DEV Community

hediyeh kianmehr
hediyeh kianmehr

Posted on • Edited on

Installation without Internet Access

Overview:

This document provides a comprehensive, step-by-step guide to installing Irancell IAM (Identity and Access Management) on RHEL/CentOS EL8 servers without Internet access. It is specifically designed for environments such as demo, proof of concept (POC).

In this document we cover these topics.

1.Download Required Packages

2.Prepare Local Directory

3.Install Irancell IAM RPM

4.Initialize Irancell IAM with CLI

5.Database Configuration

6.Message Broker Setup

7.Redis Cache Setup

8.SMTP Configuration (Optional)

9.Initialize Database Schema

10.Finalizing Installation

11.Irancell IAM Core Services Reference

1.Download Required Packages

Note:

This installation type is suitable for the servers without Internet access (server from which you can't reach Irancell IAM website).

This type of installation is suitable for both el8 RHEL / CentOS version. Also, during the installation you will be prompted to install MariaDB RDBMS. This is suitable for Demo and POC installations. If you have already had the database server, you should answer N for the prompt.

EL8 Download Links

Download the following files to a server that has internet access.
For EL8 use the following links.

For EL8 use the following links.

curl https://download.openiam.com/release/enterprise/4.2.1.12/rpm/mod_openiam-4.2.1.12.el8.x86_64.rpm --output openiam-4.2.X.noarch.x86_64.rpm
curl https://download.openiam.com/release/enterprise/4.2.1.12/dependencies/el8/openiamrepo.tar.gz --output openiamrepo.tar.gz
curl https://download.openiam.com/release/enterprise/4.2.1.12/dependencies/el8/openiamrepo.tar.gz --output backend.tar.gz
curl https://download.openiam.com/release/enterprise/4.2.1.12/binaries/frontend.tar.gz --output frontend.tar.gz
curl https://download.openiam.com/release/enterprise/infra/httpd-libs.tar.gz --output httpd-libs.tar.gz
Enter fullscreen mode Exit fullscreen mode

2.Prepare Local Directory

Create Installation Directory

Create folder /usr/local/openiam on the server.

Copy Downloaded Files to Server

Copy the following files that were downloaded earlier to /usr/local/openiam

  • backend.tar.gz;
  • frontend.tar.gz;
  • openiamrepo.tar.gz;
  • httpd-libs.tar.gz.

3.Install Irancell IAM RPM 

sudo rpm -i openiam-4.2.X.noarch.x86_64.rpm
Enter fullscreen mode Exit fullscreen mode

Example Output:

openiam/
openiam/OpenIAM-Base-Local.repo
openiam/connectors/
openiam/connectors/shutdown.sh
openiam/connectors/start.sh
openiam/env.conf
openiam/services/
openiam/services/shutdown.sh
openiam/services/start.sh
openiam/source-adapters/
openiam/source-adapters/shutdown.sh
openiam/source-adapters/start.sh
openiam/utils/
openiam/utils/autodb.sh
openiam/utils/autoinit.sh
openiam/utils/cluster_healthcheck.sh
openiam/utils/curator/
openiam/utils/curator/init.sh
openiam/utils/elasticsearch/
openiam/utils/elasticsearch/default.policy.diff
openiam/utils/elasticsearch/elasticsearch
openiam/utils/elasticsearch/elasticsearch.service
openiam/utils/elasticsearch/init.sh
openiam/utils/elasticsearch/jvm.options
openiam/utils/flyway/
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mssql.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysq.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.m4
openiam/utils/flyway/V0.0.0.0.000__initialization.sql.mysql.rds.m4
...
openiam/janusgraph/javadocs/package-list
openiam/janusgraph/javadocs/index.html
openiam/janusgraph/javadocs/constant-values.html
openiam/janusgraph/javadocs/help-doc.html
openiam/janusgraph/javadocs/allclasses-frame.html
openiam/janusgraph/javadocs/allclasses-noframe.html
openiam/janusgraph/javadocs/stylesheet.css
openiam/janusgraph/javadocs/overview-summary.html
/var/tmp/rpm-tmp.ElioLH: line 9: openiam: Is a directory
No, user openiam does not exist. creating
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
The server will be restarted in 1 min to apply ulimit settings ...
Shutdown scheduled for Wed 2023-11-22 21:20:46 UTC, use 'shutdown -c' to cancel.
Enter fullscreen mode Exit fullscreen mode

At this point the VM will reboot to initialize variables that are needed for stack components such as Elasticsearch.

