Deployment Requirements

All Enterprise Server services are based on similar technology. Therefore, deployment requirements are also similar. Where additional requirements exist, they’ll be highlighted in the deployment documentation for that particular service.

Type	Requirement
OS	Recent versions of Ubuntu, Debian, RedHat, Fedora, or CentOS.
SSL Certs	Either a set of valid SSL certs, or an SSL-terminating reverse proxy.
Runtime	OpenJDK 17+
Hardware	Minimum 4GB RAM and one full CPU core per instance.
Cluster deployment	When deploying more than one instance as a cluster, an off-the-shelf load balancer is needed to distribute the load evenly among running instances.
License	Active software licensing subscription for any production use.

Networking

Each of the services expects to have its own accessibility requirements when it comes to firewalling and allowing/disabling access.

In all cases, the service must be ultimately accessible over HTTPS. No part of your network should be transferring incoming requests over plain HTTP. This means either using api.https.enabled=true directly, or false combined with an HTTPS-terminating reverse proxy on the same machine.

Service	Required	Network Access
Email Key Manager, EKM client API	Always	The API must ONLY be accessible on local LAN (or over authenticated/encrypted VPN if on the public internet).
Email Key Manager, EKM API for WKD	For WKD Pull-Sync	The API must be accessible by the WKD.
Web Key Directory, WKD client API	When deploying WKD	The API must be accessible from the public internet at `https://openpgpkey.example.com/`
Web Key Directory, WKD API for EKM	For WKD Push-Sync	The API must be accessible by the EKM.
External Service, FES client API	When deploying FES	The API must be accessible by the client, typically over the public internet, at `https://fes.example.com/` address
Enterprise Admin Panel, EAP web app	Always	It’s recommended to only run the EAP on an internal LAN, however, it’s safe to expose on the public internet.