Installation with Internet Access

This section builds on the initial installation steps described in the RPM install section. Please ensure that you have completed the steps in that section before proceeding.

Installation with Internet access

This type of installation is suitable for environments where the servers running the OpenIAM software will have internet access and can reach the OpenIAM website to download the software. You can validate internet connection by running the command below.

curl https://openiam.com/; echo $?

You should see 0 as a result. If you see non-zero result, its means that you CANNOT reach the OpenIAM web site from your deployment server. Please resolve the internet access or use the offline installation instructions.

The RPM installation for OpenIAM 4.2.1.12+ now supports Enterprise Linux 9 (EL9). During the installation process, you will be prompted to install MariaDB RDBMS as the default database.

Database Recommendations

MariaDB Usage: MariaDB is suitable for Demo, Proof-of-Concept (POC), or small-scale deployments. However, for production environments, we strongly recommend using a corporate-standard database that aligns with your organization’s IT policies and is fully supported operationally.
MariaDB in Production: If you choose to use MariaDB in a production setting, ensure that:
- It is properly sized for your workload
- It is deployed in a high-availability (HA) configuration to enhance reliability.

Using an Existing Database Infrastructure

If you already have a database infrastructure you prefer to use, select N when prompted during the installation. This option allows you to integrate OpenIAM with your preferred database system.

The following sections will guide you through the OpenIAM installation process step by step.

Download the RPM installer using the following command.

curl https://download.openiam.com/release/enterprise/4.2.1.12/rpm/openiam-4.2.1.12.noarch.x86_64.rpm --output openiam-4.2.X.noarch.x86_64.rpm

Once the download is complete, install OpenIAM using the following command. This step will also update the initial ulimit settings, which are required for the subsequent installation process

sudo rpm -i openiam-4.2.X.noarch.x86_64.rpm

You should see the output like one given below.

openiam/
openiam/utils/
openiam/utils/autodb.sh
openiam/utils/autoinit.sh
openiam/utils/cassandra_tombstones_issue_fix.sh
openiam/utils/cluster_healthcheck.sh
openiam/utils/elasticsearch/
openiam/utils/elasticsearch/archive.sh
openiam/utils/elasticsearch/default.policy.diff
openiam/utils/elasticsearch/elasticsearch
openiam/utils/elasticsearch/elasticsearch.service
openiam/utils/elasticsearch/init.sh
openiam/utils/elasticsearch/jvm.options
openiam/utils/graph/
openiam/utils/graph/alter_table.cql
openiam/utils/graph/cassandra.service
openiam/utils/graph/cassandra.yaml
openiam/utils/graph/gremlin-server.yaml
openiam/utils/graph/healthcheck.groovy
openiam/utils/graph/init.sh
openiam/utils/graph/janusgraph-cql.properties
openiam/utils/init.sh
openiam/utils/init_vault_cluster.sh
openiam/utils/sas/
openiam/utils/sas/init.sh
openiam/utils/shutdown.sh
openiam/utils/start-openiam.sh
openiam/utils/start.sh
...

Your VM will reboot to apply changes to ulimit. After it reboots, reconnect to your VM by executing the following command and providing your credentials when prompted.

ssh [username]@[IP address of your VM]

Start the initialization process which will download files required for installation from OpenIAM server. Please follow the instructions on the screen.

sudo openiam-cli init

You will be asked about Internet access on this box, as shown below.

Type y and press Enter.

The system will download additional files, extract them locally, update your repository, and install essential base packages. You will see output similar to the snippet below.

