Overview
OpenIAM is a software that helps organizations manage user access securely. This guide will walk you through a simple way to install OpenIAM on a Single VM (Virtual Machine) without needing deep technical knowledge.
In this document we cover these topics.
1.Prepare your system (check system requirements).
- 1.1 Minimum System Requirements
- 1.2 Commands to Verify System Resources
2.Download and set up a Linux operating system (CentOS).
- 2.1 Where to Download CentOS
3. Connect to your VM.
- 3.1 Choose a Virtualization Platform
- 3.2 Find Your VM’s IP Address
- 3.3 Connect to the VM Using SSH or PuTTY
4. Install necessary system tools.
- 4.1 Why Install
tar
?
5. Start the OpenIAM installation.
- 5.1 Choose Installation Method (Online vs. Offline)
- 5.2 Download the RPM Installer
- 5.3 Install the RPM Package
6. Install the MariaDB Database
- 6.1 Prompt for MariaDB Installation
- 6.2 Prepare for MariaDB Setup
7. Infrastructure Services Setup
8. OpenIAM Schemas
9.Database Credentials Setup Prompts
- 9.1 Set Username and Password for
openiam
- 9.2 Set Username and Password for
activiti
10. RabbitMQ Password Setup
- 10.1 Setting the RabbitMQ Password
11.Redis Password Setup
- 11.1 Setting the Redis Password
12.Elasticsearch Credentials Setup
13.Cassandra Service Initialization
14. Database Schema Initialization
15. Reverse Proxy Installation
16. Initialization and SQL Scripts
17. Startup Process
- 17.1 Overview and Duration
- 17.2 UI Container Startup Order
- 17.3 Monitoring the Startup Progress
18. Validating OpenIAM UI
- 18.1 Using curl to Check UI Availability
19. First-Time Login to OpenIAM
20. Post Installation Information
- 20.1 Utilizing the OpenIAM Command Line Utility
21. OpenIAM Core Services Overview
- 21.1 RAM Allocation per Service
22. Troubleshooting Tips
1.Prepare your system (check system requirements).
When setting up OpenIAM, you have two deployment options based on your needs.
If you are developing, testing, or experimenting, you can use a Non-Production setup with lower system requirements.
If you are running OpenIAM in a live environment with real users and high traffic, you should use a Production setup with higher resources for stability and performance.
Choose the appropriate option based on your environment and requirements.
1.1 Minimum System Requirements
Non-Production
Use when testing, developing, or running environments where performance, high availability, and scalability are not critical.
-
Memory:
48 GB
-
CPU:
8 CPUs
-
Disk:
80 GB
Production
Use when running a live, high-availability environment with significant traffic, real users, and critical security needs.
-
Memory:
64 GB
-
CPU:
12 CPUs
-
Disk:
200 GB
1.2 Commands to Verify System Resources
To check your system, run these commands:
lscpu # Checks CPU
free -m # Checks memory
cat /etc/os-release # Shows OS version
df -H # Checks disk space
Example Outputs:
Check CPU
[root@server ~]# lscpu
Architecture: x86_64
CPU(s): 8
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 8
CPU MHz: 2199.994
Hypervisor vendor: KVM
Check Memory
[root@server ~]# free -m
total used free shared buff/cache available
Mem: 31959 221 31473 16 264 31341
Swap: 511 0 511
Check Operating System
[root@server ~]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
VERSION_ID="8"
PRETTY_NAME="CentOS Stream 8"
Check Disk Space
[root@server ~]# df -H
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/cs-root 52G 2.4G 49G 5% /
/dev/mapper/cs-home 25G 209M 25G 1% /home
/dev/sda1 1.1G 295M 769M 28% /boot
2.Download and set up a Linux operating system (CentOS).
2.1 Where to Download CentOS
OpenIAM works best with CentOS (a version of Linux). If you don’t have it yet, download it here:
➡ [https://vault.centos.org/8-stream/)
3.Connect to your VM.
