
OrderFlow System Deployment

OrderFlow Ltd.

Document Version: 4.2.4

Document Built: 2024-02-16

This document and its content is copyright of OrderFlow Ltd. All rights reserved.
You may not, except with our express written permission, distribute, publish or commercially exploit the content.
Any reproduction of part or all of the contents in any form is prohibited.

Environment

OrderFlow Environment

OrderFlow is a modular, layered, multi-interface application, which exposes desktop, mobile and handheld user interfaces (via HTTP or HTTPS), accessible from a web browser. It also exposes an XML over HTTP application programming interface (API).

It is typically deployed within its own standalone Jetty web server, but can also be deployed to run within a separate web server (e.g. Apache Tomcat).
It is almost exclusively deployed in Linux-based environments, most commonly using Debian or Ubuntu distributions.

This section details the environment in which OrderFlow runs in greater detail, and provides details on how to set up the environment for OrderFlow deployment.

For more details of the technical architecture of the OrderFlow system, see the OrderFlow Technical Architecture document.

Hardware Resources

OrderFlow is typically deployed in a 'cloud' environment, i.e. on a virtual server within an internet-based hosting service. Such environments are usually dynamic in terms of the resources that can be made available to the virtual server, so it makes little sense to dictate the hardware that is required for OrderFlow to run.

Instead, other resources such as system memory, CPU speed and disk space can be specified. These resources will be required in different amounts for different customers, since the system usage will vary depending upon order volumes, user numbers, warehouse processes etc. For example, a paper-based warehouse may require fewer resources than a warehouse that uses handheld devices. Disk space requirements will be influenced by the database location(s) and any customer requirements on log file rotation.

The following ranges are typical for live deployments of OrderFlow:

  • System Memory - from 2GB to 65GB. This is the memory available to the virtual machine that hosts OrderFlow.
  • JVM Heap memory - from 800MB to 7.5GB. This is the memory available to the Java Virtual Machine, which is used exclusively by OrderFlow.
  • CPU - anything from dual-core 2.67GHz to 24-core 1.9GHz processors. The amount of CPU power available to a virtual machine has a directly proportional effect on the responsiveness of the OrderFlow system; more users require more CPU power.

Operating System

Although OrderFlow runs within a platform-agnostic Java Virtual Machine (within a Jetty web server), most OrderFlow deployments are on Linux-based operating systems. This is for the following reasons:

  • Simplicity
  • Consistency (with both the development environment and in between deployed environments)
  • Cost

For deployments that we host (via a hosting provider), we use the latest stable Ubuntu release. In customer-hosted environments, the choice of operating system lies with the customer, although we do recommend Ubuntu to standardise our support.

To deploy OrderFlow, there needs to be an rtdadmin user created. This can be done (by the root user) by issuing the following command:

adduser rtdadmin

Once created, the password for this user should be changed to a value that is recorded in RemoteMan. Run the following command when logged in as rtdadmin (passwd with no argument changes the current user's password; sudo passwd with no username would change the root password instead):

passwd

Note

RemoteMan is OrderFlow's configuration and monitoring system. Further details can be found in the RemoteMan Guide.

Once created, the rtdadmin user should either be given sudo access or, if this is not appropriate, be configured with:

  • read, write, delete and execute permissions on the OrderFlow home directory (typically /usr/share/orderflow)
  • the ability to start and stop the OrderFlow system through the init.d scripts

Software

OrderFlow is almost exclusively deployed within its own standalone Jetty web server. Therefore OrderFlow's system requirements are as follows:

Java Runtime Environment

The Java Runtime Environment currently needs to be compatible with version 8, either OpenJDK or Oracle. This applies to OrderFlow versions up to 4.2.1. From OrderFlow 4.2.2 onwards, Java 11 is recommended for new environments, but Java 8 is also supported.

To install version 8 of the OpenJDK Java Runtime Environment, run the following commands:

sudo apt-get update
sudo apt-get install openjdk-8-jre

To install OpenJDK 11, instead run:

sudo apt-get update
sudo apt-get install openjdk-11-jre

To install version 8 of the Oracle Java Runtime Environment, download the JRE (or Server JRE) from the Java SE 8 Archive Downloads page. Follow the instructions from either Oracle or WikiHow to install.

The JRE version in use can (currently) easily be switched by using the following command:

sudo update-alternatives --config java

From OrderFlow 4.2.2 onwards, Java 11 is recommended.

Strong Encryption

In order to support strong encryption in some Linux environments, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files need to be put in lib/security/ under the JRE home directory. This only applies to older Java 8 builds: from Java 8u161 onwards, and in Java 11, the unlimited policy is enabled by default (controlled by the crypto.policy setting in the JRE's java.security file), so no policy files need to be installed.

We hold local copies of these files (local_policy.jar and US_export_policy.jar) in our source control system.

MariaDB

MariaDB is a drop-in replacement for MySQL. It is easy to install, offers many speed and performance improvements, and is easy to integrate into most MySQL deployments.

OrderFlow requires MariaDB database server version 5.5. The application has also been tested on the MariaDB 10.0 series.

The simplest configuration is where the database resides on the same machine as the OrderFlow application. In this case, install MariaDB using the MariaDB Repository Generator to find the correct repository for the operating system, for version 5.5.

Our convention is to use the server root password as the database root password, in which case this should be supplied during the installation process. If this convention is not followed, note the database server password used, and record it in RemoteMan.

Note that when other database users are created, their passwords will need to be changed to ensure that the database remains secure.

Note

Sometimes the database is required to reside on a dedicated database server; this is usually the case if a customer is hosting the environment themselves. In this case, the installation of MariaDB is not necessary.

OrderFlow holds PDF courier labels, imported data files and other large files as database blobs. The database environment should be configured to ensure these can be included in database backups. In MySQL and MariaDB environments this can be done by setting the "max_allowed_packet" parameter to 1GB.

Apache Ant

Apache Ant is used to drive the deployment of OrderFlow. It currently needs to be at version 1.7.0 or greater. It can be installed using the following command:

sudo apt-get install ant

Curl

Curl is used to pull files from the OrderFlow servers, both as part of the initial install and in subsequent upgrades. It can be installed using the following command:

sudo apt-get install curl

Zip

Zip is used to compress and decompress files, both in the initial install and in subsequent upgrades. It can be installed using the following command:

sudo apt-get install zip

Debian Runlevel Configuration Tool

This tool configures system services in connection with system runlevels. It turns on & off services using the scripts in /etc/init.d/. We use it to allow configuration of init.d to enable OrderFlow to autostart after a reboot. Install using the following command:

sudo apt-get install rcconf

And run using the following command:

sudo rcconf

You will be presented with a screen that lists the executable files in /etc/init.d/, alongside a checkbox that shows whether they will be executed at start-up. Once an OrderFlow instance has been deployed, there will be an entry here for that instance, allowing it to be set to start up automatically, if required.

Note that if an error occurs when running rcconf reporting that "rcconf needs dialog or whiptail", then create the following symbolic link:

sudo ln -s /bin/whiptail /usr/bin/whiptail

Server Hardening

To enhance the server security, additional measures are taken. The following sections detail these measures; all examples assume the Ubuntu operating system.

Admin User Password Change

As detailed in the Operating System section, the password for the rtdadmin user should be changed to a value that is recorded in RemoteMan. This can be done by running the following command when logged in as rtdadmin (passwd with no argument changes the current user's password; sudo passwd with no username would change the root password instead):

passwd

Move SSH Port

Moving the SSH port from 22 to 91 reduces the risk of the server being seen by casual scans. To do this, edit /etc/ssh/sshd_config and ensure that the Port key has the value 91:

# What ports, IPs and protocols we listen for
Port 91

Firewall Configuration

SSH access should be restricted to port 91, and from only the main and backup proxy servers. This means that to SSH onto the OrderFlow server, a user will have to either do this from the proxy server, or "tunnel" through it.

We use Ubuntu's Uncomplicated Firewall to configure this, by running the following commands:

sudo ufw allow from 188.65.36.243 to any port 91
sudo ufw allow from 164.177.149.218 to any port 91
sudo ufw allow 443
sudo ufw allow 8443
sudo ufw allow 9595
sudo ufw allow 9696
sudo ufw enable

The output from the last command will be something like:

  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  443                        ALLOW IN    Anywhere
  8443                       ALLOW IN    Anywhere
  9595                       ALLOW IN    Anywhere
  9696                       ALLOW IN    Anywhere
  91                         ALLOW IN    188.65.36.243
  91                         ALLOW IN    164.177.149.218
  443                        ALLOW IN    Anywhere (v6)
  8443                       ALLOW IN    Anywhere (v6)
  9595                       ALLOW IN    Anywhere (v6)
  9696                       ALLOW IN    Anywhere (v6)
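As an added check, not part of the OrderFlow guide itself, the following Python script audits the two hardening steps above together: it reads the Port directives of sshd_config and the rule rows of `ufw status`, then reports any SSH port admitted from a source other than the two proxy addresses, any rule that still admits port 22, and any proxy that has no rule at all (which would lock administrators out). The sample input is constructed from the values shown above; in practice feed it the real file and the live command output.

```python
import re

# Constructed sample input, mirroring the values this guide prescribes.
SSHD_CONFIG = "# What ports, IPs and protocols we listen for\nPort 91\n"
UFW_STATUS = """Status: active
Default: deny (incoming), allow (outgoing)

To                         Action      From
--                         ------      ----
443                        ALLOW IN    Anywhere
91                         ALLOW IN    188.65.36.243
91                         ALLOW IN    164.177.149.218
443                        ALLOW IN    Anywhere (v6)
"""
PROXIES = {"188.65.36.243", "164.177.149.218"}  # main and backup proxy

def ssh_ports(sshd_config):
    """Ports sshd will listen on: every uncommented Port directive."""
    return {m.group(1) for m in re.finditer(r"(?m)^\s*Port\s+(\d+)", sshd_config)}

def ufw_rules(status):
    """Yield (port, action, source) for each rule row of `ufw status`."""
    row = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT|LIMIT) (IN|OUT)\s+(.+?)\s*$")
    for m in filter(None, map(row.match, status.splitlines())):
        # normalise "91/tcp" to "91" and drop the IPv6 "(v6)" suffix
        yield m.group(1).split("/")[0], m.group(2), m.group(4).replace(" (v6)", "")

def audit(sshd_config, status, proxies):
    """Return findings; an empty list means the host matches the guide."""
    findings = []
    if "Default: deny (incoming)" not in status:
        findings.append("default incoming policy is not deny")
    ports = ssh_ports(sshd_config)
    if "22" in ports:
        findings.append("sshd still listens on port 22")
    seen = {p: set() for p in ports}  # which proxies reach each ssh port
    for port, action, src in ufw_rules(status):
        if action != "ALLOW":
            continue
        if port == "22":
            findings.append("firewall still admits port 22 from %s" % src)
        elif port in ports and src in proxies:
            seen[port].add(src)
        elif port in ports:
            findings.append("ssh port %s open to %s" % (port, src))
    for port, srcs in seen.items():  # lock-out check: every proxy must get in
        for missing in sorted(proxies - srcs):
            findings.append("no rule admits proxy %s to ssh port %s" % (missing, port))
    return findings
```

Run it against `/etc/ssh/sshd_config` and `sudo ufw status verbose` after each change to the firewall; any non-empty result means the host has drifted from the policy described in this section.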

Database Password Changes

To ensure that the database remains secure, any users added to the database need a secure password. Database passwords can be changed by accessing the MariaDB client:

  mysql -uroot -p

Then running the following SQL commands, for example:

  UPDATE mysql.user SET password=PASSWORD('some decent password') WHERE user='root';
  UPDATE mysql.user SET password=PASSWORD('some decent password') WHERE user='rtdadmin';
  FLUSH PRIVILEGES;