System Requirements, Application Deployment, and Security Best Practices

Web Browsers

• 1366×768 minimum screen resolution
• We support Google Chrome:
  • We cannot guarantee the performance on Mozilla Firefox, Microsoft Edge, and Apple Safari, but to get the best possible experience, Progeny recommends using a browser that has full HTML-5 compatibility (Chrome, Firefox, Edge). Progeny Web is not compatible with mobile devices.
  • Apple Safari for Windows is not supported. Internet Explorer (all versions) is not supported. Internet Explorer mode in Microsoft Edge is not supported.

The remainder of this article outlines the hardware, software, and storage requirements for deploying Progeny on Windows Server 2019/2022 and Rocky Linux 9 for on-premise installations. It includes partitioning recommendations, security best practices, and deployment guidelines for both consolidated and separated deployments. 

Support Operating Systems

• Windows Server: 2019, 2022
• Linux: Rocky Linux 9

Software Requirements

Web Server Components and Pre-Installation Requirements

• Apache Tomcat: Version 9.0.xx (for web application hosting)
• Java Runtime Environment (JRE): Version 8 (Required for Tomcat)
• SSL Certificate: Required for secure connections (no support for non-SSL installations)
• Ports:
  • 443 (HTTPS) (Required)
  • 8080 (Internal for Tomcat, redirected to 443 externally)

Database Server Components

• MySQL: Latest stable version (Primary database engine)
• MySQL Workbench: Latest stable version (Recommended for DB management)
• Ports:
  • 3306 (MySQL, allow only from trusted sources)

Hardware Requirements

Windows Server 2019/2022:

• CPU: 2-core 2.0 GHz+ (x64)
• RAM: 4 GB minimum
• Storage: 40 GB HDD/SSD
• Network: 1 Gbps NIC

Rocky Linux 9:

• CPU: 2-core 1.8 GHz+ (x86_64)
• RAM: 2 GB minimum
• Storage: 20 GB HDD/SSD
• Network: 1 Gbps NIC

Recommended Hardware Based on User Load (Web Environment)

Consolidated Installation (Web and Database on the Same Server)

Best for smaller deployments or customers without a dedicated database server.

Small Deployment (1-5 Users)

• CPU: 4-core (Windows) / 2-core (Linux)
• RAM: 8 GB (Windows) / 4 GB (Linux)
• Storage: 100 GB SSD or 300 GB 15K HDD

Medium Deployment (5-15 Users)

• CPU: 6-core (Windows) / 4-core (Linux)
• RAM: 16 GB (Windows) / 8 GB (Linux)
• Storage: 250 GB SSD or 500 GB 15K HDD

Large Deployment (15+ Users)

• CPU: 8-core (Windows) / 6-core (Linux)
• RAM: 32 GB (Windows) / 16 GB (Linux)
• Storage: 500 GB SSD or 1 TB 15K HDD

Separated Installation (Web and Database on Different Servers)

Best for performance optimization, scalability, or larger deployments. With Separated deployments focus can be placed on larger Database needs with smaller user requirements. A mix of Web and Database server options can be utilized to best suit the need.

Web Server Requirements

• Small (1-15 Users): CPU: 2-core (Linux) / 4-core (Windows), RAM: 8 GB, Storage: 60 GB SSD / 180 GB 15K HDD
• Medium (15-30 Users): CPU: 4-core (Linux) / 6-core (Windows), RAM: 12 GB, Storage: 100 GB SSD / 300 GB 15K HDD
• Large (30+ Users): CPU: 6-core (Linux) / 8-core (Windows), RAM: 16-24 GB, Storage: 250 GB SSD / 500 GB 15K HDD

Database Server Requirements

• Small: CPU: 4-core (Linux/Windows), RAM: 8 GB, Storage: 150 GB SSD / 300 GB 15K HDD
• Medium: CPU: 6-core (Linux/Windows), RAM: 16 GB, Storage: 250 GB SSD / 500 GB 15K HDD
• Large: CPU: 8-core (Linux/Windows), RAM: 32 GB, Storage: 500 GB SSD / 1 TB 15K HDD

Storage Recommendations (MySQL Database Storage Needs)

• Database Storage: In most situations a Maximum DB allocation of 500GB is sufficient.
  Typical use under 150GB, even with multiple DBs.
• Web Server Storage: Small footprint, typically under 100GB.
• SSD Recommended: For faster IOPS, better performance, and lower latency.
• HDD Option: 15K RPM drives available for users prioritizing capacity over speed.
• Storage Separation (Separated Physical Disk):
  • Database Files → Dedicated SSD or high-speed storage.
  • Logs → Separate partition to prevent excessive disk I/O.
  • Application Binaries → Installed in /opt (Linux) or D:\WebApp\ (Windows).

Security Best Practices for Both Deployment Models

Windows Server Best Practices

• Drive Configuration: (Separate Physical Disk)
  • C:\ → OS
  • D:\WebApp\ → Application files
  • E:\MySQLData\ → MySQL database
  • F:\Logs\ → Logs
• Security Hardening:
  • Enable Windows Firewall and allow only required ports.
  • Set SSL/TLS 1.2+ for Tomcat.
  • Apply NTFS permissions carefully on D:\ and E:.
  • Disable unnecessary services and restrict remote access.

Rocky Linux Best Practices

• Partitioning Scheme:
  • / → 20-40 GB (OS and base applications)
  • /var → 40+ GB (Application logs and MySQL data)
  • /opt → 20-50 GB (Tomcat and application-specific installs)
  • Swap → 2x RAM (max 16GB)
• Security Hardening:
  • Disable root SSH login (PermitRootLogin no).
  • Restrict SSH to specific IP addresses.
  • Enable firewalld and only allow required ports.
  • Enable automatic security updates (dnf-automatic).
  • Configure SELinux in enforcing mode.
    • Use fail2ban to prevent brute-force attacks.
  • Harden MySQL by disabling remote root login and enforcing strong passwords.

