Prerequisites: The person following these steps should have good knowledge of Linux shell scripting and must log in with sudo privileges.
Hardware Requirements:
CPU
CPU requirements depend on the number of concurrent active users and the expected workload. Your exact needs may vary with factors such as (but not limited to) how active your users are and the amount of automation and API access. The recommended CPU configuration is:
1. 2 cores is the minimum recommended, which supports up to 100 active users.
2. 4 cores to support up to 300 active users.
Memory
As with CPU, memory requirements depend on the workload, which is driven by factors such as the number of concurrent active users, the number of resources being scheduled, automation, filtering of large datasets, and reporting.
1. 4 GB is the minimum recommended, which is good for up to 200 resources.
2. 8 GB to support up to 500 resources.
3. 16 GB to support up to 1000 resources.
Storage
Storage requirement depends on the number of resources being scheduled, frequency of data backup, retention of old backups and other factors.
Assuming the machine is dedicated to eResource Scheduler, the minimum required storage is 20 GB. However, we recommend 40 GB to support backups and other utilities you might need to configure on the machine running eResource Scheduler.
1. Get the root privileges to install the required packages
sudo su
cd
2. Install Java 11
Check whether it is already installed
java -version
Install if the above command does not show 'jdk version 11'.
yum -y install java-11-openjdk
java -version
3. Install wget utility if not already installed.
Check if wget is already installed
wget --version
If the above command does not show you the version of wget command on your system, you need to install it, using the below command.
yum install -y wget
4. Install PostgreSQL 11
Check whether it is already installed
psql --version
Install if the above command does not show PostgreSQL 11.x.
Install the repository RPM:
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Install PostgreSQL server and required libraries:
yum install -y postgresql11-server postgresql11-contrib
Initialise database:
/usr/pgsql-11/bin/postgresql-11-setup initdb
Enable PostgreSQL service:
systemctl enable postgresql-11
Start PostgreSQL service:
systemctl start postgresql-11
Check PostgreSQL service status:
systemctl status postgresql-11
5. Create ers user & group.
groupadd -r ers
useradd -r -g ers -d /opt/ers -s /sbin/nologin ers
6. Download and extract ers packages.
#Set environment variable
ERS_VERSION=4.5.1
wget https://storage.googleapis.com/app-file-store/self-hosted/files/version/ers-self-hosted-$ERS_VERSION.zip -P /tmp
unzip /tmp/ers-self-hosted-$ERS_VERSION.zip -d /opt/ers/
chown -RH ers: /opt/ers
7. Create and set up the database.
Edit pg_hba.conf file to allow password authentication
vi /var/lib/pgsql/11/data/pg_hba.conf
Change Method from ident to md5 as shown below
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
Restart PostgreSQL Service
systemctl restart postgresql-11
Execute the installation script and follow the instructions to set up the eRS database
/opt/ers/install.sh
The above command generates database schema and creates a root user to log in. Default LoginId is root and Password is eYu?169tUO?a. Kindly change this password after the first login.
8. Configure eRS
Edit eRS configuration file
vi /opt/ers/standalone/configuration/ers-config.xml
Find datasource directive and configure database properties. Verify connection-url and set the ers user password that you created earlier.
....
<datasource jta="false" jndi-name="java:/postgresql/ers" pool-name="PostgresDS" enabled="true" use-ccm="false" statistics-enabled="true">
    <connection-url>jdbc:postgresql://localhost:5432/ers</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>
    <driver>postgresql</driver>
    <pool>
        <max-pool-size>10</max-pool-size>
    </pool>
    <security>
        <user-name>ers</user-name>
        <password>ers_user_password</password>
    </security>
    <validation>
....
Find mail-session directive and configure 'from' address and SMTP authentication.
....
<mail-session name="default" jndi-name="java:jboss/mail/default" from="mailfrom@domain.com">
    <smtp-server outbound-socket-binding-ref="mail-smtp" ssl="true" username="smtp_user_name" password="password"/>
</mail-session>
....
Find outbound-socket-binding directive with name mail-smtp and configure smtp host and port
....
<outbound-socket-binding name="mail-smtp">
    <remote-destination host="smtp-host" port="port-no"/>
</outbound-socket-binding>
....
Find the host directive and replace localhost with the desired host to reach this server.
....
<host name="default-host" alias="localhost">
....
Similarly, set the host in the server_location property
....
<property name="server_location" value="http://localhost:${jboss.http.port:8080}"/>
....
9. Install eRS Systemd service.
mkdir -p /etc/ers
cp /opt/ers/docs/contrib/scripts/systemd/ers.conf /etc/ers/
cp /opt/ers/docs/contrib/scripts/systemd/launch.sh /opt/ers/bin/
sh -c 'chmod +x /opt/ers/bin/*.sh'
cp /opt/ers/docs/contrib/scripts/systemd/ers.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable ers.service
systemctl start ers
systemctl status ers
If all the steps have been completed successfully, you should be able to see an output that is similar to the one shown below.
ers.service - The eRS Sever (Powered by Wildfly Application Server)
Loaded: loaded (/etc/systemd/system/ers.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2021-07-10 16:26:41 UTC; 8s ago
Main PID: 3046 (launch.sh)
Tasks: 86 (limit: 11387)
Memory: 529.8M
CGroup: /system.slice/ers.service
├─3046 /bin/bash /opt/ers/bin/launch.sh standalone ers-config.xml 0.0.0.0
├─3047 /bin/sh /opt/ers/bin/standalone.sh -c ers-config.xml -b 0.0.0.0
10. Listen on standard HTTP ports (80 and 443)
For security reasons, ports lower than 1024 can only be opened by the root user. If you use front-running load balancers or front-end servers, the recommended way to listen on standard HTTP ports is to configure port mapping on the front-running load balancer or the front-end server.
In case the server is directly accessible over the internet, we can redirect standard ports to ers listening ports as shown below.
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8443
firewall-cmd --runtime-to-permanent
11. Configure TLS/SSL
Option 1:
Get your valid CA-signed SSL certificate and configure it as below.
cd /opt/ers/standalone/configuration/
openssl pkcs12 -export -in your_ssl_certificate_file_location -inkey certificate_private_key_file -out ers.keystore
keytool -import -alias IntermediateCA -trustcacerts -file your_intermediateCA_certificate_file -keystore ers.keystore
vi /opt/ers/standalone/configuration/ers-config.xml
Find keystore directive under the security realm named ApplicationRealm and configure it as below.
....
<keystore path="ers.keystore" relative-to="jboss.server.config.dir" keystore-password="your_keystore_password"/>
....
Option 2:
If you do not have a CA-signed SSL certificate, you can create a self-signed certificate for the desired host. Clients have to manually trust this type of certificate.
vi /opt/ers/standalone/configuration/ers-config.xml
Find keystore directive under the security realm named ApplicationRealm and configure the hostname you set earlier.
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
If it exists, delete the existing keystore to force generation of a certificate for the host you have set.
rm /opt/ers/standalone/configuration/application.keystore
Finally, restart ers service to load the configuration changes.
systemctl restart ers
12. Configure secure context (optional)
Edit eRS configuration file and configure security settings.
vi /opt/ers/standalone/configuration/ers-config.xml
Change server location property value to generate secure links by default. Use the same host that you have configured to reach this server.
....
<property name="server_location" value="https://server_host"/>
....
Change the secure cookies property value to true
....
<property name="secure_cookies" value="true"/>
....
Redirect HTTP requests to HTTPS.
Find http-to-https rewrite rule and replace localhost with the host you configured earlier.
<rewrite name="http-to-https" target="https://localhost%U" redirect="true"/>
Uncomment below to enable HTTP to HTTPS redirect
....
<filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
....
Uncomment below to enable 'Strict Transport Security'
....
<filter-ref name="transport-security"/>
....
Uncomment below to enable 'X-XSS-Protection'
....
<filter-ref name="xXssProtection"/>
....
Uncomment below to block 'Content Sniffing'
....
<filter-ref name="xContentTypeOptions"/>
....
Restart ers service to load the configuration changes.
systemctl restart ers
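The settings from steps 11 and 12 are easy to leave half-applied, for example a filter-ref that is still inside an XML comment. The script below is an added example, not part of the eRS distribution: it assumes the attribute order and spacing shown in this guide, and the sample fragment and its layout are constructed.

```shell
# Print FILE with XML comments removed, so commented-out directives do not count.
strip_comments() {
  awk '{
    line = $0; out = ""
    while (line != "") {
      i = index(line, inc ? "-->" : "<!--")
      if (i == 0) { if (!inc) out = out line; line = ""; continue }
      if (!inc) out = out substr(line, 1, i - 1)
      line = substr(line, i + (inc ? 3 : 4)); inc = !inc
    }
    print out
  }' "$1"
}

# Print one FAIL line per finding; return 0 only when nothing is found.
audit_ers_config() {
  active=$(strip_comments "$1"); rc=0
  while IFS='|' read -r desc needle; do   # needle must appear in the active config
    printf '%s\n' "$active" | grep -Fq -- "$needle" && continue
    echo "FAIL: $desc"; rc=1
  done <<'EOF'
server_location is not https|name="server_location" value="https://
secure_cookies is not true|name="secure_cookies" value="true"
HTTP to HTTPS redirect is off|<filter-ref name="http-to-https"
Strict Transport Security is off|<filter-ref name="transport-security"
X-XSS-Protection is off|<filter-ref name="xXssProtection"
content sniffing is not blocked|<filter-ref name="xContentTypeOptions"
EOF
  if printf '%s\n' "$active" | grep -Eq '(keystore|key)-password="password"'; then
    echo "FAIL: keystore still uses the sample password"; rc=1
  fi
  return "$rc"
}

# Constructed sample (assumed layout): the fragment before steps 11 and 12.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<property name="server_location" value="http://localhost:${jboss.http.port:8080}"/>
<property name="secure_cookies" value="false"/>
<!-- <filter-ref name="http-to-https" predicate="equals(%p,8080)"/> -->
<!--
<filter-ref name="transport-security"/>
-->
<filter-ref name="xContentTypeOptions"/>
<keystore path="application.keystore" keystore-password="password" key-password="password"/>
EOF
audit_ers_config "$sample" || echo "config needs hardening"
```

On a real server, run audit_ers_config against /opt/ers/standalone/configuration/ers-config.xml before restarting the service.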
13. Accessing the application
To access the application from a client machine, open any modern web browser (Chrome is recommended) and visit the URL http://your_host. Upon accessing the URL, you should see a login page. Log in as the root user with the following credentials:
Login ID: root
Password: eYu?169tUO?a
After logging in, you will see the licensing screen, which has options to request and apply for the license.