Single VM Install

This section describes how to install OpenIAM on CentOS or Red Hat Enterprise Linux (RHEL) 8.x using the RPM distribution.

OpenIAM provides an RPM distribution that bundles all dependencies except the database and basic system tools, which simplifies installation. Because the package is self-contained, it can also be deployed in locked-down environments with no network access.

The following describes how to prepare your host system for the installation. After the initial steps for preparation, we will focus on installing the OpenIAM application.

While both CentOS / RHEL 7 and 8.1+ are supported, OpenIAM recommends using v8.x+ where possible.

You may download CentOS or RHEL from the following locations. The CentOS mirrors are plain http; verify the downloaded ISO against the sha256 checksum published by the project before using it.

Operating System | URL
CentOS 7.x       | http://ftp.usf.edu/pub/centos/7.8.2003/isos/x86_64/
CentOS 8.2       | http://mirror.math.princeton.edu/pub/centos/8.2.2004/isos/x86_64/
RHEL 8.2         | https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux

The installation instructions provided require root-level privileges on the host where OpenIAM will be deployed. The person or team installing OpenIAM must be familiar with the CentOS/RHEL operating system, databases and services.

The procedures described in this guide must be performed in the order that they have been presented below.

System requirements

The Linux host or VM must meet the following minimum configuration:

Configuration | Non-Production | Production
Memory        | 24 GB          | 32 GB
CPU           | 6 CPUs         | 8 CPUs
Disk          | 80 GB          | 100 GB (may increase based on sizing)

If you are creating a new VM for this installation, then ensure the following minimal tasks are performed during the OS installation process:

  • Under network – Ethernet is set to ON
  • You should enter a host name. For the purpose of this install, we will use iam-nonprod
  • Software selection – minimal installation
  • Set a root password. This walkthrough uses openiam1 as a placeholder; it is deliberately simple and must not be used on any real host. Choose a strong, unique password.

Log in to your VM as root or a privileged user. To check the CPUs on your VM use:

lscpu

To check the memory on your VM use:

free -m

The result of each of these commands MUST align with the above minimum requirements.

For sizing assistance for a production deployment, either open a support ticket or contact your OpenIAM point of contact.

SSH into your VM

To ssh into your newly created VM, follow the steps below.

a) First get the IP address of your VM. You can do this using:

ip addr

b) Next use a tool such as PuTTY, or the terminal window on a Mac, to SSH to the Linux host:

ssh [username]@[IP address of your VM]

Example: ssh root@172.16.101.128

Logging in directly as root over SSH is acceptable for a lab install. On any network-reachable host, prefer a non-root account with sudo and key-based authentication, and disable root password login in sshd_config once the installation is complete.

Prepare the host system for installation

The OpenIAM application requires a few host configuration changes before it is installed. These steps are described below.

Install required packages

Prior to installing OpenIAM, execute the commands below to install the required packages. If you are logged in as root, you do not need to prefix them with sudo; if you are using another account, prefix each command with sudo.

Description        | Command CentOS 8+ | Command CentOS 7+
Update the OS      | dnf update        | yum update
Install nano       | dnf install nano  | yum install nano
Install wget       | dnf install wget  | yum install wget
Install tar        | dnf install tar   | yum install tar
Install C compiler | -                 | yum install gcc

Example on CentOS 8.x

dnf update
dnf install nano wget tar

Note that the initialization log shown later in this page reports make: command not found from redis/init.sh on a CentOS 8 host. Installing the gcc and make packages before initialization avoids this.

Update the Hosts file

Make sure that your /etc/hosts file contains a value for the hostname. To edit the hosts file, use an editor like Nano

nano /etc/hosts

Create an entry like the one below to define the host name.

127.0.0.1 iam-nonprod

Modifying file descriptor limits for RabbitMQ

OpenIAM uses RabbitMQ for messaging. Most OpenIAM services communicate with each other through this message broker. RabbitMQ requires file descriptor limits that are much higher than the defaults found on many Linux distributions.

Note: OpenIAM requires RabbitMQ 3.8.x or later. Use the RabbitMQ that ships with the distribution.

By default, CentOS and RHEL set a soft limit (the value currently enforced) of 1024 open file descriptors and a hard limit (the maximum a user may raise the soft limit to) of 4096 per user. These limits are inadequate for RabbitMQ in an OpenIAM deployment: every connection and queue consumes descriptors, so a soft limit of 1024 causes RabbitMQ to run out quickly and stop accepting new connections.

Perform the following steps to increase the file descriptor limits:

  1. Open a command terminal and log in as the root user, or use sudo to gain super user privileges.
  2. Edit the /etc/pam.d/login file using an editor such as nano or vi:
sudo nano /etc/pam.d/login
  3. Add the following line at the end of the file and then save. If you are using nano, use [Ctrl+x] to save:
session required pam_limits.so
  4. Next, edit the limits.conf file:
nano /etc/security/limits.conf
  5. Add the following lines to the end of the file and then save, using [Ctrl+x]:
* soft nofile 65536
* hard nofile 65536
  6. Restart the system for the new settings to take effect:
sudo reboot
  7. Verify the new limits by opening a command terminal and typing the following command:
ulimit -n

The system should respond with 65536.

Two caveats apply to this check. First, pam_limits does not apply wildcard (*) entries to the root user, so if you verify as root you need explicit root soft nofile and root hard nofile entries with the same value as well. Second, limits.conf is enforced by PAM at login, and systemd services such as rabbitmq-server do not pass through PAM; their limit comes from the LimitNOFILE setting of the unit. The value that actually matters is the one reported in /proc/<rabbitmq pid>/limits once the service is running.
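The script below is an added example, not part of the OpenIAM distribution or of RabbitMQ, that applies the limits from the steps above idempotently (adding the explicit root entries that a wildcard does not cover) and then reads the limit the running RabbitMQ process actually has from /proc, which is the check that matters because systemd services are not subject to pam_limits. It assumes the unit is named rabbitmq-server, the name that appears in the initialization output later on this page, and that limits live in /etc/security/limits.conf and /etc/pam.d/login.

```shell
#!/usr/bin/env bash
# Added example (not OpenIAM's own tooling): apply the file-descriptor limits
# idempotently and verify what the RabbitMQ process really runs with.
# Assumptions: pam_limits config is /etc/security/limits.conf and
# /etc/pam.d/login; RabbitMQ runs as the systemd unit "rabbitmq-server".
set -u

NOFILE=65536

# Append a line to a file only if it is not already present (idempotent).
ensure_line() {   # ensure_line <file> <line>
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Write the pam_limits hook and the nofile entries. The wildcard "*" does not
# apply to root (limits.conf(5)), so explicit root lines are written too.
apply_limits() {  # apply_limits <limits.conf> <pam login file>
  local limits=$1 pamlogin=$2
  ensure_line "$pamlogin" "session required pam_limits.so"
  for who in '*' root; do
    for kind in soft hard; do
      ensure_line "$limits" "$who $kind nofile $NOFILE"
    done
  done
}

# Return 0 when <file> has both a soft and a hard nofile entry >= NOFILE
# for <principal> ("*" or a user name), 1 otherwise.
limits_ok() {     # limits_ok <limits.conf> <principal>
  local file=$1 who=$2
  awk -v who="$who" -v want="$NOFILE" '
    $1 == who && $3 == "nofile" && ($2 == "soft" || $2 == "hard") && $4 + 0 >= want { seen[$2] = 1 }
    END { exit !(("soft" in seen) && ("hard" in seen)) }' "$file"
}

# Print the soft "Max open files" value from a /proc/<pid>/limits file.
proc_nofile() {   # proc_nofile <path to /proc/PID/limits>
  awk '/^Max open files/ { print $4 }' "$1"
}

# The limit the live RabbitMQ process has; fails if the unit is not running.
rabbitmq_nofile() {
  local pid
  pid=$(systemctl show -p MainPID --value rabbitmq-server 2>/dev/null) || return 1
  [ -n "$pid" ] && [ "$pid" != 0 ] || return 1
  proc_nofile "/proc/$pid/limits"
}

if [ "${1:-}" = "--apply" ]; then
  apply_limits /etc/security/limits.conf /etc/pam.d/login
  echo "limits written; reboot or log in again, then run: $0 --check"
elif [ "${1:-}" = "--check" ]; then
  echo "this shell (ulimit -n): $(ulimit -n)"
  echo "rabbitmq process:       $(rabbitmq_nofile || echo 'not running')"
fi
```

Run it once with --apply as root, reboot, and then with --check. If the shell reports 65536 but the rabbitmq process line is lower, raise LimitNOFILE in a systemd drop-in for rabbitmq-server rather than editing limits.conf further.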

Database installation

OpenIAM uses a relational database as its primary data repository. The supported databases are listed in the table below.

MariaDB is the default database, and a simplified set of installation instructions is provided below.

Database type        | Supported Versions | Installation Documentation
MariaDB              | 10.3               | See below
MySQL                | Pending            | Pending
PostgreSQL           | Pending            | Pending
Oracle               | Pending            | Pending
Microsoft SQL Server | Pending            | Pending

Install MariaDB

If you plan to use MariaDB as the OpenIAM repository, follow the steps below.

First, ensure that MariaDB is available in your package repositories. On CentOS/RHEL 8.x the AppStream repository already provides MariaDB 10.3, so no additional repository is needed. If it is not available, add the MariaDB repository using the following steps. Note that the baseurl shown below is the CentOS 7 build of 10.3 (centos73-amd64); on an 8.x host pick the path for your OS version from MariaDB's repository configuration page, and keep gpgcheck=1 so packages are verified against the MariaDB signing key.

Run the following as root:

nano /etc/yum.repos.d/mariadb.repo

Add the following text to the file and save.

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos73-amd64/
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Update your OS and then install the MariaDB server with the commands shown below.

dnf update
dnf install mariadb-server

Next, we need to:

  1. Enable the MariaDB service to start on a system restart
  2. Start MariaDB
  3. Secure the installation.

Execute the commands below to enable tasks 1 and 2 from the list above.

systemctl enable mariadb.service
systemctl start mariadb.service

To validate that the service has started, run:

systemctl status mariadb.service

To secure your MariaDB installation, use the command below:

mysql_secure_installation

The utility asks a number of questions to set the root database password and to set options that define how MariaDB can be accessed. Answer y to each: set a strong root password, remove anonymous users, disallow remote root login, and remove the test database. Sample output is provided below for reference.

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorization.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
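mysql_secure_installation is interactive and easy to click through, so it is worth confirming the result. The script below is an added example, not part of MariaDB or OpenIAM, that audits the account and schema lists for the three conditions the utility is supposed to fix (anonymous accounts, remote root logins, the test database) and prints the SQL that would correct each finding. In --live mode it connects as root through a temporary defaults file with mode 600 so the password never appears on the command line; the root password it asks for is the one you set above.

```shell
#!/usr/bin/env bash
# Added example (not MariaDB's or OpenIAM's own code): verify the state that
# mysql_secure_installation is meant to leave behind.
# Assumes the mysql client is installed and root can log in locally.
set -u

# Audit "User<TAB>Host" rows as produced by `mysql -N -B`. Prints one finding
# per line with the SQL that fixes it. Returns 0 when clean, 1 with findings.
# awk is used rather than `read` because a leading tab (empty User) would be
# swallowed by the shell's IFS handling.
audit_users() {   # audit_users <file with User<TAB>Host rows>
  awk -F'\t' -v q="'" '
    NF < 2 { next }
    $1 == "" {
      printf "anonymous account on host %s: DROP USER %s%s@%s%s%s;\n", $2, q, q, q, $2, q
      bad = 1; next
    }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      printf "remote root login allowed from %s: DROP USER %sroot%s@%s%s%s;\n", $2, q, q, q, $2, q
      bad = 1
    }
    END { exit bad + 0 }' "$1"
}

# Flag the default "test" database; returns 1 if it is still present.
audit_schemas() { # audit_schemas <file with one schema name per line>
  if grep -qx 'test' "$1"; then
    echo "default database 'test' present: DROP DATABASE test;"
    return 1
  fi
  return 0
}

if [ "${1:-}" = "--live" ]; then
  cnf=$(mktemp) && chmod 600 "$cnf"
  printf 'MariaDB root password: '; read -rs pw; echo
  printf '[client]\nuser=root\npassword=%s\n' "$pw" > "$cnf"
  tmp=$(mktemp -d)
  mysql --defaults-extra-file="$cnf" -N -B -e "SELECT User, Host FROM mysql.user" > "$tmp/users"
  mysql --defaults-extra-file="$cnf" -N -B -e "SELECT schema_name FROM information_schema.schemata" > "$tmp/schemas"
  rc=0
  audit_users "$tmp/users" || rc=1
  audit_schemas "$tmp/schemas" || rc=1
  rm -rf "$cnf" "$tmp"
  [ $rc -eq 0 ] && echo "MariaDB hardening checks passed"
  exit $rc
fi
```

Any SQL the script prints can be run as root followed by FLUSH PRIVILEGES. Run it again after the OpenIAM initializer has created the idmuser account; that account should appear only with Host localhost unless the database is deliberately on a separate server.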

Installing the OpenIAM RPM package

The steps described up to this point have focused on preparing your environment for installing the OpenIAM product and its dependencies. The following steps install OpenIAM from the RPM file and perform a first-time login as an administrator.

To download the OpenIAM RPM, ssh to your VM or server and fetch the RPM file with wget, using the download URL provided to you:

wget <enter the downloaded URL>

After the file has been downloaded, use the instructions below to install OpenIAM
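rpm -i runs the package's install scriptlets as root, so the file should be checked before it is installed. The script below is an added example, not part of the OpenIAM distribution: it compares the file's SHA-256 with a value you obtained from OpenIAM out of band (the expected value on the command line is an assumption; this page does not publish one), and if it matches, shows the signature status, the scriptlets and the first files the package writes so they can be reviewed before proceeding.

```shell
#!/usr/bin/env bash
# Added example (not OpenIAM tooling): verify a downloaded RPM before rpm -i.
# Usage: verify-rpm.sh <package.rpm> <expected sha256 hex>
# Assumption: the expected checksum was obtained from the vendor out of band.
set -u

# Compare a file's SHA-256 with the expected value, case-insensitively.
# Returns 0 on match, 1 on mismatch or if the file cannot be read.
verify_sha256() {  # verify_sha256 <file> <expected hex>
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$file" ] || return 1
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Show what the package will do before it is installed.
inspect_rpm() {    # inspect_rpm <package.rpm>
  echo "== signature / digest (signature lines are meaningful only if the vendor key is imported)"
  rpm -K "$1"
  echo "== scriptlets executed as root by rpm -i"
  rpm -qp --scripts "$1"
  echo "== first files the package writes"
  rpm -qpl "$1" | head -n 20
}

if [ $# -eq 2 ]; then
  if verify_sha256 "$1" "$2"; then
    echo "checksum OK: $1"
    inspect_rpm "$1"
  else
    echo "checksum MISMATCH for $1: do not install" >&2
    exit 1
  fi
elif [ $# -ne 0 ]; then
  echo "usage: $0 <package.rpm> <expected sha256>" >&2
  exit 2
fi
```

A checksum mismatch means the download is not the file the vendor described, whether from a truncated transfer or from tampering, and the package should be fetched again rather than installed.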

Execute the RPM installer

Enter the following command to install the RPM file on CentOS/ RHEL 8.x:

rpm -i openiam-4.2.0.7-1.x86_64.rpm

Upon successful completion of the RPM install, you should see output similar to the excerpt shown below.

openiam/
openiam/connectors/
openiam/connectors/shutdown.sh
openiam/connectors/bin/
openiam/connectors/bin/google-connector-rabbitmq.jar
openiam/connectors/bin/ldap-connector-rabbitmq.jar
openiam/connectors/bin/scim-connector-rabbitmq.jar
openiam/connectors/bin/oracle-connector-rabbitmq.jar
openiam/connectors/bin/linux-connector-rabbitmq.jar
openiam/connectors/start.sh
openiam/services/
openiam/services/shutdown.sh
openiam/services/bin/
openiam/services/bin/idm.jar
openiam/services/bin/workflow.jar
openiam/services/bin/auth-manager.jar
openiam/services/bin/synchronization.jar
openiam/services/bin/device-manager.jar
openiam/services/bin/reconciliation.jar
openiam/services/bin/email-manager.jar
openiam/services/bin/groovy-manager.jar
openiam/services/bin/openiam-esb.jar
openiam/services/start.sh
openiam/utils/
openiam/utils/shutdown.sh
openiam/utils/rabbitmq/
openiam/utils/rabbitmq/init.sh
openiam/utils/flyway/
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mssql.m4
openiam/utils/flyway/mysql.properties.m4
openiam/utils/flyway/init.sh
openiam/utils/flyway/mssql.properties.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysq.m4
openiam/utils/flyway/oracle.sid.properties.m4
openiam/utils/flyway/postgres.properties.m4
openiam/utils/flyway/oracle.service.properties.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.postgres.m4
openiam/utils/init.sh
openiam/utils/elasticsearch/
openiam/utils/elasticsearch/init.sh
openiam/utils/elasticsearch/elasticsearch
openiam/utils/elasticsearch/elasticsearch.yml
openiam/utils/status.sh
openiam/utils/redis/
openiam/utils/redis/init.sh
openiam/utils/proxy/
openiam/utils/proxy/init.sh
openiam/utils/vault/
openiam/utils/vault/bootstrap.sh
openiam/utils/vault/validate.vault.sh
openiam/utils/vault/generate.cert.sh
openiam/utils/vault/init.sh
openiam/utils/vault/vault.properties.m4
openiam/utils/vault/login.sh
openiam/utils/vault/vault.fetch.property.sh
openiam/utils/vault/start.sh
openiam/utils/start.sh
openiam/utils/uninstall.sh
...[verbose output has been skipped for the documentation]...
hotfix_4.2.0.4_3/flyway/drivers/hsqldb-2.5.0.jar
hotfix_4.2.0.4_3/flyway/drivers/ojdbc8.jar
hotfix_4.2.0.4_3/flyway/drivers/put-your-jdbc-drivers-here.txt
hotfix_4.2.0.4_3/flyway/drivers/ojdbc8-19.6.0.0.jar
hotfix_4.2.0.4_3/flyway/drivers/derbyclient-10.15.2.0.jar
hotfix_4.2.0.4_3/flyway/drivers/mssql-jdbc-7.2.0.jre8.jar
hotfix_4.2.0.4_3/flyway/drivers/jaybird-jdk18-3.0.8.jar
hotfix_4.2.0.4_3/flyway/drivers/derbyshared-10.15.2.0.jar
hotfix_4.2.0.4_3/flyway/drivers/mariadb-java-client-2.6.0.jar
hotfix_4.2.0.4_3/flyway/drivers/h2-1.4.200.jar
hotfix_4.2.0.4_3/flyway/drivers/sqlite-jdbc-3.30.1.jar
hotfix_4.2.0.4_3/flyway/conf/
hotfix_4.2.0.4_3/flyway/conf/flyway.conf
hotfix_4.2.0.4_3/V4.2.0.0.029__IAM-3034.sql
hotfix_4.2.0.4_3/V4.2.0.0.021__IAM-3609.sql
hotfix_4.2.0.4_3/proxy/
hotfix_4.2.0.4_3/proxy/init.sh
hotfix_4.2.0.4_3/proxy/sscg-2.3.3-14.el8.x86_64.rpm
hotfix_4.2.0.4_3/V4.1.11.0.001__update_to_4.1.11.sql
hotfix_4.2.0.4_3/utils/
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.postgres.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mysql.m4
hotfix_4.2.0.4_3/utils/init.sh
hotfix_4.2.0.4_3/utils/oracle.sid.properties.m4
hotfix_4.2.0.4_3/utils/mssql.properties.m4
hotfix_4.2.0.4_3/utils/mysql.properties.m4
hotfix_4.2.0.4_3/utils/oracle.service.properties.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mssql.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mysq.m4
hotfix_4.2.0.4_3/utils/oracle.properties.m4
hotfix_4.2.0.4_3/utils/postgres.properties.m4
hotfix_4.2.0.4_3/utils/datasource.properties.m4
hotfix_4.2.0.4_3/V4.2.0.1.003__IAM-5083.sql
hotfix_4.2.0.4_3/patch.sh
Apply hotfix hotfix_4.2.0.4_3

Initialize the installation

After the RPM file has been installed, the next step is to "initialize" the system. The initialization process creates the database schema, deploys the various components and performs the initial configuration needed for the system to start. Run the command below to start initialization:

openiam-cli init

The initialization process takes several minutes. As it proceeds, you will see output similar to the example below; the log shows infrastructure components such as etcd and Vault being installed. Messages such as rm: cannot remove '...': No such file or directory are expected on a first install, since the files being cleaned up do not exist yet. The make: command not found line from redis/init.sh in the sample below means make was not installed on that host; install the gcc and make packages beforehand (see Install required packages) so that step can complete.

Initialize openiam
package logrotate-3.14.0-4.el8.x86_64 (which is newer than logrotate-3.14.0-3.el8.x86_64) is already installed
file /usr/sbin/logrotate from install of logrotate-3.14.0-3.el8.x86_64 conflicts with file from package logrotate-3.14.0-4.el8.x86_64
file /usr/share/man/man8/logrotate.8.gz from install of logrotate-3.14.0-3.el8.x86_64 conflicts with file from package logrotate-3.14.0-4.el8.x86_64
rm: cannot remove '/usr/bin/vault': No such file or directory
Failed to set capabilities on file `/usr/bin/vault' (Invalid argument)
usage: setcap [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................+++++
..+++++
e is 65537 (0x010001)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
..........................................+++++
e is 65537 (0x010001)
Signature ok
subject=C = US, ST = NY, L = NY, O = OPENIAM, OU = PRODUCTION, CN = localhost
Getting CA Private Key
writing RSA key
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
[Storing /usr/local/openiam/jdk/lib/security/cacerts]
rm: cannot remove '/usr/local/openiam/logs/vault.out': No such file or directory
Created symlink /etc/systemd/system/multi-user.target.wants/etcd.service/usr/lib/systemd/system/etcd.service.
Starting etcd...
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-vault.service/etc/systemd/system/openiam-vault.service.
Starting vault...
Wait vault service to wakeup
Vault already initialized....
Vault already unsealed...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 37142 0 --:--:-- --:--:-- --:--:-- 37142
Generate OpenIAM encryption secrets
=============== CRITICAL SECTION ===============
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Set OpenIAM password for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 62444 1666 --:--:-- --:--:-- --:--:-- 64111
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 37142 0 --:--:-- --:--:-- --:--:-- 37142
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 70250 1875 --:--:-- --:--:-- --:--:-- 72125
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 184 100 184 0 0 26285 0 --:--:-- --:--:-- --:--:-- 26285
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
Created symlink /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service/usr/lib/systemd/system/rabbitmq-server.service.
Starting RabbitMQ...
Enabling plugins on node rabbit@qa42rpm:
rabbitmq_delayed_message_exchange
The following plugins have been configured:
rabbitmq_delayed_message_exchange
Applying plugin configuration to rabbit@qa42rpm...
The following plugins have been enabled:
rabbitmq_delayed_message_exchange
started 1 plugins.
Enabling plugins on node rabbit@qa42rpm:
rabbitmq_management
The following plugins have been configured:
rabbitmq_delayed_message_exchange
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
Applying plugin configuration to rabbit@qa42rpm...
The following plugins have been enabled:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
started 3 plugins.
Adding vhost "openiam_am" ...
Adding vhost "openiam_idm" ...
Adding vhost "openiam_audit" ...
Adding vhost "openiam_common" ...
Adding vhost "openiam_connector" ...
Adding vhost "openiam_activiti" ...
Adding vhost "openiam_user" ...
Adding vhost "openiam_groovy_manager" ...
Adding vhost "openiam_synchronization" ...
Adding vhost "openiam_ext_log" ...
Adding vhost "openiam_bulk_synchronization" ...
Adding vhost "openiam_reconciliation" ...
Adding vhost "openiam_bulk_reconciliation" ...
Adding user "openiam" ...
Setting tags for user "openiam" to [administrator] ...
Setting permissions for user "openiam" in vhost "openiam_am" ...
Setting permissions for user "openiam" in vhost "openiam_idm" ...
Setting permissions for user "openiam" in vhost "openiam_audit" ...
Setting permissions for user "openiam" in vhost "openiam_common" ...
Setting permissions for user "openiam" in vhost "openiam_connector" ...
Setting permissions for user "openiam" in vhost "openiam_activiti" ...
Setting permissions for user "openiam" in vhost "openiam_user" ...
Setting permissions for user "openiam" in vhost "openiam_groovy_manager" ...
Setting permissions for user "openiam" in vhost "openiam_synchronization" ...
Setting permissions for user "openiam" in vhost "openiam_ext_log" ...
Setting permissions for user "openiam" in vhost "openiam_bulk_synchronization" ...
Setting permissions for user "openiam" in vhost "openiam_reconciliation" ...
Setting permissions for user "openiam" in vhost "openiam_bulk_reconciliation" ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
Synchronizing state of elasticsearch.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service/usr/lib/systemd/system/elasticsearch.service.
Starting elasticsearch...
/usr/local/openiam/utils/redis/init.sh: line 13: make: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 62444 1666 --:--:-- --:--:-- --:--:-- 64111
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 184 100 184 0 0 23000 0 --:--:-- --:--:-- --:--:-- 23000
vm.overcommit_memory = 1
Created symlink /etc/systemd/system/multi-user.target.wants/redis-server.service/etc/systemd/system/redis-server.service.
Starting Redis server...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 32500 0 --:--:-- --:--:-- --:--:-- 32500
Database access information
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 70250 1875 --:--:-- --:--:-- --:--:-- 72125
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 183 0 0 26142 0 --:--:-- --:--:-- --:--:-- 26142
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 70250 1875 --:--:-- --:--:-- --:--:-- 72125
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 183 0 0 26142 0 --:--:-- --:--:-- --:--:-- 26142
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 70250 1875 --:--:-- --:--:-- --:--:-- 72125
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 183 0 0 22875 0 --:--:-- --:--:-- --:--:-- 22875
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 70250 1875 --:--:-- --:--:-- --:--:-- 72125
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 183 0 0 26142 0 --:--:-- --:--:-- --:--:-- 26142

The installer asks a number of questions during the initialization process. For most questions a default value is provided to simplify the effort for users new to OpenIAM. The part of the run that requires input is marked in the console with:

=============== CRITICAL SECTION ===============

The credentials captured below for the database, message broker, Redis and SMTP are stored in Vault. The defaults (idmuser, passwd00) are published in this guide and should only be accepted on a throwaway lab system; for any other deployment, supply strong, unique values here.

Database schema generation

As mentioned above, the installer also creates the OpenIAM database schemas. Two schemas are created by default: openiam and activiti. The openiam schema is the primary schema used by the platform and stores everything from policies to user profile information. The activiti schema stores information about workflows and their execution.

The first set of questions raised by the installer concerns the database user for each schema. Each question and its intent are listed below.

Question: Set OpenIAM username for schema 'openiam' , default: idmuser
Explanation: The database user that owns the openiam schema, the primary schema in which OpenIAM's data is stored. The OpenIAM application uses this account to connect to the database. The default value is idmuser.

Question: Set OpenIAM password for schema 'openiam' , default: idmuser
Explanation: The password for the user provided in the previous step. The default value is idmuser.

Question: Set OpenIAM username for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Explanation: The database user for the activiti schema, used by the OpenIAM application to connect to the workflow database. The default value is idmuser.

Question: Set OpenIAM password for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Explanation: The password for the user associated with the activiti schema. The default value is idmuser.

Question: Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
Explanation: For an upgrade of an existing deployment, the current version determines which migration scripts are applied to bring the schema up to date. For a new deployment, accept the default.

Question: This is the name of the openiam core database. If using mariadb, this is most likely 'openiam', default: openiam
Explanation: The name of the primary database schema. Accept the default, openiam; change it only if the schema scripts have been customised.

Question: This is the name of the openiam Activiti database. If using mariadb, this is most likely 'activiti', default: activiti
Explanation: The name of the schema used by the workflow engine. Accept the default, activiti; change it only if the schema scripts have been customised.

Question: Possible values: mysql, postgres, mssql, oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default:mysql
Explanation: The type of database used as the OpenIAM repository. Accept the default for MariaDB or MySQL. For PostgreSQL, Oracle or Microsoft SQL Server enter postgres, oracle or mssql respectively.

Question: Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]
Explanation: For a new installation the answer must be y. The installer then uses the super user account requested next to create the schemas and the application users.

Question: Enter username for Super user (for mysql this is root), default: root
Explanation: The installer needs a super user (or equivalent) account with the privileges to create schemas, users and tables.

Question: Enter password for super user (sa or root, depend on the db type), default:
Explanation: The password for the account provided in the previous step. For MariaDB this is the root password set with mysql_secure_installation.

Question: This is the hostname of where the openiam core database is., default: localhost
Explanation: The host or DNS name of the server hosting the primary OpenIAM database.

Question: This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306
Explanation: The port used by the database server hosting the primary OpenIAM database.

Question: This is the hostname of where the openiam activiti database is., default: localhost
Explanation: The host or DNS name of the server hosting the workflow database.

Question: This is the port of where the openiam activiti database is. If using mariadb, this is most likely '3306', default: 3306
Explanation: The port used by the database server hosting the workflow database.

You will see output similar to the example below

=============== CRITICAL SECTION ===============
Database configuration.
Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
This is the name of the openiam core database. If using mariadb, this is most likely 'openiam', default: openiam
This is the name of the openiam Activiti database. If using mariadb, this is most likely 'activiti', default: activiti
Possible values: mysql, postgres, mssql, oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default: mysql
Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]:y
Initialization.
Enter username for Super user (for mysql this is root), default: root
Enter password for super user (sa or root, depend on the db type), default:
Specify hibernate Dialect class, default: org.hibernate.dialect.MySQLDialect
This is the hostname of where the openiam core database is., default: localhost
This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306
This is the hostname of where the openiam activiti database is., default: localhost
This is the port of where the openiam activiti database is. If using mariadb, this is most likely '3306', default: 3306
Mysql. Try to initialize automatically
/usr/local/openiam/conf/schema/mysql/openiam/
Flyway Community Edition 6.5.1 by Redgate
Database: jdbc:mysql://localhost:3306/openiam (MySQL 5.5)
Creating Schema History table `openiam`.`flyway_schema_history` with baseline ...
WARNING: DB: Name 'flyway_schema_history_pk' ignored for PRIMARY key. (SQL State: 42000 - Error Code: 1280)
Successfully baselined schema with version: 2.3.0.0
Successfully validated 983 migrations (execution time 00:00.897s)
Current version of schema `openiam`: 2.3.0.0
WARNING: outOfOrder mode is active. Migration of schema `openiam` may not be reproducible.
Migrating schema `openiam` to version 2.3.0.0.001 - mysql schema common
Migrating schema `openiam` to version 2.3.0.0.002 - mysql schema security
Migrating schema `openiam` to version 2.3.0.0.003 - mysql idm data
Migrating schema `openiam` to version 3.0.0.0.001 - alter table attribute map
Migrating schema `openiam` to version 3.0.0.0.002 - create resource many to many mapping
Migrating schema `openiam` to version 3.0.0.0.003 - create group many to many mapping
Migrating schema `openiam` to version 3.0.0.0.004 - migrate role id
Migrating schema `openiam` to version 3.0.0.0.005 - migrate resource role mappings
... [skipping verbose logs for documentation]

Message broker password

OpenIAM uses RabbitMQ as its message broker and primary transport: services are loosely coupled and communicate with each other through the broker. Cross-service communication is encrypted.

The next question raised by the installer defines the password for RabbitMQ. As with the questions above, a default value is provided for simplicity; for production use, set a strong password. The initialization log also shows the rabbitmq_management plugin being enabled, so make sure the management interface is not reachable beyond localhost or trusted administration hosts.

Set OpenIAM password for RabbitMQ message broker, default: passwd00

Memory cache password

Redis is an in-memory distributed cache which is used by OpenIAM to improve system performance. A variety of objects are temporarily stored in Redis including:

  • End user web session
  • Database object cache
  • High level application cache.

As with other components, access to the cache is secured and the next question asks for a password which should be used for Redis.

Set OpenIAM password for Redis., default: passwd00

SMTP Credentials

E-mail notifications can be enabled for a broad range of operations in OpenIAM. A working SMTP service is a prerequisite for sending them. The next two questions ask for the credentials of the account used to send e-mail from the application. They are optional at this point and can be configured later if needed.

Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none

At this point the installer has enough information to complete the installation of Elasticsearch, Redis, RabbitMQ and the other components.

Upon successful execution of the installer, you should see the following as the ending entries in the logs.

Successfully applied 4 migrations to schema `activiti` (execution time 00:01.001s)
Done
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-auth.service → /etc/systemd/system/openiam-auth.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-device.service → /etc/systemd/system/openiam-device.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-email.service → /etc/systemd/system/openiam-email.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-esb.service → /etc/systemd/system/openiam-esb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-groovy.service → /etc/systemd/system/openiam-groovy.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-idm.service → /etc/systemd/system/openiam-idm.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-reconciliation.service → /etc/systemd/system/openiam-reconciliation.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-synchronization.service → /etc/systemd/system/openiam-synchronization.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-ui.service → /etc/systemd/system/openiam-ui.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-workflow.service → /etc/systemd/system/openiam-workflow.service.
Openiam Status report Sat May 15 19:43:17 UTC 2021
[WARNING] - openiam-esb - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - workflow - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - groovy-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - idm - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - reconciliation - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - email-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - auth-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[WARNING] - openiam-ui - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
Do you want to install OpenIAM reverse proxy module? [y/n]:y
Installing reverse proxy module
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
mod_openiam installed
restart httpd to apply changes
success
success
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

The installer then continues with initialization and applies the SQL scripts required for a successful startup. Once initialization succeeds, the OpenIAM services start the application stack automatically and print the current stack status, as in the report above. Startup usually takes 8-12 minutes, so services still reporting [ DOWN ] immediately after installation are expected; the final steps shown above appear at the end of the initialization process.

You can view the status of the system as it comes up using the openiam-cli utility. The client supports a number of parameters; to see the status, run the following:

openiam-cli status

If all the services have started successfully, you should see the following output:

Openiam Status report Sat May 15 20:09:50 UTC 2021
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]
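Because a first start takes several minutes and the installer's own status report is a single snapshot, it is useful to wait for the stack from a script, for example in a post-install or post-reboot step. The following POSIX shell script is an added example, not code shipped with OpenIAM or taken from the guide. It parses the openiam-cli status report format shown above (one "[OK] - name - ..." or "[WARNING] - name - ..." line per service, with the application state in "[ UP ]" or "[ DOWN ]"), lists the services that are not yet up, and polls until all of them are. The expected service count of 10 comes from the output above; the 15-minute default timeout and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM RPM: wait until every service in the
# `openiam-cli status` report is UP. Assumed line format (copied from the report
# above), one line per service:
#   [OK] - idm - Service working. Application status: [ UP ]
#   [WARNING] - idm - Service working, but Application status: [ DOWN ]. ...

# Print the names of services whose line does not report "[ UP ]", one per line.
services_not_up() {
    # $1 = full report text
    printf '%s\n' "$1" \
        | grep -E '^\[(OK|WARNING|ERROR)\] - ' \
        | grep -v 'Application status: \[ UP \]' \
        | sed -E 's/^\[[A-Z]+\] - ([^ ]+) - .*/\1/' || true
}

# Number of per-service lines in the report (the RPM install above starts 10).
service_count() {
    # `grep -c` prints 0 but exits 1 when nothing matches; keep the 0.
    printf '%s\n' "$1" | grep -cE '^\[(OK|WARNING|ERROR)\] - ' || true
}

# Return 0 when the report lists at least $2 services (default 10) and none is down.
report_is_healthy() {
    _report=$1; _expected=${2:-10}
    [ "$(service_count "$_report")" -ge "$_expected" ] &&
        [ -z "$(services_not_up "$_report")" ]
}

# Poll `openiam-cli status` every 30 s until healthy or until $1 seconds pass.
# The guide quotes 8-12 minutes for a first start, so the default is 15 minutes.
wait_for_stack() {
    timeout=${1:-900}; interval=30; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        report=$(openiam-cli status 2>&1)
        if report_is_healthy "$report"; then
            echo "all services UP after ${elapsed}s"
            return 0
        fi
        echo "still starting (${elapsed}s): $(services_not_up "$report" | tr '\n' ' ')"
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "timed out after ${timeout}s; inspect with 'openiam-cli log <service_name>'" >&2
    return 1
}

# Only poll when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--wait" ]; then
    wait_for_stack "${2:-900}"
fi
```

Run it as `sh openiam-wait.sh --wait 900` after the installer finishes or after a reboot; a non-zero exit means at least one service never reached [ UP ] within the timeout, and the last "still starting" line names the services to look at with openiam-cli log.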

You can validate that the UI is operational by running the following command in a terminal on the host:

curl -k -I -L http://127.0.0.1/idp/login

You should see output similar to the example below.

HTTP/1.1 200
Date: Sat, 15 May 2021 20:14:56 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' *; font-src 'self' *;
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Set-Cookie: SESSION=NWY5ZDYwNWItMWM0NC00YWYyLWI3ODYtMzQyNzI2MGJlZWYz; Path=/idp/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Transfer-Encoding: chunked
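The header dump above also doubles as a post-install security check. The following shell script is an added example, not part of the OpenIAM guide or product: it takes the output of the curl command above, requires a final HTTP 200 together with the X-Frame-Options, X-Content-Type-Options and Content-Security-Policy headers and an HttpOnly SESSION cookie, and prints review notes for the items visible in the sample output that a hardening pass would normally look at: the permissive Access-Control-Allow-Origin: *, the unsafe-eval in the CSP, and the missing Secure flag on the session cookie, which is expected as long as the UI is reached over plain http. The pass/fail rules and the finding wording are this example's own choices, not OpenIAM requirements.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM guide: check the response headers of
# the UI login page. Input is the text produced by `curl -k -I -L .../idp/login`
# (the header block shown above), passed as one argument.

# Value of the first header named $2 (case-insensitive) in header text $1.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*: *//'
}

# Status code of the last response (with -L, curl prints one status line per hop).
final_status() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -E '^HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | awk '{print $2}'
}

# Print one finding per line. "fail:" lines make the check return 1;
# "note:" lines are review items that do not fail it.
check_ui_headers() {
    h=$1; rc=0
    status=$(final_status "$h")
    if [ "$status" != "200" ]; then
        echo "fail: expected HTTP 200 from /idp/login, got '${status:-none}'"; rc=1
    fi
    for name in X-Frame-Options X-Content-Type-Options Content-Security-Policy; do
        if [ -z "$(header_value "$h" "$name")" ]; then
            echo "fail: missing $name header"; rc=1
        fi
    done
    cookie=$(header_value "$h" Set-Cookie)
    case "$cookie" in
        SESSION=*HttpOnly*) ;;
        SESSION=*) echo "fail: SESSION cookie is not HttpOnly"; rc=1 ;;
        *) echo "fail: no SESSION cookie set"; rc=1 ;;
    esac
    case "$cookie" in
        SESSION=*Secure*) ;;
        SESSION=*) echo "note: SESSION cookie has no Secure flag (acceptable only while the UI is served over plain http)" ;;
    esac
    if [ "$(header_value "$h" Access-Control-Allow-Origin)" = "*" ]; then
        echo "note: Access-Control-Allow-Origin is *; restrict it if the UI is reachable from other origins"
    fi
    case "$(header_value "$h" Content-Security-Policy)" in
        *unsafe-eval*) echo "note: Content-Security-Policy allows unsafe-eval" ;;
    esac
    return $rc
}

# Optional runner: `sh check-ui-headers.sh --url http://127.0.0.1/idp/login`
if [ "${1:-}" = "--url" ]; then
    check_ui_headers "$(curl -sk -I -L "$2")"
fi
```

Against the sample output above the check passes (exit 0) and prints the three notes; a "Connection refused" or a non-200 final status is reported as a failure, which is the case the next paragraph troubleshoots.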

If you get a "Connection refused" error, first check that httpd is listening on port 80:

ss -tulwn

To check whether the firewall allows ports 80 and 443 (the http and https services), use the following command:

firewall-cmd --list-all

First time login

To log in to OpenIAM for the first time, use a browser such as Chrome or Firefox and go to the following URL:

http://[host name]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00

First time login

The next screen will ask you to change the default password; the password policy is shown beside the form. Enter a new password that complies with this policy. You will be able to change both the password and the policy later.

Change password page

The following screen will ask for answers to a set of challenge questions. The answers can be used as part of the forgot-password functionality. These, too, can be changed later as you configure the solution for your needs.

Challenge questions page

The last step in the startup process is to define a "Content Provider". A content provider is an important concept in OpenIAM and is explained in more detail in the administration guide. For this initial step, only the following information is needed to define the default content provider.

Content Provider Name: Think of a content provider as an "alias" that represents a domain; this is described in more detail in the OpenIAM documentation. For this setup, enter a value such as: Default CP
Domain Pattern: This value is filled in by default. It should be the IP address or DNS host name of the instance where OpenIAM has been installed.
Is SSL?: Flag indicating whether communication will be over SSL. For this step, select No; the steps to enable SSL are documented separately.

Content provider page

After setting the content provider, you will be taken to the landing page of the admin interface in OpenIAM called the Webconsole. You will see the search screen below.

After the content provider is setup, OpenIAM will need a few minutes for the system cache to refresh. During this time, you may see some screens which are blank. Allow for the refresh to complete.

After this time, your instance is ready for additional configuration.

Webconsole landing page

OpenIAM components and status

Using the OpenIAM Command line utility

OpenIAM provides a command line utility, openiam-cli, to view the status of all components and to perform common operations such as viewing logs and starting or stopping services.

Just running the command by itself, as shown below, will display the list of all options.

openiam-cli

Output

Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}

To check the status of the components, or to confirm that the system is up, use the following command:

openiam-cli status

To view the current log of a service, use the following command. The service names are the ones listed by openiam-cli status.

openiam-cli log <service_name>

For example, to check the logs of the openiam-esb module use the following command.

openiam-cli log openiam-esb

OpenIAM core services

Each core service, what it provides, and its default memory allocation (RAM):

openiam-esb: the Web Service API and most of the core functionality. Default memory: 2048m
workflow: business workflow functionality. Default memory: 768m
groovy-manager: Groovy extension functionality. Default memory: 256m
idm: provisioning to target systems. Default memory: 512m
reconciliation: reconciliation against target systems. Default memory: 512m
email-manager: sending and receiving e-mail. Default memory: 256m
auth-manager: end-user authorization functionality. Default memory: 1024m
device-manager: device management functionality (iOS and Android). Default memory: 256m
openiam-ui: the web server (Tomcat) that serves the graphical interface. Default memory: 2048m

OpenIAM Connectors

Several connectors are distributed with the default OpenIAM RPM. To list all of them, run:

openiam-cli list-connectors

The following connectors are predefined and available in the OpenIAM 4.2.0 and later releases.

Each connector, what it manages, and its default memory allocation (RAM):

google-connector-rabbitmq: G Suite, Google's suite of applications for communication, collaboration, storage and access management. Default memory: 256m
ldap-connector-rabbitmq: group and user management in OpenLDAP or Active Directory (ldap/ldaps protocol). Default memory: 256m
linux-connector-rabbitmq: group and user management on local or remote *UNIX systems. Default memory: 256m
oracle-connector-rabbitmq: management of Oracle RDBMS users. Default memory: 256m
scim-connector-rabbitmq: group and user management using the SCIM protocol. Default memory: 256m

The following commands apply to any connector:

Start a connector: openiam-cli connector <connector_name> start
Stop a connector: openiam-cli connector <connector_name> stop
Start a connector automatically after a reboot: openiam-cli connector <connector_name> enable
Prevent a connector from starting automatically after a reboot: openiam-cli connector <connector_name> disable

OpenIAM Source Adapters

Whereas OpenIAM connectors are bi-directional, source adapters are a special type of integration service designed largely to receive (import) data from a source. In the current release, the HTTP Source Adapter is included in the RPM (future releases may include additional adapters).

http-source-adapter: imports data into OpenIAM over plain HTTP. Default memory (RAM): 256m

To list all source adapters, use the following command:

openiam-cli list-source-adapters

The following commands apply to any source adapter:

Start an adapter: openiam-cli source-adapter <adapter_name> start
Stop an adapter: openiam-cli source-adapter <adapter_name> stop
Start an adapter automatically after a reboot: openiam-cli source-adapter <adapter_name> enable
Prevent an adapter from starting automatically after a reboot: openiam-cli source-adapter <adapter_name> disable

Planned improvements and release versions

  1. httpd proxy installation with OpenIAM module (4.2.1)
  2. Reset sysadmin password during initialization (4.2.2)
  3. Initialization for non mysql (MariaDB) RDBMS (4.2.3)
  4. OpenIAM Client command line utilities for scripting customization. (4.2.4 LTS)