Jaxon DSAIL Platform - Usage Instructions

This guide walks through the complete buyer experience: launching the platform from AWS Marketplace, accessing it for the first time, and day-to-day operations.

Prerequisites

Launching the Platform

Step 1: Subscribe and Configure

From the AWS Marketplace product page, click Continue to Subscribe, then Continue to Configuration.

Select the deployment region:

RegionID
US East (N. Virginia)us-east-1
US East (Ohio)us-east-2
US West (N. California)us-west-1
US West (Oregon)us-west-2

Click Continue to Launch, then choose Launch CloudFormation as the launch action.

Step 2: Fill in Stack Parameters

The CloudFormation template creates all required infrastructure. Fill in the following:

Instance Configuration

ParameterDescription
Instance TypeDefault: r8i.2xlarge (8 vCPU, 64 GiB RAM). Minimum recommended for production workloads.
VPC IDSelect the VPC to deploy into.
Subnet IDSelect a public subnet (must have internet access for LLM API calls).

Platform Configuration

ParameterDescription
OpenAI API KeyYour API key for LLM access. This is stored securely and never exposed in logs or outputs.
External URLOptional. Enter your domain (e.g., https://jaxon.example.com) if you have DNS configured. Leave empty to auto-detect from the instance public IP.

SSH Access (Optional)

SSH is disabled by default. The platform uses AWS Systems Manager Session Manager for shell access -- no keys or open ports needed.

ParameterDescription
Enable SSHSet to true only if you need traditional SSH access.
SSH Key PairRequired if SSH is enabled. Select an existing EC2 key pair.
SSH Access CIDRRequired if SSH is enabled. Your IP address in CIDR notation (e.g., 203.0.113.5/32). Find your IP at https://checkip.amazonaws.com and append /32.

SSL/TLS (Optional)

ParameterDescription
SSL CertificateBase64-encoded certificate. Leave empty to auto-generate a self-signed cert.
SSL Private KeyBase64-encoded private key. Leave empty for self-signed.

Storage Encryption (Optional)

ParameterDescription
Encrypt EBS VolumeDefault: true. Encrypts the root volume at rest.
EBS Encryption KMS Key IDOptional. Leave empty to use the default aws/ebs key.

Step 3: Launch the Stack

Review the parameters and check the IAM capabilities acknowledgment box. Click Create stack.

The stack takes approximately 2-3 minutes to reach CREATE_COMPLETE in CloudFormation.

Important: CREATE_COMPLETE means the infrastructure is provisioned, but the platform is not ready yet.

1. In the EC2 console, wait for the instance Status Check to display 3/3 checks passed before attempting to connect. While status checks are still Initializing, the instance is not yet accepting connections.

2. After status checks pass, first-boot initialization continues in the background for an additional 5-10 minutes. During this time, the platform generates credentials, initializes Vault, and starts all services. The .credentials file and login page will not be available until first-boot finishes.

You can monitor progress by connecting to the instance and running:
tail -f /var/log/jaxon-first-boot.log

Connecting to the Instance

AWS Systems Manager Session Manager (Default)

No SSH keys or open ports required. This is the recommended access method.

From the AWS Console:

  1. Go to EC2 > Instances
  2. Select the Jaxon instance
  3. Click Connect
  4. Choose the Session Manager tab
  5. Click Start session

From the AWS CLI:

aws ssm start-session --target <instance-id> --region <region>

The instance ID is available in the CloudFormation Outputs tab.

SSH (If Enabled)

If you set EnableSsh=true during launch:

ssh -i <key-file>.pem ubuntu@<public-ip>

The public IP and SSH command are shown in the CloudFormation Outputs tab.

Accessing the Platform

Step 1: Get the Platform URL

After the stack reaches CREATE_COMPLETE, find the PlatformUrl in the CloudFormation Outputs tab.

If you left External URL empty, this will be https://<public-ip>. If using a self-signed certificate, your browser will show a security warning -- this is expected. Proceed through the warning to access the platform.

Step 2: Retrieve Credentials

Login credentials are written to a file on the instance during first boot. Connect to the instance (see Connecting to the Instance above) and switch to the ubuntu user before retrieving credentials or running any platform shell scripts:

sudo su - ubuntu
cat /opt/jaxon/dsail/.credentials

The file path is also shown in the CloudFormation Outputs tab as CredentialsFile.

The file contains passwords for:

CredentialDescription
akadmin userAuthentik bootstrap admin.
admin userFull administrative access. Use this for initial setup.
jaxon userStandard user account for day-to-day use.

This file has restricted permissions (0600, owner-only).

Step 3: Log In

  1. Open the admin login page at https://<host>/if/admin/, where <host> is the instance public IP address or your configured domain hostname
  2. Log in with the admin credentials from the .credentials file
  3. You will see the Jaxon platform dashboard

Getting Started with the Platform

Once logged in, the platform is ready to use. The built-in documentation is available via the Platform Docs link in the sidebar.

