This document describes the monitoring techniques of components supported by an on-premise deployment of Apigee Edge for Private Cloud.
Overview
Edge supports several ways for getting details about services as well as checking their statuses. The following table lists the types of checks you can perform on each eligible service:
Mgmt API | |||||||
Component | Memory Usage [JMX*] | Service Check | User/Org/ Deployment Status | axstatus | Database check | apigee-service Status |
apigee-monit ** |
Management Server | |||||||
Message Processor | |||||||
Router | |||||||
Qpid | |||||||
Postgres | |||||||
More Info | More Info | More Info | More Info | More Info | More Info | More Info | |
* Before you can use JMX, you must enable it, as described in Enable JMX. ** The |
Monitoring ports and configuration files
Each component supports Java Management Extensions (JMX) and Management API monitoring calls on different ports. The following table lists the JMX and Management API ports for each type of server, and configuration file locations:
Component | JMX Port | Management API Port | Configuration file location |
---|---|---|---|
Management Server | 1099 | 8080 | $APIGEE_ROOT/customer/application/management-server.properties |
Message Processor | 1101 | 8082 | $APIGEE_ROOT/customer/application/message-processor.properties |
Router | 1100 | 8081 | $APIGEE_ROOT/customer/application/router.properties |
Qpid | 1102 | 8083 | $APIGEE_ROOT/customer/application/qpid-server.properties |
Postgres | 1103 | 8084 | $APIGEE_ROOT/customer/application/postgres-server.properties |
Use JMX to monitor components
The following sections explain how to use JMX to monitor Edge components.
Enable JMX
To enable JMX without authentication or SSL based communication, perform the steps below. Note: In production systems, both encrypted authentication and SSL should be enabled for security.
- Edit the appropriate configuration file (see
Configuration file reference). Create the configuration file if it doesn’t exist.
conf_system_jmxremote_enable=true
- Save the configuration file and make sure it is owned by
apigee:apigee
. - Restart appropriate Edge component
apigee-service edge-management-server restart
To disable JMX, either remove the property conf_system_jmxremote_enable
or change
its value to false
. Then restart the appropriate Edge component.
Authentication in JMX
Edge for Private Cloud supports password based authentication using details stored in files. You can store passwords as a Hash for added security.
- To enable JMX authentication in an edge-* component, edit the appropriate configuration file
(see
Configuration file reference). Create the configuration file if it doesn’t exist:
Save the configuration file and make sure it is owned byconf_system_jmxremote_enable=true conf_system_jmxremote_authenticate=true conf_system_jmxremote_encrypted_auth=true conf_system_jmxremote_access_file=/opt/apigee/customer/application/management-server/jmxremote.access conf_system_jmxremote_password_file=/opt/apigee/customer/application/management-server/jmxremote.password
apigee:apigee
. - Create a SHA256 hash of the password:
echo -n '
' | openssl dgst -sha256 - Create a
jmxremote.password
file with JMX user credentials:- Copy the following files from your
$JAVA_HOME
directory to the directory/opt/apigee/customer/application/<component>/
:cp ${JAVA_HOME}/lib/management/jmxremote.password.template $APIGEE_ROOT/customer/application/management-server/jmxremote.password
- Edit the file and add your JMX username and password using the following syntax:
USERNAME <HASH-PASSWORD>
- Make sure the file is owned by
apigee
and that the file mode is 400:chown apigee:apigee $APIGEE_ROOT/customer/application/management-server/jmxremote.password chmod 400 $APIGEE_ROOT/customer/application/management-server/jmxremote.password
- Copy the following files from your
- Create a
jmxremote.access
file with JMX user permissions:- Copy the following files from your $JAVA_HOME directory to
the directory
/opt/apigee/customer/application/<component>/
cp ${JAVA_HOME}/lib/management/jmxremote.access$APIGEE_ROOT/customer/application/management-server/jmxremote.password/jmxremote.access
- Edit the file and add your JMX username followed by a permission (READONLY/READWRITE)
USERNAME READONLY
- Make sure the file is owned by
apigee
and that the file mode is 400:chown apigee:apigee $APIGEE_ROOT/customer/application/management-server/jmxremote.password chmod 400 $APIGEE_ROOT/customer/application/management-server/jmxremote.access
- Copy the following files from your $JAVA_HOME directory to
the directory
- Restart the appropriate Edge component:
apigee-service edge-management-server restart
To disable JMX authentication, either remove the property
conf_system_jmxremote_authenticate
or change the value to false
and
restart appropriate Edge component.
SSL in JMX
To enable SSL based JMX in an edge-* component:
- Edit the appropriate configuration file
(see
Configuration file reference). Create the configuration file if it doesn’t exist:
Save the configuration file and make sure it is owned byconf_system_jmxremote_enable=true conf_system_jmxremote_ssl=true conf_system_javax_net_ssl_keystore=/opt/apigee/customer/application/management-server/jmxremote.keystore conf_system_javax_net_ssl_keystorepassword=<keystore-password>
apigee:apigee
. - Prepare a keystore containing the server key and place it at the path provided in the
configuration
conf_system_javax_net_ssl_keystore
above. Ensure the keystore file is readable byapigee:apigee
. - Restart the appropriate Edge component:
apigee-service edge-management-server restart
To disable SSL-based JMX, either remove the property conf_system_jmxremote_ssl
or change the value to false
. Restart the appropriate Edge component.
