Configure ARIS server

After the ARIS server installation has completed on a Linux operating system, the aris10 user is locked and has no password. Command-line tools (sh files), such as ARIS server Administrator or ARIS Cloud Controller, can only be started by the aris10 user related to the ARIS agent.

After installation, please check the system. To prevent unauthorized access, you must change initial passwords and optionally define security settings for passwords. Depending on the features you want to use in ARIS, additional modifications are required.

Procedure

  1. Due to the current Tomcat (Ghostcat) vulnerability, block all ports except the load balancer HTTPS port.

  2. If you use an external database management system and you have created empty schemes for additional tenants, you must assign additional tenants to these schemes after the ARIS server setup is completed. The default tenant and the master tenant were assigned automatically.

  3. If you use an external load balancer (LB), you must reconfigure ARIS LB to prevent system failure caused by ARIS brute-force protection.

  4. Make sure that all fonts are available.

  5. To check the installation, start ARIS server.

    To do so, start ARIS Cloud Controller (su -c acc10.sh aris10). If you have changed the ARIS agent's default user credentials during this procedure, you will be prompted for the password you have chosen.

    As the internal ARIS user running all runnables has no root privileges, privileged ports (<1024) cannot be used. To run ARIS under a privileged port, you need to redirect the ports.

  6. Enter startall. This process will take a while.

  7. Enter list to monitor the status of all runnables.

    The state of all runnables represented by their instance IDs is listed. Possible states are:

    • UNKNOWN

      The runnable state is not yet known. This state is shown directly after the ARIS agent was started.

    • STARTING

      The runnable is starting, but this process is not complete yet.

    • STARTED

      The runnable is running.

    • DEACTIVATED

      The runnable is not in use. It has been deactivated manually and can be activated if necessary.

      This runnable is deactivated if ARIS server was installed without ARIS Aware.

    • DOWN

      This runnable started and crashed. The ARIS agent will attempt to automatically restart the runnable momentarily.

    • FAILED

      This runnable has crashed. The ARIS agent has given up trying to restart the runnable.

      If you want more detailed information on health checks, please refer to the ARIS System Monitoring guide. If a runnable does not start properly, read the Basic Troubleshooting guide.

  8. After all runnables have started, open your browser and enter localhost or http://<IP address or fully-qualified host name>:<load balancer port>/#<tenant name>/adminSettings. You must enter the port number only if you have changed or redirected the standard port. The login dialog opens.

  9. Enter the user name superuser and the password superuser. This user only has access to the ARIS Administration of the tenant.

  10. Click OK. ARIS Administration opens.

  11. Click Licenses and check whether the licenses were properly imported during setup. If you have not imported licenses during setup, do so now. For detailed information on license and user management and security settings refer to the Manage ARIS online help chapter.

  12. Click User management. The list of users is displayed. It contains all default users.

  13. Make sure to assign all required license privileges to the system user, such as ARIS Designer. Otherwise, the system user cannot perform administrative actions, such as running scheduled reports. For detailed information on license and user management and security settings refer to the Manage ARIS online help chapter.

  14. Change all default passwords and customize the password policy (see Configure user management).

    Warning

    To prevent unauthorized access to the ARIS system, after installation or data migration, always change the default passwords of all users that are automatically created (arisservice user, guest user, system user, superuser user) on all operational tenants, as well as on the infrastructure tenant (master). It is mandatory to provide administrator permissions to different users and/or make sure to not lose the superuser's password. Otherwise, the system will not allow administrator access. If you did not change the ARIS agent user's credentials during the setup process, please at least change the ARIS agent user's password manually.

    'system' user

    The system user is created automatically. By default, the system user has all function privileges. This user can log in to Process administration, ARIS Administration, User Management, and ARIS Process Board. In ARIS Designer and ARIS Designer, this user has all access privileges for all database groups of all databases. This user only uses up a license if a license privilege is activated for this user. The default password is manager. You should change the default password to prevent unauthorized access. You can change all user data except for the user name.

    Having more than one system user can avoid problems if, for example, your single system user has forgotten his password. You can create additional system users or copy the existing system user. If your only system user was deleted accidentally, create a new one by using the superuser. The user can only be deleted individually. Enable the Generate, if not available option (Application launcher > Administration > Configuration > User management > Users) so that the user is automatically generated again at startup with the last saved password.

    'superuser'

    The user superuser is created automatically. By default, this user is assigned the User management, License management, and Configuration administrator function privileges. This user can also enable this function privilege for other users. Users of the superuser type do not use up a license. They manage the system administration, but cannot use ARIS products due to license restrictions. The default password is superuser. You should change the default password to prevent unauthorized access. The password of the superuser is very important, as it is the only user who cannot be deleted. You can change all user data except for the user name. The superuser can recreate the other default users (system, arisservice, guest) if they were deleted.

    'arisservice' user

    The user arisservice is created automatically. By default, this user is assigned the Database administrator and Process Governance administrator function privileges. This user only uses up a license if a license privilege is activated for this user. The default password is arisservice. You should change the default password to prevent unauthorized access. You can change all user data except for the user name. The user can only be deleted individually. Enable the Generate, if not available option (Application launcher > Administration > Configuration > User management > Users) so that the user is automatically generated again at startup with the last saved password.

    'guest' user

    The user guest is created automatically. By default, no function or license privileges are assigned to this user. This user serves technical purposes only. It is not for use by end users. Logging in to ARIS or other Software AG products with this user is not allowed. Further information is available in the Software AG license terms (http://softwareag.com/licenses). The user can only be deleted individually. Enable the Generate, if not available option (Application launcher > Administration > Configuration > User management > Users) so that the user is automatically generated again at startup with the last saved password.

    By default, the elastic_<s, m, or l> runnable (Elasticsearch) uses generic user credentials required for communication with other ARIS runnables. You can check and change the user name and the password if required.

  15. Create users or import LDAP users and assign privileges and licenses for the default tenant. For detailed information on user management and security settings refer to the Manage ARIS online help chapter.

    If you have created additional tenants, users and licenses must be managed for each additional tenant.

  16. Create additional system users and superusers for each tenant holding all required administrator permissions. This will allow access to the ARIS system in case of password loss.

  17. Optionally customize the password policy. You can define passwords to expire after a period of time, define length or strength of a password or you can force users to change their passwords before first login.

  18. If you use functionalities and extension packs as listed, you must customize ARIS accordingly.

    • To provide ARIS for SAP® Solutions, refer to the ARIS for SAP Solutions document (see \documents\4 Administration\41 Basic).

    • To make dashboards available, refer to the online help (see ARIS online help: Use ARIS > Use dashboard).

  19. Click Logout.

  20. Send the URL https://<IP address or fully-qualified host name>:<load balancer port>/#<tenant name>/home to all users.

ARIS server is installed and running.

You can stop ARIS server using the Stop ARIS server link in the Windows start menu or enter stopall in the ARIS Cloud Controller (see ARIS Cloud Controller (ACC) Command-line Tool).
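
The port restriction in step 1 can be verified on the host while the runnables are started. The following script is an added example, not part of the ARIS documentation or tooling: it reads the output of ss -H -tln and reports every TCP listener that is neither bound to loopback nor the load balancer HTTPS port. Port 443 and the sample listeners are constructed for illustration and are not ARIS defaults.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the rule
# "only the load balancer HTTPS port may be reachable".

# exposed_listeners ALLOWED_PORT
# Reads `ss -H -tln` output on stdin; prints "address port" for each
# listener that is not loopback-only and is not ALLOWED_PORT.
exposed_listeners() {
    awk -v allowed="$1" '
        $1 == "LISTEN" {
            la = $4                          # local address:port column
            n = match(la, /:[0-9]+$/)        # port follows the last colon
            if (n == 0) next
            port = substr(la, n + 1)
            addr = substr(la, 1, n - 1)
            sub(/%.*$/, "", addr)            # drop interface scope (%lo)
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (port == allowed) next
            print addr, port
        }'
}

# audit_ports ALLOWED_PORT: returns 0 when nothing else is exposed.
audit_ports() {
    found=$(exposed_listeners "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'Listeners besides port %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Constructed sample of `ss -H -tln` output (not captured from ARIS).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      100                *:8009             *:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128             [::]:14201         [::]:*
LISTEN 0      128            [::1]:9200          [::]:*
EOF
}

# Demo on the sample; on a live host: ss -H -tln | audit_ports 443
sample_ss_output | audit_ports 443 || true
```

Each listener the script reports is bound to a non-loopback address, so it is reachable unless a host or network firewall drops traffic to it. Administrative access such as SSH is reported as well and should be restricted to a management network.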