FIXEdge C++ with FIXICC H2: Deployment Guide with Consul
PostgreSQL installation and configuration
NOTE!
- in case you already have postgres setup in your network, you can skip this part
- installation should be performed under the root user.
Install PostgreSQL from yum repository
yum install -y postgresql postgresql-server
Initialize a new PostgreSQL installation
postgresql-setup initdb
By default PostgreSQL server is only accessible via Unix Domain Sockets or loopback IP interface (127.0.0.1) to the local users, the users are authenticated by the operating system, i.e. the OS user postgres can connect as PostreSQL user postgres without any additional authentication from the PostgreSQL server side. To allow PgAdmin4 and FIXICC H2 to work we need to enable access via a network
To enable network access to PostgreSQL server edit file /var/lib/pgsql/data/pg_hba.conf and add the following lines:
host all all 0.0.0.0/0 md5 host all all ::0/0 md5
It allows all users to connect from any host via TCP or SSL socket using hashed passwords.
Remove lines that enable ident connection to localhost:
# IPv4 local connections: host all all 127.0.0.1/32 ident # IPv6 local connections: host all all ::1/128 ident
To enable listening of all network interfaces edit file /var/lib/pgsql/data/postgresql.conf , replace line:
# listen_addresses = 'localhost'
with
listen_addresses = '*'
Enable auto-start and start postgresql server (check service status)
systemctl enable --now postgresql systemctl status postgresql
Consul installation and configuration
Add HashiCorp repository:
yum install -y yum-utils yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
Install consul from yum repository
yum install -y consul
Generate Consul certificate and private key
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /etc/consul.d/consul.key -out /etc/consul.d/consul.crt -subj '/C=RU/L=Saratov/O=EPAM/OU=BFIX/CN=fixicch2.consul' chown consul:consul /etc/consul.d/*
NOTE!
- replace '/C=RU/L=Saratov/O=EPAM/OU=BFIX/CN=fixicch2.consul' with your company identityConfigure consul as follows (/etc/consul.d/consul.json)
NOTE!
Create consul.json file if missing in the directory.{ "bind_addr": "{{GetInterfaceIP \"ens5\"}}", "bootstrap": true, "server": true, "addresses": { "https": "0.0.0.0" }, "ports": { "http": -1, "https": 8501 }, "auto_encrypt": { "allow_tls": true, "tls": true }, "client_addr": "0.0.0.0", "ui": true, "data_dir": "/var/lib/consul", "log_level": "INFO", "disable_update_check": true, "disable_anonymous_signature": true, "verify_server_hostname": false, "cert_file": "/etc/consul.d/consul.crt", "key_file": "/etc/consul.d/consul.key", "auto_encrypt": { "allow_tls": true } }
NOTE!
- replace ens5 with your server's network interface
- you can find your network interface id with `ifconfig` commandRemove or backup /etc/consul.d/consul.hcl
Create consul data directory
mkdir /var/lib/consul chown consul:consul /var/lib/consul
Remove ConditionFileNotEmpty in /usr/lib/systemd/system/consul.service
ConditionFileNotEmpty=/etc/consul.d/consul.hcl
Enable auto-start and start consul server (check service status)
systemctl enable --now consul systemctl status consul
Consul UI should be available on https://server_ip:8501/ui/
FIXICC-H2 installation and configuration
Install dependencies
yum install -y java-1.8.0-openjdk
- Download latest package from https://clientspace.b2bits.com/product-58 (fixicc-h2-*.el7.x86_64.rpm)
Install rpm package fixicc-h2-*.el7.x86_64.rpm
rpm -i fixicc-h2-*.el7.x86_64.rpm
Login into postgres server
sudo -u postgres psql
Create a user and a database for FIXICC H2 in postgresql
CREATE USER fixicch2 WITH CREATEDB PASSWORD 'fixicch2'; CREATE DATABASE fixicch2; GRANT ALL PRIVILEGES ON DATABASE fixicch2 TO fixicch2;
Exit psql console
postgres=# \q
Generate keystore for FIXICC-H2
keytool -genkey -noprompt -alias jetty -keyalg RSA -dname 'CN=admin, OU=EPM-BFIX, O=EPAM Systems, L=Unknown, S=Unknown, C=Unknown' -keystore /etc/fixicc-h2/keystore.jks -storepass fixicch2 -keypass fixicch2 chown fixicc-h2:fixicc-h2 /etc/fixicc-h2/keystore.jks
Edit /etc/fixicc-h2/local.app.properties and set properties as follows
cuba.rest.anonymousEnabled = true cuba.anonymousLogin = anonymous cuba.dbmsType = postgres cuba.dataSourceProvider = application cuba.dataSource.username = fixicch2 cuba.dataSource.password = fixicch2 cuba.dataSource.dbName = fixicch2 cuba.dataSource.host = 127.0.0.1 cuba.dataSource.port = 5432 fixicch2.consul.encrypted_connection = true fixicch2.consul.host = 127.0.0.1 fixicch2.consul.port = 8501 fixicch2.consul.insecure_connection_enabled = true fixicch2.fixServerType = all fixicch2.consul.check.tls_skip_verify=true fixicch2.secure_http_port = 8443 fixicch2.key_store_path = keystore.jks fixicch2.trust_store_path = keystore.jks
Edit /usr/lib/systemd/system/fixicc-h2.service as follows
[Unit] Description=FIXICC-H2 After=syslog.target network.target [Service] Type=simple User=fixicc-h2 Group=fixicc-h2 SuccessExitStatus=143 Environment=FIXICC_H2_KEY_STORE_PASSWORD=fixicch2 FIXICC_H2_KEY_MANAGER_PASSWORD=fixicch2 FIXICC_H2_TRUST_STORE_PASSWORD=fixicch2 ExecStart=/bin/bash -c '/usr/bin/java -Dapp.home=/etc/fixicc-h2/ -Dfixicch2.secure_http_port=8443 -Dfixicch2.key_store_path=/etc/fixicc-h2/keystore.jks -Dfixicch2.trust_store_path=/etc/fixicc-h2/keystore.jks -jar /usr/lib64/fixicc-h2/22H1/app.jar' ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target
Enable auto-start and start FIXICC-H2 server (check service status)
systemctl enable --now fixicc-h2 systemctl status fixicc-h2
FIXICC-H2 UI should be available on https://server_ip:8443/app/
default user:password is admin:admin
FIXEdge installation and configuration
Install dependencies
yum install -y libtool-ltdl
NOTE for RHEL systems!
