To allow users and 3rd party applications to identify and find objects in arveo you should define a unique and immutable unique identifier property ( Data Modelling). The property must be @Unique to ensure that a user or business application can clearly identify the item. The unique identifier should use the taxonomy of business processes and contain all information to clearly recognize the document. Make the property @Readonly to ensure that the identifier is always set and immutable.

The minimizes the risk of incorrect indexing and undetectability of documents because the index is immutable, duplicate identifiers are rejected and the compliant taxonomy ensures that every user can find documents easy and fast. We strongly recommend building a documented, simple but clear taxonomy.

Your business application or the user must set the value when the object is created (@Mandatory annotation), or you can let arveo create a unique value by adding counter annotations. Add the @Autoincrement annotation if a simple sequential Long id meets your requirements.

If you need a more sophisticated unique identifier you can use the annotation _@FormattedCounter which allows you to create e.g. String identifiers like <year>-<sequence> (Unique Identifier Example)

List data types allow you to store more than String or long value for a property. You can search for each value using the array search operation of the arveo query language (Data Types).

Enumeration data types allow you to set one or more values from a fixed set of values.

Enable that the statutory retention periods are assigned to the records, cases and document types (Retention Periods, Retention Rules) and ensure that the storage container are configured correctly (Retention Container) .

Check if the technically assigned retention periods also correspond to the statutory retention periods. Monitor the audit logs to ensure that the retention period is set and is correct. Monitoring could be automated or could be a random control by an employee.

The operating team must ensure that storage container contain only documents with the same retention period. Please do not use the same bucket in different storage profiles or assign a storage profile containing content with retention to different document types.

Grant the deletion right for your storage containers to arveo. If arveo cannot delete the containers, your operating team is in charge of this task, and you must set the option delete rows only.

Configuring storage containers in arveo-service.yaml and your content storage is an ongoing task for your operating team. Eitco will try to create the buckets or subdirectory on your storage system but can also use already existing ones.

It must be ensured that the system time cannot be manipulated (e.g. NTP server). Suitable map measures that a change in the system time is detected promptly.

Because the new legal data privacy / protection act makes it necessary to erase data even before the expected retention period has expired arveo please take care that the content storage has no default hardware retention activated.

All documents in arveo that are subject to retention are available by the REST API and can be downloaded. The integrity and availability of the content is the responsibility of the provider and operator of the platform. The provider must ensure that failures of the storage systems for database and content are identified at an early stage and take appropriate countermeasures. See chapter Fail Safety for technical and organizational measures for high availability of the arveo platform.

In the event that data has to be migrated, arveo offers an extensive export API that enables content and metadata to be exported. arveo saves the hash value (https://en.wikipedia.org/wiki/Cryptographic_hash_function) in the database that was determined when the content was first uploaded (Upload Data). This hash value can be used as a checksum to detect accidental or intentionally corruption of data. If the hash value of the content after the migration is identical to the original hash the migration report proves the correctness of the migration process. To report the completeness of the migration process the arveo API allows you to export a list of all records, cases and documents in a document type.

Legally Compliant Migration

arveo guarantees high availability, reliability and high performance at all times. The system has to be protected from manipulation attempts by proven and well-thought concepts. The data that is stored and managed in the system is protected via the API. The access and editing rights are managed via ACLs. User rights are based on the developed concepts for roles, groups and ACLs. More detailed information on this is provided in the relevant chapters of this manual.

Access to all data (documents, metadata) takes place exclusively via the API, with the corresponding protection mechanisms so that the security of the data is guaranteed at all times.

The system operator is responsible for data security and recovery. He must ensure that the backups of the data are checked regularly and that recovery is reliably possible in the event of a failure. The IT processes that ensure the secure, redundant and highly available storage of arveo data in databases and object or file system storage systems are particularly decisive for the proper operation of the platform. These are the responsibility of the operator of the platform, who must implement the availability and security of the systems in accordance with legal and organizational requirements.

We strongly recommend using a redundant file system or object storage system. If you do not at least backup your data periodically a data loss is likely. For high availability with almost zero data loss our storage system should replicate the written content and data synchronously. The operating team of the platform must ensure that an appropriate replication is set up and monitored.

Object storages with REST APIs are designed for the cloud. If you decide to use storage from the Cloud (public or private) we recommend to use object storage via S3 API. Object storages provide a high level of redundancy (even geo redundant) and fail safety. The REST S3 API is very tolerant against network and infrastructure failures.

For the best high availability the provider of your storage system must protect the stored data against accidental, malicious, or disaster-induced loss of data. The better your data replication the better is your availability in case of a failure.

