Installation with Internet Access

This section builds on the initial installation steps described in the RPM install section. Please ensure that you have completed the steps in that section before proceeding.

Installation with Internet access.

This type of installation is suitable for environments where the servers running the OpenIAM software will have internet access and can reach the OpenIAM website to download the software. You can validate this by running the command below.

curl; echo $?

You should see 0 as a result. If you see non-zero result, its means that you CANNOT reach the OpenIAM web site from your deployment server. Please resolve the internet access or use the offline installation instructions.

The RPM install for 4.2.1.x now supports both EL8 and EL7 versions of CentOS. During the installation you will be prompted to install MariaDB RDBMS. The use of MariaDB is acceptable for Demo / POC environment or small deployments. If you already have a database infrastructure that you would like to use, then you should answer 'N' at the prompt. The steps below describe how to install OpenIAM.

  1. Download Installer RPM with command

    curl --output openiam-4.2.X.noarch.x86_64.rpm
  2. Install from the RPM with the following command:

    sudo rpm -i openiam-4.2.X.noarch.x86_64.rpm

You should see output similar to:

  1. Start the initialization process which will download files required for installation from OpenIAM server. Please follow the instructions on the screen.
sudo openiam-cli init

System will download additional files, extract them locally, update yum repository and install some base packages. You will see output similar to the snippet below.

Initialize openiam
Download file openiamrepo.tar.gz from OpenIAM website
Download file backend.tar.gz from OpenIAM website
Download file frontend.tar.gz from OpenIAM website
cloud-init-21.1-7.el8_5.3.noarch kernel-tools-4.18.0-348.7.1.el8_5.x86_64
kernel-tools-libs-4.18.0-348.7.1.el8_5.x86_64 kexec-tools-2.0.20-57.el8_5.1.x86_64
libsss_autofs-2.5.2-2.el8_5.3.x86_64 libsss_certmap-2.5.2-2.el8_5.3.x86_64
libsss_idmap-2.5.2-2.el8_5.3.x86_64 libsss_nss_idmap-2.5.2-2.el8_5.3.x86_64
libsss_sudo-2.5.2-2.el8_5.3.x86_64 openssl-1:1.1.1k-5.el8_5.x86_64
openssl-libs-1:1.1.1k-5.el8_5.x86_64 python3-perf-4.18.0-348.7.1.el8_5.x86_64
qemu-guest-agent-15:4.2.0-59.module_el8.5.0+1063+c9b9feff.1.x86_64 selinux-policy-3.14.3-80.el8_5.2.noarch
selinux-policy-targeted-3.14.3-80.el8_5.2.noarch sssd-client-2.5.2-2.el8_5.3.x86_64
sssd-common-2.5.2-2.el8_5.3.x86_64 sssd-kcm-2.5.2-2.el8_5.3.x86_64
sssd-nfs-idmap-2.5.2-2.el8_5.3.x86_64 systemd-239-51.el8_5.2.x86_64
systemd-libs-239-51.el8_5.2.x86_64 systemd-pam-239-51.el8_5.2.x86_64
kernel-4.18.0-348.7.1.el8_5.x86_64 kernel-core-4.18.0-348.7.1.el8_5.x86_64 kernel-modules-4.18.0-348.7.1.el8_5.x86_64
  1. You will be asked if you want to install MariaDB as the default database.
Would you like to install MariaDB RDBMS locally? [y/n]:

Please answer Y if you would like to use the local MariaDB RDBMS as a database server. MariaDB is a good choice for quick and simple installations such as demos, POCs or small size production deployments of less than 500 active users. To use another database, please enter N. This question enables the installation of MariaDB so that it can be used later in the installation process.

4.1. If you answered Y for MariaDB installer will prepare the files needed to install and configure MariaDB. Once this process is complete, you will be asked the questions below. Answer them and proceed to the next step.

  • Enter current password for root (enter for none): -> Press: Enter button since a password has yet to be defined.
  • Set root password? [Y/n] -> Press y button and after Enter
  • New password: -> Type password for the root user. You will need it later during the installation.
  • Re-enter new password: -> Type the password for the root user as on the previous
  • Remove anonymous users? [Y/n] -> Press y button and after press Enter.
  • Disallow root login remotely? [Y/n] -> Press y button and after press Enter.
  • Remove test database and access to it? [Y/n] -> Press y button and after press Enter.
  • Reload privilege tables now? [Y/n] -> Press y button and after press Enter.

