Deploying Claris Server

Claris Server is the equivalent of FileMaker Server but part of the new Claris Platform and, as such, directly tied to your Claris subscription or ‘org.’

Unlike FileMaker Server, Claris Server is only available for Ubuntu 20.04, and its setup is currently more intricate than setting up FileMaker Server.

Specifically, Claris Server requires you to log into your Claris ID, and that necessitates a desktop and Google Chrome to make that initial connection.

However, don’t choose Ubuntu Desktop when you set out to install a new machine. You still need to pick Ubuntu Server. Ubuntu Desktop is meant for laptops and workstations. Ubuntu Server is the only correct version to run Claris Server of FileMaker Server. Ubuntu Server does not come with a GUI:Ubuntu Server or Unbuntu Desktop?

Screenshot when installing Ubuntu Server, which does not install a graphical user interface.

You will add a desktop temporarily as part of the installation.

First, install the Ubuntu Server version as per normal.

Install a Desktop

Once you have Ubuntu Server, there are any number of desktops available to install, but there is only one that will work because the Claris Server installer has a hard-coded check for it: ubuntu-desktop.

The lightweight version of this desktop (ubuntu-desktop-core), however, does not work. Unfortunately, you need to install the full desktop, which – if you are not careful – comes with a lot of unnecessary software such as Gimp, LibreOffice, media players, etc. A grand total of about 3GB worth of applications that are totally unnecessary.

We sincerely hope that Claris updates the Claris Server to allow for Claris ID login through the admin command line or API so that the desktop requirement and its increased attack surface can be left behind.

SSH into your Ubuntu Server and run these two commands:

sudo apt update
sudo apt install --no-install-recommends ubuntu-desktop

The –no-install-recommends prevents Ubuntu from installing all the unnecessary recommended software and cuts down the total desktop size from nearly 3GB to just over 1GB.

And because Ubuntu Server does not automatically boot into GUI mode, run this command:

sudo systemctl set-default graphical.target

The Claris installer will also error out if this setting is not set.

Install RDP

The desktop is now installed, but you still need a way to get to it remotely if your server is not a physical server with a screen.

You can, of course, install a VNC server instead, but we have a whole fleet of FileMaker Server Windows machines where we use RDP, so it fits more naturally for us to install an RDP-compatible client. We will also remove it once we are done. Run these two commands to install xRDP and set it to automatically start when the machine starts

sudo apt install xrdp
sudo systemctl enable --now xrdp

The machine is now available through the normal RDP port 3389.

Depending on your initial server setup, you may need to set a password for the default user. For AWS instances, for instance, that user is ‘ubuntu’ but does not have a password since most access through SSH is passwordless by using a key instead. Run this command and set a password when prompted:

sudo passwd ubuntu

Reboot the machine at this point to consolidate all the changes:

sudo reboot now

Be Careful — Do Not Upgrade to Ubuntu 22!

When you RDP into Ubuntu for the first time, you will see a dialog that tells you that there is a new version of Ubuntu available. DO NOT UPGRADE. The message is about upgrading from Ubuntu 20.04 to Ubuntu 22.04, and Claris Server is not compatible with 22.

Dialog that appears when you RDP into Ubuntu prompting you to upgrade to 22.04 -- Do not upgrade as Claris Server is not compatible with 22.

Similarly, do not follow the prompt you can see on the command line when you SSH into Ubuntu:

Screenshot of the command line prompt when you SSH into Ubuntu -- do not run the upgrade.

Install Google Chrome

You can now log into the server and install Chrome the usual graphical way by using the desktop’s browser (which is Firefox for Ubuntu desktop).

It is also very easy to install from the command line though with these two commands:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install ./google-chrome-stable_current_amd64.deb

Install Claris Server

The Claris Server installer is still a zip file, and the easiest way to install it is still through the command line in an SSH session or on the server.

Unzip the archive into a folder (named fms in the example below)

unzip cs-40.0.2.19-amd64-Ubuntu20.zip -d fms

cd into the new folder and run the installer:

sudo apt install -y ./claris-server-40.0.2.19-amd64.deb

The Claris Server install process is very similar to the one for FileMaker Server: you’ll be asked for the Admin Console username and password, and you will set a PIN.

If the installer detects that something is not ready, then you will see an error like below. During testing, we got these when we were using incompatible desktop versions.

=== Perform pre-installation of claris-server_40.0.2.19 (install)
  Error! Installation can only proceed in a desktop environment with a web browser.
  Please run the commands' sudo apt install ubuntu-desktop' to install a desktop environment.
  Run the commabnd 'sudo systemctl set-default graphical.target'.
  Reboot the system in graphical mode with desktop environment and install Google Chrome Browser.
dpkg: error processing archive /home/ubuntu/Downloads/fms/claris-server-40.0.2.19-amd64.deb (--unpack):
 new claris-server package pre-installation script subprocess returned error exit status 21
=== Perform post-uninstallation of claris-server-40.0.2.19 (abort-install)
Errors were encountered while processing:
 /home/ubuntu/Downloads/fms/claris-server-40.0.2.19-amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

If this happens, use sudo apt autoremove <what you just installed> to uninstall the desktop you have just installed and install the ubuntu-desktop package.

