Introduction
OpenIAM is a software that helps organizations manage user access securely. This guide will walk you through a simple way to install OpenIAM on a Single VM (Virtual Machine) without needing deep technical knowledge.
Installation Overview
You will:
- Prepare your system (check system requirements).
- Download and set up a Linux operating system (CentOS).
- Connect to your VM.
- Install necessary system tools.
- Start the OpenIAM installation.
Step 1: System Requirements
When setting up OpenIAM, you have two deployment options based on your needs.
- If you are developing, testing, or experimenting, you can use a Non-Production setup with lower system requirements.
- If you are running OpenIAM in a live environment with real users and high traffic, you should use a Production setup with higher resources for stability and performance.
Choose the appropriate option based on your environment and requirements.
Non-Production
Use when testing, developing, or running environments where performance, high availability, and scalability are not critical.
- Memory: 48 GB
- CPU: 8 CPUs
- Disk: 80 GB
Production
Use when running a live, high-availability environment with significant traffic, real users, and critical security needs.
- Memory: 64 GB
- CPU: 12 CPUs
- Disk: 200 GB
To check your system, run these commands:
lscpu # Checks CPU
free -m # Checks memory
cat /etc/os-release # Shows OS version
df -H # Checks disk space
Example Outputs
Check CPU
[root@server ~]# lscpu
Architecture: x86_64
CPU(s): 8
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 8
CPU MHz: 2199.994
Hypervisor vendor: KVM
Check Memory
[root@server ~]# free -m
total used free shared buff/cache available
Mem: 31959 221 31473 16 264 31341
Swap: 511 0 511
Check Operating System
[root@server ~]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
VERSION_ID="8"
PRETTY_NAME="CentOS Stream 8"
Check Disk Space
[root@server ~]# df -H
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/cs-root 52G 2.4G 49G 5% /
/dev/mapper/cs-home 25G 209M 25G 1% /home
/dev/sda1 1.1G 295M 769M 28% /boot
Step 2: Download CentOS
OpenIAM works best with CentOS (a version of Linux). If you don’t have it yet, download it here:
➡ CentOS Download
Step 3: Choose a Virtualization Platform
You can use one of the following platforms to create a VM:
VirtualBox (Free, cross-platform)
VirtualBox is a free and open-source virtualization software that works on multiple operating systems including Windows, macOS, and Linux. Ideal for beginners and casual users.VMware Workstation Player (Free for personal use)
VMware Workstation Player is a free version of VMware’s virtualization software for non-commercial use. It’s easy to use and supports advanced features for virtual environments.Hyper-V (Built into Windows Pro/Enterprise)
Hyper-V is a Microsoft virtualization technology available in Windows Pro and Enterprise editions. It's useful for creating and managing virtual machines directly from your Windows OS.Proxmox (For advanced users, open-source)
Proxmox VE is an open-source virtualization platform that combines KVM for virtual machines and LXC for containers. It’s a powerful solution for data centers or more advanced use cases.KVM/QEMU (Linux-based, powerful for server environments)
KVM (Kernel-based Virtual Machine) and QEMU (Quick Emulator) are popular virtualization technologies for Linux servers. They’re ideal for creating high-performance virtual machines on Linux-based systems.
Step 4: Connect to Your VM
You can use SSH to securely access and manage your VM remotely. SSH is essential because most VMs run without a graphical interface, and it allows encrypted communication over the network. Before connecting, ensure the SSH port is open and OpenSSH is installed; otherwise, the connection won’t work.
- Find your VM’s IP Address Run this command:
ip addr
-
Connect to your VM
Use SSH (a remote login tool) to connect. Replace
[your VM's IP]with your actual VM address:
ssh root@[your VM's IP]
Example:
ssh root@172.16.101.128
If you're using Windows, you can use PuTTY (a simple and effective tool for managing remote servers securely).
Download PuTTY here: PuTTY Download
Step 5: Install Necessary Tools
Before installing OpenIAM, install some basic system tools. Run:
dnf install -y tar wget curl vim
Why Install tar?
The tar command is essential because it allows you to extract installation files that are often distributed as compressed archives (.tar.gz or .tar.bz2). Without tar, you may not be able to properly extract and install OpenIAM.