3.1 Choose a Virtualization Platform
You can use one of the following platforms to create a VM:
VirtualBox (Free, cross-platform)
VirtualBox is a free and open-source virtualization software that works on multiple operating systems including Windows, macOS, and Linux. Ideal for beginners and casual users.VMware Workstation Player (Free for personal use)
VMware Workstation Player is a free version of VMware’s virtualization software for non-commercial use. It’s easy to use and supports advanced features for virtual environments.Hyper-V (Built into Windows Pro/Enterprise)
Hyper-V is a Microsoft virtualization technology available in Windows Pro and Enterprise editions. It's useful for creating and managing virtual machines directly from your Windows OS.Proxmox (For advanced users, open-source)
Proxmox VE is an open-source virtualization platform that combines KVM for virtual machines and LXC for containers. It’s a powerful solution for data centers or more advanced use cases.KVM/QEMU (Linux-based, powerful for server environments)
KVM (Kernel-based Virtual Machine) and QEMU (Quick Emulator) are popular virtualization technologies for Linux servers. They’re ideal for creating high-performance virtual machines on Linux-based systems.
3.2 Find Your VM’s IP Address
You can use SSH to securely access and manage your VM remotely. SSH is essential because most VMs run without a graphical interface, and it allows encrypted communication over the network. Before connecting, ensure the SSH port is open and OpenSSH is installed; otherwise, the connection won’t work.
Run this command:
ip addr
3.3 Connect to the VM Using SSH or PuTTY
Use SSH (a remote login tool) to connect. Replace [your VM's IP]
with your actual VM address:
ssh root@[your VM's IP]
Example:
ssh root@172.16.101.128
If you're using Windows, you can use PuTTY (a simple and effective tool for managing remote servers securely).
Download PuTTY here: PuTTY Download
4. Install necessary system tools.
Before installing OpenIAM, install some basic system tools. Run:
dnf install -y tar wget curl vim
4.1 Why Install tar
?
The tar
command is essential because it allows you to extract installation files that are often distributed as compressed archives (.tar.gz
or .tar.bz2
). Without tar
, you may not be able to properly extract and install OpenIAM.
This will ensure the system can extract files and manage installations efficiently.
5. Start the OpenIAM Installation
5.1 Choose Installation Method (Online vs. Offline)
- With Internet Access: The system will automatically download the required files.
- Without Internet Access: You will need to manually download and transfer the required packages to the server.
Note:
This document assumes that the installation is being performed with Internet Access.
Note:
Internet access is required for the installation, and it must not be restricted or subject to any network limitations or sanctions.
Pre-requisite: Internet Access Check
Before starting the installation, ensure that the server can connect to the OpenIAM website.
Run the command:
curl https://openiam.com/; echo $?
If the output is 0
, your server can reach the website, and you're good to proceed. If you get a non-zero result, the server can't reach the website. You'll need to resolve the connectivity issue or consider using offline installation instructions.
5.2 Download the RPM Installer
Download the installer from OpenIAM using the following command:
curl https://download.openiam.com/release/enterprise/4.2.1.12/rpm/openiam-4.2.1.12.noarch.x86_64.rpm --output openiam-4.2.X.noarch.x86_64.rpm
Note:
Version 4.2.1.12 is used in this installation.
The installation process will also update the system's ulimit ( a command in Unix and Linux systems that allows you to control the user process resource limits).
