Autonomous Identity 2021.3.1

Deployment Checklist

Use the following checklist to ensure key considerations are covered for your 2021.3.1 deployment:

Deployment Checklist

Check

Requirement

Details

Access

Remote Access

The Autonomous Identity Team is a global team. To support the needs of client teams, remote access to all servers is required for deployment and support of product.

Service Account

The service account must have the ability to run passwordless sudo commands. The deployer will not without this ability.

File Transfer Process

The Autonomous Identity Team require access to a file transfer process, which lets specified packages be transferred from the vendor to the client infrastructure.

Service Account

Service Account Group

The service account group must be the same as the service account name. For example, if the service account name is srv-autoid, that user must be in the group srv-autoid.

Autonomous Identity Team Access

Autonomous Identity team members must be able to switch to this user after logging in to the servers.

Passwordless Sudo

Root access via passwordless sudo is required to run required package installations (YUM), perform Docker installation, Docker Swarm-based installation applicable boxes, and potential troubleshooting.

Please discuss with delivery team if this requirement is a concern. If so, submit a specified contact to run admin tasks.

SSH Ability

The service account must be able to passwordless SSH between all Autonomous Identity servers; preferred method is RSA SSH key authentication.

Default Shell

The default shell of the service account must be Bash.

Directory Ownership

Ownership of the following directories must be given to the Service Account.

  • /data or applicable name of the shared mount (Docker and Spark servers)

  • /opt/autoid (all servers)

  • /tmp (R, W, E required + NOEXEC flag must not be present)

Docker Commands

The service account must have permissions to run Docker commands. Note that Docker should NOT need to be installed as a prerequisite; this will be installed by deployment team.

Networking/Internet

Access to the Internet

If available, the front-end servers downloads the required Docker images from the official Autonomous Identity image repository.

SSL Certificates

If SSL is being implemented, SSL certificates are required for the UI, Cassandra or MongoDB nodes, and Spark nodes. These certificates can be generated using one of the following four options:

  • Self-signed certificates for all 3 components

  • Valid certificate for the UI and self-signed certificates for Cassandra, MongoDB, and Spark nodes (self-signed certs only used in server-server traffic)

  • Valid and separate certificates for the UI, Cassandra, MongoDB, and Spark

  • *.domainname.com certificate (wildcard)

Ports Open (Internal)

All internal ports specified in the Networking section of the Environment Specifications need to be opened for the specified servers.

Ports Open (external browser)

The following ports must be accessible from a web browser within the client network:

  • 443 (Front-end)

  • 8080 (Spark)

  • 8081 (Spark)

For a list of Autonomous Identity ports, see Autonomous Identity Ports.

Required Packages

Dependencies

The following packages must be installed on specified servers as prerequisites:

  • Cassandra Servers: java-1.8.0-openjdk-devel.x86_64

  • MongoDB: see Deployment Prerequisites.

  • Analytics Servers: java-1.8.0-openjdk-devel.x86_64

Other

Infrastructure Support POC

A point-of-contact (POC) with sufficient access to the infrastructure is required. The POC can support in case of infrastructure blockers arise (e.g., proxy, account access, or port issues).

SELinux

SELinux must be disabled on the Docker boxes. The package "container-selinux" must be present (this can be done as part of the root scripts described in the "Root Access" category).

Components Not Pre-installed

The following software must NOT be pre-installed on the box:

  • Docker

  • Cassandra

  • MongoDB

  • Spark

  • Apache Livy

  • Ansible

If any do come pre-installed, discuss the details with the Delivery Team ahead of time.

Copyright © 2010-2022 ForgeRock, all rights reserved.