This will ensure the system can extract files and manage installations efficiently.
Step 6: Choose Installation Method
- With Internet Access: The system will automatically download the required files.
- Without Internet Access: You will need to manually download and transfer the required packages to the server. Note: This document assumes that the installation is being performed with Internet Access.
1. Pre-requisite: Internet Access Check
Before starting the installation, ensure that the server can connect to the OpenIAM website.
Run the command:
curl https://openiam.com/; echo $?
If the output is 0, your server can reach the website, and you're good to proceed. If you get a non-zero result, the server can't reach the website. You'll need to resolve the connectivity issue or consider using offline installation instructions.
2. Download the OpenIAM RPM Installer
Download the installer from OpenIAM using the following command:
curl https://download.openiam.com/release/enterprise/4.2.1.11/rpm/openiam-4.2.1.11.noarch.x86_64.rpm --output openiam-4.2.1.11.noarch.x86_64.rpm
Important Notes:
Version Consistency: Always ensure that both instances of the version number in the command are updated to avoid any issues with downloading the correct installer file.
Replace X: If you need to install a different version, replace the version numbers appropriately.
Example for Version 12:
If you want to install version 4.2.1.12, update the command as follows:
curl https://download.openiam.com/release/enterprise/4.2.1.12/rpm/openiam-4.2.1.12.noarch.x86_64.rpm --output openiam-4.2.1.12.noarch.x86_64.rpm
This practice helps prevent potential errors related to mismatched versions. Always double-check the version numbers before executing the command.
The installation process will also update the system's ulimit ( a command in Unix and Linux systems that allows you to control the user process resource limits).
3. Install the RPM Package
Once the download is complete, install OpenIAM using the following command:
sudo rpm -i openiam-4.2.X.noarch.x86_64.rpm
Example Output
Your output should be like this:
openiam/
openiam/jdk/
openiam/jdk/lib/
openiam/jdk/lib/server/
openiam/jdk/lib/server/libjvm.so
openiam/jdk/lib/server/Xusage.txt
openiam/jdk/lib/server/libjsig.so
openiam/jdk/lib/libmlib_image.so
openiam/jdk/lib/libawt_xawt.so
openiam/jdk/lib/jspawnhelper
openiam/jdk/lib/psfont.properties.ja
openiam/jdk/lib/jli/
openiam/jdk/lib/jli/libjli.so
openiam/jdk/lib/libawt_headless.so
openiam/jdk/lib/librmi.so
openiam/jdk/lib/libfontmanager.so
openiam/jdk/lib/libawt.so
openiam/jdk/lib/libjimage.so
openiam/jdk/lib/libj2pkcs11.so
openiam/jdk/lib/libzip.so
openiam/jdk/lib/libjsound.so
openiam/jdk/lib/psfontj2d.properties
openiam/jdk/lib/security/
openiam/jdk/lib/security/default.policy
openiam/jdk/lib/security/public_suffix_list.dat
openiam/jdk/lib/security/blacklisted.certs
openiam/jdk/lib/security/cacerts
openiam/jdk/lib/libjdwp.so
...
Your VM will reboot to apply changes to the ulimit settings. After it reboots, reconnect to your VM using the following command:
ssh [username]@[IP address of your VM]
4. Initialize the Installation
To start the initialization process and download the required files from the OpenIAM server, use the following command:
sudo openiam-cli init
Internet Access Confirmation
You will be prompted to confirm Internet access on your machine. When asked, type y and press Enter.
