--- alias: installation-guide-installation description: "This guide outlines the step-by-step process to install Critical Manufacturing MES within an existing OpenShift v4.18 cluster using the DevOps" --- # Installation Installing Critical Manufacturing MES is a streamlined process carried out directly through the [Critical Manufacturing DevOps Center](https://portal.criticalmanufacturing.com/DevOpsCenter), available from the [Critical Manufacturing Customer Portal](https://portal.criticalmanufacturing.com/Home). This environment provides a centralized, guided experience designed to help you deploy, configure, and maintain your MES landscape with confidence. In the section below, you'll find a step-by-step overview of how to perform a full installation of the core MES platform. Additional details on optional modules and complementary components are also provided, allowing you to tailor your installation to the needs of your operation. !!! info If you're looking for broader information on prerequisites, architecture, or infrastructure-related topics, be sure to explore the comprehensive [DevOps Center documentation](https://portal.criticalmanufacturing.com/Help/devops-center/), which offers deeper insights into setup, best practices, and system administration. In this guide you are going to create an MES Customer Environment in an existing Customer Infrastructure with an Infrastructure Agent already deployed and connected to the DevOps Center. Let's consider the Infrastructure Agent with version 11.3.0. This example is configured for an OpenShift v4.18 cluster. ## Step 1: Create an Environment 1. Load the **Environments section** in the main page of the Customer Infrastructure and select **Create**. This opens a transaction wizard. ![Screenshot showing the "Create" button on the Environments section of the Customer Infrastructure main page.](images/installationGuide/create_env_button.png) 1. Set a **Name**, a **Type** and a **Site**. Select **Create**. ![Screenshot showing an environment creation form with fields for "Name", "Type", and "Site".](images/installationGuide/create_action.png) ## Step 2: Define the Target The Customer Environment is now created in the system and ready to be used. The current page should now be its installation view where it is possible to start configuring. The first step group is named **Target** and is related with the configurations' base package and version, opt-in features and the deployment target. ### Package In the first step, you can define the base package and version along with other metadata. Set the following values and select **Next**: * **Deployment Package** - base package to be used. Since you are installing a Critical Manufacturing MES 11.3.0, set the value to `MES 11.3.0`. * **Configuration Level** - different levels which will have an impact in how many configurations will be asked and are possible to configure. Set to `Advanced` so that you are able to configure everything that is currently possible. * **License** - license for the Critical Manufacturing MES installation. Select an available license. ![Screenshot showing a package selection interface with "License" nearby, illustrating the step to select an available license for the Critical Manufacturing MES installation.](images/installationGuide/step_target_package.png) ### Package Configuration Now configure the base package with opt-in features. These can vary based on the license modules and on the base package and version. The available ones for a Critical Manufacturing MES 11.3.0 are the following: * **External dependencies mode** - different modes for ClickHouse, Kafka, RabbitMQ, and S3. These may be: * **None** - ClickHouse, Kafka, RabbitMQ, and S3 are not installed within the MES stack. These components must be available externally to the MES stack. * **Broker and Storage** - ClickHouse and Kafka are not installed within the MES stack, but RabbitMQ and S3 are installed within MES stack (not recommended for Staging or Production environments). * **All** - ClickHouse, Kafka, RabbitMQ, and S3 are installed within the MES stack (not supported in Staging or Production environments). * **Generative AI** - different modes for Generative AI. These may be: * **None** - the dependencies required to enhance the system with Generative AI capabilities will not be installed. * **Generative AI Infrastructure** - all dependencies required to enhance the system with Generative AI capabilities are installed along with the MES stack. * **Database Mode** - different modes for the database installation. These may be: * **None** - base mode where only the Online database is installed in an external MSSQL Server. * **MES Analytics** - enhanced version of the previous mode where more features are available but an external MSSQL Server is still required. These features are: Operational Data Store (ODS), Data WareHouse (DWH), Reporting and Analysis Services. * **MSSQL Server** - similar to the None mode but instead of relying on an external MSSQL Server, a container is deployed along with the rest of the stack, which runs a containerized version of MSSQL Server. !!! warning The Canonical Data Model (CDM) is only generated when the `MES Analytics` mode is selected. If the installation is performed using any other Database Mode option (without ODS and DWH), Data Platform components will not be deployed, and CDM and cube data will not be available. * **Connect to a central Traefik** - configures the stack's Traefik reverse proxy to not be exposed and instead connect to the Traefik that is included in the Infrastructure Agent. This is very useful as many Customer Environments can be deployed and their only entrypoint is the Infrastructure Agent's Traefik reverse proxy, which means less open inbound ports and less networking configurations. When creating a Customer Environment in a Customer Infrastructure with an Infrastructure Agent, this option will be selected by default. To exemplify the feature, keep the **Database mode** set to `MES Analytics`, the **External dependencies mode** set to `None` and the opt-in feature **Connect to a central Traefik** set to `true` since you have an Infrastructure Agent configured and running. Set the values as shown in the example below and select **Next**. ![Screenshot showing a package configuration example with two packages listed, "Package Congueion" and "Package Conpraon".](images/installationGuide/step_target_package_configuration.png) ### Target Set the Target to `OpenShift Remote` as you are using OpenShift as your remote Deployment Target. Select **Next**. ### License Read and Understand all the licenses that are displayed and select **Next**, which advances to the next step group, **Configuration**. ## Step 3: Configuration By now, the base application and its features are set. Before starting the deployment process, you need to configure the base application and features with the required data. The following steps address the available configurations for each different part of the system. Bear in mind that the Configuration Level and License have an impact on how many steps and parameters are shown along with the available Critical Manufacturing MES features. !!! note For configuration purposes, the character double quotes ( **"** ) is not allowed to be inserted on input fields. ### General Data In this wizard, you should add the general information regarding the system, such as: 1. **Details** * **System Name** - name of the system. Also used to set the database(s) name(s). * **Tenant Name** - tenant name of the system. Must not contain blank spaces. 