5.3 Install the RPM Package
Once the download is complete, install OpenIAM using the following command:
sudo rpm -i openiam-4.2.X.noarch.x86_64.rpm
Example Output
Your output should be like this:
openiam/
openiam/jdk/
openiam/jdk/lib/
openiam/jdk/lib/server/
openiam/jdk/lib/server/libjvm.so
openiam/jdk/lib/server/Xusage.txt
openiam/jdk/lib/server/libjsig.so
openiam/jdk/lib/libmlib_image.so
openiam/jdk/lib/libawt_xawt.so
openiam/jdk/lib/jspawnhelper
openiam/jdk/lib/psfont.properties.ja
openiam/jdk/lib/jli/
openiam/jdk/lib/jli/libjli.so
openiam/jdk/lib/libawt_headless.so
openiam/jdk/lib/librmi.so
openiam/jdk/lib/libfontmanager.so
openiam/jdk/lib/libawt.so
openiam/jdk/lib/libjimage.so
openiam/jdk/lib/libj2pkcs11.so
openiam/jdk/lib/libzip.so
openiam/jdk/lib/libjsound.so
openiam/jdk/lib/psfontj2d.properties
openiam/jdk/lib/security/
openiam/jdk/lib/security/default.policy
openiam/jdk/lib/security/public_suffix_list.dat
openiam/jdk/lib/security/blacklisted.certs
openiam/jdk/lib/security/cacerts
openiam/jdk/lib/libjdwp.so
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directoryshell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directoryshell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directoryThe server will be restarted in 1 min to apply ulimit settings ...Shutdown scheduled for Wed 2023-11-22 21:20:46 UTC, use 'shutdown -c' to cancel.
...
Your VM will reboot to apply changes to the ulimit settings. After it reboots, reconnect to your VM using the following command:
sudo ssh [username]@[IP address of your VM]
Note:
To identify your username, run the following command.
whoami
Note:
To find the machine's IP address, run:
hostname -I
Example output: 192.168.x.x
After running the SSH command, type yes
when prompted to confirm the connection, then enter the superuser password when requested.
Run the Custom Script
Save your custom script in a file using nano
, and make sure it has a .sh
extension (e.g., setup.sh).
To use the custom script, locate the init.sh file in our repository. You’ll need to extract the files before running the script.
sudo chmod +x [filename].sh
You can find the custom script at the following repository address:
irancell-identity-access-managment/FC0-IAM-Core/src
To execute the script, run the following command:
sudo bash your_script.sh
You will be asked about Internet access on this box, as shown below.
If you have internet access, type Y
and press Enter.
The system will download (backend, frontend, and repo files, totaling approximately 100 GB), extract them locally, update your repository, and install essential base packages.
6. Install the MariaDB Database
When installing OpenIAM, you will be prompted to decide whether to install MariaDB (a popular open-source relational database management system) as your database server.
Important:
6.1 Prompt for MariaDB Installation
You will see a prompt asking if you want to install MariaDB locally:
Would you like to install MariaDB RDBMS locally? [y/n]:
Response:
If you want to use MariaDB (recommended for simple setups, demos, or small production environments), type Y
and press Enter.
If you prefer to use a different database, type N
.
Preparation for Installation:
If you answered Y
, the MariaDB installer will prepare the necessary files for installation and configuration.
6.2 Prepare for MariaDB Setup
After the preparation, you will go through a series of configuration prompts:
Root Password:
Enter current password for root (enter for none):
Action: Press Enter since no password has been set yet.
Note:
If you run this command (sudo bash your_script.sh
), you may be prompted to enter your root password
.
Root Password:
Set Root Password:
Set root password? [Y/n]:
Action: Press Y
and then Enter.
New Password:
You will need to create a new password for the root user:
New password:
Action: Type your desired password.
Note:
You will need this password later in the installation process.
Re-enter New Password:
You will be asked to confirm the new password:
Re-enter new password:
Action: Type the same password
again.
Security Options:
You will be prompted with several security-related questions:
Remove anonymous users?
Action: Press Y
and then Enter.
Note:
This enhances security by ensuring only authenticated users can access MariaDB.
-Disallow root login remotely?
Note:
If you're logging in remotely, press N
and then Enter.
If you're logging in locally, press Y
and then Enter
Note:
This reduces the risk of unauthorized access.
-Remove test database and access to it?
Action: Press Y
and then Enter.
Note:
This prevents potential security risks from an unused database.
-Reload privilege tables now?
Action: Press Y
and then Enter.
7.Infrastructure Services Setup
After MariaDB has been installed, the installer will move forward to a variety of infrastructure services such as the Vault, Redis, RabbitMQ and Cassandra, which is the storage for the graph database used in OpenIAM. This process will take 4-5 min
.
