
    Azure Marketplace

    Overview

    The CloverDX Server offering on Azure Marketplace provides an easy way to create a CloverDX Server instance in the Azure cloud infrastructure. The offering spins up a recommended cloud architecture that contains a standalone CloverDX Server with good defaults and a recommended environment. The server instance uses the user's own Azure resources, and Azure charges the user for them.

    The CloverDX Server Azure offering contains an ARM (Azure Resource Manager) template that deploys a virtual machine and the other necessary resources. The ARM template is configured through a user interface with simple configuration options. All the resources are deployed to a single Resource Group chosen by the user.

    Quickstart

    Prerequisites:

    High-level overview of steps:

    1. Deploy the CloverDX Server on Azure Marketplace
    2. Activate and configure the server instance

    Steps

    1. Navigate to the CloverDX Server BYOL offering on the Azure Marketplace and use the GET IT NOW button on the offering’s marketplace page. Accept the Terms and Conditions and proceed with the Continue button.

    2. You are redirected to the CloverDX Server BYOL offering inside the Azure Portal. To proceed, click the Create button. This launches the wizard where you configure the server deployment.

      Figure 11.7. Azure Marketplace Configuration Wizard

      1. Basics
        • Subscription - the top-level Azure subscription used for billing.
        • Resource group - we recommend deploying to an empty resource group which won’t be shared with other deployments. Managing resources is easier when multiple deployments do not share resource groups.
        • Region - the location where all resources are going to be deployed. Our offering is designed to work in all regions.
        • Resource prefix - names of all resources created by our offering will start with this prefix. This makes identifying resources easier.
      2. Virtual Machine Settings
        • Virtual machine size - the VM instance size. Default size is pre-selected, and you can pick from 4 different sizes that we support. If you want to change the size and can’t see any other sizes in the selector, make sure to disable filters. Larger instances have better performance but higher cost.
        • Admin user name - the admin account name on the OS of the virtual machine.
        • Authentication type - you can choose between password and ssh key authentication for the admin user.
      3. Network Settings
        • Public IP address - pre-defined public IP resource. You don’t need to change this; the defaults work well for all deployments.
        • Hostname prefix - the server will be available on an Azure hostname, and this is the prefix for that hostname. The hostname must be globally unique, which is immediately validated. If there’s a green validation check, the hostname is not taken.
        • Allow connections from - the ARM template creates a Network Security Group automatically which allows only connections from specific IP ranges to specific ports on the instance. We recommend that you provide a range of IP addresses from which the instance should be available - typically your offices or data centers. For evaluation purposes you can use your public IP, obtained e.g. from myip.com. We do not recommend making the instance visible to the whole internet.
      4. CloverDX Settings
        • Admin user name - specify the user name of CloverDX Server administration user (or keep the default clover). This user is the first user available in Server Console, for administration of the server itself. This is NOT the operating system user - you have already configured that on the Virtual Machine Settings page.
        • Admin user password - specify the password for the above admin user.
        • Confirm password - re-type the above password to confirm it.
      5. Review + Create
        • On this page, all the configuration is validated and summarized. If there are no problems, you can proceed by clicking the Create button. If any problems are found, you will see a red error with a description. The description may not be detailed enough to show what the real problem is. In that case, open the Web Console of your browser (F12 key) and check whether the error messages logged there contain more information.
    3. The deployment will start. You will be redirected to the page in Azure Portal where you can see the deployment progress. This process will take several minutes.

      Figure 11.8. Azure Portal - Deployment in progress

    Success. CloverDX Server is now available in Azure. You can find its URL in the Outputs tab of the Deployment - the serverHttpsUrl entry.

    Figure 11.9. Azure Portal - Deployment Outputs

    At the Server’s URL you will see the login page where you can:

    • Activate the server - the Server is licensed in BYOL (Bring Your Own License) mode, so you need to obtain your license from us - start here.

    • Log in - use the credentials set in the configuration wizard.

      Figure 11.10. CloverDX Server login page

    The Server is running with default settings and is immediately usable. It can be configured further to bring it to full production quality (i.e. it should use an external database).

    Architecture

    The CloverDX Server Azure offering consists of a virtual machine image and of an ARM template that orchestrates the required cloud resources:

    Figure 11.11. Architecture - CloverDX Server in Azure marketplace

    Details of the Azure topology:

    • The Virtual Machine (VM) runs in the Azure cloud, in the Region selected by the user.
    • A new Virtual Network (VNET) is created to isolate the CloverDX instance from other resources outside it (in the Azure cloud or on the Internet).
    • The Virtual Network uses a Network Security Group (NSG) to limit access to specific ports only (22, 80, 443) and only from IP addresses within a defined IP range.
    • The Virtual Machine is assigned a Network Interface Controller (NIC) connected to the Virtual Network to allow network communication with the outside.
    • The Virtual Machine is assigned a Public IP Address with a configured DNS label. The IP address is dynamic, so it may change between virtual machine restarts, but the DNS label is always the same, so the server is always available on the same hostname.
    • The CloverDX Server runs on the Virtual Machine and uses a built-in Derby database. For full production use we recommend an external DB.

    Virtual machine details (for additional information, see Common cloud architecture):

    • Operating system: CentOS Linux 7.7
    • AdoptOpenJDK 11
    • Tomcat 9
    • 2 disks - OS disk, data disk, both are Premium SSD type.

    Configuration

    For details about CloverDX Server configuration, see Common cloud configuration.

    Memory

    Heap sizes for Server Core and Worker are set automatically based on the instance memory size; see Common cloud memory configuration. It is possible to change the size of the VM, and the memory sizes will be re-calculated. To do so, stop the VM instance in the Azure Portal, change its size and start it again.

    Users

    Users available in the virtual machine:

    • <admin user> - the user configured in the wizard before deployment. Use sudo to run commands that require root privileges. Log in via SSH using either the password or the public key defined in the configuration wizard.
    • root - direct login is not possible, and using this account is not recommended.
    • clover - the user that runs the CloverDX Server (i.e. it runs Tomcat). All files that CloverDX uses are owned by the clover user. It is not possible to log in as clover.

    Security

    This section describes security related aspects of the CloverDX Marketplace offering.

    Network Security Group

    The ARM template creates a network security group that serves as a virtual firewall. The security group allows connections to the following ports:

    • 22 - SSH
    • 80 - HTTP for Server Console and Server API
    • 443 - HTTPS for Server Console and Server API

    The connections are allowed only from the IP range specified in the wizard when configuring the deployment.

    The security group settings can be modified - you can find the security group in the Resource Group where the server was deployed.

    HTTPS

    The CloverDX Server has both HTTP and HTTPS enabled by default. You can find the server’s HTTPS URL in the Outputs section of the Deployment under the serverHttpsUrl key. The HTTPS connector runs on port 443.

    Let’s Encrypt Certificate

    The default HTTPS connector uses a certificate issued by Let’s Encrypt. It is useful for encrypting communication between a client (e.g. Designer) and the Server, and for verifying the server’s identity. The certificate is free, but it is valid only for 90 days because Let’s Encrypt does not support longer validity.

    When the certificate’s remaining validity is less than 30 days, the server deployed in Azure automatically attempts a renewal every time it is started. The renewal process requires inbound access from Let’s Encrypt’s servers, which the Network Security Group blocks by default. To renew the certificate, you must first allow that external network access, then restart the virtual machine, and then block external network access again.

    The full process to renew the certificate is:

    1. Locate and open Network Security Group of the server. It’s in the same Resource Group where the server is deployed, next to all the other resources.

      Figure 11.12. Azure resources - network security group

    2. Add a new Inbound security rule to allow access from Let’s Encrypt servers. Set the following properties:

      • Source - Any
      • Source port ranges - *
      • Destination - Any
      • Destination port ranges - 80
      • Protocol - Any
      • Action - Allow
    3. Find the Virtual Machine resource and restart it. During its startup, the server automatically attempts a certificate renewal if the expiry time is 30 days or less.

    4. Access the Server Console over HTTPS in your browser and verify that the certificate has been renewed. You can check it by inspecting the lock icon next to the browser’s address bar and checking the certificate validity. Your certificate should be valid for the next 90 days.

    5. Remove the Inbound security rule you added in step 2. It is no longer necessary.
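Step 5 above and the Network Security Group section both come down to the same check: no inbound Allow rule should expose ports 22, 80 or 443 to the whole Internet once the temporary renewal rule is gone. The following script is an added example, not part of the CloverDX documentation or product. It reads the list of security rules in the JSON shape that `az network nsg rule list` prints (camelCase `securityRule` keys such as `name`, `priority`, `direction`, `access`, `sourceAddressPrefix`, `sourceAddressPrefixes`, `destinationPortRange`, `destinationPortRanges`) and reports rules that allow any of those ports from an unrestricted source. The rules embedded below are constructed for the example; the rule names and the office range 203.0.113.0/24 are made up.

```python
"""Audit an Azure NSG export for inbound rules open to the whole Internet.

Added example (not CloverDX code). Input: the JSON list printed by
`az network nsg rule list -g <rg> --nsg-name <nsg>`; the keys used here
follow the ARM securityRule schema. Sample rules below are constructed.
"""
import json

OFFERING_PORTS = {22, 80, 443}            # ports the offering's NSG opens
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "any"}   # "whole Internet" sources


def _ports(rule):
    """Ports from OFFERING_PORTS that this rule's destination covers."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            return set(OFFERING_PORTS)    # wildcard covers every port we care about
        if "-" in r:                      # a range such as "1-1024"
            lo, hi = r.split("-", 1)
            ports.update(p for p in OFFERING_PORTS if int(lo) <= p <= int(hi))
        elif r.isdigit() and int(r) in OFFERING_PORTS:
            ports.add(int(r))
    return ports


def _sources(rule):
    """All source prefixes of a rule, whichever of the two fields is used."""
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return [s.strip() for s in srcs]


def find_open_rules(rules):
    """Return (rule name, port, source) for inbound Allow rules whose source is
    the whole Internet and whose destination includes 22, 80 or 443.
    Each rule is judged on its own; a Deny rule with a lower priority number
    that would shadow it is not modelled here."""
    findings = []
    for rule in rules:
        if rule.get("direction", "Inbound").lower() != "inbound":
            continue
        if rule.get("access", "").lower() != "allow":
            continue
        open_sources = [s for s in _sources(rule) if s.lower() in ANY_SOURCE]
        if not open_sources:
            continue
        for port in sorted(_ports(rule)):
            for src in open_sources:
                findings.append((rule["name"], port, src))
    return findings


# Constructed sample: an office range, a leftover Let's Encrypt rule, a catch-all deny.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-office", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
   "destinationPortRanges": ["22", "80", "443"]},
  {"name": "letsencrypt-temp", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
  {"name": "deny-all", "priority": 4096, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

if __name__ == "__main__":
    for name, port, src in find_open_rules(SAMPLE_RULES):
        print(f"rule {name!r} allows port {port} from {src}")
```

Run against the sample, the only finding is the leftover `letsencrypt-temp` rule on port 80, which is exactly the rule step 5 says to remove. Feeding it the real export of the server's NSG after the renewal gives a quick confirmation that the group is back to the office or data-center range entered in the wizard.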

    Using Your Own Certificate

    In case you do not want to use the default Let’s Encrypt certificate for any reason, you can use your own production-quality certificate for the HTTPS connector:

    1. Create /var/clover/conf/customCertificate.jks keystore with your own server certificate. Do not use or modify the already existing file serverCertificate.jks - it is used and overwritten by automation scripts.

    2. Modify the /opt/clover/tomcat/conf/server.xml Tomcat configuration file to use your customCertificate.jks file instead of serverCertificate.jks.
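Step 2 is a one-attribute change, but it is easy to edit the wrong connector by hand. The script below is an added example, not CloverDX tooling: it locates the SSL-enabled connector on port 443 in a Tomcat 9 server.xml and points it at /var/clover/conf/customCertificate.jks, leaving the plain HTTP connector untouched. It handles both the Tomcat 9 `<SSLHostConfig><Certificate certificateKeystoreFile="..."/>` form and the legacy `keystoreFile` attribute on `<Connector>`; which of the two the CloverDX image ships is an assumption, and the server.xml embedded here is constructed for the example.

```python
"""Switch the port-443 Tomcat connector to a custom keystore.

Added example, not part of CloverDX. Works on the Tomcat 9 server.xml
layout; the sample document is constructed. ElementTree drops XML
comments when writing back, so keep a copy of the real file.
"""
import xml.etree.ElementTree as ET

CUSTOM_KEYSTORE = "/var/clover/conf/customCertificate.jks"
DEFAULT_KEYSTORE = "/var/clover/conf/serverCertificate.jks"

# Constructed sample: HTTP on 80, HTTPS on 443 using the default keystore.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="/var/clover/conf/serverCertificate.jks"
                     certificateKeystorePassword="changeit" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def switch_keystore(server_xml, keystore=CUSTOM_KEYSTORE, password=None, port="443"):
    """Return (new_xml, number_of_changes). Only the SSL-enabled connector on
    `port` is modified; a password is set only when one is supplied."""
    root = ET.fromstring(server_xml)
    changed = 0
    for conn in root.iter("Connector"):
        if conn.get("port") != port or conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat 9 form: <SSLHostConfig><Certificate .../></SSLHostConfig>
        for cert in conn.iter("Certificate"):
            cert.set("certificateKeystoreFile", keystore)
            if password is not None:
                cert.set("certificateKeystorePassword", password)
            changed += 1
        # Legacy form: keystoreFile / keystorePass directly on <Connector>
        if conn.get("keystoreFile") is not None:
            conn.set("keystoreFile", keystore)
            if password is not None:
                conn.set("keystorePass", password)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def keystore_paths(server_xml):
    """Every keystore path referenced by any connector, for a before/after check."""
    root = ET.fromstring(server_xml)
    paths = []
    for conn in root.iter("Connector"):
        if conn.get("keystoreFile"):
            paths.append(conn.get("keystoreFile"))
        for cert in conn.iter("Certificate"):
            if cert.get("certificateKeystoreFile"):
                paths.append(cert.get("certificateKeystoreFile"))
    return paths


if __name__ == "__main__":
    new_xml, n = switch_keystore(SAMPLE_SERVER_XML)
    print(f"connectors updated: {n}")
    print("keystores now referenced:", keystore_paths(new_xml))
```

On the real server the file is read from and written back to /opt/clover/tomcat/conf/server.xml (with a backup first), and Tomcat is restarted afterwards. The `keystore_paths` check is the quick way to confirm that serverCertificate.jks is no longer referenced anywhere, which matters because the automation scripts overwrite that file.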

    To disable usage of plain HTTP connectivity, modify the network security group to block all connections to port 80.