Deploying via Docker
This section describes how to deploy the OpenIAM platform in a Docker Swarm
environment. The procedures described in this section must be performed in the order that they are presented. Some steps in this installation require root
level privileges to the system where OpenIAM will be deployed.
What is Docker?
Docker is a tool for creating, deploying, and running applications using containers. Docker Compose is a tool for defining and running multi-container Docker applications. Docker provides a standardized, lightweight, execution environment that maintains all dependencies within it. It can be run on either physical or virtualized environments which are on-premise or in the cloud. For more information about docker, please see see the Docker website and Docker Documentation.
OpenIAM on Docker
The OpenIAM Docker deployment method enables you to deploy on OpenIAM using a series of pre-configured containers in a short amount of time without the complexity of deploying a series of dependencies. The simplified deployment method requires:
- Installing the Docker software
- Configuring environment variables
- Running scripts for setting up and starting up the OpenIAM instance. Running the deployment scripts automatically takes care of all component dependencies and release updates.
OpenIAM docker containers are maintained on Docker hub. Once these containers have been pulled into your environment using the details below, you will also need:
- Docker client - Docker Community Edition (CE) versions 19.03.12 or higher
- Docker compose - Defines and enables the operation of a multi-container Docker application. OpenIAM uses
docker-compose
file format 3.2
OpenIAM Solution Stacks
The OpenIAM solution consists of several stacks that are deployable the Docker Swarm. Docker swarm is a container orchestration tool, meaning that it allows for the manage multiple containers deployed across multiple host machines. The content of each stack is described below
Critical Infrastructure stacks
The infrastructure stacks are used across the OpenIAM solution regardless of the functionality that you are enabling. These components must be operational for the OpenIAM solution to function correctly.
Stack Name | Description |
---|---|
Elasticsearch | Runs Elasticsearch. Elasticsearch is an enterprise-level search engine. Elasticsearch uses an index-based search approach, which allows for fast searching. The architecture allows for scalability, flexibility, and multi-tenancy support |
Redis | Runs Redis. Redis is an in-memory data structure store used as a database, cache, and message broker by OpenIAM |
MariaDB / PostgresSQL | Runs either MariaDB or PostgreSQL as the product repository. MariaDB is configured as the default repository. Aside from these two databases, you can also use a remote database |
RabbitMQ | Runs RabbitMQ. RabbitMQ is the message brokering software service for sending and receiving messages between systems |
Vault | Runs Hashicorp's Vault. Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets |
Etcd | Runs Etcd, which is used to store Vault data. Etcd is a distributed key-value store. |
MariaDB is the default Database. You can change this to PostgreSQL if you prefer. You will not enable both database
Service stacks
Stack Name | Description |
---|---|
OpenIAM core services | Runs services shared across the product. |
Identity manager | Runs the identity manager application. Identity manager automates the task of managing identities across various devices and applications used by the enterprise. |
Workflow | Runs the workflow application. A workflow is a repeatable process during which documents, information, or requests are passed from one participant to another for action, according to a set of procedural rules. A participant can be a person, machine, or both. |
Groovy manager | Runs Groovy Manager, an application for managing Groovy scripts in OpenIAM. Apache Groovy is a dynamic programming language for the Java platform. allows you to add, update, edit, and modify Groovy scripts to extend the identity governance and web access management functionality to meet specific, complex requirements. |
Synchronization | Runs the synchronization application. Synchronization allows you to synchronize data from one or more authoritative sources to a set of managed systems. Synchronization configuration enables monitoring a source system for changes and then updating target systems at scheduled periodic intervals. |
Reconciliation | Runs the reconciliation application. This is two side synchronization between OpenIAM and the target system |
Authorization manager | Runs the authorization manager. This module handles RBAC authorization via relationships between Users, Organizations, Roles, Groups, and Resources. |
E-mail Manager | Runs the email manager. Handles sending and receiving email. |
UI Stack
Stack Name | Description |
---|---|
Tomcat with three applications | Three web applications which are described below |
- IdP - The OpenIAm web application which provides centralized authentication and self-service password reset functionality. This application also allows OpenIAM to be configured as both an Identity Provider and a Service Provider
- Webconsole - The OpenIAM web application for administrators for managing identities across various devices and applications used by an enterprise, and for controlling access to these devices and applications.
