Technical Document
Technical Requirements
Basware EPP Products
June 2010
Disclaimer

Information in this document is subject to change without notice and does not represent a commitment on Basware Corporation. Basware Corporation is not liable for errors contained in this document or for incidental or consequential damages in connection with furnishing or use of this material.

Trademarks

Basware products are protected by the US and international copyright laws. The Basware name and the Basware logo are trademarks of Basware Corporation. Basware Purchase Management, Basware Invoice Processing, Basware Document Archiving and Basware Business Transactions are trademarks of Basware Corporation.
* All third party trademarks are property of their respective owner.

Copyright

Copyright 2010 Basware Corporation. The copyright of this document is vested in Basware Corporation. No part of this document may be reproduced, translated or transmitted in any form or by any means, electronic or mechanical, for any purpose without the express written permission of Basware Corporation, and then only on the condition that this notice is included in any such reproduction. No information as to the contents of this document may be communicated to any third party without the prior written consent of Basware Corporation.

Basware Corporation
Address: Linnoitustie 2, Cello Building, FIN-Espoo, Finland
Postal address: P.O. Box 97, FIN-02601 Espoo, Finland
www.basware.com
Contents

1 General
2 Platform Support
3 Product Compatibility
4 Server Hardware Requirements
  4.1 Server hardware
    4.1.1 Server hardware requirements for catalog management
    4.1.2 Server hardware requirements for FastScan FreeForm server
  4.2 Backups
  4.3 Fault tolerance
  4.4 Web application server performance
5 Additional Server Software Requirements
6 Workstation Requirements
  6.1 All windows application workstations
  6.2 Web Client workstations
  6.3 FastScan
7 Network Requirements
  7.1 Network latency and bandwidth considerations
  7.2 Technical requirements
  7.3 Ports needed
8 Scanner Requirements
9 Security Requirements
10 Software distribution
11 Authentication methods
  11.1 Known limitations
12 Security overview
  12.1 Application security
  12.2 System security
13 Support for virtual server environments
14 Support for distributed environments
15 Support for clustering (loadbalancing / failover)
16 APPENDIX A: Terminology
1 General

This document describes the technical requirements for Basware EPP products. The document is valid for the following products (latest released versions):

- Invoice Processing 5.0.6 (IP)
- Basware Matching 5.3
- Purchase Management 5.2.1 (PM)
- Contract Life Cycle Management 5.2.1 (CLM)
- RFX 5.1.5
- Supplier Portal 5.2.2 (SP)
- KPI Reporting tool 5.2 (KPI)
- Mobile 5.1.1
- anyerp Adapter 5.6
- Document Archiving 3.0 (DA)
- Travel & Expense Management 3.7.4 (TEM)

The picture below shows the different elements of Basware EPP system architecture on a general level and how they link to other IT systems in the customer environment.

Note! This picture is an example and the actual customer setup depends on the Basware products to be installed.
2 Platform Support

The following browsers, databases and operating systems are generally supported with specified limitations. Please see the Product Compatibility tables later in this chapter for more details.

Supported operating systems

All Basware EPP products work on 32 bit operating systems. 64 bit operating systems are currently supported by PM 5.1.3 Patch 3, IP 5.0 Patch 5, Matching 5.2 Patch 1 and TEM 3.7 Patch 3 (or later), but please note that the applications are still 32 bit. Separate database servers are supported on both 32 bit and 64 bit operating systems.

Application Server:
- Windows Server 2003 (32 bit version only)
- Windows Server 2003 (64 bit / WoW64): PM 5.1.3 Patch 3 and later
- Windows Server 2008 (32 bit version only)
- Windows Server 2008 (64 bit / WoW64): PM 5.1.3 Patch 3, IP 5.0 Patch 5, Matching 5.2 Patch 1 and later

Desktop client:
- Windows XP Professional (32 bit version only)
- Microsoft Vista (32 bit version only)
- Windows 7 (32 bit & 64 bit): PM 5.1.3 Patch 3, IP 5.0 Patch 5, Matching 5.2 Patch 1

Supported databases

For all database servers, 64 bit versions are recommended. Database server operating system support is as defined by the database server vendors. DA 3.0 does not support unicode databases.

- Microsoft SQL Server 2005, Standard or Enterprise edition (SP2 or later)
  - KPI 5.2 requires Microsoft SQL Server 2005 (SP3) including Database Engine, Agent, Integration Services, Analysis Services and Reporting Services, which are installed on the same server (stand-alone installation) or a different server (distributed installation) with the KPI web application. Note that KPI integration to other database version or type is however supported.
- Microsoft SQL Server 2008, Standard or Enterprise edition
- Oracle 10G, recommended version 10.2.0.3 or later
- Oracle 11G, recommended version 11.1.0.6 or later

Note that when using Microsoft SQL Server with multiple processors, it is recommended to split the data into as many data files as you have processors/cores for performance reasons.

Supported Internet browsers

- Microsoft Internet Explorer 7.0, 8.0
  - Buyers Tools in PM 5.1.3 uses IE7 compatibility mode, all other parts of PM work in native IE8 standards mode.
- Mozilla Firefox 2.0, 3.0, 3.5, 3.6

Requirements and the list of supported client devices for Mobile 5.1.1 can be found in the Mobile 5.1.1 specific documentation.
3 Product Compatibility

For versions released after 1.1.2010, numbering follows the major.minor.patch scheme, and compatibility between products does not change within the same major release, so minor releases and patches retain the same compatibility as the major release. Exceptions to this are stated separately. Versions released before 1.1.2010 (marked with * in the table) follow a different numbering policy, and their exceptional compatibility can be seen in the table.
4 Server Hardware Requirements

To ensure good response times and good reliability for the Basware Enterprise Purchase to Pay (EPP) system, the server hardware must be sized according to the number of users, number of invoices/purchase orders and the complexity of the configuration. This document does not specify what hardware technologies or vendors should be used, but there are generic requirements for what is needed to run the Basware EPP system efficiently. Hardware vendors can provide more information on what hardware options are available.

Some issues should be taken into account when selecting the hardware for the Basware EPP system:

- Basware Invoice Processing has CPU intensive functions and applications. Especially IIS servers running ThinClient should have as fast CPUs as possible. When using dedicated servers it is recommended to have a minimum of 2 GHz CPUs.
- There should be enough physical memory to run the database and IIS services. Each server should have a minimum of 2 GB of memory.
- Hard disks in the application server (that contains the Basware root directory) should be both fast and reliable. The same applies for the database server. Enterprise class SAS/SCSI disks are preferred for performance/reliability reasons. The customer may also use centralized database and file system services, where these performance and reliability issues have probably already been taken care of.
- If dedicated database and application servers are used, a RAID 1+0 (or 0+1) disk system provides a good balance between performance, cost and reliability. Servers running only ThinClient do not need efficient RAID systems.
- Usually RAID 5 systems should not be used in database servers running Oracle. In general RAID 1+0 is a better choice in all systems. For more explanation, please see: http://www.miracleas.com/baarf/1.millsap2000.01.03-raid5.pdf
- In all multi-server configurations, the servers should be connected to each other with a 1 Gb/s network (or faster).
- SMB access to the application server (where the Basware root directory is located) is also needed from the IP ThinClient / PM Catalog Client servers.

In case there are issues or questions concerning the hardware recommendations, customers can contact the Basware sales person or consultant, and Basware personnel may request support from Global Support or Global Product Marketing.

4.1 Server hardware

The following table describes minimum and recommended hardware configurations for different customer installations. These recommendations take into account that there are Basware Order Matching, Basware Contract Matching and Basware anyerp Adapter products installed in the same system. If all (or most) of these modules are installed, always use the recommended configuration. The recommended configuration is also needed when there are complex customizations, such as row validations, basic data checks, autoflows or similar modules that cause extra load on the application server and/or database server.

In case the environment will also have other Basware main products installed (especially Basware Purchase Management), you should first identify the environment for Basware Invoice Processing and then take the next configuration level from the table.

The disk sizes have been calculated by using an average of 3 invoice pages per invoice, where each invoice page is a 50 kb file and invoices are stored for 5 years in the system. If the actual customer environment has different parameters, the disk size of the file server should be re-calculated.

Please note that there are plenty of decisive parameters other than the documents per year and the number of concurrent and total users that affect the sizing of the hardware. Therefore it is important to understand that these figures are merely recommendations and the actual real world requirements can differ from these, depending on the customer's environment and setup. The customer is strongly recommended to contact their local Basware Consulting or Customer Support on any hardware sizing related issues.
Hardware configurations:

NOTE! The following recommendations are for guidance when considering what kind of hardware resources are needed to run the system if all servers are dedicated for Basware EPP system. In many cases all these servers are not needed if the customer has centralized database server or IIS cluster. Also centralized file storage services (SAN / NAS or similar) may be used. However when these centralized services are used, the services should have enough free capacity for the additional load Basware EPP system will create. When considering how much free capacity there must be available, the hardware recommendations in the following table will give an idea how much capacity may be needed during the highest peak hours. The application server, running Basware EPP system, should be dedicated for Basware use only.

Documents per year: < 100.000
# of users: < 500
Server requirements:
  Minimum:
  - 1 server running the database, file system, server applications and web application: 2 * 2.0 GHz CPU; 2 GB RAM; 100 GB hard disk, RAID 1+0 (100.000 invoices per year)
  Recommended:
  - 1 server running the database or database in centralized database cluster: 1 * 2.0 GHz CPU; 4 GB RAM; 20 GB hard disk, RAID 1+0
  - 1 server running file system, server applications and web applications: 2 * 2.0 GHz CPU; 2 GB RAM; 80 GB hard disk, RAID 1+0 (100.000 invoices per year)

Documents per year: 100.000 - 200.000
# of users: 500 - 1.000
Server requirements:
  Minimum:
  - 1 server running the database or database in centralized database cluster: 2 * 2.0 GHz CPU; 2 GB RAM; 20 GB hard disk, RAID 1+0
  - 1 server running the file system, server applications and web applications: 2 * 2.0 GHz CPU; 2 GB RAM; 150 GB hard disk, RAID 1+0 (200.000 documents per year)
  Recommended:
  - 1 server running the database or database in centralized database cluster: 2 * 2.0 GHz CPU; 2 GB RAM; 20 GB hard disk, RAID 1+0
  - 1 server running the file system and server applications: 2 * 2.0 GHz CPU; 2 GB RAM; 150 GB hard disk, RAID 1+0 (200.000 documents per year)
  - 1 server running web application or web application in centralized IIS cluster: 2 * 2.0 GHz CPU; 2 GB RAM; 20 GB hard disk

Documents per year: 200.000 - 400.000
# of users: 1.000 - 5.000
Server requirements:
  Minimum:
  - 1 server running database or database in centralized database cluster: 2 * 2.0 GHz CPU; 4 GB RAM; 40 GB hard disk, RAID 1+0
  - 1 server running file system and server applications: 2 * 2.0 GHz CPU; 2 GB RAM; 300 GB hard disk, RAID 1+0 (400.000 documents per year)
  - 2 servers running web applications or web applications in centralized IIS cluster: 2 * 2.0 GHz CPU / server; 2 GB RAM / server; 20 GB hard disk / server
  Note! The two servers running web application are clustered by using Windows 2003 Server network load balancing or by using other software or hardware based load balancing. Consult Basware Global Support in case you need more information on Windows 2003 Server load balancing.
  Recommended:
  - 1 server running database or database in centralized database cluster: 2 * 2.0 GHz CPU; 4 GB RAM; 40 GB hard disk, RAID 1+0
  - 1 server running file system and server applications: 2 * 2.0 GHz CPU; 4 GB RAM; 300 GB hard disk, RAID 1+0 (400.000 documents per year)
  - 3 servers running web applications or web applications in centralized IIS cluster: 2 * 2.0 GHz CPU / server; 2 GB RAM / server; 20 GB hard disk / server
  Note! The three servers running web applications are clustered by using Windows 2003 Server network load balancing or by using other software or hardware based load balancing. Consult Basware Global Support in case you need more information on Windows 2003 Server load balancing.

Documents per year: 400.000 - 1.000.000
# of users: 5.000 - 10.000
Server requirements:
  Minimum and recommended:
  - 1 server running database or database in centralized database cluster: 2 * 2.5 GHz CPU; 4 GB RAM; 100 GB hard disk, RAID 1+0
  - 1 server running file system and server applications: 2 * 2.5 GHz CPU; 4 GB RAM; 750 GB hard disk, RAID 1+0 (1.000.000 documents per year)
  - 4 servers running web applications or web applications in centralized IIS cluster: 2 * 2.5 GHz CPU / server; 4 GB RAM / server; 20 GB hard disk / server
  Note! The four servers running web applications are clustered by using Windows 2003 Server network load balancing or by using other software or hardware based load balancing. Consult Basware Global Support in case you need more information on Windows 2003 Server load balancing.

Documents per year: Over 1.000.000
# of users: Over 10.000
Server requirements:
  Minimum:
  - 1 dedicated server running database or database in centralized database cluster: 4 * CPU (Quadcore) 64 bit; 8 GB RAM; 250 GB hard disk, RAID 1+0
    NOTE! Extra attention should be taken so that Oracle is tuned based on Basware DB recommendations.
  - 1 server running file system and server applications: 4 * CPU (Quadcore); 8 GB RAM; 750 GB hard disk, RAID 1+0
  - 4 servers running web applications or web applications in centralized IIS cluster: 4 * CPU (Quadcore) / server; 4 GB RAM / server; 20 GB hard disk / server
  Note! The servers running web applications are clustered by using Windows 2003 Server (or later) network load balancing or by using other software or hardware based load balancing.

4.1.1 Server hardware requirements for catalog management

Purchase Management catalog management is very demanding for hardware performance as a lot of data is processed at the same time. These requirements should be considered as minimum requirements when processing catalogs.

Maximum size of processed catalogs: < 2.000
Server requirements:
- See requirements above

Maximum size of processed catalogs: 2.000 - 20.000
Server requirements:
- Server should be dedicated to its own server regardless of requirements otherwise
- Otherwise see requirements above

Maximum size of processed catalogs: Over 20.000
Server requirements:
- Server should be dedicated to its own server regardless of requirements otherwise
- Connector should have a dedicated server with the following minimum requirements: 2 * 2.0 GHz CPU; 1 GB RAM + 512 MB for each 10.000 products in the catalog
- Otherwise see requirements above

4.1.2 Server hardware requirements for FastScan FreeForm server

When FastScan application is used in distributed mode (scan + release) and FreeForm recognition module is used on the server, the FreeForm recognition process can fully reserve one CPU core when doing the recognition. Therefore if the FreeForm server module is installed on the application server with other server applications, the server should have multiple CPU cores and at least one free CPU core that can be used by the FreeForm recognition process. Otherwise the performance of other applications can be affected by the FreeForm recognition.
4.2 Backups

System backups should be taken regularly from the database server and the server running the file system and server applications. The customer is responsible for taking the backups. Usually when centralized database clusters and centralized file storage services are used, the backup and maintenance processes are already in place.

If the IIS server only runs the web application, the system backup must only be taken when the application has been upgraded or application settings have been changed. In case of an IIS server crash, only temporary data is lost and this data does not need to be recovered. Therefore it is sufficient to restore the system from the last application change point.

Basware does not provide backup tools (software or hardware). Contact the operating system, database and hardware vendors for more information about different backup options.

4.3 Fault tolerance

The hardware configurations described in this document are not fault tolerant systems by default. Database fault tolerance is usually achieved by using centralized database clusters, and file system fault tolerance is achieved by using RAID 1+0 disks or centralized file storage services. Please contact your database/storage vendor for clustering and/or fault tolerance solutions.

When having two or more IIS servers in a load balancing cluster, the system is fairly fault tolerant by default. If one IIS server is failing, the other server(s) will continue serving the users with somewhat slower response times. Only the users currently logged in to the failing server will need to log in to the system again.

4.4 Web application server performance

Basware web applications use server CPU resources intensively. To ensure smooth database and other server application operation, it is usually the best option to have a dedicated web application server (or servers). This is especially important when the number of users is more than a few hundred.

When there are two (or more) servers in a load balancing configuration running only the web application, the system can be made fault tolerant and efficient with inexpensive standard servers. The servers only need to have high speed CPUs, 2 GB memory and a fast network connection to both the database server and the application server. The system is also scalable, as the performance can be increased by adding one or more servers to the same cluster. In most systems, having two web application servers is efficient enough to serve 200 - 300 simultaneous users (an installation having about 3.000 - 5.000 users in total).

Please note that RFx does NOT support load balancing / clustered environments.
5 Additional Server Software Requirements

Application server and Web servers:

- Microsoft Internet Information Service (IIS) version 6.0 or above.
  - However, TEM acts as a web server itself, so IIS is only needed if Windows authentication is used.
  - DA 3.0 does not support IIS 7.0.
- MDAC (Microsoft Data Access Components) version 2.8 (http://www.microsoft.com/data)
- ODAC (Oracle Data Access Components) version 11g (http://www.oracle.com/technology/software/tech/windows/odpnet/index.html)
  - Oracle Data Provider for .NET 2.x and Oracle Data Provider for OLE DB
  - Also workstations running FastScan, Master, ProClient, Admin and Monitor should be patched.
- Microsoft .NET Framework version 1.1 and 2.0 installation is required.
- Microsoft .NET Framework version 3.0 is required by PM and CLM as they utilise Windows Communication Framework (WCF). Also anyerp Adapter Service requires Microsoft .NET Framework 3.5 and anyerp Adapter Client requires Microsoft .NET Framework 2.0, RFx requires .NET Framework 3.5 and Matching requires Microsoft .NET Framework version 3.5 SP1.
- ASP.NET AJAX 1.0 is required on the server side by PM 5.1.3 and KPI 5.2.
- Matching Client 5.2 requires AJAX Control Toolkit version 3.0.20820 (or later) installed on the server.

Please note that the Basware Common Components are required to be installed in the C:\Program Files\Basware\Shared folder. If they cannot be installed there, the installation will fail.

Application server:

- For sending emails from the Basware application server, the connected mail server needs to support regular SMTP with MIME-encoded attachments, MAPI or VIM with Lotus Notes.
6 Workstation Requirements

6.1 All windows application workstations

These requirements are for the workstations running Basware windows-based applications.

Hardware recommendations:

- Recommended CPU minimum is 2.0 GHz. Required minimum is 1.0 GHz.
- Recommended RAM minimum is 1 GB. Required minimum is 512 MB.
- Recommended screen resolution minimum is 1280*1024. Required minimum is 1024*768.
- For workstations running Purchase Management Admin application with large product catalogs with more than 20.000 products, the recommended CPU minimum is 4.0 GHz or similar and the recommended RAM minimum is 1 GB + 512 MB / each 20.000 products in the catalog.

Additional requirements for the workstation:

- Adobe Acrobat Reader version 6 or later has to be installed on the workstation to view PDF invoices and to open print preview.
- MDAC version 2.8 (Microsoft Data Access Components) or above is required for database connections.
- .NET Framework 2.0 or later is required for IP Admin.
- ODAC (Oracle Data Access Components) version 11g (http://www.oracle.com/technology/software/tech/windows/odpnet/index.html)
  - Oracle Data Provider for OLE DB
- Application must have write access to the temporary folder in the workstation.
- TCP/IP network connections to servers with HTTP protocol enabled.

Please note that the Basware Common Components are required to be installed in the C:\Program Files\Basware\Shared folder. If they cannot be installed there, the installation will fail.

6.2 Web Client workstations

Most Basware users use these fully web-based applications, requiring no components installed on the workstation. These include IP ThinClient, PM Client, Contract Approval Client, DA Client, TEM Client, KPI Reporting Tool client, RFx Client and CLM Client.

Additional requirements for the workstation:

- Screen resolution 1024x768 (minimum) is required. 1280*1024 (or higher) improves usability significantly. Minimum screen resolution for Purchase Management Buyer Tool is 1280*1024.
- Internet browser requirement: JavaScript enabled.
- In KPI Reporting Tool client, the Export to Excel feature requires Microsoft Excel XP or later.
- RFx requires Adobe Acrobat Reader in order to view and print PDF documents.
- anyerp Adapter requires Microsoft .NET Framework version 2.0 or later.

6.3 FastScan

These requirements are for the workstations running the Basware Invoice Processing FastScan application and where the paper invoices are scanned and/or interpreted. As OCR is quite a heavy operation, the workstation running FastScan should have good performance.

Hardware recommendations:

- Recommended CPU minimum is 2.5 GHz.
- Recommended RAM minimum is 1 GB. Required minimum is 512 MB.
- Screen resolution minimum 1280*1024 is required. Recommended 19" display (or larger).
- The selected scanner should support the specification of ISIS SCSI 2 adapter card or USB 2.0 or firewire, depending on the selected scanner.

3rd party components:

- Kofax VRS (virtual re-scan) is required when FastScan is used in FULL or SCAN mode. Kofax VRS is not delivered by Basware, besides in certain countries (mainly Finland) where Basware also resells scanners.
  - Kofax VRS http://www.kofax.com/vrs-virtualrescan/

Additional requirements for the workstation:

- MDAC version 2.8 (Microsoft Data Access Components) or above is required for database connections.
- Application must have write access to the temporary folder in the workstation (either to the temporary folder specified by Windows or one folder specified to the application as a registry parameter HKEY_LOCAL_MACHINE\Software\Basware\Eflow\TempPath).
- TCP/IP network connections to servers with HTTP protocol enabled.
7 Network Requirements

Basware EPP consists of Windows based applications (FastScan, Master, ProClient, Admin and Monitor) and web-based applications (IP ThinClient, PM Catalog Client, CM Approval Client, DA Client, TEM Client, KPI Reporting Tool Client and CLM Client). A majority of the users only use web applications to process their invoices, purchase orders or contracts. Typically the system main users use Windows applications (IP FastScan and Master) several hours a day. Admin, Monitor and IP ProClient applications are used less.

When considering what network resources are needed to run the Basware system, the number of different client application users must be known.

7.1 Network latency and bandwidth considerations

The overall system performance depends on the server hardware resources, network bandwidth and network latency. There are at least these options to improve the system performance:

- Improve the network quality and bandwidth.
- Use Citrix / Terminal Services systems, which often work well over slow network connections. Basware can not guarantee any performance improvements and therefore the customer should contact vendors of those systems before making a decision on using those technologies.
- Make local installations of the Basware system. It must be considered case by case whether the benefits of centralized systems are bigger than the problems caused by the slow response times.

NOTE! Network problems are almost always related to international / domestic network connections where the network traffic goes outside the local area network. The Basware system uses network capacity quite modestly and in local area networks there are usually no problems with the network capacity.

7.2 Technical requirements

The Basware EPP system needs certain network capabilities to work:

- TCP/IP network connections between workstations and servers with HTTP protocol enabled.
- SMB connection between workstations and file server (application server) as follows:
  - From IP/PM Admin application workstations always
  - From Master, FastScan and Monitor application workstations if HTTP protocol is not used.
- 1 Gb (or faster) network connection between the servers.
- 100 Mb (or faster) network connection between the servers and the gateway router.
- From the Master and FastScan workstations there should be a minimum of 512 kb/s link to the servers. 2 Mb/s connection is recommended. One 2 Mb/s network connection can support up to 10-20 simultaneous Master/FastScan users.
- From the ProClient workstations there should be a minimum of 256 kb/s link to the servers. 1 Mb/s link is recommended. Due to the nature of ProClient usage (occasional), one 1-2 Mb line can be used by a large number of users (tens). The same applies to ThinClient.
- From the ThinClient workstation there should be a minimum of 256 kb/s link to the servers. 512 kb/s link is recommended.
- When there are FastScan, Master, ProClient and ThinClient users using the same connection, the network bandwidth should be at least 2 Mb/s. Having a low network latency is also critical (less than 50 ms).

7.3 Ports needed

At least the following ports are needed for various Basware applications depending on the setup:

1. Ports 20/TCP and 21/TCP - if FTP transfers are used. Some interfaces might use this to transfer files.
2. Port 25/TCP - SMTP for IP / PM Agents mail sending.
3. Port 39/UDP - used in Windows to locate the real network address (IP address) of SMB paths.
4. Ports 80/TCP (HTTP) or 443/TCP (HTTPS) - HTTP(S) is used by all applications at least for authentication (BWUA). IP Client uses it for getting invoice data and images; e.g. BTIPC Connector and IP ThinClient use it for the whole functionality.
5. Port 135/TCP - for DCE endpoint resolution and for SQL Server Integration Services.
6. Ports 137/TCP, 138/TCP and 139/TCP - for NetBIOS in NT environments.
7. Port 445/TCP - this port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.
8. Ports 110/TCP or 143/TCP - depending on whether POP or IMAP protocol is used to receive email. If MS Exchange is used, the ports it listens on for email clients depend on the server configuration.
9. Ports 1433/TCP or 1521/TCP - for database (SQL Server / Oracle) connections, depending on the database used. These are defaults; the database might be set to use some other port.
10. Port 8000/TCP - default for anyerp Adapter and TEM.
11. In case anyerp Adapter is configured with SAP, the SAP .NET Connector requires the following TCP ports for RFC communication with the SAP R/3 (or ECC) server: port 3300 + system number (if system number is e.g. 02 then the port is 3302), and the SAP frontend GUI uses port 3200 + system number.
12. anyerp Adapter uses the following TCP port range by default: 4175/TCP - 4179/TCP. The ports are used for communication between anyerp Adapter server and anyerp Adapter client and they are user configurable.
13. Port 2353/TCP - for SQL Server Analysis Services (KPI). SSAS default instance listens on TCP port 2383 and named instances of SSAS are assigned a port dynamically.
14. Port 8888/TCP - for TEM attachment service.
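The port list above can be turned into a per-installation allow-list and compared with the rules actually open on a firewall. The following is an added example, not Basware code: the Deployment fields, the function names and the sample rule set are assumptions constructed for illustration, and the port numbers are the defaults listed in section 7.3.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Port = Tuple[int, str]  # (port number, "tcp" or "udp")


@dataclass(frozen=True)
class Deployment:
    """Hypothetical profile of one installation (field names are assumptions)."""
    database: str = "mssql"                  # item 9: "mssql" (1433) or "oracle" (1521)
    https_only: bool = True                  # item 4 allows 80 or 443
    ftp: bool = False                        # item 1
    smtp: bool = True                        # item 2
    smb: bool = True                         # items 3 and 7
    netbios: bool = False                    # item 6, NT environments only
    inbound_mail: Optional[str] = None       # item 8: "pop", "imap" or None
    anyerp: bool = False                     # items 10 and 12
    sap_system_number: Optional[int] = None  # item 11
    tem: bool = False                        # items 10 and 14
    kpi: bool = False                        # items 5 and 13
    ssas_port: int = 2383                    # item 13 names 2353 and 2383; set per instance


def required_ports(d: Deployment) -> Dict[Port, str]:
    """Map every port this deployment needs to the reason given in section 7.3."""
    need: Dict[Port, str] = {}

    def add(port: int, proto: str, why: str) -> None:
        need[(port, proto)] = why

    add(443 if d.https_only else 80, "tcp", "HTTP(S): BWUA authentication, web clients")
    if d.ftp:
        add(20, "tcp", "FTP file transfer")
        add(21, "tcp", "FTP file transfer")
    if d.smtp:
        add(25, "tcp", "SMTP mail sending by IP / PM agents")
    if d.smb:
        add(39, "udp", "locating SMB path addresses (as listed in item 3)")
        add(445, "tcp", "Windows file sharing (SMB)")
    if d.netbios:
        for p in (137, 138, 139):
            add(p, "tcp", "NetBIOS in NT environments")
    if d.inbound_mail is not None:
        mail = {"pop": 110, "imap": 143}
        if d.inbound_mail not in mail:
            raise ValueError("inbound_mail must be 'pop', 'imap' or None")
        add(mail[d.inbound_mail], "tcp", "receiving email")
    databases = {"mssql": 1433, "oracle": 1521}
    if d.database not in databases:
        raise ValueError("database must be 'mssql' or 'oracle'")
    add(databases[d.database], "tcp", "database connections (default port)")
    if d.anyerp or d.tem:
        add(8000, "tcp", "anyerp Adapter / TEM default")
    if d.anyerp:
        for p in range(4175, 4180):
            add(p, "tcp", "anyerp Adapter server/client (default range)")
        if d.sap_system_number is not None:
            if not 0 <= d.sap_system_number <= 99:
                raise ValueError("SAP system number is two digits (00-99)")
            add(3300 + d.sap_system_number, "tcp", "SAP RFC (SAP .NET Connector)")
            add(3200 + d.sap_system_number, "tcp", "SAP frontend GUI")
    if d.tem:
        add(8888, "tcp", "TEM attachment service")
    if d.kpi:
        add(135, "tcp", "DCE endpoint resolution / SQL Server Integration Services")
        add(d.ssas_port, "tcp", "SQL Server Analysis Services (KPI)")
    return need


def audit(open_rules: List[Port], d: Deployment) -> Tuple[List[Port], List[Port]]:
    """Return (open but not justified by the profile, needed but not open)."""
    need = set(required_ports(d))
    opened = set(open_rules)
    return sorted(opened - need), sorted(need - opened)


# Constructed sample: allow rules exported from a firewall in front of the servers.
SAMPLE_RULES: List[Port] = [
    (21, "tcp"), (25, "tcp"), (39, "udp"), (80, "tcp"), (443, "tcp"),
    (445, "tcp"), (1433, "tcp"), (1521, "tcp"), (3302, "tcp"), (8000, "tcp"),
]
# Constructed sample: SQL Server back end, HTTPS only, anyerp Adapter with SAP system 02.
SAMPLE_DEPLOYMENT = Deployment(anyerp=True, sap_system_number=2)

if __name__ == "__main__":
    unjustified, missing = audit(SAMPLE_RULES, SAMPLE_DEPLOYMENT)
    print("open without a documented need:", unjustified)
    print("needed but not open:", missing)
```

Rules reported as open without a documented need are candidates for removal; where the database or the adapter has been moved off its default port, adjust the profile rather than widening the rule set.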
8 Scanner Requirements

Basically all scanners that support the following drivers can be used with the Basware Invoice Processing product:

- TWAIN support for Master application
- ISIS support for FastScan application
- Kofax VRS for FastScan application

When selecting a scanner, please notice the following:

- Speed of scanner
- ADF (automatic document feeder) performance
- Need for flatbed
- Support from vendor
- Image quality enhancement options for scanner (especially VRS support)

Some examples of scanners for FastScan use (columns in the original table: Low End (*), Middle End (*), High End (*)):

- Without flatbed: Canon DR-2080C, Fujitsu fi-5120c, Canon DR-3080CII, Fujitsu fi-5530c, Canon DR-7080C, Canon DR-9080C
- With flatbed: Fujitsu fi-5220c, Fujitsu fi-4340c, Fujitsu fi-4750c, Fujitsu fi-5750c

(*) All these scanners can be used with Kofax VRS. Scanners require either a SCSI adapter or a USB 2.0 port.
9 Security Requirements

All underlying operating systems and databases should be up to date with the latest security patches. Operating systems and Microsoft SQL Server should be hardened according to Microsoft's best practices and Oracle RDBMS should be secured according to Oracle's guidelines.
10 Software distribution

Basware software can be distributed to workstations using standard Microsoft Installer packages (MSI packages), except for TEM, which is supplied in a simple ZIP archive, ready to be unpacked in a correct directory.

The distribution is needed for the windows-based applications such as the Admin application, Master/ProClient applications and scanning applications. However, the PM Workstation package is auto-updateable, so in most installations it is enough to have at least the PM 3.3.1 workstation package, which will update to the latest version automatically from the PM Server. However, for special cases the workstation package is needed (i.e. Citrix environment).

The web clients (IP ThinClient, PM Client, Matching Client (opened from ThinClient), CM Approval Client, DA Client, TEM Client, KPI Reporting Tool Client, RFx Client and CLM Client) don't need separate workstation installation.

MSI packages can be pre-configured to enable, for example, silent workstation installation by customer IT persons.
11 Authentication methods

Basware user authentication features offer an easy to use, secure and simple way to validate users and store database connection strings. Database connection strings are stored in one encrypted file on the server. The file is created with the separate BWUAAdmin application. The file will include two connection strings, one for the server applications and one for the front end applications.

There are two different methods available for authentication:

- Windows authentication (WIN)
  - This is the default authentication method.
  - When the WIN method is in use, client application users are authenticated according to the account which is logged on to the workstation.
- Basware user authentication (BW)
  - In this method users are validated against the application using user id and password. User credentials are stored in the Basware database.
  - This method should be used in all installations where users do not belong to a domain (e.g. Novell network is in use).

Communication between the workstation and the server is made using HTTP/HTTPS.

Note: Supplier Portal authentication mechanism is based on forms authentication against its own user store. Basware Supplier Portal does not utilize BW or WIN authentication.

11.1 Known limitations

- Basware user authentication is not supported by KPI Reporting tool and Mobile applications.
- Basware user authentication is not supported by Matching client 5.0 (or newer) (manual matching); other Matching applications support it.
- Basware user authentication is not supported by TEM. TEM WinClient uses Windows operating system mechanisms for authentication and WebClient utilises IIS in authentication.
- To use Basware authentication in a mixed environment of IP 3.5 and PM 5.x, a minimum of PM 5.0 patch 6 or PM 5.1.2 Patch 1 is required.
12 Security overview

12.1 Application security

Internal user rights in Basware applications are set via the Admin applications. The Admin application requires a separate user-specific license. Access to the different applications is controlled with application-specific licenses. Basware uses named licenses, so each user has to have a named license in order to use an application. Examples of different licenses are the IP ThinClient license, the PM Client license and the IP Master license.

Once access to a certain application is given, the rights to different business documents are controlled by user privileges, which can be set either on a user level or on a user group / role level. These rights determine what an individual user can do within the application. Examples of user privileges are purchase requisition creation, modification, approval (with limits) rights (PM) and rights to review or approve (with limits) an invoice.

For the approval action, it is possible to set a separate user-specific approval password, which the user has to give each time when approving an invoice or purchase requisition.

12.2 System security

If the Basware authentication method is used, the login passwords are stored encrypted in the Basware database. The connection string to the Basware database is stored encrypted on an application server. The invoice images stored in the Basware file system are encrypted and can be opened only via a Basware application. The access rights to the Basware file system (bwroot folder NTFS rights) have to be set according to Basware instructions in order to have sufficient security. HTTP(S) is used for communication and data transfer between workstations and servers.
13 Support for virtual server environments

Basware EPP Products will be primarily tested and developed to work with the operating systems, products and environments mentioned in the EPP Product Compatibility Matrix (found in Chapter 3 - Product Compatibility). Basware also aims to ensure that the EPP Products are compatible and work with the most common and widely used virtualization products and environments. Contact your Basware consultant for more information.
14 Support for distributed environments

Distributing different software components into different physical or virtual machines is typically the easiest and most affordable way to improve scalability. The increased scalability and other benefits usually more than compensate for the increased complexity of the environment. Contact your Basware consultant for more information.
15 Support for clustering (loadbalancing / failover)

Clustering provides reliability, high availability and easy scaling for your mission-critical applications and services. Contact your Basware consultant for more information.
16 APPENDIX A: Terminology

SMB: Server Message Block, an application level protocol used to provide shared access to files, printers and miscellaneous communications between nodes on a network. Often known simply as Microsoft Windows Network.

UNC: Uniform Naming Convention, specifies a common syntax to describe the location of a network resource, such as a shared file or directory.