/16 0:00 -bash Then start tomcat:$ bin/startup.shUsing CATALINA_BASE: /u01/app/webcent/apache-tomcat-5.5.31Using CATALINA_HOME: /u01/app/webcent/apache-tomcat-5.5.31Using CATALINA_TMPDIR: /u01/app/webcent/apache-tomcat-5.5.31/tempUsing JRE_HOME: /u01/java/jdk1.6.0_24Using CLASSPATH: /u01/app/webcent/apache-tomcat-5.5.31/bin/bootstrap.jarYou can then check the log file:$ tail -f logs/catalina.outWhen you get something like the following it means that Tomcat has started successfully.Sep 12, 2013 8:44:19 AM org.apache.catalina.startup.Catalina startINFO: Server startup in 59886 msNote that this only tells you that Tomcat is running. You should also check the database to ensure that the process has connected successfully (this is important after a database restart, when Tomcat can still be running on the application server but not connected to the database).Log in to the appropriate database server as the oracle user.Set the environment by running ora<database_name> (e.g. oraebislive). This will set your $ORACLE_HOME and $ORACLE_SID, among other things.$ sqlplus /nolog> conn / as sysdba> select * from v$session where machine like ‘%<server_name>%’;For example:> select * from v$session where machine like '%appsutilkb1%';There should be 3 sessions from the active application server.If you’re on TEST or LIVE, repeat the startup procedure for each of the application servers. #remove###out of date as we are currently running Active-Passive mode.SQStage java app startupLog in to the appropriate application server as the sqstage user.$ cd $TOMCAT_HOME The following checks if there is a tomcat process currently running for this user. If there is (e.g. the java process shown in the example), shut it down first.$ ps -fu sqstage###add text as above once built Then start tomcat:$ bin/startup.sh###add text as above once builtYou can then check the log file:$ tail -f logs/catalina.outWhen you get something like the following it means that Tomcat has started successfully.Sep 12, 2013 8:44:19 AM org.apache.catalina.startup.Catalina startINFO: Server startup in 59886 msLog files$TOMCAT_HOME/webapps/archibus/WEB-INF/config/archibus.log$TOMCAT_HOME/webapps/sqstage/WEB-INF/config/sqstage.logAlso standard Apache/Tomcat log files.Configuration filesArchibus core configuration files$TOMCAT_HOME/webapps/archibus/WEB-INF/config/afm-projects.xml$TOMCAT_HOME/webapps/archibus/WEB-INF/config/context/security/preauth/projectid-source/property/projectid-source.properties$TOMCAT_HOME/webapps/archibus/WEB-INF/config/context/compatibility/afm-config.xmlAlso standard Apache/Tomcat configuration files.These environments are setup for the Archibus client by the following project files:I:\Archibus\afm_project\dev\EBISDEV.apjI:\Archibus\afm_project\test\EBISTEST.apjI:\Archibus\afm_project\live\EBISLIVE.apj SQStage config files### add after DEV build completePatchingPatches and upgrades are supplied by MASS as mon proceduresCloningThere is a regular requirement to clone the EBISLIVE database to create EBISTEST and EBISDEV. In the instructions below, EBISLIVE is the Source database, while EBISTEST and EBISDEV are the Targets.##Does SQSTage need to match EBIS – ie. does it need to be cloned at same time?Export TargetBefore cloning, do a full database export from the Target. This is to preserve a number of tables which need to be reimported after cloning. Clone the latest parameter file /home/dba/oracle/scripts/CLONE/expdp_EBISTEST.FULL.<YYYYMMDD>.par on oratestat2, change the dates on the export and dump files, then carry out the export using this parameter file.Export SourceDo a full database export from the source (although you only really need AFM, as far as I know). Clone the latest parameter file /home/dba/oracle/scripts/CLONE/expdp_EBISLIVE.FULL.<YYYYMMDD>.par on oraat2, change the dates on the export and dump files, then carry out the export using this parameter file.Drop and recreate AFMDrop the schema AFM from the target, but do not drop AFM_SECURE. Recreate the AFM schema before you import the tables, so that all its privileges (including from AFM_SECURE) are present for the import. If you don’t do this, a number of constraints will not be created.Import SourceImport the schema AFM from the source dumpfile created above. Use the parameter file /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.<YYYYMMDD>.parNote that there are a number of invalid packages in the AFM schema in LIVE, so the corresponding errors can be ignored on import.There were also (sometimes, but not always!) some errors relating to index statistics. See 755253.1 for details and a solution, which uses the parameter files /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.<YYYYMMDD>.exclude.par and /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.<YYYYMMDD>.include.parFix database linksAFM owns a number of database links which will still be pointing to LIVE environments. Recreate them to point to the equivalent environment (TEST or DEV).Reimport TargetAfter cloning, drop the tables AFM.WEB_SECURITY and AFM.WEB_SECURITY2USERS from the target and recreate them by importing from the old Target dumpfile. You can use /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.TABLES1.