Skip to content

Azure Setup

Jump to bottom
Kantemir Tvorogov edited this page Aug 9, 2023 · 1 revision

For now, the only way to set up a full-featured ACUITY instance is to set it up as a bunch of Microsoft Azure applications. A typical ACUITY installation uses several more Azure features. This article describes their setup.

Prerequisites

To follow the instruction, you need a Microsoft Azure account having corresponding access rights in the working directory. You should be able to create and delete app registration entities, virtual machines and network rules for them, storage accounts.

Azure features we use

Virtual Machine

Although ACUITY applications may be installed on any machine with compatible OS and enough resources, normally it is set up on an Azure virtual machine(s). A typical installation looks like this:

  • get to the Virtual Machines service
  • press Add
  • setup and create a new VM (non-mentioned settings may be left in default state):
    • Basics:
      • Resource group should be the same as for all other resources you create for this ACUITY instance
      • Image: Ubuntu Server 18.04 LTS - Gen1
      • Size: Standard_D2s_v3 - 2 vcpus, 8GiB memory
      • Authentication type: Password (enter and keep administration user username and password)
      • Ports: select all available - 22, 80, 443 (but that's not enough; you'll set additional ones later)
    • Disks: 32 Gb standard SSD disk will be enough
    • Networking:
      • Virtual network: create a new one
      • Public IP: create a new one
      • NIC network security group: Basic
      • Public inbound ports: select 22, 80, 443
  • when VM is ready, open its page and:
    • Overview: DNS name - create it
    • Networking: create new rules opening ports 444 and 447 (Add inbound port rule > set corresponding destination port and human-readable name, leave other settings as is) or just update existing rule opening port 443 (you may use comma-separated port lists), or set any other restrictions you need

Enterprise Applications and Active Directory

You need these settings, if you plan to use users authentication and authorization in ACUITY (recommended). You need to create three enterprise application items and update ACUITY Spring configuration files accordingly:

  • get to the App registrations service
  • for each of three main applications (VASecurity, VAHub, AdminUI):
    • press New registration
    • add corresponding human-readable name
    • choose Supported account types: **Accounts in this organizational directory only ** (or another option if it's more suitable in your case)
    • set Redirect URI looking like: https://<your machine DNS name / IP address>:<port>/login (where port is 444 for VASecurity, 443 for VAHub and 447 for AdminUI); if you want to change this setting later, e.g. add more than one redirection URIs, you can find it in the Authentication subpage of your application page
    • press Register
  • open Spring config files: application-azure-sso.yml, vasecurity-azure-sso.yml, vahub-azure-sso.yml, admin-azure-sso.yml (you are going to update them)
  • open page of any newly registered application (e.g. VASecurity) on the Azure portal and then open Overview > Endpoints; application-azure-sso.yml config should be updated with the links on the opened pane:
    • azure.resource.accessTokenUri and azure.client.accessTokenUri: value of OAuth 2.0 token endpoint (v1)
    • azure.resource.userAuthorizationUri and azure.client.userAuthorizationUri: value of OAuth 2.0 authorization endpoint (v1)
    • azure.logoutUrl: use value of OAuth 2.0 authorization endpoint (v1), but REPLACE authorize with logout (result may look like: https://login.microsoftonline.com/b41b8fd0-4e9f-4c26-8a69-f949f367cd6d/oauth2/logout)
    • azure.authorityUrl: use value of OAuth 2.0 authorization endpoint (v1), but REMOVE oauth2/authorize (result may look like: https://login.microsoftonline.com/b41b8fd0-4e9f-4c26-8a69-f949f367cd6d)
  • open page of each newly registered application and fill corresponding Spring config file:
    • azure.resource.clientId and azure.client.clientId: value of Overview > Application (client) ID
    • azure.resource.clientSecret and azure.client.clientSecret: Certificates and secrets > press New client secret and choose a convenient name and suitable expiration period, then press Add, after that copy the Value of new secret (not Secret ID!) and paste it in the Spring config
    • (for VASecurity only) azure.resource.preEstablishedRedirectUri and azure.resource.registeredRedirectUri: Authentication > Redirect URIs > the URI you have configured on the application registration stage

File storage

Source files imported by AdminUI should be placed in some storage, and typically it is a file share in an Azure Storage Account (though other solutions are available too). To set one up and configure ACUITY to use it:

  • get to the Storage account service
  • press New
  • setup and create new storage account (choose a convenient name and suitable region, other settings may basically be kept as they are)
  • open created storage account page and then File shares, create new file share named acuitydata (name does matter in this case)
  • open admin.yml Spring config file
  • open storage account page and then Access keys, press Show keys; admin.yml config should be updated with its data:
    • azure.storage.account: value of Storage account name
    • azure.storage.key: value of key1 > Key

ACUITY Wiki

Deployment and configuration

Actual:

VAHub Overview

Front End

Back End

Q&A

AdminUI Overview

VASecurity Overview

Database

Using application

Get Help

Clone this wiki locally