2. **Connect IoT** * **Storage Retention Time** - how long the raw IoT data is retained in storage before being automatically deleted. 3. **Access Information** * **Application Public HTTP Address** - public HTTP address to access the environment. Remember that when using Domain Name System (DNS) providers or Transport Layer Security (TLS) via certificates, such as in the case of an Infrastructure Agent, this field must comply to their specifications, for example, **if configuring a wildcard certificate** for `*.mydomain.com` or using a Cloudflare for that same domain, **this field must be set to** `.mydomain.com`. Do not specify the HTTP Port, since the Agent's Traefik already has the ports 80 and 433 configured and these are the ones that are going to be used. For OpenShift, we should use its native routing mechanism which generally follows the cluster's certificate and domain as well instead of relying on DNS and TLS validation at the Infrastructure Agent or another level. * **Application Public HTTP TLS Enabled** - set to `true` if this environment has TLS enabled. This is just for internal usage, the actual TLS configuration must be set via DNS providers or certificates. 4. **Install Information** * **Package to Install** - root package to be installed by the Environment Manager. If empty, it will use the default base package for the version. This can be set to override and install a different package, for example, a customization package. * **Installation Data Path** - the path that the MSSQL Server can use to access the Installation Data volume. When using an external MSSQL Server, this volume must be a shared location between it and the containers. * **Deployment Mode** - the deployment mode can be Transactional (if the installation fails, the database is guaranteed to be in a stable state and the installation can be retried) or it can be Non-Transactional (if the installation fails, the database is left in an intermediate state and it needs to be restored before retrying, **requiring downtime**. It is much faster than the Transactional mode). 5. **Add Package Source** - defines external sources for retrieving Installation Packages during MES setup. These sources are later referenced by the [Environment Manager](https://help.criticalmanufacturing.com/operationguide/system-administration/container-stack/messtackcomponents/#environment-manager). The Environment Manager uses the configured package sources to download the necessary packages at runtime. If you select the **Add Package Source** button, you must fill in the following information: * **Type** - the type of package source (only NPM is supported). * **Address** - the URL to the NPM repository. * **Username** - the username for accessing the package source. _Applies if authentication is required._ * **Password** - the corresponding password or access token for authentication. _Applies if authentication is required._ ![Screenshot showing a UI with unclear input fields, illustrating the step to configure general data.](images/installationGuide/step_configuration_general_data.png) ### SQL Server Now, add the information regarding database(s) connection(s). 1. **Online** - online database information. * **Address** - database address. _Applies to Database Modes: None and MES Analytics_. * **Port** - database TCP port. _Applies to Database Modes: None and MES Analytics_. **Only set this if the database listens on a fixed non-default port. For named instances, this must be left empty as they use dynamic ports**. * **Username** - database SA user. _Applies to Database Modes: None and MES Analytics_. * **Password** - database SA user password. **Generated when in database mode MSSQL Server**. _Applies to Database Modes: None, MES Analytics and MSSQL Server_. * **File Location** - location where the database files will be persisted. _Applies to Database Modes: None and MES Analytics_. * **Log Location** - location for the Microsoft SQL online database log. _Applies to Database Modes: None and MES Analytics_. * **Encrypt** - encrypted communication with the database can be enforced (Mandatory) or negotiated if requested (Optional). * **Trust Server Certificate** - when disabled and Encrypt is Mandatory (or Optional but the server enforces encryption), the server name in the server's TLS certificate must exactly match the server name specified in the connection string. * **Database Always On Enabled** - whether to enabled Always On mode. _Applies to Database Modes: None and MES Analytics_. **Feature not available with MSSQL Server database mode**. * **External Port** - port to expose the database for remote access. _Applies to Database Modes: MSSQLServer_. 2. **Online Data Store (ODS)** - ODS database information. _Applies to Database Modes: MES Analytics_. * **Address** - database address. If left blank, it will default to the Online database value. * **Port** - database TCP port. If both this and the Address are left blank, it will default to the Online database value. **Only set this if the database listens on a fixed non-default port. For named instances, this must be left empty as they use dynamic ports**. * **Username** - database SA user. If left blank, it will default to the Online database value. * **Password** - database SA user password. If left blank, it will default to the Online database value. * **File Location** - location where database files will be persisted. If left blank, it will default to the Online database value. * **Log Location** - location for the Microsoft SQL online database log. _Applies to Database Modes: None and MES Analytics_. * **Encrypt** - encrypted communication with the database can be enforced (Mandatory) or negotiated if requested (Optional). * **Trust Server Certificate** - when disabled and Encrypt is Mandatory (or Optional but the server enforces encryption), the server name in the server's TLS certificate must exactly match the server name specified in the connection string. 