Hi All,
Just set up a basic AC/IS on host 1 with MAG Appliance on host 2. I hit a couple of minor issues when compared to a basic LAG setup. Normally, after install, I expect the LAG status to be yellow (as no IDP cluster assigned) but would be able to configure basic public services (i.e. can protect target apps with no authentication contract assigned). This is what I found with the MAG:
Instalation issues:
1. During the install, I had pointed the NTP address to my local address and this appeared in the ntp.conf file. However, in iMgr it claimed to still be pool.ntp.org.
2. When I installed I didn't see any COS (0x68) partition. The docs indicate that there should be one but I thought with the Apache AG it just used the normal file system. Should there be a COS partition? If not, the docs need quite a bit of updating. (Also, the swap was 2GB when I only had 1.5GB available - according to the docs it should be 3GB).
3. Although I entered a password at install time, the root password still turned out to be "novell".
After the install the status of the AG was yellow (I see from the docs that unlike the LAG, that status should be green). In the details, the "Reverse Proxies" showed "Apache Service failed to respond within 10 seconds" and "Access Gateway log" was yellow - "The last part of the file error_log contains errors... Dns server is not reachable". From packet traces it appears the reason for that is that my MAG could not resolve the name NOVELL Worldwide. If I manually added a local HOSTS entry for NOVELL Worldwide then the error went away. 2 thoughts:
4. In test, demo or PoC environments, this could be a pain and lead to customer concern - my setup had a DNS server but it wasn't forwarding to the Internet hence the reason for the failed response but that does not mean that the DNS server is unreachable as indicated by the error message. That check should be removed (the LAG doesn't do this check).
5. If the MAG was checking the file "error_log" then that suggests that the file is important and so should be downloadable via iManager - General Logging, but it isn't. It turns out that the log in question is "/var/log/novell-apache2/error_log".
I created a reverse proxy, proxy service and protected resource as a first step to prove I could access a target app (no IS cluster assigned so it was a public resource) but the service did not start up. iMgr health shows that "there is a Pending config file. (1325341348872-config.xml). (Required Action) Check AGM log files for potential processing problems". Basically, it looks like the config doesn't apply unless you also configure the IS cluster entry at which point the config applies OK and the Apache service starts. Some thoughts:
6. If the IS cluster entry is mandated then the iMgr UI should force it rather than simply failing to apply with a generic error. Better yet, it shouldn't be mandated.
7. What are the "AGM log files"? I would expect to find them on the "General Logging" tab so that they can be downloaded but they aren't there. If they exist as unique files then they should be listed for download. If it just means the catalina log file (as I gather the AGM app is a Tomcat app) then the error message should be more meaningful.
8. Looking at the log files it appears that Catalina appears in /opt when log files should appear in /var. I'm not sure why we partition off /var if the log files aren't there.
9. The JCC log doesn't appear to be downloadable from iMgr. (and when it is, it is also served from /opt rather than /var but that has always been the case).
Cheers,
Martin
Just set up a basic AC/IS on host 1 with MAG Appliance on host 2. I hit a couple of minor issues when compared to a basic LAG setup. Normally, after install, I expect the LAG status to be yellow (as no IDP cluster assigned) but would be able to configure basic public services (i.e. can protect target apps with no authentication contract assigned). This is what I found with the MAG:
Instalation issues:
1. During the install, I had pointed the NTP address to my local address and this appeared in the ntp.conf file. However, in iMgr it claimed to still be pool.ntp.org.
2. When I installed I didn't see any COS (0x68) partition. The docs indicate that there should be one but I thought with the Apache AG it just used the normal file system. Should there be a COS partition? If not, the docs need quite a bit of updating. (Also, the swap was 2GB when I only had 1.5GB available - according to the docs it should be 3GB).
3. Although I entered a password at install time, the root password still turned out to be "novell".
After the install the status of the AG was yellow (I see from the docs that unlike the LAG, that status should be green). In the details, the "Reverse Proxies" showed "Apache Service failed to respond within 10 seconds" and "Access Gateway log" was yellow - "The last part of the file error_log contains errors... Dns server is not reachable". From packet traces it appears the reason for that is that my MAG could not resolve the name NOVELL Worldwide. If I manually added a local HOSTS entry for NOVELL Worldwide then the error went away. 2 thoughts:
4. In test, demo or PoC environments, this could be a pain and lead to customer concern - my setup had a DNS server but it wasn't forwarding to the Internet hence the reason for the failed response but that does not mean that the DNS server is unreachable as indicated by the error message. That check should be removed (the LAG doesn't do this check).
5. If the MAG was checking the file "error_log" then that suggests that the file is important and so should be downloadable via iManager - General Logging, but it isn't. It turns out that the log in question is "/var/log/novell-apache2/error_log".
I created a reverse proxy, proxy service and protected resource as a first step to prove I could access a target app (no IS cluster assigned so it was a public resource) but the service did not start up. iMgr health shows that "there is a Pending config file. (1325341348872-config.xml). (Required Action) Check AGM log files for potential processing problems". Basically, it looks like the config doesn't apply unless you also configure the IS cluster entry at which point the config applies OK and the Apache service starts. Some thoughts:
6. If the IS cluster entry is mandated then the iMgr UI should force it rather than simply failing to apply with a generic error. Better yet, it shouldn't be mandated.
7. What are the "AGM log files"? I would expect to find them on the "General Logging" tab so that they can be downloaded but they aren't there. If they exist as unique files then they should be listed for download. If it just means the catalina log file (as I gather the AGM app is a Tomcat app) then the error message should be more meaningful.
8. Looking at the log files it appears that Catalina appears in /opt when log files should appear in /var. I'm not sure why we partition off /var if the log files aren't there.
9. The JCC log doesn't appear to be downloadable from iMgr. (and when it is, it is also served from /opt rather than /var but that has always been the case).
Cheers,
Martin