Pre-Installation Checklist for Installing the Cloud Platform on Multiple Servers


Last Updated for Apprenda 6.8.0

Before beginning your Platform installation, make sure that you have fulfilled these requirements and filled in the information relevant to your Platform configuration. This checklist is intended to give you an at-a-glance assessment of installation prerequisites.

NOTES

If you are upgrading to 6.7.0 or later, you must have Platform version 6.5.1 or later.

CONTENTS

Platform Configuration Options
Hardware and Infrastructure Requirements
  Primary Domain Controller, Active Directory, and Network Requirements
  SSL and Signing Certificates
  *Certificates for TLS Encryption of Internal Platform Traffic
  Platform Repository
  Infrastructure and Hardware Requirements for Platform Servers
Windows Software and Setup Checklist
  Software Requirements for All Windows Servers
  Software and Setup Requirements According to Platform Role
*Linux Software and Setup Checklist
*Oracle 11g Software and Setup Checklist
*Oracle 12C Software and Setup Checklist

PLATFORM CONFIGURATION OPTIONS

At least one Windows server is required for all Platform installations (multiple are recommended for HA purposes). This means that most of the Windows-related setup detailed below is required. Some Windows setup (and all Linux and Oracle setup), however, is required only if you choose to implement the corresponding configuration options below; setup required for optional configuration will be clearly marked with a *.

Please check options that your installation will implement:

AD FS (for federated authentication and implementation of an external user store)
TLS encryption for internal Platform traffic
SQL Server Windows Authentication for single-tenant .NET guest applications
Audit Logs for Apprenda Platform Operations
Linux
Linux with JBoss or custom Tomcat version support
Oracle 11g
Oracle 12c

Consult your Client Services representative if you have questions about these options.

HARDWARE AND INFRASTRUCTURE REQUIREMENTS

Primary Domain Controller, Active Directory, and Network Requirements

As noted below, the Platform requires a number of network-level security accounts as determined by the specific configuration of your installation (all configurations require what are called the Apprenda System and Apprenda Administrator accounts). The specific permissions that each account requires are listed in the checklist. Notably, the user under which the Platform Installer is run must be part of the Administrators group (i.e., have local admin rights) on all Windows servers that are provisioned for use by the Platform, as various portions of Platform installation operations require the ability to modify the system registry, copy & delete files, and run Windows Services. Using Active Directory to establish an authentication mechanism for these accounts ensures that effective permissions are consistent across all Platform nodes. Please refer to Microsoft documentation for configuring Active Directory and DNS servers.

Note: Platform components cannot be installed on a Domain Controller.

IMPORTANT: In addition to granting the required permissions for the accounts listed below, Group Policy must also be configured to allow the appropriate permissions. Platform installation and operation will be negatively affected if Group Policy removes a necessary permission.

REQUIRED ACTIVE DIRECTORY ACCOUNTS

User account under which the Platform Installer will be run (the Apprenda Admin or System account may be used, or a separate account can be created for installation purposes) created in Active Directory and granted the following:
  o Username:
  o Password:
  o Local admin rights on all Windows machines where Platform services will run
  o Read/write access to the Apprenda Repository Shares

Apprenda Admin user account created in Active Directory
  o Username:
  o Password:
  o Read/write access to the Apprenda Repository Shares
  o Allow log on locally rights on certain Windows servers/nodes as specified in the Windows Software and Setup Checklist below

Apprenda System user account created in Active Directory
  o Username:
  o Password:
  o Allow log on locally rights on certain Windows servers/nodes as specified in the Windows Software and Setup Checklist below
  o Impersonate a client after authentication rights on certain Windows servers/nodes as specified in the Windows Software and Setup Checklist below

*If Platform configuration includes SQL Server Windows Authentication (available for single-tenant .NET guest applications only)

User account under which the SQL DB Engine service will be run
  o Username:
  o This account must be part of the Built-In Windows Authorization Access Group (needed only for SSPI-only SQL instances)

User account under which the storage manager will run; by default the Platform will use the Apprenda Admin account (but this can be changed)
  o Username:
  o In Platform versions before 6.5.3, the Apprenda Admin account must be given the sysadmin and serveradmin roles. Platform versions 6.5.3 and later require a reduced set of permissions for the Apprenda Admin account if DB Throttling is disabled. If DB Throttling is enabled, sysadmin and serveradmin are still required.

DNS AND NETWORKING REQUIREMENTS

URL for your Platform (provide one entry per cloud if installing on multiple clouds)
  o cloudurl:

Path-based URL host (subdomain) for your Platform, which is configurable in the Installer (the default value is apps)
  o Path-based URL host:

DNS entries (for the cloud URL value(s) provided above) for one of the following. The DNS entries should point to the Load Balancer (if used); otherwise they should point to the Load Manager(s):
  o (Preferred method): Wildcard subdomain (*.cloudurl)
  OR
  o The path-based URL host followed by the cloudurl (subdomain.cloudurl). When choosing this option, additional DNS entries will be required for each guest application that developers deploy using a subdomain-based URL (e.g., myapp.cloudurl)

Email account that will be used for the Platform (you may instead use Apprenda's free email provider if you prefer, although this is not recommended for production installs):
  o Sender Name:
  o Sender Address:
  o SMTP Host:
  o SMTP Port:
  o SMTP User (if authentication is required):
  o SMTP Password (if authentication is required):

SSL and Signing Certificates

SSL certificate(s) generated by the Platform Installer will be used OR an SSL certificate (provided as a PFX file) with one of the following certificate subjects has been provided for each cloud:
  o (Preferred method) Wildcard subdomain (*.cloudurl)
  OR
  o The path-based URL host followed by the cloudurl (subdomain.cloudurl)

Signing certificate generated by the Platform Installer will be used OR a certificate (provided as a PFX file) has been provided that can be used for signing claims.

Note: the same certificate should NOT be used for both the SSL certificate and the signing certificate (if using certificates generated by the Platform Installer, a separate certificate will be generated for SSL and signing).

*Certificates for TLS Encryption of Internal Platform Traffic

The Apprenda Platform can be configured to enforce encryption of internal traffic among Platform servers/nodes. When installing a Platform version of 6.5.x or later you will be able to configure your Platform's internal encryption settings. This setting will be used throughout the lifetime of the Platform and you will not be able to enable/disable internal Platform encryption in future upgrades. When choosing to enable this feature, one of the following issuer/host certificate options must be selected (and certificates provided accordingly).

Note: All user generated certificates must be Cryptographic Service Provider (CSP) compliant.

One of the issuer/host certificate options has been selected and pre-requisites fulfilled:

  o Issuer and host certificates generated by the Platform will be used; the Platform will install all certificates.
    Pre-requisites: None
  OR
  o Issuer certificate (provided as a PFX file) and password will be provided; the Platform will create corresponding host certificates and install the host and issuer certificates as needed.
    Pre-requisites: Issuer certificate obtained and meets the requirements outlined in the Issuer Certificate Requirements section
  OR
  o Issuer certificate will be provided as a PEM or CER file; host certificates must be created manually and installed prior to running the Platform Installer; the Platform will install only the issuer certificate as needed.
    Pre-requisites: Issuer certificate obtained and meets the requirements outlined in the Issuer Certificate Requirements section. Host certificate created and installed on all Load Managers, Windows Application Servers, Windows Web Servers, and Linux Servers. The host certificate need not be installed on standalone Cache and Platform Coordination Nodes

Issuer Certificate Requirements

When an issuer certificate is provided, the certificate must be issuer-capable. To confirm that a certificate is issuer-capable, double-click on the certificate in MMC on a Windows machine. Look under the General tab and find the Certificate Information section. Under the statement "This certificate is intended for the following purpose(s)," you should see "All issuance policies."
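
One way to script the certificate prerequisites above before running the Installer, as an added example that is not part of the Apprenda documentation or tooling. It goes slightly beyond the checklist: besides the subject and "not the same certificate" checks it also compares the key pairs, and it tests issuer capability through the Basic Constraints and Key Usage extensions, which is an assumption standing in for the MMC check the page describes. All function names, parameters and file paths are hypothetical.

```powershell
# Added example (not Apprenda tooling): pre-flight checks for the certificate
# prerequisites in this checklist. Function names and paths are hypothetical.

function Get-CertFromFile {
    param([Parameter(Mandatory=$true)] [string] $Path, [securestring] $Password)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    # PFX files need their password; PEM/CER files are loaded without one.
    if ($Password) { return New-Object $type -ArgumentList $full, $Password }
    return New-Object $type -ArgumentList $full
}

function Test-IssuerCapable {
    # Assumption: "issuer-capable" is tested here as Basic Constraints CA=true
    # plus keyCertSign whenever a Key Usage extension is present.
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $canSign = (-not $ku) -or (($ku.KeyUsages -band $certSign) -ne 0)
    return ($isCa -and $canSign)
}

function New-CheckResult {
    param([string] $Check, [bool] $Passed)
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed } |
        Select-Object Check, Passed
}

function Test-PlatformCertificates {
    param(
        [Parameter(Mandatory=$true)] [string] $CloudUrl,
        [string] $PathHost = 'apps',                 # Installer default per the checklist
        [Parameter(Mandatory=$true)] [string] $SslPfx,
        [Parameter(Mandatory=$true)] [securestring] $SslPassword,
        [Parameter(Mandatory=$true)] [string] $SigningPfx,
        [Parameter(Mandatory=$true)] [securestring] $SigningPassword,
        [string] $IssuerFile,                        # optional: PFX, PEM or CER
        [securestring] $IssuerPassword               # only for a PFX issuer certificate
    )
    $ssl  = Get-CertFromFile -Path $SslPfx -Password $SslPassword
    $sign = Get-CertFromFile -Path $SigningPfx -Password $SigningPassword

    # Subject must be the wildcard (*.cloudurl) or the path-based host (subdomain.cloudurl).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $ssl.GetNameInfo($nameType, $false)
    $allowed = @("*.$CloudUrl", "$PathHost.$CloudUrl")
    New-CheckResult 'SSL subject is *.cloudurl or subdomain.cloudurl' ($allowed -contains $cn)
    New-CheckResult 'SSL PFX includes the private key' $ssl.HasPrivateKey
    New-CheckResult 'Signing PFX includes the private key' $sign.HasPrivateKey

    # A certificate re-issued over the same key pair has a new thumbprint,
    # so the public keys are compared as well.
    New-CheckResult 'SSL and signing certificates differ' ($ssl.Thumbprint -ne $sign.Thumbprint)
    New-CheckResult 'SSL and signing key pairs differ' `
        ($ssl.GetPublicKeyString() -ne $sign.GetPublicKeyString())

    if ($IssuerFile) {
        $issuer = Get-CertFromFile -Path $IssuerFile -Password $IssuerPassword
        New-CheckResult 'Issuer certificate is CA-capable' (Test-IssuerCapable -Cert $issuer)
        if ($IssuerPassword) {
            # The Platform can only create host certificates if the PFX carries the issuer key.
            New-CheckResult 'Issuer PFX includes the private key' $issuer.HasPrivateKey
        }
    }
}

# Example call (constructed values):
# Test-PlatformCertificates -CloudUrl 'cloud.example.com' `
#     -SslPfx .\ssl.pfx -SslPassword (Read-Host -AsSecureString 'SSL PFX password') `
#     -SigningPfx .\signing.pfx -SigningPassword (Read-Host -AsSecureString 'Signing PFX password') `
#     -IssuerFile .\issuer.cer | Format-Table -AutoSize
```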

Platform Repository

The Platform requires a single location which will serve as the repository for all Platform and guest application binaries. The repository can be located as follows:

on a network share on one of the Windows Application servers on the Platform, which can be configured by the Platform Installer
on a network share (ideally located on a SAN or NAS), which must be configured manually
on a mapped drive that can be accessed by all servers/nodes managed by the Platform, which must be configured manually

Thumbnail caching should be disabled for any server hosting the Platform Registry.

AUTOMATIC SHARE CONFIGURATION (USING THE PLATFORM INSTALLER)

If one of the Windows Application servers specified in the Installer is chosen for the Platform Repository, during validation the Installer will attempt to create the necessary folder and shares on the specified server.

Account Setup (Automatic Configuration)

The account under which the Installer will be run must have permission to create the folder and shares on the Windows server. The Installer will grant read/write permissions to the repository share folders to the Apprenda Administrator account.

The Installer will create a folder called Partitions on the drive specified for Platform content, and will create three separate shares within this folder:
  Applications
  Apprenda
  SAC

If for some reason the user account under which the Platform Installer will be running does not have enough permissions to create the folder and shares, follow the steps in the Manual Share Configuration section.

MANUAL SHARE CONFIGURATION

If you need to manually configure the share location, create the following three folders:
  Applications
  Apprenda
  SAC

The folders may be created as three folders within a single share or as three separate shares accessible through the same base path. Due to character path limits in Windows, the base path to these folders must contain no more than 50 characters.

Account Setup (Manual Configuration)

The Apprenda Administrator account and the account under which the Installer will be run must have read/write access to the Repository Share folders.

MANUAL MAPPED DRIVE CONFIGURATION

Configure the mapped drive so that it can be accessed by all servers/nodes managed by the Platform. (Please contact your Client Services representative if you need assistance with this step.)

Create the following three folders on the mapped drive:
  Applications
  Apprenda
  SAC

The folders must be accessible through the same base path. Due to character path limits in Windows, the base path to these folders must contain no more than 50 characters.

Account Setup (Manual Configuration)

The Apprenda Administrator account and the account under which the Installer will be run must have read/write access to the Repository folders on all Windows servers/nodes managed by the Platform.

ADDITIONAL CONFIGURATION FOR EXTENSIBILITY SERVICES

Once installation is complete, the Extensibility Services application, which is necessary for both Add-On and Bootstrap Policy functionality, runs by default under the Apprenda System account. For security reasons, it is possible to configure services to run under more limited user accounts. In most cases, these accounts do not require access to the Platform shares; however, in order for Platform Add-On creation to function properly, the user account under which the Extensibility Services runs must have read access to the AddOns folder created during installation within the Apprenda share. If the Apprenda Extensibility Service is configured to run under a user account that does not have full access to the Platform shares, read-only share and security access to the folder for the account under which this service will run should be configured after Platform installation is complete. In addition, the user account must be granted Impersonate a client after authentication rights in order for Bootstrap Policy functionality to work.

Account under which the Extensibility Services runs has the following:
  o Read access to the AddOns folder
  o Impersonate a client after authentication rights on all Windows servers
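
The account rights named in this checklist (Allow log on locally, Impersonate a client after authentication) can be verified on each Windows server after Group Policy has applied. The following is an added example, not Apprenda tooling: it exports the effective user-rights policy with secedit and checks each account, including rights it holds through group membership and an overriding Deny log on locally entry. The function names and the sample UPNs are hypothetical, and it assumes an elevated prompt on a domain-joined server.

```powershell
# Added example (not Apprenda tooling): verify user rights for the Platform accounts
# on the local server. Function names and sample account names are hypothetical.

function Get-UserRightAssignments {
    # Export the effective local policy (it reflects Group Policy once applied)
    # and parse "SeXxx = *S-1-5-...,DOMAIN\name" lines into a hashtable.
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content -LiteralPath $tmp) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $name = $Matches[1]
                $rights[$name] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ })
            }
        }
        return $rights
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

function Resolve-ToSid {
    # Entries are either SIDs or account names; normalise both to a SID string.
    param([string] $Entry)
    if ($Entry -match '^S-1-') { return $Entry }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

function Get-RightHolders {
    param([hashtable] $Rights, [string] $Right)
    if (-not $Rights.ContainsKey($Right)) { return @() }
    return @($Rights[$Right] | ForEach-Object { Resolve-ToSid $_ } | Where-Object { $_ })
}

function Test-PlatformAccountRights {
    param(
        [Parameter(Mandatory=$true)] [string[]] $UserPrincipalName,
        # Allow log on locally / Impersonate a client after authentication
        [string[]] $RequiredRights = @('SeInteractiveLogonRight', 'SeImpersonatePrivilege')
    )
    $rights = Get-UserRightAssignments
    $denied = Get-RightHolders $rights 'SeDenyInteractiveLogonRight'
    foreach ($upn in $UserPrincipalName) {
        # The identity's own SID plus every group SID in its token, so that
        # rights granted to a group (for example Administrators) are counted.
        $id   = New-Object System.Security.Principal.WindowsIdentity($upn)
        $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
        foreach ($right in $RequiredRights) {
            $holders = Get-RightHolders $rights $right
            $granted = @($holders | Where-Object { $sids -contains $_ }).Count -gt 0
            $blocked = ($right -eq 'SeInteractiveLogonRight') -and
                       (@($denied | Where-Object { $sids -contains $_ }).Count -gt 0)
            New-Object PSObject -Property @{
                Account = $upn; Right = $right; Granted = $granted
                DeniedByPolicy = $blocked; Ok = ($granted -and -not $blocked)
            } | Select-Object Account, Right, Granted, DeniedByPolicy, Ok
        }
    }
}

# Example call (constructed account names):
# Test-PlatformAccountRights -UserPrincipalName 'apprendasystem@corp.example.com',
#     'apprendaadmin@corp.example.com' | Format-Table -AutoSize
```

For an account that only needs one of the rights, pass `-RequiredRights` explicitly, for example `-RequiredRights SeImpersonatePrivilege` for a limited Extensibility Services account.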

Infrastructure and Hardware Requirements for Platform Servers

The Platform relies on distributing application jobs throughout a grid of networked computers. This creates a scenario where there are no onerous requirements on any specific server, so long as the network as a whole can satisfy demand. In order to accomplish this, the servers that will constitute your Apprenda Platform must adhere to the following requirements.

INFRASTRUCTURE REQUIREMENTS FOR ALL SERVERS (WINDOWS AND LINUX)

For a given host, the Platform requires the following specs. The Platform may not behave correctly on computers that do not meet these minimum requirements. Note that this is a minimum configuration and is not intended for production environments (please see our Reference Architecture documentation for production environment recommendations):

2 Cores
For Windows, 4 GB RAM required
For Linux, 2 GB RAM required, plus 0.5 GB RAM for every individual Java Web Application or Linux Services workload the node will host
40 GB Hard Drive
Network Interface

In order for the Platform to function correctly, it requires the following:

Confirm that all servers can resolve each other by host name (not just FQDN)
Any potential time skews among nodes should be eradicated by ensuring that all nodes are time synced (NTP is recommended for this)

Additionally, certain software should be turned off or must be configured in a manner that does not interfere with the Platform:

Power management
Automatic update services
Password expiration (for the Platform accounts)
Anti-virus software (e.g., Symantec Anti-Virus, for which live monitoring of the file system interferes with key Platform functions). If disabling Anti-Virus software is not a viable option for security reasons, it must be configured (in some cases via Group Policy) to have an exception for the root Apprenda folder (the location of this folder is configurable in the Installer; the default location is C:\ApprendaPlatform) on each node.
FIPS Mode (enabling FIPS Mode will prevent Platform installation and operations by blocking necessary protocols).

INFRASTRUCTURE REQUIREMENTS SPECIFIC TO WINDOWS SERVERS

Windows Firewall and other Firewall software disabled for all profiles (it can be enabled after install if required)
Confirm WMI access for every server that will be running Platform services

  o WMI access can be confirmed by running the following command:

    get-wmiobject win32_operatingsystem -comp <computername>

If a DMZ is to be set for the Load Managers, the machines should be inside the network for Platform installation and then moved out
Confirm that File Sharing is allowed across Firewall zones (if applicable)
If using a hardware Load Balancer, confirm that incoming traffic is allowed on ports 80 and 443; traffic incoming on port 80 may be redirected to 443. The Load Balancer should point to Load Manager nodes.

*INFRASTRUCTURE REQUIREMENTS SPECIFIC TO LINUX SERVERS

Firewall Management

Any operating firewalls, such as iptables, will likely interfere with the Platform's Application Request Routing service when contacting the node. Either configure these firewalls to allow access to the ARR service (contact your Client Services representative for specific details), or ensure that the firewalls are disabled. For example, to disable iptables run these terminal commands to prevent iptables from starting on reboot, and then to turn it off:

    chkconfig iptables off
    service iptables stop

Platform Repository Mounts

In order for Linux servers to access the Platform Repository Share, uniform mount points must be created on each Linux node. You may use your method of choice for mounting the Apprenda Platform Repository (cifs-utils is a tested method).

Create two different directories on each Linux node to use as mount points for Platform Repository share folders. The names and locations of the directories must be identical across all Linux nodes that will be part of your environment. It should be noted that the Apprenda Platform will be installed to /apprenda on each node, so this path must not be on a shared file system. You will need to enter the directory paths you have set for the Application and Apprenda System directories during Platform installation. Suggested mount points:
  o /repository/apps
  o /repository/system

Mount the Applications and Apprenda Repository shares/folders (listed below), respectively, to the Application and Apprenda System mount points:
  o //{platformrepohost}/applications
  o //{platformrepohost}/apprenda

Ensure that the shares will be re-mounted in case of server restart/reboot; one method is described here:
  o http://www.centos.org/docs/5/html/5.2/deployment_guide/s2-nfs-config-autofs.html

When installing Platform version 6.5.1 or 6.5.2, if you plan to use the Platform Installer to install Linux servers to the Platform, ensure the user account with access to the Platform Repository Share is also given write access. If you plan to manually install Linux servers, the user will not need write permission on the Platform Repository Share. (As of Platform version 6.5.3, all Linux servers must be installed manually.)

WINDOWS SOFTWARE AND SETUP CHECKLIST

Complete this checklist before installation of your Apprenda environment.

Note: As of Platform version 6.5.2, Microsoft Windows Server 2008 is no longer supported. If you are installing (or upgrading to) 6.5.2 or later, you must have Microsoft Windows Servers 2008 R2 or 2012/R2 to complete the following steps.

Software Requirements for All Windows Servers

.NET 4.5 installed on every Windows machine (Platform 6.5.1 and later also supports .NET 4.6 and 4.6.1)
Net.Tcp Port Sharing Service is enabled and set to Automatic startup
Any HTTP proxies have been removed or disabled from all Platform servers and from the machine from which the Installer will be run. This includes any proxies for the user under which the Installer will be run, as well as any accounts under which Platform services may run (including the Apprenda Admin account, Apprenda System account, IIS Shared Configuration account, Local Service, and Local System); confirm that no Group Policies are in place that will recreate or re-enable such proxies.
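
Several of the Windows server requirements above (short-name resolution, WMI access, time sync, .NET 4.5, Net.Tcp Port Sharing startup, FIPS Mode) can be checked remotely and read-only before the Installer is run. The following is an added example, not Apprenda tooling: the function names, the server names in the sample call and the 5-second skew threshold are assumptions, since the checklist gives no number for acceptable skew.

```powershell
# Added example (not Apprenda tooling): read-only pre-flight checks for the
# Windows server requirements in this checklist. Names and threshold are hypothetical.

$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE for the WMI StdRegProv provider

function Get-RemoteDword {
    # Read a DWORD from the remote registry over WMI (no Remote Registry service needed).
    param([string] $Server, [string] $Key, [string] $Name)
    $reg = [wmiclass]"\\$Server\root\default:StdRegProv"
    $r = $reg.GetDWORDValue($HKLM, $Key, $Name)
    if ($r.ReturnValue -eq 0) { return $r.uValue }
    return $null   # key or value does not exist
}

function Test-PlatformServer {
    param(
        [Parameter(Mandatory=$true)] [string] $Server,   # short host name, not the FQDN
        [int] $MaxSkewSeconds = 5                        # assumption, not from the checklist
    )
    $r = New-Object PSObject -Property @{
        Server = $Server; ResolvesByShortName = $false; WmiAccess = $false
        TimeSkewOk = $null; DotNet45 = $null; NetTcpPortSharingAuto = $null
        FipsDisabled = $null
    }
    $columns = 'Server', 'ResolvesByShortName', 'WmiAccess', 'TimeSkewOk',
               'DotNet45', 'NetTcpPortSharingAuto', 'FipsDisabled'

    # Resolution is tested from this machine only; repeat from other nodes to
    # confirm that all servers can resolve each other.
    try {
        [void][System.Net.Dns]::GetHostAddresses($Server)
        $r.ResolvesByShortName = $true
    } catch { }

    # Same query as the checklist's get-wmiobject command.
    try {
        $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Server -ErrorAction Stop
        $r.WmiAccess = $true
    } catch {
        return ($r | Select-Object $columns)   # remaining checks all depend on WMI
    }

    # Remote clock versus local clock (includes WMI round-trip time).
    $remoteNow = $os.ConvertToDateTime($os.LocalDateTime)
    $r.TimeSkewOk = [math]::Abs(($remoteNow - (Get-Date)).TotalSeconds) -le $MaxSkewSeconds

    # .NET Framework 4.5 and later report Release >= 378389 under this key.
    $rel = Get-RemoteDword $Server 'SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
    $r.DotNet45 = ($rel -ne $null) -and ($rel -ge 378389)

    $svc = Get-WmiObject Win32_Service -ComputerName $Server -Filter "Name='NetTcpPortSharing'"
    $r.NetTcpPortSharingAuto = [bool]($svc -and $svc.StartMode -eq 'Auto')

    # FIPS Mode is on when Enabled = 1; a missing value means it is off.
    $fips = Get-RemoteDword $Server 'SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    $r.FipsDisabled = ($fips -ne 1)

    return ($r | Select-Object $columns)
}

# Example call (constructed server names):
# 'lm01', 'web01', 'app01' | ForEach-Object { Test-PlatformServer -Server $_ } |
#     Format-Table -AutoSize
```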
Software and Setup Requirements According to Platform Role

CACHE NODES AND PLATFORM COORDINATION NODES

Software Prerequisites

Operating Systems
  o For Platform versions before 6.5.2: Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
  o For Platform version 6.5.2 and after: Microsoft Windows Server 2008 R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
Cache Nodes only: MS Visual C++ Redistributable Packages for Visual Studio 2013 (if not found on designated cache nodes, the Installer will offer a repair option that will attempt to install this)

Account Setup

For all machines, the Apprenda System account and Apprenda Administrator account should be granted Allow log on locally rights.

LOAD MANAGERS

Software Prerequisites

Operating System
  o For Platform versions before 6.5.2: Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
  o For Platform version 6.5.2 and after: Microsoft Windows Server 2008 R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
IIS 7 or above; IIS request filtering must allow DELETE, GET, POST, and PUT requests
For Windows Server 2012/R2 or Windows 8, ARR 3.0 or higher (latest version recommended) and compatible versions of the following ARR dependencies:
  o External Cache
  o URL Rewrite Module
  o Web Farm Framework (Needed only for Platform version 6.5.0 and earlier; it is not required for Platform version 6.5.1 and later when ARR version 3.0 or later is used).

Roles Setup

Web Server role needs to be installed with the following services turned on: ASP.NET and ASP.

Account Setup

The Apprenda System account and Apprenda Administrator account should be granted Allow log on locally rights. The Apprenda System account must also have Impersonate a client after authentication rights.

Application Request Routing (ARR) Installation

Load Managers require ARR and its dependencies. For Load Managers running Windows Server 2008/R2, the Platform Installer will install and configure the appropriate version of ARR and its dependencies. (Note that Windows Server 2008 is not supported on Platform version 6.5.2 and after.) For Windows Server 2012/R2, ARR version 3.0 or higher (and its dependencies) must be installed manually.

The optimal method of installing ARR is through the MS Web Platform Installer, which will install and configure your selected version of ARR. For some versions, the Web Platform Installer will install all of the ARR dependencies that the Platform requires (as listed in the checklist above) along with the ARR installation. If the ARR installation does not install all of the listed dependencies, you can install a missing dependency separately through the Web Platform Installer.

More information on ARR, including latest version information and instructions for manually installing ARR and its dependencies without using the Web Platform Installer, can be found on the Microsoft IIS website at http://www.iis.net/downloads/microsoft/application-request-routing.

ADDITIONAL SETUP IF INSTALLING WITH MORE THAN ONE LOAD MANAGER

Any existing shared configuration should be disabled in IIS prior to running the Platform Installer (as it will cause the IIS Configuration step to fail).
For IIS 8 and later, the Web Server Role may require the Web Server>Security>Centralized SSL Certificate Support option in order to successfully set up Shared Configuration.
In environments with more than one Load Manager, Load Manager nodes cannot also serve as Windows Web Servers.

WINDOWS WEB SERVERS

Software Prerequisites

Operating System
  o For Platform versions before 6.5.2: Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
  o For Platform version 6.5.2 and after: Microsoft Windows Server 2008 R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
IIS 7 or above; IIS request filtering must allow DELETE, GET, POST, and PUT requests
iisnode (see details below)

Roles Setup

Web Server role needs to be installed with the following services turned on: ASP.NET and ASP.

Account Setup

For all machines, the Apprenda System account and Apprenda Administrator account should be granted Allow log on locally rights. The Apprenda System account must also have Impersonate a client after authentication rights.

iisnode Installation

Windows Web Servers require iisnode; the Installer will attempt to install and configure it on any servers designated as Windows Web Servers. As needed, iisnode can be installed prior to the Platform installation. The installer for iisnode is available in your Platform installation package at Installer\IISModules\iisnode-full-v0.2.11-x64.msi or at https://github.com/tjanczuk/iisnode

WINDOWS APPLICATION SERVERS

Software Prerequisites

Operating System
  o For Platform versions before 6.5.2: Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
  o For Platform version 6.5.2 and after: Microsoft Windows Server 2008 R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise (64-bit required in each case)
SMO 2012 on Application servers designated as Storage Controlling Services hosts

Account Setup

For all machines, the Apprenda System account and Apprenda Administrator account should be granted Allow log on locally rights. The Apprenda System account must also have Impersonate a client after authentication rights.

SMO Setup for Storage Controlling Services Hosts

It is necessary that at least one Windows Application Server per cloud host Apprenda's Storage Controlling Services, which interfaces with SQL Server and Oracle to configure guest application storage. These servers are required to have SQL Server Management Objects (SMO) 2012 installed. At installation, the Platform will mark any Windows Application Servers with SMO installed as capable of hosting the Storage Controlling Services and will deploy this component to those servers. If no suitable host is found, it will install the required SMO version on a single Application Server.

In order to control which Application Servers are designated as Storage Controlling Services Hosts on multi-node Platform configurations, it's recommended to install a supported version of SMO (version 11.0 or higher) on Application servers that you would like to designate as Storage Controlling Services hosts prior to running the Platform Installer. As needed, after installation additional Application servers can be configured as Storage Controlling Services hosts by installing SMO on the servers and then designating them as such in the System Operation Center (SOC).

Note: If SQL Server 2012 SP3 will be used for SQL Server nodes, an update package from Microsoft will need to be downloaded and installed on all Storage Controlling Services Hosts to fix a known issue with SP3 and SMO. This update can be downloaded from https://support.microsoft.com/en-us/kb/3123299

(recommended for HA purposes) SMO installed on designated Storage Controlling Services hosts
For all installations of SMO from SQL Server 2012 R2 SP3, update pack installed

SQL SERVER NODES

SQL Server should be installed using the planned instance name, and be configured to permit direct database logins (mixed-mode authentication is acceptable). It is recommended that dedicated SQL Server instances are used for your Platform.

Software Prerequisites
- Operating System
  o For Platform versions before 6.5.2: Microsoft Windows Server 2008/R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise
  o For Platform version 6.5.2 and after: Microsoft Windows Server 2008 R2 or 2012/R2, Microsoft Windows 7 or 8 Home Premium, Professional or Enterprise
- A supported version of SQL Server:
  o SQL Server 2008 R2 Express edition or higher
  o SQL Server 2012 Express edition or higher
  o SQL Server 2014 Express edition or higher with Cumulative Update Package 6 or later installed (available at https://support.microsoft.com/en-us/kb/3031047) and compatibility mode set to SQL Server 2012 (see https://msdn.microsoft.com/en-us/library/bb510680.aspx for information on setting the compatibility mode)
- SQL Server Browser Service enabled
- For SQL Server nodes running SQL Server 2012 SP3, an update package from Microsoft must be downloaded and installed to fix a known issue with SP3. This update can be downloaded from https://support.microsoft.com/en-us/kb/3123299

Account Requirements
The installer requires a SQL Server account, titled the SQL Server Admin account, for each SQL Server instance. The same account may be used across all SQL Server instances, or a different account may be used for each instance. Note that as of Platform version 6.8.0, the SQL Server Admin account must be the same account across all SQL Server instances to rotate the account's credentials during Platform runtime.

In Platform versions before 6.5.3, the SQL Server Admin account(s) must be given the sysadmin and serveradmin roles. Platform versions 6.5.3 and later require a reduced set of permissions for the SQL Server account if DB Throttling is disabled. If DB Throttling is enabled, sysadmin and serveradmin are still required.
After install of Platform 6.8.0 or later, Platform Operators can separate access to Platform databases using unique SQL Server accounts running with reduced privileges for data-only operations.

- Apprenda SQL Server Admin account created in SQL Server
  o Username:
  o Account(s) is given the sysadmin and serveradmin roles OR, if you are installing Platform version 6.5.3 or later with DB Throttling disabled, the account is granted only the following permissions:
      ALTER SETTINGS (needed only for install/upgrade)
      ALTER ANY DATABASE
      ALTER ANY CONNECTION
      ALTER ANY LINKED SERVER
      ALTER ANY LOGIN
      CONNECT SQL
      VIEW SERVER STATE
  o The password should be set to not expire if you are installing a Platform version before 6.8.0
  o The account(s) must permit remote access to all SQL Server instance(s)

MSDTC Configuration
MSDTC must be configured manually for any machines hosting SQL Server instances that do not also host Platform services. MSDTC can be configured as follows (steps should be repeated for each machine hosting a SQL instance):
1. Run "dcomcnfg" from a command prompt; this will open a Component Services configuration window.
2. Expand Component Services > Computers > My Computer > Distributed Transaction Coordinator > Local DTC.
3. Right click on "Local DTC" and select Properties.
4. Click on the Security tab.
5. Check the following options, then click "OK":
   a. Network DTC Access
   b. Allow Remote Clients
   c. Allow Inbound
   d. Allow Outbound
   e. No Authentication Required
   f. Enable XA Transactions
   g. Enable SNA LU 6.2 Transactions (if available)

Database Server Connectivity: Allowing Remote Server Connections
Configure the database server to allow remote server connections. In SQL Server Management Studio, follow these steps:
1. Right-click on the database server in Object Explorer after connecting and choose Properties.
2. Choose the Connections page.
3. Check Allow remote connections to this server.

It may be necessary to adjust the network configuration to permit TCP/IP connections. Using SQL Server Configuration Manager:
1. Locate SQL Server Network Configuration -> Protocols (for your database instance).
2. Ensure TCP/IP is set to Enabled.
3. Restart the SQL Server Service if this setting was changed.

* Database Requirements when enabling Audit Logs for Platform Operations
Enabling auditing logs requires that you specify a SQL Server instance that will house the Auditing database, which stores the audit logs. The SQL Server instance may be part of the Platform or may reside off-platform.
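The reduced permission set the checklist gives for the SQL Server Admin account (Platform 6.5.3 or later, DB Throttling disabled) can be granted in one statement and then audited against the catalog views. The T-SQL below is an added example, not Apprenda's installer script; the login name apprenda_sql_admin is a placeholder and the login is assumed to exist.

```sql
-- Added example, not Apprenda's installer script.
-- [apprenda_sql_admin] is a placeholder login that is assumed to exist.
USE master;

-- Grant only the server-level permissions the checklist lists for
-- Platform 6.5.3 or later with DB Throttling disabled.
GRANT ALTER SETTINGS,          -- checklist: needed only for install/upgrade
      ALTER ANY DATABASE,
      ALTER ANY CONNECTION,
      ALTER ANY LINKED SERVER,
      ALTER ANY LOGIN,
      CONNECT SQL,
      VIEW SERVER STATE
TO [apprenda_sql_admin];

-- Audit: compare what the login actually holds with the checklist's set.
DECLARE @login sysname = N'apprenda_sql_admin';

DECLARE @required TABLE (permission_name nvarchar(128) PRIMARY KEY);
INSERT INTO @required (permission_name) VALUES
    (N'ALTER SETTINGS'), (N'ALTER ANY DATABASE'), (N'ALTER ANY CONNECTION'),
    (N'ALTER ANY LINKED SERVER'), (N'ALTER ANY LOGIN'), (N'CONNECT SQL'),
    (N'VIEW SERVER STATE');

-- COLLATE avoids a collation conflict between the catalog view and the
-- table variables when the two sets are joined.
DECLARE @held TABLE (permission_name nvarchar(128) PRIMARY KEY);
INSERT INTO @held (permission_name)
SELECT DISTINCT sp.permission_name COLLATE DATABASE_DEFAULT
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS pr ON pr.principal_id = sp.grantee_principal_id
WHERE pr.name = @login
  AND sp.class = 100            -- server-level permissions only
  AND sp.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION

-- One row per permission: ok, MISSING, or EXTRA (held but not in the checklist).
SELECT COALESCE(r.permission_name, h.permission_name) AS permission_name,
       CASE WHEN h.permission_name IS NULL THEN 'MISSING'
            WHEN r.permission_name IS NULL THEN 'EXTRA: not in checklist'
            ELSE 'ok' END AS status
FROM @required AS r
FULL OUTER JOIN @held AS h ON h.permission_name = r.permission_name
ORDER BY status, permission_name;

-- Membership in any fixed server role (sysadmin, serveradmin, ...) overrides
-- the reduced set, so list the roles the login still belongs to.
SELECT role_pr.name AS fixed_server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS role_pr  ON role_pr.principal_id  = m.role_principal_id
JOIN sys.server_principals AS login_pr ON login_pr.principal_id = m.member_principal_id
WHERE login_pr.name = @login;
```

Seven "ok" rows in the first result set and an empty second result set mean the login holds exactly the checklist's permissions and no fixed server role. The checklist marks ALTER SETTINGS as needed only for install/upgrade, so it is the one candidate for revocation afterwards.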

The SQL instance that houses the Auditing database must meet the same software and configuration pre-requisites as those listed above for SQL Server Nodes. This includes the specified role, password, and remote access requirements for the SQL account that the Platform will use to configure and connect to the Auditing database.

- Auditing database SQL Server instance name:
- Auditing database SQL Server instance has been configured to meet the pre-requisites listed above for SQL Server Nodes
- Auditing database SQL Server account created in SQL Server
  o Username:
  o In Platform versions before 6.8.0, account is given the sysadmin and serveradmin roles and passwords should not expire
  o In Platform version 6.8.0 and later, account is given the following permissions:
      ALTER ANY DATABASE (needed only for install/upgrade)
      CONNECT SQL
  o The account must permit remote access to the SQL Server instance(s)

Note that the Platform does not encrypt the Auditing database by default and it is your responsibility to enable any encryption configurations, like Transparent Data Encryption, on the supplied database.

*AD FS NODES (Required only if Platform configuration includes AD FS)
Note: AD FS nodes will also act as Windows Application Servers, as they host the Apprenda Windows Host in order to support the Apprenda Federation WCF service. As needed they may also be configured to act as Storage Controlling Service hosts.
Software Prerequisites
- Operating System
  o For Platform versions before 6.5.2: Microsoft Windows Server 2008/R2 or 2012/R2 Professional or Enterprise (64-bit required in each case)
  o For Platform version 6.5.2 and after: Microsoft Windows Server 2008 R2 or 2012/R2 Professional or Enterprise (64-bit required in each case)
- IIS 7 or above (for AD FS 2.0 or 2.1)
- Supported version of AD FS installed and configured:
  o On Windows Server 2008/R2: AD FS 2.0, available for download at http://www.microsoft.com/en-us/download/details.aspx?id=10909 (Note that Windows Server 2008 is not supported on Platform version 6.5.2 and after)
  o AD FS 2.1 (available as a role in Windows Server 2012)
  o AD FS 3.0 (available as a role in Windows Server 2012 R2). PLEASE NOTE: configuring AD FS 3.0 requires credentials for a domain administrator account (local administrator permissions alone will not suffice).

Account Setup
For all machines, the Apprenda System account and Apprenda Administrator account should be granted Allow log on locally rights. The Apprenda System account must also have Impersonate a client after authentication rights.

AD FS Setup
- Platform managed AD FS Host:
- Platform managed AD FS federation endpoint:
- DNS entry in place for the identity site
- SSL certificate available for the identity site

Please see our AD FS setup guides for additional AD FS installation and configuration instructions. Additional accounts and setup will be required if using an AD FS web farm.

*LINUX SOFTWARE AND SETUP CHECKLIST
Complete this checklist if your Platform will include at least one Linux server.

INSTALL USER ACCOUNT ACCESS REQUIREMENTS
So that the Apprenda Platform can access each Linux node with one given set of credentials, ensure that the account you plan to use as the Install User account is created on each node and has an identical password and elevation method (SU or SUDO). If you plan to use the Root account, simply ensure that the account has an identical password on all nodes.

Note: In Platform version 6.5.2, you can choose to install Linux servers manually outside the Platform Installer. If you are installing 6.5.2 and plan to install the Linux servers manually, you do not need the Install User account. For Platform version 6.5.3 and later, all Linux servers must be installed manually outside the Platform Installer, therefore the Install User account is not required for each node.

During installation you will need to choose a local account to be used as the Default Workload Account for running Java Web App workloads; if you plan on setting Automatic Workload Account Creation to Enabled during installation, then the Platform will auto-create the account for you on all nodes at install time. In that case, you need to ensure that the Install User has the ability to create local accounts. If you plan to set Automatic Workload Account Creation to Disabled, however, you will need to manually create an identical local account on all Linux nodes, and then use this account as the Default Workload Account.
- For Platform versions before 6.5.3 (unless you are installing 6.5.2 and plan to install Linux nodes manually), account that you plan to use for installing Apprenda on Linux nodes is created identically on each node
  o Name:
  o Password:
  o (If not using the Root account) Elevation method (SU or SUDO):
  Note: Elevation using SU or SUDO should be configured in a way that does not present a password prompt to the user that is elevating
- If you plan to allow the Platform to auto-create a default workload account for Java workloads, ensure that the Root account has the ability to create local accounts; if not, the local account you plan to use as a default workload account must be created identically on all Linux nodes. It should be noted that depending on the server and applications hosted, it may be necessary to increase the maximum user process limit per workload account to accommodate hosting requirements on a server.
  o Account:

SOFTWARE REQUIREMENTS
- One of the following:
  o CentOS 6 or 7
  o Red Hat Enterprise Linux 6 or 7
- Any HTTP proxies have been removed or disabled from all servers

- Libcgroup library is installed (see details below)
- For CentOS/RHEL 7
  o iptables-services is installed (see details below)
  o systemd version 218 or higher is installed
- Cgconfig service is started and set to restart on reboot (see details below)

Libcgroup Library Installation Details
Install the libcgroup library. For installation of necessary libraries on a CentOS node, CentOS's yum package management system is recommended. Example terminal command:

    yum install libcgroup

Note: For CentOS/RHEL 7, you will also need to install libcgroup-tools as it is no longer done by default when installing libcgroup.

Iptables-Services Installation Details
For CentOS/RHEL 7, `iptables-services` needs to be installed. Using `yum` (described in the previous section) execute the following terminal command:

    yum install iptables-services

Cgconfig Service Management Details
Start the cgconfig service and set it to start on reboot:

For CentOS/RHEL 6:

    service cgconfig start
    chkconfig cgconfig on

For CentOS/RHEL 7:

    systemctl start cgconfig.service
    systemctl enable cgconfig.service

* If Platform configuration includes Linux with JBoss or custom Tomcat version support
By default, Platform installs and uses specific versions of Tomcat as the Java container host for deployed Java Web Applications on Linux servers. If you intend to use JBoss or a custom version of Tomcat instead, ensure that JBoss/Tomcat is installed to an identical install path on each Linux server that will use that version of JBoss or Tomcat. Some post-installation configuration of the Platform is necessary to enable deployment of Java Web Application workloads using JBoss or a custom version of Tomcat: http://docs.apprenda.com/6-5/runtime-versions#hostingcontainer. The versions of Tomcat that are shipped with the Platform are listed at http://docs.apprenda.com/6-5/supported-servers#containers. It is recommended that all containers that are not shipped with the Platform be tested on a dev/test installation of the Platform in order to rule out any container-related issues.

- JBoss is installed to the same install path on each Linux server that will host that JBoss version.
  o Install path:
and/or
- Custom version of Tomcat is installed to the same install path on each Linux server that will host that Tomcat version.
  o Install path:

*ORACLE 11G SOFTWARE AND SETUP CHECKLIST
Complete this checklist if your Platform will include at least one Oracle 11g Installation.

SOFTWARE REQUIREMENTS
- No specific OS is required for an Oracle 11g RDBMS installation; Red Hat Enterprise Linux 6 and Windows 7 have been tested successfully.
- Oracle Database 11g (Oracle RAC is not supported)
- The Oracle directory object DATA_PUMP_DIR must be mapped to an OS path with sufficient space to accommodate backups of any hosted guest application schemas that may undergo patching at any one time. DATA_PUMP_DIR is created by default when Oracle 11g is installed on Windows or Unix; if the directory object does not exist, it must be created manually.

ADMINISTRATOR ACCOUNT REQUIREMENTS
- Platform Database Administrator account is created on all Oracle nodes and has been granted the appropriate permissions (See instructions below).
  o Username:
  o Password:

Administrator Account Setup Details
1. Locate the oracle11g_admin.sql script in the Binaries>Oracle folder of your installation package (if running the Express Installer, this folder will appear in a temp>apprenda folder on your primary drive once the Apprenda.Express executable has been launched).
2. Copy the script locally and make the following alterations as needed:
   a. If the account already exists, comment out the CREATE USER line.
   b. Replace all instances of the placeholder &APPRENDA_ADMIN_USER with the user name you wish to use.
   c. Replace the placeholder "&APPRENDA_ADMIN_PASSWORD" with the password you wish to use.
3. Run the updated script against each Oracle node to create the user (if needed) and configure the appropriate permissions.

*ORACLE 12C SOFTWARE AND SETUP CHECKLIST
Complete this checklist if your Platform will include at least one Oracle 12c Installation managed by the Platform.
All requirements should be completed for on-platform CDBs; off-platform CDBs that will provide storage for Platform-hosted applications should meet the first two software requirements below. It should be noted that any Platform installation that supports Oracle 12c requires a minimum of one on-platform CDB.

SOFTWARE REQUIREMENTS
- No specific OS is required for an Oracle 12c installation; Red Hat Enterprise Linux 7 and Windows 2012R2 have been tested successfully. It should be noted that our testing has uncovered inconsistencies in the behavior of Oracle 12c between Windows and Linux installs; RAC for Oracle Database 12c is supported but not required. (Also recommended for off-platform CDBs.)
- Oracle installations must be configured as uniformly as possible across all instances. (Also recommended for off-platform CDBs.)
- Oracle must be configured for OMF (Oracle Managed Files) (Required for on-platform CDBs only)
- An Oracle directory must be configured to allow for PDB moves (see instructions below). (Required for on-platform CDBs only)

An Oracle directory must be configured to allow for PDB moves
To create/update the directory, run the following command on each Oracle 12c installation:

    CREATE OR REPLACE DIRECTORY APPRENDA_PDB_DIRECTORY AS '{path ending in OS-appropriate slash}';

ADMINISTRATOR ACCOUNT REQUIREMENTS (REQUIRED FOR ON PLATFORM ONLY)
- Platform Database Common User account that will be created on all Oracle 12c nodes (See instructions below); we recommend using the same username across all Oracle 12c instances.
  o Username: C##
  o Password:

Administrator Account Setup Details
1. Locate the oracle12c_admin.sql script in the Binaries>Oracle folder of your installation package (if running the Express Installer, this folder will appear in a temp>apprenda folder on your primary drive once the Apprenda.Express executable has been launched).
2. Copy the script locally and make the following alterations as needed:
   a. If the account already exists, comment out the CREATE USER line.
   b. Replace all instances of the placeholder &APPRENDA_ADMIN_USER with the user name you wish to use.
   c. Replace the placeholder "&APPRENDA_ADMIN_PASSWORD" with the password you wish to use.
3. Run the updated script against each Oracle node to create the user (if needed) and configure the appropriate permissions.