3. **Data WareHouse (DWH)** - DWH database information. _Applies to Database Modes: MES Analytics_. * **Address** - database address. If left blank, it will default to the Online database value. * **Port** - database TCP port. If both this and the Address are left blank, it will default to the Online database value. **Only set this if the database listens on a fixed non-default port. For named instances, this must be left empty as they use dynamic ports**. * **Username** - database SA user. If left blank, it will default to the Online database value. * **Password** - database SA user password. If left blank, it will default to the Online database value. * **File Location** - location where database files will be persisted. If left blank, it will default to the Online database value. * **Log Location** - location for the Microsoft SQL online database log. _Applies to Database Modes: None and MES Analytics_. * **Encrypt** - encrypted communication with the database can be enforced (Mandatory) or negotiated if requested (Optional). * **Trust Server Certificate** - when disabled and Encrypt is Mandatory (or Optional but the server enforces encryption), the server name in the server's TLS certificate must exactly match the server name specified in the connection string. 4. **Analysis Services (AS)** - AS database information. _Applies to Database Modes: MES Analytics_. * **Address** - database address. * **Port** - database TCP port. **Only set this if the database listens on a fixed non-default port. For named instances, this must be left empty as they use dynamic ports**. * **Username** - Windows authentication user. * **Password** - Windows authentication user password. **Example:** ![step configuration database 1](images/installationGuide/step_configuration_database_1.png) ![step configuration database 2](images/installationGuide/step_configuration_database_2.png) ### ClickHouse Add ClickHouse information. _Applies to External dependencies mode: None/Broker and Storage._ 1. **General Data** * **Address** - the hostname or IP address of the ClickHouse server. * **TCP Port** - the TCP port used by ClickHouse. * **HTTP Port** - the HTTP port used by ClickHouse. * **Username** - the username for ClickHouse authentication. * **Password** - the password for ClickHouse authentication. * **Encrypt** - if enabled, the application will wrap all the network traffic into TLS stream. 2. **Users** * **Automatically provision additional ClickHouse users** - if enabled, additional ClickHouse users are automatically created by the system. Advanced users can disable this setting and manage user creation themselves, providing the credentials shown below: * **MES (R/W) Username** - the username for accessing MES datasets with read and write permissions. * **MES (R/W) Password** - the password for the MES (R/W) user. * **Analytics (R) Username** - the username with read-only access to Analytics datasets. * **Analytics (R) Password** - the password for the Analytics (R) user. * **DWH (R) Username** - the username with read-only access to Data Warehouse (DWH) datasets. * **DWH (R) Password** - the password for the DWH (R) user. * **DWH Playground Username** - the Read-only username used to access DWH data via development tools like the ClickHouse Playground. * **DWH Playground Password** - the password for the DWH Playground user. * **Analytics (R/W) Username** - the username with read and write access to Analytics datasets. * **Analytics (R/W) Password** - the password for the Analytics (R/W) user. * **Analytics (R) / DWH (R/W) Username** - the user with read-only access to Analytics and read-write access to DWH datasets. Typically used by hybrid services that both consume and ingest data. * **Analytics (R) / DWH (R/W) Password** - the password for the combined Analytics/DWH user. ![step configuration clickhouse](images/installationGuide/step_configuration_clickhouse.png) ### Dependencies Add the information regarding external MES dependencies. 1. **Kafka** - Kafka information. _Applies to External dependencies mode: None/Broker and Storage._ * **Bootstrap Servers** - the Kafka bootstrap servers. * **Authentication Method** - the authentication method used by Kafka (None, mTLS, SASL_SSL Plain). * **Ssl Certificate Authority** - the certificate authority (CA) file for validating the Kafka server's certificate. _Applies to Authentication Method: mTLS and SASL_SSL Plain_. * **Ssl Certificate** - the public key certificate used for client authentication against Kafka. _Applies to Authentication Method: mTLS_. * **Ssl Key** - the private key certificate used for client authentication against Kafka. _Applies to Authentication Method: mTLS_. * **Validate certificates** - toggle to enable or disable server certificate validation. _Applies to Authentication Method: mTLS_. * **Kafka Username** - the username for Kafka authentication. _Applies to Authentication Method: SASL_SSL Plain_. * **Kafka Password** - the password for Kafka authentication. _Applies to Authentication Method: SASL_SSL Plain_. 2. **RabbitMQ** - RabbitMQ information. _Applies to External dependencies mode: None._ * **Host** - the hostname or IP address of the RabbitMQ server. * **Port** - the port used by RabbitMQ. * **Virtual Host** - the RabbitMQ virtual host name. * **Username** - the username for RabbitMQ authentication. * **Password** - the password for RabbitMQ authentication. * **Use TLS** - toggle to enable or disable TLS for RabbitMQ communication. * **Ssl Certificate** - the public key used for client authentication against RabbitMQ. _Applies to Use TLS: true_. * **Ssl Key** - the private key used for client authentication against RabbitMQ. _Applies to Use TLS: true_. * **Ssl Certificate Authority** - the certificate authority (CA) file for validating the RabbitMQ server's certificate. _Applies to Use TLS: true_. * **Validate Certificate(s)** - toggle to enable or disable server certificate validation. _Applies to Use TLS: true_. 3. **External Storage (S3-compatible)** - S3 information. _Applies to External dependencies mode: None._ * **Address** - the hostname or IP address of the S3-compatible storage service. * **Bucket Name** - the name of the S3 bucket to be used. * **AccessKey Id** - the access key ID for authenticating with the S3-compatible storage. * **Secret Access Key** - the secret access key for authenticating with the S3-compatible storage. * **Use Path Style** - toggle to enable or disable path-style access for S3-compatible storage. **Example:** ![Screenshot showing a toggle button labeled "Path Style" in an S3-compatible storage settings dialog.](images/installationGuide/step_configuration_dependencies_1.png) ![Screenshot showing a UI with options related to enabling or disabling path-style access for S3-compatible storage.](images/installationGuide/step_configuration_dependencies_2.png) ### Security Add the information regarding the Security Portal. 