- Self-service - The OpenIAM end-user web application that allows users to create new requests, reset and change passwords, manage their profiles, manage access requests, manage challenge response security questions, look up corporate users through a directory search, and reset their accounts if they are locked out. Authorized users can also use the request approval functionality.
Reverse Proxy Stack
Stack Name | Description |
---|---|
Apache Web server with rProxy | Gateway between clients and a server for managing inbound traffic to a server. |
System requirements
The table below specifies the minimum system requirements for deploying a non-production OpenIAM v4.2.x instance using Docker.
MINIMUM Hardware requirements
Configuration | Non-Production | Production (may increase based on sizing) |
---|---|---|
Memory | 48 GB | 64 GB |
CPU | 8 CPUs | 12 CPUs |
Disk | 80 GB | 200 GB |
Please ensure that you are environment is aligned with the minimum system requirements described above. These parameters are not optional. OpenIAM will not start if system resources are below the minimum levels.
For production use: Customers with active subscriptions and partners, should contact OpenIAM Support (techsupport@openiam.com) for assistance with sizing requirements.
Software requirements
Specification | Requirement |
---|---|
OS | Ubuntu (20.04 LTS) or CentOS 8 Stream/RHEL 8.5+ |
Docker client | 23.0.1 or higher |
Docker compose | 1.28.2 or higher |
Supported Browsers | Google Chrome (v89.0.4389.114 and later), Microsoft Edge, Mozilla Firefox (v87 and later). Note: Internet Explorer (IE) is not supported. |
Preparing your system
The OpenIAM application requires the configurations described below to be performed prior to installing the application.
Install pre-requisite packages
Prior to installing the OpenIAM, please execute the commands below to install the required packages. If you have already logged in as root
, you do not need to prefix them with “sudo”. If you have used another account, then you need to use “sudo”
Description | Command on CentOS 8 Stream | Command on Ubuntu |
---|---|---|
Update the OS | dnf update | apt-get update |
Install Nano | dnf install nano | apt-get install nano |
Install wget | dnf install wget | apt-get install wget |
Install git | dnf install git | apt-get install git |
Example for CentOS 8 Stream
dnf updatednf install nano wget git
Example for Ubuntu 20.04
apt-get updateapt-get upgradeapt-get install nano wget git
Update the hosts file
Make sure that your /etc/hosts
file contains a value for the hostname that you defined earlier. To edit the hosts file, use an editor like Nano.
127.0.0.1 iam-nonprod
Settings for ElasticSearch and Docker
ElasticSearch
OpenIAM uses ElasticSearch as a search engine. To enable fast access, ElasticSearch maps portions of an index into its memory address space. This is done through nmap
, a Unix system call that maps files or devices into memory. To use mmap effectively, ElasticSearch requires sufficient mmap counts. The default operating system limits on mmap counts are inadequate for the required performance and this may result in out of memory exceptions. The required mmap value can be configured by setting the vm.max_map_count
value in /etc/sysctl.conf
to be at least 262144. To ensure that the vm.max_map_count persists across restarts, set this value in the /etc/sysctl.conf file
Disabling IPv6 on Docker Host
By default, IPv6 is disabled in Docker. Disabling IPv6 on Docker host(s) prevents any potential network issues. To disable IPv6 on host(s) where Docker is running, ensure that the Docker host(s) have the following value set in /etc/sysctl.conf: net.ipv6.conf.all.disable_ipv6=1
and net.ipv6.conf.default.disable_ipv6 = 1
To summarize, the /etc/sysctl.conf file must have the following changes:
vm.max_map_count=262144net.ipv6.conf.all.disable_ipv6=1net.ipv6.conf.default.disable_ipv6=1
Save the above changes and then run sudo sysctl -p
to apply these settings without restarting the system.
Install the Docker engine
Docker Engine is a containerization technology for building and containerizing applications. Docker Engine acts as a client-server application with:
- A server with a long-running daemon process
dockerd.
- APIs which specify interfaces that programs can use to talk to and instruct the Docker daemon.
