PaaS Support Coverage

Barra de búsqueda

Legacy PaaS Support Coverage

This article is a compilation of the legacy Liferay PaaS Support Coverage policies.

 

Best Practices for Configuring Liferay Cloud for Auto-Scaling Based on CPU

Auto-scaling is a critical feature for managing resource utilization and ensuring the optimal performance of your applications in Liferay Cloud. While traditionally auto-scaling can be based on both CPU and memory thresholds, certain applications, especially those that are memory-intensive, can face inefficiencies with memory-based auto-scaling. This article will guide you through the best practices for configuring auto-scaling based on CPU utilization and discuss the benefits of upgrading to the latest Liferay version.

CPU-Based and Memory-Based Auto-Scaling

Some Liferay applications and the JVM are known for their memory-intensive nature. Configuring auto-scaling based on memory thresholds can sometimes lead to inefficiencies due to the JVM's behavior in memory allocation and deallocation. The JVM does not always release memory back to the operating system promptly, which can result in auto-scaled instances remaining active longer than necessary, driving up costs and complicating resource management.

By focusing on CPU utilization for auto-scaling, you can achieve a more responsive and cost-effective scaling behavior, better aligning with the performance needs of your applications. However, memory-based auto-scaling can still be effective for certain applications. For more information on configuring memory-based auto-scaling, please refer to the Liferay Cloud Auto-Scaling Documentation.

Configuration Steps

1. Update the LCP.json File

To configure auto-scaling based on CPU, you need to update the LCP.json file in your Liferay Cloud setup. Here is an example configuration:

{
  "autoscale": {
    "cpu": 60,
    "memory": 95
  }
}

In this setup, the auto-scaler will add more instances when CPU utilization reaches 60%. While memory is still a factor, it plays a secondary role to CPU utilization. For more information, please refer to Liferay Cloud Auto-Scaling Documentation.

2. Monitor and Adjust CPU Thresholds

Regularly monitor the CPU performance of your Liferay Cloud instances. Based on your application's load and performance profile, you might need to adjust the CPU threshold to achieve optimal scaling.

Benefits of Upgrading to the Latest Liferay Version

Upgrading to the latest version of Liferay offers numerous performance improvements and enhanced features. Some of the key benefits include:

  • Improved Memory Management: Newer versions of Liferay come with optimized memory management, which can help reduce the inefficiencies caused by JVM memory allocation.
  • Enhanced Performance: Each new release includes performance enhancements that can help your applications run more smoothly and efficiently.
  • Advanced Features: Take advantage of the latest features and security updates that come with newer versions of Liferay.

Future Improvements in Auto-Scaling and Telemetry

We understand the limitations of current auto-scaling configurations and are actively working to enhance these capabilities. Here are some of the upcoming improvements:

  • Custom Metrics for Auto-Scaling: Starting in late 2024, customers will be able to select custom metrics for auto-scaling. This will allow more granular control over scaling decisions, enabling users to tailor auto-scaling triggers based on specific application performance indicators.
  • Enhanced Telemetry: We are integrating improved telemetry features to provide better insights and real-time visualizations for critical performance metrics, enabling better resource management and operational insights.
  • Manual Horizontal Scaling: The new manual scaling feature will allow customers to actively and responsively scale their Liferay services during periods of anticipated increased traffic. This will help in managing sudden spikes in traffic more effectively.

These new features are expected to be released between Q3 and Q4 of 2024.

Conclusion

Configuring auto-scaling based on CPU utilization is an efficient approach for many Liferay Cloud environments. While memory-based scaling can be effective for certain applications, focusing on CPU thresholds ensures a more responsive and cost-effective scaling behavior for a broader range of scenarios. Upgrading to the latest Liferay version further enhances performance and takes advantage of the newest features. Stay tuned for upcoming improvements in auto-scaling configurations and telemetry, which will provide even greater control and insight into your application's performance.

For further assistance or questions, please reach out to our support team.

