In the Xconf RDK community instance, the data service and the Admin UI run as standalone Jetty services, and both are deployed in the same VM. This document explains the steps that were followed to achieve that.
Key Points
- In this tutorial, the Cassandra DB and the two Xconf applications are deployed on the same server.
- The Xconf applications, the data service and the Admin UI, are deployed in two separate Jetty instances, so each application runs as a separate process.
- In the usual case the applications are deployed on separate nodes. Even though this document is based on our experience of setting up both services on a single server, it can also be referred to for how an application can be deployed in Jetty as a system service and how SSL can be enabled in a Jetty server with CA-provided certificates.
Prerequisites
- Required: Xconf data service and Xconf Admin UI war files
- Environment: Ubuntu 18.04
- OpenSSL (OpenSSL has to be installed and added to PATH)
- Jetty 9.4.37
- Install Java
- Setup Cassandra DB
Deploy Xconf-data-service war
- Create the folder ‘jetty’ and install Jetty in it by downloading the Jetty 9.4.37 distribution with ‘wget’. In this case the JETTY_HOME directory is /opt/jetty.
...
- If starting Jetty as a service is not successful, run this command:
update-rc.d <service> defaults (update-rc.d jetty defaults)
Deploy Xconf Admin Service
- Create the folder ‘jetty2’ and install Jetty in it:
cd /opt
mkdir jetty2
cd jetty2
wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/jetty-distribution-9.4.37.v20210219.tar.gz   # or copy the tarball from /opt/jetty
gzip -d jetty-distribution-9.4.37.v20210219.tar.gz
tar -xf jetty-distribution-9.4.37.v20210219.tar --strip-components=1
(Or copy the jetty tar ball file from data service setup)
- Copy the war file to the webapps folder and rename it to admin.war:
mv xconfAdminService2.war admin.war
- Copy the service.properties file to the Jetty home folder (/opt/jetty2).
- Edit start.ini to contain the following (this enables both HTTP and HTTPS):
--module=https
jetty.http.port=9093
etc/jetty-ssl.xml
-DappConfig=service.properties
- Follow the steps in the section 'Https using CA certificate in jetty' to enable SSL for this Jetty instance.
- Copy jetty.sh to init.d:
cp bin/jetty.sh /etc/init.d/jetty2
Create the file /etc/default/jetty2 with the following content:
vim /etc/default/jetty2
JETTY_HOME=/opt/jetty2
Before starting Jetty as a service, we can verify that the application runs by changing to /opt/jetty2 and running the command java -jar start.jar -DappConfig=service.properties
- To run jetty as service
sudo service jetty2 start
- To check the status
sudo service jetty2 status
- If starting Jetty as a service is not successful, run this command:
update-rc.d <service> defaults (update-rc.d jetty2 defaults)
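A pre-flight check for the two-instance layout described above, as an added example that is not part of the original page: it parses constructed start.ini and /etc/default/<service> contents (sample values; only port 9093 and service.properties come from the page) and flags a missing https module, a missing -DappConfig, an HTTP port shared by both instances, and a missing JETTY_USER, which leaves jetty.sh running the server as root.

```python
from typing import Dict, List
# Constructed start.ini and /etc/default/<service> contents for the two instances
# described above (sample values; only 9093 and service.properties come from the page)
START_INI = {
    "/opt/jetty":  "--module=https\njetty.http.port=9091\netc/jetty-ssl.xml\n-DappConfig=service.properties\n",
    "/opt/jetty2": "--module=https\njetty.http.port=9093\netc/jetty-ssl.xml\n-DappConfig=service.properties\n",
}
DEFAULTS = {  # keyed by JETTY_HOME; the files are /etc/default/jetty and /etc/default/jetty2
    "/opt/jetty":  "JETTY_HOME=/opt/jetty\nJETTY_USER=jetty\n",
    "/opt/jetty2": "JETTY_HOME=/opt/jetty2\n",
}

def parse_start_ini(text: str) -> dict:
    """Split start.ini lines into enabled modules, property settings and JVM -D args."""
    cfg: dict = {"modules": [], "props": {}, "jvm": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--module="):
            cfg["modules"] += line[len("--module="):].split(",")
        elif line.startswith("-D") and "=" in line:
            key, val = line[2:].split("=", 1)
            cfg["jvm"][key] = val
        elif "=" in line:                     # e.g. jetty.http.port=9093
            key, val = line.split("=", 1)
            cfg["props"][key] = val
    return cfg

def check_instances(inis: Dict[str, str], defaults: Dict[str, str]) -> List[str]:
    """Problems worth fixing before 'service <name> start'; an empty list means all clear."""
    problems, http_ports = [], {}
    for home, text in inis.items():
        cfg = parse_start_ini(text)
        if "https" not in cfg["modules"]:
            problems.append(f"{home}: --module=https is missing, no TLS listener")
        if "appConfig" not in cfg["jvm"]:
            problems.append(f"{home}: -DappConfig=service.properties is missing")
        port = cfg["props"].get("jetty.http.port")
        if port in http_ports:                # both instances share one VM, ports must differ
            problems.append(f"{home}: jetty.http.port={port} already used by {http_ports[port]}")
        elif port:
            http_ports[port] = home
        env = dict(l.split("=", 1) for l in defaults.get(home, "").splitlines() if "=" in l)
        if env.get("JETTY_HOME") != home:
            problems.append(f"{home}: JETTY_HOME in /etc/default/<service> does not match")
        if "JETTY_USER" not in env:           # jetty.sh then runs the server as its caller, i.e. root
            problems.append(f"{home}: JETTY_USER is unset, server would run as root")
    return problems
```

Point START_INI and DEFAULTS at the real files of both instances to run the same checks on a live host.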
Https using CA certificate in jetty
After obtaining the certificate file from the CA, follow the steps below for the configuration:
We need to convert the .crt file obtained from the CA to PKCS12 format. This can be done with the following steps:
...
After the above commands, a .pfx (PKCS12) file will be generated.
2. Importing the PKCS12 file into your Jetty keystore
We need to import the PKCS12 file into the keystore of Jetty.
...
Now we have created a new keystore and imported our PKCS12 file.
3. Enabling SSL and HTTPS for Jetty
Jetty 9 has a modular architecture, which means that you can enable different modules through the configuration files.
...
- Navigate to the JETTY_HOME/lib folder.
- Run the following Java command (the jar version depends on your Jetty version):
java -cp jetty-util-9.4.37.v20210219.jar org.eclipse.jetty.util.security.Password <your password>
- Copy the generated password, which is the line starting with OBF, to your clipboard (a sample output is OBF:1wty1th11wgg1saj11v2h1sov1v1x1t371sar1wfi1thl1wug).
4. XML files configuration
Jetty modules are configured through the XML files under the JETTY_HOME/etc folder. By enabling these modules, we are activating the jetty-ssl.xml and jetty-https.xml files. The following changes need to be made in the files below:
1. jetty-ssl-context.xml
The obfuscated password generated in step 3 and the path of the keystore created in JETTY_HOME/etc are entered in jetty-ssl-context.xml:
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="Provider"><Property name="jetty.sslContext.provider"/></Set>
  <Set name="KeyStorePath">
    <Property name="jetty.sslContext.keyStoreAbsolutePath">
      <Default>
        <Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/keystore"/>
      </Default>
    </Property>
  </Set>
  <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="secret"/></Set>
  <!-- a later Set of the same name overrides the property-based value above -->
  <Set name="KeyStorePassword">OBF:1wty1th11wgg1saj1t2z1v2h1sov1v1x1t371sar1wfi1thl1wug</Set>
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="secret"/></Set>
  <Set name="KeyManagerPassword">OBF:1wty1th11wgg1saj1t2z1v2h1sov1v1x1t371sar1wfi1thl1wug</Set>
  <Set name="TrustStorePath">
    <Property name="jetty.sslContext.trustStoreAbsolutePath">
      <Default>
        <Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/keystore"/>
      </Default>
    </Property>
  </Set>
  <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password" default="secret"/></Set>
  <Set name="TrustStorePassword">OBF:1wty1th11wgg1saj1t2z1v2h1sov1v1x1t371sar1wfi1thl1wug</Set>
  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>
  <!-- the remaining settings of the stock file are unchanged -->
</Configure>
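Jetty's OBF: encoding from step 3 is reversible obfuscation, not encryption, so the values placed in jetty-ssl-context.xml in step 4 are only as safe as the file's read permissions. The following Python script is an added example, not part of this page or of Jetty: it ports the Password tool's OBF algorithm, round-trips it, and scans a constructed jetty-ssl-context.xml excerpt (with constructed passwords, not the page's values) to show which secrets anyone who can read the file recovers.

```python
import re
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
_OBF_SET = re.compile(r'<Set name="(\w+)">\s*(OBF:[0-9a-zU]+)\s*</Set>')

def _b36(n: int) -> str:
    """Lower-case base-36 digits, like Java's Integer.toString(n, 36)."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
    return out or "0"

def obfuscate(password: str) -> str:
    """Same encoding as org.eclipse.jetty.util.security.Password from step 3."""
    b = password.encode("utf-8")
    out = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]                 # each byte is mixed with its mirror byte
        if b1 >= 0x80 or b2 >= 0x80:           # non-ASCII pair: 'U' plus both raw bytes
            x = _b36(b1 * 256 + b2)
            out.append("U" + "0000"[:4 - len(x)] + x)
        else:                                  # ASCII pair: sum and difference, 4 chars
            x = _b36((127 + b1 + b2) * 256 + (127 + b1 - b2))
            out.append("000"[:4 - len(x)] + x)
    return "".join(out)

def deobfuscate(obf: str) -> str:
    """Inverse of obfuscate(): OBF: hides nothing from whoever can read the file."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # recovers b1 from the sum and difference
            i += 4
    return out.decode("utf-8")

def recoverable_secrets(xml_text: str) -> dict:
    """Every <Set name="...">OBF:...</Set> in a jetty-ssl-context.xml, decoded."""
    return {name: deobfuscate(obf) for name, obf in _OBF_SET.findall(xml_text)}

# Constructed excerpt in the shape of the step 4 file, with constructed passwords
SAMPLE_XML = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="KeyStorePassword">{ks}</Set>
  <Set name="KeyManagerPassword">{km}</Set>
</Configure>""".format(ks=obfuscate("ks-example-2021"), km=obfuscate("km-example-2021"))
```

Because of this, JETTY_HOME/etc/keystore and jetty-ssl-context.xml should be readable only by the account Jetty runs as.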
2. jetty-ssl.xml
The port number for the HTTPS connection needs to be updated in this file. The following example uses port 9092 for the Xconf data service; for the admin service we have set it to 9093.
...