- A command line interface (CLI) client
docker
To install the docker engine, follow the OS specific steps below. For, additional information related to the installation of the docker engine can be found at:
Ubuntu
Setup the repository
Update the apt package index and install packages to allow apt to use a repository over HTTPS
sudo apt-get install \ca-certificates \curl \gnupg \lsb-release
Add Docker's official GPG Key
sudo mkdir -p /etc/apt/keyringscurl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
Use the following command to setup the repository
echo \"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install the docker engine
- Update the apt package index
sudo apt-get update
Note: If you receive a GPG error when running apt-get update, then follow the steps below. Your default umask may be incorrectly configured, preventing detection of the repository public key file.
sudo chmod a+r /etc/apt/keyrings/docker.gpgsudo apt-get update
- Install the Docker engine,
containerd
, and Docker compose plugin
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
CentOS 8 Stream / RHEL 8.5+
Setup the repository
Install the yum-utils package (which provides the yum-config-manager utility) and set up the stable repository
yum install -y yum-utilsyum-config-manager \--add-repo \https://download.docker.com/linux/centos/docker-ce.repo
Install the Docker engine
Install the latest version of Docker Engine and containerd. The next step is to start the engine.
yum install docker-ce docker-ce-cli containerd.iosystemctl start dockersystemctl enable docker.servicesystemctl enable containerd.service
Install Docker compose
Compose is a tool for defining and running multi-container Docker applications such as OpenIAM. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration. The procedure described below installs version 1.28.2 of Docker Compose on your system
- Run the command below to download the current stable release of Docker Compose
curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- Apply executable permissions to the binary
chmod +x /usr/local/bin/docker-compose
- To check the version of docker compose, run the command below
docker-compose --version
Verify that Docker engine is installed correctly
Run the hello-world
image.
docker run hello-world
Note: If you get the following response when running docker run hello-world
, then use the work-around below:
Status: Downloaded newer image for hello-world:latest docker: Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown. ERRO[0001] error waiting for container: context canceled
Solution:
mkdir /sys/fs/cgroup/systemdmount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemddocker run hello-world
After successfully running the hello-world
test, log in to Docker hub using the command shown below. Use our hub.docker.com credentials.
sudo docker login
You will be prompted for your Docker userID and password.
Note: Without successfully authenticating with the docker repository, you will not be able to pull the docker images required to install OpenIAM.
Installing the OpenIAM Application
The installation process allows for a significant amount of flexibility. The steps below describe the minimum number of parameters which need to be configured to install on a single VM. Additional details in the sections referenced by the table below. If you are new to OpenIAM, we recommend starting with the simpler path with a more limited set of options.
Clone the OpenIAM Docker repository
Next, we need to clone the "OpenIAM docker compose" repository from OpenIAM's Git Repository. This project contains scripts that set environment variables, start and stop the container services. To clone the repository, follow the steps below.
They should be performed in a Linux terminal window.
mkdir -p /usr/local/openiamcd /usr/local/openiamgit clone https://bitbucket.org/openiam/openiam-docker-compose.gitcd openiam-docker-compose/git checkout RELEASE-4.2.1.5
The cloned repository will contain the following scripts.
Script | Description |
---|---|
env.sh | File containing environment variables. The required environment variables can be updated and added in this file. The env.sh file is sourced during the installation process and the export statements in this file are executed. |
setup.sh | Script for setting up and updating the OpenIAM configuration. During the initial OpenIAM deployment, this script initializes the network and pulls the latest images from the OpenIAM repository (openiamdocker) on Docker Hub. When updating the OpenIAM deployment, running this script pulls newer images from the OpenIAM repository on Docker Hub |
startup.sh | Script for starting up the OpenIAM instance.When updating the OpenIAM deployment, running this script updates the configuration on your system with the latest release updates. |
Warning: Please do not modify this script in any way. | |
shutdown.sh | Script for shutting down all OpenIAM stacks, except volumes. |
teardown.sh | Script for tearing down all OpenIAM stacks, volumes, and networks. |
generate.cert.sh | Script to generate certificates or Vault authentication. |
Additional configuration options
Section | Description |
---|---|
Yaml Files | YAML configuration files are provided for the services and infrastructure components used within OpenIAM. These files provide configuration information for the containers. |
Configuration options | Configuration options which will be used during installation. |
Initialize Vault
OpenIAM uses Vault in order to store secrets, such as database passwords, redis passwords, etc. Communication with Vault occurs via a certificate.