Monitoring via Jconsole
Monitoring instructions via jconsole remain the same as described in https://docs.apigee.com/private-cloud/v4.52.01/how-monitor#jconsole.
One line can be added that “jconsole will need to be started with truststore and truststore password if SSL is enabled for JMX.” Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/management/jconsole.htmlMonitor with JConsole
Use JConsole (a JMX compliant tool) to manage and monitor health check and process statistics. With JConsole, you can consume JMX statistics exposed by your servers and display them in a graphical interface. For more information, see Using JConsole.
You need to start JConsole with truststore and truststore password if SSL is enabled for JMX. See Using JConsole.
JConsole uses the following service URL to monitor the JMX attributes (MBeans) offered via JMX:
service:jmx:rmi:///jndi/rmi://IP_address:port_number/jmxrmi
Where:
- IP_address is the IP address of the server you want to monitor.
- port_number is the JMX port number of the server you want to monitor.
For example, to monitor the Management Server, issue a command like the following (assuming the server's IP address is 216.3.128.12):
service:jmx:rmi:///jndi/rmi://216.3.128.12:1099/jmxrmi
Note that this example specifies port 1099, which is the Management Server JMX port. For other ports, see JMX and Management API monitoring ports.
The following table shows the generic JMX statistics:
JMX MBeans | JMX Attributes |
---|---|
Memory |
HeapMemoryUsage |
NonHeapMemoryUsage |
|
Usage |
|
Configuration file reference
The following sections describe changes you might need to make to Edge component configuration files for JMX related configurations. See Monitoring ports and configuration files for more information.
JMX configuration to be added to the appropriate component’s configuration file
- Enable JMX agent on the edge-component. False by default.
conf_system_jmxremote_enable=true
Configurations for password based authentication
- Enable password based authentication. False by default.
conf_system_jmxremote_authenticate=true
- Path to access file. Should be owned and readable by Apigee user only.
conf_system_jmxremote_access_file=/opt/apigee/customer/application/management-server/jmxremote.access
- Path to password file. Should be owned and readable by Apigee user only.
conf_system_jmxremote_password_file=/opt/apigee/customer/application/management-server/jmxremote.password
- Enable storing password in encrypted format. False by default.
conf_system_jmxremote_encrypted_auth=true
Configurations for SSL based JMX
- Enable SSL for JMX communication. False by default.
conf_system_jmxremote_ssl=true
- Path to keystore. Should be owned and readable by Apigee user only.
conf_system_javax_net_ssl_keystore=/opt/apigee/customer/application/management-server/jmxremote.keystore
- Keystore password:
conf_system_javax_net_ssl_keystorepassword=changeme
Optional JMX configurations
Values listed are default values and can be changed.
- JMX Port. Default values are listed in the table below.
conf_system_jmxremote_port=
- JMX RMI Port. By default, Java process will pick a random port.
conf_system_jmxremote_rmi_port=
- The host name for remote stubs. Default IP address of localhost.
conf_system_java_rmi_server_hostname=
- Protect JMX registry with SSL. Default false. Only applicable if SSL is enabled.
conf_system_jmxremote_registry_ssl=false
Monitor with the Management API
Edge includes several APIs that you can use to perform service checks on your servers as well as check your users, organizations, and deployments. This section describes these APIs.
Perform service checks
The Management API provides several endpoints for monitoring and diagnosing issues with your services. These endpoints include:
Endpoint | Description |
---|---|
/servers/self/up |
Checks to see if a service is running. This API call does not require you to authenticate. If the service is running, this endpoint returns the following response: <ServerField> <Up>true</Up> </ServerField> If the service is not running, you will get a response similar to the following (depending on which service it is and how you checked it): curl: Failed connect to localhost:port_number; Connection refused |
/servers/self |
Returns information about the service, including:
This API call requires you to authenticate with your Apigee admin credentials. |
To use these endpoints, invoke a utility such as curl
with commands that use the
following syntax:
curl http://host:port_number/v1/servers/self/up -H "Accept: [application/json|application/xml]"
curl http://host:port_number/v1/servers/self -u username:password -H "Accept: [application/json|application/xml]"
Where:
- host is the IP address of the server you want to check. If you are logged into the server, you can use "localhost"; otherwise, specify the IP address of the server as well as the username and password.
- port_number is the Management API port for the server you want to check. This is a different port for each type of component. For example, the Management Server's Management API port is 8080. For a list of Management API port numbers to use, see JMX and Management API monitoring ports
To change the format of the response, you can specify the Accept
header as
"application/json" or "application/xml".
