Install i-refactory Server
In this section we will guide you through the setup and configuration of the i-refactory server, the web application and optionally the OAuth2 server. The Solution Overview briefly introduces what these components do and how they interact.
Before you begin
Before you continue installing i-refactory server please make sure the following prerequisites are met.
1. A host system is available
You should have system administrator access to a host system on which NodeJS is supported. The host system should have at least the following minimal resources.
- Minimal 2 Gbyte of internal memory. In extreme high load scenario's you should increase the amount of memory.
- A dedicated fast quad core CPU.
- A low latency network connection to your database server.
{info} As a best practice you should install a single i-refactory server per (virtual) host.
2. Required SSL certificates are available
Our i-refactory servers run as HTTPS servers. You need to have a valid SSL certificate and SSL key file available. Our servers need read access to these files. You should check with your security officer regarding the policies of generating SSL certificates.
For development and testing you could create a self signed certificate. If you have openssl available here is an example how to create a certificate for the localhost domain.
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout server.key \
-new \
-out server.crt \
-subj /CN=localhost \
-reqexts SAN \
-extensions SAN \
-config <(cat /System/Library/OpenSSL/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
-sha256 \
-days 365This command generates two files server.key and server.crt.
The client operating system or browser now needs to have the CA certificate added to its list of trusted root authority certificates. The instructions vary by operating system and browser but instructions for a few major clients are listed below. For all these steps the 'certificate' referred to is the 'server.crt'.
| Client | Instruction |
|---|---|
| Windows | Right click the server.crt certificate file and select 'Install Certificate'. Follow the prompts to add the certificate to the trust store either for the current user only or all users of the computer. |
| Mac | Open KeyChain and drag the file server.crt into KeyChain. Set the certificate to trusted. |
| Linux - Ubuntu | sudo cp ~/server.crt/usr/local/share/ca-certificates/sudo update-ca-certificatesSee Ubunbtu help for more information. |
3. You have access to the SQL Server instance
Your DBA should provide you with:
- The hostname and port of the SQL Server instance where the i-refactory metadata repository is installed.
- The application username and password with which you can connect to the SQL Server instance.
- The name of the database where the i-refactory metadata repository is installed.
4. OAuth2 Server
The i-Refactory requires an Identity and Access Management (IAM) system that supports the OAuth2 protocol for the authentication and authorization. In the absence of an external IAM system, the i-Refactory comes with a slim OAuth2 server.
External Identity and Access Management system
When using an external Identity and Access Management system, it needs to support the OAuth2 protocol to integrate it with the i-Refactory. For the configuration you need to require the following information:
- Authorization endpoint URI. This is the URI of your OAuth2 server we will use in our web application for an authorization request.
- Token endpoint URI. This is the URI of your OAuth2 server we will use for a token request.
- The public key file, the location and the encryption method used, or the JSON Web Key Set (JWKS) uri containing the public keys. Our i-refactory server needs access to the public key(s) so it can decrypt the access token and check it's validity.
- Whether the authorization server mandates the use of the Proof Key for Code Exchange (PKCE) extension in the Authorization code grant flow.
- The scope value the authorization server expects in order to request the permissions (roles) of the user.
- Which access token claim the UI server should utilize for displaying the authenticated user
- (optional) The expected value that the OAuth server sets in the
issuer&audienceclaim of the access token. - (optional) The Sign out endpoint URI. This is the URI of the OAuth2 server we will use for a sign out request.
i-Refactory OAuth2 server
For using the i-refactory OAuth2 server we need to have read access to a private and public RSA key pair.
There are many ways to create RSA keys. OpenSSL is one of the most popular libraries for key creation and management:
# Generate a private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
# Derive the public key from the private key
openssl rsa -pubout -in private_key.pem -out public_key.pemThe private key file private_key.pem will be used in our OAuth2 server to sign the JWT token.
The publicy key file public_key.pem will be used in our i-refactory server to check if the generated JWT token is not tampered with.
5. NodeJS
The i-refactory server, i-refactory OAuth2 server and i-refactory web application are all build in NodeJS. NodeJS applications can be run on almost any platform. All of these components run as HTTPS servers.
The i-refactory servers always run against a Long Term Support release of NodeJS. In our Release Notes Overview you can see which NodeJS version is required for the given i-refactory server release.
