# Production Installation

SkillTree encourages a high-availability and horizontally scalable production installation. To achieve both of these goals, multiple instances of skills-service must be installed on different nodes/instances. Each skills-service node will have the same configuration and is designed to scale-up or scale down horizontally. You can add or remove instances any time.

TIP

Please note that this section is only applicable if you are installing the SkillTree platform from scratch. If your organization is already running a centralized service please proceed to the Integration User Guide or the Dashboard User Guide

There are two installation modes:

  • Password Auth Mode: Accounts created and managed by SkillTree and/or delegated to OAuth2 authentication provider (ex. GitHub, Google, etc..)
  • PKI Auth Mode: PKI Mode is for intranets where organizations utilize PKI with 2-way SSL certificates to implement authentication and authorization. User's browser must be setup with a personal PKI certificate and that certificate must be issued by a Certificate Authority trusted in the dashboard application's truststore.

TIP

Definitely use Password Auth Mode if you are not sure which mode is applicable to you.

# Password Auth Mode Install

Production-grade installation requires a cluster of skills-service daemons which must reside on multiple machines/instances with a load balancer in front of them. There are a number of products that need to be installed in high-availability mode in order to support a clustered SkillTree setup.

Production Installation for Pass Auth Mode

1: Clustered deployment of skills-service for high-availability and higher throughput

  • Route requests through a load balancer

2: Database - We currently only support PostgreSQL for a production-grade install

  • Visit the Database section to configure skills-service
  • Make sure to install PostgreSQL in high-availability mode
  • PostgreSQL 's installation, setup and management is beyond the scope of this section, please visit [https://www.postgresql.org](https://www.postgresql.org/).

3: WebSocket Stomp Brokers

4: Redis: Required for clustered skills-service deployment to persist HttpSession

# Auth Mode skills-service Configuration

Here is a minimum required list of configurations in order to run production-grade skills-service instance(s). Please visit the Configuration section to learn how to configure skills-service.
Each skills-service instance should be configured with the following:

DB configs:

spring.datasource.url=jdbc:postgresql://<server>:5432/skills
spring.datasource.username=
spring.datasource.password=

Please visit the Database section for further information

WebSocket Stomp:

skills.websocket.enableStompBrokerRelay=true
skills.websocket.relayHost=
skills.websocket.relayPort=

Store HttpSession in Redis:

spring.session.store-type=redis
spring.redis.host=
spring.redis.password=
spring.redis.port=6379

Configure https:

server.port=8443
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=/path/to/keystore.p12
server.ssl.key-store-password=

# Force TLSv1.2 until https://bugs.openjdk.java.net/browse/JDK-8241248 is fixed
server.ssl.enabled-protocols=TLSv1.2

Java VM option to increase skills-service heap size:

-Xmx2g -Xms2g

# PKI Auth Mode Install

Production-grade installation requires a cluster of skills-service daemons which must reside on multiple machines/instances with a load balancer in front of them. There are a number of products that need to be installed in high-availability mode in order to support a clustered SkillTree setup.

Production Installation for Pass PKI Mode

1: Clustered deployment of skills-service for high-availability and higher throughput

  • Route requests through a load balancer

2: Database - We currently only support PostgreSQL for a production-grade install

  • Visit the Database section to configure skills-service
  • Make sure to install PostgreSQL in high-availability mode
  • PostgreSQL 's installation, setup and management is beyond the scope of this section, please visit [https://www.postgresql.org](https://www.postgresql.org/).

3: WebSocket Stomp Brokers

4: User Info Service - Provides user information based on PKI's Distinguished Name (DN)

  • You are responsible for implementing this service, please visit the User Info Service section to learn more.
  • Make sure to run it in High Availibility mode

# PKI Mode skills-service configuration

Here is a minimum required list of configurations in order to run production-grade skills-service instance(s). Please visit the Configuration section to learn how to configure skills-service.
Each skills-service instance should be configured with the following:

DB configs:

spring.datasource.url=jdbc:postgresql://<server>:5432/skills
spring.datasource.username=
spring.datasource.password=

Please visit the Database section for further information

WebSocket Stomp:

skills.websocket.enableStompBrokerRelay=true
skills.websocket.relayHost=
skills.websocket.relayPort=

Store HttpSession in Redis:

spring.session.store-type=redis
spring.redis.host=
spring.redis.password=
spring.redis.port=6379

Enable PKI mode install:

skills.authorization.authMode=PKI

Configure https and 2-way SSL:

server.port=8443
server.ssl.enabled=true
server.ssl.client-auth=want
	
# Force TLSv1.2 until https://bugs.openjdk.java.net/browse/JDK-8241248 is fixed
server.ssl.enabled-protocols=TLSv1.2

# keystore
server.ssl.key-store=/certs/keystore.p12
server.ssl.key-store-password=
server.ssl.keyStoreType=PKCS12

# truststore
server.ssl.trust-store=/certs/truststore.p12
server.ssl.trust-store-password=
server.ssl.trustStoreType=PKCS12

User Info Service client properties:

# To retrieve user info by DN
skills.authorization.userInfoUri=https://<host>:<port>/userInfo?dn={dn}
# Used by dashboard dropdowns to suggest existing users
skills.authorization.userQueryUri=https://<host>:<port>/userQuery?query={query}
# skills-service checks the health of User Info Service
skills.authorization.userInfoHealthCheckUri=https://<host>:<port>/actuator/health

If User Info Service utilizes 2-way SSL then add the following client authentication properties (Java System Properties):

# Keystore
-Djavax.net.ssl.keyStore=/certs/keystore.p12
-Djavax.net.ssl.keyStoreType=PKCS12
-Djavax.net.ssl.keyStorePassword=

# Truststore
-Djavax.net.ssl.trustStore=/certs/truststore.p12
-Djavax.net.ssl.trustStoreType=PKCS12
-Djavax.net.ssl.trustStorePassword=

Java VM option to increase skills-service heap size:

-Xmx2g -Xms2g
Last Updated: 12/13/2022, 2:52:20 PM