The following example gets the status of the Router on localhost (port 8081):
curl http://localhost:8081/v1/servers/self/up -H "Accept: application/xml"
The following example gets information about the Message Processor at 216.3.128.12 (port 8082):
curl http://216.3.128.12:8082/v1/servers/self -u sysAdminEmail:password -H "Accept: application/xml"
Monitor user, organization, and deployment status
You can use the Management API to monitor user, organization, and deployment status of your proxies on Management Servers and Message Processors by issuing the following commands:
curl http://host:port_number/v1/users -u sysAdminEmail:passwordcurl http://host:port_number/v1/organizations -u sysAdminEmail:password
curl http://host:port_number/v1/organizations/orgname/deployments -u sysAdminEmail:password
Where port_number is either 8080 for the Management Server or 8082 for the Message Processor.
This call requires you to authenticate with your system administration username and password.
The server should return a "deployed" status for all calls. If these fail, do the following:
- Check the server logs for any errors. The logs are located at:
- Management Server:
opt/apigee/var/log/edge-management-server
- Message Processor:
opt/apigee/var/log/edge-message-processor
- Management Server:
- Make a call against the server to check whether it is functioning properly.
- Remove the server from the ELB and then restart it:
/opt/apigee/apigee-service/bin/apigee-service service_name restart
Where service_name is:
edge-management-server
edge-message-processor
Check status with the apigee-service
command
You can troubleshoot your Edge services by using the apigee-service
command when you are
logged into the server running the service.
To check the status of a service with apigee-service
:
- Log in to the server and run the following command:
/opt/apigee/apigee-service/bin/apigee-service service_name status
Where service_name is one of the following:
- Management Server:
edge-management-server
- Message Processor:
edge-message-processor
- Postgres:
edge-postgres-server
- Qpid:
edge-qpid-server
- Router:
edge-router
For example:
/opt/apigee/apigee-service/bin/apigee-service edge-message-processor status
- Management Server:
- If the service is not running, start the service:
/opt/apigee/apigee-service/bin/apigee-service service_name start
- After restarting the service, check that it is functioning, either by using the
apigee-service status
command you used previously or by using the Management API described in Monitor with the Management API.For example:
curl -v http://localhost:port_number/v1/servers/self/up
Where port_number is the Management API port for the service.
This example assumes you are logged into the server and can use "localhost" as the hostname. To check the status remotely with the Management API, you must specify the IP address of the server and include the system administrator username and password in your API call.
Postgres monitoring
Postgres supports several utilities that you can use to check its status. These utilities are described in the sections that follow.
Check organizations and environments on Postgres
You can check for organization and environment names that are onboarded on the Postgres Server
by issuing the following curl
command:
curl -v http://postgres_IP:8084/v1/servers/self/organizations
The system should display the organization and environment name.
Verify analytics status
You can verify the status of the Postgres and Qpid analytics servers by issuing the following
curl
command:
curl -u userEmail:password http://host:port_number/v1/organizations/orgname/environments/envname/provisioning/axstatus
The system should display a success status for all analytics servers, as the following example shows:
{ "environments" : [ { "components" : [ { "message" : "success at Thu Feb 28 10:27:38 CET 2013", "name" : "pg", "status" : "SUCCESS", "uuid" : "[c678d16c-7990-4a5a-ae19-a99f925fcb93]" }, { "message" : "success at Thu Feb 28 10:29:03 CET 2013", "name" : "qs", "status" : "SUCCESS", "uuid" : "[ee9f0db7-a9d3-4d21-96c5-1a15b0bf0adf]" } ], "message" : "", "name" : "prod" } ], "organization" : "acme", "status" : "SUCCESS" }
PostgreSQL database
This section describes techniques that you can use specifically for monitoring the Postgres database.
Use the check_postgres.pl
script
To monitor the PostgreSQL database, you can use a standard monitoring script,
check_postgres.pl
. For more information, see
http://bucardo.org/wiki/Check_postgres.
Before you run the script:
- You must install the check_postgres.pl script on each Postgres node.
- Ensure that you have installed
perl-Time-HiRes.x86_64
, a Perl module that implements high resolution alarm, sleep, gettimeofday, and interval timers. For example, you can install it by using the following command:
yum install perl-Time-HiRes.x86_64
- CentOS 7: Before using check_postgres.pl on CentOS v7, install the
perl-Data-Dumper.x86_64
RPM.
