Install a Single Node Target

The install assumes that you have CentOS 7 as your operating system. Check your CentOS 7 version.

$ sudo cat /etc/centos-release

Set the user for the target machine to a username of your choice. For example, autoid.

$ sudo adduser autoid

Set the password for the user you created in the previous step.

$ sudo passwd autoid

Configure the user for passwordless sudo.

$ echo "autoid  ALL=(ALL)  NOPASSWD:ALL" | sudo tee /etc/sudoers.d/autoid

Add administrator privileges to the user.

$ sudo usermod -aG wheel autoid

Change to the user account.

$ su - autoid

Install yum-utils package on the deployer machine. yum-utils is a utilities manager for the Yum RPM package repository. The repository compresses software packages for Linux distributions.

$ sudo yum install -y yum-utils

The install assumes that you have CentOS 7 as your operating system. Check your CentOS 7 version.

$ sudo cat /etc/centos-release

Set the user for the target machine to a username of your choice. For example, autoid.

# sudo adduser autoid

Set the password for the user you created in the previous step.

$ sudo passwd autoid

Configure the user for passwordless sudo.

$ echo "autoid  ALL=(ALL)  NOPASSWD:ALL" | sudo tee /etc/sudoers.d/autoid

Add administrator privileges to the user.

$ sudo usermod -aG wheel autoid

Change to the user account.

$ su - autoid

Install yum-utils package on the deployer machine. yum-utils is a utilities manager for the Yum RPM package repository. The repository compresses software packages for Linux distributions.

$ sudo yum install -y yum-utils

Create the installation directory. Note that you can use any install directory for your system as long as your run the deployer.sh script from there. Also, the disk volume where you have the install directory must have at least 8GB free space for the installation.

$ mkdir ~/autoid-config

On the target machine, set up the Docker-CE repository.

$ sudo yum-config-manager \
     --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Install the latest version of the Docker CE, the command-line interface, and containerd.io, a containerized website.

$ sudo yum install -y docker-ce docker-ce-cli containerd.io

Enable Docker to start at boot.

$ sudo systemctl enable docker

Start Docker.

$ sudo systemctl start docker

Check that Docker is running.

$ systemctl status docker

Add the user to the Docker group.

$ sudo usermod -aG docker ${USER}

On the deployer machine, change to the SSH directory.

$ cd ~/.ssh

On the deployer machine, run ssh-keygen to generate an RSA keypair, and then click Enter. You can use the default filename. Enter a password for protecting your private key.

$ ssh-keygen -t rsa -C "autoid"

The public and private rsa key pair is stored in home-directory/.ssh/id_rsa and home-directory/.ssh/id_rsa.pub.

Copy the SSH key to the autoid-config directory.

 $ cp ~/.ssh/id_rsa ~/autoid-config

Change the privileges and owner to the file.

$ chmod 400 ~/autoid-config/id_rsa

Copy your public SSH key, id_rsa.pub, to the target machine's ~/.ssh/authorized_keys file. If your system does not have an /authorized_keys directory, create it using mkdir -p ~/.ssh/authorized_keys.

$ ssh-copy-id -i id_rsa.pub autoid@<Target IP Address>

On the deployer machine, test your SSH connection to the target machine. This is a critical step. Make sure the connection works before proceeding with the installation.

$ ssh -i ~/.ssh/id_rsa <username>@34.70.190.144
Last login: Sun Jun 14 23:23:36 2020 from 74.125.45.78

On the target machine, set the privileges on your ~/.ssh and ~/.ssh/authorized_keys.

$ chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

If you successfully accessed the remote server, enter exit to end your SSH session.

On the deployer machine, change to the installation directory.

$ cd ~/autoid-config

Log in to the ForgeRock Google Cloud Registry (gcr.io) using the registry key. The registry key is only available to ForgeRock Autonomous Identity customers. For specific instructions on obtaining the registry key, see How To Configure Service Credentials (Push Auth, Docker) in Backstage.

$ docker login -u _json_key -p "$(cat autoid_registry_key.json)" https://gcr.io/forgerock-autoid

Run the create-template command to generate the deployer.sh script wrapper. Note that the command sets the configuration directory on the target node to /config. Note that the --user parameter eliminates the need to use sudo while editing the hosts file and other configuration files.

$ docker run --user=$(id -u) -v ~/autoid-config:/config -it gcr.io/forgerock-autoid/deployer:2020.6.4 create-template
     ...
d6c7c6f3303e: Pull complete
Digest: sha256:15225be65417f8bfb111adea37c83eb5e0d87140ed498bfb624a358f43fb48bf
Status: Downloaded newer image for gcr.io/forgerock-autoid/autoid/dev-compact/deployer@sha256:15225be65417f8bfb111a
dea37c83eb5e0d87140ed498bfb624a358f43fb48bf
Config template is copied to host machine directory mapped to /config

Make the script executable.

