9.3 Deploying Containers on a Single Server

9.3.1 Deploying Identity Manager Engine Container

  1. Use the silent properties file generated in the Creating the Silent Properties File section for deploying the container.

  2. (Conditional) To handle any driver RPM updates or third-party files, perform the steps mentioned in Handling RPM Updates and Third Party Files.

  3. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  4. Navigate to the docker-images directory.

  5. Run the following command to load the image:

    docker load --input IDM_487_identityengine.tar.gz
  6. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=engine-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 identityengine:idm-4.8.7
  7. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/idm/log/idmconfigure.log
  8. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it engine-container bash

NOTE: To run the Identity Vault utilities such as ndstrace or ndsrepair, log in to the container as the non-root user nds. These utilities cannot be run if you are logged in as the root user. To log in to the container as the nds user, run the docker exec -it engine-container su nds command.

9.3.2 Deploying Remote Loader Container

  1. (Conditional) To handle any driver RPM updates or third-party files, perform the steps mentioned in Handling RPM Updates and Third Party Files.

  2. (Conditional) To start Remote Loader instances automatically with the container, perform the steps mentioned in Starting Remote Loader Instances Automatically With Remote Loader Container Deployment.

  3. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  4. Navigate to the docker-images directory.

  5. Run the following command to load the image:

    docker load --input IDM_487_remoteloader.tar.gz
  6. (Conditional) If you do not want to use configuration files while deploying the container, deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=rl-container -v /data:/config --stop-timeout 100 remoteloader:idm-4.8.7

    The driver files are located in the /opt/novell/eDirectory/lib/dirxml/classes/ directory of the container.

    NOTE: The 32-bit Remote Loader is not supported with containers.

  7. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it rl-container bash

  8. Configure Remote Loader. For more information, see Configuring the Remote Loader and Drivers in the NetIQ Identity Manager Driver Administration Guide.

9.3.3 Deploying Fanout Agent Container

  1. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  2. Navigate to the docker-images directory.

  3. Run the following command to load the image:

    docker load --input IDM_487_fanoutagent.tar.gz
  4. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=foa-container -v /data:/config --stop-timeout 100 fanoutagent:idm-4.8.7
  5. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it foa-container bash

  6. Configure the Fanout Agent. For more information, see Configuring the Fanout Agent in the NetIQ Identity Manager Driver for JDBC Fanout Implementation Guide.

9.3.4 Generating Certificate With Identity Vault Certificate Authority

(Conditional) This section applies only if you are using Identity Vault as the Certificate Authority.

The following components require you to generate a certificate before they are deployed. Before you generate the certificates for these components, ensure that the Identity Manager Engine and Identity Console containers are deployed.

  • OSP

  • Identity Applications

  • Identity Reporting

Perform the following steps to generate the certificate:

  1. Ensure that the Java version installed is Azul Zulu 1.8.0_292 or later.

  2. Ensure that the Java path is set. To set it, run the following command:

    export PATH=<java installed location>/bin:$PATH

    For example,

    export PATH=/opt/netiq/common/jre/bin/:$PATH

  3. Generate the PKCS keystore:

    keytool -genkey -alias idm -keyalg RSA -storetype pkcs12 -keystore /config/tomcat.ks -validity 3650 -keysize 2048 -dname "CN=identitymanager.example.com" -keypass <password> -storepass <password>

  4. Generate a certificate signing request:

    keytool -certreq -v -alias idm -file /config/idm.csr -keypass <password> -keystore /config/tomcat.ks -storepass <password>

  5. Generate a self-signed certificate:

    1. Launch Identity Console and log in.

    2. Navigate to Certificate Management > Issue Certificate.

    3. Browse to the .csr file created in step 3. For example, idm.csr.

    4. Click Open.

    5. Under the Key Usage Specifications drop-down, specify the key type.

    6. Under the Extended Key Usage Specifications drop-down, specify the extended key type.

    7. For the certificate type, select Unspecified under the Basic Constraints drop-down.

    8. Specify the validity of the certificate under the Certificate Parameters drop-down.

    9. Select File in binary DER format under the Certificate format drop-down.

    10. Click Next.

    11. Click OK.

    12. Download the certificate and copy the downloaded certificate to the /data directory.

  6. Export the root certificate in .der format:

    1. Launch Identity Console and log in.

    2. Navigate to Certificate Management > Server Certificate Management.

    3. Select the SSL CertificateDNS check box and click Export.

    4. In the Certificates drop-down list, select the Organizational CA.

    5. In the Export Format drop-down list, select DER.

    6. Click OK.

    7. Download the certificate and copy the downloaded certificate to the /data directory.

  7. Import the certificates into the PKCS keystore you created in step 2:

    keytool -import -trustcacerts -alias root -keystore /config/tomcat.ks -file /config/cert.der -storepass <password> -noprompt

    keytool -import -alias idm -keystore /config/tomcat.ks -file /config/idm.der -storepass <password> -noprompt

NOTE: Ensure that the keystore is available in the path that was specified as an input for deployment.

9.3.5 Deploying OSP Container

NOTE: Before you deploy the OSP container, ensure that you generate the required certificate. For more information, see Generating Certificate With Identity Vault Certificate Authority.

  1. Use the silent properties file generated in the Creating the Silent Properties File section for deploying the container.

  2. Ensure that the SSO_SERVER_SSL_PORT property is set to a unique port.

  3. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  4. Navigate to the docker-images directory.

  5. Run the following command to load the image:

    docker load --input IDM_487_osp.tar.gz
  6. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=osp-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 osp:idm-4.8.7
  7. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/osp/log/idmconfigure.log
  8. Stop the container using the following command:

    docker stop osp-container
  9. Run the following command to modify the Tomcat shutdown port in the server.xml file. In the following example, the port 8005 will be changed to 18005:

    sed -i "s~8005~18005~g" /data/osp/tomcat/conf/server.xml
  10. Start the container using the following command:

    docker start osp-container
  11. Run the following command to log in to the container:

    docker exec -it <container> <command>

    For example,

    docker exec -it osp-container bash

  12. Navigate to the /opt/netiq/idm/apps/configupdate/ directory.

  13. Modify the configupdate.sh.properties file.

  14. Set the value of the no_nam_oauth parameter to false.

  15. Save the configupdate.sh.properties file.

  16. Run the following command to exit the container.

    exit

9.3.6 Deploying PostgreSQL Container

  1. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  2. Navigate to the docker-images directory.

  3. Run the following command to load the image:

    docker load --input IDM_487_postgres.tar.gz
  4. Create a sub-directory under the shared directory /data, for example, postgres.

    mkdir postgres

  5. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=postgresql-container -e POSTGRES_PASSWORD=<password> -v /data/postgres:/var/lib/postgresql/data --stop-timeout 100 postgres:12.14

    For example,

    docker run --restart unless-stopped -d --network=host --name=postgresql-container -e POSTGRES_PASSWORD=novell -v /data/postgres:/var/lib/postgresql/data --stop-timeout 100 postgres:12.14

  6. Create the idmadmin user for Identity Applications.

    docker exec -it postgresql-container psql -U postgres -c "CREATE USER idmadmin WITH ENCRYPTED PASSWORD '<password>'"

  7. Create the Identity Applications, Workflow, and Identity Reporting databases.

    docker exec -it postgresql-container psql -U postgres -c "CREATE DATABASE idmuserappdb"

    docker exec -it postgresql-container psql -U postgres -c "CREATE DATABASE igaworkflowdb"

    docker exec -it postgresql-container psql -U postgres -c "CREATE DATABASE idmrptdb"

    NOTE: These databases are used while you configure the Identity Applications and Identity Reporting containers.

  8. Grant all the privileges on the databases for the idmadmin user:

    docker exec -it postgresql-container psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE idmuserappdb TO idmadmin"

    docker exec -it postgresql-container psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE igaworkflowdb TO idmadmin"

  9. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it postgresql-container bash

9.3.7 Deploying Identity Applications Container

NOTE: Before you deploy the Identity Applications container, ensure that you generate the required certificate. For more information, see Generating Certificate With Identity Vault Certificate Authority.

  1. Use the silent properties file generated in the Creating the Silent Properties File section for deploying the container.

  2. Ensure that the UA_SERVER_SSL_PORT property is set to a unique port.

  3. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  4. Navigate to the docker-images directory.

  5. Run the following command to load the image:

    docker load --input IDM_487_identityapplication.tar.gz
  6. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=idapps-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 identityapplication:idm-4.8.7
  7. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/userapp/log/idmconfigure.log
  8. Run the following command to log in to the container.

    docker exec -it <container> <command>

    For example,

    docker exec -it idapps-container bash

  9. Run the following command:

    NOTE: Before performing this step, ensure that the container is deployed successfully.

    /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /config/tomcat.ks -srcstorepass <password> -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -deststorepass <password>
  10. Run the following command to exit the container.

    exit

  11. Run the following command to modify the Tomcat shutdown port in the server.xml file. In the following example, the port 8005 will be changed to 28005:

    sed -i "s~8005~28005~g" /data/userapp/tomcat/conf/server.xml
  12. Restart the container using the following command:

    docker restart idapps-container

NOTE: To modify any settings in the configuration update utility, launch configupdate.sh from the /opt/netiq/idm/apps/configupdate/ directory of the Identity Applications container. The configuration update utility can be launched in console mode only.

9.3.8 Deploying Form Renderer Container

  1. Use the silent properties file generated in the Creating the Silent Properties File section for deploying the container.

  2. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  3. Navigate to the docker-images directory.

  4. Run the following command to load the image:

    docker load --input IDM_487_formrenderer.tar.gz
  5. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=fr-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 formrenderer:idm-4.8.7
  6. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it fr-container bash

9.3.9 Deploying ActiveMQ Container

NOTE: This procedure assumes that you will use the ActiveMQ container with the Identity Applications container. To use the ActiveMQ container with the Fanout Agent container, you must deploy a new instance of the ActiveMQ container with a different IP address and ports.

  1. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  2. Navigate to the docker-images directory.

  3. Run the following command to load the image:

    docker load --input IDM_487_activemq.tar.gz
  4. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=amq-container -v /data:/config --env-file /data/silent.properties --stop-timeout 100 activemq:idm-4.8.7
  5. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it amq-container bash

9.3.10 Deploying Identity Reporting Container

NOTE: Before you deploy the Identity Reporting container, ensure that you generate the required certificate. For more information, see Generating Certificate With Identity Vault Certificate Authority.

  1. Use the silent properties file generated in the Creating the Silent Properties File section for deploying the container.

  2. Ensure that the TOMCAT_HTTPS_PORT property is set to a unique port.

  3. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  4. Navigate to the docker-images directory.

  5. Run the following command to load the image:

    docker load --input IDM_487_identityreporting.tar.gz
  6. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=rpt-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 identityreporting:idm-4.8.7
  7. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/reporting/log/idmconfigure.log
  8. Run the following command to log in to the container:

    docker exec -it <container> <command>

    For example,

    docker exec -it rpt-container bash

  9. Run the following command:

    NOTE: Before performing this step, ensure that the container is deployed successfully.

    /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /config/tomcat.ks -srcstorepass <password> -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -deststorepass <password>
  10. Run the following command to exit the container.

    exit

  11. Run the following command to modify the Tomcat shutdown port in the server.xml file. In the following example, the port 8005 will be changed to 38005:

    sed -i "s~8005~38005~g" /data/reporting/tomcat/conf/server.xml
  12. (Conditional) Applies only if you are using Identity Vault as the Certificate Authority.

    Add the -Dcom.sun.net.ssl.checkRevocation=false parameter to the export CATALINA_OPTS entry of the setenv.sh file. In this example, the setenv.sh file is located in the /data/reporting/tomcat/bin/ directory.

  13. Restart the container using the following command:

    docker restart rpt-container
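Every container in this section runs with --network=host, so the SSL ports in silent.properties (SSO_SERVER_SSL_PORT, UA_SERVER_SSL_PORT, TOMCAT_HTTPS_PORT) and the Tomcat shutdown port in each server.xml must be distinct across the OSP, Identity Applications and Identity Reporting containers. The following added example, which is not part of the NetIQ guide, checks the property file for a port clash and changes the shutdown port by its XML attribute instead of the guide's global sed substitution; the sample files it creates are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide. Helpers for the host-network port
# requirements of this chapter: distinct SSL ports in silent.properties and a
# distinct Tomcat shutdown port per server.xml. Sample inputs are constructed.
set -eu

# Print "ok" when SSO_SERVER_SSL_PORT, UA_SERVER_SSL_PORT and TOMCAT_HTTPS_PORT
# hold distinct values; otherwise print the clashing value(s) and return 1.
check_unique_ports() {
    dups=$(grep -E '^(SSO_SERVER_SSL_PORT|UA_SERVER_SSL_PORT|TOMCAT_HTTPS_PORT)=' "$1" \
        | cut -d= -f2 | sed 's/[[:space:]]//g' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate port(s): $dups"
        return 1
    fi
    echo ok
}

# Rewrite only the port attribute of the <Server> element and print the port
# now in the file. The guide's sed "s~8005~18005~g" rewrites every "8005" in
# server.xml (a comment, an unrelated connector); anchoring on the attribute
# limits the change to the shutdown port.
set_shutdown_port() {
    xml="$1"; newport="$2"; tmp="$1.tmp"
    sed "s/\(<Server[^>]*port=\"\)[0-9]\{1,\}\"/\1${newport}\"/" "$xml" > "$tmp" \
        && mv "$tmp" "$xml"
    sed -n 's/.*<Server[^>]*port="\([0-9]\{1,\}\)".*/\1/p' "$xml"
}

# Constructed sample input: a properties file with a clash and a minimal server.xml.
demo() {
    d=$(mktemp -d)
    printf 'SSO_SERVER_SSL_PORT=8543\nUA_SERVER_SSL_PORT=8543\nTOMCAT_HTTPS_PORT=8643\n' \
        > "$d/silent.properties"
    printf '<Server port="8005" shutdown="SHUTDOWN">\n  <!-- 8005 in a comment -->\n</Server>\n' \
        > "$d/server.xml"
    check_unique_ports "$d/silent.properties" || true   # reports the 8543 clash
    set_shutdown_port "$d/server.xml" 18005              # prints 18005
    grep -c '8005 in a comment' "$d/server.xml"          # comment untouched: prints 1
    rm -rf "$d"
}
demo
```

On a real host, point check_unique_ports at /data/silent.properties and set_shutdown_port at the /data/<component>/tomcat/conf/server.xml path shown in the corresponding step.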

9.3.11 Deploying SSPR Container

Perform the following tasks to deploy the SSPR container:

  1. Use the silent properties file generated in the Creating the Silent Properties File section for deploying the container.

  2. Create a sub-directory under the shared directory /data, for example, sspr.

    mkdir sspr

  3. Navigate to the location where you have extracted the Identity_Manager_4.8.7_Containers.tar.gz file.

  4. Navigate to the docker-images directory.

  5. Run the following command to load the image:

    docker load --input IDM_487_sspr.tar.gz
  6. Deploy the container using the following command:

    docker run --restart unless-stopped -d --network=host --name=sspr-container -v /data/sspr:/config --stop-timeout 100 sspr/sspr-webapp:4.7.0.0-ea
  7. Run the following command on the Docker host to copy the silent.properties file from the Docker host to the SSPR container:

    docker cp /data/silent.properties sspr-container:/tmp
  8. Load the silent properties file to the SSPR container.

    docker exec -it sspr-container /app/command.sh ImportPropertyConfig /tmp/silent.properties

    NOTE: Check that the SSPRConfiguration.xml file has been created under the /config directory of the SSPR container and verify its content.

  9. Import the OAuth certificate to SSPR:

    1. From the Docker host, edit the SSPRConfiguration.xml file in the /data/sspr/ directory, set the value of the configIsEditable flag to true, and save the changes.

    2. Launch a browser and enter the https://identitymanager.example.com:8443/sspr URL.

    3. Click OK.

    4. Log in using administrator credentials, for example, uaadmin.

    5. Click the user, for example, uaadmin, in the top-right corner and then click Configuration Editor.

    6. Specify the configuration password and click Sign In.

    7. Click Settings > Single Sign On (SSO) Client > OAuth and ensure that all URLs use the HTTPS protocol and correct ports.

    8. Under OAuth Server Certificate, click Import from Server to import a new certificate and then click OK.

    9. Click at the top-right corner to save the certificate.

    10. Review the changes and click OK.

    11. After the SSPR application restarts, edit the SSPRConfiguration.xml file, set the value of the configIsEditable flag to false, and save the changes.

9.3.12 Deploying Identity Console Container

For more information on deploying Identity Console Container, see Deploying Identity Console as Docker Container.