Configuring Remote Staging in Liferay PaaS

Introduction

Remote staging in Liferay Cloud allows you to manage and preview content in a staging environment before publishing it to a live environment. This setup ensures content accuracy and security, particularly useful for organizations with complex content management needs.

Before enabling Remote Live staging, you must configure the Liferay servers you want to use for your staging and live environments. You must also create a new blank site or asset library on your remote server and use its ID during staging configuration.

Prerequisites

Before configuring remote staging, ensure the following:

  1. Both the staging and live environments must have an admin user with identical credentials.
  2. All servers must be updated to the same update and patching level to ensure remote staging works correctly.

Cluster Outbound IP

You can retrieve your Liferay PaaS outbound IP by accessing the Liferay Cloud console, going into the Liferay service's shell and running the following command:

curl https://ifconfig.me

Note: The outbound IP address will depend on the location of your Liferay PaaS environment.

Live Environment Ingress IP

You can retrieve your Liferay Live Environment Ingress IP by accessing the Liferay Cloud console on your network endpoints page:

https://console.liferay.cloud/projects/YOUR_PROJECT_ID/network/endpoints

Configuration Steps

1. Configure portal-ext.properties

Add the following properties to the portal-ext.properties file and deploy them in both the staging and live environments:

tunneling.servlet.shared.secret=[abcdefghijklmnop]
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP,[CLUSTER_OUTBOUND_IP]

Notes: Replace [abcdefghijklmnop] with your preferred secret value. Using environment variables and secrets is recommended for better security. Also replace [CLUSTER_OUTBOUND_IP] with the value you retrieved in previous steps.

2. System Settings Configuration

In both environments:

  1. Navigate to System Settings → Security → API Authentication → Tunnel Authentication.
  2. Click on /api/liferay/do.
  3. Under Hosts Allowed, add your Cluster Outboud IP in the end of the curent configuration: 127.0.0.1,SERVER_IP,[CLUSTER_OUTBOUND_IP]
  4. Click Save.

3. Enable Remote Staging

In the staging environment:

  1. Go to the site you want to enable remote staging for.
  2. Navigate to Publishing → Staging.
  3. Select Remote Live.
  4. Enter the Live Environment Ingress IP of your live instance:
    1. If you face javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address exception, use your live instance domain name instead, eg: webserver-[MY_INSTANCE].lfr.cloud
  5. Set Remote Port to 443.
  6. Retrieve the Remote Site ID from the live environment:
    • Go to Configuration → Site Settings → Site Configuration to find the Site ID.
    • Alternatively, look for the groupId in the Group_table.
  7. Ensure the Use a Secure Network Connection checkbox is checked.
  8. Select the content to be staged and click Save.

Licensing and Environments

Licensing

  • In a self-hosted environment, there is an added cost for additional production licenses to be used for remote staging environments. The same principle applies to Liferay Cloud.
  • This means that Liferay Cloud customers must purchase an additional production environment in order to use remote staging.

Environments

  • UAT environments can be used for staging, but DEV environments cannot.
  • If a customer uses DEV as a remote staging environment, Support will not be able to assist with issues relating to this setup.

Additional Considerations

Large LAR Files

  • The import/export process uses LAR files. Ensure the web server can handle the file size to prevent connection issues.
  • Test with smaller files to avoid potential timeouts and errors.

Secret Management

  • For Liferay PaaS customers, consider making the secret configurable through the Instance Settings.
  • Use tunneling.servlet.shared.secret.hex=true for added security.

Troubleshooting and Common Issues

Lock Wait Timeout

This issue may occur during publishing, especially with large files. Investigate the underlying infrastructure to ensure it can handle the load.

DuplicateFriendlyURLEntryException

Address any specific errors that may arise during staging.

Summary

Remote staging in Liferay Cloud involves configuring both staging and live environments with appropriate properties, system settings, and ensuring secure connections. Address infrastructure limitations and potential errors to ensure a smooth staging process.

