Environment
OrderFlow Environment
OrderFlow is a modular, layered, multi-interface application, which exposes desktop, mobile and handheld user interfaces (via HTTP or HTTPS), accessible from a web browser. It also exposes an XML over HTTP application programming interface (API).
It is typically deployed within its own standalone Jetty web server, but can
also be deployed to run within a separate web server (e.g. Apache Tomcat).
It is almost exclusively deployed in Linux-based environments, most commonly
using Debian or Ubuntu distributions.
This section details the environment in which OrderFlow runs in greater detail, and provides details on how to set up the environment for OrderFlow deployment.
For more details of the technical architecture of the OrderFlow system, see the OrderFlow Technical Architecture document.
Hardware Resources
OrderFlow is typically deployed in a 'cloud' environment, i.e. on a virtual server within an internet-based hosting service. Such environments are usually dynamic in terms of the resources that can be made available to the virtual server, so it makes little sense to dictate the hardware that is required for OrderFlow to run.
Instead, other resources such as system memory, CPU speed and disk space can be specified. These resources will be required in different amounts for different customers, since the system usage will vary depending upon order volumes, user numbers, warehouse processes etc. For example, a paper-based warehouse may require fewer resources than a warehouse that uses handheld devices. Disk space requirements will be influenced by the database location(s) and any customer requirements on log file rotation.
The following ranges are typical for live deployments of OrderFlow:
- System Memory - from 2Gb to 65Gb. This is the memory available to the virtual machine that hosts OrderFlow.
- JVM Heap memory - from 800Mb to 7.5Gb. This is the memory available to the Java Virtual Machine, which is exclusively used by OrderFlow.
- CPU - anything from dual-core 2.67Ghz to 24-core 1.9GHz processors. The amount of CPU power a virtual machine has a directly-proportional effect on the responsiveness of the OrderFlow system. More users will require more CPU power.
Operating System
Although OrderFlow runs within a platform-agnostic Java Virtual Machine (within a Jetty web server), most OrderFlow deployments are on Linux-based operating systems. This is for the following reasons:
- Simplicity
- Consistency (with both the development environment and in between deployed environments)
- Cost
For deployments that we host (via a hosting provider), we use the latest stable ubuntu release. In customer-hosted environments, the choice of operating system lies with the customer, although we do recommend ubuntu to standardise our support.
To deploy OrderFlow, there needs to be an rtdadmin user created. This can be done
(by the root
user) by issuing the following command:
adduser rtdadmin
Once created, the password for this user should be changed (using the following
command when logged in as rtdadmin
), to a value that is recorded in
RemoteMan.
sudo passwd
Note
RemoteMan is OrderFlow's configuration and monitoring system. Further details can be found in the RemoteMan Guide.
Once created the ''rtdadmin'' user should either be given 'sudo' access or if this is not appropriate be configured with the ability to:
- read,write,delete,execute permissions to the OrderFlow home directory (typically /usr/share/orderflow)
- The ability to start and stop the OrderFlow system through the init.d scripts
Software
OrderFlow is almost exclusively deployed within its own standalone Jetty web server. Therefore OrderFlow's system requirements are as follows:
Java Runtime Environment
The Java Runtime Environment currently needs to be compatible with version 8, either OpenJDK or Oracle. This applies for OrderFlow versions to 4.2.1. From OrderFlow 4.2.2 onwards, Java 11 is recommended for new environments but Java 8 is also supported.
To install version 8 of the OpenJDK Java Runtime Environment, run the following commands:
sudo apt-get update
sudo apt-get install openjdk-8-jre
To install OpenJDK 11, instead run:
sudo apt-get update
sudo apt-get install openjdk-11-jre
To install version 8 of the Oracle Java Runtime Environment, download the JRE (or Server JRE) from the Java SE 8 Archive Downloads page. Follow the instructions from either Oracle or WikiHow to install.
The JRE version in use can (currently) easily be switched by using the following command:
sudo update-alternatives --config java
From OrderFlow 4.2.2 onwards, Java 11 is recommeded
Strong Encryption
In order to support strong encryption in some Linux environments, the
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files need to be put in lib/security/
under the JRE home directory.
We hold local copies of these files (local_policy.jar and US_export_policy.jar) in our source control system.
MariaDB
MariaDB is a drop-in replacement for MySQL. It is easy to install, offers many speed and performance improvements, and is easy to integrate into most MySQL deployments.
