CAM Azure Stack utilizes Microsoft Azure services and resources to provide the ability to move documents and content and sync metadata between multiple Document Management Systems (DMS). CAM Content Mover and Data Sync (Content Sync) use Azure storage blobs as an intermediary place while moving content between the supported Document Management Systems.

To deploy the CAM Azure Stack, you need to deploy the Azure template into your Azure environment. The template deploys a complete solution that contains multiple resources such as function apps, MySQL instances, Blob Storages, and others. These resources are provided and hosted by Microsoft Azure in your Azure account to provide more control over moving content.

Azure & CAM Integration Notes

As of January 30, 2021, Azure is not allowing custom token expiry settings. The conditional access policies determine how the token expires are configured. This requires at least a P1 license in Azure. See the Microsoft link here.

CAM Azure Stack Architecture

Content Mover in CAM uses REST APIs to work with 7 functions, 4 queues, and two triggers to move content.
Data Sync (Content Sync) uses REST APIs to work with 3 functions, 1 queue, and one trigger to sync content.

Prerequisites to the CAM Azure Stack Deployment

Requirements

Administrative access to an Azure subscription where you plan to deploy the CAM Azure stack (http://portal.azure.com )
Administrative access to your organization’s CAM instance.
Your CAM instance Tenant Id, Client Encrypted Key, and CAM Secret Key. You need to contact Litera’s Customer Care team (Support@litera.com) to obtain the Tenant Id before you start the deployment process. Those keys are unique for each CAM instance. If your organization has multiple CAM instances, then you need to request the keys for each instance separately. If you do not have the Tenant Id create a ticket with Litera’s DevOps or Support team before deploying the Azure Client stack. The Encrypted keys and secret key you can obtain in Microsoft.

Deploying and Configuring the CAM Azure Stack

Create a Resource Group

From the Azure services section, on the Azure portal home page, click on Resource groups to open the resource groups page.

2. Click Create from the Resource groups toolbar.

3. Enter the following resource group details on the Create a Resource group page:

Fields	Description
Subscription	Select the appropriate Azure subscription from the dropdown list. A P1 license and Azue Standard must be set as minimal.
Resource groups	Enter a unique name for your resource group in the Resource group field. Note: Resource group names must have only alphanumeric characters, periods, underscores, hyphens, and parentheses and must not have a full stop (.) at the end.
Region	Select the region where you want to create your resource group from the Region drop-down list.

4. Click Review + Create to validate and create new resource groups.

5. Click Next: Tags > to navigate to the next screen. Please skip entering any tags as they aren’t required.

6. Click Review + Create to validate and create new Resource groups successfully. The Validation passed message is displayed if validation passes successfully.

When validation passes successfully, click Create to add new Resource groups.

Deploying CAM Azure Stack to the Azure Subscription

Using a browser, navigate to the CAM Azure Stack GitHub repository using the URL https://github.com/Prosperoware/cam-azure-deployment -
Navigate to the repository home page and click on the Deploy to Azure button as the image shows in this section.
The link redirects you to the MS Azure Portal and displays the CAM Azure Stack deployment form.
Click the Deploy to Azure button. Log into the Azure user portal. The Custom Deployment screen is displayed.