To achieve high availability for arveo the provider must guarantee that all required (content services) run as a cluster.

Hash-Check: When you use the upload content API, the client side and content service compute SHA-256 hash for the streamed data. Only if both values are identical the upload process is successful. The upload API allows you to pass the expected SHA-256 value and the API will only return OK if the server side hash matches the expected hash.

Verify: The upload API optionally can verify the uploaded content. The content service downloads the just uploaded stream from the content storage and compares the hash once again with the expected value (Upload Content). arveo stores the hash value in a system property and persists the value in the document type metadata table.

The arveo REST API is stateless and there is no session. That means that all REST API calls are atomic and all database commands are executed within one transaction. arveo guarantees the atomicity of the transactions and to avoid inconsistent states, all aborted transactions are removed and rolled back. Hanging transactions are removed and rolled back to avoid database locks.

When you use the download API (Download Content) the client SDK computes the SHA-256 hash of the downloaded stream and compares it to the hash value in the system property of the document type. If the hash does not match the upload hash value in the database the download fails with a data integrity exception telling the caller that the data on the storage was most likely manipulated.

For both supported storages (S3, file system) you can select between different data replication strategies:

As arveo stores each version of the content as an immutable object it is not possible that clients will get outdated data. If the replication is asynchronous it only can happen that clients get a read error.

In case the storage is offline arveo is not available and the system has an outage. In case the storage allows only read access arveo can download content but upload operations fail.

If the storage node has a long term outage the potential data loss is limited by the time that has passed since the last replication and the number of objects stored since that time.

The relational database postgreSQL 12 is responsible for 100% consistent processing of the structured metadata and transactions.

In case the database cluster is down or allows only read access arveo is not available (Deny Of Service/DOS). If the database has a long term outage and the data files are affected the potential data loss is limited by the time that has passed since the last replication and the number of objects stored since that time.

arveo uses modern NOSQL storage technologies to guarantee high search performance and horizontal scalability at all times. We store semi-structured or dynamic document metadata to a NOSQL document database apache solr 8.6.

Solr is an open source search platform that has been partially integrated into arveo.

Based on the type definitions that are created in arveo, arveo automatically creates a schema that Solr uses. In addition, for each client that is created in arveo, a new collection is also created in Solr, so that there is also a separation of data there.

Setup a cluster of replicated nodes for apache solr 8.6. Refer to the apache solr 8.6 documentation to setup a redundant cluster.

To operate arveo successfully with high availability the operator of the platform must provide the following services as a cluster.

It is possible to empty your recycle bin by an automated job scheduled in the Enterprise Integration Service of arveo.You can activate the predefined empty recycle bin job, and you can change the age from the 6 months default value to the age you choose. The job deletes all entries permanently that have been in the recycle bin for longer than the set age.

In addition to the recycle bin feature, the arveo offers an additional safety layer to recover permanently deleted entities.By annotating a type definition with @Recovery, it is possible to define a time period, in which permanently deleted entities will be kept in a system-wide recovery table before they are removed completely.An entity in such a type definition that is deleted (or purged) will be removed from the type definition’s table (and its version table).A copy of each version of the entity will be stored in the recovery table making it possible to restore it manually.If the entity is a document, its contents will not be deleted from the storage until the entity is removed from the recovery table.

The system management API provides a method to remove expired entities from the recovery table.An entity is considered expired when its keep-until timestamp is in the past compared from the moment the method is invoked.A user who calls this method needs the ECR_PURGE_RECOVERY_TABLE authority (see Access Rights).

The recovery of deleted entities is a manual process. The recovery table contains a JSONB column containing a JSON representation of the entire entity including attributes, content information and modification information. Each version of an entity is contained in the recovery table as a separate row.

In addition, an SMTP server access is required for sending mail, as well as access to the Eitco Puppet Master via VPN. The following parameters must also be provided by the customer so that any error messages from the HL7 Integration Service can be sent by email: • SMTP_SERVER • SMTP_PORT • SMTP_STARTTLS = true / false • SMTP_USER • SMTP_PASSWORD • MAIL_TO • MAIL_FROM MAIL_TO is the address to which the mails are sent and MAIL_FROM is the sender address.

A reference system (in the form of a VM or similar) is required to test the system. There must be the same setup as on the customer client systems (i.e. the same web browser, with the same settings, etc). In addition, a terminal / RDP access is to be provided so that Eitco can test the client installation.

For the administration user interfaces the following web browsers are supported: Safari, Google Chrome, Microsoft Edge, Mozilla Firefox, each in the current version.