- Edit the
/usr/local/openiam/openiam-docker-compose/env.sh
file which was downloaded from the openiam-docker-compose project above. - Set
BUILD_ENVIRONMENT="dev"
to BUILD_ENVIRONMENT="prod" - Set the
VAULT_JKS_PASSWORD
in the env.sh file. This password can be anything that you want. - Run the command, shown below, to generate a CA Certificate.
- In the Enterprise version, you have the option to use an existing CA Certificate from a trusted CA.
cd /usr/local/openiam/openiam-docker-composesudo ./generate.cert.sh
You should see output similar to the example shown below:
SQL Files existThis script will generate a key-pair that vault will use. Make sure to first set VAULT_JKS_PASSWORD in env.shPress enter to continueGenerating RSA private key, 2048 bit long modulus (2 primes).......+++++.....................................+++++e is 65537 (0x010001)Generating RSA private key, 2048 bit long modulus (2 primes)...+++++.........+++++e is 65537 (0x010001)Signature oksubject=C = CZ, ST = Test, L = Test, O = Test, OU = Test, CN = vaultGetting CA Private Keywriting RSA key
Upon successful completion of the above operation, you should also see several certificates related files as shown in the image below.
Define database ports
Starting with V4.2.0, OpenIAM uses Flyway to manage database schema generation and migrations from one version to the next. This ensures that your database is properly versioned and up-to-date. OpenIAM supports Flyway versioning for MariaDB, PostgreSQL, and MSSQL, and Oracle 12.2+
The env.sh
file defines properties which will be used by Flyway.
At a minimum, you will need to define to set the following parameters: To enable Flyway, set the following properties in env.sh
- DB_TYPE - This parameter define the type of database that you will be using as the OpenIAM product repository. My default this value is set to "MariaDB" which is installed by default .
- FLYWAY_OPENIAM_HOST - Host where the OpenIAM database will be residing. This is the primary product schema. If you are using MariaDB or PostgreSQL in a docker container, set it to
database
- FLYWAY_OPENIAM_PORT - Port where the OpenIAM database will be running. Default ports for the supported databases include:
- MariaDB=3306
- Postgres=5432
- Oracle=1521
- Microsoft SQL Server=1433
- FLYWAY_ACTIVITI_HOST - Host where the Activti database will be residing. Activiti, is the database used by the workflow engine. If you are using MariaDB or PostgreSQL in a docker container, set it to
database
- FLYWAY_ACTIVITI_PORT - Port where Activiti database, which is used by the workflow engine, will be running.
Initialize Docker Swarm
Docker uses swarms for cluster management and orchestration features of Docker Engine, the technology for containerizing applications. Docker engines participating in a cluster run in the swarm mode. The swarm mode is enabled by either initializing a swarm, as in the command above, or by joining an existing swarm. For more information, see docker swarm and Swarm mode key concepts documentation.
Make sure that you initialize the Docker swarm. Log into Docker and initialize the swarm by entering the following command in a terminal:
sudo docker swarm init
You will see output similar to this:
Swarm initialized: current node (7risfc2161nwzir4a65po3lro) is now a manager.To add a worker to this swarm, run the following command:docker swarm join --token SWMTKN-1-15mdug8xi71uap0dgaayqi2ohhl8qxaaeg7m8k6q015yiuqt0j-6ip90bh1rm2td8y9baoya4qlx 173.231.56.82:2377To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
Open ports for Docker Swarm
By default, the shell scripts provided by OpenIAM deploy to the docker swarm. You must ensure that the necessary ports are opened otherwise the manager and worker node(s) will not be able to communicate with each other.
Important: Please see this information about ports above 30000 used by the swarm from the load balancing section of Docker documentation: The swarm manager uses ingress load balancing to expose the services you want to make available externally to the swarm. The swarm manager can automatically assign the service a PublishedPort or you can configure a PublishedPort for the service. You can specify any unused port. If you do not specify a port, the swarm manager assigns the service a port in the 30000-32767 range.
Pull the docker images
To setup (and/or update) your configuration, you can run the setup.sh script. This will initialize the network, and pull the latest images from Docker Hub.
For users, familiar with OpenIAM, you can modify the script as required by your internal needs.
- Run the setup.sh script as shown below to pull the docker images form Docker Hub.
sudo ./setup.sh
This process will take several minutes. Upon successful completion, you will see the following lines at the end.