5. Enter the following project details for your Azure deployment:

Fields	Description
Project Details
Subscription	Selects the subscription from the dropdown list. Selects the same subscription used to create the resource group.
Resource groups	Pick the resource group that you created from section 1
Instance Details (Template Parameters) - Includes the following parameters
Region	Displays the region automatically on your created Resource group selection.
Litera Tenant Id	Enter the Tenant id from the received mail.
Litera Encrypted Key	Enter Litera Encrypted Key from the received mail.
Litera Secret Key	Enter Litera Secret Key from the received mail.
Features	You can select one of the features while deploying the Azure Stack: ETL: Deploys Azure Stack for only Content Mover. You can use this feature when you want to move content across DMS systems permanently. Content Sync: Deploys Azure Stack for only Content Sync. You can use this feature when you want to move content to the Azure blob storage temporarily. Both: Deploys both Content Mover and Content Sync operations or features with the Azure Stack. For business continuity, one sets the Content Sync option.
Is Production	Selects the Boolean value from the dropdown list. Tip: Litera recommends to select the True option, if your environment is a production environment. This parameter controls some Azure resources tier.
Note: The Environment Stage, Instance Unique Name, and Top-Level Domain are related to your CAM instance URL. For example: if your CAM instance URL is: http://yourenvironment.prosperowaredev.com, then the Environment Stage is dev, the Instance Unique Name is yourenvironment, and the Top-Level Domain is com.
Environment Stage	Enter the environment stage name. In continuation with the above mentioned example: The Environment Stage would be like: yourenvironment.prosperowaredev.com
Instance Unique Name	Enter an unique instance name. In continuation with above mentioned example: The Instance Unique Name would be like: yourenvironment.prosperowaredev.com Important: The Instance Unique Name must be unique globally which generates your Azure URL like “(instance_name).azurewebsites.net - test.azurewebsites.net”. For subsequent Azure Stack deployments, enter the same instance name that you used during your first deployment in case you are deploying the Azure Stack again. If you enter a different name subsequently, the Azure Stack deployment fails.
Top Level Domain	Enter the Top Level Domain. The Top Level Domain would be like: yourenvironment.prosperowaredev.com
Administrator Login	Enter a new username for Azure CAM Stack MySQL Database admin user.
Administrator Login Password	Provide a password for Azure CAM Stack MySQL Database admin user. Tip: The password must contain at least 9 characters with 2 upper case and 2 numbers. The following special characters are allowed: ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] / < > , . ; ? ' : \| (space)

6. Click Review + Create - Validates and create the template if the validation passes as displayed in the following screen.

7. If the form is valid, then the message Validation passed will be displayed. Now, click the Create button to start the deployment process.

Click Previous to navigate to the previous screen.

2. The deployment process takes a few minutes to complete. The resources are created one after the other.

Fields	Description
Resource	Displays the name of the created resources.
Type	Displays the type of the resources.
Status	Displays the status of resource creation.
Operation details	You can view the details against created resources.

Information: By deploying this template, Microsoft can identify the installation of CAM with the deployed Azure resources. Microsoft can correlate these resources used to support the CAM software. Microsoft collects this information to provide the best product experience and for business operations. Data is collected and governed by Microsoft's policies. Such policies are located at https://www.microsoft.com/trustcenter .

3. Once the deployment is completed successfully, you can see the following screen.

Options	Description
Delete	Click Delete to remove the deployment. Important - DO NOT delete the deployment, Litera or the firm might need the log information in the future to troubleshoot.
Cancel	Click Cancel to cancel the deployment. Warning: Once the deployment is completed successfully, you cannot cancel the deployment. The Cancel option will be disabled.
Redeploy	Click Redeploy to redeploy the template, if the deployment isn’t successfully completed.
Refresh	Click Refresh to re-load all the resources.

Flexible Server from Single Server Configuration

These steps are used to convert a single server deployment to the flexible server as designated by Azure.

1. Follow the Microsoft tutorial steps. Tutorial: Migrate Azure Database for MySQL - Single Server to Flexible Server online using DMS via the Azure portal - Azure Database Migration Service | Microsoft Learn

Update the server configuration within the CAM config yml file next.

Go to Storage account container.
Find application config container (<instanceUniqueName-topLevelDomain>-application-config eg:tenantname-io-application-config).
Go to yml folder.
Update 3 attributes (host, username, password) with the new flexible server configuration in appconfig yml (appconfig-<environmentStage>.yml) which is in the yml folder.

Note: Single server username format is username@servername eg: abc@mysql-clientname-io

Flexible Server FAQs

Why do I need to create a new resource for flexible server and migrate the data?
Azure Database for MySQL - Single Server is on the retirement path and is scheduled for retirement by September 16, 2024. For more details see this article: https://learn.microsoft.com/en-us/azure/mysql/migrate/whats-happening-to-mysql-single-server
How is the connection established to this sql instance?
CAM Azure functions connect to this SQL instance using the connection string stored in the YML config file.
I can’t find any relevant config in the account?
In the storage account, there should be a bucket with a name ending with “-application-config”, in that bucket, there should be a file with a name that follows the convention “appconfig-<environmentStage>.yml”, that is the file they need to update.

