2. Deployment Guide

This guide sets out everything that you need to consider before integrating WANdisco's Access Control and or replication technology into your SCM platform. It isn't possible to address every possible set of conditions so it's important to remain watchful for possible problems - don't hesitate to contact our support team with any questions or concerns.

Though you may have referred to the Deployment Checklist before or during an earlier evaluation of Access Control Plus we strongly recommend that you revisit the checklist immediately prior to your deployment in order to confirm that your system still meets all requirements.

Don't skip this section! Overlooked requirements are a common cause of difficult-to-diagnose setup problems that could take a lot more time to fix than you'll spend running through these checks.

2.1 Deployment Checklist

System setup
Operating Systems	We've tested the following operating systems: Red Hat Linux Enterprise Server (32 or 64 bit): 4, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 6, 6.1, 6.2, 6.3 CentOS: 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 6, 6.1, 6.2, 6.3
Reserved Ports	Access Control Plus requires that a number of TCP ports are reserved for its exclusive use: application.port=6444 - DConE port handles agreement traffic which coordinates replication between sites. content.server.port=6445 - The content server port is used for the replicator's payload data: account / access control changes etc. jetty.http.port=8082 - The jetty port is used for the MultiSite Plus management interface. Plan your ports While default ports are assigned automatically if you don't select them, we do not recommend that you work with the defaults. A production deployment should start with a site survey from which ports are selected and verified as available at all sites. Running with WANdisco MultiSite products: If you are running with Git MultiSite or SVN MultiSite Plus you should repeat this step for that application, making sure there is no conflict in terms of port reservation.
Deployment Modes	The Deployment mode is completely controlled by the license.key file that you have in place. Should you need to run in a different deployment mode, or change any othe aspect of your license, you should see License Updates. Integration with SVN MultiSite Plus When running Access Control Plus with WANdisco's SVN MultiSite Plus, you should refer to the Deployment Guide for SVN MultiSite Plus. Integration with Git MultiSite When running Access Control Plus with WANdisco's Git MultiSite, you should refer to the Deployment Guide for Git MultiSite Plus. Integration with Both (SVN and Git MultiSite) Running Access Control in this mode allows for the combined management of Git and Subversion teams and resources - You should refer to both MultiSite deployment guides. Standalone Mode In standalone mode only Access Control data is replicated between nodes. Each Access Control Plus node only manages access to local repository data. Generated password/authz files are stored directly on the Access Control nodes. Standalone mode is available for SVN only Currently the Standalone mode is not able to support Git.
Git or Subversion clients	Any that are compatible with SVN or Git servers.
Apache server	If you plan to deploy with an Apache server it will need to be configured to handle repositories appropriately. Both Git and SVN have their own requirements which are documented in more detail in their corresponding MultiSite Administration Guides: Git MultiSite Authentication (HTTP) SVN MultiSite Deployment Checklist (Apache)
SSH	SSH authentication is available for Git and supported by Git MultiSite. It is simple to set up and is attached to a service which is often already enabled. Occasionally, firewall rules may block clients and is not as popular with Windows users. There is guidance available on setting up SSH in WANdisco Git MultiSite Administrator's Guide
System memory	Ensure RAM and swapping containers are at least four times larger than the largest repository file. Minimum: 2GB RAM; 4GB swapping container Minimum isn't Recommended By default, Access Control Plus's Java process is allocated the following heap space: -Xms128m -Xmx2048m If you need to reduce the heap size you're probably not going to have a comfortable margin. Consider increasing your server's system memory. In case of problems getting Access Control Plus running, you may need to alter the heap. If you need to reduce the heap size you won't be operating with a comfortable margin: consider increasing your server's system memory. Recommended: 4GB; 4GB swapping container Running with other apps In production you must always ensure that your system operates with a comfortable margin. The above memory recommendations don't take into account other applications that you may need to run on the server, notably when running Access Control Plus with either the git or SVN MultiSite products. We recommend that you complete load testing and specify your server's memory based on peak usage.
Disk space	Subversion: Match to projects and branches. Checkouts: You need sufficient disk space to handle large, in-transit checkouts which may get buffered to a tmp directory beneath the replicator installation until that checkout has been completed. The required space can be calculated using the following guideline:
File descriptor limit	Ensure hard and soft limits are set to 64000 or higher. Check with the `ulimit` or `limit` command.
Journaling file system	Replicator logs should be on a journaling file system, for example, ext3 on Linux or VXFS from Veritas.
Max. User Process Limit	At least three times the number of Git or SVN users.
Java	Install JDK 6 (previously referred to as 1.6) or higher. We recommend using Oracle JDK 6. JDK 7 While we currently develop primarily to support Java 6's feature set, Access Control Plus is also compatible with Java 7.
License Model	You can read about the license model in the License Management section of the reference guide.

