Deploying via Docker

This section describes how to deploy the OpenIAM platform in a Docker Swarm environment. The procedures described in this section must be performed in the order that they are presented. Some steps in this installation require root level privileges to the system where OpenIAM will be deployed.

What is Docker?

Docker is a tool for creating, deploying, and running applications using containers. Docker Compose is a tool for defining and running multi-container Docker applications. Docker provides a standardized, lightweight, execution environment that maintains all dependencies within it. It can be run on either physical or virtualized environments which are on-premise or in the cloud. For more information about docker, please see see the Docker website and Docker Documentation.

OpenIAM on Docker

The OpenIAM Docker deployment method enables you to deploy on OpenIAM using a series of pre-configured containers in a short amount of time without the complexity of deploying a series of dependencies. The simplified deployment method requires:

  • Installing the Docker software
  • Configuring environment variables
  • Running scripts for setting up and starting up the OpenIAM instance. Running the deployment scripts automatically takes care of all component dependencies and release updates.

OpenIAM docker containers are maintained on Docker hub. Once these containers have been pulled into your environment using the details below, you will also need:

  • Docker client - Docker Community Edition (CE) versions 19.03.12 or higher
  • Docker compose - Defines and enables the operation of a multi-container Docker application. OpenIAM uses docker-compose file format 3.2

OpenIAM Solution Stacks

The OpenIAM solution consists of several stacks that are deployable the Docker Swarm. Docker swarm is a container orchestration tool, meaning that it allows for the manage multiple containers deployed across multiple host machines. The content of each stack is described below

Critical Infrastructure stacks

The infrastructure stacks are used across the OpenIAM solution regardless of the functionality that you are enabling. These components must be operational for the OpenIAM solution to function correctly.

Stack NameDescription
ElasticsearchRuns Elasticsearch. Elasticsearch is an enterprise-level search engine. Elasticsearch uses an index-based search approach, which allows for fast searching. The architecture allows for scalability, flexibility, and multi-tenancy support
RedisRuns Redis. Redis is an in-memory data structure store used as a database, cache, and message broker by OpenIAM
MariaDB / PostgresSQLRuns either MariaDB or PostgreSQL as the product repository. MariaDB is configured as the default repository. Aside from these two databases, you can also use a remote database
RabbitMQRuns RabbitMQ. RabbitMQ is the message brokering software service for sending and receiving messages between systems
VaultRuns Hashicorp's Vault. Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets
EtcdRuns Etcd, which is used to store Vault data. Etcd is a distributed key-value store.

MariaDB is the default Database. You can change this to PostgreSQL if you prefer. You will not enable both database

Service stacks

Stack NameDescription
OpenIAM core servicesRuns services shared across the product.
Identity managerRuns the identity manager application. Identity manager automates the task of managing identities across various devices and applications used by the enterprise.
WorkflowRuns the workflow application. A workflow is a repeatable process during which documents, information, or requests are passed from one participant to another for action, according to a set of procedural rules. A participant can be a person, machine, or both.
Groovy managerRuns Groovy Manager, an application for managing Groovy scripts in OpenIAM. Apache Groovy is a dynamic programming language for the Java platform. allows you to add, update, edit, and modify Groovy scripts to extend the identity governance and web access management functionality to meet specific, complex requirements.
SynchronizationRuns the synchronization application. Synchronization allows you to synchronize data from one or more authoritative sources to a set of managed systems. Synchronization configuration enables monitoring a source system for changes and then updating target systems at scheduled periodic intervals.
ReconciliationRuns the reconciliation application. This is two side synchronization between OpenIAM and the target system
Authorization managerRuns the authorization manager. This module handles RBAC authorization via relationships between Users, Organizations, Roles, Groups, and Resources.
E-mail ManagerRuns the email manager. Handles sending and receiving email.

