1.1 System Requirements and Prerequisites for Docker Installation

This section explains the system requirements and prerequisites for installing Identity Console as a Docker container.

1.1.1 System Requirements

Identity Console runs as a Docker container, so the system requirements and supported platforms are those of Docker itself. For more information, see the Docker Documentation.

1.1.2 Prerequisites

  • Install Docker 20.10.9-ce or later. For more information on how to install Docker, see Docker Installation.

  • You must obtain a PKCS#12 server certificate with its private key to encrypt the data exchanged between the Identity Console server and the back-end server. This server certificate secures the HTTP connection. You can use a server certificate generated by any external CA. For more information, see Creating Server Certificate Objects. The server certificate should contain Subject Alternative Name (SAN) entries for both the IP address and the DNS name of the Identity Console server. Once the server certificate object is created, you must export it in .pfx format.

  • You must obtain the CA certificate of every tree in .pem format to validate the CA signature on the server certificates obtained in the previous step. This root CA certificate also allows a secure LDAP connection to be established between the client and the Identity Console server. For example, you can obtain the eDirectory CA certificate (SSCert.pem) from /var/opt/novell/eDirectory/data/SSCert.pem.

  • (Optional) Using the One SSO Provider (OSP), you can enable single sign-on authentication for your users to the Identity Console portal. You must install OSP before installing Identity Console. To configure OSP for Identity Console, follow the on-screen prompts and provide the required values for the configuration parameters. To register Identity Console with an existing OSP server, you must manually add the following to the ism-configuration.properties file in the /opt/netiq/idm/apps/tomcat/conf/ folder:

    com.netiq.edirapi.clientID = identityconsole
    com.netiq.edirapi.redirect.url = https://<Identity Console Server IP>:<Identity Console Listener Port>/eDirAPI/v1/<eDirectory Tree Name>/authcoderedirect
    com.netiq.edirapi.logout.url = https://<Identity Console Server IP>:<Identity Console Listener Port>/eDirAPI/v1/<eDirectory Tree Name>/logoutredirect
    com.netiq.edirapi.logout.return-param-name = logoutURL
    com.netiq.edirapi.response-types = code,token
    com.netiq.edirapi.clientPass._attr_obscurity = NONE
    com.netiq.edirapi.clientPass = novell

    NOTE: With OSP, you can connect to only a single eDirectory tree, because OSP does not support multiple eDirectory trees.

  • Ensure that you have a proper DNS entry available for your host machine in /etc/hosts with a fully qualified host name.

  • If you want to use Identity Console in the Microsoft Edge browser, download the latest version of Microsoft Edge for full functionality.

NOTE: When using Identity Console in Mozilla Firefox, an operation might fail with an Origin Mismatch error message. To troubleshoot, perform the following steps:

  1. Update Firefox to the latest version.

  2. Specify about:config in the Firefox URL field and press Enter.

  3. Search for Origin.

  4. Double-click on network.http.SendOriginHeader and change its value to 1.

1.1.3 Setting Up Your Environment

You might need to create a configuration file containing certain parameters. If you want to configure Identity Console with OSP, you must specify the OSP-specific parameters in the configuration file. For example, create an edirapi.conf file such as the following, which includes the OSP parameters:

NOTE: You must provide your eDirectory tree name in the osp-redirect-url field.

listen = ":9000"
ldapserver = "192.168.1.1:636"
ldapuser = "cn=admin,ou=sa,o=system"
ldappassword = "novell"
pfxpassword = "novell"
ospmode = "true"
osp-token-endpoint = "https://10.10.10.10:8543/osp/a/idm/auth/oauth2/getattributes"
osp-authorize-url = "https://10.10.10.10:8543/osp/a/idm/auth/oauth2/grant"
osp-logout-url = "https://10.10.10.10:8543/osp/a/idm/auth/app/logout"
osp-redirect-url = "https://10.10.10.10:9000/eDirAPI/v1/edirtree/authcoderedirect"
osp-client-id = "identityconsole"
ospclientpass = "novell"
ospcert = "/etc/opt/novell/eDirAPI/cert/SSCert.pem"
bcert = "/etc/opt/novell/eDirAPI/cert/"
loglevel = "error"
check-origin = "true"
origin = "https://10.10.10.10:9000,https://192.168.1.1:8543"

If you want to configure Identity Console without OSP, create the configuration file without the OSP parameters, as shown below:

listen = ":9000"
pfxpassword = "novell"
ospmode = "false"
bcert = "/etc/opt/novell/eDirAPI/cert/"
edir-hosts = "<ip_address-1>:636,<ip_address-2>:636"

NOTE: When you want to configure Identity Console with multiple eDirectory trees, you can omit the ldapserver, ldapuser, and ldappassword parameters when creating the configuration file.

Table 1-1 Description of the configuration parameters in the configuration file

listen
    Specify 9000 as the Identity Console server's listener port inside the container.

ldapserver
    Specify the eDirectory host server IP address and port number.

ldapuser
    Specify the username of the eDirectory user. This parameter is used as the credential for initiating LDAP calls to eDirectory using the proxied authorization control in the case of OSP login. The LDAP user must have supervisor rights on the eDirectory tree.

ldappassword
    Specify the password of the LDAP user.

pfxpassword
    Specify the password of the PKCS#12 server certificate file.

ospmode
    Specify true to integrate OSP with Identity Console. If you set this to false, Identity Console uses LDAP login.

osp-token-endpoint
    This URL is used to fetch certain attributes from the OSP server to verify the validity of the authentication token.

osp-authorize-url
    This URL is used by the user to provide credentials to obtain an authentication token.

osp-logout-url
    This URL is used to terminate the session between the user and the OSP server.

osp-redirect-url
    The OSP server redirects the user to this URL after granting the authentication token.

    NOTE: Specify the eDirectory tree name in lowercase when configuring Identity Console. If the tree name is not specified in lowercase, login to the Identity Console server might fail.

osp-client-id
    Specify the OSP client ID that was provided at the time of the Identity Console registration with OSP.

ospclientpass
    Specify the OSP client password that was provided at the time of the Identity Console registration with OSP.

ospcert
    Specify the location of the OSP server's CA certificate.

bcert
    Specify the location of Identity Console's CA certificate.

loglevel
    Specify the log levels that you want to include in the log file. This parameter can be set to "fatal", "error", "warn" or "info".

check-origin
    If this is set to true, the Identity Console server compares the origin value of requests against the origin parameter. Available options are true or false. When DNS configuration is used, the origin parameter is mandatory even if check-origin is set to false.

origin
    Identity Console compares the origin value of requests with the values specified in this field.

    NOTE: From Identity Console 1.4 onward, this parameter is independent of the check-origin parameter and is mandatory if DNS configuration is used.

maxclients
    The maximum number of concurrent clients that can access Identity Console. Any additional clients beyond this limit have to wait in a queue.

edir-hosts
    The IP address(es) and ports of the eDirectory servers that you want to connect to through Identity Console.

NOTE:

  • The ospmode configuration parameter should be used only if you plan to integrate OSP along with Identity Console.

  • If Identity Applications (Identity Apps) is configured in cluster mode in your Identity Manager setup, you must provide the DNS name of the load balancer server in the osp-token-endpoint, osp-authorize-url and osp-logout-url fields of the configuration file. If you provide the OSP server details in these fields instead, the Identity Console login fails.

  • If Identity Console is configured with the same OSP instance as Identity Apps and Identity Reporting, Single Sign-On (the authentication service) takes effect when you log in to the Identity Console portal.

  • From Identity Console 1.4 onward, the OSP HTTPS URL must be validated with a certificate whose key is 2048 bits or longer.

  • If you want to restrict access to the Identity Console portal from different domains, set the samesitecookie parameter to strict. If you want to allow access to the Identity Console portal from different domains, set the samesitecookie parameter to lax. If the parameter is not specified during configuration, the browser's own settings are honored by default.
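The following Python script is an added example, not part of the Identity Console product or its documentation. It parses an edirapi.conf in the key = "value" layout shown above and checks it against the rules stated in Table 1-1 and the notes: the in-container listener port, the parameters that become mandatory when ospmode is true or false, the lowercase tree name in osp-redirect-url, the allowed loglevel and samesitecookie values, and the origin list required by check-origin. How the real server parses the file and compares request origins is not described on this page, so parse_conf and origin_allowed are assumptions written to match the table's descriptions, and the embedded sample file is constructed from the page's OSP example.

```python
"""Check an Identity Console edirapi.conf against the rules in Table 1-1.

Added example; the line format and the Origin comparison are assumptions
that follow the table's descriptions, not the product's own parser.
"""
import re
from typing import Dict, List

# Constructed sample in the page's layout (values taken from the OSP example).
SAMPLE_OSP_CONF = """\
listen = ":9000"
ldapserver = "192.168.1.1:636"
ldapuser = "cn=admin,ou=sa,o=system"
ldappassword = "novell"
pfxpassword = "novell"
ospmode = "true"
osp-token-endpoint = "https://10.10.10.10:8543/osp/a/idm/auth/oauth2/getattributes"
osp-authorize-url = "https://10.10.10.10:8543/osp/a/idm/auth/oauth2/grant"
osp-logout-url = "https://10.10.10.10:8543/osp/a/idm/auth/app/logout"
osp-redirect-url = "https://10.10.10.10:9000/eDirAPI/v1/edirtree/authcoderedirect"
osp-client-id = "identityconsole"
ospclientpass = "novell"
ospcert = "/etc/opt/novell/eDirAPI/cert/SSCert.pem"
bcert = "/etc/opt/novell/eDirAPI/cert/"
loglevel = "error"
check-origin = "true"
origin = "https://10.10.10.10:9000,https://192.168.1.1:8543"
"""

LINE_RE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"$')
HOSTPORT_RE = re.compile(r'^[^\s:,]+:\d{1,5}$')
TREE_RE = re.compile(r'/eDirAPI/v1/([^/]+)/authcoderedirect$')
LOG_LEVELS = {"fatal", "error", "warn", "info"}
# Parameters the table describes as part of an OSP (ospmode = "true") setup.
OSP_KEYS = ("ldapserver", "ldapuser", "ldappassword", "osp-token-endpoint",
            "osp-authorize-url", "osp-logout-url", "osp-redirect-url",
            "osp-client-id", "ospclientpass", "ospcert")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key = "value" lines; blank lines and # comments are ignored (assumed)."""
    cfg: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected key = "value", got {raw!r}')
        cfg[m.group(1)] = m.group(2)
    return cfg


def validate(cfg: Dict[str, str]) -> List[str]:
    """Return the rule violations found; an empty list means the file passes."""
    problems: List[str] = []
    if cfg.get("listen") != ":9000":
        problems.append('listen must be ":9000" (listener port inside the container)')
    for key in ("pfxpassword", "bcert"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    ospmode = cfg.get("ospmode", "false").lower()
    if ospmode not in ("true", "false"):
        problems.append('ospmode must be "true" or "false"')
    elif ospmode == "true":
        for key in OSP_KEYS:
            if not cfg.get(key):
                problems.append(f"{key} is required when ospmode is true")
        m = TREE_RE.search(cfg.get("osp-redirect-url", ""))
        if not m:
            problems.append("osp-redirect-url must end in /eDirAPI/v1/<tree>/authcoderedirect")
        elif m.group(1) != m.group(1).lower():
            problems.append(f"tree name {m.group(1)!r} in osp-redirect-url must be lowercase")
    else:
        # Without OSP, the tree(s) come from edir-hosts (multi-tree) or ldapserver.
        hosts = cfg.get("edir-hosts") or cfg.get("ldapserver") or ""
        if not hosts:
            problems.append("edir-hosts (or ldapserver) is required when ospmode is false")
        for host in (h.strip() for h in hosts.split(",") if h.strip()):
            if not HOSTPORT_RE.match(host):
                problems.append(f"eDirectory host {host!r} is not in host:port form")
    if cfg.get("loglevel", "error") not in LOG_LEVELS:
        problems.append("loglevel must be one of fatal, error, warn, info")
    check_origin = cfg.get("check-origin", "false").lower()
    if check_origin not in ("true", "false"):
        problems.append('check-origin must be "true" or "false"')
    elif check_origin == "true" and not cfg.get("origin"):
        problems.append("origin is required when check-origin is true")
    if "samesitecookie" in cfg and cfg["samesitecookie"].lower() not in ("strict", "lax"):
        problems.append('samesitecookie must be "strict" or "lax"')
    mc = cfg.get("maxclients")
    if mc is not None and not (mc.isdigit() and int(mc) > 0):
        problems.append("maxclients must be a positive integer")
    return problems


def origin_allowed(cfg: Dict[str, str], request_origin: str) -> bool:
    """Model of the check-origin comparison (assumed): whole-origin match,
    case-insensitive, against the comma-separated origin list."""
    if cfg.get("check-origin", "false").lower() != "true":
        return True
    allowed = {o.strip().lower() for o in cfg.get("origin", "").split(",") if o.strip()}
    return request_origin.strip().lower() in allowed


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_OSP_CONF)
    print("problems:", validate(conf) or "none")
    print("https://10.10.10.10:9000 allowed:", origin_allowed(conf, "https://10.10.10.10:9000"))
```

Run it against a real edirapi.conf by replacing SAMPLE_OSP_CONF with the file's contents before deploying the container; a non-empty list from validate() points at the parameter to fix before the first login attempt, which is cheaper than diagnosing a failed login through the container logs.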

Once you are ready with the configuration file, proceed with deploying the container. For more information, see Deploying Identity Console as Docker Container.