Initialize CAM Azure Stack Configuration

After the deployment is completed successfully, CAM Azure Stack needs to be initialized. The initialization URL is in the template deployment output.

Tip: if you have closed the template deployment page, you can still access it by navigating to the created resource group > Click Deployments > Click the link with the name “Microsoft.Template-{deployment_date_time}”.

2. Click Outputs, from the template deployment page left panel.

3. The following screen is displayed. Copy the initializeFunctionUrl and paste it into your Internet browser’s URL address bar.

4. The initialization function process URL will respond with the initialization status in JSON format. A successful response looks like the following:

5. Display the bucketname.

6. Display the apiEndPointBaseUrl.

Tip: If Azure resources are not responding in a timely manner or if you receive an error message, then you can retry the initialization process via the same URL after few minutes.

Updating the Client Stack

Prerequisites

Azure CLI: Ensure Azure CLI is installed on your machine. You can download it from Microsoft here: https://learn.microsoft.com/en-us/cli/azure/
Administrator Access: Open Powershell with the “Run as administrator“ privilege.
Go to the Github repo: https://github.com/Prosperoware/cam-azure-deployment .
Download functionAppsCodeUpdate.ps1
Function App: The function app should already be created in the Client stack otherwise this Powershell script will fail.

Important notes:
a). Ensure that there is only one function app of each type in the resource group.
E.g. There must be only one {}-contentsync-api Function app.
Having multiple function apps of the same type will cause the script to upgrade the jar file in the incorrect function app.
b) A .log file will be created automatically if you execute this script for the first time.

Executing the Script

Azure login:

If you haven’t logged in via az login , The script will prompt you to log in through a browser. Please use the Azure account associated with your client stack deployment.
1. If the wrong account is used , you will be prompted to log in again , with up to three attempts allowed.

Resource group Input:

The script will prompt you to enter the resource group name where your stack is deployed.
1. If an incorrect resource group is entered, you will be prompted to re-enter the correct name, with up to three attempts allowed.

Function App Identification:

The script will list all function apps targeted for the JAR upgrade.
It will automatically determine whether to update ETL (Content Mover), ContentSync (Data Sync), or both options, based on the function apps present in your resource group.

Logging:

The script will maintain a log file named CAM_Azure_Stack_log_timestamp.txt to record the latest operations
Older logs will be deleted each time the script runs.

File Management:

The script will download and upload the ZIP file from the same directory where 'functionAppsCodeUpdate.ps1' is located.

Upgrading Jar Files:

After running the functionappsCodeupdate script the jar files will be updated automatically.

Configure CAM Content Mover

Configure CAM Content Mover to Utilize your Azure Stack

Warning: Before starting this process, you need some information from the template deployment output as well as the keys from the email received from Litera Customer Care.

The below steps can be done for Content Mover or Data Sync (Content Sync).

2. Navigate to your CAM instance, click Administration > click Content Mover. The following screen appears:

3. Navigate to the Configuration tab, the following screen appears:

Fields	Description
Choose Cloud Provider	Selects “Azure“ from the list.
Choose Storage	Displays automatically based on cloud provider value.
Choose Storage Type	Selects the Private Encrypted Storage as storage type.
Bucket Name	Enter the Bucket name.
API Endpoint Base Url	Enter the API Endpoint Base Url.
API Secret Key	Enter the API Secret key which is received in your email.
Validate	Click “Validate” to validate the form data. If the form data is correct, then the message “Validated successfully” will be displayed.

4. Click Save to save the configuration.

5. Click Cancel to close the configuration screen without saving any changes to the fields.

6. If using Data Sync, repeat the above steps but after clicking Administration- Data Sync

Configure CAM Data Sync

Configure CAM Data Sync to Utilize your Azure Stack

Warning: Before starting this process, you need some information from the template deployment output as well as the keys from the email received from Litera Customer Care.

The below steps can be done for Content Mover or Data Sync (Content Sync).

