Deploying Business Intelligence on a Separate Server
Orchestra Business Intelligence is typically deployed on the same application server as the main Orchestra application. However, due to performance and scalability reasons it is also possible to deploy Business Intelligence on a separate server. This section provides installation and setup instructions to accomplish this.
TLSv1.2 Workaround
Standalone Business Intelligence does not support TLSv1.2 out of the box. This means that there will be a handshake failure when the Orchestra server tries to connect to Business Intelligence, since the Orchestra server does not allow a protocol lower than TLSv1.2. To solve this, follow these steps:
1. Add the following Java option to the file standalone.conf.bat, on the Business Intelligence server:
set "JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocol=TLSv1, TLSv1.1, TLSv1.2"
Prerequisites
Two IP addresses, on the same LAN subnet.
Example:
Orchestra SSO login prerequisites
The default option from Orchestra 5.4 and later is to use Orchestra Single sign-on authentication and authorization. That means that you only need to log in to Orchestra in order to access the Orchestra Business Intelligence application from the Home page of Orchestra.
Alternatively, it is possible to modify the Orchestra Business Intelligence installation and use the Business Intelligence application's native login page instead of the Orchestra one. This is, however, not recommended.
In order to share the user session token across different servers, the main Orchestra server and the Business Intelligence server must appear to originate from the same domain from the user browser's point of view, otherwise the cookie same-origin policy of web browsers will prohibit sharing of required session information. There are two supported ways to configure this: same-domain or reverse-proxy. These are explained below.
Same-domain
If each server is mapped to a sub-domain of a common parent domain name, the cookie same-origin policy is not violated and session information can be shared. For same-domain policy installs, each IP must be mapped to a sub-domain of your main domain name in the DNS server your users use to connect to Orchestra.
Reverse-proxy
Another option is use a reverse-proxy / load balancer in front of both servers that has the capability to route requests to different back-ends depending on the context path of the request. In this scenario, the user browser only sees proxy.yourdomain.com and thus the same-origin policy is not violated. Session info is safely shared.
After installation, you will need to manually add the Data Sources for Business Intelligence again. This procedure is described in the Administrator’s Guide, found on Qmatic World.
Detailed instruction regarding each approach is present further down.
Installation
Deployment architecture
Orchestra Server
When installing the main Orchestra Server, take the following bullet into consideration:
• Do not check the Business Intelligence option and the Stat option, in the installation wizard.
Database Server
For the server where the database is run, please take the following bullet into consideration:
• You will need to update the qp_central and qp_agent databases, so the Home page shows an "Orchestra Business Intelligence" entry with the appropriate URL to the Business Intelligence server.
UPDATE qp_central.applications SET enabled = 1, url =
'http://your.domain.name:8080/businessintelligence' WHERE id='bi'
UPDATE qp_central.application_modules SET enabled = 1 WHERE id='bi'
UPDATE qp_agent.applications SET enabled = 1, url =
'http://your.domain.name:8080/businessintelligence' WHERE id='bi'
UPDATE qp_agent.application_modules SET enabled = 1 WHERE id='bi'
Make sure you replace the URL in the example above with the URL that matches your environment.
IMPORTANT: If you are planning to use the reverse-proxy strategy for sharing session information across hosts, please specify the path to the proxy-server as URL in the queries above, e.g:
UPDATE … SET url = 'http://proxy.yourdomain.com:8080/businessintelligence' WHERE …
You may need to modify the SQL above slightly to be compliant with your particular database vendor (e.g. add schema prefixing on table names or similar). Also, some databases may require the use of true or false instead of 1 or 0 for boolean values such as 'is_distributed' or 'enabled'.
• After installation is complete and your Orchestra is up and running, open the
System Administration application and the
Parameters tab and find the
"Stat Server Address" and “
Stat Server Port” parameters, in the
"Statistics Settings" group. Change their values to the protocol, host name and port of your Business Intelligence server. For more information, see
“Parameters” .
If you are using Branch Hub or Hub, this parameter
must be set to the IP address.
Example
Stat Server Address: http://bi.your.domain
Stat Server Port: 8080
This, so the statistics data can reach the separately deployed Business Intelligence server.
Business Intelligence Server
When installing the Business Intelligence server, take the following into consideration:
• Check both the Business Intelligence and the Stat options in the installation wizard. Do not install any of the other applications.
• Make sure that you enter the appropriate domain name to the main Orchestra server, when the installer asks for it. Remember, the address you enter here must be accessible for end users as the address is used for login redirects, logout redirects and the Home button in the Business Intelligence application.
If you are planning to use the reverse-proxy strategy for sharing session information across hosts, please specify the path to the proxy-server instead of directly referencing the Orchestra server.
If you need to modify the value entered in the bullet above later, the value is written to:
[install dir]/pentaho-solutions/system/security.properties
You can modify the central.orchestra.url property later if the central Orchestra server changes host name. This requires restart of the Business Intelligence server to take effect.
Post-install configuration options for session sharing
This section describes the two options for accomplishing session sharing between the Orchestra and the Business Intelligence server.
For both same-domain installations and reverse-proxy installations the file
conf/shiro.ini needs to be updated on the central server.
Locate the section that looks like this:
/qsystem/rest/security/account/** = noSessionCreation, ipFilter[127.0.0.1,0:0:0:0:0:0:0:1]
Inside the brackets, add the proxy server IP address that the BI server will use when communicating with Orchestra. For networks that use both IPv4 and IPv6 you should add both addresses.