You can download the LTS version of NodeJS at Download NodeJS. To download a previous LTS version check this Download Previous Releases of NodeJS.
Follow the install instructions for your platform.
You can check if NodeJS is available by entering the following command in your terminal:
node --versionIt should return the installed LTS version, for example: v12.14.1.
6. ODBC driver
The i-refactory uses an ODBC for the file based export functionality.
Microsoft provides a installation guide for the SQL Server ODBC driver (manager) for various platforms Microsoft ODBC Driver for SQL Server.
Follow the install instructions for your platform.
You can check if ODBC Driver Manager and the ODBC driver for SQL Server is available by entering the following command in your terminal:
odbcinst -q -dIt should return the installed ODBC for SQL Server version, for example: ODBC Driver 18 for SQL Server.
7. Configure the DSN
The connection properties for the ODBC driver are specified in the DSN. The i-Refactory will reference to a DSN to establish the connection to the database.
A DSN can be on system, user or file based level defined. The different types are explained in the Microsoft documentation: Documentation DSN
Depended on the Operating System and additional installed tools the DSN can be configured using a GUI. If not installed, it can configured using a text editor. The following command can be used to obtain the location of the DSN config files.
odbcinst -jThe documentation of DSN parameters for SQL Server are specified on Microsoft ODBC DSN parameters.
An example of the DSN configuration,
[dsn-sql-server-db] # Name of the DSN
Driver=ODBC Driver 18 for SQL Server # The used SQL Server driver.
Server=sql-server-db # The host address of the SQL Server
APP=iRefactory export # Name of the application.
ApplicationIntent=ReadOnly # Informs SQL Server that it can be routed to a read-only replica (if exists).
Database=IR_GDAL # The database to connect to.
TrustServerCertificate=yes # To trust self-signed certificates. i-Refactory installation steps
1. Create a folder
You should create a folder on your host filesystem where we are going to install the i-refactory server software and where you can store your configuration files and optionally store your SSL certificates and required key files.
The folder structure we suggest:
i-refactory\
config\
crypto\
dist\In the config folder you should store your configuration files.
In the crypto folder you should store the SSL certificate and key file and the public RSA key file.
2. Unpack i-refactory server folder
From the provided installation zip file unpack the folder i-refactory-engine to the folder i-refactory\dist.
3. Create a configuration file
Our i-refactory server requires a configuration file. The configuration file is a JSON document which contains mandatory and optional configuration settings.
We have provided a sample configuration file which you can find in i-refactory\dist.
config.example.json: This configuration file can be used as a template. Copy it to a convenient location and filename.
4. Modify the configuration file
With a text editor of choice edit your configuration file. When you have opened the file you will see something like this:
{
"boot": {
"database": {
"code": "IREFACTORY",
"description": "i-refactory metadata repository",
"connection": {
"driverConnectionProperties": {
"server": "",
"authentication": {
"options": {
"userName": "",
"password": ""
}
}
}
}
}
},
"httpRestApi": {
"enabled": true,
"https": {
"port": 3000,
"host": "localhost",
"key": "crypto/ssl.key",
"cert": "crypto/ssl.crt"
},
"accessToken": {
"publicKey": "crypto/key_public.pem",
"signatureAlgorithm": "RS256"
}
},
...The configuration file is in JSON format.
Follow the steps below to change your configuration setting.
Step a. Set the connection parameters for SQL Server
In your editor go to the section "boot". You should see something similar like below.
{
"boot": {
"database": {
"code": "IREFACTORY",
"description": "i-refactory metadata repository",
"connection": {
"driverConnectionProperties": {
"server": "",
"authentication": {
"options": {
"userName": "",
"password": ""
}
}
}
}
}
}
}Change the following configuration settings:
| parameter | instruction |
|---|---|
code |
Change the default value to the name of the database where the i-refactory metadata repository is installed. |
server |
Set the value to hostname where your SQL Server Instance is running. |
userName |
Set the value to the SQL Server login name who is authorized to access the i-refactory metadata repository. |
password |
Set the value to the SQL Server login password. |
Step b. Configure the i-refactory rest API server settings
In your editor go to section "httpRestApi" You should see something similar like below.