check_postgres.pl output
The default output of the API calls using check_postgres.pl
is Nagios
compatible. After you install the script, do the following checks:
- Check the database size:
check_postgres.pl -H 10.176.218.202 -db apigee -u apigee -dbpass postgres -include=apigee -action database_size --warning='800 GB' --critical='900 GB'
- Check the number of incoming connections to the database and compares with maximum allowed
connections:
check_postgres.pl -H 10.176.218.202 -db apigee -u apigee -dbpass postgres -action backends
- Check if database is running and available:
check_postgres.pl -H 10.176.218.202 -db apigee -u apigee -dbpass postgres -action connection
- Check the disk space:
check_postgres.pl -H 10.176.218.202 -db apigee -u apigee -dbpass postgres -action disk_space --warning='80%' --critical='90%'
- Check the number of organization and environment onboarded in a Postgres node:
check_postgres.pl -H 10.176.218.202 -db apigee -u apigee -dbpass postgres -action=custom_query --query="select count(*) as result from pg_tables where schemaname='analytics' and tablename like '%fact'" --warning='80' --critical='90' --valtype=integer
Run database checks
You can verify that the proper tables are created in PostgreSQL database. Log in to PostgreSQL database using the following command:
psql -h /opt/apigee/var/run/apigee-postgresql/ -U apigee -d apigee
Then run:
\d analytics."org.env.fact"
Check health status of postgres process
You can perform API checks on the Postgres machine by invoking the following curl
command:
curl -v http://postgres_IP:8084/v1/servers/self/health
This command returns the ACTIVE
status when postgres process is active. If the
Postgres process is not up and running, it returns the INACTIVE
status.
Postgres resources
For additional information about monitoring the Postgres service, see the following:
- http://www.postgresql.org/docs/9.0/static/monitoring.html
- http://www.postgresql.org/docs/9.0/static/diskusage.html
- http://bucardo.org/check_postgres/check_postgres.pl.html
Apache Cassandra
JMX is enabled by default for Cassandra and remote JMX access to Cassandra does not require a password.
Enable JMX authentication for Cassandra
You can enable JMX authentication for Cassandra. After doing so, you will then be required to pass a username and password to all calls to the nodetool utility.
To enable JMX authentication for Cassandra:
- Create and edit the
cassandra.properties
file:- Edit the
/opt/apigee/customer/application/cassandra.properties
file. If the file does not exist, create it. - Add the following to the file:
conf_cassandra_env_com.sun.management.jmxremote.authenticate=true conf_cassandra_env_com.sun.management.jmxremote.password.file=${APIGEE_ROOT}/customer/application/apigee-cassandra/jmxremote.password conf_cassandra_env_com.sun.management.jmxremote.access.file=${APIGEE_ROOT}/customer/application/apigee-cassandra/jmxremote.access
- Save the
cassandra.properties
file. - Change the owner of the file to
apigee:apigee
, as the following example shows:chown apigee:apigee /opt/apigee/customer/application/cassandra.properties
For more information on using properties files to set tokens, see How to configure Edge.
- Edit the
- Create and edit
jmx_auth.sh
:- Create a file at the following location if it does not exist:
/opt/apigee/customer/application/jmx_auth.sh
- Add the following properties to the file:
export CASS_JMX_USERNAME=JMX_USERNAME export CASS_JMX_PASSWORD=JMX_PASSWORD
- Save the
jmx_auth.sh
file. - Source the file:
source /opt/apigee/customer/application/jmx_auth.sh
- Create a file at the following location if it does not exist:
- Copy and edit the
jmxremote.password
file:- Copy the following file from your
$JAVA_HOME
directory to/opt/apigee/customer/application/apigee-cassandra/
:cp ${JAVA_HOME}/lib/management/jmxremote.password.template $APIGEE_ROOT/customer/application/apigee-cassandra/jmxremote.password
- Edit the
jmxremote.password
file and add your JMX username and password using the following syntax:JMX_USERNAME JMX_PASSWORD
Where JMX_USERNAME and JMX_PASSWORD are the JMX username and password you set previously.
- Make sure the file is owned by "apigee" and that the file mode is 400:
chown apigee:apigee /opt/apigee/customer/application/apigee-cassandra/jmxremote.password
chmod 400 /opt/apigee/customer/application/apigee-cassandra/jmxremote.password
- Copy the following file from your
- Copy and edit the
jmxremote.access
file:- Copy the following file from your
$JAVA_HOME
directory to/opt/apigee/customer/application/apigee-cassandra/
:cp ${JAVA_HOME}/lib/management/jmxremote.access
$APIGEE_ROOT/customer/application/apigee-cassandra/jmxremote.access
- Edit the
jmxremote.access
file and add the following role:JMX_USERNAME readwrite
- Make sure the file is owned by "apigee" and that the file mode is 400:
chown apigee:apigee /opt/apigee/customer/application/apigee-cassandra/jmxremote.access
chmod 400 /opt/apigee/customer/application/apigee-cassandra/jmxremote.access
- Copy the following file from your
- Run
configure
on Cassandra:/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra configure
- Restart Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra restart
- Repeat this process on all other Cassandra nodes.
Enable JMX password encryption
To enable JMX password encryption, do the following steps:
- Open the file
source/conf/casssandra-env.sh
. - Create and edit the
cassandra.properties
file:- Edit the
/opt/apigee/customer/application/cassandra.properties
file. If the file does not exist, create it. - Add the following to the file:
conf_cassandra_env_com.sun.management.jmxremote.encrypted.authenticate=true
- Save the cassandra.properties file.
