Installing IG in Standalone Mode
For information about how to install IG in standalone mode (installed from a .zip file, and run outside of a web container), see "Downloading and Starting IG in Standalone Mode". The following sections describe other installation options for IG in standalone mode:
Configuring IG For HTTPS (Server-Side)
This section describes how to set up IG to run as a server over HTTPS. IG uses a KeyManager and a private key to prove its identity to the client.
For information about the set up for HTTPS (client-side), see "Configuring IG For HTTPS (Client-Side)".
Before you start, install IG in standalone mode, as described in "Downloading and Starting IG in Standalone Mode".
Locate the keystore directory, ig_keystore_directory, and in a terminal create an environment variable for it:

$ export ig_keystore_directory=/path/to/secrets
Create a keystore holding a self-signed certificate:

$ keytool \
  -genkey \
  -alias https-connector-key \
  -keyalg RSA \
  -keystore $ig_keystore_directory/IG-keystore \
  -storepass password \
  -keypass password \
  -dname "CN=openig.example.com,O=Example Corp,C=FR"
Note: Because KeyStore converts all characters in its key aliases to lowercase, use only lowercase characters when defining KeyStore aliases.
In the secrets directory, add a file called keystore.pass, containing the keystore password, password:

$ cd $ig_keystore_directory
$ echo -n password > keystore.pass
Add the following line to $HOME/.openig/bin/env.sh, replacing the path with your path to the keystore directory:

export IG_KEYSTORE_DIRECTORY='/path/to/secrets'
Add the following file to IG, at $HOME/.openig/config/admin.json (on Windows, %appdata%\OpenIG\config\admin.json):

{
  "connectors": [
    { "port": 8080 },
    { "port": 8443, "tls": "ServerTlsOptions-1" }
  ],
  "heap": [
    {
      "name": "ServerTlsOptions-1",
      "type": "ServerTlsOptions",
      "config": {
        "keyManager": {
          "type": "SecretsKeyManager",
          "config": {
            "signingSecretId": "key.manager.secret.id",
            "secretsProvider": "ServerIdentityStore"
          }
        }
      }
    },
    {
      "type": "FileSystemSecretStore",
      "name": "SecretsPasswords",
      "config": {
        "directory": "&{ig_keystore_directory}/",
        "format": "PLAIN"
      }
    },
    {
      "type": "KeyStoreSecretStore",
      "name": "ServerIdentityStore",
      "config": {
        "file": "&{ig_keystore_directory}/IG-keystore",
        "storePassword": "keystore.pass",
        "secretsProvider": "SecretsPasswords",
        "mappings": [
          {
            "secretId": "key.manager.secret.id",
            "aliases": [ "https-connector-key" ]
          }
        ]
      }
    }
  ]
}
Notice the following features of the file:

- IG starts on port 8080, and on port 8443 over TLS.
- IG's private keys for TLS are managed by the SecretsKeyManager, which references the KeyStoreSecretStore that holds the keys.
- The password of the KeyStoreSecretStore is provided by the FileSystemSecretStore.
- The KeyStoreSecretStore maps the keystore alias to the secret ID for retrieving the private signing keys.
- The path to the keystore is provided by an environment variable.
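The chain described above (connector to ServerTlsOptions, to SecretsKeyManager, to KeyStoreSecretStore, to FileSystemSecretStore) fails only at startup if one name is mistyped, so it is worth checking before IG is started. The following Python checker is an added example, not part of IG or of this page: it loads the admin.json above (embedded as constructed sample input), verifies that each heap reference in the chain resolves to an object of the expected type, that the signing secret ID is mapped to a lowercase alias, and that every &{...} property has an environment variable, which it assumes is matched case-insensitively, as the page's own pairing of IG_KEYSTORE_DIRECTORY in env.sh with &{ig_keystore_directory} in admin.json implies.

```python
import json
import re

# The admin.json from the procedure above, embedded as constructed sample input
# so the checker runs without an IG installation.
ADMIN_JSON = '''{"connectors": [{"port": 8080}, {"port": 8443, "tls": "ServerTlsOptions-1"}],
 "heap": [
  {"name": "ServerTlsOptions-1", "type": "ServerTlsOptions", "config": {"keyManager": {
    "type": "SecretsKeyManager", "config": {"signingSecretId": "key.manager.secret.id",
                                            "secretsProvider": "ServerIdentityStore"}}}},
  {"type": "FileSystemSecretStore", "name": "SecretsPasswords",
   "config": {"directory": "&{ig_keystore_directory}/", "format": "PLAIN"}},
  {"type": "KeyStoreSecretStore", "name": "ServerIdentityStore",
   "config": {"file": "&{ig_keystore_directory}/IG-keystore", "storePassword": "keystore.pass",
              "secretsProvider": "SecretsPasswords",
              "mappings": [{"secretId": "key.manager.secret.id", "aliases": ["https-connector-key"]}]}}]}'''

PROPERTY_REF = re.compile(r"&\{([^}]+)\}")   # matches &{name} property references


def check_admin_config(text, env):
    """Return the wiring problems found in an admin.json (an empty list means it is consistent)."""
    cfg = json.loads(text)
    heap = {o["name"]: o for o in cfg.get("heap", []) if "name" in o}
    env_lower = {k.lower() for k in env}   # assumption: &{x} resolves case-insensitively
    problems = [f"unresolved property &{{{r}}}" for r in PROPERTY_REF.findall(text)
                if r.lower() not in env_lower]
    for conn in cfg.get("connectors", []):
        tls = conn.get("tls")
        if tls is None:                    # plain HTTP connector, nothing to check
            continue
        opts = heap.get(tls, {})
        if opts.get("type") != "ServerTlsOptions":
            problems.append(f"port {conn.get('port')}: '{tls}' is not a ServerTlsOptions object")
            continue
        km = opts["config"]["keyManager"]["config"]
        store = heap.get(km["secretsProvider"], {})
        if store.get("type") != "KeyStoreSecretStore":
            problems.append(f"port {conn.get('port')}: '{km['secretsProvider']}' is not a KeyStoreSecretStore")
            continue
        # The keystore password must come from another heap object (here the FileSystemSecretStore).
        if store["config"].get("secretsProvider") not in heap:
            problems.append(f"{km['secretsProvider']}: password provider missing from heap")
        # The signing secret ID must map to a lowercase keystore alias (see the note above).
        aliases = [a for m in store["config"].get("mappings", [])
                   if m["secretId"] == km["signingSecretId"] for a in m["aliases"]]
        if not aliases:
            problems.append(f"secretId '{km['signingSecretId']}' has no alias mapping")
        problems += [f"alias '{a}' is not lowercase" for a in aliases if a != a.lower()]
    return problems
```

Running check_admin_config(ADMIN_JSON, {"IG_KEYSTORE_DIRECTORY": "/path/to/secrets"}) on the page's file returns an empty list; run it against your own admin.json and environment before starting IG.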
Start IG:

$ /path/to/identity-gateway/bin/start.sh
...
... started in 1234ms on ports : [8080 8443]
Access the IG welcome page on https://openig.example.com:8443.
If you see warnings that the site is not secure, or that the self-signed certificate is not valid, respond to the warnings to access the site.
Adding .jar Files for IG Extensions
IG includes a complete Java application programming interface (API) for extending your deployment with customizations. For more information, see "Extending IG Through the Java API".
Create the directory $HOME/.openig/extra, and add .jar files for IG extensions to the directory. When IG starts up, .jar files in $HOME/.openig/extra are loaded by the JVM.