There are at least 3 possible configurations of authorization-enabled FT pairs.
1) Primary and secondary servers share a common users.conf file.
2) Primary and secondary servers each use a separate users.conf file.
3) Primary and secondary servers retrieve users and groups from a common LDAP.
Before we look into each option, ensure the server names and server passwords are identical on both servers. The server password is stored in the tibemsd.conf file. Examine this section of tibemsd.conf:
########################################################################
# Server Identification Information.
#
# server: unique server name
# password: password used to login into other routed server
########################################################################
server = EMS-SERVER
password =
You must set up the server password on both servers. You can do this on each server individually, without needing to run them as a pair.
First, start up the first instance (using tibemsd1.conf).
Connect to this instance using tibemsadmin in $EMS_HOME/bin.
tibadmin@tibems01:~/tibco/ems/5.1/bin$ ./tibemsadmin
TIBCO Enterprise Message Service Administration Tool.
Copyright 2003-2010 by TIBCO Software Inc.
All rights reserved.
Version 5.1.5 V3 3/29/2010
Type 'help' for commands help, 'exit' to exit:
>
Connect to tibems01 (login name = admin, password = blank)
> connect tibems01
Login name (admin):
Password:
Connected to: tcp://tibems01:7222
tcp://tibems01:7222>
Set the server password using the following command.
tcp://tibems01:7222> set server password=serverpass
Server parameters have been changed
tcp://tibems01:7222>
Before you proceed to carry out the same step on tibems02, let's inspect the tibemsd1.conf file. You should see that the mangled password is now there.
########################################################################
# Server Identification Information.
#
# server: unique server name
# password: password used to login into other routed server
########################################################################
server = EMS-SERVER
password = $man$o9y3vdC5oxiNRQT6Sb4F+FqKLqM
Now set the server password in tibemsd2.conf, with the exact same password used in tibemsd1.conf.
tibadmin@tibems01:~/tibco/ems/5.1/bin$ ./tibemsadmin
TIBCO Enterprise Message Service Administration Tool.
Copyright 2003-2010 by TIBCO Software Inc.
All rights reserved.
Version 5.1.5 V3 3/29/2010
Type 'help' for commands help, 'exit' to exit:
> connect tibems02
Login name (admin):
Password:
Connected to: tcp://tibems02:7222
tcp://tibems02:7222> set server password=serverpass
Server parameters have been changed
tcp://tibems02:7222>
Inspect the tibemsd2.conf file.
########################################################################
# Server Identification Information.
#
# server: unique server name
# password: password used to login into other routed server
########################################################################
server = EMS-SERVER
password = $man$vwtgocxurfOKsIcAiMOwD84fCDc
Note that the mangled password does not need to be identical in both tibemsd1.conf and tibemsd2.conf.
The FT pair is still not operational until we create a user 'EMS-SERVER' on each server. This is where it gets confusing. Not only do you set up the server password (stored in the tibemsd.conf files), you also need to create a user called 'EMS-SERVER' with exactly the same password (serverpass). How this is done depends on which option we choose and is described in the sections below.
Option 1: Primary and secondary servers share a common users.conf file (in other words, both tibemsd1.conf and tibemsd2.conf point to a single users.conf file)
[Figure: Servers using a common users.conf file]
Start either one of the instances (I chose tibems01)
Start tibco admin tool and connect.
> connect tibems01
Login name (admin):
Password:
Connected to: tcp://tibems01:7222
tcp://tibems01:7222> create user EMS-SERVER password=serverpass
User 'EMS-SERVER' has been created
tcp://tibems01:7222>
Now inspect the users.conf file.
admin::"Administrator"
EMS-SERVER:$2$og/IEiSh$gp3b15kK67UPbMR3t7NX4h2X:""
The user admin is created by default by the server, without a password.
The EMS-SERVER is the one that we have just created. Note the mangled password.
Option 2: Primary and secondary servers each use a separate users.conf file (say, tibemsd1.conf uses users1.conf and tibemsd2.conf uses users2.conf)
[Figure: Servers have own users.conf file]
Repeat what was done in Option 1 for both tibems01 and tibems02. You should see the mangled password for EMS-SERVER in both usersN.conf files.
Option 3: Primary and secondary servers retrieve users and groups from a common LDAP.
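To check the result of Option 1 or Option 2 offline, the following added example (not part of the original post or of TIBCO's tooling) parses the two tibemsd.conf files and their users.conf files and reports what is missing. The file contents and mangled strings are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit script with constructed sample files (not from the post).
def parse_conf(text):
    """Parse 'key = value' lines of a tibemsd.conf, skipping '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_users(text):
    """Parse users.conf lines of the form name:password:"description"."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and not parts[0].startswith("#"):
            users[parts[0]] = parts[1]
    return users

def audit_ft_pair(conf1, conf2, users1, users2):
    """Return findings; for Option 1 pass the shared users.conf text twice."""
    findings, names = [], []
    for label, conf_text, users_text in (("server1", conf1, users1),
                                         ("server2", conf2, users2)):
        conf, users = parse_conf(conf_text), parse_users(users_text)
        name = conf.get("server", "")
        names.append(name)
        if not conf.get("password"):
            findings.append(f"{label}: server password not set")
        # Mangled values differ per file, so only presence can be checked here,
        # not that the cleartext passwords match.
        if not users.get(name):
            findings.append(f"{label}: user '{name}' missing or has blank password")
        if "admin" in users and not users["admin"]:
            findings.append(f"{label}: admin has a blank password")
    if names[0] != names[1]:
        findings.append("server names differ")
    return findings

# Constructed sample contents; the mangled strings are placeholders.
CONF1 = "# Server Identification\nserver = EMS-SERVER\npassword = $man$PLACEHOLDER1\n"
CONF2 = "server = EMS-SERVER\npassword =\n"
USERS1 = 'admin::"Administrator"\nEMS-SERVER:$2$PLACEHOLDER:""\n'
USERS2 = 'admin:$2$PLACEHOLDER2:"Administrator"\n'

if __name__ == "__main__":
    for finding in audit_ft_pair(CONF1, CONF2, USERS1, USERS2):
        print(finding)
```

The script also flags the default admin account when its password field is empty, which is the state users.conf is in right after the steps above.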
Not covered in this article. We will discuss this when I have my LDAP server deployed.
Happy authorizing...☺
Cheers,
In my experience using different users.conf files is an operational issue because each user needs to be created twice. With a common users.conf (in fact with every configuration common except tibems.conf) you only need to create it on the active/primary node just once. The same for the rest of the configuration. Once the fail over takes place the secondary server seems to re-read all its configuration files and hence your changes done on the primary take effect.
Thanks beltza for sharing your experience. I would agree with that. Though one is allowed to set up an FT pair that uses separate users.conf, I can't imagine the practical application of it.