There are several operations that we recommend doing after deploying a new Opereto server or cluster:


Change default admin password

We strongly recommend changing the default administrator (admin) password to a new, stronger one. To change the password, go to the Settings-->Users Management tab. Since this is the first time the administrator credentials are modified, you will also be asked to enter the administrator name and email address.


Add users, do not use admin for operations

At this point, you may add the users that need access to the OperetoBox user interface or REST API. Do not use the default built-in admin account to run processes or to log agents in to the cluster. Agents should log in to the box with users of the "agent" role type, which are only allowed to run processes and may not change settings or other data entities. To learn more, please refer to the Users Roles & Permissions page.


Change the default SSL certificate

Opereto agents and users communicate with the server/cluster via HTTPS only. The Opereto server ships with a simple self-signed SSL certificate, which will trigger a certificate error in most modern browsers and HTTP client libraries. Although you may continue working with a self-signed certificate, we strongly recommend obtaining and installing a valid SSL certificate. There are many vendors you can buy a certificate from; we recommend a known and reliable one.


Opereto uses Nginx as a frontend proxy server, so follow your SSL certificate provider's instructions for installing the certificate on Nginx servers. Check the Nginx configuration file on your server to see how the self-signed certificate is currently configured. Pay attention to the following lines:


/etc/Nginx/nginx.conf

....
....
listen 443 ssl;
ssl_certificate           /var/lib/opereto/ssl/ssl.crt;
ssl_certificate_key       /var/lib/opereto/ssl/opereto.key;
server_name myserver.mydomain.com;

....
....


Unless you are familiar with Nginx, we recommend not changing any configuration parameter other than the SSL certificate lines shown above, to avoid performance or security regressions.


Create external, server independent storage (AWS S3)

Opereto clusters use Amazon S3 storage by default to share microservice files. The Opereto single server, however, stores files and data locally on the standard server file system. We strongly recommend changing the default server storage to AWS S3 instead. This simplifies upgrades and server migrations and better protects the microservices and backup data.


To change your storage specification, please follow these steps:


1. Create your S3 buckets

Opereto requires three buckets and their security credentials: cluster_storage, cluster_dev_storage and cluster_exports_storage.

The first holds the production microservices code, the second holds the development (sandbox) microservices and the third holds the configuration exports. While you may create a single bucket for all three, we recommend using a separate bucket for each, and creating a different IAM user with its own access credentials for each, to get more granular access control.


To create a bucket, please see: http://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html


2. Create IAM users and set access permissions

To create a user, please see: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

In the new user's Permissions tab, create the following JSON policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my_bucket_name",
                "arn:aws:s3:::my_bucket_name/*"            
            ]
        }
    ]
}


If you want to use the same user for all buckets, you can list them all in one policy as follows:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my_production_bucket_name",
                "arn:aws:s3:::my_production_bucket_name/*",
                "arn:aws:s3:::my_sandbox_bucket_name",
                "arn:aws:s3:::my_sandbox_bucket_name/*",
                "arn:aws:s3:::my_exports_bucket_name",
                "arn:aws:s3:::my_exports_bucket_name/*"
            ]
        }
    ]
}


For each IAM user, create an access key and keep the credentials; you will add them to the Opereto configuration file in the next step.



3. Update Opereto configuration

Add the following to your /var/lib/opereto/opereto.conf file (create it if it does not exist), replacing BUCKET_NAME, ACCESS_KEY and SECRET_KEY with the values from the previous steps:

cluster_storage_type: s3
cluster_storage_name: BUCKET_NAME
cluster_storage_ak: ACCESS_KEY
cluster_storage_sk: SECRET_KEY
cluster_dev_storage_name: BUCKET_NAME
cluster_dev_storage_ak: ACCESS_KEY
cluster_dev_storage_sk: SECRET_KEY
cluster_exports_storage_name: BUCKET_NAME
cluster_exports_storage_ak: ACCESS_KEY
cluster_exports_storage_sk: SECRET_KEY


4. Restart Opereto

service opereto restart


5. Re-deploy your microservices (if you have any)

Re-deploying your microservices stores them in the new storage.
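As an added example (not part of Opereto's documentation or code), the following Python script builds the per-bucket policy from the step 2 template and checks any IAM policy for wildcard S3 grants (s3:* and the like) that reach beyond the buckets you named in step 1; the bucket names and the over-broad sample policy are constructed here.

```python
import json

S3_ARN = "arn:aws:s3:::"


def bucket_policy(bucket_names):
    """Build the step 2 policy for the given bucket names (one or several, as on this page)."""
    resources = []
    for name in bucket_names:
        resources += [f"{S3_ARN}{name}", f"{S3_ARN}{name}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": f"{S3_ARN}*"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": resources},
        ],
    }


def check_policy(policy, allowed_buckets):
    """Return one finding per resource of an Allow statement with a wildcard S3 action
    (s3:*, s3:Get*, ...) that is not a named bucket from allowed_buckets; [] means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or not any(a.endswith("*") for a in actions):
            continue  # narrowly named actions are out of scope for this check
        resources = stmt.get("Resource", [])
        for res in (resources if isinstance(resources, list) else [resources]):
            bucket = res.removeprefix(S3_ARN).split("/", 1)[0]
            if not res.startswith(S3_ARN) or "*" in bucket or bucket not in allowed_buckets:
                findings.append(f"statement {i}: {actions} on {res!r} reaches outside {sorted(allowed_buckets)}")
    return findings


# Constructed example of the mistake this check catches: s3:* on every bucket in the account.
OVERBROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed bucket names standing in for the three storages named in step 1.
BUCKETS = ["opereto-prod-example", "opereto-sandbox-example", "opereto-exports-example"]

if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKETS[:1]), indent=4))   # one-user-per-bucket policy
    print(check_policy(bucket_policy(BUCKETS), set(BUCKETS)))   # -> []
    print(check_policy(OVERBROAD_POLICY, set(BUCKETS)))         # -> one finding
```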


Protect your servers against accidental termination

We recommend using the AWS termination protection mechanism for this. The following article explains in detail how to protect your server and data: https://aws.amazon.com/premiumsupport/knowledge-center/accidental-termination/


Set up email notification service (optional)

Opereto provides a simple email notification mechanism to notify relevant members of internal failures, for instance scheduled processes that fail to start for some reason, processes that reached their timeout or ended with errors, etc. To learn more, please refer to the System Settings page.


Fix time sync (especially when using an Opereto cluster)

For example, add a crontab entry that periodically runs the following command (you may use another time server of your choice):

sudo ntpdate -s time.nist.gov