- Change the owner of the file to apigee:apigee, as the following example shows:
chown apigee:apigee /opt/apigee/customer/application/cassandra.properties
- Edit the
- On the command line, generate SHA1 hash(es) of the desired password(s) by entering
echo -n 'Secret' | openssl dgst -sha1
- Set the password(s) against the username in
$APIGEE_ROOT/customer/application/apigee-cassandra/jmxremote.password
(created in in the previous section). - Run configure on Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra configure
- Restart Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra restart
- Repeat this process on all other Cassandra nodes.
Enable JMX with SSL for Cassandra
Enabling JMX with SSL provides additional security and encryption for JMX-based communication with Cassandra. To enable JMX with SSL, you need to provide a key and a certificate to Cassandra to accept SSL-based JMX connections. You also need to configure nodetool (and any other tools that communicate with Cassandra over JMX) for SSL.
SSL-enabled JMX supports both plaintext and encrypted JMX passwords.
To enable JMX with SSL for Cassandra, use the following procedure:
- Enable JMX. Enable password encryption if required.
- Enable JMX authentication for Cassandra.
as described above. Ensure nodetool is working with the configured
username and password.
/opt/apigee/apigee-cassandra/bin/nodetool -u <JMX_USER> -pw <JMX_PASS> ring
Prepare keystore and truststore.
Keystore should contain a key and certificate, and is used to configure the Cassandra server. If keystore contains multiple key pairs, Cassandra uses the first key pair to enable SSL.
Note that the passwords for keystore and the key should be the same (the default when you generate the key using keytool).
- Truststore should contain the certificate only and is used by clients (apigee-service based commands or nodetool) to connect over JMX.
After verifying the above requirements:
- Place the keystore file in
/opt/apigee/customer/application/apigee-cassandra/
. - Ensure the keystore file is readable by Apigee user only by entering
chown apigee:apigee /opt/apigee/customer/application/apigee-cassandra/keystore.node1
chmod 400 /opt/apigee/customer/application/apigee-cassandra/keystore.node1
- Configure Cassandra for JMX with SSL by doing the following steps:
- Stop the Cassandra node by entering
apigee-service apigee-cassandra stop
- Enable SSL in Cassandra by
opening the file
/opt/apigee/customer/application/cassandra.properties
and adding the following lines:conf_cassandra_env_com.sun.management.jmxremote.ssl=true conf_cassandra_env_javax.net.ssl.keyStore=/opt/apigee/customer/application/apigee-cassandra/keystore.node1 conf_cassandra_env_javax.net.ssl.keyStorePassword=keystore-password ## On FIPS enabled systems, when you are using non standard keystore, set the following: ## These can be skipped otherwise ## Possible values are JKS, PKCS12, BCFKS conf_cassandra_env_javax.net.ssl.keyStoreType=PKCS12 conf_cassandra_env_javax.net.ssl.keyStoreAlias=cassjmx-tls-alias
- Change the owner of the file to apigee:apigee, as the following example shows:
chown apigee:apigee /opt/apigee/customer/application/cassandra.properties
- Run configure on Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra configure
- Restart Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra restart
- Repeat this process on all other Cassandra nodes.
- Start the Cassandra node by entering
apigee-service apigee-cassandra start
- Stop the Cassandra node by entering
- Configure the
apigee-service
Cassandra commands. You need to set certain environment variables while runningapigee-service
commands, including the ones below:apigee-service apigee-cassandra stop apigee-service apigee-cassandra wait_for_ready apigee-service apigee-cassandra ring apigee-service apigee-cassandra backup
There are several options for configuring
apigee-service
for JMX authentication and SSL. Choose an option based on usability and your security practices.- Option 1 (SSL arguments stored in file)
- Option 2 (SSL arguments stored in environment variables)
- Option 3 (SSL arguments passed directly to
apigee-service
)
Option 1 (SSL arguments stored in file)
Set the following environment variables:
export CASS_JMX_USERNAME=ADMIN # Provide encrypted password here if you have setup JMX password encryption export CASS_JMX_PASSWORD=PASSWORD export CASS_JMX_SSL=Y
Create a file in Apigee user’s home directory (
/opt/apigee
).$HOME/.cassandra/nodetool-ssl.properties
Edit the file and add the following lines:
-Djavax.net.ssl.trustStore=<path-to-truststore.node1> -Djavax.net.ssl.trustStorePassword=<truststore-password> -Dcom.sun.management.jmxremote.registry.ssl=true ## If you are using a non standard truststore, set below, otherwise skip ## Possible values are JKS, PKCS12, BCFKS -Djavax.net.ssl.trustStoreType=PKCS12
Make sure the trustore file is readable by Apigee user.
