VERA Deployment with Docker

Install Prerequisites

Install Docker

VERA is designed to run inside Docker containers.  Use the following instructions to install Docker Engine Enterprise on the installation machine.

Note:  This section can be skipped if Docker is already installed on the machine.

  1. The Docker website provides instructions for installing Docker:
    1. Docker CE (recommended for Linux installations):  https://docs.docker.com/install/
    2. Docker EE (recommended for Windows Server installations):  https://docs.docker.com/ee/supported-platforms/

If the docker info command is recognized, then Docker is correctly installed.

Install Docker Compose

Docker Compose is used to setup orchestration between the VERA Server, the VERA Web Portal, and the VERA database.  Use the following instructions to install Docker Compose on the installation machine.

Note:  This section can be skipped if Docker Compose is already installed on the machine.

  1. Go to the following link and follow the instructions provided:
    1. https://docs.docker.com/compose/install/

If the docker-compose --version command is recognized, then Docker Compose is correctly installed.

Install VERA

Pre-configure Storage Locations

VERA uses folder mapping (volume mounting) to create persistent storage outside of the Docker containers.  The first step of installation is to create a folder location for each storage item listed below.  Tx3's default recommendations are provided, but any storage location (drive and/or folder) may be selected.

  1. Create Storage Locations:  Use the following table as guidance to select storage locations for the VERA items listed. You can choose any location you like, or you can follow Tx3's default recommendation. NOTE: For Linux, paths are case sensitive.

    Storage ItemTx3 Recommended Location (Windows)Tx3 Recommended Location (Linux)Description
    MongoDB Data StorageC:\Data\DB
    /var/lib/tx3_services/data/dbThis location will become the internal storage drive for the MongoDB database.
    Tx3 VERA Server Data DirectoryC:\ProgramData\Tx3 Services\
    /var/lib/tx3_services/The folder containing all inputs and outputs for the VERA Server.
    Tx3 VERA Web Portal Data Directory (optional)C:\ProgramData\Tx3 Services\
    /var/lib/tx3_services/The folder containing all inputs and outputs for the VERA Web Portal. Usually this is the same as the VERA Server Data Directory.


  2. Create Folders:  Create the following folders within the Tx3 VERA Data Directory selected above.

    Required Folder NameDescription
    Certificates
    A folder for placing SSL certificates used to enable HTTPS on the VERA Server, VERA Web Portal and SSO communication.
    Configs
    The folder containing the VERA Web Portal configuration file.
    Logs
    The output directory for log files generated by VERA applications.
    Policies
    The folder containing the VERA Server configuration files, such as the Records Management Policy, Approval Policy, and Synchronization Policy.
    UserImports
    A folder for placing CSV files containing user profiles to import. The VERA Server will monitor this folder for new CSV files that are dropped in.
    Mongo-Setup
    A temporary folder for placing setup scripts for the MongoDB database.

    Create folders (sample script)

    sudo mkdir -p /var/lib/tx3_services/data/db
    sudo mkdir /var/lib/tx3_services/Policies
    sudo mkdir /var/lib/tx3_services/Logs
    sudo mkdir /var/lib/tx3_services/UserImports
    sudo mkdir /var/lib/tx3_services/Certificates
    sudo mkdir /var/lib/tx3_services/Mongo-Setup
    sudo mkdir /var/lib/tx3_services/Configs
  3. Stage VERA Policy Files:  Copy your configured Tx3 Policy Files to the Policies directory created in Step 2.

  4. Stage VERA Web Portal Configurations:  Copy config.yaml to the Configs directory created in Step 2.

  5. Stage MongoDB Setup Script:  Copy mongo-users-setup.js to the Mongo-Setup directory created in Step 2.

    You may want to change the default passwords in the script file. If you do, be sure to use the correct passwords in the docker-compose file below.

