Install a Single Node Target

This chapter presents instructions on deploying Autonomous Identity in a single-target machine that has Internet connectivity. ForgeRock provides a deployer script that pulls a Docker container image from ForgeRock's Google Cloud Registry (gcr.io) repository. The image contains the microservices, analytics, and backend databases needed for the system.

This installation assumes that you set up the deployer script on a separate machine from the target. This lets you launch a build from a laptop or local server.

Figure 8: A single-node target deployment.

Autonomous Identity single node target deployment.

Let's deploy Autonomous Identity on a single-node target on CentOS 7. The following are prerequisites:

  • Operating System. The target machine requires CentOS 7 and Python 2.6 or later. The deployer machine can use any operating system as long as Docker is installed. For this guide, we use CentOS 7 as its base operating system.

  • Memory Requirements. Make sure you have enough free disk space on the deployer machine before running the deployer.sh commands. We recommend at least a 40GB/partition with 14GB used and 27GB free after running the commands.

  • Deployment Requirements. Autonomous Identity provides a Docker image that creates a deployer.sh script. The script downloads additional images necessary for the installation. To download the deployment images, you must first obtain a registry key to log into the ForgeRock Google Cloud Registry (gcr.io). The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.

  • Database Requirements. Decide which database you are using: Apache Cassandra or MongoDB.

Set Up the Target Machine

Autonomous Identity is configured on a target machine. Make sure you have sufficient storage for your particular deployment. For more information on sizing considerations, see Deployment Planning Guide.

  1. The install assumes that you have CentOS 7 as your operating system. Check your CentOS 7 version.

    $ sudo cat /etc/centos-release
  2. Check your Python version. Autonomous Identity supports Python 2.6 and higher.

    $ python --version
  3. Set the user for the target machine to a username of your choice. For example, autoid.

    $ sudo adduser autoid
  4. Set the password for the user you created in the previous step.

    $ sudo passwd autoid
  5. Configure the user for passwordless sudo.

    $ echo "autoid  ALL=(ALL)  NOPASSWD:ALL" | sudo tee /etc/sudoers.d/autoid
  6. Add administrator privileges to the user.

    $ sudo usermod -aG wheel autoid
  7. Change to the user account.

    $ su - autoid
  8. Install yum-utils package on the deployer machine. yum-utils is a utilities manager for the Yum RPM package repository. The repository compresses software packages for Linux distributions.

    $ sudo yum install -y yum-utils

Set Up the Deployer Machine

Set up another machine as a deployer node. You can use any OS-based machine for the deployer as long as it has Docker installed. For this example, we use CentOS 7.

  1. The install assumes that you have CentOS 7 as your operating system. Check your CentOS 7 version.

    $ sudo cat /etc/centos-release
  2. Check your Python version. Autonomous Identity supports Python 2.6 and higher.

    $ python --version
  3. Set the user for the target machine to a username of your choice. For example, autoid.

    # sudo adduser autoid
  4. Set the password for the user you created in the previous step.

    $ sudo passwd autoid
  5. Configure the user for passwordless sudo.

    $ echo "autoid  ALL=(ALL)  NOPASSWD:ALL" | sudo tee /etc/sudoers.d/autoid
  6. Add administrator privileges to the user.

    $ sudo usermod -aG wheel autoid
  7. Change to the user account.

    $ su - autoid
  8. Install yum-utils package on the deployer machine. yum-utils is a utilities manager for the Yum RPM package repository. The repository compresses software packages for Linux distributions.

    $ sudo yum install -y yum-utils
  9. Create the installation directory. Note that you can use any install directory for your system as long as your run the deployer.sh script from there. Also, the disk volume where you have the install directory must have at least 8GB free space for the installation.

    $ mkdir ~/autoid-config

Install Docker on the Deployer Machine

Install Docker on the deployer machine. We run commands from this machine to install Autonomous Identity on the target machine. In this example, we use CentOS 7.

  1. On the target machine, set up the Docker-CE repository.

    $ sudo yum-config-manager \
         --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  2. Install the latest version of the Docker CE, the command-line interface, and containerd.io, a containerized website.

    $ sudo yum install -y docker-ce docker-ce-cli containerd.io
  3. Enable Docker to start at boot.

    $ sudo systemctl enable docker
  4. Start Docker.

    $ sudo systemctl start docker
  5. Check that Docker is running.

    $ systemctl status docker
  6. Add the user to the Docker group.