Run the following
apigee-service
command. If it runs without error, your configurations are correct.apigee-service apigee-cassandra ring
Option 2 (SSL arguments stored in environment variables)
Set the following environment variables:
export CASS_JMX_USERNAME=ADMIN # Provide encrypted password here if you have setup JMX password encryption export CASS_JMX_PASSWORD=PASSWORD export CASS_JMX_SSL=Y # Ensure the truststore file is accessible by Apigee user. export CASS_JMX_TRUSTSTORE=<path-to-trustore.node1> export CASS_JMX_TRUSTSTORE_PASSWORD=<truststore-password> # If you are using a non standard truststore type, export truststore type as well # Possible values are JKS, PKCS12, BCFKS export CASS_JMX_TRUSTSTORE_TYPE=PKCS12
Run the following
apigee-service
command. If it runs without error, your configurations are correct.apigee-service apigee-cassandra ring
Option 3 (SSL arguments passed directly to
apigee-service
)Run any
apigee-service
command like the one below. You don't need to configure any environment variables.CASS_JMX_USERNAME=ADMIN CASS_JMX_PASSWORD=PASSWORD CASS_JMX_SSL=Y CASS_JMX_TRUSTSTORE=<path-to-trustore.node1> CASS_JMX_TRUSTSTORE_PASSWORD=<trustore-password> CASS_JMX_TRUSTSTORE_TYPE=PKCS12 /opt/apigee/apigee-service/bin/apigee-service apigee-cassandra ring
Set up nodetool. Nodetool requires JMX parameters to be passed to it. There are two ways you can configure nodetool to run with SSL-enabled JMX, as described in the configuration options below:
The options differ in the way SSL related configurations are passed to nodetool. In both cases, the user running nodetool should have READ permissions on the truststore file. Choose an appropriate option based on usability and your security practices.
To learn more about nodetool parameters, see the DataStax documentation.
Configuration Option 1
Create a file in the home directory of the user running nodetool.
$HOME/.cassandra/nodetool-ssl.properties
Add the following lines to the file:
-Djavax.net.ssl.trustStore=<path-to-truststore.node1> -Djavax.net.ssl.trustStorePassword=<truststore-password> -Dcom.sun.management.jmxremote.registry.ssl=true ## If you are using a non standard truststore, set below, otherwise skip ## Possible values are JKS, PKCS12, BCFKS -Djavax.net.ssl.trustStoreType=PKCS12
The truststore path specified above should be accessible by any user running nodetool.
Run
nodetool
with the--ssl
option./opt/apigee/apigee-cassandra/bin/nodetool --ssl -u <jmx-user-name> -pw <jmx-user-password> -h localhost ring
Configuration option 2
Run
nodetool
as a single command with the extra parameters listed below./opt/apigee/apigee-cassandra/bin/nodetool -Djavax.net.ssl.trustStore=<path-to-truststore.node1> -Djavax.net.ssl.trustStorePassword=<truststore-password> -Dcom.sun.management.jmxremote.registry.ssl=true -Djavax.net.ssl.trustStoreType=PKCS12 -Dssl.enable=true -u <jmx-user-name> -pw <jmx-user-password> -h localhost ring
Revert SSL configurations
If you need to revert the SSL configurations described in the procedure above, do the following steps:
- Stop
apigee-cassandra
by enteringapigee-service apigee-cassandra stop
- Remove the line
conf_cassandra-env_com.sun.management.jmxremote.ssl=true
from the file/opt/apigee/customer/application/cassandra.properties
. - Comment out the following lines in
/opt/apigee/apigee-cassandra/source/conf/cassandra-env.sh
# JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/opt/apigee/data/apigee-cassandra/keystore.node0" # JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=keypass" # JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true”
- Start
apigee-cassandra
by entering - Remove the environment variable
CASS_JMX_SSL
if it was set.unset CASS_JMX_SSL
- Check that
apigee-service
based commands likering
,stop
,backup
, and so on, are working. - Stop using the
--ssl
switch with nodetool
apigee-service apigee-cassandra start
Disable JMX authentication for Cassandra
To disable JMX authentication for Cassandra:
- Edit
/opt/apigee/customer/application/cassandra.properties
. - Remove the following line in the file:
conf_cassandra-env_com.sun.management.jmxremote.authenticate=true
- Run configure on Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra configure
- Restart Cassandra:
/opt/apigee/apigee-service/bin/apigee-service apigee-cassandra restart
- Repeat this process on all other Cassandra nodes.
Use JConsole: Monitor task statistics
Use JConsole and the following service URL to monitor the JMX attributes (MBeans) offered via JMX:
service:jmx:rmi:///jndi/rmi://IP_address:7199/jmxrmi
Where IP_address is the IP of the Cassandra server.
Cassandra JMX statistics
JMX MBeans | JMX Attributes |
---|---|
ColumnFamilies/apprepo/environments ColumnFamilies/apprepo/organizations ColumnFamilies/apprepo/apiproxy_revisions ColumnFamilies/apprepo/apiproxies ColumnFamilies/audit/audits ColumnFamilies/audit/audits_ref |
PendingTasks |
MemtableColumnsCount |
|
MemtableDataSize |
|
ReadCount |
|
RecentReadLatencyMicros |
|
TotalReadLatencyMicros |
|
WriteCount |
|
RecentWriteLatencyMicros |
|
TotalWriteLatencyMicros |
|
TotalDiskSpaceUsed |
|
LiveDiskSpaceUsed |
|
LiveSSTableCount |
|
BloomFilterFalsePositives |
|
RecentBloomFilterFalseRatio |
|
BloomFilterFalseRatio |
Use nodetool to manage cluster nodes
The nodetool utility is a command line interface for Cassandra that manages
cluster nodes. The utility can be found at /opt/apigee/apigee-cassandra/bin
.
