• Introduction
  • Delft-FEWS Supported release versions
  • Central database
    • Oracle
    • PostgreSQL
    • SQLServer
• Delft-FEWS components
  • Operating Systems
    • Linux
    • Windows
  • JDK
  • Master Controller Server
  • Admin Interface
    • Support for external authentication (optional)
  • Config Manager
    • Support for external authentication (optional)
  • Operator Client / Stand alone
    • Support for external authentication (optional)
  • Forecasting Shell Server
    • Low duty / Heavy duty FSS Groups
  • Database Proxy
    • Support for external authentication (optional for OC / CM, not available for MC-MC synch)
  • Delft-FEWS Web Services
  • Deltares Open Archive
• General remarks on installation
• Security
  • Tomcat
  • JRE/Java
  • Local databases (Operator Client, Stand Alone)
  • Central Database access
  • Forecasting Shells
  • Operator clients
  • Multi-layered security approach
• End-Of-Life of third party components

Introduction

Many clients wish to know what the hardware and operating system requirements are for a Delft-FEWS client-server system. On this page you can find a list of specifications. If you have any question about the list, or you do not see the operating system of your choice: please contact Delft-FEWS Support. This list is not exhaustive.

Delft-FEWS Supported release versions

All recent Delft-FEWS releases require 64-bit hardware and OS. Deltares supports at maximum 5 versions. If still running a no longer supported version it is strongly recommended to upgrade to a supported version.

Central database

Central storage for operational Forecast data. One instance per Master Controller. 

Minimum requirements

• Follow database vendor requirements for memory and CPU requirements.
• 4 GB RAM for the database server is required for a small FEWS instance with less than 5 users. 8 GB or more for larger systems.
• The database instance(s) can be hosted on an existing database server or cluster.
• See also Database connection count calculator

The Delft-FEWS client-server system is known to run with the following database versions:

Oracle

• No further comments

PostgreSQL

• The maximum size for PostgreSQL database fields in Delft-FEWS is 1 GB. As a result, all big files such as Module config files and ColdStates must respect this limit. WarmStates exceeding this size can be stored externally on the file system. If using pg_dump to make a database dump, the limit is 512 MB. The Configuration Manager will not allow files larger than 500 MB to be uploaded.

SQLServer

• The maximum size for SQLServer database fields in Delft-FEWS is 2 GB. As a result, all big files such as Module config files and ColdStates must respect this limit. WarmStates exceeding this size can be stored externally on the file system.

Delft-FEWS components

Operating Systems

Follow vendor guidelines for minimum requirements. The Delft-FEWS binaries require the x64 instruction set.

Linux

• Red Hat Enterprise Linux 8 / 9
• AlmaLinux 8 / 9

Windows

• Windows 11
• Windows Server 2016  / 2019 / 2022 / 2025; Note Windows Server 2016 security support ends on 12 Jan 2027, see links below.

JDK

Master Controller Server

Server for workflow management, event processing, sending system alerts, and cleaning up expired records. Synchronizes from other Master Controllers in multi-MC systems. Multi-MC systems are useful for redundancy and / or for cooperation between organizations.

Minimum requirements

• OS minimum +1 GB RAM (multi Master Controller systems +2 GB)
• OS minimum +1 CPU per Master Controller instance
• 10 GB free disk space

Admin Interface

Web application for super-users for monitoring, system control and task scheduling.

Minimum requirements

• See Tomcat requirements - 2025.02 and later, +512 MB RAM.

• At least -Xmx512m

• Webbrowser with JavaScript and session cookies enabled.

• Load balancers must use sticky sessions.

• Supported browsers (recent version):

  • Chrome
  • Firefox
  • Edge

Support for external authentication (optional)

• Open ID Connect (OAuth2)

Config Manager

Minimum requirements

• OS minimum  +2 GB RAM
• OS minimum  +1 CPU
• 20 GB free disk space

Support for external authentication (optional)

• Open ID Connect when using Delft-FEWS Database proxy.

