Before Starting the Installation

This section contains important information you must be aware of before starting the installation.

Before installing the software, you need to create and configure service endpoints, certificates, reverse proxy and load balancers.

Service Endpoints

Before you start the installation, the Globe service needs a dedicated URL endpoint to be configured. For example:

 globe.mydomain.com

HTTPS and Certificates

To be accepted by the 3DEXPERIENCE platform servers, the certificate CN must be equal to the full server URL (e.g. globe.com) or to a domain with a wildcard (e.g. *.mydomain.com).

There are no requirements specific to the Globe service.

The certificate expiry date must, of course, also be in the future. The certificate comprises two parts:

  • the (public) certificate itself, needed to be understood by all clients and servers of the platform
  • and the (private) key, which is needed only for the reverse proxy.

Certificates can be obtained from any public certificate authority or, if you have your own authority, generated and signed by that authority. Self-signed certificates may be used, but we strongly recommend that you do not use them, since they generate many warnings and/or errors from components that do not recognize the certificate as valid or safe.

You can generate certificate requests and transmit them to your administrator or provider. For more information see Set Up Certificates.
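The CN and expiry rules above can be checked before installation. The following is an added example, not part of the product documentation: the function names and the sample certificate are constructed, and the subjectAltName check goes beyond the CN rule stated here because current TLS clients match host names against subjectAltName.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def fetch_peercert(host, port=443, timeout=5.0):
    """Return the certificate of a live endpoint; raises if validation fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def check_certificate(cert, endpoint, now=None):
    """Return a list of problems; an empty list means the certificate is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(cn, endpoint) for cn in cns):
        problems.append(f"CN {cns} does not cover {endpoint}")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, endpoint) for s in sans):
        problems.append(f"no DNS subjectAltName covers {endpoint}")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expiry <= now:
        problems.append(f"expired on {expiry:%Y-%m-%d}")
    return problems

if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "globe.mydomain.com"))
```

Against a deployed reverse proxy, pass the result of fetch_peercert() to check_certificate() instead of the sample.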

Reverse Proxy and Load Balancers

Connections to all 3DEXPERIENCE platform services use the HTTPS protocol for security reasons. For the application to be reachable by its clients, a reverse proxy (to terminate HTTPS calls) and a load balancer (for high availability) should be cascaded between the client and the application server for the service. These two functions may be performed by the same component.

The reverse proxy, apart from securing the communication between the client (or other servers) and the application, also sets some headers to allow CORS capabilities between elements of the platform. Configurations for Apache 2.4 are built during the service installation process and can be found at:

<install_dir>/<os>/templates/<service_name>_http_fragment.conf[.txt]

They can easily be translated into configurations for other reverse proxy technologies.

All load balancers should be configured to preserve sessions using cookies and a parameter value (see examples given for some load balancers). See the installation documentation for each service for more details.

There are several different possibilities:

  • all the different services may be installed either on different machines, or on the same machine
  • you can have a different reverse proxy for each service, but all the different services may also use the same reverse proxy
  • all the different services may use different HTTPS ports, or the same port.
    Note: Typical examples are the case of a DMZ setup, or security limitations on open ports.

The case where the services are set up using the same virtual host, on the same / uri (without a different path for each service) is not possible in a single httpd.conf configuration file with only one domain.

Note: The fragments for each service are isolated in a location container, allowing them to be used on the same Apache HTTPD server on the same port.

Add all templates into one HTTPD configuration file within a single, correctly configured SSL VirtualHost. For more information, see the section "Configuring the Reverse Proxy" in each service installation guide.

Machines

Physical or virtual machines can be used to deploy the Globe service.

Internet Access

Internet access is mandatory to get access to all external data (WMTS, WMS, WFS, and so on).

Firewall settings

We recommend that you update firewall settings for all services to accommodate non-default ports, if chosen.

Shared Directory

Almost all services need a shared directory to store data:

  • Always keep the data directories in a common path managed by mount (generally used on Linux) or NAS (Network Attached Storage) with read/write/execute access.
  • This method is particularly useful when large amounts of data need to be saved, and also facilitates management of a load balanced environment.

Configuration information shared between services

Configuration information is also shared between services.

We also recommend that you set up a shared configuration directory in a common path managed by mount (generally used on Linux) or NAS (Network Attached Storage) with read/write/execute access for all services, including reverse proxies and load balancers.

It should contain the following elements:

  • certificates (.cer (or .crt))
  • TNSNames.ora directory.

Application Servers

The Globe service requires a dedicated, separate application server: the services cannot share the same application server. If the embedded Server JRE is not selected at installation, the setenv.bat/.sh file must be updated with the variable JAVA_HOME for each application server.

Timezone

For all servers, set the time zone to UTC (Coordinated Universal Time).

On Linux, configure the system time zone to UTC. To do so, run for instance the following command:

ln -sf /usr/share/zoneinfo/UTC /etc/localtime

Clock synchronization

You must ensure that all clocks on all servers are synchronized using technology such as NTP synchronization.

List of services communicating with DSLS Server

The Globe service communicates with the DSLS server to validate the user’s licenses. CV (Cloud View) licensing is managed with a file.

Load Balancing Recommendations

Load balancing multiple instances of each 3DEXPERIENCE platform service is recommended for production environments, for availability, scalability and performance.

All services supporting access through load balancing must comply with the following constraints:

  • Session affinity is performed through cookie injection (a cookie is set for each client, identifying the affected node and reading this cookie value will enable traffic to be directed to the same node), and per URL.
  • For calls that do not have cookies:
    • For an OPTIONS call: do not set any cookie (just set CORS headers and return 200, see reverse proxy configuration for content)
    • For all other calls: set the cookie with the Node ID, and set the x-dsp-client-node header with the same Node ID
  • Health-checking through HTTP calls.

[Figures: standard first request; OPTIONS request; standard other request (not OPTIONS, not first)]

In compliance with these constraints, here is an example of a load balancing configuration using haproxy (behind an independent reverse proxy).

Note: HAProxy support is limited to Linux Operating Systems.

global
  log 127.0.0.1 syslog notice
  maxconn 4000

defaults
  log global
  option tcplog
  option forwardfor
  timeout connect 5000
  timeout client 50000
  timeout server 50000
  option http-server-close

frontend http-in
  bind *:{inbound port}
  mode http
  # HTTP log format ("option" keywords are not accepted in the global section)
  option httplog
  # Record the affinity cookie in the logs
  capture cookie SERVERID len 100
  default_backend Service_All

backend Service_All
  balance roundrobin
  mode http
  # Session affinity: inject a cookie identifying the node
  cookie SERVERID insert indirect nocache secure httponly
  # For all services except 3DSpace:
  option httpchk OPTIONS /{Service uri}//healthcheck/ HTTP/1.0
  # For 3DSpace:
  # option httpchk OPTIONS /enovia/ HTTP/1.0
  # Pass the selected node name to the application server
  http-send-name-header x-dsp-client-node
  # List of servers
  server Front_0 {server0 IP}:{tomee port} cookie Front_0 check
  server Front_1 {server1 IP}:{tomee port} cookie Front_1 check
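The three request cases listed in the constraints (first request, OPTIONS, subsequent request) can be written as a small reference model for testing a load balancer configuration. This is an added example, not product code: the AffinityModel class is hypothetical, the cookie name and node names come from the HAProxy example above, and re-assigning a client whose node is down is an assumption.

```python
import itertools

COOKIE = "SERVERID"                # cookie name from the HAProxy example above
NODE_HEADER = "x-dsp-client-node"  # header named in the constraints

class AffinityModel:
    """Hypothetical reference model of the affinity rules; not product code."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.healthy = set(self.nodes)  # would be updated by health checks
        self._ring = itertools.cycle(self.nodes)

    def _pick(self):
        # Round robin over nodes that currently pass the health check.
        for _ in self.nodes:
            node = next(self._ring)
            if node in self.healthy:
                return node
        raise RuntimeError("no healthy node available")

    def handle(self, method, cookies):
        node = cookies.get(COOKIE)
        if node in self.healthy:
            # Subsequent request: the cookie pins the client to its node.
            return {"node": node, "set_cookie": None, "forward": {NODE_HEADER: node}}
        if method.upper() == "OPTIONS":
            # Cookie-less OPTIONS: answer 200 with CORS headers, never a cookie.
            return {"node": None, "set_cookie": None, "status": 200, "cors_only": True}
        # First request (or the pinned node is down, an assumption): assign a node,
        # inject the cookie and pass the same node ID to the application server.
        node = self._pick()
        cookie = f"{COOKIE}={node}; path=/; HttpOnly; Secure"
        return {"node": node, "set_cookie": cookie, "forward": {NODE_HEADER: node}}

if __name__ == "__main__":
    lb = AffinityModel(["Front_0", "Front_1"])
    print(lb.handle("GET", {}))                        # first request
    print(lb.handle("OPTIONS", {}))                    # OPTIONS without cookie
    print(lb.handle("POST", {"SERVERID": "Front_0"}))  # subsequent request
```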

Service healthCheck

You can check the Globe service status by opening the following URL in your browser:

https://<hostname>:<port>/<URI>/datasupplier/healthcheck