8.5 Deploying Containers on a Single Server

In this example, all the Identity Manager containers are deployed on a single Docker host using the host network mode.

8.5.1 Prerequisites

  • Ensure that the hostname is in FQDN format as shown below:

    <IP of the host> <FQDN> <short_name>

    For example:

    172.120.0.1     identitymanager.example.com      identitymanager
    
  • You must generate the silent properties file before you deploy the containers. For more information on generating the silent properties file, see Creating the Silent Properties File.

The containers must be deployed in the following order:

8.5.2 Deploying Identity Manager Engine Container

  1. Generate the silent properties file. For more information, see Creating the Silent Properties File.

  2. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  3. Run the following command to load the image:

    docker load --input IDM_48_identityengine.tar.gz

  4. Deploy the container using the following command:

    docker run -d --network=host --name=engine-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties identityengine:idm-4.8.0

  5. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/idm/log/idmconfigure.log

  6. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it engine-container bash

NOTE: To run the Identity Vault utilities such as ndstrace or ndsrepair, log in to the container as the non-root user named nds. These utilities cannot be run if you are logged in as the root user. To log in to the container as the nds user, run the docker exec -it engine-container sudo nds command.

8.5.3 Deploying Remote Loader Container

  1. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  2. Run the following command to load the image:

    docker load --input IDM_48_remoteloader.tar.gz

  3. Deploy the container using the following command:

    docker run -d --network=host --name=rl-container -v /data:/config remoteloader:idm-4.8.0

    This deploys the 64-bit and 32-bit versions of the Remote Loader. The driver files can be found in the /opt/novell/eDirectory/lib/dirxml/classes/ directory of the container.

  4. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it rl-container bash

  5. Configure Remote Loader. For more information, see Configuring the Remote Loader and Drivers in the NetIQ Identity Manager Driver Administration Guide.

  6. Ensure that the configuration files are available in the shared volume.

8.5.4 Deploying Fanout Agent Container

  1. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  2. Run the following command to load the image:

    docker load --input IDM_48_fanoutagent.tar.gz

  3. Deploy the container using the following command:

    docker run -d --network=host --name=foa-container -v /data:/config fanoutagent:idm-4.8.0

  4. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it foa-container bash

  5. Configure the Fanout Agent. For more information, see Configuring the Fanout Agent in the NetIQ Identity Manager Driver for JDBC Fanout Implementation Guide.

8.5.5 Deploying iManager Container

  1. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  2. Run the following command to load the image:

    docker load --input IDM_48_iManager320.tar

  3. Create a .env file with the required configuration to suit your environment. For example, the iManager.env is created in the /data directory.

    # Certificate Public Key Algorithm
    # Allowed Values: RSA, ECDSA256, ECDSA384
    CERTIFICATE_ALGORITHM=RSA
    # Cipher Suite
    # Allowed Values:
    # For RSA - NONE, LOW, MEDIUM, HIGH
    # For ECDSA256 - SUITEB128ONLY
    # For ECDSA384 - SUITEB128, SUITEB192
    CIPHER_SUITE=NONE
    # Tomcat Server HTTP Port
    TOMCAT_HTTP_PORT=8080
    # Tomcat Server SSL Port
    TOMCAT_SSL_PORT=8743
    # iManager Authorized User (admin_name.container_name.tree_name)
    AUTHORIZED_USER=

  4. Create a sub-directory under the shared volume /data, for example, iManager.

  5. Deploy the container using the following command:

    docker run -d --network=host --name=iman-container -v /data:/config -v /data/iManager.env:/etc/opt/novell/iManager/conf/iManager.env imanager:3.2.0

  6. To install the Identity Manager plug-ins, perform the following steps:

    1. Log in to iManager.

      https://identitymanager.example.com:8743/nps/

    2. Click Configure.

    3. Click Plug-in Installation and then click Available NetIQ Plug-in Modules.

    4. Select all the plug-ins from the NetIQ Plug-in Modules list and then click Install.

    To obtain the plug-ins offline, perform the following steps:

    1. Download the Identity_Manager_4.8_Linux.iso from the NetIQ Downloads website.

    2. Mount the downloaded .iso file.

    3. From the mounted location, navigate to the /iManager/plugins directory and obtain the required plug-ins.

    Alternatively, you can install the plug-ins from the iManager plug-ins website.

  7. Restart the iManager container.

    docker restart iman-container

  8. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it iman-container bash

For more information about deploying the iManager container, see Deploying iManager Using Docker Container in the NetIQ iManager Installation Guide.

8.5.6 Deploying OSP Container

  1. Generate the silent properties file. For more information, see Creating the Silent Properties File.

  2. Ensure that the SSO_SERVER_SSL_PORT property is set to a unique port.

  3. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  4. Run the following command to load the image:

    docker load --input IDM_48_osp.tar.gz

  5. Deploy the container using the following command:

    docker run -d --network=host --name=osp-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties osp:idm-4.8.0

  6. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/osp/log/idmconfigure.log

  7. Stop the container using the following command:

    docker stop osp-container

  8. Run the following command to modify the Tomcat shutdown port in the server.xml file. In the following example, the port 8005 will be changed to 18005:

    sed -i "s~8005~18005~g" /data/osp/tomcat/conf/server.xml

  9. Start the container using the following command:

    docker start osp-container

  10. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it osp-container bash

8.5.7 Deploying PostgreSQL Container

  1. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  2. Run the following command to load the image:

    docker load --input IDM_48_postgres.tar.gz

  3. Create a sub-directory under the shared volume /data, for example, postgres.

    mkdir postgres

  4. Deploy the container using the following sample command:

    docker run -d --network=host --name=postgresql-container -e POSTGRES_PASSWORD=<password> -v /data/postgres:/var/lib/postgresql/data postgres:9.6.12-alpine

    For example,

    docker run -d --network=host --name=postgresql-container -e POSTGRES_PASSWORD=novell -v /data/postgres:/var/lib/postgresql/data postgres:9.6.12-alpine

  5. Create the idmadmin user for Identity Applications.

    docker exec -it postgresql-container psql -U postgres -c "CREATE USER idmadmin WITH ENCRYPTED PASSWORD '<password>'"

  6. Create the Identity Applications, Workflow, and Identity Reporting databases.

    docker exec -it postgresql-container psql -U postgres -c "CREATE DATABASE idmuserappdb"

    docker exec -it postgresql-container psql -U postgres -c "CREATE DATABASE igaworkflowdb"

    docker exec -it postgresql-container psql -U postgres -c "CREATE DATABASE idmrptdb"

    NOTE: These databases are used while you configure the Identity Applications and Identity Reporting containers.

  7. Grant all the privileges on the databases for the idmadmin user:

    docker exec -it postgresql-container psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE idmuserappdb TO idmadmin"

    docker exec -it postgresql-container psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE igaworkflowdb TO idmadmin"

  8. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it postgresql-container bash

8.5.8 Deploying Identity Applications Container

  1. Generate the silent properties file. For more information, see Creating the Silent Properties File.

  2. Ensure that the UA_SERVER_SSL_PORT property is set to a unique port.

  3. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  4. Run the following command to load the image:

    docker load --input IDM_48_identityapplication.tar.gz

  5. Deploy the container using the following command:

    docker run -d --network=host --name=idapps-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties identityapplication:idm-4.8.0

  6. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/userapp/log/idmconfigure.log

  7. Stop the container using the following command:

    docker stop idapps-container

  8. Run the following command to modify the Tomcat shutdown port in the server.xml file. In the following example, the port 8005 will be changed to 28005:

    sed -i "s~8005~28005~g" /data/userapp/tomcat/conf/server.xml

  9. Start the Docker container using the following command:

    docker start idapps-container

  10. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it idapps-container bash

NOTE: To modify any settings in the configuration update utility, launch configupdate.sh from the /opt/netiq/idm/apps/configupdate/ directory of the Identity Applications container. The configuration update utility can be launched in console mode only.

8.5.9 Deploying Form Renderer Container

  1. Generate the silent properties file. Select Identity Applications while generating the silent properties file. For more information, see Creating the Silent Properties File.

  2. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  3. Run the following command to load the image:

    docker load --input IDM_48_formrenderer.tar.gz

  4. Deploy the container using the following command:

    docker run -d --network=host --name=fr-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties formrenderer:idm-4.8.0

  5. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it fr-container bash

8.5.10 Deploying ActiveMQ Container

  1. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  2. Run the following command to load the image:

    docker load --input IDM_48_activemq.tar.gz

  3. Deploy the container using the following command:

    docker run -d --network=host --name=amq-container -v /data:/config --env-file /data/silent.properties activemq:idm-4.8.0

  4. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it amq-container bash

  5. Configure ActiveMQ. For more information, see Setting Up ActiveMQ Startup Service in the NetIQ Identity Manager Driver for JDBC Fanout Implementation Guide.

8.5.11 Deploying Identity Reporting Container

  1. Generate the silent properties file. For more information, see Creating the Silent Properties File.

  2. Ensure that the TOMCAT_HTTPS_PORT property is set to a unique port.

  3. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  4. Run the following command to load the image:

    docker load --input IDM_48_identityreporting.tar.gz

  5. Deploy the container using the following command:

    docker run -d --network=host --name=rpt-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties identityreporting:idm-4.8.0

  6. To verify whether the container was successfully deployed, check the log files by running the following command:

    tail -f /data/reporting/log/idmconfigure.log

  7. Stop the container using the following command:

    docker stop rpt-container

  8. Run the following command to modify the Tomcat shutdown port in the server.xml file. In the following example, the port 8005 will be changed to 38005:

    sed -i "s~8005~38005~g" /data/reporting/tomcat/conf/server.xml

  9. (Conditional) Applies only if you are using Identity Vault as the Certificate Authority.

    Add the -Dcom.sun.net.ssl.checkRevocation=false parameter in the export CATALINA_OPTS entry of the setenv.sh file. In this example, the setenv.sh file is located under the /data/reporting/tomcat/bin/ directory.

  10. Start the Docker container using the following command:

    docker start rpt-container

  11. To log in to the container, run the following command:

    docker exec -it <container> <command>

    For example,

    docker exec -it rpt-container bash
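
The OSP, Identity Applications, and Identity Reporting containers all run Tomcat on the same host network, so the SSL port properties and the Tomcat shutdown ports set in 8.5.6, 8.5.8, and 8.5.11 must not collide. The following is an added example, not part of the NetIQ documentation: an anchored, re-runnable alternative to the global sed substitution, plus a duplicate-port check over the files named on this page. It assumes GNU sed, a single-line <Server ...> tag in server.xml, and KEY=value or KEY="value" lines in the properties files; the function names are hypothetical.

```shell
# Added example, not NetIQ code. Assumes GNU sed, a single-line <Server ...> tag,
# and KEY=value or KEY="value" lines in the properties files.

# Set the Tomcat shutdown port by rewriting only the port attribute of the
# <Server> element. Unlike a global s~8005~18005~g, it leaves other numbers
# alone and gives the same result when run twice.
set_shutdown_port() {  # usage: set_shutdown_port <server.xml> <new_port>
  sed -i -E "s~(<Server[^>]*[[:space:]]port=\")[0-9]+~\1$2~" "$1"
}

# Print the shutdown port currently set in a server.xml (empty if none found).
get_shutdown_port() {  # usage: get_shutdown_port <server.xml>
  sed -n -E 's~.*<Server[^>]*[[:space:]]port="([0-9]+)".*~\1~p' "$1" | head -n 1
}

# Print one line "<port> <owner> <owner>..." for each port claimed more than once.
# Arguments: silent.properties / iManager.env files and server.xml files.
duplicate_ports() {
  keys='SSO_SERVER_SSL_PORT|UA_SERVER_SSL_PORT|TOMCAT_HTTPS_PORT|TOMCAT_HTTP_PORT|TOMCAT_SSL_PORT'
  for f in "$@"; do
    case "$f" in
      *.xml) p=$(get_shutdown_port "$f")
             if [ -n "$p" ]; then echo "$p shutdown:$f"; fi ;;
      *)     sed -n -E "s~^($keys)=[[:space:]]*\"?([0-9]+)\"?[[:space:]]*\$~\2 \1~p" "$f" ;;
    esac
  done | awk '{ n[$1]++; who[$1] = who[$1] " " $2 }
              END { for (p in n) if (n[p] > 1) print p who[p] }' | sort -n
}

# Typical use on the Docker host, with the container stopped:
#   set_shutdown_port /data/osp/tomcat/conf/server.xml 18005
#   duplicate_ports /data/silent.properties /data/iManager.env \
#     /data/osp/tomcat/conf/server.xml /data/userapp/tomcat/conf/server.xml \
#     /data/reporting/tomcat/conf/server.xml
```

Any line printed by duplicate_ports names a port that two components would both try to bind; resolve it before starting the containers.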

8.5.12 Deploying SSPR Container

Perform the following tasks to deploy the SSPR container:

  1. Generate the silent properties file for SSPR. For more information, see Creating the Silent Properties File.

  2. Create a sub-directory under the shared volume /data, for example, sspr.

    mkdir sspr

  3. From the location where you have extracted the Identity_Manager_4.8_Containers.tar.gz file, navigate to the Identity_Manager_4.8_Containers directory.

  4. Run the following command to load the image:

    docker load --input IDM_48_sspr.tar.gz

  5. Deploy the container using the following sample command:

    docker run -d --network=host --name=sspr-container -v /data/sspr:/config sspr/sspr-webapp:latest

  6. Run the following command from the Docker host to copy the silent.properties file from the Docker host to the SSPR container:

    docker cp /data/silent.properties sspr-container:/tmp

  7. Load the silent properties file to the SSPR container.

    docker exec -it sspr-container /app/command.sh ImportPropertyConfig /tmp/silent.properties

    NOTE: Check whether the SSPRConfiguration.xml file is created under the /config directory of the SSPR container and verify the content of the file.

  8. Import the OAuth certificate to SSPR:

    1. From the Docker host, edit the SSPRConfiguration.xml file located in the /data/sspr/ directory, set the value of the configIsEditable flag to true, and save the changes.

    2. Launch a browser and enter the https://identitymanager.example.com:8443/sspr URL.

    3. Log in using administrator credentials, for example, uaadmin.

    4. Click on the user, for example, uaadmin, on the top-right corner and then click Configuration Editor.

    5. Specify the configuration password and click Sign In.

    6. Click Settings > Single Sign On (SSO) Client > OAuth and ensure that all URLs use the HTTPS protocol and correct ports.

    7. Under OAuth Server Certificate, click Import from Server to import a new certificate and then click OK.

    8. Click at the top-right corner to save the certificate.

    9. Review the changes and click OK.

    10. After the SSPR application is restarted, edit the SSPRConfiguration.xml file and set the value of the configIsEditable flag to false and save the changes.