    $ sudo usermod -aG docker ${USER}
  7. Reset the privileges on the Docker socket.

    $ sudo chmod 666 /var/run/docker.sock

Set Up SSH on the Deployer

  1. On the deployer machine, change to the SSH directory.

    $ cd ~/.ssh
  2. Run ssh-keygen to generate an RSA keypair, and then click Enter. You can use the default filename. Enter a password for protecting your private key.

    $ ssh-keygen -t rsa -C "autoid"

    The public and private rsa key pair is stored in home-directory/.ssh/id_rsa and home-directory/.ssh/id_rsa.pub.

  3. Copy the SSH key to the autoid-config directory.

     $ cp id_rsa ~/autoid-config
  4. Change the privileges and owner to the file.

    $ chmod 400 ~/autoid-config/id_rsa
  5. Copy your public SSH key, id_rsa.pub, to the target machine's ~/.ssh/authorized_keys file.

    Note

    If your target system does not have an /authorized_keys directory, create it using mkdir -p ~/.ssh/authorized_keys.

    $ ssh-copy-id -i id_rsa.pub autoid@34.70.190.144
  6. On the deployer machine, test your SSH connection to the target machine. This is a critical step. Make sure the connection works before proceeding with the installation.

    $ ssh -i ~/.ssh/id_rsa autoid@34.70.190.144
    Last login: Wed Sep 23 14:06:06 2020
  7. While SSH'ing into the target node, set the privileges on your ~/.ssh and ~/.ssh/authorized_keys.

    $ chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
  8. If you successfully accessed the remote server and changed the privileges on the ~/.ssh, enter exit to end your SSH session.

Install Autonomous Identity

  1. On the deployer machine, change to the installation directory.

    $ cd ~/autoid-config
  2. Log in to the ForgeRock Google Cloud Registry (gcr.io) using the registry key. The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.

    $ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid

    You should see:

    Login Succeeded
  3. Run the create-template command to generate the deployer.sh script wrapper and configuration files. Note that the command sets the configuration directory on the target node to /config. The --user parameter eliminates the need to use sudo while editing the hosts file and other configuration files.

    $ docker run --user=`id -u` -v ~/autoid-config:/config -it gcr.io/forgerock-autoid/deployer:2020.10.0 create-template
         ...
    d6c7c6f3303e: Pull complete
    Digest: sha256:15225be65417f8bfb111adea37c83eb5e0d87140ed498bfb624a358f43fb48bf
    Status: Downloaded newer image for gcr.io/forgerock-autoid/autoid/dev-compact/deployer@sha256:15225be65417f8bfb111a
    dea37c83eb5e0d87140ed498bfb624a358f43fb48bf
    Config template is copied to host machine directory mapped to /config
  4. Make the script executable.

    $ chmod +x deployer.sh
  5. To see the list of commands, enter deployer.sh.

    $ ./deployer.sh
    Usage: deployer <command>
    
    Commands:
      create-template
      download-images
      import-deployer
      encrypt-vault
      decrypt-vault
      run
      create-tar
      install-docker
      install-dbutils
      upgrade

Configure Autonomous Identity

The create-template command from the previous section creates a number of configuration files, required for the deployment.

  1. On the deployer machine, open a text editor and edit the ansible.cfg to set up the remote user and SSH private key file location on the target node. Make sure that the remote_user exists on the target node and that the deployer machine can ssh to the target node as the user specified in the id_rsa file. In most cases, you can use the default values.

    [defaults]
    host_key_checking = False
    remote_user = autoid
    private_key_file = id_rsa
  2. On the deployer machine, open a text editor and edit the ~/autoid-config/vars.yml file to configure specific settings for your deployment:

    1. Domain and Target Environment. Set the domain name and target environment specific to your deployment by editing the /autoid-config/vars.xml file. By default, the domain name is set to forgerock.com and the target environment is set to autoid. The default Autonomous Identity URL will be: https://autoid-ui.forgerock.com. For this example, we use the default values.

      domain_name: forgerock.com
      target_environment: autoid

      If you change the domain name and target environment, you need to also change the certificates to reflect the new changes. For more information, see Customize the Domain and Namespace.

    2. Analytics Data Directory and Analytics Configuration Direction. Although rarely necessary for a single node deployment, you can change the analytics and analytics configuration mount directories by editing the properties in the ~/autoid-config/vars.yml file.

      analytics_data_dir: /data
      analytics_conf_dif: /data/conf

    3. Dark Theme Mode. Optional. By default, the Autonomous Identity UI displays its pages with a light background. You can set a dark theme mode by setting the enable_dark_theme property to true.