UI Stack

Stack NameDescription
Tomcat with three applicationsThree web applications which are described below
  • IdP - The OpenIAm web application which provides centralized authentication and self-service password reset functionality. This application also allows OpenIAM to be configured as both an Identity Provider and a Service Provider
  • Webconsole - The OpenIAM web application for administrators for managing identities across various devices and applications used by an enterprise, and for controlling access to these devices and applications.
  • Self-service - The OpenIAM end-user web application that allows users to create new requests, reset and change passwords, manage their profiles, manage access requests, manage challenge response security questions, look up corporate users through a directory search, and reset their accounts if they are locked out. Authorized users can also use the request approval functionality.

Reverse Proxy Stack

Stack NameDescription
Apache Web server with rProxyGateway between clients and a server for managing inbound traffic to a server.

System requirements

The table below specifies the minimum system requirements for deploying a non-production OpenIAM v4.2.x instance using Docker.

MINIMUM Hardware requirements

ConfigurationNon-ProductionProduction (may increase based on sizing)
Memory48 GB64 GB
CPU8 CPUs12 CPUs
Disk80 GB200 GB

Please ensure that you are environment is aligned with the minimum system requirements described above. These parameters are not optional. OpenIAM will not start if system resources are below the minimum levels.

For production use: Customers with active subscriptions and partners, should contact OpenIAM Support (techsupport@openiam.com) for assistance with sizing requirements.

Software requirements

SpecificationRequirement
OSUbuntu (22.04 LTS, 20.04 LTS) or CentOS 8 Stream/RHEL 8.7+
Docker client23.0.1 or higher
Docker compose1.28.2 or higher
Supported BrowsersGoogle Chrome (v89.0.4389.114 and later), Microsoft Edge, Mozilla Firefox (v87 and later). Note: Internet Explorer (IE) is not supported.

Preparing your system

The OpenIAM application requires the configurations described below to be performed prior to installing the application.

Install pre-requisite packages

Prior to installing the OpenIAM, please execute the commands below to install the required packages. If you have already logged in as root, you do not need to prefix them with “sudo”. If you have used another account, then you need to use “sudo”

DescriptionCommand on CentOS 8 StreamCommand on Ubuntu
Update the OSdnf updateapt-get update
Install Nanodnf install nanoapt-get install nano
Install wgetdnf install wgetapt-get install wget
Install gitdnf install gitapt-get install git

Example for CentOS 8 Stream

dnf update
dnf install nano wget git

Example for Ubuntu 22.04

apt-get update
apt-get upgrade
apt-get install nano wget git

Update the hosts file

Make sure that your /etc/hosts file contains a value for the hostname that you defined earlier. To edit the hosts file, use an editor like Nano.

127.0.0.1 iam-nonprod

Settings for ElasticSearch and Docker

ElasticSearch

OpenIAM uses ElasticSearch as a search engine. To enable fast access, ElasticSearch maps portions of an index into its memory address space. This is done through nmap, a Unix system call that maps files or devices into memory. To use mmap effectively, ElasticSearch requires sufficient mmap counts. The default operating system limits on mmap counts are inadequate for the required performance and this may result in out of memory exceptions. The required mmap value can be configured by setting the vm.max_map_count value in /etc/sysctl.conf to be at least 262144. To ensure that the vm.max_map_count persists across restarts, set this value in the /etc/sysctl.conf file

Disabling IPv6 on Docker Host

By default, IPv6 is disabled in Docker. Disabling IPv6 on Docker host(s) prevents any potential network issues. To disable IPv6 on host(s) where Docker is running, ensure that the Docker host(s) have the following value set in /etc/sysctl.conf: net.ipv6.conf.all.disable_ipv6=1 and net.ipv6.conf.default.disable_ipv6 = 1

To summarize, the /etc/sysctl.conf file must have the following changes:

vm.max_map_count=262144
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Save the above changes and then run sudo sysctl -p to apply these settings without restarting the system.