2.2 Deployment Types

Access Control Plus can be deployed in various modes, including:

Standalone - One ore more nodes that handle repository access control with in a non-replicated scm environment. To clarify, Access Control Plus itself can still be replicated between multiple nodes, "Standalone" is used here to indicate that it is not dealing with replicated Git or SVN data.
With Git MultiSite - One or more nodes deployed at a one or more sites in conjunction with WANdisco's Git MultiSite product.
With SVN MultiSite - One or more nodes deployed at a one or more sites in conjunction with WANdisco's SVN MultiSite product.
Both (with Git & SVN MultiSite) - One or more nodes deployed at a one or more sites in conjunction with both of WANdisco's SCM replication products.

Confirm which mode you a running in

After installation you can see which mode you're in - Check your mode

2.3 Installation Procedure

Once you've checked through the deployment checklist and you're confident that your system meets all the requirements, run through the following section to get Access Control Plus installed.

Don't forget to check the Release Notes for the current version. There may be references to Known limitations that you'll benefit from known about. See Release Notes

Tips If you run into difficulties, be sure to check out our Knowledgebase before raising contacting Support.

1. Download the Access Control Plus installation script "scm-access-control-plus_rpm_installer.sh" from the WANdisco File Distribution website, along with the necessary license key.

2. Create a home directory for the installation, e.g. /opt/wandisco.

3. Ensure that the license.key file is placed on your server (you'll need to provide a path to it during installation). Before you start, make sure the license matches the version of Access Control that you need.

4. Ensure that the installation script is executable, e.g., enter the command:

chmod a+x scm-access-control-plus_rpm_installer.sh

5. Run the installation script

Running Apache?

Run Access Control Plus with the same user and group that is used for Apache. This will help to ensure that permission problems don't occur.

Non-interactive installation

It is possible to complete an installation without the need for user-interaction. Non-interactive Installation.

[root@redhat6 wandisco]# ./scm-access-control-plus_rpm_installer.sh
Verifying archive integrity... All good.
Uncompressing WANdisco Access Control Plus..........

    ::   ::  ::     #     #   ##    ####  ######   #   #####   #####   #####
   :::: :::: :::    #     #  #  #  ##  ## #     #  #  #     # #     # #     #
  ::::::::::: :::   #  #  # #    # #    # #     #  #  #       #       #     #
 ::::::::::::: :::  # # # # #    # #    # #     #  #   #####  #       #     #
  ::::::::::: :::   # # # # #    # #    # #     #  #        # #       #     #
   :::: :::: :::    ##   ##  #  ## #    # #     #  #  #     # #     # #     #
    ::   ::  ::     #     #   ## # #    # ######   #   #####   #####   #####




Welcome to the WANdisco Access Control Plus installation

You are about to install WANdisco Access Control Plus version 1.0.0-1229

Do you want to continue with the installation? (Y/n) Y

Enter "Y" to continue.

6. The installer now checks for prerequisite applications. If there's a problem with Java, recheck the deployment checklist for information about their requirement. Once Java is confirmed as installed Heap settings are applied for running Access Control Plus.

Checking prerequisites:

INFO: Using the following Memory settings:

INFO: -Xms128m -Xmx2048m

Do you want to use these settings for the installation? (Y/n) Y

We'll run with these default settings, entering "Y. For production you should match these settings to your particular requirements - in which case, enter N and type in the start and maximum heap values.

Changing Java Heap after installation

The Java heap settings are stored in the configuration file /opt/wandisco/scn-access-control-plus/main.config
e.g.

	# Access Control Plus configuration
	# DO NOT DELETE
	ACP_USER=wandisco
	ACP_GROUP=wandisco
	ACP_MEM_LOW=128
	ACP_MEM_HIGH=2048

Setting the LOG_FILE environmental variable

If you need to capture a complete record of installer messages, warnings, errors, then you need to set the "LOG_FILE" environment variable before running the installer.
Run the following:

 export LOG_FILE="opt/wandiscoscp/log/file.file"

The file should have permissions sufficient to enable being appended to by the installer. Ideally it should not exist (or exist and be empty) and the directory in which it resides should enable the account running the installer to create the file.

7. Next, the installer confirms TCP ports that it requires.

Which port should ACP listen on? [8082]: 8082
Which port should DConE listen on? [6444]: 6444
Which port should the Content Delivery service listen on? [6445]: 6445

You can stick with the default values, although we strongly recommend that you allocate ports as part of a detailed site survey so that you can be sure there are no conflicts and that all required ports are available on all sites.

8. Enter the path to your license.key file. Then press enter.

A license file is required to use Access Control Plus

Path to the license file: /opt/wandisco/license.key

9. Enter a name for the Access Control Plus Node, this will be used to refer to this particular instance of Access Control Plus. Choose a unique name consisting of numbers and letters.

