Docker containers have no resource constraints by default: every container can use all the CPU and memory the host's kernel provides. Set limits on the resources a container can use so that one running container cannot consume everything and starve the other containers on the host.
Apply a hard limit to the memory the Identity Console container can use with the --memory flag on the docker run (or docker create) command.
Limit the CPUs the running container can use with the --cpuset-cpus flag on the docker run command.
Set --pids-limit to 300 to restrict the number of processes and threads that can exist inside the container at any time. This prevents fork-bomb style denial of service from within the container.
Set the container restart policy to on-failure with a maximum of 5 retries (--restart=on-failure:5) on the docker run command, so a crashing container is not restarted without bound.
Use the container only after its health status shows as healthy. To check the health status, run the following command; the STATUS column shows (health: starting), (healthy) or (unhealthy):
docker ps -f name=<container_name>
The Identity Console container always runs as the non-root user nds. As an additional security measure, enable user namespace remapping on the Docker daemon so that a process that breaks out of the container does not map to root on the host. For more information on user namespace remapping, see Isolate containers with a user namespace.
NOTE:Identity Console can be configured with or without OSP. If you choose to configure it with OSP, you must first deploy the OSP container, followed by the Identity Console container. Make sure to modify the edirapi.conf file to include your desired values for deployment.
To deploy Identity Console as a Docker container:
The configuration parameters, sample values and examples in this procedure are for reference only. Do not use them as-is in a production environment.
Log in to the Software License and Download portal and navigate to the Software Downloads page.
Select the following:
Product: eDirectory
Product Name: eDirectory per User Sub SW E-LTU
Version: 9.2
Download the IdentityConsole_<version>_Container.tar.zip.
The image has to be loaded into the local Docker image store. Extract the archive and load the IdentityConsole_<version>_Containers.tar.gz file using the following commands:
tar -xvf IdentityConsole_version_Containers.tar.gz
docker load --input identityconsole.tar.gz
Create the Identity Console Docker container using the following command:
docker create --name identityconsole-container-name --env ACCEPT_EULA=Y --network=network-type --volume volume-name:/config/ identityconsole:version
For example,
docker create --name identityconsole-container-1 --env ACCEPT_EULA=Y --network=host --volume IDConsole-volume:/config/ identityconsole:version
NOTE:
You can accept the EULA by setting the ACCEPT_EULA environment variable to Y. Alternatively, accept the EULA from the on-screen prompt while starting the container by adding the -it option to the docker create command for interactive mode.
The --volume parameter in the above command creates a named volume for storing configuration and log data. In this example the volume is called IDConsole-volume.
Copy the server certificate file from your local file system to the container as /etc/opt/novell/eDirAPI/cert/keys.pfx using the following command. For more information on creating the server certificate, see Prerequisites:
docker cp <absolute path of server certificate file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/cert/keys.pfx
For example,
docker cp /home/user/keys.pfx identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/keys.pfx
When you connect to multiple eDirectory trees, ensure that you obtain at least one keys.pfx server certificate that is valid for all the connected trees.
Copy the CA certificate file (.pem) from your local file system to the container as /etc/opt/novell/eDirAPI/cert/SSCert.pem using the following command. For more information on obtaining the CA certificate, see Prerequisites:
docker cp <absolute path of CA certificate file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/cert/SSCert.pem
For example,
docker cp /home/user/SSCert.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert.pem
If you need to connect to multiple eDirectory trees, see Multi-tree with Identity Console as Docker.
Depending on whether you want to configure Identity Console with or without OSP, modify the edirapi.conf configuration file as needed. Then use the following command to copy it from your local file system to the container at /etc/opt/novell/eDirAPI/conf/edirapi.conf:
docker cp <absolute path of configuration file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/conf/edirapi.conf
For example,
docker cp /home/user/edirapi.conf identityconsole-container-1:/etc/opt/novell/eDirAPI/conf/edirapi.conf
A sample configuration file (without OSP) is shown below. The file holds the PFX password in clear text, so restrict its permissions on the host before copying it in:
listen = ":9000"
pfxpassword = "novell"
bcert = "/etc/opt/novell/eDirAPI/cert/"
ospmode=false
edir-hosts = "<ip_address>:636"
NOTE:To access eDirectory through Identity Console, edirapi.conf must contain the LDAPS address of the eDirectory server, in the form edir-hosts="x.x.x.x:ldaps_port".
Example: edir-hosts="10.10.10.10:636"
A sample configuration file when configuring Identity Console with OSP is shown below. It additionally holds the LDAP bind password and the OSP client secret in clear text:
listen = ":9000"
ldapserver = "10.71.39.15:636"
ldapuser = "cn=admin,o=novell"
ldappassword = "novell"
pfxpassword = "novell"
osp-token-endpoint = "https://<osp_ipaddress>:8543/osp/a/idm/auth/oauth2/getattributes"
osp-authorize-url = "https://<osp_ipaddress>:8543/osp/a/idm/auth/oauth2/grant"
osp-logout-url = "https://<osp_ipaddress>:8543/osp/a/idm/auth/app/logout"
osp-redirect-url = "https://<identity_console_ipaddress>:9000/eDirAPI/v1/t/authcoderedirect"
osp-client-id = "identityconsole"
ospclientpass = "novell"
ospcert = "/etc/opt/novell/eDirAPI/cert/SSCert.pem"
bcert = "/etc/opt/novell/eDirAPI/cert/"
ospmode=true
check-origin = true
origin = "https://<identity_console_ipaddress>:9000"
Start the Docker container using the following command:
docker start identityconsole-container-name
For example,
docker start identityconsole-container-1
NOTE:The following log files are located in the /var/lib/docker/volumes/<volume_name>/_data/eDirAPI/var/log directory:
edirapi.log - Logs edirapi events; use it when debugging issues.
edirapi_audit.log - Logs edirapi audit events in CEF format.
container-startup.log - Captures the installation log of the Identity Console Docker container.
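The deployment steps above, together with the resource limits, PID cap, restart policy and health check recommended at the top of this page, collected into one script. This is an added example and not the product's own tooling or part of the original documentation. The image tag identityconsole:1.7.1.0000, the host paths /home/user/keys.pfx and /home/user/SSCert.pem, the password novell, the edir-hosts value and the memory and CPU figures are assumptions to be replaced; the edir-hosts check and the PFX inspection are this script's own additions.

```shell
#!/usr/bin/env bash
# Added example, not part of the Identity Console product or its documentation.
# Stages the certificates and edirapi.conf, then creates and starts the
# container with the resource limits, PID cap and restart policy recommended
# on this page. All values below are placeholders (assumptions) to be replaced.
set -eu

IMAGE="${IMAGE:-identityconsole:1.7.1.0000}"          # assumed image tag
NAME="${NAME:-identityconsole-container-1}"
VOLUME="${VOLUME:-IDConsole-volume}"
KEYS_PFX="${KEYS_PFX:-/home/user/keys.pfx}"            # server certificate (see Prerequisites)
CA_PEM="${CA_PEM:-/home/user/SSCert.pem}"              # tree CA certificate
PFX_PASSWORD="${PFX_PASSWORD:-novell}"                 # assumed; must match pfxpassword in edirapi.conf
EDIR_HOSTS="${EDIR_HOSTS:-10.10.10.10:636}"            # host:ldaps_port[, host:ldaps_port ...]

# The hardening guidance at the top of the page as docker create/run flags:
# hard memory limit, pinned CPU set, 300-PID cap, on-failure restart with 5 retries.
hardened_create_args() {
  printf '%s' "--memory=$1 --cpuset-cpus=$2 --pids-limit=300 --restart=on-failure:5"
}

# Every edir-hosts entry must carry an explicit LDAPS port (see the NOTE above);
# a bare address is rejected before it reaches the container.
valid_edir_hosts() {
  [ -n "$1" ] || return 1
  local bad
  bad=$(printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | grep -Evc '^[^:,]+:[0-9]+$' || true)
  [ "$bad" -eq 0 ]
}

# Render the non-OSP edirapi.conf shown above, one key per line.
render_edirapi_conf() {
  printf 'listen = ":%s"\n' "$1"
  printf 'pfxpassword = "%s"\n' "$2"
  printf 'bcert = "/etc/opt/novell/eDirAPI/cert/"\n'
  printf 'ospmode=false\n'
  printf 'edir-hosts = "%s"\n' "$3"
}

# Print subject and expiry of the certificate inside keys.pfx so a wrong or
# expired file is caught before the container is started with it.
inspect_pfx() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | openssl x509 -noout -subject -enddate
}

main() {
  [ -r "$KEYS_PFX" ] && [ -r "$CA_PEM" ] || { echo "certificate files not readable" >&2; exit 1; }
  valid_edir_hosts "$EDIR_HOSTS" || { echo "edir-hosts must be host:ldaps_port[, ...]" >&2; exit 1; }
  inspect_pfx "$KEYS_PFX" "$PFX_PASSWORD"

  conf=$(mktemp)
  render_edirapi_conf 9000 "$PFX_PASSWORD" "$EDIR_HOSTS" > "$conf"
  chmod 600 "$conf"                                    # the file holds the PFX password in clear

  docker load --input identityconsole.tar.gz
  # shellcheck disable=SC2046  (the flag string is meant to be word-split)
  docker create --name "$NAME" --env ACCEPT_EULA=Y --network=host \
    $(hardened_create_args 2g 0-1) --volume "$VOLUME:/config/" "$IMAGE"
  docker cp "$KEYS_PFX" "$NAME:/etc/opt/novell/eDirAPI/cert/keys.pfx"
  docker cp "$CA_PEM"   "$NAME:/etc/opt/novell/eDirAPI/cert/SSCert.pem"
  docker cp "$conf"     "$NAME:/etc/opt/novell/eDirAPI/conf/edirapi.conf"
  rm -f "$conf"
  docker start "$NAME"
  # Use the console only once STATUS shows "(healthy)".
  docker ps --filter "name=$NAME" --format '{{.Names}}\t{{.Status}}'
}

if [ "${1:-}" = deploy ]; then main; fi
```

Run it as ./deploy.sh deploy after exporting PFX_PASSWORD and EDIR_HOSTS; the functions can also be sourced individually. On OpenSSL 3 an older PKCS#12 file may need the -legacy option on the pkcs12 command.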
Identity Console can connect to multiple trees; obtain the CA certificate of each tree.
NOTE:To access the trees through Identity Console, list all of them in edir-hosts in the edirapi.conf file, in the form edir-hosts="x.x.x.x:ldaps_port, y.y.y.y:ldaps_port, z.z.z.z:ldaps_port". For example:
edir-hosts="10.10.10.10:636, 20.20.20.20:636, 30.30.30.30:636"
For example, if you connect to three eDirectory trees, copy all three CA certificates into the Docker container:
docker cp /home/user/SSCert1.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert1.pem
docker cp /home/user/SSCert2.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert2.pem
docker cp /home/user/SSCert3.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert3.pem
Run the following command to restart Identity Console:
docker restart <identityconsole-container-name>
Example:
docker restart identityconsole-container-1
Perform the following steps to deploy the OSP container:
Log in to Software License and Download portal and navigate to the Software Downloads page.
Select the following:
Product: eDirectory
Product Name: eDirectory per User Sub SW E-LTU
Version: 9.2
Identity Console Standalone
Download and extract the IdentityConsole_<version>_Containers_tar.zip file.
To deploy the OSP container for Identity Console, a keystore (tomcat.ks) is required.
Perform the following steps to generate the keystore:
Create a folder certs in the /opt/ directory.
Run the following command to create a keystore (tomcat.ks):
keytool -genkey -alias osp -keyalg RSA -storetype pkcs12 -keystore /opt/certs/tomcat.ks -validity 3650 -keysize 2048 -dname "CN=blr-osp48-demo.labs.blr.novell.com" -keypass novell -storepass novell
NOTE:Use the IP address or the fully qualified host name of the OSP machine as the CN. For example: CN=xx.xx.xx.xx
Run the following command to create a certificate signing request. For example: cert.csr.
keytool -certreq -v -alias osp -file /opt/certs/cert.csr -keypass novell -keystore /opt/certs/tomcat.ks -storepass novell
Submit the created cert.csr to Identity Console and obtain cert.der as follows:
Launch Identity Console as Administrator.
Click Certificate Management > Issue Certificate and select the file.
Go to Key Usage Specifications > Key Type and select the Custom radio button.
Click Key Usage and select the following check boxes:
Data Encipherment
Key Encipherment
Digital Signature
Click Certificate Parameters > Subject Alternative Names > OSP Server IP address or OSP Server DNS Name > Next > OK.
The message appears as Certificate has been generated successfully.
Click OK.
Download the issued certificate cert.der and copy it to /opt/certs/.
Copy SSCert.der (the CA certificate of the eDirectory tree) to /opt/certs.
Run the following commands to import the CA certificate (SSCert.der) and server certificate (cert.der) into the tomcat.ks keystore.
keytool -import -trustcacerts -alias root -keystore /opt/certs/tomcat.ks -file /opt/certs/SSCert.der -storepass novell -noprompt
keytool -import -alias osp -keystore /opt/certs/tomcat.ks -file /opt/certs/cert.der -storepass novell -noprompt
Create a new folder /data.
Copy tomcat.ks from /opt/certs to the /data folder.
From the extracted Identity Console container build, copy the osp-edirapi-silent.properties file to the /data folder.
Modify the osp-edirapi-silent.properties file as required. A sample silent properties file is shown below. It contains the keystore and ID Vault admin passwords in clear text, so restrict its permissions (for example, chmod 600). The explanations for SSO_SERVER_HOST, IDCONSOLE_HOST, EDIRAPI_TREENAME and ID_VAULT_HOST are given as comment lines; do not append them to the values.
# Silent file for osp with edirapi
## Static contents Do not edit - starts
INSTALL_OSP=true
DOCKER_CONTAINER=y
EDIRAPI_PROMPT_NEEDED=y
UA_PROMPT_NEEDED=n
SSPR_PROMPT_NEEDED=n
RPT_PROMPT_NEEDED=n
CUSTOM_OSP_CERTIFICATE=y
## Static contents Do not edit - ends
# OSP Details
# SSO_SERVER_HOST: IP address (or host name) of the server where OSP is configured
SSO_SERVER_HOST=osp.example.com
SSO_SERVER_SSL_PORT=8543
OSP_COMM_TOMCAT_KEYSTORE_FILE=/config/tomcat.ks
OSP_COMM_TOMCAT_KEYSTORE_PWD=novell
SSO_SERVICE_PWD=novell
OSP_KEYSTORE_PWD=novell
IDM_KEYSTORE_PWD=novell
OSP_CUSTOM_NAME="Identity Console"
USER_CONTAINER="o=novell"
ADMIN_CONTAINER="o=novell"
# IDConsole Details
# IDCONSOLE_HOST: IP address of the server where Identity Console is configured
IDCONSOLE_HOST=192.168.1.1
IDCONSOLE_PORT=9000
# EDIRAPI_TREENAME: tree name, which must be in lowercase
EDIRAPI_TREENAME=ed913
# If ENABLE_CUSTOM_CONTAINER_CREATION is set to y
# i.e., when your user and admin container differ from o=data
# and they need to be created in eDir,
# then CUSTOM_CONTAINER_LDIF_PATH must be entered as well
ENABLE_CUSTOM_CONTAINER_CREATION=n
#ENABLE_CUSTOM_CONTAINER_CREATION=y
#CUSTOM_CONTAINER_LDIF_PATH=/config/custom-osp.ldif
# eDir Details
# ID_VAULT_HOST: IP address of the server where eDirectory (ID Vault) is configured
ID_VAULT_HOST=192.168.1.1
ID_VAULT_LDAPS_PORT=636
ID_VAULT_ADMIN_LDAP="cn=admin,o=novell"
ID_VAULT_PASSWORD=novell
NOTE:To avoid failures caused by DOS line endings in the silent properties file (for example when it was edited on Windows), convert the file to Unix format with the dos2unix tool. Run the following command to convert the file from DOS line endings to Unix line endings:
dos2unix filename
For example:
dos2unix samplefile
Run the following command to load the OSP image:
docker load --input osp.tar.gz
Deploy the container using the following command:
docker run -d --name OSP_Container --network=host -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config osp:<version>
For example:
docker run -d --name OSP_Container --network=host -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config osp:6.6.6
NOTE:After deploying OSP container, install and configure Identity Console with OSP server details.
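The OSP keystore and container steps above as one script, with two checks the procedure itself does not spell out: that keytool sees a two-certificate chain under the osp alias after the imports, and that the silent properties file has no carriage returns, no missing keys and no explanatory text left inside a value. This is an added example and not part of the OSP or Identity Console product or its documentation. The certificate directory, the keystore password novell, the host name osp.example.com, the OSP image version 6.6.6, the REQUIRED_KEYS list and the resource limits on the docker run command are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the OSP or Identity Console product or its documentation.
# Builds tomcat.ks in the order the steps above describe, then stages /data,
# normalises and checks the silent properties file and runs the OSP container.
# Host names, passwords, the key list and the OSP version are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/opt/certs}"
KS_PASSWORD="${KS_PASSWORD:-novell}"                 # assumed keystore/key password
OSP_CN="${OSP_CN:-osp.example.com}"                  # OSP host FQDN or IP, as the NOTE requires
OSP_VERSION="${OSP_VERSION:-6.6.6}"
SILENT_SRC="${SILENT_SRC:-./osp-edirapi-silent.properties}"

# Keys the silent file must define for this deployment (taken from the sample above).
REQUIRED_KEYS="INSTALL_OSP DOCKER_CONTAINER CUSTOM_OSP_CERTIFICATE SSO_SERVER_HOST SSO_SERVER_SSL_PORT
OSP_COMM_TOMCAT_KEYSTORE_FILE OSP_COMM_TOMCAT_KEYSTORE_PWD IDCONSOLE_HOST IDCONSOLE_PORT
EDIRAPI_TREENAME ID_VAULT_HOST ID_VAULT_LDAPS_PORT ID_VAULT_ADMIN_LDAP ID_VAULT_PASSWORD"

# Step 1: key pair and CSR. The CN must be the OSP host name or IP address.
make_keystore() {
  mkdir -p "$CERT_DIR"
  keytool -genkeypair -alias osp -keyalg RSA -keysize 2048 -storetype pkcs12 \
    -keystore "$CERT_DIR/tomcat.ks" -validity 3650 -dname "CN=$OSP_CN" \
    -keypass "$KS_PASSWORD" -storepass "$KS_PASSWORD"
  keytool -certreq -alias osp -file "$CERT_DIR/cert.csr" \
    -keystore "$CERT_DIR/tomcat.ks" -storepass "$KS_PASSWORD" -keypass "$KS_PASSWORD"
  echo "submit $CERT_DIR/cert.csr to Identity Console (Certificate Management > Issue Certificate);" \
       "place cert.der and the tree CA SSCert.der in $CERT_DIR, then run: $0 import"
}

# Step 2: import the CA first, then the issued certificate into the same alias as
# the key, and confirm keytool now reports a two-certificate chain for "osp".
import_chain() {
  keytool -importcert -trustcacerts -alias root -keystore "$CERT_DIR/tomcat.ks" \
    -file "$CERT_DIR/SSCert.der" -storepass "$KS_PASSWORD" -noprompt
  keytool -importcert -alias osp -keystore "$CERT_DIR/tomcat.ks" \
    -file "$CERT_DIR/cert.der" -storepass "$KS_PASSWORD" -noprompt
  keytool -list -v -alias osp -keystore "$CERT_DIR/tomcat.ks" -storepass "$KS_PASSWORD" \
    | grep -E 'Certificate chain length|Owner:|Issuer:'
}

# Convert DOS line endings to Unix: dos2unix when installed, plain tr otherwise.
to_unix() {
  if command -v dos2unix >/dev/null 2>&1; then
    dos2unix -q "$1"
  else
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  fi
}

# Report what would make the silent install fail: leftover CR characters, a
# missing required key, an "(explanation)" left inside a value, or an upper-case
# tree name. Prints each problem and returns non-zero if there is any.
check_silent_file() {
  local f=$1 key problems=0
  if grep -q "$(printf '\r')" "$f"; then echo "CRLF line endings (run to_unix)"; problems=1; fi
  for key in $REQUIRED_KEYS; do
    grep -Eq "^$key=" "$f" || { echo "missing $key"; problems=1; }
  done
  if grep -Eq '^[A-Z_]+=[^"#]*[ (]' "$f"; then echo "a value contains a space or inline comment"; problems=1; fi
  if grep -Eq '^EDIRAPI_TREENAME=.*[[:upper:]]' "$f"; then echo "EDIRAPI_TREENAME must be lowercase"; problems=1; fi
  return "$problems"
}

# Step 3: stage /data and start the container with the limits recommended above.
run_osp() {
  mkdir -p /data && chmod 700 /data
  cp "$CERT_DIR/tomcat.ks" /data/tomcat.ks
  cp "$SILENT_SRC" /data/osp-edirapi-silent.properties
  to_unix /data/osp-edirapi-silent.properties
  check_silent_file /data/osp-edirapi-silent.properties
  chmod 600 /data/osp-edirapi-silent.properties       # holds the ID Vault admin password
  docker load --input osp.tar.gz
  docker run -d --name OSP_Container --network=host \
    --memory=2g --pids-limit=300 --restart=on-failure:5 \
    -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config "osp:$OSP_VERSION"
}

case "${1:-}" in
  keystore) make_keystore ;;
  import)   import_chain ;;
  run)      run_osp ;;
esac
```

Run the three phases in order (keystore, then import once cert.der and SSCert.der are in place, then run). The chain check after the imports is the point where a wrong CA file shows up: keytool refuses the reply, or lists a chain length of 1.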
To stop Identity Console, run the following command:
docker stop identityconsole-container-name
To restart Identity Console, run the following command:
docker restart identityconsole-container-name
To start Identity Console, run the following command:
docker start identityconsole-container-name
Along with the Identity Console container, a volume for data persistence is also created. To reuse the configuration of an old container through its volume (for example when moving to a new image), perform the following steps:
Stop your current Docker Container using the following command:
docker stop identityconsole-container-name
Example:
docker stop identityconsole-container-1
Create the second container using the application data of the old container stored in the Docker volume (IDConsole-volume-1):
docker create --name identityconsole-container-name --network=host --volume IDConsole-volume-1:/config/ identityconsole:<version>
Example:
docker create --name identityconsole-container-2 --network=host --volume IDConsole-volume-1:/config/ identityconsole:1.7.1.0000
Start the second container using the following command:
docker start identityconsole-container-name
Example:
docker start identityconsole-container-2
(Optional) The first container can be removed using the following command:
docker rm identityconsole-container-name
Example:
docker rm identityconsole-container-1
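The volume reuse steps above as one script, with the health check from the top of this page gating the final step: the old container is removed only after the new one reports healthy, and if it never does the new container is discarded and the old one started again. This is an added example and not part of the Identity Console product or its documentation. The container name scheme (…-1 to …-2), the volume name, the image tag, the polling interval and the resource limits on the docker create command are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the Identity Console product or its documentation.
# Moves a deployment to a new container on the same volume, keeping the old
# container until the new one reports healthy, and rolls back otherwise.
# Container names, volume name and image tag are assumptions (placeholders).
set -eu

# Derive the next container name from the old one (…-1 becomes …-2).
next_name() {
  local base=${1%-*} n=${1##*-}
  case "$n" in *[!0-9]*|'') echo "$1-2"; return ;; esac
  echo "$base-$((n + 1))"
}

# Map the STATUS column of docker ps to a health state.
health_from_status() {
  case "$1" in
    *"(healthy)"*)          echo healthy ;;
    *"(unhealthy)"*)        echo unhealthy ;;
    *"(health: starting)"*) echo starting ;;
    Up*)                    echo no-healthcheck ;;
    *)                      echo down ;;
  esac
}

# Poll until the container is healthy; give up early on unhealthy or exited.
wait_healthy() {
  local name=$1 tries=${2:-24} state
  while [ "$tries" -gt 0 ]; do
    state=$(health_from_status "$(docker ps -a --filter "name=^${name}\$" --format '{{.Status}}')")
    case "$state" in
      healthy) return 0 ;;
      unhealthy|down) return 1 ;;
    esac
    sleep 5
    tries=$((tries - 1))
  done
  return 1
}

# Stop the old container, create and start the new one on the same volume,
# and only then decide which of the two survives.
migrate() {
  local old=$1 volume=$2 image=$3 new
  new=$(next_name "$old")
  docker stop "$old"
  docker create --name "$new" --network=host --memory=2g --cpuset-cpus=0-1 \
    --pids-limit=300 --restart=on-failure:5 --volume "$volume:/config/" "$image"
  docker start "$new"
  if wait_healthy "$new"; then
    docker rm "$old"                       # remove the old container only now
  else
    echo "$new did not become healthy; rolling back to $old" >&2
    docker stop "$new"; docker rm "$new"; docker start "$old"
    return 1
  fi
}

if [ "${1:-}" = migrate ]; then
  migrate "${2:?old container}" "${3:?volume}" "${4:?image}"
fi
```

Usage: ./migrate.sh migrate identityconsole-container-1 IDConsole-volume-1 identityconsole:1.7.1.0000. Because both containers share the volume, the old one is stopped before the new one starts; the rollback path restarts it on the unchanged data.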
Perform the following steps to replace the server certificate in the Docker container:
Copy the new server certificate to any location inside the container.
Example:
docker cp /path/to/new-keys.pfx <container_id/name>:/tmp/new-keys.pfx
Login to the container by using the following command:
docker exec -it container_name bash
Run NLPCERT to store the keys as a pseudo-user:
LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /tmp/new-keys.pfx -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem
Exit the container console using the command:
exit
Restart the container:
docker restart <container_name>