2.1. Prerequisites

2.1.1. Operating system

A 64-bit Linux distribution with systemd as the service manager. The server is tested on RHEL 9 and its rebuilds (Rocky, AlmaLinux), and on Debian 12 / Ubuntu 22.04 LTS or newer. Any distribution that provides a JDK 21 and a working systemd should be fine.

2.1.2. Java runtime

A JDK 21 (LTS) runtime is required. Eclipse Temurin is recommended; other vendor builds (Azul Zulu, Amazon Corretto, RedHat build of OpenJDK) work equally well. The server will refuse to start on older major versions.

Confirm the installed version:

$ java -version
openjdk version "21.0.x" 2024-xx-xx LTS

The JDK does not need to be on the shell PATH for the service itself - the systemd unit can reference the java binary by absolute path.

2.1.3. Disk space

Two directories need to be planned for:

  • Installation directory (e.g. /opt/toa-server) - holds the fat jar, the config/ folder and the bundled README. A few tens of megabytes.

  • Data root (toa-server.dataRoot in the configuration) - holds every received import until it is either forwarded to the storage server and cleaned up, or retained for audit. Size this directory for the expected mail volume and retention window; the on-disk layout is one folder per import day (see On-disk layout). The data root and the installation directory may live on different filesystems.

A few hundred MB of RAM is enough for a basic install; a 1 GB heap (-Xmx1g) is a comfortable starting point and covers bursts of large EML uploads (single upload is capped at 100 MB by default).

2.1.4. Network

The server itself listens on a single HTTP port (default 8080, configurable through server.port) and is designed to sit behind a reverse proxy that terminates TLS and serves the Outlook add-in task pane on the same origin. The reverse proxy then forwards /api/* requests to the TOA server - see Hosting the task pane for a full nginx example.

The server does not terminate TLS itself. Exposing the raw :8080 port to the internet is not supported.

Outbound connectivity required by the server:

  • Storage server (e.g. Damis) - HTTP(S) endpoint configured per domain under storageServer.url. Reachable from the server host.

  • Template catalogue URL (optional) - if any domain uses templates.url to fetch its cmserver XML, the server must be able to reach that URL on startup and at the configured refresh interval.

No inbound or outbound database connections are required. The server persists all state on the local filesystem under dataRoot.

2.1.5. Service account

It is strongly recommended to run the server as a dedicated, non-login system user (e.g. toa-server). The user needs:

  • read access to the installation directory;

  • read-write access to the data root;

  • no shell login (/sbin/nologin or /usr/sbin/nologin);

  • no elevated privileges - the server never binds to a privileged port; the reverse proxy does that.

The concrete account creation command is shown in Installing TOA server.

2.1.6. Artifactory access

The release artefacts are distributed through the LightComp Artifactory instance. The customer receives a dedicated account with read access to the distributions repository (base URL https://artifactory.lightcomp.cz/artifactory/distributions/). The credentials are delivered separately and are not documented here.