1. **Domain** * **Client Id** - System's Auth Client Id. Defaults to **MES** and cannot be changed. 2. **Active Directory** * **Enable** - whether to enable the Active Directory authentication strategy. * **Domain** - default domain where user information is stored. _Applies if Active Directory is enabled._ * **Address** - AD address to connect. _Applies if Active Directory is enabled._ * **Base DN Address** - base search query. _Applies if Active Directory is enabled._ * **Username** - user to use for searching. _Applies if Active Directory is enabled._ * **Password** - user password to use for searching. _Applies if Active Directory is enabled._ * **Use SSL** - whether to use SSL. _Applies if Active Directory is enabled._ * **Port** - AD port to connect. _Applies if Active Directory is enabled._ * **Validate Certificate** - whether to validate the SSL certificate when establishing a secure connection._Applies if Use SLL is enabled._ **Example:** ![Screenshot showing an active directory with SSL validation settings.](images/installationGuide/step_configuration_security_ad.png) 3. **WebAuthn** * **Enable** - whether to enable the WebAuthn authentication strategy. 4. **Open ID Connect** * **Enable** - whether to enable the OpenID Connect authentication strategy. * **Display Name** - the display name of the strategy in the Security Portal. Defaults to **OpenID**. _Applies if Open ID Connect is enabled._ * **Client ID** - ID of an existing OpenID provider's auth client. _Applies if Open ID Connect is enabled._ * **Metadata URL** - URL of the OpenID provider metadata. _Applies if Open ID Connect is enabled._ * **Extra Scope** - add extra OpenID Connect scope if needed. If empty, the system will use the default scopes. * **Enable Enrollment** - enable or disable user self-enrollment. 5. **Session Options** * **Session Duration** - the duration while a session is still valid for authentication. * **Show Remain Signed In** - whether the option to remain signed in via a session strategy is shown to the user after a login. 6. **CORS (Cross-Origin Resources Sharing)** * **Allowed Origins** - when set, will configure some client containers, such as the UI, Help and Security Portal, with the domains specified here, effectively blocking cross-domain requests by the browser. ### Data Platform Configure the options for the Data Platform. !!! warning This option is only available if your license includes the Data Platform Core module. 1. **Light CDM Events** * **Enabled** - toggle to activate or deactivate Light CDM Events. 2. **UNS** * **Enabled** - toggle to enable or disable UNS integration. * **MQTT Broker Address** - the hostname or IP address of the MQTT broker. _Applies if UNS is enabled._ * **MQTT Broker Port** - the port number used to connect to the MQTT broker. _Applies if UNS is enabled._ * **MQTT Broker Username** - the username used for MQTT broker authentication. _Applies if UNS is enabled._ * **MQTT Broker Password** - the password used for MQTT broker authentication. _Applies if UNS is enabled._ ![step configuration data platform](images/installationGuide/step_configuration_data_platform.png) !!! warning Enabling the Light CDM Events and the UNS options will trigger the deployment of the HouseKeeper CDM Builder Light and the Data Platform UNS Connector containers, respectively. If these containers are not visible in the [Service Resources](#service-resources) step, try refreshing your browser to update the list. ### Reporting Services Reporting Services access information. _Applies to Database Modes: None and MES Analytics_. 1. **Reporting Services** * **Web Portal URL** - URL of the MSSQL Reporting Services Web Portal. * **Web Service URL** - URL of the MSSQL Reporting Services Web Service. * **Username** - user with read and write access for the MSSQL Reporting Services. * **Password** - user password. ![Screenshot showing a Reporting Services interface with a focus on password entry for user authentication.](images/installationGuide/step_configuration_reports.png) ### Cloudflare Configs Add the Cloudflare configuration to be used to create a subdomain for the current Customer Environment. Since we are not using Cloudflare to configure DNS, skip this step. ### Printing Access information of the printing component service or to use a CUPS server. Currently, the service only works in Windows and it is not deployed in a containerized stack. !!! warning It must be installed using the Deployment Framework in a Windows machine. * **Access Information** * **Use CUPS** - Set to true if using a CUPS server. * **Printing Service URL** - URL to a printing service running in a Windows server. _Available if Use CUPS is set to false_. * **CUPS URL** - URL of a CUPS server. _Available if Use CUPS is set to true_. ![Screenshot showing the CUPS URL field, available when "Use CUPS" is enabled.](images/installationGuide/step_configuration_printing.png) ### ECAD Access information of the ECAD component service. Currently, this service only works in Windows and it is not deployed in a containerized stack. !!! warning It must be installed using the Deployment Framework in a Windows machine. * **Access Information** * **HTTP Address** - HTTP address to connect to the ECAD service (deprecated). * **HTTP Port** - HTTP port to connect to the ECAD service (deprecated). * **ECAD Service Endpoints** - Comma-separated list of ECAD service endpoints, example: `http://ecad-server1:5000,http://ecad-server2:6000`. ![Screenshot showing a list of ECAD service endpoints.](images/installationGuide/step_configuration_ecad.png) ### Connect IoT Add the configurations for the Connect Iot module. * **Automation Manager Controller** * **Worker Pool** - defines the pool from which the Automation Manager Controller reads. Only Automation Managers of type `Automatic Deploy` and assigned to this pool will be deployed by the controller. ![Connect IoT configuration step in MES 11.2.0 environment wizard](images/installationGuide/step_configuration_connect_iot.png) ### GenAI Configure the settings required to enable the Generative AI feature. 1. **Validate Certificates** * **Validate Certificates** - if enabled, it validates SSL certificates when making API requests to the selected provider. 