
Installation instructions

Make sure you have installed the requirements before you continue.

Configure Docker

Edit the docker configuration file /etc/sysconfig/docker

# The daemon is bound to the local unix socket only (no TCP endpoint is configured);
# --bip sets the docker0 bridge address, which must not overlap the 192.168.100.0/24
# subnet used by the compose network further down this page.
DOCKER_OPTIONS = --host=unix:///var/run/docker.sock --bip=172.16.0.1/24

Login

To download the containers you first need to log in with the Docker client using your login credentials.

# Log in with the credentials supplied by Onegini (see the note below); the Docker client
# keeps the login locally for the later image pulls, so run this as the account that will
# pull the images.
$ docker login release.onewelcome.com

NOTE: If you did not receive any login credentials, please contact Onegini support.

Create docker-compose.yml file

Create /etc/onegini/docker-compose.yml with the following content

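version: "2"
services:
  proxy:
    # The only service published to the host (port 80); every other service is reached
    # on the internal "overlay" bridge. All passwords, secrets and client credentials in
    # this file are SAMPLE values shared by every copy of this page: generate unique
    # values per installation (or move them to an env_file kept out of version control)
    # before the stack is reachable by anyone else.
    image: release.onewelcome.com/onegini/security-proxy:<SECURITY_PROXY_VERSION>
    mem_limit: 512mb
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Djava.net.preferIPv4Stack=true
      - SP_JAVA_OPTS=-Xmx256m -Xms256m
      - TVS_JAVA_OPTS=-Xmx128m -Xms128m

      # Enabled properties provisioning
      - SECURITY_PROXY_PROVISIONING_ENABLED=true

      # Discovery backend, reached by service name on the compose network (this does
      # not require the consul service below to publish a port on the host)
      - CONSUL_HTTP_ADDR=consul:8500

      # Security Proxy property encryption password (sample value; the sample uses the
      # same value as TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD in engine and
      # admin -- confirm in the docs whether they must match before choosing new ones)
      - SECURITY_PROXY_COMMON_PROPERTY_ENCRYPTION_PASSWORD=3c0b5011a68bfad582576b4380bf65662dc81745c77e3d8d05a8498c67387ed3

      # Security Proxy backends
      # *_ALLOW=0.0.0.0/0 accepts requests from any source address; restrict the admin
      # backend in particular to the networks that need to reach it.
      - SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS=engine:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_HOSTS=admin:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_CONTEXT_ROOT=/admin
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_ALLOW=0.0.0.0/0

      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_HOSTS=client:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_CONTEXT_ROOT=/client
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_ALLOW=0.0.0.0/0

      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_HOSTS=gateway:8080
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_CONTEXT_ROOT=/resource
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_ALLOW=0.0.0.0/0
      # Token validation is switched OFF for the resource gateway in this sample;
      # review this setting before exposing real resources behind /resource.
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_TOKEN_VALIDATION_ENABLED=false

      # Sample API client credentials for the Token Server (replace)
      - SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID=Eec61WVhtOjesj7BiLTKljdaKdmsc48D2oZKhsroqs
      - SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET=p4XfUcvkwULWsxs7C8sQIg5egZb1bvjNSZpNC2sp8M

      # Cache (sample encryption password; replace)
      - SECURITY_PROXY_CACHE_ENCRYPTION_PASSWORD=WeerM68pac7fjrnKfUNHEeAHbPeEBy
      - SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_DURATION_IN_MINUTES=1

      # Redis sentinels, by service name; must list the three sentinel services below
      - SECURITY_PROXY_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - SECURITY_PROXY_REDIS_SENTINEL_MASTER_ID=mymaster
    depends_on:
      - redis-master-sentinel
      - consul
    networks:
      overlay:
        # NOTE(review): .1 is the address Docker normally gives the bridge gateway when
        # ipam.config sets no explicit gateway; verify the proxy really gets this address
        # (the client service below relies on it via TOKEN_SERVER_URL).
        ipv4_address: 192.168.100.1
    ports:
      - "80:8080"

  engine:
    image: release.onewelcome.com/onegini/token-server-engine:<TOKEN_SERVER_VERSION>
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Xms512m -Xmx512m

      # Token Server property encryption password (sample value; replace, and keep
      # identical to the value configured for the admin service)
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=3c0b5011a68bfad582576b4380bf65662dc81745c77e3d8d05a8498c67387ed3

      # Token server url. The sample is plain http, while the client service below is
      # configured with https:// URLs for the same host, so a TLS endpoint in front of
      # the proxy's port 80 appears to be assumed -- confirm and use the https URL here
      # when that is the case.
      - TOKEN_SERVER_URL=http://<SERVER IP>

      # Database. The JDBC URL points at the fixed ipv4_address of the "database"
      # service; keep the two in sync. Credentials are sample values (replace; they
      # must match MYSQL_USER / MYSQL_PASSWORD of the database service).
      - DATABASE_TYPE=mysql
      - SPRING_DATASOURCE_USERNAME=onegini
      - SPRING_DATASOURCE_PASSWORD=af7a5b7a0d7b858a6d242bb4f3f54d0be65e56853caf71f3321f8fe967b203d1
      - DATABASE_ENCRYPTION_PASSWORD=febc2bce3d4e7082c26e9e57b36f3e0bd71c6e855c173928e476ebcadcff01a9
      - SPRING_DATASOURCE_URL=jdbc:mysql://192.168.100.5:3306/tokenserver?autoReconnect=true
      - SPRING_FLYWAY_ENABLED=true

      # Redis
      - TOKEN_SERVER_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - TOKEN_SERVER_REDIS_SENTINEL_MASTER_ID=mymaster
    # Container ports only (no host mapping): reachable from the compose network
    ports:
      - 8080
      - 8443
    depends_on:
      - database
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.2

  admin:
    image: release.onewelcome.com/onegini/token-server-admin:<TOKEN_SERVER_VERSION>
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Xms256m -Xmx256m

      # Token Server url (see the note on the engine service)
      - TOKEN_SERVER_URL=http://<SERVER IP>

      # Token Server property encryption password (sample value; replace, and keep
      # identical to the value configured for the engine service)
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=3c0b5011a68bfad582576b4380bf65662dc81745c77e3d8d05a8498c67387ed3

      # Database (same values as the engine service; see the notes there)
      - DATABASE_TYPE=mysql
      - SPRING_DATASOURCE_USERNAME=onegini
      - SPRING_DATASOURCE_PASSWORD=af7a5b7a0d7b858a6d242bb4f3f54d0be65e56853caf71f3321f8fe967b203d1
      - DATABASE_ENCRYPTION_PASSWORD=febc2bce3d4e7082c26e9e57b36f3e0bd71c6e855c173928e476ebcadcff01a9
      - SPRING_DATASOURCE_URL=jdbc:mysql://192.168.100.5:3306/tokenserver?autoReconnect=true
      - SPRING_FLYWAY_ENABLED=true

      # Ldap. These values must match what the "ldap" service below creates: the base DN
      # is LDAP_ROOT, and bitnami/openldap creates the admin entry as
      # cn=<LDAP_ADMIN_USERNAME>,<LDAP_ROOT> (verify against the image docs for the tag
      # in use). The bind DN previously used dc=example,dc=org, which does not exist in
      # a tree rooted at dc=onegini,dc=com. BIND_PWD is a sample value (replace together
      # with LDAP_ADMIN_PASSWORD of the ldap service).
      - TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=onegini,dc=com
      - TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://192.168.100.7:1389
      - TOKEN_SERVER_ADMIN_LDAP_BIND_DN=cn=admin,dc=onegini,dc=com
      - TOKEN_SERVER_ADMIN_LDAP_BIND_PWD=adminpassword
      - TOKEN_SERVER_ADMIN_LDAP_USER_DNS=cn={0},ou=users
      - TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_BASE=cn=admins,ou=users
      - TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER=member={0}
      - TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME=admins

      # Redis
      - TOKEN_SERVER_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - TOKEN_SERVER_REDIS_SENTINEL_MASTER_ID=mymaster
    depends_on:
      - database
      - ldap
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.3

  client:
    image: release.onewelcome.com/onegini/token-server-test-client:<TOKEN_SERVER_VERSION>
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Xms256m -Xmx256m

      # Token Server url: the proxy's fixed address on the compose network for
      # server-to-server calls, the public https address for browser-facing URLs
      - TOKEN_SERVER_URL=http://192.168.100.1:8080
      - TOKEN_SERVER_TEST_CLIENT_URL=https://<SERVER IP>
      - TOKEN_SERVER_CLIENT_AUTHORIZE_URI=https://<SERVER IP>/oauth/authorize
    networks:
      overlay:
        ipv4_address: 192.168.100.4

  database:
    # Unpinned tag: pin a specific version (mariadb:<PINNED_VERSION>) so upgrades are
    # deliberate and reproducible; the same applies to the ldap and consul images below.
    image: mariadb:latest
    restart: always
    environment:
      # Sample credentials (replace); MYSQL_USER / MYSQL_PASSWORD must match the
      # SPRING_DATASOURCE_* values of the engine and admin services
      - MYSQL_ROOT_PASSWORD=bc6928048afd11ab649b1876253bb5d16efacfc8d29d7fb11fdebf7d9cc52795
      - MYSQL_DATABASE=tokenserver
      - MYSQL_USER=onegini
      - MYSQL_PASSWORD=af7a5b7a0d7b858a6d242bb4f3f54d0be65e56853caf71f3321f8fe967b203d1
    # Container port only (no host mapping)
    ports:
      - 3306
    networks:
      overlay:
        ipv4_address: 192.168.100.5

  ldap:
    image: bitnami/openldap:latest
    restart: always
    environment:
      # Sample directory bootstrap (replace the passwords); LDAP_ROOT and the admin
      # user are what the admin service's TOKEN_SERVER_ADMIN_LDAP_* settings refer to
      - LDAP_ROOT=dc=onegini,dc=com
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user1,user2
      - LDAP_PASSWORDS=pass1,pass2
      - LDAP_GROUP=admins
    # Container port only (no host mapping)
    ports:
      - 1389
    networks:
      overlay:
        ipv4_address: 192.168.100.7

  redis-master:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    environment:
      # REDIS_ANNOUNCE_IP must equal this service's ipv4_address below
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.8
      - REDIS_ANNOUNCE_PORT=6379
    networks:
      overlay:
        ipv4_address: 192.168.100.8

  redis-slave:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    environment:
      # ANNOUNCE_IP is this service's ipv4_address; SLAVEOF_IP is redis-master's
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.9
      - REDIS_ANNOUNCE_PORT=6379
      - REDIS_SLAVE=True
      - REDIS_SLAVEOF_IP=192.168.100.8
      - REDIS_SLAVEOF_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.9

  redis-master-sentinel:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    environment:
      # ANNOUNCE_IP is this service's ipv4_address; MASTER_IP is redis-master's
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.10
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.10

  redis-slave-sentinel:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    environment:
      # ANNOUNCE_IP is this service's ipv4_address and MASTER_IP is redis-master's; both
      # must be on the 192.168.100.0/24 compose subnet (they previously pointed at
      # 192.168.0.x, which is outside it and matches no service here)
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.11
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.11

  redis-slave-sentinel-failover:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    environment:
      # ANNOUNCE_IP is this service's ipv4_address; MASTER_IP is redis-master's
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.12
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.12

  consul:
    image: consul:latest
    restart: always
    # This publishes Consul's HTTP API on every host interface, although the proxy reaches
    # it as consul:8500 on the compose network. If host access is not needed, drop the
    # mapping; if it is, bind it to loopback ("127.0.0.1:8500:8500") or firewall it.
    # Port mappings are quoted, as for the proxy above, so YAML never reads them as numbers.
    ports:
      - "8500:8500"

networks:
  overlay:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.100.0/24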

Note: Replace <SECURITY_PROXY_VERSION> and <TOKEN_SERVER_VERSION> with the actual version numbers. You can find the version numbers on the Releases page in Onegini docs.

Configure Token Server via Docker Compose environment variables

The Onegini Token Server uses Docker Compose environment variables to manage application properties. You can find all properties which can be configured in the Properties section of the Token Server Documentation.

For example, consider the following environment variable described in the docs:

| Environment variable | Default | Example | Description |
| --- | --- | --- | --- |
| TOKEN_SERVER_ADMIN_GENERAL_PUBLIC_URL | | /onegini/admin | URL to which the user is redirected after successful logout. |

To configure this Token Server Admin property with the example value, add the following line to the environment section of the admin service in the docker-compose file:

  admin:
    ...
    environment:
      # one entry per property: the environment variable name from the docs, '=', the value
      - TOKEN_SERVER_ADMIN_GENERAL_PUBLIC_URL=/onegini/admin
    ...

Note: Properties common to the Admin and Engine Token Server components need to be provided for both Docker Compose services (admin and engine). Not all properties are mandatory to configure; some of them have default values.

Start the Token Server

Now it is time to start the Token Server.

# -d starts the services in the background; the -f path must be the file created in the
# "Create docker-compose.yml file" section above.
$ docker-compose -f /etc/onegini/docker-compose.yml up -d

Open the browser and go to http://<SERVER IP>/admin. You can now log in with the username and password admin, operator or helpdesk. These are well-known sample accounts; do not leave them unchanged on an installation that is reachable by others.

Next steps

To customise your installation, please have a look at the configuration section.