The snippet below, which follow the installation of MariaDB, shows a certificate being generated and the vault being initialized.
...
Certificate request self-signature ok
subject=C=US, ST=NY, L=NY, O=OPENIAM, OU=PRODUCTION, CN=localhost
Warning: -clcerts option ignored with -export
writing RSA key
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
[Storing /usr/local/openiam/jdk/lib/security/cacerts]
Created symlink /etc/systemd/system/multi-user.target.wants/etcd.service → /usr/lib/systemd/system/etcd.service.
Starting etcd...
Created symlink /etc/systemd/system/multi-user.target.wants/openiam-vault.service → /etc/systemd/system/openiam-vault.service.
Starting vault...
Wait vault service to wakeup
Initializing vault. This will only happen once. This will output the root token and unseal keys. Save them!
The installer will ask several questions during the initialization process. For most questions, a default value has been provided to simplify the effort for users new to OpenIAM. The sections which requires input from the installer are marked with the following message in the console:
=============== CRITICAL SECTION ===============
8.OpenIAM Schemas
OpenIAM uses two primary schemas:
openiam:
This is the main schema that stores various types of information essential for the OpenIAM platform, including:
- User profiles
- Policies
- Other critical data related to identity management.
activiti:
- This schema is specifically designed to manage workflows and their execution within the OpenIAM platform.
9.Database Credentials Setup Prompts
As part of the installation process, the installer asks the user to set up database users for each schema. Below are the key questions posed by the installer along with their explanations:
9.1 Set Username and Password for openiam
Question: What username do you want to set for the openiam schema?
Default: idmuser
Explanation: This is the database username that the OpenIAM application will use to manage the openiam schema. This username allows the application to perform various operations on the database, such as querying and updating user and policy information.
Question: What password do you want to set for the openiam username?
Default: idmuser
Explanation: This is the password associated with the username set in the previous step. It is essential for authenticating the database user when the OpenIAM application connects to the database.
9.2 Set Username and Password for activiti
Question: What username do you want to set for the activiti schema?
Default: idmuser (for MySQL)
Explanation: Similar to the openiam schema, this username will be used by the OpenIAM application to manage the activiti schema. It allows the application to handle workflow-related data.
Question: What password do you want to set for the activiti username?
Default: idmuser
Explanation: This password is for the user associated with the activiti schema. It is used to authenticate the connection between the OpenIAM application and the database for workflow management.
Example Output
Your output should be like this:
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
User to Access ElasticSearch. If you don't change it on the ES server side, leave it as elastic, default: elastic
Password for elastic to access ElasticSearch, default: VlyXHUBDuhgv6BTKjTz7TumtBZL8Zbmu
10. RabbitMQ Password Setup
RabbitMQ is used in OpenIAM as the message broker. This means it helps different parts of the application talk to each other.
The services in OpenIAM are loosely coupled, meaning they don’t rely on each other directly. Instead, they send messages through RabbitMQ.
All messages sent between services are encrypted (process of converting information), which keeps the data secure.
10.1 Setting the RabbitMQ Password
During installation, the installer will ask you to set a password for RabbitMQ.
A default password is provided for convenience, which ispasswd00
.
However, it’s important to use a strong password when setting this up for a production environment. This helps protect the messaging system from unauthorized access.
Set OpenIAM password for RabbitMQ message broker, default: passwd00
11.Redis Password Setup
Redis(Memory cache password)
Redis is an in-memory distributed cache used by OpenIAM to enhance system performance. This means it temporarily stores data in memory (RAM) for quick access.
It helps speed up operations by caching various types of objects, including:
- End User Web Sessions: Keeps track of user sessions for faster access.
- Database Object Cache: Stores frequently accessed database objects to reduce load times.
- High-Level Application Cache: Caches important application data for quick retrieval.
11.1 Setting the Redis Password
- During installation, you will be prompted to set a password for Redis.