2. **Provider** * **Generative AI Provider** - choose the desired provider for the Generative AI. The supported options are: Anthropic, AWS Bedrock, Azure OpenAI, Google, and OpenAI. Depending on the selected Generative AI provider, you must configure the required authentication fields and model options, as detailed below. === "Anthropic" * **API Key** - the Anthropic API key for authentication. * **Models** - the Anthropic model to use. For more information, see [Anthropic models](https://docs.anthropic.com/en/docs/about-claude/models/overview). === "AWS Bedrock" * **Default Region** - The AWS region where the Bedrock service is hosted. * **API Key** - the AWS API key for authentication. * **Models** - the AWS Bedrock model to use. For more information, see [AWS Bedrock models](https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html). !!! note Certain AWS Bedrock models are available in specific Regions only through cross-Region inference. For more information, see the [AWS Bedrock User Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-use.html). === "Azure OpenAI" * **Instance Name** - the name of your Azure OpenAI resource (not the full URL), example: `my-company-openai`. * **API Key** - the Azure OpenAI API key for authentication. * **API Version** - the specific API version to use (example: `2024-02-15-preview`). * **Model** - the Azure OpenAI model to use. For more information, see [Azure OpenAI models](https://learn.microsoft.com/en-us/azure/ai-foundry/foundry-models). * **Deployment Name** - the name of the deployment of the Azure OpenAI model. To simplify the configuration, use the name of the model as the deployment name. !!! info "Azure OpenAI Configuration" For step-by-step instructions on how to create Azure OpenAI resources, deploy models, and identify the correct values for each field, see [[user-guide-azure-openai]]. === "Google" * **API Key** - the Google API key for authentication. * **Models** - the Google model to use. For more information, see [Google models](https://ai.google.dev/gemini-api/docs/models). === "OpenAI" * **API Key** - the OpenAI API key for authentication. * **Models** - the OpenAI model to use. For more information, see [OpenAI models](https://openai.com/open-models/). ### Email Add the email server information for the system used by several features. * **Email Server** * **From** - email address to be used to send emails. * **Address** - email server address. * **Port** - email server port. * **TLS Enabled** - whether the email server is configured with TLS or not. * **Username** - email server user. * **Password** - password of the email server user. * **Support Email Address** - email address of the local support team to send emails to. ![Screenshot showing a configuration email with server details and a support email address.](images/installationGuide/step_configuration_email.png) ### SAP Add the ERP SAP connection information: * **Access Information** * **Enabled** - whether the connection to a SAP system is enabled. * **Address** - address of the SAP host. _Applies if SAP is enabled._ * **System Number** - SAP system number. _Applies if SAP is enabled._ * **Service Name** - name of the gateway in SAP. _Applies if SAP is enabled._ * **Program ID** - SAP Program ID. _Applies if SAP is enabled._ * **Username** - user to connect to the SAP system. _Applies if SAP is enabled._ * **Password** - user password to connect to the SAP system. _Applies if SAP is enabled._ * **Client Number** - SAP Client Number. _Applies if SAP is enabled._ * **Connect License** - Theobald ERPConnect license. _Applies if SAP is enabled._ **Example:** !["Screenshot showing access information for SAP configuration."](images/installationGuide/step_configuration_sap.png) ### Service Resources Definition of resources used by stack. You can define the **memory** (GB/GBi) and **CPU** (number of virtual cores) needed to deploy the specific container and maximum available to it. Also, you can specify the number of **replicas** to be deployed. Note that, in the upper right corner, there is a button to restore these configurations to their default values, as defined in the deployment package manifest, depicted in the image below. ![Screenshot showing a service resource configuration with details about replicas, memory, and CPU settings.](images/installationGuide/step_configuration_serviceresources.png) !!! warning If you enabled the Light CDM Events and the UNS options in the [Data Platform](#data-platform) step, the HouseKeeper CDM Builder Light and Data Platform UNS Connector containers should be available in this step. If these containers are not visible, try refreshing your browser to update the list. ### Services Add the generic stack-wide configurations that vary depending on the base deployment package and deployment target. 1. **Environment Manager** * **Stop Installation on External Components Validation Failure** - stops installation if validation against external components fails. 2. **DNS** - allows to set custom DNS domains to use for resolving host names. **It's recommended to use Fully Qualified Domain Names (FQDN) everywhere** instead of short names and configuring this setting since it will impact the performance of hostname resolving and may even lead to unexpected issues. 3. **Container Image Registry Override** - this setting can be used to override the image registry used to pull container images from. Useful in the case that a private registry is preferred. 4. **Custom Certificates** - allows adding new certificates to the running containers. It is possible to add more than one certificate, and all of them will be injected into the containers that accept this feature. Before starting the deployment, a secret for each certificate must be created with the content of the certificate (same logic as external secrets). It is necessary to insert the name of the created secrets in this field. **If there are proxies performing SSL Inspection on the network traffic, the respective certificate should also be added through this feature.** ![Screenshot showing a step configuration for services CACERTS.](images/installationGuide/step_configuration_services_cacerts.png) ### Volumes Add the configuration for each required volumes. The entries here depend on the deployment package, database mode and opt-in features. 1. **Cube** - repository for cube models. _Applies to Database Modes: MES Analytics._ 2. **Dagster** - repository for Dagster Data files. _Applies to Database Modes: MES Analytics._ 3. **ML Platform Agent** - repository to store the ML models binaries that are deployed and in use. 4. **ML Platform Training** - repository to store the ML models' configurations and other associated data such as CSV datasets, transformed data and binaries. 