  6. (Optional) Stage User Import File:  If desired, copy a CSV file containing initial user definitions into the UserImports directory created in Step 2. See Import VERA users

    Sample User import CSV file(userimport.csv)

    User Name,Full Name,Email,Groups,IdP,IdP User Name
    vera_admin,Default VERA Administrator,vera_admin@tx3services.com,System Administrator,VERA,vera_admin:ChangeThis1Pwd

Open TCP/IP Ports

Both the VERA Web Portal and the VERA Server (API) require the ability to receive inbound HTTP traffic.  Each component can accept traffic via HTTP, HTTPS, or both.  

  1. Select Ports:  Select an HTTP and/or HTTPS port for the VERA Web Portal and the VERA Server (API).  Tx3's default recommendations are provided, but any ports may be selected.

    Port

    Tx3 Recommendation

    (HTTP / HTTPS)

    VERA Web Portal80 / 443
    VERA Server (API)8080 / 8443
  2. Configure the installation machine's firewall to open each selected port for incoming traffic.

Create a JWT Certificate

VERA uses JSON Web Tokens (JWT) to securely transmit information between clients and the VERA Server API. These JWTs are digitally "signed" during creation so that their integrity can be verified on subsequent calls without requiring the user to provide login information. A certificate is required to "sign" the JWT. The certificate must be in the PKCS#12 format and can be from a trusted source or a self-signed certificate. The instructions below will create a self-signed certificate in the proper format and upload it to the appropriate location.

  1. Create a Private Key for use in the certificate.

    openssl genrsa -aes256 -out private.pass.pem 2048
    openssl rsa -in private.pass.pem -out key.pem
  2. Create the Self-Signing Request. Enter the information requested during the certificate creation.

    openssl req -new -key key.pem -out server.csr
  3. Generate the Self-Sign Certificate.

    openssl x509 -req -sha256 -days 3650 -in server.csr -signkey key.pem -out jwt.crt

    The -days parameter above sets the expiration date for the self-signed certificate.  We recommend setting the expiration to be 3650 days (approx. 10 yrs), but this can be modified based on your local security requirements.  Setting a shorter expiration only requires the certificate to be regenerated more frequently.

  4. Generate a PFX file from the certificate and private key. Provide a password for the PFX file, and make note of the password for a later use in the installation.

    openssl pkcs12 -export -out jwt.pfx -inkey key.pem -in jwt.crt

    You must provide a password when creating the PFX file. 

  5. Copy the PFX file to the Certificates directory for VERA Server.

Create or Provide a Service Provider Certificate and Private Key

VERA acts as a SAML Service Provider for Single Sign-On. This requires VERA to have a certificate available for signing SAML Requests that are sent to the SAML Identity Provider. The certificates are required for the Web Portal to start up, even if you are not using the SSO feature. The certificate and key must be in the PEM format. The simpliest way to provide these is to use the certificate and key files created above when creating the JWT certificate. If needed, you can follow the instructions below to create a new certificate and key file for the Service Provider.

  1. Create a Private Key for use in the certificate.

    openssl genrsa -aes256 -out sp-private.pass.pem 2048
    openssl rsa -in sp-private.pass.pem -out sp-privatekey.pem
  2. Create the Self-Signing Request. Enter the information requested during the certificate creation.

    openssl req -new -key sp-privatekey.pem -out sp-server.csr
  3. Generate the Self-Sign Certificate.

    openssl x509 -req -sha256 -in sp-server.csr -signkey sp-privatekey.pem -out sp-publiccert.crt
  4. Copy the certificate and private key files to the Certificates directory for VERA Server.
  5. Ensure that the config.yaml file is updated with the correct filenames for the following parameters:
Config.yaml VariableExample Value
samlPrivateKeyFilesp-privatekey.pem
samlPublicCertFilesp-publiccert.crt

Configure Docker Orchestration (Docker Compose)