Install the Docker engine

Docker Engine is a containerization technology for building and containerizing applications. Docker Engine acts as a client-server application with:

  • A server with a long-running daemon process dockerd.
  • APIs which specify interfaces that programs can use to talk to and instruct the Docker daemon.
  • A command line interface (CLI) client docker

To install the docker engine, follow the OS specific steps below. For, additional information related to the installation of the docker engine can be found at:

Ubuntu

Setup the repository

Update the apt package index and install packages to allow apt to use a repository over HTTPS

sudo apt-get install \
ca-certificates \
curl \
gnupg \
lsb-release

Add Docker's official GPG Key

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

Use the following command to setup the repository

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install the docker engine

  1. Update the apt package index
sudo apt-get update

Note: If you receive a GPG error when running apt-get update, then follow the steps below. Your default umask may be incorrectly configured, preventing detection of the repository public key file.

sudo chmod a+r /etc/apt/keyrings/docker.gpg
sudo apt-get update
  1. Install the Docker engine, containerd, and Docker compose plugin
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

CentOS 8 Stream / RHEL 8.7+

Setup the repository

Install the yum-utils package (which provides the yum-config-manager utility) and set up the stable repository

yum install -y yum-utils
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo

Install the Docker engine

Install the latest version of Docker Engine and containerd. The next step is to start the engine.

yum install docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker.service
systemctl enable containerd.service

Install Docker compose

Compose is a tool for defining and running multi-container Docker applications such as OpenIAM. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration. The procedure described below installs version 1.28.2 of Docker Compose on your system

  • Run the command below to download the current stable release of Docker Compose
curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  • Apply executable permissions to the binary
chmod +x /usr/local/bin/docker-compose
  • To check the version of docker compose, run the command below
docker-compose --version

Verify that Docker engine is installed correctly

Run the hello-world image.

docker run hello-world

Note: If you get the following response when running docker run hello-world, then use the work-around below:

Status: Downloaded newer image for hello-world:latest docker: Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown. ERRO[0001] error waiting for container: context canceled

Solution:

mkdir /sys/fs/cgroup/systemd
mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
docker run hello-world

After successfully running the hello-world test, we can proceed to installing the application.

log in to Docker hub using the command shown below. Use our hub.docker.com credentials.

Installing the OpenIAM Application

The installation process allows for a significant amount of flexibility. The steps below describe the minimum number of parameters which need to be configured to install on a single VM. Additional details in the sections referenced by the table below. If you are new to OpenIAM, we recommend starting with the simpler path with a more limited set of options.

Clone the OpenIAM Docker repository

Next, we need to clone the "OpenIAM docker compose" repository from OpenIAM's Git Repository. This project contains scripts that set environment variables, start and stop the container services. To clone the repository, follow the steps below.

They should be performed in a Linux terminal window.

mkdir -p /usr/local/openiam
cd /usr/local/openiam
git clone https://bitbucket.org/openiam/openiam-docker-compose.git
cd openiam-docker-compose/
git checkout RELEASE-4.2.1.7

The cloned repository will contain the following scripts.

ScriptDescription
env.shFile containing environment variables. The required environment variables can be updated and added in this file. The env.sh file is sourced during the installation process and the export statements in this file are executed.
setup.shScript for setting up and updating the OpenIAM configuration. During the initial OpenIAM deployment, this script initializes the network and pulls the latest images from the OpenIAM repository (openiamdocker) on Docker Hub. When updating the OpenIAM deployment, running this script pulls newer images from the OpenIAM repository on Docker Hub
startup.shScript for starting up the OpenIAM instance.When updating the OpenIAM deployment, running this script updates the configuration on your system with the latest release updates.
Warning: Please do not modify this script in any way.
shutdown.shScript for shutting down all OpenIAM stacks, except volumes.
teardown.shScript for tearing down all OpenIAM stacks, volumes, and networks.
generate.cert.shScript to generate certificates or Vault authentication.