The system will download additional files, extract them locally, update your repository, and install some base packages. You will see output similar to the following:
Initialize openiam
Download file openiamrepo.tar.gz from OpenIAM website
Download file backend.tar.gz from OpenIAM website
Download file frontend.tar.gz from OpenIAM website
workflow.jar
synchronization.jar
reconciliation.jar
openiam-esb.jar
idm.jar
groovy-manager.jar
email-manager.jar
device-manager.jar
business-rule-manager.jar
auth-manager.jar
idp.war
openiam-ui-static.war
selfservice-ext.war
selfservice.war
webconsole.war
reportviewer.war
openiamrepo/
openiamrepo/copy-jdk-configs-3.7-4.el8.noarch.rpm
openiamrepo/graphite2-1.3.10-10.el8.x86_64.rpm
openiamrepo/httpd-tools-2.4.37-39.module_el8.4.0+778+c970deab.x86_64.rpm
openiamrepo/mod_http2-1.15.7-3.module_el8.4.0+778+c970deab.x86_64.rpm
openiamrepo/libXdamage-1.1.4-14.el8.x86_64.rpm
openiamrepo/libXinerama-1.1.4-1.el8.x86_64.rpm
openiamrepo/perl-Math-BigInt-1.9998.11-7.el8.noarch.rpm
openiamrepo/mariadb-10.3.28-1.module_el8.3.0+757+d382997d.x86_64.rpm
openiamrepo/libXau-1.0.9-3.el8.x86_64.rpm
openiamrepo/libXcursor-1.1.15-3.el8.x86_64.rpm
openiamrepo/erlang-24.0.3-1.el8.x86_64.rpm
openiamrepo/oniguruma-6.8.2-2.el8.x86_64.rpm
openiamrepo/mariadb-server-utils-10.3.28-1.module_el8.3.0+757+d382997d.x86_64.rpm
openiamrepo/nss-util-3.53.1-17.el8_3.x86_64.rpm
openiamrepo/apr-util-openssl-1.6.1-6.el8.x86_64.rpm
...
Install 4 Packages
Total download size: 685 k
Installed size: 1.6 M
Downloading Packages:
(1/4): telnet-0.17-76.el8.x86_64.rpm 474 kB/s | 72 kB 00:00
(2/4): oniguruma-6.8.2-2.el8.x86_64.rpm 1.0 MB/s | 187 kB 00:00
(3/4): j q-1.6-8.e18.x86_64.rpm 621 kB/s | 203 kB 00:00
(4/4): m4-l.4.18-7.el8.x86_64.rpm 1.0 MB/s | 223 kB 00:00
-----------------------------------------------------------------------------
Total 1.8 MB/s | 685 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : oniguruma-6.8.2-2.el8.x86_64 1/4
Running scriptlet: oniguruma-6.8.2-2.el8.x86_64 1/4
Installing : jq-1.6-8.el8.x86_64 2/4
Installing : m4-1.4.18-7.el8.x86_64 3/4
Running scriptlet: m4-1.4.18-7.el8.x86_64 3/4
Installing : telnet-1:0.17-76.el8.x86_64 4/4
Running scriptlet: telnet-1:0.17-76.el8.x86_64 4/4
Verifying : jq-1.6-8.el8.x86_64 1/4
Verifying : oniguruma-6.8.2-2.el8.x86_64 2/4
Verifying : telnet-1:0.17-76.el8.x86_64 3/4
Verifying : m4-1.4.18-7.el8.x86_64 4/4
Installed:
j q-1.6-8.el8.x86_64 m4-l.4.18-7.el8.x86_64
oniguruma-6.8.2-2.el8.x86_64 telnet-1:0.17-76.el8.x86_64
Complete!
5. Install the MariaDB
When installing OpenIAM, you will be prompted to decide whether to install MariaDB (a popular open-source relational database management system) as your database server.
1. Prompt for Installation:
You will see a prompt asking if you want to install MariaDB locally:
Would you like to install MariaDB RDBMS locally? [y/n]:
Response:
If you want to use MariaDB (recommended for simple setups, demos, or small production environments), type Y and press Enter.
If you prefer to use a different database, type N.
2. Preparation for Installation:
If you answered Y, the MariaDB installer will prepare the necessary files for installation and configuration.
Configuration Steps
After the preparation, you will go through a series of configuration prompts:
1. Root Password:
Enter current password for root (enter for none):
Action: Press Enter since no password has been set yet.
Root Password:
2.Set Root Password:
Set root password? [Y/n]:
Action: Press Y and then Enter.
3.New Password:
You will need to create a new password for the root user:
New password:
Action: Type your desired password (it is recommended to use passwd00 for consistency with OpenIAM).
4.Re-enter New Password:
You will be asked to confirm the new password:
Re-enter new password:
Action: Type the same password again.
5. Security Options:
You will be prompted with several security-related questions:
Remove anonymous users?