Initialize openiam
Does this box have Internet access ? [y/n]:y
It is default configuration in env.conf
Download file openiamrepo.tar.gz from OpenIAM website
Download file backend.tar.gz from OpenIAM website
Download file frontend.tar.gz from OpenIAM website
openiamrepo/
openiamrepo/mariadb/
openiamrepo/mariadb/perl-MIME-Base64-3.15-396.el8.x86_64.rpm
openiamrepo/mariadb/perl-Math-BigInt-1.9998.11-7.el8.noarch.rpm
openiamrepo/mariadb/perl-Pod-Usage-1.69-395.el8.noarch.rpm
openiamrepo/mariadb/mariadb-backup-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+f0897f98.x86_64.rpm
openiamrepo/mariadb/perl-IO-1.38-422.el8.x86_64.rpm
openiamrepo/mariadb/perl-DBD-MySQL-4.046-3.module+el8.1.0+2938+301254e2.x86_64.rpm
openiamrepo/mariadb/mariadb-errmsg-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-interpreter-5.26.3-422.el8.x86_64.rpm
openiamrepo/mariadb/perl-Term-ANSIColor-4.06-396.el8.noarch.rpm
openiamrepo/mariadb/perl-Time-Local-1.280-1.el8.noarch.rpm
openiamrepo/mariadb/perl-Unicode-Normalize-1.25-396.el8.x86_64.rpm
openiamrepo/mariadb/perl-Scalar-List-Utils-1.49-2.el8.x86_64.rpm
openiamrepo/mariadb/perl-Mozilla-CA-20160104-7.module+el8.3.0+6498+9eecfe51.noarch.rpm
openiamrepo/mariadb/compat-openssl11-1.1.1k-4.el9.x86_64.rpm
openiamrepo/mariadb/mariadb-connector-c-3.1.11-2.el8_3.x86_64.rpm
openiamrepo/mariadb/perl-podlators-4.11-1.el8.noarch.rpm
openiamrepo/mariadb/perl-Exporter-5.72-396.el8.noarch.rpm
openiamrepo/mariadb/mariadb-server-utils-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-Math-Complex-1.59-422.el8.noarch.rpm
openiamrepo/mariadb/perl-Text-ParseWords-3.30-395.el8.noarch.rpm
openiamrepo/mariadb/perl-Digest-MD5-2.55-396.el8.x86_64.rpm
openiamrepo/mariadb/libaio-0.3.112-1.el8.x86_64.rpm
openiamrepo/mariadb/perl-File-Path-2.15-2.el8.noarch.rpm
openiamrepo/mariadb/mariadb-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-PathTools-3.74-1.el8.x86_64.rpm
openiamrepo/mariadb/perl-Pod-Escapes-1.07-395.el8.noarch.rpm
openiamrepo/mariadb/perl-libs-5.26.3-422.el8.x86_64.rpm
openiamrepo/mariadb/perl-Socket-2.027-3.el8.x86_64.rpm
openiamrepo/mariadb/perl-Carp-1.42-396.el8.noarch.rpm
openiamrepo/mariadb/perl-threads-shared-1.58-2.el8.x86_64.rpm
openiamrepo/mariadb/mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-IO-Socket-IP-0.39-5.el8.noarch.rpm

...

================================================================================
 Package        Architecture   Version                  Repository         Size
================================================================================
Installing:
 m4             x86_64         1.4.19-1.el9             appstream         294 k
 telnet         x86_64         1:0.17-85.el9            appstream          63 k

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 357 k
Installed size: 703 k
Downloading Packages:
(1/2): telnet-0.17-85.el9.x86_64.rpm            327 kB/s |  63 kB     00:00
(2/2): m4-1.4.19-1.el9.x86_64.rpm               1.0 MB/s | 294 kB     00:00
--------------------------------------------------------------------------------
Total                                           988 kB/s | 357 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : m4-1.4.19-1.el9.x86_64                                 1/2
  Installing       : telnet-1:0.17-85.el9.x86_64                            2/2
  Running scriptlet: telnet-1:0.17-85.el9.x86_64                            2/2
  Verifying        : telnet-1:0.17-85.el9.x86_64                            1/2
  Verifying        : m4-1.4.19-1.el9.x86_64                                 2/2

Installed:
  m4-1.4.19-1.el9.x86_64               telnet-1:0.17-85.el9.x86_64

Complete!
workflow.jar
synchronization.jar
reconciliation.jar
openiam-esb.jar
idm.jar
groovy-manager.jar
email-manager.jar
device-manager.jar
auth-manager.jar
business-rule-manager.jar
sas-manager.jar
sas-lib.zip
idp.war
openiam-ui-static.war
selfservice-ext.war
selfservice.war
webconsole.war
reportviewer.war

You will be asked if you want to install MariaDB as the default database.