2. Navigate to your CAM instance, click Administration >> click Data Sync, and the following screen appears.

3. Navigate to the Content Sync Settings tab, and the following screen appears:

Fields	Description
Choose Cloud Provider	Selects “Azure“ from the list.
Choose Storage	Displays automatically based on cloud provider value.
Choose Storage Type	Selects the Private Encrypted Storage as storage type.
Bucket Name	Enter the Bucket name.
API Endpoint Base Url	Enter the API Endpoint Base Url.
API Secret Key	Enter the API Secret key which is received in your email.
Validate	Click “Validate” to validate the form data. If the form data is correct, then the message “Validated successfully” will be displayed.

4. Click Save to save the configuration.

5. Click Cancel to close the configuration screen.

Storage Bucket Retention Rules and Deletions

When using Azure Stack, Azure Storage bucket retention rules are used to delete the files from the at rest data using Data Sync or Data Uploader appropriately.

The rules are:

#NameOfRule - Example DeleteAfter30Days
#NumberOfDays - 30
#BlobContainerName - Example : tenantname-contentsync-cmk-encrypted-bucket

#daysafterModificationGreaterThan: = #NumberofDays

"rules": [

{

"enabled": true,

"name": "<#NameOfRule>",

"type": "Lifecycle",

"definition": {

"actions": {

"baseBlob": {

"delete": {

"daysAfterModificationGreaterThan": <#NumberOfDays | Integer>

}

},

"filters": {

"blobTypes": [

"blockBlob"

],

"prefixMatch": [

"<#BlobContainerName>/etl-action",

"<#BlobContainerName>/etl-process"

]

}

]