Operator Client / Stand alone

Minimum requirements

• OS minimum  +2 GB RAM
• OS minimum  +1 CPU
• 20 GB free disk space

Support for external authentication (optional)

• Open ID Connect when using Database proxy. For a Stand Alone, external authentication is only available when using Open ID Connect with the Archive Server.

Forecasting Shell Server

Server for execution of forecast runs and import tasks. 

Low duty / Heavy duty FSS Groups

It is good practice to categorize workflows based on CPU/memory requirements into specialized Forecasting Shell Server Groups.  Simple import workflows often require fewer resources than heavy-duty forecast models.

Minimum requirements

• OS minimum +2 GB RAM + model requirements
• OS minimum +1 CPU per FSS instance + model requirements
• 20 GB free disk space + model requirements

Delft-FEWS Database Proxy

Optional server for enabling HTTP(S) access to the central database. Typically used in combination with a reverse proxy server. Typically used for connecting Operator Clients to the central database. Never used by the FSS. Sometimes used for Config Manager / MC-MC synchronization with external networks.

Minimum requirements

• See Tomcat requirements - 2025.02 and later, +1 GB RAM.
• At least -Xmx1024m
• Load balancers must use sticky sessions.

Support for external authentication (optional for OC / CM, not available for MC-MC synch)

• Open ID Connect (OAuth2)

Delft-FEWS Web Services

Optional service that allows PI-REST clients to interact with and retrieve data from the Delft-FEWS system.

Minimum requirements

• See Tomcat requirements - 2025.02 and later, +2 GB RAM +1 CPU

  • Based on the FEWS configuration the memory requirements might be 4 GB RAM or more

• At least -Xmx1536m

Deltares Open Archive

Minimum requirements

• See Tomcat requirements - 2025.02 and later, + 2 GB RAM + 1 CPU
• Load balancers must use sticky sessions.
• Permissions for the file system containing archive data:
  • Must be accessible by the THREDDS server with read permissions.
  • Must be accessible by the Archive Server with full permissions.
  • Must be accessible by the Forecasting Shell Servers with write permissions.

General remarks on installation

The Delft-FEWS components can all be located on one (powerful) server or each on an individual machine, with all possible configurations in between. However, it is common practice to separate the Forecasting Shell Server from the Master Controller Server. When using multiple machines, it is essential that all machines have matching clocks. This can be achieved by using the same NTP server.

A typical configuration is:

• Database Server
• Master Controller server running Master Controller(s),  Apache Tomcat for Admin Interface
• Forecasting Shell Server(s)
• Delft-FEWS WebServices
• Open Archive Server

Typically, in a dual Master Controller setup, each Master Controller has its own machine, allowing maintenance to proceed without offline time.

Security

Read more about the shared responsibility model. Security - Shared responsibility model for Delft-FEWS system installations

Shared responsibility model

Historically, the Delft-FEWS server software was most commonly installed on-premises at the customer site on servers that were not directly connected to the internet. Nowadays, more and more Delft-FEWS applications are being deployed in the cloud. This means that security standards and guidelines for the installation of live systems have become more critical than ever. Delft-FEWS runs on top of a stack of components like 3rd party components: databases, Tomcat, and an embedded JRE.

[!IMPORTANT] It is the primary responsibility of the customer to apply the latest security fixes to the OS, database, Tomcat and all other components.

For updates on the embedded JRE, it is recommended to contact Deltares. The role of Deltares is to provide guidelines and, where possible, facilitate security best practices. Deltares maintains a Delft-FEWS Client-Server System Guide especially for system and database administrators. To view these pages, personal credentials can be supplied. These pages contain highly detailed information on installing and upgrading Delft-FEWS, including security aspects. In the near future, it is expected that more and more managed services from cloud providers (e.g., Tomcat, databases) can be used.  All Delft-FEWS developers are security-aware and regularly evaluate existing and potential vulnerabilities. Together with our colleagues from our ICT department, they meet regularly to discuss (potential) improvements for each Delft-FEWS release.