For the installation of the product, certain requirements for the hardware, software and infrastructure to be provided must be met. In a typical cloud environment each arveo service is deployed as a containerized application and is hosted and scaled by a cloud operating system. However, a different setup can be used, depending on the customer infrastructure and the load of the system (see Deployment Options)

The following chapter describes the minimum CPU and RAM requirements of each arveo service in a production environment.

Assuming that the installation is performed as spring boot services we recommend to set up a minimum of 3 machines. The database and the document service carry the highest load and should be deployed on separate machines. All other services and 3rd party services can run on one OS instance. Some services like Archive Link, Document Conversion may consume high CPU and RAM and can make it necessary to outsource them to separate machines,

For the arveo services JDK 11, 16 is required. All the other recommendations listed above are non-binding, but they have proven to work well. In some cases, other recommendations can be made, according to your individual project setup as well as the requirements of the project.

These instructions describe the installation procedure, the installation content and the items required for commissioning the product. We recommend controlling the rollout of the _arveo services by a continuous integration process that provides all artefact required for the deployment of the required content services and your web solution and integrations.

Depending on the underlying platform, deployment takes place via binary service artifacts that are deployed on pre-installed VMs or via containerized applications that are made available in the host cloud system.

This chapter describes the compliant On Premise installation provided by Eitco. The configuration and deployment of all required artefacts is performed by Eitco or a partner by the automated deployment tool "Puppet".

The customer provides several virtual machines that are configured by Eitco with the automated deployment tool Puppet (Puppet Deployment) in order to ensure a problem-free software rollout in the customer system.

Depending on the service level agreement Eitco can guarantee high availability, reliability and high performance at all times. The system has to be protected from manipulation attempts by technical or organizational measures. The data that is stored and managed in the system is protected via the API. The access and editing rights are managed via ACLs. User rights are based on the concepts for roles, groups and ACLs. More detailed information on this is provided in the relevant chapters of this manual.

All changes to the system and the data are logged via the API, and the changes are traceable via the audit log. If auditing is activated, every database change is logged. In order to guarantee the atomicity of the transactions and to avoid inconsistent states, all are aborted transactions removed and rolled back.

Access to all data (documents, metadata) is exclusively provided via the API, with the corresponding protection mechanisms so that the security of the data is guaranteed at all times.

Puppet is open source software developed by Puppet Labs and is used for the automated configuration and deployment of software deliveries. It ensures the configuration management of servers with both Unix-like operating systems and the Windows operating system via network. The Ad-min-Tool allows the automated configuration of computers and servers as well as the services installed on them. The arveo services are installed and configured with Puppet. After the server has been provided, see System Requirements, the Puppet Agent is installed on it, which then takes care of setting up the environment and the actual application. The duration of the installation process can vary and requires an adequate internet connection. The individual installation components are installed in the form of .deb packages. The installation is completely automated and carried out remotely.

3rd Party Services

arveo Content Services

Customer Applications & Services

Following you find the order of the service starts. The content services may not work before important services are started.

The services are initially started by Puppet. After the installation of arveo has been successfully completed, the customer applications can be started. Additional information on registration, user management and the use of the web client can be found in the user and admin manual.

If all connections between the services are to be encrypted, SSL certificates are required. The following requirements apply: An X-509 certificate with an associated "private key" is required for each server. The certificate should be signed by an official CA or the company’s own CA. Self-signed certificates can also be used. The following special feature must be observed: the X509 extension “Subject Alternative Name” must contain all DNS names and IP addresses via which the respective systems are accessed.

The client software uses several 3rd party licenses. The list of licenses can be called up via the following link: https://<customername>.eitco.de/3rdpartylicenses.txt.

The logs are on the db server in the directory /var/log/postgresql/backup.log. The database backup script is located at /var/lib/postgresql/backup.sh. This can also be started manually at any time. There should not yet be a folder with the current date under / backup / full /. If such a folder exists, it must be moved beforehand. The script is controlled by cron and is always started automatically at 10 p.m.

When you are inside the company network or the VPN, you can use the internal Nexus that does not require authentication. The following maven settings.xml file shows how to configure the required repositories. The settings.xml file can be found in the .m2 directory in your user home directory.

When you are outside the company network and the VPN, you need to use the public Nexus repository that requires authentication. To do so, maven requires credentials. For security reasons, the credentials should be encrypted. Follow the instructions in the Maven documentation to configure a master password and to create an encrypted password.

You should now have created a settings-security.xml file in the .m2 directory like the one shown below:

Then you have to adapt your maven settings.xml as follows:

Make sure to use only https repositories when using credentials. Current maven versions already block the usage of unencrypted repository connections.