Would you like to install MariaDB RDBMS locally? [y/n]:

Please answer Y if you would like to use the local MariaDB RDBMS as a database server. To use another database, please enter N. This question enables the installation of MariaDB so that it can be used later in the installation process.

4.1. If you answered Y, the MariaDB installer will prepare the files needed to install and configure MariaDB. Once this process is complete, you will be asked the questions below. Answer them and proceed to the next step.

Enter current password for root (enter for none):
- Press Enter, as no password has been set yet.
- You will see the following confirmation message:

OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] -> Press y button and after Enter

Type Y and press Enter to set a password for the MariaDB root user.

New password: ->
- Enter a secure password for the MariaDB root user.
- Note: You will need this password later in the installation process.
- Type the same password as in the previous step and press Enter.
Re-enter new password:
- Type the same password as in the previous step and press Enter.
Remove anonymous users? [Y/n]
- Type Y and press Enter to remove anonymous database users.
- This enhances security by ensuring only authenticated users can access MariaDB.
Disallow root login remotely? [Y/n]
- Type Y and press Enter to prevent remote root login.
- This reduces the risk of unauthorized access.
Remove test database and access to it? [Y/n]
- Type Y and press Enter to delete the default test database.
- This prevents potential security risks from an unused database.
Reload privilege tables now? [Y/n]
- Type Y and press Enter to apply the changes immediately.

The snippet below provides a view of what you can expect to see in this part of the installation. Note, that for successful installation it is required to set a password for the root user in MariaDB.

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] openiam
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

After MariaDB has been installed, the installer will move forward to a variety of infrastructure services such as the Vault, Redis, RabbitMQ and Cassandra, which is the storage for the graph database used in OpenIAM. This process will take 4-5 min.

The snippet below, which follow the installation of MariaDB, shows a certificate being generated and the vault being initialized.

...
Certificate request self-signature ok
subject=C=US, ST=NY, L=NY, O=OPENIAM, OU=PRODUCTION, CN=localhost
Warning: -clcerts option ignored with -export
writing RSA key
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
[Storing /usr/local/openiam/jdk/lib/security/cacerts]
Created symlink /etc/systemd/system/multi-user.target.wants/etcd.service → /usr/lib/systemd/system/etcd.service.
Starting etcd...
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-vault.service → /etc/systemd/system/openiam-vault.service.
Starting vault...
Wait vault service to wakeup
Initializing vault.  This will only happen once.  This will output the root token and unseal keys.  Save them!

The installer will ask several questions during the initialization process. For most questions, a default value has been provided to simplify the effort for users new to OpenIAM. The sections which requires input from the installer are marked with the following message in the console:

=============== CRITICAL SECTION ===============

Define database and infrastructure components credentials

OpenIAM has two schemas which are created by default: openiam and activiti. The openiam schema is the primary schema used by the platform and it stores a variety of information ranging from policies to user profile information and more. activiti is used to store information about workflows and their execution. The first set of questions raised by the installer are related to the creation of database users for each schema. Each question and its intent are listed below.

Question raised by the installer	Explanation
Set OpenIAM username for schema `openiam`, default: `idmuser`	This is the DB username that will be used to manage the `openiam` OpenIAM schema. This is the primary schema in the solution data related to OpenIAM are stored. Users will be used by the OpenIAM application to communicate with the database. The default value is `idmuser`.
Set OpenIAM password for schema `openiam`, default: `idmuser`	This is the password that will be used for the username which was provided in the previous step. The default value is: `idmuser`.
Set OpenIAM username for schema `activiti`. For MySQL it will be the same as for `openiam`, default: `idmuser`	This is the DB username that will be used to manage the `activiti` schema. Users will be used by OpenIAM application to communicate with the database. Default value is `idmuser`.
Set OpenIAM password for schema `activiti`. For MySQL it will be the same as for `openiam`, default: `idmuser`	This is the password for the user associated with the `activiti` schema. The default value is `idmuser`.

Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
User to Access ElasticSearch. If you don't change it on the ES server side, leave it as elastic, default: elastic
Password for elastic to access ElasticSearch, default: VlyXHUBDuhgv6BTKjTz7TumtBZL8Zbmu

Message broker password

OpenIAM uses RabbitMQ as a message broker. RabbitMQ is the primary transport service used within the OpenIAM application. Services are loosely coupled, and they communicate with each other through the message broker. Cross service communication is encrypted.

The next question raised by the installer is to define a password for RabbitMQ. As seen in the above questions, a default password value is provided for simplicity. For production use, please use a strong password.

Set OpenIAM password for RabbitMQ message broker, default: passwd00

Memory cache password

Redis is an in-memory distributed cache that is used by OpenIAM to improve system performance. A variety of objects are temporarily stored in Redis including:

End user web session.
Database object cache.
High level application cache.

As with other components, access to the cache is secured and the next question asks for a password which should be used for Redis.

Set OpenIAM password for Redis., default: passwd00

Elasticsearch credentials

Elasticsearch search is used by OpenIAM to enable fast searching of frequently used data. As with the components above, access to Elasticsearch is secured through its own set of credentials. You are prompted for this information as shown below.

User to Access ElasticSearch. If you don't change it on the ES server side, leave it as elastic, default: elastic
OpenIAM password for elastic user to access ElasticSearch: KtmHIv4yEhb4w7VRxhveTIDTHAgPfNmY

The information requested above is critical for the installation process. Mistakes in these steps can disrupt the installation process. To minimize such issues, you will be asked to review the above answers. If you agree with the information, select Y. If you need to fix some information, select N and the installer will walk you through this process again.

Cassandra

After processing the above information, the installer will then install Cassandra. Cassandra is the storage engine for Janus Graph DB. You will see output like the example below during this step.

There might be an error message at several lines in .java files. Ignore this error - since Cassandra takes a little while to start, an error occurs due to this delay. The installer will wait and then proceed with the installation.

Synchronizing state of cassandra.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable cassandra
Created symlink /etc/systemd/system/default.target.wants/cassandra.service → /etc/systemd/system/cassandra.service.
0
error: No nodes present in the cluster. Has this node finished starting up?
-- StackTrace --
java.lang.RuntimeException: No nodes present in the cluster. Has this node finished starting up?

...

Waiting for cassandra
1
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address    Load       Tokens  Owns (effective)  Host ID                               Rack
UN  127.0.0.1  73.52 KiB  256     100.0%            5a7c7a99-aeaf-4576-9863-f226a7867ef0  rack1

Cassandra alive
Cassandra is ready to use. Continue...

At this point the installer has enough information to complete the installation of: Elasticsearch, Redis, and RabbitMQ.

Initialize Database Schema

Question raised by the installer	Explanation
Use default value if this is new installation. If you are doing an update, specify your current (before update) version here, like 4.1.11.0, default: `0.0.0.0`	If this install is an upgrade from an existing deployment, then the current version is important as it will determine which scripts need to be applied to upgrade the schema to the current version. If this is a new deployment, you can leave this blank.
This is the name of the OpenIAM core database. If using MariaDB, this is most likely `openiam`, default: `openiam`	This question provides the option to choose the primary database schema. You should leave this blank and let it default to `openiam`. This value should only be changed if the scripts have been altered by the customer.
This is the name of the OpenIAM Activiti database. If using MariaDB, this is most likely `activiti`, default: `activiti`	This question provides the option to choose the database schema used by the workflow engine. You should leave this blank and let it default to `activiti`. This value should only be changed if the scripts have been altered by the customer.
Possible values: MySQL, Postgres, MSSQL, Oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default: `MySQL`	Select the type of database that you will be using as the OpenIAM product repository. You can leave this blank if you will be using either MariaDB or MySQL. If you are using either PostgreSQL, Oracle or Microsoft SQL server, enter one the following values based on your database type: `postgres`, `oracle`, `mssql`.
Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will be required [y/n]	If `Y` then the installer will create schemas in the database and correspond with RDBMS users as well. For Oracle/MSSQL it will generate an SQL script that must be performed manually.
Enter username for Super user (for MySQL this is root), default: `root`	The installer needs a super user account or equivalent which has the privileges to create new schema, users, tables, etc.
Enter password for super user (`sa` or `root`, depend on the DB type), default:	Enter the password for account provided in the last step.
Do you use AWS RDS MariaDB? If Yes, make sure the RDS DB instance has the parameter `log_bin_trust_function_creators = 1 [y/n]:`	Select `N` if AWS RDS MariaDB is not being used for this deployment.
This is the hostname of where the OpenIAM core database is, default: `localhost`	Enter the host or DNS name of the server where the primary OpenIAM database will be deployed.
This is the port of where the OpenIAM core database is. If using MariaDB, this is most likely `3306`, default: `3306`	Enter the port number used by the database server hosting the primary OpenIAM database.
This is the hostname of where the Activiti database is, default: `localhost`	Enter the host or DNS name of the server where the workflow database will be deployed.
This is the port of where the Activiti database is. If using MariaDB, this is most likely `3306`, default: `3306`	Enter the port number used by the database server hosting the workflow database.

