Setting up IDHub
IDHub components are installed in a distributed environment and are built using a microservices architecture. The majority of components are built on the Java platform and are each packaged to run as a single jar file. The web interface is built on Angular and is best suited to run on a Node server; it may also be adapted to be served by most modern HTTP servers.
To build and maintain your IDHub environment, you can deploy the component services directly on the physical or virtual servers hosting your IDM (Identity Management System), or use Docker containers.
Follow the simple setup steps below to install the IDHub components and get started.
Prerequisites:
Step 1: Before we start, review the list of port requirements for the IDHub components installation
Ports in use
The ports used by the Sath IDH application are listed below. Ensure these are available, otherwise provide an alternative set of ports.
Ports shown in green must be opened in the firewall.
- 27017 - MongoDB
- 3000 - NGINX
- 3001 - Admin Console
- 3002 - User Application
- 8081 - Auth Server
- 8125 - James Server
- 8080 - RestHeart
- 8091 - Service Discovery
- 9091 - API Gateway
- 9093 - Config Server
- 8086 - Core
- 8088 - Data Services
- 8093 - Notification API
- 9092 - OIMShim 11GR2
- 9098 - OIMShim 12C
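The check this step asks for, as an added example that is not part of the IDHub documentation: it compares the port list above with the TCP ports a host is already listening on, so a clash with an existing service is found before any component is started. It assumes the socket listing comes from `ss -ltn` (state in column 1, Local Address:Port in column 4), read from stdin.

```shell
#!/bin/sh
# Added example, not from the IDHub documentation: checks the IDHub port list
# against the TCP ports a host already listens on.
# Assumption: input is `ss -ltn` output (column 1 = state, column 4 =
# Local Address:Port) supplied on stdin.

# Port list exactly as given in the documentation ("port service" per line).
IDHUB_PORTS="27017 MongoDB
3000 NGINX
3001 Admin Console
3002 User Application
8081 Auth Server
8125 James Server
8080 RestHeart
8091 Service Discovery
9091 API Gateway
9093 Config Server
8086 Core
8088 Data Services
8093 Notification API
9092 OIMShim 11GR2
9098 OIMShim 12C"

# Read `ss -ltn` output on stdin; print each LISTEN port number once.
# The port is the text after the last ':' so IPv4 (0.0.0.0:22), IPv6
# ([::]:27017) and wildcard (*:3000) local addresses are all handled.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Print "port service" for every IDHub port that is already bound.
# Exit status 0 when all ports are free, 1 when there is at least one clash.
idhub_port_conflicts() {
  busy=$(listening_ports)
  rc=0
  while read -r port service; do
    if printf '%s\n' "$busy" | grep -qx "$port"; then
      echo "$port $service"
      rc=1
    fi
  done <<EOF
$IDHUB_PORTS
EOF
  return $rc
}

# On a live host:  ss -ltn | idhub_port_conflicts || echo "free the ports above first"
```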
Step 2: Next, complete an information checklist
The following details about the existing infrastructure need to be retrieved and documented.
These details need to be entered in the sample properties files provided. Instructions on how to do this will follow:
AUTH server (Keycloak)
- LDAP
  - baseDn (e.g. dc=sath,dc=com)
  - url (e.g. ldap://<Ldap Host Name>:<Ldap Port>)
  - userDn (complete DN of the user used to authenticate and search in the LDAP)
  - userPassword
  - userDnPatterns (e.g. uid={0},cn=Users,dc=sath,dc=com)
  - userSearchBase (e.g. cn=Users)
  - userSearchFilter (e.g. uid={0})
OIM server
- Type of OIM Server - 11GR2 PS2, 11GR2 PS3 or 12C
- OIM Details
  - Administrator Username
  - Administrator Password
  - OIM Connection URL
- OIM Database Details
  - Connection URL (e.g. jdbc:oracle:thin:@127.0.0.1:1521:orcl)
  - Username with READ access
  - Password
  - OIM Schema
  - JDBC Driver (e.g. oracle.jdbc.driver.OracleDriver)
- Weblogic Details
  - Username
  - Password
- OIM composite Details
  - name (e.g. default/DisconnectedProvisioning!1.0)
- OIM EJB HOST
  - EJB Host (Format: http://<SOA Host Name>:<SOA Port> or https://<SOA Host Name>:<SOA Secure Port>)
- Directory with WRITE access for the user starting the services
Users
- List of users authorized to use the application (defined by the LDAP details)
- Level 1 approver for the application (defined as a ROLE in OIM and MongoDB)
- Level 2 approver for the application (defined as a ROLE in OIM and MongoDB)
Notification Template
- Sample email
- The list of notification parameters sent in the email
- Email to be replaced
Step 3: Select the type of install- < manual vs docker ? >
Artifact checklist -
Jar Files
- 11G
- 12C
- apigateway
- config-server
- core
- DataService
- notification-api
- servicediscovery
- spring-security-auth-server
Folders
- AdminConsole (Frontend / UI)
- UserApplication (Frontend / UI)
- config (sample properties for IDH with the following files)
  - auth.properties
  - core.properties
  - oimshim11GR2.properties
  - oimshim12C.properties
  - dataservices.properties
  - notify.properties
- JamesServer (modified for IDH) with notificationMailetService-0.0.1-SNAPSHOT.jar and notificationMailet.properties
- lib folder for 12C-<version>.jar
- RestHeart (https://restheart.org/)
- Java 8
- jce8 (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8, https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
- MongoDB
- NGINX
Files
- nginx.conf file
Docker Software
- Docker Engine
- Docker-compose
IDHub Installation
Step 1: IDHub Pre-Install
Create a folder to hold all IDHub installations and assign the correct ownership. An additional folder "logs" can be created to hold all the log files.
E.g. let's say the user is iamuser, the user group is users and the folder for IDH is /apps. Execute the steps below in order.
Step 2: Mongo Installation
Any kind of MongoDB installation provided on the official website will work with IDHub; however, tarballs require the least amount of access rights and permissions, and hence we focus on using .tgz tarballs for Linux installations.
1. Identify any prerequisites for the Mongo install
- Go to the Mongo official website https://docs.mongodb.com/manual/administration/install-community/.
- Navigate to the "Using .tgz Tarballs" section.
- Check whether any missing prerequisites are mentioned under the "Using .tgz Tarballs" section. Install the prerequisites, if any.
E.g. "libcurl4 libopenssl1_0_0" is a prerequisite for SUSE Linux.
2. Download the latest MongoDB from https://www.mongodb.com/download-center/community?jmp=docs by selecting your specific operating system.
3. Move the file to /apps and extract the files.
4. MongoDB uses the /data/db folder by default. Create the folder /data/db for MongoDB. If using a different folder for the DB, ensure that the folders have the correct ownership.
If your MongoDB doesn't start, check the database path, i.e. the permissions of the /data folder or of the folder provided as an argument to --dbpath.
5. Add MongoDB to the PATH variable in your ~/.bashrc file using your favorite text editor. Simply add the line below as the last line in the file.
6. To start MongoDB with no authentication.
7. To start MongoDB with authentication.
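Pre-Install step 1 and Mongo steps 4 and 5 above, carried out as re-runnable shell functions in an added example that is not the IDHub documentation's own commands. The base directory, owner, group and MongoDB bin directory are assumptions passed as arguments (the page uses /apps, iamuser and users); the dbpath check mirrors the troubleshooting note under step 4.

```shell
#!/bin/sh
# Added example, not the IDHub documentation's own commands: prepares the
# IDHub and MongoDB folders and adds MongoDB to PATH, safely re-runnable.
# Assumptions: base directory, owner, group and the MongoDB bin directory
# are supplied by the caller (the page uses /apps, iamuser and users).

# idhub_prepare_dirs <base> <owner> <group>
# Creates <base>/apps, <base>/apps/logs and <base>/data/db owned by
# owner:group with mode 750, so only the service account and its group
# can read the installation and the database files.
idhub_prepare_dirs() {
  base=${1%/}; owner=$2; group=$3
  for d in "$base/apps" "$base/apps/logs" "$base/data/db"; do
    mkdir -p "$d" || return 1
    chown "$owner:$group" "$d" || return 1
    chmod 750 "$d" || return 1
  done
}

# idhub_check_dbpath <dir>
# The troubleshooting note from step 4: mongod will not start when --dbpath
# (or the default /data/db) is missing or not writable by the starting user.
idhub_check_dbpath() {
  [ -d "$1" ] && [ -w "$1" ]
}

# idhub_add_path <rcfile> <mongo_bin_dir>
# Appends the PATH export as the last line of <rcfile>, but only if that
# exact line is not already present, so repeated runs add no duplicates.
idhub_add_path() {
  rcfile=$1; line="export PATH=\"\$PATH:$2\""
  [ -f "$rcfile" ] || : > "$rcfile"
  grep -qxF "$line" "$rcfile" && return 0
  printf '%s\n' "$line" >> "$rcfile"
}

# Example run with the page's values (needs the rights to chown to iamuser):
#   idhub_prepare_dirs / iamuser users
#   idhub_check_dbpath /data/db || echo "fix /data/db ownership first"
#   idhub_add_path ~/.bashrc /apps/mongodb/bin
```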
Pre-Configuration
Before starting, keep the following ready:
- username - the username that will be used to access MongoDB.
- password - the password that will be used to access MongoDB.
- database - the database name that will be used for IDH. Defaults to dev.
Configuration -
Create the user for authentication.
Start MongoDB without the auth option:
    nohup mongod &
Test: create a collection without authentication.
    use <database>
    db.createCollection("testing")
    exit
If the second command (db.createCollection) gave an error "Unauthorized", that means that auth is already properly set up in MongoDB.
Check the logs to see whether MongoDB has started successfully:
    tail -100f nohup.out
You should see "waiting for connections on port 27017" in the logs. If yes, use ctrl+c to exit the tail command.
Now open the mongo shell by typing "mongo":
    mongo
In the shell, run the commands below. Step B will create the user in the admin database. Step C will shut down the server.
    A. use admin
    B. db.createUser(
         {
           user: "<username>",
           pwd: "<password>",
           roles: [ { role: "userAdminAnyDatabase", db: "admin" }, { role: "readWrite", db: "<database>" }, { role: "readWrite", db: "config-db" }, "readWriteAnyDatabase" ]
         }
       )
    C. db.shutdownServer({timeoutSecs: 5});
    D. exit
Start MongoDB with auth:
    nohup mongod --auth &
Test: create and drop a collection with proper authentication.
    use admin
    db.auth("<username>","<password>")
    use <database>
    db.createCollection("testing")
    db.testing.drop()
    exit
If you are able to create the collection and drop it, authentication is successful.
8. Additional Configuration - Connect from external systems
Start MongoDB using the --bind_ip_all option. Make sure MongoDB is protected with a strong password for authentication if exposing the database externally, to prevent ransomware attacks on your system.
Other options
The -h option provides the full list of options for both the mongod and mongo commands. Use this to find any additional configuration that is necessary.
Intended Audience
- Identity Architects
- Identity Administrators
Recommended Skills
To deploy IDHub, familiarity with the following technologies is required
- Java 8
- MongoDB
- OAuth
- JSON
- REST
Knowledge of the following technologies is highly recommended
- Docker
- Linux
- SQL
Recommended Tools
- Robomongo
- Postman
Related Content
Identity Fundamentals
IDHub Components
IDHub Data store