The tests are run automatically in a full maven build.The system-test module is configured to automatically start a complete arveo system including all required services and a database.If you want to run the tests manually from the IDE, you can still use maven to start the arveo system.Open a command line in the system-test directory and run mvn -Denv.Maven will start the following processes:

The services will be kept alive until you press enter in the command line.

This will only work if a complete build has been performed at least once (which can be done through mvn install).

Now you can adapt the generated type definition so that it fits the requirements for our project scenario. In this scenario, documents are organized in a two-level folder structure. For example, the project could contain a folder called "invoices" which again contains two folders named "inbound" and "outbound". Each document is contained in exactly one folder and belongs to exactly one project. The document type will contain the following meta data fields:

In addition to these custom fields, the document will contain some system fields like content metadata (filename, size, mimetype…​) and versioning information like creation- and update-timestamps. The two metadata fields name and number that are already contained in DemoModel.java can be removed.

Click Generate and download the zip file containing the generated project. Unzip the file to a directory of your choice and open the project in your IDE. Delete the 'test' directory.

Open the generated pom.xml file and add the following dependencies:

You have to set the version of arveo that was used in the project containing the data model.

Additionally, you have to define a dependency management for the EITCO Commons Spring Security library:

The tool will use the picocli library to make it easy to write a command line application with features like usage help and simple parameter binding. You can read more about picocli here.

Go to the de.eitco.demo.tool package and create a new class called "ArveoCommand". This will contain the business logic behind the commands available in the command line application. In picocli, those commands need to implement Runnable, so we have to implement this interface:

To be able to access arveo, the command line tool will have to authenticate to the arveo service. We will use a simple username/password authentication, so the user must be able to enter credentials. With picocli, we can implement this with some annotated fields in ArveoCommand:

Using the interactive=true option, the user will be prompted to enter username and password when the program is running.

The ArveoCommand class will need to know the directory to import from and (optionally) a customer name. To be able to access the arveo API, we have to get an instance of the TypeDefinitionServiceClient. This can be done using dependency injection:

Now it is time to implement the import. Add the following methods to the ArveoCommand class:

The importProject method will be used to import a project located in the provided root directory. The scenario does not support files located directly in the root of the project, so we will log a warning when we encounter such a file.

The importLevel1 method will collect all files and directories located in the first level of the project structure. Files will be imported directly, directories will be passed to the next importer method.

This method collects all files located in the second level of the project structure. We do not support deeper structures, so we log a warning when we encounter a directory below level 2.

The method used to actually import data into arveo is shown below:

We can now implement the run() method of the ArveoCommand class:

Now we have to adapt the application class that was generated by the spring initializer. Spring provides a CommandLineRunner interface for command line applications. Adapt the DemoToolApplication class as shown below:

In the last step, we have to set some configuration properties for our command line tool. Rename the generated application.properties file in src/main/resource to application.yaml and add the following settings:

Now we can build and run the command line tool. You can either use the IDE or run mvn clean install in a command line for the project containing the demo tool. After the build has finished, you have to start the test system. Open a command line in the system-test module of the type definition project and execute the command mvn -Denv (see Running the tests). Now we can use another command line in the target directory of the command line tool project to run the tool. Running java -jar .\demo-tool-0.0.1-SNAPSHOT.jar prints out usage help for the tool:

The test system already contains a user that can be used for testing. The user’s credentials are:

The following example shows how to use the tool to import projects from a folder:

The warning message can be ignored. The reflective access operation will be replaced in a future version.

Finally, here is a complete listing of the ArveoCommand class for copy&paste:

Your project structure must have a certain structure to be successfully imported and/or archived in arveo.

Here is an example of implementing this structure:

In the last step of the tutorial you executed the Maven command

Now you can replace the last element with your actual project folder:

After this command has been executed, you will see the report about imported files and folders:

This module contains your arveo scenario. An example type will be created with the name <class-name-prefix>Model. You can define more types here, but you will need to register them in register in <class-name-prefix>TypeRegistration. The chapter arveo type definitions describes how to define types.

This module contains tests for your scenario. These tests will be executed in the build. For that a complete arveo environment will be created, so you can add tests, that simply connect to arveo by the http client and can assume that your scenario is deployed.

This module can also be used to set up an arveo environment with your scenario on which you can then run tests manually. In the module run

to set up the environment. It will be torn down when you press <enter> in the console.

This module holds a frame for an asciidoc based documentation of your project.

This module contains the actual source code. It is separated into five submodules.

This module contains delivery artifacts to deliver the service to or with different runtimes. This includes:

This module contains a system test module. When building this module maven will start a complete arveo system (containing all required services) with the newly generated service in the pre-integration-test-phase so that tests written here (like the generated example <class-name-prefix>ClientIT) may simply call the new service via the generated http-client (see above).

