OpenText Identity Console can be run as a Docker container. For more information about the system requirements and supported platforms for installing OpenText Identity Console, see Docker Documentation.
Install Docker 20.10.9-ce or later. For more information on how to install Docker on your platform, see Docker Installation.
You must obtain a pkcs12 server certificate with its private key to encrypt and decrypt the data exchanged between the OpenText Identity Console server and the back-end server. This server certificate secures the HTTP connection. You can use server certificates generated by any external CA. For more information, see Creating a Server Certificate Object. The server certificate must contain a Subject Alternative Name with both the IP address and the DNS name of the OpenText Identity Console server. Once the server certificate object is created, you must export it in .pfx format.
You must obtain the CA certificate of every tree in .pem format to validate the CA signature on the server certificates obtained in the previous step. This root CA certificate also secures the LDAP communication between the client and the OpenText Identity Console server. For example, you can obtain the OpenText eDirectory CA certificate (SSCert.pem) from /var/opt/novell/eDirectory/data/SSCert.pem.
(Optional) Using the One SSO Provider (OSP), you can enable single sign-on authentication for your users to the OpenText Identity Console portal. You must install OSP before installing OpenText Identity Console. To configure OSP for OpenText Identity Console, follow the on-screen prompts and provide the required values for the configuration parameters. To register OpenText Identity Console with an existing OSP server, you must manually add the following to the ism-configuration.properties file in the /opt/netiq/idm/apps/tomcat/conf/ folder:
com.netiq.edirapi.clientID = identityconsole
com.netiq.edirapi.redirect.url = https://<Identity Console Server IP>:<Identity Console Listener Port>/eDirAPI/v1/<eDirectory Tree Name>/authcoderedirect
com.netiq.edirapi.logout.url = https://<Identity Console Server IP>:<Identity Console Listener Port>/eDirAPI/v1/<eDirectory Tree Name>/logoutredirect
com.netiq.edirapi.logout.return-param-name = logoutURL
com.netiq.edirapi.response-types = code,token
com.netiq.edirapi.clientPass._attr_obscurity = NONE
com.netiq.edirapi.clientPass = novell
NOTE:
With OSP, you can connect to only a single OpenText eDirectory tree, because OSP does not support multiple OpenText eDirectory trees.
Third-party OSP is not supported in OpenText Identity Console.
In a NAM integrated environment, OpenText Identity Console with OSP is currently not supported.
Ensure that you have a proper DNS entry available for your host machine in /etc/hosts with a fully qualified host name.
If you want to use OpenText Identity Console in Edge browser, you must download the latest version of Microsoft Edge for full functionality.
NOTE: While using OpenText Identity Console in Mozilla Firefox, an operation might fail with an Origin Mismatch error message. To troubleshoot, perform the following steps:
Update Firefox to the latest version.
Specify about:config in the Firefox URL field and press Enter.
Search for Origin.
Double-click on network.http.SendOriginHeader and change its value to 1.
You might need to create a configuration file containing certain parameters. If you want to configure OpenText Identity Console with OSP, you must specify the OSP-specific parameters in the configuration file. For example, create the edirapi.conf file below with the OSP parameters:
NOTE: You must provide your OpenText eDirectory tree name in the osp-redirect-url field.
listen = ":9000"
ldapserver = "192.168.1.1:636"
ldapuser = "cn=admin,ou=sa,o=system"
ldappassword = "novell"
pfxpassword = "novell"
ospmode = "true"
osp-token-endpoint = "https://10.10.10.10:8543/osp/a/idm/auth/oauth2/getattributes"
osp-authorize-url = "https://10.10.10.10:8543/osp/a/idm/auth/oauth2/grant"
osp-logout-url = "https://10.10.10.10:8543/osp/a/idm/auth/app/logout"
osp-redirect-url = "https://10.10.10.10:9000/eDirAPI/v1/edirtree/authcoderedirect"
osp-client-id = "identityconsole"
ospclientpass = "novell"
ospcert = "/etc/opt/novell/eDirAPI/cert/SSCert.pem"
bcert = "/etc/opt/novell/eDirAPI/cert/"
loglevel = "error"
check-origin = "true"
origin = "https://10.10.10.10:9000,https://192.168.1.1:8543"
If you want to configure OpenText Identity Console without OSP, create a configuration file as shown below, without the OSP parameters:
[OpenText Identity Console 1.9]
listen = ":9000"
pfxpassword = "novell"
ospmode = "false"
bcert = "/etc/opt/novell/eDirAPI/cert/"
auto-fetch = false
NOTE:
Remove the edir-hosts parameter from the configuration file and add the auto-fetch parameter.
If auto-fetch = false, you must manually copy the CA certificate to the cert folder.
[OpenText Identity Console 1.8 and earlier]
listen = ":9000"
pfxpassword = "novell"
ospmode = "false"
bcert = "/etc/opt/novell/eDirAPI/cert/"
edir-hosts = "<ip_address-1>:636,<ip_address-2>:636"
NOTE: When you configure OpenText Identity Console with multiple OpenText eDirectory trees, you can omit the ldapserver, ldapuser, and ldappassword parameters when creating the configuration file.
Table 1-1 Description of the configuration parameters in the configuration file
| Configuration parameter | Description |
|---|---|
| listen | Specify 9000 as the OpenText Identity Console server's listener port inside the container. |
| ldapserver | Specify the OpenText eDirectory host server IP address and port number. |
| ldapuser | Specify the username of the OpenText eDirectory user. This parameter is used as the credential for initiating LDAP calls to OpenText eDirectory with the proxied authorization control in the case of OSP login. The LDAP user must have supervisor rights on the OpenText eDirectory tree. |
| ldappassword | Specify the password of the LDAP user. |
| pfxpassword | Specify the password of the pkcs12 server certificate file. |
| ospmode | Specify true to integrate OSP with OpenText Identity Console. If you set this to false, OpenText Identity Console uses LDAP login. |
| osp-token-endpoint | This URL is used to fetch certain attributes from the OSP server to verify the validity of the authentication token. |
| osp-authorize-url | This URL is used by the user to provide credentials and obtain an authentication token. |
| osp-logout-url | This URL is used to terminate the session between the user and the OSP server. |
| osp-redirect-url | The OSP server redirects the user to this URL after granting the authentication token. NOTE: Specify the OpenText eDirectory tree name in lowercase when configuring OpenText Identity Console. If the tree name is not in lowercase, login to the OpenText Identity Console server might fail. |
| osp-client-id | Specify the OSP client ID that was provided when OpenText Identity Console was registered with OSP. |
| ospclientpass | Specify the OSP client password that was provided when OpenText Identity Console was registered with OSP. |
| ospcert | Specify the location of the OSP server's CA certificate. |
| bcert | Specify the location of OpenText Identity Console's CA certificate. |
| loglevel | Specify the log levels that you want to include in the log file. This parameter can be set to "fatal", "error", "warn" or "info". |
| check-origin | If set to true, the OpenText Identity Console server compares the origin value of requests. Available options are true or false. When a DNS configuration is used, the origin parameter is mandatory even if check-origin is set to false. |
| origin | OpenText Identity Console compares the origin value of requests with the values specified in this field. NOTE: From OpenText Identity Console 1.4 onward, this parameter is independent of the check-origin parameter and is mandatory if a DNS configuration is used. |
| maxclients | Maximum number of concurrent clients that can access IDConsole. Additional clients beyond this limit wait in a queue. |
| auto-fetch | From OpenText Identity Console 1.9 onward, specify whether the CA certificate is fetched automatically. |
| edir-hosts (1.8 and earlier) | The IP address(es) and ports of the OpenText eDirectory servers that you want to connect to through OpenText Identity Console, as a comma-separated list. |
NOTE:
The ospmode configuration parameter should be used only if you plan to integrate OSP along with OpenText Identity Console.
If Identity Applications (Identity Apps) is configured in cluster mode in your OpenText Identity Manager setup, you must provide the DNS name of the load balancer server in the osp-token-endpoint, osp-authorize-url and osp-logout-url fields of the configuration file. If you provide the OSP server details in these fields instead, login to OpenText Identity Console will fail.
If OpenText Identity Console is configured with the same OSP instance as Identity Apps and OpenText Identity Reporting, single sign-on (the authentication service) takes effect when you log in to the OpenText Identity Console portal.
From OpenText Identity Console 1.4 onward, the OSP HTTPS URL must be validated with certificates that contain a 2048-bit or larger key.
If you want to restrict access to the OpenText Identity Console portal from other domains, set the samesitecookie parameter to strict. If you want to allow access to the portal from other domains, set the samesitecookie parameter to lax. If the parameter is not specified during configuration, the browser's settings are honored by default.
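The following lint, added here as an example and not part of the OpenText product or its documentation, parses an edirapi.conf in the key = "value" form shown above and checks the rules stated for its parameters: the listener port, the allowed loglevel and samesitecookie values, that 1.9 no longer uses edir-hosts, that check-origin needs an origin list, and that ospmode = "true" requires the OSP parameters with a lowercase tree name in osp-redirect-url. The sample file is constructed with deliberate mistakes; the lint cannot tell whether a DNS configuration is in use, so the origin rule for that case is not checked.

```python
import re

# One setting per line in the form  key = "value"  (quotes optional, as in the page's samples).
LINE_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
OSP_KEYS = ("osp-token-endpoint", "osp-authorize-url", "osp-logout-url",
            "osp-redirect-url", "osp-client-id", "ospclientpass", "ospcert")
LOG_LEVELS = ("fatal", "error", "warn", "info")

def parse_conf(text):
    """Parse the key = "value" lines of an edirapi.conf into a dict; other lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def lint_conf(conf, version="1.9"):
    """Return the problems found, applying the per-parameter rules stated on this page."""
    problems = []
    if conf.get("listen") != ":9000":
        problems.append("listen must be :9000 (the listener port inside the container)")
    if "loglevel" in conf and conf["loglevel"] not in LOG_LEVELS:
        problems.append("loglevel must be one of " + ", ".join(LOG_LEVELS))
    if "samesitecookie" in conf and conf["samesitecookie"] not in ("strict", "lax"):
        problems.append("samesitecookie must be strict or lax (omit it to honor browser defaults)")
    if version == "1.9" and "edir-hosts" in conf:
        problems.append("1.9: remove edir-hosts and add auto-fetch instead")
    if conf.get("check-origin") == "true" and not conf.get("origin"):
        problems.append("origin must list the allowed origins when check-origin is true")
    if conf.get("ospmode") == "true":
        # OSP login needs every OSP parameter, and the tree name in the redirect URL in lowercase.
        problems += [f"ospmode=true requires {k}" for k in OSP_KEYS if not conf.get(k)]
        m = re.search(r"/eDirAPI/v1/([^/]+)/authcoderedirect$", conf.get("osp-redirect-url", ""))
        if not m:
            problems.append("osp-redirect-url must end in /eDirAPI/v1/<tree name>/authcoderedirect")
        elif m.group(1) != m.group(1).lower():
            problems.append("the tree name in osp-redirect-url must be lowercase")
    return problems

# Constructed sample with deliberate mistakes (mixed-case tree name, bad loglevel, check-origin
# without origin, missing OSP parameters); it is not a real deployment's file.
SAMPLE_CONF = """
listen = ":9000"
ospmode = "true"
osp-redirect-url = "https://10.10.10.10:9000/eDirAPI/v1/EdirTree/authcoderedirect"
osp-client-id = "identityconsole"
loglevel = "debug"
check-origin = "true"
"""
```

Run `lint_conf(parse_conf(open("edirapi.conf").read()))` against your own file before deploying the container; an empty list means none of the encoded rules was violated.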
Once you are ready with the configuration file, proceed with deploying the container. For more information, see Installing OpenText Identity Console as Docker Container.