Installing Soffid using Docker

Guide to the installation of Soffid IAM using Docker.

Installing IAM Console

Guide to install IAM Console using Docker. 

There is a public docker image at docker hub: https://hub.docker.com/r/soffid/iam-console/

Prerequisites

Installation

To configure the IAM Console, the following environment variables can be set:

Variable | Description | Example
DB_URL | JDBC URL | jdbc:mariadb://dbcontainer/soffid, jdbc:oracle:thin:@HOST:PORT:SID or jdbc:oracle:thin:@//HOST:PORT/SERVICENAME
DB_USER | Database user | Soffid
DB_PASSWORD | Database password | 5uper5ecret
JAVA_OPT | Java virtual machine options | -Xmx4096m
SECURE | (optional) Enables the Java Security Manager | true
SOFFID_TRUSTED_SCRIPTS | (optional) Allows scripts to use insecure classes. Leave it unset or false unless a script actually needs it. Available since Console version 3.5.6 | true or false
HIDE_MENU | (optional) Hides Console menu options. Take the option identifiers from the Console.yaml file. Available since Console version 3.5.6 | soffid.admin
AUTH_METHODS | (optional) Forces the authentication mechanisms, overriding the ones configured in the authentication option of the Soffid Console. Available since Console version 3.5.6 | SAML, PASSWORD or SAML PASSWORD
EXTERNAL_URL | (optional) Overrides the host name configuration when there are two Consoles. Available since Console version 3.5.9.5 | https://soffid.lab.internal.com

Additional parameters configure the database connection pool, that is, the minimum and maximum number of database connections:

Variable | Description | Example
DBPOOL_MIN_IDLE | Minimum number of idle connections kept in the pool at all times | 1 or 2
DBPOOL_MAX_IDLE | Maximum number of idle connections kept in the pool | between 10 and 15
DBPOOL_INITIAL | Number of connections established when the pool is started | 3 or 4
DBPOOL_MAX | Maximum number of active connections that can be allocated; defaults to 30 if not set. A transaction fails if the maximum is reached and no connection is released within 30 seconds | 25

The image defines the following volumes by default:

Volume | Usage
/opt/soffid/iam-console-3/logs | Console log files
/opt/soffid/iam-console-3/index | Text search engine index files. They can be erased at any time; the engine regenerates the index
/opt/soffid/iam-console-3/conf | Configuration files, including server.xml and tomee.xml

Here is a sample command to start a Docker container running the IAM Console. The container joins a previously created Docker network; the MariaDB container is on the same network.

docker run -d \
   -e DB_URL=jdbc:mariadb://mariadb-service/soffid \
   -e DB_USER=soffid \
   -e DB_PASSWORD=soffid \
   --name=iam-console \
   --publish=8080:8080 \
   --network=soffidnet \
   soffid/iam-console

To see the Console log files, execute:

docker logs -f iam-console

By default, port 8080 is published. When the TLS connection is configured, add --publish=443:443 to publish the TLS port as well. Port 8080 serves plain HTTP, so do not publish it beyond the local host or a trusted network until TLS is in place.

When the Console is created, the password for the admin user is changeit and it is valid for 24 hours.

Now you can connect to the Soffid Console at http://localhost:8080/soffid/. The first thing you must do is change the admin user password.
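The following wrapper script is an added example, not part of the Soffid documentation or of the soffid/iam-console image. It checks the configuration before the container is started: it accepts only the JDBC URL forms listed in the table above, rejects an empty or placeholder database password, writes the DB_* variables to an owner-only env file so the password does not end up on the command line or in shell history, mounts the three documented volumes as named volumes, and binds port 8080 to 127.0.0.1 only. The image name, network name and volume paths come from the page; the named volume names (iam-console-logs, iam-console-index, iam-console-conf), the env file name and the loopback binding (which assumes a TLS reverse proxy on the host fronts the Console) are this script's own choices.

```shell
#!/bin/sh
# Added example (not part of the Soffid documentation or image): validate the
# IAM Console configuration, keep the database password out of the command
# line by passing it through a 0600 env file, and bind plain HTTP to loopback.
#
# Assumptions: image soffid/iam-console, network soffidnet and the volume
# paths come from the page; the named volumes, the env file name and the
# loopback-only port binding are choices made here.

# Accept only the JDBC URL forms documented for the Console.
validate_db_url() {
    case "$1" in
        jdbc:mariadb://*/*) return 0 ;;
        jdbc:oracle:thin:@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reject an empty password and the placeholder values used in the examples.
validate_db_password() {
    [ -n "$1" ] && [ "$1" != "soffid" ] && [ "$1" != "changeit" ]
}

# Write DB_URL, DB_USER and DB_PASSWORD to $1 in docker --env-file format,
# readable only by the owner.
write_env_file() {
    f="$1"
    rm -f "$f"
    ( umask 077; printf 'DB_URL=%s\nDB_USER=%s\nDB_PASSWORD=%s\n' "$2" "$3" "$4" > "$f" )
}

# Validate the three database settings and write the env file, or fail with
# a message. Arguments: envfile DB_URL DB_USER DB_PASSWORD.
prepare_console_env() {
    envfile="$1"; db_url="$2"; db_user="$3"; db_password="$4"
    validate_db_url "$db_url" || { echo "unsupported DB_URL: $db_url" >&2; return 1; }
    [ -n "$db_user" ] || { echo "DB_USER is empty" >&2; return 1; }
    validate_db_password "$db_password" || { echo "DB_PASSWORD is empty or a placeholder" >&2; return 1; }
    write_env_file "$envfile" "$db_url" "$db_user" "$db_password"
}

# Print the docker run command for the Console. Port 8080 is plain HTTP, so
# it is bound to 127.0.0.1 (assumption: a TLS reverse proxy fronts it).
# SOFFID_TRUSTED_SCRIPTS is set to false explicitly to document the choice.
build_console_cmd() {
    envfile="$1"
    cmd="docker run -d --env-file $envfile"
    cmd="$cmd -e JAVA_OPT=-Xmx4096m -e SOFFID_TRUSTED_SCRIPTS=false"
    cmd="$cmd -v iam-console-logs:/opt/soffid/iam-console-3/logs"
    cmd="$cmd -v iam-console-index:/opt/soffid/iam-console-3/index"
    cmd="$cmd -v iam-console-conf:/opt/soffid/iam-console-3/conf"
    cmd="$cmd --name=iam-console --publish=127.0.0.1:8080:8080"
    cmd="$cmd --network=soffidnet soffid/iam-console"
    printf '%s\n' "$cmd"
}

# Usage: DB_URL=... DB_USER=... DB_PASSWORD=... sh start-console.sh | sh
# The script only prints the command; piping it to sh runs it.
if [ -n "${DB_URL:-}" ]; then
    prepare_console_env ./iam-console.env "$DB_URL" "${DB_USER:-}" "${DB_PASSWORD:-}" \
        && build_console_cmd ./iam-console.env
fi
```

The env file keeps the password out of the docker command line and shell history, but the variables are still visible to anyone who can run docker inspect on the container, so access to the Docker socket should be restricted accordingly.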

Next Step: Installing Sync server


Installing Sync server

Guide to install Sync server using Docker.

There is a public docker image at docker hub: https://hub.docker.com/r/soffid/iam-sync

Prerequisites

Soffid IAM Sync server requires:

Linux

Installation

Install the first Sync server

To configure the first IAM Sync server, the following environment variables can be set:

Variable | Description | Example
DB_URL | JDBC URL | jdbc:mariadb://dbcontainer/soffid
DB_USER | Database user | Soffid
DB_PASSWORD | Database password | 5uper5ecret
SOFFID_HOSTNAME | Host name used to reach the Sync server | syncserver01.soffid.com
SOFFID_PORT | TCP port used for incoming connections | 760
SOFFID_MAIN | Set to yes for the first Sync server, no for the next ones | yes

Additional parameters configure the database connection pool, that is, the minimum and maximum number of database connections:

Variable | Description | Example
DBPOOL_MIN_IDLE | Minimum number of idle connections kept in the pool at all times | 1 or 2
DBPOOL_MAX_IDLE | Maximum number of idle connections kept in the pool | between 10 and 15
DBPOOL_INITIAL | Number of connections established when the pool is started | 3 or 4
DBPOOL_MAX | Maximum number of active connections that can be allocated; defaults to 30 if not set. A transaction fails if the maximum is reached and no connection is released within 30 seconds | 25
DBPOOL_MAX_IDLE_TIME | Number of seconds an unused database connection is kept open. Available since Sync Server version 3.5.4.3 | 3600

Install the next Sync servers

To configure the next Sync servers, the following environment variables can be set:

Variable | Description | Example
SOFFID_SERVER | URL of the first Sync server | https://syncserver01.soffid.com:1760
SOFFID_USER | Soffid user used to join the security domain. When working in a tenant, a user of that tenant | admin
SOFFID_PASS | Password of that user. When working in a tenant, the password of the tenant user | changeit
SOFFID_HOSTNAME | Host name used to reach this Sync server | syncserver.soffid.com
SOFFID_PORT | TCP port used for incoming connections | 760
SOFFID_TENANT | Tenant name | master
SOFFID_MAIN | Set to yes for the first Sync server, no for the next ones | no

Install a Sync server in a private network

To configure a Sync server in a private network that is not directly reachable from the main Sync server, the following environment variables can be set:

Variable | Description | Example
SOFFID_SERVER | URL of the first Sync server | https://syncserver01.soffid.com:1760
SOFFID_USER | Soffid user used to join the security domain | admin
SOFFID_PASS | Password of that user | changeit
SOFFID_HOSTNAME | Host name used to reach this Sync server | syncserver.soffid.com
SOFFID_TENANT | Tenant name | master
SOFFID_MAIN | Set to yes for the first Sync server, no for the next ones | no
SOFFID_REMOTE | Flag that enables the cloud protocol: the Sync server reaches the main one instead of listening for incoming connections, so no port needs to be published | yes

You can use this configuration when the main Sync server is located in the cloud.

The following volumes are defined by default:

Volume | Usage
/opt/soffid/iam-sync/conf | Configuration files, including private keys and certificates

Treat this volume as sensitive: it holds the Sync server's private keys, so restrict access to it on the host and encrypt any backups of it.

Command

Here is a sample command to start a Docker container running the IAM Sync server. Remember to publish the port so the Sync server is reachable from outside Docker; this is not needed when using the cloud connectivity:

docker run -d \
   -e DB_URL=jdbc:mysql://mariadb-service/soffid \
   -e DB_USER=soffid \
   -e DB_PASSWORD=soffid \
   -e SOFFID_PORT=1760 \
   -e SOFFID_HOSTNAME=iam-sync.soffidnet \
   -e SOFFID_MAIN=yes \
   --name=iam-sync \
   --publish 1760:1760 \
   --network=soffidnet \
   soffid/iam-sync:latest

To see the Sync server log files, execute:

docker logs -f iam-sync

You can also view the log files inside the container: enter the container, then look in the /var/log/soffid/ directory.

root@soffid:~# docker exec -it iam-sync /bin/bash
root@e1a90ff25d99:/# less /var/log/soffid/syncserver.log

Now you can connect to the IAM Console at http://localhost:8080/soffid and check that the Console and the Sync server are connected.
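The three Sync server variants above (first server, next servers, server in a private network) each need a different set of variables, and only the first two publish a port. The script below is an added example, not part of the Soffid documentation or of the soffid/iam-sync image: it derives the role from SOFFID_MAIN and SOFFID_REMOTE, checks that the variables the corresponding table requires are present, writes them to an owner-only env file (so SOFFID_PASS and DB_PASSWORD stay out of the command line) and prints the docker run command, omitting --publish for the cloud-protocol case. The image name, network name and conf volume path come from the page; the named volume iam-sync-conf, the env file name, the role names and the CONTAINER_NAME override are this script's own choices.

```shell
#!/bin/sh
# Added example (not part of the Soffid documentation or image): derive the
# Sync server role from SOFFID_MAIN / SOFFID_REMOTE, check the variables the
# matching table requires, write them to a 0600 env file and print the
# docker run command.
#
# Assumptions: image soffid/iam-sync:latest, network soffidnet and the conf
# volume path come from the page; the named volume iam-sync-conf, the env
# file name, the role names and CONTAINER_NAME are choices made here.

# Fail if any of the named variables is empty. $1 is a label for messages.
require_vars() {
    label="$1"; shift
    for v in "$@"; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "$label sync server: $v must be set" >&2
            return 1
        fi
    done
}

# main: first server (SOFFID_MAIN=yes); remote: joins through the cloud
# protocol (SOFFID_REMOTE=yes); secondary: any other joining server.
sync_role() {
    if [ "${SOFFID_MAIN:-}" = "yes" ]; then
        echo main
    elif [ "${SOFFID_REMOTE:-}" = "yes" ]; then
        echo remote
    else
        echo secondary
    fi
}

# Write KEY=value lines (one per argument) to $1, readable only by the owner,
# in the format docker's --env-file expects.
write_env_file() {
    f="$1"; shift
    rm -f "$f"
    ( umask 077; printf '%s\n' "$@" > "$f" )
}

# Print the docker run command for the current role, or fail with a message.
# $1 is the env file to write (default ./iam-sync.env).
build_sync_cmd() {
    envfile="${1:-./iam-sync.env}"
    role=$(sync_role)
    publish=""
    case "$role" in
        main)
            require_vars main DB_URL DB_USER DB_PASSWORD SOFFID_HOSTNAME SOFFID_PORT || return 1
            write_env_file "$envfile" "DB_URL=$DB_URL" "DB_USER=$DB_USER" \
                "DB_PASSWORD=$DB_PASSWORD" "SOFFID_HOSTNAME=$SOFFID_HOSTNAME" \
                "SOFFID_PORT=$SOFFID_PORT" "SOFFID_MAIN=yes"
            publish="--publish $SOFFID_PORT:$SOFFID_PORT" ;;
        secondary)
            require_vars secondary SOFFID_SERVER SOFFID_USER SOFFID_PASS \
                SOFFID_HOSTNAME SOFFID_PORT SOFFID_TENANT || return 1
            write_env_file "$envfile" "SOFFID_SERVER=$SOFFID_SERVER" "SOFFID_USER=$SOFFID_USER" \
                "SOFFID_PASS=$SOFFID_PASS" "SOFFID_HOSTNAME=$SOFFID_HOSTNAME" \
                "SOFFID_PORT=$SOFFID_PORT" "SOFFID_TENANT=$SOFFID_TENANT" "SOFFID_MAIN=no"
            publish="--publish $SOFFID_PORT:$SOFFID_PORT" ;;
        remote)
            # The remote server reaches the main one through the cloud
            # protocol, so no port is published and SOFFID_PORT is not needed.
            require_vars remote SOFFID_SERVER SOFFID_USER SOFFID_PASS \
                SOFFID_HOSTNAME SOFFID_TENANT || return 1
            write_env_file "$envfile" "SOFFID_SERVER=$SOFFID_SERVER" "SOFFID_USER=$SOFFID_USER" \
                "SOFFID_PASS=$SOFFID_PASS" "SOFFID_HOSTNAME=$SOFFID_HOSTNAME" \
                "SOFFID_TENANT=$SOFFID_TENANT" "SOFFID_MAIN=no" "SOFFID_REMOTE=yes" ;;
    esac
    # The conf volume holds the private keys; a named volume keeps it off
    # the image layer and lets the host restrict access to it.
    cmd="docker run -d --env-file $envfile -v iam-sync-conf:/opt/soffid/iam-sync/conf"
    cmd="$cmd --name=${CONTAINER_NAME:-iam-sync}"
    if [ -n "$publish" ]; then cmd="$cmd $publish"; fi
    printf '%s\n' "$cmd --network=soffidnet soffid/iam-sync:latest"
}

# Usage: set the variables for the role, then:  sh start-sync.sh | sh
if [ -n "${SOFFID_HOSTNAME:-}" ]; then
    build_sync_cmd
fi
```

For the joining servers, prefer a dedicated Soffid account for SOFFID_USER over the admin account from the examples, and rotate its password after the join; the env file still contains it afterwards, so delete the file or keep it owner-only.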