4.Initialize Irancell IAM with CLI

Execute the initialization step the Irancell IAM-cli. During this step the system will be installing and configuring the various components that make up Irancell IAM. Please follow the instructions on the screen.

You should execute the custom script located in the script file.
Enter fullscreen mode Exit fullscreen mode

The first question: Does this box have Internet access? [y/n]. Please enter N

5.Database Configuration

You will be asked about installing MariaDB as a default database. Would you like to install MariaDB RDBMS locally? Please answer Y

Note:

if you would like to use local MariaDB RDBMS as a database server (good choice for quick and simple installation, like demo or POC or small size production platform (up to 500 active users)). Otherwise, please, answer N.

If you answer Y for MariaDB installation, installer will prepare all files and after will ask you some details:

Enter current password for root (enter for none): -> Press: Enter button
Set root password? [Y/n] -> Press y button and after Enter
New password:-> Type password for the root user. You will need it later during the installation.
Re-enter new password: -> Type the password for the root user as on the previous
Remove anonymous users? [Y/n] -> Press y button and after press Enter.
Disallow root login remotely? [Y/n] -> Press y button and after press Enter.
Remove test database and access to it? [Y/n] -> Press y button and after press Enter.
Reload privilege tables now? [Y/n] -> Press y button and after press Enter.

Otherwise, please continue from step 5.

The installation process will continue. The Cassandra backend as a Graph storage will be installed. Please, be patient as this process can take 4-5 minutes. If you see the ugly exception below, ignore it. This is a byproduct of Cassandra taking some time to start (this will be addressed in an upcoming release).

error: No nodes present in the cluster. Has this node finished starting up?
-- StackTrace --
java.lang.RuntimeException: No nodes present in the cluster. Has this node finished starting up?
    at org.apache.cassandra.dht.Murmur3Partitioner.describeOwnership(Murmur3Partitioner.java:284)
    at org.apache.cassandra.service.StorageService.getOwnershipWithPort(StorageService.java:5166)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:72)
    at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:276)
    at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:112)
    at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:46)
    at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237)
    at com.sun.jmx.mbeanserver.PerInterface.getAttribute(PerInterface.java:83)
    at com.sun.jmx.mbeanserver.MBeanSupport.getAttribute(MBeanSupport.java:206)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:647)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:678)
    at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1445)
    at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
    at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
    at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1401)
    at javax.management.remote.rmi.RMIConnectionImpl.getAttribute(RMIConnectionImpl.java:639)
    at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
    at sun.rmi.transport.Transport$1.run(Transport.java:200)
    at sun.rmi.transport.Transport$1.run(Transport.java:197)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
Waiting for cassandra
Enter fullscreen mode Exit fullscreen mode

The installer will ask a number to questions during the initialization process. For most questions, a default value has been provided to simplify the effort for users new to MTNiIAM. The section which requires input from the installer is marked with the following message in the console:

=============== CRITICAL SECTION ===============

Schema Creation: Irancell IAM and activiti

Irancell IAM has two schemas which are created by default: Irancell IAM and activiti. The Irancell IAM schema is the primary schema used by the platform and it stores a variety of information ranging from policies to user profile information and more. Activiti is used to store information about workflows and their execution. The first set of questions raised by the installer are related to the creation of a user database for every schema. Each question and its intent are listed below.

Question Raised by the Installer Explanation
Set Irancell IAM username for Irancell IAM schema, default: idmuser This is the DB username used to manage the Irancell IAM schema. This is the primary schema where data related to Irancell IAM is stored. The Irancell IAM application uses this username to communicate with the DB.
Set Irancell IAM password for Irancell IAM schema, default: idmuser This is the password for the username provided in the previous step. Default value is idmuser.
Set Irancell IAM username for activiti schema, default: idmuser This is the DB username used to manage the activiti schema. For MySQL, it is the same as for the Irancell IAM schema. The Irancell IAM application uses this username to communicate with the DB.
Set Irancell IAM password for activiti schema, default: idmuser This is the password for the user associated with the activiti schema. For MySQL, it is the same as for the Irancell IAM schema. Default value is idmuser.