Action: Press Y and then Enter.
-Disallow root login remotely?
Action: Press Y and then Enter.
-Remove test database and access to it?
Action: Press Y and then Enter.
-Reload privilege tables now?
Action: Press Y and then Enter.
Example Output
Your output should be like this:
Important Note
It is crucial for the successful installation of OpenIAM that you set the root password for MariaDB to passwd00 . This ensures that OpenIAM can connect to the database without issues later on.
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED
FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current password
for the root user. If you've just installed MariaDB, and you haven't set
the root password yet, the password will be blank, so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into
the MariaDB root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user,
allowing anyone to log into MariaDB without having to have
a user account created for them. This is intended only for testing,
and to make the installation go a bit smoother. You should
remove them before moving into a production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'.
This ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all
changes made so far will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps,
your MariaDB installation should now be secure.
Thanks for using MariaDB!
Infrastructure Services Setup
After successfully installing MariaDB, the OpenIAM installer will proceed to set up several critical infrastructure services that are essential for the application's functionality. These services include:
Etcd: A distributed key-value store used for configuration management and service discovery.
Vault: A tool for securely accessing secrets, such as API keys and passwords.
Redis: An in-memory data structure store, commonly used as a database, cache, and message broker.
RabbitMQ: A message broker that facilitates communication between different parts of the application.
Cassandra: A NoSQL database that serves as the storage backend for the graph database used in OpenIAM.
Installation Duration
The entire setup process for these infrastructure services typically takes about 4-5 minutes. During this time, you will see various output messages indicating the progress of the installation.
Example Output
You might encounter output messages similar to the following during the installation:
...
Wait vault service to wakeup
Vault already initialized....
Vault already unsealed...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 260 100 260 0 0 26000 0 --:--:-- --:--:-- --:--:-- 26000
Generate OpenIAM encryption secrets
=============== CRITICAL SECTION ===============
OpenIAM Schemas
OpenIAM uses two primary schemas:
openiam:
This is the main schema that stores various types of information essential for the OpenIAM platform, including:
- User profiles
- Policies
- Other critical data related to identity management.
activiti:
- This schema is specifically designed to manage workflows and their execution within the OpenIAM platform.
Database Credentials Setup Prompts
As part of the installation process, the installer asks the user to set up database users for each schema. Below are the key questions posed by the installer along with their explanations:
1. Set OpenIAM username for schema openiam
Question: What username do you want to set for the openiam schema?
Default: idmuser
Explanation: This is the database username that the OpenIAM application will use to manage the openiam schema. This username allows the application to perform various operations on the database, such as querying and updating user and policy information.
2. Set OpenIAM password for schema openiam
Question: What password do you want to set for the openiam username?
Default: idmuser
Explanation: This is the password associated with the username set in the previous step. It is essential for authenticating the database user when the OpenIAM application connects to the database.
3. Set OpenIAM username for schema activiti
Question: What username do you want to set for the activiti schema?
Default: idmuser (for MySQL)
Explanation: Similar to the openiam schema, this username will be used by the OpenIAM application to manage the activiti schema. It allows the application to handle workflow-related data.
4. Set OpenIAM password for schema activiti
Question: What password do you want to set for the activiti username?
Default: idmuser
Explanation: This password is for the user associated with the activiti schema. It is used to authenticate the connection between the OpenIAM application and the database for workflow management.
Example Output
Your output should be like this:
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser : passwd00
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti: passwd00
RabbitMQ (Message broker password)
RabbitMQ is used in OpenIAM as the message broker. This means it helps different parts of the application talk to each other.
The services in OpenIAM are loosely coupled, meaning they don’t rely on each other directly. Instead, they send messages through RabbitMQ.
All messages sent between services are encrypted (process of converting information), which keeps the data secure.
Password Setup for RabbitMQ
During installation, the installer will ask you to set a password for RabbitMQ.
A default password is provided for convenience, which ispasswd00.
However, it’s important to use a strong password when setting this up for a production environment. This helps protect the messaging system from unauthorized access.
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Redis(Memory cache password)
Redis is an in-memory distributed cache used by OpenIAM to enhance system performance. This means it temporarily stores data in memory (RAM) for quick access.