- The default password provided is
passwd00
. - This password is important for securing access to the Redis cache, ensuring that only authorized users can access the cached data.
Set OpenIAM password for Redis., default: passwd00
12.Elasticsearch Credentials Setup
Elasticsearch is used by OpenIAM to perform fast searches on
- frequently used data. It allows users to quickly find information within the application.
- Just like Redis, access to Elasticsearch is secured with its own set of credentials.
Elasticsearch Credentials
You will be asked to provide a username for accessing Elasticsearch:
Default Username: The default username is elastic
. If you haven’t changed it on the Elasticsearch server, you can leave it as is.
You also need to set a password for the elastic
user:
Default Password: The default password is KtmHIv4yEhb4w7VRxhveTIDTHAgPfNmY
.
These credentials ensure that only authorized users can access and perform searches in Elasticsearch.
User to Access ElasticSearch. If you don't change it on the ES server side, leave it as elastic, default: elastic
OpenIAM password for elastic user to access ElasticSearch: KtmHIv4yEhb4w7VRxhveTIDTHAgPfNmY
13.Cassandra Service Initialization
Cassandra serves as the storage engine for Janus Graph DB, which is a graph database designed for handling large amounts of data across many servers.After gathering all necessary information (such as Elasticsearch credentials), the installer will proceed to install Cassandra.
Temporary Errors:
There may be error messages appearing in several lines of the .java files. Please disregard these errors; they occur because Cassandra requires some time to start up. The installer will wait for a while before continuing with the installation process.
Example Output
Your output should be like this:
Synchronizing state of cassandra.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable cassandra
Created symlink /etc/systemd/system/default.target.wants/cassandra.service → /etc/systemd/system/cassandra.service.
0
error: No nodes present in the cluster. Has this node finished starting up?
-- StackTrace --
java.lang.RuntimeException: No nodes present in the cluster. Has this node finished starting up?
...
Waiting for cassandra
1
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
UN 127.0.0.1 73.52 KiB 256 100.0% 5a7c7a99-aeaf-4576-9863-f226a7867ef0 rack1
Cassandra alive
Cassandra is ready to use. Continue...
14. Database Schema Initialization
This process involves setting up the database for OpenIAM. The installer will ask a series of questions, and based on your responses, it will configure the database accordingly.
Questions and Explanations
Current Version
Question: Use default value if this is a new installation. If you are doing an update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0.
Explanation: If upgrading, specify the version to determine which scripts to apply. For new installations, leave it blank.
OpenIAM Core Database Name
Question: This is the name of the OpenIAM core database.
Default: openiam
Explanation: Typically defaults to "openiam". Change only if custom scripts are used.
Activiti Database Name
Question: This is the name of the OpenIAM Activiti database.
Default: activiti
Explanation: Defaults to "activiti". Change only if scripts are altered.
Database Type
Question: Possible values: MySQL, Postgres, MSSQL, Oracle.
Default: MySQL
Explanation: Select the RDBMS type. Default is MySQL. Enter the appropriate value if using PostgreSQL, Oracle, or MSSQL.
Initialize Schema and Users
Question: Do you want to initialize OpenIAM Schema and Users? [y/n]
Explanation: If yes, the installer creates schemas and users. For Oracle/MSSQL, an SQL script will be generated for manual execution.
Super User Username
Question: Enter username for Super user (default: root).
Explanation: Requires a super user account with privileges to create schemas and users.
Super User Password
Question: Enter password for super user.
Explanation: Provide the password for the super user account specified earlier.
AWS RDS MariaDB
Question: Do you use AWS RDS MariaDB? [y/n]
Explanation: If yes, ensure the RDS DB instance has the parameter log_bin_trust_function_creators = 1
Note:
Select N
if AWS RDS MariaDB is not being used for this deployment.
OpenIAM Core Database Hostname
Question: This is the hostname of the OpenIAM core database.
Default: localhost
Explanation: Specify the server's host or DNS name for the primary database.