Conclusion

By following these steps, you can successfully configure remote staging in Liferay Cloud. This setup allows for secure and efficient content management, ensuring that your live site reflects the latest approved content changes from the staging environment.

Reference

https://learn.liferay.com/w/dxp/site-building/publishing-tools/staging/configuring-remote-live-staging

 

Custom Images and Services

While Liferay Subscription Services provides support for Liferay Cloud in its docker images for the different services and other features which make up the Liferay Experience Cloud stack, it does not extend this support for any custom docker images or services.

Issues that are encountered while leveraging the Liferay Cloud “Custom Images and Services addon” are the responsibility of the customer. This extends towards the setup and configurations of any such custom images and services.

In general, Subscription Services will support all official Liferay Cloud-provided Liferay images, services, and features that run on the Liferay Cloud platform. This also includes any product defects and issues involving the docker or infrastructure layers of Liferay Cloud.

 

Do you support Bitbucket/GitLab integration?

Our Jenkins integration supports Git repositories hosted on GitHub, GitLab, and Bitbucket.

Read the documentation for more information:

 

How is Auto Scaling charged?

By default, the Auto Scaling Feature comes disabled in every Liferay PaaS account. The customer can make use of this functionality by enabling it via the console, within the menu of the "Liferay" service in a production environment.

Once Auto Scaling is enabled, the platform will begin to keep track of the new instances deployed on an hourly basis. There will be an hourly charge for any extra instances deployed due to Auto Scaling. This activation is independent of the Liferay PaaS subscription procurement process.

Liferay will issue an invoice to the customer for the use of Auto Scaling after each quarter that the customer deploys, uses, or executes Auto Scaling instances, and the customer will pay such invoice(s) in accordance with the agreement.

Pricing

Pricing for each Instance of Liferay PaaS Subscription utilized through Auto-Scaling is based on the number of clock hours during which the customer utilizes each such Instance. For pricing purposes, total usage during a calendar quarter will be rounded up to the nearest full clock hour.

Environment Type Price per Instance per Hour
High Availability $12.00 USD
Standard $23.00 USD

 

For clarity, the prices specified above are Liferay’s standard prices for auto-scaling of Liferay PaaS Instances. Such pricing is applicable to such auto-scaling usage unless a customer has entered into a separate written agreement with Liferay as to pricing for such usage.

For further information regarding the Auto Scaling feature, please read our documentation.

 

Liferay PaaS Go-Live Checklist

Introduction

The Liferay Cloud Team is committed to your project launching smoothly and has developed this Go Live Checklist to ensure performance is optimized and potential issues are caught in advance.  This checklist was created from the experience of successfully deploying dozens of customer projects globally.

Priority Items to review (the following services are critical to a successful Go-Live):

  • Plan Quotas
  • Downtime
  • Backup
  • Domains
  • Stress Test
  • Auto Scaling.

Reviewing Your Architecture

Environments

Confirm that the production environment matches the subscription. On the Settings Page of your production environments, there should be a type "production" for the production environment (Environment type is a classification that denotes an environment's configuration). Check here for more information: Understanding Liferay Cloud Environments

Service Versions

Make sure all of your services are using the latest image versions. Check here for the latest versions: Services Changelog

Clustering

In case you purchased a High Availability environment, review to see if clustering is working properly. Check here for more information: Setting Up Clustering in Liferay PaaS

Development Lifecycle

Review if the Software Development Life Cycle (SLDC) is being used properly. Builds should be generated via Jenkins and Deployments should be made via Console UI. Check here for more information: Overview of the Liferay PaaS Deployment Workflow Deploying Changes via the Liferay PaaS Console Deploying Changes via the CLI Tool

Reviewing Your Metrics & Numbers

Alerts

Check existing alerts to see if there's anything that should be addressed before launch. Also, make sure that the main project contributors have changed their preferences to receive alerts via email. Check here for more information: Real-Time Alerts