...alpine-4.2.1.5-prod: Pulling from openiamdocker/vault-bootstrap2408cc74d12b: Pull complete8acf04b6840b: Pull complete3beb9345946f: Pull completec1b681de5fde: Pull completedb7adc810805: Pull complete4eb6f4385fdb: Pull complete744c11ede61a: Pull completef9b7e7834164: Pull completefef31eda48d3: Pull complete63e22388991f: Pull completefcfa4f2fe81c: Pull complete92ea156899d8: Pull complete289a5a257de1: Pull completeDigest: sha256:a9dd4f9ea16146d0a23ec9155964fc217f46c652650acf54a9eaa4e6bc128791Status: Downloaded newer image for openiamdocker/vault-bootstrap:alpine-4.2.1.5-proddocker.io/openiamdocker/vault-bootstrap:alpine-4.2.1.5-prod+ docker pull openiamdocker/ui:debian-4.2.1.5-proddebian-4.2.1.5-prod: Pulling from openiamdocker/ui9621f1afde84: Already exists646a8f97c6a8: Already exists903dccdc2fa1: Pull complete961c475e9bbc: Pull complete3f7ec4d00b78: Pull completedd4d8205bd22: Pull completeedaa8faaa609: Pull complete9a546dd50571: Pull completeaf95414d674b: Pull complete3b03b0c99ac4: Pull completef9ea0d006eae: Pull completec4e45447fa2b: Pull completee0db3e4edead: Pull complete7ae746fa2707: Pull complete833d64ad51bb: Pull completedf1922e905f8: Pull complete2290deb87f99: Pull complete725995405dc9: Pull completee9ab11e849cf: Pull completeb49ddc825927: Pull completef25977955834: Pull complete2bde0af5ace2: Pull complete9243dd42ffb3: Pull complete6b0f3fe36d4c: Pull complete6cf40209ddfd: Pull complete190e13292050: Pull complete91d9e7266787: Pull completea822b2a447bd: Pull complete40f08d5d5355: Pull complete9e4511fd196d: Pull complete0ee83895d9a1: Pull complete374f3dfee912: Pull complete6d09b51cce0b: Pull completeDigest: sha256:00160336ce5bab8dbeadbf02071c5bf5e8e522f1e55b9f4e67d83dcea6a2a68dStatus: Downloaded newer image for openiamdocker/ui:debian-4.2.1.5-proddocker.io/openiamdocker/ui:debian-4.2.1.5-prod
Start the OpenIAM Application
Now you are ready to start the OpenIAM containers. Run the startup.sh script to initiate the startup process
sudo ./startup.sh
You should see output similar to the example below
root@localhost:/usr/local/openiam/openiam-docker-compose# ./startup.shSQL Files existUsing MariaDB as the database type...Nothing found in stack: flywayetcd_storagevault_server_storagevault_client_storageconnector_data_storagefilebeat-storageopeniam-janusgraph-storageupload_storageUnable to find image 'busybox:latest' locallylatest: Pulling from library/busybox205dae5015e7: Pull completeDigest: sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627cStatus: Downloaded newer image for busybox:latestCreating service etcd_etcdCreating service vault_vaultCreating service vault-bootstrap_vault_bootstrapCreating service curator_curatorCreating service openiam-elasticsearch-storage_serviceCreating service openiam-jks-storage_serviceCreating service openiam-activiti-storage_serviceCreating service openiam-rabbitmq-storage_serviceCreating service openiam-iamscripts-storage_serviceCreating service redis_serviceCreating service elasticsearch_serviceCreating service cassandra_cassandraWaiting for cassandra to become running, so that we can bring up janusgraphCreating service janusgraph_serviceCreating service rabbitmq_serviceopeniam-mysql-storage_storageCreating service database_databaseCreating service flyway_flywayCreating service openiam_auth-managerCreating service openiam_device-managerCreating service openiam_email-managerCreating service openiam_business-rules-managerCreating service openiam_esbCreating service openiam_workflowCreating service openiam_idmCreating service openiam_synchronizationCreating service openiam_reconciliationCreating service openiam_groovy_managerCreating service ui_uiCreating service ldap-connector_serviceCreating service rproxy_rproxy
Watch the container startup process
The containers may take 8 to 15 minutes (depending your environment) to startup completely. You can watch the start up process using the command below. Note, that the UI container will take sometime and be among the last to start up as it has dependencies on other components being up first.