Node name: node70

10. Enter system user and group details for running Access Control Plus. Heed the warning about not using root user. In this case we've created a specific user and group for use with our scm related services and applications.

We strongly advise against running Access Control Plus as the root user.

Which user should Access Control Plus run as? wandisco

Which group should Access Control Plus run as? wandisco

11. The next option configures the node for operating as part of a replication group. If you are installing a single Access Control Plus node, select "Y". If you are installing multiple Access Control Plus nodes for replication, you need to decide which of those nodes will have this option enabled.

One of your Access Control Plus nodes needs to be configured as a state machine creator. This MUST only be configured on ONE node.

Configure this node as the statemachine creator? (y/N) y

Here we've entered "y". If you're installing multiple Access Control Nodes then select yes for just one of them.

12. Enter the details for an administrator account, you'll use these details for accessing the Access Control admin console.

Access Control Plus needs an admin user to be configured

First Name: Adie
Last Name: Ministrator
Username: admin
Email Address: adie@theorganization.com
Enter a password for admin:
Confirm the password for admin:

13. In the final step for completion you are given a summary of your entries. Check through them and if you're happy, enter "y" to continue.

Installing with the following settings:

System user:                 wandisco
System group:                wandisco
Node name:                   node70
Application Port:            8082
DConE Port:                  6444
Content Delivery Port:       6445
Application Hostname:        10.0.5.96
License:                     /opt/wandisco/license.key
Admin user:                  admin
Application Minimum memory:  128
Application Maximum memory:  2048
Statemachine Creator:        true

Do you want to continue with the installation? (Y/n) y

14. The installation will now complete with a confirmation that a restart has occured.

Restarting scm-access-control-plus services...
Stopping scm-access-control-plus:[  OK  ]
Starting scm-access-control-plus:[  OK  ]
Installation Complete
[root@redhat6 wandisco]#

At this point the Access Control Plus will be running. You'll continue your set up from there. Open a browser and point it at http://<serviceIP>:8082/ui.
If you chose a different application port during step 7 then you will need to use it instead of the default "8082".

Don't miss out the /ui/ from the URL
Currently the browser-based admin console requires that you include the /ui/ directory in its URL. In a future release we'll ensure that any request on the application port will redirect to the admin console.

15. You will first be presented with the Access Control Plus End-user agreement. Read through the agreement, then click the Accept button to continue.
Access Control Plus Login

16. Login for the first time. Enter the username and password that you provided during step 12. Then click Let's do this
Access Control Plus Login

You'll arrive at Access Control Plus's Management Screen. This provides an overview of the accounts, teams and SCM repositories that Access Control Plus manages, along with rules that dictate what scm resources that account holders can access.
Access Control Login 2

2.4 Getting Set up

After completing the installation you now need to set up Access Control Plus to work to your deployment requirements. Different deployments will require different steps. Below are checklists for some example deployments.

Standalone Mode

Follow this checklist if you are deploying in Standalone mode:
In Standalone mode there's no integration with an SCM replication product (e.g. Git MultiSite).

In this example we'd be running with multiple Access Control Plus nodes, using LDAP authentication and SSL end-to-end encryption of traffic. Click each step to be taken to the relevant sections. Obviously if any of these elements are not required, you can ignore or replace the step. e.g. If you are not running with LDAP, you'll maybe replace that step with Adding Accounts

Follow these links to each step:

Induction - Connecting your nodes
LDAP - Enable LDAP Auth
SSL - Enable SSL Encryption
Email Notifications - Setup Email notification
Repositories Templates - Create Repositories Templates
Resources - Add Resources
Teams - Create a Team
Rules - Create a Rule

If you were running with only one Access Control node, you could drop the Induction step.

Access Control Plus with MultiSite

Follow this checklist if you are deploying with a MultiSite Product:

Follow these links to each step:

Induction - Connecting your nodes
Git/SVN MultiSite - Connect to MultiSite
LDAP - Enable LDAP Auth
SSL - Enable SSL Encryption
Email Notifications - Setup Email notification
Repositories Templates - Create Repositories Templates
Resources - Add Resources
Teams - Create a Team
Rules - Create a Rule

Access Control Plus is now installed. Before you start setting up accounts, teams etc you should run through the Settings screen. First, check off what other elements on your platform need to be integrated into Access Control Plus?:

Setting up LDAP

It is common practice to use one or more LDAP authorities for managing which employees need accounts created in Access Control Plus. You connect any number of LDAP authorities, adding them through the Settings screen.

Local users are exempt from updates and removal for synchronization of team admins and team members. This means that a local admin who appears in an authority won't suddenly be added to a team or be made in to a sys admin. Instead a message is logged to indicate that this user has been skipped, it is then down to the sys admin to ensure that the local user is removed.

