OpenEndpoints is software written in Java. The code is open source and licensed under Apache License with Commons Clause - see https://openendpoints.io/license.

For the deployment we recommend using Docker. A public Docker container is available at:

public.ecr.aws/x1t6d0t7/endpoints-he

Using Saxon-PE

By default the public Docker container will install the free XSLT processor Saxon-HE. This is sufficient for most purposes.

In order to deploy OpenEndpoints with the commercial version Saxon-PE you are required to buy a license for Saxon-PE (Professional Edition) and create a Docker container using that edition. The license isn't expensive and it's absolutely worth the money.

Here are the steps you need to take:

1. Purchase a Saxon-PE license at https://www.saxonica.com/shop/shop.html. You will get two files: the JAR file containing the Saxon-PE code, and also a Saxon-PE license file.

2. Install Java 21 and Maven on your computer if you have not already done so.

3. Check out the OpenEndpoints Git repo to your computer if you have not already done so.

4. Execute the following command to install the Saxon-PE JAR that you have purchased into your local Maven repository on your computer: mvn install:install-file -Dfile=<path to your Saxon-PE file> -DgroupId=net.sf.saxon -DartifactId=Saxon-PE -Dversion=9.7.0.18 -Dpackaging=jar replacing your path to your downloaded file as appropriate. Keep the -Dversion the same, no matter what version you've actually downloaded.

5. Copy the Saxon-PE license file to your Git checkout, placing it in the path saxon-pe/saxon-license.lic.

6. Execute the following command to build OpenEndpoints with Saxon-PE: mvn -DSaxon=PE clean package

7. Build the Docker image using a command like docker build -t endpoints-pe .

8. Push the Docker image to your Docker repository. Note that the terms of the Saxon-PE license do not allow you to make this Docker image public in any way.

A PostgreSQL database is required prior to installing OpenEndpoints.

Database schema creation is not necessary; the software does that on startup.

The following data is saved in it:

• Request log: This saves metadata for each call, but not the data explicitly transmitted when the call is made. An exception is the debug mode, in which, as an exception, the data transferred when the call is made can also be saved.

• Incremental IDs: If the feature is used to provide incremental IDs, the last ID used is saved in the database.

• Forward-to-Endpoint-URL: OpenEndpoints can generate short URLs, which, when called, cause a request to a previously-specified endpoint including previously-saved request parameters.

• Service Portal: Application Data and Logins.

Get Access to an AWS Account

Firstly you need to either create an AWS account, or you need to have access to an AWS account.

Decide on Domain

Decide on what internet domain the new Endpoints deployment should be reachable at. For example https://endpoints.myservice.com/.

This can either be a domain such as myservice.com or a subdomain such as endpoints.myservice.com. In either case, you must own the main domain you wish to host on (myservice.com in this example). Purchasing this domain is out-of-scope of this document.

Apply for an HTTPS Certificate via AWS

AWS offers free HTTPS certificates for use with their own services.

1. In the AWS Management Console (web interface), navigate to the Certificate Manager product.

2. Click “Request a Certificate”

3. On the form that is displayed, select “Request a Public Certificate” as this will be a publicly visible service.

4. Type in the domain name of the certificate; this is the full domain name, from the example above this would be endpoints.myservice.com There is no https:// part or trailing slash or dot.

5. Click on the “Review and Request” button, then the “Confirm and Request” button.

6. This will either send an email to the owner of the domain (containing a link), or it will request that a particular DNS entry is made in the DNS settings for that domain. This is to prove that you own the domain that AWS will create the HTTPS certificate for. Either click on the link in the email or set up the DNS entry. After having set up the DNS entry, a few minutes later the screen on the AWS Management Console will show the certificate has been issued.

Create VPC and Subnets

A VPC is a part of the network managed by AWS. If this AWS account will do nothing more than serve Endpoints, you can use the default VPC. If it is shared with other services, for security we recommended creating a separate VPC for the Endpoints installation. If you decide to use a default VPC, you can skip this section. If you decide to use a separate VPC, follow the following steps to create it:

1. In the AWS Management Console (web interface), navigate to the VPC product.

2. Create a new VPC, with the appropriate IP address range, such as 10.100.0.0/16. (Ignore the options about IPv6.) You can use any internal IP address range you like, as long as it doesn't conflict with any other internal IP addresses that the VPC may need to have access to (e.g. if Endpoints needs to be configured to access any databases or services internal to your company). If in doubt, talk to the department which manages IP addresses in your company. If the VPC does not need to access any other internal services, there is no reason not to proceed with the example given here.