Additional configuration options

SectionDescription
Yaml FilesYAML configuration files are provided for the services and infrastructure components used within OpenIAM. These files provide configuration information for the containers.
Configuration optionsConfiguration options which will be used during installation.

Set the community edition flag

To ensure that the following steps pull the correct container images, update the /usr/local/openiam/openiam-docker-compose/env.sh file so the

  • Production tag is referenced by setting the BUILD_ENVIRONMENT="dev" to BUILD_ENVIRONMENT="prod"
  • IMAGE_SUFFIX is uncommented

The end result should look like the example below.

...
export BUILD_ENVIRONMENT="prod"
export IMAGE_SUFFIX="-ce"
...

Initialize Vault

OpenIAM uses a Vault in order to store secrets, such as database passwords, redis passwords, etc. Communication with the Vault occurs via a certificate. Follow the steps below to generate the certificate.

  • Edit the /usr/local/openiam/openiam-docker-compose/env.sh file which was downloaded from the openiam-docker-compose project above.
  • Set the VAULT_JKS_PASSWORD in the env.sh file. This password can be anything that you want.
  • Run the command, shown below, to generate a CA Certificate.
    • In the Enterprise version, you have the option to use an existing CA Certificate from a trusted CA.
cd /usr/local/openiam/openiam-docker-compose
sudo ./generate.cert.sh

You should see output similar to the example shown below:

SQL Files exist
This script will generate a keypair that vault will use. Make sure to first set VAULT_JKS_PASSWORD in env.sh
Press enter to continue
Certificate request self-signature ok
subject=C = CZ, ST = Test, L = Test, O = Test, OU = Test, CN = vault
Warning: -clcerts option ignored with -export
writing RSA key

Upon successful completion of the above operation, you should also see several certificates related files as shown in the image below.

-rw-r--r-- 1 root root 1302 Jan 29 03:09 vault.ca.crt
-rw------- 1 root root 1704 Jan 29 03:09 vault.ca.key
-rw-r--r-- 1 root root 1180 Jan 29 03:09 vault.crt
-rw-r--r-- 1 root root 985 Jan 29 03:09 vault.csr
-rw-r--r-- 1 root root 2 Jan 29 03:09 vault.file.srl
-rw------- 1 root root 2579 Jan 29 03:09 vault.jks
-rw------- 1 root root 1704 Jan 29 03:09 vault.key
-rw------- 1 root root 1704 Jan 29 03:09 vault.no_pem.key
-rw------- 1 root root 2579 Jan 29 03:09 vault.p12

Define database ports

Starting with V4.2.0, OpenIAM uses Flyway to manage database schema generation and migrations from one version to the next. This ensures that your database is properly versioned and up-to-date. OpenIAM supports Flyway versioning for MariaDB, PostgreSQL, and MSSQL, and Oracle 12.2+

The env.sh file defines properties which will be used by Flyway.

At a minimum, you will need to define to set the following parameters: To enable Flyway, set the following properties in env.sh

  • DB_TYPE - This parameter define the type of database that you will be using as the OpenIAM product repository. My default this value is set to "MariaDB" which is installed by default .
  • FLYWAY_OPENIAM_HOST - Host where the OpenIAM database will be residing. This is the primary product schema. If you are using MariaDB or [[PostgreSQL in a docker container, set it to database
  • FLYWAY_OPENIAM_PORT - Port where the OpenIAM database will be running. Default ports for the supported databases include:
    • MariaDB=3306
    • Postgres=5432
    • Oracle=1521
    • Microsoft SQL Server=1433
  • FLYWAY_ACTIVITI_HOST - Host where the Activti database will be residing. Activiti, is the database used by the workflow engine. If you are using MariaDB or PostgreSQL in a docker container, set it to database
  • FLYWAY_ACTIVITI_PORT - Port where Activiti database, which is used by the workflow engine, will be running.

