2.1 Installing OpenText Identity Console CE 24.4 (v1.9)

2.1.1 Installing Standalone OpenText Identity Console (Non-Docker)

You can install the OpenText Identity Console in one of the following ways:

NOTE: To ensure proper functionality, we recommend you install OpenText Identity Console and OpenText eDirectory on the same machine, which must have at least one instance of OpenText eDirectory available.

The OpenText Identity Console 1.9 installer is compatible with eDirectory 9.2.8 or 9.2.9. It does not upgrade OpenSSL to version 3.0.15 or NICI to version 3.3.0 when installed on the same server as eDirectory 9.2.8 or 9.2.9.

Performing an Interactive Installation

This section covers how to install standalone OpenText Identity Console using the interactive installation method.

  1. Log in to the Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: OpenText eDirectory

    • Product Name: OpenText eDirectory per User Sub SW E-LTU

    • Version: 9.2, 9.3

  3. Download and extract the latest build for OpenText Identity Console.

  4. Navigate to the directory where you extracted the OpenText Identity Console build > IdentityConsole_<version>_Linux.

  5. Run the following command while logged in as root or root-equivalent user:

    ./identityconsole_install
  6. Read the Introduction, and then press ENTER.

  7. Enter 'y' to accept the License Agreement. This installs all the required RPMs on your system.

  8. Enter the Identity Console server’s hostname (FQDN)/IP address. For example, 10.10.33.100

    If you press Enter without specifying an IP address, your system's IP address/hostname is used by default.

  9. Enter the port number for Identity Console to listen on. The default value is 9000.

  10. Specify the eDirectory hosts to connect to. You can provide either an IP address or a domain name. For example: localhost:636,xx.xx.xx.xx:636 or edir.domain.com:636

  11. (Conditional) Choose one of the following options based on your requirements:

    • If you do not want to integrate OSP with OpenText Identity Console, choose “n” and continue with Step 12.

    • If you want to integrate OSP with OpenText Identity Console, choose “y” and provide inputs for the following steps:

      1. Enter the eDirectory/Identity Vault server’s Domain name/IP address with LDAPS port number.

        For example:

        192.168.1.1:636

      2. Enter the eDirectory/Identity Vault username.

        Example:

        cn=admin,ou=org_unit,o=org

      3. Enter the eDirectory/Identity Vault password.

      4. Enter the eDirectory/Identity Vault password again to confirm the password.

      5. Enter the OSP server domain name/IP address with SSO server SSL port number.

      6. Enter the OSP client ID and OSP client password.

      7. Enter the eDirectory/Identity Vault tree name.

  12. (Conditional) Choose one of the following options based on your requirements:

    • If you want to auto fetch the CA certificates, choose auto fetch as y.

    • If you do not want to auto fetch the CA certificates, choose auto fetch as n.

  13. (Conditional) Choose one of the following options based on your requirements:

    • If you want to import the CA certificate from the server, input y and press Enter.

      The CA certificate is copied to /etc/opt/novell/eDirAPI/cert.

      To manually fetch or add the CA certificate, refer to Generate CA Certificate.

    • If you do not want to import the CA certificate from the server, input n and press Enter.

    • If you enter “q”, the installation is terminated.

  14. (Conditional) Choose one of the following options to generate a Server Certificate:

    • If you want to generate the Server Certificate, input “y” and press Enter. Provide inputs for the following steps:

      1. Enter the eDirectory user name. Example: cn=admin,o=novell.

      2. Enter the eDirectory user password.

      3. Re-enter the eDirectory user password.

      4. Enter the server certificate name.

        Example: servercert

      5. Enter the server certificate password.

        Example: password@123

      6. Re-enter the server certificate password.

        Example: password@123

    • If you already have a Server Certificate that you want to use, input “n” and press Enter. Provide inputs for the following steps:

      1. Specify the location (full path) of your Server Certificate manually.

        For example, /home/cert/keys.pfx

      2. Enter the server certificate password.

      3. Re-enter the server certificate password.

NOTE:

  • You can find the following log files in the /var/opt/novell/eDirAPI/log directory:

    • edirapi.log - This file logs edirapi events and debugging issues.

    • edirapi_audit.log - This file logs edirapi audit events. The logs follow a CEF auditing format.

    • identityconsole_install.log - This file logs OpenText Identity Console events.

  • You can check the logs for OpenText Identity Console start and stop operations in the /var/log/messages file.

  • If installation fails, use the following command to reconfigure:

    /usr/bin/identityconsoleConfigure

Utilities to Generate Certificates

You have the option to obtain CA Certificates and Server Certificates for other trees using the following tools or utilities.

NOTE: The scripts for the CA and Server certificates are available in the /opt/novell/eDirAPI/sbin path.

Generate CA Certificate

  1. Download and extract the latest OpenText Identity Console build.

  2. Navigate to the directory /opt/novell/eDirAPI/sbin to fetch, delete or view the list of CA certificates.

  3. Run the following command while logged in as root or root-equivalent user.

    ./get_cacert fetch <ip address/DNS:ldaps port>

    For example:

    ./get_cacert fetch 10.10.10.10:636
  4. To manually add the CA certificate to the cert folder, copy it into /etc/opt/novell/eDirAPI/cert using the following file name format:

    <IP address/DNS_ldaps port.pem>

    For example:

    10.10.10.10_636.pem

Generate Server Certificate

  1. Download and extract the latest OpenText Identity Console build.

  2. Navigate to the /opt/novell/eDirAPI/sbin directory (the same directory used to fetch, delete or view the list of CA certificates).

  3. Run the following command while logged in as root or root-equivalent user.

    ./get_servercert <eDirectory IP address with LDAPS port number> <eDirectory/Identity Vault username> <userpassword> <server certificate name> <server certificate password>

    Example:

    ./get_servercert 10.10.10.10:636 cn=admin,ou=org_unit,o=org password keys password

Performing a Silent Installation

Silent installation enables you to install OpenText Identity Console without any interactive input. To use this method, you must define your options for installing OpenText Identity Console in the silent_properties file and then run the installation process from the command line. After you modify the properties file, the system uses the information from it to complete the installation silently.

Before starting the silent installation, ensure that you meet all the prerequisites.

To edit the silent properties file:

  1. Navigate to the IdentityConsole_<version>_Linux directory in the location where you have extracted the OpenText Identity Console build.

  2. Open the silent_properties file and modify the values as per your requirement:

    • If auto fetch is Yes,

      1. Enter the following details in the silent_properties file:

        export AUTOGENERATE_CACERT="Yes"
        export AUTOGENERATE_SERVERCERT="Yes"
        export EDIR_HOST=""
        export IDC_IP=""
        export IDC_PORT="9000"
        export OSP_CLIENT_ID="identityconsole"
        export OSP_CLIENT_PASSWD="novell"
        export OSP_IP=""
        export OSP_MODE="No"
        export AUTO_FETCH="Yes"
        export SERVERCERT_NAME="cert"
        export SERVERCERT_PASSWORD="novell"
        export SERVERCERT_USERNAME="cn=admin,o=novell"
        export SERVERCERT_USER_PASSWORD="novell"
        export TREENAME="my_tree"
        export VAULT_IP=""
        export VAULT_USERNAME="cn=admin,o=novell"
        export VAULT_PASSWD="novell"
        
      2. Run the following command to install in silent mode:

        ./identityconsole_install -s silent_properties

    • If auto fetch is No,

      1. Enter the following details in silent_properties file:

        export AUTOGENERATE_CACERT="No"
        export AUTOGENERATE_SERVERCERT="No"
        export EDIR_HOST=""
        export IDC_IP=""
        export IDC_PORT="9000"
        export OSP_CLIENT_ID="identityconsole"
        export OSP_CLIENT_PASSWD="novell"
        export OSP_IP=""
        export OSP_MODE="No"
        export AUTO_FETCH="No"
        export SERVERCERT_LOCATION="/etc/opt/novell/eDirAPI/cert/SSCert.pem"
        export SERVERCERT_NAME="cert"
        export SERVERCERT_PASSWORD="novell"
        export SERVERCERT_USERNAME="cn=admin,o=novell"
        export SERVERCERT_USER_PASSWORD="novell"
        export TREENAME="my_tree"
        export VAULT_IP=""
        export VAULT_USERNAME="cn=admin,o=novell"
        export VAULT_PASSWD="novell"
        
      2. Manually copy the CA certificate to the folder /etc/opt/novell/eDirAPI/cert/.

      3. Run the following command to install the rpm:

        ./identityconsole_rpm_install
      4. After installing rpm, run the following command to run the installer in silent mode:

        ./identityconsoleConfigure -s silent_properties

You can find installation-related logs in the Identity Console installation > identityconsole_install.log file.
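As an added example (not part of the Identity Console installer), the following POSIX shell function pre-checks a silent_properties file before you run the silent install: it flags blank EDIR_HOST or IDC_IP, AUTO_FETCH=No without a readable SERVERCERT_LOCATION, OSP_MODE=Yes without VAULT_IP and OSP_IP, and the sample password novell left in place. The function name and the choice to treat leftover sample passwords as warnings rather than failures are assumptions.

```shell
#!/bin/sh
# Pre-flight check for an Identity Console silent_properties file.
# Added example; it is not part of the Identity Console installer.
# The variable names are the silent_properties keys shown above; "novell"
# is the sample password those samples use and must not reach production.
#
# Usage: check_silent_properties <path-to-silent_properties>
# Returns 0 when the file is consistent, 1 otherwise. Findings go to stderr.
check_silent_properties() {
    f="$1"
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    # Evaluate the exports in a subshell so the caller's environment stays clean.
    (
        # shellcheck disable=SC1090
        . "$f"
        rc=0
        fail() { echo "FAIL: $*" >&2; rc=1; }
        warn() { echo "WARN: $*" >&2; }

        # 1. Connection targets must be filled in; the sample leaves them blank.
        [ -n "$EDIR_HOST" ] || fail "EDIR_HOST is empty"
        [ -n "$IDC_IP" ]    || fail "IDC_IP is empty"
        case "$IDC_PORT" in
            ''|*[!0-9]*) fail "IDC_PORT must be numeric, got '$IDC_PORT'" ;;
        esac

        # 2. AUTO_FETCH=No means you supply the CA and server certificates yourself:
        #    AUTOGENERATE_CACERT must also be No and SERVERCERT_LOCATION must exist.
        case "$AUTO_FETCH" in
            Yes) ;;
            No)
                [ "$AUTOGENERATE_CACERT" = "No" ] \
                    || fail "AUTO_FETCH=No but AUTOGENERATE_CACERT=$AUTOGENERATE_CACERT"
                if [ -z "$SERVERCERT_LOCATION" ]; then
                    fail "AUTO_FETCH=No requires SERVERCERT_LOCATION"
                elif [ ! -r "$SERVERCERT_LOCATION" ]; then
                    fail "SERVERCERT_LOCATION '$SERVERCERT_LOCATION' is not readable"
                fi
                ;;
            *) fail "AUTO_FETCH must be Yes or No, got '$AUTO_FETCH'" ;;
        esac

        # 3. OSP integration needs the Identity Vault and OSP endpoints.
        if [ "$OSP_MODE" = "Yes" ]; then
            [ -n "$VAULT_IP" ] || fail "OSP_MODE=Yes requires VAULT_IP"
            [ -n "$OSP_IP" ]   || fail "OSP_MODE=Yes requires OSP_IP"
        fi

        # 4. Sample secrets left in place are reported but do not block the install.
        for v in OSP_CLIENT_PASSWD SERVERCERT_PASSWORD SERVERCERT_USER_PASSWORD VAULT_PASSWD; do
            eval "val=\$$v"
            [ "$val" != "novell" ] || warn "$v still holds the sample value"
        done
        exit "$rc"
    )
}
```

Run it as `check_silent_properties ./silent_properties` from the IdentityConsole_<version>_Linux directory before invoking the installer with -s.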

Multi-tree with Standalone OpenText Identity Console

To connect OpenText Identity Console with multiple OpenText eDirectory trees when the auto-fetch is disabled, you must copy the CA certificates from all the OpenText eDirectory trees to the /etc/opt/novell/eDirAPI/cert/ directory.

Copy the CA certificates as follows:

cp /home/user/<ip address1_ldap port.pem> /etc/opt/novell/eDirAPI/cert/<ip address1_ldap port.pem>
cp /home/user/<ip address2_ldap port.pem> /etc/opt/novell/eDirAPI/cert/<ip address2_ldap port.pem>

To fetch the CA certificate using the get_cacert utility, refer to the section Generate CA Certificate.

Run one of the following commands to restart OpenText Identity Console:

  • /usr/bin/identityconsole restart
  • systemctl restart netiq-identityconsole.service

When the auto-fetch is enabled, the CA certificates are automatically copied to the cert folder.
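As an added example (not the get_cacert utility's code), the shell functions below audit the cert directory used by both Generate CA Certificate and the multi-tree setup above: they derive the <host>_<port>.pem name that get_cacert produces for each tree, list the trees whose CA file is missing, and use openssl to flag CA files that expire soon. CERT_DIR defaulting to /etc/opt/novell/eDirAPI/cert, the function names and the sample hosts are assumptions.

```shell
#!/bin/sh
# Added example; not part of the Identity Console product or its utilities.
# Checks that the cert directory holds a CA file for every eDirectory tree the
# console is expected to trust, using the <host>_<ldaps port>.pem naming shown
# above. Hosts are given as host:port, the same form used for edir-hosts.

CERT_DIR="${CERT_DIR:-/etc/opt/novell/eDirAPI/cert}"   # assumed default

# Expected file name for one tree: 10.10.10.10:636 -> 10.10.10.10_636.pem
# A host without a port is assumed to use the default LDAPS port 636.
cacert_name() {
    host=${1%:*}
    port=${1##*:}
    [ "$host" != "$1" ] || port=636
    printf '%s_%s.pem\n' "$host" "$port"
}

# Prints one line per tree whose CA file is missing or empty in CERT_DIR.
# Returns 0 when every tree is covered, 1 otherwise.
missing_cacerts() {
    missing=0
    for h in "$@"; do
        f="$CERT_DIR/$(cacert_name "$h")"
        if [ ! -s "$f" ]; then
            echo "MISSING $h -> $f"
            missing=1
        fi
    done
    return "$missing"
}

# Reports CA files in CERT_DIR that are unreadable as X.509 or expire within
# $1 days (default 30). Needs openssl; returns 1 if anything is flagged.
expiring_cacerts() {
    days="${1:-30}"
    secs=$((days * 86400))
    rc=0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    for f in "$CERT_DIR"/*.pem; do
        [ -e "$f" ] || continue
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            echo "EXPIRING/INVALID $f $(openssl x509 -in "$f" -noout -enddate 2>/dev/null)"
            rc=1
        fi
    done
    return "$rc"
}

# Example invocation (hosts are constructed placeholders):
#   missing_cacerts 10.10.10.10:636 edir.domain.com:636 && expiring_cacerts 30
```

Run `missing_cacerts` after copying or fetching the certificates and before restarting the service, so a misnamed file is caught before the console silently fails to trust that tree.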

Replacing the Server Certificate in Standalone OpenText Identity Console

Perform the following steps to replace the server certificate in Standalone OpenText Identity Console:

  1. Run NLPCERT to store the keys:

    su - nds -c "/opt/novell/eDirAPI/sbin/decryptor /Expiredcert/noexpire/new-keys.pfx novell /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem"
  2. Restart the OpenText Identity Console:

    systemctl restart netiq-identityconsole.service

Stopping, Restarting and Status of Standalone OpenText Identity Console

  • To stop, run one of the following commands:

    /usr/bin/identityconsole stop

    or

    systemctl stop netiq-identityconsole.service
  • To restart, run one of the following commands:

    /usr/bin/identityconsole restart

    or

    systemctl restart netiq-identityconsole.service
  • To check the status, run one of the following commands:

    /usr/bin/identityconsole status

    or

    systemctl status netiq-identityconsole.service
  • To start, run one of the following commands:

    /usr/bin/identityconsole start

    or

    systemctl start netiq-identityconsole.service

2.1.2 Installing OpenText Identity Console Workstation on Windows

OpenText Identity Console can be launched on Windows as a workstation, and requires the REST services to be running. Therefore, when it is launched, an eDirAPI process runs in the edirapi.exe command prompt. If you close the edirapi.exe terminal, OpenText Identity Console will no longer function.

The following procedure describes how to run OpenText Identity Console on Windows.

  1. Log in to the Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: OpenText eDirectory

    • Product Name: OpenText eDirectory per User Sub SW E-LTU

    • Version: 9.2, 9.3

  3. Download and extract the IdentityConsole_<version>_workstation_win_x86_64.zip.

  4. Navigate to the extracted folder and install NICI_wx64.

  5. (Optional) Open the edirapi_win.conf file and edit the port number for OpenText Identity Console to listen.

  6. (Conditional) If you already have the keys.pfx and SSCert.pem files that you want to use, rename the CA certificate file to <ipaddress_ldap port>.pem (for example, xx.xx.xx.xxx_636.pem), and then copy the files manually into the cert folder located in C:\IdentityConsole_<version>_workstation_win_x86_64\eDirAPI\cert.

    Then proceed to step 9.

  7. (Conditional) If you want to generate the CA certificate, navigate to the eDirAPI folder and run the get_cacert.exe fetch <IP address:port> binary in the command prompt (located in C:\IdentityConsole_<version>_workstation_win_x86_64\eDirAPI\cert), providing the OpenText eDirectory/Identity Vault server domain name/IP address with the LDAPS port number.

    For example,

    get_cacert.exe fetch 10.10.10.125:636

    The 10.10.10.125_636.pem file is generated.

  8. (Conditional) If you want to generate the Server Certificate, run the get_servercert.exe binary from the command prompt (run get_servercert.exe help for the available options) with the following details:

    • eDirectory/Identity Vault server Domain name/IP address with LDAPS port number.

    • eDirectory/Identity Vault user name.

    • eDirectory/Identity Vault password.

    • Server certificate name.

    • Server certificate password.

    For example,

    get_servercert.exe 10.10.10.125:636 cn=admin,o=novell novell keys novell

    A keys.pfx file is generated.

  9. Navigate to the extracted folder, double-click the configure.bat file and enter the server certificate (keys.pfx) password in the command prompt.

    NOTE: If the server certificate is changed, then re-run the configure.bat file with the password of the new certificate.

  10. Navigate to the extracted folder and double-click the run.bat file.

    The eDirAPI process terminal (edirapi.exe) starts running, and the OpenText Identity Console login page appears.

NOTE:

  • For subsequent logins to the OpenText Identity Console application, double-click the run.bat. The login page will appear.

    If the eDirAPI process terminal (edirapi.exe) is already running, then run identityconsole.exe from the build extracted folder.

  • Users can find the following logs in: \IdentityConsole_<version>_workstation_win_x86_64\eDirAPI\log

    edirapi.log - This is used for logging different events in edirapi and debugging issues.

    edirapi_audit.log - This is used for logging audit events of edirapi. The logs follow CEF auditing format.

  • OSP based logins are not supported in workstation mode.

  • If the port number is already in use, edit the listen parameter in the edirapi_win.conf file with a new port number and double-click the run.bat to successfully log in to the OpenText Identity Console.

Utilities to Generate Certificates

You have the option to obtain CA Certificates and Server Certificates for other OpenText eDirectory Trees using the following utilities.

NOTE: The scripts for the CA and Server certificates are available in the /opt/novell/eDirAPI/sbin path.

Generate CA Certificate

  1. Download and extract the latest OpenText Identity Console build.

  2. Navigate to the directory where you extracted the OpenText Identity Console build. Example: C:\IdentityConsole_<version>_workstation_win_x86_64\eDirAPI

  3. Run the following binary through command prompt.

    get_cacert.exe fetch <ip address:port>

    Provide the OpenText eDirectory IP address and LDAPS port number.

    Example: get_cacert.exe fetch 10.10.10.125:636

    The 10.10.10.125_636.pem file is generated and copied to the cert folder.

Generate Server Certificate

  1. Navigate to the folder where you have extracted the OpenText Identity Console build.

    Example: IdentityConsole_<version>_win

  2. Run get_servercert.exe help from the command prompt for more help options. The utility takes the following details:

    • eDirectory/Identity Vault server Domain name/IP address with LDAPS port number.

    • eDirectory/Identity Vault user name.

    • eDirectory/Identity Vault password.

    • Server certificate name.

    • Server certificate password.

      To generate the Server Certificate, run the following command through command prompt:

      Example:

      get_servercert.exe 10.10.10.125:636 cn=admin,o=novell novell keys novell

      The keys.pfx file is generated and copied to the cert folder.

Multi-tree with OpenText Identity Console as Workstation

OpenText Identity Console allows users to connect to multiple trees by entering the IP address at the login page.

Closing and Re-launching OpenText Identity Console Workstation

To close the application and the process:

  1. Close the OpenText Identity Console desktop windows application.

  2. Stop the eDirAPI process by closing the eDirAPI process terminal.

To relaunch OpenText Identity Console Workstation, navigate to the folder where the build is extracted and double-click the run.bat file (Windows batch file).

NOTE: If the eDirAPI process terminal is already running, then run identityconsole.exe from the build extracted folder to relaunch OpenText Identity Console Workstation.

2.1.3 Installing OpenText Identity Console as Docker Container

This section includes the following procedures:

Security Recommendations

  • Docker containers do not have any resource constraints by default. This gives every container access to all the CPU and memory resources provided by the host’s kernel. You must ensure that one running container cannot consume excess resources and starve other running containers, by setting limits on the amount of resources a container can use:

    • Apply a hard limit to the memory used by the container using the --memory flag on the Docker run command.

    • Apply a limit to the amount of CPU used by a running container using the --cpuset-cpus flag on the Docker run command.

  • Set --pids-limit to 300 to restrict the number of kernel threads spawned inside the container at any given time. This prevents DoS attacks.

  • You must set the on-failure container restart policy to 5 using the --restart flag on the Docker run command.

  • You must only use the container once its health status shows as Healthy after the container comes up. To check the container’s health status, run the following command and read the STATUS column (for example, "Up 2 minutes (healthy)"):

    docker ps --filter "name=<container_name>"
  • The Docker container always starts as the non-root user (nds). As an additional security measure, enable user namespace remapping on the daemon to prevent privilege-escalation attacks from within the container. For more information on user namespace remapping, see Isolate containers with a user namespace.
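As an added example (not from the Identity Console documentation or product), the shell functions below create the container with the memory, CPU, PID and restart limits listed above, then poll Docker's health check so the console is only used once it reports healthy. The container, volume and image names and the 512m memory / CPU 0-1 values are assumed placeholders.

```shell
#!/bin/sh
# Added example; not from the Identity Console documentation or product.
# Creates the Identity Console container with the limits recommended above
# and waits for Docker's health check before the container is used.
# Container, volume and image names and the 512m / CPU 0-1 limits are
# assumed placeholders; adjust them to the host.

IDC_NAME="${IDC_NAME:-identityconsole-container-1}"
IDC_VOLUME="${IDC_VOLUME:-IDConsole-volume}"
IDC_IMAGE="${IDC_IMAGE:-identityconsole:<version>}"

# Creates the container. The flags after --volume are the hardening ones:
#   --memory        hard memory limit (assumed size)
#   --cpuset-cpus   CPUs the container may run on (assumed set)
#   --pids-limit    cap on kernel threads inside the container (300 as recommended)
#   --restart       on-failure policy with the recommended 5 retries
idc_create() {
    set -- create \
        --name "$IDC_NAME" \
        --env ACCEPT_EULA=Y \
        --network=host \
        --volume "$IDC_VOLUME:/config/" \
        --memory=512m \
        --cpuset-cpus=0-1 \
        --pids-limit=300 \
        --restart=on-failure:5 \
        "$IDC_IMAGE"
    docker "$@"
}

idc_start() {
    docker start "$IDC_NAME"
}

# Polls the container health status (the value docker ps shows as "(healthy)").
# $1 = maximum polls (default 30), $2 = seconds between polls (default 10).
# Returns 0 once healthy, 1 if the container reports unhealthy or the polls run out.
idc_wait_healthy() {
    max_tries="${1:-30}"
    interval="${2:-10}"
    n=0
    while [ "$n" -lt "$max_tries" ]; do
        status=$(docker inspect --format '{{.State.Health.Status}}' "$IDC_NAME" 2>/dev/null)
        case "$status" in
            healthy)   return 0 ;;
            unhealthy) echo "$IDC_NAME reported unhealthy; check container-startup.log" >&2; return 1 ;;
        esac
        n=$((n + 1))
        sleep "$interval"
    done
    echo "$IDC_NAME not healthy after $max_tries polls" >&2
    return 1
}

# Full sequence: create, start, and only report success once healthy.
idc_deploy() {
    idc_create && idc_start && idc_wait_healthy "$@"
}
```

Copy the certificates and edirapi.conf into the container between idc_create and idc_start, as in steps 6 to 8 below, before calling idc_wait_healthy.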

Installing OpenText Identity Console As a Docker Container

NOTE: OpenText Identity Console can be configured with or without OSP. If you choose to configure it with OSP, you must first deploy the OSP container, followed by the OpenText Identity Console container. Make sure to modify the edirapi.conf file to include your desired values for deployment.

To install OpenText Identity Console as a Docker container:

The configuration parameters, sample values and examples mentioned in this procedure are for reference purposes only. You must ensure not to use them directly in your production environment.

  1. Log in to the Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: OpenText eDirectory

    • Product Name: OpenText eDirectory per User Sub SW E-LTU

    • Version: 9.2, 9.3

  3. Download the IdentityConsole_<version>_Container.tar.zip.

  4. The image has to be loaded into the local Docker registry. Extract and load the IdentityConsole_<version>_Containers.tar.gz file using the following commands:

    tar -xvf IdentityConsole_version_Containers.tar.gz
    docker load --input identityconsole.tar.gz
  5. Create the OpenText Identity Console Docker container using the following command:

    docker create --name identityconsole-container-name --env ACCEPT_EULA=Y --network=network-type --volume volume-name:/config/ identityconsole:version

    For example,

    docker create --name identityconsole-container-1 --env ACCEPT_EULA=Y --network=host --volume IDConsole-volume:/config/ identityconsole:version

    NOTE:

    • You can accept the EULA by setting the ACCEPT_EULA environment variable to 'Y'. You can also accept the EULA from the on-screen prompt while starting the container by using the -it option in the Docker create command for interactive mode.

    • The --volume parameter in the above command creates a volume for storing configuration and log data. In this case, we have created a sample volume called IDConsole-volume.

  6. Copy the server certificate file from your local file system to the container as /etc/opt/novell/eDirAPI/cert/keys.pfx using the following command. For more information on creating the server certificate, see Prerequisites:

    docker cp <absolute path of server certificate file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/cert/keys.pfx

    For example,

    docker cp /home/user/keys.pfx identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/keys.pfx

    When you connect to multiple OpenText eDirectory trees, you must obtain at least one keys.pfx server certificate for all the connected trees.

  7. Copy the CA certificate file (.pem) from your local file system to the container as /etc/opt/novell/eDirAPI/cert/SSCert.pem using the following command. For more information on obtaining the CA certificate, see Prerequisites:

    docker cp <absolute path of CA certificate file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/cert/SSCert.pem

    For example,

    docker cp /home/user/SSCert.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert.pem

    If you need to connect to multiple OpenText eDirectory trees, refer to the section Multi-tree with OpenText Identity Console as Docker.

  8. Depending on whether you want to configure OpenText Identity Console with or without OSP, modify the edirapi.conf configuration file as needed. Then use the following command to copy it from your local file system to the container at /etc/opt/novell/eDirAPI/conf/edirapi.conf:

    docker cp <absolute path of configuration file> <identityconsole-container-name>:/etc/opt/novell/eDirAPI/conf/edirapi.conf

    For example,

    docker cp /home/user/edirapi.conf identityconsole-container-1:/etc/opt/novell/eDirAPI/conf/edirapi.conf

    A sample configuration file is shown below (OpenText Identity Console 1.9 and later):

    listen = ":9000"
    pfxpassword = "novell"
    bcert = "/etc/opt/novell/eDirAPI/cert/"
    ospmode=false
    auto-fetch=false

    A sample configuration file is shown below (Identity Console 1.8 and earlier):

    listen = ":9000"
    pfxpassword = "novell"
    bcert = "/etc/opt/novell/eDirAPI/cert/"
    ospmode=false
    edir-hosts = "<ip_address>:636"

    NOTE: To access OpenText eDirectory through OpenText Identity Console, you must add edir-hosts="x.x.x.x:ldaps_port" to the edirapi.conf file.

    Example: edir-hosts="10.10.10.10:636"

    When you set auto-fetch=true, you must initially copy the CA certificate to the container as described in Step 7. After that, the CA certificate is fetched automatically in subsequent login sessions.

    A sample configuration file when configuring OpenText Identity Console with OSP is shown below:

    listen = ":9000"
    ldapserver = "10.71.39.15:636"
    ldapuser = "cn=admin,o=novell"
    ldappassword = "novell"
    pfxpassword = "novell"
    osp-token-endpoint = "https://<osp_ipaddress>:8543/osp/a/idm/auth/oauth2/getattributes"
    osp-authorize-url = "https://<osp_ipaddress>:8543/osp/a/idm/auth/oauth2/grant"
    osp-logout-url = "https://<osp_ipaddress>:8543/osp/a/idm/auth/app/logout"
    osp-redirect-url = "https://<identity_console_ipaddress>:9000/eDirAPI/v1/t/authcoderedirect"
    osp-client-id = "identityconsole"
    ospclientpass = "novell"
    ospcert = "/etc/opt/novell/eDirAPI/cert/SSCert.pem"
    bcert = "/etc/opt/novell/eDirAPI/cert/"
    ospmode=true
    check-origin =true
    origin = "https://<identity_console_ipaddress>:9000"
  9. Start the Docker container using the following command:

    docker start identityconsole-container-name

    For example,

    docker start identityconsole-container-1

NOTE: You can find the following log files in the /var/lib/docker/volumes/<volume_name>/_data/eDirAPI/var/log directory:

  • edirapi.log - This is used for logging different events in edirapi and debugging issues.

  • edirapi_audit.log - This is used for logging audit events of edirapi. The logs follow CEF auditing format.

  • container-startup.log - This is used for capturing installation logs of OpenText Identity Console Docker container.

Multi-tree with OpenText Identity Console as Docker

To connect OpenText Identity Console 1.9 with multiple OpenText eDirectory trees when the auto-fetch is disabled, you must copy the CA certificates from all the OpenText eDirectory trees to the /etc/opt/novell/eDirAPI/cert/ directory.

OpenText Identity Console 1.8 allows users to connect to multiple trees by obtaining the individual CA certificate of each tree.

For example, if you connect to three OpenText eDirectory trees, then you must copy all three CA certificates into the Docker container:

docker cp /home/user/SSCert1.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert1.pem
docker cp /home/user/SSCert2.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert2.pem
docker cp /home/user/SSCert3.pem identityconsole-container-1:/etc/opt/novell/eDirAPI/cert/SSCert3.pem

Run the following command to restart OpenText Identity Console:

docker restart <identityconsole-container-name>

Example:

docker restart identityconsole-container-1

Deploying the OSP Container

Perform the following steps to deploy the OSP container:

  1. Log in to Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: OpenText eDirectory

    • Product Name: OpenText eDirectory per User Sub SW E-LTU

    • Version: 9.2

    • OpenText Identity Console Standalone

  3. Download and extract the IdentityConsole_<version>_Containers_tar.zip file.

  4. To install OpenText Identity Console in the OSP container, a keystore (tomcat.ks) is required.

    Perform the following steps to generate the keystore:

    1. Create a folder certs in the /opt/ directory.

    2. Run the following command to create a keystore (tomcat.ks):

      keytool -genkey -alias osp -keyalg RSA -storetype pkcs12 -keystore /opt/certs/tomcat.ks -validity 3650 -keysize 2048 -dname "CN=blr-osp48-demo.labs.blr.novell.com" -keypass novell -storepass novell

      NOTE: Ensure that the CN is the IP address of the machine or its fully qualified hostname. For example: CN=xx.xx.xx.xx

    3. Run the following command to create a certificate signing request. For example: cert.csr.

      keytool -certreq -v -alias osp -file /opt/certs/cert.csr -keypass novell -keystore /opt/certs/tomcat.ks -storepass novell
    4. Pass the created cert.csr to Identity Console and get the cert.der as explained:

      1. Launch OpenText Identity Console as Administrator.

      2. Click Certificate Management > Issue Certificate and select the file.

      3. Go to Key Usage Specifications > Key Type and select the Custom radio button.

      4. Click Key Usage and select the following check boxes:

        • Data Encipherment

        • Key Encipherment

        • Digital Signature

      5. Click Certificate Parameters > Subject Alternative Names > OSP Server IP address or OSP Server DNS Name > Next > OK.

        The message appears as Certificate has been generated successfully.

      6. Click OK.

      7. Download the issued certificate cert.der and copy it to /opt/certs/.

    5. Copy the SSCert.der from OpenText eDirectory to /opt/certs.

    6. Run the following commands to import the CA certificate (SSCert.der) and server certificate (cert.der) into the tomcat.ks keystore.

      keytool -import -trustcacerts -alias root -keystore /opt/certs/tomcat.ks -file /opt/certs/SSCert.der -storepass novell -noprompt
      keytool -import -alias osp -keystore /opt/certs/tomcat.ks -file /opt/certs/cert.der -storepass novell -noprompt
  5. Create a new folder as /data.

  6. Copy the tomcat.ks from /opt/certs and paste it to the data folder.

  7. From the extracted OpenText Identity Console container build, copy the osp-edirapi-silent.properties file into the data folder.

  8. Modify the osp edirapi silent properties file as per your requirement. A sample silent properties file is shown below:

    # Silent file for osp with edirapi
    ## Static contents Do not edit - starts 
    INSTALL_OSP=true
    DOCKER_CONTAINER=y
    EDIRAPI_PROMPT_NEEDED=y
    UA_PROMPT_NEEDED=n
    SSPR_PROMPT_NEEDED=n
    RPT_PROMPT_NEEDED=n
    CUSTOM_OSP_CERTIFICATE=y
    ## Static contents Do not edit - ends
    
    # OSP Details
    SSO_SERVER_HOST=osp.example.com (OSP configured server IP address)
    SSO_SERVER_SSL_PORT=8543
    OSP_COMM_TOMCAT_KEYSTORE_FILE=/config/tomcat.ks
    OSP_COMM_TOMCAT_KEYSTORE_PWD=novell
    SSO_SERVICE_PWD=novell
    OSP_KEYSTORE_PWD=novell
    IDM_KEYSTORE_PWD=novell
    OSP_CUSTOM_NAME="Identity Console"
    USER_CONTAINER="o=novell"
    ADMIN_CONTAINER="o=novell"
    MASTER_KEYSTORE_PWD=novell
    
    # IDConsole Details 
    IDCONSOLE_HOST=192.168.1.1 (Identity Console configured server IP address)
    IDCONSOLE_PORT=9000
    EDIRAPI_TREENAME=ed913 (Tree name should be in lowercase)
    
    #If ENABLE_CUSTOM_CONTAINER_CREATION is set to y
    #ie., when you have user and admin container different from o=data
    #    and they need to be created in eDir
    #then CUSTOM_CONTAINER_LDIF_PATH should be entered as well
    ENABLE_CUSTOM_CONTAINER_CREATION=n
    #ENABLE_CUSTOM_CONTAINER_CREATION=y
    #CUSTOM_CONTAINER_LDIF_PATH=/config/custom-osp.ldif
    
    # eDir Details
    ID_VAULT_HOST=192.168.1.1 (eDir/ID_Vault configured server IP address)
    ID_VAULT_LDAPS_PORT=636
    ID_VAULT_ADMIN_LDAP="cn=admin,o=novell"
    ID_VAULT_PASSWORD=novell

    NOTE: To avoid space constraints while using the silent properties (DOS text) file, you must convert the DOS text file to UNIX format using the dos2unix tool. Run the following command to convert the text file from DOS line endings to Unix line endings:

    dos2unix filename

    For example:

    dos2unix samplefile

  9. Run the following command to load the OSP image:

    docker load --input osp.tar.gz
  10. Deploy the container using the following command:

    docker run -d --name OSP_Container --network=host -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config osp:<version>

    For example:

    docker run -d --name OSP_Container --network=host -e SILENT_INSTALL_FILE=/config/osp-edirapi-silent.properties -v /data:/config osp:6.6.6 

    NOTE: After deploying the OSP container, install and configure OpenText Identity Console with the OSP server details.

Stopping and Restarting OpenText Identity Console As Docker Container

To stop, run the following command:

docker stop identityconsole-container-name

To restart, run the following command:

docker restart identityconsole-container-name

To start, run the following command:

docker start identityconsole-container-name

Managing Data Persistence

Along with the OpenText Identity Console containers, volumes for data persistence are also created. To use the configuration parameters of an old container using the volumes, perform the following steps:

  1. Stop your current Docker Container using the following command:

    docker stop identityconsole-container-name

    Example:

    docker stop identityconsole-container-1
  2. Create the second container using the application data of the old container stored in Docker volume (IDConsole-volume-1).

    docker create --name identityconsole-container-name --network=host --volume IDConsole-volume-1:/config/ identityconsole:<version>

    Example:

    docker create --name identityconsole-container-2 --network=host --volume IDConsole-volume-1:/config/ identityconsole:<version>
  3. Start the second container using the following command:

    docker start identityconsole-container-name

    Example:

    docker start identityconsole-container-2
  4. (Optional) The first container can be removed using the following command:

    docker rm identityconsole-container-name

    Example:

    docker rm identityconsole-container-1

Replacing the Server Certificate in Docker Container

Perform the following steps to replace the server certificate in Docker Container:

  1. Run the following command to copy the new server certificate in any location of your container.

    Example:

    docker cp /path/to/new-keys.pfx <container_id/name>:/tmp/new-keys.pfx
  2. Login to the container by using the following command:

    docker exec -it container_name bash
  3. Run the NLPCERT to store the keys as a pseudo-user:

    LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /tmp/new-keys.pfx -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem 
  4. Exit the container console using the command:

    exit
  5. Restart the container by entering:

    docker restart container_name

2.1.4 Installing OpenText Identity Console In Azure Kubernetes Services

Azure Kubernetes Service (AKS) is a managed Kubernetes service that enables you to install and manage clusters. This section includes the following procedures:

Installing OpenText Identity Console in AKS Cluster

This section explains the following procedures to install OpenText Identity Console in AKS Cluster:

Creating an Azure Container Registry (ACR)

Azure Container Registry (ACR) is an Azure-based private registry for Docker container images.

For more detailed steps, see the Create an Azure container registry using the Azure portal section in Create container registry - Portal, or perform the following steps to create an Azure Container Registry (ACR):

  1. Sign in to Azure Portal.

  2. Go to Create a resource > Containers > Container Registry.

  3. In the Basics tab, specify values for Resource group and Registry name. The registry name must be unique within Azure and contain a minimum of 5 and a maximum of 50 alphanumeric characters.

    Accept default values for the remaining settings.

  4. Click Review + create.

  5. Click Create.

  6. Sign in to the Azure CLI and run the following command to log in to the Azure Container Registry.

    az acr login --name registryname

    Example:

    az acr login --name <idconsole>
  7. Retrieve the login server of the Azure Container Registry using the command:

    az acr show --name registryname --query loginServer --output table

    Example:

    az acr show --name <idconsole> --query loginServer --output table
  8. Tag the local image of OpenText Identity Console with the name of the ACR login server (registryname.azurecr.io) using the following command:

    docker tag idconsole-image <login server>/idconsole-image

    Example:

    docker tag identityconsole:<version> registryname.azurecr.io/identityconsole:<version>
  9. Push the tagged image to the registry.

    docker push <login server>/idconsole:<version>

    Example:

    docker push registryname.azurecr.io/identityconsole:<version>
  10. Retrieve the list of images in the registry using the command:

    az acr repository list --name registryname --output table

Setting Up a Kubernetes Cluster

Create a Kubernetes service resource using the Azure portal or CLI.

For more detailed steps to create a Kubernetes service resource in Azure with a node, see Create an AKS Cluster in the Azure Quickstart.

NOTE:

  • Ensure that you select Azure CNI as the network.

  • Select the existing virtual network (where the OpenText eDirectory server is installed in the subnet).

  • Select the existing container registry where OpenText Identity Console image is available.

Creating a standard SKU public IP address

A Public IP address resource under the Kubernetes cluster resource group acts as the load balancer IP for the application.

For detailed steps, see Create a public IP address using the Azure portal in Create public IP address – Portal.

Setting Up Cloud Shell and Connecting to Kubernetes Cluster

Use Cloud Shell, which is available in the Azure portal, for all operations.

To set up Cloud Shell in the Azure portal, see the Start Cloud Shell section in Bash – Quickstart, or perform the following steps to set up Cloud Shell and connect to the Kubernetes cluster:

  1. In the Azure portal, click the button to Open Cloud Shell.

    NOTE:To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl. kubectl is already installed if you use Azure Cloud Shell.

  2. Configure kubectl to connect to your Kubernetes cluster using the following command:

    az aks get-credentials --resource-group "resource group name" --name "Kubernetes cluster name"

    Example:

    az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
  3. Verify the list of the cluster nodes using the command:

    kubectl get nodes

Deploying the Application

To install OpenText Identity Console, you can use the idc-services.yaml, idc-statefulset.yaml, idc-storageclass.yaml and idc-pvc.yaml sample files.

You can also create your own yaml files as per the requirement.

  1. Create a storage class resource using the following command:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-storageclass.yaml

    (Optional) For more information on how to dynamically create and use a persistent volume with an Azure Files share, see Dynamically create and use a persistent volume with Azure Files in Azure Kubernetes Service (AKS).

    A sample storage class resource file has been shown below:

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: azurefilesc
    provisioner: kubernetes.io/azure-file
    mountOptions:
      - dir_mode=0777
      - file_mode=0777
      - uid=0
      - gid=0
      - mfsymlinks
      - cache=strict
      - actimeo=30
    parameters:
      skuName: Standard_LRS
      shareName: fileshare

    A storage class resource enables dynamic storage provisioning. It is used to define how an Azure file share is created.

  2. View the details of the storage class using the following command:

    kubectl get sc
  3. Create a PVC resource using the idc-pvc.yaml file:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-pvc.yaml

    A sample pvc resource file has been shown below:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: pvcforsc
    spec:
      accessModes:
        - ReadWriteMany
      storageClassName: azurefilesc
      resources:
        requests:
          storage: 5Gi

    A persistent volume claim (PVC) resource creates the file share: it uses the storage class object to dynamically provision an Azure file share.

  4. Upload the edirapi.conf, CA cert, and the server certificate to the cloud shell.

    Click the Upload/Download files button icon on cloud shell and upload edirapi.conf, SSCert.pem and keys.pfx files.

    NOTE:edirapi.conf has a parameter “origin”. Set it to the IP address through which the OpenText Identity Console application will be accessed (the IP address created in the Creating a standard SKU public IP address section).

    OpenText Identity Console installation requires a server certificate (keys.pfx).

    While creating the server certificate, make sure to provide a valid DNS name in the Subject Alternative Name.

    Steps to build a valid DNS name:

    A pod deployed using a StatefulSet has a DNS name of the form {statefulsetname}-{ordinal}.{servicename}.{namespace}.svc.cluster.local

    • If the StatefulSet name in the idconsole-statefulset.yaml file is idconsole-app, then statefulsetname = idconsole-app

    • If it is the first pod, then ordinal = 0

    • If you define serviceName in the idconsole-statefulset.yaml file as idconsole, then servicename = idconsole

    • If it is the default namespace, then namespace = default

    Output: idconsole-app-0.idconsole.default.svc.cluster.local
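An added example, not part of this guide, that derives the pod DNS name from the StatefulSet values above and checks it against the DNS entries in the server certificate's Subject Alternative Name, as printed by openssl x509 -noout -ext subjectAltName. It goes beyond the single-replica case in the guide by checking every replica and handling wildcard entries; the function names and the sample openssl output (one mistyped service name beside the correct one) are constructed for this example.

```python
import re

def statefulset_pod_dns(statefulset_name, ordinal, service_name, namespace="default"):
    """Cluster DNS name of one StatefulSet pod:
    {statefulsetname}-{ordinal}.{servicename}.{namespace}.svc.cluster.local"""
    return f"{statefulset_name}-{ordinal}.{service_name}.{namespace}.svc.cluster.local"

def parse_san_dns(openssl_ext_output):
    """Extract the DNS: entries from 'openssl x509 -noout -ext subjectAltName' output."""
    return re.findall(r"DNS:([^,\s]+)", openssl_ext_output)

def san_matches(san_name, hostname):
    """True if a SAN entry covers the host name: exact match, or a leading '*'
    that stands for exactly one label (the usual RFC 6125 rule)."""
    san_name, hostname = san_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if san_name == hostname:
        return True
    if san_name.startswith("*."):
        suffix = san_name[1:]  # e.g. ".idconsole.default.svc.cluster.local"
        if hostname.endswith(suffix):
            head = hostname[:-len(suffix)]
            return bool(head) and "." not in head
    return False

def uncovered_pods(openssl_ext_output, statefulset_name, service_name, replicas, namespace="default"):
    """Return the pod DNS names (one per replica) that no SAN entry in the certificate covers."""
    sans = parse_san_dns(openssl_ext_output)
    missing = []
    for ordinal in range(replicas):
        host = statefulset_pod_dns(statefulset_name, ordinal, service_name, namespace)
        if not any(san_matches(san, host) for san in sans):
            missing.append(host)
    return missing

# Constructed sample of the openssl output for keys.pfx: one mistyped service name
# ("idcosole") next to the correct name for pod ordinal 0.
SAMPLE_SAN_OUTPUT = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:idconsole-app-0.idcosole.default.svc.cluster.local, "
    "DNS:idconsole-app-0.idconsole.default.svc.cluster.local\n"
)
```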

  5. Create a configmap resource in the Kubernetes cluster that stores the configuration files along with the certificates.

    Before running the command, make sure that the files (edirapi.conf, SSCert.pem and keys.pfx) are present in the directory.

    kubectl create configmap <configmapName> --from-file=<path where the files are present>

    Example:

    kubectl create configmap config-data --from-file=/data
  6. View the details of the configmap object, using kubectl describe command:

    kubectl describe configmap <configmapName>

    Example:

    kubectl describe configmap config-data
  7. Create a StatefulSet resource to deploy the container.

    Run the following command to deploy the container:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-statefulset.yaml

    A sample StatefulSet resource file has been shown below:

    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: idconsole-app
    spec:
      serviceName: idconsole
      selector:
        matchLabels:
          app: idconsole
      replicas: 1
      template:
        metadata:
          labels:
            app: idconsole
        spec:
          containers:
          - name: idconsole-container
            image: registryname.azurecr.io/identityconsole:<version>
            env:
            - name: ACCEPT_EULA
              value: "Y"
            ports:
            - containerPort: 9000
            volumeMounts:
              - name: configfiles
                mountPath: /config/data
              - name: datapersistenceandlog
                mountPath: /config
                subPath: log
          volumes:
            - name: configfiles
              configMap:
                name: config-data
            - name: datapersistenceandlog
              persistentVolumeClaim:
                claimName: pvcforsc
  8. Run the following command to verify the status of the deployed pod:

    kubectl get pods -o wide
  9. Create a Service resource of type LoadBalancer.

    The type of service specified in the yaml file is LoadBalancer.

    Create a service resource using the following command:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-services.yaml

    A sample service resource file has been shown below:

    apiVersion: v1
    kind: Service
    metadata:
      name: idconsole-service
      labels:
        run: idconsole-service
    spec:
      type: LoadBalancer
      loadBalancerIP: xx.xx.xx.xx
      selector:
        app: idconsole
      ports:
       - port: 9000
         targetPort: 9000
         protocol: TCP

    Check the EXTERNAL-IP address (or the loadBalancerIP) using the following command:

    kubectl get svc -o wide
  10. Open the URL using the EXTERNAL-IP (or the loadBalancerIP address).

    Example:

    https://<EXTERNAL-IP>:9000/identityconsole