5. **Redis Data Folder** - repository for the Redis Data files. Recommended to be a local high-performance disk. 6. **MSSQL Server Data** - volume to persist the database files to. Currently, MSSQL Server does not support restoring a database when persisting the data to a Windows directory. Ensure that the environment is running on Linux. _Applies to Database Modes: MSSQL Server_. Recommended to be a local high-performance disk. 7. **Grafana Folder** - repository to persist the Grafana's data. 8. **Installation Data** - shared location between the MSSQL Server and the Environment Manager. **When using an external database, the shared path must point to the same location as the Installation Data Path setting**. 9. **Connect IoT Repository Share** - repository for Connect IoT compressed files. 10. **Rabbit Data Folder** - repository for RabbitMQ Data files. _Applies to External dependencies mode: All/Broker and Storage._ 11. **Rabbit Log Folder** - repository for RabbitMQ Log files. _Applies to External dependencies mode: All/Broker and Storage._ 12. **Storage Data Folder** - repository for Storage Data files. _Applies to External dependencies mode: All/Broker and Storage._ 13. **Kafka Data Folder** - repository for Kafka Data files. _Applies to External dependencies mode: All_. Recommended to be a local high-performance disk. 14. **ClickHouse Data Folder** - repository for ClickHouse Data files. _Applies to External dependencies mode: All_. 15. **ClickHouse Log Folder** - repository for ClickHouse Data files. _Applies to External dependencies mode: All_. 16. **Documents Folder** - location where the Critical Manufacturing MES documents and attachments are persisted to. Advised to be a shared location, so that when having more replicas of the Critical Manufacturing MES host, the containers maintain data consistency. 17. **Logs Folder** - location to persist logs as files. This is an optional volume, you can set this volume to the type _None_ in order to not use it. Each volume can be configured with a different volume type. These types are Deployment Package specific. For more information on each type and their configurations, see [Kubernetes Volumes Configuration](https://portal.criticalmanufacturing.com/Help/devops-center/deployment-targets/kubernetes-section/kubernetes_volumes_configuration/) documentation. Also, check the requirements for each volume [System Requirements](https://help.criticalmanufacturing.com/11.3/systemrequirements/application-layer/applicationlayercontainers/#persistent-storage). For local volumes, it's recommended to use dynamic provisioning so that all local paths are handled by the cluster and not by you. For more information, see [Local Volumes with dynamic provisioning](https://portal.criticalmanufacturing.com/Help/devops-center/deployment-targets/kubernetes-section/kubernetes_volumes_configuration/). ## Step 4: Deployment Selecting **Next** will trigger the deployment process. It is automatic and you are provided with feedback to follow during the installation. ![Screenshot showing a deployment process with steps 1, 2, and 3 connecting to an OpenShift cluster.](images/installationGuide/step_deploy_connect_to_cluster.png) ![Screenshot showing deployment options.](images/installationGuide/step_deploy_check_installation.png) ![Screenshot showing the deployment settings.](images/installationGuide/step_summary.png) ## Step 5: Termination If, for some reason, you need to terminate the environment, you can do so in this step. ## Step 6: Summary If everything is correct, the last screen should present you with the deployment Summary, which includes information such as the outcome, admin credentials to use to access the environment, and the URL. Accessing this URL should present the Critical Manufacturing MES to be used. In this case, you must log in and because this is the first login, the credentials in the Summary must be used to access the system and the password must be reset after logging in: ![Screenshot showing a critical message.](images/installationGuide/access_mes_reset_password_on_first_login.png) After resetting the password, you'll be redirected to the Home Page which will show there are no Apps installed: ![Screenshot showing a summary of key information on a home page.](images/installationGuide/home_page.png) !!! info At this stage, only Administrator users have access to the MES. To allow other users to access it, you need to assign them the MES **OAuth** Role in the security page: ![Screenshot showing a user's assigned OAuth roles.](images/installationGuide/assign_mes_oauth_role.png) ## Optional Component Installation The Critical Manufacturing MES installation procedure is supported by an installation wizard that is described step-by-step in this section. Depending on whether the installation is performed with or without Internet access, and on the chosen installation package, the setup's interface may present changes. Therefore, you may notice slight differences between the screenshots included in this guide and the version being installed. !!! note Random errors may occur during the Critical Manufacturing MES installation process if it is initialized using a blocked ISO file. This occurs when Windows Attachment Manager marks ISO files as blocked (more information [here](https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738)). Before mounting and starting the installation, execute the following procedure to unblock your ISO file: 1. Open the folder containing the ISO file on Windows Explorer. 2. Right-click on the file and select the **Properties** option. 3. Select the **Unblock** option, if available. 4. Select the **Apply** button and then the **OK** button. ![Screenshot showing a UI with read-only attributes, hidden advanced settings, and an "iso properties" filename hint.](images/installationGuide/iso_properties.png) The image below shows the first screen of the setup wizard: ![Installation - Welcome screen](images/installationGuide/installation_welcome.png) All screens of the setup wizard are divided in three areas: 1. The top area displays all the steps of the installation, and the current step is highlighted. It also displays the name of the user who is logged in to the Customer Portal or **Offline**. If the setup process is launched in **Online** mode without previous valid user authentication for the current user in the Customer Portal, a separate browser tab window is automatically opened for proper user authentication. 2. The middle area shows the information setup step and the text boxes to be filled out with the required setup information. 