Only Documents can contain content elements. A Document in the repository can contain several content elements. For example, a document could contain a content element with the original content (like a TIFF image or a Word document) and a PDF rendition. Each content element has a contentName and some more properties like the media type. The contentName is a label that uniquely identifies a single content element contained in a Document. For example, a Document might contain two content elements that are identified by the contentNames 'content' and 'rendition'.

The contentNames are not only relevant for uniquely identifying a content element contained in a document, but serve as reference for further customization of the repository. The repository does accept configuration options that are directly related to contentNames and the Document type definitions define restrictions regarding the allowed contentNames.

Type definitions define which contentNames can be contained in the entities stored in the definition.

Each content element is stored in a storage profile, which defines the place where the actual content will be stored. The contentType parameter can be used to define what kind of content a content element can contain. When the media type is set to application/octet-stream, any kind of content can be used.

It is specified in the type definition, which content elements this type definition may have.

Usually, the content elements of the entities are stored in a JSON field in the database which contains the storage-ID and additional metadata like size, media type and a hash. The actual content data is not stored in the JSON field. If required, a content element can also be stored in a separate field of type text. The separate field will contain only the storage-ID but no additional metadata. Additional metadata for content elements using separate fields have to be handled by the client application, for example by storing them in a custom metadata attribute.

The following example is an object of type Document, for which two content elements are defined: "content" and "LARGE_CONTENT". In this example, "separateField = true" means a separate column in the database, otherwise it is written in the corresponding json field of the database. The name of a separate column in the database is derived from the name of the content element.

Using the contentType attribute of the @ContentElement annotation one can define the required content type for a content element. The content type application/octet-stream is used as a wildcard type for any type of content. For example, if the value of the contentType attribute is set to application/pdf, only PDF files can be stored in the content element.

It is possible to define the content type of a new content element when it is uploaded. The server will trust this information, so the client is responsible to send the correct content type. If the client does not define the content type, the server will automatically detect the content type of the uploaded binary data.

If a type definition of type DOCUMENT does not contain any @ContentElement annotations, the server will automatically assign a content element with the name content to it. This content element’s metadata will be stored in the JSON field of the type definition and it accepts any kind of content type.

The following Table contains an Overview of the available attributes of the @ContentElement annotation.

A StorageProfile defines on which storage the content elements are saved. Access to the storage backends (like filesystem or S3) is handled by storage plugins.

A StoragePlugin is defined in the StorageProfile, which is used to access the connected storage. The same plugin can be used in several StorageProfiles. Each StorageProfile can have a different set of parameters (access data, URls, …​) for the plugin.

Each profile is identified by name and defines the storage plugin to use. Plugin-specific settings can be configured in the pluginSettings map. So the plugin class name determines the storage technology and the plugin settings.

If a content element has been saved using the named StoragePlugin, the plugin defined in the profile will return a contentID, with which the stored data can be retrieved later. This id, which is usually of type String, is saved with the document. It is a task of the storage plugin to implement, which contents this id has. Usually it is a UUID, but it may also be a text string.

A plugin is assigned to each profile based on the fully qualified class name. Any name-value pairs can be specified for the configuration of the plug-in. The profiles are identified by their name.

There are two ways to map a specific content element to a storage profile.

The following example shows the simplest possible configuration. The type definition does not contain any content element. It implicitly uses the default content element named content. The content element will be stored in a storage profile called my_document, or, if no such profile exists, in the default storage profile.

The next example shows the same type definition, but with an annotation that defines which storage profile to use.

The next example shows a type definition that contains two content elements. The "rendition" content element will support only PDF documents. The PDFs contained in the rendition content element will be stored in an S3 storage. The content in the other element will either be stored in a profile called my_document-content, in a profile called my_document or, if neither of those profiles exists, in the default profile.

The service uses a plug-in interface for connection to the specific storage provider. The following plugins are currently available:

Class name: de.eitco.ecr.server.storage.plugins.BucketOrganizerPlugin.

The BucketOrganizer is not specific for a specific storage technology or storage interface but delegates storage requests to other storage plugins.The selection of the target plugin depends on the retention information of the document that contains the content element to be stored.The selection criteria that are used to select the target plugin can be configured in terms of a list of bucket selection rules.

The relevant retention information of the document is defined by the values of the system fields RETENTION_DATE and LITIGATION_HOLD. This value pair is matched against the bucket selection rules.The matching process starts with the first rule and continues to the next rule if the rule does not match the value pair.The matching process ends at the first rule that matches the value pair.The storage profile named in this rule will be used to store the content.Each bucket selection rule consists of three parts that are separated by the pipe (|) symbol:

As mentioned above, arveo uses a plugin interface for the connection to the storage backends. This section describes how to write a new storage plugin.

