Installation without Internet Access

This installation type is suitable for servers without Internet access, that is, servers from which the OpenIAM download site cannot be reached.

This type of installation is suitable for the el8 versions of both RHEL and CentOS. During the installation you will be prompted to install the MariaDB RDBMS; this is suitable for demo and POC installations. If you already have a database server, answer 'N' at that prompt.

  1. Download the following files to a server that has internet access.

    curl https://download.openiam.com/prerelease/enterprise/4.2.1.7/rpm/openiam-4.2.1.7.noarch.x86_64.rpm --output openiam-4.2.X.noarch.x86_64.rpm
    curl https://download.openiam.com/prerelease/enterprise/4.2.1.7/dependencies/el8/openiamrepo.tar.gz --output openiamrepo.tar.gz
    curl https://download.openiam.com/release/enterprise/4.2.1.7/binaries/backend.tar.gz --output backend.tar.gz
    curl https://download.openiam.com/release/enterprise/4.2.1.7/binaries/frontend.tar.gz --output frontend.tar.gz
    curl https://download.openiam.com/release/enterprise/infra/httpd-libs.tar.gz --output httpd-libs.tar.gz
  2. Create the folder /usr/local/openiam on the server.

  3. Copy the following files, downloaded earlier, to /usr/local/openiam:

    • backend.tar.gz
    • frontend.tar.gz
    • openiamrepo.tar.gz
    • httpd-libs.tar.gz
  4. Install from the RPM using command:

    sudo rpm -i openiam-4.2.X.noarch.x86_64.rpm

    You will see output similar to the following:

    openiam/
    openiam/OpenIAM-Base-Local.repo
    openiam/connectors/
    openiam/connectors/shutdown.sh
    openiam/connectors/start.sh
    openiam/env.conf
    openiam/services/
    openiam/services/shutdown.sh
    openiam/services/start.sh
    openiam/source-adapters/
    openiam/source-adapters/shutdown.sh
    openiam/source-adapters/start.sh
    openiam/utils/
    openiam/utils/autodb.sh
    openiam/utils/autoinit.sh
    openiam/utils/cluster_healthcheck.sh
    openiam/utils/curator/
    openiam/utils/curator/init.sh
    openiam/utils/elasticsearch/
    openiam/utils/elasticsearch/default.policy.diff
    openiam/utils/elasticsearch/elasticsearch
    openiam/utils/elasticsearch/elasticsearch.service
    openiam/utils/elasticsearch/init.sh
    openiam/utils/elasticsearch/jvm.options
    openiam/utils/flyway/
    openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mssql.m4
    openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysq.m4
    openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.m4
    openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.rds.m4
    ...
    openiam/janusgraph/javadocs/package-list
    openiam/janusgraph/javadocs/index.html
    openiam/janusgraph/javadocs/constant-values.html
    openiam/janusgraph/javadocs/help-doc.html
    openiam/janusgraph/javadocs/allclasses-frame.html
    openiam/janusgraph/javadocs/allclasses-noframe.html
    openiam/janusgraph/javadocs/stylesheet.css
    openiam/janusgraph/javadocs/overview-summary.html
    /var/tmp/rpm-tmp.ElioLH: line 9: openiam: Is a directory
    No, user openiam does not exist. creating
    useradd: warning: the home directory already exists.
    Not copying any file from skel directory into it.
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    The server will be restarted in 1 min to apply ulimit settings ...
    Shutdown scheduled for Wed 2023-11-22 21:20:46 UTC, use 'shutdown -c' to cancel.

    At this point the VM will reboot to initialize the variables that are needed by stack components such as Elasticsearch.

  5. Execute the initialization step with openiam-cli. During this step the system installs and configures the various components that make up OpenIAM. Please follow the instructions on the screen.

    sudo openiam-cli init
  6. The first question is: Does this box have Internet access ? [y/n]. Please enter N.

  7. You will be asked about installing MariaDB as the default database: Would you like to install MariaDB RDBMS locally? Answer Y if you would like to use a local MariaDB RDBMS as the database server (a good choice for a quick and simple installation such as a demo, a POC or a small production platform with up to 500 active users). Otherwise, answer N.

7.1. If you answered 'Y' for the MariaDB installation, the installer will prepare all files and then ask you for the following details:

  • Enter current password for root (enter for none): -> Press 'Enter'.
  • Set root password? [Y/n] -> Press 'y' and then 'Enter'.
  • New password: -> Type the password for the root user. You will need it later during the installation.
  • Re-enter new password: -> Type the same root password as in the previous step.
  • Remove anonymous users? [Y/n] -> Press 'y' and then 'Enter'.
  • Disallow root login remotely? [Y/n] -> Press 'y' and then 'Enter'.
  • Remove test database and access to it? [Y/n] -> Press 'y' and then 'Enter'.
  • Reload privilege tables now? [Y/n] -> Press 'y' and then 'Enter'.

Otherwise, please continue from step 5.
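Added example, not part of the OpenIAM installer: a few shell checks that confirm the answers given to the prompts in 7.1 actually took effect on the local MariaDB (no anonymous accounts, root restricted to the local host, test database removed). The check functions take query output as text so they can be run on their own; audit_live runs the real queries and assumes the mysql client plus a client option file holding the root password (the file path is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the OpenIAM installer. Confirms that the answers
# given to the mysql_secure_installation prompts in step 7.1 took effect on
# the local MariaDB: no anonymous accounts, root not reachable remotely, and
# the test database gone. The check functions take query output as text so
# they can run without a server; audit_live runs the real queries.
set -eu

# Rows of "User<TAB>Host" from mysql.user. Fails if any anonymous (empty) user exists.
no_anonymous_users() {
  printf '%s\n' "$1" | awk -F'\t' 'NF > 1 && $1 == "" { bad = 1 } END { exit bad + 0 }'
}

# Same rows. Fails if root may log in from anything other than the local host.
root_local_only() {
  printf '%s\n' "$1" | awk -F'\t' \
    '$1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { bad = 1 } END { exit bad + 0 }'
}

# One database name per line from SHOW DATABASES. Fails if test or test_* remain.
no_test_database() {
  printf '%s\n' "$1" | awk '$0 == "test" || $0 ~ /^test_/ { bad = 1 } END { exit bad + 0 }'
}

# Evaluate all three checks on already captured output; prints each failure.
audit_output() {
  users="$1"; dbs="$2"; rc=0
  no_anonymous_users "$users" || { echo "FAIL: anonymous account present"; rc=1; }
  root_local_only "$users"    || { echo "FAIL: root can log in from a remote host"; rc=1; }
  no_test_database "$dbs"     || { echo "FAIL: test database still present"; rc=1; }
  return "$rc"
}

# Run against the live server. CNF is a placeholder path to a client option file
# ([client] section with user=root and the password set in step 7.1); an option
# file keeps the root password off the command line and out of ps output.
audit_live() {
  cnf="${1:-/root/.openiam-audit.cnf}"
  users=$(mysql --defaults-extra-file="$cnf" -N -B -e "SELECT User, Host FROM mysql.user")
  dbs=$(mysql --defaults-extra-file="$cnf" -N -B -e "SHOW DATABASES")
  audit_output "$users" "$dbs"
}
```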

  8. The installation process will continue. The Cassandra backend, used as graph storage, will be installed. Please be patient, as this process can take 4-5 minutes. If you see the ugly exception below, ignore it. This is a byproduct of Cassandra taking some time to start. (This will be addressed in an upcoming point release.)
error: No nodes present in the cluster. Has this node finished starting up?
-- StackTrace --
java.lang.RuntimeException: No nodes present in the cluster. Has this node finished starting up?
at org.apache.cassandra.dht.Murmur3Partitioner.describeOwnership(Murmur3Partitioner.java:284)
at org.apache.cassandra.service.StorageService.getOwnershipWithPort(StorageService.java:5166)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:72)
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:276)
at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:112)
at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:46)
at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237)
at com.sun.jmx.mbeanserver.PerInterface.getAttribute(PerInterface.java:83)
at com.sun.jmx.mbeanserver.MBeanSupport.getAttribute(MBeanSupport.java:206)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:647)
at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:678)
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1445)
at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1401)
at javax.management.remote.rmi.RMIConnectionImpl.getAttribute(RMIConnectionImpl.java:639)
at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Waiting for cassandra
  9. The installer will ask a number of questions during the initialization process. For most questions, a default value has been provided to simplify the effort for users new to OpenIAM. The section which requires input from the person running the installer is marked with the following message in the console: =============== CRITICAL SECTION ===============

Create the database schema accounts

OpenIAM has two schemas which are created by default: openiam and activiti. The openiam schema is the primary schema used by the platform and it stores a variety of information ranging from policies to user profile information and more. activiti is used to store information about workflows and their execution. The first set of questions raised by the installer relates to the creation of a database user for each schema. Each question and its intent are listed below.

Question: Set OpenIAM username for 'openiam' schema, default: idmuser
Explanation: This is the DB user name that will be used to manage the openiam schema, the primary schema in which data related to OpenIAM is stored. The OpenIAM application will use this user name to communicate with the database. The default value is idmuser.

Question: Set OpenIAM password for 'openiam' schema, default: idmuser
Explanation: This is the password for the user name provided in the previous step. The default value is idmuser.

Question: Set OpenIAM username for 'activiti' schema. For MySQL it will be the same as for 'openiam', default: idmuser
Explanation: This is the DB user name that will be used to manage the activiti schema. The OpenIAM application will use this user to communicate with the database. The default value is idmuser.

Question: Set OpenIAM password for 'activiti' schema. For MySQL it will be the same as for 'openiam', default: idmuser
Explanation: This is the password for the user associated with the activiti schema. The default value is idmuser.

Message broker password

OpenIAM uses RabbitMQ as its message broker; it is the primary transport service used by the OpenIAM application. Services are loosely coupled and communicate with each other through the message broker. Cross-service communication is encrypted.

The next question raised by the installer is to define a password for RabbitMQ. As seen in the above questions, a default password value is provided for simplicity. For production use, please use a strong password.

Set OpenIAM password for RabbitMQ message broker, default: passwd00

Memory cache

Redis is an in-memory distributed cache which is used by OpenIAM to improve system performance. A variety of objects are temporarily stored in Redis including:

  • End user web session
  • Database object cache
  • High level application cache.

As with other components, access to the cache is secured, and the next question asks for the password that should be used for Redis.

Set OpenIAM password for Redis., default: passwd00

SMTP Credentials

E-mail notifications can be enabled for a broad range of operations in OpenIAM. Configuring a valid SMTP service is a pre-requisite to being able to send e-mail notifications. The next two questions ask the user to provide the SMTP credentials for the account which will be used to send e-mails from the application. These questions are optional at this time and you have the option to configure these later if needed.

Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none

At this point the installer has enough information to complete the installation of Elasticsearch, Redis, and RabbitMQ.

Initialize Database Schema

Question: Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
Explanation: If this install is an upgrade from an existing deployment, the current version is important because it determines which scripts need to be applied to upgrade the schema to the current version. If this is a new deployment, you can leave this blank.

Question: This is the name of the OpenIAM core database. If using MariaDB, this is most likely to be 'openiam', default: openiam
Explanation: This question provides the option to choose the primary database schema. You should leave this blank and let it default to openiam. This value should only be changed if the scripts have been altered by the customer.

Question: This is the name of the OpenIAM Activiti database. If using MariaDB, this is most likely 'activiti', default: activiti
Explanation: This question provides the option to choose the database schema used by the workflow engine. You should leave this blank and let it default to activiti. This value should only be changed if the scripts have been altered by the customer.

Question: Possible values: MySQL, Postgres, MSSQL, Oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default:mysql
Explanation: Select the type of database that you will be using as the OpenIAM product repository. You can leave this blank if you will be using either MariaDB or MySQL. If you are using PostgreSQL, Oracle or Microsoft SQL Server, enter one of the following values based on your database type: postgres, oracle, mssql.

Question: Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]
Explanation: If 'Y', the installer will create the schemas in the database and the corresponding RDBMS users as well. For Oracle/MSSQL it will generate an SQL script that must be run manually.

Question: Enter username for Super user (for mysql this is root), default: root
Explanation: The installer needs a super user account, or equivalent, which has the privileges to create new schemas, users, tables, etc.

Question: Enter password for super user (sa or root, depend on the db type), default:
Explanation: Enter the password for the account provided in the last step.

Question: This is the hostname of where the openiam core database is., default: localhost
Explanation: Enter the host or DNS name of the server where the primary OpenIAM database will be deployed.

Question: This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306
Explanation: Enter the port number used by the database server hosting the primary OpenIAM database.

Question: This is the hostname of where the OpenIAM activiti database is., default: localhost
Explanation: Enter the host or DNS name of the server where the workflow database will be deployed.

Question: This is the port of where the openiam activiti database is. If using MariaDB, this is most likely '3306', default: 3306
Explanation: Enter the port number used by the database server hosting the workflow database.

The OpenIAM RPM installer will continue with initialization and apply the SQL scripts which are required for successful startup. The OpenIAM services will automatically run the application stack after successful initialization and will show you the current stack status. Startup usually takes about 6-10 minutes. You can view the status of the system as it is coming up using the command line tools described below in OpenIAM components and status.

Copying downloaded file from local machine to remote server

Use scp [OPTION] [[user@]SRC_HOST:]file1 [[user@]DEST_HOST:]file2

Example:

    C:\Users\Asus>scp openiam-4.2.1.7.noarch.x86_64.rpm root@10...*:/usr/local/openiam/
    The authenticity of host '10... (10...)' can't be established.
    ECDSA key fingerprint is SHA256:5pP7vxJnDzbQ+Xg1VANjSBYL7HboHyM4RqFKW4qHkPU.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?
    Warning: Permanently added '10...*' (ECDSA) to the list of known hosts.
    root@10...*'s password:
    openiam-4.2.1.7.noarch.x86_64.rpm 23% 133MB 1.4MB/s 05:12 ETA
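Added example, not OpenIAM's own tooling, covering steps 1 to 3 and the transfer above: stage the files on the Internet-connected host, record SHA-256 checksums, copy them with a pinned host key instead of accepting an unknown fingerprint at the prompt, and verify the checksums on the offline server before running rpm -i. It assumes curl, sha256sum, ssh-keyscan, ssh-keygen and scp are available; the server address is a placeholder.

```shell
#!/bin/sh
# Added example, not OpenIAM's own tooling. Stages the step 1 files on a host
# with Internet access, records SHA-256 checksums, copies everything to the
# offline server with a pinned host key, and verifies the checksums there.
# Assumes curl, sha256sum, ssh-keyscan, ssh-keygen and scp are available.
set -eu

BASE="https://download.openiam.com"   # download site named on this page
VERSION="4.2.1.7"                      # release version used on this page

# 1. On the Internet-connected host: fetch the files listed in step 1 into DIR.
download_bundle() {
  dir="$1"
  mkdir -p "$dir"
  curl -fsSL "$BASE/prerelease/enterprise/$VERSION/rpm/openiam-$VERSION.noarch.x86_64.rpm" \
       --output "$dir/openiam-4.2.X.noarch.x86_64.rpm"
  curl -fsSL "$BASE/prerelease/enterprise/$VERSION/dependencies/el8/openiamrepo.tar.gz" \
       --output "$dir/openiamrepo.tar.gz"
  curl -fsSL "$BASE/release/enterprise/$VERSION/binaries/backend.tar.gz" --output "$dir/backend.tar.gz"
  curl -fsSL "$BASE/release/enterprise/$VERSION/binaries/frontend.tar.gz" --output "$dir/frontend.tar.gz"
  curl -fsSL "$BASE/release/enterprise/infra/httpd-libs.tar.gz" --output "$dir/httpd-libs.tar.gz"
}

# 2. Record a SHA-256 checksum for every archive and RPM in DIR (written to DIR/SHA256SUMS).
build_manifest() {
  ( cd "$1" && find . -maxdepth 1 -type f \( -name '*.tar.gz' -o -name '*.rpm' \) \
      -exec sha256sum {} + > SHA256SUMS )
}

# 3. Verify DIR against its manifest. Returns non-zero if any listed file is
#    missing or altered, or if the manifest itself is unreadable.
verify_manifest() {
  ( cd "$1" && sha256sum --check --quiet SHA256SUMS )
}

# 4. Copy DIR to the offline server. The host key is pinned in a dedicated
#    known_hosts file instead of being accepted at an interactive prompt:
#    compare the fingerprint printed by ssh-keygen with the one obtained from
#    the server console (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub there).
#    HOST is a placeholder for the server address; /usr/local/openiam must
#    already exist on the server (step 2 of this page).
transfer_bundle() {
  dir="$1"; host="$2"; known="$dir/known_hosts"
  [ -s "$known" ] || ssh-keyscan -t ecdsa "$host" > "$known"
  ssh-keygen -lf "$known"
  scp -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known" \
      "$dir"/*.tar.gz "$dir"/*.rpm "$dir"/SHA256SUMS "root@$host:/usr/local/openiam/"
}

# On the offline server, before step 4 (rpm -i):
#   verify_manifest /usr/local/openiam || { echo "checksum mismatch, do not install"; exit 1; }
```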

First time login

The final validation of the deployment is to be able to log in to the OpenIAM web applications. To do this, you must first find the IP address of your VM.

Next open your browser (preferably Chrome or Firefox), and hit:

http://[ip address of your installation ]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00

Enter the username in the field shown below and click Next.

OpenIAM Login page

The authentication process is spread over two screens. You will be asked to enter the password on the screen below.

Change password

The next screen will force you to change the default password. As you enter your new password, you will see the password policy on the side. Your password must align with this policy. You will be able to change both the password and the policy later.

Change password

The next step is to define a content provider using the screen shown below. A Content provider is an alias which represents a domain. Associated with the content provider can be UI themes, authentication policies, etc. You can read more on Content Provider in this document. The table below describes the fields on this screen.

  • Content Provider Name: You can think of a content provider as an "alias" which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, please enter a value such as: Default CP
  • Domain Pattern: This value is defaulted in. It should be the IP address or host DNS name of the instance where OpenIAM has been installed.
  • Application supports SSL?: This configuration determines if the OpenIAM application will be accessed over HTTP or HTTPS. Unless you have already configured the certificate, select Support on HTTP. You will be able to update this configuration later.
  • Application servers: This is the location of the OpenIAM service layer which the UI and rProxy need to communicate with. In most cases, the default value will be correct since each of these components will be deployed on the same host. However, this configuration provides the flexibility to have the UI and service layer on separate hosts.

Define initial content provider

After setting the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account in case you have locked yourself out. Please make a note of your answers.

Note: You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

Challenge questions

After completing the above steps, you will be taken to the admin console landing page shown below. Allow the system about 5 min to refresh the internal cache and then you can proceed to configure your solution.

Webconsole landing page

OpenIAM components and status

Using the OpenIAM Command line utility

OpenIAM provides a command line utility to help you view the status of all components as well as perform common operations such as viewing logs, starting and stopping services, etc. The command is openiam-cli.

Just running the command by itself, as shown below, will display the list of all options.

openiam-cli

You will be asked about Internet access on this box, as shown below.

Internet on box

Type 'n' and press 'Enter'.

Output

Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}

To check the status of the components or the confirm that the system is up, please use the following command:

openiam-cli status

To check the current logs of any service, use the following command. The service names can be taken from the output of openiam-cli status.

openiam-cli log <service_name>

For example, to check the logs of the openiam-esb module use the following command.

openiam-cli log openiam-esb

OpenIAM core services

Name: Description. Default memory (RAM)

  • openiam-esb: The service that provides the Web Service API and the larger part of the platform functionality. Default memory: 2048m
  • workflow: The service that provides Business Workflow functionality. Default memory: 768m
  • groovy-manager: The service that provides Groovy extension functionality. Default memory: 256m
  • idm: The service that provides provisioning to target systems. Default memory: 512m
  • reconciliation: The service that provides reconciliation against target systems. Default memory: 512m
  • email-manager: The service that provides sending and receiving of e-mails. Default memory: 256m
  • auth-manager: The service that provides end user authorization. Default memory: 1024m
  • device-manager: The service that provides device management functionality (iOS and Android). Default memory: 256m
  • business-rule-manager: The service that provides Business Rules functionality. Default memory: 512m
  • openiam-ui: The web server (Tomcat) that provides the graphical interface. Default memory: 2048m