Jun 30 2014

SGeoS Esri ArcGIS 10.2.2 for Server Standard Java – Module 1 of 9

Published by at 1324h under SL In General

Esri ArcGIS 10.2.2 for Server Standard – Java

Build steps for configuration Module-stage-1

  1. Start from completed system Module-stage-0
  2. Create an installation directory for ArcGIS Server
    Name the installation directory with only lowercase letters per the Esri instructions.  Let the installation user own the new directory so that they can perform all necessary actions within.  The example here was chosen to convey version ArcGis Server 10.2.2

    mkdir /ags1022
    chown ags_install /ags1022
    chgrp ags_install /ags1022
    
  3. Enable NFS Export for ArcGIS Server Directory
    Make the installation directory for ArcGIS Server available via NFS.  This will permit Windows 7 Enterprise users (or more likely other ArcGIS Server machines) to connect to it .  Append a line to /etc/exports

    /ags1022  workstationIP(rw,sync,no_root_squash,no_all_squash)
    

    If you find that the check boxes during install seem not to have included NFS as they should: no worries.  It’s like this:

    sudo yum install nfs* -y
    

    Then fire up the share:

    service rpcbind start
    chkconfig rpcbind on
    service nfs start
    chkconfig nfs on
    
  4. Enable SMB for Windows 7 Pro users
    The NFS share is going to be useful among Linux servers, but to develop our services from a Windows desktop, only Windows 7 Enterprise systems have an NFS client built in.  There are open-source NFS clients for Windows, but they are not version-matched with NFS versions most commonly installed on CentOS 6.5.  The main use of NFS is for storage mapping among SGeoS modules on different tiers within a single site, or exchange across SGeoS modules in collaborating environments, such as Dev?Test/QA?Production server transfers.For the Dev machine, we’ll want to enable SMB connections so that any necessary Windows 7 workstation can be configured to connect, particularly Windows 7 Professional machines commonly found deployed through City and County of San Francisco and also at home.SMB can be a less secure means of sharing storage, because it is designed to be compatible with systems that used old and insecure approaches to publishing storage space.  To make this  a clean connection, we’ll configure both iptables as well as mark SELinux to open only the minimum required connection types—but run SELinux in permissive mode to allow SELinux to log but not block actions.Because it is more secure than Workgroup shares, SGeoS modules configure SMB to only work with Active Directory.  Samba Workgroup sharing takes place on other ports that can be left closed.

    It’s easy enough to install the system standard SMB server, but important to configure firewall, give some respect for proper SELinux configuration, and configure the actual SMB shares.
    For Active Directory only we can add these to /etc/sysconfig/iptables
    AGS_01

    Then install

    yum install samba samba-client samba-common ntpd
    

    Verify the installed version; at CentOS 6.5 we get 3.6.9

    smbd --version
    

    Label the served directory to let SELinux know it’s OK to share

    semanage fcontext -a -t public_content_rw_t ‘/ags1022(/.*)?’
    

    Set the Samba services to start at boot time.

    chkconfig smb on
    chkconfig nmb on
    

    With an enterprise install, the standard configuration is found at /etc/samba/smb.conf and should have a section like this to enable a share around ArcGIS Server.  In general, deeper shares with restricted users and allowed client IP are strongly preferred for better server security.

    [ags1022]
       comment = ArcGIS Server 10.2.2 Java
       path = /ags1022
       browseable = yes
       public = no
       writable = yes
       printable = no
    

    It might be desirable to configure Samba to use Active Directory, and according to documentation at http://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server it is necessary to have precise time within an AD network, including both a running ntpd and ntp-signd daemons.

    service ntpd stop
    ntpdate wwv.nist.gov
    service ntpd start
    chkconfig ntpdate on
    
  5. Create Esri install and user Linux system accounts
    To create a user account, make it and set its password.
    We need to have a normal user for the ArcGIS Server install, and not install it as root.
    So create a new user and set their password.

    useradd ags_install
    passwd ags_install
    
    useradd ags_user
    passwd ags_user
    
  6. Fulfill Esri-specified system configuration Dependencies
    Work through the Esri-specified dependencies listed http://t.co/f1UoXNrzdr
    yum install Xvfb freetype fontconfig mesa-libGL mesa-libGLUIdentify the hard and soft limits set in the system for file handles and processes

    ulimit -Hn -Hu
    ulimit -Sn -Su
    

    It’s likely default limits are too small to run ArcGIS Server properly, so sudo to edit the file /etc/security/limits.conf  adding these four lines to change settings for
    the ags_intall user
    AGS_02

