2.3 Deploying Identity Console as Docker Container

2.3.1 Security Recommendations

  • Docker containers have no resource constraints by default, so every container can use all of the CPU and memory that the host kernel provides. Set limits on what a container may consume so that one running container cannot starve the others:

    • Apply a hard limit to the memory the container may use with the --memory flag of the docker run command.

    • Restrict the CPU the container may use with the --cpuset-cpus flag of the docker run command (this pins the container to specific cores; --cpus caps its share of CPU time instead).

  • Set --pids-limit to 300 to cap the number of processes and kernel threads that can exist inside the container at any one time. This prevents fork-bomb style denial of service.

  • Set the container restart policy to on-failure with a maximum of 5 retries using the --restart flag of the docker run command (--restart on-failure:5).

  • Use the container only once its health status shows as healthy after it comes up. docker ps shows the status in its STATUS column; docker inspect prints only the health status:

    docker ps --filter name=<container_name>
    docker inspect --format '{{.State.Health.Status}}' <container_name/ID>
  • The Docker container always starts as the non-root user (nds). As an additional measure, enable user namespace remapping on the Docker daemon so that even a root escape inside the container maps to an unprivileged UID on the host. For more information on user namespace remapping, see Isolate containers with a user namespace.
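The recommendations above, applied in one script. This is an added example and not part of the Identity Console documentation: it creates and starts the container with the memory, CPU, pid and restart limits, then polls the image's health check before reporting the container usable. The container name, volume, image tag and the limit values (2 GiB, cores 0 and 1) are assumptions; size them for your host.

```shell
#!/bin/sh
# Added example (not from the Identity Console documentation): create and start the
# container with the limits from section 2.3.1, then wait for the image's health check.
# Container name, volume, image tag and limit values are assumptions.
set -eu

CONTAINER="${CONTAINER:-identityconsole-container-1}"
VOLUME="${VOLUME:-IDConsole-volume}"
IMAGE="${IMAGE:-identityconsole:1.7.2.0000}"
DRY_RUN="${DRY_RUN:-1}"   # 1 prints the docker commands; DRY_RUN=0 executes them

# Flags implementing the recommendations: hard memory cap (memory-swap equal to memory
# disables swap for the container), pinned cores, pid cap, bounded restart loop.
hardening_flags() {
    printf '%s' '--memory 2g --memory-swap 2g --cpuset-cpus 0,1 --pids-limit 300 --restart on-failure:5'
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

deploy() {
    # $(hardening_flags) is intentionally unquoted so the flags are split into words
    run docker create --name "$CONTAINER" --env ACCEPT_EULA=Y --network host \
        $(hardening_flags) --volume "$VOLUME:/config/" "$IMAGE"
    run docker start "$CONTAINER"
}

# Poll the health status from the image's HEALTHCHECK every 5 s. Returns 0 once the
# status is "healthy", 1 if it is still not healthy after $2 seconds (default 300).
wait_healthy() {
    name=$1; timeout=${2:-300}; waited=0; status=unknown
    while [ "$waited" -lt "$timeout" ]; do
        status=$(docker inspect --format '{{.State.Health.Status}}' "$name" 2>/dev/null || echo unknown)
        [ "$status" = healthy ] && return 0
        sleep 5
        waited=$((waited + 5))
    done
    echo "$name is '$status' after ${timeout}s; do not use it yet (check: docker logs $name)" >&2
    return 1
}

deploy
[ "$DRY_RUN" = 1 ] || wait_healthy "$CONTAINER" 300
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 to execute them; a non-zero exit from wait_healthy means the container never reported healthy within the timeout and should not be put into service.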

2.3.2 Deploying Identity Console As a Docker Container

NOTE:Identity Console can be configured with or without OSP. If you configure it with OSP, deploy the OSP container first and the Identity Console container after it. In both cases, edit the edirapi.conf file with the values for your deployment.

To deploy Identity Console as a Docker container:

The configuration parameters, sample values and examples in this procedure are for reference only. Do not use them as-is in your production environment; in particular, replace every sample password.

  1. Log in to the Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: eDirectory

    • Product Name: eDirectory per User Sub SW E-LTU

    • Version: 9.2

  3. Download the IdentityConsole_<version>_Container.tar.zip.

  4. Load the image into the local Docker image store. Extract the IdentityConsole_<version>_Containers.tar.gz file and load the image using the following commands:

    tar -xvf IdentityConsole_<version>_Containers.tar.gz              
    docker load --input identityconsole.tar.gz
  5. Create the Identity Console Docker container using the following command:

    docker create --name <identityconsole-container-name> --env ACCEPT_EULA=Y --network=<network-type> --volume <volume-name>:/config/ identityconsole:<version>

    For example,

    docker create --name identityconsole-container-1 --env ACCEPT_EULA=Y --network=host --volume IDConsole-volume:/config/ identityconsole:1.7.2.0000

    NOTE:

    • You can accept the EULA by setting the ACCEPT_EULA environment variable to 'Y'. Alternatively, pass the -it option to docker create for interactive mode and accept the EULA at the on-screen prompt when the container starts.

    • The --volume parameter creates a named volume for configuration and log data. In this example the volume is called IDConsole-volume.

  6. Copy the server certificate file (a PKCS#12 file containing the key pair) from your local file system into the container as /etc/opt/novell/eDirAPI/cert/keys.pfx using the following command. For more information on creating the server certificate, see Prerequisites:

    docker cp <absolute path of server certificate file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/cert/keys.pfx

    For example,

    docker cp /home/user/keys.pfx identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/keys.pfx

    When you connect to multiple eDirectory trees, make sure you obtain at least one keys.pfx server certificate covering all the connected trees.

  7. Copy the CA certificate file (.pem) from your local file system to the container as /etc/opt/novell/eDirAPI/cert/SSCert.pem using the following command. For more information on obtaining the CA certificate, see Prerequisites:

    docker cp <absolute path of CA certificate file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/cert/SSCert.pem

    For example,

    docker cp /home/user/SSCert.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert.pem

    If you need to connect to multiple eDirectory trees, see Multi-tree with Identity Console as Docker.

  8. Depending on whether you want to configure Identity Console with or without OSP, modify the edirapi.conf configuration file as needed. Then use the following command to copy it from your local file system to the container at /etc/opt/novell/eDirAPI/conf/edirapi.conf:

    docker cp <absolute path of configuration file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/conf/edirapi.conf

    For example,

    docker cp /home/user/edirapi.conf identityconsole-container-1:/etc/opt/novell/eDirAPI/conf/edirapi.conf

    A sample configuration file (without OSP) is shown below. pfxpassword is the password of keys.pfx and is stored in clear text, so restrict who can read edirapi.conf:

    listen = ":9000"
    pfxpassword = "novell"
    bcert = "/etc/opt/novell/eDirAPI/cert/"
    ospmode=false
    edir-hosts = "<ip_address>:636"

    NOTE:To access eDirectory through Identity Console, edirapi.conf must contain edir-hosts="x.x.x.x:ldaps_port", that is, the eDirectory host and its LDAPS port (636 by default).

    Example: edir-hosts="10.10.10.10:636"

    A sample configuration file when configuring Identity Console with OSP is shown below. Keep check-origin = true and set origin to the URL on which users reach Identity Console:

    listen = ":9000"
    ldapserver = "10.71.39.15:636"
    ldapuser = "cn=admin,o=novell"
    ldappassword = "novell"
    pfxpassword = "novell"
    osp-token-endpoint = "https://<osp_ipaddress>:8543/osp/a/idm/auth/oauth2/getattributes"
    osp-authorize-url = "https://<osp_ipaddress>:8543/osp/a/idm/auth/oauth2/grant"
    osp-logout-url = "https://<osp_ipaddress>:8543/osp/a/idm/auth/app/logout"
    osp-redirect-url = "https://<identity_console_ipaddress>:9000/eDirAPI/v1/t/authcoderedirect"
    osp-client-id = "identityconsole"
    ospclientpass = "novell"
    ospcert = "/etc/opt/novell/eDirAPI/cert/SSCert.pem"
    bcert = "/etc/opt/novell/eDirAPI/cert/"
    ospmode=true
    check-origin =true
    origin = "https://<identity_console_ipaddress>:9000"
  9. Start the Docker container using the following command:

    docker start <identityconsole-container-name>

    For example,

    docker start identityconsole-container-1

NOTE:The following log files are written to the named volume; on the host they are under /var/lib/docker/volumes/<volume_name>/_data/eDirAPI/var/log:

  • edirapi.log - Events and debugging information from edirapi.

  • edirapi_audit.log - Audit events from edirapi, in CEF (Common Event Format).

  • container-startup.log - Installation log of the Identity Console Docker container.

2.3.3 Multi-tree with Identity Console as Docker

Identity Console can connect to multiple eDirectory trees; you need the CA certificate of each tree.

NOTE:To reach all the trees through Identity Console, list every tree's LDAPS host and port in edir-hosts in edirapi.conf, in the form edir-hosts="x.x.x.x:ldaps_port, y.y.y.y:ldaps_port, z.z.z.z:ldaps_port". For example:

edir-hosts="10.10.10.10:636, 20.20.20.20:636, 30.30.30.30:636"

For example, if you connect to three eDirectory trees, copy all three CA certificates into the Docker container:

docker cp /home/user/SSCert1.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert1.pem
docker cp /home/user/SSCert2.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert2.pem
docker cp /home/user/SSCert3.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert3.pem

Run the following command to restart Identity Console so that it picks up the new certificates:

docker restart <identityconsole-container-name>

Example:

docker restart identityconsole-container-1
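Steps 6 to 9 of the deployment procedure and the multi-tree variant, as an added example that is not part of the Identity Console documentation. It goes beyond the page in one respect: before anything is copied into the container it checks edirapi.conf for the mistakes that make the deployment fail or leave it weak (missing or port-less edir-hosts entries, the sample pfxpassword, an OSP configuration without its osp-* entries or with check-origin disabled). The container name, the file paths and the sample configuration at the end are assumptions constructed for the example; the container is assumed to exist as created in step 5.

```shell
#!/bin/sh
# Added example, not part of the Identity Console documentation: sanity-check edirapi.conf,
# then perform steps 6 to 9 (server certificate, one CA certificate per tree, configuration,
# start) against the container created in step 5. Names, paths and the sample configuration
# are assumptions / constructed for the example.
set -eu

CONTAINER="${CONTAINER:-identityconsole-container-1}"
CERT_DIR=/etc/opt/novell/eDirAPI/cert
CONF_DIR=/etc/opt/novell/eDirAPI/conf
DRY_RUN="${DRY_RUN:-1}"   # 1 prints the docker commands; DRY_RUN=0 executes them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Value of a key in edirapi.conf: first 'key = "value"' or 'key=value' line, quotes stripped.
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# Returns the number of problems found (0 = ready to copy into the container).
check_conf() {
    conf=$1; problems=0
    hosts=$(conf_get "$conf" edir-hosts)
    if [ -z "$hosts" ]; then
        echo "edir-hosts is missing; Identity Console cannot reach eDirectory" >&2
        problems=$((problems + 1))
    else
        # every entry must carry the LDAPS port, as in "x.x.x.x:636, y.y.y.y:636"
        for h in $(printf '%s' "$hosts" | tr ',' ' '); do
            case "$h" in
                *:[0-9]*) ;;
                *) echo "edir-hosts entry '$h' has no LDAPS port" >&2; problems=$((problems + 1)) ;;
            esac
        done
    fi
    case "$(conf_get "$conf" pfxpassword)" in
        ""|novell) echo "pfxpassword is empty or still the sample value" >&2; problems=$((problems + 1)) ;;
    esac
    if [ "$(conf_get "$conf" ospmode)" = true ]; then
        for k in ldapserver osp-token-endpoint osp-authorize-url osp-logout-url osp-redirect-url \
                 osp-client-id ospclientpass ospcert; do
            [ -n "$(conf_get "$conf" "$k")" ] || { echo "ospmode=true but $k is not set" >&2; problems=$((problems + 1)); }
        done
        [ "$(conf_get "$conf" check-origin)" = true ] \
            || { echo "check-origin must be true, with origin set to the Identity Console URL" >&2; problems=$((problems + 1)); }
    fi
    return "$problems"
}

install_and_start() {
    keys=$1; conf=$2; shift 2         # remaining arguments: one CA certificate (.pem) per tree
    check_conf "$conf"                # aborts the script (set -e) if the config is not usable
    run docker cp "$keys" "$CONTAINER:$CERT_DIR/keys.pfx"
    for ca in "$@"; do
        run docker cp "$ca" "$CONTAINER:$CERT_DIR/$(basename "$ca")"
    done
    run docker cp "$conf" "$CONTAINER:$CONF_DIR/edirapi.conf"
    run docker start "$CONTAINER"
}

# Constructed sample for the stand-alone run: a non-OSP configuration for two trees.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen = ":9000"
pfxpassword = "replace-with-the-keys.pfx-password"
bcert = "/etc/opt/novell/eDirAPI/cert/"
ospmode=false
edir-hosts = "10.10.10.10:636, 20.20.20.20:636"
EOF
install_and_start /home/user/keys.pfx "$SAMPLE_CONF" /home/user/SSCert1.pem /home/user/SSCert2.pem
rm -f "$SAMPLE_CONF"
```

With DRY_RUN=1 (the default) the script only prints the docker cp and docker start commands it would run; the configuration checks still execute, so a rejected edirapi.conf is reported before any file reaches the container.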

2.3.4 Deploying the OSP Container

Perform the following steps to deploy the OSP container:

  1. Log in to Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: eDirectory

    • Product Name: eDirectory per User Sub SW E-LTU

    • Version: 9.2

    • Identity Console Standalone

  3. Download and extract the IdentityConsole_<version>_Containers_tar.zip file.

  4. The OSP container needs a keystore (tomcat.ks) holding its TLS key pair, the certificate issued for it and the tree CA certificate.

    Perform the following steps to generate the keystore:

    1. Create a folder certs in the /opt/ directory.

    2. Run the following command to create a keystore (tomcat.ks):

      keytool -genkey -alias osp -keyalg RSA -storetype pkcs12 -keystore /opt/certs/tomcat.ks -validity 3650 -keysize 2048 -dname "CN=blr-osp48-demo.labs.blr.novell.com" -keypass novell -storepass novell

      NOTE:Use the OSP server's fully qualified hostname or its IP address as the CN, for example CN=xx.xx.xx.xx. It must match the host that Identity Console uses in the osp-* URLs in edirapi.conf, otherwise TLS name validation fails.

    3. Run the following command to create a certificate signing request. For example: cert.csr.

      keytool -certreq -v -alias osp -file /opt/certs/cert.csr -keypass novell -keystore /opt/certs/tomcat.ks -storepass novell
    4. Pass the created cert.csr to Identity Console and get the cert.der as explained:

      1. Launch Identity Console as Administrator.

      2. Click Certificate Management > Issue Certificate and select the cert.csr file.

      3. Go to Key Usage Specifications > Key Type and select the Custom radio button.

      4. Click Key Usage and select the following check boxes:

        • Data Encipherment

        • Key Encipherment

        • Digital Signature

      5. Click Certificate Parameters > Subject Alternative Names > OSP Server IP address or OSP Server DNS Name > Next > OK.

        The message appears as Certificate has been generated successfully.

      6. Click OK.

      7. Download the issued certificate cert.der and copy it to /opt/certs/.

    5. Copy the tree CA certificate SSCert.der from eDirectory to /opt/certs.

    6. Run the following commands to import the CA certificate (SSCert.der) and then the issued server certificate (cert.der) into the tomcat.ks keystore. Keep this order: keytool accepts the certificate reply for the osp key pair only once its issuer is trusted in the keystore.

      keytool -import -trustcacerts -alias root -keystore /opt/certs/tomcat.ks -file /opt/certs/SSCert.der -storepass novell -noprompt
      keytool -import -alias osp -keystore /opt/certs/tomcat.ks -file /opt/certs/cert.der -storepass novell -noprompt
  5. Create a new folder as /data.

  6. Copy the tomcat.ks from /opt/certs and paste it to the data folder.

  7. From the extracted Identity Console container build, copy the osp-edirapi-silent.properties file into the data folder.

  8. Modify osp-edirapi-silent.properties as required. A sample silent properties file is shown below; the text in parentheses explains each value and must not be left in the file, and the passwords shown are sample values to be replaced:

    # Silent file for osp with edirapi
    ## Static contents Do not edit - starts 
    INSTALL_OSP=true
    DOCKER_CONTAINER=y
    EDIRAPI_PROMPT_NEEDED=y
    UA_PROMPT_NEEDED=n
    SSPR_PROMPT_NEEDED=n
    RPT_PROMPT_NEEDED=n
    CUSTOM_OSP_CERTIFICATE=y
    ## Static contents Do not edit - ends
    
    # OSP Details
    SSO_SERVER_HOST=osp.example.com (OSP server hostname or IP address)
    SSO_SERVER_SSL_PORT=8543
    OSP_COMM_TOMCAT_KEYSTORE_FILE=/config/tomcat.ks
    OSP_COMM_TOMCAT_KEYSTORE_PWD=novell
    SSO_SERVICE_PWD=novell
    OSP_KEYSTORE_PWD=novell
    IDM_KEYSTORE_PWD=novell
    OSP_CUSTOM_NAME="Identity Console"
    USER_CONTAINER="o=novell"
    ADMIN_CONTAINER="o=novell"
    
    # IDConsole Details 
    IDCONSOLE_HOST=192.168.1.1 (Identity Console server IP address)
    IDCONSOLE_PORT=9000
    EDIRAPI_TREENAME=ed913 (Tree name should be in lowercase)
    
    #If ENABLE_CUSTOM_CONTAINER_CREATION is set to y
    #i.e., when you have user and admin container different from o=data
    #    and they need to be created in eDir
    #then CUSTOM_CONTAINER_LDIF_PATH should be entered as well
    ENABLE_CUSTOM_CONTAINER_CREATION=n
    #ENABLE_CUSTOM_CONTAINER_CREATION=y
    #CUSTOM_CONTAINER_LDIF_PATH=/config/custom-osp.ldif
    
    # eDir Details
    ID_VAULT_HOST=192.168.1.1 (eDirectory/ID Vault server IP address)
    ID_VAULT_LDAPS_PORT=636
    ID_VAULT_ADMIN_LDAP="cn=admin,o=novell"
    ID_VAULT_PASSWORD=novell

    NOTE:If the silent properties file was edited on Windows, it has DOS line endings (CRLF), which break parsing of the values. Convert it to Unix line endings with the dos2unix tool before use:

    dos2unix filename

    For example:

    dos2unix samplefile

  9. Run the following command to load the OSP image:

    docker load --input osp.tar.gz
  10. Deploy the container using the following command:

    docker run -d --name OSP_Container --network=host -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config osp:<version>

    For example:

    docker run -d --name OSP_Container --network=host -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config osp:6.6.6 

    NOTE:After deploying the OSP container, install and configure Identity Console with the OSP server details (ospmode=true and the osp-* entries in edirapi.conf).
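The checks a practitioner wants to run on osp-edirapi-silent.properties before step 10, as an added example that is not part of the Identity Console documentation. It detects the problems the procedure above warns about: DOS line endings, explanatory text from the sample left inside a value, an edited static block, a tree name that is not lowercase, a keystore path that does not resolve to a file in the folder mounted at /config, and sample passwords left in place. DATA_DIR (the host folder mounted at /config, assumed to be /data as in step 5) and the constructed demo file are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Identity Console documentation: lint
# osp-edirapi-silent.properties for the mistakes the procedure warns about before
# running the OSP container. DATA_DIR is the host folder mounted at /config (assumed /data).
set -eu

DATA_DIR="${DATA_DIR:-/data}"

# Value of a key in a properties file: last 'KEY=value' line wins, trailing blanks removed.
prop_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/[[:space:]]*$//'
}

problem() { echo "problem: $*" >&2; problems=$((problems + 1)); }

# Returns the number of problems found; 0 means the file is ready for the container.
check_silent_props() {
    f=$1; problems=0
    if grep -q "$(printf '\r')" "$f"; then
        problem "DOS line endings; run: dos2unix $f"
    fi
    if grep -E '^[^#].*=.*\(' "$f" >/dev/null; then
        problem "a value still contains a parenthesised note copied from the sample file"
    fi
    for kv in INSTALL_OSP=true DOCKER_CONTAINER=y EDIRAPI_PROMPT_NEEDED=y CUSTOM_OSP_CERTIFICATE=y; do
        k=${kv%%=*}; v=${kv#*=}
        [ "$(prop_get "$f" "$k")" = "$v" ] || problem "$k must stay $v (static block)"
    done
    tree=$(prop_get "$f" EDIRAPI_TREENAME)
    [ "$tree" = "$(printf '%s' "$tree" | tr '[:upper:]' '[:lower:]')" ] \
        || problem "EDIRAPI_TREENAME '$tree' must be lowercase"
    ks=$(prop_get "$f" OSP_COMM_TOMCAT_KEYSTORE_FILE)
    case "$ks" in
        /config/*) [ -f "$DATA_DIR/${ks#/config/}" ] || problem "keystore $ks not found as $DATA_DIR/${ks#/config/}" ;;
        *) problem "OSP_COMM_TOMCAT_KEYSTORE_FILE must point under /config (the mounted $DATA_DIR)" ;;
    esac
    for k in OSP_COMM_TOMCAT_KEYSTORE_PWD SSO_SERVICE_PWD OSP_KEYSTORE_PWD IDM_KEYSTORE_PWD ID_VAULT_PASSWORD; do
        case "$(prop_get "$f" "$k")" in ""|novell) problem "$k is empty or still the sample password" ;; esac
    done
    return "$problems"
}

# Constructed demo input: the sample from step 8 with one of its notes left in place.
demo=$(mktemp)
cat > "$demo" <<'EOF'
INSTALL_OSP=true
DOCKER_CONTAINER=y
EDIRAPI_PROMPT_NEEDED=y
UA_PROMPT_NEEDED=n
SSPR_PROMPT_NEEDED=n
RPT_PROMPT_NEEDED=n
CUSTOM_OSP_CERTIFICATE=y
SSO_SERVER_HOST=osp.example.com (OSP server hostname or IP address)
SSO_SERVER_SSL_PORT=8543
OSP_COMM_TOMCAT_KEYSTORE_FILE=/config/tomcat.ks
OSP_COMM_TOMCAT_KEYSTORE_PWD=novell
IDCONSOLE_HOST=192.168.1.1
IDCONSOLE_PORT=9000
EDIRAPI_TREENAME=ED913
ID_VAULT_HOST=192.168.1.1
ID_VAULT_LDAPS_PORT=636
ID_VAULT_ADMIN_LDAP="cn=admin,o=novell"
ID_VAULT_PASSWORD=novell
EOF
if check_silent_props "$demo"; then echo "$demo is ready"; else echo "fix the problems above before running the OSP container"; fi
rm -f "$demo"
```

Run it as DATA_DIR=/data sh check-props.sh (file name assumed) against your edited properties file; the OSP container reads the file non-interactively, so a problem found here is far cheaper than a failed silent install inside the container.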

2.3.5 Stopping and Restarting Identity Console As Docker Container

To stop Identity Console, run the following command:

docker stop <identityconsole-container-name>

To restart Identity Console, run the following command:

docker restart <identityconsole-container-name>

To start Identity Console, run the following command:

docker start <identityconsole-container-name>

2.3.6 Managing Data Persistence

Along with the Identity Console container, a named volume for persistent data is created. To reuse the configuration of an old container in a new one (for example, when moving to a new image version), attach the same volume to the new container:

  1. Stop your current Docker Container using the following command:

    docker stop <identityconsole-container-name>

    Example:

    docker stop identityconsole-container-1
  2. Create the second container on the application data of the old container, stored in the Docker volume (IDConsole-volume-1 in this example). Accept the EULA as in step 5 of the deployment procedure:

    docker create --name <identityconsole-container-name> --env ACCEPT_EULA=Y --network=host --volume IDConsole-volume-1:/config/ identityconsole:<version>

    Example:

    docker create --name identityconsole-container-2 --env ACCEPT_EULA=Y --network=host --volume IDConsole-volume-1:/config/ identityconsole:1.7.1.0000
  3. Start the second container using the following command:

    docker start <identityconsole-container-name>

    Example:

    docker start identityconsole-container-2
  4. (Optional) Remove the first container using the following command. The volume is not removed with it:

    docker rm <identityconsole-container-name>

    Example:

    docker rm identityconsole-container-1

2.3.7 Modifying Server Certificate in Docker Container

Perform the following steps to replace the server certificate in the Docker container:

  1. Copy the new server certificate (PKCS#12) to a temporary location in the container, for example /tmp:

    Example:

    docker cp /path/to/new-keys.pfx <container_id/name>:/tmp/new-keys.pfx
  2. Open a shell in the container using the following command:

    docker exec -it <container_name> bash
  3. Run nlpcert to store the keys as a pseudo-user, reading the new PKCS#12 file and writing the PEM used by eDirAPI:

    LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /tmp/new-keys.pfx -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem 
  4. Delete the temporary copy, which still contains the private key (rm /tmp/new-keys.pfx), then leave the container shell using the command:

    exit
  5. Restart the container by entering:

    docker restart <container name>