As of January 30, 2021, Azure is not allowing custom token expiry settings. The conditional access policies determine how the token expires are configured. This requires at least a P1 license in Azure. See the Microsoft link here.

Requirements

• Administrative access to an Azure subscription where you plan to deploy the CAM Azure stack (http://portal.azure.com )

• Administrative access to your organization’s CAM instance.

• Your CAM instance Tenant Id, Client Encrypted Key, and CAM Secret Key. You need to contact Litera’s Customer Care team (Support@litera.com) to obtain the Tenant Id before you start the deployment process. Those keys are unique for each CAM instance. If your organization has multiple CAM instances, then you need to request the keys for each instance separately. If you do not have the Tenant Id create a ticket with Litera’s DevOps or Support team before deploying the Azure Client stack. The Encrypted keys and secret key you can obtain in Microsoft.

Create a Resource Group

1. From the Azure services section, on the Azure portal home page, click on Resource groups to open the resource groups page.

2. Click Create from the Resource groups toolbar.

3. Enter the following resource group details on the Create a Resource group page:

4. Click Review + Create to validate and create new resource groups.

5. Click Next: Tags > to navigate to the next screen. Please skip entering any tags as they aren’t required.

6. Click Review + Create to validate and create new Resource groups successfully. The Validation passed message is displayed if validation passes successfully.

7. When validation passes successfully, click Create to add new Resource groups.

Deploying CAM Azure Stack to the Azure Subscription

1. Using a browser, navigate to the CAM Azure Stack GitHub repository using the URL https://github.com/Prosperoware/cam-azure-deployment -

2. Navigate to the repository home page and click on the Deploy to Azure button as the image shows in this section.

3. The link redirects you to the MS Azure Portal and displays the CAM Azure Stack deployment form.

4. Click the Deploy to Azure button. Log into the Azure user portal. The Custom Deployment screen is displayed.

5. Enter the following project details for your Azure deployment:

6. Click Review + Create - Validates and create the template if the validation passes as displayed in the following screen.

7. If the form is valid, then the message Validation passed will be displayed. Now, click the Create button to start the deployment process.

1. Click Previous to navigate to the previous screen.

2. The deployment process takes a few minutes to complete. The resources are created one after the other.

3. Once the deployment is completed successfully, you can see the following screen.

Flexible Server from Single Server Configuration

These steps are used to convert a single server deployment to the flexible server as designated by Azure.

1. Follow the Microsoft tutorial steps. Tutorial: Migrate Azure Database for MySQL - Single Server to Flexible Server online using DMS via the Azure portal - Azure Database Migration Service | Microsoft Learn

Update the server configuration within the CAM config yml file next.

1. Go to Storage account container.

2. Find application config container (<instanceUniqueName-topLevelDomain>-application-config eg:tenantname-io-application-config).

3. Go to yml folder.

4. Update 3 attributes (host, username, password) with the new flexible server configuration in appconfig yml (appconfig-<environmentStage>.yml) which is in the yml folder.

Note: Single server username format is username@servername eg: abc@mysql-clientname-io

Flexible Server FAQs

1. Why do I need to create a new resource for flexible server and migrate the data?
   Azure Database for MySQL - Single Server is on the retirement path and is scheduled for retirement by September 16, 2024. For more details see this article: https://learn.microsoft.com/en-us/azure/mysql/migrate/whats-happening-to-mysql-single-server

2. How is the connection established to this sql instance?
   CAM Azure functions connect to this SQL instance using the connection string stored in the YML config file.

3. I can’t find any relevant config in the account?
   In the storage account, there should be a bucket with a name ending with “-application-config”, in that bucket, there should be a file with a name that follows the convention “appconfig-<environmentStage>.yml”, that is the file they need to update.

Initialize CAM Azure Stack Configuration

1. After the deployment is completed successfully, CAM Azure Stack needs to be initialized. The initialization URL is in the template deployment output.

2. Click Outputs, from the template deployment page left panel.

3. The following screen is displayed. Copy the initializeFunctionUrl and paste it into your Internet browser’s URL address bar.

4. The initialization function process URL will respond with the initialization status in JSON format. A successful response looks like the following:

5. Display the bucketname.

6. Display the apiEndPointBaseUrl.

Important notes:
a). Ensure that there is only one function app of each type in the resource group.
E.g. There must be only one {}-contentsync-api Function app.
Having multiple function apps of the same type will cause the script to upgrade the jar file in the incorrect function app.
b) A .log file will be created automatically if you execute this script for the first time.

Configure CAM Content Mover to Utilize your Azure Stack

1. The below steps can be done for Content Mover or Data Sync (Content Sync).

2. Navigate to your CAM instance, click Administration > click Content Mover. The following screen appears:

3. Navigate to the Configuration tab, the following screen appears:

4. Click Save to save the configuration.

5. Click Cancel to close the configuration screen without saving any changes to the fields.

6. If using Data Sync, repeat the above steps but after clicking Administration- Data Sync

Configure CAM Data Sync to Utilize your Azure Stack

1. The below steps can be done for Content Mover or Data Sync (Content Sync).

2. Navigate to your CAM instance, click Administration >> click Data Sync, and the following screen appears.

3. Navigate to the Content Sync Settings tab, and the following screen appears:

4. Click Save to save the configuration.

5. Click Cancel to close the configuration screen.

When using Azure Stack, Azure Storage bucket retention rules are used to delete the files from the at rest data using Data Sync or Data Uploader appropriately.