It helps speed up operations by caching various types of objects, including:
- End User Web Sessions: Keeps track of user sessions for faster access.
- Database Object Cache: Stores frequently accessed database objects to reduce load times.
- High-Level Application Cache: Caches important application data for quick retrieval.
Password Setup for Redis
- During installation, you will be prompted to set a password for Redis.
- The default password provided is
passwd00. - This password is important for securing access to the Redis cache, ensuring that only authorized users can access the cached data.
Set OpenIAM password for Redis., default: passwd00
Elasticsearch
Elasticsearch is used by OpenIAM to perform fast searches on
- frequently used data. It allows users to quickly find information within the application.
- Just like Redis, access to Elasticsearch is secured with its own set of credentials.
Elasticsearch Credentials
You will be asked to provide a username for accessing Elasticsearch:
Default Username: The default username is elastic. If you haven’t changed it on the Elasticsearch server, you can leave it as is.
You also need to set a password for the elastic user:
Default Password: The default password is KtmHIv4yEhb4w7VRxhveTIDTHAgPfNmY.
These credentials ensure that only authorized users can access and perform searches in Elasticsearch.
User to Access ElasticSearch. If you don't change it on the ES server side, leave it as elastic, default: elastic
OpenIAM password for elastic user to access ElasticSearch: KtmHIv4yEhb4w7VRxhveTIDTHAgPfNmY
Cassandra
Cassandra serves as the storage engine for Janus Graph DB, which is a graph database designed for handling large amounts of data across many servers.After gathering all necessary information (such as Elasticsearch credentials), the installer will proceed to install Cassandra.
Temporary Errors:
There may be error messages appearing in several lines of the .java files. Please disregard these errors; they occur because Cassandra requires some time to start up. The installer will wait for a while before continuing with the installation process.
Example Output
Your output should be like this:
...
Waiting for cassandra
4
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
UN 127.0.0.1 73.49 KiB 256 100.0% 9af6453b-2428-4927-9e6a-bb0be15b3fa9 rack1
Cassandra alive
Cassandra is ready to use. Continue...
Database Schema Initialization
This process involves setting up the database for OpenIAM. The installer will ask a series of questions, and based on your responses, it will configure the database accordingly.
Questions and Explanations
Current Version
Question: Use default value if this is a new installation. If you are doing an update, specify your current (before update) version here, like 4.1.11.0, default: 0.0.0.0.
Explanation: If upgrading, specify the version to determine which scripts to apply. For new installations, leave it blank.
OpenIAM Core Database Name
Question: This is the name of the OpenIAM core database.
Default: openiam.
Explanation: Typically defaults to "openiam". Change only if custom scripts are used.
Activiti Database Name
Question: This is the name of the OpenIAM Activiti database.
Default: activiti.
Explanation: Defaults to "activiti". Change only if scripts are altered.
Database Type
Question: Possible values: MySQL, Postgres, MSSQL, Oracle.
Default: MySQL.
Explanation: Select the RDBMS type. Default is MySQL. Enter the appropriate value if using PostgreSQL, Oracle, or MSSQL.
Initialize Schema and Users
Question: Do you want to initialize OpenIAM Schema and Users? [y/n]
Explanation: If yes, the installer creates schemas and users. For Oracle/MSSQL, an SQL script will be generated for manual execution.
Super User Username
Question: Enter username for Super user (default: root).
Explanation: Requires a super user account with privileges to create schemas and users.
Super User Password
Question: Enter password for super user.
Explanation: Provide the password for the super user account specified earlier.
AWS RDS MariaDB
Question: Do you use AWS RDS MariaDB? [y/n]
Explanation: If yes, ensure the RDS DB instance has the parameter log_bin_trust_function_creators = 1.
OpenIAM Core Database Hostname
Question: This is the hostname of the OpenIAM core database.
Default: localhost.
Explanation: Specify the server's host or DNS name for the primary database.
OpenIAM Core Database Port
Question: This is the port of the OpenIAM core database.
Default: 3306.
Explanation: Enter the port number used by the database server.
Activiti Database Hostname
Question: This is the hostname of the Activiti database.
Default: localhost.
Explanation: Specify the server's host or DNS name for the workflow database.
