Versions Compared

Old Version 97

changes.mady.by.user Eric Schullek

Saved on

compared with

New Version 98

changes.mady.by.user Eric Schullek

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

CAM Azure Stack utilizes Microsoft Azure services and resources to provide the ability to move documents and content and sync metadata between multiple Document Management Systems (DMS). CAM Content Mover and Data Sync (Content Sync) use Azure storage blobs as an intermediary place while moving content between the supported Document Management Systems.

...

Expand
titleCreate a Resource Group

Create a Resource Group

  1. From the Azure services section, on the Azure portal home page, click on Resource groups to open the resource groups page.

2. Click Create from the Resource groups toolbar.

3. Enter the following resource group details on the Create a Resource group page:

Fields

Description

Subscription

Select the appropriate Azure subscription from the dropdown list.  A P1 license and Azue Standard must be set as minimal.

Resource groups

Enter a unique name for your resource group in the Resource group field.

Note: Resource group names must have only alphanumeric characters, periods, underscores, hyphens, and parentheses and must not have a full stop (.) at the end.

Region

Select the region where you want to create your resource group from the Region drop-down list.

4. Click Review + Create to validate and create new resource groups.

5. Click Next: Tags > to navigate to the next screen. Please skip entering any tags as they aren’t required.

6. Click Review + Create to validate and create new Resource groups successfully. The Validation passed message is displayed if validation passes successfully.

  1. When validation passes successfully, click Create to add new Resource groups.

Expand
titleDeploying CAM Azure Stack to the Azure Subscription

Deploying CAM Azure Stack to the Azure Subscription

  1. Using a browser, navigate to the CAM Azure Stack GitHub repository using the URL https://github.com/Prosperoware/cam-azure-deployment -

  2. Navigate to the repository home page and click on the Deploy to Azure button as the image shows in this section.

  3. The link redirects you to the MS Azure Portal and displays the CAM Azure Stack deployment form.

  4. Click the Deploy to Azure button. Log into the Azure user portal. The Custom Deployment screen is displayed.


5. Enter the following project details for your Azure deployment:

Fields

Description

Project Details

Subscription

Selects the subscription from the dropdown list. Selects the same subscription used to create the resource group.

Resource groups

Pick the resource group that you created from section 1

Instance Details (Template Parameters) - Includes the following parameters

Region

Displays the region automatically on your created Resource group selection.

Litera Tenant Id

Enter the Tenant id from the received mail.

Litera Encrypted Key

Enter Litera Encrypted Key from the received mail.

Litera Secret Key

Enter Litera Secret Key from the received mail.

Features

You can select one of the features while deploying the Azure Stack:

ETL: Deploys Azure Stack for only Content Mover. You can use this feature when you want to move content across DMS systems permanently.
Content Sync: Deploys Azure Stack for only Content Sync. You can use this feature when you want to move content to the Azure blob storage temporarily.
Both: Deploys both Content Mover and Content Sync operations or features with the Azure Stack.

  • For business continuity, one sets the Content Sync option.

Is Production

Selects the Boolean value from the dropdown list.

Info

Tip: Litera recommends to select the True option, if your environment is a production environment. This parameter controls some Azure resources tier.

Note: The Environment Stage, Instance Unique Name, and Top-Level Domain are related to your CAM instance URL.

For example: if your CAM instance URL is: http://yourenvironment.prosperowaredev.com, then the Environment Stage is dev, the Instance Unique Name is yourenvironment, and the Top-Level Domain is com.

Environment Stage

Enter the environment stage name. In continuation with the above mentioned example:

The Environment Stage would be like: yourenvironment.prosperowaredev.com

Instance Unique Name

Enter an unique instance name. In continuation with above mentioned example:

The Instance Unique Name would be like: yourenvironment.prosperowaredev.com

Tip

Important:

  • The Instance Unique Name must be unique globally which generates your Azure URL like “(instance_name).azurewebsites.net - test.azurewebsites.net”.

  • For subsequent Azure Stack deployments, enter the same instance name that you used during your first deployment in case you are deploying the Azure Stack again. If you enter a different name subsequently, the Azure Stack deployment fails.

