ISSUE:
In a typical Access Manager deployment, customizations are made to the Java Server Pages (JSPs) that generate the user interface used for login, logout, and other activities. These customizations need to be copied to every node in the cluster. This can be a burdensome and error prone activity, especially if you have a large cluster. One way to lessen this burden and improve configuration management is to use the Linux utility rdist.
HOW TO STEPS:
The rdist utility is expressly designed for distributing files to multiple hosts. It has options to avoid overwriting newer files and to make backup copies of files that are being updated. A good introduction can be found at: http://www.benedikt-stockebrand.de/rdist-intro_en.html
As an example of how to use rdist I will use a customer environment consisting of a nonproduction IDP cluster of two nodes and a production IDP cluster of six nodes. Node 1 of the nonproduction cluster will be used as the master copy of all files. The steps I followed to set up rdist are described below. The first distribution file, Distfile in the /opt/novell/nam/rdist directory on nonproduction node 1, contains:
/opt/novell/nam/idp/webapps/nidp/images/custom -> 10.201.243.150
install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/images ;
/opt/novell/nam/idp/webapps/nidp/css -> 10.201.243.150
install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/css ;
/opt/novell/nam/idp/webapps/nidp/jsp -> 10.201.243.150
install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/jsp ;
Replace the IP address shown with the IP address or host name of your nonproduction IDP node 2. Now change to the /opt/novell/nam/rdist directory and execute the command:
rdist -v -P /usr/bin/ssh
The utility will look for the default distribution file (Distfile) in the current directory and will execute the command there to compare the contents of the images, css, and jsp directories of node 1 to those on node 2. Since we used the -v option, no updates will be made but it will notify you if any files need to be updated. The output is shown below:
msdavieds1301:/opt/novell/nam/rdist # rdist -v -P /usr/bin/ssh
10.201.243.150: updating host 10.201.243.150
10.201.243.150: /opt/novell/nam/idp/webapps/nidp/jsp/nyclogin2.jsp: need to update
10.201.243.150: updating of 10.201.243.150 finished
In this case the file nyclogin2.jsp is newer on node 1 than it is on node 2. The output shows that it needs to be updated. Since this output matches what I was expecting, I’ll now run the command without the -v option:
msdavieds1301:/opt/novell/nam/rdist # rdist -P /usr/bin/ssh
10.201.243.150: updating host 10.201.243.150
10.201.243.150: /opt/novell/nam/idp/webapps/nidp/jsp/nyclogin2.jsp: updating
10.201.243.150: updating of 10.201.243.150 finished
This output indicates that the file was updated. We had two options set on each action in the distribution file. The “younger” option instructs rdist to update the file only if the file on the source is newer than the one on the destination. If the file on node 2 had been newer, a warning would have been output and the file would not have been overwritten. The “savetargets” option results in a backup being created for each file that is updated. The backup in this case will be named nyclogin2.jsp.OLD. Note that only one backup file is kept, so if you update the file a second time you will lose the original content when a new .OLD file is created.
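The verify step above relies on comparing the rdist -v output against the files you know you changed. As an added example that is not part of the original article, the POSIX shell helper below automates that comparison: it extracts the paths rdist reports as out of date and prints any that are not on your expected list, returning a nonzero status so the real run can be gated on it. The rdist output it reads is constructed for illustration in the format shown above.

```shell
#!/bin/sh
# Added example (not from the original article). Parses "rdist -v" output
# and flags out-of-date files you did not intend to change.

# Read verify-mode rdist output on stdin and print one path per line for
# every file reported as "need to update".
pending_updates() {
    sed -n 's/^[^:]*: \(.*\): need to update$/\1/p'
}

# Read pending paths on stdin; $1 is a space-separated list of the files
# you expected to change. Prints each unexpected path and returns 1 if
# any were found, 0 otherwise.
unexpected_updates() {
    expected="$1"
    rc=0
    while IFS= read -r path; do
        found=0
        for e in $expected; do
            [ "$path" = "$e" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$path"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "rdist -v" output: nyclogin2.jsp was edited on
# purpose, login.jsp was not, so the second line should be flagged.
SAMPLE='10.201.243.150: updating host 10.201.243.150
10.201.243.150: /opt/novell/nam/idp/webapps/nidp/jsp/nyclogin2.jsp: need to update
10.201.243.150: /opt/novell/nam/idp/webapps/nidp/jsp/login.jsp: need to update
10.201.243.150: updating of 10.201.243.150 finished'

EXPECTED="/opt/novell/nam/idp/webapps/nidp/jsp/nyclogin2.jsp"

# Against a live node the gate would be:
#   rdist -v -P /usr/bin/ssh | pending_updates | unexpected_updates "$EXPECTED" \
#       && rdist -P /usr/bin/ssh
if printf '%s\n' "$SAMPLE" | pending_updates | unexpected_updates "$EXPECTED"; then
    echo "only expected files are out of date; safe to run rdist without -v"
else
    echo "unexpected files above are out of date; review before distributing" >&2
fi
```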
In the scenario described, I do all the editing and updates on nonproduction node 1 and then distribute the updates to nonproduction node 2. Once the changes are tested and ready to go to production, I use a similar process to move the files from nonproduction node 1 to production node 1. To do this, I created a distribution file called DistToProdMaster. The contents of this file are very similar to the first distribution file:
/opt/novell/nam/idp/webapps/nidp/images/custom -> prodidp1.company.com
install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/images ;
/opt/novell/nam/idp/webapps/nidp/css -> prodidp1.company.com
install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/css ;
/opt/novell/nam/idp/webapps/nidp/jsp -> prodidp1.company.com
install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/jsp ;
To test the distribution to the production master, I execute the command:
msdavieds1301:/opt/novell/nam/rdist # rdist -v -P /usr/bin/ssh -f DistToProdMaster
This will tell me what actions would be taken. Once I’m satisfied with what I see, I execute the command:
msdavieds1301:/opt/novell/nam/rdist # rdist -P /usr/bin/ssh -f DistToProdMaster
Notice that I’m not distributing from the nonproduction server to each production IDP directly. This is very intentional. First, because I like having the opportunity to verify the results on the first node before it is applied across production. Second, because I want to ensure that all the production nodes are perfectly consistent and I want to be able to verify that they are without involving the nonproduction system.
On production node 1 I'll now create a distribution file. Since this will be the default distribution action we will name it “Distfile”. The contents of the file will be:
/opt/novell/nam/idp/webapps/nidp/images/custom -> (prodidp2 prodidp3 prodidp4 prodidp5 prodidp6)
install /opt/novell/nam/idp/webapps/nidp/images/custom ;
/opt/novell/nam/idp/webapps/nidp/css -> (prodidp2 prodidp3 prodidp4 prodidp5 prodidp6)
install /opt/novell/nam/idp/webapps/nidp/css ;
/opt/novell/nam/idp/webapps/nidp/jsp -> (prodidp2 prodidp3 prodidp4 prodidp5 prodidp6)
install /opt/novell/nam/idp/webapps/nidp/jsp ;
Notice that I did not include the “younger” and “savetargets” options. This is because I want to ensure that the nodes are identical. There is already a backup on node 1, so creating another generation of .OLD backups on every node is something to avoid.
Now I execute the following command to distribute all the updated files to every production node.
prodmaster:/opt/novell/nam/rdist # rdist -P /usr/bin/ssh
This example can be extended to any additional files you need to manage across nodes.