Dynatrace

If High Availability or Dynatrace Add-Ons were purchased, check your subscription to see which environments should have a Dynatrace setup to detect problems. The main contributors should have access to the Dynatrace dashboard to facilitate the diagnosis process. To learn more about configuring Dynatrace, check here: Integrating Dynatrace with Production Environments

Plan Quotas

Be sure to deploy to all environments to confirm the quota. If you have changed your quota allocation, revert your changes for the production environment prior to going live. Check here for more information: Quotas

Reviewing Your Continuity Plan

Auto Scaling

We recommend having auto scaling turned on and tested before going to production. Check here for more information: Auto scaling

Disaster Recovery

If a Disaster Recovery environment was purchased, you should run a disaster recovery simulation to see how fast you can recover in case there is a downtime in an entire region. Check here for more information: Disaster Recovery Overview

Backup

Check to see if the backup feature is enabled, check the frequency to make sure it accommodates the project needs, and run a backup and restore to check if everything is working as expected. Check here for more information: Platform Services: Backup Service

Zero Downtime Deployments

Check to see if deployments are working without downtimes. If not, consider adjusting your liveness and readiness probes. Check here for more information: Troubleshooting Self-Healing

Reviewing your Project’s Benchmarks

Performance Comparison

Review to see if the performance of the new application is equivalent to the current installation. Check here for more information: Application Metrics

Stress Test

Run a stress test on the UAT environment and check the results. Please inform Support by opening a ticket on Liferay Help Center.

Reviewing the Final Go Live Details

Custom Domains

Review the DNS entries that are pointing to Liferay Cloud and analyze how the domains are being referenced. Note that Changes or additions to custom domains can take up to 24 hours to propagate. Please plan go-live timelines accordingly. Check here for more information: Custom Domains

VPN

Check if all VPN connections are working as expected. Check here for more information: VPN Integration Overview

Team Members

Review to see if the team members are added with the correct permissions on each environment. Check here for more information: Environment Teams and Roles

Final Thoughts

This Go Live Checklist was prepared with the typical Liferay PaaS configuration in mind. Additional precautions may need to be taken according to any unique customizations or integrations that your project uses. On behalf of the Liferay Cloud Team, we would like to thank you for choosing Liferay PaaS and look forward to partnering with you for years to come!

 

Liferay PaaS Performance and Penetration Test - Advanced Notice

Should we provide advanced notice to the Liferay Cloud team before initiating penetration testing or performance testing against one of our Liferay PaaS environments?

If so, how should we inform the team?

Resolution

When performance and/or penetration testing is performed, it can appear to Liferay that an attack is being executed against a customer environment. In order to avoid intervention by Liferay to protect the environment and/or connected infrastructure, we request that you provide notice of the testing window at least 15 days in advance.

Notice can be provided by opening a support ticket on Help Center.

Additional Information

 

Liferay PaaS Security Checklist

Introduction

This security checklist was created by the Liferay Team to offer another measure of protection for customer projects. The checklist covers best practices for Liferay PaaS. For Liferay PaaS security considerations and best practices, please refer to the Liferay Help Center.

Disclaimer: The items in this checklist are suggested best practices and it will be the end-user’s responsibility to implement.

General Items

Item Description
Repository Migrate the default GitHub repository to a private GitHub/GitLab/Bitbucket repository owned by your organization. The default GitHub repository is provided as a starter template available for 10 days and for privacy regulations it should never be used to commit code owned by your organization. 
Security Patches Apply DXP and Liferay PaaS security-related fixes as soon as they are released. DXP docker images are published here. Liferay PaaS Service Change Logs are published here.
Commits to Repository

Care should be taken that any licenses, credentials, and secrets are not accidentally committed to the repository.

