Connectors via RPM

This section describes how to deploy, start and register your connectors in an RPM deployment.

All connectors that are part of the RPM distribution are in the /usr/local/openiam/connectors/bin/ directory. If the connector you are looking for was not part of the distribution, download it from the OpenIAM website and copy it to the above directory. Ensure that the connector files are owned by openiam:

chown openiam:openiam [file name]

To start the connector, use the following command:

systemctl start openiam-connector@[connector_name]

Deploying the remote connector

A remote connector is a connector deployed outside the OpenIAM environment.

All Microsoft application connectors are remote connectors. Java (jar file) connectors can also be deployed on a remote server.

Download the Java connector to the remote box and place it in /opt/openiam/connectors/bin/ (create the directories if they do not exist). To allow remote connectors to connect to RabbitMQ and Vault, open ports 5672 and 8200 on the OpenIAM host. For example, on CentOS 7 you can open the ports with:

firewall-cmd --add-port=5672/tcp --permanent
firewall-cmd --add-port=8200/tcp --permanent

Next, run the following command:

firewall-cmd --reload

Also make sure that no other network configuration blocks these ports. Before starting the connector, you can test the connection with the following telnet commands:

telnet 10.98.0.1 5672
telnet 10.98.0.1 8200

where 10.98.0.1 is the IP address of the host where RabbitMQ and Vault are installed.

For Java connectors, install Java 11. Copy the Vault certificate vault.crt to the connector box and import it into the Java truststore with the command below. Once imported, you can delete vault.crt from the box.

keytool -noprompt -import -v -trustcacerts -alias vault_$(pwgen -s 13 1) -file vault.crt -keystore /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-1.el7_9.x86_64/lib/security/cacerts -keypass changeit -storepass changeit

If you do not want to expose the Vault port, you can disable Vault by adding the property -Dorg.openiam.vault.disabled to the connector start file. In that case, provide the RabbitMQ username and password in the properties file, because the application will not fetch them from Vault.

On the connector server, create the directory /opt/openiam/connectors/conf/properties/ and put rabbitmq.properties and vault.properties (if you use Vault) in it. Also create the directory /opt/openiam/connectors/conf/vault/client and put vault.jks in it (copy it from the OpenIAM box).

rabbitmq.properties

spring.rabbitmq.host=10.98.0.1
spring.rabbitmq.port=5672
org.openiam.rabbitmq.hosts=${spring.rabbitmq.host}:${spring.rabbitmq.port}
spring.rabbitmq.username=openiam
# If Vault is disabled (-Dorg.openiam.vault.disabled), also set the password here (Spring's spring.rabbitmq.password)
org.openiam.rabbitmq.concurrent.consumers=20
org.openiam.rabbitmq.max.concurrent.consumers=50
org.openiam.rabbitmq.prefetch.count=2
org.openiam.rabbitmq.channelTransacted=true
org.openiam.rabbitmq.channelCacheSize=10
org.openiam.mq.broker.encryption.key=ff808181670838e0016708610547001b

vault.properties

vault.uri=https://10.98.0.1:8200
vault.authentication=CERT
vault.ssl.key-store=file://path_to_/vault.jks
vault.ssl.key-store-password=passwd00

Create an executable shell script file named start.sh with the following content:

#!/bin/bash
# Usage: ./start.sh connector-file-name  (run from the connector root; no .jar extension in the argument)
HOME_DIR="/opt/openiam/connectors"   # assumed connector root; HOME_DIR was undefined in the original script
export VAULT_CERTS="/opt/openiam/connectors/conf/vault/certs/"
export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-11.0.11.0.9-1.el7_9.x86_64/"
mkdir -p "$HOME_DIR/logs"
"$JAVA_HOME/bin/java" -Dlogging.level.root=ERROR -Dlogging.level.org.openiam=INFO -Dconfpath=/opt/openiam/connectors/ -jar "bin/$1" > "$HOME_DIR/logs/$1.log"

Start the connector with ./start.sh connector-file-name (note: do not include the .jar extension in the argument), for example: ./start.sh jdbc-connector-rabbitmq

Registering the connector

After a connector has been started, it must be registered with OpenIAM so that it can receive messages that are being sent by the other services in OpenIAM. These messages will tell the connector what to do. Examples of messages include:

  • find a user;
  • create a user;
  • reset a password.

To register a connector, go to: webconsole > Provisioning > Connectors.

You will see a list of connectors that have already been registered out-of-the-box. Unless you are working with a custom connector, your connector should already be registered on this list. To configure, click on the actions button next to the connector and you will see the screen below.

Connector registration

Make note of the value in the first Connector Queue as you will need to add this to the server side connector configuration as well.

Note: You can replace the queue name value with any unique alpha-numeric sequence with no spaces.

Adding the queue name to the connector configuration

To add the queue name to the connector configuration, follow the steps described below.

  1. Copy the start.sh file into the connectors directory and call it [connector name]_start.sh.
  2. Open the new start script file and add the following Java opts:
     -Dorg.openiam.connector.queue=[Connector Queue]_Request
     -Dorg.openiam.connector.queueResponseName=[Connector Queue]_Response
  3. Copy the system service file /etc/systemd/system/openiam-connector@.service to /etc/systemd/system/openiam-connector-[connector-name].service and change the ExecStart property to point to the new [connector name]_start.sh.
  4. Start the connector.

The example for the connector is shown below.

Connector example

The new Java opts will look as follows:

-Dorg.openiam.connector.queue=TestDb_Connector_0001_Request
-Dorg.openiam.connector.queueResponseName=TestDb_Connector_0001_Response
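The following script automates steps 1 and 2 above for a registered connector: it checks the queue name against the rule in the note (alphanumeric, no spaces; underscores as in TestDb_Connector_0001 are accepted), then writes a [connector name]_start.sh that carries the two queue Java opts. It is an added example, not OpenIAM's own tooling; the /opt/openiam/connectors layout, the Java 11 path and the generated script body are taken from the start.sh above, and the systemd unit copy (step 3) is still done by hand.

```shell
#!/bin/bash
# Added example (not part of OpenIAM): generate <connector>_start.sh with the
# request/response queue opts taken from the webconsole registration.
set -eu

CONNECTOR_HOME="${CONNECTOR_HOME:-/opt/openiam/connectors}"   # assumed connector root

# Returns 0 when the queue name is alphanumeric/underscore with no spaces, else 1.
valid_queue_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;   # empty, or contains a character outside [A-Za-z0-9_]
    *) return 0 ;;
  esac
}

# Prints the two Java opts that bind a connector to its request/response queues.
queue_java_opts() {
  printf -- '-Dorg.openiam.connector.queue=%s_Request -Dorg.openiam.connector.queueResponseName=%s_Response' "$1" "$1"
}

# make_start_script <connector-file-name> <Connector Queue> [connector-home]
# Writes <home>/<connector>_start.sh (mode 0750) and prints its path.
make_start_script() {
  local connector="$1" queue="$2" home="${3:-$CONNECTOR_HOME}"
  valid_queue_name "$queue" || { echo "invalid queue name: '$queue'" >&2; return 1; }
  local script="$home/${connector}_start.sh"
  mkdir -p "$home/logs"
  cat > "$script" <<EOF
#!/bin/bash
# generated start script for $connector (queue: $queue)
export VAULT_CERTS="$home/conf/vault/certs/"
export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-11.0.11.0.9-1.el7_9.x86_64/"
cd "$home"
exec "\$JAVA_HOME/bin/java" -Dlogging.level.root=ERROR -Dlogging.level.org.openiam=INFO \\
  -Dconfpath=$home/ $(queue_java_opts "$queue") \\
  -jar "bin/$connector" > "$home/logs/$connector.log"
EOF
  chmod 0750 "$script"
  echo "$script"
}
```

Run it as `make_start_script jdbc-connector-rabbitmq TestDb_Connector_0001` on the connector box, then point the copied systemd unit's ExecStart at the printed path.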