The snippet below provides a view of what you can expect to see in this part of the installation. Note, that for suссessful installation it is requires to default OpenIAM password for root user in MariaDB as passwd00. So, when the system asks you to set a new password, type 'passwd00'.

In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB installation should now be secure.
Thanks for using MariaDB!
  1. After MariaDB has been installed, the installer will move forward to a variety infrastructure services including Etcd, Vault, Redis, RabbitMQ and Cassandra, which is the storage for the graph database used in OpenIAM. This process will take 4-5 min. You will see output similar to the example below:
2022-05-12T16:23:21.987Z [INFO] core: usage gauge collection is disabled
2022-05-12T16:23:21.988Z [INFO] core: post-unseal setup complete
2022-05-12T16:23:21.988Z [INFO] core: vault is unsealed
2022-05-12T16:23:22.137Z [INFO] core: successful mount: namespace="\"\"" path=secret/ type=kv
2022-05-12T16:23:22.430Z [INFO] core: enabled credential backend: path=cert/ type=cert
Wait vault service to wakeup
Vault already initialized....
Vault already unsealed...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 12380 0 --:--:-- --:--:-- --:--:-- 12380
Generate OpenIAM encryption secrets
  1. The installer will ask a number to questions during the initialization process. For most questions, a default value has been provided to simplify the effort for users new to OpenIAM. The section which requires input from the installer is marked with the following message in the console: =============== CRITICAL SECTION ===============

Define database and infrastructure components credentials

OpenIAM has two schemas which are created by default: openiam and activiti. The openiam schema is the primary schema used by the platform and it stores a variety of information ranging from policies to user profile information and more. activiti is used by store information about workflows and their execution. The first set of questions raised by the installer are related to the creation of database user for each schema. Each question and it intent are listed below.

Question raised by the installerExplanation
Set OpenIAM username for openiam schema, default: idmuserThis is DB user name that will be used to manage the openiam OpenIAM schema. This is the primary schema in the solution data related to OpenIAM are stored. User will be used by the OpenIAM application to communicate with database. The default value is idmuser.
Set OpenIAM password for 'openiam' schema, default: idmuserThis is the password that will be used for username which was provided in the previous step. The default value is: idmuser
Set OpenIAM username for 'activiti' schema. For MySQL it will be the same as for openiam, default: idmuserThis is DB user name that will be used to manage the activiti schema. User will be used by OpenIAM application to communicate with the database. Default value is idmuser.
Set OpenIAM password for activiti schema. For MySQL it will be the same as for openiam, default: idmuserThis is the password that for the user associated with the activiti schema. The default value is idmuser
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser : passwd00
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti: passwd00

Message broker password

OpenIAM uses RabbitMQ as the message broker. RabbitMQ is the primary transport service used within the OpenIAM application. Services are loosely coupled and they communicate with each other through the message broker. Cross service communication is encrypted.

The next question raised by the installer is to define a password for RabbitMQ. As seen in the above questions, a default password value is provided for simplicity. For production use, please use a strong password.

Set OpenIAM password for RabbitMQ message broker, default: passwd00

Memory cache password

Redis is an in-memory distributed cache that is used by OpenIAM to improve system performance. A variety of objects are temporarily stored in Redis including:

  • End user web session
  • Database object cache
  • High level application cache.

As with other components, access to the cache is secured and the next question ask for a password which should be used for Redis.

Set OpenIAM password for Redis., default: passwd00

Elasticsearch credentials

Elasticsearch search is used by OpenIAM to enable fast searching of frequently used data. As with the components above, access to Elasticsearch is secured through its own set set of credentials. You be prompted for this information as shown below.

OpenIAM Username to access ElasticSearch: elastic
OpenIAM password for elastic user to access ElasticSearch: ilm5LjYPAeFWbfLE40dthmEOunN4Cnlz

The information requested above is critical for the installation process. Mistakes in these steps can disrupt the installation process. To minimize such issues, you will be asked to review the above answers. If you agree with the information, select Y. If you need to fix some information, select N and the installer will walk you through this process again.


