Prerequisites: The person following these steps should have good knowledge of Linux shell scripting and must log in with sudo privileges.
Hardware Requirements:
CPU
Processor power or CPU requirements are dependent on the number of concurrent active users and expected workload. Your exact needs may vary depending upon the workload which could be influenced by multiple factors such as (but not limited to) how active your users are, the amount of automation and API access etc. Below is recommended CPU configuration:
1. 2 cores is the minimum recommended, which supports up to 100 active users.
2. 4 cores to support up to 300 active users.
Memory
Same as the CPU, memory also depends on the workload. The workload depends on a number of factors like concurrent active users, number of resources being scheduled, automation, filtering out of large datasets, reporting etc.
1. 4 GB is the minimum recommended, which is good for up to 200 resources.
2. 8 GB to support up to 500 resources.
3. 16 GB to support up to 1000 resources.
Storage
Storage requirement depends on the number of resources being scheduled, frequency of data backup, retention of old backups and other factors.
Considering the machine is dedicated to eResource Scheduler, the minimum required storage is 20 GB, however, we recommend using 40 GB to support backups and other utilities you might need to configure on the machine running eResource Scheduler.
1. Get the root privileges to install the required packages
sudo su
cd
2. Install Java 11
Check if it's not already installed
java -version
apt update
Install if the above command does not show 'jdk version 11'.
apt-get -y install openjdk-11-jre
java -version
3. Install wget utility if not already installed.
Check if wget is already installed
wget --version
If the above command does not show you the version of wget command on your system, you need to install it, using the below command.
apt-get -y install wget
4. Install PostgreSQL 11
Check if it's not already installed
psql --version
Install if the above command does not show PostgreSQL 11.x.
Create the file repository configuration:
sh -c 'echo "deb http://apt-archive.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
Import the repository signing key:
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
Install PostgreSQL server and required libraries:
apt-get -y install postgresql-11
Enable PostgreSQL service:
systemctl enable postgresql
Check PostgreSQL service status:
systemctl status postgresql
5. Create ers user & group.
groupadd -r ers useradd -r -g ers -d /opt/ers -s /sbin/nologin ers
6. Download and extract ers packages.
Install zip / unzip if not already installed
zip -h
If the above command says `command not found`, install using the below command.
apt-get install zip unzip
#Set environment variable
ERS_VERSION=4.11.0
wget https://storage.googleapis.com/app-file-store/self-hosted/files/version/ers-self-hosted-$ERS_VERSION.zip -P /tmp
unzip /tmp/ers-self-hosted-$ERS_VERSION.zip -d /opt/ers/
chown -RH ers: /opt/ers
7. Create and set up the database.
Execute the installation script and follow the instructions to set up the eRS database
/opt/ers/install.sh
The above command generates database schema and creates a root user to log in. Default LoginId is root and Password is eYu?169tUO?a. Kindly change this password after the first login.
8. Configure eRS
Edit eRS configuration file
vi /opt/ers/standalone/configuration/ers-config.xml
Find data source directive and configure database properties. Verify connection-url and set the ers user password that you created earlier.
.... <datasource jta="false" jndi-name="java:/postgresql/ers" pool-name="PostgresDS" enabled="true" use-ccm="false" statistics-enabled="true"> <connection-url>jdbc:postgresql://localhost:5432/ers</connection-url> <driver-class>org.postgresql.Driver</driver-class> <driver>postgresql</driver> <pool> <max-pool-size>10</max-pool-size> </pool> <security> <user-name>ers</user-name> <password>ers_user_password</password> </security> <validation> ....
Find mail-session directive and configure the 'from' address and SMTP authentication.
.... <mail-session name="default" jndi-name="java:jboss/mail/default" from="mailfrom@domain.com"> <smtp-server outbound-socket-binding-ref="mail-smtp" ssl="true" username="smtp_user_name" password="password"/> </mail-session> ....
Find outbound-socket-binding directive with name mail-smtp and configure smtp host and port
.... <outbound-socket-binding name="mail-smtp"> <remote-destination host="smtp-host" port="port-no"/> </outbound-socket-binding> ....
Find the host directive and replace localhost with the desired host to reach this server.
....
<host name="default-host" alias="localhost">
....
Similarly, set the host in the server_location property
....
<property name="server_location" value="http://localhost:${jboss.http.port:8080}"/>
....
