Manual build for Userify Enterprise Cluster on AWS
To build a cluster automatically at AWS, please see Automatic Build.
This HOWTO is designed for AWS, but it is also applicable to most other clouds with similar technology. In situations where S3 is not available, NFS shared directory storage may be substituted instead. (Userify works fine over NFS.)
- Install and configure a Redis Elasticache cluster (preferably multi-AZ). We recommend that you configure network access to Elasticache (the security group rules that let the Userify nodes reach the Redis port) now.
- Use ACM to generate a TLS certificate for your given hostname (such as
- Install and configure Userify Enterprise on a single node by following the normal single node instructions. Be sure to opt for data storage in S3.
- In the configuration dashboard, change the Redis hostname to match your Redis Elasticache cluster hostname. Please notify us if you have any problems with this step. If you prefer, you can add
"redis_host": "your-elasticache-hostname"
to the JSON in /opt/userify-server/base_config.cfg first.
- Remove the Redis server from the node. (Usually accomplished with something such as
sudo apt-get --purge remove redis-server
or
sudo yum erase redis
.) You do not need to retain data from the Redis server. Do not remove the Redis client libraries; those are normally separate packages.
- Restart the node and ensure that the new Redis server is connected and working correctly. It is sometimes helpful to log into the node with SSH and run
sudo pkill userify-
cd /opt/userify-server
sudo ./userify-server
to view output directly on screen. You can test access to Elasticache later by running
redis-cli -h elasticachehostname keys "*"
but keep in mind that this command is for testing only and will momentarily slow down your Elasticache cluster.
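The two Redis steps above (pointing base_config.cfg at Elasticache, then confirming the node can reach it) can be done with a small script like the following. This is an added example, not Userify's own code: it assumes base_config.cfg is a JSON object containing a "redis_host" key, as the page describes, and that Elasticache speaks the Redis protocol on its default port 6379. The config is parsed and rewritten rather than edited with sed, so a typo cannot leave the server with unparseable JSON, and the backup copy preserves the cryptokey. The connectivity check sends a single PING instead of KEYS "*", so it does not load the cluster. The "fake Redis" responder is constructed here only so the example runs offline; in practice you run the check from a node inside the VPC, since Elasticache is not reachable from outside it.

```python
"""Point Userify's base_config.cfg at Elasticache and verify the endpoint answers.

Added example (not Userify's code). Assumes base_config.cfg is JSON with a
"redis_host" key and that Redis/Elasticache speaks RESP on port 6379.
"""
import json
import os
import shutil
import socket
import socketserver
import threading


def set_redis_host(config_path: str, host: str) -> dict:
    """Back up the config (it holds the unrecoverable cryptokey), then set redis_host.

    Parse-and-rewrite instead of sed, so the result is always valid JSON, and an
    atomic rename so a crash mid-write cannot leave a half-written config.
    """
    shutil.copy2(config_path, config_path + ".bak")
    with open(config_path) as fh:
        cfg = json.load(fh)
    cfg["redis_host"] = host
    tmp = config_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(tmp, 0o600)  # the file contains a secret; keep it owner-readable only
    os.replace(tmp, config_path)
    return cfg


def redis_ping(host: str, port: int = 6379, timeout: float = 2.0) -> bool:
    """Send one RESP PING and expect +PONG.

    PING is O(1) on the server, unlike KEYS "*", which scans the whole keyspace.
    Any connection error (security group blocking the port, wrong hostname,
    DNS failure) simply yields False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"*1\r\n$4\r\nPING\r\n")
            reply = sock.recv(64)
    except OSError:
        return False
    return reply.startswith(b"+PONG")


class _PongHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for Elasticache: answers a RESP PING with +PONG."""

    def handle(self):
        data = self.request.recv(64)
        if data.startswith(b"*1\r\n$4\r\nPING"):
            self.request.sendall(b"+PONG\r\n")
        else:
            self.request.sendall(b"-ERR unknown command\r\n")


def start_fake_redis():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _PongHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys

    # Usage on the node:
    #   sudo python3 set_redis.py /opt/userify-server/base_config.cfg your-elasticache-hostname
    config_path, elasticache_host = sys.argv[1], sys.argv[2]
    set_redis_host(config_path, elasticache_host)
    print("redis_host set; Elasticache PING ok:", redis_ping(elasticache_host))
```

Run it before removing the local redis-server package: if the PING fails, the security group or hostname is wrong and Userify would come back up with no working Redis after the restart.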
- Optionally, front-end the Userify server with HAProxy or nginx for faster static file delivery. (Please see our other HOWTOs on how to do this.) Keep in mind that Userify listens on port 8120 (or on any port specified on the command line) with unencrypted HTTP, so you can proxy /api requests directly to port 8120 and terminate TLS elsewhere.
- Make any additional changes to the node to fit your environment (such as external loghost reporting, automatic OS updates, security hardening, etc.). Keep a backup of the /opt/userify-server/base_config.cfg file somewhere, as it contains your cryptokey, which cannot be recovered otherwise.
- Use the AWS console to create an Amazon Machine Image (AMI) of your node.
- Use this node to create a Launch Configuration for an Auto Scaling Group. We recommend m3.medium class instances as a good balance of capacity versus cost. You can also specify a minimum group size of 1 and a maximum of 1 if you don't want it to automatically grow as needed. You can create auto-scaling rules to auto-scale the group when CPU exceeds 70%. It is recommended that you span multiple Availability Zones with your Auto Scaling Group.
- Create a (classic) Elastic Load Balancer (recommended) or ALB and configure it to listen on TLS using the TLS certificate generated in ACM, forwarding traffic to port 8120 (HTTP, unencrypted) on nodes in the Auto Scaling Group. You can also simply forward TCP on port 443 to the nodes and terminate TLS on the nodes themselves, using Userify's built-in certificate management tools, but using ACM is recommended.
- Log into the Userify configuration dashboard through the ELB and new hostname and choose the URL settings tab. Adjust the URL and hostname settings (they should be automatically set when you access that page through the new hostname) and click save.
- You should also configure at least a self-signed TLS key and certificate in the key control panel to cause Userify to switch to CA-signed mode for deployments, even though you're going to be using the ELB as the TLS front-end. This switch is automatically enabled when you configure TLS inside of Userify. There are also other ways to trigger this switch in the configuration file; please contact support for details.
- Cycle all ELB nodes and test to ensure everything is working properly.
- Test by deploying nodes to ensure proper operation and that the managed nodes are seeing the correct hostname in their deployment scripts, and that they are connecting through the ELB using TLS properly, with certificate signature checks.
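One way to check the last point from a managed node's perspective, as an added example that is not part of Userify's own tooling: perform the same TLS handshake a managed node would make to the ELB hostname, with chain verification and hostname checking left on (the Python default context), and report the certificate's remaining lifetime. It assumes the ELB listens on port 443 as set up above; the hostname is whatever you configured in ACM and the URL settings tab.

```python
"""Verify the ELB's TLS endpoint the way a managed node would.

Added example (not Userify's code). Assumes the ELB terminates TLS on 443 with
the ACM certificate; the hostname is the one configured in the URL settings tab.
"""
import socket
import ssl
import time


def build_context() -> ssl.SSLContext:
    """Default context: CA chain verification on, hostname check on, system trust store.

    Pinning the floor to TLS 1.2 mirrors what a current managed node will negotiate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_until_expiry(not_after: str, now_epoch: float = None) -> int:
    """Whole days left on a cert, from the notAfter string getpeercert() returns
    (e.g. 'Jun  1 12:00:00 2030 GMT')."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now_epoch is None:
        now_epoch = time.time()
    return int((expires - now_epoch) // 86400)


def check_elb_tls(hostname: str, port: int = 443, min_days: int = 14) -> dict:
    """Handshake with full verification; raises ssl.SSLCertVerificationError on an
    untrusted chain or a hostname mismatch, exactly as a managed node's check would.

    Returns a small report so the result can be logged or asserted on.
    """
    ctx = build_context()
    with socket.create_connection((hostname, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            days_left = days_until_expiry(cert["notAfter"])
            return {
                "subject": dict(pair[0] for pair in cert["subject"]),
                "protocol": tls.version(),
                "days_left": days_left,
                "expiring_soon": days_left < min_days,
            }


if __name__ == "__main__":
    import sys

    # Usage: python3 check_elb_tls.py userify.example.com   (hostname is a placeholder)
    report = check_elb_tls(sys.argv[1])
    print(report)
    sys.exit(1 if report["expiring_soon"] else 0)
```

If this script raises a verification error while a browser shows the page fine, a managed node's deployment script will fail the same way; that usually means the ELB listener is serving a certificate whose name does not match the hostname in the URL settings tab, and the settings from the previous step need to be revisited.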
- You can reconfigure anything through the configuration dashboard in the future, but you should cycle the nodes or the userify service (sudo pkill userify-server will do it) on the nodes you are not configuring through (or just all of them) to ensure that your changes are picked up. In particular, you should ensure that any additional changes such as SMTP configuration through SES or elsewhere, Active Directory, etc. are fully reflected throughout the cluster.
- Congratulations! You have successfully built a Userify Enterprise cluster. We are working on providing a customer-usable CloudFormation template to automatically do all of these steps in one step; please contact us if you want to try it out. Also, we're always interested in how it went, so please let us know.