    4. Database Type. By default, Apache Cassandra is set as the default database for Autonomous Identity. For MongoDB, set the db_driver_type: to mongo.

      db_driver_type: mongo

    5. Private IP Address Mapping. If your external and internal IP addresses are different, for example, when deploying the target host in a cloud, define a mapping between the external IP address and the private IP address in the ~/autoid-config/vars.yml file.

      If your external and internal IP addresses are the same, you can skip this step.

      On the deployer node, add the private_ip_address_mapping property in the ~/autoid-config/vars.yml file. You can look up the private IP on the cloud console, or run sudo ifconfig on the target host. Make sure the values are within double quotes. The key should not be in double quotes and should have two spaces preceding the IP address.

      private_ip_address_mapping:
        external_ip:  "internal_ip"

      For example:

      private_ip_address_mapping:
        34.70.190.144:  "10.128.0.71"
    6. Authentication Option. Autonomous Identity provides a single sign-on (SSO) feature that you can configure with an OIDC identity provider.

    7. JWT Expiry and Secret File. Optional. By default, the session JWT is set at 30 minutes. To change this value, set the jwt_expiry property to a different value.

      jwt_expiry: "30 minutes"

    8. Elasticsearch Heap Size. Optional. The default heap size for Elasticsearch is 1GB, which may be small for production. For production deployments, uncomment the option and specify 2G or 3G.

      #elastic_heap_size: 1g   # sets the heap size (1g|2g|3g) for the Elastic Servers

    9. OpenLDAP. Optional. Autonomous Identity installs an OpenLDAP Docker image on the target server to hold user data. Administrators can add or remove users or change their group privileges using the phpldapadmin command. You can customize your OpenLDAP domain, base DN, and URL to match your company's environment. For more information, see Configuring LDAP.

  3. Open a text editor and enter the target host's public IP addresses in the ~/autoid-config/hosts file. Make sure the target machine's external IP address is accessible from the deployer machine.

    If you configured Cassandra as your database, the ~/autoid-config/hosts file is as follows for single-node target deployments:

    [docker-managers]
    34.70.190.144
    
    [docker-workers]
    34.70.190.144
    
    [docker:children]
    docker-managers
    docker-workers
    
    [cassandra-seeds]
    34.70.190.144
    
    [cassandra-workers]
    34.70.190.144
    
    [spark-master]
    34.70.190.144
    
    [spark-workers]
    34.70.190.144
    
    [analytics]
    34.70.190.144
    
    [mongo_master]
    
    [mongo_replicas]
    
    [mongo:children]
    mongo_replicas
    mongo_master
    
    # ELastic Nodes
    [odfe-master-node]
    34.70.190.144
    
    [odfe-data-nodes]
    
    [kibana-node]
    34.70.190.144

    If you configured MongoDB as your database, the ~/autoid-config/hosts file is as follows for single-node target deployments:

    [docker-managers]
    34.70.190.144
    
    [docker-workers]
    34.70.190.144
    
    [docker:children]
    docker-managers
    docker-workers
    
    [cassandra-seeds]
    
    [cassandra-workers]
    
    [spark-master]
    34.70.190.144
    
    [spark-workers]
    34.70.190.144
    
    [analytics]
    34.70.190.144
    
    [mongo_master]
    34.70.190.144  mongodb_master=True
    
    [mongo_replicas]
    34.70.190.144
    
    [mongo:children]
    mongo_replicas
    mongo_master
    
    # ELastic Nodes
    [odfe-master-node]
    34.70.190.144
    
    [odfe-data-nodes]
    
    [kibana-node]
    34.70.190.144
  4. Open a text editor and set the Autonomous Identity passwords for the configuration service, LDAP backend, and Cassandra database. The vault passwords file is located at ~/autoid-config/vault.yml.

    configuration_service_vault:
      basic_auth_password: Welcome123
    
    openldap_vault:
      openldap_password: Welcome123
    
    cassandra_vault:
      cassandra_password: Welcome123
      cassandra_admin_password: Welcome123
    
    mongo_vault:
      mongo_admin_password: Welcome123
      mongo_root_password: Welcome123
    
    elastic_vault:
      elastic_admin_password: Welcome123
      elasticsearch_password: Welcome123
  5. Encrypt the vault file that stores the Autonomous Identity passwords, located at ~/autoid-config/vault.yml. The encrypted passwords will be saved to /config/.autoid_vault_password. The /config/ mount is internal to the deployer container.

