Installation with Internet access

This section builds on the initial installation steps described in the RPM install section. Please ensure that you have completed the steps in that section before proceeding.

This type of installation is suitable for environments where the servers running the OpenIAM software have Internet access and can reach the OpenIAM download site. You can validate connectivity by running the command below.

curl https://openiam.com/; echo $?

You should see 0 as the result. A non-zero result means that you CANNOT reach the OpenIAM web site from your deployment server; resolve the Internet access problem or use the offline installation instructions. Note that curl's exit status reflects DNS, TCP and TLS success, not the HTTP status code, so a proxy that answers every request with an error page still yields 0. If in doubt, add -f (fail on HTTP errors) and also test https://download.openiam.com/, which is the host the installer actually downloads from.

The RPM installation for OpenIAM 4.2.2 supports Enterprise Linux 9 (EL9). During the installation process, you will be prompted to install MariaDB RDBMS as the default database.

Database recommendations

  • MariaDB usage: MariaDB is suitable for demo, proof-of-concept (POC) or small-scale deployments. For production environments, we strongly recommend using a corporate-standard database that aligns with your organization's IT policies and is fully supported operationally.
  • MariaDB in production: If you choose to use MariaDB in a production setting, ensure that:
    • It is properly sized for your workload
    • It is deployed in a high-availability (HA) configuration to enhance reliability.

Using an existing database infrastructure

If you already have a database infrastructure you prefer to use, select N when prompted during the installation. This option allows you to integrate OpenIAM with your preferred database system. The following sections guide you through the OpenIAM installation process step by step.
  1. Download the RPM installer using the following command (the same package URL applies whether the host is labelled EL8 or EL9; see the supported-platform note above):
    curl https://download.openiam.com/release/enterprise/4.2.2/rpm/openiam-4.2.2.noarch.x86_64.rpm --output /usr/src/openiam-4.2.2.noarch.x86_64.rpm
    Without -f, curl writes an HTTP error page to the --output file and still exits 0, so confirm that the file really is an RPM (for example with rpm -qip /usr/src/openiam-4.2.2.noarch.x86_64.rpm) before installing it.
  2. Once the download is complete, install OpenIAM using the following command. This step also updates the initial ulimit settings, which are required for the subsequent installation process.
    sudo rpm -i /usr/src/openiam-4.2.2.noarch.x86_64.rpm
    You should see output like the one given below.
openiam/
openiam/vault/
openiam/vault/openiam.cluster.policy.hcl
openiam/vault/openiam.policy.hcl
openiam/vault/secret.policy.hcl
openiam/vault/consul
openiam/vault/medusa
openiam/vault/vault
openiam/services/shutdown.sh
openiam/services/start_auth.sh
openiam/services/start_br.sh
openiam/services/start_device.sh
openiam/services/start_email.sh
openiam/services/start_esb.sh
openiam/services/start_groovy.sh
openiam/services/start_idm.sh
openiam/services/start_idp.sh
openiam/services/start_recon.sh
openiam/services/start_reportviewer.sh
openiam/services/start_sas.sh
openiam/services/start_selfservice.sh
openiam/services/start_selfservice_ext.sh
openiam/services/start_sync.sh
openiam/services/start_ui_static.sh
openiam/services/start_webconsole.sh
openiam/services/start_workflow.sh
openiam/OpenIAM-Base-Local.repo
openiam/env.conf

Your VM will reboot to apply changes to ulimit. After it reboots, reconnect to your VM by executing the following command and providing your credentials when prompted.

ssh [username]@[IP address of your VM]
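Step 1 above downloads with plain curl, which writes whatever the server returns (including an HTML error page) to the .rpm path and exits 0. The script below, an added example that is not part of the OpenIAM installer, performs the same download but fails on HTTP errors, allows only https, checks that the result starts with the RPM magic bytes before anything is handed to rpm, and runs rpm -K to show the package's digest and signature status. The URL and destination path in the usage comment are the ones from step 1; nothing else on this page states whether the vendor signs the RPM, so rpm -K is run to find out rather than to assert it.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM page or installer.
# Without -f, curl writes an HTTP error page (e.g. a 404) to the --output
# file and still exits 0, so "openiam-4.2.2.noarch.x86_64.rpm" may be HTML.
# These checks refuse anything that is not an RPM before it reaches rpm -i.

# is_rpm_file FILE: succeed only if FILE is non-empty and starts with the
# RPM lead magic bytes ED AB EE DB.
is_rpm_file() {
    [ -s "$1" ] || return 1
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    [ "$magic" = "edabeedb" ]
}

# fetch_rpm URL DEST: download with -f (fail on HTTP >= 400), -L (follow
# redirects) and --proto '=https' (refuse plain http even via redirect).
# Returns non-zero and removes DEST on any failure so a half-written or
# non-RPM file is never installed.
fetch_rpm() {
    url=$1; dest=$2
    if ! curl -fsSL --proto '=https' --tlsv1.2 "$url" --output "$dest"; then
        echo "download of $url failed" >&2
        rm -f "$dest"; return 1
    fi
    if ! is_rpm_file "$dest"; then
        echo "refusing $dest: not an RPM (probably an HTML error page)" >&2
        rm -f "$dest"; return 1
    fi
    # rpm -K prints the digest/signature status. An unsigned package shows
    # digests only; a signed one shows whether the signature verified.
    rpm -K "$dest"
}

# Usage (URL and path from step 1; needs network access and the rpm tool):
# fetch_rpm https://download.openiam.com/release/enterprise/4.2.2/rpm/openiam-4.2.2.noarch.x86_64.rpm \
#           /usr/src/openiam-4.2.2.noarch.x86_64.rpm
```

If rpm -K reports only digests, the package is unsigned and the TLS connection to download.openiam.com is the only integrity guarantee you have; record the SHA-256 of the file you installed so the same artifact can be recognized later.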

If you do not want the VM to reboot right now, run shutdown -c to cancel the pending reboot.

  3. Start the initialization process, which downloads the files required for installation from the OpenIAM server. Follow the instructions on the screen.

sudo openiam-cli init

You will be asked about Internet access on this box, as shown below.

[root@ip-172-16-0-181 ~]# openiam-cli init
Initialize openiam
Does this box have Internet access ? [y/n]:

Type y and press Enter.

The system will download additional files, extract them locally, update your repository, and install essential base packages. You will see output similar to the snippet below.

Initialize openiam
Does this box have Internet access ? [y/n]:y
It is default configuration in env.conf
Download file openiamrepo.tar.gz from OpenIAM website
Download file backend.tar.gz from OpenIAM website
Download file frontend.tar.gz from OpenIAM website
openiamrepo/
openiamrepo/mariadb/
openiamrepo/mariadb/perl-MIME-Base64-3.15-396.el8.x86_64.rpm
openiamrepo/mariadb/perl-Math-BigInt-1.9998.11-7.el8.noarch.rpm
openiamrepo/mariadb/perl-Pod-Usage-1.69-395.el8.noarch.rpm
openiamrepo/mariadb/mariadb-backup-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+f0897f98.x86_64.rpm
openiamrepo/mariadb/perl-IO-1.38-422.el8.x86_64.rpm
openiamrepo/mariadb/perl-DBD-MySQL-4.046-3.module+el8.1.0+2938+301254e2.x86_64.rpm
openiamrepo/mariadb/mariadb-errmsg-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-interpreter-5.26.3-422.el8.x86_64.rpm
openiamrepo/mariadb/perl-Term-ANSIColor-4.06-396.el8.noarch.rpm
openiamrepo/mariadb/perl-Time-Local-1.280-1.el8.noarch.rpm
openiamrepo/mariadb/perl-Unicode-Normalize-1.25-396.el8.x86_64.rpm
openiamrepo/mariadb/perl-Scalar-List-Utils-1.49-2.el8.x86_64.rpm
openiamrepo/mariadb/perl-Mozilla-CA-20160104-7.module+el8.3.0+6498+9eecfe51.noarch.rpm
openiamrepo/mariadb/compat-openssl11-1.1.1k-4.el9.x86_64.rpm
openiamrepo/mariadb/mariadb-connector-c-3.1.11-2.el8_3.x86_64.rpm
openiamrepo/mariadb/perl-podlators-4.11-1.el8.noarch.rpm
openiamrepo/mariadb/perl-Exporter-5.72-396.el8.noarch.rpm
openiamrepo/mariadb/mariadb-server-utils-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-Math-Complex-1.59-422.el8.noarch.rpm
openiamrepo/mariadb/perl-Text-ParseWords-3.30-395.el8.noarch.rpm
openiamrepo/mariadb/perl-Digest-MD5-2.55-396.el8.x86_64.rpm
openiamrepo/mariadb/libaio-0.3.112-1.el8.x86_64.rpm
openiamrepo/mariadb/perl-File-Path-2.15-2.el8.noarch.rpm
openiamrepo/mariadb/mariadb-server-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-PathTools-3.74-1.el8.x86_64.rpm
openiamrepo/mariadb/perl-Pod-Escapes-1.07-395.el8.noarch.rpm
openiamrepo/mariadb/perl-libs-5.26.3-422.el8.x86_64.rpm
openiamrepo/mariadb/perl-Socket-2.027-3.el8.x86_64.rpm
openiamrepo/mariadb/perl-Carp-1.42-396.el8.noarch.rpm
openiamrepo/mariadb/perl-threads-shared-1.58-2.el8.x86_64.rpm
openiamrepo/mariadb/mariadb-10.3.39-1.module+el8.8.0+19673+72b0d35f.x86_64.rpm
openiamrepo/mariadb/perl-IO-Socket-IP-0.39-5.el8.noarch.rpm
...
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
m4 x86_64 1.4.19-1.el9 appstream 294 k
telnet x86_64 1:0.17-85.el9 appstream 63 k
Transaction Summary
================================================================================
Install 2 Packages
Total download size: 357 k
Installed size: 703 k
Downloading Packages:
(1/2): telnet-0.17-85.el9.x86_64.rpm 327 kB/s | 63 kB 00:00
(2/2): m4-1.4.19-1.el9.x86_64.rpm 1.0 MB/s | 294 kB 00:00
--------------------------------------------------------------------------------
Total 988 kB/s | 357 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : m4-1.4.19-1.el9.x86_64 1/2
Installing : telnet-1:0.17-85.el9.x86_64 2/2
Running scriptlet: telnet-1:0.17-85.el9.x86_64 2/2
Verifying : telnet-1:0.17-85.el9.x86_64 1/2
Verifying : m4-1.4.19-1.el9.x86_64 2/2
Installed:
m4-1.4.19-1.el9.x86_64 telnet-1:0.17-85.el9.x86_64
Complete!
workflow.jar
synchronization.jar
reconciliation.jar
openiam-esb.jar
idm.jar
groovy-manager.jar
email-manager.jar
device-manager.jar
auth-manager.jar
business-rule-manager.jar
sas-manager.jar
sas-lib.zip
idp.war
openiam-ui-static.war
selfservice-ext.war
selfservice.war
webconsole.war
reportviewer.war
  4. You will be asked if you want to install MariaDB as the default database.
Would you like to install MariaDB RDBMS locally? [y/n]:

Answer Y if you would like to use the local MariaDB RDBMS as the database server. To use another database, enter N. This question enables the installation of MariaDB so that it can be used later in the installation process.

If you answered Y, the MariaDB installer will prepare the files needed to install and configure MariaDB. Once this process is complete, you will be asked the questions below (the standard mysql_secure_installation dialogue). Answer them and proceed to the next step.

  5. Enter current password for root (enter for none):
    • Press Enter, as no password has been set yet.
    • You will see the following confirmation message.
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
  6. Set root password? [Y/n]
    • Type y and press Enter to set a password for the MariaDB root user.
  7. New password:
    • Enter a strong password for the MariaDB root user.
    • Note: You will need this password later in the installation process; it is the super user password the schema initialization step asks for.
  8. Re-enter new password:
    • Type the same password as in the previous step and press Enter.
  9. Remove anonymous users? [Y/n]
    • Type y and press Enter to remove anonymous database users.
    • This ensures that only authenticated users can access MariaDB.
  10. Disallow root login remotely? [Y/n]
    • Type y and press Enter to prevent remote root login.
    • This reduces the risk of unauthorized access and of password guessing from the network.
  11. Remove test database and access to it? [Y/n]
    • Type y and press Enter to delete the default test database.
    • This removes a database that any user can access.
  12. Reload privilege tables now? [Y/n]
    • Type y and press Enter to apply the changes immediately.

The snippet below shows what you can expect to see in this part of the installation. Note that for a successful installation it is required to set a password for the root user in MariaDB.

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] openiam
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
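The wizard above leaves three conditions that can be verified afterwards: no anonymous accounts, root reachable only from the local host, and no test database. The functions below, an added example that is not part of the OpenIAM page or installer, check those conditions from the output of two queries run with the mysql client; the client invocations in the comments are assumptions about how you would produce that output, and the test input used when developing the functions was constructed by hand.

```shell
#!/bin/sh
# Added example (not OpenIAM code): re-check what mysql_secure_installation
# was supposed to do. Feed the functions the output of the client run with
# -N (no column header), for example:
#   mysql -u root -p -N -e "SELECT CONCAT(user,'@',host) FROM mysql.user" | check_mysql_users
#   mysql -u root -p -N -e "SHOW DATABASES" | check_databases

# check_mysql_users: stdin is one "user@host" per line. Reports anonymous
# accounts (empty user) and root accounts reachable from anything other
# than the local host. Returns 1 if anything was reported.
check_mysql_users() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        user=${line%@*}      # everything before the last '@'
        host=${line##*@}     # everything after the last '@'
        if [ -z "$user" ]; then
            echo "anonymous user allowed from '$host'"; status=1
        elif [ "$user" = root ]; then
            case $host in
                localhost|127.0.0.1|::1) ;;
                *) echo "root may log in remotely from '$host'"; status=1 ;;
            esac
        fi
    done
    return $status
}

# check_databases: stdin is one database name per line. Reports the
# default 'test' database and any test_* schema, which MariaDB's default
# grants make accessible to every account.
check_databases() {
    status=0
    while IFS= read -r db; do
        case $db in
            test|test_*) echo "test database '$db' still present"; status=1 ;;
        esac
    done
    return $status
}
```

Run both checks again after the OpenIAM schema initialization step, since that step creates additional accounts (idmuser and the activiti and groovy users) whose host part should also be limited to where the application servers actually connect from.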

After MariaDB has been installed, the installer moves on to the infrastructure services: Vault, Redis, RabbitMQ and Cassandra, which is the storage backend for the graph database used in OpenIAM. This process takes 4-5 minutes. The snippet below, which follows the installation of MariaDB, shows a self-signed certificate (CN=localhost) being generated and imported into the bundled JDK truststore, and the vault being initialized. Plan to replace that certificate with one issued by your own CA before the instance is exposed beyond the lab.

Certificate request self-signature ok
subject=C=US, ST=NY, L=NY, O=OPENIAM, OU=PRODUCTION, CN=localhost
Warning: -clcerts option ignored with -export
writing RSA key
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
[Storing /usr/local/openiam/jdk/lib/security/cacerts]
Starting consul...
Starting vault...
Command flags must be provided before positional arguments. The following arguments will not be parsed as flags:

The installer will ask several questions during the initialization process. For most questions, a default value is provided to simplify the effort for users new to OpenIAM. The sections which require input are marked with the following message in the console:

=============== CRITICAL SECTION ===============

Defining database and infrastructure components credentials

OpenIAM creates three schemas by default: openiam, activiti and groovy. The openiam schema is the primary schema used by the platform; it stores a variety of information ranging from policies to user profile information. activiti stores information about workflows and their execution. groovy stores Groovy script metadata, including file details, versioning and last-modified timestamps, so that script updates are controlled and auditable. The first set of questions raised by the installer relate to the creation of database users for each schema. Each question and its intent are listed below. The defaults are the same on every installation, so for anything beyond a demo replace each username and password with unique, strong values.

Question raised by the installer / Explanation

  • Set OpenIAM username for schema openiam, default: idmuser
    This is the DB username that will be used to manage the openiam schema, the primary schema in which data related to OpenIAM is stored. The OpenIAM application uses this user to communicate with the database. The default value is idmuser.
  • Set OpenIAM password for schema openiam, default: idmuser
    This is the password for the username provided in the previous step. The default value is idmuser.
  • Set OpenIAM username for schema activiti. For MySQL it will be the same as for openiam, default: activiti
    This is the DB username that will be used to manage the activiti schema. The OpenIAM application uses this user to communicate with the database. The default value is activiti.
  • Set OpenIAM password for schema activiti. For MySQL it will be the same as for openiam, default: activiti
    This is the password for the user associated with the activiti schema. The default value is activiti.
  • Set OpenIAM username for schema groovy. For MySQL it will be the same as for openiam, default: groovy
    This is the DB username that will be used to manage the groovy schema. The OpenIAM application uses this user to communicate with the database. The default value is groovy.
  • Set OpenIAM password for the groovy schema. For MySQL it will be the same as for openiam, default: groovy
    This is the password for the user associated with the groovy schema. The default value is groovy.
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti
Set OpenIAM username for schema 'groovy'., default: groovy
Set OpenIAM password for schema 'groovy'., default: groovy
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
Set OpenIAM password for REdis Sentinel., default: passwd00
User to Access OpenSearch. If you don't change it on the OS server side, leave it as elastic, default: elastic
Password for elastic to access OpenSearch, default: VlyXHUBDuhgv6BTKjTz7TumtBZL8Zbmu
Please validate information below

Message broker password

OpenIAM uses RabbitMQ as a message broker; it is the primary transport service within the OpenIAM application. Services are loosely coupled and communicate with each other through the broker. Cross-service communication is encrypted. The next question raised by the installer asks you to define a password for RabbitMQ. As with the questions above, a default value is provided for simplicity; for production use, choose a strong password, since anyone holding this credential can read and inject inter-service messages.

Set OpenIAM password for RabbitMQ message broker, default: passwd00

Memory cache password

Redis is an in-memory distributed cache that OpenIAM uses to improve system performance. A variety of objects are temporarily stored in Redis, including:

  • End user web sessions.
  • Database object cache.
  • High level application cache.

As with other components, access to the cache is secured, and the next question asks for the password that should be used for Redis. Because Redis holds live web sessions, treat this password with the same care as the database credentials.

Set OpenIAM password for Redis., default: passwd00

To use Redis with TLS, select y; otherwise accept the default n and proceed with the next steps.

Do you want to enable TLS for Redis? (y/n): n

OpenSearch credentials

OpenSearch is used by OpenIAM to enable fast searching of frequently used data. As with the components above, access to OpenSearch is secured through its own set of credentials. You will be prompted for this information as shown below.

OpenIAM Username to access Opensearch: elastic
OpenIAM password for elastic user to access Opensearch: ilm5LjYPAeFWbfLE40dthmEOunN4Cnlz

The information requested above is critical for the installation process. Mistakes in these steps can disrupt the installation process. To minimize such issues, you will be asked to review the above answers. If you agree with the information, select Y. If you need to fix some information, select N and the installer will walk you through this process again.

Cassandra

After processing the above information, the installer installs Cassandra, the storage engine for JanusGraph. You will see output like the example below during this step. A Java stack trace reporting "No nodes present in the cluster" may appear: Cassandra takes a little while to start, and the error is caused by that delay. Ignore it; the installer waits and then proceeds with the installation.

Synchronizing state of cassandra.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable cassandra
Created symlink /etc/systemd/system/default.target.wants/cassandra.service/etc/systemd/system/cassandra.service.
0
error: No nodes present in the cluster. Has this node finished starting up?
-- StackTrace --
java.lang.RuntimeException: No nodes present in the cluster. Has this node finished starting up?
...
Waiting for cassandra
1
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
UN 127.0.0.1 73.52 KiB 256 100.0% 5a7c7a99-aeaf-4576-9863-f226a7867ef0 rack1
Cassandra alive
Cassandra is ready to use. Continue...

At this point the installer has enough information to complete the installation of: OpenSearch, Redis, and RabbitMQ.

Initialize Database Schema

Question raised by the installer / Explanation

  • Use default value if this is new installation. If you are doing an update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0
    If this install is an upgrade of an existing deployment, the current version matters because it determines which scripts are applied to bring the schema up to the new version. For a new deployment, accept the default.
  • This is the name of the OpenIAM core database. If using MariaDB, this is most likely openiam, default: openiam
    This question lets you choose the primary database schema. Accept the default, openiam. Change it only if the scripts have been altered by the customer.
  • This is the name of the OpenIAM Activiti database. If using MariaDB, this is most likely activiti, default: activiti
    This question lets you choose the schema used by the workflow engine. Accept the default, activiti. Change it only if the scripts have been altered by the customer.
  • Possible values: MySQL, Postgres, MSSQL, Oracle. Type of the database that you are going to use with OpenIAM. The RDBMS have to be already installed, default: MySQL
    Select the type of database that will serve as the OpenIAM repository. Accept the default if you are using either MariaDB or MySQL. If you are using PostgreSQL, Oracle or Microsoft SQL Server, enter postgres, oracle or mssql respectively.
  • This is the name of the OpenIAM Groovy database. If using MariaDB, this is most likely groovy, default: groovy
    This question lets you choose the schema used for Groovy script metadata. Accept the default, groovy. Change it only if the scripts have been altered by the customer.
  • This is the hostname of where the Groovy database is, default: localhost
    Enter the host or DNS name of the server hosting the groovy database.
  • This is the port of where the Groovy database is. If using MariaDB, this is most likely 3306, default: 3306
    Enter the port number of the database server hosting the groovy database.
  • Do you want to initialize OpenIAM schema and users? Select this if you have not created schema and users in RDBMS yet. Super user (root) password will be required [y/n]
    If Y, the installer creates the schemas and the corresponding RDBMS users. For Oracle/MSSQL it generates an SQL script that must be run manually.
  • Enter username for super user (for MySQL this is root), default: root
    The installer needs a super user account, or an equivalent with the privileges to create schemas, users and tables. It is needed for this initialization step; the application itself connects with the per-schema users defined earlier.
  • Enter password for super user (sa or root, depending on the DB type), default:
    Enter the password for the account provided in the previous step (for a local MariaDB, the root password you set in the secure-installation dialogue).
  • Do you use AWS RDS MariaDB? If yes, make sure the RDS DB instance has the parameter log_bin_trust_function_creators = 1 [y/n]
    Select N if AWS RDS MariaDB is not being used for this deployment.
  • This is the hostname of where the OpenIAM core database is, default: localhost
    Enter the host or DNS name of the server hosting the primary OpenIAM database.
  • This is the port of where the OpenIAM core database is. If using MariaDB, this is most likely 3306, default: 3306
    Enter the port number of the database server hosting the primary OpenIAM database.
  • This is the hostname of where the Activiti database is, default: localhost
    Enter the host or DNS name of the server hosting the workflow database.
  • This is the port of where the Activiti database is. If using MariaDB, this is most likely 3306, default: 3306
    Enter the port number of the database server hosting the workflow database.

Once the questions have been answered, the installer will provide a summary of the questions and answers. Please review before proceeding. An example of this is shown below.

Please validate information below
---------------------------------
FLYWAY_BASELINE_VERSION=2.3.0.0
FLYWAY_OPENIAM_DATABASE_NAME=openiam
FLYWAY_ACTIVITI_DATABASE_NAME=activiti
FLYWAY_OPENIAM_HOST=localhost
FLYWAY_OPENIAM_PORT=3306
FLYWAY_ACTIVITI_HOST=localhost
FLYWAY_ACTIVITI_PORT=3306
FLYWAY_GROOVY_HOST=localhost
FLYWAY_GROOVY_PORT=3306
FLYWAY_DATABASE_TYPE=mysql
Database will be initialized=Y
Root (Db admin) user name=root
Root (Db admin) user password=passwd00
Please validate your input above, if your are OK with that enter 'y'. To repeat an information collecting procedure enter 'n' :y

If you need to correct any answer, enter N. Once you select Y, the installer generates the database schema. Internally, this step is handled by a component called Flyway, a database schema management and versioning utility; it is used both to create the schema and to upgrade it from one version to another. Note that the summary above echoes the database administrator password in clear text on the console, so avoid running the installer in a session that is recorded or logged, and clear the terminal scrollback afterwards.
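The installer's summary is also a convenient place to catch defaults that were accepted by mistake. The function below, an added example rather than part of the installer, reads KEY=VALUE summary lines and flags any user or password entry still set to one of the defaults shown on this page (idmuser, activiti, groovy, passwd00, and Grafana's admin) or any password shorter than 12 characters. The 12-character floor and the list of defaults are assumptions taken from this page, not an OpenIAM policy, and the sample input in the usage comment is constructed from the summary shown above.

```shell
#!/bin/sh
# Added example (not OpenIAM code): scan the "Please validate information
# below" summary for installer defaults that should never reach production.

# Defaults as they appear in this page's prompts (constructed list).
OPENIAM_DEFAULT_SECRETS='idmuser activiti groovy passwd00 admin'
MIN_PASSWORD_LEN=12   # assumed floor, not an OpenIAM requirement

# flag_default_secrets: read KEY=VALUE lines on stdin. Only keys that
# mention a user or password are inspected. Prints one line per finding
# and returns 1 if anything was flagged, 0 if the summary looks clean.
flag_default_secrets() {
    rc=0
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        key=${line%%=*}; val=${line#*=}
        case $key in *[Uu]ser*|*[Pp]assword*) ;; *) continue ;; esac
        for d in $OPENIAM_DEFAULT_SECRETS; do
            [ "$val" = "$d" ] && { echo "DEFAULT: '$key' is still the installer default '$d'"; rc=1; }
        done
        case $key in
            *[Pp]assword*)
                [ ${#val} -ge "$MIN_PASSWORD_LEN" ] || {
                    echo "WEAK: '$key' is ${#val} characters (minimum $MIN_PASSWORD_LEN assumed)"; rc=1; } ;;
        esac
    done
    return $rc
}

# Usage: paste the summary into a file (constructed sample below) and run
#   flag_default_secrets < summary.txt
# Sample summary.txt:
#   FLYWAY_DATABASE_TYPE=mysql
#   Root (Db admin) user name=root
#   Root (Db admin) user password=passwd00
```

Schema names such as FLYWAY_ACTIVITI_DATABASE_NAME=activiti are deliberately not flagged: the schema name is public, the matching password is not.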

Install reverse proxy

Next, the installer asks whether you want to install the reverse proxy. The reverse proxy is an Apache web server module, purpose-built for the OpenIAM stack, that addresses specific use cases. In virtually all cases you will want to install the rProxy; exceptions arise only from your deployment architecture. The rProxy can co-exist with other infrastructure components such as an F5. Enter y for the question below.

Do you want to install OpenIAM reverse proxy module? [y/n]:

Afterwards, the installer may ask whether you want to update the httpd software. httpd is the Apache web server that hosts the OpenIAM web applications and serves their requests. Enter y for the question below and proceed with the installation.

Do you want to update httpd to 2.4.57 ? [y/n]:

The OpenIAM RPM installer will continue with initialization and apply the SQL scripts required for a successful startup. After initialization, the OpenIAM services start the application stack automatically and show the current stack status. Startup usually takes around 10-15 minutes. You can view the status of the system as it comes up using the command line tools described below in OpenIAM components and Status. Please ignore the following lines:

HTTP request sent, awaiting response... 404 Not Found
2023-11-09 21:04:58 ERROR 404: Not Found.

At this point the installation is complete.

Note that if the system logo RPM is installed, ignore the conflict error related to the logo RPM installation.

Install Prometheus and Grafana stack for monitoring

To monitor the OpenIAM infrastructure components and application services, select y to install the stack on the Linux server.

Do you want to install Prometheus+Grafana stack for monitoring? [y/n]:y

In the last part of the initialization script, nginx is installed and an nginx health check waits for all OpenIAM services to come up. Use the openiam-cli status command from another console to monitor the services.

Check the startup process

The services may take 8 to 15 minutes (depending on your environment) to start up completely. You can watch the startup process using the command below. Note that the UI service takes some time and is among the last to start, as it depends on other components being up first.

Monitor the startup process

To check if the services have started, you can use the openiam-cli utility as shown in the example below:

openiam-cli status

You will see output like the example below:

Openiam Status report
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - business-rule-manager - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - openiam-webconsole - Service working. Application status: [ UP ]
[OK] - openiam-idp - Service working. Application status: [ UP ]
[OK] - openiam-selfservice - Service working. Application status: [ UP ]
[OK] - openiam-ui-static - Service working. Application status: [ UP ]
[OK] - openiam-selfservice-ext - Service working. Application status: [ UP ]
[OK] - openiam-reportviewer - Service working. Application status: [ UP ]

Verify nginx services with the following command.

systemctl status nginx

If a service fails to start, check the respective application log; for infrastructure components, check journalctl. The OpenIAM logs are in the following directories:

/usr/local/openiam/logs
/usr/local/openiam/ui/logs/

For infrastructure logs, check /var/log or run journalctl -u <service name>.

Validate the startup

You can use the curl command below to validate whether the UI is up.

curl -k -I -L http://127.0.0.1/idp/login

You should see output like the example below

HTTP/1.1 200
Date: Fri, 21 Feb 2025 21:49:04 GMT
Server: Apache/2.4.61 (Red Hat Enterprise Linux) OpenSSL/3.2.2
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://127.0.0.1/selfservice/csp/report" } ] }
Content-Security-Policy: default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' data: https://chart.googleapis.com; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4970
Set-Cookie: SESSION=OWJiZDkwMTMtMDNmZC00NThmLWI5ZWEtYTljYzE4N2VhMTZh; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding

The HTTP 200 indicates that the application is up and running and you can log in. Two details in the headers above are worth noting before the instance leaves the lab. The SESSION cookie is marked HttpOnly and SameSite=Lax but not Secure, which is expected while the application is served over plain HTTP (the Report-To endpoint also points at http://127.0.0.1); once you enable TLS for the content provider, repeat the check against https:// and confirm the cookie carries Secure. Access-Control-Allow-Origin: * and the 'unsafe-inline' and 'unsafe-eval' sources in the Content-Security-Policy are permissive defaults that should be reviewed with your security team.
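To make the header check repeatable, the function below (an added example, not part of OpenIAM) reads the output of curl -I on stdin, keeps the last status line so that redirects followed with -L are handled, and fails unless the final status is 200 and the SESSION cookie has HttpOnly, plus Secure when you tell it the instance is served over https. It also prints notes for the permissive CSP and CORS headers. The sample response used to check it was constructed from the headers shown above.

```shell
#!/bin/sh
# Added example (not OpenIAM code): validate the startup check's headers.
# Usage:
#   curl -sk -I -L http://127.0.0.1/idp/login | check_openiam_headers http
#   curl -sk -I -L https://your-host/idp/login | check_openiam_headers https

# check_openiam_headers SCHEME: stdin is raw response headers. Returns 0
# when the final status is 200 and the SESSION cookie is HttpOnly (and
# Secure if SCHEME is https); returns 1 and prints FAIL lines otherwise.
check_openiam_headers() {
    scheme=${1:-http}; status=""; cookie=""; rc=0
    while IFS= read -r line; do
        line=${line%$(printf '\r')}        # strip CR from HTTP line endings
        case $line in
            HTTP/*)                          # last status line wins after -L
                status=${line#* }; status=${status%% *} ;;
            [Ss]et-[Cc]ookie:*SESSION=*) cookie=$line ;;
            [Cc]ontent-[Ss]ecurity-[Pp]olicy:*)
                case $line in *unsafe-eval*) echo "note: CSP allows unsafe-eval" ;; esac ;;
            [Aa]ccess-[Cc]ontrol-[Aa]llow-[Oo]rigin:*\**)
                echo "note: CORS allows any origin" ;;
        esac
    done
    [ "$status" = 200 ] || { echo "FAIL: final status '$status'"; rc=1; }
    [ -n "$cookie" ] || { echo "FAIL: no SESSION cookie set"; return 1; }
    case $cookie in *HttpOnly*) ;; *) echo "FAIL: SESSION cookie lacks HttpOnly"; rc=1 ;; esac
    if [ "$scheme" = https ]; then
        case $cookie in *Secure*) ;; *) echo "FAIL: SESSION cookie lacks Secure over https"; rc=1 ;; esac
    fi
    return $rc
}
```

The http/https argument is deliberate: a cookie without Secure is correct on the HTTP-only lab instance and a finding as soon as TLS is enabled, so the same check can be kept in a post-deployment script and only the argument changes.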

First time login

The final validation of the deployment is to log in to the OpenIAM web applications. First find the IP address of your VM. Then open your browser (preferably Chrome or Firefox) and go to: http://[ip address of your installation]/webconsole

Use the following credentials for the first time login: Username: sysadmin Password: passwd00

These credentials are the same on every OpenIAM installation and the next screens force you to change the password, so complete the first login promptly rather than leaving the console reachable with the well-known default.

Enter the username in the field shown below and click Next.

[Screenshot: OpenIAM login page]

The authentication process is spread over two screens. You will be asked to enter the password on the second screen.

The next screen forces you to change the default password. As you enter your new password, the password policy is shown alongside; your password must comply with it. You can change both the password and the policy later.

[Screenshot: Change password]

The next step is to define a content provider using the screen shown below. A content provider is an alias which represents a domain; UI themes, authentication policies and similar settings can be associated with it. You can read more on content providers in this document. The table below describes the fields on this screen.

Name / Description

  • Content Provider Name
    You can think of a content provider as an "alias" which represents a domain; this is described in more detail in the OpenIAM documentation. For this setup, enter a value such as Default CP.
  • Domain Pattern
    This value is pre-filled. It should be the IP address or DNS host name of the instance where OpenIAM has been installed.
  • Application supports SSL?
    This setting determines whether the OpenIAM application is accessed over HTTP or HTTPS. Unless you have already configured the certificate, select Support on HTTP. You can update this later; until you do, credentials and session cookies travel in clear text, so keep the instance on a trusted network.
  • Application servers
    This is the location of the OpenIAM service layer which the UI and rProxy need to communicate with. In most cases the default value is correct, since these components are deployed on the same host; the setting exists so that the UI and service layer can be placed on separate hosts.

Define initial content provider

After setting up the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account in case you have locked yourself out. Please make a note of your answers.

Note: You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

Challenge questions

After completing the above steps, you will be taken to the admin console landing page shown below. Give the system about 5 minutes to refresh its internal cache, and then you can proceed to configure your solution.

Webconsole landing page

Grafana and Prometheus access

If you use a local firewall on the server, open the following ports and verify that Grafana and Prometheus are listening; if you use an external firewall or security group, allow all of the ports below there as well.

firewall-cmd --add-port=3000/tcp --add-port=9090/tcp --add-port=9100/tcp --permanent
firewall-cmd --reload
ss -tulnp | grep grafana
ss -tulnp | grep prometheus

Verify node-exporter metrics with the following command.

curl http://localhost:9100/metrics

For Grafana access from outside using a public IP

For Grafana access, the default user is admin and the default password is admin. Change this password at first login.

http://<Ip of VM>:3000

Grafana dashboard

For external Prometheus access

Change web.listen-address from 127.0.0.1 to 0.0.0.0 in the service file below. Prometheus does not authenticate requests by default, so once it listens on all interfaces, restrict port 9090 to trusted sources in your firewall or security group.

vi /etc/systemd/system/prometheus.service

Now reload systemd and restart Prometheus using the commands below. The unit name is lowercase, matching the prometheus.service file above.

systemctl daemon-reexec
systemctl daemon-reload
systemctl restart prometheus

Try to access Prometheus using the http://<Ip of VM>:9090 URL.

Prometheus

For node exporter metrics access

Use the http://<Ip of VM>:9100/metrics URL for access.

Node exporter access

Post installation information

Using the OpenIAM command line utility

OpenIAM provides a command line utility, openiam-cli, to view the status of all components and to perform common operations such as viewing logs and starting or stopping the application. Running the command by itself, as shown below, displays the list of all options.

openiam-cli

Output

Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}

Check status

To check the status of the components or to confirm that the system is up, please use the following command:

openiam-cli status

Check service logs

To view the current logs of a service, use openiam-cli log <service_name>. For example, to check the logs of the openiam-esb module, use the following command.

openiam-cli log openiam-esb

Start and stop

You can start and stop OpenIAM from the command line as well. To stop OpenIAM, use the following command:

openiam-cli stop

You can check that the services have stopped by using the status command shown above. You can start the application using the following command.

openiam-cli start

Checking the health of the application

Health checks can be used by your monitoring systems to verify the status of OpenIAM. Use the following URL to validate the ESB.

curl http://localhost:9080/openiam-esb/actuator/health

Use the following URL to validate the UI.

curl -k http://localhost:9080/idp/actuator/health
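The port checks in the Grafana and Prometheus access section and the two actuator health URLs above can be combined into one probe that a monitoring system runs against the host. The script below is an added example, not part of OpenIAM or openiam-cli; it assumes the actuator responses follow the Spring Boot /health JSON format (a top-level "status" plus an optional "components" or "details" map), uses the ports and paths from this guide, and reports any component that is not UP by name.

```python
"""Post-install probe for an OpenIAM host (added example, not part of OpenIAM
or openiam-cli): checks that the monitoring ports accept TCP connections and
that the ESB and UI actuator health endpoints report UP."""
import json
import socket
import sys
import urllib.error
import urllib.request

# Ports the guide opens for Grafana, Prometheus and node-exporter.
MONITORING_PORTS = {"grafana": 3000, "prometheus": 9090, "node-exporter": 9100}

# Actuator health paths from the guide; 9080 is the port in the guide's curl commands.
HEALTH_PATHS = {
    "openiam-esb": "/openiam-esb/actuator/health",
    "openiam-ui": "/idp/actuator/health",
}
HEALTH_PORT = 9080


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=MONITORING_PORTS, timeout=2.0):
    """Map each service name to whether its port accepts connections from here."""
    return {name: port_open(host, port, timeout) for name, port in ports.items()}


def parse_health(body):
    """Parse a Spring Boot actuator /health JSON body (assumed format).

    Returns (overall_up, down). 'down' lists (dotted.path, status) for every
    component whose status is not UP, walking the 'components' map (Spring
    Boot 2.2+) or the older 'details' map recursively, so a DOWN datasource
    nested inside a group is still named.
    """
    doc = json.loads(body)
    down = []

    def walk(node, path):
        if path and node.get("status") != "UP":
            down.append((".".join(path), node.get("status")))
        children = node.get("components") or node.get("details") or {}
        for name, child in children.items():
            # Only dicts carrying a 'status' are components; other entries are detail values.
            if isinstance(child, dict) and "status" in child:
                walk(child, path + [name])

    walk(doc, [])
    return doc.get("status") == "UP", down


def fetch_health(url, timeout=5.0):
    """GET an actuator health URL and return (overall_up, down).

    Spring Boot answers HTTP 503 when the status is DOWN but still sends the
    JSON body, so HTTPError is read rather than treated as a failure. A
    connection error, timeout or non-JSON body counts as DOWN so that an
    unreachable service is reported the same way as a failed one.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    except OSError as err:  # URLError (unreachable host/port) and socket timeouts
        return False, [("connection", str(err))]
    try:
        return parse_health(body)
    except (ValueError, AttributeError):
        return False, [("response", "not a health JSON object")]


def run_checks(host="localhost"):
    """Run every check against one host; returns a dict a monitoring probe can consume."""
    health = {}
    for name, path in HEALTH_PATHS.items():
        health[name] = fetch_health(f"http://{host}:{HEALTH_PORT}{path}")
    return {"ports": check_ports(host), "health": health}


def all_ok(results):
    """True only when every port is open and every health endpoint reports UP."""
    ports_ok = all(results["ports"].values())
    health_ok = all(up for up, _ in results["health"].values())
    return ports_ok and health_ok


if __name__ == "__main__":
    results = run_checks(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    for name, is_open in results["ports"].items():
        print(f"port {name:<14} {'open' if is_open else 'CLOSED'}")
    for name, (up, down) in results["health"].items():
        print(f"{name:<19} {'UP' if up else 'DOWN'} {down if down else ''}")
    sys.exit(0 if all_ok(results) else 1)
```

Run it on the OpenIAM host (or pass the host name as the first argument to probe from a remote monitoring box, which also verifies that the firewall rules above actually admit the traffic). The exit code is 0 only when every port is open and every health endpoint is UP, so it can be wired directly into a cron or monitoring check.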

Core services and Default Memory configuration

Name | Description | Default Memory (RAM)
---- | ----------- | --------------------
openiam-esb | The service that provides the Web Service API and most of the core functionality | 2048m
workflow | The service that provides business workflow functionality | 768m
groovy-manager | The service that provides Groovy extension functionality | 256m
idm | The service that provides provisioning to target systems | 512m
reconciliation | The service that provides reconciliation against target systems | 512m
email-manager | The service that provides sending and receiving of email | 256m
auth-manager | The service that provides authorization functionality | 1024m
device-manager | The service that provides device management functionality (iOS and Android) | 256m
business-rule-manager | The service that provides business rules functionality | 512m
openiam-ui | This provides the OpenIAM UI running on an Apache Tomcat server | 2048m

Troubleshooting

During installation, the OpenSearch initialization may fail with a timeout error. This can be resolved by setting the SELinux mode to Permissive; see Red Hat's documentation on Changing SELinux states and modes. Before rebooting the VM or restarting the application, shut OpenIAM down with the openiam-cli stop command shown above. Otherwise, the vault may seal and the application may fail to start.