  1. Download the VERA Docker Compose file for your corresponding operating system:  docker-compose.yml
  2. Place the file in the Tx3 VERA Data Directory selected previously.
  3. Open the file in a text editor.
  4. Configure Storage Volumes:  The file is pre-configured with the Tx3 default recommendations for storage locations (as described above).  If any non-default storage location was selected previously, then update the Docker Compose file as necessary:

    Docker ServiceConfiguration ItemDefault Configuration (Windows)Default Configuration (Linux)
    Vera.MongoMongoDB Data Storage LocationC:\Data\DB/var/lib/tx3_services/data/db
    Vera.ServerTx3 VERA Data DirectoryC:\ProgramData\Tx3 Services/var/lib/tx3_services
    Vera.Web.PortalTx3 VERA Web Portal Data DirectoryC:\ProgramData\Tx3 Services/var/lib/tx3_services


  5. Configure VERA Server Encryption Key:  VERA Server encrypts stored user passwords. You must supply the encryption key for VERA to use to encrypt and decrypt user passwords. The encryption key is stored in the following environment variable of the docker compose file:

    Docker ServiceConfiguration ItemDefault Configuration
    Vera.ServerVERA_SERVER_ENCRYPTION_KEY<Enter an encryption key>
  6. Configure VERA Server JWT Certificate and Password: VERA Server uses JWTs to authenticate users. A certificate must be present on the server in order to validate incoming JWTs. The certificate is stored in the Certificates directory and must be in the PFX format.  A password-protected PFX certificate file should have been created during an earlier step of these instructions.  Provide the filename and password of the generated PFX file in the following environment variables of the docker compose file:

    Docker ServiceConfiguration ItemDefault Configuration
    Vera.ServerVERA_SERVER_JWT_CERT_NAME<JWT Certificate File Name, eg. jwt.pfx>
    Vera.ServerVERA_SERVER_JWT_CERT_PASSWORD<JWT Certificate Password>

    If you use a $ character in your password, you will need to escape the character with another $. E.g. $ would be $$ in the docker-compose file. Quotes may also be needed if using other special characters.

  7. Configure Ports:  The file is pre-configured with the Tx3 default recommendations for TCP/IP ports (as described above).  If any non-default port was opened previously, then update the Docker Compose file as necessary:

    Configuration ItemDefault Configuration
    VERA Server API Port (HTTP)8080
    VERA Server API Port (HTTPS)8443
    VERA Web Portal Port (HTTP)80
    VERA Web Portal Port (HTTPS)443

    (NOTE:  For each modified configuration, be certain to only update the first number in each pair of mapped ports.  The second port number in each configuration is the internal port number of Docker's internal container network.)

Enable/Disable HTTPS for the VERA Web Portal

Choose whether to enable or disable support for HTTPS in the VERA Web Portal.

To Enable HTTPS for Web Portal

  1. Obtain a valid SSL certificate registered for the installation machine's domain name.
  2. Export the server's certificate as a password-protected PFX file, and store the file in the Certificates directory configured previously.
  3. Edit the docker-compose.yml file as follows:

    Docker Environment VariableValue
    VERA_WEB_HTTPS_FILE<PFX file name>

    Example: My-server.pfx
    VERA_WEB_HTTPS_PASS<PFX Password> example: crypticpassword

To Disable HTTPS for Web Portal

Delete the web portal's SSL port mapping configuration from the docker-compose.yml file.   (Unless previously edited, this configuration mapped port 443 to port 443 inside the vera.web.portal service.)

Enable/Disable HTTPS for the VERA Server (API)

Choose whether to enable or disable support for HTTPS in the VERA Server (API).