{
"httpRestApi": {
"https": {
"host": "localhost",
"port": 3000,
"key": "",
"cert": ""
},
"accessToken": {
"publicKey": "crypto/key_public.pem",
"signatureAlgorithm": "RS256"
}
}
}Change the following configuration settings:
| parameter | instruction |
|---|---|
host |
Set the hostname of the i-refactory rest API server. Defaults to localhost. |
port |
Set the port number of the i-refactory server. Defaults to 3000. |
key |
Specify the file location including the filename of the SSL key. You should use your generated or provided SSL key filename. |
cert |
Specify the file location including the filename of the SSL certificate. You should use your generated or provided SSL certificate filename. |
publicKey |
Specify the file location including the filename of the public key filename with which we can verify the validity of the OAuth2 token provided. You should use your generated public key filename for this. |
jwksUri* |
As an alternative for the publickey parameter, specify the JSON Web Key Set (JWKS) url. The i-Refactory will automatically extract and refresh the public key(s) from the provided url.** |
issuer* |
Optional, specify the expected value for the issuer claim in the access token that is provided to the i-Refactory API server. Tokens with an invalid value will be rejected. |
audience* |
Optional, specify the expected value for the audience claim in the access token that is provided to the i-Refactory API server. Tokens with an invalid value will be rejected. |
signatureAlgorithm |
Specify the signature algorithm used. If you use the i-refactory provided OAuth2 server you should keep the default setting RS256. |
{note} *Parameters are not applicable for the i-Refactory OAuth2 server and should be left undefined. Use these parameters only in combination with an external OAuth server when applicable. {note} **When the address can only be reached through a proxy server, set the
https_proxyenvironment variable with the address of the proxy server.
Microsoft Azure AD integration
Guidelines for setting the accessToken section of the config file when integrating the i-Refactory server with Microsoft Azure AD.
- The
jwksUri,issuerandsignatureAlgorithmparameters can be obtained from the Well-Known Configuration Endpoint of your tenant in Microsoft. Visit https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration with the tenant ID of your Microsoft Azure AD environment. - The
audienceis the Application (client) ID of thei-Refactory APIApp registrations page in Microsoft Azure AD.
The example below is based on the v2 common Well-Known Configuration Endpoint of Microsoft, replace with your own values. Remove the comments when used in your config file, JSON does not support comments.
{
"httpRestApi": {
...,
"accessToken": {
"jwksUri": "https://login.microsoftonline.com/common/discovery/v2.0/keys", // The value for the key "jwks_uri" in your Well-Known Configuration Endpoint.
"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0", // The value for the key "issuer", in your Well-Known Configuration Endpoint.
"audience": "{Application (client) ID}", // The application/client ID of the `i-Refactory API` app registration in Microsoft Azure AD.
"signatureAlgorithm": "RS256" // The value for the key "id_token_signing_alg_values_supported" in your Well-Known Configuration Endpoint, assuming there is only a single algorithm is listed.
}
}
}For more information visit the Microsoft Azure AD Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
Step c. Configure the Swagger server settings
In your editor go to section "httpRestApi" You should see something similar like below.
{
"swaggerServer": {
"enabled": true,
"https": {
"host": "localhost",
"port": 3001,
"key": "",
"cert": ""
}
}
}Change the following configuration settings:
| parameter | instruction |
|---|---|
enabled |
If you set this value to true a Swagger server is started. You can access the Swagger documentation of our i-refactory Rest API via the browser. If you set this value to false we do not start a Swagger server and you cannot use your browser to view the i-refactory Rest API specification. |
host |
Set the hostname of the Swagger server. Defaults to localhost. |
port |
Set the port number of the i-refactory server. Defaults to 3001. |
key |
Specify the file location including the filename of the SSL key. You should use your generated or provided SSL key filename. You can use the same SSL key as for the i-refactory Rest API server or opt for a different one. |
cert |
Specify the file location including the filename of the SSL certificate. You should use your generated or provided SSL certificate filename. You can use the same SSL key as for the i-refactory Rest API server or opt for a different one. |
Step d. Configure the UI server settings
In your editor go to section "httpRestApi" You should see something similar like below.