Once the questions have been answered, the installer will provide a summary of the questions and answers. Please review before proceeding. An example of this is shown below.

Please validate information below
---------------------------------
FLYWAY_BASELINE_VERSION=0.0.0.0
FLYWAY_OPENIAM_DATABASE_NAME=openiam
FLYWAY_ACTIVITI_DATABASE_NAME=activiti
FLYWAY_OPENIAM_HOST=localhost
FLYWAY_OPENIAM_PORT=3306
FLYWAY_ACTIVITI_HOST=localhost
FLYWAY_ACTIVITI_PORT=3306
FLYWAY_DATABASE_TYPE=mysql
Database will be initialized=Y
Root (Db admin) user name=root
Root (Db admin) user password=openiam
---------------------------------
Please validate your input above, if you are OK with that enter 'y'. To repeat an information collecting procedure enter 'n' :y

If you need to correct any answer, please enter N.

Once you select Y, the installer will generate the database schema. Internally, this step is handled by a component called Flyway. Flyway is a database schema management and versioning utility. It's used to generate the schema as well as upgrade from one version to another.

Install reverse proxy

Next, the installer will ask you if you want to install the reverse proxy. The reverse proxy is an Apache web server plugin which has been purpose built for use with the OpenIAM stack and address specific use cases. In virtually all cases, you will want to install the rProxy. The exceptions can arise based on your deployment architecture. The rProxy can co-exist with other infrastructure components such as an F5. Enter y for the question below

Do you want to install OpenIAM reverse proxy module? [y/n]:

After, the system may ask whether you want to update httpd software. httpd is an Apache webserver used to host websites and applications, as well as process and provide response to requests. Enter y for the question below and proceed with installation.

Do you want to update httpd to 2.4.57 ? [y/n]:

The OpenIAM RPM installer will continue with initialization and apply the SQL scripts which are required for successful startup. The OpenIAM services will automatically run the application stack after successful initialization and will show you the current stack status. Usually, startup takes around 10-15 minutes. You can view the status of the system as it's coming up using the command line tools described below in OpenIAM components and Status.

Please, ignore the

HTTP request sent, awaiting response... 404 Not Found
2023-11-09 21:04:58 ERROR 404: Not Found.

line. At this point the installation is completed.

Check the startup process

The containers may take 8 to 15 minutes (depending on your environment) to start up completely. You can watch the startup process using the command below. Note that the UI container will take some time and be among the last to start up as it has dependencies on other components being up first.

Monitor the startup process

To check if the services have started, you can use the openiam-cli utility as shown in the example below:

openiam-cli status

You will see output like the example below:

Openiam Status report Fri Feb 21 09:49:32 PM UTC 2025
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - business-rule-manager - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]

Validate the startup

You can use the curl command below to validate whether the UI is up.

curl -k -I -L http://127.0.0.1/idp/login

You should see output like the example below

HTTP/1.1 200
Date: Fri, 21 Feb 2025 21:49:04 GMT
Server: Apache/2.4.61 (Red Hat Enterprise Linux) OpenSSL/3.2.2
Report-To: { "group": "csp-endpoint",  "max_age": 10886400,  "endpoints": [        { "url": "http://127.0.0.1/selfservice/csp/report" }    ] }
Content-Security-Policy: default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' data: https://chart.googleapis.com; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4970
Set-Cookie: SESSION=OWJiZDkwMTMtMDNmZC00NThmLWI5ZWEtYTljYzE4N2VhMTZh; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding

The http 200 indicates that the application is up and running and you can login.

