Change OpenIAM product database

The following sections describe options to switch the OpenIAM product database.

Switch existing installation using another database

Customers sometimes start an installation with the default MySQL database, usually because it is the simplest way to get started. Later they might want to use another database, such as MSSQL, Oracle or PostgreSQL.

Be aware that switching the DB is not the same as a migration. You will in fact be starting with a clean installation with default passwords. All configuration done via the OpenIAM web interface will be lost, as well as any users, roles, groups, etc. that have been created.

Part of this activity is a vault clean-up, so make sure you know all passwords stored there. Follow the steps below to switch the OpenIAM DB.

RPM type of installation

  1. Stop the OpenIAM application by running the 'openiam-cli stop' command, then make sure all processes are down.
  2. Modify the file in /usr/local/openiam/conf/properties according to the new DB type.
  3. Modify /usr/local/openiam/env.conf by setting the new DB connection details in the FLYWAY_% variables.
  4. Prepare the vault secrets so they can be re-bootstrapped in the next steps. You can retrieve the current secrets from vault by running script utils/vault/
./ vault.secret.rabbitmq.password
./ vault.secret.redis.password
./ vault.secret.elasticsearch.password
./ vault.secret.elasticsearch.username
  5. Stop the vault server by running the command pkill -9 vault. Next, clean up the vault database: stop etcd by running systemctl stop etcd and run rm -rf /var/lib/etcd/default.etcd/member/. Then start etcd by running systemctl start etcd and start vault by running from utils/vault.
  6. Run /usr/local/openiam/utils/vault/ and re-populate the new secrets for the connection. For the redis, rabbitmq and elasticsearch secrets, use the ones you fetched in step 4.
  7. Run /usr/local/openiam/utils/flyway/ to install the schemas in the new database.
  8. Start OpenIAM by running the openiam-cli start command.
  9. Restart the httpd service by running the systemctl restart httpd command.
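
A pre-flight check to run before the vault/etcd clean-up, since that step is irreversible. This is an added example, not an OpenIAM script: it assumes env.conf holds KEY=VALUE lines and that you saved the four secrets from step 4 to a key=value file of your own (hypothetical path, passed as the second argument).

```shell
#!/bin/sh
# Added example, not an OpenIAM script. Run it before the vault/etcd wipe.
# Assumptions: env.conf holds KEY=VALUE lines (optionally prefixed with
# "export"); the secrets fetched in step 4 were saved by the operator to a
# key=value file (hypothetical path, passed as the second argument).

REQUIRED_SECRETS="vault.secret.rabbitmq.password vault.secret.redis.password
vault.secret.elasticsearch.password vault.secret.elasticsearch.username"

# Fail if env.conf has no FLYWAY_ variables or any of them is empty.
check_flyway_vars() {
    awk '
        { sub(/^[ \t]*(export[ \t]+)?/, "") }
        /^FLYWAY_[A-Za-z0-9_]*=/ {
            seen++
            name  = substr($0, 1, index($0, "=") - 1)
            value = substr($0, index($0, "=") + 1)
            gsub(/"/, "", value)            # treat "" as empty too
            if (value == "") { print "empty: " name; bad++ }
        }
        END {
            if (!seen) { print "no FLYWAY_ variables found"; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Fail if the saved-secrets file is missing, accessible by group/other,
# or lacks a non-empty value for any secret listed in step 4.
check_saved_secrets() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    rc=0
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "group/other can access $1"; rc=1; }
    for key in $REQUIRED_SECRETS; do
        awk -v k="$key" 'index($0, k "=") == 1 && length($0) > length(k) + 1 { f = 1 }
            END { exit !f }' "$1" || { echo "not saved: $key"; rc=1; }
    done
    return $rc
}

preflight() {
    pf_rc=0
    check_flyway_vars "$1" || pf_rc=1
    check_saved_secrets "$2" || pf_rc=1
    return $pf_rc
}

# Stand-alone use: sh preflight.sh /usr/local/openiam/env.conf <saved-secrets-file>
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Delete the saved-secrets file once the secrets have been re-populated in vault.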