  7. Enable default httpd
    While it’s possible to install a pre-release Apache 2.4 from RedHat, the default CentOS 6.5 version is 2.2.13—installing more updated versions of web server and OpenSSL are described a couple of sections below.The classic Enterprise approach uses the stock install of httpd 2.2.15 on CentOS 6.5

    yum install httpd
    

    If there’s reason to attach to network (like always), SELinux can be set to allow this

    setsebool -P httpd_can_network_connect on
    

    Poise for open server, but enable only secure browsing with these lines in
    file /etc/sysconfig/iptables for workstations at 10.1.15.x to access via https://
    ags_03

    service httpd restart
    

    If it is desired to have the server always start up the web server, set that to happen

    chkconfig httpd on
    
  8. Install updated httpdOption A:If there’s a desire for an Apache 2.4 httpd on the server, but not the stomach to build one from source, then make the install this way using a software collection  scl  that can install pre-release postings by Red Hat people.  While not a pure enterprise approach, this technique does offer a minimal-risk method to update important framework elements like httpd.
    curl -s http://repos.fedorapeople.org/repos\
       /jkaluza/httpd24/epel-httpd24.repo > /etc/yum.repos.d/epel-httpd24.repo
    
    yum install httpd24-httpd
    

    Then to test it:

    service httpd24-httpd start
       Starting httpd:                                            [  OK  ]
    curl -s http://localhost/ | grep 'Test Page for'
        <title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>
    


    Option B:
    For security enthusiasts, configure and build from the latest stable Apache source.
    This makes most sense if one also chose to build the very latest OpenSSL from source, in Module-stage0 > Step 7 > Option B. This approach is normal for banking and payment card industries.

    cd /opt/installs
    wget wget http://<some apache mirror site>\
    /apache//apr/apr-1.5.1.tar.gz
    tar xvf apr-1.5.1.tar.gz
    cd apr-1.5.1
    ./configure
    make
    sudo make install
    

    This should place the APR configuration file at /usr/local/apr/bin/apr-1-config

    cd /opt/installs
    wget wget http://<some apache mirror site>\
    /apache//apr/apr-util-1.5.3.tar.gz
    tar xvf apr-util-1.5.3.tar.gz
    cd apr-util-1.5.3
    ./configure --with-apr=/usr/local/apr/bin/apr-1-config
    make
    sudo make install
    

    This should place the APR-util library at /usr/local/apr/lib

    And one more dependency was observed for building httpd:

    yum install  pcre  pcre-devel
    

    Prepare for SSL connections with a self-signed web server certificate

    cd /usr/local
    mkdir pki
    cd pki
    

    Once there, generate a private key for postgresql

    openssl genrsa -out htca.key 8192
    <
    

    Generate a Certificate Signing Request

    openssl req -new -key htca.key -text -out htca.csr
    

    Generate a Self-Signed Key

    openssl x509 -req -days 365 -in htca.csr -signkey htca.key -out htca.crt
    

    Copy these  files to the following locations (DO NOT move them; copy them–then delete)

    cp htca.crt /etc/pki/tls/certs
    cp htca.key /etc/pki/tls/private
    cp htca.csr /etc/pki/tls/private
    chmod 600 /etc/pki/certs/htca.crt /etc/pki/tls/private/htca.*
    rm htca.*
    <
    

    Then we should be ready to actually build an optimized httpd; the  ./configure  is long on options and requires a patch listed here to work with ssl, which it must do.

    cd /opt/installs
    wget http://<some apache mirror>\
    /apache//httpd/httpd-2.4.9.tar.bz2
    tar xvf httpd-2.4.9.tar.bz2
    cd httpd-2.4.9
    export LDFLAGS=”-L/usr/local/lib64”
    
    ./configure  --prefix=/usr/local/httpd \
      --enable-so \
      --enable-pie \
      --with-apr=/usr/local/apr/bin/apr-1-config \
      --enable-ssl \
      --with-ssl=/usr/local/openssl \
      --enable-allowmethods \
      --enable-info \
      --enable-speling \
      --with-mpm=event \
      LDFLAGS=-L/usr/local/lib64 \
      $@
    
    make
    sudo make install
    

    Duplicate some of the enterprise httpd service configuration to make it easier to run the new web server

    su
    cp  /etc/sysconfig/httpd  /etc/sysconfig/httpd2
    cp  /etc/init.d/httpd  /etc/init.d/httpd2
    ln -s  /usr/local/httpd/bin/httpd  /usr/sbin/httpd2
    ln -s  /usr/local/httpd/bin/apachectl  /usr/sbin/apachectl2
    mkdir  /usr/lib64/httpd2
    cp -r /usr/local/httpd/modules /usr/lib64/httpd2
    

    Edit /etc/init.d/httpd2   so that it contains these sort of changes

    apachectl=/usr/sbin/apachectl2
    httpd=${HTTPD-/usr/sbin/httpd2}
    prog=httpd2
    pidfile=${PIDFILE-/var/run/httpd/httpd2.pid}
    lockfile=${LOCKFILE-/var/lock/subsys/httpd2}
    

    Edit /usr/local/httpd/conf/httpd.conf  to redirect all traffic to SSL connections.

