If setting up Denodo from scratch, the first thing you want to do is set up Solution Manager.
Solution Manager
Get the Denodo Solution Manager installer, license file and certs files from Box (download folders as zip files). The installer folder has been updated to include the latest update as of 2022-08-15.
Copy the installer, license file, and certs files to the server where you want to install Solution Manager.
ssh into the server and do the following (all steps beyond this assume you are still in the root shell):
    sudo su
    unzip denodo-install-solutionmanager-8.0.zip
    unzip certs.zip
    cd denodo-install-solutionmanager-8.0
    chmod +x installer_cli.sh
    ./installer_cli.sh install
For install path specify
Use defaults for all remaining options
The installer can take 5-10 minutes to run; make sure your machine is kept awake to keep your session alive.
Once the installer is done, copy the license and cert files into the Denodo installation directory
    cp LICENSE_FILE_PATH /opt/denodo/conf/denodo.lic
    cp certs/* /opt/denodo/conf
Run the TLS configurator script
    cd /opt/denodo/bin
    sudo ./denodo_tls_configurator.sh \
        --keystore /opt/denodo/conf/denodo_server_key_store.jks \
        --cert-cer-file /opt/denodo/conf/denodo_server_public_key.cer \
        --truststore /opt/denodo/jre/lib/security/cacerts \
        --credentials-file /opt/denodo/conf/credentials.txt \
        --denodo-home /opt/denodo
Start the Solution Manager services. For a script, see sm_start.sh
    cd /opt/denodo/bin/
    ./licensemanager_startup.sh
    ./solutionmanager_startup.sh
    ./solutionmanagerwebtool_startup.sh
Confirm the Solution Manager works via a web browser
Virtual Data Port (VDP)
Get the Denodo VDP Manager installer, and vdp-conf.zip files from Box (download folders as zip files). The installer folder has been updated to include the latest update as of 2022-08-15. To update the installer for a new update see https://community.denodo.com/docs/html/browse/latest/en/platform/installation/unattended_installation_of_the_denodo_platform/unattended_installation_of_the_denodo_platform#modifying-the-denodo-platform-installer-to-include-the-latest-update
Copy the installer and certs file to the server where you want to install Solution Manager.
ssh into the server and do the following (all steps beyond this assume you are still in the root shell):
Unzip the zipped files
    sudo su
    unzip denodo-install-8.0.zip
    unzip vdp-conf.zip
Run the install script
    cd denodo-install-8.0
    chmod +x installer_cli.sh
    ./installer_cli.sh install
For install path use
For license manager host use denodo-solution-manager-prod-01.it.tufts.edu
The install can take 5-10 minutes to run
Once the installer is done, copy the certs files into the Denodo conf directory
\cp -r conf /opt/denodo
Configure TLS
Run the TLS Configurator Script
    cd /opt/denodo/bin
    ./denodo_tls_configurator.sh \
        --keystore /opt/denodo/conf/denodo_server_key_store.jks \
        --cert-cer-file /opt/denodo/conf/denodo_server_public_key.cer \
        --truststore /opt/denodo/jre/lib/security/cacerts \
        --credentials-file /opt/denodo/conf/credentials.txt \
        --denodo-home /opt/denodo
and ensure the following line is present and uncommented:
    com.denodo.license.security.ssl.enabled=true
so that com.denodo.vdb.vdbinterface.server.VDBManagerImpl.registryURL
is set to the hostname of the server.
Start the Virtual Data Port service (with Data Catalog). See start.sh
Confirm the VDP server is working using a local client or DBeaver.
Design Tool
Scheduler Web Admin
Data Catalog
Updating the Servers
Download the applicable update jar from Box or the Denodo support site.
Copy the jar to the target server.
Review the guidelines outlined here regarding updates: https://community.denodo.com/docs/html/browse/8.0/en/platform/installation/installing_updates_and_hotfixes/installing_updates_and_hotfixes#installing-an-update-or-hotfix-from-the-command-line
Stop server. See Starting and Stopping Servers
Run the update
    cd /opt/denodo
    ./jre/bin/java -jar <DENODO_UPDATE_JAR_PATH> $(pwd) -c
Restart the services using step 6 or 7 of the above sections
Starting and Stopping Servers
The Denodo servers/processes are now running as services under systemd. See this README for more information.
If a stop or restart is taking too long, you can do the following:
pgrep -u denod | xargs kill -9
Linux Services (WIP)
SSL Certificates 🔒
Leveraging the work of Ned Harvey and team, we have a CA-signed certificate generated by LetsEncrypt automatically delivered to our Denodo servers every 90 days.
Certbot will start attempting to generate and deploy new certificates approximately 1 month prior to the expiration of existing certificates. Generation and deployment attempts are set to take place on Tuesday, Wednesday and Thursday at 6:40 am. With generation and deployment centrally managed in one workflow, there’s little control over the date and time, but there is an option to have the deployment script executed separately, which would allow control over the specific day and time for that part of the process.
The certificate files will be deployed by certbot across all Denodo servers, storing them at /home/certbot/certdir. A cron job (managed by Ned’s team via puppet) runs every Tuesday, Wednesday and Thursday at 5AM and runs /home/denod/denodo/scripts/certbot_install_cert.sh. Certificate deployment will only occur when the certificates are detected in the certbot directory.
All scripts can be found here.
Zero Downtime in Production (WIP)
Leveraging the load balancer in front of our production cluster (WIP), we can take each server out of rotation, let it drain out, update the certificate, then return it into the rotation to prevent any downtime.
While most other apps will see the updated certificates immediately, for browsers (like Chrome) you may need to clear your cache or restart the browser for the new certificate to appear.
Load Balancer
The load balancer can be found here: https://tssdc-lb-float-vip.net.tufts.edu/
You need to create a ticket requesting access if you want read or write access.
This page outlines how to create a health check monitor that can be used to remove inactive nodes from a pool: https://community.denodo.com/kb/en/view/document/Configuring%20a%20Denodo%20Cluster%20with%20BigIP%20F5
We can use iRules to direct the traffic to specific nodes based on URL.
SSH Via Public Key
In order to automate ssh and scp commands to Denodo servers, you need to set up public key authentication for a user (such as denod) on each server.
To do this, do the following:
Generate an SSH key (ssh-keygen -t ed25519) on the client machine.
Copy the public key
on the remote machine for the target user.
As root/sudo, update
to include an exception for the target user to prevent Duo authentication:
    Match User *,!TARGET_USER,!certbot,!etsdeploy,!git,!puppetci,!cucmbackup,!zuviz,!etsint,!infoscan,!geneiouslm,!hpcdeploy
        ForceCommand /usr/sbin/login_duo
Reload the sshd_config
sudo systemctl reload sshd
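Each negated name in that Match User line is an account that logs in without Duo, so the list is worth auditing whenever the file changes. The following is an added example, not one of the scripts referenced on this page: it extracts the exempt accounts from sshd_config text and reports any that are not on an approved list. The approved list and the sample config are constructed assumptions, and only blocks of the form "Match User <list>" are handled.

```bash
#!/usr/bin/env bash
# Added example: audit which accounts bypass the Duo ForceCommand.

# Print every user negated (!user) in a "Match User" block whose
# ForceCommand is login_duo. Reads sshd_config text on stdin.
duo_exempt_users() {
  awk '
    tolower($1) == "match" {
      # A new Match block starts; remember its user pattern list, if any.
      users = ""
      if (tolower($2) == "user") users = $3
      next
    }
    tolower($1) == "forcecommand" && $2 ~ /login_duo$/ && users != "" {
      n = split(users, u, ",")
      for (i = 1; i <= n; i++)
        if (substr(u[i], 1, 1) == "!") print substr(u[i], 2)
      users = ""
    }
  ' | sort -u
}

# Print exempt users that are NOT on the approved list (the arguments).
duo_unapproved() {
  _approved=" $* "
  duo_exempt_users | while read -r user; do
    case "$_approved" in
      *" $user "*) ;;          # expected exemption
      *) echo "$user" ;;       # exemption nobody signed off on
    esac
  done
}

# Constructed sample input modelled on the Match block above.
SAMPLE_CONFIG='# constructed sample, not a real sshd_config
PasswordAuthentication no
Match User *,!denod,!certbot,!git
    ForceCommand /usr/sbin/login_duo
Match Group sftponly
    ForceCommand internal-sftp
'

# Hypothetical approved list: certbot and git are expected, denod is not yet.
printf '%s' "$SAMPLE_CONFIG" | duo_unapproved certbot git
```

On a server, feed the real file to the function as root (for example via `duo_unapproved certbot git < /etc/ssh/sshd_config`, assuming the default path). Running `sshd -t` before the reload catches syntax errors in the edited file.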
Tailscale is a service that helps with service connectivity and encryption.
In the event that Tailscale is causing connectivity issues, do the following, which will stop and disable Tailscale:
    sudo systemctl stop tailscaled
    sudo systemctl disable tailscaled
Once Tailscale is confirmed working, do the following to re-enable it and start it back up
    sudo systemctl enable tailscaled
    sudo systemctl start tailscaled
    sudo tailscale up
    sudo tailscale status
Updating SSO Configuration
Update SSO configuration in Solution Manager Web Tool
If Solution Manager needs to be accessed from an LB endpoint, set sso.url to reflect the LB URL, and sso.jwt.jwk.sourceUrl to reflect the internal URL pointing to a specific server. This file needs to be updated on all Denodo servers, and requires a server restart after being updated.
If using an LB URL, update
to include the property com.denodo.vdb.security.DndTokenAuthenticator.jwkSourceUrl; this will be the same as the sso.jwt.jwk.sourceUrl property above.
Config file examples can be found here.