Warning

This documentation is still work in progress!

The following diagram illustrates a typical deployment pattern for WSO2 Enterprise Mobility Manager.

...

The following databases are needed for the clustering.

| Database Name | Description | Database Script Location |
| --- | --- | --- |
| CDM core database (DM_DS) | This stores generic data about devices (such as unique identifier, device type, ownership type), device enrollment information, device operations, policy management related data, etc. | <PRODUCT_HOME>/dbscripts/cdm/ |
| APIM Database (WSO2AM_DB) | This stores data related to JAX-RS APIs and OAuth token data. | <PRODUCT_HOME>/dbscripts/apimgt/ |
| Registry database (REG_DB) | This acts as the registry database. This database stores governance and config registry and must be mounted to all nodes in the cluster. | <PRODUCT_HOME>/dbscripts/ |
| User and permission manager (UM_DB) | This database stores the user permission related details. | <PRODUCT_HOME>/dbscripts/ |

The following databases are related to plugins. They hold data that is essential for these devices to work (such as APNS related keys) and that is not available in the CDM core database.

| Database Name | Description | Database Script Location |
| --- | --- | --- |
| iOS DB (MobileIOSDM_DS) | Stores the iOS related data. | <PRODUCT_HOME>/dbscripts/cdm/plugins/ios |
| Android DB (MobileAndroidDM_DS) | Stores the Android related data. | <PRODUCT_HOME>/dbscripts/cdm/plugins/android/ |
| Windows DB (MobileWindowsDM_DS) | Stores the Microsoft Windows related data. | <PRODUCT_HOME>/dbscripts/cdm/plugins/windows/ |

To change the datasource configurations, please change the following files.

File to change: <PRODUCT_HOME>/repository/conf/datasources/master-datasources.xml
This file must include the datasource configuration for the following databases.
  • APIM datasource
  • Registry datasource
  • User permission manager datasource

File to change: <PRODUCT_HOME>/repository/conf/datasources/emm-datasources.xml
This file must include the datasource configuration for the following databases.
  • CDM core datasource
  • IOS plugin datasource
  • Android datasource
  • Windows datasource

See Setting up the Database for an example of how datasources are configured.

...

  1. Open the nginx.conf file and add the following configuration for the worker node.

    Note: The URL used by the worker nodes is work.emm.wso2.com. Make sure this is properly set up in DNS and points to the load balancer.

    upstream work.emm.wso2.com {
            ip_hash;
            server xxx.xxx.xxx.xxx:9763;
            server xxx.xxx.xxx.xxx:9763;
    }
    
    server {
            listen 80;
            server_name work.emm.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://work.emm.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.work.emm.wso2.com {
        ip_hash;
        server xxx.xxx.xxx.xxx:9443;
        server xxx.xxx.xxx.xxx:9443;
    
    }
    
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name work.emm.wso2.com;
        ssl_certificate /Users/geeth/Documents/Product-Testing/clustering/emm/conf/keys/server.crt;
        ssl_certificate_key /Users/geeth/Documents/Product-Testing/clustering/emm/conf/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.work.emm.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }

    For a Mutual SSL enabled setup, note the following changes.

    Changes for Mutual SSL enabled deployment:
     server {
          # "listen ... ssl" replaces the deprecated "ssl on;" directive
          listen 443 ssl;
          server_name ssl.work.emm.wso2.com;
                   ssl_certificate      /etc/nginx/certs/server.crt;
                   ssl_certificate_key  /etc/nginx/certs/server.key;
                   ssl_client_certificate /etc/nginx/certs/ca.crt;
                   ssl_verify_client optional;
    
    
              location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_set_header PROXY-MUTUAL-AUTH-HEADER $ssl_client_s_dn;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.work.emm.wso2.com;
    
     
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
              }
           }
    
    
    
    
    • ssl_certificate: the SSL certificate of nginx.
    • ssl_certificate_key: the private key of the SSL certificate of nginx.
    • ssl_client_certificate: the CA certificate used to sign the client certificates.
    • ssl_verify_client: on | off | optional | optional_no_ca. Refer to the nginx documentation for more details: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
    • proxy_set_header PROXY-MUTUAL-AUTH-HEADER $ssl_client_s_dn; This header is set so that the EMM server can validate the client details.

    With the latest nginx versions, the behaviour has changed and $ssl_client_s_dn_legacy must be used instead of $ssl_client_s_dn.


  2. Open the nginx.conf file and add the following configuration for the manager node.

    Note: The URL used by the manager nodes is mgt.emm.wso2.com. Make sure this is properly set up in DNS and points to the load balancer.

    upstream mgt.emm.wso2.com {
            ip_hash;
            server xxx.xxx.xxx.xxx:9763;
            server xxx.xxx.xxx.xxx:9763;
    }
    
    server {
            listen 80;
            server_name mgt.emm.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://mgt.emm.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.mgt.emm.wso2.com {
        ip_hash;
        server xxx.xxx.xxx.xxx:9443;
        server xxx.xxx.xxx.xxx:9443;
    
    }
    
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name mgt.emm.wso2.com;
        ssl_certificate /Users/geeth/Documents/Product-Testing/clustering/emm/conf/keys/server.crt;
        ssl_certificate_key /Users/geeth/Documents/Product-Testing/clustering/emm/conf/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.mgt.emm.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
  3. Open the nginx.conf file and add the following configuration for the key manager or identity provider node.

    Note: The key manager’s URL is keymgt.emm.wso2.com. Make sure this is properly set up in DNS and points to the load balancer.

    upstream keymgt.emm.wso2.com {
            ip_hash;
            server xxx.xxx.xxx.xxx:9763;
            server xxx.xxx.xxx.xxx:9763;
    }
     
    server {
            listen 80;
            server_name keymgt.emm.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://keymgt.emm.wso2.com;
     
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.keymgt.emm.wso2.com {
        ip_hash;
        server xxx.xxx.xxx.xxx:9443;
        server xxx.xxx.xxx.xxx:9443;
     
    }
     
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name keymgt.emm.wso2.com;

        ssl_certificate /Users/geeth/Documents/Product-Testing/clustering/emm/conf/keys/server.crt;
        ssl_certificate_key /Users/geeth/Documents/Product-Testing/clustering/emm/conf/keys/server.key;
    
    
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.keymgt.emm.wso2.com;
     
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
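
A configuration check for the mutual SSL setup in step 1, added here as an example (it is not WSO2 or nginx code): because the EMM server relies on PROXY-MUTUAL-AUTH-HEADER, every listener that proxies to the same nodes should either set that header from a CA-verified certificate or clear it, since nginx otherwise forwards request headers as received. The `lint` function, the sample configuration and the `test.invalid` listener are constructed for illustration, and the check looks at each server block as a whole rather than at individual location blocks.

```python
import re

TRUST_HEADER = "PROXY-MUTUAL-AUTH-HEADER"  # header name used on this page
START = r"(?m)(?:^|(?<=[;{}]))\s*"  # a directive starts a line or follows ; { }

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(START + r"server\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def args(body, name):
    """Argument lists of every `name ...;` directive in a block."""
    pat = START + re.escape(name) + r"\s+([^;{}]+);"
    return [m.group(1).split() for m in re.finditer(pat, body)]

def lint(conf):  # returns [(server_name, listen, problem), ...]
    findings = []
    for body in server_blocks(re.sub(r"#.*", "", conf)):
        first = lambda name, default: (args(body, name) or [[default]])[0][0]
        where = (first("server_name", "?"), first("listen", "?"))
        # nginx defaults to "off"; only "on" and "optional" verify against the CA
        verified = first("ssl_verify_client", "off") in ("on", "optional")
        values = [a[1] for a in args(body, "proxy_set_header")
                  if len(a) > 1 and a[0].upper() == TRUST_HEADER]
        if not values and args(body, "proxy_pass"):
            findings.append(where + ("client-supplied header is passed through",))
        elif values and values[-1].startswith("$ssl_client_s_dn") and not verified:
            findings.append(where + ("client DN forwarded without CA verification",))
    return findings

# Constructed sample modelled on step 1 of the page; test.invalid is hypothetical.
SAMPLE = """
server { listen 443 ssl; server_name work.emm.wso2.com;
  location / { proxy_pass https://ssl.work.emm.wso2.com; } }
server { listen 443 ssl; server_name ssl.work.emm.wso2.com;
  ssl_verify_client optional;
  location / { proxy_set_header PROXY-MUTUAL-AUTH-HEADER $ssl_client_s_dn;
               proxy_pass https://ssl.work.emm.wso2.com; } }
server { listen 8443 ssl; server_name test.invalid;
  ssl_verify_client optional_no_ca;
  location / { proxy_set_header PROXY-MUTUAL-AUTH-HEADER $ssl_client_s_dn;
               proxy_pass https://ssl.work.emm.wso2.com; } }
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

A listener that does not terminate mutual SSL can clear the header with `proxy_set_header PROXY-MUTUAL-AUTH-HEADER "";`, because nginx does not pass a header whose value is an empty string to the proxied server.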

...

  1. Download and unzip the WSO2 EMM binary distribution. The extracted directory is referred to as <EMM_HOME> in this document.
  2. Configure the HostName and the MgtHostName. To do this, edit the <EMM_HOME>/repository/conf/carbon.xml file as follows.

    <HostName>work.emm.wso2.com</HostName>
    <MgtHostName>mgt.emm.wso2.com</MgtHostName>
    • HostName: Host name or IP address of the machine hosting this server, e.g. work.emm.wso2.com or 192.168.1.10. This will become part of the End Point Reference of the services deployed on this server instance.
    • MgtHostName: Host name to be used for the Carbon management console.
  3. Configure the HTTP/HTTPS proxy ports to communicate through the load balancer by editing the <EMM_HOME>/repository/conf/tomcat/catalina-server.xml file as follows.

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
    
    port="9763"
    proxyPort="80"
    redirectPort="443"
    …
    />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="9443"
    proxyPort="443"
    redirectPort="443"
    …
    />
  4. Configure the policy monitoring frequency. You set the value in milliseconds and the default is 10 minutes. To do this, edit the <EMM_HOME>/repository/conf/cdm-config.xml file.
    <MonitoringFrequency>60000</MonitoringFrequency> 
  5. Configure the URL in the invitation email (this must point to the worker’s public host name). To do this, edit the <EMM_HOME>/repository/conf/cdm-config.xml file. 

    Tip: In a real deployment, make sure to use the HTTPS address for the URL with a properly signed SSL certificate.

    <LBHostPortPrefix>http://work.emm.wso2.com</LBHostPortPrefix>

    Configure the publicly exposed URL used for the QR code in the emm-web-agent Jaggery application, and the URL of the key manager. To do this, edit the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/config/config.json file. This file is in the emm-web-agent.zip file, so use a ZIP file browser to change it.

    "dynamicClientRegistrationEndPoint" : "https://keymgt.mdm.wso2.com/dynamic-client-web/register/",
    …….
    …...
    "generalConfig" : {
    "host" : "http://work.emm.wso2.com",
    "companyName" : "WSO2 Enterprise Mobility Manager",
    …………………….
    }

...

  1. Restart the configured load balancer.

  2. Start the key manager node.
    sh <PRODUCT_HOME>/bin/wso2server.sh -Dsetup

  3. Start the manager node.
    sh <PRODUCT_HOME>/bin/wso2server.sh

  4. Start the two worker nodes.

    Note

    Make sure to start the worker node using the command given below. Do not use -DworkerNode=true to start the worker node.

    sh <PRODUCT_HOME>/bin/wso2server.sh -DworkerNode=true

  5. Check for ‘member joined’ log messages in the worker consoles.