    Include conf/extra/httpd-ssl.conf
    Include conf/extra/httpd-mpm.conf
    
    <IfModule unixd_module>
    User apache
    Group apache
    </IfModule>
    
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    
    Include conf/extra/httpd-ssl.conf
    
    # Redirect everything to an ssl connection
    # functional Directory is then specified in extra/httpd-ssl.conf
    <VirtualHost *:80>
    ServerName sg11
    Redirect permanent / https://sg11/
    </VirtualHost>
    
    <IfModule dir_module>
    DirectoryIndex  index.html
    </IfModule>
    
    <Files “.ht*”>
    Require all denied
    </Files>
    

    Edit /usr/local/httpd/conf/extra/httpd-ssl.conf  for system content locations and so editors can update content through the SMB share configured at the ArcGIS for Server directory.

    Listen 443
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLSessionCache        "shmcb:/usr/local/httpd/logs/ssl_scache(512000)"
    
    <VirtualHost _default_:443>
    
    ServerName sg11:443
    DocumentRoot "/ags1022/html"
    ServerAdmin your.name@here.net
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    
    <Location />
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>
    
    SSLEngine on
    SSLCertificateFile "/etc/your_path_to.crt"
    SSLCertificateKeyFile "/etc/your_path_to_server_private.key"
    
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </VirtualHost>
    

    Back up the site configuration  by making a copy of the modified site configuration files in another location.

    cd /usr/local/httpd
    mkdir /root/httpd_local_conf
    cp -r conf /root/httpd_local_conf
    
  9. Build latest stable Python from source; development server config
    If there’s reason to build PostGIS support framework components with Python support later, it might help to have built the Python locally, so as to appease the linker later.  Reference Python source is from the python.org site. They’ve chosen to compress their archives with a scheme that requires the XZ compression library.  Since Python appears to have a lot of ties to development libraries, it’s been suggested in more than one place to bulk up on some of these tools for smoother builds.
    These may be removed on a production server; they are needed for development.

    yum groupinstall development
    yum install -y zlib-dev openssl-dev sqlite-devel bzip2-devel \
    ncurses-devel readline-devel tk-devel gdbm-devel db4-devel \
    libpcap-devel xz-libs xz-devel
    

    One possible build location is /opt/installs, where a TARFILES directory could be made.
    Create the directory if it doesn’t already exist

    mkdir /opt/installs
    cd !$
    

    Once there, get the compressed source similar to below and decode it

    cd /opt/installs
    wget https://www.python.org/ftp/python/2.7.6/Python-2.7.6.tar.xz
    xz -d Python-2.7.6.tar.xz
    cd ..
    tar xvf TARFILES/Python-2.7.6.tar
    cd Python-2.7.6
    

    Prepare to create a shared library by appending the path /usr/local/lib to /etc/ld.so.conf
    so that it at least looks like:

    include ld.so.conf.d/*.conf
    /usr/local/lib
    

    Then have the linker read the new configuration with

    /sbin/ldconfig
    

    Configure the Python build for alternate location, unicode-32, and shared library. Make it

    ./configure --prefix=/usr/local --enable-shared --with-threads
    make
    

    Let’s not clobber the system’s Python install, and make this the alternate Python install
    This should leave only four minor and/or deprecated bits not found.  Good riddance to them.
    ags_04

    FInally install as an alternate Python so as not to impact any ArcGIS for Server defaults.  Be doubly certain to include the “altinstall” if you’re root.

    make altinstall
    

    Should the make have problems finding libpython2.7.so.1.0,  it could be necessary to create a file /etc/ld.so.conf.d/python2.7.conf   hat lists path /usr/local/python27/lib  if that was chosen as the prefix during config.  After changes there, run this to reload the loader’s configurations

    /sbin/ldconfig
    

    Set up Python build capability by adding Setuptools, then leverage that to install pip and since we’re building the system with Python 2 (and not yet 3), add virtualenv

    mkdir /usr/local/src/Setuptools_py
    cd !$
    wget https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
    python2.7 ez_setup.py
    easy_install-2.7 pip
    pip2.7 install virtualenv
    
