Provisioning Your Own SmartSimple Server

From SmartWiki
Revision as of 06:54, 21 August 2023 by Chin (talk | contribs)

Jump to: navigation, search


Construction warning.png Please note that this page is currently under construction. There is more information to come.


Overview

This article outlines the necessary steps in order to provision your own SmartSimple server infrastructure if you have subscribed to the Private Cloud offering and wish to bring your own hardware to host SmartSimple.

Infrastructure Prerequisites

A successful deployment requires that you have the expertise and resources available in order to provision as well as support the below items.

Operating System

  • CentOS (currently supported version is CentOS 7 x86-64, or RHEL 7 x86-64 is also compatible).

Resources

Computing Resources

Required:

  • CPU: Minimum equivalent of an Amazon Web Service m4.xlarge sized general purpose EC2 instance (currently equivalent to 4 virtual CPU units of 2.3 GHz Intel Xeon® E5-2686 v4 (Broadwell) processors or 2.4 GHz Intel Xeon® E5-2676 v3 (Haswell) processors).
  • Memory: Minimum equivalent of an Amazon Web Service m4.xlarge sized general purpose EC2 instance (currently equivalent to 16 GB RAM).

Storage

Required:

  • Minimum 10 GB volume mounted to / root volume.
  • Minimum 500 GB volume mounted to /smartsimple volume.
  • The ability to dynamically expand these volumes or add additional as necessary.

Recommended:

  • Additional 20 GB volume partitioned into 4 x 5 GB parts and mounted to /tmp, /var, /var/log, and /var/log/audit.
  • Encryption employed for all volumes. SmartSimple infrastructure utilizes Amazon Web Service (AWS) Key Management Service (KMS) which employs the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM), known as AES-GCM. AWS KMS uses this algorithm with 256-bit secret keys. The KMS is configured to rotate the secret keys on an annual basis.

Network

Firewall

Required:

  • Open inbound ports 80 (HTTP), and 443 (HTTPS) to all sources.
  • Open inbound port 22 (SSH) to several static IPs from SmartSimple office locations to allow administrative access for SmartSimple staff.
  • Open inbound port 22 (SSH) to your other SmartSimple environments (e.g. the backup environment) to allow them to sync with each other.
  • Open inbound port 8009 (AJP) or other equivalent may be required from the web to the application environment in the case that these are separate environments.
  • Open inbound port 3306 (JDBC) may be required from the application to the database environment in the case that these are separate environments.

Recommended:

  • Drop all other inbound connections.

Required:

  • Open outbound ports 80 (HTTP), and 443 (HTTPS) to all sources.
  • Open outbound port 22 (SSH) to your other SmartSimple environments (e.g. the prod environment) to allow them to sync with each other.
  • Open outbound port 123 (NTP) to all sources.
  • Open outbound port 587 (SMTP) to all sources.
  • Open outbound port 8009 (AJP) or other equivalent may be required from the web to the application environment in the case that these are separate environments.
  • Open outbound port 3306 (JDBC) may be required from the application to the database environment in the case that these are separate environments.

Recommended:

  • Open outbound traffic to all sources.

Domain Administration

You may choose to utilize your own domain address for your SmartSimple server instead of using our default domain. In order to do so you will require the following:

  • A registered domain.
  • Decide on a fully qualified domain name for your SmartSimple application. This must contain a subdomain string in the format applicationname.yourdomain.com, e.g. apply.smartsimple.com.
  • An A record in your DNS pointing to your server.
  • A reverse DNS entry configured for your server. (Optional)
  • An SSL certificate (this can be purchased with a CSR provided by SmartSimple or you can provide an existing certificate and private key). The certificate should be in PEM format.

Architecture

Coming soon...

Security

Coming soon...

Disaster Recovery

Since you may choose to provision all or only a part of the infrastructure you have a variety of options for disaster recovery. The below outlines firstly, the typical disaster recovery solution employed by SmartSimple, and then secondly, the various options that you may choose from depending on your environment.

