Installation

Installation guides

Getting started

To successfully install Soffid IAM, choose your installation type and follow the steps below:

Server

  1. Initialize database
  2. Installing Soffid IAM on your own server
  3. Configure TLS for IAM Console

Docker

  1. Initialize database
  2. Installing Soffid IAM on Docker

Kubernetes

  1. Initialize database
  2. Installing Soffid IAM on Kubernetes

 

We also recommend reading the Soffid architecture section before proceeding with the installation.

System architecture

Soffid 3 system is composed of up to five different components:


IAM Console

Is the portal used by administrators and users to manage identity management objects. It is 100% web-based and can be deployed on any Windows or Linux server. Kubernetes and Docker deployments are supported as well.

Repository

Is a relational database that stores all the information about configuration, policies and identity objects, including users, accounts and permissions.

Any of the following repositories are supported:

Sync server

Is responsible for connecting the repository with the managed systems. The integration works in both directions: fetching changes from the managed systems and pushing changes from the Soffid repository.

The sync server can be deployed in many different ways, allowing central, distributed and hybrid deployments, both in the cloud and on premises.

PAM Jump server

Is the component that brokers access to privileged accounts, recording the screen and every keystroke, file transfer and clipboard transfer.

It can only be installed on a Linux server with Docker.

Directory server

Is a directory server based on OpenLDAP. It can only be installed on a Linux server with Docker.

Database initialization

How to install and initialize database

Database initialization

Initialize database

The purpose of this tutorial is to show how to initialize a database required for Soffid IAM installation.

Prerequisites

First of all, you should install one of the databases supported by Soffid IAM.

The supported databases are:

MySQL/MariaDB

In order to configure the MySQL database you need access to the database administration tool (mysql) with superuser permissions over a TCP/IP connection. If needed, create a user for the Soffid installation. If you do not have such a user, or do not know its password, log in to MySQL as root, run the mysql tool and create the user with the grant command (where ADMIN_USER is the user that will create the Soffid repository database during the installation process and ADMIN_PASSWORD is its password):

create database soffid;
use soffid;
grant all privileges on *.* to ADMIN_USER@localhost identified by 'ADMIN_PASSWORD' with grant option;

In addition, in order to handle large files, such as process definitions or software addons, the max_allowed_packet parameter of MySQL must be increased. This parameter is usually set in the /etc/mysql/my.cnf file:

[mysqld]
max_allowed_packet=128M

If the MariaDB version is 10.1.38 or newer, the recommended value for max_allowed_packet is 512M.

Note: if the error 'The size of BLOB/TEXT data inserted in one transaction is greater than 10% of redo log size. Increase the redo log size using innodb_log_file_size.' appears when uploading an addon, increase the default value of this MySQL/MariaDB parameter. It is usually set in the /etc/mysql/my.cnf file:

[mysqld]
innodb_log_file_size=256M

If you are installing on an Ubuntu 18.04 server, the default character set is utf8mb4. Using this character set can cause problems, as many index sizes will exceed the maximum key size of 767 bytes. To prevent this problem, change the following settings:

[mysqld]
character-set-server  = Latin1
collation-server      = Latin1_general_ci

Alternatively, if a UTF character set is required, write the following settings:

[mysqld]
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci
innodb_large_prefix   = 1
innodb_file_format    = Barracuda
innodb_file_per_table = 1
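As an added example (not part of the Soffid documentation), the following Python script checks a my.cnf file against the settings listed above before the console is installed: the max_allowed_packet minimum (128M, or 512M for MariaDB 10.1.38 and newer) and, when utf8mb4 is used, the three InnoDB options that make large index prefixes possible. The sample configurations in the script are constructed, and the parser and function names are the example's own.

```python
"""Pre-flight check of the [mysqld] settings required for a Soffid repository.

Added example, not part of the Soffid documentation: it reads a my.cnf-style
file from a string and reports which of the settings required by the page are
missing or below the required value. Sample configurations are constructed.
"""
import re

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MIB = 1024 ** 2


def parse_size(value: str) -> int:
    """'128M' -> 134217728; plain integers are bytes, as MySQL reads them."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if m is None:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def parse_mycnf(text: str) -> dict:
    """Return {section: {option: value}}. MySQL treats '-' and '_' in option
    names as equivalent, so both spellings are folded to '_'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.replace("-", "_").lower()] = value
    return sections


def check_mysqld(text: str, mariadb_10_1_38_or_newer: bool = False) -> list:
    """Return the list of problems found; an empty list means the file meets
    the page's requirements. The flag selects the 512M recommendation that
    applies to MariaDB 10.1.38 and newer."""
    cfg = parse_mycnf(text).get("mysqld", {})
    problems = []

    need_packet = (512 if mariadb_10_1_38_or_newer else 128) * MIB
    packet = cfg.get("max_allowed_packet")
    if packet is None or parse_size(packet) < need_packet:
        problems.append(f"max_allowed_packet must be at least {need_packet // MIB}M")

    charset = cfg.get("character_set_server", "").lower()
    if charset == "utf8mb4":
        # utf8mb4 indexes exceed the 767-byte key limit unless large prefixes
        # are enabled, which needs the Barracuda file format and file-per-table.
        required = {
            "innodb_large_prefix": {"1", "on"},
            "innodb_file_format": {"barracuda"},
            "innodb_file_per_table": {"1", "on"},
        }
        for option, accepted in required.items():
            if cfg.get(option, "").lower() not in accepted:
                problems.append(f"{option} must be set when using utf8mb4")
    elif charset != "latin1":
        problems.append("character-set-server should be set explicitly to latin1 or utf8mb4")
    return problems


# Constructed sample: a file written as the page recommends for UTF-8.
GOOD_CNF = """
[mysqld]
max_allowed_packet=128M
innodb_log_file_size=256M
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci
innodb_large_prefix   = 1
innodb_file_format    = Barracuda
innodb_file_per_table = 1
"""

# Constructed sample: the Ubuntu 18.04 utf8mb4 default kept, InnoDB options missing.
BAD_CNF = """
[mysqld]
max_allowed_packet=16M
character-set-server = utf8mb4
"""

if __name__ == "__main__":
    for name, cnf in (("good", GOOD_CNF), ("bad", BAD_CNF)):
        print(name, check_mysqld(cnf) or "ok")
```

Run it against the real file with `check_mysqld(open("/etc/mysql/my.cnf").read())`; the function only reads the [mysqld] section, so settings placed in an included conf.d file must be concatenated first.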

The steps to set up a two-node database cluster are described in the section Creating a multimaster MariaDB replica below.

Video Tutorial

MariaDB initialization using Docker

MariaDB initialization in Kubernetes

Oracle

A new database instance should be created. Optionally two tablespaces should be created (SOFFID_DATA and SOFFID_INDEX) to separate soffid tables and indexes.

CREATE TABLESPACE SOFFID_DATA DATAFILE '/app/oracle/oradata/project/soffid_data.dbf' SIZE 200M EXTENT MANAGEMENT LOCAL AUTOALLOCATE;

To create the tablespace it is necessary to provide the full path name, its size and the EXTENT MANAGEMENT LOCAL AUTOALLOCATE option. The autoallocate option is needed because the tables are not sized by the database creation scripts. Also, the Oracle Listener must have a TCP/IP port accepting connections.

Microsoft SQLServer

You must enable the SQL Server Browser Service at startup, and the authentication method has to be set to “SQL Server and Windows Authentication mode”.

In addition, you must ensure that the READ_COMMITTED_SNAPSHOT option is enabled; you can do so with the following command:

ALTER DATABASE [database_name] SET READ_COMMITTED_SNAPSHOT ON;

 

Database initialization

Creating a multimaster MariaDB replica

This topic covers the process to create a two-node MariaDB cluster. The cluster will be configured to allow the Soffid console to use either database node, which in turn will replicate data changes to the other one.

The steps alternate between node 1 and node 2; each step states the node it runs on.

On node 1: create and set up MariaDB.

Configure MariaDB to generate binary log files. Add the following lines to /etc/mysql/my.cnf:

server-id = 1
log-bin
binlog-format=row
expire_logs_days = 15
max_binlog_size = 1000M
replicate-ignore-table = soffid.SC_SEQUENCE
slave-skip-errors = 1032,1053,1062

 

Restart MariaDB:

service mysql restart

On node 2: create and set up MariaDB.

Configure MariaDB to generate binary log files. Add the following lines to /etc/mysql/my.cnf:

server-id = 2
log-bin
binlog-format=row
expire_logs_days = 15
max_binlog_size = 1000M
replicate-ignore-table = soffid.SC_SEQUENCE
slave-skip-errors = 1032,1053,1062

 

Restart MariaDB:

service mysql restart

On node 2, create a user for node 1 to fetch data from node 2. From mysql, execute:

grant replication slave on *.* to replication_user@'<NODE1-IP>';

 

set password for replication_user@'<NODE1-IP>' = password('<NODE1-PASS>');

On node 1, create a user for node 2 to fetch data from node 1. From mysql, execute:

grant replication slave on *.* to replication_user@'<NODE2-IP>';

 

set password for replication_user@'<NODE2-IP>' = password('<NODE2-PASS>');

 

On node 1, query the current binary log position:

MariaDB [(none)]> show master status;

 

The result should look like this:

File               Position  Binlog_Do_DB  Binlog_Ignore_DB
mysqld-bin.000030  68175

The values obtained will be used on node 2 to start the replica process.

 
 

On node 2, start replication from node 1. From mysql, execute the following statement, replacing the placeholders with the proper values:

CHANGE MASTER TO
MASTER_HOST='<NODE1-IP>',
MASTER_USER='replication_user',
MASTER_PASSWORD='<NODE2-PASS>',
MASTER_PORT=3306,
MASTER_LOG_FILE='<NODE1-FILE>', /* e.g. mysqld-bin.000030 */
MASTER_LOG_POS=<NODE1-POSITION>, /* e.g. 68175 */
MASTER_CONNECT_RETRY=10;

 

On node 2, verify that the replica is working by executing:

SHOW SLAVE STATUS \G

 

Check following lines:

Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Seconds_Behind_Master: 0

 

On node 2, query the current binary log position:

MariaDB [(none)]> show master status;

 

The result should look like this:

File               Position  Binlog_Do_DB  Binlog_Ignore_DB
mysqld-bin.000060  98325

The values obtained will be used on node 1 to start the replica process.

Now, on node 1, start replication from node 2. From mysql, execute the following statement, replacing the placeholders with the proper values:

CHANGE MASTER TO
MASTER_HOST='<NODE2-IP>',
MASTER_USER='replication_user',
MASTER_PASSWORD='<NODE1-PASS>',
MASTER_PORT=3306,
MASTER_LOG_FILE='<NODE2-FILE>', /* e.g. mysqld-bin.000060 */
MASTER_LOG_POS=<NODE2-POSITION>, /* e.g. 98325 */
MASTER_CONNECT_RETRY=10;

 

On node 1, verify that the replica is working by executing:

SHOW SLAVE STATUS \G

 

Check following lines:

Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Seconds_Behind_Master: 0
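Both verification steps, on node 2 and on node 1, rely on reading the same three lines by eye. As an added example that is not part of the Soffid documentation, this Python script parses the vertical output of SHOW SLAVE STATUS \G and reports anything that differs from the expected values, so the check can be repeated from a monitoring job. The two status outputs are constructed samples, and the function names are the example's own.

```python
"""Health check for the SHOW SLAVE STATUS \\G output used on both nodes.

Added example, not part of the Soffid documentation: it parses the vertical
(\\G) output of the mysql client and checks the three lines the page says to
verify, plus the error field that explains why a thread is not running.
The two sample outputs below are constructed, not captured from a real node.
"""


def parse_vertical(output: str) -> dict:
    """Parse '   Field: value' lines of a \\G result into a dict.
    Row separators ('*** 1. row ***') and blank lines are skipped."""
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def replica_problems(output: str, max_lag_seconds: int = 0) -> list:
    """Return [] when the replica matches the expected lines, otherwise one
    message per problem. max_lag_seconds=0 matches the page's expectation of
    Seconds_Behind_Master: 0; raise it for a more tolerant monitoring check."""
    status = parse_vertical(output)
    problems = []
    for thread in ("Slave_IO_Running", "Slave_SQL_Running"):
        value = status.get(thread, "missing")
        if value != "Yes":
            problems.append(f"{thread}: {value}, expected Yes")
    lag = status.get("Seconds_Behind_Master", "NULL")
    if lag == "NULL":
        # NULL means no replication thread is applying events, not "no lag".
        problems.append("Seconds_Behind_Master is NULL: replication is not running")
    elif int(lag) > max_lag_seconds:
        problems.append(f"Seconds_Behind_Master: {lag}, replica is falling behind")
    # slave-skip-errors on this page covers 1032, 1053 and 1062; any other
    # error stops the SQL thread and shows up here.
    if status.get("Last_Error"):
        problems.append("Last_Error: " + status["Last_Error"])
    return problems


# Constructed sample: a healthy node after CHANGE MASTER TO.
HEALTHY = """
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.0.2.10
                  Master_User: replication_user
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
                   Last_Error:
"""

# Constructed sample: the SQL thread stopped on an error the skip list does not cover.
STOPPED = """
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
        Seconds_Behind_Master: NULL
                   Last_Errno: 1146
                   Last_Error: Error 'Table 'soffid.EXAMPLE_TABLE' doesn't exist' on query
"""

if __name__ == "__main__":
    print("healthy:", replica_problems(HEALTHY) or "ok")
    print("stopped:", replica_problems(STOPPED))
```

To use it on a live node, feed it the output of `mysql -e 'SHOW SLAVE STATUS \G'` and treat a non-empty list as an alert; a NULL lag is reported separately because it is easy to misread as zero.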

 

Now, create and populate the SC_SEQUENCE table in node 1. This sequence will generate the values 1, 11, 21, 31, 41, and so on:

CREATE TABLE `SC_SEQUENCE` (
  `SEQ_NEXT` bigint(20) NOT NULL,
  `SEQ_CACHE` bigint(20) NOT NULL,
  `SEQ_INCREMENT` bigint(20) NOT NULL
);

INSERT INTO SC_SEQUENCE VALUES (1, 100, 10);

 
 

Now, create and populate the SC_SEQUENCE table in node 2. This sequence will generate the values 2, 12, 22, 32, 42, and so on:

CREATE TABLE `SC_SEQUENCE` (
  `SEQ_NEXT` bigint(20) NOT NULL,
  `SEQ_CACHE` bigint(20) NOT NULL,
  `SEQ_INCREMENT` bigint(20) NOT NULL
);

INSERT INTO SC_SEQUENCE VALUES (2, 100, 10);

Now, on node 1, install heartbeat to create a floating IP address that the Soffid console will use to connect to the database. Create the /etc/ha.d/ha.cf file:

autojoin none
bcast eth0
warntime 3
deadtime 6
initdead 60
keepalive 1
node <NODE1-NAME>
node <NODE2-NAME>
crm respawn

 

Create the security token in node 1:

( echo -ne "auth 1\n1 sha1\n"; dd if=/dev/urandom bs=512 count=1 | openssl sha1 | cut --delimiter=' ' --fields=2 ) > /etc/ha.d/authkeys

chmod 600 /etc/ha.d/authkeys

On node 2: copy both files from node 1, /etc/ha.d/ha.cf and /etc/ha.d/authkeys, then restart the heartbeat and pacemaker services.

On node 1: restart the heartbeat and pacemaker services, then check the cluster status by executing:

crm_mon -1


It should look like:

Last updated: Mon Dec 26 19:52:24 2016
Last change: Wed Oct 21 15:11:31 2015 via cibadmin on logpmgid01v
Stack: heartbeat
Current DC: <node 1 name> - partition with quorum
Version: 1.1.10-42f2063
2 Nodes configured
0 Resources configured


Online: [ <node 1 name> <node 2 name>]

 

 
 

On node 2, check the cluster status by executing:

crm_mon -1

It should look like:

Last updated: Mon Dec 26 19:52:24 2016
Last change: Wed Oct 21 15:11:31 2015 via cibadmin on logpmgid01v
Stack: heartbeat
Current DC: <node 1 name> - partition with quorum
Version: 1.1.10-42f2063
2 Nodes configured
0 Resources configured

Online: [ <node 1 name> <node 2 name> ]

On node 1, disable STONITH:

crm configure property stonith-enabled=false

 

Add floating IP to the cluster:

crm configure
crm(live)configure# primitive site_one_ip IPaddr params ip=<FLOATING-IP> cidr_netmask="<NETMASK>" nic="eth0"
crm(live)configure# location site_one_ip_pref site_one_ip 100: <NODE1-NAME>
crm(live)configure# commit
crm(live)configure# exit

 
On node 2, check that the floating IP is up and bound to node 1.

 

Database initialization

Configuring database cluster

Once the database replica is set up, it is important to guarantee the transactionality rules. To achieve this, one database instance must act as the master and the other as the slave.

Using Corosync and Pacemaker, you can configure a floating IP address that marks which instance is the active one at any given moment.

On both nodes, install Corosync and Pacemaker. It is recommended to use apt or yum, as these tools handle the dependencies for you, making the process much easier.

Cluster nodes need a key in order to authenticate the packages sent between them by corosync.

sudo corosync-keygen

Once the key has been generated, copy it to the other nodes:

sudo scp /etc/corosync/authkey <user>@<other-cluster-node>:/home/<user>
 
On node 2, once the key has been copied, move it from /home/<user> to /etc/corosync/authkey.

On node 1, tell Corosync which IP to use to communicate with the other nodes in the cluster: open /etc/corosync/corosync.conf and edit the bindnetaddr field. Set the right IP and save the file. This must be done on every node in the cluster, although you can use the same file if you set the right name in your hosts file.

On node 2, configure Corosync with the right IP binding as done on node 1.

On node 1, edit the /etc/default/corosync file to enable Corosync by setting START=yes. Then start Corosync using sudo service corosync start.

On node 2, enable Corosync and start it as on node 1.

On node 1, allow the nodes a few seconds to start, then monitor the cluster nodes using sudo crm_mon. The result should be similar to this:

============
Last updated: Mon Mar 31 14:05:23 2015
Stack: corosync
Current DC: yourDC - partition with quorum
Version: 1.x.x-yourversion
2 Nodes configured, 2 expected votes
0 Resources configured.
============

Online: [ node1 node2 ]

On node 2, check the nodes with sudo crm_mon.

On node 1, Corosync is ready; now we will tell Pacemaker which resources we want it to handle in HA. These will be the database and a virtual IP (VIP) we will use to address the cluster.

Add the VIP to the node, then create the resource with:

sudo crm configure primitive FAILOVER-ADDR ocf:heartbeat:IPaddr2 params ip="your.virtual.IP" nic="your.network.device" op monitor interval="10s" meta is-managed="true"

You can check the result using sudo crm status, which should look something like:

Last updated: Wed Jan 18 10:21:12 2017 Last change: Tue Jan 17 13:08:25 2017 by hacluster via crmd on nodename
Stack: corosync
Current DC: nodename(version 1.1.14-70404b0) - partition with quorum
2 nodes and 2 resources configured

Online: [ node1 node2 ]

Full list of resources:

Resource Group: my_cluster
FAILOVER-ADDR (ocf::heartbeat:IPaddr2): Started node2

 

Now we will add the database resource. We will use:

sudo crm configure primitive FAILOVER-MARIADB lsb:mysql op monitor interval=15s

 

 
   

 

Installing Soffid on your server

Guide to the installation process of Soffid IAM on your server

Installing Soffid on your server

Installing IAM Console

Guide to install the IAM Console on your own server

Prerequisites

Installing the Soffid IAM solution has the following requirements:

Video Tutorial

Windows

Linux

Installation

Download

You can download Soffid 3 components from our website Soffid Download Manager

Depending on your platform, you can download the MSI, RPM or DEB version.


As soon as the install-x.y.z.sh file is on your computer, copy it to a path on your server.

Installing IAM Console

Windows

Open the installation file. It will create the operating system level service and will start it. After some seconds, the installation wizard will be up and running in port 8080.

Linux

We recommend to install the package like:

sudo dpkg -i '/your-path/SOFFID 3 Console-Debian_Ubuntu installer-3.0.0.deb'

You can check the IAM Console service status with:

systemctl status soffid-iamconsole.service

Configuration

Then, open the web browser pointing to http://localhost:8080

The wizard will ask for the following information:

The next step, allows you to enter the name and password for the initial Soffid user. You must enter:

Manual Configuration

Configuring service startup

If you are using the RPM, DEB or MSI installers, the service is automatically configured to start up with the computer. If you are using the .tar.gz file, you must enable it manually. Execute these commands as root to start Soffid IAM console service on boot:

ln -fs /opt/soffid/iam-console-3/bin/catalina.sh /etc/init.d/soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc2.d/S98soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc3.d/S98soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc2.d/K10soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc3.d/K10soffid-iamconsole

If something is not running as expected, please check the log at:

root@localhost:~# cd /opt/soffid/iam-console-3/logs
root@localhost:/opt/soffid/iam-console-3/logs# less soffid.YEAR-MONTH-DAY.log

 

Now you can connect to the IAM Console at http://localhost:8080/soffid. The first thing you must do is configure the database parameters and the admin user.

Next Step: Installing Sync server

 

 

Installing Soffid on your server

Install Sync server

Guide to install Synchronization server on your own server

Prerequisites

The Soffid IAM sync server has the following requirements:

Video tutorial

Windows

Linux

Installation

Download

First of all, open your favorite browser and open the Soffid Download Manager.

Click on Synchronization server and download the latest version for your OS.


Installing Sync Server

Windows

Open the installation file. It will install the software and will execute the installation wizard.

The installation wizard will ask if it is the first sync server or not.

Linux

sudo dpkg -i '/your-path/SOFFID 3 Sync server-Debian_Ubuntu installer-3.0.0.deb'

The installation wizard will ask if it is the first sync server or not.

Installing the first sync server

If you answer Y to the first question, the wizard will ask for the following information:

After checking the database status, the wizard will register the sync server and will create a new certification authority, as well as a digital certificate for the brand new sync server.

Installing the next sync servers

If you answer N to the first question, the wizard will ask for the following information:

The wizard will connect to the sync server and create a sync server connection request. The administrator must open the "My tasks" page and approve the request. Once the request is approved, the wizard will finish.

Manual Configuration

Manual service configuration

If you are using the RPM, DEB or MSI installers, the service is automatically configured to start up with the computer. If you are using the .tar.gz file, you must enable it manually. Execute these commands as root to start Soffid IAM sync server service on boot:

ln -fs /opt/soffid/iam-sync/bin/soffid-sync /etc/init.d/soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc1.d/K01soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc2.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc3.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc4.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc5.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc6.d/K01soffid-sync

Note that if you are running CentOS, Red Hat 7 or a version newer than Ubuntu 16.04, you should enable the service with systemctl:

sudo systemctl enable soffid-sync

Once you have installed and configured the Soffid Sync Server as a service, you can manage it with the following operations:

service soffid-sync status
service soffid-sync restart
service soffid-sync start
service soffid-sync stop

First synchronisation server configuration

It is not recommended to install the first sync server on the same host where the database is installed.

To configure the server, please execute the following commands:

On Linux:

/opt/soffid/iam-sync/bin/configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]

User and password must be the ones created during the installation process.

The hostname value must be a FQDN (fully qualified domain name), for example "myhost.mydomain.com", or in a test environment "syncserver.soffid.lab".

Mind the configuration wizard will refuse to register the sync server if this is not really the first sync server. If you really want to register this sync server as the first one, you must open the sync server management page and remove any already registered sync server.


Next servers configuration

In order to configure the next sync servers, a two-step process is required: first, a normal user installs and configures the sync server software; next, a Soffid administrator allows the sync server to join the sync servers network.

To configure the next servers, you do not need to enter the database credentials. Instead, the primary sync server URL and a Soffid console user name and password are required.

For instance, you can execute:

On Linux:

/opt/soffid/iam-sync/bin/configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]


After executing the command, an approval task will appear in Soffid console. The administrator can take ownership of the task and approve or reject it. After approving the server creation, the server will be configured as a proxy sync server (without database access).

The administrator can open the sync servers configuration page to change the sync server role at any time.

Configure a synchronization server proxy without approval in UI

If you want to bypass the approval process, there is a configuration setting that allows it:

 

Thus, you can bypass the standard workflow needed for a synchronization server to join the synchronization servers' security network. Otherwise, the standard approval workflow is required.

Renaming a sync server

You can rename any sync server at any time by removing the conf directory and executing the configure process again, but the main sync server is a special case. If you remove the conf directory, the certification authority managed by the main sync server will be lost, and every single sync server will be thrown out of the security domain.

Instead, to reconfigure the main sync server you can execute

On Linux:

/opt/soffid/iam-sync/bin/configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid

User and password must be the ones created during the installation process.

The Soffid installation process changes the console setup to reflect the new sync server name.

The url connection parameter depends on the database system:

 

Now you can connect to the IAM console at http://localhost:8080/soffid and check that the Console and the Sync server are connected.

 

Installing Soffid on your server

Configure TLS for IAM Console

Introduction

The TLS protection of Soffid IAM Console is applied through the configuration of the Apache TomEE embedded in the installation.

This solution runs on Java technology, therefore a jks file (Java Key Store) or a PKCS#12 file containing your certificate is needed.

Once you have the Console installed and your certificate in jks format, you can follow these steps to configure it for the first time or to update it.

Mind that sometimes, the network encryption algorithm is named as SSL, in fact, the configuration file still displays the word SSL. However, SSL protocol is now outdated, and TLSv1.2 is used instead.

Configuration

The configuration file to modify is the following one:

/opt/soffid/iam-console-2/conf/server.xml

It can contain one or more connectors. Uncomment or add the following one, that enables the TLS configuration:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           xpoweredBy="false"
           server="Apache TomEE">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/yourcert.jks"
                 certificateKeystorePassword="123456"
                 certificateKeyAlias="yourdomain"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

 

These are the attributes that you have to configure:

port: you can choose the standard 443 or another custom port.
certificateKeystoreFile: a relative path starts from /opt/soffid/iam-console-2/ (the installation directory).
certificateKeystorePassword: the password used to encrypt the jks file.
certificateKeyAlias: the alias that identifies your key and certificate.
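Before restarting the console, it is worth confirming that the connector in server.xml is actually active and complete. The following Python script, an added example that is not part of the Soffid documentation, lists the SSLEnabled connectors of a server.xml document and reports a missing keystore path, password or alias, a keystore password left at the sample value 123456 and, optionally, a keystore file that is absent from the installation directory. The server.xml documents in it are constructed samples and the function names are the example's own.

```python
"""Sanity check of the TLS connector in server.xml before restarting the console.

Added example, not part of the Soffid documentation: it reads a server.xml
document and reports the SSLEnabled connectors together with the attributes
this page asks to set. The documents below are constructed samples; the
install directory is the one named on this page.
"""
import os
import xml.etree.ElementTree as ET

INSTALL_DIR = "/opt/soffid/iam-console-2"  # certificateKeystoreFile is relative to this
SAMPLE_PASSWORD = "123456"  # the placeholder password shown in the page's example


def tls_connectors(server_xml: str) -> list:
    """One dict per SSLEnabled connector. Connectors inside <!-- --> comments
    are not seen by the parser, which is why the page says to uncomment one."""
    result = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        cert = conn.find("SSLHostConfig/Certificate")
        cert_attrs = cert.attrib if cert is not None else {}
        result.append({
            "port": conn.get("port"),
            "keystore": cert_attrs.get("certificateKeystoreFile"),
            "password": cert_attrs.get("certificateKeystorePassword"),
            "alias": cert_attrs.get("certificateKeyAlias"),
        })
    return result


def connector_problems(server_xml: str, install_dir: str = INSTALL_DIR,
                       check_files: bool = False) -> list:
    """Return [] when every TLS connector is fully configured. With
    check_files=True the keystore path is also checked on disk."""
    connectors = tls_connectors(server_xml)
    if not connectors:
        return ["no SSLEnabled connector: the console is only reachable over plain HTTP"]
    problems = []
    for c in connectors:
        where = f"connector on port {c['port']}"
        for key in ("keystore", "password", "alias"):
            if not c[key]:
                problems.append(f"{where}: {key} is not set")
        if c["password"] == SAMPLE_PASSWORD:
            problems.append(f"{where}: keystore password is still the sample value from the documentation")
        if c["keystore"] and check_files:
            path = c["keystore"] if os.path.isabs(c["keystore"]) else os.path.join(install_dir, c["keystore"])
            if not os.path.isfile(path):
                problems.append(f"{where}: keystore {path} does not exist")
    return problems


# Constructed sample: the page's connector pasted into a minimal server.xml,
# with the sample password left in place.
AS_DOCUMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/yourcert.jks"
                     certificateKeystorePassword="123456"
                     certificateKeyAlias="yourdomain" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample: the TLS connector is still commented out.
STILL_COMMENTED = (AS_DOCUMENTED
                   .replace('<Connector port="443"', '<!-- <Connector port="443"')
                   .replace("</Connector>", "</Connector> -->"))

if __name__ == "__main__":
    print(connector_problems(AS_DOCUMENTED))
    print(connector_problems(STILL_COMMENTED))
```

Run it with the real file, `connector_problems(open("/opt/soffid/iam-console-2/conf/server.xml").read(), check_files=True)`, from the server itself so the keystore path check is meaningful.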


Then, copy or replace your jks file at /opt/soffid/iam-console-2/conf/yourcert.jks.

After that, you have to restart the iam-console services.

sudo systemctl restart soffid-iamconsole

If you have some configuration error, you can search for more information in the Console log (the current day log):
/opt/soffid/iam-console-2/logs/soffid-YYYY-MM-DD.log

 

Load a PKCS#12 (.PFX) file

There are many standard ways to store and transfer private keys and certificates, but the most common one is the PKCS#12 format. Its main advantage is that it contains, in a single file, both the private key and the public certificate.

To transform the .PFX file into a Java key store (.JKS), one can use the following command (adapt it to your system):

keytool -v -importkeystore -srckeystore <YOUR_FILE.PFX> -srcstoretype PKCS12 \
  -destkeystore /opt/soffid/iam-console-2/conf/yourcert.jks \
  -destalias yourdomain -deststoretype JKS

Next, you will be asked for the PFX encryption password. It must be provided to you along the PFX file.

Next, you will be asked (probably twice) for the password to be used to encrypt the .JKS file.  This password must be written down in the server.xml file. At the sample SSL configuration file placed at the top of this page, the sample password is 123456.

 

Further information

Additional information can be found at Tomcat website: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

 

 

Installing Soffid using Docker

Guide to the installation process of Soffid IAM using Docker

Installing Soffid using Docker

Installing IAM Console

Guide to install IAM Console using Docker. 

There is a public docker image at docker hub: https://hub.docker.com/r/soffid/iam-console/

Prerequisites

To install the IAM console, a database must be installed and initialized.

You can check the documentation section Initialize database.

Video Tutorial

Installation

To configure IAM console, the following environment variables can be set:

DB_URL: JDBC URL (example: jdbc:mariadb://dbcontainer/soffid)
DB_USER: database user (example: Soffid)
DB_PASSWORD: database password (example: 5uper5ecret)
JAVA_OPT: Java virtual machine options (example: -Xmx4096m)
SECURE (optional): enables the Java Security Manager (example: true)

The following volumes are defined by default:

/opt/soffid/iam-console-3/logs: console log files
/opt/soffid/iam-console-3/docs: text search engine index files. They can be erased at any time; the engine will regenerate the index.
/opt/soffid/iam-console-3/conf: configuration files, including the server.xml and tomee.xml files

Here you have a sample command to start a docker container running the IAM console. In this case the container joins a previously created docker network, where the MariaDB container is also attached.

docker run -d \
   -e DB_URL=jdbc:mysql://mariadb-service/soffid \
   -e DB_USER=soffid \
   -e DB_PASSWORD=soffid \
   --name=iam-console \
   --publish=8080:8080 \
   --network=soffidnet \
   soffid/iam-console

To see console log files, execute:

docker logs -f iam-console

By default, port 8080 is exposed. When the TLS connection is going to be configured, add the option --publish=443:443 to publish the TLS port.

Now you can connect to the IAM Console at http://localhost:8080/soffid. The first thing you must do is change the admin user password.

Next Step: Installing Sync server

 

Installing Soffid using Docker

Installing Sync server

Guide to install Sync server using Docker.

There is a public docker image at docker hub: https://hub.docker.com/r/soffid/iam-sync

Prerequisites

The Soffid IAM sync server has the following requirements:

Video Tutorial

Linux

Installation

To configure the first IAM Sync server, the following environment variables can be set:

DB_URL: JDBC URL (example: jdbc:mariadb://dbcontainer/soffid)
DB_USER: database user (example: Soffid)
DB_PASSWORD: database password (example: 5uper5ecret)
SOFFID_HOSTNAME: the host name used to access the sync server (example: syncserver01.soffid.com)
SOFFID_PORT: TCP port used for incoming connections (example: 760)
SOFFID_MAIN: set to yes for the first sync server, no for the next ones (example: yes)

To configure the next sync servers, the following environment variables can be set:

SOFFID_SERVER: first sync server URL (example: https://syncserver01.soffid.com:1760)
SOFFID_USER: Soffid user to join the security domain (example: admin)
SOFFID_PASS: Soffid user password (example: changeit)
SOFFID_HOSTNAME: the host name used to access the sync server (example: syncserver.soffid.com)
SOFFID_PORT: TCP port used for incoming connections (example: 760)
SOFFID_TENANT: tenant name (example: master)
SOFFID_MAIN: set to yes for the first sync server, no for the next ones (example: no)

To configure a sync server in a private network, not directly accessible from the main sync server, the following environment variables can be set:

SOFFID_SERVER: first sync server URL (example: https://syncserver01.soffid.com:1760)
SOFFID_USER: Soffid user to join the security domain (example: admin)
SOFFID_PASS: Soffid user password (example: changeit)
SOFFID_HOSTNAME: the host name used to access the sync server (example: syncserver.soffid.com)
SOFFID_TENANT: tenant name (example: master)
SOFFID_MAIN: set to yes for the first sync server, no for the next ones (example: no)
SOFFID_REMOTE: flag to enable the cloud protocol (example: yes)

The following volumes are defined by default:

/opt/soffid/iam-console-3/conf: configuration files, including private keys and certificates

Here you have a sample command to start a docker container running the IAM sync server. Be sure to specify the port number to expose the sync server container to the outside world; it is not needed when using the cloud connectivity:

docker run -d \
   -e DB_URL=jdbc:mysql://mariadb-service/soffid \
   -e DB_USER=soffid \
   -e DB_PASSWORD=soffid \
   -e SOFFID_PORT=1760 \
   -e SOFFID_HOSTNAME=syncserver.soffid.com \
   -e SOFFID_MAIN=yes \
   --name=iam-sync \
   --publish 1760:1760 \
   --network=soffidnet \
   soffid/iam-sync

To see sync server log files, execute:

docker logs -f iam-sync

 

Now you can connect to the IAM console at http://localhost:8080/soffid and check that the Console and the Sync server are connected.

 

Installing Soffid on Kubernetes

Guide to the installation process of Soffid IAM on Kubernetes

Installing Soffid on Kubernetes

Installing IAM Console

Guide to install IAM Console on Kubernetes. 

Prerequisites

To install the IAM console, a database must be installed and initialized.

You can check the documentation section Initialize database.

Video Tutorial

Linux

Installation

You can use the docker image described at Installing IAM console using Docker. Here you have a sample Kubernetes YAML descriptor to deploy it.

Mind that any certificate present in the folder /opt/soffid/iam-console-3/trustedcerts is considered a trusted certificate. It is important to include the root sync server certificate and the certificate of any other server the console must connect to.

Another aspect to be aware of is the DNS resolution cache implemented by the Java virtual machine. Because pods and service names often change their IP addresses, it is suggested to disable the DNS cache by adding the -Dsun.net.inetaddr.ttl=-1 parameter.

apiVersion: v1
kind: Secret
metadata:
   name: trusted-certs
data:
   syncserver: <base64-encoded DER certificate of the sync server root CA>
   star_soffid_com: <base64-encoded DER certificate of the console's own domain>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: soffid-console
  labels:
    app: soffid
    type: console
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soffid
      type: console
  template:
    metadata:
      labels:
        app: soffid
        type: console
    spec:
      containers:
      - name: soffid-console
        image: soffid/iam-console:3.0.0
        imagePullPolicy: Always
        resources:
          limits:
            memory: 4Gi
          requests:
            memory: 2Gi
        volumeMounts:
        - name: trusted-certs-volume
          mountPath: /opt/soffid/iam-console-3/trustedcerts
        ports:
        - containerPort: 8080
        env:
            - name: DB_USER
              value: soffid
            - name: DB_PASSWORD
              value: 5uper5ecret
            - name: JAVA_OPT
              value: "-Xmx4048m -Dsun.net.inetaddr.ttl=1"
            - name: DB_URL
              value: jdbc:mariadb://mariadb-service:3306/soffid
      imagePullSecrets:
      - name: regcred
      volumes:
      - name: trusted-certs-volume
        secret: 
          secretName: trusted-certs
---
apiVersion: v1
kind: Service
metadata:
  name: iam-console-service
spec:
  selector:
      app: soffid
      type: console
  type: LoadBalancer
  ports:
  - name: web
    protocol: TCP
    port: 8080
    targetPort: 8080
Linux commands

Apply the YAML file defining the Kubernetes resources:

kubectl apply -f syncserver.yaml

Check deployments:

kubectl get deployments

Check pods: you can check the pods and their status:

kubectl get pods

View IAM console log

kubectl logs <your-pod-iamconsole-name>

Now you can connect to the IAM Console at http://<Node-Ip>:<publish-port>/soffid. The first thing you must do is change the admin user password.

Next Step: Installing Sync server

Installing Soffid on Kubernetes

Installing Sync server

Guide to install Sync server on Kubernetes.

Prerequisites

The Soffid IAM sync server has the following requirements:

Video Tutorial

Linux

Installation

You can use the docker image described at Installing Sync server using Docker. Here you have a sample Kubernetes YAML descriptor to deploy it.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: syncserver-conf-claim
spec:
  storageClassName: standard
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: syncserver01
  labels:
    app: soffid
    type: syncserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soffid
      type: syncserver
  template:
    metadata:
      labels:
        app: soffid
        type: syncserver
    spec:
      containers:
        - name: syncserver
          image: soffid/iam-sync:3.0.0
          ports:
            - containerPort: 760
              name: syncserver-port
          env:
            - name: DB_USER
              value: soffid
            - name: DB_PASSWORD
              value: 5uper5ecret
            - name: SOFFID_HOSTNAME
              value: syncserver01.soffid.com
            - name: SOFFID_MAIN
              value: "yes"
            - name: DB_URL
              value: jdbc:mariadb://mariadb-service/soffid
          volumeMounts:
          - name: conf-storage
            mountPath: /opt/soffid/iam-sync/conf
      volumes:
        - name: conf-storage
          persistentVolumeClaim:
            claimName: syncserver-conf-claim
---
apiVersion: v1
kind: Service
metadata:
  name: syncserver
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  selector:
    app: soffid
    type: syncserver
  ports:
  - name: syncserver
    protocol: TCP
    port: 760
    targetPort: 760

Linux commands

Apply the YAML file defining the Kubernetes resources:

kubectl apply -f syncserver.yaml

Check deployments:

kubectl get deployments

Check pods: you can check the pods and their status:

kubectl get pods

View Sync server log

kubectl logs <your-pod-syncserver-name>

 

Now you can connect to the IAM console at http://<Node-Ip>:<publish-port>/soffid and check that the Console and the Sync server are connected.

Upgrade Soffid3

Upgrade from version 2

These are the steps to upgrade your Soffid 2 deployment to Soffid 3:

  1. Stop the Soffid 2 console.
  2. Install and configure the Soffid 3 IAM console. It will upgrade the database and perform any upgrade task.
    Have a look at the console log file to check the upgrade process log.
  3. Upgrade optional modules. After the console upgrade, most of them will not work as expected. You must upload Soffid 3 compatible versions through the plugins page.
    After uploading them, restart the console.
  4. Upgrade sync servers. Simply install the Soffid 3 sync server on top of the current Soffid 2 sync server.

To upgrade a docker deployment, docker containers must be dropped and created again, using the same parameters used for the initial setup. Tools like Portainer will help you do this task.

To upgrade a Kubernetes deployment, simply change the version tag in your Kubernetes YAML file. The system will pull the image from Docker Hub and will start the service.

Upgrade from version 3

To upgrade a Soffid 3 IAM console, simply install the new packages downloaded from our downloads site. It will replace any component and will restart the service.

If it's needed, it will upgrade the database and perform any upgrade task.

In the same way, to upgrade a Soffid 3 Sync server, install the new packages downloaded from our download site. It will replace any component and will restart the service.

Docker and kubernetes notes

To upgrade a docker deployment, docker containers must be dropped and created again, using the same parameters used for the initial setup. Tools like Portainer will help you do this task.

To upgrade a Kubernetes deployment, simply change the version tag in your Kubernetes YAML file. The system will pull the image from Docker Hub and will start the service.

 

Installing console & sync server &&TODO-DELETE&&

Know how to install Soffid3


Database initialization

First of all, you should install a database required in the Soffid IAM installation.

The supported databases are:

MySQL/MariaDB

In order to configure the MySQL database you need access to the database administration tool (mysql) with superuser permissions over a TCP/IP connection. If needed, create a user for the Soffid installation. If you don't have such a user, or don't know its password, access MySQL as root, execute the mysql tool and create the user with the grant command (where ADMIN_USER is the user to be used during the installation process to create the Soffid repository database and ADMIN_PASSWORD is the required password):

create database soffid;
use soffid;
grant all privileges on *.* to ADMIN_USER@localhost identified by 'ADMIN_PASSWORD' with grant option;

 

In addition, in order to be able to manage big files, like process definitions or software addons, the max_allowed_packet parameter must be modified on MySQL. This parameter is commonly located in the /etc/mysql/my.cnf file:

[mysqld]
max_allowed_packet=128M

If the version of MariaDB is 10.1.38 or newer, the recommended value for max_allowed_packet is 512M.

 

Note: if you get the error 'The size of BLOB/TEXT data inserted in one transaction is greater than 10% of redo log size. Increase the redo log size using innodb_log_file_size.' when trying to upload an addon, increase the default value of this MySQL/MariaDB parameter. This parameter is commonly located in the /etc/mysql/my.cnf file:

[mysqld]
innodb_log_file_size=256M

 

If you are installing on an Ubuntu 18.04 server, the default character set is utf8mb4. Using this character set can cause problems, as many index sizes will exceed the maximum key size of 767 bytes. To prevent this problem, change the following settings:

[mysqld]
character-set-server  = Latin1
collation-server      = Latin1_general_ci

 

Alternatively, if UTF character set is required, write the following  settings:

[mysqld]
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci
innodb_large_prefix   = 1
innodb_file_format    = Barracuda
innodb_file_per_table = 1

 

Following this link you will find the steps to set up a two-node database cluster.

Video Tutorial

How to initialize MariaDB using Docker

Oracle

A new database instance should be created. Optionally, two tablespaces can be created (SOFFID_DATA and SOFFID_INDEX) to separate Soffid tables and indexes.

CREATE TABLESPACE SOFFID_DATA DATAFILE '/app/oracle/oradata/project/soffid_data.dbf' SIZE 200M EXTENT MANAGEMENT LOCAL AUTOALLOCATE;

To create the tablespace it is necessary to provide the full path name, its size and the EXTENT MANAGEMENT LOCAL AUTOALLOCATE option. The autoallocate option is needed because the tables are not sized by the database creation scripts. Also, the Oracle listener must have a TCP/IP port accepting connections.

Microsoft SQLServer

You must enable the SQL Server Browser Service at startup, and the authentication method has to be set to "SQL Server and Windows Authentication mode".

In addition, you must ensure that the READ_COMMITTED_SNAPSHOT option is enabled; you can do so with the following command:

ALTER DATABASE [database_name] SET READ_COMMITTED_SNAPSHOT ON

Creating a multimaster MariaDB replica

This topic covers the process to create a two-node MariaDB cluster. The cluster will be configured to allow the Soffid console to use either database node, which in turn replicates data changes to the other one.

 

Node 1 action
Node 2 action
Create and set up MariaDB in node 1.

Configure MariaDB to generate binary log files. Add the following lines to /etc/mysql/my.cnf:

server-id = 1
log-bin
binlog-format=row
expire_logs_days = 15
max_binlog_size = 1000M
replicate-ignore-table = soffid.SC_SEQUENCE
slave-skip-errors = 1032,1053,1062

 

Restart MariaDB:

service mysql restart

 

  Create and set up MariaDB in node 2.

Configure MariaDB to generate binary log files. Add the following lines to /etc/mysql/my.cnf:

server-id = 2
log-bin
binlog-format=row
expire_logs_days = 15
max_binlog_size = 1000M
replicate-ignore-table = soffid.SC_SEQUENCE
slave-skip-errors = 1032,1053,1062

 

Restart MariaDB:

service mysql restart
 

Create a user for node 1 to fetch data from node 2 (executed on node 2, since the account must exist on the node whose binary log is read). From mysql, execute:

grant replication slave on *.* to replication_user@<NODE1-IP>;

set password for replication_user@<NODE1-IP> = password('<NODE1-PASS>');

Create a user for node 2 to fetch data from node 1 (executed on node 1). From mysql, execute:

grant replication slave on *.* to replication_user@<NODE2-IP>;

set password for replication_user@<NODE2-IP> = password('<NODE2-PASS>');

 

Query current binary log position:

MariaDB [(none)]> show master status;

The result should look like this:

File               Position  Binlog_Do_DB  Binlog_Ignore_DB
mysqld-bin.000030  68175

These values will be used on node 2 to start the replication process.

 
 

Start replication from node 1 to node 2. From mysql on node 2, execute the following statement, replacing the placeholders with the values obtained above:

CHANGE MASTER TO
MASTER_HOST='<NODE1-IP>',
MASTER_USER='replication_user',
MASTER_PASSWORD='<NODE2-PASS>',
MASTER_PORT=3306,
MASTER_LOG_FILE='<NODE1-FILE>' , /** i.e. mysql-bin.000030 **/
MASTER_LOG_POS=<NODE1-POSITION>, /** i.e. 68175 **/
MASTER_CONNECT_RETRY=10;

 

Verify that the replica is working, by executing:

SHOW SLAVE STATUS \G

Check the following lines:

Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Seconds_Behind_Master: 0

 

Query current binary log position:

MariaDB [(none)]> show master status;

The result should look like this:

File               Position  Binlog_Do_DB  Binlog_Ignore_DB
mysqld-bin.000060  98325

These values will be used on node 1 to start the replication process.

Now, start replication from node 2 to node 1. From mysql on node 1, execute the following statement, replacing the placeholders with the values obtained above:

CHANGE MASTER TO
MASTER_HOST='<NODE2-IP>',
MASTER_USER='replication_user',
MASTER_PASSWORD='<NODE1-PASS>',
MASTER_PORT=3306,
MASTER_LOG_FILE='<NODE2-FILE>', /** i.e. mysql-bin.000060 **/
MASTER_LOG_POS=<NODE2-POSITION>, /** i.e. 98325 **/
MASTER_CONNECT_RETRY=10;

 

Verify that the replica is working, by executing:

SHOW SLAVE STATUS \G

Check the following lines:

Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Seconds_Behind_Master: 0

 

Now, create and initialize the SC_SEQUENCE table in node 1. This sequence will generate the values 1, 11, 21, 31, 41, and so on:

CREATE TABLE `SC_SEQUENCE` (
`SEQ_NEXT` bigint(20) NOT NULL,
`SEQ_CACHE` bigint(20) NOT NULL,
`SEQ_INCREMENT` bigint(20) NOT NULL
);

INSERT INTO SC_SEQUENCE VALUES (1, 100, 10);

 
 

Now, create and initialize the SC_SEQUENCE table in node 2. This sequence will generate the values 2, 12, 22, 32, 42, and so on:

CREATE TABLE `SC_SEQUENCE` (
`SEQ_NEXT` bigint(20) NOT NULL,
`SEQ_CACHE` bigint(20) NOT NULL,
`SEQ_INCREMENT` bigint(20) NOT NULL
);

INSERT INTO SC_SEQUENCE VALUES (2, 100, 10);
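As an added example (not part of the Soffid documentation), the following Python script checks the three SHOW SLAVE STATUS fields listed above on constructed sample output, and verifies that the SC_SEQUENCE rows of the two nodes can never hand out the same id. The overlap test is the general rule for any pair of start values and increments, of which the start values 1 and 2 with increment 10 above are one instance; the meaning of SEQ_CACHE (ids reserved per round trip) is an assumption.

```python
import math
import re

# Constructed sample output of "SHOW SLAVE STATUS \G": one healthy node and one
# whose I/O thread cannot reach its master.
HEALTHY_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.0.0.2
                  Master_User: replication_user
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
"""

BROKEN_STATUS = """\
*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: 10.0.0.1
                  Master_User: replication_user
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL
                Last_IO_Error: error connecting to master 'replication_user@10.0.0.1:3306'
"""


def parse_slave_status(text):
    """Turn the \\G style 'Field: value' lines into a dict (the row banner is skipped)."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+):\s?(.*)$", line)
        if m:
            status[m.group(1)] = m.group(2).strip()
    return status


def replica_problems(text, max_lag=0):
    """Check the three fields the guide asks for; an empty list means the replica is healthy."""
    s = parse_slave_status(text)
    problems = []
    if s.get("Slave_IO_Running") != "Yes":
        problems.append("Slave_IO_Running=%s %s" % (s.get("Slave_IO_Running"), s.get("Last_IO_Error", "")))
    if s.get("Slave_SQL_Running") != "Yes":
        problems.append("Slave_SQL_Running=%s %s" % (s.get("Slave_SQL_Running"), s.get("Last_SQL_Error", "")))
    lag = s.get("Seconds_Behind_Master", "")
    # "NULL" means the SQL thread is not applying events at all
    if not lag.isdigit() or int(lag) > max_lag:
        problems.append("Seconds_Behind_Master=%s" % lag)
    return problems


def sequence_values(seq_next, seq_cache, seq_increment, count):
    """First `count` ids a node hands out from its SC_SEQUENCE row (SEQ_NEXT, SEQ_CACHE, SEQ_INCREMENT).

    SEQ_CACHE is assumed to be the number of ids the console reserves per round trip;
    it changes how often the row is updated, not which ids are produced."""
    return [seq_next + i * seq_increment for i in range(count)]


def sequences_disjoint(row1, row2):
    """True when the two nodes' arithmetic progressions can never produce the same id.

    Progressions a + i*p and b + j*q (i, j >= 0) share a value exactly when
    (b - a) is a multiple of gcd(p, q), so the rows are safe when it is not."""
    a, _, p = row1
    b, _, q = row2
    return (b - a) % math.gcd(p, q) != 0


if __name__ == "__main__":
    print("node 1 problems:", replica_problems(HEALTHY_STATUS))
    print("node 2 problems:", replica_problems(BROKEN_STATUS))
    print("node 1 ids:", sequence_values(1, 100, 10, 5))
    print("node 2 ids:", sequence_values(2, 100, 10, 5))
    print("disjoint:", sequences_disjoint((1, 100, 10), (2, 100, 10)))
```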

Now, install heartbeat to create a floating IP address to connect the Soffid console to the database. Create the /etc/ha.d/ha.cf file:

autojoin none
bcast eth0
warntime 3
deadtime 6
initdead 60
keepalive 1
node <NODE1-NAME>
node <NODE2-NAME>
crm respawn

 

Create security token in node 1:

( echo -ne "auth 1\n1 sha1\n"; dd if=/dev/urandom bs=512 count=1 | openssl sha1 | cut --delimiter=' ' --fields=2 ) > /etc/ha.d/authkeys

chmod 600 /etc/ha.d/authkeys

 

 
  Copy both files to node 2: /etc/ha.d/ha.cf and /etc/ha.d/authkeys

Restart the heartbeat service.

Restart the pacemaker service.

 
 

Restart the heartbeat service.

Restart the pacemaker service.

Check cluster status executing

crm_mon -1


It should look like:

Last updated: Mon Dec 26 19:52:24 2016
Last change: Wed Oct 21 15:11:31 2015 via cibadmin on logpmgid01v
Stack: heartbeat
Current DC: <node 1 name> - partition with quorum
Version: 1.1.10-42f2063
2 Nodes configured
0 Resources configured


Online: [ <node 1 name> <node 2 name> ]

 

 
 

Check cluster status executing

crm_mon -1

 

It should look like:

 

Last updated: Mon Dec 26 19:52:24 2016
Last change: Wed Oct 21 15:11:31 2015 via cibadmin on logpmgid01v
Stack: heartbeat
Current DC: <node 1 name> - partition with quorum
Version: 1.1.10-42f2063
2 Nodes configured
0 Resources configured

 

Online: [ <node 1 name> <node 2 name> ]

Disable stonith:

crm configure property stonith-enabled=false

Add floating IP to the cluster:

crm configure
crm(live)configure# primitive site_one_ip IPaddr params ip=<FLOATING-IP> cidr_netmask="<NETMASK>" nic="eth0"
crm(live)configure# location site_one_ip_pref site_one_ip 100: <NODE1-NAME>
crm(live)configure# commit
crm(live)configure# exit

 
Check that the floating IP is up and bound to node 1.


Configuring database cluster

Once the database replica is set up, it is important to guarantee the transactionality rules. To achieve it, one database instance must act as the master and the other as the slave.

Using corosync and pacemaker, you can configure a floating IP address that will mark which one is the active one at each moment.

Node 1
Node 2
Install Corosync and Pacemaker. It is recommended to use apt or yum because these programs will handle dependencies for you, making the process much easier. Install Corosync and Pacemaker.

Cluster nodes need a key in order to authenticate the packets sent between them by Corosync.

sudo corosync-keygen

Once the key has been generated, copy it to the other nodes:

sudo scp /etc/corosync/authkey <user>@<other-cluster-node>:/home/<user>
 
  Once the key has been copied, move it from /home/<user> to /etc/corosync/authkey.
Now we need to tell Corosync which IP to use to communicate with the other nodes in the cluster.
Open /etc/corosync/corosync.conf and edit the bindnetaddr field. Set the right IP and save the file.
We need to do this in every node in the cluster, although you can use the same file if you set the right name in your hosts file.
 
  Configure Corosync with the right IP binding as done in node 1.
Configure the /etc/default/corosync file to enable Corosync by setting START=yes.
Then we can start Corosync using sudo service corosync start.
 
  Enable Corosync and start it as in node 1.

Allow the nodes a few seconds to start, then you can monitor the cluster nodes using sudo crm_mon. The result should be similar to this:

============
Last updated: Mon Mar 31 14:05:23 2015
Stack: corosync
Current DC: yourDC - partition with quorum
Version: 1.x.x-yourversion
2 Nodes configured, 2 expected votes
0 Resources configured.
============

Online: [ node1 node2 ]

  Check the nodes with sudo crm_mon

Corosync is ready, now we will tell Pacemaker which resources we want it to handle in HA. These will be the database and a virtual IP (VIP) we will use to address the cluster.

Add the VIP to the node, and then use this to create the resource:
sudo crm configure primitive FAILOVER-ADDR ocf:heartbeat:IPaddr2 params ip="your.virtual.IP" nic="your.network.device" op monitor interval="10s" meta is-managed="true" 

You can check the result using sudo crm status, which should look something like:

Last updated: Wed Jan 18 10:21:12 2017 Last change: Tue Jan 17 13:08:25 2017 by hacluster via crmd on nodename
Stack: corosync
Current DC: nodename(version 1.1.14-70404b0) - partition with quorum
2 nodes and 2 resources configured

Online: [ node1 node2 ]

Full list of resources:

Resource Group: my_cluster
FAILOVER-ADDR (ocf::heartbeat:IPaddr2): Started node2

 

Now we will add the database. We will use:

sudo crm configure primitive FAILOVER-MARIADB lsb:mysql op monitor interval=15s


Install IAM Console

Introduction

Prerequisites

The Soffid IAM solution has the following requirements:

Video tutorial

Procedure

Download

You can download Soffid 3 components from our website: http://www.soffid.com/download

Depending on your platform, you can download the MSI, RPM or DEB version.

image-1611166649107.png

 

Once the install-x.y.z.sh file is on your computer, copy it to a path on your server.

Installation

Open the installation file. It will create the operating system level service and will start it. After some seconds, the installation wizard will be up and running in port 8080.

Then, open the web browser pointing to http://localhost:8080

The wizard will ask for the following information:

The next step allows you to enter the name and password for the initial Soffid user. You must enter:

Configuring service startup

If you are using the RPM, DEB or MSI installers, the service is automatically configured to start up with the computer. If you are using the .tar.gz file, you must enable it manually. Execute these commands as root to start Soffid IAM console service on boot:

ln -fs /opt/soffid/iam-console-3/bin/catalina.sh /etc/init.d/soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc2.d/S98soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc3.d/S98soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc2.d/K10soffid-iamconsole
ln -fs /etc/init.d/soffid-iamconsole /etc/rc3.d/K10soffid-iamconsole

 

If something is not running as expected, please check the log at:

root@localhost:~# cd /opt/soffid/iam-console-3/logs
root@localhost:/opt/soffid/iam-console-3/logs# less soffid.YEAR-MONTH-DAY.log


Install Sync server

Prerequisites

The Soffid IAM sync server has the following requirements:

Video tutorial

Download

First of all, open your favorite browser and open the Soffid Download Manager.

Click on Synchronization server and download the latest version for your OS.

image-1611166667458.png

 

Installation

Open the installation file. It will install the software and will execute the installation wizard.

The installation wizard will ask if it is the first sync server or not.

Installing the first sync server

If you answer Y to the first question, the wizard will ask for the following information:

After checking the database status, the wizard will register the sync server and will create a new certification authority, as well as a digital certificate for the brand new sync server.

Installing the next sync servers

If you answer N to the first question, the wizard will ask for the following information:

The wizard will connect to the sync server and create a sync server connection request. The administrator must open the "My tasks" page and approve the request. Once the request is approved, the wizard will finish.

Manual Configuration

Manual service configuration

If you are using the RPM, DEB or MSI installers, the service is automatically configured to start up with the computer. If you are using the .tar.gz file, you must enable it manually. Execute these commands as root to start Soffid IAM sync server service on boot:

ln -fs /opt/soffid/iam-sync/bin/soffid-sync /etc/init.d/soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc1.d/K01soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc2.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc3.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc4.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc5.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc6.d/K01soffid-sync

Note that if you are running CentOS, Red Hat 7 or a version newer than Ubuntu 16.04, you should enable the service with systemctl:

sudo systemctl enable soffid-sync

Once you have installed and configured the Soffid Sync Server as a service, you can manage it with the following commands:

service soffid-sync status
service soffid-sync restart
service soffid-sync start
service soffid-sync stop

 

First synchronisation server configuration

It is not recommended to install the first sync server on the same host where the database is installed.

To configure the server, please execute the following commands:

On Linux:

/opt/soffid/iam-sync/bin/configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]

User and password must be the ones created during the installation process.

The hostname value must be a FQDN (fully qualified domain name), for example "myhost.mydomain.com" or, in a test environment, "syncserver.soffid.lab".

Note that the configuration wizard will refuse to register the sync server if it is not really the first sync server. If you really want to register this sync server as the first one, you must open the sync server management page and remove any already registered sync server.

image-1611041442254.png

Next servers configuration

In order to configure the next sync servers, a two-step process is required: first, a normal user installs and configures the sync server software; next, a Soffid administrator allows the sync server to join the sync servers network.

To perform this step, you do not need to enter the database credentials. Instead, the primary sync server URL and a Soffid console user name and password are required.

For instance, you can execute:

On Linux:

/opt/soffid/iam-sync/bin/configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]


After executing the command, an approval task will appear in Soffid console. The administrator can take ownership of the task and approve or reject it. After approving the server creation, the server will be configured as a proxy sync server (without database access).

The administrator can open the sync servers configuration page to change the sync server role at any time.

Configure a synchronization server proxy without approval in UI

If you want to bypass the approval process, there is a configuration setting that allows it:



Thus, you can bypass the standard workflow needed for a synchronization server to join the synchronization servers security network. Otherwise, the standard approval workflow will be required.

Renaming a sync server

You can rename any sync server at any time by removing the conf directory and executing the configure process again, but the main sync server is a special case. If you remove the conf directory, the certification authority managed by the main sync server will be lost, and every single sync server will be thrown out of the security domain.

Instead, to reconfigure the main sync server you can execute:

On Linux:

/opt/soffid/iam-sync/bin/configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid

User and password must be the ones created during the installation process.

The Soffid installation process changes the console setup to reflect the new sync server name.

The -dburl connection parameter depends on the database system:

 


Configure TLS for IAM Console

Introduction

The TLS protection of Soffid IAM Console is applied through the configuration of the Apache TomEE embedded in the installation.

This solution runs on Java, so we need a JKS file (Java KeyStore) or a PKCS#12 file containing your certificate and private key.

Once you have the Console installed and your certificate in JKS format, you can follow these steps to configure it for the first time or to update it.

Note that the network encryption protocol is sometimes still called SSL; in fact, the configuration file still uses the word SSL in its attribute names. However, the SSL protocol is outdated, and TLSv1.2 is used instead.

Configuration

The configuration file to modify is the following one:

/opt/soffid/iam-console-2/conf/server.xml

It can contain one or more connectors. Uncomment or add the following one, that enables the TLS configuration:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           xpoweredBy="false"
           server="Apache TomEE">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/yourcert.jks"
                 certificateKeystorePassword="123456"
                 certificateKeyAlias="yourdomain"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

 

These are the attributes that you have to configure:

Attribute                    Comment
port                         You can choose the standard 443 or another custom port
certificateKeystoreFile      A relative path is resolved from /opt/soffid/iam-console-2/ (the installation directory)
certificateKeystorePassword  The password used to encrypt the jks file
certificateKeyAlias          The alias to identify your key and certificate


Then, copy or replace your jks file at /opt/soffid/iam-console-2/conf/yourcert.jks.

After that, you have to restart the iam-console services.

sudo systemctl restart soffid-iamconsole

If you have a configuration error, you can find more information in the Console log (the current day's log):
/opt/soffid/iam-console-2/logs/soffid-YYYY-MM-DD.log
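An added check (not part of the Soffid documentation) to run over server.xml before restarting the console: it parses the file, confirms that an SSLEnabled connector with a keystore, alias and password exists, resolves the keystore path from the installation directory, and flags the sample password from this page and attributes that belong on <Connector> rather than on <Certificate>. The server.xml text inside is a constructed sample, and the keystore lookup is injectable so the check runs where the real file is absent.

```python
import os
import xml.etree.ElementTree as ET

INSTALL_DIR = "/opt/soffid/iam-console-2"   # relative keystore paths are resolved from here
SAMPLE_PASSWORD = "123456"                   # placeholder password used in the guide's sample
CONNECTOR_ONLY = {"xpoweredBy", "server"}    # Connector attributes; Tomcat warns and ignores them on <Certificate>

# Constructed sample server.xml: one clear-text connector plus a TLS connector that
# still carries the sample password and a misplaced attribute.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/yourcert.jks"
                     certificateKeystorePassword="123456"
                     certificateKeyAlias="yourdomain"
                     type="RSA"
                     xpoweredBy="false" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def check_tls_connectors(server_xml, install_dir=INSTALL_DIR, keystore_exists=os.path.isfile):
    """Return a list of findings for the SSLEnabled connectors; an empty list means nothing to fix.

    keystore_exists is injectable so the check can run where the real keystore is absent."""
    root = ET.fromstring(server_xml)
    tls = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return ['no Connector with SSLEnabled="true": the console only listens in clear text']
    findings = []
    for conn in tls:
        port = conn.get("port", "?")
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:
            findings.append("port %s: SSLEnabled but no <SSLHostConfig><Certificate> element" % port)
            continue
        for cert in certs:
            keystore = cert.get("certificateKeystoreFile")
            if not keystore:
                findings.append("port %s: certificateKeystoreFile is missing" % port)
            else:
                # Tomcat resolves a relative keystore path against the installation directory
                path = keystore if os.path.isabs(keystore) else os.path.join(install_dir, keystore)
                if not keystore_exists(path):
                    findings.append("port %s: keystore %s not found" % (port, path))
            if not cert.get("certificateKeyAlias"):
                findings.append("port %s: certificateKeyAlias is missing (keytool -list shows the aliases)" % port)
            if cert.get("certificateKeystorePassword") == SAMPLE_PASSWORD:
                findings.append("port %s: keystore password is still the sample value" % port)
            misplaced = sorted(CONNECTOR_ONLY & set(cert.keys()))
            if misplaced:
                findings.append("port %s: %s belong on <Connector>, not <Certificate>" % (port, ", ".join(misplaced)))
    return findings


if __name__ == "__main__":
    for finding in check_tls_connectors(SAMPLE_SERVER_XML, keystore_exists=lambda p: True):
        print(finding)
```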

 

Load a PKCS#12 (.PFX) file

There are many standard ways to store and transfer private keys and certificates, but the most common one is the PKCS#12 format. Its main advantage is that it contains, in a single file, both the private key and the public certificate.

To convert the .PFX file to a Java keystore (.JKS), you can use the following command (adapt it to your system). keytool only accepts -destalias together with -srcalias, so <PFX_ALIAS> must be the alias of the key entry inside the PFX file (keytool -list with -storetype PKCS12 shows it):

keytool -v -importkeystore -srckeystore <YOUR_FILE.PFX> -srcstoretype PKCS12 \
  -srcalias <PFX_ALIAS> \
  -destkeystore /opt/soffid/iam-console-2/conf/yourcert.jks \
  -destalias yourdomain -deststoretype JKS

Next, you will be asked for the PFX encryption password. It must have been provided to you along with the PFX file.

Next, you will be asked (probably twice) for the password to be used to encrypt the .JKS file. This password must be written in the server.xml file; in the sample SSL configuration at the top of this page, the sample password is 123456.

 

Further information

Additional information can be found at Tomcat website: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

 

 


Installing IAM console using Docker

There is a public docker image at docker hub: https://hub.docker.com/r/soffid/iam-console/

Prerequisites

To install the IAM console, a database must be installed and initialized.

 

Supported databases are:

 

To configure IAM console, the following environment variables can be set:

Variable      Description                                   Example
DB_URL        JDBC URL                                      jdbc:mariadb://dbcontainer/soffid
DB_USER       Database user                                 Soffid
DB_PASSWORD   Database password                             5uper5ecret
JAVA_OPT      Java virtual machine options                  -Xmx4096m
SECURE        (optional) Enables the Java Security Manager  true


The following volumes are defined by default:

Volume                          Usage
/opt/soffid/iam-console-3/logs  Console log files
/opt/soffid/iam-console-3/docs  Text search engine index files. They can be erased at any time; the engine will regenerate the index
/opt/soffid/iam-console-3/conf  Configuration files, including the server.xml and tomee.xml files

Here you have a sample command to start a docker container running IAM console:

docker run -d \
   -e DB_URL=jdbc:mysql://mariadb-service/soffid \
   -e DB_USER=soffid \
   -e DB_PASSWORD=soffid \
   --name=iam-console \
   --publish=8080:8080 \
   soffid/iam-console

To see console log files, execute:

docker logs -f iam-console

By default, port 8080 is exposed. When the TLS connection is going to be configured, add the option --publish=443:443 to publish the TLS port.

Video Tutorial


Installing Sync server using Docker

There is a public docker image at docker hub: https://hub.docker.com/r/soffid/iam-sync

Supported databases are:

To configure the first IAM sync server, the following environment variables can be set:

Variable         Description                                                 Example
DB_URL           JDBC URL                                                    jdbc:mariadb://dbcontainer/soffid
DB_USER          Database user                                               Soffid
DB_PASSWORD      Database password                                           5uper5ecret
SOFFID_HOSTNAME  The host name used to access the sync server                syncserver01.soffid.com
SOFFID_PORT      TCP port used for incoming connections                      760
SOFFID_MAIN      Set to yes for the first sync server, no for the next ones  yes

To configure the next sync servers, the following environment variables can be set:

Variable         Description                                                 Example
SOFFID_SERVER    First sync server URL                                       https://syncserver01.soffid.com:1760
SOFFID_USER      Soffid user to join the security domain                     admin
SOFFID_PASS      Soffid user password                                        changeit
SOFFID_HOSTNAME  The host name used to access the sync server                syncserver.soffid.com
SOFFID_PORT      TCP port used for incoming connections                      760
SOFFID_TENANT    Tenant name                                                 master
SOFFID_MAIN      Set to yes for the first sync server, no for the next ones  no

To configure a sync server in a private network, not directly accessible from the main sync server, the following environment variables can be set:

Variable         Description                                                 Example
SOFFID_SERVER    First sync server URL                                       https://syncserver01.soffid.com:1760
SOFFID_USER      Soffid user to join the security domain                     admin
SOFFID_PASS      Soffid user password                                        changeit
SOFFID_HOSTNAME  The host name used to access the sync server                syncserver.soffid.com
SOFFID_TENANT    Tenant name                                                 master
SOFFID_MAIN      Set to yes for the first sync server, no for the next ones  no
SOFFID_REMOTE    Flag to enable the cloud protocol                           yes

The following volumes are defined by default:

Volume                          Usage
/opt/soffid/iam-console-3/conf  Configuration files, including private keys and certificates

Here is a sample command to start a docker container running the IAM sync server. Make sure to publish the port number so the sync server is reachable from outside the docker host; this is not needed when using the cloud connectivity (SOFFID_REMOTE=yes):

docker run -d \
   -e DB_URL=jdbc:mysql://mariadb-service/soffid \
   -e DB_USER=soffid \
   -e DB_PASSWORD=soffid \
   -e SOFFID_PORT=1760 \
   -e SOFFID_HOSTNAME=syncserver.soffid.com \
   -e SOFFID_MAIN=yes \
   --name=iam-sync \
   --publish 1760:1760 \
   soffid/iam-sync

To see sync server log files, execute:

docker logs -f iam-sync
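The three variable sets above correspond to three ways of running a sync server. The following preflight script is an added example and not part of the Soffid documentation; the mode names main, next and remote are my own labels for the first server, a following server and a private-network server. It checks that every variable the chosen mode requires is set and prints the resulting docker run command without starting anything.

```shell
#!/bin/sh
# Added example (not Soffid tooling): build the docker run command for one
# sync server mode and refuse when a required variable is missing.
# Modes: main (first server), next (following server), remote (private network).

require_vars() {
    for v in "$@"; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing required variable: $v" >&2; return 1; }
    done
}

# Usage: sync_server_run_cmd main|next|remote   (prints the command only)
sync_server_run_cmd() {
    mode=$1
    case $mode in
        main)   require_vars DB_URL DB_USER DB_PASSWORD SOFFID_HOSTNAME SOFFID_PORT || return 1
                vars="DB_URL DB_USER DB_PASSWORD SOFFID_HOSTNAME SOFFID_PORT"
                SOFFID_MAIN=yes ;;
        next)   require_vars SOFFID_SERVER SOFFID_USER SOFFID_PASS SOFFID_HOSTNAME SOFFID_PORT SOFFID_TENANT || return 1
                vars="SOFFID_SERVER SOFFID_USER SOFFID_PASS SOFFID_HOSTNAME SOFFID_PORT SOFFID_TENANT"
                SOFFID_MAIN=no ;;
        remote) require_vars SOFFID_SERVER SOFFID_USER SOFFID_PASS SOFFID_HOSTNAME SOFFID_TENANT || return 1
                vars="SOFFID_SERVER SOFFID_USER SOFFID_PASS SOFFID_HOSTNAME SOFFID_TENANT SOFFID_REMOTE"
                SOFFID_MAIN=no; SOFFID_REMOTE=yes ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cmd="docker run -d"
    for v in $vars SOFFID_MAIN; do
        # each value is single-quoted so the printed command survives spaces
        eval "cmd=\"\$cmd -e $v='\${$v}'\""
    done
    # Only a directly reachable sync server needs its port published;
    # with the cloud protocol (SOFFID_REMOTE=yes) the server dials out instead.
    if [ "$mode" != remote ]; then
        cmd="$cmd --publish $SOFFID_PORT:$SOFFID_PORT"
    fi
    echo "$cmd --name=iam-sync soffid/iam-sync"
}
```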

 


Deploy IAM Console in Kubernetes

You can use the docker image described at "Installing IAM console using Docker". Here is a sample Kubernetes YAML descriptor to deploy it.

Note that any certificate present in the folder /opt/soffid/iam-console-3/trustedcerts is treated as a trusted certificate. Make sure to include the root certificate of the sync server, and the certificate of any other service the console must connect to.

Another aspect to be aware of is the DNS resolution cache implemented by the Java virtual machine. Because pods and service names frequently change their IP address, it is suggested to disable the DNS cache by adding the -Dsun.net.inetaddr.ttl=-1 parameter.

apiVersion: v1
kind: Secret
metadata:
   name: trusted-certs
data:
   syncserver: MIIC+TCCAeGgAwIBAgIGAWwFI+dWMA0GCSqGSIb3DQEBCwUAMDMxDzANBgNVBAMMBlJvb3RDQTEPMA0GA1UECwwGbWFzdGVyMQ8wDQYDVQQKDAZTb2ZmaWQwHhcNMTkwNzE3MTMwMjE0WhcNMjkwNzE4MTMwMjE0WjAzMQ8wDQYDVQQDDAZSb290Q0ExDzANBgNVBAsMBm1hc3RlcjEPMA0GA1UECgwGU29mZmlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkRq5/Kq1a/WlI00xzuxj0CDaH/L3G01dN5tXEFMXnm4VgDaaQXEjxGL0HEO47flDWGvJckLxIHSgEtRaHTquLRYLfHwHw3S0CC/DqdYcMZGG7QkCHDfdGunIoRGvWOAYOaV0pSiqBsfXhqG/7R4Ux7kx7mWoRXHnTyWXZl6tlNl9k2fC47foI5uMsblB3bybNnzLw2JvdwC6I8bbzf1j38r98WevdzQMVYxn10CQjLz2ZN7irYpgHzaBPoZlwKNVBhf7Tke9TDWuGO5G2UXTpys3euyTFw82TeetNTydcVK8SpdGKMlN95Cj2pgwzzz9d+qaMbN0tJu2CuGO+TROwIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQApbPFO3fMlLOdvgx+O8w7JJyxOJNG+ogV7QH+ipxM6eyCWLI7euJbRSc7skR61Hw0H6Ka+ExFjHOqe0u/ysIg/ITlWTV6olaD8OpT3GKsZqhiQpBO6dKqPs8JcwMt4gBbQ7YxfYefk3OER6PUG9sk8OPMmdeF+jQu1bWijUNPB0qEPio+NWXc+SF0/Ij1DQF2sW9yDb5LvsbgrkQXewvp6eUJPpwHh+pGqNKKuHkwTCfu5cUtNBMAC6CQjjCm6CUy4BYxRcF3zfzjV2nK3zTeshF7wlK95ZMaC8IGYbYwZ86qT/x/PxX/qYOjRftSr6/Y58heYvfXLFM1pceQYVW9v
   star_soffid_com: <base64-encoded certificate>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: soffid-console
  labels:
    app: soffid
    type: console
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soffid
      type: console
  template:
    metadata:
      labels:
        app: soffid
        type: console
    spec:
      containers:
      - name: soffid-console
        image: soffid/iam-console:3.0.0-beta-1
        imagePullPolicy: Always
        resources:
          limits:
            memory: 4Gi
          requests:
            memory: 2Gi
        volumeMounts:
        - name: trusted-certs-volume
          mountPath: /opt/soffid/iam-console-3/trustedcerts
        ports:
        - containerPort: 8080
        env:
            - name: DB_USER
              value: soffid
            - name: DB_PASSWORD
              value: 5uper5ecret
            - name: JAVA_OPT
              value: "-Xmx4048m -Dsun.net.inetaddr.ttl=1"
            - name: DB_URL
              value: jdbc:mariadb://mariadb-service:3306/soffid
      imagePullSecrets:
      - name: regcred
      volumes:
      - name: trusted-certs-volume
        secret: 
          secretName: trusted-certs
---
apiVersion: v1
kind: Service
metadata:
  name: iam-console-service
spec:
  selector:
      app: soffid
      type: console
  type: LoadBalancer
  ports:
  - name: web
    protocol: TCP
    port: 8080
    targetPort: 8080

Deploy Sync server in Kubernetes

You can use the docker image described at "Installing Sync server using Docker". Here is a sample Kubernetes YAML descriptor to deploy it.

Note that any certificate present in the folder /opt/soffid/iam-sync/trustedcerts is treated as a trusted certificate. Make sure to include the root certificate of the sync server, and the certificate of any other service the sync server must connect to.

Another aspect to be aware of is the DNS resolution cache implemented by the Java virtual machine. Because pods and service names frequently change their IP address, it is suggested to disable the DNS cache by adding the -Dsun.net.inetaddr.ttl=-1 parameter. Unlike the IAM console, the Java options for the sync server are not placed in the Kubernetes descriptor, but in the console page used to manage the sync server configuration.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: syncserver-conf-claim
spec:
  storageClassName: standard
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: syncserver01
  labels:
    app: soffid
    type: syncserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: soffid
      type: syncserver
  template:
    metadata:
      labels:
        app: soffid
        type: syncserver
    spec:
      containers:
        - name: syncserver
          image: soffid/iam-sync:3.0.0-beta-1
          ports:
            - containerPort: 760
              name: syncserver-port
          env:
            - name: DB_USER
              value: soffid
            - name: DB_PASSWORD
              value: 5uper5ecret
            - name: SOFFID_HOSTNAME
              value: syncserver01.soffid.com
            - name: SOFFID_MAIN
              value: "yes"
            - name: DB_URL
              value: jdbc:mariadb://mariadb-service/soffid
          volumeMounts:
          - name: conf-storage
            mountPath: /opt/soffid/iam-sync/conf
      volumes:
        - name: conf-storage
          persistentVolumeClaim:
            claimName: syncserver-conf-claim
---
apiVersion: v1
kind: Service
metadata:
  name: syncserver
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  selector:
    app: soffid
    type: syncserver
  ports:
  - name: syncserver
    protocol: TCP
    port: 760
    targetPort: 760
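Both descriptors above mount a Secret whose keys become files in the trustedcerts folder, and each value must be the single-line base64 encoding of the certificate file. The following script is an added example, not part of the Soffid documentation: it builds that Secret from certificate files on disk, refusing files that are not PEM or DER certificates so that arbitrary content never lands in the trust folder. The key naming (file name without extension, dots replaced by underscores, giving star_soffid_com for star.soffid.com.crt) is my assumption modelled on the keys in the descriptor above.

```shell
#!/bin/sh
# Added example (not Soffid tooling): generate the trusted-certs Secret that the
# console and sync server Deployments mount into their trustedcerts folder.
# Usage: gen_trusted_certs_secret SECRET_NAME CERT_FILE...

# Accept PEM certificates (BEGIN CERTIFICATE header) or DER files, which
# always start with an ASN.1 SEQUENCE tag (byte 0x30). Anything else is refused.
is_certificate_file() {
    f=$1
    [ -s "$f" ] || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        return 0
    fi
    [ "$(od -An -N1 -tx1 "$f" | tr -d ' ')" = "30" ]
}

# Secret data values must be base64 on a single line (no wrapping).
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# File name -> Secret key (assumed convention): drop the extension and
# replace every character outside [A-Za-z0-9_-] with an underscore.
secret_key_for() {
    basename "$1" | sed -e 's/\.[^.]*$//' -e 's/[^A-Za-z0-9_-]/_/g'
}

gen_trusted_certs_secret() {
    name=$1; shift
    [ $# -gt 0 ] || { echo "no certificate files given" >&2; return 1; }
    for f in "$@"; do
        is_certificate_file "$f" || { echo "not a certificate: $f" >&2; return 1; }
    done
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n' "$name"
    for f in "$@"; do
        printf '  %s: %s\n' "$(secret_key_for "$f")" "$(b64_oneline "$f")"
    done
}
```

Pipe the output into kubectl apply, or save it and reference it from the volumes section of the Deployment as the descriptors above do.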

Upgrade Soffid 3

Upgrade from version 2

These are the steps to upgrade your Soffid 2 deployment to Soffid 3:

  1. Stop the Soffid 2 console.
  2. Install and configure the Soffid 3 IAM console. It will upgrade the database and perform any pending upgrade task.
    Have a look at the console log file to check the upgrade process log.
  3. Upgrade optional modules. After the console upgrade, most of them will not work as expected. You must upload Soffid 3 compatible versions through the plugins page.
    After uploading them, restart the console.
  4. Upgrade sync servers. Simply install the Soffid 3 sync server on top of the current Soffid 2 sync server.

To upgrade a docker deployment, docker containers must be dropped and created again, using the same parameters used for the initial setup. Tools like Portainer will help you do this task.

To upgrade a Kubernetes deployment, simply change the version tag in your Kubernetes YAML file. The system will pull the image from docker hub and start the service.

Upgrade from version 3

To upgrade a Soffid 3 IAM console, simply install the new packages downloaded from our downloads site. It will replace any component and will restart the service.

If it's needed, it will upgrade the database and perform any upgrade task.

In the same way, to upgrade a Soffid 3 Sync server, install the new packages downloaded from our download site. It will replace any component and will restart the service.

Docker and Kubernetes notes

To upgrade a docker deployment, docker containers must be dropped and created again, using the same parameters used for the initial setup. Tools like Portainer will help you do this task.

To upgrade a Kubernetes deployment, simply change the version tag in your Kubernetes YAML file. The system will pull the image from docker hub and start the service.