Install Sync server

Guide to install Synchronization server on your own server

Prerequisites

Soffid IAM sync server has the following prerequisites:

Video tutorial

Windows

Linux

Installation

Download

First of all, open your favorite browser and open the Soffid Download Manager.

Click on Synchronization server and download the latest version for your OS.


Installing Sync Server

Windows

Open the installation file. It will install the software and will execute the installation wizard.

The installation wizard will ask if it is the first sync server or not.

Linux

sudo dpkg -i '/your-path/SOFFID 3 Sync server-Debian_Ubuntu installer-3.0.0.deb'

The installation wizard will ask if it is the first sync server or not.

Installing the first sync server

If you answer Y to the first question, the wizard will ask for the following information:

  • Database URL: Use the same URL used to install the console.
  • Database user: The user name used to connect to the database. It is the one entered during the console installation.
  • Database password: The database user password
  • Host name: Enter the fully qualified domain name of the host. IP addresses are not accepted.
  • Port to listen: Enter a TCP port number. The sync server will receive connections from the console or other sync servers through this port. The suggested value is 1760.

After checking the database status, the wizard will register the sync server and will create a new certification authority, as well as a digital certificate for the brand new sync server.

Installing the next sync servers

If you answer N to the first question, the wizard will ask for the following information:

  • Cloud service: You can install an on-premise sync server connected to a cloud instance. In this case, the communication stack works in a slightly different way. If this is the case, enter Y. If you are connecting to an on-premise Soffid deployment, enter N.
  • Server URL: Enter the URL for the first sync server.
  • Tenant name: Enter the tenant name. If the sync server is not intended to work with a single tenant, enter master.
  • User name: Enter an administrator user name.
  • Password: Enter the administrator password.
  • Host name: Enter the fully qualified domain name of the host. IP addresses are not accepted.
  • Port to listen: Enter a TCP port number. The sync server will receive connections from the console or other sync servers through this port. The suggested value is 1760.

The wizard will connect to the sync server and create a sync server connection request. The administrator must open the "My tasks" page and approve the request. Once the request is approved, the wizard will finish.

Manual Configuration

Manual service configuration

If you are using the RPM, DEB or MSI installers, the service is automatically configured to start up with the computer. If you are using the .tar.gz file, you must enable it manually. Execute these commands as root to start Soffid IAM sync server service on boot:

ln -fs /opt/soffid/iam-sync/bin/soffid-sync /etc/init.d/soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc1.d/K01soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc2.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc3.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc4.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc5.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc6.d/K01soffid-sync

Note that if you are running CentOS, Red Hat 7 or a version higher than Ubuntu 16.04, you should enable the service with systemctl:

sudo systemctl enable soffid-sync

Once you have installed and configured Soffid Sync Server as a service, you can manage it with the following commands:

service soffid-sync status
service soffid-sync restart
service soffid-sync start
service soffid-sync stop
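An added example (not Soffid's own installer script) that automates the choice described above: it uses systemctl where a running systemd is detected and otherwise creates the same init.d and runlevel symlinks as the manual commands, then verifies them. The optional root-prefix parameter is this example's own assumption so the SysV functions can be exercised against a scratch directory.

```shell
# Added example, not part of Soffid: enable soffid-sync at boot on either init system.
# An optional root prefix (default "/") lets the SysV functions run against a scratch dir.
SERVICE=soffid-sync
SYNC_BIN=/opt/soffid/iam-sync/bin/soffid-sync   # launcher path from the page

# Prints "systemd" when a running systemd with systemctl is detected, else "sysv".
detect_init() {
    if [ -d /run/systemd/system ] && command -v systemctl >/dev/null 2>&1; then
        echo systemd
    else
        echo sysv
    fi
}

# Runlevel link name as in the manual commands: K01 in rc1/rc6, S06 in rc2..rc5.
rc_link_name() {
    case $1 in
        1|6) echo "K01$SERVICE" ;;
        *)   echo "S06$SERVICE" ;;
    esac
}

# Create /etc/init.d/soffid-sync and the runlevel symlinks under the root prefix $1.
sysv_enable() {
    root=${1:-/}
    mkdir -p "$root/etc/init.d"
    ln -fs "$SYNC_BIN" "$root/etc/init.d/$SERVICE"
    for rl in 1 2 3 4 5 6; do
        mkdir -p "$root/etc/rc$rl.d"
        ln -fs "/etc/init.d/$SERVICE" "$root/etc/rc$rl.d/$(rc_link_name "$rl")"
    done
}

# Return 0 only if every SysV link exists and points where the page expects.
sysv_check() {
    root=${1:-/}
    [ "$(readlink "$root/etc/init.d/$SERVICE")" = "$SYNC_BIN" ] || return 1
    for rl in 1 2 3 4 5 6; do
        [ "$(readlink "$root/etc/rc$rl.d/$(rc_link_name "$rl")")" = "/etc/init.d/$SERVICE" ] || return 1
    done
    return 0
}
# Entry point (run as root): systemctl on systemd hosts, SysV links elsewhere.
enable_on_boot() {
    if [ "$(detect_init)" = systemd ]; then
        systemctl enable "$SERVICE"
    else
        sysv_enable "${1:-/}" && sysv_check "${1:-/}"
    fi
}
```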

First synchronisation server configuration

It is not recommended to install the first sync server on the same host where the database is installed.

To configure the server, please execute the following commands:

On Linux:

/opt/soffid/iam-sync/bin/configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]

User and password must be the ones created during the installation process.

The hostname value must be a FQDN (fully qualified domain name), for example "myhost.mydomain.com" or, in a test environment, "syncserver.soffid.lab".

Note that the configuration wizard will refuse to register the sync server if this is not really the first sync server. If you really want to register this sync server as the first one, you must open the sync server management page and remove any already registered sync server first.
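An added pre-flight check (example code, not Soffid's own tooling) for the configure arguments used in this and the following sections, enforcing the two rules stated above: the host name must be a FQDN rather than an IP address, and the port must be a valid TCP port number. The function names and the IPv4-literal test are this example's own assumptions; only the configure path and flag names come from the page.

```shell
# Added example, not part of Soffid: validate the arguments before calling the
# configure tool, using the page's rules (FQDN host name, no IP literal; valid TCP port).
CONFIGURE=/opt/soffid/iam-sync/bin/configure   # Linux path from the page

# 0 if $1 looks like a fully qualified domain name: at least two labels of
# letters, digits or hyphens, no empty label, and not a plain IPv4 literal.
is_fqdn() {
    case $1 in
        *[!0-9.]*) ;;               # has a non-digit, so it is not an IPv4 literal
        *) return 1 ;;
    esac
    case $1 in
        *.*) ;;                     # needs at least host.domain
        *) return 1 ;;
    esac
    case $1 in
        .*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;   # bad dots or characters (rejects ':' too)
    esac
    return 0
}

# 0 if $1 is a TCP port number from 1 to 65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Fail early with a message instead of letting the wizard reject the host name later.
check_host_port() {
    is_fqdn "$1" || { echo "host name must be a FQDN, not '$1'" >&2; return 1; }
    is_port "$2" || { echo "port must be 1-65535, not '$2'" >&2; return 1; }
}

# First (main) sync server: same flags as the page's Linux command.
run_main() {  # hostname port dbuser dbpass dburl
    check_host_port "$1" "$2" || return 1
    "$CONFIGURE" -main -hostname "$1" -port "$2" -dbuser "$3" -dbpass "$4" -dburl "$5"
}

# Further (proxy) sync server joining the first one; tenant defaults to master.
run_proxy() {  # hostname user pass server_url [tenant]
    is_fqdn "$1" || { echo "host name must be a FQDN, not '$1'" >&2; return 1; }
    "$CONFIGURE" -hostname "$1" -user "$2" -pass "$3" -server "$4" -tenant "${5:-master}"
}
```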


Next servers configuration

In order to configure the next sync servers, a two-step process is required: first, a normal user installs and configures the sync server software; next, a Soffid administrator allows the sync server to join the sync servers network.

For this configuration step, you do not need to enter the database credentials. Instead, the primary sync server URL and a Soffid console user name and password are required.

For instance, you can execute:

On Linux:

/opt/soffid/iam-sync/bin/configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]


After executing the command, an approval task will appear in the Soffid console. The administrator can take ownership of the task and approve or reject it. After approving the server creation, the server will be configured as a proxy sync server (without database access).

The administrator can open the sync servers configuration page to change the sync server role at any time.

Configure a synchronization server proxy without approval in UI

If you want to bypass the approval process, there is a configuration setting that allows it:

  • Open the console and click on Start → Soffid Configuration → Soffid Parameters.
  • Click on Add New, then write the parameter soffid.server.register, set the value to direct and confirm the changes.

  • Execute the configuration of a synchronization server proxy as follows:

    On Linux:

    /opt/soffid/iam-sync/bin/configure -hostname hostname -user usuario -pass pass -server https://<yourserver>:760 -tenant master

    On Windows:

    %ProgramFiles%\soffid\iam-sync\bin\configure -hostname hostname -user usuario -pass pass -server https://<yourserver>:760 -tenant master

    Where hostname is the name of the synchronization server proxy, user and pass are the Soffid console user name and password and, finally, the server value is the first synchronization server URL.


  • In the Soffid console, go to Start → Soffid Configuration → Agents and click on Synchronization Servers to check whether the synchronization server proxy has been registered.

Thus, you can bypass the standard workflow needed for a synchronization server to join the synchronization servers security network. Otherwise, the standard approval workflow will be required.

Renaming a sync server

You can rename any sync server at any time by removing the conf directory and executing the configure process again, but the main sync server is a special case. If you remove the conf directory, the certification authority managed by the main sync server will be lost, and every single sync server will be thrown out of the security domain.

Instead, to reconfigure the main sync server you can execute

On Linux:

/opt/soffid/iam-sync/bin/configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid

On Windows:

%ProgramFiles%\soffid\iam-sync\bin\configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid

User and password must be the ones created during the installation process.

The Soffid installation process changes the console setup to reflect the new sync server name.

The url connection parameter depends on the database system:


Now you can connect to the IAM console at http://localhost:8080/soffid and check whether the console and sync server are connected.