How to Configure Remote Staging in a Clustered Liferay DXP Environment

 
Well, I decided to write this post after racking my brain a lot (brains were almost flying everywhere) trying to configure remote staging in a clustered environment. Staging is that feature you either love or hate; it's a love-hate affair, Mexican soap opera style, where in the end everything turns out right and everyone lives happily ever after :p
 
Let's stop chatting and get to what matters. What we need to do to succeed with staging is not as complicated as it seems. I believe that after this post, when your boss says "configure remote staging in our environment," you won't feel like a cat hearing its owner say it's about to get a bath.
 
 
The architecture we'll work from is simple: an instance that will be staging (with database and file repository configuration different from the cluster nodes), a balancer responsible for the traffic between the nodes of the cluster, and two nodes, which we'll call appserver01 and appserver02, connected to the same database.
 
 
Assuming that the web and application tier are already configured and that the cluster is already configured as well, I've divided the staging configuration into three parts:
 
1 - Configuration of properties: staging, appserver01 and appserver02;
2 - Setting the TunnelAuthVerifier property in the system settings;
3 - Enabling remote staging in the publishing option of the Site Administration.
 
The first thing to worry about is the Liferay property files, more specifically the portal-ext.properties files, where we'll set the tunneling.servlet.shared.secret and tunneling.servlet.shared.secret.hex properties on staging, appserver01 and appserver02.
 
This shared secret secures the communication between one portal and the other: a portal that does not share the same secret key is denied.
 
tunneling.servlet.shared.secret=[secret]
 
If your operating system is Unix, you can use this command to generate a 128-bit AES key.
 
openssl enc -aes-128-cbc -k abc123 -P -md sha1
 
The following key lengths are supported by the available encryption algorithms:
  • AES: 128, 192, and 256 bit keys
  • Blowfish: 32 - 448 bit keys
  • DESede (Triple DES): 56, 112, or 168 bit keys (However, Liferay places an artificial limit on the minimum key length and does not support the 56 bit key length)
When the following property is set to true, you must provide the tunneling.servlet.shared.secret value in hexadecimal encoding.
 
tunneling.servlet.shared.secret.hex=true
 
Add the following lines to the portal-ext.properties file of each Liferay instance, setting your secret key:
 
tunneling.servlet.shared.secret=[secret]
tunneling.servlet.shared.secret.hex=true
 
Another property to take care of is tunnel.servlet.hosts.allowed, which must be added to the portal-ext.properties file on the application tier nodes, appserver01 and appserver02. This property allows connections from the configured IPs, so it must include the IP of the staging instance.
 
Add the following lines to the portal-ext.properties file on the appserver01 and appserver02 nodes:
 
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP,STAGING_IP
tunnel.servlet.https.required=false
 
Note: SERVER_IP must be replaced by the IP of the instance itself and STAGING_IP by the IP of the Staging instance.
 
After setting up the properties files, you need to restart each portal.
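As an added example (not from the original post or from Liferay), this Python sketch checks the portal-ext.properties of the three instances for the points above: one identical secret everywhere, a valid hex AES key when tunneling.servlet.shared.secret.hex=true, and the staging IP in tunnel.servlet.hosts.allowed on the live nodes. It also reports tunnel.servlet.https.required=false, since that setting lets the tunnel run over plain HTTP, and new_secret_hex generates a random key instead of deriving one from a passphrase. The function names, sample IPs and sample key are constructed for illustration, and AES is assumed as the algorithm.

```python
import secrets

AES_KEY_BITS = {128, 192, 256}  # AES key lengths listed in the post (AES assumed)

def new_secret_hex(bits=128):
    """Random key, hex-encoded, for tunneling.servlet.shared.secret."""
    return secrets.token_hex(bits // 8)

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(nodes, staging_ip):
    """nodes maps a node name to its portal-ext.properties text."""
    findings = []
    parsed = {name: parse_properties(text) for name, text in nodes.items()}
    if len({p.get("tunneling.servlet.shared.secret") for p in parsed.values()}) != 1:
        findings.append("shared secret differs between nodes")
    for name, p in parsed.items():
        secret = p.get("tunneling.servlet.shared.secret", "")
        if p.get("tunneling.servlet.shared.secret.hex") == "true":
            try:
                bits = len(bytes.fromhex(secret)) * 8
            except ValueError:  # non-hex characters or odd length
                bits = 0
            if bits not in AES_KEY_BITS:
                findings.append(f"{name}: secret is not a hex-encoded AES key")
        if name == "staging":
            continue  # the host allow-list is set on the live nodes only
        hosts = [h.strip() for h in p.get("tunnel.servlet.hosts.allowed", "").split(",")]
        if staging_ip not in hosts:
            findings.append(f"{name}: staging IP missing from hosts.allowed")
        if p.get("tunnel.servlet.https.required") != "true":
            findings.append(f"{name}: tunnel does not require HTTPS")
    return findings

# Constructed sample: documentation-range IPs and a fixed demo key (never deploy it).
KEY = "00112233445566778899aabbccddeeff"
SECRET = f"tunneling.servlet.shared.secret={KEY}\ntunneling.servlet.shared.secret.hex=true\n"
LIVE = SECRET + "tunnel.servlet.hosts.allowed=127.0.0.1,192.0.2.11,192.0.2.5\ntunnel.servlet.https.required=false\n"
SAMPLE = {"staging": SECRET, "appserver01": LIVE,
          "appserver02": LIVE.replace(KEY, KEY[:-2])}  # appserver02 has a truncated key
```

Calling audit(SAMPLE, "192.0.2.5") reports the mismatched secret, the truncated key on appserver02, and the HTTP-only tunnel on both live nodes.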
 
The second thing we need to configure is the TunnelAuthVerifier property in the system settings of the nodes in our application tier, appserver01 and appserver02. Navigate to the Control Panel → Configuration → System Settings → Foundation → Tunnel Auth Verifier. Click /api/liferay/do and insert the Staging IP addresses you are using in the Hosts allowed field. Then select Update.
 
You can also do this configuration on each node of your cluster through the TunnelAuthVerifierConfiguration-default.config file, located at the path below (I really recommend doing the configuration this way):
 
osgi/configs/com.liferay.portal.security.auth.verifier.tunnel.module.configuration.TunnelAuthVerifierConfiguration-default.config
 
Add the following lines to the file:
 
enabled=true
hostsAllowed=127.0.0.1,SERVER_IP,STAGING_IP
serviceAccessPolicyName=SYSTEM_USER_PASSWORD
urlsIncludes=/api/liferay/do
 
Note: If your portal version is SP4 or earlier, the file extension should be .cfg
 
Finally, we must enable remote staging on our Staging instance. Go to the Publishing options in Site Administration and select Staging, then select Remote Live, and additional options appear.
 
 
Fill in the Remote Host/IP field; for the sake of availability, it is recommended to use the balancer IP of our WEB tier. Then enter the remote port of this balancer in the Remote Port field. Finally, access appserver01, copy the remote site ID, paste it in the Remote Site ID field, and save the settings.