If all went well, then just reboot the server.

sudo reboot now

Adjust the firewall

Claris Server installs a Linux firewall as part of its dependencies and enables it to disallow non-Claris traffic while leaving the SSH port open as well.

You will need to open the RDP port for the next steps.

Check what ports are open with:

sudo firewall-cmd --list-all

add the RDP port:

sudo firewall-cmd --zone=public --permanent --add-port=3389/tcp

and ask the firewall to re-load the rules:

sudo firewall-cmd --reload

If you find that the port is still not open, you can restart the firewall:

sudo systemctl stop firewalld
sudo systemctl start firewalld

Configure Claris Server

RDP into the server and open Chrome. In Ubuntu’s desktop, click on Activities in the top left and type in chrome in the search bar:

Screenshot after using RDP into the server and opening Google Chrome

Type in the usual localhost address to get to Claris/FileMaker Server:

https://localhost:16001

You will be greeted by the usual Admin Console login page. These early versions of Claris Server still have lots of references to FileMaker Server that will get cleaned up in the next few releases.

Admin Console login page

Log in with the username and password you set as part of the installation process. Immediately the browser will ask you to log into your Claris ID:

After logging into the Admin Console, you will need to enter your Claris ID.

After a successful login, you will be presented with the different Claris organizations that you are part of, and you can choose the one that this server belongs to:

Upon successfully logging in, choose the team that the server belongs to.

Select your org and click Next. The Admin Console will now load. From this point forward, you do not need to use the Claris ID anymore; you can log into the admin console locally and remotely with the regular admin console credentials you have set.

Screenshot of the Claris Server Admin Console

Install your custom SSL certificate, and now you can also access the admin console remotely on its usual port 443.

Removing What You Don’t Need

While it is tempting to leave everything in place, there are now a lot of unnecessary applications on your server, and the attack surface is much bigger than it needs to be. Consider these security implications carefully before you decide to leave your server full of unneeded applications.

Removing the desktop and xRDP does not break the Claris Server functionality. It does have one consequence: from this point forward, you will need to use the upgrade-in-place method of installing new Claris Server versions. If you are used to uninstalling-and-reinstalling, then that will require you to re-link your server to a Claris ID, and that requires the desktop and Google Chrome.

Run this command to uninstall both xRDP and ubuntu-desktop and have Ubuntu automatically clean up the unneeded dependencies:

sudo apt purge xrdp ubuntu-desktop
sudo apt autoremove xrdp ubuntu-desktop
sudo apt autoclean

Set Ubuntu to boot by default back into text mode and not GUI mode

sudo systemctl set-default multi-user.target

and remove port 3389 from the firewall rules

sudo firewall-cmd --zone=public --permanent --remove-port=3389/tcp

reboot the machine:

sudo reboot now

What’s Next?

Remember that Claris Server can only host files with the .claris extension; it cannot host regular FileMaker files.

There are other significant differences as well with the FileMaker Server you are used to, and we will cover those in follow-up blog posts.

If you need consulting and support in your adoption, please contact our team.

8 thoughts on “Deploying Claris Server”

  1. great post Wim.. couple of things in there that I missed while doing it by myself. Thanks for all you offer to the community

    1. Unfortunately not. The pre-install script that is part of the CS deb installer explicitly checks to see if ubuntu-desktop is installed and will refuse to install if the desktop is not there:

      So in order to use a tunnel you’d also need to modify the deb installer first.

  2. Brilliant as always Wim, a lot more faff than standard server but your step-by-step guide had me up and running in no time.

  3. Gerard van der Wolf

    Great help for Dummies on Linux (like me).
    The only part that is missing is you need to download the Claris Server software through Chrome. And then you need to navigate to the downloaded file in your terminal. At Claris they don’t seem to realise it might be usefull to have a direct download from the command line.
    Thanks to this guide I managed to install a Claris Server on Linux… but to be honest… installing FileMaker Server on Windows would have taken me much less time…

    1. Good catch. I use a bash shell script to do the actual install and that shell scripts grabs the file from an S3 bucket where we keep our installers. That part of our install process is the same for Linux FileMaker Servers. I could have made that more clear.
      You can also use wget or curl to grab the installer from Claris, without having to use the UI.

  4. Jonathan Nicoletti

    Great post Wim! Along with “The Penguin is Back!” article, this got me up and running for with linux for the first time ever. Regarding security, are there any resources that cover keeping things secure from the AWS side? Additionally, say one keeps the inbound rules for RPD very limited (perhaps just a singular ip), would the attack surface area still be as large with RPD installed?

    1. Thanks, Jonathan!
      The size of the attack surface doesn’t change by limiting access. The fact remains that there are exponentially more packages/apps installed that each can be exploited for execution / persistence / further exploration / defensive evasion / rights escalation / … . The Mitre Attack Matrix gives a good overview of how attacks happen in may layers (https://attack.mitre.org/). By not having things installed, you reduce the surface.
      Limiting access is a must-have defence. But say that I can side-load something through a FM container to take advantage of the many things that come with a desktop? I’ll have more changes of success on a machine with a many applications than on a machine with few applications.

Leave a Comment

Your email address will not be published. Required fields are marked *