A Fully Qualified Domain Name (FQDN), for example
proxy.yourdomain.com, can be used instead of IP address. Also, IPv6 address can be omitted, if not used.
Example:
/qsystem/rest/security/account/** = noSessionCreation, ipFilter[127.0.0.1,0:0:0:0:0:0:0:1,192.168.1.101,fe80::31e0:772:61ab:c832:31e0:31e0]
1. Same-domain installation
If each server is mapped to a subdomain of a common parent domain name, the cookie same-origin policy is not violated and session information can be shared. For same-domain policy installations, each IP must be mapped to a subdomain of your main domain name in the DNS server your users use to connect to Orchestra.
Example:
Orchestra Server: | orchestra.yourdomain.com |
Business Intelligence Server: | bi.yourdomain.com |
The cookie domain setting needs to be forced. This is done, by editing the file [install dir]/conf/shiro.ini on the Orchestra host and adding the cookie.domain property, as in the following example:
# Cookie for single sign on
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie
cookie.path = /
cookie.domain = yourdomain.com
Please note that there have been reports of Internet Explorer users having to add the two full domain names to the browser's list of Trusted Sites in order for the cookie to be passed to both hosts.
Important: After adding the
'cookie.domain' property above, please note that this change makes it impossible to log on to Orchestra unless accessed through the DNS domain name, e.g.
http://orchestra.yourdomain.com. While the system is still reachable using its IP address, no login attempts will succeed since the browser will not accept the issued cookie if the domain names does not match.
2. Reverse-proxy installation
An alternative is to use a reverse proxy / load balancer in front of both servers that has the capability to route requests to different backends depending on the context path of the request.
Mapped path | | Internal server |
proxy.yourdomain.com/businessintelligence/** | => | bi.yourdomain.com |
proxy.yourdomain.com/** | => | orchestra.yourdomain.com |
In this scenario, the user browser only sees proxy.yourdomain.com and thus the same-origin policy is not violated. Session info is safely shared.
Qmatic does not provide or support reverse-proxy or load-balancing software. However, for convenience a sample configuration for HAProxy is provided below. HAProxy is a free load-balancing software available for major Linux and Unix operating systems.
http://www.haproxy.org/
The following snippet from a sample HAProxy configuration routes requests to two different backends depending on the request path:
frontend http-in
# bind port 8080 on all interfaces
bind *:8080
# add the Proxy-ip header Glassfish uses for X-Fowarded-For
option forwardfor header Proxy-ip
##### ACL rules to determine where to route incoming traffic #####
# bi - this tells HAProxy to use acl rule 'is_bi' for
# the path /businessintelligence
acl is_bi path_beg /businessintelligence
#### route to appropriate backend ###
# bi - if using acl rule 'is_bi', route requests to backend 'bi'
use_backend bi if is_bi
# default to orchestra backend, e.g. everything else
default_backend orchestra
######### ORCHESTRA BACKEND ##########
backend orchestra
# configure health check URL. Load balancer will return HTTP 503 if this
# check fails. Uses /ping.html in Orchestra
option httpchk GET /ping.html HTTP/1.1\r\nHost:\ www
# Defines a server named 'orchestra1' on the given IP:PORT for this backend
server orchestra1 192.168.1.100:8080 check
######### BI BACKEND ###########
backend bi
# configure health check URL. Uses the / context-root on the BI server
option httpchk GET / HTTP/1.1\r\nHost:\ www
# Defines a server named 'bi1' on the given IP:PORT for this backend
server bi1 192.168.1.101:8080 check
This sample would naturally need to be updated with IP's, port numbers, host names etc. applicable to the customer's infrastructure as well as other required elements of a functional HAProxy configuration. The snippet above only deals with the routing part relevant to the reverse-proxying mechanism and should be.
Configuration updates for reverse-proxy
When using the reverse-proxy approach we need to change a few of the configuration settings we make sure that URL's to the Orchestra and Business Intelligence servers point to the IP or host name of the reverse-proxy and not directly at the servers.
This needs to be updated in two locations:
• On the Orchestra Server update the URL to the Business Intelligence application in the qp_central.applications and qp_agent.applications tables:
UPDATE qp_central.applications SET url = 'http://proxy.yourdomain.com:8080/businessintelligence' WHERE id='bi'
UPDATE qp_agent.applications SET url = 'http://proxy.yourdomain.com:8080/businessintelligence' WHERE id='bi'
E.g. make sure that the URL in the Orchestra Home page uses the reverse-proxy address instead of the direct IP or host name to the Business Intelligence server.
• On the Business Intelligence server, open the [install dir]/pentaho-solutions/system/security.properties file and change the central.orchestra.url property to the host name/ip address of the reverse proxy, e.g:
central.orchestra.url = http://proxy.yourdomain.com:8080
Adjust protocol, host name/ip and port according to your setup.
If you have previously used configuration option 1 (same-domain) and have added a "cookie.domain" entry to the
shiro.ini file, you either need to remove this entry again and restart the Orchestra server or you need to map the IP address of the load balancer to a DNS entry on the same domain specified for the
"cookie.domain" property. Otherwise you will not be able to log in to Orchestra.
After installation, you will need to manually add the Data Sources for Business Intelligence again. This procedure is described in the Administrator’s Guide, found on Qmatic World.
