Strict Mode

Updated: November 15, 2024

This page gives all the necessary steps to install the Retention Management addon in strict mode.

Prerequisites

Using the Retention Management addon requires storing files in Amazon S3. Other cloud platforms or storage options are not supported.

Installation

This addon requires no specific installation steps. It can be installed like any other package, with the nuxeoctl command line or from the Marketplace.

Configuration

Nuxeo Server

In strict mode, the Nuxeo Retention Management addon requires disabling the attachments, versioning, and comments features.

This is done by adding the parameter nuxeo.retention.strictmode.enabled=true to the server's nuxeo.conf.

This must be done prior to any usage of the Nuxeo instance to guarantee data consistency.

Since LTS 2021 HF41, this property replaces and supersedes the property nuxeo.retention.compliance.enabled: if both are set, the value of nuxeo.retention.strictmode.enabled will be used.

Amazon S3

In strict mode, Nuxeo Platform with the Nuxeo Retention Management addon requires the use of 2 Amazon S3 buckets:

  • A standard S3 bucket, as for any other standard Nuxeo instance: this bucket is used to store the standard documents. You can refer to the Amazon S3 Online Storage documentation to configure this bucket.

  • An S3 bucket dedicated to the records, configured with Object Lock in Compliance mode: this bucket is used to store the records only.

Amazon S3 Configuration Requirements

Compliance with SEC Rule 17a-4 requires configuring Nuxeo Platform to use Amazon S3 Compliance Buckets to store records required by regulation, thereby establishing the foundation for meeting the requirements of the Rule.

Specifically:

  • Direct writes to the Amazon S3 storage system must be disabled, to ensure all documents transit through Nuxeo Platform for compliant processing.

  • The Amazon S3 Object Lock feature must be enabled in Compliance Mode on the bucket intended to store objects that are marked as final records.

  • Amazon S3 Versioning must be enabled (it is automatically enabled when enabling Object Lock).

  • The default retention value for Amazon S3 Compliance Buckets intended to retain compliant record objects must not be set (or at least set to zero).

  • No Min/Max range should be established for Amazon S3 Compliance Buckets intended to retain compliant record objects.

  • Amazon S3 Lifecycle Policies must not be configured for use within the Nuxeo Platform storage subsystem.
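The Object Lock, versioning, default retention and lifecycle requirements above can be checked mechanically. The following is an added example, not Nuxeo code: `check_records_bucket` is a hypothetical helper that evaluates dicts shaped like the S3 API responses, and the sample responses are constructed. It does not cover the direct-write restriction or the Min/Max range.

```python
# Added example. Inputs are dicts shaped like the S3 API responses for
# GetObjectLockConfiguration, GetBucketVersioning and
# GetBucketLifecycleConfiguration; pass None where S3 reports no configuration.

def check_records_bucket(object_lock, versioning, lifecycle):
    """Return findings for a records bucket; an empty list means it passes."""
    findings = []
    lock = (object_lock or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    default = lock.get("Rule", {}).get("DefaultRetention", {})
    if default.get("Days", 0) or default.get("Years", 0):
        findings.append("a default retention period is set; it must be unset or zero")
    if (versioning or {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    # The page forbids lifecycle policies outright, so any rule is a finding.
    for rule in (lifecycle or {}).get("Rules", []):
        findings.append(f"lifecycle rule configured: {rule.get('ID', '<no id>')}")
    return findings

# Constructed responses: a bucket that meets the requirements.
GOOD = dict(
    object_lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    versioning={"Status": "Enabled"},
    lifecycle=None,
)
# Constructed responses: an ordinary bucket without Object Lock or versioning.
NO_LOCK = dict(
    object_lock=None,
    versioning={},
    lifecycle={"Rules": [{"ID": "expire-old", "Status": "Enabled",
                          "Expiration": {"Days": 365}}]},
)
# Constructed responses: Object Lock enabled, but with a default retention rule.
DEFAULT_RETENTION = dict(
    object_lock={"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
    versioning={"Status": "Enabled"},
    lifecycle=None,
)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("NO_LOCK", NO_LOCK),
                         ("DEFAULT_RETENTION", DEFAULT_RETENTION)):
        print(name, check_records_bucket(**sample))
```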

Configure the Records Bucket in Amazon S3 Online Storage

Through XML Configuration File

Once the standard Amazon S3 bucket is set up as described in Amazon S3 Online Storage, you have to add an XML extension file that configures the bucket dedicated to the records and how files are dispatched to each bucket (documents vs. records):

  • The file has to be added into $NUXEO_HOME/nxserver/config
  • The file name must end with -config.xml
  • The file must contain a specific component name:
<component name="records-s3-compliance">
  • The file must contain a blob manager extension with the configuration of the S3 bucket dedicated to the records and the following parameters:
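<extension target="org.nuxeo.ecm.core.blob.BlobManager" point="configuration">
    <blobprovider name="records">
      <class>org.nuxeo.ecm.blob.s3.S3BlobProvider</class>
      <property name="record">true</property>
      <!-- S3 bucket properties go here, as in the complete example below -->
    </blobprovider>
</extension>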
  • The file must contain a blob dispatcher extension as described here:
<extension target="org.nuxeo.ecm.core.blob.DocumentBlobManager" point="configuration">
    <blobdispatcher>
      <class>org.nuxeo.ecm.core.blob.DefaultBlobDispatcher</class>
      <property name="records">records</property>
      <property name="default">default</property>
    </blobdispatcher>
</extension>

The configuration provided here is applicable for use with the Nuxeo Retention addon in strict mode. Please refer to the appropriate examples if you picked the standard mode.

Complete XML extension file example:

<?xml version="1.0"?>
<component name="records-s3-compliance">

  <require>default-repository-config</require>

  <extension target="org.nuxeo.ecm.core.blob.BlobManager" point="configuration">
    <blobprovider name="records">
      <class>org.nuxeo.ecm.blob.s3.S3BlobProvider</class>
      <property name="record">true</property>
      <property name="awsid">${nuxeo.s3storage.awsid}</property>
      <property name="awssecret">${nuxeo.s3storage.awssecret}</property>
      <property name="awstoken">${nuxeo.s3storage.awstoken}</property>
      <property name="bucket">Your S3 bucket for records</property>
      <property name="region">${nuxeo.s3storage.region}</property>
      <property name="endpoint">${nuxeo.s3storage.endpoint}</property>
      <property name="pathstyleaccess">${nuxeo.s3storage.pathstyleaccess}</property>
      <property name="accelerateMode">${nuxeo.s3storage.accelerateMode}</property>
      <property name="bucket_prefix">Prefix for your S3 bucket for records</property>
      <!-- minimum file age, in seconds, before a file can be removed from the cache when the maximum cache size is reached; default is 3600 -->
      <property name="cacheminage">60</property>
      <property name="cachesize">100MB</property>
      <property name="connection.max">50</property>
      <property name="connection.retry">3</property>
      <property name="connection.timeout">50000</property>
      <property name="socket.timeout">50000</property>
    </blobprovider>
  </extension>

  <extension target="org.nuxeo.ecm.core.blob.DocumentBlobManager" point="configuration">
    <blobdispatcher>
      <class>org.nuxeo.ecm.core.blob.DefaultBlobDispatcher</class>
      <property name="records">records</property>
      <property name="default">default</property>
    </blobdispatcher>
  </extension>
</component>
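
The requirements listed above for the extension file (file name suffix, component name, a `records` blob provider flagged `record=true`, and the dispatcher mapping) can be verified before the file is deployed. The following is an added example, not Nuxeo code: `props` and `check_contribution` are hypothetical helper names, and both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Added example; props() and check_contribution() are hypothetical helper names.
def props(element):  # map <property name="..."> children to their text
    return {p.get("name"): (p.text or "").strip() for p in element.findall("property")}

def check_contribution(filename, xml_text):
    """Return findings for a records contribution; an empty list means it passes."""
    findings = []
    if not filename.endswith("-config.xml"):
        findings.append("file name does not end with -config.xml")
    root = ET.fromstring(xml_text)
    if root.tag != "component" or root.get("name") != "records-s3-compliance":
        findings.append("component name is not records-s3-compliance")
    provider = root.find("./extension[@target='org.nuxeo.ecm.core.blob.BlobManager']"
                         "/blobprovider[@name='records']")
    if provider is None:
        findings.append("no blobprovider named 'records'")
    else:
        if provider.findtext("class") != "org.nuxeo.ecm.blob.s3.S3BlobProvider":
            findings.append("records provider is not an S3BlobProvider")
        if props(provider).get("record") != "true":
            findings.append("records provider lacks record=true")
    dispatcher = root.find("./extension[@target='org.nuxeo.ecm.core.blob.DocumentBlobManager']"
                           "/blobdispatcher")
    rules = props(dispatcher) if dispatcher is not None else {}
    if rules.get("records") != "records" or rules.get("default") != "default":
        findings.append("dispatcher must map records->records and default->default")
    return findings

# Constructed sample, shortened from the complete file shown above.
GOOD = """<component name="records-s3-compliance">
  <extension target="org.nuxeo.ecm.core.blob.BlobManager" point="configuration">
    <blobprovider name="records">
      <class>org.nuxeo.ecm.blob.s3.S3BlobProvider</class>
      <property name="record">true</property>
    </blobprovider>
  </extension>
  <extension target="org.nuxeo.ecm.core.blob.DocumentBlobManager" point="configuration">
    <blobdispatcher>
      <class>org.nuxeo.ecm.core.blob.DefaultBlobDispatcher</class>
      <property name="records">records</property>
      <property name="default">default</property>
    </blobdispatcher>
  </extension>
</component>"""
# Constructed misconfiguration: record flag dropped, records sent to the default provider.
BAD = (GOOD.replace('<property name="record">true</property>', "")
           .replace('name="records">records<', 'name="records">default<'))
```

With the constructed `BAD` sample, records would be dispatched to the standard bucket, which is not protected by Object Lock.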

Through nuxeo.conf Properties

Alternatively, you can add the s3retention template to the nuxeo.templates property in your nuxeo.conf file:

nuxeo.templates=default,s3binaries,retention,s3retention

This will enable the s3-retention-config.xml, which lets you define these properties in your nuxeo.conf file:

  • nuxeo.retention.s3storage.bucket (required)
  • nuxeo.retention.s3storage.bucket_prefix (optional)
  • nuxeo.retention.s3storage.awsid (fallback on nuxeo.s3storage.awsid)
  • nuxeo.retention.s3storage.awssecret (fallback on nuxeo.s3storage.awssecret)
  • nuxeo.retention.s3storage.awstoken (fallback on nuxeo.s3storage.awstoken)
  • nuxeo.retention.s3storage.region (fallback on nuxeo.s3storage.region)
  • nuxeo.retention.core.blobstore.digestAsync (fallback on nuxeo.core.blobstore.digestAsync)
  • nuxeo.retention.s3storage.cacheminage (fallback on nuxeo.s3storage.cacheminage)
  • nuxeo.retention.s3storage.cachesize (fallback on nuxeo.s3storage.cachesize)
  • nuxeo.retention.s3storage.cachecount (fallback on nuxeo.s3storage.cachecount)
  • nuxeo.retention.s3storage.connection.max (fallback on nuxeo.s3storage.connection.max)
  • nuxeo.retention.s3storage.connection.retry (fallback on nuxeo.s3storage.connection.retry)
  • nuxeo.retention.s3storage.connection.timeout (fallback on nuxeo.s3storage.connection.timeout)
  • nuxeo.retention.s3storage.socket.timeout (fallback on nuxeo.s3storage.socket.timeout)
  • nuxeo.retention.s3storage.endpoint (fallback on nuxeo.s3storage.endpoint)
  • nuxeo.retention.s3storage.pathstyleaccess (fallback on nuxeo.s3storage.pathstyleaccess)
  • nuxeo.retention.s3storage.accelerateMode (fallback on nuxeo.s3storage.accelerateMode)