}

Optional Azure Resources Configurations

Azure Resource	Azure Sub-Resources	CAM Required Configuration (Should not be changed)	Optional Configurations that can be changed without affecting the functionality
Storage Account		Storage Account Name: The auto-generated name Type of storage account: Standard general-purpose v2 Redundancy: RAGRS Minimum TLS Version: TLS 1.2 AllowBlobPublicAccess: True AllowSharedKeyAccess: True Network ACLs: Allows Litera AWS IP addresses Supports Https Traffic Only: True Encryption: File Encryption: True Blob Encryption: True AccessTier: Hot	Tier: Any tier above Standard should be fine.
	Encryption Scopes	Encryption Scope Name: The auto-generate name State: Enabled Source: Microsoft.Storage
	BLOB Service	Name: Standard_RAGRS Tier: Standard Delete Retention Policy: False	CORSRules: Not set out of the box.
	BLOB Service / Configuration Container	DefaultEncryptionScope: $Account-encryption-key DenyEncryptionScopeOverride: False PublicAccess: None
	BLOB Service / Data Container	DefaultEncryptionScope: DataAtRest DenyEncryptionScopeOverride: True PublicAccess: None
	Management Policies	Enabled: True Name: LifecyclePolicy Type: Lifecycle Actions: Delete BlockBlob: DaysAfterModificationGreaterthan: 30
	Role Assignments	principaltype: ServicePrincipal
Azure DB for MySQL	Server	Server Name: The auto-generate name Compute generation: G5 Tier: Basic Family: Gen5 Capacity: 1 Storageautogrow: Enabled SSLEnforcement: Disabled minimalTLSVersion: TLSEnforcementDisabled infrastructureEncryption: Disabled publicNetworkAccess: Enabled	Tier: At least Basic is required. Storage Size: At least 40 GB if used for ETL (Content Mover) only. For Content Sync, the minimum should be 40 GB + the current documents size. Set StorageMB parameter. 30720 is the out of the box MB size. vCores: at least 1 - 2 vCores. Memory per vCore: At least 2 GB. BackupRetentionDays:7 georedundantbackup: Disabled
	FirewallRules	AllowAllWindowsAzureIps: True startipaddress: 0.0.0.0 endipaddress: 0.0.0.0
	Databases	Charset: UTF8 Collation: UTF8_General_ci
	Accounts	DefaultExperience: Core(SQL) PublicNetworkAccess: Enabled EnableMultipleWritelocations: False IsVirtualNetworkFilterEnabled: False VirtualNetworkRules:[] disablekeybasedmetadatawriteaccess: False enablefreetier: False enableanalyticalstorage: False databaseaccountoffertype: Standard Defaultconsistencylevel: Strong maxIntervalinSeconds: 5 MaxStalenessPrefix: 100 failoverpriority: 0 iszoneredundant: False cors name: EnableServerless backuppolicy type: Periodic	backupintervalinminutes: Sets the backup interval in mins. Default is 240 mins. backupretentionintervalinhours: Sets the backup interval in hrs. Default is 8hrs. EnableAutomaticFailover: Sets if an automatic failover is present. Default is false.
	SQLDatabases	resource id: ‘commonid’	useSSL = True, requireSSL = True in appconfig yml
Azure Cosmos DB account	Cosmos Containers: cosmostenantdb -etl-auth -etl-job -etl-job-items -etl-mapping -etl-officesubscription -systemauth -contentsync-auth -contentsync-job -contentsync-notifications -contentsync-tokens -contentsync-users	Indexing mode: consistent automatic: True partitionkey kind: Tash conflictresolutionpolicy mode: LastWriterWins
App Service Plan	Function Apps -etl-api -etl-mapping -etl-process -etl-renewal functionapplogs	enabled: True retentionpolicy enabled: True days: 7
Application Insights	Components	Application_type: Web Ingestionmode: applicationinsights publicnetworkaccessforingestion: Enabled publicnetworkaccessforquery: Enabled enabled: True sslstate: Disabled hosttype: Standard, Repository scmsitealsostopped: False clientaffinityenabled: False clientcertenabled: False hostnamesdisabled: False dailymemorytimequota: 0 httpsonly: False redundancymode: None	containersize: Sets the container size in the component. Default is 1536
ServerFarms		Tier: Dynamic Size: Y1 Family: Y Capacity: 0 persitescaling: False maximumelasticWorkercount: 1 isspot: False reserved: False isXeon: False hyperv: False targetworkercount: 0 targetworkersizeid: 0
Service Bus Namespace	Queues -etl-process-v1 -etl_mapping _worker_start	lockduration: PT5M requiresDuplicateDetection: False requiressession: False defaultmessagetimetolive: P14D deadLetteringonMessageExpiration: False enableBatchedOperations: Frue duplicateDetectionHistoryTimeWindow: PT10M maxdeliverycount: 1 Status: Active AutodeleteonIdle: P10675199DT2H48M5.4775807S Enablepartitioning: False enableexpress: False	Max Size (ETL/ Content Mover) -Sets the size of the queue. Default is 1024MB Max Size (ContentSync) -Sets the size of the queue. Default is 5120MB
	General	Tier: Standard ZoneRedundant: False
	Rules	Rights: Listen, Manage, Send
	Topics	requiresDuplicateDetection: False defaultmessagetimetolive: P14D enableBatchedOperations: True duplicateDetectionHistoryTimeWindow: PT10M Status: Active Supportordering: True AutodeleteonIdle: P10675199DT2H48M5.4775807S Enablepartitioning: False enableexpress: False	Max Size (ETL/ Content Mover) -Sets the size of the queue. Default is 1024MB
	Subscriptions	lockduration: PT30S requiressession: False defaultmessagetimetolive: P14D deadletteringonmessageexpiration: False deadletteringon filterevalutationexceptions: False maxdelverycount: 1 status: Active enablebatchedoperations: True autodeleteonidle: P14D
	Role Assignments	principaltype: ServicePrincipal
Deployments		Scope: Outer Mode: Incremental templatelink: ttps://raw.githubusercontent.com/Prosperoware/cam-azure-deployment/

Deployment Errors, Workarounds, and Solutions

In this section, we are going to document:

The errors that occur while deploying Content Mover on the Azure Stack.
Workarounds/solutions on how to handle these errors and scenarios that can occur during deployment

Finding logs and running queries for troubleshooting on MS Azure

On MS Azure, go to the resource group on the left-top corner click on Logs, and select one of the entries. Entries in this list will be tied to one of these: All Queries, Alerts, Browsing Data, Performance, and Reports Failures.

