Posted on 10-01-2018 07:44 PM
Our organization is migrating our Prod and DMZ servers from 2008 R2 servers (EoL) to 2016 servers. We're starting by migrating our DB to the new Prod server, and were able to get that working; however, it was not talking to our current DMZ server, which should be a firewall issue, which I believe is resolved when we open 3306 (the change had to be reverted for time).
My question is, how/where do you connect the DMZ to the main, internal server? I've looked at the server.xml files, I've looked at all the configs, and can't seem to find what links the two. Is it just the keystore files? I did a test reinstall of JSS on our DMZ server to try to get back to the initial setup screen. It prompted me to connect to localhost, but that's not where the DB is, and I was not able to get past the configuration screen of the first run.
Any help would be appreciated.
Thanks
Posted on 10-01-2018 11:21 PM
The details of the database are stored in DataBase.xml, which is located in:
ROOT/WEB-INF/xml/
Hope this helps
Posted on 10-02-2018 04:14 AM
@notverypc is right... DataBase.xml is where you specify it.
Are you running your MySQL instance on a separate server or on your production JSS?
Whichever one, you will need to drop into the MySQL command line, set up a MySQL user for your DMZ instance and grant permission to the database. The commands are specified in the installation guide, but you will want to run your grant command for '<yourdbuser>'@'<ipaddressofyourmysqlinstance>' in addition to the one you already ran for your production database.
Posted on 10-02-2018 04:21 AM
And make sure that your Database.xml file has the correct database name and server details, the same as the internal one.
You may also want to look at the "Securing the JSS" KB.
Posted on 10-02-2018 04:32 AM
@kerouak has some good info too...I would recommend a quick review of this article, in that it keeps it all easy.
https://www.jamf.com/jamf-nation/articles/174/installing-a-jss-web-application-in-the-dmz
Posted on 10-02-2018 05:53 AM
Hi all, thanks for your responses.
@blackholemac , our DB is on our internal server. Our DMZ server has the web app disabled, and is only used for user-initiated enrollment. Does the DMZ server need a "GRANT ALL on db.*", even though it's limited access?
Thanks again!
Posted on 10-02-2018 06:15 AM
Settings for your DMZ mac here:
GRANT INSERT, SELECT, UPDATE, DELETE, LOCK TABLES ON <database>.* TO '<username>'@'<hostname>' IDENTIFIED BY '<password>';
Posted on 10-02-2018 06:17 AM
It doesn’t necessarily need a “grant all” but it does need the ability to “modify” the database. I use the term “modify” loosely because that may well be a permission key and I don’t want to confuse the word with what is actually needed.
You will need the ability to “create” and “change” records given that you are allowing enrollment at a minimum.
http://dev.mysql.com/doc/refman/5.7/en/privileges-provided.html
The link above lists the actual syntax of permissions you can grant with MySQL 5.7...I would pay a friendly call to Jamf to confirm what is formally required for the limited DMZ instance to function. Most Jamf documentation does a “grant all.”
Posted on 10-03-2018 07:00 AM
It's as I said earlier....
mysql -u root -p
mysql> GRANT INSERT, SELECT, UPDATE, DELETE, LOCK TABLES ON <your database>.* TO '<dmz username>'@'<dmz ip address>' IDENTIFIED BY '<password>';
That's exactly the command you need to run on the database. Been doing this for years in a clustered env.
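The GRANT above, written out as an added example with the least-privilege reasoning from the earlier replies applied (this is not Jamf's documented procedure and not code from this thread). Every name in it is constructed: the schema name jamfsoftware is assumed to be the JSS database name and must match what DataBase.xml on the DMZ server points at, jssdmz is the DMZ account, and 10.0.1.25 stands in for the DMZ server's address as the MySQL host sees it. Use only the block that matches your MySQL version; the two forms create the same account and would conflict if both were run.

```sql
-- Added example, not from the thread or from Jamf. All identifiers are constructed:
--   database : jamfsoftware  (assumed JSS schema name; match it to DataBase.xml)
--   DMZ user : jssdmz
--   DMZ host : 10.0.1.25     (the DMZ server's address as seen by MySQL)
-- Run as a MySQL administrative account, e.g.:  mysql -u root -p

-- MySQL 5.7 form (the shape posted in the thread): GRANT with IDENTIFIED BY
-- creates the account and assigns privileges in one statement. The host part
-- is what scopes the account to the DMZ box; '%' would accept the password from
-- any address that can reach 3306, which defeats the point of the firewall rule.
-- Only the table-level privileges enrollment needs are granted, no GRANT ALL,
-- and REQUIRE SSL refuses logins from the DMZ that are not TLS-encrypted.
GRANT INSERT, SELECT, UPDATE, DELETE, LOCK TABLES
  ON jamfsoftware.*
  TO 'jssdmz'@'10.0.1.25'
  IDENTIFIED BY 'replace-with-a-long-random-password'
  REQUIRE SSL;

-- MySQL 8.0 form: IDENTIFIED BY is no longer accepted inside GRANT, so the
-- account is created first and the same privileges are granted separately.
CREATE USER 'jssdmz'@'10.0.1.25'
  IDENTIFIED BY 'replace-with-a-long-random-password'
  REQUIRE SSL;
GRANT INSERT, SELECT, UPDATE, DELETE, LOCK TABLES
  ON jamfsoftware.*
  TO 'jssdmz'@'10.0.1.25';

-- Checks after either form. The first query should return exactly one row
-- (the DMZ host, ssl_type = ANY); a second row with host '%' means a broader
-- account with the same name still exists and should be dropped. SHOW GRANTS
-- should list only the schema-scoped privileges above, no global ones.
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'jssdmz';
SHOW GRANTS FOR 'jssdmz'@'10.0.1.25';
```

The user name, password and the MySQL host's address then go into DataBase.xml on the DMZ server, and the firewall rule for 3306 should allow only the DMZ server's address to reach the internal MySQL host rather than opening the port generally.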