abas Cloud Connect runs on the customer end of the abas hybrid cloud setup and connects the customer’s ERP software to the abas cloud services.
| This setup does not install abas Business Apps or abas BPM. |
Introduction
Cloud Connect connects the abas cloud with an existing on-premise system. It provides the infrastructure for the abas Web Client and creates a secured tunnel to the abas cloud. Cloud Connect uses a connection via the outbound HTTPS port and acts as a reverse proxy between the on-premise network and the abas cloud. This has the following advantages:
- No inbound port is required.
- The on-premise infrastructure can be accessed securely via the Internet.
- The abas Web Client and abas BPM can be accessed securely via the Internet.
- You can access the abas REST API and connect your ERP system with different third-party cloud applications or remote locations without the need of a VPN.
- You can access abas ERP via the Mobile Apps.
Security
Cloud Connect creates a secured connection between the on-premise installation and the abas cloud infrastructure. It uses a cryptographic protocol that provides authentication and data encryption between the on-premise installation and the abas cloud servers. The latest version of TLS, 1.3, is used.
For the authorization between the clients and the abas cloud, OAuth 2.0 is used, which is the industry standard protocol for authorization. This allows the connection of various enterprise identity providers, such as Active Directory, LDAP, SAML, and OpenID Connect.
Network
abas Cloud Connect must be able to communicate with the following applications:
- abas ERP via EDP protocol, TCP on port 6550 (or the port that is configured for your abas ERP installation).
- abas Business Apps via HTTP/HTTPS protocol, TCP on port 9280 (or the port that is configured for your Business Apps installation).
- Workflow Engine via HTTP/HTTPS protocol, TCP on port 9990 (or the port that is configured for your Business Apps installation).
abas ERP must be able to communicate with Cloud Connect:
- The abas ERP server with the JWT token validator on port 19950.
- The License Controller via port 8912.
Installation requirements
Before starting the installation, ensure that all requirements listed below are met.
Administrative
- You have access to the Tenant Management (see Pre-installation).
- A hostname for the new tenant has already been provided by the customer (e.g., https://my-company.abas.cloud).
Hardware
- At least 4 GB of free RAM must be available if you want to connect the abas ERP client to the cloud. 1 GB of RAM must be calculated for each additional abas ERP client.
- At least 10 GB of free disk space is required.
Infrastructure
- Ensure a connection of at least 1 Mbit per user and a stable ping of 200 ms maximum.
- The abas cloud services must be accessible on port 443 via an outgoing TCP connection from the company network. In addition, the following domains are permitted:
  - Token verification
    - Europe: abas.eu.auth0.com
    - USA: abas.auth0.com
    - APAC: abas.au.auth0.com
  - Monitoring
    - Europe: monitoring.eu-central-1.amazonaws.com
    - USA: monitoring.us-east-1.amazonaws.com
    - APAC: monitoring.ap-southeast-1.amazonaws.com
  - Log upload
    - Europe: logs.eu-central-1.amazonaws.com
    - USA: logs.us-east-1.amazonaws.com
    - APAC: logs.ap-southeast-1.amazonaws.com
  - Tenant domain
    - Europe: <TENANT>.eu.abas.cloud
    - USA: <TENANT>.abas.cloud
    - APAC: <TENANT>.apac.abas.cloud
  - AWS Security Token Service (AWS STS)
    - Europe: sts.eu-central-1.amazonaws.com
    - USA: sts.us-east-1.amazonaws.com
    - APAC: sts.ap-southeast-1.amazonaws.com
  - https://abasartifactory.jfrog.io/customer: provides the latest version of Cloud Connect
  - https://abasartifactory.jfrog.io: for downloading ESDK apps
  - licensing.prod.eu-central-1.api.eu.abas.cloud: licensing endpoint
  - TLS tunnel endpoint
    - Europe: agent.prod.eu-central-1.api.eu.abas.cloud, *.agent.prod.eu-central-1.api.eu.abas.cloud
    - USA: agent.prod.us-east-1.api.abas.cloud, *.agent.prod.us-east-1.api.abas.cloud
    - APAC: agent.prod.ap-southeast-1.api.apac.abas.cloud, *.agent.prod.ap-southeast-1.api.apac.abas.cloud
| Proxy connections are currently not supported. TCP traffic is sent via port 443, which cannot be handled by HTTP proxy servers. |
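The domain list above translates directly into an egress policy for the Cloud Connect host. The following Python sketch is an added example, not part of abas Cloud Connect: it builds the per-region allowlist from the domains on this page and audits a constructed list of outbound connections; the function names and the sample data are assumptions.

```python
# Added example: egress allowlist for a Cloud Connect host, built from the
# domains listed on this page. Function names and sample data are constructed.

# Region-specific values copied from the list above.
REGIONS = {
    "eu": {"auth": "abas.eu.auth0.com", "aws": "eu-central-1",
           "tenant_suffix": "eu.abas.cloud",
           "agent": "agent.prod.eu-central-1.api.eu.abas.cloud"},
    "us": {"auth": "abas.auth0.com", "aws": "us-east-1",
           "tenant_suffix": "abas.cloud",
           "agent": "agent.prod.us-east-1.api.abas.cloud"},
    "apac": {"auth": "abas.au.auth0.com", "aws": "ap-southeast-1",
             "tenant_suffix": "apac.abas.cloud",
             "agent": "agent.prod.ap-southeast-1.api.apac.abas.cloud"},
}
# Listed on the page without a per-region variant.
COMMON = ["abasartifactory.jfrog.io",
          "licensing.prod.eu-central-1.api.eu.abas.cloud"]
AWS_SERVICES = ("monitoring", "logs", "sts")


def build_allowlist(region, tenant):
    """Return the sorted host patterns a tenant in `region` needs on port 443."""
    r = REGIONS[region]
    hosts = {r["auth"], f"{tenant}.{r['tenant_suffix']}",
             r["agent"], f"*.{r['agent']}"}
    hosts.update(f"{svc}.{r['aws']}.amazonaws.com" for svc in AWS_SERVICES)
    hosts.update(COMMON)
    return sorted(hosts)


def is_allowed(host, allowlist):
    """Exact match, or a suffix match on a label boundary for '*.' patterns."""
    host = host.lower().rstrip(".")
    for pattern in allowlist:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # keeps the leading dot, so "xagent..." fails
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def audit(connections, allowlist):
    """Return (host, port, reason) for every connection outside the policy."""
    violations = []
    for host, port in connections:
        if not is_allowed(host, allowlist):
            violations.append((host, port, "host not in allowlist"))
        elif port != 443:
            violations.append((host, port, "port other than 443"))
    return violations


# Constructed sample of outbound connections seen from the Cloud Connect host.
SAMPLE_CONNECTIONS = [
    ("my-company.eu.abas.cloud", 443),
    ("n1.agent.prod.eu-central-1.api.eu.abas.cloud", 443),
    ("logs.eu-central-1.amazonaws.com", 443),
    ("xagent.prod.eu-central-1.api.eu.abas.cloud", 443),  # lookalike, no label boundary
    ("abas.eu.auth0.com.example.net", 443),               # allowlisted name used as a prefix
    ("sts.eu-central-1.amazonaws.com", 8443),             # right host, wrong port
]

if __name__ == "__main__":
    policy = build_allowlist("eu", "my-company")
    print("\n".join(policy))
    for violation in audit(SAMPLE_CONNECTIONS, policy):
        print("VIOLATION", violation)
```
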
Operating system
Before starting the installation, ensure that the following packages are installed:
- Docker Engine (version >= 1.17)
- curl, wget, md5sum, base64, python
The programs jq and Docker Compose are downloaded by Cloud Connect and stored in the download folder.
For security reasons, do not use the root user to run Cloud Connect. Further information can be found under "How do I create a Cloud Connect Unix user?".
abas ERP
- abas ERP ⇒ latest patch of 2019r4 or higher with SSO enabled, see https://find.abas.de/inno/en/ShowInno.html#query=nummer:20170009
- abas ERP ⇒ latest patch of 2100r8n10 for the abas Web Client
- The abas ERP EDP port 6550 is configured.
- If you want to configure multiple clients, they must all have a technical user with the same password. This user is used to access abas ERP.
- Each user currently requires access to the ERP workspace ow1 (due to the ScreenFetcher infosystem).
- postkonfig must be disabled in abas ERP when using the user synchronization mode Full.
- The ERP server must be able to communicate with the JWT token validator on the configured port.
Pre-installation
Creating a new tenant
| Ensure that you have access to the Tenant Management. Further information can be found in the FAQ: Why can't I log in to the Tenant Management? |
| Currently, Google Chrome is the only supported browser for the abas Tenant Management. Third-party cookies need to be enabled. In an incognito tab these will be blocked by default which will make the login fail. |
Request access to the abas Tenant Management application in the region of your choice from the abas Cloud team:
- https://manage.eu.abas.cloud/v2/ (Europe)
Proceed as follows:
- First, create a new tenant in the Web UI of the abas Tenant Management. Use the red + button in the upper right corner for this.
- Enter the name of the tenant. Use the company name for a company tenant. The field must contain at least 3 characters. Lowercase letters, numbers and the "-" character are permitted. For a demo system, it is recommended to use the user and the version of the abas ERP installation: maxmu-demo-2017r4.
- Assign the tenant to a customer or yourself. The combobox should display a list of all your customers known to abas Software GmbH. If no customers can be selected, there may be a connection failure. Try again after a few minutes. If the problem persists, please contact abas Software GmbH for support.
- Select a tenant type:
  - Self Hosted Instance: for on-premise or demo system installations that should use the cloud services
  - Managed Instance: for cloud demo abas ERP installations. Use this option, if you want to try out the new Web Client or want to present the Web Client to customers.
- Select Lifetime: After the specified period of time has elapsed, the tenant will be deleted automatically. Select No Expiration as the value for productive operation.
- Select the Auth0 connection type. Details on user synchronization can be found under How does user synchronization work?.
  - Database: uses a separate user database in Auth0
  - AD/LDAP: integrates with Active Directory/LDAP through the Active Directory/LDAP connector that you install in your network. A download link will be provided in the tenant details after the tenant has been created. Further information on installing the AD/LDAP connector can be found here.
  - OAuth2: uses the OAuth 2.0 protocol
  - ADFS: not yet supported automatically. Contact abas Software GmbH for further support.
- The administrator email address will be preset to your email address.
- Click Save.
| Creating self-hosted instances requires 1-2 minutes. Creating managed instances requires approx. 20 minutes. |
Creating a configuration token
An email will be sent if the creation of your tenant was successful and it is ready to be used. Then you can create a configuration token for your tenant:
- Go to your tenant’s management UI (e.g., https://manage.abas.cloud/v2/).
- Click your tenant in the tenant list. This will take you to the details page.
- There, you can find the "Create new configuration" button.
- Click this button and copy the contents to your clipboard or to a secure place. You will require them during the setup process.
Creating tenant managers
Tenant managers are users that can manage a certain tenant. By default, only the tenant owner is a manager. In this case, he is the only one who can manage the relevant tenant. Therefore, it is recommended that you add more managers per tenant.
To add a new tenant manager, select the relevant tenant and click Managers. On the top of the table, enter the email address of the new manager and click the "Check" button to the right of the field. If the manager is not accepted, this is due to one or several of the following reasons:
- The provided email address is invalid.
- The user has no access to the Tenant Management.
- The user has never logged in to the Tenant Management.
| Further information can be found in the FAQ: Why can't I log in to the Tenant Management? |
Setting up a hybrid tenant
| This step is not necessary for managed instances. |
Creating a new user
- Use the following command to create a new user:
  useradd -m cloud-connect
- Add the user to the Docker group:
  usermod -a -G docker cloud-connect
- Switch to the newly created user:
  su - cloud-connect
- Make sure you're using the correct user: whoami should give you cloud-connect
- Create a key pair for the user name. Use an empty password:
  ssh-keygen -t rsa
- Authorize the user cloud-connect to log in as <s3-user>@<erp-server> by using his SSH identity: ssh-copy-id <s3-user>@<erp-server>. If ssh-copy-id is not available in your system, you can copy the SSH identity manually to the authorized_keys of the s3 user.
Installing abas Cloud Connect
You can download abas Cloud Connect when your hybrid tenant has been created.
Manual setup:
Assume your tenant’s name is "cloud-demo" and it was created in the US region. You can download the abas Cloud Connect package here:
For the EU region, you can download here:
Before you continue with the installation of abas Cloud Connect, read the requirements (see below).
Download abas Cloud Connect, extract it and start the installation process in the current directory of your Linux workstation as follows:
(wget -qO- 'https://cloud-demo.abas.cloud/cloud-connect.tgz' | tar xfz -) && ./setup.sh
| The package is downloaded and is extracted to the current directory (/u/cloud-connect/), not in a subfolder. The script starts the setup process immediately. |
The ./setup.sh script guides you through the setup process. Basically, it generates a configuration file and installs software in the abas Essentials clients. Advanced users can amend the configuration.json file directly for detailed configuration. Invoke ./setup.sh and follow the instructions. This script amends the following for all abas ERP clients:
- It sets up the abas REST API.
- It generates a new SSO configuration and License Controller settings for abas ERP ($MANDANTDIR/.server.conf).
- It installs an ESDK application that contains an infosystem that renders the Web UI screen configurations (ow1/SCREENFETCHER).
- It installs and starts a dedicated instance of the abas full text search.
- It installs and configures a new full text search index called "quicksearch" for the Web UI.
- It adds a cron job to fill the full text search index.
The -g or --generate-configuration-only option enables you to only generate the configuration file without changing the abas Essential installation. You can then apply the configuration by invoking setup.sh -n.
Ensure that the latest Cloud Connect version is always installed (see How can Cloud Connect be updated?).
Hybrid instance in licensing mode
Installation process
In order to simplify or automate the licensing of abas products, abas ERP from version 2018r4n14p10 contains the technical requirements for licensing via the central abas License Server. The use of the abas License Server is
- optional for the operation of abas ERP version 2018r4n14 and
- a prerequisite for the operation of abas ERP as of version abas ERP 20 (2019r4).
Furthermore, the use of the abas License Server is a prerequisite for the licensing and use of ESDK apps.
Cloud Connect can be installed in two modes:
- If you use Cloud Connect in Licensing only mode, you can use License Controller for multiple abas ERP installations. The use of the abas Web Client in the hybrid operating model or the use of other abas cloud services is not possible in this case. Outside access to abas ERP is not possible either.
- Cloud Connect Mode: Installs all infrastructure components that are required for hybrid operation as well as License Controller. In Cloud Connect Mode, a secure, bidirectional connection via the Internet from the internal network to the abas cloud is established via an outbound port. This enables, for example, the use of the abas Web Client in the hybrid operating model or the use of other abas cloud services.
Installation number configuration
Once the installation process is complete and the software is running, you only need to enter the installation number in the .server.conf file.
Cloud Connect adds the .server.conf file to each client, which has the following structure:
[LicenseController]
url = http://<license-controller-host>:8912
installation = <instNum>
; everything after a semicolon is treated as a comment
Add the installation number. The URL will be provided by Cloud Connect during the installation process.
The .server.conf file has the following priority:
- $MANDANTDIR/.server.conf
- $HOMEDIR/.server.conf
- /etc/abas/server.conf (without . at the beginning of the file)
If you have only one installation number for all clients, copy $MANDANTDIR/.server.conf to $HOMEDIR/.server.conf and enter the installation number in $HOMEDIR/.server.conf.
If you have multiple productive clients that have different installation numbers and run in the same s3 environment, enter the installation numbers in $MANDANTDIR/.server.conf.
FAQ
What happens if I upgrade to version 2018r4n14p10 and don’t install the License Controller?
abas ERP continues to work as before.
I installed License Controller, but the installation number in .server.conf is not set. What will happen?
abas ERP continues to work as before. You cannot benefit from the license server in this case.
I’m not using License Controller. How will licensing of abas ERP be handled in this case?
Licensing will be handled manually as usual.
How long will the license over License Controller be valid?
The license will be valid for 60 days. License Controller checks multiple times a day if a new license is available and synchronizes the licenses.
I ordered new licenses and License Controller is installed. How can I receive them?
License synchronization is triggered automatically every 6 hours. If you want to retrieve the license immediately, run the liz program.
The following dialog is displayed:
"If you continue, your abas ERP license will be updated."
Click Yes. The synchronization is started.
What happens if License Controller does not have Internet access?
The licenses are valid for 60 days. Then abas ERP works for another 32 days. Four weeks before the license expires abas ERP informs you that the license will expire in 28 days.
What happens if the customer is unable to provide an Internet connection for more than 2 months?
In this case, manual licensing can be provided.
I have an installation with multiple clients that I want to split. What should I do?
You can split the clients into multiple s3 installations. You must configure the .server.conf file in such a way that it points to the same License Controller and specify the correct installation number.
What do I have to do if I create a new client from an existing client using mandcopy.sh?
If License Controller is configured via $HOMEDIR, no changes are required. If the configuration is in $MANDANTDIR, you must copy .server.conf and specify the correct installation number.
Is it possible to use License Controller for two installations?
If you use Cloud Connect in Licensing Only Mode, you can use License Controller for multiple abas ERP installations. Note that they must belong to the same customer.
Running the software
When the setup is complete, run the software. Run the ./run.sh script. It downloads and starts the following Docker containers:
- Token validator (for the JWT validation in the abas REST API and abas ERP)
- abas Client Agent
- abas REST API
- Cloud Watch Agent
Generating Webclient Screen
Please read the Webclient Documentation
Configuration DMS Connector
To make the DMS Connector accessible via Cloud Connect, the following steps must be carried out:
- Edit the file configuration.json. It is located in the folder cc, into which the content of cloud-connect.tgz was unpacked in the section Setting up a hybrid tenant:
  "dmsapi": {
    "host": "<IP of the host>",
    "port": 8090,
    "enabled": true
  }
- For host: do not use localhost or 127.0.0.1.
- Then execute ./run.sh to apply the changes.
- Optionally, you can use the following command to check whether the configuration has been applied correctly:
  docker inspect <container ID from Abas client agent> | grep PORT_TRANSLATION
  The entry 8090:<IP of the host>:8090 should be present in the output of the environment variable PORT_TRANSLATION.
Configuration Prodaso Service
To make the Prodaso service accessible via Cloud Connect, the following steps must be carried out:
- Edit the file configuration.json. It is located in the folder cc, into which the content of cloud-connect.tgz was unpacked in the section Setting up a hybrid tenant:
  "pac": {
    "host": "<IP of the host>",
    "port": 23456,
    "enabled": true
  }
- For host: do not use localhost or 127.0.0.1.
- Then execute ./run.sh to apply the changes.
- Optionally, you can use the following command to check whether the changes have been applied correctly:
  docker inspect <container ID from Abas client agent> | grep PORT_TRANSLATION
  The entry 23456:<IP of the host>:23456 should be present in the output of the environment variable PORT_TRANSLATION.
The configuration in detail
Configuration file
The ./setup.sh script generates an initial configuration file named configuration.json.
To create this file manually, copy the configuration.json.template file and make your changes. It is important to specify the required user name and password properties. The services.erp section should also be adapted to your setup.
{
  "tenant": "", # Enter your tenant's name here
  "domain": "eu.abas.cloud", # Set this to the domain name assigned to you by abas
  "aws_access_key_id": "", # Set this to the access key id provided by abas
  "aws_secret_access_key": "", # Set this to the secret key provided by abas
  "options": {
    "dockerRegistry": {
      "username": "", # Set the docker registry user name or leave it empty for interactive login
      "password": "" # Set the docker registry password or leave it empty for interactive login
    },
    "esdkInstaller": {
      "username": "", # Set the user name for basic auth to access https://abasartifactory.jfrog.io or leave it empty for interactive login
      "password": "" # Set the password for basic auth to access https://abasartifactory.jfrog.io or leave it empty for interactive login
    },
    "useSSH": true,
    "awslogsEnabled": true # Upload log files in ./logs to the abas cloud to help with troubleshooting
  },
  "apps": {
    "screenFetcher": {
      "install": true
    }
  },
  "services": {
    "environment": { # Persistent environment variables
    },
    "erp": {
      "host": "localhost", # Change this to the host on which abas ERP runs
      "port": 6550, # EDP port
      "user": null, # If the technical ERP user for Cloud Connect needs a user name, enter it here
      "ssh": {
        "user": "s3", # Change this to a valid SSH user for the ERP workstation (needs passwordless login)
        "port": 22 # SSH port
      },
      "clients": [ # ERP clients
      ]
    }
  }
}
Extending the configuration with environment variables
Multiple environment variables are involved in starting Cloud Connect. In the environment section of the configuration.json file, you can store values for the environment during startup.
Example of configuring available heap memory and enabling JMX access to the REST API:
$ cat configuration.json
{
  "tenant": "test",
  "domain": "eu.abas.cloud",
  ...
  "services": {
    "environment": {
      "MW_JVM_OPTS": "-Xmx4g -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9011 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
    },
    ...
  }
}
Changing the Docker Compose settings using Docker Compose overrides
For example, if you need to change the default network settings of Docker Compose, you must use an additional custom Docker Compose file. The name of the file must be docker-compose-custom.yml.
If the file exists, it will automatically be picked up during the startup and will extend and/or override the default Docker Compose file.
Continuing with the JMX example, here are the contents of an example file that exposes the JMX port locally on a random port:
$ cat docker-compose-custom.yml
version: "2.2"
services:
  rest-api:
    ports:
      - 127.0.0.1::9011
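The JMX options in this example switch off authentication and TLS, so the loopback binding in the override file is the only thing restricting who can reach the REST API's JMX port. The following Python check is an added example, not shipped with Cloud Connect; its function names and finding codes are made up for illustration, and it reviews an MW_JVM_OPTS value together with the Compose port mappings.

```python
# Added example: review a remote-JMX setup as configured via MW_JVM_OPTS and
# docker-compose-custom.yml. Names and finding codes are constructed.
import shlex

JMX = "com.sun.management.jmxremote"
LOOPBACK = {"127.0.0.1", "[::1]"}

# The option string from the configuration.json example on this page.
PAGE_OPTS = (
    "-Xmx4g -Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.port=9011 "
    "-Dcom.sun.management.jmxremote.local.only=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false"
)


def parse_jvm_opts(opts):
    """Collect -Dkey[=value] system properties from a JVM option string."""
    props = {}
    for token in shlex.split(opts):
        if token.startswith("-D"):
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def parse_port_mapping(mapping):
    """Split Compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto].

    Port ranges are not handled in this sketch.
    """
    spec = str(mapping).split("/")[0]
    parts = spec.rsplit(":", 2)
    host_ip = parts[0] if len(parts) == 3 else ""
    host_port = parts[-2] if len(parts) >= 2 else ""
    return host_ip, host_port, int(parts[-1])


def audit_jmx(jvm_opts, port_mappings):
    """Return a list of (code, message) findings for a remote-JMX setup."""
    props = parse_jvm_opts(jvm_opts)
    port = props.get(f"{JMX}.port")
    if port is None:
        return []  # the remote JMX connector is not enabled
    findings = []
    # authenticate, ssl and local.only all default to true in the JVM.
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        findings.append(("JMX_NO_AUTH",
                         "any client that reaches the port can invoke MBean operations"))
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        findings.append(("JMX_NO_TLS", "JMX traffic is sent unencrypted"))
    if props.get(f"{JMX}.local.only", "true").lower() == "false":
        findings.append(("JMX_LOCAL_ONLY_OFF",
                         "the local connector is not restricted to local interfaces"))
    for mapping in port_mappings:
        host_ip, _, container_port = parse_port_mapping(mapping)
        # An empty host IP means Docker publishes on all interfaces.
        if container_port == int(port) and host_ip not in LOOPBACK:
            findings.append(("JMX_PUBLISHED_NON_LOOPBACK",
                             f"mapping {mapping!r} is reachable from other hosts"))
    return findings


if __name__ == "__main__":
    for label, ports in (("page override", ["127.0.0.1::9011"]),
                         ("constructed bad override", ["9011:9011"])):
        print(label)
        for code, message in audit_jmx(PAGE_OPTS, ports):
            print(f"  {code}: {message}")
```
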
Extending the abas REST API configuration
The abas REST API is a Spring Boot application. To customize the settings and make them persistent (upgrade-safe), create the file ./mw/abasconfig/application-custom.properties. The properties that you set there will override the default properties in ./mw/abasconfig/application.properties.
Disabling the Cloud Connect full text search for a client
The Cloud Connect full text search is used in the abas Web UI to search for abas objects. You can disable the full text search by creating the following file, if you do not want to use it for one or multiple clients (e.g., too much disk space is required, you must copy the client using mandcopy.sh, etc.):
$NOBACKUP/cloudsearch/$MNAME/disabled
If this file exists, the run.sh command will not start the FTS web server (Jetty) for this client. The cron job that is responsible for updating the index will also stop running until you remove this file.
Configuration check
Cloud Connect performs several checks while setup.sh is run to ensure that your system is ready. This includes Internet connectivity and making sure that your tenant configuration token works.
The check can also be performed independently of the setup: ./check-configuration.sh
| Name | Description |
|---|---|
| docker dns | The ERP host (configuration.json: |
| connectivity web-ui* | The tenant domain can be accessed via HTTPS. |
| time | Your system clock is in sync. |
| tenant identity | The tenant credentials work and match the tenant name. |
| connectivity server-agent | SSL connections to the server can be established. |
| connectivity aws s3* | AWS S3 services can be accessed (tenant credentials are required). |
| connectivity maven registry | The Maven registry can be accessed via HTTPS. |
| connectivity docker registry | The Docker registry can be accessed via HTTPS. |
| connectivity aws logs* | The AWS logs services can be accessed (tenant credentials are required). |
Note: See infrastructure requirements or logs for the domain names used.
Note: Checks marked with an asterisk (*) are not performed in Licensing only mode.
Debugging
- time fails with Your system clock is out of sync:
  - Configure an NTP server on your system to ensure that the clock is always in sync.
- connectivity web-ui fails with GET https://your-tenant.eu.abas.cloud/configuration.json failed: host not found:
  - Do you have Internet access?
  - Does name resolution (DNS) work?
  - Does the tenant exist in the Tenant Management?
  - Is the firewall configured correctly? Details can be found here.
- tenant identity fails with Tenant credentials do not match tenant:
  - Does the tenant exist in the Tenant Management?
  - Ensure that the configuration token is valid or create a new one.
- One of the connectivity checks fails with request error:
  - Do you have Internet access?
  - Is the firewall configured correctly? Details can be found here.
  - Does the tenant exist in the Tenant Management?
  - Ensure that the configuration token is valid or create a new one.
FAQ
How can Cloud Connect be updated?
You can update Cloud Connect by running run.sh:
./run.sh
It is strongly recommended that you create a nightly cron job and keep Cloud Connect always up to date. For example, a nightly execution at 23:45 can be scheduled with the following cron table entry:
45 23 * * * /home/cloud-connect/run.sh
The job can be scheduled manually with crontab -e or automatically with the following command:
(crontab -l 2>/dev/null; echo "45 23 * * * /home/cloud-connect/run.sh ") | crontab -
How can I avoid an automatic update? Important information for preparing a customer presentation.
Cloud Connect is updated on startup. The following steps are required to ensure that the update is not activated during a presentation:
Before the presentation
Ensure that the latest version of Cloud Connect is installed (see How can Cloud Connect be updated?)
During the presentation
If you must call run.sh, add a parameter to skip the automatic update:
./run.sh --do-not-update
A stable and fast Internet connection is required at all times.
What information should be included in a support request?
If log collection was enabled, only the tenant name is required (e.g., "mytenant.eu.abas.cloud"). Otherwise, access to your logs may be necessary. In this case, you must zip the "./logs/" directory
zip -r cloud-connect-logs.zip ./logs/ VERSION
and provide this archive (cloud-connect-logs.zip).
How to manage the users of a tenant?
Go to the "Tenant details" in the tenant management and press the "Users" button. This will take you to a page that lists all the users of that tenant.
Use the "Create User" button if you want to create a new user.
The last column of the table contains the action buttons for a user, e.g. for resetting the password.
How does user synchronization work?
If you receive the error message invalid token, this is usually due to the problem that Cloud Connect cannot find a password record in abas ERP. The password record is searched using the ssologinname field and is required to operate Cloud Connect.
Cloud Connect ensures that the ssologinname field is filled correctly in the password record. The synchronization for the abas Cloud user you are logged in with takes place after using the Web UI for the first time.
Cloud Connect synchronizes abas Cloud users in abas ERP in two ways:
Update only
Password records are updated if the following applies:
- Check if there is a password record for $,ssologinname==${email} and if not,
- check if there is a password record for $,pemail==${email}.
- If such a password record exists, the email address is entered in the fields ssologinname and pemail.
If no such password record exists, the token is considered invalid.
Full
- A password record that acts as a template user is created.
  On startup, Cloud Connect searches for a template user where the ssologinname field is set to {unixname} (abas ERP query $,ssologinname=={unixname}).
  If this template user does not exist, it is created and used as a template for all other password records that will be created by Cloud Connect.
- If no matching password record exists, it is copied and created from the template user, with correctly specified email address.
  The following fields are set:
  - name is set to the name claim from the userinfo endpoint of the identity provider.
  - For bezeich, the first 15 characters of the name are used.
  - such is set to A, followed by the first 9 characters of the email address. For example, if the email address is john@example.com, the search word is AJOHN@EXAM.
  - pemail is set to the email address of the user.
  - ssologinname is set to the email address of the user.
  - inaktiv is set to false.
- Requirements: The configuration contains a reference to the abas Essentials records "Workspace" and "Permissions". These records must exist so that the template user can be created successfully.
- The abas ERP group permissions are currently not supported if a template user must be created by Cloud Connect.
Both synchronization types require a technical user, who also uses a license. Therefore, the batch user should be used. If the installation is performed using abas Installer, the user is configured in the abasfile.yml (erp_credentials, jwt_auth_userinfo module). If the installation is performed using Cloud Connect Installer, the user is prompted interactively.
What happens when I use client credentials?
A user synchronization is also performed if you use client credentials. A password record is required in abas ERP, similar to a regular user, as described in the previous section. If your client ID is "abcd1234efgh", your SSO login name has the value "abcd1234efgh@clients" and the email address has the value "abcd1234efgh@clients".
In the modes "Update only" and "none", a password record with the above values for ssologinname and email must exist in abas ERP.
In the synchronization mode "Full", this is automatically created for you.
In the synchronization modes "Update only" and "Full", the update mechanism for the user password record is retained, as described in the previous section. In "none" mode, nothing is updated.
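The mapping rules of the "Update only" and "Full" modes and the client-credentials identity described above can be modelled in a few lines. The following Python model is an added example, not Cloud Connect code: password records are plain dictionaries, the sample records are constructed, and the "none" mode is left out.

```python
# Added example: a model of the user synchronization rules described on this
# page. Records are plain dicts; all sample values are constructed.
import copy

TEMPLATE_LOGIN = "{unixname}"  # ssologinname of the template user, per the page


class InvalidToken(Exception):
    """No password record could be mapped to the token's email address."""


def client_identity(client_id):
    """SSO login name and email address used for client credentials."""
    return f"{client_id}@clients"


def find_record(records, email):
    """Look up by ssologinname first, then by pemail ("Update only" order)."""
    for field in ("ssologinname", "pemail"):
        for rec in records:
            if rec.get(field) == email:
                return rec, field
    return None, None


def record_from_template(template, email, name):
    """Copy the template user and set the fields listed for the "Full" mode."""
    rec = copy.deepcopy(template)
    rec.update(
        name=name,
        bezeich=name[:15],
        such="A" + email[:9].upper(),  # upper case as in the page's AJOHN@EXAM
        pemail=email,
        ssologinname=email,
        inaktiv=False,
    )
    return rec


def synchronize(records, email, name, mode):
    """Map a token's email to a password record. mode is "update" or "full"."""
    if mode not in ("update", "full"):
        raise ValueError("this sketch models only 'update' and 'full'")
    rec, field = find_record(records, email)
    if rec is not None:
        # Both fields are overwritten, whichever one produced the match.
        rec["ssologinname"] = email
        rec["pemail"] = email
        return rec, "updated:" + field
    if mode == "full":
        template = next(
            (r for r in records if r.get("ssologinname") == TEMPLATE_LOGIN), None)
        if template is None:
            raise LookupError("template user missing")
        rec = record_from_template(template, email, name)
        records.append(rec)
        return rec, "created"
    raise InvalidToken(email)


def sample_records():
    """Constructed password records, not taken from a real abas ERP client."""
    return [
        {"ssologinname": TEMPLATE_LOGIN, "pemail": "", "name": "template",
         "bezeich": "template", "such": "ATEMPLATE", "inaktiv": True},
        {"ssologinname": "", "pemail": "jane@example.com", "name": "Jane Doe",
         "bezeich": "Jane Doe", "such": "JANE", "inaktiv": False},
    ]


if __name__ == "__main__":
    records = sample_records()
    print(synchronize(records, "jane@example.com", "Jane Doe", "update"))
    print(synchronize(records, "john@example.com", "John Smith", "full"))
    print(client_identity("abcd1234efgh"))
```

A match on pemail rewrites ssologinname on that record, so the pemail values already stored in abas ERP determine which password record a first login is bound to.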
What are the minimal permissions for the Cloud Connect ERP user?
The following ERP permissions are currently required:
- Default workspaces and the custom workspace "ow1"
- Additionally, the following database permissions are required:
| Database | Group | Permissions | Notes |
|---|---|---|---|
| Company (12) | Configuration (18) | view, select | |
| Company (12) | Password (11) | view, select, update, new, copy | "new" and "copy" are only required for UserSyncMode==full. The priority for this must be at least as high as the highest priority of all cloud users. Otherwise, changes must be made manually. |
| Infosystem (65) | Infosystem (1) | view, select, update, new | Only if the Web UI is used (import of the ScreenFetcher infosystem) |
| Permission (85) | Permission (1) | view, select, update, new | Required for ESDK |
| Permission (85) | Workspace (2) | view, select, update, new | Required for ESDK |
| PrintParameter (88) | <all groups> | view, select, update, new | Only if the Web UI is used (import of the ScreenFetcher infosystem) |
How do I create a Cloud Connect user?
Migration from the root user
Create a new Cloud Connect user. When the user has been created, stop abas Cloud Connect.
- Use the following command to change the ownership of the folder where abas Cloud Connect has been installed:
  sudo chown -R cloud-connect <path-to-cloud-connect>
- Copy the content of the folder to /u/cloud-connect/.
- Log in as a Cloud Connect user with su - cloud-connect.
- Execute run.sh with ./run.sh.
If you have configured an init.d script, ensure that you have adapted the script to the new path of abas Cloud Connect and that you run run.sh using the Cloud Connect user and not the root user.
How can I set up multiple Cloud Connect installations at the same workstation?
If you want to install Cloud Connect multiple times at the same workstation, you must ensure that the installations do not use the same ports. Currently, the only ports that are exposed are from the token validator and License Controller.
Ensure that the JWT and License Controller in the configuration.json file are assigned different ports per installation.
"services": {
  ...
  "jwt": {
    "port": 19950,
    ...
  },
  "license_server": {
    "port": 8912
  },
  ...
}
Multiple Cloud Connect installations are supported, but not for the same abas ERP client.
How do I activate additional clients?
You can activate clients by modifying the services.erp.clients element of the configuration.json file. A client description consists of the attributes id, directory, and description. The following snippet configures two clients: demo1 and demo2:
{
  "version": 2,
  "tenant": "erp-demo",
  ...
  "services": {
    ...
    "erp": {
      ...
      "clients": [
        {
          "id": "demo1",
          "directory": "/abas/demo1",
          "description": "demo1"
        },
        {
          "id": "demo2",
          "directory": "/abas/demo2",
          "description": "demo2"
        }
      ]
    },
    ...
  }
}
Note that this change requires a restart of Cloud Connect. This can be achieved by running ./setup.sh followed by ./run.sh.
If Cloud Connect is started and it is not possible to establish a connection to one of the clients, this client is skipped. Cloud Connect fails to start only if none of the clients can be reached.
| If you want to configure multiple clients, they must all have a technical user with the same password. This user is used to access abas ERP. |
Docker uses the same network range. How can I change this?
Custom endpoints are provided that let you change the Docker Compose configuration. These changes are not overwritten when Cloud Connect is updated. Create the following files in the Cloud Connect installation folder and restart Cloud Connect.
docker-compose-custom.yml
version: '2.2'
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 10.103.1.1/24
docker-compose-license-controller.yml
version: '2.2'
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 10.103.0.1/24
| When configuring the subnets, ensure that the IP ranges do not overlap. |
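The overlap rule can be verified mechanically before restarting Cloud Connect. This added example (not part of the abas tooling) extracts the subnets from the two Compose files shown above and compares them with each other and with on-premise ranges; the ranges named office-lan and erp-vlan are constructed placeholders for your own network.

```python
import ipaddress
import re
from itertools import combinations

# Matches "- subnet: 10.103.1.1/24" lines; avoids a YAML dependency.
SUBNET_RE = re.compile(r"^\s*-\s*subnet:\s*['\"]?([0-9A-Fa-f.:]+/\d+)", re.M)

def compose_subnets(text):
    """Return the ipam subnets declared in one Compose file's text."""
    # strict=False because the page's values carry host bits (10.103.1.1/24);
    # the network they denote is 10.103.1.0/24.
    return [ipaddress.ip_network(s, strict=False) for s in SUBNET_RE.findall(text)]

def overlapping(named):
    """named: list of (name, network). Returns the name pairs that overlap."""
    return [(a, b) for (a, na), (b, nb) in combinations(named, 2)
            if na.version == nb.version and na.overlaps(nb)]

# The two files from this page.
CUSTOM = """\
version: '2.2'
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 10.103.1.1/24
"""
LICENSE = CUSTOM.replace("10.103.1.1/24", "10.103.0.1/24")

# Constructed on-premise ranges; replace with the routes of your own network.
LAN = [("office-lan", ipaddress.ip_network("10.103.1.128/25")),
       ("erp-vlan", ipaddress.ip_network("192.168.10.0/24"))]

def check():
    named = [("docker-compose-custom.yml", n) for n in compose_subnets(CUSTOM)]
    named += [("docker-compose-license-controller.yml", n)
              for n in compose_subnets(LICENSE)]
    return overlapping(named + LAN)

if __name__ == "__main__":
    for a, b in check():
        print(f"overlap: {a} <-> {b}")
```

With the sample data, the two Compose subnets are disjoint from each other, but the constructed office-lan range falls inside the docker-compose-custom.yml subnet and is reported.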
How do tenant incident alarms work?
If a connection problem with a hybrid tenant is detected, an alarm email is sent to the tenant managers.
The health of the connection between the on-premise installation and the cloud is monitored continuously. If more than 40% of these health checks fail over a period of 15 minutes, an email is sent. For example:
- All health checks fail because there is a complete outage. The threshold is reached after 6 minutes. Then the alarm is activated.
- Half of the health checks fail because there are connectivity problems. In this case, it takes 12 minutes for the alarm to be activated.
These emails are activated by default. If your tenant is disconnected on a regular basis (e.g., in the case of a presentation system that is only started when required), you may wish to not receive the emails for this tenant. This can be configured on the "Tenant managers" page of your tenant.
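The alarm rule can be modelled as a sliding window, which also shows which disruptions never raise an alarm. This is an added illustration, not the abas implementation; the 10-second check interval and the assumption that the window holds only passing checks before the incident are not stated on this page.

```python
from collections import deque

WINDOW_S = 15 * 60   # observation period from the page
THRESHOLD = 0.40     # alarm when more than 40% of checks in the window failed
INTERVAL_S = 10      # assumption: the check interval is not documented here

def seconds_to_alarm(results, interval_s=INTERVAL_S):
    """results: iterable of booleans, True = health check failed.

    Returns the seconds from the first check until the alarm fires, or None
    if the failure share never exceeds the threshold.
    """
    size = WINDOW_S // interval_s
    window = deque([False] * size, maxlen=size)  # healthy before the incident
    failed = 0
    for i, bad in enumerate(results, start=1):
        failed += bad - window[0]  # window[0] drops out on the next append
        window.append(bad)
        if failed / size > THRESHOLD:
            return i * interval_s
    return None

# Constructed scenarios, one hour of checks each.
CHECKS = 3600 // INTERVAL_S
SCENARIOS = {
    "complete outage": [True] * CHECKS,
    "every second check fails": [i % 2 == 0 for i in range(CHECKS)],
    "5-minute outage, then recovery": [True] * 30 + [False] * (CHECKS - 30),
    "every third check fails": [i % 3 == 0 for i in range(CHECKS)],
}

if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        t = seconds_to_alarm(results)
        print(name, "->", "no alarm" if t is None else f"alarm after {t / 60:.1f} min")
```

Under these assumptions the first two scenarios alarm shortly after the 6 and 12 minutes given above, while an outage shorter than 6 minutes or a steady failure rate of one in three never triggers an email.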
Why can't I log in to the Tenant Management?
Before you sign in, synchronize your data with the abas Extranet: Synchronize
Error message while installing infosystems: ow1 workspace doesn’t exist
Ensure that the ow1 workspace exists in all clients that will be connected to the abas cloud. Also ensure that all abas users using the abas cloud have access to the ow1 working directory.
This can be achieved by running the following commands as the root user:
cd ~s3
eval `sh denv.sh`
zugriff.sh
Warning during update: Because of your ERP version we cannot install all components of the abas Web Client
The abas Web Client requires several components to be installed in your abas Essentials installation.
This message means that these components cannot be updated, since their installation requires a minimum abas Essentials version.
Any currently installed components remain installed but will not be updated. The abas Web Client might stop working if it uses new features that are not included in the installed old version.
To prevent this, you must upgrade your abas Essentials version and invoke the Cloud Connect setup again.
How can I provide Internet access for License Controller through the DMZ?
In principle, License Controller can also be installed in the DMZ. Further information can be found in the abas Installer documentation.
However, bear in mind that License Controller contains a secret key (the tenant identity from the configuration token). In on-premise installations, this key is exclusively used for verification during licensing. In a hybrid setup, the key is generally used to authenticate the communication with the cloud and is therefore much more valuable to an attacker.