The following calls can be made on all Cassandra cluster nodes:
- General ring info (also possible for single Cassandra node): Look for the
"Up" and "Normal" for all nodes.
nodetool [-u username -pw password] -h localhost ring
You only need to pass your username and password if you enabled JMX authentication for Cassandra.
The output of the above command looks as shown below:
Datacenter: dc-1 ========== Address Rack Status State Load Owns Token 192.168.124.201 ra1 Up Normal 1.67 MB 33,33% 0 192.168.124.202 ra1 Up Normal 1.68 MB 33,33% 5671...5242 192.168.124.203 ra1 Up Normal 1.67 MB 33,33% 1134...0484
- General info about nodes (call per node)
nodetool [-u username -pw password] -h localhost info
The output of the above command looks like the following:
ID : e2e42793-4242-4e82-bcf0-oicu812 Gossip active : true Thrift active : true Native Transport active: true Load : 273.71 KB Generation No : 1234567890 Uptime (seconds) : 687194 Heap Memory (MB) : 314.62 / 3680.00 Off Heap Memory (MB) : 0.14 Data Center : dc-1 Rack : ra-1 Exceptions : 0 Key Cache : entries 150, size 13.52 KB, capacity 100 MB, 1520781 hits, 1520923 requests, 1.000 recent hit rate, 14400 save period in seconds Row Cache : entries 0, size 0 bytes, capacity 0 bytes, 0 hits, 0 requests, NaN recent hit rate, 0 save period in seconds Counter Cache : entries 0, size 0 bytes, capacity 50 MB, 0 hits, 0 requests, NaN recent hit rate, 7200 save period in seconds Token : 0
- Status of the thrift server (serving client API)
nodetool [-u username -pw password] -h localhost statusthrift
The output of the above command looks like the following:
running
- Status of data streaming operations: Observe traffic for cassandra nodes:
nodetool [-u username -pw password] -h localhost netstats
The output of the above command looks like the following:
Mode: NORMAL Not sending any streams. Read Repair Statistics: Attempted: 151612 Mismatch (Blocking): 0 Mismatch (Background): 0 Pool Name Active Pending Completed Dropped Commands n/a 0 0 0 Responses n/a 0 0 n/a
For more info on nodetool, see About the nodetool utility.
Cassandra resource
Refer to the following URL: http://www.datastax.com/docs/1.0/operations/monitoring.
Monitoring Apache Qpid Broker-J
You can monitor Qpid Broker-J from the Qpid management console. This section explains how to access the console and use it to perform basic monitoring functions. For more detailed information on using the management console, see Web Management Console in the Apache Qpid documentation.
Access the management console
The default management console port is 8090. To access the console on this default port, point your web browser to:
http://QPID_NODE_IP:8090
To log in to the console, use the default credentials set by Apigee or the ones set in the Edge configuration file. For details, see Edge configuration file reference.
Monitor queues and messages
In the left-navigation panel, navigate to Java-Broker > virtualhosts > queues. Select a queue to view its details in the main part of the UI. In the details view, you can see Queue Attributes and Statistics, including information on messages delivered, enqueued, message rates, and so on.
View and download log files
In the left-navigation panel, navigate to Java-Broker > brokerloggers > logfile. In the main UI details view, you can view log file details and download log files.
Using the Qpid management API
You can use the Apache Qpid Broker-J REST API to automate management tasks and monitor the broker. For details, see the Apache Qpid Broker REST API documentation.
You can also use command line tools to monitor the broker. For example:
curl "QPID_NODE_IP":"8090"/api/latest/broker -u "USERNAME":"PASSWORD"
Enable monitoring with SSL for Qpid
To provide additional security for monitoring and management, enable SSL on Qpid’s Management Portal and Qpid's Management APIs. Follow the guidelines below to provide a key and certificate.
Qpid provides an option for a File Keystore, which is enabled in Apigee. This type accepts the standard JKS keystore format understood by Java and Java tools such as keytool. It can also accept a PKCS12 keystore, which can be generated using tools like OpenSSL.
Keystore preparation
For generating keystores, see Java Keytool Documentation.
For generating PKCS12 keystores, see OpenSSL Documentation.