OpenIAM Core Database Port
Question: This is the port of the OpenIAM core database.
Default: 3306
Explanation: Enter the port number used by the database server.
Activiti Database Hostname
Question: This is the hostname of the Activiti database.
Default: localhost
Explanation: Specify the server's host or DNS name for the workflow database.
Activiti Database Port
Question: This is the port of the Activiti database.
Default: 3306
Explanation: Enter the port number used by the workflow database server.
Example Output
Your output should be like this:
Please validate information below
---------------------------------
FLYWAY_BASELINE_VERSION=0.0.0.0
FLYWAY_OPENIAM_DATABASE_NAME=openiam
FLYWAY_ACTIVITI_DATABASE_NAME=activiti
FLYWAY_OPENIAM_HOST=localhost
FLYWAY_OPENIAM_PORT=3306
FLYWAY_ACTIVITI_HOST=localhost
FLYWAY_ACTIVITI_PORT=3306
FLYWAY_DATABASE_TYPE=mysql
Database will be initialized=Y
Root (Db admin) user name=root
Root (Db admin) user password=openiam
---------------------------------
Please validate your input above, if you are OK with that enter 'y'. To repeat an information collecting procedure enter 'n' :y
Confirmation Process
After answering the questions, the installer will display a summary of your inputs. You need to confirm that everything is correct by selecting Y. When you confirm your inputs by selecting Y
, Flyway (Flyway serves as a utility for managing and versioning database schemas.) takes over the process of generating the database schema based on the configuration you provided. If you want to change any answers, select N to redo the input process.
15. Reverse Proxy Installation
The installer will prompt you with the question:
Do you want to install OpenIAM reverse proxy module? [y/n]:
Recommendation: It's generally advisable to enter y
(yes) to install the reverse proxy. This module is specifically designed for the OpenIAM stack and is beneficial in most deployment scenarios. The reverse proxy can work alongside other infrastructure components, such as F5 load balancers.
You may see this during installation so follow this structure and run commands that’s suggested :
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Installing : elasticsearch-7.17.26-1.x86 64 1/1
Running scriptlet: elasticsearch-7.17.26-1.x86 64 1/1
### NOT starting on installation, please execute the following statements to con figure elasticsearch service to start automatically using systemd sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
16. Initialization and SQL Scripts
Once you confirm the installations, the OpenIAM RPM installer will proceed to initialize the system. This step involves:
Applying necessary SQL scripts that are essential for the successful startup of the OpenIAM services.
Setting up the database and ensuring all required configurations are in place.
17. Startup Process
17.1 Overview and Duration
After initialization, the OpenIAM services will automatically start the application stack. This process generally takes around 10-15 minutes
.
You can monitor the status of the system as it starts up by using command-line tools that are part of the OpenIAM components. These tools provide insights into the current status of the application stack.
error message:
HTTP request sent, awaiting response... 404 Not Found
2023-11-09 21:04:58 ERROR 404: Not Found.
This error indicates that a requested resource could not be found. However, you are advised to ignore this message at this point in the installation process. It may not be critical to the overall installation and startup of OpenIAM.
The installation process has successfully finished. You are now ready to proceed with the next steps.
17.2 UI Container Startup Order
The containers that make up the OpenIAM application may take 8 to 15 minutes to start up completely. The exact time can vary depending on your environment and resource availability.
UI Container Startup
The UI container is typically one of the last to start because it has dependencies on other services. This means it waits for critical components to be operational before it can initialize.
Once you see the message Initialization completed successfully, you can start OpenIAM.
sudo openiam-cli start
you must see openiam starting
17.3 Monitoring the Startup Progress
Using the openiam-cli Utility
To check the status of the OpenIAM services, you can use the command:
openiam-cli status
This command will provide you with a status report of all OpenIAM components.
Note:
After running the status
command in openiam-cli, you may see some services marked as "down." This is normal — wait a few moments, and they should come up automatically.
Note:
If you run the openiam-cli status command before starting the services with sudo openiam-cli start, you'll see that the services are not running.