Remember Liferay PaaS environments do not require you to supply a license. The enterprise Liferay DXP license is included as part of the deployment process.
Code Scans Liferay PaaS provides a CI pipeline for builds. Automate and enforce cleaner and safer code practices by customizing the pipeline to run code scans on every build.
Elasticsearch Enable Elasticsearch security features by setting the xpack.security.audit.enable variable to true. Set the ENABLE_XPACK_SECURITY environment variable to true. For more information visit the Elasticsearch security documentation here

 

Account Management

Item Description
Single Sign-On Liferay PaaS can integrate with any SAML 2.0 compliant Single Sign-On Identity Provider to authenticate users to the Liferay PaaS platform. You may set up Multi-factor authentication for development and IT team members through any Identity Provider that supports MFA.
Default Portal Account

If you deploy the out-of-box build of the Liferay portal to your production environment, you should be aware that the default user test@liferay.com is available for sign-in with a weak password ‘test’ and must be changed as soon as possible.

Also, disable the creation of new accounts.

The dev environment has an extra layer of authentication at the webserver layer.
User Activities Perform a periodic audit, at least quarterly, of user activities, in each Liferay PaaS environment as well as DXP portal.
Team Members Audit Team Member access periodically, at least quarterly, making sure to go through each environment and delete inactive team members. The same applies to DXP roles and assignments.

 

Network Controls

Item Description
Egress IP If Liferay DXP accesses your private network, the Liferay Cloud cluster egress IP is available to be whitelisted.
Blacklisting or Whitelisting IPs You can blacklist IP addresses from certain regions by configuring a Deny List in the Nginx web server configuration. For greater control and if the IP addresses of your users are known, you can set up an Allow list instead.
Public Endpoints Although possible, and available for extreme backdoor scenarios,  it is not a recommended practice to expose database endpoints or other service endpoints to the Internet as this bypasses the DDoS protection from the HTTPS load balancer.
Rate Limiting Nginx can be configured to throttle requests from reaching the Liferay service. It is recommended that customers monitor their traffic patterns and acceptable rates of access to configure these settings.
DNS Ensure that your DNS provider implements best practices related to DNS security.

 

Backups

Item Description
Backup download Backups in the Liferay PaaS are always encrypted at rest and in transit. However, if you download backups to a local machine you should ensure that you have mapped out your data flow so you can be in compliance with any regulations that you are required to adhere to.
PII Sanitizing Using production data in non-production environments is helpful for debugging but does pose risks. When restoring backups into non-prod environments - implement scripts for PII data masking. 

 

HTTP Layer

Item Description
Ciphers Depending on your compliance requirements you may request an increase in the restrictions on the cipher policy for SSL to reduce the set of SSL features allowed. By default, the policy is to allow a broad set of clients, including clients that support only out-of-date SSL features, to negotiate SSL.
CORS Cross-origin resource sharing (CORS) can allow requests from an outside domain. It is recommended that you configure your Liferay DXP instance to allow only required domains to interact with your web application. 
Content Security Policy Content Security Policy (CSP) prevents malicious resources from being loaded by a web browser. The Content-Security-Policy header can be configured in the nginx configuration file. 
URL Redirects Ensure that HTTP to HTTPS redirects first redirect to a secure version of the same site to prevent man-in-the-middle redirects to malicious sites. Ensure that redirects never forward to HTTP. URL redirects are configurable via the nginx configuration file.
HSTS HTTP Strict Transport Security (HSTS) header ensures that, after a user's initial visit to the website, they will immediately connect to the HTTPS website. The Strict-Transport-Security header can be inserted via the nginx configuration file.
Web Browsers Nginx can be configured to verify the user agent header and block access to the site from outdated web browsers.

 

Secrets

Item Description
Storage and Rotation Save secrets in a safe storage and rotate them regularly.
Disaster Recovery Master Token The master token used in DR configuration should be created as a secret.
Repository Access The Private Access Token for your git repository (GitHub/GitLab/BitBucket) should be created as a secret.
Dynatrace In case your Liferay PaaS subscription includes Dynatrace, the Dynatrace Tenant and Token should be created as a secret.
SSL Certificates If you’re installing custom SSL certificates, create the key and certificate properties as secrets.
Dev Environment Access The dev environment portal access is protected by default credentials which are shared in the provisioning email. You should customize the dev environment Nginx configuration and set your own credentials. To avoid committing to the repository implement the credentials as a Secret.