Activiti Database Port
Question: This is the port of the Activiti database.
Default: 3306.
Explanation: Enter the port number used by the workflow database server.
Example Output
Your output should be like this:
Please validate information below
---------------------------------
FLYWAY_BASELINE_VERSION=0.0.0.0
FLYWAY_OPENIAM_DATABASE_NAME=openiam
FLYWAY_ACTIVITI_DATABASE_NAME=activiti
FLYWAY_OPENIAM_HOST=localhost
FLYWAY_OPENIAM_PORT=3306
FLYWAY_ACTIVITI_HOST=localhost
FLYWAY_ACTIVITI_PORT=3306
FLYWAY_DATABASE_TYPE=mysql
Database will be initialized=Y
Root (Db admin) user name=root
Root (Db admin) user password=openiam
---------------------------------
Please validate your input above, if you are OK with that enter 'y'. To repeat an information collecting procedure enter 'n' :y
Confirmation Process
After answering the questions, the installer will display a summary of your inputs. You need to confirm that everything is correct by selecting Y. When you confirm your inputs by selecting 'Y', Flyway (Flyway serves as a utility for managing and versioning database schemas.) takes over the process of generating the database schema based on the configuration you provided. If you want to change any answers, select N to redo the input process.
Reverse Proxy Installation
The installer will prompt you with the question:
Do you want to install OpenIAM reverse proxy module? [y/n]:
Recommendation: It's generally advisable to enter y (yes) to install the reverse proxy. This module is specifically designed for the OpenIAM stack and is beneficial in most deployment scenarios. The reverse proxy can work alongside other infrastructure components, such as F5 load balancers.
Updating Apache (httpd)
After deciding on the reverse proxy installation, the installer may ask:
Do you want to update httpd to 2.4.57 ? [y/n]:
Recommendation: Again, it is usually best to enter y (yes) to update the httpd software to the latest version (2.4.57). This ensures that you have the latest features, security patches, and performance improvements.
Initialization and SQL Scripts
Once you confirm the installations, the OpenIAM RPM installer will proceed to initialize the system. This step involves:
Applying necessary SQL scripts that are essential for the successful startup of the OpenIAM services.
Setting up the database and ensuring all required configurations are in place.
Startup Process
After initialization, the OpenIAM services will automatically start the application stack. This process generally takes around 10-15 minutes.
You can monitor the status of the system as it starts up by using command-line tools that are part of the OpenIAM components. These tools provide insights into the current status of the application stack.
error message:
HTTP request sent, awaiting response... 404 Not Found
2023-11-09 21:04:58 ERROR 404: Not Found.
This error indicates that a requested resource could not be found. However, you are advised to ignore this message at this point in the installation process. It may not be critical to the overall installation and startup of OpenIAM.
The installation process has successfully finished. You are now ready to proceed with the next steps.
Startup Process
Startup Duration
The containers that make up the OpenIAM application may take 8 to 15 minutes to start up completely. The exact time can vary depending on your environment and resource availability.
UI Container Startup
The UI container is typically one of the last to start because it has dependencies on other services. This means it waits for critical components to be operational before it can initialize.
Monitoring the Startup Process
Using the openiam-cli Utility
To check the status of the OpenIAM services, you can use the command:
openiam-cli status
This command will provide you with a status report of all OpenIAM components.
Example Output
Interpreting the Status Report
The output will look something like this:
Openiam Status report Thu May 12 19:05:50 UTC 2022
[OK] - openiam-esb - Service working. Application status: [ UP ]
[OK] - workflow - Service working. Application status: [ UP ]
[OK] - groovy-manager - Service working. Application status: [ UP ]
[OK] - idm - Service working. Application status: [ UP ]
[OK] - reconciliation - Service working. Application status: [ UP ]
[OK] - email-manager - Service working. Application status: [ UP ]
[OK] - auth-manager - Service working. Application status: [ UP ]
[OK] - business-rule-manager - Service working. Application status: [ UP ]
[OK] - synchronization - Service working. Application status: [ UP ]
[OK] - device-manager - Service working. Application status: [ UP ]
[ERROR] - sas-manager - Service is not running.