However, if you run sudo openiam-cli start and then immediately run openiam-cli status, but still see services marked as down, it may indicate a misconfiguration.
Example Output
Interpreting the Status Report
The output will look something like this:
Openiam Status report Fri Feb 21 09:49:32 PM UTC 2025
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - business-rule-manager - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - openiam-ui - Service working. Application status: [ UP ]
18. Validating OpenIAM UI
18.1 Using curl to Check UI Availability
Using the curl Command
To check if the OpenIAM UI is operational, you can run the following curl command:
curl -k -I -L http://127.0.0.1/idp/login
Expected Output
After executing the command, you should see an output similar to the following:
HTTP/1.1 200
Date: Fri, 21 Feb 2025 21:49:04 GMT
Server: Apache/2.4.61 (Red Hat Enterprise Linux) OpenSSL/3.2.2
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://127.0.0.1/selfservice/csp/report" } ] }
Content-Security-Policy: default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' data: https://chart.googleapis.com; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4970
Set-Cookie: SESSION=OWJiZDkwMTMtMDNmZC00NThmLWI5ZWEtYTljYzE4N2VhMTZh; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
HTTP Status Code
The http 200 indicates that the application is up and running and you can login.
First-Time Login to OpenIAM
Find the IP Address of Your VM
Before logging in, you need to determine the IP address of your virtual machine (VM) where OpenIAM is installed. You can usually find this in your cloud provider's dashboard or by using command-line tools.
19. First-Time Login to OpenIAM
Launch a web browser such as Chrome or Firefox.
Access the OpenIAM Web Console
In the address bar, enter the following URL, replacing [ip address of your installation] with the actual IP address of your VM:
http://[ip address of your installation]/webconsole
Login Credentials
You will be prompted to enter your login credentials. Use the following first-time login details:
Username: sysadmin
Password: passwd00
Enter Your Credentials
Enter the username sysadmin in the username field.
Click Next to proceed.
Authentication Process
Initial Password Entry
Upon logging in for the first time, you will be prompted to enter your existing password (the default password: passwd00
).
Password Change Requirement
After entering your initial password, you will be required to change it to a new password.
As you type your new password, a password policy will be displayed on the side, indicating the requirements that your new password must meet (e.g., length, complexity).
You can change both your password and the policy settings later if needed.
The next step involves defining a content provider using the screen displayed below. A content provider acts as an alias that represents a domain. It can be associated with various elements such as UI themes and authentication policies. For more detailed information on content providers, please refer to the documentation provided. The table below outlines the fields present on this screen.
Content Provider Name
Explanation: This field allows you to specify a name for the content provider, which acts as an "alias" for a domain. Essentially, it helps identify and reference the domain within the system.
Example: You might enter something like "Default CP" to represent the primary content provider for your setup. More detailed information can be found in the OpenIAM documentation.
Domain Pattern
Explanation: This field is automatically filled in and should contain the IP address or the DNS name of the server where OpenIAM is installed. It helps the system understand which domain or server to associate with the content provider.
Purpose: Ensures that the content provider is correctly linked to the appropriate server instance.
Application supports SSL?
Explanation: This setting determines whether the OpenIAM application will be accessed over a secure connection (HTTPS) or a standard connection (HTTP).
Recommendation: If you haven’t set up an SSL certificate yet, it’s advisable to select "Support on HTTP." You can change this setting later once the certificate is configured, allowing for secure access.
Application servers
Explanation: This field specifies the location of the OpenIAM service layer, which is essential for communication between the user interface (UI) and the reverse proxy (rProxy).
Default Setting: In most scenarios, the default setting will be correct since the UI and service layer are typically deployed on the same server. However, this option provides the flexibility to configure them on separate servers if needed, allowing for a more distributed architecture.
Once you have configured the content provider, you will proceed to the challenge questions page. The answers to these questions will be utilized to reset your admin account in the event that you become locked out. Please ensure you record your answers.
