...
Info | ||
---|---|---|
| ||
In the Apache configuration sample shown above, the LoadBalancer node also provides the SSL layer, so the Proxy balancing rules towards the UI nodes should not use SSL. |
Abiquo API Tomcat configuration
...
Make sure the jvmRoute parameter is different on each host, as Apache Tomcat uses it to route requests to each host.
To do that, edit the /opt/abiquo/tomcat/conf/server.xml file inside the Tomcat directory and set the following value:
Code Block |
---|
<Engine name="Catalina" defaultHost="localhost" jvmRoute="node1"> |
You need to import the LoadBalancer's Apache SSL certificate and CA into the Java truststore so that the API can make complete SSL connections to the API endpoints. If you are using a self-signed certificate for testing purposes, importing the SSL certificate alone is enough.
This should be done on every node running the API webapp:
Code Block |
---|
# echo -n | openssl s_client -connect abiquo.example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > abiquo.example.com.cert
# /usr/java/default/bin/keytool -import -file abiquo.example.com.cert -keystore /path/to/cacerts
# /usr/java/default/bin/keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore /path/to/cacerts |
...
Restart tomcat after the change to apply new configuration.
...
Now, accessing your balancer at https://abiquo.example.com/ui/ or https://abiquo.example.com/api/ will balance requests between the two backend nodes.
Tip | ||
---|---|---|
Check the API balancing with the following curl command:
Make sure the href links returned by the curl API call point to the correct location. Otherwise, check your configuration again. |
API cluster and client-premium cluster
In this setup, there are two separate clusters. One is for balancing API requests, and the other one is to balance client-premium traffic.
Assume the following IP addressing for our cluster nodes.
Node | IP addressing |
---|---|
API LB | 10.60.13.10 |
API node1 | 192.168.2.100 |
API node2 | 192.168.2.101 |
Client LB | 10.60.13.50 |
Client node1 | 192.168.2.200 |
Client node2 | 192.168.2.201 |
Installation
Start by installing the backend servers using the Server profile of the Abiquo ISO installer. This profile will install the API and client-premium webapps, as well as the zookeeper daemon needed for the API to work in a clustered configuration.
Tip |
---|
Follow instructions in Distributed Install of Abiquo Server v2.6 or Distributed Install of Abiquo Server v2.4 to get the Server profile installed. |
Once you have all servers with Server profile installed, follow steps below:
In the client-premium nodes, delete the API webapp from Tomcat's webapps folder, and the API config file:
Code Block |
---|
# rm -rf /opt/abiquo/tomcat/webapps/api
# rm /opt/abiquo/tomcat/conf/Catalina/localhost/api.xml |
In the API nodes, delete the client-premium webapp and client-premium's config file:
Code Block |
---|
# rm -rf /opt/abiquo/tomcat/webapps/client-premium
# rm /opt/abiquo/tomcat/conf/Catalina/localhost/client-premium.xml |
Keep in mind that you need to keep abiquo.properties file in sync in every node of the cluster.
API Cluster
You should follow the procedure explained in API plus client-premium cluster with a couple of modifications:
- Remove the client-premium webapp on each node running API.
- Use the following Apache load balancer configuration file:
Code Block |
---|
# Enable the balancer manager console in the server root
<Location />
SetHandler balancer-manager
</Location>
# Configure the cluster nodes
<Proxy balancer://cluster>
BalancerMember ajp://192.168.2.100:8010 route=node1 ping=1
BalancerMember ajp://192.168.2.101:8010 route=node2 ping=1
</Proxy>
# Configure the modules we want to load balance
ProxyPass /api balancer://cluster/api |
It is enough for this balancer to proxy only requests to the /api context. Remember to set the required properties in the Abiquo Tomcat servers.
Client cluster
The client-premium cluster configuration is quite similar to the API cluster. For convenience, client-premium nodes should share the Abiquo properties file with the nodes running the API, and you need to remove every webapp other than the client-premium one. Also, delete the file /opt/abiquo/tomcat/conf/Catalina/localhost/api.xml so Tomcat does not complain about the missing API webapp.
Now, in the Apache balancer for client-premium instances, use the following configuration file:
Code Block |
---|
# Enable the balancer manager console in the server root
<Location />
SetHandler balancer-manager
</Location>
# Configure the cluster nodes
<Proxy balancer://cluster>
BalancerMember ajp://192.168.2.200:8010 route=node1 ping=1
BalancerMember ajp://192.168.2.201:8010 route=node2 ping=1
</Proxy>
# Configure the modules we want to load balance
ProxyPass /client-premium/ balancer://cluster/client-premium/ stickysession=JSESSIONID|jsessionid |
Now you have a balanced client-premium environment that connects to a balanced API cluster.
Adding SSL
If you want to use SSL connections to the Abiquo GUI, follow the steps in Apache Frontend with the following modifications:
- Be sure to set a common name for your certificate. This needs to match the ServerName parameter in Apache's virtual host definition and the abiquo.server.api.location property in the Abiquo configuration file.
- Use the following Apache virtual host configuration, replacing ServerName value with your certificate's CN:
Code Block |
---|
<VirtualHost *:443>
ServerName apibalancer
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
# Enable the balancer manager console in the server root
<Location />
SetHandler balancer-manager
</Location>
# Configure the cluster nodes (secondary disabled by default)
<Proxy balancer://cluster>
BalancerMember ajp://192.168.2.216:8009 route=node1 ping=1
BalancerMember ajp://192.168.2.217:8009 route=node2 ping=1
</Proxy>
# Configure the modules we want to load balance
ProxyPass /api balancer://cluster/api
ProxyPass /client-premium/ balancer://cluster/client-premium/ stickysession=JSESSIONID|jsessionid
</VirtualHost>
|
- Set the abiquo.server.api.location property in the Abiquo configuration file to point to the "ServerName" host name, using the HTTPS protocol:
Code Block |
---|
abiquo.server.api.location = https://apibalancer/api |
- You need to import Apache server's certificate and CA into Java truststore in order for the client-premium webapp to be able to connect to API. This should be done in every node running the client-premium webapp:
Code Block |
---|
# echo -n | openssl s_client -connect <ServerName>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/temp.cert
# /usr/java/default/bin/keytool -import -file /tmp/temp.cert -keystore /usr/java/jdk1.6.0_37/jre/lib/security/cacerts
# /usr/java/default/bin/keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore /usr/java/jdk1.6.0_37/jre/lib/security/cacerts |
Tip |
---|
Note that default password for a JVM truststore is changeit. Also note you may need to adjust paths for both keytool command and cacerts truststore depending on your java version. |
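The fetch in the commands above, and in the matching import on the API nodes earlier on the page, trusts whichever certificate answers on port 443, so compare its fingerprint with one read on the balancer itself before it goes into cacerts. This is an added example, not part of the original page or of Abiquo's tooling; the function names and the KEYTOOL variable are assumptions.

```shell
# Added example, not Abiquo code. Function names and KEYTOOL are assumptions.
KEYTOOL=${KEYTOOL:-/usr/java/default/bin/keytool}

# Lowercase hex without colons or spaces, so "AB:CD" and "abcd" compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# Same fetch as the page's command; -servername selects the vhost by SNI.
fetch_cert() {   # fetch_cert HOST OUTFILE
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
}

# SHA-256 fingerprint of the PEM certificate in FILE, normalised.
cert_sha256() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    norm_fp "${fp#*=}"
}

# import_if_pinned CERT EXPECTED_FP ALIAS KEYSTORE
# EXPECTED_FP is read on the balancer itself, not over the network, e.g.
#   openssl x509 -in /etc/pki/tls/certs/ca.crt -noout -fingerprint -sha256
import_if_pinned() {
    got=$(cert_sha256 "$1") || { echo "cannot parse $1" >&2; return 2; }
    want=$(norm_fp "$2")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "refusing import: $1 has $got, expected $want" >&2
        return 1
    fi
    # Reached only when the fetched certificate is the one the balancer holds.
    "$KEYTOOL" -import -alias "$3" -file "$1" -keystore "$4"
}
```

A mismatch returns 1 and leaves the truststore untouched.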
Edit /opt/abiquo/tomcat/webapps/client-premium/config/client-config.xml.jsp and change USE_SECURE_CHANNEL_LOGIN value to 1:
Code Block |
---|
...
<name>USE_SECURE_CHANNEL_LOGIN</name> <value>1</value>
... |
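The virtual host in these steps, like the two cluster configurations before it, serves balancer-manager from the server root with no access rule, and its SSLProtocol and SSLCipherSuite lines do not exclude SSLv3, RC4 or LOW suites. The lint below is an added example (not Abiquo's own code) that flags those settings. `page_vhost` repeats the page's directives, while `hardened_vhost` is a constructed corrected form that assumes Apache 2.4 `Require ip` syntax and a 10.60.13.0/24 admin subnet.

```shell
# Added example, not Abiquo code: lint a balancer vhost read from stdin.
audit_vhost() {
    awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); d = tolower($1) }
    # "all -SSLv2" keeps SSLv3 wherever the OpenSSL build still offers it.
    d == "sslprotocol" && tolower($0) ~ / [+]?all( |$)/ && tolower($0) !~ /-sslv3/ {
        print "SSLProtocol leaves SSLv3 enabled"
    }
    # Starting from ALL, a class stays available unless removed with "!".
    d == "sslciphersuite" {   # assumption: cipher string is the first argument
        n = split($2, tok, ":"); m = split("LOW RC4 EXPORT", weak, " ")
        for (j = 1; j <= m; j++) {
            hit = 0; killed = 0
            for (i = 1; i <= n; i++) {
                if (tok[i] == ("!" weak[j])) killed = 1
                else if (tok[i] == "ALL" || (tok[i] !~ /^!/ && index(tok[i], weak[j]))) hit = 1
            }
            if (hit && !killed) print "SSLCipherSuite admits " weak[j] " suites"
        }
    }
    # A balancer-manager Location needs a Require (2.4) or Allow/Deny (2.2) rule.
    d == "<location" { path = $2; sub(/>$/, "", path); mgr = 0; acl = 0 }
    d == "sethandler" && tolower($2) == "balancer-manager" { mgr = 1 }
    d == "require" || d == "allow" || d == "deny" { acl = 1 }
    d == "</location>" && mgr && !acl { print "balancer-manager at " path " has no access control" }
    '
}

# The relevant directives exactly as the virtual host on this page has them.
page_vhost() { cat <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
<Location />
SetHandler balancer-manager
</Location>
EOF
}

# Constructed corrected form (assumes Apache 2.4 and a 10.60.13.0/24 admin subnet).
hardened_vhost() { cat <<'EOF'
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
<Location /balancer-manager>
SetHandler balancer-manager
Require ip 10.60.13.0/24
</Location>
EOF
}

page_vhost | audit_vhost    # four findings; hardened_vhost | audit_vhost prints none
```

To check a real file, pipe it in the same way: `audit_vhost < your-vhost.conf`.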
...
Make sure the href links returned by the curl API call point to the correct location. Otherwise, check your configuration again. |