Example below shows the settings for MariaDB

export DB_TYPE="MariaDB"
...
# port of the activiti database. If using mariadb, this is likely '3306'. If using postgres, this is likely '5432'
export FLYWAY_ACTIVITI_PORT=3306
# host of the activiti database. If using mariadb or postgres in docker, this is likely 'database'
export FLYWAY_ACTIVITI_HOST=database
# port of the openiam database. If using mariadb, this is likely '3306'. If using mariadb, this is likely '3306'. If using postgres, this is likely '5432'
export FLYWAY_OPENIAM_PORT=3306
# host of the openiam database. If using mariadb or postgres in docker, this is likely 'database'
export FLYWAY_OPENIAM_HOST=database

Initialize Docker Swarm

Docker uses swarms for cluster management and orchestration features of Docker Engine, the technology for containerizing applications. Docker engines participating in a cluster run in the swarm mode. The swarm mode is enabled by either initializing a swarm, as in the command above, or by joining an existing swarm. For more information, see docker swarm and Swarm mode key concepts documentation.

Make sure that you initialize the Docker swarm. Log into Docker and initialize the swarm by entering the following command in a terminal:

sudo docker swarm init

You will see output similar to this:

Swarm initialized: current node (7risfc2161nwzir4a65po3lro) is now a manager.
To add a worker to this swarm, run the following command:
docker swarm join --token SWMTKN-1-15mdug8xi71uap0dgaayqi2ohhl8qxaaeg7m8k6q015yiuqt0j-6ip90bh1rm2td8y9baoya4qlx 173.231.56.82:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

Open ports for Docker Swarm

By default, the shell scripts provided by OpenIAM deploy to the docker swarm. You must ensure that the necessary ports are opened otherwise the manager and worker node(s) will not be able to communicate with each other.

Important: Please see this information about ports above 30000 used by the swarm from the load balancing section of Docker documentation: The swarm manager uses ingress load balancing to expose the services you want to make available externally to the swarm. The swarm manager can automatically assign the service a PublishedPort or you can configure a PublishedPort for the service. You can specify any unused port. If you do not specify a port, the swarm manager assigns the service a port in the 30000-32767 range.

Pull the docker images

To setup (and/or update) your configuration, you can run the setup.sh script. This will initialize the network, and pull the latest images from Docker Hub.

For users, familiar with OpenIAM, you can modify the script as required by your internal needs.

  • Run the setup.sh script as shown below to pull the docker images form Docker Hub.
sudo ./setup.sh

This process will take several minutes. Upon successful completion, you will see the following lines at the end.