To Enable HTTPS for API

  1. Export the server's certificate as a password-protected PFX file, and store the file in the Certificates directory configured previously.
  2. Edit the docker-compose.yml file as follows:

    Docker Environment VariableValue
    ASPNETCORE_Kestrel__Certificates__Default__Path<PFX file name>

    example: My-server.pfx
    ASPNETCORE_Kestrel__Certificates__Default__Password<PFX Password> example: crypticpassword

To Disable HTTPS for API

Edit the docker-compose.yml file by changing the following configurations;

  1. Delete the server's SSL port mapping configuration.   (Unless previously edited, this configuration mapped port 8443 to port 5001 inside the vera.server service.)
  2. Delete the ASPNETCORE_Kestrel__Certificates__Default__Path environment variable configuration.
  3. Delete the ASPNETCORE_Kestrel__Certificates__Default__Password environment variable configuration.
  4. Edit the ASPNETCORE_URLS environment variable configuration as follows:
    1. Old Value:https://+:5001;http://+:5000
    2. New Value: http://+:5000

Configure Service Account Credentials

  1. Identify a network service account that has been (or will be) configured to allow VERA to login to the target application (e.g. Jira or qTest).
  2. Open the Synchronization Policy.json file from VERA's configuration policy files.
  3. Under the system configurations, edit the Server property to point to the target server's REST API URL.  (example:  http://jira.example.com:8080/rest/api/latest)
  4. Edit the Service Account property to contain the user ID of the network service account.  
  5. Use the Tx3 VERA Password Encryption Utility to encrypt the network service account's password:
    1. Select an encryption key (at random).
    2. Enter and confirm the encryption key in the utility.
    3. Enter and confirm the password.
    4. Copy the encrypted password to the clipboard.
  6. Edit the Server Password property of the Synchronization Policy to contain the encrypted password.
  7. Edit the VERA JIRA Encryption Key variable of the docker-compose.yml file to contain the encryption key used in Step 5.

Configure a MongoDB Container

  1. Download the MongoDB Docker Compose Setup file:  setup-mongo.yaml

    MongoDB Image Tag

    Make sure the image tag selected for the MongoDB image in the setup-mongo.yaml file matches the image tag in the docker-compose.yml file above.

  2. Place the file in the Tx3 VERA Server Data Directory selected previously.  (NOTE:  It is important that the setup-mongo.yaml file be located in the same directory as the docker-compose.yml file.)
  3. Navigate to the Tx3 VERA Server Data Directory.
  4. Execute the following command:  docker-compose -f ./setup-mongo.yaml up
    1. If you get the error: "Couldn't connect to Docker deamon - is it running?"
    2. Log out of the server, log back in, and start Docker with sudo service docker start
  5. Wait for MongoDB to download and extract, and for the script to complete.  When completed, the user will see a message instructing them to press Ctrl+C to exit.
  6. Use Ctrl + C to exit the script and to stop the MongoDB container.

Download/Launch the VERA Containers

  1. Navigate to the Tx3 VERA Server Data Directory.
  2. Execute the following commands:
    1. docker login veraserver20190209075900.azurecr.io -u fc12bdd5-6753-40b3-a4da-32bc5d451b39 -p bhfV1g0RhN1O~xS-R-Osv67~HO.zeKMbHp
    2. docker-compose up -d
  3. Wait for the MongoDB, VERA Server, and VERA Web Portal services to start.
  4. Verify that you can access the VERA Web Portal at the expected port.

Resources

  File Modified

File config.yaml Uploaded from Companion app

May 22, 2020 by John Berek

File docker-compose.yml Uploaded from Companion app

May 12, 2021 by Henry Farris

File Install-Docker.ps1

Jun 11, 2019 by Former user

File Install-Docker-Compose.ps1

Jun 11, 2019 by Former user

JavaScript File mongo-users-setup.js Uploaded from Companion app

Jul 10, 2019 by John Berek

File setup-mongo.yaml Uploaded from Companion app

Sep 02, 2021 by John Berek

Text File setup-vera-folders.sh.txt

May 27, 2021 by Henry Farris

File sp-privatekey.pem

Apr 09, 2020 by John Berek

File sp-publiccert.crt

Apr 09, 2020 by John Berek

File userimport.csv

May 27, 2021 by Henry Farris

Table of Contents