Deploying via Docker

This section describes how to deploy the OpenIAM platform in a Docker Swarm environment. The procedures described in this section must be performed in the order that they are presented. Some steps in this installation require root level privileges to the system where OpenIAM will be deployed.

What is Docker?

Docker is a tool for creating, deploying, and running applications using containers. Docker Compose is a tool for defining and running multi-container Docker applications. Docker provides a standardized, lightweight execution environment that keeps all of an application's dependencies within it. It can run on physical or virtualized environments, on-premise or in the cloud. For more information about Docker, see the Docker website and Docker Documentation.

OpenIAM on Docker

The OpenIAM Docker deployment method enables you to deploy OpenIAM using a series of pre-configured containers in a short amount of time, without the complexity of deploying each dependency yourself. The simplified deployment method requires:

  • Installing the Docker software
  • Configuring environment variables
  • Running scripts for setting up and starting up the OpenIAM instance. Running the deployment scripts automatically takes care of all component dependencies and release updates.

OpenIAM docker containers are maintained on Docker hub. Once these containers have been pulled into your environment using the details below, you will also need:

  • Docker client - Docker Community Edition (CE) versions 19.03.12 or higher
  • Docker compose - Defines and enables the operation of a multi-container Docker application. OpenIAM uses docker-compose file format 3.2

OpenIAM Solution Stacks

The OpenIAM solution consists of several stacks that are deployable to Docker Swarm. Docker Swarm is a container orchestration tool: it manages multiple containers deployed across multiple host machines. The content of each stack is described below.

Critical Infrastructure stacks

The infrastructure stacks are used across the OpenIAM solution regardless of the functionality that you are enabling. These components must be operational for the OpenIAM solution to function correctly.

Stack Name | Description
Elasticsearch | Runs Elasticsearch. Elasticsearch is an enterprise-level search engine. Elasticsearch uses an index-based search approach, which allows for fast searching. The architecture allows for scalability, flexibility, and multi-tenancy support.
Redis | Runs Redis. Redis is an in-memory data structure store used as a database, cache, and message broker by OpenIAM.
MariaDB / PostgreSQL | Runs either MariaDB or PostgreSQL as the product repository. MariaDB is configured as the default repository. Aside from these two databases, you can also use a remote database.
RabbitMQ | Runs RabbitMQ. RabbitMQ is the message brokering software service for sending and receiving messages between systems.
Vault | Runs HashiCorp's Vault. Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets.
Etcd | Runs Etcd, which is used to store Vault data. Etcd is a distributed key-value store.

MariaDB is the default database. You can change this to PostgreSQL if you prefer. Do not enable both databases.

Service stacks

Stack Name | Description
OpenIAM core services | Runs services shared across the product.
Identity manager | Runs the identity manager application. Identity manager automates the task of managing identities across the various devices and applications used by the enterprise.
Workflow | Runs the workflow application. A workflow is a repeatable process during which documents, information, or requests are passed from one participant to another for action, according to a set of procedural rules. A participant can be a person, a machine, or both.
Groovy manager | Runs Groovy Manager, an application for managing Groovy scripts in OpenIAM. Apache Groovy is a dynamic programming language for the Java platform. Groovy Manager allows you to add, update, edit, and modify Groovy scripts to extend the identity governance and web access management functionality to meet specific, complex requirements.
Synchronization | Runs the synchronization application. Synchronization allows you to synchronize data from one or more authoritative sources to a set of managed systems. Synchronization configuration enables monitoring a source system for changes and then updating target systems at scheduled periodic intervals.
Reconciliation | Runs the reconciliation application. This is two-way synchronization between OpenIAM and the target system.
Authorization manager | Runs the authorization manager. This module handles RBAC authorization via relationships between Users, Organizations, Roles, Groups, and Resources.
E-mail Manager | Runs the email manager. Handles sending and receiving email.

UI Stack

Stack Name | Description
Tomcat with three applications | Three web applications, which are described below:
  • IdP - The OpenIAM web application which provides centralized authentication and self-service password reset functionality. This application also allows OpenIAM to be configured as both an Identity Provider and a Service Provider.
  • Webconsole - The OpenIAM web application for administrators for managing identities across various devices and applications used by an enterprise, and for controlling access to these devices and applications.
  • Self-service - The OpenIAM end-user web application that allows users to create new requests, reset and change passwords, manage their profiles, manage access requests, manage challenge response security questions, look up corporate users through a directory search, and reset their accounts if they are locked out. Authorized users can also use the request approval functionality.

Reverse Proxy Stack

Stack Name | Description
Apache Webserver with rProxy | Gateway between clients and a server for managing inbound traffic to a server.

System requirements

The table below specifies the minimum system requirements for deploying a non-production OpenIAM v4.2.x instance using Docker.

MINIMUM Hardware requirements

Configuration | Non-Production | Production (may increase based on sizing)
Memory | 48 GB | 64 GB
CPU | 8 CPUs | 12 CPUs
Disk | 60 GB | 150 GB

Please ensure that your environment is aligned with the minimum system requirements described above. These parameters are not optional: OpenIAM will not start if system resources are below the minimum levels.

For production use: customers with active subscriptions, and partners, should contact OpenIAM Support (techsupport@openiam.com) for assistance with sizing requirements.

Software requirements

Specification | Requirement
OS | Ubuntu (20.04 LTS) or CentOS 8 stream / RHEL 8.5+
Docker client | 19.03.12 or higher
Docker compose | 1.28.2 or higher
Supported Browsers | Google Chrome (v108.0.5359.75 and later), Microsoft Edge, Mozilla Firefox (v87 and later). Note: Internet Explorer (IE) is not supported.

Preparing your system

The OpenIAM application requires the configurations described below to be performed prior to installing the application.

Install required packages

Prior to installing OpenIAM, execute the commands below to install the required packages. If you are logged in as root, you do not need to prefix them with "sudo"; if you are using another account, prefix each command with "sudo".

Description | Command on CentOS 8+ | Command on CentOS 7+ | Command on Ubuntu
Update the OS | dnf update | yum update | apt-get update
Install Nano | dnf install nano | yum install nano | apt-get install nano
Install wget | dnf install wget | yum install wget | apt-get install wget
Install git | dnf install git | yum install git | apt-get install git

Example for CentOS 8.x

dnf update
dnf install nano wget git

Example for Ubuntu 20.04

apt-get update
apt-get upgrade
apt-get install nano wget git

Update the hosts file

Make sure that your /etc/hosts file contains a value for the hostname that you defined earlier. To edit the hosts file, use an editor like Nano.

127.0.0.1 iam-nonprod

Settings for ElasticSearch and Docker

ElasticSearch

OpenIAM uses Elasticsearch as a search engine. To enable fast access, Elasticsearch maps portions of an index into its memory address space. This is done through mmap, a Unix system call that maps files or devices into memory. To use mmap effectively, Elasticsearch requires a sufficient mmap count. The default operating system limit on mmap counts is inadequate for the required performance and may result in out-of-memory exceptions. Set vm.max_map_count to at least 262144; to ensure that the value persists across restarts, set it in the /etc/sysctl.conf file.

Disabling IPv6 on Docker Host

By default, IPv6 is disabled in Docker. Disabling IPv6 on the Docker host(s) as well prevents potential network issues. To disable IPv6 on the host(s) where Docker is running, ensure that the following values are set in /etc/sysctl.conf: net.ipv6.conf.all.disable_ipv6=1 and net.ipv6.conf.default.disable_ipv6=1.

To summarize, edit the /etc/sysctl.conf file to include the following settings:

vm.max_map_count=262144
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Save the above changes and then run sudo sysctl -p to apply these settings without restarting the system.
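The check below is an added example and is not part of the OpenIAM documentation or scripts: a small POSIX shell script that audits a sysctl.conf-style file for the three settings above, so the prerequisite can be verified before (or after) running sysctl -p. The two sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM documentation: audit a sysctl.conf-style file
# for the three kernel settings this section requires, before running sysctl -p.
# Exit status 0 = all present with acceptable values, 1 = at least one must be fixed.

# sysctl_value FILE KEY -> the last uncommented value assigned to KEY in FILE.
# sysctl applies the last occurrence, so that is the effective one; '=' may be
# surrounded by spaces, as in the stock file.
sysctl_value() {
    sv_file="$1"; sv_key="$2"
    sed -e 's/#.*//' "$sv_file" | awk -F'=' -v k="$sv_key" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) v = $2
        }
        END { if (v != "") print v }'
}

# audit_sysctl_conf FILE -> one line per setting; returns 1 if any is missing or too low.
audit_sysctl_conf() {
    f="$1"; rc=0
    # Elasticsearch mmap requirement: vm.max_map_count must be at least 262144.
    mmc=$(sysctl_value "$f" vm.max_map_count)
    if [ -n "$mmc" ] && [ "$mmc" -ge 262144 ] 2>/dev/null; then
        echo "ok      vm.max_map_count=$mmc"
    else
        echo "MISSING vm.max_map_count (need >= 262144, found '${mmc:-unset}')"; rc=1
    fi
    # Both IPv6 keys must be exactly 1.
    for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        v=$(sysctl_value "$f" "$key")
        if [ "$v" = "1" ]; then
            echo "ok      $key=1"
        else
            echo "MISSING $key (need 1, found '${v:-unset}')"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files for demonstration; on a real host pass /etc/sysctl.conf
# and compare with the live values from `sysctl vm.max_map_count`.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# stock-looking file: map count too low, IPv6 still enabled
vm.max_map_count = 65530
net.ipv6.conf.all.disable_ipv6=0
EOF
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
vm.max_map_count=262144
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
EOF
echo "--- weak.conf"; audit_sysctl_conf "$SAMPLE_DIR/weak.conf" || echo "not ready"
echo "--- good.conf"; audit_sysctl_conf "$SAMPLE_DIR/good.conf" && echo "ready"
```

Run it against /etc/sysctl.conf on the Docker host; a non-zero exit status means at least one setting is missing or below the required value. Because sysctl applies the last assignment for a key, the parser deliberately keeps the last value rather than the first.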

Install the Docker engine

Docker Engine is a containerization technology for building and containerizing applications. Docker Engine acts as a client-server application with:

  • A server with a long-running daemon process dockerd.
  • APIs which specify interfaces that programs can use to talk to and instruct the Docker daemon.
  • A command line interface (CLI) client docker

To install the Docker engine, follow the OS-specific steps below. Additional information on installing the Docker engine can be found in the Docker documentation.

Ubuntu

Setup the repository

Update the apt package index and install packages to allow apt to use a repository over HTTPS:

apt-get update
apt-get install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common

Use the following command to set up the stable repository.

add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"

Note: if you see the following error while running this operation on Ubuntu 20.04 LTS, follow the additional steps described below before installing the Docker engine.

Err:5 https://download.docker.com/linux/ubuntu focal InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
Reading package lists... Done
W: GPG error: https://download.docker.com/linux/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
E: The repository 'https://download.docker.com/linux/ubuntu focal InRelease' is not signed.

Open apt sources list in a text editor, like nano:

nano /etc/apt/sources.list

Scroll to the bottom and find the following lines:

deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
# deb-src [arch=amd64] https://download.docker.com/linux/ubuntu focal stable

Comment out that first line with a # at the beginning. Next, copy the same line right below it, replacing the Ubuntu codename focal with eoan. After the changes, it should look like the example below:

# deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
deb [arch=amd64] https://download.docker.com/linux/ubuntu eoan stable
# deb-src [arch=amd64] https://download.docker.com/linux/ubuntu focal stable

Save this file, add Docker's GPG key with the command below, and then install the Docker engine as described in the next step.

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Install the docker engine

sudo apt-get update && sudo apt install docker-ce docker-ce-cli containerd.io
sudo systemctl enable docker.service
sudo systemctl enable containerd.service

Verify that Docker Engine is installed correctly by running the hello-world image.

docker run hello-world

Note: If you get the following response when running docker run hello-world, then use the work around below:

Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown.
ERRO[0001] error waiting for container: context canceled

Solution:

mkdir /sys/fs/cgroup/systemd
mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
docker run hello-world

CentOS / RHEL

Setup the repository

Install the yum-utils package (which provides the yum-config-manager utility) and set up the stable repository

yum install -y yum-utils
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo

Install the Docker engine

Install the latest version of Docker Engine and containerd. The next step is to start the engine.

yum install docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker.service
systemctl enable containerd.service

Install Docker compose

Compose is a tool for defining and running multi-container Docker applications such as OpenIAM. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from your configuration. The procedure described below installs version 1.28.2 of Docker Compose on your system.

  • Run the command below to download the current stable release of Docker Compose
curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  • Apply executable permissions to the binary
chmod +x /usr/local/bin/docker-compose
  • To check the version of docker compose, run the command below
docker-compose --version
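The script below is an added example, not part of the OpenIAM documentation or the Docker tooling: it parses the output of docker --version and docker-compose --version and compares the version numerically against the minimums stated in this guide (Docker client 19.03.12, Docker Compose 1.28.2). The version strings in it are constructed samples in the format the two commands print.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM documentation: check that the installed Docker
# client and Docker Compose meet the minimums this page states (19.03.12 and 1.28.2).
# The version strings at the bottom are constructed samples, not captured output.

# extract_version "TEXT" -> first dotted number in TEXT
# (e.g. "Docker version 19.03.12, build ..." -> 19.03.12).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge A B -> exit 0 if A >= B, comparing each dot-separated component numerically,
# so 19.03.12 > 19.3.9 and 20.10.7 > 19.03.12 (a plain string comparison gets these wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_min_version NAME "VERSION-OUTPUT" MIN -> 0 if the output reports MIN or newer.
check_min_version() {
    found=$(extract_version "$2")
    if [ -z "$found" ]; then
        echo "$1: could not parse a version from '$2' (is it installed?)"; return 1
    fi
    if version_ge "$found" "$3"; then
        echo "$1 $found >= $3: ok"; return 0
    fi
    echo "$1 $found < $3: upgrade required"; return 1
}

# Demonstration on constructed outputs; on a real host replace the quoted strings with
# "$(docker --version 2>/dev/null)" and "$(docker-compose --version 2>/dev/null)".
check_min_version docker  "Docker version 19.03.12, build abc1234"         19.03.12 || true
check_min_version docker  "Docker version 18.09.7, build abc1234"          19.03.12 || true
check_min_version compose "docker-compose version 1.28.2, build abc1234"   1.28.2   || true
check_min_version compose "docker-compose version 1.27.4, build abc1234"   1.28.2   || true
check_min_version compose ""                                               1.28.2   || true
```

The numeric comparison matters because Docker versions carry a zero-padded month component (19.03) that a lexical comparison would mishandle against later releases.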

Installing the OpenIAM Application

The installation process allows for a significant amount of flexibility. The steps below describe the minimum number of parameters that need to be configured to install on a single VM. Additional details are given in the sections referenced in the table below. If you are new to OpenIAM, we recommend starting with this simpler path, which uses a more limited set of options.

Clone the OpenIAM Docker repository

Next, clone the "OpenIAM docker compose" repository from OpenIAM's Git repository. This project contains the scripts that set environment variables and start and stop the container services. To clone the repository, run the following commands in a Linux terminal window.

mkdir -p /usr/local/openiam
cd /usr/local/openiam
git clone https://bitbucket.org/openiam/openiam-docker-compose.git
cd openiam-docker-compose/
git checkout RELEASE-4.2.1.2

The cloned repository will contain the following scripts.

Script | Description
env.sh | File containing environment variables. The required environment variables can be updated and added in this file. The env.sh file is sourced during the installation process and the export statements in this file are executed.
setup.sh | Script for setting up and updating the OpenIAM configuration. During the initial OpenIAM deployment, this script initializes the network and pulls the latest images from the OpenIAM repository (openiamdocker) on Docker Hub. When updating the OpenIAM deployment, running this script pulls newer images from the OpenIAM repository on Docker Hub.
startup.sh | Script for starting up the OpenIAM instance. When updating the OpenIAM deployment, running this script updates the configuration on your system with the latest release updates. Warning: Please do not modify this script in any way.
shutdown.sh | Script for shutting down all OpenIAM stacks, except volumes.
teardown.sh | Script for tearing down all OpenIAM stacks, volumes, and networks.
generate.cert.sh | Script to generate certificates for Vault authentication.

Additional configuration options

Section | Description
Yaml Files | YAML configuration files are provided for the services and infrastructure components used within OpenIAM. These files provide configuration information for the containers.
Configuration options | Configuration options which will be used during installation.

Set the community edition flag

  • Edit the /usr/local/openiam/openiam-docker-compose/env.sh
  • Uncomment the IMAGE_SUFFIX line so that it reads as shown below:
export IMAGE_SUFFIX="-ce"

Save your changes.

This flag ensures that the setup process pulls the community edition images, which are public, and does not try to pull the Enterprise Edition images, which require authentication to Docker Hub.

Initialize Vault

OpenIAM uses Vault to store secrets such as database passwords and Redis passwords. Communication with Vault uses a certificate. To generate the required certificates, follow the steps below:

  • Edit the /usr/local/openiam/openiam-docker-compose/env.sh file.
  • Update the VAULT_JKS_PASSWORD setting in the env.sh file with your password; the password can be anything that you want.
  • Run the command, shown below, to generate a CA Certificate.
    • In the Enterprise version, you have the option to use an existing CA Certificate from a trusted CA.

After editing, the entry should resemble the line below:

export VAULT_JKS_PASSWORD=your_password_goes_here

Save your changes.

cd /usr/local/openiam/openiam-docker-compose
sudo ./generate.cert.sh

You should see output similar to the example shown below:

SQL Files exist
This script will generate a key-pair that vault will use. Make sure to first set VAULT_JKS_PASSWORD in env.sh
Press enter to continue
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
.....................................+++++
e is 65537 (0x010001)
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
.........+++++
e is 65537 (0x010001)
Signature ok
subject=C = CZ, ST = Test, L = Test, O = Test, OU = Test, CN = vault
Getting CA Private Key
writing RSA key

Upon successful completion of the above operation, you should also see several certificate-related files, as shown in the image below.

Certificates generated

Define database ports

Starting with v4.2.0, OpenIAM uses Flyway to manage database schema generation and migrations from one version to the next. This ensures that your database is properly versioned and up to date. OpenIAM supports Flyway versioning for MariaDB, PostgreSQL, MSSQL, and Oracle 12.2+.

The env.sh file defines properties which will be used by Flyway.

At a minimum, you will need to set the following properties in env.sh:

  • DB_TYPE - The type of database that you will be using as the OpenIAM product repository. By default this value is set to "MariaDB", which is the database installed by default.
  • FLYWAY_OPENIAM_HOST - Host where the OpenIAM database will reside. This is the primary product schema. If you are using MariaDB or PostgreSQL in a Docker container, set it to database.
  • FLYWAY_OPENIAM_PORT - Port on which the OpenIAM database will be running. Default ports for the supported databases are:
    • MariaDB=3306
    • Postgres=5432
    • Oracle=1521
    • Microsoft SQL Server=1433
  • FLYWAY_ACTIVITI_HOST - Host where the Activiti database will reside. Activiti is the database used by the workflow engine. If you are using MariaDB or PostgreSQL in a Docker container, set it to database.
  • FLYWAY_ACTIVITI_PORT - Port on which the Activiti database, used by the workflow engine, will be running.
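The script below is an added example, not part of the openiam-docker-compose project: it reads an env.sh file and checks the settings that the preceding sections ask you to edit (IMAGE_SUFFIX, VAULT_JKS_PASSWORD, DB_TYPE and the FLYWAY_* host and port pairs). It assumes env.sh uses export NAME=value lines, as the snippets above show; the DB_TYPE spellings other than "MariaDB" are this example's assumptions, and both sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM project: pre-flight check of the env.sh
# settings this page asks you to edit (IMAGE_SUFFIX, VAULT_JKS_PASSWORD, DB_TYPE and
# the FLYWAY_* host/port pairs). It assumes the file uses `export NAME=value` lines,
# as the page's own snippets do. Exit status 0 = ready, 1 = something must be fixed.

# env_value FILE NAME -> value of the last active `export NAME=...` line, quotes stripped.
# Lines starting with '#' are ignored, so a still-commented setting reads as unset.
env_value() {
    sed -n -e '/^[[:space:]]*#/d' \
           -e "s/^[[:space:]]*export[[:space:]][[:space:]]*$2=//p" "$1" \
        | tail -n 1 \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# default_db_port TYPE -> default port listed on this page for the given DB_TYPE.
# The spellings other than "MariaDB" are assumptions of this example.
default_db_port() {
    case "$1" in
        MariaDB)    echo 3306 ;;
        PostgreSQL) echo 5432 ;;
        Oracle)     echo 1521 ;;
        MSSQL)      echo 1433 ;;
        *)          echo "" ;;
    esac
}

# audit_env FILE -> prints one line per check; returns 1 if any FAIL line was printed.
audit_env() {
    f="$1"; rc=0

    suffix=$(env_value "$f" IMAGE_SUFFIX)
    if [ "$suffix" = "-ce" ]; then
        echo "ok   IMAGE_SUFFIX=-ce (public community images)"
    else
        echo "FAIL IMAGE_SUFFIX is '${suffix:-unset}'; uncomment export IMAGE_SUFFIX=\"-ce\" for a CE install"; rc=1
    fi

    # The page's placeholder value must not survive into a real deployment.
    pw=$(env_value "$f" VAULT_JKS_PASSWORD)
    case "$pw" in
        ""|your_password_goes_here) echo "FAIL VAULT_JKS_PASSWORD is unset or still the placeholder"; rc=1 ;;
        *) echo "ok   VAULT_JKS_PASSWORD is set" ;;
    esac

    dbtype=$(env_value "$f" DB_TYPE)
    want=$(default_db_port "$dbtype")
    if [ -z "$want" ]; then
        echo "FAIL DB_TYPE '${dbtype:-unset}' is not a supported database type"; rc=1
    else
        echo "ok   DB_TYPE=$dbtype (default port $want)"
    fi

    # Both Flyway targets need a host; a port that differs from the DB default is only a warning.
    for svc in OPENIAM ACTIVITI; do
        host=$(env_value "$f" "FLYWAY_${svc}_HOST")
        port=$(env_value "$f" "FLYWAY_${svc}_PORT")
        if [ -z "$host" ]; then
            echo "FAIL FLYWAY_${svc}_HOST unset (use 'database' for the bundled container)"; rc=1
        fi
        if [ -n "$want" ] && [ "$port" != "$want" ]; then
            echo "WARN FLYWAY_${svc}_PORT='${port:-unset}' but the $dbtype default is $want"
        fi
    done
    return $rc
}

# Constructed sample files for demonstration (not real deployment files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad.env.sh" <<'EOF'
#export IMAGE_SUFFIX="-ce"
export VAULT_JKS_PASSWORD=your_password_goes_here
export DB_TYPE="MariaDB"
export FLYWAY_OPENIAM_HOST=database
export FLYWAY_OPENIAM_PORT=3307
EOF
cat > "$SAMPLE_DIR/good.env.sh" <<'EOF'
export IMAGE_SUFFIX="-ce"
export VAULT_JKS_PASSWORD='Correct-Horse-Battery-9'
export DB_TYPE="MariaDB"
export FLYWAY_OPENIAM_HOST=database
export FLYWAY_OPENIAM_PORT=3306
export FLYWAY_ACTIVITI_HOST=database
export FLYWAY_ACTIVITI_PORT=3306
EOF
echo "--- bad.env.sh";  audit_env "$SAMPLE_DIR/bad.env.sh"  || echo "not ready"
echo "--- good.env.sh"; audit_env "$SAMPLE_DIR/good.env.sh" && echo "ready"
```

Run it as audit_env /usr/local/openiam/openiam-docker-compose/env.sh before generate.cert.sh and setup.sh; a commented-out IMAGE_SUFFIX line or the untouched password placeholder are the two mistakes that otherwise surface only later as a failed image pull or a Vault bootstrap error.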

Initialize Docker Swarm

Swarm mode provides the cluster management and orchestration features of Docker Engine. Docker engines participating in a cluster run in swarm mode, which is enabled either by initializing a swarm, as in the command below, or by joining an existing swarm. For more information, see the docker swarm and Swarm mode key concepts documentation.

Make sure that you initialize the Docker swarm. Log into Docker and initialize the swarm by entering the following command in a terminal:

sudo docker swarm init

You will see output similar to this:

Swarm initialized: current node (7risfc2161nwzir4a65po3lro) is now a manager.
To add a worker to this swarm, run the following command:
docker swarm join --token SWMTKN-1-15mdug8xi71uap0dgaayqi2ohhl8qxaaeg7m8k6q015yiuqt0j-6ip90bh1rm2td8y9baoya4qlx 173.231.56.82:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

Open ports for Docker Swarm

By default, the shell scripts provided by OpenIAM deploy to the docker swarm. You must ensure that the necessary ports are opened otherwise the manager and worker node(s) will not be able to communicate with each other.

Important: Please see this information about ports above 30000 used by the swarm from the load balancing section of Docker documentation: The swarm manager uses ingress load balancing to expose the services you want to make available externally to the swarm. The swarm manager can automatically assign the service a PublishedPort or you can configure a PublishedPort for the service. You can specify any unused port. If you do not specify a port, the swarm manager assigns the service a port in the 30000-32767 range.

Pull the docker images

To set up (or update) your configuration, run the setup.sh script. This initializes the network and pulls the latest images from Docker Hub.

Users familiar with OpenIAM can modify the script as required by their internal needs.

  • Run the setup.sh script as shown below to pull the Docker images from Docker Hub.
sudo ./setup.sh

This process will take several minutes. Upon successful completion, you will see the following lines at the end.

+ set -e
+ . env.sh
++ set -e
++++ readlink -f ./setup.sh
+++ dirname /usr/local/openiam/openiam-docker-compose/setup.sh
++ SCRIPTPATH=/usr/local/openiam/openiam-docker-compose
++ POST_SCRIPT=/usr/local/openiam/openiam-docker-compose/post_script
++ ls /usr/local/openiam/openiam-docker-compose/post_script/1.post_script.sql
++ echo 'SQL Files exist'
SQL Files exist
++ cat /usr/local/openiam/openiam-docker-compose/post_script/1.post_script.sql
++ export NUM_MANAGER_NODES=1
++ NUM_MANAGER_NODES=1
++ export NODE_ROLE=manager
++ NODE_ROLE=manager
++ export DISK_DRIVER=local
++ DISK_DRIVER=local
++ export LOGGING_LEVEL=WARN
++ LOGGING_LEVEL=WARN
++ export OPENIAM_BASH_LOG_LEVEL=warn
++ OPENIAM_BASH_LOG_LEVEL=warn
...
Digest: sha256:270a35b4de5e82db20e6559b005959effc3b011f7c16f24ed49b4a4d679c7f55
Status: Downloaded newer image for bitnami/cassandra:3.11.10
docker.io/bitnami/cassandra:3.11.10
+ docker pull openiamdocker/vault-ce:alpine-4.2.1.2-prod
alpine-4.2.1.2-prod: Pulling from openiamdocker/vault-ce
540db60ca938: Pull complete
2e47ca89f619: Pull complete
db20698d79d2: Pull complete
5e539904218d: Pull complete
ca9e9a69a7f1: Pull complete
f276fd4358cb: Pull complete
bd8c65818798: Pull complete
785436aae8c1: Pull complete
20a49e78ef3e: Pull complete
d64b105d0b0e: Pull complete
7bcd3f0ce4c3: Pull complete
dca08ec9d44a: Pull complete
11762c870049: Pull complete
e2d46cc51f00: Pull complete
64dadd81846c: Pull complete
6c5d1b80b2c4: Pull complete
402784c82dcb: Pull complete
40e370fe4424: Pull complete
323eb0ba032b: Pull complete
8f97438fc7ab: Pull complete
Digest: sha256:d8ab5d2dc48f113a6f1cc5149be50fd114de962230a5f3c93135133e6358e2a0
Status: Downloaded newer image for openiamdocker/vault-ce:alpine-4.2.1.2-prod
docker.io/openiamdocker/vault-ce:alpine-4.2.1.2-prod
+ docker pull openiamdocker/vault-bootstrap-ce:alpine-4.2.1.2-prod
alpine-4.2.1.2-prod: Pulling from openiamdocker/vault-bootstrap-ce
2408cc74d12b: Pull complete
043e1fd82f44: Pull complete
eb3ade491245: Pull complete
a70e7a6b32b7: Pull complete
3bbadb916a56: Pull complete
6d705b122cbc: Pull complete
d55dd44f182d: Pull complete
b81a6c2f5d96: Pull complete
b6cb69cb2b62: Pull complete
426df32819e9: Pull complete
506b299499a4: Pull complete
488e7b0521ed: Pull complete
b55033b81ea6: Pull complete
Digest: sha256:93060fa2fb0f07752dd65c5518dc334be387676b7a2dbb0dad075d9fa2d9177e
Status: Downloaded newer image for openiamdocker/vault-bootstrap-ce:alpine-4.2.1.2-prod
docker.io/openiamdocker/vault-bootstrap-ce:alpine-4.2.1.2-prod
+ docker pull openiamdocker/ui-ce:debian-4.2.1.2-prod
debian-4.2.1.2-prod: Pulling from openiamdocker/ui-ce
df9b9388f04a: Already exists
488151d00693: Already exists
3ffd7ecdff4e: Pull complete
83d880ea5c29: Pull complete
e47296b51044: Pull complete
bce0aba193d9: Pull complete
aba32930e50a: Pull complete
88a02b7e3da2: Pull complete
b01d81e86b5a: Pull complete
18bd3bb5c565: Pull complete
08bfdb6ee05f: Pull complete
9541692ef545: Pull complete
a6b1ed8c4e13: Pull complete
24592926960c: Pull complete
f5027931a7d3: Pull complete
9c8c471bf180: Pull complete
55c246c7edaa: Pull complete
7d544680c36e: Pull complete
d9d377c65610: Pull complete
001e2c37ea8d: Pull complete
68c4bc390540: Pull complete
2742032d2e8b: Pull complete
b41f512d5992: Pull complete
d4555716112d: Pull complete
157fcf8ffc5d: Pull complete
c2d643586ee5: Pull complete
1ddfa61b7fe9: Pull complete
d8327f356669: Pull complete
8b9fcafe955b: Pull complete
e26aecb8c833: Pull complete
c2bf3265e80c: Pull complete
2a5d70f4e306: Pull complete
Digest: sha256:7331a3c235a8c0db527a6fb1e441a62bed18b22a8cad60c19d2507b536b62d96
Status: Downloaded newer image for openiamdocker/ui-ce:debian-4.2.1.2-prod
docker.io/openiamdocker/ui-ce:debian-4.2.1.2-prod

Start the OpenIAM Application

Now you are ready to start the OpenIAM containers. Run the startup.sh script to initiate the startup process.

sudo ./startup.sh

You should see output similar to the example below

SQL Files exist
Using MariaDB as the database type...
Nothing found in stack: flyway
etcd_storage
vault_server_storage
vault_client_storage
connector_data_storage
filebeat-storage
openiam-janusgraph-storage
upload_storage
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
5cc84ad355aa: Pull complete
Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
Status: Downloaded newer image for busybox:latest
Creating service etcd_etcd
Creating service vault_vault
Creating service vault-bootstrap_vault_bootstrap
Creating service openiam-elasticsearch-storage_service
Creating service openiam-jks-storage_service
Creating service openiam-activiti-storage_service
Creating service openiam-rabbitmq-storage_service
Creating service openiam-iamscripts-storage_service
Creating service redis_service
Creating service elasticsearch_service
Creating service cassandra_cassandra
Waiting for cassandra to become running, so that we can bring up janusgraph
Creating service janusgraph_service
Creating service rabbitmq_service
openiam-mysql-storage_storage
Creating service database_database
Creating service flyway_flyway
Creating service openiam_synchronization
Creating service openiam_business-rules-manager
Creating service openiam_idm
Creating service openiam_reconciliation
Creating service openiam_device-manager
Creating service openiam_esb
Creating service openiam_auth-manager
Creating service openiam_workflow
Creating service openiam_groovy_manager
Creating service openiam_email-manager
Creating service ui_ui
Creating service ldap-connector_service
Creating service rproxy_rproxy

Watch the container startup process

The containers may take 8 to 15 minutes (depending on your environment) to start up completely. You can watch the start-up process using the command below. Note that the UI container will take some time and will be among the last to start, as it depends on other components being up first.

watch -n 5 'docker ps'

You should see output similar to the example below when all containers have started successfully

Every 5.0s: docker ps localhost: Tue Dec 13 23:10:05 2022
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ea09a7b4c275 openiamdocker/rproxy-ce:debian-4.2.1.2-prod "httpd-foreground" 6 minutes ago Up 6 minutes (healthy) 0.0.0.0:80->80/tcp, 443/tcp rproxy_rproxy.x07u7lwh0yt8hf5yxqlcogrnd.m18m18dsiqwci694045z4i9j3
033bf1232f90 openiamdocker/ldap-connector-rabbitmq-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) ldap-connector_service.x07u7lwh0yt8hf5yxqlcogrnd.qg3t7qrxb2wvrkd7to8j2n7e1
92fee6f9c753 openiamdocker/ui-ce:debian-4.2.1.2-prod "docker-entrypoint.s…" 6 minutes ago Up 6 minutes (healthy) 8080/tcp ui_ui.x07u7lwh0yt8hf5yxqlcogrnd.5bi96p8zn3a8x9z0hw7ahsm8f
63d8145819b7 openiamdocker/esb-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) 9080/tcp openiam_esb.x07u7lwh0yt8hf5yxqlcogrnd.d6c0jc0ufqo6tykedfiiwrs77
bffbcdc88cd4 openiamdocker/reconciliation-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_reconciliation.x07u7lwh0yt8hf5yxqlcogrnd.edh20vxbrpwcyhlnus2brq0ek
3dfba7a68e2d openiamdocker/idm-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_idm.x07u7lwh0yt8hf5yxqlcogrnd.dcux35en71gqc7qkg7rudiss8
7df0f25b2a68 openiamdocker/synchronization-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_synchronization.x07u7lwh0yt8hf5yxqlcogrnd.n1acr9tubvuq7qtjtklitia5t
b5d0655b9320 openiamdocker/auth-manager-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_auth-manager.x07u7lwh0yt8hf5yxqlcogrnd.jxmr3n4pzsw3krgmmbzthm3d8
b2bf25c6ab38 openiamdocker/email-manager-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_email-manager.x07u7lwh0yt8hf5yxqlcogrnd.8qdpbj8wnh83sw3ja99bw4nob
976a7d10305b openiamdocker/business-rule-manager-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) 9080/tcp openiam_business-rules-manager.x07u7lwh0yt8hf5yxqlcogrnd.xa8z24bfovwcfho6h63l7am9m
7e5a9ed88ca8 openiamdocker/workflow-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_workflow.x07u7lwh0yt8hf5yxqlcogrnd.rrpe41itvr1m01m23sd5krblr
2186dc74525a openiamdocker/groovy-manager-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_groovy_manager.x07u7lwh0yt8hf5yxqlcogrnd.67pvirxw21vpz7sn769fo8kgg
2f5bcdbde715 openiamdocker/device-manager-ce:debian-4.2.1.2-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_device-manager.x07u7lwh0yt8hf5yxqlcogrnd.vx33uwyiwxnp9dv5n4grw626z
3f18f9ad13f8 openiamdocker/mariadb-ce:debian-4.2.1.2-prod "init.sh /opt/bitnam…" 7 minutes ago Up 7 minutes (healthy) 3306/tcp database_database.1.tf2t5gf4l56vc3az6xcj1mwa9
1bd7296d6d35 openiamdocker/rabbitmq-ce:alpine-4.2.1.2-prod "docker-entrypoint.s…" 7 minutes ago Up 7 minutes (healthy) 4369/tcp, 5671-5672/tcp, 15691-15692/tcp, 25672/tcp rabbitmq_service.1.b7796rzwuzspyqoqkaqqw3i0j
250309c47472 openiamdocker/janusgraph-ce:debian-4.2.1.2-prod "init.sh janusgraph" 7 minutes ago Up 7 minutes (healthy) 8182/tcp janusgraph_service.1.vbkyvyp31rxfyix90tcozrc0w
a0096e9fa8d2 bitnami/cassandra:3.11.10 "/opt/bitnami/script…" 8 minutes ago Up 8 minutes (healthy) 7000/tcp, 9042/tcp cassandra_cassandra.1.nn81neqb26065m5u2kkpiwvfm
8514d7a15677 openiamdocker/elasticsearch-ce:debian-4.2.1.2-prod "init.sh" 8 minutes ago Up 8 minutes (healthy) 9200/tcp, 9300/tcp elasticsearch_service.x07u7lwh0yt8hf5yxqlcogrnd.ss5mtgwa0rhei6bwqr5vl1mju
9a2289463564 openiamdocker/redis-ce:debian-4.2.1.2-prod "redis.sh /run.sh" 8 minutes ago Up 8 minutes (healthy) 6379/tcp redis_service.1.vcqyu4ka1zv2f12z0evuy7en9
5a7ae4c9ef55 openiamdocker/vault-ce:alpine-4.2.1.2-prod "docker-entrypoint.s…" 8 minutes ago Up 8 minutes (healthy) 8200/tcp vault_vault.1.5ue5x1prgwof3bz2ujes2mw1e
c48815dc3780 bitnami/etcd:3.3.13 "/entrypoint.sh etcd" 9 minutes ago Up 9 minutes 2379-2380/tcp etcd_etcd.1.lw1lb0odizelknsbs973ud3yh

Validate the startup

curl -k -I -L http://127.0.0.1/idp/login

You should see output similar to the example below.

HTTP/1.1 200
Date: Tue, 13 Dec 2022 23:10:52 GMT
Server: Apache
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://127.0.0.1/selfservice/csp/report" } ] }
Content-Security-Policy: default-src 'self' blob: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' *; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4569
Set-Cookie: SESSION=OWNhYTU4MWEtNDhlZS00MTcyLWIwMTktNDNhMGNlZTI4YTcz; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding

The application is now operational and you can log in.
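The checks above can be made repeatable. The following shell script is an added example, not OpenIAM's own tooling: it parses captured `curl -I` headers and `docker ps` output (both sample inputs below are constructed from the output shown above), confirms the login page answers 200 with the hardening headers and an HttpOnly session cookie, and lists any container that does not report (healthy). The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of OpenIAM: validate the startup from captured output.
# Sample inputs are constructed from the curl and docker ps output shown above.

SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200
Content-Security-Policy: default-src 'self' blob: 'unsafe-inline' 'unsafe-eval'; report-uri /selfservice/csp/report
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Set-Cookie: SESSION=OWNhYTU4MWEtNDhlZS00MTcyLWIwMTktNDNhMGNlZTI4YTcz; Path=/; HttpOnly; SameSite=Lax
EOF
)

# Constructed docker ps excerpt: redis reports (healthy); etcd has no healthcheck.
SAMPLE_PS=$(cat <<'EOF'
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9a2289463564 openiamdocker/redis-ce:debian-4.2.1.2-prod "redis.sh /run.sh" 8 minutes ago Up 8 minutes (healthy) 6379/tcp redis_service.1.vcqyu4ka1zv2f12z0evuy7en9
c48815dc3780 bitnami/etcd:3.3.13 "/entrypoint.sh etcd" 9 minutes ago Up 9 minutes 2379-2380/tcp etcd_etcd.1.lw1lb0odizelknsbs973ud3yh
EOF
)

# check_login_headers: reads response headers on stdin (for a live instance, pipe in
# `curl -k -s -I http://127.0.0.1/idp/login`) and succeeds only when the status is 200,
# the hardening headers shown above are present and the SESSION cookie is HttpOnly.
check_login_headers() {
  headers=$(tr -d '\r')
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  [ "$status" = "200" ] || { echo "unexpected status: ${status:-none}"; return 1; }
  for h in 'X-Frame-Options:' 'X-Content-Type-Options: nosniff' 'Content-Security-Policy:'; do
    printf '%s\n' "$headers" | grep -qi "^$h" || { echo "missing header: $h"; return 1; }
  done
  printf '%s\n' "$headers" | grep -i '^Set-Cookie: SESSION=' | grep -q 'HttpOnly' \
    || { echo "SESSION cookie is not HttpOnly"; return 1; }
  echo "login page OK"
}

# unhealthy_services: reads `docker ps` output on stdin and prints the name of every
# container whose STATUS does not say (healthy). Containers with no healthcheck
# (etcd above) are listed too, so review them rather than treating them as failures.
unhealthy_services() {
  awk 'NR > 1 && $0 !~ /\(healthy\)/ { print $NF }'
}

printf '%s\n' "$SAMPLE_HEADERS" | check_login_headers
printf '%s\n' "$SAMPLE_PS" | unhealthy_services
```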

First time login

The final validation of our deployment is to be able to log in to the OpenIAM web applications. To do this, you must first find the IP address of our VM.

Next open your browser (preferably Chrome or Firefox), and hit:

http://[ip address of your installation]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00

OpenIAM Login page

The next screen will ask you to change the default password. As you enter your new password, you will see the password policy on the side. Your password must align with this policy. You will be able to change both the password and the policy later.

Change password

The next step is to define a content provider using the screen shown below. A Content provider is an alias that represents a domain. Associated with the content provider can be UI themes, authentication policies, etc. The table below describes the fields on this screen.

Content Provider Name: You can think of a content provider as an "alias" which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, please enter a value such as: Default CP
Domain Pattern: This value is defaulted in. It should be the IP address or host DNS name of the instance where OpenIAM has been installed.
Application supports SSL?: This configuration determines if the OpenIAM application will be accessed over HTTP or HTTPS. Unless you have already configured the certificate, select Support on HTTP. You will be able to update this configuration later.

Define initial content provider

After setting the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account if you lock yourself out. Make a note of your answers.

Note: You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

Challenge questions

After completing the above steps, you will be taken to the admin console landing page shown below. Allow the system about 5 minutes to refresh its internal cache, and then you can proceed to configure your solution.

Webconsole landing page

Frequently used commands with Docker

The following commands are frequently used with Docker.

./startup.sh: Starts the OpenIAM Docker containers.
./shutdown.sh: Stops the OpenIAM Docker containers. Ensure that all containers have stopped before restarting; you can validate that the containers have stopped using the docker ps command.
docker ps: Shows all the containers which are running.
watch -n 5 'docker ps': Allows you to observe the Docker containers. The view is refreshed every 5 seconds (the interval given to -n).
docker logs [container id]: Shows the logs related to the container ID. You can get the container ID from the docker ps command.
docker exec -it [container id] bash: Opens an interactive shell inside the container.
docker restart -t [time] [container id]: Restarts a container. Time is the number of seconds to wait for the container to stop before it is killed and started again.

Additional resources