[OK] - openiam-ui - Service working. Application status: [ UP ]
Explanation:
Each line indicates the status of a specific service:
[OK] means the service is operational and its application status is UP.
[ERROR] indicates that the service is not running.
The SAS-Manager (Service Access System Manager) is a component of the OpenIAM architecture that is responsible for managing integrations with external systems and services.
It typically facilitates the communication and data exchange between OpenIAM and other applications, such as identity providers, authentication services, or any third-party systems that require access to identity management functionalities.
SAS-Manager Error
In the output, you may notice an error related to the sas-manager:
[ERROR] - sas-manager - Service is not running.
Note: This error can be ignored. The SAS-Manager is associated with an integration that is not currently supported and will be removed in future versions of OpenIAM. Therefore, it does not affect the overall functionality of the system.
Validating the Startup of OpenIAM UI
Using the curl Command
To check if the OpenIAM UI is operational, you can run the following curl command:
curl -k -I -L http://127.0.0.1/idp/login
Expected Output
After executing the command, you should see an output similar to the following:
HTTP/1.1 200
Date: Wed, 19 Jan 2022 23:04:10 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "http://127.0.0.1/selfservice/csp/report" } ] }
Content-Security-Policy: default-src 'self' blob: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; form-action 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' *; font-src 'self' *; report-uri /selfservice/csp/report; report-to csp-endpoint
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-UA-Compatible: IE=EmulateIE10
x-openiam-force-auth: false
x-openiam-login-uri: /idp/login
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 4833
Set-Cookie: SESSION=YzgxOGJkYzItNzIwYi00MGYwLTk4OTItM2JlMDY4ZWIwY2Ey; Path=/; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
HTTP Status Code
The key part of the output is the HTTP status code:
HTTP/1.1 200
A status code of 200 indicates that the request was successful, meaning the UI is up and running. You can proceed to log in.
First-Time Login to OpenIAM
Find the IP Address of Your VM
Before logging in, you need to determine the IP address of your virtual machine (VM) where OpenIAM is installed. You can usually find this in your cloud provider's dashboard or by using command-line tools.
Open Your Web Browser
Launch a web browser such as Chrome or Firefox.
Access the OpenIAM Web Console
In the address bar, enter the following URL, replacing [ip address of your installation] with the actual IP address of your VM:
http://[ip address of your installation]/webconsole
Login Credentials
You will be prompted to enter your login credentials. Use the following first-time login details:
Username: sysadmin
Password: passwd00
Enter Your Credentials
Enter the username sysadmin in the username field.
Click Next to proceed.
Authentication Process
Initial Password Entry
Upon logging in for the first time, you will be prompted to enter your existing password (the default password: passwd00).
Password Change Requirement
After entering your initial password, you will be required to change it to a new password.
As you type your new password, a password policy will be displayed on the side, indicating the requirements that your new password must meet (e.g., length, complexity).
You can change both your password and the policy settings later if needed.
The next step involves defining a content provider using the screen displayed below. A content provider acts as an alias that represents a domain. It can be associated with various elements such as UI themes and authentication policies. For more detailed information on content providers, please refer to the documentation provided. The table below outlines the fields present on this screen.
Content Provider Name
Explanation: This field allows you to specify a name for the content provider, which acts as an "alias" for a domain. Essentially, it helps identify and reference the domain within the system.
Example: You might enter something like "Default CP" to represent the primary content provider for your setup. More detailed information can be found in the OpenIAM documentation.
Domain Pattern
Explanation: This field is automatically filled in and should contain the IP address or the DNS name of the server where OpenIAM is installed. It helps the system understand which domain or server to associate with the content provider.
Purpose: Ensures that the content provider is correctly linked to the appropriate server instance.
Application supports SSL?
Explanation: This setting determines whether the OpenIAM application will be accessed over a secure connection (HTTPS) or a standard connection (HTTP).
Recommendation: If you haven’t set up an SSL certificate yet, it’s advisable to select "Support on HTTP." You can change this setting later once the certificate is configured, allowing for secure access.
Application servers
Explanation: This field specifies the location of the OpenIAM service layer, which is essential for communication between the user interface (UI) and the reverse proxy (rProxy).