$ chmod +x deployer.sh

To see the list of commands, enter deployer.sh.

$ ./deployer.sh
Usage: deployer <command>

Commands:
  create-template
  download-images
  import-deployer
  encrypt-vault
  decrypt-vault
  run
  create-tar
  install-docker
  install-dbutils

The create-template command creates a number of configuration files, including ansible.cfg. Open a text editor and edit the ansible.cfg to set up the remote user and SSH private key file location on the target node. Make sure that the remote_user exists on the target node and that the deployer machine can ssh to the target node as the user specified in the id_rsa file.

[defaults]
host_key_checking = False
remote_user = autoid
private_key_file = id_rsa

Open a text editor and enter the target host's public IP addresses in the ~/autoid-config/hosts file. Make sure the target machine's external IP address is accessible from the deployer machine. The following is an example of the ~/autoid-config/hosts file for a single-node target deployment:

[docker-managers]
34.70.190.144

[docker-workers]
34.70.190.144

[docker:children]
docker-managers
docker-workers

[cassandra-seeds]
34.70.190.144

[cassandra-workers]
34.70.190.144

[spark-master]
34.70.190.144

[spark-workers]
34.70.190.144

[analytics]
34.70.190.144

If your external and internal IP addresses are different, for example, when deploying the target host in a cloud, define a mapping between the external IP address and the private IP address in the ~/autoid-config/vars.yml file.

If your external and internal IP addresses are the same, you can skip this step.

On the deployer node, add the private_ip_address_mapping property in the ~/autoid-config/vars.yml file. You can look up the private IP on the cloud console, or run sudo ifconfig on the target host. Make sure the values are within double quotes. The key should not be in double quotes and should have two spaces preceding the IP address.

private_ip_address_mapping:
  external_ip:  "internal_ip"

For example:

private_ip_address_mapping:
  34.72.28.214:  "10.128.0.52"

Edit other properties in the ~/autoid-config/vars.yml file, specific to your deployment, such as the following:

The default Autonomous Identity URL will be: https://autoid-ui.forgerock.com. To customize your domain name and target environment, see Customize the Domain and Namespace.

Open a text editor and set the Autonomous Identity passwords for the configuration service, LDAP backend, and Cassandra database. The vault passwords file is located at ~/autoid-config/vault.yml.

configuration_service_vault:
  basic_auth_password: Welcome123

openldap_vault:
  openldap_password: Welcome123

cassandra_vault:
  cassandra_password: Welcome123
  cassandra_admin_password: Welcome123

Encrypt the vault file that stores the Autonomous Identity passwords, located at ~/autoid-config/vault.yml. The encrypted passwords will be saved to /config/.autoid_vault_password. The /config/ mount is internal to the deployer container.

$ ./deployer.sh encrypt-vault

Download the images. This step downloads software dependencies needed for the deployment and places them in the autoid-packages directory.

$ ./deployer.sh download-images

Run the deployment.

$ ./deployer.sh run

Configure your DNS servers to access Autonomous Identity dashboard and self-service applications on the target node. The following domain names must resolve to the IP address of the target node: <target-environment>-ui.<domain-name> and <target-environment>-selfservice.<domain-name>.

If DNS cannot resolve target node hostname, edit it locally on the machine that you want to access Autonomous Identity using a browser. Open a text editor and add an entry in the /etc/hosts file for the self-service and UI services for each managed target node.

target-ip-address  <target-environment>-ui.<domain-name> <target-environment>-serlfservice.<domain-name>

For example:

34.72.28.214  autoid-ui.forgerock.com autoid-selfservice.forgerock.com

If you set up a custom domain name and target environment, add the entries in /etc/hosts. For example:

34.72.28.214  myid-ui.abc.com  myid-selfservice.abc.com

For more information on customizing your domain name, see Customize the Domain and Namespace.

Open a browser, and point it to https://autoid-ui.forgerock.com/ (or your customized URL: https://myid-ui.abc.com).

Log in as a test user: bob.rodgers@forgerock.com. Enter the password: Welcome123.

SSH to the target node.

Check that the analytics service is running.

$ docker ps | grep analytics

If the previous step returns blank, start the analytics. For more information, see Data Preparation.

$ docker start analytics

Once you have verified that the analytics service has started, you can run the analytics commands. For more information, see Run the Analytics Pipeline.