Tomcat

Tomcat is required for the deployment of the Admin Interface, Database HTTPS Proxy, Fews Webservices and the Deltares Open Archive. Tomcat is installed and maintained by the customer organization. Deltares indicates which version of Tomcat is compatible with / required for which version of Delft-FEWS. All security related aspects available in Tomcat can be applied and are under the responsibility of the customer organization.

[!CAUTION] For Admin Interface clients / proxies that are exposed to the internet it is crucial that the highest stable release version of Tomcat with security fixes is used. This prevents exposure from common vulnerabilities and exposures (CVEs).

For releases up to 2022.02, any tomcat9 version should be able to work for our Admin Interface / HttpProxy / PI Service / ArchiveServer web containers. This requires that the correct Java version matching the indicated JRE version for the Delft-FEWS release version is used and this Java version must be compatible with the Tomcat distribution.

See http://tomcat.apache.org/security-9.html

• Run Tomcat server as an unprivileged user and NOT root / Administrator.
• Tomcat user has read-only permission to the contents of the conf/, bin/, and lib/ directories in ${CATALINA_HOME.}.
• Limit the Tomcat user’s access and permissions to only the needed directories and files work / temp / webapps / logs.
• Uninstall all non-essential web applications in the webapps/ directory, including the applications that come with Tomcat.

JRE/Java

In several components of Delft-FEWS a (stripped down) version of Java/JRE (Java Runtime Environment) is embedded. This JRE folder is a recognizable and standard part of the Delft-FEWS binary package for Operator Clients and Forecasting Shell Servers. This means that Deltares delivers an optimized (and minimal) Java Runtime Environment based on Amazon Corretto's series. This so-called base-build can be updated and Deltares will release new base-builds if required. Since the JRE folder is recognizable within the Delft-FEWS binaries, organizations may decide to replace this JRE folder in favour of another (compatible) version of the JRE. It is certainly possible to use a different provider (e.g. Oracle Sun or the openJDK). Replacing the JRE can be done by creating a soft link to the JRE directory or by replacing the JRE folder.

Local databases (Operator Client, Stand Alone)

In recent versions of Delft-FEWS there is no need for a local database (datastore) for an Operator Client (OC) in a client-server environment. Although it is still possible to have a 'fully synchronized' (local) database in an OC or to create a 'replicate' of the central database to continue working as a standalone (SA). There are two data formats available: Derby or Firebird. These are just local files (just like any other file on the file system) and they do not require any software installed for managing it. The Delft-FEWS Operator Client or Stand Alone application just reads from and writes to this database format. This mechanism cannot be used as a ‘hub’ to enter other server side components.

Central Database access

Delft-FEWS can be equipped with one of three common brands of central databases: Oracle, PostgreSQL or MS SQLServer. Access to the central database is required for several Delft-FEWS servers side components. These components are normally located behind the organization's firewall (same network) or in the secure domain of a data centre or cloud provider. Operator client access to this database is also required, but when set up from 'outside' the organization's network, a https (proxy) server (including IP whitelisting) should be in between. Deltares can provide this.

Forecasting Shells

1. The Delft-FEWS binaries folder should be made read-only.
2. Forecasting Shell Servers (FSS) should have limited permissions (rights). Only write access within their own directory.
3. Only provide access to the data feed shared folders for FSSs.
4. The account for installing should be different than the account running processes
5. When applying external simulation software, ensure the executables and other libraries have only permission to be run locally.

Operator clients

1. The Delft-FEWS binaries folder should be made read-only.
2. When using the optional JCEF browser, white-listing is used to grant access to webpages.

Multi-layered security approach

• The inner layer is the central database (and optionally Deltares Open Archive).
• The middle layer are Delft-FEWS components that communicate directly with the database using encryption.
• The third layer (optional) is a reverse proxy to the database that can be accessed externally.
• The outer layer is the bastion host (optional).

End-Of-Life of third party components

Deltares cannot support any release that is marked as end of life by the supplier. For a quick check whether a component is still supported: