Set up

Hosting

DATA UNIT Hosting

The Approval Portal is designed as a SaaS (Software-as-a-Service) application. This means it is hosted and maintained by DATA UNIT AG. The Approval Portal is secured by KeyCloak. Below, you can find the infrastructure setup.

In this setup, the whole application is hosted and maintained by DATA UNIT AG. The application is hosted on an ISO 27001 certified cluster. If documents are needed, they can be provided.

KeyCloak

KeyCloak is an Identity Provider and offers the user several options for Single Sign-On (SSO), such as AzureAD, Microsoft Active Directory (LDAP), other social logins (Google, Facebook) or a simple SAP login (database).

Hybrid Hosted

Because the installation of KeyCloak takes a while, it is possible to make a hybrid installation. In this scenario, the Approval will use the KeyCloak hosted on the DATA UNIT AG servers.

In this case, it is not necessary to open ports. Only a valid certificate and internal DNS settings are required.

In this scenario, KeyCloak is maintained by DATA UNIT AG. The Approval Service, including the Ubuntu Server, Kubernetes and the service itself, is not maintained by DATA UNIT AG. It is not possible to install updates over the air.

In this scenario, the Approval Portal is not accessible from outside by default. If the Portal must be accessible from Outside, Firewall Rules are needed.

Self Hosted

As already mentioned, the application is designed as a SaaS application. Sometimes, the customer has some critical security requirements and does not want to open any ports.

For this purpose, it is possible to install the system on-premise. Because this does not align with the standard scenario, additional manpower is required for the installation, which incurs costs. The extent of these costs varies depending on the specifications of the customer's system and will be individually calculated for each installation.

Requirements

  • Ubuntu Server in the latest LTS version is needed (for the best experience, a dedicated VM)

  • Wildcard certificate for the domain

  • Internal DNS entries for

    • keycloak.your-domain.com

    • approval.your-domain.com

In this scenario, KeyCloak, PostgreSQL and the Approval Portal will be installed on a Micro Kubernetes System located on the Ubuntu Server. Everything is maintained by the customer. It is not possible to install updates over the air.

In this scenario, the Approval Portal is not accessible from outside by default. If the Portal must be accessible from Outside, Firewall Rules are needed.

Summary

DATA UNIT Cloud

  Maintained by DATA UNIT: All Services

  Maintained by Customer: n/a

  PRO

  • No extra costs

  • Always updated Software

  • Fastest Setup

  • Accessible everywhere

  • Clustered and High availability Hosting

  Contra

  • Customer needs to open Ports 8080 / 9090

Hybrid Hosted

  Maintained by DATA UNIT: KeyCloak

  Maintained by Customer: Ubuntu Server, Kubernetes, Approval Service

  PRO

  • Compared to Self Hosted, faster installation

  • No need to open Ports

  Contra

  • Not accessible from Outside by Default

  • Customer has to maintain Servers

  • Not clustered

  • No over-the-air Updates

  • Extra Costs if the Customer wants new Updates

Self Hosted

  Maintained by DATA UNIT: n/a

  Maintained by Customer: All Services

  PRO

  • No need to open Ports

  Contra

  • Setup costs are the highest

  • Not accessible from Outside by Default

  • Customer has to maintain Servers

  • Not clustered

  • No over-the-air Updates

  • Whole System is maintained by Customer

  • Extra Costs if the Customer wants new Updates

Installation

DATA UNIT Hosted

The following tasks must be completed before the Approval Service is ready:

  • Create a CNAME DNS entry: approval.my-domain.com → ingress.cloudscale-lpg-2.appuio.cloud

  • Install Approval on the SAP / B1i System

  • Open Ports 8080 and 9090 and whitelist the IP address 185.98.123.195

  • Install the PDF-Service (if needed) on the SAP Server

    • It depends on the CMS System

  • Configure the KeyCloak with your preferred Identity Provider (Azure, Microsoft AD…)

    • For local Identity Providers, such as LDAP, the customer has to open a Port

  • Final configuration of the Approval Portal

  • Run the System
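
The port and whitelist step above can be checked against an exported rule list. This is an added example, not part of DATA UNIT's documentation: it reports any rule set in which ports 8080 and 9090 are reachable from anything other than 185.98.123.195, or not reachable from it at all. The `action source port` rule format, the sample rules and the assumption that the rules come from the perimeter firewall are constructed for illustration; rule ordering is not modelled.

```python
import ipaddress

# From the task list above: the only source that needs ports 8080 and 9090.
ALLOWED_SOURCE = ipaddress.ip_network("185.98.123.195/32")
REQUIRED_PORTS = (8080, 9090)

# Constructed sample rule sets in a made-up "action source port" format.
SAMPLE_TIGHT = ["allow 185.98.123.195/32 8080", "allow 185.98.123.195/32 9090"]
SAMPLE_LOOSE = ["allow 0.0.0.0/0 8080", "deny 0.0.0.0/0 9090"]


def parse_rule(line):
    """Parse one 'allow|deny <source-cidr> <port>' line (hypothetical format)."""
    action, source, port = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    return action, ipaddress.ip_network(source, strict=False), int(port)


def covers_allowed(src):
    """True if the rule's source network contains the whitelisted address."""
    return src.version == ALLOWED_SOURCE.version and ALLOWED_SOURCE.subnet_of(src)


def audit(rule_lines):
    """Return a list of findings; an empty list means the whitelist is exact."""
    rules = [parse_rule(l) for l in rule_lines
             if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    for port in REQUIRED_PORTS:
        allows = [src for action, src, p in rules if action == "allow" and p == port]
        # The whitelisted address must be able to reach the port ...
        if not any(covers_allowed(src) for src in allows):
            findings.append(f"port {port}: {ALLOWED_SOURCE.network_address} is not allowed")
        # ... and no other source should be.
        findings += [f"port {port}: unexpected allow from {src}"
                     for src in allows if src != ALLOWED_SOURCE]
    return findings


if __name__ == "__main__":
    for name, rules in (("tight", SAMPLE_TIGHT), ("loose", SAMPLE_LOOSE)):
        print(name, audit(rules) or "OK")
```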

Hybrid Hosted

The following tasks must be completed before the Approval Service is ready:

  • Install a Ubuntu Server LTS

  • Install Kubernetes

  • Install the Approval Portal on the Kubernetes Cluster

  • Install Traefik on the Kubernetes Cluster

  • Create local DNS Entries for approval.my-domain.com → Ubuntu Server IP-Address

  • Install the PDF-Service (if needed) on the SAP Server

    • It depends on the CMS System

  • Configure the KeyCloak with your preferred Identity Provider (Azure, Microsoft AD…)

    • For local Identity Providers, such as LDAP, the customer has to open a Port

  • Final configuration of the Approval Portal

  • Run the System

Self Hosted

The following tasks must be completed before the Approval Service is ready:

  • Install a Ubuntu Server LTS

  • Install Kubernetes

  • Install the Approval Portal on the Kubernetes Cluster

  • Install Traefik on the Kubernetes Cluster

  • Install the PostgreSQL Database on the Kubernetes Cluster

  • Install the KeyCloak Service on the Kubernetes Cluster

  • Install a valid or self-signed certificate on the Host

  • Create local DNS Entries for approval.my-domain.com → Ubuntu Server IP-Address

  • Install the PDF-Service (if needed) on the SAP Server

    • It depends on the CMS System

  • Configure the KeyCloak with your preferred Identity Provider (Azure, Microsoft AD…)

    • For local Identity Providers, such as LDAP, the customer has to open a Port

  • Final configuration of the Approval Portal

  • Run the System

Security Information

The Approval Page is built with Blazor Server. The Portal itself does not have any database connected. It only shows the user the information that is sent from the B1i. No caching or other optimizer is used.

If your legal department needs the whole dependency list, please contact service@dataunit.ch.

The Portal itself is hosted on OpenShift. The provider is VSHN, which is ISO 27001 certified. If this certificate is required, please contact service@dataunit.ch. The cluster itself runs on the infrastructure of Cloudscale, hosted in Lupfig AG, Switzerland.

Currently, each customer has its own running Pod on the OpenShift system. For the Identity Provider, we use KeyCloak in the latest version. The data stored in KeyCloak depends on the specific setup of each customer. If the customer does not use any other Identity Provider, KeyCloak will store information such as e-mail and password in a PostgreSQL database. The database itself runs on the same cluster. All data is stored only in Switzerland.

The communication between the client's browser and the Approval Service is encrypted with SSL certificates, which are created and renewed automatically by Let's Encrypt. The normal lifespan of a certificate provided by Let's Encrypt is three months.

The communication from the Pod to the B1i depends on the customer infrastructure. For the best security approach, the customer should have a Proxy Gateway, a valid DNS entry and a valid SSL certificate installed on the Gateway. The Approval does not support self-signed certificates.