Access Control Settings

1. From the admin console, click the Settings link on the menu bar.
Settings 01

2. The settings are displayed in an Accordion style menu. Click either the links on the side menu or the title bars in the right-hand panel.
Settings 01

Full details on setting up each section is provided in the Settings reference guide. What settings you apply will be largely determined by how you are using Access Control Plus. The products appearance and functionality differs depending on whether you are running it in a stand-alone mode or in conjunction with WANdisco's Git or SVN MultiSite products.

Application Settings

The Application Settings extend Access Control Plus's own functionality.

Access Control Updates

This section contains settings for running Access Control in Batch updates mode. For more information see the reference section on Batch updates.

Repository Templates

The Repository Templates section is where Git or SVN repositories are defined. In order for Access Control Plus to manage access to a repository a template that corresponds with an existing repository must be added here, along with appropriate references it a password or authorization file.

See Adding Repository Templates, Managing Repository Templates.

Node Management

The Node Management section is used to control how Access Control Plus communicates with other Access Control Plus nodes on replication network, specifically when Access Control Plus is used in conjunction with WANdisco's DConE replication protocol.

Node Induction

The Node Induction section is used to connect this particular instance of Access Control Plus to a replication network. Again, this applies to deployments where multiple instances of Access Control Plus are running, which would allow each development site to have it's own replica of the the access control service.

See Inducting a node.

Node Repairs

The Node Repairs tool is used should one or more nodes be lost or experiencing a lengthy disconnection from the replication network. The tool is used to redefine the replication group so that the remaining nodes can continue to operate.

See Running a Node repair.

External Applications

Connects Access Control Plus to supporting systems to benefit from additonal capabilities.

Connect to MultiSite

If you are running Access Control Plus along with WANdisco's Git or SVN MultiSite products then you enter the necessary details for Access Control Plus to talk to MultiSite via its REST API interface.

See Connecting to SVN MultiSite , See Connecting to Git MultiSite.

Connect to LDAP

Most deployments will use an existing LDAP authority to manage their employee system accounts. This section lets you connect to multiple LDAP authorities and setup queries to filter for accounts that need access to SCM resources.

See Adding an LDAP Authority, Manage LDAP Authorities

Email Notifications

The Email Notifcations settings are used to connect to an available relay server so that Access Control Plus and send notifcation emails to administration staff.

See Manage email settings

2.5 Non-interactive Installation

There is a facility for kicking off the installation of a node without the need for root-level terminal access to the server. Once the installation has finished you can complete the configuration of the node through a browser (interactive-style) or script the configuration using REST API calls. It should be noted, however, that the induction of the nodes still requires interaction with the admin UI.

A "silent" start to the installation requires the running of the following command:

ACP__USER=wandisco
ACP_GROUP=wandisco
ACP_PORT=9000
etc...
export ACP_USER ACP_GROUP ACP_PORT ACP_DCONE_PORT ACP_CONTENT_PORT ACP_NODE_NAME etc...
./scm-access-control-plus_rpm_installer.sh

The installation will then run without user interaction. Once installation is completed, the browser-based admin console will start. You'll then need to complete the node set up from step 14.

It should be possible to build additional automation into the installation by using various calls to the REST API, setting up an admin account, setting up defaults for resources, templates and LDAP settings, etc. It is however, not yet possible to complete the induction of nodes without support from WANdisco's support team.

Environmental Variables

ACP_USER=wandisco: System user for the Access Control Plus process
ACP_GROUP=wandisco: System group used by Access Control Plus process
ACP_PORT=9000: Port allocated for web access to the admin console
ACP_DCONE_PORT=9050: Port allocated for replicated data
ACP_CONTENT_PORT=8000: Port allocated for Access Control's internal content delivery
ACP_NODE_NAME=node1: Name of the Node (different for each node)
ACP_ADMIN_USER=admin: Admin account username
ACP_ADMIN_FIRST_NAME=mr: Admin account first name
ACP_ADMIN_LAST_NAME=admin: Admin account last name
ACP_ADMIN_EMAIL=mr@admin.com: Email address for the admin account - needed to allow Access Control Plus to send out notification emails.
ACP_ADMIN_PASSWORD=password: Admin password
ACP_MEM_LOW=128: The minimum amount of memory allocated to Access Control Plus.
ACP_MEM_HIGH=2048: The maximum amount of memory allocated to Access Control Plus.
ACP_LICENSE_FILE=/home/wandisco/keys/License.key: The full path to the license.key file
ACP_STATEMACHINE_CREATOR='true': True only for a single (Induction controller node), 'false' for the rest.
ACP_HOSTNAME=node1: The IP address or fully qualified domain name of the node (must match with those encoded into to the license.key file.)

Access Control Plus
Last doc build: 17:35 09 May 2014