Workarounds and Solutions for Common Errors

Error	Solution
504 Gateway Error	Try the deployment again with the same parameters.
Bad Password on MYSQL	Change the password. Do not use reserved keywords such as user, admin, root in username or a very long username. Once the password has been changed, try the deployment again.
Character Length Validation failure	To use a small prefix on the instance unique name.
Stack Failure due to a Git download issues	Try the deployment again with the same parameters.
Stack update/create failure due to locks acquired on the resources	Stop the function app that is currently running and try the deployment again in five minutes. Once the deployment is successful start the function app again.

Azure Pricing and Cost Calculator

The estimated cost can be calculated using the pricing calculator provided by Microsoft at https://azure.microsoft.com/en-in/pricing/calculator/ .
You can adjust some resources, tiers, and configurations based on their usage, but you should maintain the minimum required configurations as explained in the previous section.
The image below is an example of the estimated costs using the minimum required resources and settings:

CAM Azure Stack Security

CAM Azure Stack Security and Permissions

All resources created by CAM Azure Stack will be secured using the Azure standard security. Permission will only be granted to the CAM function apps and other CAM Azure Stack resources in the same resource group. No users, accounts, or external apps will be granted access by default except what the Azure subscription administrator has setup previously (inheritance rules).

The details of permissions are as follows:

Storage account

Reader and Data Access Role: the role is granted to all CAM function Apps.
- Storage Account Key Operator Service Role: the role is granted to all CAM function Apps.
- Storage Blob Data Owner Role: The role is granted to all CAM function Apps.

MySQL Server:

No roles assignments or firewall changes are performed by the CAM Azure Stack. The database should only be accessible by CAM function apps deployed within the same resource group, using the admin username/password created during the deployment process. Configurations to secure the flexible server have changed slightly since the retirement of Single Server instances.
- To configure security for CAM MySQL flexible servers:
  1. Log in to the Azure Portal.
  2. Select the Azure Database for MySQL flexible server instance dedicated to CAM.
  3. On the Azure Database for MySQL flexible server page, under the Settings heading, select Networking.
  4. If a VNet is available in your subscription and you plan to use a private endpoint for secure connectivity:
    1. Under Public access, ensure the checkbox for "Allow public access to this resource through the internet using public IP address" is unchecked.
    2. For the Connectivity method, select "Private endpoint (VNet Integration)" and configure a private endpoint for secure connectivity within your Virtual Network.
    3. Add your VNet or subnet to the VNet firewall rules to enable access for CAM Azure Function Apps.
  5. If VNet is not available in your subscription or you are not planning to use a private endpoint:
    1. Under Public access, ensure the checkbox for "Allow public access to this resource through the internet using public IP address" is checked.
    2. For the Connectivity method, select "Public access (allowed IP addresses) and Private endpoint".
    3. Under Firewall rules, turn on the setting for “Allow access to Azure services” to enable connectivity for Azure services. Be aware this option allows access from any Azure service, not just those within the same resource group.
  For additional information and guidance, please refer to the following Microsoft Knowledge Articles:
- Deny Public Network Access
- Public Network Access
- Manage firewall rules
All Other resources: no roles assignment or Firewall changes are done by CAM.
Allow public access to this Azure resource group through the internet using a public IP address
- This option allows the firewall to permit connections from specific IP addresses or any Azure service. If Public Access is disabled, the Firewall Rules won't be enforced, and any modifications made to the Firewall will be discarded.
  By choosing above option not all public IPs are allowed. We need to specify some IP and azure service is able to communicate with storage without using VPC
  By uncheck above option, we need to create private endpoints to allow hosts in the selected virtual network to access this server. To ensure successful connections to the server, enable public access with firewall rules or create a private link for the server.

