16.0 Planning Your Deployment

This section guides you through the planning process and the prerequisites you must meet before deploying the containers on Azure.

  1. The Identity Manager containers deployment process requires the following Azure resources. Ensure that your Azure account has the read-write permissions needed to create the infrastructure.

    1. Azure Kubernetes Service (AKS).

    2. Virtual Machine (VM).

    3. Network creation.

    4. Public IP address.

    5. (Optional) Azure PostgreSQL.

      NOTE: The infrastructure elements listed above are created by the Terraform deployment scripts.

  2. To access the different Identity Manager applications, purchase a domain.

    You can have your own domain within the respective resource group. For example, identitymanager.eastus.cloudapp.azure.com.

    NOTE: In the above example, eastus is the location and cloudapp.azure.com is the general Azure domain suffix.

  3. You can obtain an SSL certificate (.crt and .key files) for your domain from any certificate authority (CA).

  4. (Optional) To generate your own self-signed certificate, go to the command-line interface and run the following command:

    openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

    1. Specify input for the following prompts:

      Table 16-1

      Prompt                         Description
      -----------------------------  ------------------------------------------------------------
      Country Name (2 letter code)   Specify the country name as a 2-letter code.
      State or Province Name         Specify the full name of the state or province.
      Locality Name                  Specify the city name.
      Organization Name              Specify the organization name. For example, Internet Widgits Pty Ltd.
      Organizational Unit Name       Specify the organizational unit name. For example, section.
      Common Name                    Specify the fully qualified domain name (FQDN) of the server. For example, identitymanager.eastus.cloudapp.azure.com.
      Email Address                  Specify your email address.
      A challenge password           Specify a unique password.
      An optional company name       Specify an optional company name.

    2. Run the following command to convert the private key to RSA format:

      openssl rsa -in domain.key -out tls.key

    3. Perform the following steps to obtain the root certificate.

      1. Log in to https://<IP address or Host name>:8443/nps/servlet/portal.

      2. Go to Roles and Tasks > NetIQ Certificate Access > Server Certificates, and then select the SSL CertificateDNS check box.

      3. Click Export.

      4. In the Certificates drop-down, select the Organizational CA.

      5. In the Export format drop-down, select BASE64.

      6. Click Next.

      7. Click Save the exported certificate.

    4. Perform the following steps to submit your CSR to the CA and obtain a signed server certificate.

      1. Log in to https://<IP address or Host name>:8443/nps/servlet/portal.

      2. Go to Roles and Tasks > NetIQ Certificate Server > Issue Certificate.

      3. Click Choose File and upload the <domain>.csr file that was generated in Step 4.b.

      4. Click Next thrice.

      5. In the validity period drop-down, select the validity period. For example, maximum.

      6. Click Next.

      7. Select the File in Base64 format radio button.

      8. Click Next.

      9. Review the provided inputs and then click Finish.

      10. Click Download the issued certificate.

    5. Run the following command to concatenate the server certificate and the root certificate:

      cat domain.b64 <(echo) cert.b64 <(echo) > tls.crt

  5. To generate the Service Principal Credentials, perform the following steps.

    IMPORTANT: Service principal credentials are required for configuration generation and for pushing all sensitive information to Azure Key Vault.

    1. Log in to the Azure Portal.

    2. Click .

    3. In the terminal window, run the following command:

      az ad sp create-for-rbac --skip-assignment

    NOTE: Make a note of the appId, password, and tenant ID from the command output.
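The following script is an added example, not part of this documentation or the Identity Manager product: it runs the Step 4 certificate procedure non-interactively and then checks the resulting tls.key and tls.crt before they are handed to the deployment. A constructed local CA stands in for the iManager Organizational CA (Steps 4.3 and 4.4), and the O, OU and location values are sample values, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the Identity Manager documentation): Step 4 run
# non-interactively, with a constructed local CA replacing the iManager
# Organizational CA so that the whole flow can be exercised offline.
set -eu

WORKDIR="$(mktemp -d)"
FQDN="identitymanager.eastus.cloudapp.azure.com"   # example domain from this section

# Step 4 and 4.1: key and CSR, with the Table 16-1 prompts answered via -subj
# (C/ST/L/O/OU are constructed sample values).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/domain.key" -out "$WORKDIR/domain.csr" \
    -subj "/C=US/ST=Virginia/L=Ashburn/O=Example Org/OU=IDM/CN=$FQDN" 2>/dev/null
}

# Step 4.2: rewrite the private key as the tls.key the deployment expects
convert_key() {
  openssl rsa -in "$WORKDIR/domain.key" -out "$WORKDIR/tls.key" 2>/dev/null
}

# Stand-in for Steps 4.3 and 4.4: in the real procedure cert.b64 is the
# exported root and domain.b64 is the downloaded issued certificate.
issue_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/cert.b64" \
    -subj "/O=Constructed Test CA/CN=Test Organizational CA" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/domain.csr" -CA "$WORKDIR/cert.b64" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 30 \
    -out "$WORKDIR/domain.b64" 2>/dev/null
}

# Step 4.5: server certificate first, root second (same result as the
# page's cat ... <(echo) ... command, written in POSIX sh)
concat_chain() {
  { cat "$WORKDIR/domain.b64"; echo; cat "$WORKDIR/cert.b64"; echo; } > "$WORKDIR/tls.crt"
}

# Pre-deployment checks: the key matches the leaf certificate, the leaf CN
# is the domain, and the leaf verifies against the root that was appended.
verify_bundle() {
  [ "$(openssl x509 -in "$WORKDIR/tls.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/tls.key" -pubout)" ] || return 1
  openssl x509 -in "$WORKDIR/tls.crt" -noout -subject | grep -q "CN *= *$FQDN" || return 1
  openssl verify -CAfile "$WORKDIR/cert.b64" "$WORKDIR/domain.b64" >/dev/null 2>&1
}
make_csr && convert_key && issue_with_test_ca && concat_chain && verify_bundle \
  && echo "tls.crt and tls.key verified in $WORKDIR"
```

Run the same verify_bundle checks against the files produced by the real iManager CA before passing tls.crt and tls.key to the Terraform deployment.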