3. The bottom area is the navigation area. In this navigation area, you can go to the next screen or return to the previous one. It is also possible to cancel the installation, thus aborting the setup. The **Install** button is only enabled when all the configurations are filled out, and the setup is then ready to start. Completing the text boxes may be mandatory (flagged by :core-static-asterisk-sm:{ style="margin-top: 2px; color: #b83128;" }). Throughout the steps, the existing groups may have an associated **Validate** button which if selected, will check if the entered value is within the expected ranges. See the example below: ![Installation - Field Validation](images/installationGuide/installation_validation.png) ### Main Installation Process If you need to backup existing databases, visit [Database Backup and Restore](../operationguide/system-administration/database/database-backup-and-restore/index.md) for a specific guide for this process. The first step of the installation process is the **License Agreement**. Select **Install or Upgrade** to get started. ### License Agreement In this step, you need to read and agree to the Critical Manufacturing License Agreement. ![Installation - License Agreement review](images/installationGuide/installation_license.png) It is necessary to accept the License Agreement to continue with the installation, otherwise the wizard will display an error message: ![Installation - License Agreement acceptance](images/installationGuide/installation_license_error.png) To accept the License Agreement select **I agree to the License Agreement**. Then, select **Next** to continue. ### Package Sources In the **Package Sources** step, you can add a location to search for installation packages. You can also add multiple package sources, and dependencies are resolved using the provided source order. If the setup is running in **Online** mode, the default process will add the local packages folder, and the server, to the list. The package source can either be a `Server` or a `FileSystem`. The `Server` should be an NPM compatible endpoint. The `FileSystem` should be a folder accessible by the user running the setup, when the installation is started from the installation media, or the user running the master agent windows service is using a master only or master/slave configuration. ![Installation - Package Sources](images/installationGuide/installation_package_sources.png) Select **Next** to continue. ### Package Selection In the **Package Selection** screen, you must select the product and the version to be installed. The available packages are: * **Cmf.ConnectIoT.Packages**: Connect IoT packages to upload to a supported Package Repository. * **Cmf.ECADService.Server**: Critical Manufacturing MES ECAD (Electronic Computer-Aided Design) server to run as a service. * **Cmf.PrintingService.Server**: Critical Manufacturing MES Printing Service. For Critical Manufacturing Connect IoT packages there is only one available option. The product names, versions, and installation options can vary according to the installation packages available on the installation media. ![Installation - Package Selection](images/installationGuide/installation_package_selection.png) Choose the package you wish to install and select **Next** to continue. #### ECAD Service Before installing the **ECAD Service**, ensure that the Visual C++ Redistributable Packages for Visual Studio 2013 are installed. Afterwards, the **ECAD Service** can be installed using several different configurations, as shown in the image. ![ECAD Configuration.1](images/installationGuide/installation_ecad_001.png) !!! info The **Import Installation File** step allows you to load a file with the configuration of the installation. It will automatically fill out the information existing in the selected file. Configure the **Online Database** and **Services User Account** settings: ![ECAD Configuration.2](images/installationGuide/installation_ecad_002.png) Configure the settings for the **ECAD Service**. The **PCBI Floating Service Address** should use the default **IPv4** address and the **PCBI Floating Service Port** can use any available port. ![ECAD Configuration.3](images/installationGuide/installation_ecad_003.png) The current way to get the **PCBI Floating Service License** is by requesting a license file using the **Server ID**. If you do not have the **PCBI Floating Service License** you can keep this field empty and follow the manual steps below (after the setup finishes). ![ECAD Configuration - PCBI Floating Service.2](images/installationGuide/ecad_003.png) Contact the System Administrator by sending the **Server ID** to generate the license. When you get your license, place the file inside a folder and make sure that the configuration properties of **ECAD** are duly set. These configurations can be found inside the **ECAD** folder named `config.xml` and `Cmf.Navigo.ECADServiceAPI.exe.config`. ![ECAD Configuration - PCBI Floating Service.3](images/installationGuide/ecad_004.png) ![ECAD Configuration - PCBI Floating Service.4](images/installationGuide/ecad_005.png) Restart the **PCBI Floating Server** and **Critical Manufacturing ECAD** services. ![ECAD Configuration.6](images/installationGuide/ecad_006.png) !!! note If you have multiple environments in the same machine, all environments should point to the same **PCBI Floating Service** and only one **PCBI Floating Service** can be started. Confirm the settings and select **Next**, where you will be shown the summary of the component you are about ot install. You have the option to force a reinstallation if you have previously installed a version of this component in your system. ![ECAD Configuration Summary](images/installationGuide/installation_ecad_004.png) Select **Next** to complete the installation process configuration. In the **Complete Installation** screen, you can export all the current installation configuration data (including licenses) to a file. To export the current configuration data, select **Export** and then choose a location and a file name. ![ECAD Installation Export](images/installationGuide/installation_ecad_005.png) Select **Install** to start the installation process. #### Printing Service The Critical Manufacturing MES Printing Service is a standalone service that enables containerized environments to perform printing jobs using printers configured in a Windows machine. To achieve this, the Printing Service must be installed in the Windows machine that has access to the printers (which may need permissions to be used by the user running the service). Additionally, when deploying the environment using DevOps Center, the user must select the option to use the external printing service and configure the URL to the Windows machine running the service. !!! info This service is standalone and not coupled to a specific MES installation, which means that multiple MES installations can share the same Printing Service. The Printing Service is installed using the same setup process as the traditional installation and selecting the **Cmf.PrintingService.Server** option in the Package Selection screen. ![Printing Selection](images/installationGuide/printing_service_package_selection.png) !!! info