9. Install eRS Systemd service.
mkdir -p /etc/ers cp /opt/ers/docs/contrib/scripts/systemd/ers.conf /etc/ers/ cp /opt/ers/docs/contrib/scripts/systemd/launch.sh /opt/ers/bin/ sh -c 'chmod +x /opt/ers/bin/*.sh' cp /opt/ers/docs/contrib/scripts/systemd/ers.service /etc/systemd/system/ systemctl daemon-reload systemctl enable ers.service systemctl start ers systemctl status ers
If all the steps have been completed successfully, you should be able to see an output that is similar to the one shown below.
ers.service - The eRS Sever (Powered by Wildfly Application Server)
Loaded: loaded (/etc/systemd/system/ers.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2021-07-10 16:26:41 UTC; 8s ago
Main PID: 3046 (launch.sh)
Tasks: 86 (limit: 11387)
Memory: 529.8M
CGroup: /system.slice/ers.service
├─3046 /bin/bash /opt/ers/bin/launch.sh standalone ers-config.xml 0.0.0.0
├─3047 /bin/sh /opt/ers/bin/standalone.sh -c ers-config.xml -b 0.0.0.0
10. Listen on standard HTTP ports (80 and 443)
For security reasons, port no below 1024 can only be opened by the root user. So if you use front-running load balancers or front-end servers, then the recommended way to listen on standard http ports is to configure port mapping on the front-running load balancer or the front-end server.
In case the server is directly accessible over the internet, we can redirect standard ports to ers listening ports as shown below.
apt-get -y install iptables-persistent
# Reply yes to persist these rules on system reboot.
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 iptables -I INPUT -p tcp --dport 8080 -j ACCEPT iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443 iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
netfilter-persistent save
11. Configure TLS/SSL
Option 1:
Get your valid CA-signed SSL certificate and configure it as below.
cd /opt/ers/standalone/configuration/
openssl pkcs12 -export -in your_ssl_certificate_file_location -inkey certificate_private_key_file -out ers.keystore
keytool -import -alias IntermediateCA -trustcacerts -file your_intermediateCA_certificate_file -keystore ers.keystore
vi /opt/ers/standalone/configuration/ers-config.xml
Find keystore directive under the security realm named ApplicationRealm and configure it as below.
....
<keystore path="ers.keystore" relative-to="jboss.server.config.dir" keystore-password="your_keystore_password"/>
....
Option 2:
If you do not have a CA-signed SSL certificate, you can create a self-signed certificate for the desired host. Clients have to manually trust this type of certificate.
vi /opt/ers/standalone/configuration/ers-config.xml
Find keystore directive under the security realm named ApplicationRealm and configure the hostname you set earlier.
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
If exists, delete the existing keystore to force generate a certificate for the host you have set.
rm /opt/ers/standalone/configuration/application.keystore
Finally, restart ers service to load the configuration changes.
systemctl restart ers
12. Configure secure context (optional)
Edit eRS configuration file and configure security settings.
vi /opt/ers/standalone/configuration/ers-config.xml
Change server location property value to generate secure links by default. Use the same host that you have configured to reach this server.
....
<property name="server_location" value="https://server_host"/>
....
Change secure cookies property value to True
....
<property name="secure_cookies" value="true"/>
....
Redirect HTTP requests to HTTPS.
Find http-to-https rewrite rule and replace localhost with the host you configured earlier.
<rewrite name="http-to-https" target="https://localhost%U" redirect="true"/>
Uncomment below to enable HTTP to HTTPS redirect
.... <filter-ref name="http-to-https" predicate="equals(%p,8080)"/> ....
Uncomment below to enable 'Strict Transport Security'
.... <filter-ref name="transport-security"/> ....
Uncomment below to enable 'X-XSS-Protection'
.... <filter-ref name="xXssProtection"/> ....
Uncomment below to block 'Content Sniffing'
.... <filter-ref name="xContentTypeOptions"/> ....
Restart ers service to load the configuration changes.
systemctl restart ers
13. Accessing the application
To access the application from the client machine, open any modern web browser (Chrome is recommended) and visit the URL http://your_host. Upon accessing the URL, you should see a login page. Login as root user with the following credentials...
Login ID: root
Password: eYu?169tUO?a
After logging in, you will see licensing screen that will have options to request and apply the license.