Single VM Install

This section describes how to install OpenIAM on either CentOS or Red Hat Enterprise Linux (RHEL) 8.x using an RPM distribution.

OpenIAM provides an RPM distribution which includes all of the dependencies except for the database and system tools, to simplify the installation process. The completeness of the RPM file also enables deployments in locked-down environments where there is no network access.

While both CentOS / RHEL 7 and 8.1+ are supported, OpenIAM recommends using v8.x or later where possible.

You may download CentOS or RHEL from the following locations:

Operating System | URL
CentOS 7.x       | http://ftp.usf.edu/pub/centos/7.8.2003/isos/x86_64/
CentOS 8.2       | http://mirror.math.princeton.edu/pub/centos/8.2.2004/isos/x86_64/
RHEL 8.2         | https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux

The installation instructions provided below require root-level privileges on the host where OpenIAM will be deployed. The person or team installing OpenIAM must be familiar with the CentOS/RHEL operating system, databases and services.

The procedures described in this guide must be performed in the order that they have been presented below.

Minimum System requirements

Depending on the intended use, the Linux host or VM must have the following minimum configuration:

Configuration | Non-Production | Production
Memory        | 24 GB          | 32 GB
CPU           | 6 CPUs         | 8 CPUs
Disk          | 80 GB          | 100+ GB (may increase based on sizing)

Validate your environment

Log in to your VM as root or a privileged user. To check the CPUs on your VM, use:

lscpu

To check the memory on your VM, use:

free -m

The result of each of these commands MUST align with the above minimum requirements. For sizing assistance for a production deployment, either open a support ticket or contact your OpenIAM point of contact.

Example output from the above commands:

[root@li1262-180 ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 8
NUMA node(s): 1
Vendor ID: AuthenticAMD
BIOS Vendor ID: QEMU
CPU family: 23
Model: 1
Model name: AMD EPYC 7601 32-Core Processor
BIOS Model name: pc-q35-3.1
Stepping: 2
CPU MHz: 2199.994
BogoMIPS: 4399.98
Hypervisor vendor: KVM
Virtualization type: full
L1d cache: 64K
L1i cache: 64K
L2 cache: 512K
L3 cache: 16384K
NUMA node0 CPU(s): 0-7
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw perfctr_core ssbd ibpb vmmcall fsgsbase tsc_adjust bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 xsaves virt_ssbd arat
[root@li1262-180 ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:          31959         221       31473          16         264       31341
Swap:           511           0         511
[root@li1262-180 ~]#

SSH into your VM

To SSH into your newly created VM, follow the steps below:

a) First, get the IP address of your VM. You can do this using:

ip addr

b) Next, use a tool such as PuTTY or the terminal window on a Mac and SSH to this Linux host:

ssh [username]@[IP address of your VM]

Example: ssh root@172.16.101.128

Prepare the host system for installation

The OpenIAM application requires a few configurations to be performed prior to installing the application. These steps are described below.

Install required packages

Prior to installing OpenIAM, please execute the commands below to install the required packages. If you have already logged in as "root", you do not need to prefix them with "sudo". If you have used another account, then you need to prefix them with "sudo".

Description        | Command (CentOS 8+) | Command (CentOS 7+)
Update the OS      | dnf update          | yum update
Install Nano       | dnf install nano    | yum install nano
Install wget       | dnf install wget    | yum install wget
Install tar        | dnf install tar     | yum install tar
Install C compiler | -                   | yum install gcc

Example on CentOS 8.x

dnf update
dnf install nano wget tar

Update the Hosts file

Make sure that your /etc/hosts file contains an entry for the hostname. To edit the hosts file, use an editor like nano:

nano /etc/hosts

Create an entry like the one below to define the host name:

127.0.0.1 iam-nonprod

Modifying file descriptor limits for RabbitMQ

OpenIAM uses RabbitMQ for messaging; most of the services in OpenIAM communicate with each other through this message broker. RabbitMQ requires file descriptor limits which are much higher than the default limits found on many Linux distributions.

Note: OpenIAM requires RabbitMQ version 3.8.x or later. Please use the RabbitMQ that has been provided with the distribution.

By default, CentOS and RHEL set a soft limit (the currently allowed value) of 1024 file descriptors and a hard limit (the maximum allowed) of 4096 file descriptors for each user. These limits are inadequate for running RabbitMQ in an OpenIAM deployment: a soft limit of 1024 open file descriptors can cause the RabbitMQ service to quickly run out of allocated files, preventing the operating system from accepting new connections.

Perform the following steps to increase limits for file descriptors:

  1. Open a command terminal and log in as the root user, or use sudo to gain super user privileges.
  2. Edit the /etc/pam.d/login file using an editor such as nano or vi:
sudo nano /etc/pam.d/login
  3. Add the following line at the end of the file and then save. If you are using nano, use [Ctrl+x] to save:
session required pam_limits.so
  4. Next, edit the /etc/security/limits.conf file.
  5. Add the following lines to the end of the file and then save, using [Ctrl+x]:
* soft nofile 65536
* hard nofile 65536
  6. Restart the system for the new settings to take effect:
sudo reboot -h 0
  7. Verify the new limits by opening a command terminal and typing the following command:
ulimit -n

The system should respond with 65536.

Database installation

OpenIAM uses a relational database as its primary data repository. OpenIAM supports the popular databases listed in the table below.

MariaDB is the default database, and a simplified set of installation instructions have been provided below.

Database type        | Supported Versions | Installation Documentation
MariaDB              | 10.3               | See below
MySQL                | Pending            | Pending
PostgreSQL           | Pending            | Pending
Oracle               | Pending            | Pending
Microsoft SQL Server | Pending            | Pending

Install MariaDB

If you plan to use MariaDB as the OpenIAM repository, then follow the steps below.

First, ensure that MariaDB is available in your yum repository. If it is not, add it using the following steps.

Run the following as the root user:

nano /etc/yum.repos.d/mariadb.repo

Add the following text to the file and save:

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos73-amd64/
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Update your OS and then install the MariaDB server with the commands shown below.

dnf update
dnf install mariadb-server

Next, we need to:

  1. Enable the MariaDB service to start on a system restart
  2. Start MariaDB
  3. Secure the installation.

Execute the commands below to perform tasks 1 and 2 from the list above.

systemctl enable mariadb.service
systemctl start mariadb.service

To validate that the service has started, run the following command:

systemctl status mariadb.service

Run the utility below to secure your MariaDB installation.

mysql_secure_installation

The utility will ask you a number of questions to reset the root database password and to set options which define how MariaDB can be accessed. Answer each question. For reference, sample output is provided below.

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorization.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
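The transcript above shows what mysql_secure_installation is meant to leave behind; the script below, added to this guide as an example and not part of OpenIAM or MariaDB, verifies that outcome from the mysql.user table and the database list. It assumes the mysql client reads the root credentials from ~/.my.cnf or unix_socket authentication.

```shell
#!/bin/sh
# Verifies that mysql_secure_installation left the OpenIAM MariaDB server in the
# expected state: no anonymous accounts, no remote root login, no 'test' database.
# Example code added to this guide; it is not part of OpenIAM or MariaDB.
# check_accounts and check_databases read query output from stdin, so they can be
# exercised offline; verify_mariadb_hardening runs the real queries on the host.

# stdin: tab-separated "user<TAB>host" rows from mysql.user.
# Prints one FAIL line per finding and returns 1 if anything was found.
check_accounts() {
    awk -F'\t' '
        BEGIN { bad = 0 }
        NF == 0 { next }
        $1 == "" { print "FAIL: anonymous account allowed from host " $2; bad = 1 }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "FAIL: root may log in remotely from " $2; bad = 1
        }
        END { exit bad }'
}

# stdin: database names, one per line (SHOW DATABASES). Fails if 'test' survives.
check_databases() {
    awk 'BEGIN { bad = 0 }
         $1 == "test" { print "FAIL: default test database still present"; bad = 1 }
         END { exit bad }'
}

# Runs both checks against the local server. Credentials are expected from
# ~/.my.cnf or unix_socket authentication, never on the command line, where
# they would be visible to every user in the process list.
verify_mariadb_hardening() {
    status=0
    mysql -N -B -e "SELECT user, host FROM mysql.user" | check_accounts || status=1
    mysql -N -B -e "SHOW DATABASES" | check_databases || status=1
    [ "$status" -eq 0 ] && echo "OK: MariaDB hardening checks passed"
    return "$status"
}
```

Source the file and run verify_mariadb_hardening after the utility has finished; any FAIL line means one of the prompts above was answered with "n".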

Installing the OpenIAM RPM package

The steps described up to this point have focused on preparing your environment for installing the OpenIAM product and related dependencies. The subsequent steps will focus on installing the OpenIAM solution from the RPM file and performing a first-time login as an admin.

To download the OpenIAM RPM, SSH to your VM or server and download the RPM file as shown below:

wget <enter the downloaded URL>

After the file has been downloaded, use the instructions below to install OpenIAM.

Execute the RPM installer

Enter the following command to install the RPM file on CentOS / RHEL 8.x:

rpm -i openiam-4.2.0.8-1.el8.x86_64.rpm

It may take a minute before you see any output.

Upon successful completion of the RPM install, you should see output similar to the excerpt shown below.

openiam/
openiam/connectors/
openiam/connectors/shutdown.sh
openiam/connectors/bin/
openiam/connectors/bin/google-connector-rabbitmq.jar
openiam/connectors/bin/ldap-connector-rabbitmq.jar
openiam/connectors/bin/scim-connector-rabbitmq.jar
openiam/connectors/bin/oracle-connector-rabbitmq.jar
openiam/connectors/bin/linux-connector-rabbitmq.jar
openiam/connectors/start.sh
openiam/services/
openiam/services/shutdown.sh
openiam/services/bin/
openiam/services/bin/idm.jar
openiam/services/bin/workflow.jar
openiam/services/bin/auth-manager.jar
openiam/services/bin/synchronization.jar
openiam/services/bin/device-manager.jar
openiam/services/bin/reconciliation.jar
openiam/services/bin/email-manager.jar
openiam/services/bin/groovy-manager.jar
openiam/services/bin/openiam-esb.jar
openiam/services/start.sh
openiam/utils/
openiam/utils/shutdown.sh
openiam/utils/rabbitmq/
openiam/utils/rabbitmq/init.sh
openiam/utils/flyway/
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mssql.m4
openiam/utils/flyway/mysql.properties.m4
openiam/utils/flyway/init.sh
openiam/utils/flyway/mssql.properties.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysq.m4
openiam/utils/flyway/oracle.sid.properties.m4
openiam/utils/flyway/postgres.properties.m4
openiam/utils/flyway/oracle.service.properties.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.postgres.m4
openiam/utils/init.sh
openiam/utils/elasticsearch/
openiam/utils/elasticsearch/init.sh
openiam/utils/elasticsearch/elasticsearch
openiam/utils/elasticsearch/elasticsearch.yml
openiam/utils/status.sh
openiam/utils/redis/
openiam/utils/redis/init.sh
openiam/utils/proxy/
openiam/utils/proxy/init.sh
openiam/utils/vault/
openiam/utils/vault/bootstrap.sh
openiam/utils/vault/validate.vault.sh
openiam/utils/vault/generate.cert.sh
openiam/utils/vault/init.sh
openiam/utils/vault/vault.properties.m4
openiam/utils/vault/login.sh
openiam/utils/vault/vault.fetch.property.sh
openiam/utils/vault/start.sh
openiam/utils/start.sh
openiam/utils/uninstall.sh
...[verbose output has been skipped for the documentation]...
hotfix_4.2.0.4_3/flyway/drivers/hsqldb-2.5.0.jar
hotfix_4.2.0.4_3/flyway/drivers/ojdbc8.jar
hotfix_4.2.0.4_3/flyway/drivers/put-your-jdbc-drivers-here.txt
hotfix_4.2.0.4_3/flyway/drivers/ojdbc8-19.6.0.0.jar
hotfix_4.2.0.4_3/flyway/drivers/derbyclient-10.15.2.0.jar
hotfix_4.2.0.4_3/flyway/drivers/mssql-jdbc-7.2.0.jre8.jar
hotfix_4.2.0.4_3/flyway/drivers/jaybird-jdk18-3.0.8.jar
hotfix_4.2.0.4_3/flyway/drivers/derbyshared-10.15.2.0.jar
hotfix_4.2.0.4_3/flyway/drivers/mariadb-java-client-2.6.0.jar
hotfix_4.2.0.4_3/flyway/drivers/h2-1.4.200.jar
hotfix_4.2.0.4_3/flyway/drivers/sqlite-jdbc-3.30.1.jar
hotfix_4.2.0.4_3/flyway/conf/
hotfix_4.2.0.4_3/flyway/conf/flyway.conf
hotfix_4.2.0.4_3/V4.2.0.0.029__IAM-3034.sql
hotfix_4.2.0.4_3/V4.2.0.0.021__IAM-3609.sql
hotfix_4.2.0.4_3/proxy/
hotfix_4.2.0.4_3/proxy/init.sh
hotfix_4.2.0.4_3/proxy/sscg-2.3.3-14.el8.x86_64.rpm
hotfix_4.2.0.4_3/V4.1.11.0.001__update_to_4.1.11.sql
hotfix_4.2.0.4_3/utils/
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.postgres.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mysql.m4
hotfix_4.2.0.4_3/utils/init.sh
hotfix_4.2.0.4_3/utils/oracle.sid.properties.m4
hotfix_4.2.0.4_3/utils/mssql.properties.m4
hotfix_4.2.0.4_3/utils/mysql.properties.m4
hotfix_4.2.0.4_3/utils/oracle.service.properties.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mssql.m4
hotfix_4.2.0.4_3/utils/V0.0.0.0.000__initialization.sql.mysq.m4
hotfix_4.2.0.4_3/utils/oracle.properties.m4
hotfix_4.2.0.4_3/utils/postgres.properties.m4
hotfix_4.2.0.4_3/utils/datasource.properties.m4
hotfix_4.2.0.4_3/V4.2.0.1.003__IAM-5083.sql
hotfix_4.2.0.4_3/patch.sh
Apply hotfix hotfix_4.2.0.4_3

Validate SELinux configuration

In the next step, the OpenIAM deployment will be initialized. As part of this deployment the rProxy, an Apache web server plugin, will be installed. This component needs to communicate with the OpenIAM service. To enable this communication, we need to configure SELinux if it is enabled.

To check whether SELinux is enabled, run:

sestatus

The output below shows an example of a system where SELinux has been enabled.

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

If SELinux is enabled, then we need to ensure that the httpd_can_network_connect boolean is enabled. You can do this by running the command below (the -P flag makes the setting persistent across reboots).

setsebool -P httpd_can_network_connect 1

You can validate your settings by running the command below:

getsebool -a | grep "httpd_can_network"

The following output shows that this parameter is in effect.

httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
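Before running the initialization, it is worth confirming in one pass that the sizing, /etc/hosts, file-descriptor and SELinux steps above all took effect. The script below is an example added to this guide, not part of the OpenIAM distribution; the requirement figures come from the sizing table, and the disk figure is assumed to be the size of the filesystem holding /usr/local.

```shell
#!/bin/sh
# Pre-flight checker for an OpenIAM single-VM host, covering the sizing,
# /etc/hosts, file-descriptor-limit and SELinux steps above. Example code
# added to this guide; it is not part of the OpenIAM distribution. Each
# check_* function takes its input as arguments or stdin so it can be run
# offline against captured output; preflight() feeds it the live host.

# Minimums from the "Minimum System requirements" table: "<cpus> <mem GB> <disk GB>".
requirements() {
    case "$1" in
        production) echo "8 32 100" ;;
        *)          echo "6 24 80" ;;
    esac
}

# stdin: lscpu output. Prints the value of the "CPU(s):" line.
cpus_from_lscpu() { awk -F': *' '$1 == "CPU(s)" { print $2 }'; }

# stdin: free -m output. Prints total memory in MB from the "Mem:" row.
mem_mb_from_free() { awk '$1 == "Mem:" { print $2 }'; }

# check_sizing <profile> <cpus> <mem_mb> <disk_gb>
# free -m reports slightly less than the nominal RAM because the kernel reserves
# some (the guide's 32 GB VM shows 31959 MB), so MB is rounded up to whole GB.
check_sizing() {
    set -- "$1" "$2" "$3" "$4" $(requirements "$1")
    mem_gb=$(( ($3 + 1023) / 1024 ))
    rc=0
    [ "$2" -ge "$5" ] || { echo "FAIL: $2 CPUs, need at least $5"; rc=1; }
    [ "$mem_gb" -ge "$6" ] || { echo "FAIL: $mem_gb GB RAM, need at least $6"; rc=1; }
    [ "$4" -ge "$7" ] || { echo "FAIL: $4 GB disk, need at least $7"; rc=1; }
    return "$rc"
}

# check_hosts <hostname> <hosts_file>: an uncommented entry must name the host.
check_hosts() {
    grep -Eq "^[^#]*[[:space:]]$1([[:space:]]|\$)" "$2" \
        || { echo "FAIL: no entry for $1 in $2"; return 1; }
}

# check_fd_limits <ulimit_n> <pam_login_file> <limits_conf>: pam_limits must be
# loaded for login sessions and both nofile limits raised to 65536.
check_fd_limits() {
    rc=0
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so' "$2" \
        || { echo "FAIL: pam_limits.so is not enabled in $2"; rc=1; }
    for kind in soft hard; do
        grep -Eq "^[[:space:]]*\*[[:space:]]+$kind[[:space:]]+nofile[[:space:]]+65536" "$3" \
            || { echo "FAIL: '* $kind nofile 65536' is missing from $3"; rc=1; }
    done
    [ "$1" -ge 65536 ] || { echo "FAIL: ulimit -n is $1, expected 65536"; rc=1; }
    return "$rc"
}

# check_selinux <sestatus_output> <getsebool_output>: when SELinux is enabled,
# httpd_can_network_connect must be on or rProxy cannot reach the services.
check_selinux() {
    status=$(printf '%s\n' "$1" | awk -F': *' '$1 == "SELinux status" { print $2 }')
    [ "$status" = "enabled" ] || return 0      # SELinux disabled: nothing to do
    printf '%s\n' "$2" | grep -Eq '^httpd_can_network_connect[[:space:]]+-->[[:space:]]+on$' \
        || { echo "FAIL: SELinux is enabled but httpd_can_network_connect is off"; return 1; }
}

# Runs every check against the live host. Usage: preflight [production]
# Disk is measured as the size of the filesystem holding /usr/local, where the
# RPM installs OpenIAM (/usr/local/openiam in the output above).
preflight() {
    profile=${1:-non-production}
    disk_gb=$(df -BG --output=size /usr/local | awk 'NR == 2 { sub(/G/, ""); print $1 }')
    bad=0
    check_sizing "$profile" "$(lscpu | cpus_from_lscpu)" \
        "$(free -m | mem_mb_from_free)" "$disk_gb" || bad=1
    check_hosts "$(hostname)" /etc/hosts || bad=1
    check_fd_limits "$(ulimit -n)" /etc/pam.d/login /etc/security/limits.conf || bad=1
    check_selinux "$(sestatus 2>/dev/null)" "$(getsebool -a 2>/dev/null)" || bad=1
    [ "$bad" -eq 0 ] && echo "OK: host meets the OpenIAM $profile prerequisites"
    return "$bad"
}
```

Source the file and run preflight (or preflight production) in a fresh login shell after the reboot, so that ulimit -n reflects the pam_limits change.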

Initialize the installation

After the RPM file has been installed, the next step is to "initialize" the system. The initialization process creates the database schema, deploys the various components and performs the initial configuration needed for the system to start. Run the command below to start initialization:

openiam-cli init

The initialization process will take several minutes. As the initialization proceeds, you will see output similar to the example below. The logs will show that infrastructure components such as etcd and Vault are being installed.

Initialize openiam
package logrotate-3.14.0-4.el8.x86_64 (which is newer than logrotate-3.14.0-3.el8.x86_64) is already installed
file /usr/sbin/logrotate from install of logrotate-3.14.0-3.el8.x86_64 conflicts with file from package logrotate-3.14.0-4.el8.x86_64
file /usr/share/man/man8/logrotate.8.gz from install of logrotate-3.14.0-3.el8.x86_64 conflicts with file from package logrotate-3.14.0-4.el8.x86_64
rm: cannot remove '/usr/bin/vault': No such file or directory
Failed to set capabilities on file `/usr/bin/vault' (Invalid argument)
usage: setcap [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
.........................................................................+++++
e is 65537 (0x010001)
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
...................................................+++++
e is 65537 (0x010001)
Signature ok
subject=C = US, ST = NY, L = NY, O = OPENIAM, OU = PRODUCTION, CN = localhost
Getting CA Private Key
writing RSA key
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
[Storing /usr/local/openiam/jdk/lib/security/cacerts]
rm: cannot remove '/usr/local/openiam/logs/vault.out': No such file or directory
Created symlink /etc/systemd/system/multi-user.target.wants/etcd.service → /usr/lib/systemd/system/etcd.service.
Starting etcd...
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-vault.service → /etc/systemd/system/openiam-vault.service.
Starting vault...
Wait vault service to wakeup
Vault already initialized....
Vault already unsealed...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 13684 0 --:--:-- --:--:-- --:--:-- 14444
Generate OpenIAM encryption secrets
=============== CRITICAL SECTION ===============
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none

The installer will ask a number of questions during the initialization process. For most questions, a default value has been provided to simplify the effort for users new to OpenIAM. The sections which require input from the person installing are marked in the console with the following message:

Note: Important section

Credentials which are captured below for the database, message broker, Redis and SMTP will be securely stored in the Vault.

As mentioned above, the installer will also take care of creating the OpenIAM database schemas. OpenIAM has two schemas which are created by default: openiam and activiti. The openiam schema is the primary schema used by the platform; it stores a variety of information ranging from policies to user profile information and more. The activiti schema is used to store information about workflows and their execution.

The first set of questions raised by the installer relate to the creation of a database user for each schema. Each question and its intent are listed below.

Question: Set OpenIAM username for schema 'openiam' , default: idmuser
Explanation: This is the DB user name that will be used to manage the openiam schema. This is the primary schema, in which the data related to OpenIAM are stored. This user will be used by the OpenIAM application to communicate with the database. The default value is idmuser.

Question: Set OpenIAM password for schema 'openiam' , default: idmuser
Explanation: This is the password for the username which was provided in the previous step. The default value is idmuser.

Question: Set OpenIAM username for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Explanation: This is the DB user name that will be used to manage the activiti schema. This user will be used by the OpenIAM application to communicate with the database. The default value is idmuser.

Question: Set OpenIAM password for schema 'activiti'. For MySQL it will be the same as for 'openiam', default: idmuser
Explanation: This is the password for the user associated with the activiti schema. The default value is idmuser.

Question: Set OpenIAM password for RabbitMQ message broker, default: passwd00
Explanation: RabbitMQ is a message broker. Its role is explained in the architecture section. A default password is provided for simplicity. For production use, please use a strong password.

Question: Set OpenIAM password for Redis., default: passwd00
Explanation: Redis is an in-memory distributed cache. Its role is defined in the architecture section. A default password is provided for simplicity. For production use, please use a strong password.

Question: Set SMTP username. You can change it later., default: none
Explanation: Username which will be used to authenticate to your SMTP service. Entering this information at this point is optional; you will be able to configure it later from the OpenIAM Admin interface.

Question: Set SMTP password. You can change it later., default: none
Explanation: Password which will be used to authenticate to your SMTP service. Entering this information at this point is optional; you will be able to configure it later from the OpenIAM Admin interface.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 25545 681 --:--:-- --:--:-- --:--:-- 26227
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 16250 0 --:--:-- --:--:-- --:--:-- 16250
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 28100 750 --:--:-- --:--:-- --:--:-- 28850
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 184 100 184 0 0 7076 0 --:--:-- --:--:-- --:--:-- 7076
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
Created symlink /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service → /usr/lib/systemd/system/rabbitmq-server.service.
Starting RabbitMQ...
Enabling plugins on node rabbit@li1262-180:
rabbitmq_delayed_message_exchange
The following plugins have been configured:
rabbitmq_delayed_message_exchange
Applying plugin configuration to rabbit@li1262-180...
The following plugins have been enabled:
rabbitmq_delayed_message_exchange
started 1 plugins.
Enabling plugins on node rabbit@li1262-180:
rabbitmq_management
The following plugins have been configured:
rabbitmq_delayed_message_exchange
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
Applying plugin configuration to rabbit@li1262-180...
The following plugins have been enabled:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
started 3 plugins.
Adding vhost "openiam_am" ...
Adding vhost "openiam_idm" ...
Adding vhost "openiam_audit" ...
Adding vhost "openiam_common" ...
Adding vhost "openiam_connector" ...
Adding vhost "openiam_activiti" ...
Adding vhost "openiam_user" ...
Adding vhost "openiam_groovy_manager" ...
Adding vhost "openiam_synchronization" ...
Adding vhost "openiam_ext_log" ...
Adding vhost "openiam_bulk_synchronization" ...
Adding vhost "openiam_reconciliation" ...
Adding vhost "openiam_bulk_reconciliation" ...
Adding user "openiam" ...
Setting tags for user "openiam" to [administrator] ...
Setting permissions for user "openiam" in vhost "openiam_am" ...
Setting permissions for user "openiam" in vhost "openiam_idm" ...
Setting permissions for user "openiam" in vhost "openiam_audit" ...
Setting permissions for user "openiam" in vhost "openiam_common" ...
Setting permissions for user "openiam" in vhost "openiam_connector" ...
Setting permissions for user "openiam" in vhost "openiam_activiti" ...
Setting permissions for user "openiam" in vhost "openiam_user" ...
Setting permissions for user "openiam" in vhost "openiam_groovy_manager" ...
Setting permissions for user "openiam" in vhost "openiam_synchronization" ...
Setting permissions for user "openiam" in vhost "openiam_ext_log" ...
Setting permissions for user "openiam" in vhost "openiam_bulk_synchronization" ...
Setting permissions for user "openiam" in vhost "openiam_reconciliation" ...
Setting permissions for user "openiam" in vhost "openiam_bulk_reconciliation" ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
Synchronizing state of elasticsearch.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.
Starting elasticsearch...
/usr/local/openiam/utils/redis/init.sh: line 13: make: command not found
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 22480 600 --:--:-- --:--:-- --:--:-- 23080
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 184 100 184 0 0 8000 0 --:--:-- --:--:-- --:--:-- 8000
vm.overcommit_memory = 1
Created symlink /etc/systemd/system/multi-user.target.wants/redis-server.service → /etc/systemd/system/redis-server.service.
Starting Redis server...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 11304 0 --:--:-- --:--:-- --:--:-- 11818
Database access information
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 18733 500 --:--:-- --:--:-- --:--:-- 19233
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 183 0 0 3519 0 --:--:-- --:--:-- --:--:-- 3519
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 22480 600 --:--:-- --:--:-- --:--:-- 23080
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 183 100 183 0 0 9150 0 --:--:-- --:--:-- --:--:-- 9150
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 29578 789 --:--:-- --:--:-- --:--:-- 30368
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 184 100 184 0 0 8761 0 --:--:-- --:--:-- --:--:-- 8761
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 577 100 562 100 15 29578 789 --:--:-- --:--:-- --:--:-- 30368
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 184 100 184 0 0 9684 0 --:--:-- --:--:-- --:--:-- 9684
=============== CRITICAL SECTION ===============
Database configuration.
Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
This is the name of the openiam core database. If using mariadb, this is most likely 'openiam', default: openiam
This is the name of the openiam Activiti database. If using mariadb, this is most likely 'activiti', default: activiti
Possible values: mysql, postgres, mssql, oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default: mysql
Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]:y
Initialization.
Enter username for Super user (for mysql this is root), default: root
Enter password for super user (sa or root, depend on the db type), default:
Specify hibernate Dialect class, default: org.hibernate.dialect.MySQLDialect
This is the hostname of where the openiam core database is., default: localhost
This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306
This is the hostname of where the openiam activiti database is., default: localhost
This is the port of where the openiam activiti database is. If using mariadb, this is most likely '3306', default: 3306
Mysql. Try to initialize automatically

The next set of questions relates to the database service, connectivity and names. Each question and its intent are listed below.

Question: Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
Explanation: If this install is an upgrade from an existing deployment, then the current version is important, as it determines which scripts need to be applied to upgrade the schema to the current version. If this is a new deployment, you can leave this blank.

Question: This is the name of the openiam core database. If using mariadb, this is most likely 'openiam', default: openiam
Explanation: This question provides the option to choose the primary database schema. You should leave this blank and let it default to openiam. This value should only be changed if the scripts have been altered by the customer.

Question: This is the name of the openiam Activiti database. If using mariadb, this is most likely 'activiti', default: activiti
Explanation: This question provides the option to choose the database schema used by the workflow engine. You should leave this blank and let it default to activiti. This value should only be changed if the scripts have been altered by the customer.

Question: Possible values: mysql, postgres, mssql, oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default: mysql
Explanation: Select the type of database that you will be using as the OpenIAM product repository. You can leave this blank if you will be using either MariaDB or MySQL. If you are using PostgreSQL, Oracle or Microsoft SQL Server, enter one of the following values based on your database type: postgres, oracle, mssql.

Question: Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]:y
Explanation: If this is a new installation, then the answer must be y.

Question: Enter username for Super user (for mysql this is root), default: root
Explanation: The installer needs a super user account, or equivalent, which has the privileges to create new schemas, users, tables, etc.

Question: Enter password for super user (sa or root, depend on the db type), default:
Explanation: Enter the password for the account provided in the last step. If you are using MariaDB, then this is the root password set during mysql_secure_installation.

Question: Specify hibernate Dialect class, default: org.hibernate.dialect.MySQLDialect
Explanation: This setting ensures that the correct class is used by the database framework. For MariaDB and MySQL use: org.hibernate.dialect.MySQLDialect. For PostgreSQL use: org.hibernate.dialect.PostgreSQLDialect. For Oracle use: org.hibernate.dialect.OracleDialect. For Microsoft SQL Server use: org.hibernate.dialect.SQLServerDialect.

Question: This is the hostname of where the openiam core database is., default: localhost
Explanation: Enter the host or DNS name of the server where the primary OpenIAM database will be deployed.

Question: This is the port of where the openiam core database is. If using mariadb, this is most likely '3306', default: 3306
Explanation: Enter the port number used by the database server hosting the primary OpenIAM database.

Question: This is the hostname of where the openiam activiti database is., default: localhost
Explanation: Enter the host or DNS name of the server where the workflow database will be deployed.

Question: This is the port of where the openiam activiti database is. If using mariadb, this is most likely '3306', default: 3306
Explanation: Enter the port number used by the database server hosting the workflow database.

You will see output similar to the example below.

Created symlink /etc/systemd/system/multi-user.target.wants/openiam-auth.service/etc/systemd/system/openiam-auth.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-device.service/etc/systemd/system/openiam-device.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-email.service/etc/systemd/system/openiam-email.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-esb.service/etc/systemd/system/openiam-esb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-groovy.service/etc/systemd/system/openiam-groovy.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-idm.service/etc/systemd/system/openiam-idm.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-reconciliation.service/etc/systemd/system/openiam-reconciliation.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-synchronization.service/etc/systemd/system/openiam-synchronization.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-ui.service/etc/systemd/system/openiam-ui.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-workflow.service/etc/systemd/system/openiam-workflow.service.
Openiam Status report Tue Aug 24 21:44:02 UTC 2021
[WARNING] - openiam-esb - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - workflow - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - groovy-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - idm - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - reconciliation - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - email-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[WARNING] - auth-manager - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[WARNING] - openiam-ui - Service working, but Application status: [ DOWN ]. Probably it's still starting. Please check again in few minutes
Do you want to install OpenIAM reverse proxy module? [y/n]:y

The last question the installer asks, shown below, concerns the reverse proxy (rProxy).

| Question raised by the installer | Explanation |
| --- | --- |
| Do you want to install OpenIAM reverse proxy module? [y/n]:y | If you are new to OpenIAM, configuring OpenIAM for a POC, or deploying a single node, answer y and allow the rProxy to be installed. |

At this point the installer has enough information to complete the installation of the OpenIAM components as well as the infrastructure components such as Elasticsearch, Redis, Vault and RabbitMQ. Upon successful execution of the installer, you should see the following as the final entries in the logs.

[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/rabbitmq-server.conf:1] Line references path below legacy directory /var/run/, updating /var/run/rabbitmq → /run/rabbitmq; please update the tmpfiles.d/ drop-in file accordingly.
mod_openiam installed
restart httpd to apply changes
success
success
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service/usr/lib/systemd/system/httpd.service.

The services will take several minutes to start. You can view the status of the system as it comes up using the openiam-cli utility. The client supports a number of parameters. To see the status, run the following:

openiam-cli status

If all the services have started successfully, you should see the following output:

Openiam Status report Tue Aug 24 22:26:03 UTC 2021
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]
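
As an added example, not part of the OpenIAM RPM or its documentation: a POSIX shell snippet that parses the status report format shown above and waits until every component reports UP, so that a provisioning script does not move on to the curl check or the first login while services are still starting. It assumes openiam-cli is on the PATH and prints its report in the format above; the helper names are the example's own, and the sample reports embedded in it are constructed from the output printed on this page.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM RPM: wait for `openiam-cli status`
# to report every component UP before continuing with post-install steps.
# Assumes openiam-cli is on PATH and prints lines in the form
#   [OK] - <name> - Service working. Application status: [ UP ]
#   [WARNING] - <name> - Service working, but Application status: [ DOWN ]. ...

# Read a status report on stdin; print the name of every component whose
# line is not tagged [OK], one per line (nothing if all are up).
down_services() {
  awk -F' - ' 'NF >= 3 && $1 != "[OK]" { print $2 }'
}

# Read a status report on stdin; succeed only if it lists at least one
# component and none of them is in a non-OK state. An empty report (for
# example when openiam-cli itself failed) is treated as unhealthy.
report_is_healthy() {
  awk -F' - ' '
    NF >= 3 && $1 == "[OK]" { ok++ }
    NF >= 3 && $1 != "[OK]" { bad++ }
    END { exit !(ok > 0 && bad == 0) }'
}

# Poll openiam-cli until healthy. $1 = timeout in seconds (default 900),
# $2 = interval between polls in seconds (default 30). Returns 1 on timeout.
wait_for_openiam() {
  timeout="${1:-900}"
  interval="${2:-30}"
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    report="$(openiam-cli status 2>/dev/null)"
    if printf '%s\n' "$report" | report_is_healthy; then
      echo "all OpenIAM components report UP after ${waited}s"
      return 0
    fi
    echo "still starting after ${waited}s: $(printf '%s\n' "$report" | down_services | tr '\n' ' ')"
    sleep "$interval"
    waited=$((waited + interval))
  done
  echo "timed out after ${timeout}s waiting for OpenIAM" >&2
  return 1
}

# Constructed sample reports, trimmed from the output shown on this page.
SAMPLE_STARTING='Openiam Status report Tue Aug 24 21:44:02 UTC 2021
[WARNING] - openiam-esb - Service working, but Application status: [ DOWN ]. Probably still starting
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[WARNING] - openiam-ui - Service working, but Application status: [ DOWN ]. Probably still starting'

SAMPLE_UP='Openiam Status report Tue Aug 24 22:26:03 UTC 2021
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]'
```

In a provisioning script, call `wait_for_openiam 900 30` right after the installer finishes and abort on a non-zero return; the function deliberately refuses to treat an empty or missing report as healthy, which is the failure mode you hit when openiam-cli is not yet installed or the shell running the script lacks its PATH.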

You can validate that the UI is operational by running the following command in your terminal window:

curl -k -I -L http://127.0.0.1/idp/login

You should see output similar to the example below.

HTTP/1.1 200
Date: Tue, 24 Aug 2021 22:26:44 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' *; font-src 'self' *;
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Set-Cookie: SESSION=MzI1YTU4NDAtYzMxNC00NGY1LTgyNzMtZDg5ZmIyNjI1N2E2; Path=/idp/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
Transfer-Encoding: chunked
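
An added example, not from the OpenIAM documentation, that turns the curl check above into a scripted post-install test: it reads the response headers, confirms the 200 status and the protective headers present in the sample response (X-Frame-Options, X-Content-Type-Options, the HttpOnly flag on the SESSION cookie), and reports whether Access-Control-Allow-Origin is the wildcard seen above so that it can be reviewed before the instance is exposed beyond a POC. The function names, the default host and the embedded sample headers are the example's own; the sample is constructed from the response printed above.

```shell
#!/bin/sh
# Added example, not part of OpenIAM: scripted version of the curl check above.
# validate_ui runs the same request; inspect_login_headers and login_page_ok
# are this example's own helpers.

# Read raw HTTP response headers on stdin; print one key=value finding per line.
# With `curl -I -L` several responses may be present; the last status wins.
inspect_login_headers() {
  tr -d '\r' | awk '
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2 }
    { name = tolower($1) }
    name == "x-frame-options:"        { xfo = 1 }
    name == "x-content-type-options:" { xcto = 1 }
    name == "set-cookie:" && tolower($0) ~ /httponly/ { httponly = 1 }
    name == "access-control-allow-origin:" && $2 == "*" { cors_any = 1 }
    END {
      printf "status=%s\n", status
      printf "x_frame_options=%d\n", xfo
      printf "x_content_type_options=%d\n", xcto
      printf "session_cookie_httponly=%d\n", httponly
      printf "cors_wildcard=%d\n", cors_any
    }'
}

# Read headers on stdin; succeed only if the login page answered 200 with
# the protective headers present and an HttpOnly session cookie.
login_page_ok() {
  findings="$(inspect_login_headers)"
  for want in status=200 x_frame_options=1 x_content_type_options=1 session_cookie_httponly=1; do
    printf '%s\n' "$findings" | grep -qx "$want" || return 1
  done
  return 0
}

# Fetch the login page headers from a running instance (default: local host).
validate_ui() {
  base="${1:-http://127.0.0.1}"
  curl -sk -I -L "$base/idp/login" | inspect_login_headers
}

# Constructed sample, trimmed from the curl output shown on this page.
SAMPLE_HEADERS='HTTP/1.1 200
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Set-Cookie: SESSION=constructed-sample-value; Path=/idp/; HttpOnly; SameSite=Lax
Content-Type: text/html;charset=utf-8'
```

Run `validate_ui` (or `validate_ui http://your-host`) after the status report shows every component UP; a `cors_wildcard=1` line means the reverse proxy is answering with the wildcard origin shown in the sample above, which is worth a second look before the instance serves anything beyond a POC.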

If you get a "Connection refused" error, first check whether anything is listening on port 80:

ss -tulwn

To check whether ports 80 and 443 are open in the firewall, use the following command:

firewall-cmd --list-all

If ports 80 and 443 are not open, use the commands below to add the http and https services to the permanent configuration and then reload it. The --permanent flag is required because firewall-cmd --reload discards runtime-only changes:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

First time login

To log in to OpenIAM for the first time, use a browser such as Chrome or Firefox and go to the following URL:

http://[host name]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00

First time login

The next screen will ask you to change the default password. The password policy is shown on the side. Enter a new password which complies with this policy. You will be able to change both the password and the policy later.

Change password page

The following screen will ask for answers to a set of challenge questions. The answers to these questions can be used as part of the forgot-password functionality. This too can be changed later as you start to configure the solution for your needs.

Challenge questions page

The last step in the startup process is to define a Content Provider. A content provider is an important concept in OpenIAM and is explained in more detail in the administration guide. For this initial step, we only need to provide the following information to define the default content provider.

| Name | Description |
| --- | --- |
| Content Provider Name | You can think of a content provider as an "alias" which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, enter a value such as: Default CP |
| Domain Pattern | This value is defaulted in. It should be the IP address or DNS host name of the instance where OpenIAM has been installed. |
| Is SSL? | Flag which indicates whether communication will be over SSL. For this step, select No. The steps to enable SSL are defined separately. |

Content provider page

After setting the content provider, you will be taken to the landing page of the admin interface in OpenIAM called the Webconsole. You will see the search screen below.

After the content provider is set up, OpenIAM will need a few minutes for the system cache to refresh. During this time, you may see some screens which are blank. Allow the refresh to complete.

After this time, your instance is ready for additional configuration.

Webconsole landing page

Post installation Information - OpenIAM components, status and utilities

Using the OpenIAM Command line utility

OpenIAM provides a command line utility to help you view the status of all components as well as perform common operations such as viewing logs, starting and stopping services, etc. The command is openiam-cli.

Just running the command by itself, as shown below, will display the list of all options.

openiam-cli

Output

Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}

To check the status of the components, or to confirm that the system is up, use the following command:

openiam-cli status

To check the current logs of any service, use the following command. The service names are those listed by the openiam-cli status command.

openiam-cli log <service_name>

For example, to check the logs of the openiam-esb module use the following command.

openiam-cli log openiam-esb

OpenIAM core services

| Name | Description | Default Memory (RAM) |
| --- | --- | --- |
| openiam-esb | The service that provides the Web Service API and the larger part of the functionality | 2048m |
| workflow | The service that provides business workflow functionality | 768m |
| groovy-manager | The service that provides Groovy extension functionality | 256m |
| idm | The service that provides provisioning to target systems | 512m |
| reconciliation | The service that provides reconciliation against target systems | 512m |
| email-manager | The service that provides sending and receiving of emails | 256m |
| auth-manager | The service that provides end-user authorization | 1024m |
| device-manager | The service that provides device management (iOS and Android) | 256m |
| openiam-ui | The web server (Tomcat) that provides the graphical interface | 2048m |

OpenIAM Connectors

Several connectors are distributed with the default OpenIAM RPM. To list all of the connectors, run:

openiam-cli list-connectors

The following connectors are predefined and available in the OpenIAM 4.2.0 and later releases.

| Connector Name | Description | Default Memory (RAM) |
| --- | --- | --- |
| google-connector-rabbitmq | G Suite refers to Google Apps, which consist of tools for communication, collaboration, storage, and access management. | 256m |
| ldap-connector-rabbitmq | Group and user management in OpenLDAP or Active Directory (using the ldap/ldaps protocol) | 256m |
| linux-connector-rabbitmq | Group and user management in local or remote *UNIX systems | 256m |
| oracle-connector-rabbitmq | Manage Oracle RDBMS users | 256m |
| scim-connector-rabbitmq | Group and user management using the SCIM protocol | 256m |

The table below shows how to execute common commands related to all connectors.

| Connector operation | Command |
| --- | --- |
| Start connector | openiam-cli connector <connector_name> start |
| Stop connector | openiam-cli connector <connector_name> stop |
| Start a connector automatically after a reboot | openiam-cli connector <connector_name> enable |
| Prevent a connector from starting automatically after a reboot | openiam-cli connector <connector_name> disable |

OpenIAM Source Adapters

Whereas most OpenIAM connectors are bi-directional, the source adapter is a special type of integration service designed largely to receive (import) data from a source. In the current release, the HTTP Source Adapter is included in the RPM (future releases may include other types of adapters).

| Name | Description | Default Memory (RAM) |
| --- | --- | --- |
| http-source-adapter | Import data to OpenIAM using plain http 1.2 protocol | 256m |

To get a list of all source adapters, use the following command:

openiam-cli list-source-adapters

The table below shows how to execute common commands related to all adapters.

| Adapter operation | Command |
| --- | --- |
| Start adapter | openiam-cli source-adapter <adapter_name> start |
| Stop adapter | openiam-cli source-adapter <adapter_name> stop |
| Start an adapter automatically after a reboot | openiam-cli source-adapter <adapter_name> enable |
| Prevent an adapter from starting automatically after a reboot | openiam-cli source-adapter <adapter_name> disable |