Autonomous Identity 2022.11.3

Deployment Checklist

Use the following checklist to ensure key considerations are covered for your 2022.11.3 deployment:

Each entry below gives the check category, the requirement, and its details.

Access

Remote Access

The Autonomous Identity Team is a global team. To support the needs of client teams, remote access to all servers is required for deployment and support of product.

Service Account

The service account must have the ability to run passwordless sudo commands. The deployer will not run without this ability.

File Transfer Process

The Autonomous Identity Team requires access to a file transfer process that lets specified packages be transferred from the vendor to the client infrastructure.

Service Account

Service Account Group

The service account group must be the same as the service account name. For example, if the service account name is srv-autoid, that user must be in the group srv-autoid.

Autonomous Identity Team Access

Autonomous Identity team members must be able to switch to this user after logging in to the servers.

SSH Ability

The service account must be able to SSH between all Autonomous Identity servers without a password; the preferred method is RSA SSH key authentication.

Default Shell

The default shell of the service account must be Bash.

Directory Ownership

Ownership of the following directories must be given to the Service Account.

  • /data or applicable name of the shared mount (Docker and Spark servers)

  • /opt/autoid (all servers)

  • /tmp (read, write, and execute permission required; the mount must not carry the noexec flag)

Docker Commands

The service account must have permissions to run Docker commands. Note that Docker should NOT need to be installed as a prerequisite; this will be installed by deployment team.

Networking/Internet

Access to the Internet

If Internet access is available, the front-end servers download the required Docker images from the official Autonomous Identity image repository.

SSL Certificates

If SSL is being implemented, SSL certificates are required for the UI, Cassandra or MongoDB nodes, and Spark nodes. These certificates can be generated using one of the following four options:

  • Self-signed certificates for all three components

  • Valid certificate for the UI and self-signed certificates for Cassandra, MongoDB, and Spark nodes (self-signed certs only used in server-server traffic)

  • Valid and separate certificates for the UI, Cassandra, MongoDB, and Spark

  • *.domainname.com certificate (wildcard)
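Added example, not part of the ForgeRock documentation: a POSIX sh script that produces the certificates of the first option (a self-signed certificate per component, each carrying every node name in its subjectAltName) and then runs the checks a deployer would apply before installing any certificate: the SAN list covers the node, the certificate is not about to expire, and the certificate matches its private key. It assumes OpenSSL 1.1.1 or later (for -addext); the host names are constructed placeholders, not names from the checklist.

```shell
#!/bin/sh
# Added example (not ForgeRock's code). Generates one self-signed certificate per
# Autonomous Identity component with a SAN covering all of its nodes, then checks
# the results. Requires OpenSSL 1.1.1+ for "req -addext". Host names are
# constructed placeholders.

# gen_self_signed OUTDIR NAME DAYS HOST...: writes OUTDIR/NAME.key and
# OUTDIR/NAME.crt; the CN is the first host, every host goes into subjectAltName
gen_self_signed() {
    outdir=$1; name=$2; days=$3; shift 3
    cn=$1
    san=""
    for h in "$@"; do
        san="${san}${san:+,}DNS:$h"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$outdir/$name.key"   # the private key must not be group/world readable
}

# cert_has_san CRT HOST: succeeds if HOST is listed as a DNS SAN in CRT
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# cert_valid_for_days CRT DAYS: succeeds if CRT is still valid DAYS days from now
# (-checkend takes seconds)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_matches_key CRT KEY: succeeds if the public key in CRT is the one derived
# from KEY (a mismatched pair is a common cause of a service failing to start)
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# make_all OUTDIR: one certificate per component; node lists are placeholders
make_all() {
    mkdir -p "$1" || return 1
    gen_self_signed "$1" ui        365 autoid-ui.example.internal &&
    gen_self_signed "$1" cassandra 365 cassandra1.example.internal cassandra2.example.internal cassandra3.example.internal &&
    gen_self_signed "$1" mongodb   365 mongo1.example.internal mongo2.example.internal &&
    gen_self_signed "$1" spark     365 spark-master.example.internal spark-worker1.example.internal
}

if [ -n "${1:-}" ]; then
    make_all "$1" && echo "certificates written to $1"
fi
```

Run it as `sh make-certs.sh /opt/autoid/certs` (or any output directory); replace the placeholder node names with the real UI, Cassandra or MongoDB, and Spark host names before generating, since a name missing from the SAN list is rejected by clients that verify the certificate.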

Ports Open (Internal)

All internal ports specified in the Networking section of the Environment Specifications need to be opened for the specified servers.

Ports Open (external browser)

The following ports must be accessible from a web browser within the client network:

  • 443 (Front-end)

For a list of Autonomous Identity ports, refer to Autonomous Identity Ports.

Required Packages

Dependencies

The following packages must be installed on specified servers as prerequisites:

  • Analytics Servers:

    • OpenJDK version "11.0.16"

    • Python 3.8 with symlinks to Python 3 (sudo ln -s /usr/bin/python3.8 /usr/bin/python3)

Other

Infrastructure Support POC

A point of contact (POC) with sufficient access to the infrastructure is required. The POC can help if infrastructure blockers arise (for example, proxy, account access, or port issues).

SELinux

SELinux must be disabled on the Docker boxes. The package "container-selinux" must be present (this can be done as part of the root scripts described in the "Root Access" category).
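Added example, not part of the ForgeRock documentation: a POSIX sh pre-flight script that checks one host against the service-account, /tmp, dependency and SELinux items of this checklist. The parsing checks take their input as strings (a passwd entry, a group entry, a /proc/mounts line) so they can be tried against constructed data; run_preflight applies them to the live host when the script is run as the service account. It assumes a Linux host with getent and /proc/mounts, that "permission to run Docker commands" is granted through membership of the docker group, and that container-selinux is verified with rpm on an RPM-based host; none of those details are stated by the checklist.

```shell
#!/bin/sh
# Added example (not ForgeRock's code): pre-flight checks for the service account,
# /tmp, dependencies and SELinux items. Run as the service account on each server:
#   sh preflight.sh srv-autoid
# Assumes Linux with getent and /proc/mounts; docker-group and rpm checks are
# assumptions about how the requirement is usually met, not checklist text.

# shell_is_bash PASSWD_LINE: succeeds if the login shell (field 7) ends in /bash
shell_is_bash() {
    case "$(printf '%s' "$1" | awk -F: '{print $7}')" in
        */bash) return 0 ;;
        *) return 1 ;;
    esac
}

# primary_group_matches PASSWD_LINE GROUP_LINE: succeeds if the account's primary
# GID is the GID of a group whose name equals the account name
primary_group_matches() {
    user=$(printf '%s' "$1" | awk -F: '{print $1}')
    gid=$(printf '%s' "$1" | awk -F: '{print $4}')
    gname=$(printf '%s' "$2" | awk -F: '{print $1}')
    ggid=$(printf '%s' "$2" | awk -F: '{print $3}')
    [ -n "$gid" ] && [ "$gid" = "$ggid" ] && [ "$user" = "$gname" ]
}

# mount_has_noexec MOUNTS_LINE: succeeds if a /proc/mounts line carries noexec
mount_has_noexec() {
    opts=$(printf '%s' "$1" | awk '{print $4}')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_owned_by DIR USER: succeeds if DIR exists and USER owns it
dir_owned_by() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# tmp_allows_exec: /tmp must be readable, writable and executable, and if it is a
# separate mount that mount must not be noexec (no /tmp entry in /proc/mounts
# means it inherits the root filesystem's options)
tmp_allows_exec() {
    [ -r /tmp ] && [ -w /tmp ] && [ -x /tmp ] || return 1
    line=$(awk '$2 == "/tmp"' /proc/mounts | head -n 1)
    ! mount_has_noexec "$line"
}

# report LABEL CMD...: prints PASS/FAIL for one item and records failures in rc
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS $label"; else echo "FAIL $label"; rc=1; fi
}

# run_preflight ACCOUNT: runs every live check; returns 0 only if all pass.
# /data stands for the shared mount (Docker and Spark servers); the OpenJDK and
# Python checks apply to the analytics servers.
run_preflight() {
    acct=$1; rc=0
    pw=$(getent passwd "$acct") || { echo "FAIL account $acct does not exist"; return 1; }
    gr=$(getent group "$acct") || gr=""
    report "default shell is bash"                shell_is_bash "$pw"
    report "primary group is named $acct"         primary_group_matches "$pw" "$gr"
    report "/opt/autoid owned by $acct"           dir_owned_by /opt/autoid "$acct"
    report "/data owned by $acct"                 dir_owned_by /data "$acct"
    report "/tmp is rwx and not mounted noexec"   tmp_allows_exec
    report "passwordless sudo (run as $acct)"     sudo -n true
    report "member of docker group (assumption)"  sh -c "id -nG '$acct' | tr ' ' '\n' | grep -qx docker"
    report "OpenJDK 11.0.16 (analytics servers)"  sh -c 'java -version 2>&1 | grep -q "11\.0\.16"'
    report "python3 is Python 3.8"                sh -c 'python3 --version 2>&1 | grep -q "^Python 3\.8\."'
    report "SELinux disabled"                     sh -c 'case "$(getenforce 2>/dev/null)" in ""|Disabled) exit 0 ;; *) exit 1 ;; esac'
    report "container-selinux installed (rpm)"    rpm -q container-selinux
    return $rc
}

if [ -n "${1:-}" ]; then
    run_preflight "$1"
fi
```

The SELinux check treats a missing getenforce binary as "not enabled"; on a host where SELinux tooling is absent but the kernel policy is still active, confirm the state manually. A non-zero exit from run_preflight means at least one line printed FAIL, which makes the script usable as a gate in an automated rollout.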

Copyright © 2010-2024 ForgeRock, all rights reserved.