3. Create two Subnets, with IP address schemes like 10.100.10.0/26 and 10.100.10.64/26. Allow “Specify the Availability Zones” explicitly, choose different zones for each Subnet, otherwise they all get created in the same Availability Zones. This allows services to be split across multiple Availability Zones, meaning if one AWS data center encounters issues, then the application will still be available.

4. Create an “Internet Gateway”. This will allow the VPC to send and receive requests from the internet.

   1. After the "Internet Gateway" has been created, select it, use the "Actions" drop-down to select "Attach to VPC" and select the VPC you created earlier.

5. Create a “Route Table”, then after its creation:

   1. Click on the “Routes” tab at the bottom half of the screen. Add a rule from Destination 0.0.0.0/0 to the new Internet Gateway created above.

   2. Click on “Subnet Association” tab and associate all the subnets with the routing table.

Create Security Groups

It is a good idea to create all security group in advance. Security groups can also be created when databases and other resources are created, however then they have useless names such as “rds-launch-wizard-2”.

On the AWS Management Console (web interface), navigate to the Security Group feature. The following table specifies which security groups to create. Each have a name and one or more inbound rules. For outbound rules, allow the default which is to be able to send requests on any port to any location.

Create "Bastion" VM

For various tasks, it is useful to have a VM to connect to via SSH. This is "behind the firewall" and will allow you to access resources such as the database which are not public.

1. In the AWS Management Console (web interface), navigate to EC2 product.

2. If you do not already have an SSH public key then go to the left navigation under "Key Pairs" and create a new Key Pair. If you already have an SSH public key, e.g. created on your computer, you do not need to do this step, you can upload it later.

3. Navigate to the "Instances" section of the left-hand navigation.

4. Click “Create New VM”

5. Select the latest Ubuntu image

6. Select a very small instance size (to save costs)

7. Select the VPC created earlier

8. Set “Auto-assign public IP” to Enable

9. Set the tag “Name” to e.g. “SSH from Internet”

10. Select the “SSH from Internet” Security Group created earlier

11. Select an SSH Key pair that you have access to so that you can log on to the server.

It takes quite a while before a user can log in to a newly created EC2 instance, for example 5 minutes. You might see the error "Permission denied (publickey)" during this time.

To connect to it, use the ssh username ubuntu together with the key you created or uploaded earlier.

Create PostgreSQL Database

Endpoints uses the database to store various things such as which Endpoints "applications" have been installed.

1. In the AWS Management Console (web interface), navigate to RDS product. This is the AWS managed database product.

2. Click “Create a new database”.

3. Name it something like “Endpoints”.

4. We currently support PostgreSQL 14 (although other versions will probably work).

5. Select a random master password.

6. Select “Create new Subnet Group”

7. Set “Public Access” to “No”, as this database should not be publicly visible on the internet.

8. Select the database Security Group that was created earlier.

9. Database schema creation is not necessary; software does that on startup.

10. “Point-in-Time Recovery” is activated by default, so no action is required to enable that.

11. Make sure that “Auto Minor Version Upgrade” is enabled, so that you do not have to take care of manually upgrading the database between minor versions.

Create the Task Definition

A Task Definition is a blueprint of how AWS will install and run the Endpoints software.

1. In the AWS Management Console (web interface), navigate to the ECS product. ECS is the service AWS offers to manage Docker installations.

2. Create a new Task Definition

3. Select type "Fargate". This means that AWS itself will automatically allocate compute resources, as opposed to having to do it manually.

4. Name the Task Definition with a name like "Endpoints"

5. Select the RAM and CPU. We recommend at least 500MB RAM.

6. Add one container within the Task Definition. Give it a name like "endpoints".

7. The URL to the public Docker image of Endpoints is public.ecr.aws/x1t6d0t7/endpoints-he

8. Set a hard memory limit e.g. 450MB RAM.

9. Add a single port mapping to the container. Container port is 8080.

10. 1. ENDPOINTS_JDBC_URL is like jdbc:postgresql://xxxxx/postgres?user=postgres&password=postgres where xxxx is the host value of the RDS database

    2. ENDPOINTS_BASE_URL is the URL of the service e.g. https://endpoints.myservice.com/ with a trailing slash

    3. ENDPOINTS_SERVICE_PORTAL_ENVIRONMENT_DISPLAY_NAME For example “live environment”. This is just text which is displayed on the Service Portal login page. In case you have multiple Endpoints installations, it is convenient to differentiate them with text on the login page.