Top Level Domain

Enter the Top Level Domain.

The Top Level Domain would be like: yourenvironment.prosperowaredev.com

Administrator Login

Enter a new username for Azure CAM Stack MySQL Database admin user.

Administrator Login Password

Provide a password for Azure CAM Stack MySQL Database admin user.

Info

Tip: The password must contain at least 9 characters with 2 upper case and 2 numbers. The following special characters are allowed:

 ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] / < > , . ; ? ' : | (space)

6. Click Review + Create - Validates and create the template if the validation passes as displayed in the following screen.

7. If the form is valid, then the message Validation passed will be displayed. Now, click the Create button to start the deployment process.

  1. Click Previous to navigate to the previous screen.

2. The deployment process takes a few minutes to complete. The resources are created one after the other.

Fields

Description

Resource

Displays the name of the created resources.

Type

Displays the type of the resources.

Status

Displays the status of resource creation.

Operation details

You can view the details against created resources.

Tip

Information: By deploying this template, Microsoft can identify the installation of CAM with the deployed Azure resources. Microsoft can correlate these resources used to support the CAM software. Microsoft collects this information to provide the best product experience and for business operations. Data is collected and governed by Microsoft's policies. Such policies are located at https://www.microsoft.com/trustcenter .

3. Once the deployment is completed successfully, you can see the following screen.

Options

Description

Delete

Click Delete to remove the deployment.

Warning

Important - DO NOT delete the deployment, Litera or the firm might need the log information in the future to troubleshoot.

Cancel

Click Cancel to cancel the deployment.

Note

Warning: Once the deployment is completed successfully, you cannot cancel the deployment. The Cancel option will be disabled.

Redeploy

Click Redeploy to redeploy the template, if the deployment isn’t successfully completed.

Refresh

Click Refresh to re-load all the resources.

Flexible Server from Single Server Configuration

These steps are used to convert a single server deployment to the flexible server as designated by Azure.


1. Follow the Microsoft tutorial steps. Tutorial: Migrate Azure Database for MySQL - Single Server to Flexible Server online using DMS via the Azure portal - Azure Database Migration Service | Microsoft Learn

Update the server configuration within the CAM config yml file next.

  1. Go to Storage account container.

  2. Find application config container (<instanceUniqueName-topLevelDomain>-application-config eg:tenantname-io-application-config).

  3. Go to yml folder.

  4. Update 3 attributes (host, username, password) with the new flexible server configuration in appconfig yml (appconfig-<environmentStage>.yml) which is in the yml folder.

Note: Single server username format is username@servername eg: abc@mysql-clientname-io

Flexible Server FAQs

  1. Why do I need to create a new resource for flexible server and migrate the data?
    Azure Database for MySQL - Single Server is on the retirement path and is scheduled for retirement by September 16, 2024. For more details see this article: https://learn.microsoft.com/en-us/azure/mysql/migrate/whats-happening-to-mysql-single-server

  2. How is the connection established to this sql instance?
    CAM Azure functions connect to this SQL instance using the connection string stored in the YML config file.

  3. I can’t find any relevant config in the account?
    In the storage account, there should be a bucket with a name ending with “-application-config”, in that bucket, there should be a file with a name that follows the convention “appconfig-<environmentStage>.yml”, that is the file they need to update.

Expand
titleInitialize CAM Azure Stack Configuration

Initialize CAM Azure Stack Configuration

  1. After the deployment is completed successfully, CAM Azure Stack needs to be initialized. The initialization URL is in the template deployment output.

Info

Tip: if you have closed the template deployment page, you can still access it by navigating to the created resource group > Click Deployments > Click the link with the name “Microsoft.Template-{deployment_date_time}”.

2. Click Outputs, from the template deployment page left panel.

3. The following screen is displayed. Copy the initializeFunctionUrl and paste it into your Internet browser’s URL address bar.

4. The initialization function process URL will respond with the initialization status in JSON format. A successful response looks like the following:

5. Display the bucketname.

6. Display the apiEndPointBaseUrl.

Info

Tip: If Azure resources are not responding in a timely manner or if you receive an error message, then you can retry the initialization process via the same URL after few minutes.