Running Services with Domain Service Accounts on Windows Server (Best Practices & Implementation Guide)

This guide provides step-by-step instructions and best practices for configuring domain service accounts to run Apache Tomcat and MySQL on a Windows Server that is part of a domain.

Overview

In a Windows Server domain environment, it is best practice to run services using domain-based service accounts instead of local system accounts. This approach:

• Enhances security by granting only necessary permissions.
• Supports centralized management via Active Directory (AD).
• Allows easier auditing and password management.

Creating Domain Service Accounts for Tomcat & MySQL

Recommended Service Accounts

Note: Replace DOM\ with your actual domain name.

Creating the Service Accounts in Active Directory

1. Log into your AD Domain Controller.
2. Open Active Directory Users and Computers (dsa.msc).
3. Right-click on the Organizational Unit (OU) where you want to create the service accounts → New → User.
4. Enter the following details:
   • User logon name: tomcat_svc (for Tomcat) or mysql_svc (for MySQL).
   • Full name: Tomcat Service Account (or MySQL Service Account).
5. User logon name (pre-Windows 2000): tomcat_svc or mysql_svc.
6. Set an initial password, then select:
   • User cannot change password
   • Password never expires (Recommended for service accounts)
7. Finish the setup and repeat for the mysql_svc account.

Assigning Proper Permissions to the Service Account

Permissions for Apache Tomcat Service Account (DOM\tomcat_svc)

The tomcat_svc account needs permissions to:

• Run as a service
• Access the Tomcat installation directory (D:\WebApp)
• Read SSL certificates (if stored in the Windows certificate store)

Steps to Grant ‘Log on as a Service’ Permission

1. Open Local Security Policy (secpol.msc) on the Windows Server.
2. Navigate to Local Policies → User Rights Assignment.
3. Find Log on as a service → Right-click → Properties.
4. Add DOM\tomcat_svc → Click OK.

Steps to Set File System Permissions

1. Navigate to D:\WebApp\ (or wherever Tomcat is installed).
2. Right-click → Properties → Security → Edit.
3. Add DOM\tomcat_svc and grant:
   • Read & Execute (for security)
   • Modify (if Tomcat writes logs to its installation directory)

Steps to Assign the Service Account to the Apache Tomcat Service

1. Open Services (services.msc).
2. Find Apache Tomcat → Right-click → Properties.
3. Under the Log On tab:
   • Select ‘This account’
   • Enter DOM\tomcat_svc and its password.
4. Click Apply → OK.
5. Restart the Tomcat service to apply changes.

Permissions for MySQL Service Account (DOM\mysql_svc)

The mysql_svc account requires:

• Log on as a service permission
• Full control of MySQL data directory (E:\MySQLData)
• Access to the MySQL executable (C:\Program Files\MySQL)

Steps to Grant ‘Log on as a Service’ Permission

1. Follow the same steps as Tomcat (secpol.msc → User Rights Assignment → Log on as a service).
2. Add DOM\mysql_svc.

Steps to Set File System Permissions for MySQL

1. Navigate to E:\MySQLData\ (or MySQL’s data directory).
2. Right-click → Properties → Security → Edit.
3. Add DOM\mysql_svc and grant:
   • Full Control (required for MySQL to write data).
4. Navigate to MySQL installation directory (C:\Program Files\MySQL).
5. Repeat step 3, but grant only:
   • Read & Execute permissions.

Steps to Assign the Service Account to MySQL

1. Open Services (services.msc).
2. Find MySQL → Right-click → Properties.
3. Under the Log On tab:
   • Select ‘This account’
   • Enter DOM\mysql_svc and its password.
4. Click Apply → OK.
5. Restart the MySQL service to apply changes.

Best Practices for Managing Service Accounts in Active Directory

General Security Guidelines

• Use a dedicated OU for service accounts in Active Directory to apply Group Policy settings.
• Deny interactive logon to prevent these accounts from being used to log into servers interactively.
• Use long, randomly generated passwords (if you’re not using managed service accounts).
• Monitor service account logins using Event Viewer (Event ID 4624, 4625, 4776).
• Enable Kerberos authentication instead of NTLM where possible.

Using Group Policies to Enforce Restrictions

To prevent unauthorized login, apply a Group Policy Object (GPO):

1. Open Group Policy Management (gpmc.msc).
2. Create a new GPO (e.g., Service Account Restrictions).
3. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
4. Deny log on locally → Add DOM\tomcat_svc and DOM\mysql_svc.
5. Apply the policy to servers where these accounts exist.

Additional Considerations

Using Managed Service Accounts (MSAs) Instead of Traditional Service Accounts

• Group Managed Service Accounts (gMSAs) eliminate the need for manually updating passwords.
• If Windows Server 2012+ and AD 2012+, consider using gMSAs for MySQL and Tomcat.
• To create a gMSA, use PowerShell:
• New-ADServiceAccount -Name gMSA_MySQL -DNSHostName myserver.domain.com
  • PrincipalsAllowedToRetrieveManagedPassword “Domain Servers”

Auditing and Monitoring

• Enable audit policies in AD and Windows Security Logs.
• Set up alerts for failed login attempts on service accounts.
• Use SIEM tools to detect unusual service account activity.

Following this guide ensures secure, scalable, and well-managed domain service accounts for Apache Tomcat and MySQL. By following least privilege access principles, using dedicated service accounts, and applying audit policies, you can maintain security while optimizing performance.