The rules are:

#NameOfRule - Example DeleteAfter30Days
#NumberOfDays - 30
#BlobContainerName - Example : tenantname-contentsync-cmk-encrypted-bucket

#daysafterModificationGreaterThan: = #NumberofDays

"rules": [

{

"enabled": true,

"name": "<#NameOfRule>",

"type": "Lifecycle",

"definition": {

"actions": {

"baseBlob": {

"delete": {

"daysAfterModificationGreaterThan": <#NumberOfDays | Integer>

}

}

},

"filters": {

"blobTypes": [

"blockBlob"

],

"prefixMatch": [

"<#BlobContainerName>/etl-action",

"<#BlobContainerName>/etl-process"

]

}

}

}

]

}

Optional Azure Resources Configurations

Deployment Errors, Workarounds, and Solutions

In this section, we are going to document:

• The errors that occur while deploying Content Mover on the Azure Stack.

• Workarounds/solutions on how to handle these errors and scenarios that can occur during deployment

Finding logs and running queries for troubleshooting on MS Azure

On MS Azure, go to the resource group on the left-top corner click on Logs, and select one of the entries. Entries in this list will be tied to one of these: All Queries, Alerts, Browsing Data, Performance, and Reports Failures.   

Workarounds and Solutions for Common Errors

• The estimated cost can be calculated using the pricing calculator provided by Microsoft at https://azure.microsoft.com/en-in/pricing/calculator/ .

• You can adjust some resources, tiers, and configurations based on their usage, but you should maintain the minimum required configurations as explained in the previous section.

• The image below is an example of the estimated costs using the minimum required resources and settings:

All resources created by CAM Azure Stack will be secured using the Azure standard security. Permission will only be granted to the CAM function apps and other CAM Azure Stack resources in the same resource group. No users, accounts, or external apps will be granted access by default except what the Azure subscription administrator has setup previously (inheritance rules).

The details of permissions are as follows:

• Storage account

  • Reader and Data Access Role: the role is granted to all CAM function Apps.

  • Storage Account Key Operator Service Role: the role is granted to all CAM function Apps.

  • Storage Blob Data Owner Role: The role is granted to all CAM function Apps.

• MySQL Server: no roles assignment or Firewall changes are done by CAM Azure Stack. The database is only accessible by CAM function apps (internally within the same resource group) using the admin username/password created during the deployment process.

• All Other resources: no roles assignment or Firewall changes are done by CAM.

• Allow public access to this Azure resource group through the internet using a public IP address

  • This option allows the firewall to permit connections from specific IP addresses or any Azure service. If Public Access is disabled, the Firewall Rules won't be enforced, and any modifications made to the Firewall will be discarded.
    By choosing above option not all public IPs are allowed. We need to specify some IP and azure service is able to communicate with storage without using VPC
    By uncheck above option, we need to create private endpoints to allow hosts in the selected virtual network to access this server. To ensure successful connections to the server, enable public access with firewall rules or create a private link for the server.

  • For cosmos: If clients need to use private access
    Clinet’s need to configure Azure virtual network and integrate with Azure Functions with configured Azure virtual network by using private endpoints.

Except for the CAM Azure Stack function apps, none of the resources in the resource group will be accessed externally. For the MySQL Database, the option to “Allow access to Azure services” is enabled during the deployment process and all other IPs are restricted by default. Even though the function apps will be accessed externally, those will be accessed by CAM instance only. If you plan to restrict the function apps inbound IP’s, the Litera Customer Care team (support@litera.com) can provide the list of IPs that should be whitelisted based on your CAM instance Zone. The current list of IPs can be found at iManage .

For additional security, the data container in the storage account will be encrypted using Microsoft-managed-keys encryption scope. After the template deployment, this encryption scope can be updated to use your managed keys or to use an encryption with a key in the managed HSM as explained in the following MS article (https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault-hsm ).

Managing Security of the Azure Client Stack

In addition to the strong security provided by MS Azure, Litera strengthens data security by controlling and filtering access to even the virtual private clouds hosted by industry-leading cloud services such as MS Azure. While managing the Azure cloud, customers can also take precautions to detect and prevent suspicious activities. Litera helps you to track and monitor logs, audit system calls, and set up alerts for potential intrusions.

Litera’s systems support the latest secure cypher suites, including TLS 1.2 and later protocols, AES256 encryption, and SHA2 signatures.

Litera ensures the safety of data at rest by encrypting the data using 256-bit Advanced Encryption Standard (AES-256). This standard is applied to relational databases, file stores, database backups, and so on. Litera even safeguards the encryption keys and processes by encrypting them securely.

Litera has successfully completed the SOC 2 Type II audit. The customer's sensitive data remains secure. Litera encourages you to use the private subnets to deploy CAM. For more information, see the FAQs section.

As part of our disaster recovery plan, Litera provides secure-tested backups. Data is backed up automatically and the backups are encrypted and stored securely.

Configuring a token expiration of one year is recommended for security purposes. Upon expiration of the token, the token must be refreshed with CAM manually or updates of the Content Mover software will be prevented from automatically deploying to your environment.

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows

Caution: By design, after successfully adding a client token, the userid and password details associated with that user will show empty if a user tries to edit that client token.