For cosmos server:

No roles assignments or firewall changes are performed by the CAM Azure Stack. We can connect to Cosmos server using 2 options
1. Public access:
  If a VNet is available in your subscription and you plan to use a private endpoint for secure connectivity:
  a. Select “public access“ under networking.
b. Select "Selected network (VNet Integration)" and configure an endpoint for secure connectivity within your Virtual Network.
c. Add your VNet or subnet to the VNet firewall rules to enable access for CAM Azure Function Apps.
If a VNet is not available in your subscription
- Select “All networks“.
- Please keep in mind this will allow all networks, including the internet, can access this Azure Cosmos DB account.
- Private endpoint
  a. Select “private endpoint“ under networking.
  b. Use private endpoints to privately connect to a service or resource. Your private endpoint must be in the same region as your virtual network but can be in a different region from the private link resource that you are connecting to.
- For additional information
Public access
Private access

Additional info:

Except for the CAM Azure Stack function apps, none of the resources in the resource group will be accessed externally. For the MySQL Database, the option to “Allow access to Azure services” is enabled during the deployment process and all other IPs are restricted by default. Even though the function apps will be accessed externally, those will be accessed by CAM instance only. If you plan to restrict the function apps inbound IP’s, the Litera Customer Care team (support@litera.com) can provide the list of IPs that should be whitelisted based on your CAM instance Zone. The current list of IPs can be found at iManage .

For additional security, the data container in the storage account will be encrypted using Microsoft-managed-keys encryption scope. After the template deployment, this encryption scope can be updated to use your managed keys or to use an encryption with a key in the managed HSM as explained in the following MS article (https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault-hsm ).

Managing Security of the Azure Client Stack

In addition to the strong security provided by MS Azure, Litera strengthens data security by controlling and filtering access to even the virtual private clouds hosted by industry-leading cloud services such as MS Azure. While managing the Azure cloud, customers can also take precautions to detect and prevent suspicious activities. Litera helps you to track and monitor logs, audit system calls, and set up alerts for potential intrusions.

Litera’s systems support the latest secure cypher suites, including TLS 1.2 and later protocols, AES256 encryption, and SHA2 signatures.

Important: Currently, CAM supports and uses TLS 1.2 by default, but allows TLS 1.0/1.1 if the Data Uploader is run on a Windows 2012 Server.

On June 28, 2023, AWS is dropping all support for TLS 1.0/1.1 and this could affect users using Windows Server 2012 or older with the use of Data Uploader.

Windows Server 2016 and above are the natively supported versions with 1.2.

Litera ensures the safety of data at rest by encrypting the data using 256-bit Advanced Encryption Standard (AES-256). This standard is applied to relational databases, file stores, database backups, and so on. Litera even safeguards the encryption keys and processes by encrypting them securely.

Communication in CAM is completely secure as it happens between the AWS and Azure clouds. By default, SSL is set to False in the templates. However, when you set SSL to True, it works only for some regions.

Litera has successfully completed the SOC 2 Type II audit. The customer's sensitive data remains secure. Litera encourages you to use the private subnets to deploy CAM. For more information, see the FAQs section.

As part of our disaster recovery plan, Litera provides secure-tested backups. Data is backed up automatically and the backups are encrypted and stored securely.

While upgrading your Azure Stack deployment with a new build, you can find the parameters of your past deployments on the Inputs tab of the Microsoft Templates page.

SSL for the MySQL Database

To Setup SSL on the MYSQL database, set the following on the appconfig.yml in Content Mover:

useSSL = True
requireSSL = True

Creating a Personal Access Token:

Log into Azure DevOps at the https://dev.azure.com/
In the right-hand corner select User Settings and then Personal access tokens

Create the PAT for the deployment - This token will be used only for the setup and the Expiration can be set for only 1 day.

a. Select the New Token option.

b. Select a Name for the token, and organization where you will deploy, and expiration. For the expiration select one day using the Custom Defined option.

c. In the scope section select:

Agent Pools	Read & manage
Build	Read & execute
Code	Read & write
Connected Server	Connected Server
Deployment Groups	Read & manage
Environment	Read & manage
Project & Team	Read, write & manage
Release	Read, write, execute & manage
Secure Files	Read, create & manage
Service Connections	Read, query & manage
Variable Groups	Read, create & manage

Create PAT for push code (Service account)

a. Select New Token”option.

b. Select a Name for the token, organization where you will deploy, and expiration. For the expiration, select at least 12 months. This token will have to be rotated when it is close to the expiration date.