First time login

The final validation of our deployment is to be able to login to the OpenIAM web applications. To do this, you must first find the IP address of our VM.

Next open your browser (preferably Chrome or Firefox), and hit:

http://[ip address of your installation ]/webconsole

Use the following credentials for the first time login:

Username: sysadmin
Password: passwd00

Enter the username on the field shown below and click Next

The authentication process is spread over two screens. You will be asked to enter the password on the screen below.

The next screen will force you to change the default password. As you enter your new password, you will see the password policy on the side. Your password must align with this policy. You will be able to change both the password and the policy later.

The next step is to define a content provider using the screen shown below. A Content provider is an alias which represents a domain. Associated with the content provider can be UI themes, authentication policies, etc. You can read more on Content Provider in this document. The table below describes the fields on this screen.

Name	Description
Content Provider Name	You can think of a content provider as an “alias” which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, please enter a value such as : Default CP
Domain Pattern	This value is defaulted in. It should be the IP address or host DNS name of the instance where OpenIAM has been installed
Application supports SSL?	This configuration determines if the OpenIAM application will be accessed over HTTP or HTTPS. Unless you have already configured the certificate, select `Support on HTTP`. You will be able to update this configuration later.
Application servers	This is the location of the OpenIAM service layer which the UI and rProxy need to communicate with. In most cases, the default value will be correct since each of these components will be deployed on the same host. However, this configuration provides flexibility to have the UI and service layer on separate hosts.

After setting up the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account in case you have locked yourself out. Please make a note of your answers.

Note: You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

After completing the above steps, you will be taken to the admin console landing page shown below. Give the system about 5 min to refresh the internal cache and then you can proceed to configure your solution.

Post installation information

Using the OpenIAM command line utility

OpenIAM provides a command line utility to help you view the status of all components as well as perform common operations such as view logs, start, stop, etc. The command is openiam-cli.

Just running the command by itself, as shown below, will display the list of all options.

openiam-cli

Output

Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}

Check status

To check the status of the components or to confirm that the system is up, please use the following command:

openiam-cli status

Check service logs

To check current logs of any service you can use the following command. You can get the services using the following command: openiam-cli log <service_name>.

For example, to check the logs of the openiam-esb module use the following command.

openiam-cli log openiam-esb

Start and stop

You can start and stop OpenIAM using the command line as well. To stop OpenIAM using the following command:

openiam-cli stop

You can check that the services have stopped by using the status command shown above.

You can start the application using the following command.

openiam-cli start

Checking the health of the application

Health checks can be used by your monitoring systems to verify the status of OpenIAM.

Use the following URL to validate ESB.

curl http://localhost:9080/openiam-esb/actuator/health

Use the following URL to validate the UI.

curl -k http://localhost:9080/idp/actuator/health

Core services and Default Memory configuration

Name	Description	Default Memory (RAM)
openiam-esb	The service that provides Web Service API and to the bigger part of functionality	2048m
workflow	The service that provides Business Workflow functionality	768m
groovy-manager	The service that provides Groovy extension functionality	256m
idm	The service that provides provisioning to target systems functionality	512m
reconciliation	The service that provides reconciliation against target systems functionality	512m
email-manager	The service that provides Sending and Receiving email functionality	256m
auth-manager	The service that provides Authorization functionality	1024m
device-manager	The service that provides Device management functionality (IOS and Android)	256m
business-rule-manager	The service that provides Business Rules functionality	512m
openiam-ui	This provides the OpenIAM UI running on an Apache Tomcat server	2048m

Troubleshooting

It is possible to receive a timeout error during the installation of Elasticsearch during initialization. This issue can be rectified by setting the SELinux mode to Permissive. Please refer to Red Hat's documentation for Changing SELinux states and modes.

In case there is a need for VM reboot or restarting an application, make sure to shut down OpenIAM with openiam-cli stop command, as shown above. Otherwise, the vault may seal, and the application may fail to start.

Single VM Install

Installation without Internet Access