Single VM Install
This section describes how to install OpenIAM on CentOS or Red Hat Enterprise Linux (RHEL) 8.x using the RPM distribution.
OpenIAM provides an RPM distribution which includes all of the dependencies except for the database and system tools, to simplify the installation process. The completeness of the RPM file also enables deployments in locked-down environments where there is no network access.
The following describes how to prepare your host system for the installation. After the initial steps for preparation, we will focus on installing the OpenIAM application.
While both CentOS / RHEL 7 and 8.1+ are supported, OpenIAM recommends using v8.x+ where possible.
You may download CentOS or RHEL from the following locations:
Operating System | URL |
---|---|
CentOS 7.x | http://ftp.usf.edu/pub/centos/7.8.2003/isos/x86_64/ |
CentOS 8.2 | http://mirror.math.princeton.edu/pub/centos/8.2.2004/isos/x86_64/ |
RHEL 8.2 | https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux |
The installation instructions provided require root level privileges on the host where OpenIAM will be deployed. The person or team installing OpenIAM must be familiar with the CentOS/RHEL operating system, databases and services.
The procedures described in this guide must be performed in the order that they have been presented below.
System requirements
For non-production use, the Linux host or VM must have the following minimum configuration:
Configuration | Non-Production | Production |
---|---|---|
Memory | 24 GB | 32 GB |
CPU | 6 CPUs | 8 CPUs |
Disk | 80 GB | 100 GB (may increase based on sizing) |
If you are creating a new VM for this installation, then ensure the following minimal tasks are performed during the OS installation process:
- Under Network, Ethernet is set to ON
- Enter a host name. For the purpose of this install, we will use iam-nonprod
- Software selection: minimal installation
- Set a root password. For the purpose of this install, we will use: openiam1
Log in to your VM as root or a privileged user.
To check the CPUs on your VM use: lscpu
To check the memory on your VM use: free -m
The result of each of these commands MUST align with the above minimum requirements.
For sizing assistance for a production deployment, either open a support ticket or contact your OpenIAM point of contact.
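The two checks above (lscpu and free -m) are read by eye. The following pre-flight script is an added example, not part of the OpenIAM documentation or product: it parses the output of lscpu, free -m and df -BG / and compares the host against the minimums in the table. The sample outputs embedded in it are constructed (a host at exactly the non-production minimum); pass --live to read the real commands, and an optional second argument production to check against the production column.

```shell
#!/bin/sh
# Added pre-flight check (not OpenIAM's code): compares a host against the
# minimum sizing table. Parsers take the command text as an argument so the
# logic can be run on constructed samples; --live reads the real commands.

# Thresholds from the table. `free -m` reports a little less than the nominal
# RAM because the kernel reserves some, so 5% slack is allowed on memory.
NONPROD_MEM_MB=$((24 * 1024 * 95 / 100))
NONPROD_CPUS=6
NONPROD_DISK_GB=80
PROD_MEM_MB=$((32 * 1024 * 95 / 100))
PROD_CPUS=8
PROD_DISK_GB=100

# "total" column of the Mem: line of `free -m`
mem_mb_from_free() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" { print $2 }'
}

# value of the "CPU(s):" line of `lscpu` (first match only)
cpus_from_lscpu() {
    printf '%s\n' "$1" | awk -F: '$1 == "CPU(s)" { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# size column of the filesystem line of `df -BG /`, without the G suffix
disk_gb_from_df() {
    printf '%s\n' "$1" | awk 'NR == 2 { sub(/G$/, "", $2); print $2 }'
}

# meets_minimums MEM_MB CPUS DISK_GB PROFILE -> 0 if every minimum is met,
# otherwise each shortfall is reported on stderr and the result is 1
meets_minimums() {
    mem=$1; cpus=$2; disk=$3; profile=$4
    case "$profile" in
        production) need_mem=$PROD_MEM_MB; need_cpu=$PROD_CPUS; need_disk=$PROD_DISK_GB ;;
        *)          need_mem=$NONPROD_MEM_MB; need_cpu=$NONPROD_CPUS; need_disk=$NONPROD_DISK_GB ;;
    esac
    rc=0
    [ "$mem" -ge "$need_mem" ]   || { echo "memory: ${mem} MB is below ${need_mem} MB" >&2; rc=1; }
    [ "$cpus" -ge "$need_cpu" ]  || { echo "cpus: ${cpus} is below ${need_cpu}" >&2; rc=1; }
    [ "$disk" -ge "$need_disk" ] || { echo "disk: ${disk} GB is below ${need_disk} GB" >&2; rc=1; }
    return $rc
}

# Constructed sample output standing in for the live commands: a 24 GB,
# 6 CPU, 80 GB host, i.e. exactly the non-production minimum.
SAMPLE_LSCPU='Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
CPU(s):              6
On-line CPU(s) list: 0-5'
SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:          24117         612       22900          11         604       23214
Swap:          2047           0        2047'
SAMPLE_DF='Filesystem          1G-blocks  Used Available Use% Mounted on
/dev/mapper/cl-root       80G    3G       77G   4% /'

if [ "${1:-}" = "--live" ]; then
    cpus=$(cpus_from_lscpu "$(lscpu)")
    mem=$(mem_mb_from_free "$(free -m)")
    disk=$(disk_gb_from_df "$(df -BG /)")
else
    cpus=$(cpus_from_lscpu "$SAMPLE_LSCPU")
    mem=$(mem_mb_from_free "$SAMPLE_FREE")
    disk=$(disk_gb_from_df "$SAMPLE_DF")
fi

if meets_minimums "$mem" "$cpus" "$disk" "${2:-nonprod}"; then
    echo "host meets the ${2:-nonprod} minimums (${mem} MB, ${cpus} CPUs, ${disk} GB)"
else
    echo "host does NOT meet the ${2:-nonprod} minimums; see messages above"
fi
```

Run as `sh preflight.sh --live` on the VM (or `sh preflight.sh --live production` for the production column). Disk is checked on the root filesystem only; if /usr/local or the database directory is on a separate mount, check that mount's size too.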
SSH into your VM
To SSH into your newly created VM, follow the steps below:
a) First get the IP address of your VM. You can do this using:
ip addr
b) Next use a tool such as PuTTY, or the terminal window on a Mac, and SSH to this Linux host:
ssh [username]@[IP address of your VM]
Example: ssh root@172.16.101.128
Prepare the host system for installation
The OpenIAM application requires a few configurations to be performed prior to installing the application. These steps are described below.
Install required packages
Prior to installing OpenIAM, execute the commands below to install the required packages. If you have already logged in as root, you do not need to prefix them with sudo. If you are using another account, prefix them with sudo.
Description | Command CentOS 8+ | Command CentOS 7+ |
---|---|---|
Update the OS | dnf update | yum update |
Install Nano | dnf install nano | yum install nano |
Install wget | dnf install wget | yum install wget |
Install tar | dnf install tar | yum install tar |
Install C compiler | - | yum install gcc |
Example on CentOS 8.x
```
dnf update
dnf install nano wget tar
```
Update the Hosts file
Make sure that your /etc/hosts file contains a value for the hostname. To edit the hosts file, use an editor like nano:
nano /etc/hosts
Create an entry like the one below to define the host name.
127.0.0.1 iam-nonprod
Modifying file descriptor limits for RabbitMQ
OpenIAM uses RabbitMQ for messaging. Most of the services in OpenIAM communicate with each other through this message broker. RabbitMQ requires file descriptor limits which are much higher than the default limits found on many Linux distributions.
By default, CentOS and RHEL set a soft limit (the current allowed) of 1024 file descriptors and a hard limit (the maximum allowed) of 4096 file descriptors for each user. These limits are inadequate for using RabbitMQ in an OpenIAM deployment. A soft limit of 1024 open file descriptors can cause the RabbitMQ service to quickly run out of allocated files, preventing the operating system from accepting new connections.
Perform the following steps to increase limits for file descriptors:
- Open a command terminal and log in as the root user, or use sudo to gain super user privileges.
- Edit the /etc/pam.d/login file using an editor such as nano or vi:
sudo nano /etc/pam.d/login
- Add the following line at the end of the file and then save. If you are using nano, use [Ctrl+x] to save:
session required pam_limits.so
- Next, edit the limits.conf file
nano /etc/security/limits.conf
- Add the following lines to the end of the file and then save, using [Ctrl+x]
```
* soft nofile 65536
* hard nofile 65536
```
- Restart the system for the new settings to take effect.
sudo reboot
- Verify the new limits by opening a command terminal and typing the following command:
ulimit -n
The system should respond with 65536
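ulimit -n only reports the limit of the shell you typed it into. The following script is an added example, not part of the OpenIAM documentation, that checks the configuration at each layer: that /etc/pam.d/login loads pam_limits.so, that limits.conf carries the soft and hard nofile values, and that the running RabbitMQ process actually received the limit (read from /proc/<pid>/limits). The file contents embedded in it are constructed samples; with --live it reads the real files, and it assumes the RabbitMQ process is the Erlang VM, beam.smp.

```shell
#!/bin/sh
# Added verification helper (not OpenIAM's code): checks the file descriptor
# limit for RabbitMQ at the PAM, limits.conf and running-process level. Each
# parser takes file text as an argument so it can be run on constructed samples.

REQUIRED_NOFILE=65536

# pam_limits_enabled PAM_LOGIN_TEXT: 0 if an uncommented line loads pam_limits.so
pam_limits_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so'
}

# limits_conf_nofile LIMITS_TEXT TYPE: the "*" nofile value of TYPE (soft|hard)
# in limits.conf; prints nothing if it is absent. Comment lines are ignored.
limits_conf_nofile() {
    printf '%s\n' "$1" | awk -v type="$2" \
        '$1 == "*" && $2 == type && $3 == "nofile" { v = $4 } END { if (v != "") print v }'
}

# proc_max_open_files PROC_LIMITS_TEXT: the soft "Max open files" value of a
# /proc/<pid>/limits listing (fields: Max open files SOFT HARD files)
proc_max_open_files() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4 }'
}

# check_fd_config PAM_TEXT LIMITS_TEXT PROC_TEXT: 0 if every layer meets the
# requirement; PROC_TEXT may be empty when the broker is not running yet
check_fd_config() {
    rc=0
    pam_limits_enabled "$1" || { echo "pam_limits.so is not loaded by /etc/pam.d/login" >&2; rc=1; }
    for type in soft hard; do
        v=$(limits_conf_nofile "$2" "$type")
        [ -n "$v" ] && [ "$v" -ge "$REQUIRED_NOFILE" ] \
            || { echo "limits.conf: $type nofile is '${v:-unset}', need $REQUIRED_NOFILE" >&2; rc=1; }
    done
    if [ -n "$3" ]; then
        v=$(proc_max_open_files "$3")
        [ -n "$v" ] && [ "$v" -ge "$REQUIRED_NOFILE" ] \
            || { echo "running broker: Max open files is '${v:-unset}', need $REQUIRED_NOFILE" >&2; rc=1; }
    fi
    return $rc
}

# Constructed samples: the files after the edits above, and a default system.
GOOD_PAM='#%PAM-1.0
auth       substack     system-auth
session    include      system-auth
session    required     pam_limits.so'
GOOD_LIMITS='# /etc/security/limits.conf
#<domain>      <type>  <item>         <value>
* soft nofile 65536
* hard nofile 65536'
DEFAULT_LIMITS='# /etc/security/limits.conf
#<domain>      <type>  <item>         <value>'
GOOD_PROC='Limit                     Soft Limit           Hard Limit           Units
Max open files            65536                65536                files'
DEFAULT_PROC='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files'

if [ "${1:-}" = "--live" ]; then
    proc_text=''
    pid=$(pgrep -o beam.smp || true)
    if [ -n "$pid" ]; then proc_text=$(cat "/proc/$pid/limits"); fi
    if check_fd_config "$(cat /etc/pam.d/login)" "$(cat /etc/security/limits.conf)" "$proc_text"; then
        echo "file descriptor limits are configured for RabbitMQ"
    else
        echo "file descriptor limits need attention; see messages above"
    fi
else
    check_fd_config "$GOOD_PAM" "$GOOD_LIMITS" "$GOOD_PROC" && echo "sample: configured"
    check_fd_config "$GOOD_PAM" "$DEFAULT_LIMITS" "$DEFAULT_PROC" || echo "sample: default system fails as expected"
fi
```

The process-level check matters because pam_limits only applies to PAM login sessions. A service started by systemd takes its limit from LimitNOFILE in its unit file (or DefaultLimitNOFILE in /etc/systemd/system.conf), so a correct ulimit -n in your shell does not by itself prove the broker got the higher limit; /proc/<pid>/limits of the running broker is the authoritative value.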
Database installation
OpenIAM uses a relational database as its primary data repository. OpenIAM supports the popular databases listed in the table below.
MariaDB is the default database, and a simplified set of installation instructions has been provided below.
Database type | Supported Versions | Installation Documentation |
---|---|---|
MariaDB | 10.3 | See Below |
MySQL | Pending | Pending |
PostgreSQL | Pending | Pending |
Oracle | Pending | Pending |
Microsoft SQL server | Pending | Pending |
Install MariaDB
If you plan to use MariaDB as the OpenIAM repository, then follow the steps below.
First, ensure that MariaDB is available in your yum repository. If it is not, add it to the repository using the following steps.
Run the following as the root user:
nano /etc/yum.repos.d/mariadb.repo
Add the following text to the file and save.
```
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos73-amd64/
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
```
Update your OS and then install the MariaDB server with the commands shown below.
```
dnf update
dnf install mariadb-server
```
Next, we need to:
- Enable the MariaDB service to start on a system restart
- Start MariaDB
- Secure the installation.
Execute the commands below to enable tasks 1 and 2 from the list above.
```
systemctl enable mariadb.service
systemctl start mariadb.service
```
To validate that the service has started, run the following command
systemctl status mariadb.service
To secure your MariaDB installation, use the command below:
mysql_secure_installation
The utility will ask you a number of questions to reset the root database password and set options which define how MariaDB can be accessed. Follow the questions. For reference, sample output is provided below.
```
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorization.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
```
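mysql_secure_installation reports success as it goes, but nothing above re-checks the result. The following audit is an added example, not part of the OpenIAM documentation or of MariaDB: it reads the user table and database list in the tab-separated form printed by mysql -N -B and reports the three conditions the utility is meant to remove (anonymous accounts, root reachable from a non-local host, and the test database). The rows embedded in it are constructed samples of a fresh and a hardened install; with --live it queries the local server, assuming the root credentials are available through ~/.my.cnf or unix_socket authentication.

```shell
#!/bin/sh
# Added post-hardening audit (not OpenIAM's or MariaDB's code): re-checks
# what mysql_secure_installation should have left behind. Inputs are the
# tab-separated rows printed by `mysql -N -B`, so the logic can be tested on
# constructed samples without a database.

# audit_user_rows ROWS: ROWS is the output of
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# Prints one finding per line; exit 0 when there are no findings.
audit_user_rows() {
    printf '%s\n' "$1" | awk -F'\t' '
        NF >= 2 && $1 == "" { print "anonymous account allowed from host " $2; bad = 1 }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "root may log in remotely from host " $2; bad = 1 }
        END { exit bad }'
}

# audit_databases NAMES: NAMES is the output of mysql -N -B -e "SHOW DATABASES".
# Flags the default test database; exit 0 when it is gone.
audit_databases() {
    printf '%s\n' "$1" | awk '
        $1 == "test" { print "default test database still present"; bad = 1 }
        END { exit bad }'
}

# audit_mariadb USER_ROWS DB_NAMES: 0 only if both audits pass
audit_mariadb() {
    rc=0
    audit_user_rows "$1" || rc=1
    audit_databases "$2" || rc=1
    return $rc
}

# Constructed samples. A fresh install on a host named iam-nonprod carries
# anonymous accounts and a root@<hostname> entry; the hardened one does not.
FRESH_USERS=$(printf 'root\tlocalhost\nroot\tiam-nonprod\nroot\t127.0.0.1\nroot\t::1\n\tlocalhost\n\tiam-nonprod')
FRESH_DBS=$(printf 'information_schema\nmysql\nperformance_schema\ntest')
HARDENED_USERS=$(printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t::1')
HARDENED_DBS=$(printf 'information_schema\nmysql\nperformance_schema')

if [ "${1:-}" = "--live" ]; then
    users=$(mysql -N -B -e "SELECT user, host FROM mysql.user")
    dbs=$(mysql -N -B -e "SHOW DATABASES")
    if audit_mariadb "$users" "$dbs"; then
        echo "MariaDB hardening checks passed"
    else
        echo "MariaDB hardening incomplete; re-run mysql_secure_installation"
    fi
else
    echo "fresh install:"; audit_mariadb "$FRESH_USERS" "$FRESH_DBS" || true
    echo "hardened install:"; audit_mariadb "$HARDENED_USERS" "$HARDENED_DBS" && echo "no findings"
fi
```

A root@<hostname> row is reported as remote because MariaDB resolves the host name to the machine's own network address, which is exactly the path "Disallow root login remotely" is meant to close; the OpenIAM application accounts created later by the installer connect with their own schema user, not root.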
Installing the OpenIAM RPM package
The steps described up to this point have focused on preparing your environment for installing the OpenIAM product and related dependencies. The subsequent steps focus on installing the OpenIAM solution from the RPM file and performing a first-time login as an admin.
To download the OpenIAM RPM, ssh to your VM or server and download the RPM file as shown below.
wget <enter the downloaded URL>
After the file has been downloaded, use the instructions below to install OpenIAM.
Execute the RPM installer
Enter the following command to install the RPM file on CentOS/ RHEL 8.x:
rpm -i openiam-4.2.0.7-1.x86_64.rpm
Upon successful completion of the RPM install, you should see output similar to the excerpt shown below.
```
openiam/
openiam/connectors/
openiam/connectors/shutdown.sh
openiam/connectors/bin/
openiam/connectors/bin/google-connector-rabbitmq.jar
openiam/connectors/bin/ldap-connector-rabbitmq.jar
openiam/connectors/bin/scim-connector-rabbitmq.jar
openiam/connectors/bin/oracle-connector-rabbitmq.jar
openiam/connectors/bin/linux-connector-rabbitmq.jar
openiam/connectors/start.sh
openiam/services/
openiam/services/shutdown.sh
openiam/services/bin/
openiam/services/bin/idm.jar
openiam/services/bin/workflow.jar
openiam/services/bin/auth-manager.jar
openiam/services/bin/synchronization.jar
openiam/services/bin/device-manager.jar
openiam/services/bin/reconciliation.jar
openiam/services/bin/email-manager.jar
openiam/services/bin/groovy-manager.jar
openiam/services/bin/openiam-esb.jar
openiam/services/start.sh
openiam/utils/
openiam/utils/shutdown.sh
openiam/utils/rabbitmq/
openiam/utils/rabbitmq/init.sh
openiam/utils/flyway/
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mssql.m4
openiam/utils/flyway/mysql.properties.m4
openiam/utils/flyway/init.sh
openiam/utils/flyway/mssql.properties.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysq.m4
openiam/utils/flyway/oracle.sid.properties.m4
openiam/utils/flyway/postgres.properties.m4
openiam/utils/flyway/oracle.service.properties.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.postgres.m4
openiam/utils/init.sh
openiam/utils/elasticsearch/
openiam/utils/elasticsearch/init.sh
openiam/utils/elasticsearch/elasticsearch
openiam/utils/elasticsearch/elasticsearch.yml
openiam/utils/status.sh
openiam/utils/redis/
openiam/utils/redis/init.sh
openiam/utils/proxy/
openiam/utils/proxy/init.sh
openiam/utils/vault/
openiam/utils/vault/bootstrap.sh
openiam/utils/vault/validate.vault.sh
openiam/utils/vault/generate.cert.sh
openiam/utils/vault/init.sh
openiam/utils/vault/vault.properties.m4
openiam/utils/vault/login.sh
openiam/utils/vault/vault.fetch.property.sh
openiam/utils/vault/start.sh
openiam/utils/start.sh
openiam/utils/uninstall.sh
...
[verbose output has been skipped for the documentation]
...
hotfix_4.2.0.4_3/flyway/drivers/hsqldb-2.5.0.jar
hotfix_4.2.0.4_3/flyway/drivers/ojdbc8.jar
hotfix_4.2.0.4_3/flyway/drivers/put-your-jdbc-drivers-here.txt
hotfix_4.2.0.4_3/flyway/drivers/ojdbc8-19.6.0.0.jar
hotfix_4.2.0.4_3/flyway/drivers/derbyclient-10.15.2.0.jar
hotfix_4.2.0.4_3/flyway/drivers/mssql-jdbc-7.2.0.jre8.jar
hotfix_4.2.0.4_3/flyway/drivers/jaybird-jdk18-3.0.8.jar
hotfix_4.2.0.4_3/flyway/drivers/derbyshared-10.15.2.0.jar
hotfix_4.2.0.4_3/flyway/drivers/mariadb-java-client-2.6.0.jar
hotfix_4.2.0.4_3/flyway/drivers/h2-1.4.200.jar
hotfix_4.2.0.4_3/flyway/drivers/sqlite-jdbc-3.30.1.jar
hotfix_4.2.0.4_3/flyway/conf/
hotfix_4.2.0.4_3/flyway/conf/flyway.conf
hotfix_4.2.0.4_3/V4.2.0.0.029__IAM-3034.sql
hotfix_4.2.0.4_3/V4.2.0.0.021__IAM-3609.sql
hotfix_4.2.0.4_3/proxy/
hotfix_4.2.0.4_3/proxy/init.sh
hotfix_4.2.0.4_3/proxy/sscg-2.3.3-14.el8.x86_64.rpm
hotfix_4.2.0.4_3/V4.1.11.0.001__update_to_4.1.11.sql
hotfix_4.2.0.4_3/utils/
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.postgres.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mysql.m4
hotfix_4.2.0.4_3/utils/init.sh
hotfix_4.2.0.4_3/utils/oracle.sid.properties.m4
hotfix_4.2.0.4_3/utils/mssql.properties.m4
hotfix_4.2.0.4_3/utils/mysql.properties.m4
hotfix_4.2.0.4_3/utils/oracle.service.properties.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mssql.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mysq.m4
hotfix_4.2.0.4_3/utils/oracle.properties.m4
hotfix_4.2.0.4_3/utils/postgres.properties.m4
hotfix_4.2.0.4_3/utils/datasource.properties.m4
hotfix_4.2.0.4_3/V4.2.0.1.003__IAM-5083.sql
hotfix_4.2.0.4_3/patch.sh
Apply hotfix hotfix_4.2.0.4_3
```
Initialize the installation
After the RPM file has been installed, the next step is to "initialize" the system. The initialization process creates the database schema, deploys the various components and performs the initial configuration needed for the system to start. Run the command below to start initialization:
openiam-cli init
The initialization process will take several minutes. As it proceeds, you will see output similar to the example below. The logs show that infrastructure components such as etcd and Vault are being installed.
```
Initialize openiam
package logrotate-3.14.0-4.el8.x86_64 (which is newer than logrotate-3.14.0-3.el8.x86_64) is already installed
file /usr/sbin/logrotate from install of logrotate-3.14.0-3.el8.x86_64 conflicts with file from package logrotate-3.14.0-4.el8.x86_64
file /usr/share/man/man8/logrotate.8.gz from install of logrotate-3.14.0-3.el8.x86_64 conflicts with file from package logrotate-3.14.0-4.el8.x86_64
rm: cannot remove '/usr/bin/vault': No such file or directory
Failed to set capabilities on file `/usr/bin/vault' (Invalid argument)
usage: setcap [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
 Note <filename> must be a regular (non-symlink) file.
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................+++++
..+++++
e is 65537 (0x010001)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
..........................................+++++
e is 65537 (0x010001)
Signature ok
subject=C = US, ST = NY, L = NY, O = OPENIAM, OU = PRODUCTION, CN = localhost
Getting CA Private Key
writing RSA key
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
[Storing /usr/local/openiam/jdk/lib/security/cacerts]
rm: cannot remove '/usr/local/openiam/logs/vault.out': No such file or directory
Created symlink /etc/systemd/system/multi-user.target.wants/etcd.service → /usr/lib/systemd/system/etcd.service.
Starting etcd...
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-vault.service → /etc/systemd/system/openiam-vault.service.
Starting vault...
Wait vault service to wakeup
Vault already initialized....
Vault already unsealed...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   260  100   260    0     0  37142      0 --:--:-- --:--:-- --:--:-- 37142
Generate OpenIAM encryption secrets
=============== CRITICAL SECTION ===============
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Set OpenIAM password for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  62444   1666 --:--:-- --:--:-- --:--:-- 64111
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   260  100   260    0     0  37142      0 --:--:-- --:--:-- --:--:-- 37142
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  70250   1875 --:--:-- --:--:-- --:--:-- 72125
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   184  100   184    0     0  26285      0 --:--:-- --:--:-- --:--:-- 26285
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
Created symlink /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service → /usr/lib/systemd/system/rabbitmq-server.service.
Starting RabbitMQ...
Enabling plugins on node rabbit@qa42rpm:
rabbitmq_delayed_message_exchange
The following plugins have been configured:
  rabbitmq_delayed_message_exchange
Applying plugin configuration to rabbit@qa42rpm...
The following plugins have been enabled:
  rabbitmq_delayed_message_exchange

started 1 plugins.
Enabling plugins on node rabbit@qa42rpm:
rabbitmq_management
The following plugins have been configured:
  rabbitmq_delayed_message_exchange
  rabbitmq_management
  rabbitmq_management_agent
  rabbitmq_web_dispatch
Applying plugin configuration to rabbit@qa42rpm...
The following plugins have been enabled:
  rabbitmq_management
  rabbitmq_management_agent
  rabbitmq_web_dispatch

started 3 plugins.
Adding vhost "openiam_am" ...
Adding vhost "openiam_idm" ...
Adding vhost "openiam_audit" ...
Adding vhost "openiam_common" ...
Adding vhost "openiam_connector" ...
Adding vhost "openiam_activiti" ...
Adding vhost "openiam_user" ...
Adding vhost "openiam_groovy_manager" ...
Adding vhost "openiam_synchronization" ...
Adding vhost "openiam_ext_log" ...
Adding vhost "openiam_bulk_synchronization" ...
Adding vhost "openiam_reconciliation" ...
Adding vhost "openiam_bulk_reconciliation" ...
Adding user "openiam" ...
Setting tags for user "openiam" to [administrator] ...
Setting permissions for user "openiam" in vhost "openiam_am" ...
Setting permissions for user "openiam" in vhost "openiam_idm" ...
Setting permissions for user "openiam" in vhost "openiam_audit" ...
Setting permissions for user "openiam" in vhost "openiam_common" ...
Setting permissions for user "openiam" in vhost "openiam_connector" ...
Setting permissions for user "openiam" in vhost "openiam_activiti" ...
Setting permissions for user "openiam" in vhost "openiam_user" ...
Setting permissions for user "openiam" in vhost "openiam_groovy_manager" ...
Setting permissions for user "openiam" in vhost "openiam_synchronization" ...
Setting permissions for user "openiam" in vhost "openiam_ext_log" ...
Setting permissions for user "openiam" in vhost "openiam_bulk_synchronization" ...
Setting permissions for user "openiam" in vhost "openiam_reconciliation" ...
Setting permissions for user "openiam" in vhost "openiam_bulk_reconciliation" ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
Synchronizing state of elasticsearch.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.
Starting elasticsearch...
/usr/local/openiam/utils/redis/init.sh: line 13: make: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  62444   1666 --:--:-- --:--:-- --:--:-- 64111
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   184  100   184    0     0  23000      0 --:--:-- --:--:-- --:--:-- 23000
vm.overcommit_memory = 1
Created symlink /etc/systemd/system/multi-user.target.wants/redis-server.service → /etc/systemd/system/redis-server.service.
Starting Redis server...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   260  100   260    0     0  32500      0 --:--:-- --:--:-- --:--:-- 32500
Database access information
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  70250   1875 --:--:-- --:--:-- --:--:-- 72125
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   183  100   183    0     0  26142      0 --:--:-- --:--:-- --:--:-- 26142
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  70250   1875 --:--:-- --:--:-- --:--:-- 72125
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   183  100   183    0     0  26142      0 --:--:-- --:--:-- --:--:-- 26142
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  70250   1875 --:--:-- --:--:-- --:--:-- 72125
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   183  100   183    0     0  22875      0 --:--:-- --:--:-- --:--:-- 22875
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   577  100   562  100    15  70250   1875 --:--:-- --:--:-- --:--:-- 72125
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   183  100   183    0     0  26142      0 --:--:-- --:--:-- --:--:-- 26142
```
The installer will ask a number of questions during the initialization process. For most questions, a default value is provided to simplify the effort for users new to OpenIAM. The part of the process which requires input from the person running the installer is marked in the console with the `=============== CRITICAL SECTION ===============` banner.
The credentials captured below for the database, message broker, Redis and SMTP are stored securely in Vault.
Database schema generation
As mentioned above, the installer also creates the OpenIAM database schema. OpenIAM creates two schemas by default: openiam and activiti. The openiam schema is the primary schema used by the platform; it stores a variety of information ranging from policies to user profile information and more. The activiti schema stores information about workflows and their execution.
The first set of questions raised by the installer relate to the creation of a database user for each schema. Each question and its intent are listed below.
Question raised by the installer | Explanation |
---|---|
Set OpenIAM username for schema 'openiam' , default: idmuser | This is the DB user name that will be used to manage the openiam schema, the primary schema in the solution where data related to OpenIAM is stored. The OpenIAM application uses this user to communicate with the database. The default value is idmuser . |
Set OpenIAM password for schema 'openiam' , default: idmuser | This is the password for the username provided in the previous step. The default value is: idmuser |
Set OpenIAM username for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser | This is the DB user name that will be used to manage the activiti schema. The OpenIAM application uses this user to communicate with the database. The default value is idmuser . |
Set OpenIAM password for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser | This is the password for the user associated with the activiti schema. The default value is idmuser |
Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0 | If this install is an upgrade from an existing deployment, then the current version is important as it will determine which scripts need to be applied to upgrade the schema to the current version. If this is a new deployment, you can leave this blank |
This is the name of the openiam core database. If using mariadb, this is most likely 'openiam', default: openiam | This question provides the option to choose the primary database schema. You should leave this blank and let it default to openiam . This value should only be changed if the scripts have been altered by the customer. |
This is the name of the openiam Activiti database. If using mariadb, this is most likely 'activiti', default: activiti | This question provides the option to choose the database schema used by the workflow engine. You should leave this blank and let it default to activiti . This value should only be changed if the scripts have been altered by the customer. |
Possible values: mysql, postgres, mssql, oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default:mysql | Select the type of database that you will be using as the OpenIAM product repository. You can leave this blank if you will be using either MariaDB or MySQL . If you are using PostgreSQL, Oracle or Microsoft SQL Server, enter one of the following values based on your database type: postgres , oracle , mssql |
Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n] | If this is a new installation, then the answer must be Y |
Enter username for Super user (for mysql this is root), default: root | The installer needs a super user account, or equivalent, which has the privileges to create new schemas, users, tables, etc. |
Enter password for super user (sa or root, depend on the db type), default: | Enter the password for the account provided in the previous step |
This is the hostname of where the openiam core database is., default: localhost | Enter the host or DNS name of the server where the primary OpenIAM database will be deployed. |
This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306 | Enter the port number used by the database server hosting the primary OpenIAM database |
This is the hostname of where the openiam activiti database is., default: localhost | Enter the host or DNS name of the server where the workflow database will be deployed. |
This is the port of where the openiam activiti database is. If using mariadb, this is most likely '3306', default: 3306 | Enter the port number used by the database server hosting the workflow database |
You will see output similar to the example below.
```
=============== CRITICAL SECTION ===============
Database configuration.
Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
This is the name of the openiam core database. If using mariadb, this is most likely 'openiam', default: openiam
This is the name of the openiam Activiti database. If using mariadb, this is most likely 'activiti', default: activiti
Possible values: mysql, postgres, mssql, oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default: mysql
Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]:y
Initialization.
Enter username for Super user (for mysql this is root), default: root
Enter password for super user (sa or root, depend on the db type), default:
Specify hibernate Dialect class, default: org.hibernate.dialect.MySQLDialect
This is the hostname of where the openiam core database is., default: localhost
This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306
This is the hostname of where the openiam activiti database is., default: localhost
This is the port of where the openiam activiti database is. If using mariadb, this is most likely '3306', default: 3306
Mysql. Try to initialize automatically
/usr/local/openiam/conf/schema/mysql/openiam/
Flyway Community Edition 6.5.1 by Redgate
Database: jdbc:mysql://localhost:3306/openiam (MySQL 5.5)
Creating Schema History table `openiam`.`flyway_schema_history` with baseline ...
WARNING: DB: Name 'flyway_schema_history_pk' ignored for PRIMARY key. (SQL State: 42000 - Error Code: 1280)
Successfully baselined schema with version: 2.3.0.0
Successfully validated 983 migrations (execution time 00:00.897s)
Current version of schema `openiam`: 2.3.0.0
WARNING: outOfOrder mode is active. Migration of schema `openiam` may not be reproducible.
Migrating schema `openiam` to version 2.3.0.0.001 - mysql schema common
Migrating schema `openiam` to version 2.3.0.0.002 - mysql schema security
Migrating schema `openiam` to version 2.3.0.0.003 - mysql idm data
Migrating schema `openiam` to version 3.0.0.0.001 - alter table attribute map
Migrating schema `openiam` to version 3.0.0.0.002 - create resource many to many mapping
Migrating schema `openiam` to version 3.0.0.0.003 - create group many to many mapping
Migrating schema `openiam` to version 3.0.0.0.004 - migrate role id
Migrating schema `openiam` to version 3.0.0.0.005 - migrate resource role mappings
... [skipping verbose logs for documentation]
```
Message broker password
OpenIAM uses RabbitMQ as its message broker; it is the primary transport service used by the OpenIAM application. Services are loosely coupled and communicate with each other through the message broker. Cross-service communication is encrypted.
The next question raised by the installer defines a password for RabbitMQ. As with the questions above, a default password value is provided for simplicity. For production use, please use a strong password.
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Memory cache password
Redis is an in-memory distributed cache which is used by OpenIAM to improve system performance. A variety of objects are temporarily stored in Redis including:
- End user web session
- Database object cache
- High level application cache.
As with other components, access to the cache is secured and the next question asks for a password which should be used for Redis.
Set OpenIAM password for Redis., default: passwd00
SMTP Credentials
E-mail notifications can be enabled for a broad range of operations in OpenIAM. A working SMTP service is a prerequisite for sending them. The next two questions ask for the credentials of the account the application will use to send e-mail. Both are optional at this point and can be configured later if needed.
```
Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none
```
At this point the installer has enough information to complete the installation of Elasticsearch, Redis, RabbitMQ, and the remaining components.
When the installer finishes successfully, the final log entries look like the following.
```
Successfully applied 4 migrations to schema `activiti` (execution time 00:01.001s)
Done
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-auth.service → /etc/systemd/system/openiam-auth.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-device.service → /etc/systemd/system/openiam-device.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-email.service → /etc/systemd/system/openiam-email.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-esb.service → /etc/systemd/system/openiam-esb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-groovy.service → /etc/systemd/system/openiam-groovy.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-idm.service → /etc/systemd/system/openiam-idm.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-reconciliation.service → /etc/systemd/system/openiam-reconciliation.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-synchronization.service → /etc/systemd/system/openiam-synchronization.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-ui.service → /etc/systemd/system/openiam-ui.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-workflow.service → /etc/systemd/system/openiam-workflow.service.
Openiam Status report Sat May 15 19:43:17 UTC 2021
[WARNING] - openiam-esb - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - workflow - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - groovy-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - idm - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - reconciliation - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - email-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - auth-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[WARNING] - openiam-ui - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
Do you want to install OpenIAM reverse proxy module? [y/n]:y
Installing reverse proxy module
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
mod_openiam installed
restart httpd to apply changes
success
success
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
```
The installer then completes initialization and applies the SQL scripts required for a successful startup. Once initialization succeeds, the OpenIAM services start the application stack automatically and the installer prints the current stack status. Startup usually takes about 8 to 12 minutes, so WARNING entries with an Application status of DOWN are expected immediately after installation. These are the final steps of the initialization process.
You can watch the system come up with the openiam-cli utility, which supports a number of subcommands. To see the status, run:
```
openiam-cli status
```
If all the services have started successfully, you should see the following output:
```
Openiam Status report Sat May 15 20:09:50 UTC 2021
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]
```
You can validate that the UI is operational by running the following command in a terminal on the host:
```
curl -k -I -L http://127.0.0.1/idp/login
```
You should see output similar to the example below.
```
HTTP/1.1 200
Date: Sat, 15 May 2021 20:14:56 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' *; font-src 'self' *;
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Set-Cookie: SESSION=NWY5ZDYwNWItMWM0NC00YWYyLWI3ODYtMzQyNzI2MGJlZWYz; Path=/idp/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Transfer-Encoding: chunked
```
Two things in this response are worth noting before the instance is exposed beyond a lab network: the default Content-Security-Policy permits 'unsafe-inline' and 'unsafe-eval' and allows styles, form actions, images and fonts from any origin, and the response sets Access-Control-Allow-Origin: *. The SESSION cookie is HttpOnly and SameSite=Lax but has no Secure attribute, which is expected here because this check runs over plain HTTP; once SSL is enabled, verify that the cookie is marked Secure.
If you get a "Connection refused" error, nothing is listening on port 80. List the listening sockets and confirm that httpd is bound to port 80:
```
ss -tulwn
```
If httpd is listening locally but the page is unreachable from another machine, check that the firewall allows ports 80 and 443:
```
firewall-cmd --list-all
```
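The checks above can be scripted. The following is an added example, not part of the OpenIAM RPM, the openiam-cli tool or its documentation: it parses the status report format shown on this page to wait until every service reports UP, then inspects the login-page response headers for what matters at this stage, a 200 status and an HttpOnly session cookie, while warning about the permissive CORS and CSP defaults visible in the sample response and the missing Secure attribute. It assumes `openiam-cli` is on PATH and prints one line per service as shown above; the status reports and header block embedded in the script are constructed from this page's sample output rather than captured live.

```shell
#!/usr/bin/env bash
# Post-install verification helpers for a single-VM OpenIAM host.
# Added example; not part of the OpenIAM RPM, openiam-cli or its documentation.
# Assumption: `openiam-cli status` prints one "[OK]"/"[WARNING]" line per
# service in the format shown on this page, and `openiam-cli` is on PATH.
set -u

# Constructed samples, copied from this page's output (not captured live).
SAMPLE_WARN_REPORT="Openiam Status report Sat May 15 19:43:17 UTC 2021
[WARNING] - openiam-esb - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]"

SAMPLE_OK_REPORT="Openiam Status report Sat May 15 20:09:50 UTC 2021
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]"

SAMPLE_HEADERS="HTTP/1.1 200
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com;
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Set-Cookie: SESSION=NWY5ZDYwNWItMWM0NC00YWYyLWI3ODYtMzQyNzI2MGJlZWYz; Path=/idp/; HttpOnly; SameSite=Lax"

# Return 0 only if every service line in a status report is [OK] with
# Application status [ UP ]; otherwise list the services that are not up
# on stderr and return 1.
all_services_up() {
  local report="$1" not_up
  not_up=$(printf '%s\n' "$report" | grep -E '^\[[A-Z]+\] - ' \
    | grep -Ev '^\[OK\] - [^ ]+ - Service working\. Application status: \[ UP \]$' || true)
  if [ -n "$not_up" ]; then
    printf 'not ready:\n%s\n' "$not_up" >&2
    return 1
  fi
  return 0
}

# Poll openiam-cli until all services are up or the timeout (seconds) expires.
# Default 20 minutes, since startup is documented at roughly 8 to 12 minutes.
wait_for_openiam() {
  local deadline=$(( $(date +%s) + ${1:-1200} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    all_services_up "$(openiam-cli status 2>&1)" && return 0
    sleep 30
  done
  echo "timed out waiting for OpenIAM services" >&2
  return 1
}

# Check the response headers of the login page (pass the output of `curl -sI URL`
# for the final response). Fails on a non-200 status line or a SESSION cookie
# without HttpOnly; warns about the permissive defaults seen in the sample.
check_login_headers() {
  local headers="$1" rc=0 cookie
  printf '%s\n' "$headers" | head -n 1 | grep -qE '^HTTP/[0-9.]+ 200' \
    || { echo "unexpected status line" >&2; rc=1; }
  cookie=$(printf '%s\n' "$headers" | grep -i '^Set-Cookie: SESSION=' || true)
  case "$cookie" in
    *HttpOnly*) ;;
    *) echo "SESSION cookie is missing HttpOnly" >&2; rc=1 ;;
  esac
  case "$cookie" in
    *Secure*) ;;
    *) echo "note: SESSION cookie lacks Secure (expected over plain HTTP; re-check after enabling SSL)" >&2 ;;
  esac
  printf '%s\n' "$headers" | grep -qi '^Access-Control-Allow-Origin: \*' \
    && echo "warning: CORS allows any origin" >&2
  printf '%s\n' "$headers" | grep -i '^Content-Security-Policy:' | grep -q 'unsafe-eval' \
    && echo "warning: CSP permits unsafe-inline/unsafe-eval" >&2
  return "$rc"
}

# On the host (not exercised by the embedded samples):
#   wait_for_openiam 1200 && check_login_headers "$(curl -sI http://127.0.0.1/idp/login)"
```

`check_login_headers` deliberately treats the CSP and CORS findings as warnings rather than failures: they are the shipped defaults and the install is still "operational" with them, but they belong on the hardening list before the host is reachable from untrusted networks.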
First time login
To log in to OpenIAM for the first time, open a browser such as Chrome or Firefox and go to the following URL:
```
http://[host name]/webconsole
```
Use the following credentials for the first-time login:
```
Username: sysadmin
Password: passwd00
```
The next screen asks you to change the default password; the password policy is displayed alongside. Enter a new password that complies with the policy. Both the password and the policy can be changed later.
The following screen asks for answers to a set of challenge questions. These answers can be used by the forgot-password functionality. They too can be changed later as you configure the solution for your needs.
The last step in the startup process is to define a "Content Provider". A content provider is an important concept in OpenIAM and is explained in more detail in the administration guide. For this initial step, only the following information is needed to define the default content provider.
Name | Description |
---|---|
Content Provider Name | You can think of a content provider as an "alias" that represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, enter a value such as: Default CP |
Domain Pattern | This value is pre-filled. It should be the IP address or DNS host name of the instance where OpenIAM has been installed |
Is SSL? | Flag indicating whether communication will be over SSL. For this step, select No. The steps to enable SSL are described separately |
After setting the content provider, you will be taken to the landing page of the OpenIAM admin interface, called the Webconsole. You will see the search screen below.
After the content provider is set up, OpenIAM needs a few minutes for the system cache to refresh. During this time some screens may appear blank; allow the refresh to complete.
After that, your instance is ready for additional configuration.
OpenIAM components and status
Using the OpenIAM Command line utility
OpenIAM provides a command line utility to view the status of all components and to perform common operations such as viewing logs, starting and stopping services, etc. The command is openiam-cli.
Running the command by itself, as shown below, displays the list of all options.
```
openiam-cli
```
Output
```
Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}
```
To check the status of the components, or to confirm that the system is up, use the following command:
```
openiam-cli status
```
To view the current logs of any service, use the following command. The service names are the ones listed by openiam-cli status.
```
openiam-cli log <service_name>
```
For example, to view the logs of the openiam-esb module, use:
```
openiam-cli log openiam-esb
```
OpenIAM core services
Name | Description | Default Memory (RAM) |
---|---|---|
openiam-esb | The service that provides the Web Service API and most of the core functionality | 2048m |
workflow | The service that provides business workflow functionality | 768m |
groovy-manager | The service that provides Groovy extension functionality | 256m |
idm | The service that provides provisioning to target systems | 512m |
reconciliation | The service that provides reconciliation against target systems | 512m |
email-manager | The service that provides sending and receiving of e-mail | 256m |
auth-manager | The service that provides end-user authorization functionality | 1024m |
device-manager | The service that provides device management functionality (iOS and Android) | 256m |
openiam-ui | The web server (Tomcat) that provides the graphical interface | 2048m |
OpenIAM Connectors
Several connectors are distributed with the default OpenIAM RPM. To list all of them, run:
```
openiam-cli list-connectors
```
The following connectors are predefined and available in OpenIAM 4.2.0 and later releases.
Connector Name | Description | Default Memory (RAM) |
---|---|---|
google-connector-rabbitmq | G Suite refers to Google Apps that consist of tools for communication, collaboration, storage, and access management. | 256m |
ldap-connector-rabbitmq | Group and user management in OpenLDAP or ActiveDirectory (using ldap/ldaps protocol) | 256m |
linux-connector-rabbitmq | Group and user management in local or remote *UNIX systems | 256m |
oracle-connector-rabbitmq | Manage Oracle RDBMS users | 256m |
scim-connector-rabbitmq | Group and user management using SCIM protocol | 256m |
The table below shows how to execute common commands related to all connectors
Connector operation | Command |
---|---|
Start connector | openiam-cli connector <connector_name> start |
Stop connector | openiam-cli connector <connector_name> stop |
To start a connector automatically after a reboot | openiam-cli connector <connector_name> enable |
To prevent a connector from automatically starting after reboot | openiam-cli connector <connector_name> disable |
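Every connector that runs is a service holding credentials for a target system, so a deployment should keep only the ones it uses enabled. The following is an added example, not part of openiam-cli or the OpenIAM documentation: a dry-run helper that turns the stop/disable commands from the table above into an allowlist, emitting the commands for every connector that is not explicitly permitted so the plan can be reviewed before it is piped into a shell. It assumes `openiam-cli list-connectors` prints one connector name per line (an assumption; compare with the real output on your host first). The sample listing is constructed from the connector table above.

```shell
#!/usr/bin/env bash
# Connector allowlist planner for an OpenIAM single-VM host.
# Added example; not part of openiam-cli or the OpenIAM documentation.
# Assumption: `openiam-cli list-connectors` prints one connector name per line.
set -u

# Constructed sample standing in for `openiam-cli list-connectors` output,
# using the connector names from the table on this page.
SAMPLE_CONNECTORS="google-connector-rabbitmq
ldap-connector-rabbitmq
linux-connector-rabbitmq
oracle-connector-rabbitmq
scim-connector-rabbitmq"

# Print the openiam-cli commands that would stop and disable every connector
# in $1 (newline-separated names) that is NOT in the allowlist $2
# (space-separated names). Only prints; nothing is executed here.
plan_connector_allowlist() {
  local listing="$1" allow=" $2 " name
  printf '%s\n' "$listing" | while IFS= read -r name; do
    [ -z "$name" ] && continue
    case "$allow" in
      *" $name "*) continue ;;   # keep allowed connectors running
    esac
    printf 'openiam-cli connector %s stop\n' "$name"
    printf 'openiam-cli connector %s disable\n' "$name"
  done
}

# Usage on the host: review the plan first, then apply it.
#   plan_connector_allowlist "$(openiam-cli list-connectors)" "ldap-connector-rabbitmq"
#   plan_connector_allowlist "$(openiam-cli list-connectors)" "ldap-connector-rabbitmq" | sh
```

Disabling a connector with `disable` as well as `stop` matters because the systemd units are enabled at install time (see the symlinks created in the installer output above); a stopped but still-enabled connector comes back after the next reboot.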
OpenIAM Source Adapters
Whereas OpenIAM connectors are bi-directional, source adapters are a special type of integration service designed largely to receive (import) data from a source. In the current release, the HTTP Source Adapter is included in the RPM; future releases may include additional adapters.
Name | Description | Default Memory (RAM) |
---|---|---|
http-source-adapter | Import data into OpenIAM over plain HTTP | 256m |
To get a list of all source adapters, use the following command:
```
openiam-cli list-source-adapters
```
The table below shows how to execute common commands related to all adapters
Adapter operation | Command |
---|---|
Start adapter | openiam-cli source-adapter <adapter_name> start |
Stop adapter | openiam-cli source-adapter <adapter_name> stop |
To start an adapter automatically after a reboot | openiam-cli source-adapter <adapter_name> enable |
To prevent an adapter from automatically starting after reboot | openiam-cli source-adapter <adapter_name> disable |
Planned improvements and release versions
- httpd proxy installation with OpenIAM module (4.2.1)
- Reset sysadmin password during initialization (4.2.2)
- Initialization for non mysql (MariaDB) RDBMS (4.2.3)
- OpenIAM Client command line utilities for scripting customization. (4.2.4 LTS)