<YYYYMMDD>.parAlso, leave the tables AFM.AFM_ROLES and AFM.AFM_ROLEPROCS in place, but reimport the data from the old Target dumpfile (use TABLE_EXISTS_ACTION=APPEND in the parameter file). You need both the new data from the Source, and the original data from the Target. Use parameter file /home/dba/oracle/scripts/CLONE/impdp_EBISTEST.AFM.TABLES2.<YYYYMMDD>.parRestart ApplicationBecause you dropped the AFM user, you will have lost all application connections to the database. Restart the application using the instructions in this document.AlternativeGiven the various problems above, it might be easier to hot clone the whole database using the instructions here. Giving access to Samba sharesUnixThe user must be created by the Unix team on the relevant server; the following is an example from appsutilkb1d:paulines:x:10829:12657:Functional:/home/samba/paulines:/bin/trueThe user should also be in the estsmb group; here is an example from appsutilkb1d:estsmb:x:8323:finnan,afsmith,astewar4,charper,dfoggo,etorranc,gboag,gdawson1,gmckenna,gnicoll,janeco,paulcru,paulines,pmann,pshoniwa,rharris7,ronmcl,v1knels2,nthomso5You can request the account via Direct, but this will require a follow up call to get the shell changed to /bin/false.SambaThe user also needs to be set up in Samba; this is also a step for the Unix team, as it must be run as root. We can’t query this information from Samba either, though the Unix team can do this using “pdbedit –L”.5.2.3 Connecting to Samba share - Added 08/06/15 AFFor users to connect to samba, you must map a network drive to either:Dev = \\appsutilkb1d.is.ed.ac.uk\WebCProject Test = \\appsutilkb1t.is.ed.ac.uk\WebCProjectLive = \\appsutilkb1.is.ed.ac.uk\WebCProjectEnter username/password NB. Use a backslash before the username with managed Windows7 pc’s to clear the domain (“\uun”)Switch on/off debuggingIn non-LIVE environments, we regularly have to switch on debugging.Log on to the application server as webcent and shutdown the application, using the instructions above.[webcent@appsutilkb1t config]$ cd /u01/app/webcent/apache-tomcat/webapps/archibus/WEB-INF/config[webcent@appsutilkb1t config]$ vi core.properties Set app.debug=true to switch debugging on, or app.debug=false to switch debugging off.Restart the application, using the instructions above.Switch on/off EASE authenticationIn non-LIVE environments, we regularly have to switch off EASE authentication for debugging purposes.Log on to the application server as webcent and shutdown the application, using the instructions above.[webcent@appsutilkb1t config]$ cd /u01/app/webcent/apache-tomcat/webapps/archibus/WEB-INF/config[webcent@appsutilkb1t config]$ vi security.properties Set the following lines to switch EASE authentication OFF:security.configurationFile=context/security/security-afm-users.xml security.logoutView=login.axvwsecurity.timeoutView=login.axvwSet the following lines to switch EASE authentication ON:security.configurationFile=context/security/security-preauth-remote-user-request-header.xmlsecurity.logoutView=schema/ab-core/views/process-navigator/logout-preauth.htmsecurity.timeoutView=schema/ab-core/views/process-navigator/logout-preauth.htmRestart the application, using the instructions above.Disaster recovery planIn the event of a Primary site loss, the database should be failed over to the other servers. The Tomcat services – webcent and sqstage - can be started on the AT application server and the service switched in the Brimham load balancer view. The user’s desktop mounting of the WebCProject Samba share can be modified to use the AT server.Note that on service restoration, the rsync cron job will attempt to synchronise the AT contents from the KB server (so potentially deleting uploaded items in the Samba share). To avoid this, disable the SSH keys on the AT server before the KB server is brought back up.OLD Project PlansEST082 Migration of Estates Application ServersStakeholdersRoleUnitNameTechnical Architect Development TechnologyRiky HarrisPeer ReviewerDevelopment TechnologyProject ManagerProject ServicesMark LangProduction RepresentativeProduction ManagementRon McLeodITI RepresentativeIT InfrastructureKey deliverablesDeliverableBusiness benefitThe Web Central system MUST be migrated to use the new Applications hosting serversUse of supported, more performant infrastructureTechnical commitmentsCommitmentY/NJustification (if not)Will the project conduct a load test?N##EST083 - order load not sufficient to justify this #to be agreedWill the project conduct a DR test?N## EST083 - not required with existing technology #to be agreedHas a service restart been tested?Y## EST083 -will be done during projectSummary of technical changesAs part of EST082, Web Central is moved from deprecated infrastructure to the new Applications hosting servers. The database tier remains unchanged.Estimated costsItemDevelopmentTestLivee.g. hardware???e.g. disk on SAN???e.g. backup???e.g. licences???e.g. maintenance???e.g. support???Subtotals???Total? 0There are no new costs associated with the migration of this service to existing, shared infrastructure. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download