Note: You will have the option to update your password policy later. At that time, you can choose whether to use challenge questions and/or other methods for account recovery.
Once you reach the admin console landing page ( It provides a user-friendly interface for managing the system, monitoring its status, and configuring various settings. ), it’s important to allow the system approximately 5 minutes to refresh its internal cache. The internal cache is a temporary storage area that helps speed up data retrieval and improve performance.
20. Post Installation Information
20.1 Utilizing the OpenIAM Command Line Utility
OpenIAM offers a command line utility designed to assist you in monitoring the status of all components and executing common tasks, such as viewing logs, starting, and stopping services. The command to access this utility is openiam-cli.
By simply executing the command without any additional parameters, as demonstrated below, you will see a list of all available options:
openiam-cli
Example Output
Your output should be like this:
Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log |list-connectors|list-source-adapters}
Checking Status
To verify the status of the components or to confirm that the system is operational, you can use the following command:
openiam-cli statusCheck service logs
Checking Service Logs
To monitor the activities and troubleshoot issues within the OpenIAM system, you can check the current logs of any service. The logs provide valuable information about the service's operations, errors, and other relevant events.
Command to View Logs:
To view the logs for a specific service, you use the command:
openiam-cli log <service_name>
Replace with the actual name of the service whose logs you want to check.
Getting the List of Services:
Before checking the logs, you may want to know which services are available. You can retrieve the list of services by running the command:
openiam-cli log <service_name>
This command will provide you with the names of the services that you can query for logs.
Example Command:
For instance, if you want to check the logs of the openiam-esb module, you would execute:
openiam-cli log openiam-esb
This command will display the logs specifically related to the openiam-esb service, allowing you to review its activity and identify any potential issues
Start and Stop Services
You can also control the OpenIAM services using the command line. Here’s how:
To Stop OpenIAM:
openiam-cli stop
Purpose: This command stops all running OpenIAM services. You can confirm that the services have stopped by using the status command.
To Start OpenIAM:
openiam-cli start
Purpose: This command starts the OpenIAM application and its associated services.
Checking the Health of the Application
Health checks are essential for monitoring the status of applications like OpenIAM. They allow you to verify that the application components are running correctly and are responsive.
Health Check for the ESB (Enterprise Service Bus)
To validate the health of the openiam-esb component, you can use the following command:
curl http://localhost:9080/openiam-esb/actuator/health
Purpose: This command sends a request to the health endpoint of the openiam-esb service.
Health Check for the UI
To validate the health of the OpenIAM UI, you can use this command:
curl -k http://localhost:9080/idp/actuator/health
Purpose: This command checks the health of the UI component by sending a request to its health endpoint.
21. OpenIAM Core Services Overview
21.1 RAM Allocation per Service
openiam-esb: Provides Web Service API and core functionalities. (2048m RAM)
workflow: Manages Business Workflow functionalities. (768m RAM)
groovy-manager: Supports Groovy extension functionalities. (256m RAM)
idm: Handles provisioning to target systems. (512m RAM)
reconciliation: Performs reconciliation against target systems. (512m RAM)
email-manager: Manages sending and receiving emails. (256m RAM)
auth-manager: Provides end-user authorization functionalities. (1024m RAM)
device-manager: Manages device functionalities for iOS and Android. (256m RAM)
business-rule-manager: Manages business rules functionality. (512m RAM)
openiam-ui: Web server (Tomcat) providing the graphical interface. (2048m RAM)
Troubleshooting
Elasticsearch Timeout Error: Set SELinux mode to Permissive to resolve initialization issues.
VM Reboot/Application Restart: Use openiam-cli stop
to shut down OpenIAM before rebooting or restarting to prevent vault sealing and startup failures.
22. Troubleshooting Tips
Elasticsearch Timeout Error: Set SELinux mode to Permissive to resolve initialization issues.
VM Reboot/Application Restart: Use openiam-cli stop to shut down OpenIAM before rebooting or restarting to prevent vault sealing and startup failures
Top comments (1)
Thank you