Default Setting: In most scenarios, the default setting will be correct since the UI and service layer are typically deployed on the same server. However, this option provides the flexibility to configure them on separate servers if needed, allowing for a more distributed architecture.
Once you have configured the content provider, you will proceed to the challenge questions page. The answers to these questions will be utilized to reset your admin account in the event that you become locked out. Please ensure you record your answers.
Note: You will have the option to update your password policy later. At that time, you can choose whether to use challenge questions and/or other methods for account recovery.
Once you reach the admin console landing page ( It provides a user-friendly interface for managing the system, monitoring its status, and configuring various settings. ), it’s important to allow the system approximately 5 minutes to refresh its internal cache. The internal cache is a temporary storage area that helps speed up data retrieval and improve performance.
Post Installation Information
Utilizing the OpenIAM Command Line Utility
OpenIAM offers a command line utility designed to assist you in monitoring the status of all components and executing common tasks, such as viewing logs, starting, and stopping services. The command to access this utility is openiam-cli.
By simply executing the command without any additional parameters, as demonstrated below, you will see a list of all available options:
openiam-cli
Example Output
Your output should be like this:
Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log |list-connectors|list-source-adapters}
Checking Status
To verify the status of the components or to confirm that the system is operational, you can use the following command:
openiam-cli statusCheck service logs
Checking Service Logs
To monitor the activities and troubleshoot issues within the OpenIAM system, you can check the current logs of any service. The logs provide valuable information about the service's operations, errors, and other relevant events.
Command to View Logs:
To view the logs for a specific service, you use the command:
openiam-cli log <service_name>
Replace with the actual name of the service whose logs you want to check.
Getting the List of Services:
Before checking the logs, you may want to know which services are available. You can retrieve the list of services by running the command:
openiam-cli log <service_name>
This command will provide you with the names of the services that you can query for logs.
Example Command:
For instance, if you want to check the logs of the openiam-esb module, you would execute:
openiam-cli log openiam-esb
This command will display the logs specifically related to the openiam-esb service, allowing you to review its activity and identify any potential issues
Start and Stop Services
You can also control the OpenIAM services using the command line. Here’s how:
To Stop OpenIAM:
openiam-cli stop
Purpose: This command stops all running OpenIAM services. You can confirm that the services have stopped by using the status command.
To Start OpenIAM:
openiam-cli start
Purpose: This command starts the OpenIAM application and its associated services.
Checking the Health of the Application
Health checks are essential for monitoring the status of applications like OpenIAM. They allow you to verify that the application components are running correctly and are responsive.
Health Check for the ESB (Enterprise Service Bus)
To validate the health of the openiam-esb component, you can use the following command:
curl http://localhost:9080/openiam-esb/actuator/health
Purpose: This command sends a request to the health endpoint of the openiam-esb service.
Health Check for the UI
To validate the health of the OpenIAM UI, you can use this command:
curl -k http://localhost:9080/idp/actuator/health
Purpose: This command checks the health of the UI component by sending a request to its health endpoint.
OpenIAM Core Services
openiam-esb: Provides Web Service API and core functionalities. (2048m RAM)
workflow: Manages Business Workflow functionalities. (768m RAM)
groovy-manager: Supports Groovy extension functionalities. (256m RAM)
idm: Handles provisioning to target systems. (512m RAM)
reconciliation: Performs reconciliation against target systems. (512m RAM)
email-manager: Manages sending and receiving emails. (256m RAM)
auth-manager: Provides end-user authorization functionalities. (1024m RAM)
device-manager: Manages device functionalities for iOS and Android. (256m RAM)
business-rule-manager: Manages business rules functionality. (512m RAM)
openiam-ui: Web server (Tomcat) providing the graphical interface. (2048m RAM)
Troubleshooting
Elasticsearch Timeout Error: Set SELinux mode to Permissive to resolve initialization issues.
VM Reboot/Application Restart: Use openiam-cli stop to shut down OpenIAM before rebooting or restarting to prevent vault sealing and startup failures.
Troubleshooting
Elasticsearch Timeout Error: Set SELinux mode to Permissive to resolve initialization issues.
VM Reboot/Application Restart: Use openiam-cli stop to shut down OpenIAM before rebooting or restarting to prevent vault sealing and startup failures
Top comments (1)
Thank you