6.Message Broker Setup

Irancell IAM uses RabbitMQ as the message broker and is the primary transport service used by Irancell IAM application. Services are loosely coupled, and they communicate with each other through the message broker. Cross service communication is encrypted.

The next question raised by the installer is to define a password for RabbitMQ. As seen in the above questions, a default password value is provided for simplicity. For production use, please use a strong password.

Set OpenIAM password for RabbitMQ message broker, default: passwd00
Enter fullscreen mode Exit fullscreen mode

7.Redis Cache Setup

Redis is an in-memory distributed cache which is used by Irancell IAM to improve system performance. A variety of objects are temporarily stored in Redis including:

  • End user web session.
  • Database object cache.
  • High level application cache.

As with other components, access to the cache is secured and the next question asks for a password which should be used for Redis.

Set OpenIAM password for Redis., default: passwd00
Enter fullscreen mode Exit fullscreen mode

8.SMTP Configuration (Optional)

E-mail notifications can be enabled for a broad range of operations in Irancell IAM. Configuring a valid SMTP service is a pre-requisite to being able to send e-mail notifications. The next two questions ask the user to provide the SMTP credentials for the account which will be used to send e-mails from the application. These questions are optional at this time, and you have the option to configure these later if needed.

Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none
Enter fullscreen mode Exit fullscreen mode

Note:
At this point the installer has enough information to complete the installation of: ElasticSearch, Redis, and RabbitMQ.

9.Initialize Database Schema

Question Raised by the Installer Explanation
Use default value if this is new installation. If you are doing an update, specify your current version, default: 0.0.0.0 If this is an upgrade from an existing deployment, specify the current version (e.g., 4.1.11.0). This helps the installer determine the upgrade scripts to apply. Leave as default for new installations.
This is the name of the Irancell IAM core database, default: openiam This defines the primary schema name. For MariaDB, it's typically openiam. Leave as default unless your schema has been customized.
This is the name of the OpenIAM Activiti database, default: activiti This defines the schema used by the workflow engine. For MariaDB, it's typically activiti. Leave as default unless your schema has been customized.
Possible values: MySQL, Postgres, MSSQL, Oracle. Default: MySQL Specifies the type of RDBMS. For MariaDB/MySQL, leave it blank. For others, use: postgres, oracle, or mssql. The RDBMS must already be installed.
Do you want to initialize OpenIAM Schema and Users? [y/n] Select y if schemas and users are not yet created in your RDBMS. The installer will attempt to create them. For Oracle/MSSQL, it will generate SQL scripts to run manually.
Enter username for Super user (for MySQL this is root), default: root Required if you're initializing schemas/users. The super user must have privileges to create schemas, users, and tables.
Enter password for super user (sa or root), default: Provide the password for the super user account entered above.
This is the hostname of where the OpenIAM core database is, default: localhost Specify the host or DNS name where the primary OpenIAM database is running.
This is the port of where the OpenIAM core database is, default: 3306 Specify the port of the server hosting the OpenIAM core database. For MariaDB/MySQL, default is 3306.
This is the hostname of where the OpenIAM Activiti database is, default: localhost Specify the host or DNS name where the Activiti (workflow) database is running.
This is the port of where the OpenIAM Activiti database is, default: 3306 Specify the port of the server hosting the Activiti database. Default is 3306 for MariaDB/MySQL.

10.Finalizing Installation

The Irancell IAM RPM installer will continue with initialization and apply the SQL scripts which are required for successful startup. The Irancell IAM services will automatically run the application stack after successful initialization and will show you the current stack status. Usually, startup takes about 6-10 minutes. You can view the status of the system as it's coming up using the command line tools described below in Irancell IAM components and Status.

