Install Sync server
1. Introduction
2. Prerequisites
The Soffid IAM sync server has the following requirements:
- Linux or Windows
- Java JDK 8 or higher
- 2GB RAM
- 10GB disk space
- Soffid console installed
3. Video tutorial
Windows
Linux
4. Installation
Download
First of all, open your favorite browser and open the Soffid Download Manager.
Click on Synchronization server and download the latest version for your OS.
Installing the Sync Server
Open the installation file. It will install the software and will execute the installation wizard.
The installation wizard will ask if it is the first sync server or not.
Installing the first sync server
If you answer Y to the first question, the wizard will ask for the following information:
- Database URL: Use the same URL used to install the console.
- Database user: The user name to connect to the database. It was used during the console installation.
- Database password: The database user password
- Host name: Enter the fully qualified domain name of the host. IP addresses are not accepted.
- Port to listen: Enter a TCP port number. The sync server will receive connections from the console or other sync servers through this port. The suggested value is 1760.
After checking the database status, the wizard will register the sync server and will create a new certification authority, as well as a digital certificate for the brand new sync server.
Installing the next sync servers
If you answer N to the first question, the wizard will ask for the following information:
- Cloud service: You can install an on-premise sync server connected to a cloud instance. In this case, the communication stack works in a slightly different way. If this is the case, enter Y. If you are connecting to an on-premise Soffid deployment, enter N.
- Server URL: Enter the URL for the first sync server.
- Tenant name: Enter the tenant name. If the sync server is not intended to work with a single tenant, enter master.
- User name: Enter an administrator user name.
- Password: Enter the administrator password.
- Host name: Enter the fully qualified domain name of the host. IP addresses are not accepted.
- Port to listen: Enter a TCP port number. The sync server will receive connections from the console or other sync servers through this port. The suggested value is 1760.
The wizard will connect to the sync server and create a sync server connection request. The administrator must open the "My tasks" page and approve the request. Once the request is approved, the wizard will finish.
5. Manual Configuration
Manual service configuration
If you are using the RPM, DEB or MSI installers, the service is automatically configured to start up with the computer. If you are using the .tar.gz file, you must enable it manually. Execute these commands as root to start Soffid IAM sync server service on boot:
ln -fs /opt/soffid/iam-sync/bin/soffid-sync /etc/init.d/soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc1.d/K01soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc2.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc3.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc4.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc5.d/S06soffid-sync
ln -fs /etc/init.d/soffid-sync /etc/rc6.d/K01soffid-sync
Note that if you are running CentOS, Red Hat 7 or a version of Ubuntu newer than 16.04, you should enable the service with systemctl instead:
sudo systemctl enable soffid-sync
Once you have installed and configured the Soffid Sync Server as a service, you can manage it with the following commands:
service soffid-sync status
service soffid-sync restart
service soffid-sync start
service soffid-sync stop
First synchronisation server configuration
It is not recommended to install the first sync server on the same host where the database is installed.
To configure the server, please execute the following commands:
On Linux:
/opt/soffid/iam-sync/bin/configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]
On Windows:
%ProgramFiles%\soffid\iam-sync\bin\configure -main -hostname [hostname] -port 760 -dbuser [soffid] -dbpass [pass] -dburl [jdbc:mysql://localhost:3306/soffid]
User and password must be the ones created during the installation process.
The hostname value must be a FQDN (fully qualified domain name), for example "myhost.mydomain.com" or, in a test environment, "syncserver.soffid.lab".
Note that the configuration wizard will refuse to register the sync server if this is not really the first sync server. If you really want to register this sync server as the first one, you must open the sync server management page and remove any already registered sync server.
Next servers configuration
In order to configure the next sync servers, a two-step process is required: first, a normal user installs and configures the sync server software; next, a Soffid administrator allows the sync server to join the sync servers network.
For this step, you do not need to enter the database credentials. Instead, the primary sync server URL and a Soffid console user name and password are required.
For instance, you can execute:
On Linux:
/opt/soffid/iam-sync/bin/configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]
On Windows:
%ProgramFiles%\soffid\iam-sync\bin\configure -hostname [hostname] -user [user] -pass [pass] -server [https://yourserver:760] -tenant [master]
After executing the command, an approval task will appear in Soffid console. The administrator can take ownership of the task and approve or reject it. After approving the server creation, the server will be configured as a proxy sync server (without database access).
The administrator can open the sync servers configuration page to change the sync server role at any time.
6. Configure a synchronization server proxy without approval in UI
If you want to bypass the approval process, there is a configuration setting that allows it:
- Open the console and click on Start → Soffid Configuration → Soffid Parameters.
- Click on Add New, then enter the parameter soffid.server.register, set the value to direct and confirm the changes.
Execute the configuration of a synchronization server proxy as follows:
On Linux:
/opt/soffid/iam-sync/bin/configure -hostname hostname -user usuario -pass pass -server https://<yourserver>:760 -tenant master
On Windows:
%ProgramFiles%\soffid\iam-sync\bin\configure -hostname hostname -user usuario -pass pass -server https://<yourserver>:760 -tenant master
Where hostname is the name of the synchronization server proxy, user and pass are the Soffid console user name and password, and the server URL is the URL of the first synchronization server.
- In the Soffid console, go to Start→ Soffid Configuration → Agents and click on Synchronization Servers to check if the synchronization server proxy has been registered.
Thus, you can bypass the standard workflow needed for a synchronization server to join the synchronization servers security network. Otherwise, the standard approval workflow will be required.
Renaming a sync server
You can rename any sync server at any time by removing the conf directory and executing the configure process again, but the main sync server is a special case. If you remove the conf directory, the certification authority managed by the main sync server will be lost, and every single sync server will be thrown out of the security domain.
Instead, to reconfigure the main sync server you can execute:
On Linux:
/opt/soffid/iam-sync/bin/configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid
On Windows:
%ProgramFiles%\soffid\iam-sync\bin\configure -main -force -hostname hostname -dbuser soffid -dbpass pass -dburl jdbc:mysql://localhost:3306/soffid
User and password must be the ones created during the installation process.
The Soffid installation process updates the console setup to reflect the new sync server name.
The database URL parameter (-dburl) depends on the database system:
- For Oracle by SID: jdbc:oracle:thin:@localhost:1571:XXXX
- For Oracle by Service Name: jdbc:oracle:thin:@localhost:1571/XXXX
- For MySQL: jdbc:mysql://localhost:3306/XXXX
- For SQL Server: jdbc:sqlserver://localhost:1433;databaseName=XXXX
- For PostgreSQL: jdbc:postgresql://localhost:5432/XXXX
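The following script is an added example, not part of Soffid's installer: it assembles the -dburl value for each database system listed above, rejects a -hostname that is an IP address or a single-label name (the wizard only accepts a FQDN), and prints the first-server configure command line described in the "First synchronisation server configuration" section. The host name, port and database values are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of Soffid's installer: build the -dburl value for the
# database systems listed above, check that -hostname is a FQDN rather than an
# IP address, and print (do not run) the first-server configure command line.

# build_jdbc_url TYPE HOST PORT NAME: print the JDBC URL in the format Soffid expects
build_jdbc_url() {
  case "$1" in
    oracle-sid)     printf 'jdbc:oracle:thin:@%s:%s:%s\n' "$2" "$3" "$4" ;;
    oracle-service) printf 'jdbc:oracle:thin:@%s:%s/%s\n' "$2" "$3" "$4" ;;
    mysql)          printf 'jdbc:mysql://%s:%s/%s\n' "$2" "$3" "$4" ;;
    sqlserver)      printf 'jdbc:sqlserver://%s:%s;databaseName=%s\n' "$2" "$3" "$4" ;;
    postgresql)     printf 'jdbc:postgresql://%s:%s/%s\n' "$2" "$3" "$4" ;;
    *) echo "unknown database type: $1" >&2; return 1 ;;
  esac
}

# is_fqdn NAME: succeed only for a fully qualified host name (two or more labels);
# a dotted IPv4 address is rejected, as the wizard refuses IP addresses
is_fqdn() {
  if printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1
  fi
  printf '%s' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# configure_cmd HOST PORT DBUSER DBPASS DBURL: print the command for the first
# sync server; fails before printing anything if HOST is not a FQDN
configure_cmd() {
  is_fqdn "$1" || { echo "hostname must be a FQDN, not an IP address: $1" >&2; return 1; }
  printf '/opt/soffid/iam-sync/bin/configure -main -hostname %s -port %s -dbuser %s -dbpass %s -dburl %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample values: the lab host name from the text, the suggested port
# and a local MySQL database named soffid
configure_cmd syncserver.soffid.lab 1760 soffid 'changeme' "$(build_jdbc_url mysql localhost 3306 soffid)"
```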