Create an ECS Cluster

A "Cluster" is a set of compute resources, managed by AWS, where Endpoints will run.

1. In the AWS Management Console (web interface), navigate to the ECS product

2. Create the ECS cluster (not Kubernetes Cluster)

3. Select “Networking only” type.

4. Don’t select creation of a new VPC

Create a Load Balancer (ELB)

The Load Balancer is responsible for taking the user's HTTPS requests, and forwarding them on to the Endpoints software running on a managed ECS cluster created above.

1. In the AWS Management Console (web interface), navigate to the ECS product

2. Go to the “Load Balancers” section.

3. Click “Create Load Balancer”.

4. Select the default “Application Load Balancer” from the two options.

5. Change the listener to be HTTPS only.

6. Select the correct VPC, which was created above.

7. Select all subnets.

8. Select the HTTPS certificate that has been previously created.

9. Select the HTTPS security group previously created.

10. Go to the "Load balancer target group".

    1. Create a new Target Group. However, its settings are not important, later it will be deleted, as each time a Docker instance is registered with it, it will create a new Target Group.

    2. Do not register any targets to the newly created Target Group (as it will be deleted later)

Connect the Domain to the Load Balancer

This is necessary so that when someone navigates to your domain, their requests are sent to the AWS Load Balancer created above, and thus the request can be served by Endpoints.

1. In the AWS Management Console (web interface), go to the EC2 product.

2. In the Load Balancer section, click on the Load Balancer created above. You will see it has a DNS name such as Endpoints-HTTPS-66055465.eu-central-1.elb.amazonaws.com (A Record).

3. In the tool where you administer the domain, create a CNAME DNS record, from the domain or subdomain chosen for this installation, to the domain name you can read off in the last step.

Add Services to the Cluster

This step takes the Task Definition you have created earlier (which is a blueprint for running the software) and installs it on the Cluster created earlier (a set of compute resources).

1. In the AWS Management Console (web interface), go to the ECS product.

2. Navigate to ECS “Clusters” (not Kubernetes Clusters)

3. Select the newly created “Cluster”.

4. Create an service called “Endpoints”

5. Type is Fargate

6. select the Task Definition created above

7. Select the VPC created above

8. Add all subnets

9. Select the “webapp” security group, created above

10. In the Load Balancing section:

    1. Select “Application Load Balancer”

    2. Select the load balancer previously created in the drop-down

    3. Click the “Add to load balancer” button

    4. Select the target group name

    5. Select the existing “production listener”

    6. The URL is /* i.e. slash followed by a star

    7. Health check is /health-check

11. Set the application as "sticky" in the load balancer: (This is required for the Service Portal inc case more than one instance is running as the "state" of the web application is stored in the server memory)

    1. Navigate to the EC2 Product in the Management Interface.

    2. Go to the Target Group section in the left navigation

    3. Select the previously-created Target Group

    4. Navigate to the "Attributes" tab

    5. Click "Edit"

    6. Enable the "Stickiness" checkbox

    7. Select the "Load balancer generated cookie" option.

Create Monitoring Alarms

It is possible, but not necessary, to use CloudWatch to create monitoring alerts for the health of various components such as the database. To create an alarm:

1. In the AWS Management Console (web interface), go to the CloudWatch product.

2. Click “Create Alarm”.

3. Set up the alarm, as described below

4. On the last screen, select that the action should be to send an email to the appropriate person.

Perform the above steps for each of the following alarms:

• CPU: ECS -> CPUUtilization, > 70 (percentage) for 1 period (= 5 minutes)

• Memory: ECS -> MemoryUtilization > 70 (percentage) for 1 period (= 5 minutes)

• Up: ApplicationELB > Per AppELB, per TG Metrics -> UnHealthyHostCount, > 0 for 1 period (= 5 minutes)

• DB Disk: RDB -> Per-Database Metrics -> FreeStorageSpace for digitalservices < 5 (percentage) for 1 datapoint

Use Application

The application is now available under your URL e.g. https://endpoints.myservice.com/

If the application is configured in multi-application mode then the Service Portal is available under https://endpoints.myservice.com/service-portal with username admin/admin.