Copying downloaded file from local machine to remote server

Use scp [OPTION] [user@]SRC_HOST:]file1 [user@]DEST_HOST:]file2

Example:

  • C:\Users\Asus>scp openiam-4.2.1.10.noarch.x86_64.rpm root@10...*:/usr/local/openiam/
  • The authenticity of host '10... (10...)' can't be established.
  • ECDSA key fingerprint is SHA256:5pP7vxJnDzbQ+Xg1VANjSBYL7HboHyM4RqFKW4qHkPU.
  • Are you sure you want to continue connecting (yes/no/[fingerprint])?`
  • Warning: Permanently added '10...*' (ECDSA) to the list of known hosts.
  • root@10...*'s password:
  • openiam-4.2.1.10.noarch.x86_64.rpm 23% 133MB 1.4MB/s 05:12 ETA`

11.First-Time Web Login

The final validation of our deployment is to be able to login to the Irancell IAM web applications. To do this, you must first find the IP address of our VM.

Next open your browser(preferably Chrome or Firefox), and hit:

http://[ip address of your installation ]/webconsole

Use the following credentials for the first-time login:

Username: sysadmin
Password: passwd00
Enter fullscreen mode Exit fullscreen mode

Enter the username on the field shown below and click Next

The authentication process is spread over two screens. You will be asked to enter the password on the screen below.

The next step is to define a content provider using the screen shown below. A Content provider is an alias which represents a domain. Associated with the content provider can be UI themes, authentication policies, etc.The table below describes the fields on this screen.

Content Provider Configuration

Name Description
Content Provider Name You can think of a content provider as an “alias” representing a domain. This is described in more detail in the OpenIAM documentation. For this setup, enter a value such as: Default CP.
Domain Pattern This value is defaulted in. It should be the IP address or DNS hostname of the server where OpenIAM has been installed.
Application supports SSL? Determines if the OpenIAM application will use HTTP or HTTPS. If you have not configured an SSL certificate yet, choose Support on HTTP. You can update this setting later after SSL is configured.
Application servers Refers to the host of the OpenIAM service layer, which the UI and rProxy connect to. Usually, the default value is correct if all components are on the same host. You can change it if using different hosts for UI and backend.

After setting up the content provider, you will be taken to the challenge questions page. These questions will be used to reset your admin account in case you have locked yourself out. Please make a note of your answers.

Note:
You will be able to update your password policy later. At that time you can decide if you want to use challenge questions and/or some other method.

After completing the above steps, you will be taken to the admin console landing page shown below. Give the system about 5 min to refresh the internal cache and then you can proceed to configure your solution.

Irancell IAM components and status

Using the Irancell IAM Command line utility

Irancell IAM provides a command line utility to help you view the status of all components as well as perform common operations such as view logs, start, stop,etc . The command is Irancell IAM-cli.

Just running the command by itself, as shown below, will display the list of all options.

openiam-cli
Enter fullscreen mode Exit fullscreen mode

You will be asked about Internet access on this box, as shown below.

Type N and press Enter.

Example Output:

Usage: /usr/bin/openiam-cli {start|stop|status|init|log|log <service_name>|list-connectors|list-source-adapters}
Enter fullscreen mode Exit fullscreen mode

To check the status of the components or the confirm that the system is up, please use the following command:

openiam-cli status
Enter fullscreen mode Exit fullscreen mode

To check current logs of any service you can use the following command. You can get the services using the following command: Irancell IAM-cli status command.

openiam-cli log <service_name>
Enter fullscreen mode Exit fullscreen mode

For example, to check the logs of the Irancell IAM-esb module use the following command.

openiam-cli log openiam-esb
Enter fullscreen mode Exit fullscreen mode

11.Irancell IAM Core Services Reference

Name Description Default Memory (RAM)
openiam-esb The service that provides Web Service API and to the bigger part of functionality 2048m
workflow The service that provides Business Workflow functionality 768m
groovy-manager The service that provides Groovy extension functionality 256m
idm The service that provides provisioning to target systems functionality 512m
reconciliation The service that provides reconciliation against target systems functionality 512m
email-manager The service that provides Sending and Receiving emails functionality 256m
auth-manager The service that provides End user Authorization functionality 1024m
device-manager The service that provides Device management functionality (IOS and Android) 256m
business-rule-manager The service that provides Business Rules functionality 512m
openiam-ui This is web server (tomcat) that provides Graphical interface 2048m

Top comments (0)