- check whether /usr/lib64/libnsl.so.1 exists on your system (create symlink if needed `ln -s /usr/lib64/libnsl.so.2 /usr/lib64/libnsl.so.1`)- Download latest package from https://clientspace.b2bits.com/product-30 (fixedge-*.el7.x86_64.rpm)
Install rpm package fixedge-*.el7.x86_64.rpm
rpm -i fixedge-*.el7.x86_64.rpm
Copy your engine.license file into /etc/fixedge/ directory
cp ./engine.license /etc/fixedge/
Add below config at the end of /etc/fixedge/FIXEdge.properties
# FIXICC-H2 Integration AdminRESTAPI.Enabled = true AdminRESTAPI.Port = 8903 AdminRESTAPI.HTTPSServer.PrivateKey = AdminRESTAPI.key AdminRESTAPI.HTTPSServer.Certificate = AdminRESTAPI.crt Components.Service.ConsulAPI = Consul Components.Service.ConsulAPI.Checks = Components.Service.ConsulAPI.Host = localhost Components.Service.ConsulAPI.Port = 8501 Components.Service.ConsulAPI.SSL = true Components.Service.ConsulAPI.SSL.CertificateAuthority = /etc/fixedge/consul.crt Components.Service.ConsulAPI.Services.Host = localhost Components.Component.ServiceDiscovery = ConsulAPI Components.Service.FIXICCH2 = configuration-service Components.Service.FIXICCH2.Host = 127.0.0.1 Components.Service.FIXICCH2.Port = 8443 Components.Service.FIXICCH2.SSL = true Components.Service.FIXICCH2.SSL.CertificateAuthority = /etc/fixedge/fixicc-h2.crt Components.Service.FIXICCH2.ReconnectInterval = 1000 Components.Component.Configuration = FIXICCH2
Copy consul certificate
cp /etc/consul.d/consul.crt /etc/fixedge/consul.crt chown fixedge:fixedge /etc/fixedge/consul.crt
Extract fixicc-h2 certificate
keytool -export -alias jetty -file /etc/fixicc-h2/fixicc-h2.der -keystore /etc/fixicc-h2/keystore.jks -storepass fixicch2 -keypass fixicch2 openssl x509 -inform der -in /etc/fixicc-h2/fixicc-h2.der -out /etc/fixicc-h2/fixicc-h2.crt cp /etc/fixicc-h2/fixicc-h2.crt /etc/fixedge/fixicc-h2.crt chown fixedge:fixedge /etc/fixedge/fixicc-h2.crt
Enable auto-start and start FIXEdge server (check service status)
systemctl enable --now fixedge systemctl status fixedge
- After startup fixedge server should appear in fixicc-h2 UI
FIXEye Agent installation and configuration
FIXEye Agent installation instruction mentioned below is not applicable for RHEL systems.
- Download latest package from https://clientspace.b2bits.com/product-36 (fixeye-agent-*.el7.x86_64.rpm)
Install rpm package fixeye-agent-*.el7.x86_64.rpm
rpm -i fixeye-agent-*.el7.x86_64.rpm
Copy your fixeye-agent.license file into /etc/fixeye/ directory
cp ./fixeye-agent.license /etc/fixeye/
Edit /etc/fixeye/fixeye-agent.config as follows
-rest-port 8882 -rest-pkey "/etc/fixeye/AdminRESTAPI.key" -rest-cert "/etc/fixeye/AdminRESTAPI.crt" --propfile "/etc/fixeye/fixeye-agent.properties" -f "/var/lib/fixedge/*.in" "/var/lib/fixedge/*.out" --pidfile "/var/log/fixeye/fixeye-agent.pid" -licfile "/etc/fixeye/fixeye-agent.license"
Replace corresponding properties in /etc/fixeye/fixeye-agent.properties with the following
Consul.Enabled=true Consul.Host=localhost Consul.Port=8501 Consul.ReconnectInterval=1000 Consul.ServerName=FIXEdge1 Consul.Services.Host=localhost Consul.Services.HealthChecks.Interval=5 Consul.Services.HealthChecks.Timeout=5 Consul.SSL=true Consul.SSL.CertificateAuthority=/etc/fixeye/consul.crt
Copy consul certificate for fixeye
cp /etc/consul.d/consul.crt /etc/fixeye/consul.crt chown fixeye:fixeye /etc/fixeye/consul.crt
Copy RESTAPI certificate for fixeye
cp /etc/fixedge/AdminRESTAPI.crt /etc/fixeye/AdminRESTAPI.crt cp /etc/fixedge/AdminRESTAPI.key /etc/fixeye/AdminRESTAPI.key chown fixeye:fixeye /etc/fixeye/AdminRESTAPI.crt chown fixeye:fixeye /etc/fixeye/AdminRESTAPI.key
Add fixeye user to the fixedge group
usermod -a -G fixedge fixeye
Enable auto-start and start fixeye-agent server (check service status)
systemctl enable --now fixeye-agent systemctl start fixeye-agent