The **Import Installation File** step allows you to load a file with the configuration of the installation. It will automatically fill out the information existing in the selected file. After selecting the Printing Service package, the user must fill (or import from a parameters file) the following information: * **Root Installation Directory** - The Directory where the Printing Service will be installed. * **Services User Account** - The user account that will be used to run the service. * **Port** - The port where the service will be exposed. ![Printing Installation](images/installationGuide/printing_service_installation.png) Confirm the settings and select **Next**, where you will be shown the summary of the component you are about ot install. You have the option to force a reinstallation if you have previously installed a version of this component in your system. ![Printing Installation Summary](images/installationGuide/printing_service_summary.png) In the **Complete Installation** screen, you can export all the current installation configuration data (including licenses) to a file. To export the current configuration data, select **Export** and then choose a location and a file name. ![Printing Installation Export](images/installationGuide/printing_service_complete.png) Select **Install** to start the installation process. ### Update Product License The Product License can be updated using the Critical Manufacturing setup program in three ways: * Setup - Online * Setup - Offline * Command Console For the **Setup - Online**, follow the steps below: 1. Mount the Critical Manufacturing MES ISO. 2. Run the **Setup.exe**: ![Screenshot showing the Setup.exe installation process for a product license update, with details on file size and date modified.](images/installationGuide/installation_setup.png) 3. Select **Update License**: ![Screenshot showing the Update License selection step in the Critical Manufacturing installation program.](images/installationGuide/installation_update_license.png) 4. You will be redirected to the Critical Manufacturing Customer Portal and will need to log in with a User that has access to Critical Manufacturing Licenses: ![Screenshot showing the login page for the Critical Manufacturing Customer Portal.](images/installationGuide/installation_authentication1.png) 5. Import the `.json` parameters file used with the original installation: ![Screenshot showing the update product license screen, highlighting the critical manufacturing license details.](images/installationGuide/installation_import_parameter1.png) 6. Select **Next** to continue. 7. The **Environment Data** screen will contain the **System Name** and the connection to the **Online DataBase**: ![Screenshot showing the Update Product License page with system name and online database connection details.](images/installationGuide/installation_import_parameter2.png) !!! note You can also set the parameters manually if you know the settings. 8. Select **Next** to continue. 9. Select the license you want to use: ![Screenshot showing a product license selection menu with options including "Update Critical Manufacturing License".](images/installationGuide/installation_license_select.png) 10. Proceed with the **Update**: ![Screenshot showing the update progress for a manufacturing license during an installation process.](images/installationGuide/installation_license_success.png) For the **Setup - Offline**, follow the steps below: 1. Before selecting **Update License**, select the **Switch to offline** option: ![Installation - Welcome screen](images/installationGuide/installation_welcome.png) 2. After importing the `.json` parameters file used with the original installation or manually setting the **Environment Data**, an activation code is provided: ![Screenshot showing an update license screen with a filename hint "installation activation code" and a heading "Update Product License".](images/installationGuide/installation_activation_code.png) 3. Copy the activation code. 4. With a different device, log in to the Critical Manufacturing Customer Portal with a User that has access to the required license. 5. Open the **Licenses** menu and select **My Licenses**: ![Installation - Activation - Step 2](images/installationGuide/installation_productlicense_activate_step2.png) 6. From here you can: * Select the **Activate License** in the top ribbon: ![Installation - Activation - Step 3](images/installationGuide/installation_productlicense_activate_step3.png) * Paste the **Activation Code** from the Setup - Offline update license operation: ![Installation - Activation - Step 4](images/installationGuide/installation_productlicense_activate_step4.png) * Then select the required Environment License and **Activate** it: ![Installation - Activation - Step 5](images/installationGuide/installation_productlicense_activate_step5.png) 7. A license code will be provided and you should **Download** or **Copy** it: ![Installation - Activation - Step 6](images/installationGuide/installation_productlicense_activate_step6.png) 8. Use the license code with the Setup - Offline installer, accordingly, and then select **Update**: ![Screenshot showing a product license update screen with a highlighted "Update" button.](images/installationGuide/installation_offline1.png) For the **Command Console**, follow the steps below: !!! note This method requires that you know the **License Id** or the **License Name**. You also need to have a valid `json` file with the **Environment data** (original installation `json` file), and online access to the Critical Manufacturing Customer Portal. 1. Mount the Critical Manufacturing MES ISO. 2. Open a console at the mounted ISO root: ![Screenshot showing a console window with a prompt indicating an update product license operation.](images/installationGuide/installation_console1.png) 3. Run the **CmfDeploy.exe** and provide the `licenseId` and the `parameters`: * Command for reference: `.\tools\CmfDeploy.exe installlicense --licenseId="LicenseName" --parameters="OriginalInstallationJsonFilePath"` * Example for reference: `.\tools\CmfDeploy.exe installlicense --licenseId="CMF - CMFLAB_Development_v7.0.0_ED20230901" --parameters="C:\Users\Administrator\Downloads\installation 7.0.2.json"` 4. You will be redirected to the Customer Portal and will need to log in with a User that has access to the provided License. What follows is a successful output example for this operation: ![Screenshot showing an installation console displaying license update options.](images/installationGuide/installation_console2.png) ![Screenshot showing an installation console with a command prompt displaying "Entering execute... update license..."](images/installationGuide/installation_console3.png)