3 Installing the EDB Ark Console : 3.1 Installing EDB Ark for Amazon AWS

When configuring your instance, you should include the following selections on the Step 3: Configure Instance Details dialog of the Amazon launch wizard (see Figure 3.1):
Use the Auto-assign Public IP drop-down to specify Enable to automatically assign an IP address to the new instance.
Use the Advanced Details section to provide the text of the script that will start the Ark console setup or recovery dialog.
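#!/bin/sh
# Remove any existing password file.
rm -f /var/ppcd/startup-password.txt
# Write the password to the startup password file.
echo "console_password" > /var/ppcd/startup-password.txt
# Restrict the file to the ppcd service user.
chown ppcd:ppcd /var/ppcd/startup-password.txt
chmod 600 /var/ppcd/startup-password.txt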
The Custom TCP rule that opens ports 7800 through 7999 provides enough ports for 200 cluster connections; the upper limit of the port range can be extended if more than 200 clusters are required.
When configuring the Ark console, you are required to provide the setup dialog with details about the AWS service user and the service role. Specify:
the Amazon external ID that will be used by the Ark service user (ppcd) in the Service Account External ID field.
the AWS_ACCESS_KEY_ID associated with the AWS role used for account administration in the AWS Access Key field.
the AWS_SECRET_ACCESS_KEY associated with the AWS role used for account administration in the AWS Secret Key field.
To create the Ark console's service user account, connect to the Amazon AWS management console, and navigate to the Users dashboard; select the Add user button to open the Add user dialog (shown in Figure 3.3).
On the Add user dialog:
Check the box to the left of Programmatic access.
Click Next: Permissions to continue.
When the Permissions dialog opens, click the button labeled Attach existing policies directly, then click the Create policy button. When the Create Policy dialog opens, click the Create Policy button.
Click the Select button to the right of Create Your Own Policy to provide a security policy.
On the Review Policy dialog (see Figure 3.5):
Provide the text that defines the policy in the Policy Document field. You can use the policy provided in Section 10.1.
Click Create Policy to continue.
Then, return to the Add user tab, and click the Refresh button above the list of policies (see Figure 3.6). Select the new policy from the list, and click Next: Review.
Review the details about the user account, and click the Create user button to create the user (see Figure 3.7).
The AWS console will confirm that the user has been added successfully. Click Show to display the Secret access key value (see Figure 3.8).
Provide the Access key ID in the AWS Access Key field on the Ark console setup dialog.
Provide the Secret access key in the AWS Secret Key field on the Ark console setup dialog.
Navigate to the Roles page, and click the Create New Role button.
Select the AWS Service Roles radio button (shown in Figure 3.10), and then the Select button to the right of Amazon EC2 to continue to the Attach Policy dialog.
When the Attach Policy dialog (shown in Figure 3.11) opens, do not select a policy; instead, click Next Step to continue to the Set role name and review dialog.
When the Create Role dialog opens (shown in Figure 3.12), specify a name for the new role and click the Create Role button.
The role will be displayed in the role list on the Amazon IAM Roles page (see Figure 3.13). You can click the role name to display detailed information about the role. Please note that the Summary tab will display a Role ARN, but the ARN will not be enabled until the security policy and trust policy are updated.
After completing the Create Role wizard, you must modify the inline security policy and trust relationship to allow Ark to use the role. Highlight the role name, navigate to the Permissions tab, expand the Inline Policies menu, and select click here to add a new policy (see Figure 3.14).
When the Set Permissions dialog opens, select the Custom Policy radio button, and then click the Select button (see Figure 3.15).
Use the fields on the Set Permissions dialog (Figure 3.16) to define the security policy:
Copy the security policy text into the Policy Document field. For a sample security policy that you can use when creating the service role, please see Reference – AWS Service Role Security Policy and Trust Relationship.
After providing security policy information, click Apply Policy to return to the Role information page. Then, select the Edit Trust Relationship button (located in the Trust Relationships section) to display the Policy Document (see Figure 3.17).
The Summary dashboard (see Figure 3.18) will display values that you must provide in the ppcd.properties file when configuring your Ark console:
The Role ARN associated with the service role must be provided in the Service Account Role ARN field.
The external ID associated with the service role must be provided in the Service Account External ID field. In the example shown, the external ID is EDB-ARK-SERVICE; you can find this value under the Conditions section of the Trust Relationships tab.
Use the AWS Access Key field to specify the Amazon access key ID associated with the AWS role that will be used for account administration.
Use the AWS Secret Key field to specify the Amazon secret key associated with the AWS role that will be used for account administration.
Use the Service Account Role ARN field to specify the Amazon Role ARN (resource name) that should be used by the Ark service user (ppcd) when performing management functions on behalf of Ark.
Use the Service Account External ID field to specify the Amazon external ID that should be used by the Ark service user (ppcd).
Use the Enable Self Registration field to specify if the Ark console should allow self-registration for Ark users; specify true to allow self-registration, or false to disable self-registration.
Use the Contact Email Address field to specify the email address that will be included in the body of cluster status notification emails.
Use the Email From Address field to specify the return email address used on cluster status notification emails.
Use the Notification Email field to specify the email address to which email notifications about the status of the Ark console will be sent.
Use the API Timeout field to specify the number of minutes that an authorization token will be valid for use with the API.
Use the WAL Archive Container field to specify the name of the object storage container where WAL archives (used for point-in-time recovery) are stored. You must provide a value for this field; once set, this property must not be changed.
Use the Dashboard Docs URL field to specify the location of the content that will be displayed on the Dashboard tab of the Ark console. If your cluster resides on a network with Internet access, set the parameter to DEFAULT to display content (documentation) from EnterpriseDB; to display alternate content, provide the URL of the content. To display no content in the lower half of the Dashboard tab, leave the field blank.
Use the Dashboard Hot Topics URL field to specify the location of the content that will be displayed on the Dashboard tab of the Ark console. If your cluster resides on a network with Internet access, set the parameter to DEFAULT to display content (alerts) from EnterpriseDB; to display alternate content, provide the URL of the content. Leave the field blank to omit content.
Use the Storage Bucket field to specify the name of the bucket in which backups will be stored.
Use the Console Backup Folder field to specify the name of the backup folder within the storage bucket.
Use the drop-down listbox in the Timezone field to select the timezone that will be displayed by the Ark console.
When you've completed the setup dialog, click the Save button to validate your changes.
When prompted, click the Restart button to restart the server and start the Ark console. Ark will confirm that the server is restarting (see Figure 3.22).
To define an Amazon role, connect to the Amazon management console, and navigate to the Identity and Access Management dashboard (see Figure 3.24).
Navigate to the Roles dashboard, and click the Create New Role button.
When the Set Role Name dialog opens (shown in Figure 3.25), specify a name for the new role and click Next Step to select a role type.
On the Select Role Type dialog, select the AWS Service Roles radio button (shown in Figure 3.26), and then the Select button to the right of Amazon EC2 to continue to the Attach Policy dialog.
When the Attach Policy dialog (shown in Figure 3.27) opens, do not specify a policy; instead, click Next Step to continue to the Review dialog.
When the Review dialog opens (as shown in Figure 3.28), review the information displayed, and then click Create Role to instruct the AWS management console to create the described role.
The role will be displayed in the role list on the Amazon IAM Roles page (see Figure 3.29). The Summary tab will display a Role ARN, but the ARN will not be enabled until the security policy and trust policy are updated.
After completing the Create Role wizard, you must modify the inline policy and trust relationship (defined by the security policy) to allow Ark to use the role. Highlight the role name, navigate to the Permissions tab, expand the Inline Policies menu, and select click here to add a new policy (see Figure 3.30).
When the Set Permissions dialog opens, select the Custom Policy radio button, and then click the Select button (see Figure 3.31).
Use the fields on the Set Permissions dialog (Figure 3.32) to define the security policy:
Copy the security policy text into the Policy Document field. The security policy required by Ark is available in Section 10.3, AWS User Security Policy.
After providing security policy information, click Apply Policy to return to the Role information page. Then, select the Edit Trust Relationship button (located in the Trust Relationships section) to display the Policy Document (see Figure 3.33).
Replace the displayed content of the policy document with the content of the file available in Section 10.4, AWS User Trust Policy.
EDB-ARK-SERVICE is a placeholder within the trust policy provided in Section 10.4. You must replace the placeholder with the External ID provided on the Step 2 tab of the Ark console New User Registration dialog.
To retrieve the External ID, open another browser window and navigate to the Log In page of your Ark console. Click the Register button to open the New User Registration dialog (shown in Figure 3.34).
Enter user information in the User Details box located on the Step 1 tab:
Enter your first and last names in the First Name and Last Name fields.
Provide an email address in the Email field; please note that the email address is used as the Login identity for the user.
Use the drop-down listbox in the Cloud Provider field to select the host on which the cloud will reside.
When you've completed Step 1, click Next to open the Step 2 tab.
The Step 2 tab of the New User Registration dialog will display a random External ID number. Copy the External ID from the Step 2 dialog into the trust policy, replacing EDB-ARK-SERVICE. Please note that you must enclose the External ID in double-quotes ("). Click the Update Trust Policy button to save your edits and exit the dialog.
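The edited trust policy can be checked before it is saved. The following is an added example, not part of the EDB Ark documentation or its code: it confirms that the EDB-ARK-SERVICE placeholder was replaced, that the External ID is a double-quoted string, and that it matches the value Ark issued. SAMPLE_POLICY is a constructed policy (not the Section 10.4 text), and the names check_trust_policy and as_list are hypothetical.

```python
import json

PLACEHOLDER = "EDB-ARK-SERVICE"  # placeholder text named on this page
# Constructed sample trust policy (not the Section 10.4 text); account ID is made up.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EDB-ARK-SERVICE"}}
  }]
}"""

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_text, external_id):
    """Return a list of problems; an empty list means every statement pins external_id."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (is the External ID in double quotes?): {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy document is not a JSON object"]
    problems, checked = [], 0
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        trusts_account = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not trusts_account or "sts:AssumeRole" not in actions:
            continue
        checked += 1
        # Condition keys are case-insensitive in IAM, so compare them lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        values = [v for k, val in equals.items() if k.lower() == "sts:externalid" for v in as_list(val)]
        if not values:
            problems.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
        for value in values:
            if not isinstance(value, str):
                problems.append(f"statement {i}: External ID {value!r} is not a double-quoted string")
            elif value == PLACEHOLDER:
                problems.append(f"statement {i}: placeholder {PLACEHOLDER} was not replaced")
            elif value != external_id:
                problems.append(f"statement {i}: External ID does not match the one Ark issued")
    if checked == 0:
        problems.append("no Allow statement grants sts:AssumeRole to an AWS principal")
    return problems
```

Call check_trust_policy with the policy text from the Edit Trust Relationship dialog and the External ID shown on the Step 2 tab; an empty list means the policy is ready to save.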
Your Amazon IAM role ARN is displayed on the IAM Roles detail panel of the Amazon management console. Highlight a role name to display the assigned value on the Summary page (as shown in Figure 3.35).
Enter your Amazon IAM role ARN in the Role Arn field on the Step 2 dialog, and click Finish to complete the registration (see Figure 3.36). Select Cancel to exit without completing the registration.
Figure 3.37 - The Login/Register dialog.
Provide the email address in the Email field, and the associated password in the Password field, and click Log In to connect to the Ark management console (shown in Figure 3.38).
Figure 3.38 - The Dashboard tab of the Ark management console.