...

Expand
titleCAM Azure Stack Security and Permissions

All resources created by CAM Azure Stack will be secured using the Azure standard security. Permission will only be granted to the CAM function apps and other CAM Azure Stack resources in the same resource group. No users, accounts, or external apps will be granted access by default except what the Azure subscription administrator has setup previously (inheritance rules).

The details of permissions are as follows:

  • Storage account

    • Reader and Data Access Role: the role is granted to all CAM function Apps.

    • Storage Account Key Operator Service Role: the role is granted to all CAM function Apps.

    • Storage Blob Data Owner Role: The role is granted to all CAM function Apps.

  • MySQL Server: no roles assignment or Firewall changes are done by CAM Azure Stack. The database is only accessible by CAM function apps (internally within the same resource group) using the admin username/password created during the deployment process.

  • All Other resources: no roles assignment or Firewall changes are done by CAM.

  • Allow public access to this Azure resource group through the internet using a public IP address

    • This option allows the firewall to permit connections from specific IP addresses or any Azure service. If Public Access is disabled, the Firewall Rules won't be enforced, and any modifications made to the Firewall will be discarded.
      By choosing above option not all public IPs are allowed. We need to specify some IP and azure service is able to communicate with storage without using VPC
      By uncheck above option, we need to create private endpoints to allow hosts in the selected virtual network to access this server. To ensure successful connections to the server, enable public access with firewall rules or create a private link for the server.

    • For cosmos: If clients need to use private access
      Clinet’s need to configure Azure virtual network and integrate with Azure Functions with configured Azure virtual network by using private endpoints.

Except for the CAM Azure Stack function apps, none of the resources in the resource group will be accessed externally. For the MySQL Database, the option to “Allow access to Azure services” is enabled during the deployment process and all other IPs are restricted by default. Even though the function apps will be accessed externally, those will be accessed by CAM instance only. If you plan to restrict the function apps inbound IP’s, the Litera Customer Care team (support@litera.com) can provide the list of IPs that should be whitelisted based on your CAM instance Zone. The current list of IPs can be found at iManage .

For additional security, the data container in the storage account will be encrypted using Microsoft-managed-keys encryption scope. After the template deployment, this encryption scope can be updated to use your managed keys or to use an encryption with a key in the managed HSM as explained in the following MS article (https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault-hsm ).

Managing Security of the Azure Client Stack

In addition to the strong security provided by MS Azure, Litera strengthens data security by controlling and filtering access to even the virtual private clouds hosted by industry-leading cloud services such as MS Azure. While managing the Azure cloud, customers can also take precautions to detect and prevent suspicious activities. Litera helps you to track and monitor logs, audit system calls, and set up alerts for potential intrusions.

Litera’s systems support the latest secure cypher suites, including TLS 1.2 and later protocols, AES256 encryption, and SHA2 signatures.

Note

Important: Currently, CAM supports and uses TLS 1.2 by default, but allows TLS 1.0/1.1 if the Data Uploader is run on a Windows 2012 Server.

On June 28, 2023, AWS is dropping all support for TLS 1.0/1.1 and this could affect users using Windows Server 2012 or older with the use of Data Uploader.

Windows Server 2016 and above are the natively supported versions with 1.2.


Litera ensures the safety of data at rest by encrypting the data using 256-bit Advanced Encryption Standard (AES-256). This standard is applied to relational databases, file stores, database backups, and so on. Litera even safeguards the encryption keys and processes by encrypting them securely.

Communication in CAM is completely secure as it happens between the AWS and Azure clouds. By default, SSL is set to False in the templates. However, when you set SSL to True, it works only for some regions.


Litera has successfully completed the SOC 2 Type II audit. The customer's sensitive data remains secure. Litera encourages you to use the private subnets to deploy CAM. For more information, see the FAQs section.

As part of our disaster recovery plan, Litera provides secure-tested backups. Data is backed up automatically and the backups are encrypted and stored securely.

...

To Setup SSL on the MYSQL database, set the following on the appconfig.yml in Content Mover:

  • useSSL = True

  • requireSSL = True

...

Syncing Content from M365 to DMS | Configuring Data Sync