...
Digest: sha256:0bb33339f0c06d781eaffb3e78e296f4ad8d1474915e7872e5a9094a8da9ee76
Status: Downloaded newer image for openiamdocker/vault-ce:alpine-4.2.1.7-prod
docker.io/openiamdocker/vault-ce:alpine-4.2.1.7-prod
+ docker pull openiamdocker/vault-bootstrap-ce:alpine-4.2.1.7-prod
alpine-4.2.1.7-prod: Pulling from openiamdocker/vault-bootstrap-ce
2408cc74d12b: Pull complete
e23a669031d3: Pull complete
58d03b857787: Pull complete
57690cd8fe01: Pull complete
d7ddacc22990: Pull complete
601a9aa2e412: Pull complete
7286a0f9c14c: Pull complete
064aa39d2270: Pull complete
9ac4bee4a2c2: Pull complete
6f8406638991: Pull complete
1a60362ddd04: Pull complete
af7fa38835b7: Pull complete
45dc28dcb82d: Pull complete
Digest: sha256:ef2fadb1bdeded40372a7caf5346e10f9a75b79f4a63db21596ede03c2000ca8
Status: Downloaded newer image for openiamdocker/vault-bootstrap-ce:alpine-4.2.1.7-prod
docker.io/openiamdocker/vault-bootstrap-ce:alpine-4.2.1.7-prod
+ docker pull openiamdocker/ui-ce:debian-4.2.1.7-prod
debian-4.2.1.7-prod: Pulling from openiamdocker/ui-ce
9621f1afde84: Already exists
646a8f97c6a8: Already exists
111ef215ea01: Pulling fs layer
fb4ccfb62028: Pulling fs layer
5780a89424ca: Pulling fs layer
ac405e1bcaf1: Pulling fs layer
c8599e3b267a: Pulling fs layer
45c751205584: Pulling fs layer
d073c823bebc: Pulling fs layer
5cc21ea2eea5: Pull complete
ba7abde15e29: Pull complete
c984fa56e5a0: Pull complete
c384c82e524c: Pull complete
2f54ac6cc048: Pull complete
e571d9818056: Pull complete
0a0cdfc4b537: Pull complete
c738260940dc: Pull complete
9daad2955b32: Pull complete
6221693a634b: Pull complete
7dbe84e43ad2: Pull complete
97e706f13a86: Pull complete
4cae4fc929c4: Pull complete
43828485f417: Pull complete
56bc0ddee1a0: Pull complete
3611f7603357: Pull complete
2b9b44628925: Pull complete
8ac3b6158823: Pull complete
9a5c45fad651: Pull complete
a2e069d4323a: Pull complete
c15344a40a9b: Pull complete
8b829f3b502c: Pull complete
d0c9bb174905: Pull complete
Digest: sha256:91626efa38c2580452f4c7f55732ff4c3038c0bdd1f143012ae209c7611dbcf5
Status: Downloaded newer image for openiamdocker/ui-ce:debian-4.2.1.7-prod
docker.io/openiamdocker/ui-ce:debian-4.2.1.7-prod

Start the OpenIAM Application

Now you are ready to start the OpenIAM containers. Run the startup.sh script to initiate the startup process

sudo ./startup.sh

You should see output similar to the example below

root@localhost:/usr/local/openiam/openiam-docker-compose# ./startup.sh
SQL Files exist
Using MariaDB as the database type...
Nothing found in stack: flyway
etcd_storage
vault_server_storage
vault_client_storage
connector_data_storage
filebeat-storage
openiam-janusgraph-storage
upload_storage
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
9ad63333ebc9: Pull complete
Digest: sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74
Status: Downloaded newer image for busybox:latest
Creating service etcd_etcd
Creating service vault_vault
Creating service vault-bootstrap_vault_bootstrap
Creating service curator_curator
Creating service openiam-elasticsearch-storage_service
Creating service openiam-jks-storage_service
Creating service openiam-activiti-storage_service
Creating service openiam-rabbitmq-storage_service
Creating service openiam-iamscripts-storage_service
Creating service redis_service
Creating service elasticsearch_service
Creating service cassandra_cassandra
Waiting for cassandra to become running, so that we can bring up janusgraph
Creating service janusgraph_service
Creating service rabbitmq_service
openiam-mysql-storage_storage
Creating service database_database
Creating service flyway_flyway
Creating service openiam_device-manager
Creating service openiam_auth-manager
Creating service openiam_groovy_manager
Creating service openiam_reconciliation
Creating service openiam_email-manager
Creating service openiam_synchronization
Creating service openiam_business-rules-manager
Creating service openiam_idm
Creating service openiam_esb
Creating service openiam_workflow
Creating service ui_ui
Creating service ldap-connector_service
Creating service rproxy_rproxy

Watch the container startup process

The containers may take 8 to 15 minutes (depending your environment) to startup completely. You can watch the start up process using the command below. Note, that the UI container will take sometime and be among the last to start up as it has dependencies on other components being up first.

watch -n 5 'docker ps'

You should see output similar to the example below when all containers have started successfully

