Connecting the Server and Lane

The main points:

Since all computers involved are web servers, we use static IPs. Pick addresses from a private (internal) range. We cannot emphasize enough that because your server and lanes are web servers, your point of sale network must be internal and never reachable from the Internet.

The lanes do not communicate with one another, but each lane must be able to see the server and the server must be able to see all the lanes. For now, ICMP has to be left on, because the lane makes the initial check for the availability of the server, and vice versa, by pinging. We have since found a better way, but it is not in the code yet, so leave ICMP on; in particular, any firewall rules you write between server and lanes must allow ICMP echo in both directions.

The lane has everything it needs to conduct transactions independently of the server. The lane and server only communicate with each other under the following circumstances:

  • at the end of each sales transaction when the lane attempts to upload sales records to the server
  • when current data on the master tables on the server is pushed to the cache on the lane

Whether the cache on the lane is current or not, the lane always refers to the cache (opdata). When the server is unavailable, the lane goes into "stand alone" mode and sales data is collected locally on the lane until the server becomes available again, at which point all local data is automatically uploaded. We will have a more detailed discussion of data transfer in our documentation.

The lane reads from the local cache (opdata) and uploads to the server. Each lane therefore connects to two MySQL servers: the local one within the lane, and the remote one on the server.

The lane connects to the MySQL servers using the user names and passwords set in /pos/is4c/ini/ini.php. By default, the user name is "is4clane" with no password for both connections, which means anyone who can reach port 3306 on the server can log in as the lane; change it as soon as the baseline works. This can be changed by editing ini.php, but the corresponding accounts must already be set up in the respective MySQL servers. In addition to the user names and passwords, MySQL account definitions also include the host the connection comes from: use "localhost" for the local connection, and the lane's IP for the remote connection. As a reminder, for the lane to connect to the server, the account used by the lane has to be set up on the server.

The server takes data from the master tables within itself (or locally, as they say) and updates the data in the cache on the lanes. It also accepts uploads of sales data from all the lanes. The server therefore needs to connect to the local MySQL server and to the MySQL server on each lane.

The server connects to the local MySQL server and to the remote MySQL servers on the lanes using the user names and passwords set in /pos/fannie/define.conf. By default, the user name is "is4cserver" with no password for all connections. Once again, if and when you change it, the new user name and password have to be set up on the server and on all the lanes.

The MySQL command for granting permissions is

GRANT ALL PRIVILEGES ON *.* TO '<username>'@'<host>' 
-> IDENTIFIED BY '<password>' WITH GRANT OPTION;
Note that this form grants every privilege on every database and lets the account hand out privileges to others, which is effectively a second root account; it is fine for getting a baseline working on an internal network, but drop WITH GRANT OPTION and narrow the privileges once everything works. Also note that MySQL 8.0 no longer accepts GRANT ... IDENTIFIED BY; there you create the account first with CREATE USER '<username>'@'<host>' IDENTIFIED BY '<password>' and then GRANT to it. The default user account settings for the lane and the server are in create_lane_acct and create_server_acct respectively in the /pos/installation/mysql/script directory. Edit them to reflect your user accounts. We do recommend that, as long as your network is internal, you use the most lenient security settings to make sure that everything works first, so that you have a baseline before you add layers of security to lock it down again. Note that on the server, unless you use a wildcard, you need to set up an account entry for each lane's IP.

A peculiarity of MySQL account matching is that the wildcard host % does not reliably cover connections from localhost. MySQL tries account entries from the most specific host to the least specific, and a default installation (especially of older versions) includes an anonymous account ''@'localhost' that sorts ahead of 'user'@'%', so a local connection lands on the anonymous account instead of yours. In other words, if you want the user "mikecollins" to be able to connect to the server's MySQL from all hosts, local and remote, you will need to run two commands:

GRANT ALL PRIVILEGES ON *.* TO 'mikecollins'@'localhost' 
-> IDENTIFIED BY '<password>' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON *.* TO 'mikecollins'@'%' 
-> IDENTIFIED BY '<password>' WITH GRANT OPTION;

To test that the lane can connect to the database on the server, open a shell on the lane and issue the following command

mysql -h <server_ip> -u <username> -p<password>
Notice that there is no space after the -p switch. With the default accounts, which have no password, the command is
mysql -h <server_ip> -u is4clane
without the -p switch. Be aware that a password given on the command line is visible to every user on the machine in the process list and is kept in your shell history; a bare -p with no value makes the client prompt for it instead.

Similarly, to test that the server can connect to a lane

mysql -h <lane_ip> -u is4cserver
Run the GRANT command as necessary until all database connectivity problems are resolved.
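The account setup and connectivity test above, for one server and several lanes, as an added example script (this is not IS4C project code, and nothing here comes from create_lane_acct or create_server_acct). It uses CREATE USER followed by GRANT, which works on MySQL 5.x and 8.0, pins each lane account to that lane's IP instead of '%', and leaves out WITH GRANT OPTION. The addresses are constructed, the passwords are placeholders (the page's default is no password), and the restriction of the server's account on a lane to the opdata database is an assumption; widen it to *.* if your server touches other lane tables.

```shell
#!/bin/sh
# Added example, not IS4C project code: generate the MySQL account statements
# for one server and its lanes, and test connectivity in both directions.
# Everything below the user names is an assumption, not taken from the page:
# the addresses are constructed, the passwords are placeholders (the page's
# default is no password), and the server is assumed to touch only the lane
# cache database "opdata" on each lane.
set -u

SERVER_IP="10.0.5.1"                 # constructed
LANE_IPS="10.0.5.11 10.0.5.12"       # constructed, space separated
LANE_USER="is4clane"                 # default from /pos/is4c/ini/ini.php
SERVER_USER="is4cserver"             # default from /pos/fannie/define.conf
LANE_PASS="${LANE_PASS:-lane-secret}"         # placeholder
SERVER_PASS="${SERVER_PASS:-server-secret}"   # placeholder
PRIVS="ALL PRIVILEGES"               # lenient baseline; narrow once it works
LANE_SCOPE="opdata.*"                # assumed; use '*.*' if the server reads other lane tables

# CREATE USER followed by GRANT works on MySQL 5.x and 8.0; 8.0 no longer
# accepts GRANT ... IDENTIFIED BY. No WITH GRANT OPTION: these accounts only
# move data, they do not administer other accounts.
user_line() {   # user_line <user> <host> <password>
  printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2" "$3"
}
grant_line() {  # grant_line <scope> <user> <host>
  printf "GRANT %s ON %s TO '%s'@'%s';\n" "$PRIVS" "$1" "$2" "$3"
}

# Run on the SERVER. One is4clane entry per lane IP instead of '%', so a
# lane password only works from that lane, plus the separate 'localhost'
# entry the wildcard does not cover, for testing from the server itself.
server_side_sql() {
  user_line "$LANE_USER" localhost "$LANE_PASS"
  grant_line '*.*' "$LANE_USER" localhost
  for ip in $LANE_IPS; do
    user_line "$LANE_USER" "$ip" "$LANE_PASS"
    grant_line '*.*' "$LANE_USER" "$ip"
  done
}

# Run on EACH LANE: the lane's own local account, and the server's account
# pinned to the server IP and limited to the cache database.
lane_side_sql() {
  user_line "$LANE_USER" localhost "$LANE_PASS"
  grant_line '*.*' "$LANE_USER" localhost
  user_line "$SERVER_USER" "$SERVER_IP" "$SERVER_PASS"
  grant_line "$LANE_SCOPE" "$SERVER_USER" "$SERVER_IP"
}

# Connection test. MYSQL_PWD keeps the password out of the process list and
# shell history, which -p<password> on the command line does not.
can_connect() {  # can_connect <host> <user> <password>
  MYSQL_PWD="$3" mysql -h "$1" -u "$2" --connect-timeout=5 -e 'SELECT 1' >/dev/null 2>&1
}

# Run from the server: server -> every lane.
check_lanes_from_server() {
  rc=0
  for ip in $LANE_IPS; do
    if can_connect "$ip" "$SERVER_USER" "$SERVER_PASS"; then
      echo "server -> lane $ip: OK"
    else
      echo "server -> lane $ip: FAIL"; rc=1
    fi
  done
  return $rc
}

# Run from a lane: lane -> server.
check_server_from_lane() {
  if can_connect "$SERVER_IP" "$LANE_USER" "$LANE_PASS"; then
    echo "lane -> server $SERVER_IP: OK"
  else
    echo "lane -> server $SERVER_IP: FAIL"; return 1
  fi
}

case "${1:-}" in
  server-sql)   server_side_sql ;;   # e.g. sh pos-accts.sh server-sql | mysql -u root -p
  lane-sql)     lane_side_sql ;;
  check-lanes)  check_lanes_from_server ;;
  check-server) check_server_from_lane ;;
esac
```

Generate the statements with the server-sql or lane-sql argument, review them, then pipe them into mysql as an administrative user on the right machine; the two check arguments replace the hand-typed mysql -h tests and exit non-zero on any failure, so they can be re-run after each GRANT change.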

Consult the MySQL documentation for more in-depth information on database security. And if you work better with a GUI for this kind of thing, consider using MyAdmin, given out free with MySQL.

Finally, edit /pos/fannie/define.conf to add in the IP's for all your lanes.

A word on security. We re-emphasize that your point of sale network has to be an internal network. Leaving your lanes and server accessible from the Internet is tantamount to leaving your books and cash boxes out in the street. At the risk of stating the obvious, do not simply plug your lanes and server into the WAN router. Have at least one firewall between your outside router and your internal network, even though the WAN router may claim to be a firewall. It is especially important in our case because all the computers in an IS4C network are web servers. Set firewall rules. Use hosts.allow, hosts.deny, iptables, httpd.conf settings, and all other means to lock down your system. Remember that you need redundant security measures and that user names and passwords by themselves are not sufficient to guarantee security.

Be careful with your wireless access points. Don't make the mistake of allowing computers in the neighborhood to connect to your wireless router, be given an internal IP via DHCP, and gain access to everything. For that reason, avoid using IP numbers from the network 192.168.0.0. For computers that need to access the Internet, make sure that, except for those specifically designated, none of your internal computers can be reached from the Internet.

It might be important for you to allow remote access to authorized users, such as remote technical support people who need to access your lanes in case of emergency. Give some thought to how you want to set that up. Make sure that even trusted users have to go through at least one internal firewall before gaining access to the point of sale. Create the most stringent firewall rules consistent with your being able to do your work. I am sure you'll be careful, but if you are the financial manager or the human resources manager, go find your I.T. person and ask him/her to "lock it down tight", just in case.
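Host firewall rules that follow the traffic pattern described on this page (ICMP echo left on between lanes and server, MySQL from each lane to the server and from the server to each lane, lanes never talking to each other, everything else dropped), as an added example in iptables-restore format. This is not IS4C project code; the addresses, the single admin host and the SSH rule are constructed assumptions, and it assumes the lane's own web server is only used on the lane itself.

```shell
#!/bin/sh
# Added example, not IS4C project code: host firewall rules for the server and
# for a lane, in iptables-restore format. The addresses, the admin host and the
# SSH rule are constructed assumptions; the ports follow the page (web server
# on every host, MySQL between lanes and server, ICMP echo left on).
set -u

POS_NET="10.0.5.0/24"             # constructed POS network
SERVER_IP="10.0.5.1"              # constructed
LANE_IPS="10.0.5.11 10.0.5.12"    # constructed
ADMIN_IP="10.0.9.5"               # assumed: the one host allowed to administer

# Common prologue: default-deny INPUT and FORWARD, allow loopback, replies to
# our own connections, ICMP echo from the POS network (lanes and server ping
# each other to detect availability), and SSH from the admin host only.
header() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $POS_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT
EOF
}

# Log a sample of what the default DROP policy discards, so a lane that
# cannot reach the server shows up in the server's logs rather than silently.
footer() {
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "pos-drop: "'
  echo "COMMIT"
}

# On the SERVER: MySQL and HTTP from each lane IP individually, HTTP from the
# admin host for the web interface, never from the whole network or outside.
server_rules() {
  header
  for ip in $LANE_IPS; do
    echo "-A INPUT -s $ip -p tcp --dport 3306 -j ACCEPT"
    echo "-A INPUT -s $ip -p tcp --dport 80 -j ACCEPT"
  done
  echo "-A INPUT -s $ADMIN_IP -p tcp --dport 80 -j ACCEPT"
  footer
}

# On a LANE: MySQL from the server only. Lanes do not talk to each other, and
# the lane's web server is assumed to be used on the lane itself, so nothing
# else is opened; add an HTTP rule here if something else must reach it.
lane_rules() {
  header
  echo "-A INPUT -s $SERVER_IP -p tcp --dport 3306 -j ACCEPT"
  footer
}

# Dump the rules first to review them, e.g. `sh pos-fw.sh server`, then apply
# with `sh pos-fw.sh server | iptables-restore` (as root) on the server and
# `sh pos-fw.sh lane | iptables-restore` on each lane.
case "${1:-}" in
  server) server_rules ;;
  lane)   lane_rules ;;
esac
```

These are host rules on each machine; they complement, not replace, the firewall the text calls for between the WAN router and the internal network. Run the connectivity tests again after applying them, since a missing echo-request or 3306 rule shows up as a lane falling into stand alone mode.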