From: Tomas G. <to...@pr...> - 2012-07-14 07:49:34
Btw. There is usually no need for you to use the "Clear caches" button. The caches auto-refresh regularly. Only if you have configured the caches to never expire should you need to use that. And you only need to configure caches for that if you run an ultra-performant PKI (tm ;-)), say > 200 certs/second.

Cheers,
Tomas

On 07/14/2012 09:22 AM, Tomas Gustavsson wrote:
>
> Hi Bruno,
>
> You are correct in most of your analysis. EJBCA uses
> "InetAddress.getLocalHost" to get the local hostname. What this returns
> depends on what is in the host file of course.
>
> > - may this behavior be considered a bug? (using nodename rather than
> > binding IP name).
>
> No, it is deliberate. Hostname is much more flexible, and often more
> correct than IP address. EJBCA does not know which IP JBoss binds to,
> and it can change at any time. Most hosts have multiple IPs, and EJBCA
> can not know which are used for what. With a hostname the cluster nodes
> can have each other's hostnames in the local hosts file if needed. This
> can point to anywhere so it is configurable by the admins.
>
> You can simply add the correct IP addresses in the cluster nodes' local
> hosts files.
>
> One improvement that I could think of would be if you could override the
> detected hostname by a configuration option. Then you could use other
> hostnames than the real ones, pointing to other IP addresses?
>
> By the way, if JBoss is behind an apache proxy, it does not matter what
> IP JBoss binds to, since it will be apache that accepts the connection.
> So it is actually the IPs/hostnames that apache binds to that are relevant.
>
> > - can you confirm if I remove by hand the node in the nodelist, each
> > time I'll start EJBCA on a node, it will add the new member? (since
> > EJBCA will check if the hostname exists)
>
> Yes this is correct.
>
> > - more or less the same question when JBoss are not directly reachable
> > but only through an Apache (on a different nodename.. :)
>
> If "nodename" is not reachable from one cluster node to the other, even
> if you add the correct IP address in the local hosts file, you can not
> use the global "clear cache" button. Very simple :-) If you need to
> clear caches when the cluster nodes can not talk to each other, you need
> to clear the cache individually on all nodes.
>
> An error when clicking the button simply means that the cache was not
> cleared on that host, and you have to clear it manually. There is a CLI
> for clearing caches as well, so you can easily script it.
>
> Cheers,
> Tomas
>
> On 07/13/2012 04:19 PM, Bruno Bonfils wrote:
>> Hi folks,
>>
>> I'm wondering how EJBCA determines the "nodename" in a cluster
>> environment. As far as I understand/remember the code, EJBCA uses the
>> hostname of the server, which may be wrong.
>>
>> My environment is the following:
>> 2 JBoss, each one uses a dedicated IP address (given as -b when
>> starting jboss)
>> Each JBoss is protected by an Apache acting as reverse proxy
>>
>> When I start EJBCA, if I display the list of nodes I can see the list
>> of hostnames of servers where EJBCA is running. And when I click on
>> "Clear all caches" button, I had a "Connexion refused" exception.
>> Indeed, the code is:
>>
>> "String nodeip = InetAddress.getByName(nodename).getHostAddress();"
>>
>> But, since I use a dedicated IP for JBoss, EJBCA is not reachable on the
>> nodename's primary address.
>>
>> So my questions are:
>>
>> - may this behavior be considered a bug? (using nodename rather than
>> binding IP name).
>> - can you confirm if I remove by hand the node in the nodelist, each
>> time I'll start EJBCA on a node, it will add the new member? (since
>> EJBCA will check if the hostname exists)
>> - more or less the same question when JBoss are not directly reachable
>> but only through an Apache (on a different nodename.. :)
>>
>> Best regards
>>
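
Added example, not part of the original messages and not EJBCA code: a small Java check that runs the two lookups named in the thread (`InetAddress.getLocalHost` and `InetAddress.getByName(nodename).getHostAddress()`) and then tests whether the resolved address accepts a TCP connection, which is the condition behind the "connection refused" error described above. The class name, the default port 8080 and the timeout are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;

// Added example (not EJBCA code): shows how node names resolve on this host
// and whether the resolved address accepts TCP connections.
public class NodeReachabilityCheck {

    // Assumptions: port and timeout are illustrative, not taken from the thread.
    private static final int DEFAULT_PORT = 8080;
    private static final int TIMEOUT_MS = 2000;

    static String check(String nodename, int port) {
        final String nodeip;
        try {
            // Same lookup as the line quoted in the thread.
            nodeip = InetAddress.getByName(nodename).getHostAddress();
        } catch (UnknownHostException e) {
            return nodename + " -> does not resolve (check DNS or the local hosts file)";
        }
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(nodeip, port), TIMEOUT_MS);
            return nodename + " -> " + nodeip + ":" + port + " reachable";
        } catch (IOException e) {
            // "Connection refused" lands here when nothing listens on that address.
            return nodename + " -> " + nodeip + ":" + port + " NOT reachable: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Usage: java NodeReachabilityCheck [port] [nodename ...]
        int port = args.length > 0 ? Integer.parseInt(args[0]) : DEFAULT_PORT;
        // The call the reply names for detecting the local hostname.
        InetAddress local = InetAddress.getLocalHost();
        System.out.println("local host: " + local.getHostName() + " / " + local.getHostAddress());
        if (args.length < 2) {
            System.out.println(check(local.getHostName(), port));
        }
        for (int i = 1; i < args.length; i++) {
            System.out.println(check(args[i], port));
        }
    }
}
```

Run it on each cluster node with the other nodes' names as arguments; a name that resolves to an address the application server is not bound to shows up as "NOT reachable", and a local hosts file entry changes the result without any change to the application.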