All classes and interfaces required to implement a custom plugin are contained in the dependency

A storage plugin must implement the interface de.eitco.ecr.server.storage.StoragePlugin. There are two abstract implementations that can be extended to simplify the implementation:

In addition to the interface to implement, there are some guidelines to respect when writing a custom storage plugin:

When the creation of a rendition fails, the system will re-try to create the rendition. The number of re-tries can be configured, the default is three (see configuration properties). When all retries have failed, the rendition message will be added to a dead letter queue and the status field of the rendition will be set to -1 (FAILED). For this to work, the message queue in ActiveMQ must be configured to use an individual dead letter queue as described in the ActiveMQ documentation.

The rendition feature can be used to store extracted fulltext data as content elements of a document. To achieve this, simply add a rendition content element with the content type text/plain.

Once you have deployed your new data type with enabled retention, all your data is stored in your default storage profile and has a default retention of 10 years. The following example will define separate buckets containing all your objects with a retention period within one year. Configure the buckets in the ecr-service.yaml of your config service in the section arveo:storage:profiles: You can configure a new storage profile with an unlimited number of data buckets for your content.

Mandatory properties of your new bucket profile:

Find more details about selection rules in Retention Bucket Selection Rules

If the configuration is not correct you will find more information in the startup log and will most likely find a MissingConfigurationException

ecr-service.yaml example snippet for content definitions and storages. Adapt your ecr-service.yaml and replace rules, profile names and cloud storage url, etc. with your values.

For more details on storage profiles and content types see Content Types

Encrypting and decrypting is performed by configurable encryption providers. Each provider is identified by a unique name. The available providers are described below.

The following tables give an overview of encryption settings for a storage profile.

The commons-aes provider supports AES encryption with 256bit keys. When a new content element is created in an encrypted profile, the provider generates a random cipher key for the element. The key is encrypted using a master password that is configured in the profile’s encryption settings. It is then stored in the database, which creates an identifier for the key. The keys are stored in individual tables for each profile called ecr_keys_<profileName>. After that, the content is encrypted and stored using the profile’s storage plugin. The key-id is stored in a header together with the encrypted data. When the data is read, the cipher key is loaded from the database using the key-id read from the header. The key is decrypted using the master password and used to decrypt the data read by the profile’s storage plugin.

In the future, there will be a way to re-encrypt keys. For now, this issue hasn’t been implemented yet.

There is a second database table for each profile called ecr_keys_assoc_<profileName>. This table contains mappings of key IDs to content element IDs and is intended for system administration purposes. The encryption feature is configured as shown in the following example:

The following tables give an overview of encryption settings for the commons-aes provider:

The vault-aes encryption provider uses the transit secrets engine of Hashicorp Vault to encrypt and decrypt a generated random cipher key. The cipher key is generated using a configurable random data generation algorithm and then used to encrypt the content with AES as described below. The cipher key is then encrypted by Vault and stored in a header together with the encrypted content data. When the data is decrypted, the encrypted cipher key is read from the header, decrypted using Vault and then used to decrypt the content. The advantage in comparison to the commons-aes provider is that no master key and no stored encryption keys in the database are required. The keys required to decrypt the cipher keys (and though the data, too) are securely stored in Vault and are never known to arveo.

The following tables give an overview of encryption settings for the vault-aes provider:

The following example shows a storage profile configuration using the vault-aes encryption provider.

The following chapter contains information about the implementation details of the AES encryption used by arveo.

To enable the Authorization Server, the user-service.authorization-server.enabled setting must be enabled and a keystore must be configured. The keystore must contain an RSA keypair under the specified alias:

To obtain a token, a client application must log on to a specific client configured in the Authorization Server. Clients can be created both by API and by configuration. At least one client must have been configured to be able to log in via OAuth. Clients are always stored in the master tenant. In the configuration, clients can be specified as follows:

In the above example, a client with the ID "test-client" is configured to have access to the arveo User Management Service (resourceIds and authorities) and to offer the authorization grants password, client_credentials and refresh_tokens. The grants are the same as those in the OAuth2.0 standard.

By default, the client’s configured authorities are included in the issued tokens. In addition, the user’s authorities (= privileges) configured in the user service are entered in the tokens. To prevent the client’s authorities from being included in the tokens, the user-service.authorization-server.inherit-authorities setting can be set to false.

Configure Keycloak:

The following configuration can be used to make a service an OAuth2.0 resource and/or an OAuth2.0 client in the service’s application.yaml:

Configure the respective application.yaml of the service like this:

(1) Generally, these parameters shouldn’t be changed.