watch -n 5 'docker ps'
You should see output similar to the example below when all containers have started successfully
Every 5.0s: docker ps localhost: Fri Mar 3 03:11:53 2023CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES92e5b99d3ce3 openiamdocker/rproxy:debian-4.2.1.5-prod "httpd-foreground" 6 minutes ago Up 6 minutes (healthy) 0.0.0.0:80->80/tcp, 443/tcp rproxy_rproxy.crqbd828zyp6i2hlp2hqsce8j.y6sx3nn9rw0udpmc7i6o56wl16d5e4bcf17ba openiamdocker/ldap-connector-rabbitmq:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) ldap-connector_service.crqbd828zyp6i2hlp2hqsce8j.s4ckaztonjwa07g0ahimm4uu3fc78a2d4d4c9 openiamdocker/ui:debian-4.2.1.5-prod "docker-entrypoint.s…" 6 minutes ago Up 6 minutes (healthy) 8080/tcp ui_ui.crqbd828zyp6i2hlp2hqsce8j.2rlc6tg5xumz05vlb9aazbj2xf2cf2d089ed1 openiamdocker/groovy-manager:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_groovy_manager.crqbd828zyp6i2hlp2hqsce8j.qwtl5ltxbz7m9gugv05i6h0pc750edae3ef32 openiamdocker/reconciliation:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_reconciliation.crqbd828zyp6i2hlp2hqsce8j.qjegsqnpv7i1zmg2zxtoa0mbx4b5fbb6476b6 openiamdocker/synchronization:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_synchronization.crqbd828zyp6i2hlp2hqsce8j.yc2x8qp4w2p6msnnlbotr5gcx2c75591d5eb7 openiamdocker/idm:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_idm.crqbd828zyp6i2hlp2hqsce8j.ar7pjo5fypd62iq7t3g20d58a801cc362e66a openiamdocker/workflow:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_workflow.crqbd828zyp6i2hlp2hqsce8j.x00lzisma2jyybgck04vhkpmje65bb7be6329 openiamdocker/esb:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) 9080/tcp openiam_esb.crqbd828zyp6i2hlp2hqsce8j.kfube8ay1jl756vkh5kjpn0x2f1bebb144729 openiamdocker/business-rule-manager:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) 9080/tcp openiam_business-rules-manager.crqbd828zyp6i2hlp2hqsce8j.z8gqn95k6o1hxvj7s3c49hud3c25d0bf2ea1d openiamdocker/email-manager:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_email-manager.crqbd828zyp6i2hlp2hqsce8j.1c83ii8dr3lmfifi6dz7h9ns7dd0b9f49a08d openiamdocker/device-manager:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_device-manager.crqbd828zyp6i2hlp2hqsce8j.ktv4xygwzjqwhh9gap9r122e6c5f03b303e15 openiamdocker/auth-manager:debian-4.2.1.5-prod "docker-entrypoint.sh" 6 minutes ago Up 6 minutes (healthy) openiam_auth-manager.crqbd828zyp6i2hlp2hqsce8j.fnao004z5nrftc03de7txp8k51d46f7a7dd19 openiamdocker/mariadb:debian-4.2.1.5-prod "init.sh /opt/bitnam…" 7 minutes ago Up 7 minutes (healthy) 3306/tcp database_database.1.rg6ja470ky0c5qwnn1npkc29dc51770501ae1 openiamdocker/rabbitmq:alpine-4.2.1.5-prod "docker-entrypoint.s…" 7 minutes ago Up 7 minutes (healthy) 4369/tcp, 5671-5672/tcp, 15691-15692/tcp, 25672/tcp rabbitmq_service.1.9qtlh8iuj7zztvf8u3v6i53ugbcf8322d555f openiamdocker/janusgraph:debian-4.2.1.5-prod "init.sh janusgraph" 7 minutes ago Up 7 minutes (healthy) 8182/tcp janusgraph_service.1.mkqcove19i6kos1yavpxkd7803be53073e2ac bitnami/cassandra:3.11.10 "/opt/bitnami/script…" 8 minutes ago Up 8 minutes (healthy) 7000/tcp, 9042/tcp cassandra_cassandra.1.uo58kve7xfpa7q2gqbfokar5r43e31a06d942 openiamdocker/elasticsearch:debian-4.2.1.5-prod "init.sh" 8 minutes ago Up 8 minutes (healthy) 9200/tcp, 9300/tcp elasticsearch_service.crqbd828zyp6i2hlp2hqsce8j.a1ksx8188l4h2sqe4rv10pr066fdc65d21306 openiamdocker/redis:debian-4.2.1.5-prod "redis.sh /run.sh" 8 minutes ago Up 8 minutes (healthy) 6379/tcp redis_service.1.tcxn1y11ircdw9sp8o1k8a51p74e1b69006db openiamdocker/vault:alpine-4.2.1.5-prod "docker-entrypoint.s…" 9 minutes ago Up 9 minutes (healthy) 8200/tcp vault_vault.1.efgxrrlrkfst9p0mdnw47ipd6810a0eb96102 bitnami/etcd:3.3.13 "/entrypoint.sh etcd" 9 minutes ago Up 9 minutes 2379-2380/tcp etcd_etcd.1.i8gs6munkns9ec7uq28zhahul