After processing the above information, the installer will then install Cassandra. Cassandra is the storage engine for Janus Graph DB. You will see output similar to example below during this step:

Starting cassandra (via systemctl): [ OK ]
nodetool: Failed to connect to '' - ConnectException: 'Connection refused (Connection refused)'.
Waiting for cassandra
nodetool: Failed to connect to '' - ConnectException: 'Connection refused (Connection refused)'.
Waiting for cassandra
error: No nodes present in the cluster. Has this node finished starting up?
Waiting for cassandra
Datacenter: datacenter1
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
UN 73.49 KiB 256 100.0% 9af6453b-2428-4927-9e6a-bb0be15b3fa9 rack1
Cassandra alive
Cassandra is ready to use. Continue...

At this point the installer has enough information to complete the installation of: Elasticsearch, Redis, and RabbitMQ.

Initialize Database Schema

Question raised by the installerExplanation
Use default value if this is new installation. If you are doing update, specify your current (before update) version here, like, default: this install is an upgrade from an existing deployment, then the current version is important as it will determine which scripts need to be applied to upgrade the schema to the current version. If this is a new deployment, you can leave this blank.
This is the name of the OpenIAM core database. If using MariaDB, this is most likely openiam, default: openiamThis question provides the option to choose the primary database schema. You should leave this blank and let it default to openiam. This value should only be changed if the scripts have been altered by the customer.
This is the name of the openiam Activiti database. If using MariaDB, this is most likely activiti, default: activitiThis question provides the option to choose the database schema used by the workflow engine. You should leave this blank and let it default to activiti. This value should only be changed if the scripts have been altered by the customer.
Possible values: MySQL, Postgres, MSSQL, Oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default:mysqlSelect the type of database that you will be using as the OpenIAM product repository. You can leave this blank if you will be using either MariaDB or MySQL. If you are using either PostgreSQL, Oracle or Microsoft SQL server, enter one the following values based on your database type: postgres, oracle, mssql
Do you want to initialize OpenIAM Schema and Users? Select this if you are not created schema and users in RDBMS yet. Super user (root) password will required [y/n]If 'Y' then installer will create schemas in database and corresponded RDBMS users as well. For Oracle/MSSQL it will generate an SQL script that must be performed manually
Enter username for Super user (for mysql this is root), default: rootThe installer needs a super user account or equivalent which has the privileges to create new schema, users, tables, etc.
Enter password for super user (sa or root, depend on the db type), default:Enter the password for account provided in the last step
Do you use AWS RDS Mariadb? If Yes, make sure the RDS DB instance has the parameter log_bin_trust_function_creators = 1 [y/n]:Select 'n' if AWS RDS MariaDB is not being used for this deployment.
This is the hostname of where the OpenIAM core database is., default: localhostEnter the host or DNS name of the server where the primary OpenIAM database will be deployed.
This is the port of where the OpenIAM core database is. If using MariaDB, this is most likely 3306, default: 3306Enter the port number used by the database server hosting the primary OpenIAM database
This is the hostname of where the activiti database is., default: localhostEnter the host or DNS name of the server where the workflow database will be deployed.
This is the port of where the activiti database is. If using MariaDB, this is most likely 3306, default: 3306Enter the port number used by the database server hosting the workflow database

Once the questions have been answered, the installer will provide a summary of the questions and answers. Please review before proceeding. An example of this is shown below:

Please validate information below
Database will be initialized=Y
Root (Db admin) user name=root
Root (Db admin) user password=passwd00
Please validate your input above, if your are OK with that enter 'y'. To repeat an information collecting procedure enter 'n' :y

If you need to correct an answer, please enter n.

Once you select y, the installer will generate the database schema. Internally, this step is handled by a component called Flyway. Flyway is a database schema management and versioning utility. It's used to generate the schema as well as upgrade from one version to another.

Install reverse proxy

Next, the installer will ask you if you want to install the reverse proxy. The reverse proxy is an Apache web server plugin which has been purpose built for use with the OpenIAM stack and address specific use cases. In virtually all cases, you will want to install the rProxy. The exceptions can arise based on your deployment architecture. The rProxy can co-exist with other infrastructure components such as an F5. Enter y for the question below

Do you want to install OpenIAM reverse proxy module? [y/n]:

After, the system may ask whether you want to update httpd software. httpd is an Apache web-server used to host web-sites and applications, as well as process and provide responce to requests. Enter y for question below and proceed with installation.

Do you want to update httpd to 2.4.54 ? [y/n]:

The OpenIAM RPM installer will continue with initialization and apply the SQL scripts which are required for successful startup. The OpenIAM services will automatically run the application stack after successful initialization and will show you the current stack status. Usually startup takes near 6-10 minutes. You can view the status of the system as its coming up using the command line tools described below in OpenIAM components and Status.

