Clustering Config for DMZ Server Migration

tomgluver
New Contributor III

Our organization is migrating our Prod and DMZ servers from 2008 R2 servers (EoL) to 2016 servers. We're starting by migrating our DB to the new Prod server, and I was able to get that working; however, it was not talking to our current DMZ server, which should be a firewall issue, which I believe is resolved when we open 3306 (the change had to be reverted for time).

My question is, how/where do you connect the DMZ to the main, internal server? I've looked at the server.xml files, I've looked at all the configs, and can't seem to find what links the two. Is it just the keystore files? I did a test reinstall of JSS on our DMZ server to try to get back to the initial setup screen. It prompted me to connect to localhost, but that's not where the DB is, and I was not able to get past the configuration screen of the first run.

Any help would be appreciated.

Thanks


notverypc
New Contributor III

The details of the database are stored in

DataBase.xml

which is located in:

ROOT/WEB-INF/xml/

Hope this helps

blackholemac
Valued Contributor III

@notverypc is right...DataBase.xml is where you specify.

Are you running your MySQL instance on a separate server or on your production JSS?

Whichever one, you will need to drop into the MySQL command line, set up a MySQL user for your DMZ instance and grant it permission to the database. The commands are specified in the installation guide, but you will want to run your grant command for '<yourdbuser>'@'<ipaddressofyourmysqlinstance>' in addition to the one you already ran for your production database.

kerouak
Valued Contributor

And make sure that your Database.xml file has the correct database name and server details, the same as the internal one.

You may also want to look at "securing the jss" KB

blackholemac
Valued Contributor III

@kerouak has some good info too...I would recommend a quick review of this article, in that it keeps it all easy.

https://www.jamf.com/jamf-nation/articles/174/installing-a-jss-web-application-in-the-dmz

tomgluver
New Contributor III

Hi all, thanks for your responses.

@blackholemac , our DB is on our internal server. Our DMZ server has the web app disabled, and is only used for user-initiated enrollment. Does the DMZ server need a "GRANT ALL on db.*", even though it's limited access?

Thanks again!

kerouak
Valued Contributor

@tomgluver

Settings for your DMZ mac here:

GRANT INSERT, SELECT, UPDATE, DELETE, LOCK TABLES ON <database>.* TO '<username>'@'<hostname>' IDENTIFIED BY '<password>';

blackholemac
Valued Contributor III

It doesn’t necessarily need a “grant all” but it does need the ability to “modify” the database. I use the term “modify” loosely because that may well be a permission key and I don’t want to confuse the word with what is actually needed.

You will need the ability to “create” and “change” records given that you are allowing enrollment at a minimum.

http://dev.mysql.com/doc/refman/5.7/en/privileges-provided.html

The link above lists the actual syntax of permissions you can grant with MySQL 5.7...I would pay a friendly call to Jamf to confirm what is formally required for the limited DMZ instance to function. Most Jamf documentation does a “grant all.”

kerouak
Valued Contributor

It's as I said earlier....

mysql -u root -p

mysql> GRANT INSERT, SELECT, UPDATE, DELETE, LOCK TABLES ON <your database>.* TO '<dmz username>'@'<dmz ip address>' IDENTIFIED BY '<password>';

That's exactly the command you need to run on the database. Been doing this for years in a clustered env.
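Pulling the grant discussion from @blackholemac and @kerouak together, here is an added worked example (not posted by anyone in this thread, and not Jamf's own documentation) of creating the DMZ account on the internal MySQL server with the host part pinned to the DMZ server's IP and only the privilege list kerouak gave, then verifying it. The database name jamfsoftware, the account name dmzjss, and the IP addresses 203.0.113.10 and 198.51.100.20 are assumptions; replace them with your own. It uses CREATE USER followed by GRANT because the one-step GRANT ... IDENTIFIED BY form shown above is accepted by MySQL 5.7 but was removed in MySQL 8.0. Whether this privilege set is sufficient for your JSS version is something to confirm with Jamf, as blackholemac suggests.

```sql
-- Added example, not from this thread. Run on the internal MySQL server as root.
-- Assumed (hypothetical) values: schema jamfsoftware, account dmzjss,
-- new DMZ server IP 203.0.113.10, old 2008 R2 DMZ server IP 198.51.100.20.

-- 1. Create the account scoped to the DMZ host only. The host part is the
--    address MySQL sees the connection coming FROM; if the DMZ box reaches the
--    internal server through NAT, use the translated address instead.
CREATE USER 'dmzjss'@'203.0.113.10'
    IDENTIFIED BY 'replace-with-a-long-random-password';

-- 2. Grant only the table-level privileges from kerouak's post, only on the
--    JSS schema. No GRANT ALL, no global (*.*) privileges, no '%' host.
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES
    ON jamfsoftware.* TO 'dmzjss'@'203.0.113.10';

-- 3. Verify exactly what the DMZ account can do before putting it in the
--    DMZ server's DataBase.xml.
SHOW GRANTS FOR 'dmzjss'@'203.0.113.10';

-- 4. Look for over-broad accounts left behind by earlier installs, e.g. the
--    same user with a wildcard host, or anonymous accounts.
SELECT user, host
  FROM mysql.user
 WHERE host IN ('%', '') OR user = '';

-- 5. When the old DMZ host is decommissioned, drop its account so that a
--    reused IP in the DMZ cannot inherit the grant.
DROP USER IF EXISTS 'dmzjss'@'198.51.100.20';
```

A quick way to separate the firewall problem in the original post from the database configuration: from the DMZ server, run `mysql -h <internal server IP> -u dmzjss -p -e 'SELECT 1'`. If that fails, 3306 is still blocked (or the host part of the account does not match the source address MySQL sees) and no amount of editing DataBase.xml will help; if it succeeds, point the DMZ server's DataBase.xml at the internal server with this account.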