After verifying requirements
- Place the keystore file in
/opt/apigee/customer/application/apigee-qpidd
. - Ensure the keystore file is readable only by the Apigee user:
chown apigee:apigee /opt/apigee/customer/application/apigee-qpidd/qpidd.keystore chmod 400 /opt/apigee/customer/application/apigee-qpidd/qpidd.keystore
Enable SSL in Qpid
Perform the steps below on one Qpid node at a time:
Open the file /opt/apigee/customer/application/qpidd.properties
and add the following lines:
conf_qpidd_qpid_management.https.enabled=true conf_qpidd_qpid.keystore.storeUrl=/opt/apigee/customer/application/apigee-qpidd/qpidd.keystore conf_qpidd_qpid.keystore.password=keystore-password conf_qpidd_qpid.keystore.certificateAlias=certificate-alias ## If you are using a PKCS12 keystore, specify the keystore type conf_qpidd_qpid.keystore.keyStoreType=PKCS12
- Change the owner of the file to apigee:apigee:
chown apigee:apigee /opt/apigee/customer/application/qpidd.properties
- Configure Qpidd:
apigee-service apigee-qpidd configure
- Restart Qpidd:
apigee-service apigee-qpidd restart
- Check the status with wait_for_ready:
apigee-service apigee-qpidd wait_for_ready
Revert SSL configuration
Remove or comment out the properties from the file /opt/apigee/customer/application/qpidd.properties
:
conf_qpidd_qpid_management.https.enabled=true conf_qpidd_qpid.keystore.storeUrl=/opt/apigee/customer/application/apigee-qpidd/keystore
- Configure Qpidd:
apigee-service apigee-qpidd configure
- Restart Qpidd:
apigee-service apigee-qpidd restart
- Check the status with wait_for_ready:
apigee-service apigee-qpidd wait_for_ready
Apache ZooKeeper
Check ZooKeeper status
- Ensure the ZooKeeper process is running. ZooKeeper writes a PID file to
opt/apigee/var/run/apigee-zookeeper/apigee-zookeeper.pid
. - Test ZooKeeper ports to ensure that you can establish a TCP connection to ports 2181 and 3888 on every ZooKeeper server.
- Ensure that you can read values from the ZooKeeper database. Connect using a ZooKeeper
client library (or
/opt/apigee/apigee-zookeeper/bin/zkCli.sh
) and read a value from the database. - Check the status:
/opt/apigee/apigee-service/bin/apigee-service apigee-zookeeper status
Use ZooKeeper four-letter words
ZooKeeper can be monitored via a small set of commands (four-letter words) that are sent to the port 2181 using netcat (nc) or telnet.
For more info on ZooKeeper commands, see: Apache ZooKeeper command reference.
For example:
srvr
: Lists full details for the server.stat
: Lists brief details for the server and connected clients.
The following commands can be issued to the ZooKeeper port:
- Run the four-letter command ruok to test if server is running in a non-error state. A
successful response returns "imok".
echo ruok | nc host 2181
Returns:
imok
- Run the four-letter command,
stat
, to list server performance and connected clients statistics:echo stat | nc host 2181
Returns:
Zookeeper version: 3.4.5-1392090, built on 09/30/2012 17:52 GMT Clients: /0:0:0:0:0:0:0:1:33467[0](queued=0,recved=1,sent=0) /192.168.124.201:42388[1](queued=0,recved=8433,sent=8433) /192.168.124.202:42185[1](queued=0,recved=1339,sent=1347) /192.168.124.204:39296[1](queued=0,recved=7688,sent=7692) Latency min/avg/max: 0/0/128 Received: 26144 Sent: 26160 Connections: 4 Outstanding: 0 Zxid: 0x2000002c2 Mode: follower Node count: 283
- If netcat (nc) is not available, you can use the python as an alternative. Create a file
named
zookeeper.py
that contains the following:import time, socket, sys c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) c.connect((sys.argv[1], 2181)) c.send(sys.argv[2]) time.sleep(0.1) print c.recv(512)
Now run the following python lines:
python zookeeper.py 192.168.124.201 ruok
python zookeeper.py 192.168.124.201 stat
LDAP level test
You can monitor OpenLDAP to see whether the specific requests are served properly. In other words, check for a specific search that returns the right result.
- Use
ldapsearch
(yum install openldap-clients
) to query the entry of the system admin. This entry is used to authenticate all API calls.ldapsearch -b "uid=admin,ou=users,ou=global,dc=apigee,dc=com" -x -W -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -LLL
You are then prompted for the LDAP admin password:
Enter LDAP Password:
After entering the password, you see a response in the form:
dn: uid=admin,ou=users,ou=global,dc=apigee,dc=com objectClass: organizationalPerson objectClass: person objectClass: inetOrgPerson objectClass: top uid: admin cn: admin sn: admin userPassword:: e1NTSEF9bS9xbS9RbVNXSFFtUWVsU1F0c3BGL3BQMkhObFp2eDFKUytmZVE9PQ= = mail: opdk@google.com
- Check whether Management Server is still connected to LDAP with the following command:
curl -u userEMail:password http://localhost:8080/v1/users/ADMIN
Returns:
{ "emailId" : ADMIN, "firstName" : "admin", "lastName" : "admin" }
You can also monitor the OpenLDAP caches, which help in reducing the number of disk accesses
and hence improve the performance of the system. Monitoring and then tuning the cache size in the
OpenLDAP server can heavily impact the performance of the directory server. You can view the log
files (opt/apigee/var/log
) to obtain information about cache.