(2) CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.

Configure the respective application.yaml of the service like this:

Troubleshooting some common error messages and ways to fix them:

Some common error messages and ways to fix them:

OAuth2.0 defines four flows to get an access token. These flows are called grant types. arveo supports two flows for user authentication and service authentication.

In the following paragraphs we describe the flows. The authentication service can either be the arveo User Management Service or Keycloak. If you use Keycloak you must turn off arveo internal authentication service.

Our machine-to-machine content services authenticate and authorize the app not an user. For this scenario, typical authentication schemes like username + password or social logins don’t make sense. Instead, the services use the Client Credentials Flow, in which they pass along their Client ID and Client Secret to authenticate themselves and get a token.

The arveo single-page web applications requests Access Tokens, some additional security concerns are posed that are not mitigated by the Authorization Code Flow alone. This is because:

Given these situations, OAuth 2.0 provides a version of the Authorization Code Flow which makes use of a Proof Key for Code Exchange (PKCE).

The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

This chapter documents the arveo parameters to start the database service, alter schema and stop the service.

The arveo can be started in a special mode that ensures, that this instance changes the schema and prevents other instances from being started or have already been started. If the database schema change fails, the instance terminates in a way that can be easily evaluated by the administrator to be able to react to this exception.

The service does not start if registry query returns other running instances. The service terminates after the liquibase script is executed. The following two parameters are set:

So the maintenance mode can be used to update the database schema. When the maintenance mode is enabled, the arveo starts, performs necessary schema updates, and terminates once the schema was updated. Requests from clients are not processed while the system is in maintenance mode. Clients will receive a HTTP 503 response code. Schema updates must be performed by one single arveo instance to avoid race conditions. The recommended procedure for a schema update is as follows:

The database schema of an existing system can be changed by adapting the type definition classes and restarting the repository service with the setting arveo.server.system.maintenance-mode=true. The service will update the database schema and shut down once the update is finished. It will not accept requests while the schema is updated.

The following list contains the supported schema changes. Note that some changes like removing an attribute or adding constraints might not be possible when the existing data or existing constraints might be violated by the change.

It is also possible to enable certain features on existing type definitions. Disabling the features is not supported.

By setting the properties arveo.server.system.maintenanceMode and arveo.server.system.logSchemaChanges to true, the system will start up, check for required schema changes, write them to a special log file, and shut down again. The database schema will not be changed. This makes it possible to check for unsupported changes to the schema before performing the actual schema update.

The directory used to store the schema update log can be specified using the property arveo.server.system.schemaChangeLogDirectory. The default value is logs. The system will create one logfile for each tenant. The contents of the file will look like the following example:

In this example, there are three supported changes for the type definition named my_document. A unique constraint will be added to or removed from the attributes container_id and document_name and a foreign key will be added to or removed from the attribute container_id. There are no unsupported changes, so the actual schema update should succeed.

Please note that there are some advanced schema checks that can only be done correctly when the types are actually stored in the database. For example, the checks for the correctness of parent- and child- types of a relation type is not possible when the schema update itself is skipped.

To access the audit, the audit service provides a REST API. Access will be restricted depending on the type: If ACLs are activated on a @Type, only users that have read access to an entity will be allowed to audit this entity. If ACLs are deactivated on a @Type, only users with the authority AUDITOR are allowed to audit the entities of this type.

A small tutorial for setting up solr for arveo.

By default, SOLR does not use any kind of authorization or authentication. In productive systems, SOLR must be secured by enabling transport encryption, authentication and authorization.

The transport encryption can be enabled by enabling HTTPs in SOLR. See the SOLR documentation for instructions. When SSL is enabled, the url in the configuration property ecr.server.solr.host must use the https scheme.

arveo can use basic authentication to authenticate requests sent to SOLR. SOLR provides a basic authentication plugin that must be enabled as described in the documentation. Enabling authentication and authorization in SOLR requires uploading a security.json file to Zookeeper. The following example shows a security.json file that enables the basic auth plugin and a rule based authorization plugin.

There is a github project containing a tool to generate the value for the salt and password used in the credentials-property of the basic auth plugin.

To enable basic auth support for the SOLR client used by arveo, you have to set the following parameters in the configuration for arveo:

When searching for ACL protected entities in SOLR, the search result is filtered by ACL right. This is achieved by using a custom SOLR plugin, which must be installed manually by following the steps below:

The plugin requires a JDBC connection to the relational database to load ACL rights. Do not change the name of the query parser. SOLR queries generated by arveo will contain a filter query using the aclright prefix to perform the actual filtering.