 

Liferay PaaS Shared Activities

Below is a summary of various activities that are shared between your team and the Liferay Cloud team. If you need assistance in understanding or executing these tasks, submit a ticket and Liferay Support will be happy to assist.

Activity Liferay will... As a Customer, I should...
Provide and maintain the Liferay Cloud infrastructure Implement bug fixes, new features, and improvements for the Liferay Cloud Infrastructure and provide status updates for the Liferay Cloud Infrastructure at status.liferay.cloud  
Deploy the Liferay Cloud Service Stack Deploy the default Liferay DXP, Enterprise Search, Database, CI Server, Web Server, Backup Services Iterate, configure, and deploy Services
Develop and implement customizations Provide features and tools to allow for development and deployment of customizations Develop and deploy custom solutions
Upgrade software Update the Liferay Cloud Infrastructure, publish all the Service versions, and make them available Update Service Stack to fully supported versions
Monitor infrastructure Monitor the Liferay Cloud Infrastructure and provide monitoring tools for customer environments Monitor environment and take corrective action based on self-defined thresholds
Autoscaling Provide Autoscaling functionality Activate and deactivate Autoscaling functionality to maintain desired uptime
Backup and restore Provide backup and restore functionality Execute backup, restore, delete, and download functions to adhere to desired data storage, deletion, and archival policies
Security Report Sev 1 Security Vulnerabilities within the Liferay Cloud Service Stack and implement security and authentication best practices for infrastructure Take Liferay recommended action upon receiving report of a vulnerability and implement security best practices for custom solutions

 

Liferay Premium Security for PaaS

The Premium Security add-on for PaaS, was introduced in early 2025 to provide PaaS customers with advanced capabilities that have already been available for our SaaS customers. It consists of two pillars:

  1. Advanced DDoS protection
  2. Vulnerability Management

To improve DDoS protection, the Liferay Security Team will conduct a Premium Security onboarding. During this live meeting, the Liferay Security Team analyzes the specifics of the customer's project, based upon which we will create individualized firewall rulesets for DDoS attack mitigation. Additionally, this package includes autoscaling coverage that allows for up to 5 extra Liferay instances to be automatically launched for a total of up to 24 hours every three months, at no additional cost. The 24-hour limit is tracked on a per-minute basis. The autoscaling coverage makes it easier to maintain application uptime during DDoS attacks.

 

Vulnerability Management consists of both a proactive and a reactive component. On the proactive side, Liferay performs monthly scans of the production environment and proactively notifies Premium Security for PaaS customers if any vulnerabilities are detected.

On the reactive side, customers can submit support tickets with up to four self-generated reports per year, regardless of the report type. Our Security team will review the reports and provide fixes for all confirmed critical and selected major issues.

 

Where are your data center locations?

Below is the list of regions on Liferay PaaS that can be used to host your environments and data:

  • Oregon, USA: us-west1
  • Iowa, USA: us-central1
  • Montreal, Canada: northamerica-northeast1
  • São Paulo, Brazil: southamerica-east1
  • London, England: europe-west2
  • Frankfurt, Germany: europe-west3
  • Hamina, Finland: europe-north1
  • Doha, Qatar: me-central1
  • Dammam, Saudi Arabia: me-central2
  • *Mumbai, India: asia-south1
  • Jurong West, Singapore: asia-southeast1
  • Osaka, Japan: asia-northeast2
  • Tokyo, Japan: asia-northeast1
  • *Sydney, Australia: australia-southeast1

* These regions require special approval for new projects. Please contact your account manager to request access. Choosing one of these regions could delay project creation for up to 5 business days.

On this page