Install the Microsoft HPC Pack Web Components
Applies To: Microsoft HPC Pack 2012, Microsoft HPC Pack 2012 R2
Starting with HPC Pack 2008 R2 with SP2, you can install and configure the HPC Pack web components. The web components include the following:
The Windows HPC Server Web Portal, which cluster users can use to submit and manage jobs
An interface to the HPC Job Scheduler Service using an HTTP web service that is based on the representational state transfer (REST) model
Note
The HPC Pack web components can only be installed on the head node of the cluster.
When the administrator and HPC Server Web Portal are all on the Head Node, the administrator can test how the users see the portal and get access as an administrator by running Internet Explorer with elevated privileges (“Run as administrator”). If an administrator is accessing the HPC Server Web Portal from a server other than the Head Node, then the administrator should connect to the portal with administrative credentials.
To install the HPC Pack web components, you must use the installation file HpcWebComponents.msi. HpcWebComponents.msi is included in HPC Pack installation files available at the Microsoft Download Center, or in the HPC Pack installation media.
To install the web components, perform the following steps:
1. Run HpcWebComponents.msi
2. Choose an SSL certificate for the HPC web components
3. Configure the web components
4. Validate the installation of the HPC Server Web Portal
1. Run HpcWebComponents.msi
First, run the HpcWebComponents.msi installation program on the head node computer. Follow the steps in the wizard.
Note
If you have configured the head node of your cluster for high availability in the context of a failover cluster, run HpcWebComponents.msi first on the active head node, and then on the passive head node.
2. Choose an SSL certificate for the HPC web components
To communicate with web clients over Secure Sockets Layer (SSL), the HPC web components use an SSL certificate that is bound to the port that is used for communication (port 443 by default). If a certificate is not already bound to this port, you must specify the thumbprint of a X.509 certificate during the configuration of the web components. It is recommended that you obtain a trusted certificate from an appropriate certification authority, but you can generate and install a temporary certificate for testing purposes. If you choose to generate and install a temporary certificate for use with the web components, see How to: Create Temporary Certificates for Use During Development. Optionally, when you run the configuration script Set-HPCWebComponents.ps1 (which is installed when you run HpcWebComponents.msi), you can choose to generate and install a self-signed certificate, which you may also find useful for testing or proof-of-concept deployments.
Important
-
If you use a trusted certificate or a temporary certificate, ensure that you import it to the Trusted Root Certification Authorities Store of the local computer account on the head node. If you have configured your head node for high availability in the context of a failover cluster, import it to the Trusted Root Certification Authorities Store on both head node computers.
-
If you need to replace a certificate that is already bound to the port that you want to configure for the web components, you must first delete the existing certificate bindings. To do this, you can use the netsh http delete sslcert command. For more information about managing SSL certificates, see How to: Configure a Port with an SSL Certificate.
3. Configure the web components
To configure the Windows HPC Server Web Portal and the REST interface, you must run the provided HPC PowerShell script %CCP_HOME%\bin\Set-HPCWebComponents.ps1. When you run the script, you specify parameters as indicated in the following table:
Parameter |
Description |
---|---|
-Service <ComponentType> |
Configures the component specified by <ComponentType>. Valid values are Portal or REST. You can omit “-Service”. Note
|
-enable | -disable |
Enables or disables a component. |
-Port <PortNumber> |
Configures the component to use the specified port <PortNumber>. If the parameter is not specified, the script configures port 443 by default. |
-Certificate <CertThumbprint> |
Binds the SSL certificate specified using the thumbprint <CertThumbprint>. Important
|
-AuthenticationMethod <Method> |
Configures the component to use a specified authentication method. Valid values are Basic or NTLM. If the parameter is not specified, the script configures Basic authentication by default. |
Choose one of the following two procedures to set up the web components:
To configure the web components on a single head node
To configure the web components on a head node configured for high availability in a failover cluster
Important
You must configure the web components to use identical certificates and port bindings on both head nodes of the failover cluster.
To configure the web components on a single head node
Start HPC PowerShell as an administrator.
To view the current port configurations for SSL certificates, type the following command:
netsh http show sslcert
In the command output, note any IP:port bindings.
If you need to delete an existing SSL certificate binding to the port <PortNumber> that you plan to use for the web components, type the following:
netsh http delete sslcert 0.0.0.0:<PortNumber>
To change the directory to the location of the script, type:
cd $env:CCP_HOME\bin
To configure the Windows HPC Server Web Portal, run the Set-HPCWebComponents.ps1 HPC PowerShell script using the –Service Portal parameter:
If no existing SSL certificate is bound on the default port 443, to run the script so that the available certificates are displayed, type:
.\Set-HPCWebComponents.ps1 –Service Portal -enable
- When prompted, type the number of a certificate in the list of available certificates. If you want the script to generate and configure the portal with a self-signed certificate, type 0.
To run the script by specifying port <PortNumber> and the thumbprint <CertThumbprint> of an SSL certificate, type:
.\Set-HPCWebComponents.ps1 –Service Portal –enable –certificate <CertThumbprint> -Port <PortNumber>
Important
If an SSL certificate is already bound on the port <PortNumber>, you must either specify that certificate when you run the script, or choose a different certificate and port binding.