Alternatively, the configuration parameters for the ACL filter plugin can be set as Java system properties for the Solr server, as environment variables, or they can be stored as secrets in Vault. To use Vault, set the following parameters either in the solrconfig.xml file, as Java system properties, or as environment variables:

The order in which the plugin loads configuration properties is:

To be able to use SOLR for advanced queries, the entities must be stored in SOLR, too. To enable this, simply add the @NOSql annotation to the attributes to be stored in SOLR to the getters of your type definitions. The annotation can be added to the class to store all attributes in SOLR. arveo will automatically create the required fields in the SOLR schema. All entities of one tenant will be stored in a single collection in SOLR. To avoid name collisions, the names of the fields in SOLR will consist of the name of the type definition and the name of the attribute, separated by a dot. For example, an attribute called "name" in a type definition called "invoice" would be named "invoice.name".

It is also possible to store fulltext data of the content of documents in SOLR. For this, set the fulltextExtraction attribute of the @ContentElement annotation to true (see Content Elements). The fulltext data of the content elements will be stored in a field called <typeDefinitionName>.<contentElementName>.fulltext in SOLR. This field can be used in queries just like any other field.

The fulltext extraction is performed by the document conversion service. Which types of content are supported for fulltext extraction depends on the active plugins of the document conversion service. The open source plugins contained in the document conversion service project support fulltext extraction for PDFs with text content and Microsoft Office documents. The mime type of a content element is required for the fulltext extraction. By default, the mime type is contained in the metadata of a content element. When the content element is stored in a separate field on the database, the mime type is not available in the metadata but it can be defined in the @ContentElement annotation. If the mime type is set to the default value (application/octet-stream), the service will try to auto-detect the mime type.

The arveo API provides methods to perform queries in SOLR. The methods use the EQL just like the regular search methods that perform queries on the relational database. There are some EQL features that are not supported when searching in SOLR:

The behavior of the supported query expressions is dependent from the configuration of the field in SOLR. For example, a text field with a tokenizer that splits text by whitespaces will deliver different results for equality expressions than a text field without such a tokenizer.

To perform a query in SOLR for one specific type definition, use the getNoSqlSearchService method of the service client for the type definition. In the following example, this method is used to find an entity by it’s ID in SOLR:

The next example shows how to search in the fulltext data stored in SOLR.

To search for values in a specific field, the correct field name must be used in the context reference. The auto- generated name constant classes for the type definition interfaces contain a helper method to compute the name. The following example shows how to use this method to search in a specific field of an entity.

When using the getNoSqlSearchService method, the query performed in SOLR will automatically be limited to entities belonging to one single type definition. To search for entities in multiple type definitions, the method de.eitco.ecr.sdk.SearchClient.searchServiceForNoSql can be used.

arveo creates a special multi-valued field called ecr_attributes in SOLR. When a getter (or an entire interface) is annotated with @NOSql(combinedSearch = true), the attribute of the getter (or all attributes of the interface) will be copied in this field. The ecr_attributes field is of type string. The values of the attributes copied into this field, will be converted automatically by SOLR.

The ecr_attributes field can be used for a combined search of all attribute values. This makes it possible to provide a search method where the user does not need to know the name of the attribute to search for:

It is possible to copy the extracted fulltext data of content elements to the combined ecr_attributes field, too. To do so, configure the respective content element as shown below:

The relevant settings are textCombinedSearch=true, which enables the copying of the extracted fulltext data. The textCombinedSearchLimit setting limits the number of characters to copy. This makes it possible to reduce the size of the SOLR index. A value of 0 means no limit.

Relations between entities can be described using relation type definitions. While those relations can be easily resolved in the relational database, NoSQL databases like SOLR are not designed to support a relational data model as shown in the following diagram:

It is still possible to search for Parent entities by the IDs of the related Child entities in SOLR using arveo. To make this possible arveo stores the IDs of the Child entities related to a Parent entity in a multi value field in SOLR. To enable this feature, the type definition interface of the Parent type must be annotated with @NOSqlResolvedRelations. The annotation requires a parameter containing the type definition classes of the relations to store in Solr.

The following example shows how to search for entities by related child IDs:

Currently, there is no automated way to rebuild the SOLR index. If the data in SOLR was lost or corrupted, it can be rebuilt using the NOSql queue tables of the affected type definitions.

When an entity is added or updated in a type definition that is annotated with @NOSql, an entry for this entity is added to a queue table by a trigger on the database. This queue table is named like the main table for the type definition with a _nq suffix. So for example, if the main table is called my_type_definition, the queue table would be called my_type_definition_nq. It contains a column for each attribute that is supposed to be contained in SOLR and the following system fields: