17.0 Planning Your Deployment

This section guides you through the process of planning your deployment and provides you with the list of prerequisites required to deploy the containers on Azure.

Deploying the Identity Manager containers requires the following Azure resources and prerequisites:

  1. Ensure your Azure account has read-write permissions to create the following infrastructure:

    1. Azure Kubernetes Service (AKS).

    2. Network creation.

    3. (Optional) Azure PostgreSQL.

      NOTE: The Terraform deployment scripts create these resources, so the account that runs the scripts must be allowed to create them.

  2. Obtain a domain name through which the Identity Manager applications are accessed.

    You can purchase a domain, or use a DNS name within the respective resource group. For example, identitymanager.eastus.cloudapp.azure.com.

    NOTE: In the above example, eastus is the Azure region and cloudapp.azure.com is the general Azure suffix domain.

  3. Obtain TLS certificate files (.crt and .key) for your domain from a certificate authority (CA).

  4. (Optional) Instead of using a public CA, generate a certificate signed by your own Organizational CA. Run the following command in the command-line interface to create a private key and a certificate signing request (CSR):

    openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

    NOTE: The -nodes option writes domain.key unencrypted. Keep the file on a path with restricted permissions and remove it from the workstation once the key is loaded into the cluster.
    1. Specify input for the following prompts:

      Table 17-1 CSR prompts

      Prompt                            Description
      Country Name (two letter code)    The country as a two-letter code.
      State or Province Name            The full name of the state or province.
      Locality Name                     The city name.
      Organization Name                 The organization name, for example, Internet Widgits Pty Ltd.
      Organizational Unit Name          The organizational unit name, for example, section.
      Common Name                       The fully qualified domain name (FQDN) of the server, for example, identitymanager.eastus.cloudapp.azure.com.
      Email Address                     Your email address.
      A challenge password              A unique password. This field is optional.
      An optional company name          An optional company name.

    2. Run the following command to write the private key as tls.key in RSA (PKCS#1) format:

      openssl rsa -in domain.key -out tls.key

      NOTE: With OpenSSL 1.1 this produces a "BEGIN RSA PRIVATE KEY" file. OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY") by default and needs the -traditional option for the legacy format; Kubernetes TLS secrets accept either.
    3. Perform the following steps to export the Organizational CA (root) certificate from Identity Console.

      1. Log in to Identity Console at https://<IP address or Host name>:9000/identityconsole/#/.

      2. Navigate to Certificate Management > Server Certificate Management.

      3. Click Export.

      4. In the Certificates drop-down, select the Organizational CA.

      5. In the Export format drop-down, select BASE64.

      6. Click OK.

      7. Click Save the exported certificate and keep the file, for example as cert.b64.

    4. Perform the following steps to submit your CSR to the Organizational CA and obtain a signed server certificate.

      1. Log in to Identity Console at https://<IP address or Host name>:9000/identityconsole/#/.

      2. Navigate to Certificate Management > Issue Certificate.

      3. Click Choose File and upload the domain.csr file generated by the openssl req command in Step 4.

      4. In the Certificate Parameters drop-down, select the validity period, for example, maximum. A shorter validity limits the exposure if the key is compromised, at the cost of more frequent re-issuing.

      5. In the Certificate format drop-down, select File in Base64 format.

      6. Click Next.

      7. Review the provided inputs and then click OK.

      8. Click Download the issued certificate and keep the file, for example as domain.b64.

    5. Run the following command to concatenate the server certificate (domain.b64) followed by the root certificate (cert.b64) into tls.crt. The server (leaf) certificate must come first.

      cat domain.b64 <(echo) cert.b64 <(echo) > tls.crt

      NOTE: The <(echo) process substitution inserts a newline between the files and requires bash. In a plain POSIX shell, run cat and echo in sequence instead.
  5. To generate the service principal credentials, perform the following steps.

    IMPORTANT: You need service principal credentials to generate the configuration and to push the sensitive information to Azure Key Vault.

    1. Log in to the Azure Portal.

    2. Click the Cloud Shell icon to open a terminal.

    3. In the terminal window, run the following command:

      az ad sp create-for-rbac --skip-assignment

      NOTE: Recent Azure CLI releases no longer assign a role by default and have removed the --skip-assignment option; if the option is rejected, omit it. Assign the service principal only the roles it needs (for example, on the Key Vault and the deployment resource group) rather than a subscription-wide role.

    NOTE: Make a note of the appId, password, and tenant values from the command output. The password is shown only once and cannot be retrieved later; store it in a secret store, not in scripts or source control.