{
"uiServer": {
"enabled": true,
"https": {
"host": "localhost",
"port": 3002,
"key": "",
"cert": ""
},
"apiUrl": "https://localhost:3000",
"authorizationServer": {
"clientId": "i-refactory-ui",
"pkceEnabled": false,
"scopeName": "roles",
"claimName": "username",
"authorizationEndPointUri": "https://localhost:3003/authorize",
"tokenEndPointUri": "https://localhost:3003/token"
}
}
}Change the following configuration settings:
| parameter | instruction |
|---|---|
enabled |
If you set this value to true a UI server is started. You can access the i-refactory web application via the browser. If you set this value to false we do not start a UI server and you cannot use our i-refactory web application. |
host |
Set the hostname of the UI server. Defaults to localhost. |
port |
Set the port number of the UI server. Defaults to 3002. |
key |
Specify the file location including the filename of the SSL key. You should use your generated or provided SSL key filename. You can use the same SSL key as for the i-refactory Rest API server or opt for a different one. |
cert |
Specify the file location including the filename of the SSL certificate. You should use your generated or provided SSL certificate filename. You can use the same SSL key as for the i-refactory Rest API server or opt for a different one. |
apiURL |
The web application sends request to the i-refactory Rest API server. It needs to know the URL where to reach the i-refactory Rest API server. Set the value to https:\\ + the host you specified in httpRestApi + ':' + the port you specified in httpRestApi. |
clientId |
The web application needs to be identified by a unique id. This is required for OAuth2. Use the default value i-refactory-ui or change the value to a new string value. You will need this unique id later on when configuring OAuth2. |
pkceEnabled* |
Specify whether the authorization server mandates the use of the Proof Key for Code Exchange (PKCE) extension in the Authorization code grant flow. Defaults to false. |
scopeName* |
Specify the scope value that the authorization server requires in order to request the permissions (roles) of the user. Defaults to roles. |
claimName |
Specify the access token claim the UI server should utilize for displaying the authenticated user. Defaults to username. |
authorizationEndPointUri |
Specify the url of the OAuth2 server authorization end point. |
tokenEndPointUri |
Specify the url of the OAuth2 server token end point. |
signOutEndPointUri* |
Specify the url of the OAuth2 server sign out end point. |
{note}*Parameters are not applicable for the i-Refactory OAuth2 server and should be left undefined. Use these parameters only in combination with your own OAuth server when applicable.
Microsoft Azure AD integration
Guidelines for setting the authorizationServer section of the config file when integrating the i-Refactory server with Microsoft Azure AD:
- The
clientIdis the Application (client) ID of thei-Refactory GUIApp registrations page in Microsoft Azure AD. - The
pkceEnabledshould be set totrue, since Microsoft mandates the PKCE extension for the authorization code grant flow. - The
scopeNameshould be set to{Application ID URI}/.default. The Application ID URI can be retrieved from theExpose an APIpage of thei-Refactory APIApp registrations section in Microsoft Azure AD. - The
claimNameshould be set to access token claim the UI server should utilize for displaying the authenticated user. - The
authorizationEndPointUri,tokenEndPointUriandsignOutEndPointUriparameters can be obtained from the Well-Known Configuration Endpoint of your tenant in Microsoft. Visit https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration with the tenant ID of your Microsoft Azure AD environment.
The example below is based on the v2 common Well-Known Configuration Endpoint of Microsoft, replace with your own values. Remove the comments when used in your config file, JSON does not support comments.
{
"uiServer": {
...,
"authorizationServer": {
"clientId": "{Application (client) ID}", // The application/client ID of the `i-Refactory GUI` app registration in Microsoft Azure AD.
"pkceEnabled": true, // Microsoft mandates the PKCE extension for the authorization code grant flow.
"scopeName": "{Application ID URI}/.default", // The application/client ID of the `i-Refactory API` app registration in Microsoft Azure AD.
"claimName": "email", // As example the claim "email" is used, this does require the `email` API permission of Microsoft Graph.
"authorizationEndPointUri": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", // The value for the key "authorization_endpoint", in your Well-Known Configuration Endpoint.
"tokenEndPointUri": "https://login.microsoftonline.com/common/oauth2/v2.0/token", // The value for the key "token_endpoint", in your Well-Known Configuration Endpoint.
"signOutEndPointUri": "https://login.microsoftonline.com/common/oauth2/logout" // The value for the key "end_session_endpoint", in your Well-Known Configuration Endpoint.
}
}
}Step e. Configure the export delivery settings
In your editor go to azureCredentials and exportSettings.