Troubleshooting

• Go to the ECS Cluster, go to the Service, click on the “Events” tab to see what’s going on, e.g. health check is failing

• Go to CloudWatch, Log Groups, see that there is a new log group which has been created, go into the log file and see if there are any errors.

This is an example installation on . For sure there are many more paths how-to install OpenEndpoints on DigitalOcean.

1. Sign up to DigitalOcean or be invited to an existing account

2. On the left hand navigation go to “API” and “Generate New Token” with a name such as your name. Record the token somewhere for later.

3. Create a Project

   1. Top-left of the navigation all projects are listed

   2. Click on “New Project”

   3. Enter the name “Endpoints”

   4. For “What’s it for” answer “Operational / Developer tooling”

   5. For “Environment” answer “Production”

4. Upload the Endpoints software as a Docker image to DigitalOcean Docker Repository

   1. Go to “Container Registry” on the left hand side navigation

   2. Use a name which is unique to your company or product; this is globally unique across all of DigitalOcean. We use “endpoints” in this example.

   3. On your local computer (e.g. Mac): Install "doctl", see https://docs.digitalocean.com/reference/doctl/how-to/install/

   4. doctl auth init

   5. doctl registry login

   6. docker pull public.ecr.aws/x1t6d0t7/endpoints-he

   7. `docker tag public.ecr.aws/x1t6d0t7/endpoints-he registry.digitalocean.com/endpoints/endpoints

   8. docker push registry.digitalocean.com/endpoints/endpoints

5. Create a database:

   1. Click on “Databases” in left navigation

   2. Click "create"

   3. Choose “PostgreSQL”

   4. Currently we recommend PostgreSQL 14 (although other versions will probably work).

   5. We recommend starting with the cheapest version which is “Basic Node” with 1GB of RAM.

   6. Choose your Data Center.

   7. Under “Choose a unique database cluster name” choose something like “endpoints”.

   8. Click the green “Create a Database Cluster” at the bottom of the screen to actually start the creation process. (The creation process takes a while, e.g. 5-10 minutes.)

   9. After you start the creation process, the resulting screen displays information about the database, with a few tabs such as “Overview”, “Insights” etc.

6. Create the application:

   1. On the left navigation click on “App Platform”

   2. Create a new app

   3. Select "source provider" of “DigitalOcean Container Registry”

   4. Add the following environment variables:

      1. JAVA_OPTIONS is -verbose:gc

      2. ENDPOINTS_BASE_URL- Use whatever domain you want the service to be running under e.g. https://endpoints.mycompany.com/

      3. ENDPOINTS_JDBC_URL

         1. Go to the database settings screen

         2. Go to the bottom right of the screen “Connection Details”

         3. Select the default “Public Network”

         4. Use a format like jdbc:postgresql://<host>:<port>/<database>?user=<username>&password=<password>

      4. ENDPOINTS_SERVICE_PORTAL_ENVIRONMENT_DISPLAY_NAME is e.g. DigitalOcean

   5. Choose an app name, this is used in the internal URL but otherwise doesn’t matter much

   6. Wait for it to deploy

   7. See the URL and check it works

   8. Enter a CNAME in your DNS from the URL you want to the one that DigitalOcean has supplied

   9. Go to Settings, in “App Settings” under “Domains” add the domain you want the service to run under, so that HTTPS certificates work.

The application can be deployed in two different ways.

In both scenarios

• Docker is used to deploy the application.

• A PostgreSQL database is required. No schema is needed, the application creates that itself the first time it runs.

• We recommend using a cloud with managed Docker services, e.g. ECS on AWS, or Kubernetes.

Multiple Application

This is the default option. You deploy the standard Docker image, you don't need to build your own.

The Service Portal is part of the installation:

• Applications are published from Git using the Service Portal.

• Application files are not stored inside the Docker image.

Single Application

This is a special option.

With this deployment mode the application directory is stored directly inside the Docker image. You build your own Docker image with your own Application files being part of that container.

Hence, only a single application will be available with this installation.