To configure the REST interface and start the HPC Web Service, run the Set-HPCWebComponents.ps1 HPC PowerShell script using the –Service REST parameter:
If no existing SSL certificate is bound on the default port 443, to run the script so that the available certificates are displayed and the REST service uses Basic authentication, type:
.\Set-HPCWebComponents.ps1 –Service REST -enable
- When prompted, type the number of a certificate in the list of available certificates. If you want the script to generate and configure the portal with a self-signed certificate, type 0.
To run the script by specifying the NTLM authentication method, port <PortNumber>, and the thumbprint <CertThumbprint> of an SSL certificate, type:
.\Set-HPCWebComponents.ps1 -Service REST -enable –AuthenticationMethod NTLM –certificate <CertThumbprint> -Port <PortNumber>
Important
If an SSL certificate is already bound on the port <PortNumber>, you must either specify that certificate when you run the script, or choose a different certificate and port binding.
After the script completes, stop and restart the HPC Job Scheduler Service by typing the following:
net stop hpcscheduler net start hpcscheduler
To configure the web components on a head node configured for high availability in a failover cluster
Start HPC PowerShell as an administrator.
To configure the web components on the active head node of the failover cluster, follow steps 2 – 6 in the preceding procedure to configure the HPC Server Web Portal and the REST interface.
If you generated and configured a self-signed certificate on the active head node for the web components, export the certificate as a .cer file and import it on the other head node by performing the following steps:
On the active head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select Computer account, and then click Next.
Select Local computer, and then click Finish. Click OK.
In the Microsoft Management Console, in the console tree, expand Certificates, expand Personal, and then expand Certificates.
Right-click the self-signed certificate that was created in the previous step (with a name of the form MyHeadNode.contoso.com), and then click Export. The Certificate Export Wizard appears.
Accept the default selections in the wizard and specify a file name and a location on the failover disk of the failover cluster (or on portable storage media). Do not export the private key.
On the Completing the Certificate Export Wizard page, click Finish.
Using Failover Cluster Manager, move (fail over) the clustered instance to the other head node in the failover cluster.
On the head node that is now active, Click Start, click Run, and then type mmc to start the Microsoft Management Console.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select Computer account, and then click Next.
Select Local computer, and then click Finish. Click OK.
In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.
Right-click Certificates, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .cer file from the location where you stored it, into the Personal certificate store.
If you configured a certificate other than a self-signed certificate for the web components on the active head node, ensure that you have imported this certificate on the other (inactive) head node of the failover cluster.
If you have not already done so, fail over to the other head node in the failover cluster (the head node on which you have not already run the Set-HPCWebComponents.ps1 script).
Start HPC PowerShell as an administrators.
To configure the web components on the active second node of the failover cluster, follow steps 2 – 6 in the preceding procedure to configure the HPC Server Web Portal and the REST interface.
Important
-
Ensure that you configure the same certificate and port bindings that you configured on the other head node in the failover cluster.
-
If the script generated and configured a self-signed certificate on the other head node, do not type 0 to generate a self-signed certificate on the current head node. Type the number that corresponds to the name of the certificate that you imported from the other head node.
-
Run the Set-HPCWebComponents.ps1 HPC PowerShell script so that the available certificates are displayed. Type:
.\Set-HPCWebComponents.ps1 Portal -enable
When prompted, type the number of a certificate in the list of available certificates. Choose the number that corresponds to the certificate that you configured on the other head node in the failover cluster.
Important
If the script generated and configured a self-signed certificate on the other head node, do not type 0 to generate a self-signed certificate on the current head node. Type the number that corresponds to the name of the certificate that you imported from the other head node.
4. Validate the installation of the HPC Server Web Portal
To confirm that the Windows HPC Server Portal is configured properly, open a browser, then browse to the portal at the following address:
On a single head node (one that is not configured for high availability): https://<HeadNodeName>:<PortNumber>/hpcportal. where <HeadNodeName> is the computer name of the head node and <PortNumber> is the port that is bound by the SSL certificate
On a head node configured for high availability: https://<FQVN>:<PortNumber>/hpcportal, where <FQVN> is the fully qualified virtual name of the failover cluster for the head nodes and <PortNumber> is the port that is bound by the SSL certificate. Example: VirtHN.contoso.com.
Note
You must enable AJAX (active scripting) in your browser to view the portal content. For more information, see How to enable scripting in your browser (https://go.microsoft.com/fwlink/p/?LinkId=217076).
Additional considerations
If you generated a self-signed certificate to configure HPC Server Web Portal, you may see certificate errors or warnings in your browser when you try to access the portal. To avoid this, you can export the self-signed certificate from the Personal certificate store of the local computer account on head node, and import it in the Trusted Root Certification Authorities certificate store on the computer where you are accessing the portal.
If you configured the portal on a head node configured for high availability in the context of a failover cluster, the state of the web portal does not persist if the head node fails over. Any clients that connect to the portal must refresh their connections.
For information about creating a job submission page that lets users submit a job from the HPC Server Web Portal, see the Windows HPC Server 2008 R2 SP2 Test Focus Guide (https://technet.microsoft.com/library/hh184316(WS.10).aspx).