Validate the startup
curl -k -I -L http://127.0.0.1/idp/login
You should see output similar to the example below
HTTP/1.1 200Date: Fri, 03 Mar 2023 03:12:56 GMTServer: ApacheReport-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://127.0.0.1/selfservice/csp/report" } ] }Content-Security-Policy: default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' data:; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpointAccess-Control-Allow-Origin: *X-Frame-Options: sameoriginX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockCache-Control: no-cachePragma: no-cacheExpires: Wed, 31 Dec 1969 23:59:59 GMTX-UA-Compatible: IE=EmulateIE10x-openiam-force-auth: falsex-openiam-login-uri: /idp/loginContent-Type: text/html;charset=UTF-8Content-Language: en-USContent-Length: 4745Set-Cookie: SESSION=MDA2ZGNkOGQtODljZC00ZjQ2LWI5ZTAtNmIxNTZhNGQyN2Vi; Path=/; HttpOnly; SameSite=LaxVary: Accept-Encoding
The application is now operational and you can login.
First time login
The final validation of our deployment is to be able to login to the OpenIAM web applications. To do this, must first find the IP address of our VM.
Next open your browser (preferably Chrome or Firefox), and hit:
http://[ip address of your installation ]/webconsole
Use the following credentials for the first-time login:
Username: sysadminPassword: passwd00
The next screen will ask you to change the default password. As you enter your new password, you will see the password policy on the side. You password must align with this policy. You will be able to change both the password and the policy later
The next step is to define a content provider using the screen shown below. A Content provider
is an alias that represents a domain. Associated with the content provider can be UI themes, authentication policies, etc. The table below describes the fields on this screen.
Name | Description |
---|---|
Content Provider Name | You can think of a content provider an “alias” which represents a domain. This is described in more detail in the OpenIAM documentation. For this setup, please enter a value such as : Default CP |
Domain Pattern | This value is defaulted in. It should be the IP address or host DNS name of the instance where OpenIAM has been installed |
Application supports SSL? | This configuration determines if the OpenIAM application will be accessed over HTTP or HTTPS. Unless, you have already configured the certificate, select Support on HTTP . You will be able to update this configuration later. |
After setting the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account if you lock yourself out. Make a note of your answers.
After completing the above steps, you will be taken the admin console landing page shown below. Allow the system about 5 min to refresh in the internal cache and then you can proceed to configure your solution.
Frequently used commands with Docker
The following commands are frequently used with Docker.
Command | Description |
---|---|
./startup.sh | Starts the OpenIAM Docker containers |
./shutdown.sh | Stops the OpenIAM Docker containers |
Ensure that all containers have stopped before restarting. You can validate that the containers have stopped using the docker ps command | |
docker ps | Shows all the containers which are running |
watch -n 5 'docker ps' | Allows you to observe the docker containers. The view is refreshed every -n seconds. |
docker logs [container id] | Shows the logs related to the Container ID. You can get the Container ID from the docker ps command. |
docker exec -it [container id] bash | Allows you to connect to the container |
docker restart -t [time][container id] | Allows you to restart a container. Time is the number seconds to wait after stopping a container, but its started again. |