  10. Mount the Esri ISO and Prepare for Installing AGS
    (WITH IMPORTANT PRACTICAL NOTE)
    When attaching an ISO image such as Esri installation DVD in the VMware vSphere Client, verify that the ISO has not been mounted in Windows (like to poke around the download) and thus used and locked by Virtual Clone Drive.  If the ISO has been mounted, and one has already tried attaching ISO in vSphere, consider restarting the Windows machine!Oddly, when mounting the ESRI Install DVD ISO,  it appears necessary to launch (or re-launch) the vSphere Client by right-clicking and explicitly using “Run as Administrator”
    With a fresh Windows boot (if needed), and vSphere launched as Administrator, it appears necessary to mount the ESRI ISO with explicit file system type into an existing empty directory such as /cdromThe finesse here seems to be that the login as root and mounting of device can take place in the vSphere console window, then launch a nice large PuTTY ssh window,  log in as ags_install, with home directory in /ags1022, to complete the installationAs root in the console window, after attaching the local ISO, mount the image

    mount -t iso9660 /dev/cdrom /cdrom
    

    Then in the PuTTY window have ags_install verify the mount by looking at all mounted devices; noting the presence of read-only storage at /cdrom

    df
    

    ags_05

    In the PuTTY window, cd into the mounted ISO to see the Setup script.

  11. Install ArcGIS for Server
    Why bother installing a GUI just to run the ArcGIS Server install scripts?  Following the instructions at Esri Resources  the command line interface (CLI) install procedure is most readily described as “Installing ArcGIS for Server silently”  Then, in the cdrom install directory, this wickedly terse statement completely installs all of ArcGIS for Server 10.2.2 into  /ags1022

    su - ags_install
    cd /cdrom/ArcGISServer
    ./Setup -m silent -l Yes /a <path-to-.prvc> /d /ags1022
    

    Fire off the script in silent mode. That’s it. Really.
    If need be, it may be necessary to use the SMB share to copy over the Esri provisioning file to /ags1022, then run the authorizeSoftware script against the .prvc

    /ags1022/arcgis/server/tools/authorizeSoftware -f \
    /ags1022/ArcGISforServerStandardEnterprise_server_xxxxxx.prvc
    

    Then start the post-installation configuration process.
    If server name resolves and ports are open, it’s time to point a browser  at a destination like this and Create New Site

    http://sg11.sfgis.us:6080/arcgis/manager
    

    ags_06

  12. Complete ArcGIS for Server Post-Installation Steps
    This begins with defining an ArcGIS for Server site administrator (not an OS account).
    It’s wise to consider saving this password now in a runbook for the server.
    ags_07Consider keeping the working directories up a bit higher than default location
    ags_08Click Finish, and that’s all that it took.  Seriously easier than it was, once upon a time.
    ags_09
  13. Go Forth and Create Map Services
    Log in, go forth and make many Map and Image services!
    ags_10The new AGS Server Manager console looks more like ArcGIS Online these days:
    ags_11
  14. Secure AGS Manger connections for https-only access
    This will either generate a new cert or provide an opportunity to install an established one.
    Visit not the Manager site, but the Admin one.At first, ArcGIS for Server will be reached by

    http://<server>:6080/arcgis/admin
    

    ags_12

    Go to machines
    ags_13

    In the named machine, Resources: click sslcertificates near the bottom
    ags_14

    To create a new self-signed cert, click generate
    ags_15

    Consider using an Alternative name that is the server’s IP address, to help users who may not have the server name properly resolved in DNS.  That way, only https need be accepted.
    The Subject Alternative Name must be formatted in the style  IP:10.x.x.x
    ags_16

    When the certificate is available, move back up to …/arcgis/admin/machines and go to machine name, and click on Supported Operations:  edit
    ags_17

    Enter the name of the cert that you want to use in Web server SSL Certificate field,
    then click Save Edits.
    ags_18

    After it completes, verify that the chosen cert is displayed.

  15. Enable https-only access for Admin connections to ArcGIS Server
    Starting from  http://<server>:6080/arcgis/admin/security/config
    click on  update then modify the Protocol parameter.  If you haven’t yet verified that the certificate was working and you were able to connect via https:, select the HTTP and HTTPS choice.
    If secure admin connections are working and you were able to connect through
    https://<server>:6443/arcgis/admin/security/config   then it’s OK to select the HTTPS Only choice.
    That’s where you want to end up, but don’t lock yourself out while doing it, so try the two-step approach until verified.  When done, click the Update button.
    ags_19After that, only secured connections to the server will be enabled, at :6443, e.g.

    https://sg11.sfgis.us:6443/arcgis/manager/
    https://sg11:6443/arcgis/manager/
    
  16. Make Publisher or Administrative connection from ArcCatalog In the Catalog tree view, GIS Servers > Add ArcGIS Server > Administer GIS Server  use Server URL in form of
    https://sg11.sfgis.us:6443/arcgis
    

    with Authenication as used in the admin pages above.
    If you’ve used your own self-signed cert, just click through the warning and connect away.
    ags_20

No responses yet

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.