SmartSimple Disaster Recovery Strategy

  • A hot backup environment is provisioned to be always online and available. This backup environment is similar to the production environment but hosted in a different geographical region. This backup environment is synced to the production environment via a daily SSH rsync.
  • A copy of each daily database backup file is moved to an archive location and stored for up to 90 days retention. The archive location is a combination of Amazon S3 and Glacier storage, and the data is transferred there via AWS CLI API calls from the production environment.

Your Disaster Recovery Options

  • Have SmartSimple provision our regular disaster recovery strategy as outlined above.
  • Provision your own infrastructure to fulfill the functions of the above strategy.
  • Provision your own disaster recovery strategy entirely, e.g. just a daily image of your server volumes instead of a hot backup environment.

Example Setup within Amazon Web Services

The following is an example of how to provision the base infrastructure necessary to host SmartSimple in an AWS environment. These instructions assume a setup from scratch, but if you already have existing AWS components that you wish to deploy your SmartSimple environment into then you may need to modify the instructions. Once complete you will need to contact SmartSimple in order to install the SmartSimple components.

Prerequisites

  • A registered Amazon Web Services account.

Creating the Initial Infrastructure

  1. Select a Region to operate in (e.g. US East (N. Virginia)).
  2. Within the VPC (Virtual Private Cloud) service menu, create a VPC with default tenancy.
    1. Create a Subnet in the VPC and select an Availability Zone.
    2. Create an Internet Gateway and attach it to the VPC.
    3. Edit the Route Table associated to the VPC and add the following route:
      Destination: 0.0.0.0/0 Target: above Internet Gateway
  3. Create Security Groups to define the network security.
    1. Create a Security Group for the Web layer. Configure inbound rules for ports 80 (HTTP) and 443 (HTTPS) to be open from all sources (0.0.0.0/0).
    2. Create a Security Group for SSH access. Configure inbound rules for port 22 (SSH) to be open from SmartSimple office environments (contact SmartSimple for a list of static IPs).
    3. Create a Security Group for the Database layer. Configure inbound rules for port 3306 (MySQL) to be open from the above Web Security Group.
  4. Within the IAM service menu, create an Encryption Key. This will be used for volume encryption.
  5. Within the EC2 service menu, launch an EC2 Instance.
    1. From the AWS Marketplace, select the CentOS 7 image 'CentOS 7 (x86_64) - with Updates HVM'.
    2. Select an Instance Type of m4.xlarge.
    3. Select the VPC and corresponding Subnet.
    4. Create three storage Volumes and enable encryption on them using the above key. Set the volumes with the following details:
      • 10GB root volume (/dev/sda1)
      • 500GB SmartSimple volume (/dev/sdf)
      • 20GB ext volume (/dev/sdg)
    5. Encrypt the volumes with the above Encryption Key.
    6. Associate the above Web and SSH Security Groups.

Optional RDS Deployment

While the above steps are sufficient for a base SmartSimple environment, the following instructions are optional if you wish to provision a high availability clustered environment by adding an AWS Relational Database Service (RDS) instance.

  1. Within the RDS service menu, create a new DB Subnet Group and add Subnets for two different Availability Zones.
  2. Create a new Parameter Group based off the default 'mariadb10.0'. Set the following parameters:
    • connect_timeout = 60
    • interactive_timeout = 60
    • log_bin_trust_function_creators = 1
    • time_zone = your local timezone (e.g. 'US/Eastern')
    • wait_timeout = 60
  3. Launch a DB Instance.
    1. Select the MariaDB database engine (version 10.4.x).
    2. Select an Instance Class of db.m4.large (if deploying RDS, the EC2 instance created above may be resized from m4.xlarge down to m4.large).
    3. You may choose whether to enable Multi-AZ Deployment or not.
    4. Set Allocated Storage to 200GB.
    5. Select the VPC, Subnet Group, Security Group, and DB Parameter Group previously created.
    6. Set Publicly Accessible to no, and Enable Encryption to yes and select the Encryption Key previously created.
    7. You may set Auto Minor Version Upgrade to yes to allow for automatic updates.

Creating Additional Environments

In order to create additional environments whether backups for disaster recovery, or for development and testing you can simply take snapshots of the EC2 and RDS instances and deploy new images. You may need to first create new VPC containers for these environments.