Installation instructions¶
Make sure you have installed the requirements before you continue.
Configure Docker¶
Edit the docker configuration file /etc/sysconfig/docker
Login
To download the containers you first need to log in to the registry `release.onewelcome.com` with the Docker client (`docker login release.onewelcome.com`) using the login credentials provided to you. Do not bake these credentials into scripts or images; `docker login` stores them in the Docker client's credential store.
NOTE: If you did not receive any login credentials, please contact Onegini support.
Create the docker-compose.yml file
Create /etc/onegini/docker-compose.yml with the following content. Treat this file as sensitive: it holds database, LDAP and encryption passwords as well as OAuth client credentials. The credential values shown in the example are public example values — generate your own unique values before use, restrict the file's permissions to the deploying user (for example `chmod 600`), or move the secrets into an env_file or Docker secrets.
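# Example docker-compose file for the Onegini Token Server (engine + admin)
# behind the Onegini Security Proxy, with MariaDB, OpenLDAP, Redis
# (master/slave plus three sentinels) and Consul as supporting services on a
# private bridge network (192.168.100.0/24).
#
# Every value in angle brackets (<...>) must be replaced before use.
# SECURITY: all passwords, encryption passwords and client credentials below
# are placeholders. Generate a unique value for each one (for example with
# `openssl rand -hex 32`) and never reuse values that have been published in
# documentation. Prefer an env_file or Docker secrets over keeping them in
# this file, and keep the file readable by the deploying user only.
version: "2"
services:
  proxy:
    image: release.onewelcome.com/onegini/security-proxy:<SECURITY_PROXY_VERSION>
    mem_limit: 512mb
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Djava.net.preferIPv4Stack=true
      - SP_JAVA_OPTS=-Xmx256m -Xms256m
      - TVS_JAVA_OPTS=-Xmx128m -Xms128m
      # Enable properties provisioning from the discovery backend
      - SECURITY_PROXY_PROVISIONING_ENABLED=true
      # Discovery backend. Whoever can write to this Consul instance can change
      # the proxy's provisioned properties, so it must not be reachable from
      # untrusted networks (see the `consul` service below).
      - CONSUL_HTTP_ADDR=consul:8500
      # Security Proxy property encryption password. The original example used
      # the same value here and for TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD
      # in `engine`/`admin`; check the Properties documentation for whether
      # they must match before choosing different values.
      - SECURITY_PROXY_COMMON_PROPERTY_ENCRYPTION_PASSWORD=<PROPERTY_ENCRYPTION_PASSWORD>
      # Security Proxy backends
      - SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS=engine:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_HOSTS=admin:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_CONTEXT_ROOT=/admin
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_PROXY_SCHEME=http
      # 0.0.0.0/0 makes the admin console reachable from any source address
      # through the published port 80. Restrict this to your management
      # network's CIDR before the proxy is reachable from the internet.
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_ALLOW=0.0.0.0/0
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_HOSTS=client:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_CONTEXT_ROOT=/client
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_ALLOW=0.0.0.0/0
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_HOSTS=gateway:8080
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_CONTEXT_ROOT=/resource
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_ALLOW=0.0.0.0/0
      # Token validation at the proxy is switched off for this resource
      # gateway in the example. If you rely on the proxy to validate access
      # tokens before requests reach the resource server, set this to true.
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_TOKEN_VALIDATION_ENABLED=false
      # API client credentials the proxy uses towards the Token Server
      - SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID=<TOKEN_SERVER_API_CLIENT_ID>
      - SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET=<TOKEN_SERVER_API_CLIENT_SECRET>
      # Cache
      - SECURITY_PROXY_CACHE_ENCRYPTION_PASSWORD=<CACHE_ENCRYPTION_PASSWORD>
      - SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_DURATION_IN_MINUTES=1
      - SECURITY_PROXY_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - SECURITY_PROXY_REDIS_SENTINEL_MASTER_ID=mymaster
    depends_on:
      - redis-master-sentinel
      - consul
    networks:
      overlay:
        # The `client` service addresses the proxy by this IP; keep the two
        # in sync if you change it. An explicit gateway is set on the network
        # so that this address is free for the proxy.
        ipv4_address: 192.168.100.1
    ports:
      # Plain HTTP on the host's port 80. Terminate TLS in front of this port
      # (or configure it on the proxy) before exposing it outside a trusted
      # network; the `client` service below already expects https URLs.
      - "80:8080"
  engine:
    image: release.onewelcome.com/onegini/token-server-engine:<TOKEN_SERVER_VERSION>
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Xms512m -Xmx512m
      # Token Server property encryption password (same value as in `admin`)
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=<PROPERTY_ENCRYPTION_PASSWORD>
      # Token server url
      - TOKEN_SERVER_URL=http://<SERVER IP>
      # Database (credentials must match the `database` service)
      - DATABASE_TYPE=mysql
      - SPRING_DATASOURCE_USERNAME=onegini
      - SPRING_DATASOURCE_PASSWORD=<DATABASE_PASSWORD>
      # Same value as in `admin`; keep a secure backup of it
      - DATABASE_ENCRYPTION_PASSWORD=<DATABASE_ENCRYPTION_PASSWORD>
      - SPRING_DATASOURCE_URL=jdbc:mysql://192.168.100.5:3306/tokenserver?autoReconnect=true
      - SPRING_FLYWAY_ENABLED=true
      # Redis
      - TOKEN_SERVER_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - TOKEN_SERVER_REDIS_SENTINEL_MASTER_ID=mymaster
    # `expose` instead of `ports`: a bare container port listed under `ports`
    # is published on an ephemeral host port on all host interfaces, which
    # would make the engine reachable without going through the Security
    # Proxy. `expose` keeps it reachable from the overlay network only.
    expose:
      - "8080"
      - "8443"
    depends_on:
      - database
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.2
  admin:
    image: release.onewelcome.com/onegini/token-server-admin:<TOKEN_SERVER_VERSION>
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Xms256m -Xmx256m
      # Token Server url
      - TOKEN_SERVER_URL=http://<SERVER IP>
      # Token Server property encryption password (same value as in `engine`)
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=<PROPERTY_ENCRYPTION_PASSWORD>
      # Database (credentials must match the `database` service)
      - DATABASE_TYPE=mysql
      - SPRING_DATASOURCE_USERNAME=onegini
      - SPRING_DATASOURCE_PASSWORD=<DATABASE_PASSWORD>
      # Same value as in `engine`
      - DATABASE_ENCRYPTION_PASSWORD=<DATABASE_ENCRYPTION_PASSWORD>
      - SPRING_DATASOURCE_URL=jdbc:mysql://192.168.100.5:3306/tokenserver?autoReconnect=true
      - SPRING_FLYWAY_ENABLED=true
      # Ldap (values must match the `ldap` service). ldap:// without TLS is
      # acceptable only because the traffic stays on the private container
      # network; use ldaps:// for a directory outside this host.
      - TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=onegini,dc=com
      - TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://192.168.100.7:1389
      # Bind DN placed under LDAP_ROOT (dc=onegini,dc=com). The original
      # example used cn=admin,dc=example,dc=org, which does not match the
      # directory root configured in the `ldap` service.
      - TOKEN_SERVER_ADMIN_LDAP_BIND_DN=cn=admin,dc=onegini,dc=com
      - TOKEN_SERVER_ADMIN_LDAP_BIND_PWD=<LDAP_ADMIN_PASSWORD>
      - TOKEN_SERVER_ADMIN_LDAP_USER_DNS=cn={0},ou=users
      - TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_BASE=cn=admins,ou=users
      - TOKEN_SERVER_ADMIN_LDAP_GROUP_SEARCH_FILTER=member={0}
      - TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME=admins
      # Redis
      - TOKEN_SERVER_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - TOKEN_SERVER_REDIS_SENTINEL_MASTER_ID=mymaster
    depends_on:
      - database
      - ldap
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.3
  client:
    # Test/demo client (see the image name); remove it from a production
    # deployment once the installation has been verified.
    image: release.onewelcome.com/onegini/token-server-test-client:<TOKEN_SERVER_VERSION>
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Xms256m -Xmx256m
      # Token Server url: the Security Proxy's address on the overlay network
      - TOKEN_SERVER_URL=http://192.168.100.1:8080
      # These public URLs use https, but nothing in this file publishes an
      # https endpoint, so TLS has to be terminated in front of the proxy.
      - TOKEN_SERVER_TEST_CLIENT_URL=https://<SERVER IP>
      - TOKEN_SERVER_CLIENT_AUTHORIZE_URI=https://<SERVER IP>/oauth/authorize
    networks:
      overlay:
        ipv4_address: 192.168.100.4
  database:
    # Pin a specific MariaDB version (or image digest) instead of `latest`
    # so that upgrades are deliberate and deployments are reproducible.
    image: mariadb:latest
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=<DATABASE_ROOT_PASSWORD>
      - MYSQL_DATABASE=tokenserver
      - MYSQL_USER=onegini
      # Must match SPRING_DATASOURCE_PASSWORD in `engine` and `admin`
      - MYSQL_PASSWORD=<DATABASE_PASSWORD>
    # Reachable from the overlay network only; `ports: - 3306` would publish
    # the database on a random host port on all host interfaces.
    expose:
      - "3306"
    networks:
      overlay:
        ipv4_address: 192.168.100.5
  ldap:
    # Pin a specific version (or image digest) instead of `latest`.
    image: bitnami/openldap:latest
    restart: always
    environment:
      - LDAP_ROOT=dc=onegini,dc=com
      - LDAP_ADMIN_USERNAME=admin
      # Must match TOKEN_SERVER_ADMIN_LDAP_BIND_PWD in `admin`
      - LDAP_ADMIN_PASSWORD=<LDAP_ADMIN_PASSWORD>
      # Example accounts. `admins` is the group the `admin` service looks up as
      # its administrator group (TOKEN_SERVER_ADMIN_LDAP_GROUPS_ADMIN_GROUP_NAME),
      # so these users are expected to become admin-console administrators.
      # Replace them with your own accounts and strong passwords.
      - LDAP_USERS=user1,user2
      - LDAP_PASSWORDS=<USER1_PASSWORD>,<USER2_PASSWORD>
      - LDAP_GROUP=admins
    # Reachable from the overlay network only; `ports: - 1389` would publish
    # the directory on a random host port on all host interfaces.
    expose:
      - "1389"
    networks:
      overlay:
        ipv4_address: 192.168.100.7
  # Redis is not published on any host port; keep it that way, since no
  # authentication is configured for it in this file.
  redis-master:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    restart: always
    environment:
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.8
      - REDIS_ANNOUNCE_PORT=6379
    networks:
      overlay:
        ipv4_address: 192.168.100.8
  redis-slave:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    restart: always
    environment:
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.9
      - REDIS_ANNOUNCE_PORT=6379
      - REDIS_SLAVE=True
      - REDIS_SLAVEOF_IP=192.168.100.8
      - REDIS_SLAVEOF_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.9
  redis-master-sentinel:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    restart: always
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.10
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.10
  redis-slave-sentinel:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    restart: always
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      # Announce/master addresses corrected to the 192.168.100.0/24 overlay
      # subnet; the original example used 192.168.0.11 / 192.168.0.8, which
      # are not on this network.
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.11
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.11
  redis-slave-sentinel-failover:
    image: release.onewelcome.com/onegini/redis:1.0.0
    user: onegini
    restart: always
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.12
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.12
  consul:
    # Pin a specific version (or image digest) instead of `latest`.
    image: consul:latest
    restart: always
    # No ACL configuration is given for Consul here, and the proxy provisions
    # its properties from it. Bind the HTTP API/UI to loopback only; the proxy
    # reaches it over the overlay network (consul:8500) regardless.
    ports:
      - "127.0.0.1:8500:8500"
    # Attach to the overlay network so that `consul:8500` resolves from the
    # proxy; a service without `networks` only joins the compose `default`
    # network, which the other services are not on.
    networks:
      - overlay
networks:
  overlay:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.100.0/24
          # Docker otherwise reserves the first address of the subnet
          # (192.168.100.1) for the gateway, which the `proxy` service uses.
          gateway: 192.168.100.254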
Note: Replace `<SECURITY_PROXY_VERSION>` and `<TOKEN_SERVER_VERSION>` with the actual version numbers (you can find them on the Releases page in the Onegini docs), and replace `<SERVER IP>` with the address under which the Security Proxy is reachable by its users. Also replace every password, encryption password and client secret in the file with a value you generated yourself; never start the stack with the published example values.
Configure Token Server via Docker Compose environment variables¶
The Onegini Token Server uses Docker Compose environment variables to manage application properties. You can find all properties which can be configured in the Properties section of the Token Server Documentation.
For example, consider the following environment variable as described in the docs:
Environment variable | Default | Example | Description
---|---|---|---
TOKEN_SERVER_ADMIN_GENERAL_PUBLIC_URL | | /onegini/admin | URL to which the user is redirected after successful logout.
To configure this Token Server Admin property with the example value, add the following line to the `environment` section of the `admin` service in the docker-compose file:
admin:
...
environment:
- TOKEN_SERVER_ADMIN_GENERAL_PUBLIC_URL=/onegini/admin
...
Note: Properties common to the Token Server Admin and Engine must be provided to both services (`admin` and `engine`), with identical values, as the database and encryption settings in the example above show. Not all properties are mandatory; some have default values.
Start the Token Server
Now start the stack with Docker Compose, for example: `docker-compose -f /etc/onegini/docker-compose.yml up -d`
Open the browser and go to http://<SERVER IP>/admin. Note that this is plain HTTP on port 80; put TLS in front of it before using the console outside a trusted network. You can now log in with an administrator account such as `admin`, `operator` or `helpdesk`, provided that account exists in the LDAP directory the `admin` service is configured against and is a member of its admin group (`admins`); the example compose file only defines the directory administrator `admin` and the users `user1` and `user2`.
Next steps¶
To customise your installation please have a look at the configuration section.