Core Workflow

  1. Create a Project -- Everything in the platform lives inside a project. Use the Project dropdown in the header to create one.
  2. Upload Policy Documents -- Navigate to Documents in the sidebar and upload the policy documents you want to enforce (e.g., regulatory requirements, compliance standards, internal guidelines).
  3. Create Guardrails -- Click + New Guardrails From Policy on the Guardrails page. The wizard walks through document selection, theme extraction, rule extraction, and DSL generation.
  4. Refine Rules -- Open a guardrail in the Ruleset Studio to view, edit, and test individual rules. The three-panel layout provides a rule list, code editor, and live test panel.
  5. Build Test Datasets -- Go to Datasets in the sidebar, create a dataset, and add test documents. Use Generate Records to create synthetic test data.
  6. Run Evaluations -- On the Runs page, create a new run to evaluate your guardrails against a dataset. Review per-rule pass/fail results and variance analysis.

For a detailed walkthrough, see the Getting Started guide and SOX Compliance Tutorial in the Docs tab.

Day-to-Day Operations

Important: All platform shell scripts must be run as the ubuntu user. If connected via Session Manager, run sudo su - ubuntu first.

Start / Stop / Status

# Check platform status
/opt/jaxon/dsail/jaxon-status.sh

# Stop the platform
/opt/jaxon/dsail/jaxon-stop.sh

# Start the platform
/opt/jaxon/dsail/jaxon-start.sh

The platform starts automatically on instance boot -- no manual intervention needed.

Instance Reboot

After sudo reboot, all services come back automatically:

Viewing Logs

# All services
cd /opt/jaxon/dsail && docker compose logs -f

# Specific service
docker compose logs -f platform-api

# First-boot log (for troubleshooting initial setup)
cat /var/log/jaxon-first-boot.log

Changing the External URL

To switch from an auto-detected IP to a DNS domain name:

cd /opt/jaxon/dsail

# 1. Update the URL in .env
sed -i 's|JAXON_EXTERNAL_URL=.*|JAXON_EXTERNAL_URL=https://your-domain.example.com|' .env

# 2. Force Authentik to re-apply configuration with the new URL
touch auth/blueprints/*.yaml

# 3. Restart the stack
/opt/jaxon/dsail/jaxon-stop.sh
/opt/jaxon/dsail/jaxon-start.sh

If using a custom SSL certificate for the new domain, also update SSL_CERT_CONTENT and SSL_KEY_CONTENT in .env before restarting.

Rotating SSL Certificates

To replace the self-signed certificate with a proper certificate:

cd /opt/jaxon/dsail

# Base64 encode your certificate and key
SSL_CERT=$(base64 -w 0 < /path/to/cert.pem)
SSL_KEY=$(base64 -w 0 < /path/to/key.pem)

# Update .env
sed -i "s|^SSL_CERT_CONTENT=.*|SSL_CERT_CONTENT=$SSL_CERT|" .env
sed -i "s|^SSL_KEY_CONTENT=.*|SSL_KEY_CONTENT=$SSL_KEY|" .env

# Restart edge-proxy to pick up the new certificate
docker compose restart edge-proxy

Security

Vault Auto-Unseal

The platform uses AWS KMS for Vault auto-unseal. Vault automatically unseals on every restart -- no manual intervention or unseal keys needed.

Recovery keys (for emergency operations only) are saved at:

/opt/jaxon/dsail/.vault-recovery-keys.txt

This file has restricted permissions (0600, owner-only). Recovery keys are only needed for advanced Vault operations such as generating a new root token.

Hardened Deployment

The platform runs in hardened mode with defense-in-depth security controls:

Sensitive Files

LocationContentsAccess
/opt/jaxon/dsail/.credentialsLogin credentials (akadmin, admin, jaxon users)0600 (owner only)
/opt/jaxon/dsail/.vault-recovery-keys.txtVault recovery keys0600 (owner only)
/opt/jaxon/dsail/customer-config.envLaunch parameters (API key)0600 (owner only)

Troubleshooting

Platform Not Accessible After Launch

  1. Check the first-boot log: 
    cat /var/log/jaxon-first-boot.log
  2. Verify all services are running: 
    /opt/jaxon/dsail/jaxon-status.sh
  3. Check if first-boot completed: 
    ls -la /opt/jaxon/dsail/.initialized
    If this file does not exist, first-boot has not finished. Check the log for errors.
  4. Verify the security group allows inbound HTTPS (port 443) from your network.

Self-Signed Certificate Warning

If you did not provide an SSL certificate, the platform auto-generates a self-signed cert. Your browser will display a security warning -- this is expected. For production use, provide a proper certificate via the SSL parameters or rotate it after launch (see Rotating SSL Certificates above).

Vault Sealed

This should not happen with AWS KMS auto-unseal. If it does:

  1. Verify the instance IAM role has KMS permissions: 
    aws sts get-caller-identity
  2. Check Vault logs: 
    docker compose logs kms
  3. The KMS key ARN should match what is in /opt/jaxon/dsail/vault/config.hcl.

Support

For technical support, contact Jaxon AI at support@jaxon.ai.