Every 5.0s: docker ps localhost: Tue Jan 30 02:46:06 2024
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d77654ad06bb openiamdocker/synchronization-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_synchronization.uxe0l47
z26ubeags0f6i2h9yt.x9tb0r4zv5ngp7ezpwxd2gkhw
4ebcb5b5ccb5 openiamdocker/redis-ce:debian-4.2.1.7-prod "redis.sh /run.sh" 3 hours ago Up 3 hours (healthy) 6379/tcp redis_service.1.uyc7pw0n0cqlcxt
a2svqud46c
417519dd58bd openiamdocker/groovy-manager-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_groovy_manager.uxe0l47z
26ubeags0f6i2h9yt.ugf9okpghfwrsbkbeayr2151u
571bbb9cf8b7 openiamdocker/auth-manager-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_auth-manager.uxe0l47z26
ubeags0f6i2h9yt.sxgdv885fhs8kdhe42ujz9fns
90d6b5611335 openiamdocker/mariadb-ce:debian-4.2.1.7-prod "init.sh /opt/bitnam…" 3 hours ago Up 3 hours (healthy) 3306/tcp database_database.1.36foh88mgh2
isusgypvq4mds7
19b6100351f3 openiamdocker/workflow-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_workflow.uxe0l47z26ubea
gs0f6i2h9yt.ja1w84wftb6nej2vlef2lkq6y
93ab34fe4c91 openiamdocker/device-manager-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_device-manager.uxe0l47z
26ubeags0f6i2h9yt.mefg80i4hsn7dx8hlb99s9yb8
d6efe734a8c4 openiamdocker/rabbitmq-ce:alpine-4.2.1.7-prod "docker-entrypoint.s…" 3 hours ago Up 3 hours (healthy) 4369/tcp, 5671-5672/tcp, 15691-15692/tcp, 25672/tcp rabbitmq_service.1.doci1z5ypha5
uahoj11zvn5s1
e2395b97271a openiamdocker/reconciliation-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_reconciliation.uxe0l47z
26ubeags0f6i2h9yt.3jm01yf0sxmasjyhxlot909hc
d1c4abdf8eca openiamdocker/idm-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_idm.uxe0l47z26ubeags0f6
i2h9yt.1r90ew19ev48ra96pqz3ufe9w
9cf6779c52a8 openiamdocker/ldap-connector-rabbitmq-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) ldap-connector_service.uxe0l47z
26ubeags0f6i2h9yt.m0muld83kpqgrd7leklb44lz0
903d5a9ae775 openiamdocker/email-manager-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) openiam_email-manager.uxe0l47z2
6ubeags0f6i2h9yt.626qka38iht4ggcb917iw3wko
df03660737a4 openiamdocker/rproxy-ce:debian-4.2.1.7-prod "httpd-foreground" 3 hours ago Up 3 hours (healthy) 0.0.0.0:80->80/tcp, 443/tcp rproxy_rproxy.uxe0l47z26ubeags0
f6i2h9yt.4m6f8h5sv1khf0v8ncga356ki
4cceeb5c242e openiamdocker/janusgraph-ce:debian-4.2.1.7-prod "init.sh janusgraph" 3 hours ago Up 3 hours (healthy) 8182/tcp janusgraph_service.1.8czw1aew0v
r95cfru5ms9wumh
dc489e4bcf07 bitnami/cassandra:3.11.10 "/opt/bitnami/script…" 3 hours ago Up 3 hours (healthy) 7000/tcp, 9042/tcp cassandra_cassandra.1.n80icn1rv
gxo30787pqporiba
c23454f6c49d openiamdocker/vault-ce:alpine-4.2.1.7-prod "docker-entrypoint.s…" 3 hours ago Up 3 hours (healthy) 8200/tcp vault_vault.1.it6b7du4vp2j9j9nj
00d4vemk
07fda75ba205 openiamdocker/elasticsearch-ce:debian-4.2.1.7-prod "init.sh" 3 hours ago Up 3 hours (healthy) 9200/tcp, 9300/tcp elasticsearch_service.uxe0l47z2
6ubeags0f6i2h9yt.jg4j5rb0hb0cvpdcbu98019ap
443ffe2aaddd openiamdocker/ui-ce:debian-4.2.1.7-prod "docker-entrypoint.s…" 3 hours ago Up 3 hours (healthy) 8080/tcp ui_ui.uxe0l47z26ubeags0f6i2h9yt
.g4fh9r8g1sxabeq5c04zcjhw7
5cbfadbc86ac openiamdocker/esb-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) 9080/tcp openiam_esb.uxe0l47z26ubeags0f6
i2h9yt.ct9wt15av67ub9k486kirjjck
690529bf3076 openiamdocker/business-rule-manager-ce:debian-4.2.1.7-prod "docker-entrypoint.sh" 3 hours ago Up 3 hours (healthy) 9080/tcp openiam_business-rules-manager.
uxe0l47z26ubeags0f6i2h9yt.2pkewzi8f32gvwl352ugi7odj
70c3c5a7ff51 bitnami/etcd:3.3.13 "/entrypoint.sh etcd" 3 hours ago Up 3 hours 2379-2380/tcp etcd_etcd.1.xkby0e1syswnk1kcjam
a6pear