    $ ./deployer.sh encrypt-vault
  6. Download the images. This step downloads software dependencies needed for the deployment and places them in the autoid-packages directory.

    $ ./deployer.sh download-images

    Make sure you have no failed processes before proceeding to the next step

    PLAY RECAP *****************************************************************************
    localhost  : ok=24  changed=17  unreachable=0  failed=0  skipped=0  rescued=0  ignored=0
  7. Run the deployment. The command installs the packages, and starts the microservices and the analytics service. Make sure you have no failed processes before proceeding to the next step.

    $ ./deployer.sh run

    Make sure you have no failed processes before proceeding to the next step.

    PLAY RECAP ************************************************************************************
    34.70.190.144  : ok=450  changed=236  unreachable=0  failed=0  skipped=30  rescued=0  ignored=2
    localhost      : ok=11   changed=5   unreachable=0  failed=0  skipped=6   rescued=0  ignored=0

Resolve Hostname

After installing Autonomous Identity, set up the hostname resolution for your deployment.

Resolve the hostname:

  1. Configure your DNS servers to access Autonomous Identity dashboard and self-service applications on the target node. The following domain names must resolve to the IP address of the target node: <target-environment>-ui.<domain-name> and <target-environment>-selfservice.<domain-name>.

  2. If DNS cannot resolve target node hostname, edit it locally on the machine that you want to access Autonomous Identity using a browser. Open a text editor and add an entry in the /etc/hosts file for the self-service and UI services for each managed target node.

    target-ip-address  <target-environment>-ui.<domain-name> <target-environment>-selfservice.<domain-name>

    For example:

    34.70.190.144  autoid-ui.forgerock.com autoid-selfservice.forgerock.com
  3. If you set up a custom domain name and target environment, add the entries in /etc/hosts. For example:

    34.70.190.144  myid-ui.abc.com  myid-selfservice.abc.com

    For more information on customizing your domain name, see Customize the Domain and Namespace.

Access the Dashboard

Access the Autonomous Identity console UI:

  1. Open a browser, and point it to https://autoid-ui.forgerock.com/ (or your customized URL: https://myid-ui.abc.com).

  2. Log in as a test user: bob.rodgers@forgerock.com. Enter the password: Welcome123.

Check Apache Cassandra

Check Cassandra:

  1. On the target node, check the status of Apache Cassandra.

    $ /opt/autoid/apache-cassandra-3.11.2/bin/nodetool status
  2. An example output is as follows:

    Datacenter: datacenter1
    =======================
    Status=Up/Down
    |/ State=Normal/Leaving/Joining/Moving
    --  Address       Load       Tokens       Owns (effective)  Host ID                               Rack
    UN  34.70.190.144 1.33 MiB   256          100.0%            a10a91a4-96e83dd-85a2-4f90d19224d9  rack1

Check MongoDB

Check the status of MongoDB:

  • On the target node, check the status of MongoDB.

    $ mongo <IP Address> --username "autoidmongo" --password <MongoDB Vault Password>

Check Apache Spark

Check Spark:

  • SSH to the target node and open Spark dashboard using the bundled text-mode web browser

    $ elinks http://localhost:8080

    You should see Spark Master status as ALIVE and worker(s) with State ALIVE.

    An image showing the Spark Dashboard.

Access Self-Service

The self-service feature lets Autonomous Identity users change their own passwords.

Access self-service:

Start the Analytics

If the previous steps all check out successfully, you can start an analytics pipeline run, where association rules, confidence scores, predications, and recommendations are generated. Autonomous Identity provides a small demo data set that lets you run the analytics pipeline on. Note for production runs, prepare your company's dataset as outlined in Data Preparation.

Start the analytics service:

  1. On the deployer node, SSH to the target node.

    $ ssh autoid@<IP-Address>
  2. Check if the analytics service is running. The ./deployer.sh run command should have started the analytics service.

    $ docker ps | grep analytics
  3. If the previous step returns blank, start the analytics service.

    $ docker start analytics
  4. Once you have verified that the analytics service has started, run the analytics pipeline commands. This may take a bit longer than the install, depending on the size of your dataset. For specific information, see Run the Analytics Pipeline.

Read a different version of :