You should see something similar like below.
{
"azureCredential": {
"clientId": "",
"clientSecret": "",
"tenantId": ""
},
"exportSettings": {
"dataSourceName": "",
"options": {
"authentication": {
"userName": "",
"password": ""
},
"odbc2parquetBinaryPath": "",
"maxColumnSize": 16000,
"maxMemorySize": "2GB",
"maxRowGroupSize": 1000000
}
},
}The exportResourceSettings are required from Release 3.8, and will be defaulted as shown in the JSON example above. The export functionality uses a multipart-upload of data to files in order to limit the effect on available system resources. The following configuration settings are required :
| parameter | instruction |
|---|---|
dataSourceName |
The name that is used to request a connection to an ODBC data source. The DSN registration contain the connection details. |
userName |
When the selected authentication method in the DSN requires a username, this property must be specified. Any configured username in the DSN is overwritten. |
password |
When the selected authentication method in the DSN requires a password, this property must be specified. Any configured password in the DSN is overwritten. |
odbc2parquetBinaryPath |
Depending on the operating system and system architecture, the correct binary must be used. The system tries to automatically select the required binary. The available binaries are: darwin x64 & arm64, linux x64 & arm64, and win32 x64. Any other combination needs to be configured, by specifying the path to the required binary. |
maxColumnSize |
Used to restrict size of columns with types of unlimited column size like nvarchar(max), varchar(max) and varbinary(max). The default is set to 16.000. |
maxRowGroupSize |
This settings defines the maximum number of rows per row group of an entity. The default is set to 1.000.000 |
maxMemorySize |
The required amount of memory is calculated based on the number of rows to export, or max row group size if exceeded or when row count is disabled. This setting caps the memory allocation by reducing the row group size to fit within the specified memory size. As default set to 2GB, but can be adjusted using SI units. |
{note} *Contact i-Refact support how to obtain a binary for other Operating System and system architecture.
Only if you want to use the option to export files to an Azure Container, it is required to configure azureCredentials. The access to Azure Containers is managed through OAuth with Service Principal authentication method. Change the following configuration settings:
| parameter | instruction |
|---|---|
tenantID |
The identification of the Azure Tenant ID, also known as directory ID |
clientId |
The client that represent the i-refactory application with enough rights to create folders and write files to container(s) within Azure tenant |
clientSecret |
The client secret, if you need some help you can find it here |
Step f. Configure the application settings
There are also some application settings not provided in the config example file. The majority of these settings are advanced settings that require in-depth knowledge of how the application works.
We advise to only opt for modifying two specific settings as shown here :
{
"application": {
"modifierIdProperty": "sub",
"disabledRoles": [],
}
}| parameter | default | instruction |
|---|---|---|
modifierIdProperty |
sub | The property in the OAuth2 token which should be used as the string to register in acm_modifier_id. The default setting for modifierIdProperty (sub) is by default not a valid claim in a Microsoft Azure Access token : either include the sub as a custom claim or alter this property to a claim that is present in the access token (for instance: oid). |
disabledRoles |
empty array | The roles that should be disabled. The disabled roles are ignored when it's checked if a user is authorized to execute a request. Developer role is currently the only allowed role to disable. |
Advanced application settings
Below you find additional advanced settings. The default value is generally the best option. When considering changes it is strongly advised to consult i-Refact support.
| parameter | instruction |
|---|---|
name |
The name of the application. |
interfaceCode |
The code of the interface for which the i-refactory server should be started. |
shutdownCheckInterval |
The amount of time in milliseconds to wait between subsequent checks whether the application can be stopped, when a graceful shutdown of the application is requested. |
cache.cachedEntities |
A list of the entities that are cached in memory. |
cache.keepDeletedRecordsTime |
The amount of time in milliseconds that a deleted record is kept in memory to assure that changes that have been committed shortly after each other are processed in the correct order. |
lockManager.lockWaitTimeOut |
The amount of time in milliseconds to wait for a lock. If the lock cannot be obtained within the specified time period an error is returned to the requestor. |
lockManager.lockWaitTimeOutCheckInterval |
The amount of time in milliseconds to wait between subsequent checks to obtain a lock. |
lockManager.lockPendingWarningInterval |
The amount of time in milliseconds after which a log message is written to the logfile if a pending lock request is not honoured and not timed out |