Validate the startup

curl -k -I -L http://127.0.0.1/idp/login

You should see output similar to the example below

HTTP/1.1 200
Date: Tue, 30 Jan 2024 02:46:46 GMT
Server: Apache
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://127.0.0.1/selfservice/csp/report" } ] }
Content-Security-Policy: default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' data:; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Referrer-Policy: strict-origin
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4666
Set-Cookie: SESSION=N2EyYTQ0MjMtZmNlMC00OTlmLTg1NjItNDNmMjBmMjI1MmMy; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding

The application is now operational and you can login.

First time login

The final validation of our deployment is to be able to login to the OpenIAM web applications. To do this, must first find the IP address of our VM.

Next open your browser (preferably Chrome or Firefox), and hit:

http://[ip address of your installation ]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00

OpenIAM Login page

The next screen will ask you to change the default password. As you enter your new password, you will see the password policy on the side. You password must align with this policy. You will be able to change both the password and the policy later

Change password

The next step is to define a content provider using the screen shown below. A Content provider is an alias that represents a domain. Associated with the content provider can be UI themes, authentication policies, etc. The table below describes the fields on this screen.

NameDescription
Content Provider NameYou can think of a content provider an “alias” which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, please enter a value such as : Default CP
Domain PatternThis value is defaulted in. It should be the IP address or host DNS name of the instance where OpenIAM has been installed
Application supports SSL?This configuration determines if the OpenIAM application will be accessed over HTTP or HTTPS. Unless, you have already configured the certificate, select Support on HTTP. You will be able to update this configuration later.

Define initial content provider

After setting the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account if you lock yourself out. Make a note of your answers.

noteNote: You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

Challenge questions

After completing the above steps, you will be taken the admin console landing page shown below. Allow the system about 5 min to refresh in the internal cache and then you can proceed to configure your solution.

Webconsole landing page

Frequently used commands with Docker

The following commands are frequently used with Docker.

CommandDescription
./startup.shStarts the OpenIAM Docker containers
./shutdown.shStops the OpenIAM Docker containers
Ensure that all containers have stopped before restarting. You can validate that the containers have stopped using the docker ps command
docker psShows all the containers which are running
watch -n 5 'docker ps'Allows you to observe the docker containers. The view is refreshed every -n seconds.
docker logs [container id]Shows the logs related to the Container ID. You can get the Container ID from the docker ps command.
docker exec -it [container id] bashAllows you to connect to the container
docker restart -t [time][container id]Allows you to restart a container. Time is the number seconds to wait after stopping a container, but its started again.

Additional resources