$ docker logout && docker login
username: iriusrisk
password: USE_YOUR_ACCESS_KEY_HERE

Login succeeded

Overview

IriusRisk consists in the next components:

1. A reverse proxy to terminate SSL connections and implement HTTP header security. I.E: Nginx.
2. A Servlet 3.0 compliant Java application server to host the .war. I.E: Tomcat.
3. A python 3.8 application extending Iriusrisk functionalities as a microservice. I.E: Startleft
4. A PostgreSQL database.

To facilitate easy deployment for the OnPrem version, the reverse proxy (Nginx), the application server (Tomcat) and python application (Startleft) are provided through Docker images and downloaded from our private Dockerhub repository. However, even if Docker is used for these two components we recommend using an external PostgreSQL database instead of a Dockerized DB instance.

Hardware Requirements

1. Single Server:
   All three components: reverse proxy, application server and database can be deployed on the same server.  The following hardware is recommended for such a deployment:
   • Quad core Intel Xeon at least 3.0Ghz
   • 16Gb RAM
   • 8 GB of disk space for the Application server
   • 230GB SSD available for the database's data volume

• High Availability configuration:
  The web application is stateful, and either requires a load balancer with sticky sessions enabled, or a clustered Tomcat instance.  We recommend the former due to ease of management and the ability to scale horizontally simply.
  The database can also be deployed in a high availability configuration. You can find PostgreSQL documentation here.
  The general view of the HA configuration would be:
  • Load balancer/reverse proxy with sticky session enabled.
  • Multiple Tomcat instances, either using our docker images or native Tomcat instances.
  • Databases in HA configuration as per the DB vendor guidelines
    
    The hardware requirements for this setup are:
  • Application servers:
    • Quad core Intel Xeon at least 2.0Ghz
    • 8 GB RAM
  • Database servers:
    • Quad core Intel Xeon at least 2.0Ghz
    • 8 GB RAM
    • 230GB SSD available for the database's data volume

Software Requirements

1. A server (Cloud, on premises, etc.) needs to be available with Linux* pre-installed.
2. Root access to the server to install and configure packages. 
3. Docker (20.10+)  and Docker Compose (1.29.x) installed and properly configured. 
4. The server has to have access to hub.docker.com (Docker Hub).
5. An access token provided by IriusRisk to access private repos.
6. PostgreSQL (11+) up and running and a user with admin privileges (on the same system or reachable by the server).  
7. Port 443 needs to be exposed and reachable from the machines that are going to connect to IriusRisk. 
8. We do provide a temporary self-signed certificate for the HTTPS access.Then, a custom certificate is needed (certificate and its private key in PEM format). 

* CentOS-based, Debian-based, AWS Linux are well supported (RHEL 8+ does NOT support docker).

Installation

IriusRisk has docker based installation. We provide you with an updated and optimized for IriusRisk Nginx and Tomcat containers orchestrated with a docker-compose.

The database is a critical component of the stack. For performance reasons we recommend having a separate server with native PostgreSQL database installation.

General PostgreSQL configuration steps

   1. Install the database server following the PostgreSQL official instructions for your distribution: https://www.postgresql.org/download/

Ensure that the database is accessible from the application server (network firewall, security groups, IPtables or other security measures)

(NOTE: For PostgreSQL versions 13 and 14 md5 encryption will need to be enabled in the postgres.conf file BEFORE creating the DB and DB user)

Edit postgres.conf file inside the postgresql data folder, find the line with the listen_address directive and add the proper listening network interface:

listen_addresses = 'localhost, DB_HOSTS_IP_ADDRESS'

If you are unsure what your interface is or you want postgres to listen on all interfaces you can use:

listen_addresses = '*'

To enable password based authentication, edit the hba.conf file and add at the bottom the line:

host all      all  172.17.0.0/24    md5

Substituting "172.17.0.0/24" with the docker network interface address where the Tomcat server will reside.  If you plan to use the Tomcat in Docker option, then "172.17.0.0/24" is correct as is, since that's the address of the docker containers.

If you are unsure what your interface is or you want postgres to allow password authentication from all sources, you can use: 

host all      all  0.0.0.0/0    md5

   2. Run the psql command line tool as the postgres user: 

sudo su - postgres
psql  

    3. Create a database user with createdb privileges using the following PSQL command:

create user iriusprod with createdb password 'alongandcomplexpassword2523';

   4. Create a database and assign it to this user with the following PSQL command:

create database iriusprod with owner='iriusprod';

   5. You may exit psql now and go back to your regular user with:

\q
exit 

   6. Ensure that the database service is started automatically when the server starts using your operating system specific directives (like systemctl enable or chkconfig on).

IriusRisk Docker Stack

1. Install docker using your system repositories or the official docker installation instructions here.
2. Install docker-compose using the official docker-compose installation instructions here.
3. Download the docker-compose file here.
4. Customize the docker-compose file.
   On the Nginx section: You need to edit "NG_SERVER_NAME" with the application endpoint Iriusrisk will be listening (as set in the postgres.conf file, even if the database is installed on the same host as the docker containers, this needs to be a real IP of the DB and not 'localhost').
   On the Tomcat section: You need to edit "IRIUS_DB_URL" with the JDBC string with proper IP and user password to connect to your database and "IRIUS_EXT_URL" with the application endpoint Iriusrisk will be listening (as set in the postgres.conf file, even if the database is installed on the same host as the docker containers, this needs to be a real IP of the DB and not 'localhost'). Also, by default "STARTLEFT_URL" is set up according with provided docker-compose architecture, if this architecture is changed, it could be necessary to edit "STARTLEFT_URL".
5. Generate Elliptic Curve Cryptography (ECC) key to identify the server with:

   $ openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem

6. Create a directory on the server and ensure you have the following files:

$ ls
cert.pem
docker-compose.yml
key.pem
ec_private.pem

The files for the TLS certificate must be named cert.pem and key.pem and must have the certificate and the key in PEM format generated by a trusted CA authority.

"cert.pem" must contain the certificate with the chain and "key.pem" should contain the private key.
If you are evaluating IriusRisk on localhost and a self signed certificate is enough for you, you can use these (WARNING DO NOT USE THIS ON PRODUCTION, JUST FOR TESTING PURPOSES): cert.pem and key.pem

$ docker-compose up -d 

Nginx will listen on ports 80 and 443, all requests to port 80 will be redirected to 443. It will terminate the TLS connection and also inject several HTTP security headers, for more info please see the Nginx config file within the container: 

$ docker exec CONTAINER_ID cat /etc/nginx/conf.d/irius.conf 
#You can get the CONTAINER_ID by executing $ docker ps

Keep in mind the first time IriusRisk runs it can take some time at creating the database tables and items it needs.

Optional: We provide you with Ansible Playbook that is automating this type of IriusRisk deployment. For more info please follow this link.

Alternative installation options

In some production environments there maybe specific needs for installation options that we provide in a separate article.