Check the startup process

The containers may take 8 to 15 minutes (depending your environment) to startup completely. You can watch the start up process using the command below. Note, that the UI container will take sometime and be among the last to start up as it has dependencies on other components being up first.

Monitor the startup process

To check if the services have started, you can use the openiam-cli utility as shown in the example below:

openiam-cli status

You will see output similar to the example below:

Openiam Status report Thu May 12 19:05:50 UTC 2022
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - business-rule-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]
Note: In version there is a bug with the business-rule-manager healthcheck. You can ignore the warning. This issue has been resolved in

Validate the startup

curl -k -I -L

You should see output similar to the example below

HTTP/1.1 200
Date: Wed, 19 Jan 2022 23:04:10 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "" } ] }
Content-Security-Policy: default-src 'self' blob: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' *; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4833
Set-Cookie: SESSION=YzgxOGJkYzItNzIwYi00MGYwLTk4OTItM2JlMDY4ZWIwY2Ey; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding

First time login

The final validation of our deployment is to be able to login to the OpenIAM web applications. To do this, you must first find the IP address of our VM.

Next open your browser (preferably Chrome or Firefox), and hit:

http://[ip address of your installation ]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00

Enter the username on the field shown below and click Next

OpenIAM Login page .

The authentication process is spread over two screens. You will be asked to enter the password on the screen below.

Change password

The next screen will ask you to change the default password. As you enter your new password, you will see the password policy on the side. You password must align with this policy. You will be able to change both the password and the policy later.

Change password

The next step is to define a content provider using the screen shown below. A Content provider is an alias which represents a domain. Associated with the content provider can be UI themes, authentication policies, etc. The table below describes the fields on this screen.

Content Provider NameYou can think of a content provider an “alias” which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, please enter a value such as : Default CP
Domain PatternThis value is defaulted in. It should be the IP address or host DNS name of the instance where OpenIAM has been installed
Application supports SSL?This configuration determines if the OpenIAM application will be accessed over HTTP or HTTPS. Unless, you have already configured the certificate, select Support on HTTP. You will be able to update this configuration later.
Application serversThis is the location of the OpenIAM service layer which the UI and rProxy need to communicate with. In most cases, the default value will be correct since each of these components will be deployed on the same host. However, this configuration provides the flexibility to have the UI and service layer on separate hosts.

Define initial content provider

After setting the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account incase you have locked yourself out. Please make a note of your answers.

Note: You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

Challenge questions

After completing the above steps, you will be taken the admin console landing page shown below. Allow the system about 5 min to refresh the internal cache and then you can proceed to configure your solution.

Webconsole landing page

Post installation information

Using the OpenIAM Command line utility

OpenIAM provides a command line utility to help you view the status of all components as well as perform common operations such as view logs, start, stop, etc. The command is openiam-cli.

Just running the command by itself, as shown below, will display the list of all options.



Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}

Check status

To check the status of the components or the confirm that the system is up, please use the following command:

openiam-cli status

Check service logs

To check current logs of any service you can use the following command. You can get the services using the following command: openiam-cli log <service_name> .

For example, to check the logs of the openiam-esb module use the following command.

openiam-cli log openiam-esb

Start and stop

You can start and stop OpenIAM using the command line as well. To stop OpenIAM using the following command:

openiam-cli stop

You can check that the services have stopped by using the status command shown above.

You can start the application using the following command:

openiam-cli start

OpenIAM core services

NameDescriptionDefault Memory (RAM)
openiam-esbThe service that provides Web Service API and to the bigger part of functionality2048m
workflowThe service that provides Business Workflow functionality768m
groovy-managerThe service that provides Groovy extension functionality256m
idmThe service that provides provisioning to target systems functionality512m
reconciliationThe service that provides reconciliation against target systems functionality512m
email-managerThe service that provides Sending and Receiving emails functionality256m
auth-managerThe service that provides End user Authorization functionality1024m
device-managerThe service that provides Device management functionality (IOS and Android)256m
business-rule-managerThe service that provides Business Rules functionality512m
openiam-uiThis is web server (tomcat) that provides Graphical interface2048m


It is possible to receive a timeout error during the installation of Elasticsearch during initialization. This issue can be rectified by setting the SELinux mode to Permissive. Please refer to Red Hat's documentation for Changing SELinux states and modes.