OrderFlow requires MariaDB database server version 5.5. The application has also been tested on the MariaDB 10.0 series.
The simplest configuration is where the database resides on the same machine as the OrderFlow application. In this case, install MariaDB using the MariaDB Repository Generator to find the correct repository for the operating system, for version 5.5.
Our convention is to use the server root password as the database root password, in which case this should be supplied during the installation process. If this convention is not followed, note the database server password used, and record it in RemoteMan.
Note that when other database users are created, their passwords will need to be changed to ensure that the database remains secure.
Note
Sometimes the database is required to reside on a dedicated database server - this is usually the case if a customer is hosting the environment themselves. In this case, the installation of MariaDb is not necessary.
OrderFlow holds PDF courier labels, imported data files and other large file files as database blobs. The database environment should be configured to ensure these can be included in database backups. In MySQL and MariaDB environments this can be done by setting the "max_allowed_packet" parameter to 1GB.
Apache Ant
Apache Ant is used to drive the deployment of OrderFlow. It currently needs to be at version 1.7.0 or greater. It can be installed using the following command:
sudo apt-get install ant
Curl
Curl is used pull files from the OrderFlow servers, both as part of the initial install and in subsequent upgrades. It can be installed using the following command:
sudo apt-get install curl
Zip
Zip is used compress and decompress files, it is used in the initial install and in subsequent upgrades. It can be installed using the following command:
sudo apt-get install zip
Debian Runlevel Configuration Tool
This tool configures system services in connection with system runlevels. It
turns on & off services using the scripts in /etc/init.d/
. We use it to
allow configuration of init.d to enable OrderFlow to autostart after a reboot.
Install using the following command:
sudo apt-get install rcconf
And run using the following command:
sudo rcconf
You will be presented with a screen that lists the executable files in
/etc/init.d/
, alongside a checkbox that shows whether they will be executed
at start-up. Once an OrderFlow instance has been deployed, there will be an
entry here for that instance, allowing it to be set to start up automatically,
if required.
Note that if an error occurs when running rcconf
reporting that
"rcconf needs dialog or whiptail", then create the following symbolic link:
sudo ln -s /bin/whiptail /usr/bin/whiptail
Server Hardening
To enhance the server security, additional measures are taken. The following sections detail these measures; all examples assume the ubuntu operating system.
Admin User Password Change
As detailed in the Operating System section, the
password for the rtdadmin
user should be changed to a value that is recorded
in RemoteMan. This can be done by using the following command (when logged in
as rtdadmin
):
sudo passwd
Move SSH Port
Moving the SSH port from 22 to 91 reduces the risk of the server being seen by
casual scans. To do this, edit /etc/ssh/sshd_config
and ensure that the
Port
key has the value 91
:
# What ports, IPs and protocols we listen for
Port 91
Firewall Configuration
SSH access should be restricted to port 91, and from only the main and backup proxy servers. This means that to SSH onto the OrderFlow server, a user will have to either do this from the proxy server, or "tunnel" through it.
We use ubuntu's Uncomplicated Firewall to configure this, by running the following commands:
sudo ufw allow from 188.65.36.243 to any port 91
sudo ufw allow from 164.177.149.218 to any port 91
sudo ufw allow 443
sudo ufw allow 8443
sudo ufw allow 9595
sudo ufw allow 9696
sudo ufw enable
The output from the last command will be something like:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To Action From
-- ------ ----
443 ALLOW IN Anywhere
8443 ALLOW IN Anywhere
9595 ALLOW IN Anywhere
9696 ALLOW IN Anywhere
91 ALLOW IN 188.65.36.243
91 ALLOW IN 164.177.149.218
443 ALLOW IN Anywhere (v6)
8443 ALLOW IN Anywhere (v6)
9595 ALLOW IN Anywhere (v6)
9696 ALLOW IN Anywhere (v6)
Database Password Changes
To ensure that the database remains secure, any users added to the database need a secure password. Database passwords can be changed by accessing the MariaDB client:
mysql -uroot -p
Then running the following SQL commands, for example:
UPDATE mysql.user SET password=PASSWORD('some decent password') WHERE user='root';
UPDATE mysql.user SET password=PASSWORD('some decent password') WHERE user='rtdadmin';
FLUSH PRIVILEGES;