Installing IG in Standalone Mode

For information about how to install IG in standalone mode (installed from a .zip file, and run outside of a web container), see "Downloading and Starting IG in Standalone Mode". The following sections describe other installation options for IG in standalone mode:

Configuring IG For HTTPS (Server-Side)

This section describes how to set up IG to run as a server over HTTPS. IG uses a KeyManager and a private key to prove its identity to the client.

For information about setting up HTTPS (client-side), see "Configuring IG For HTTPS (Client-Side)".

Configure IG For HTTPS (Server-Side)

Before you start, install IG in standalone mode, as described in "Downloading and Starting IG in Standalone Mode".

  1. Locate the keystore directory, ig_keystore_directory, and in a terminal create an environment variable for it:

    $ export ig_keystore_directory=/path/to/secrets

  2. Create a keystore holding a self-signed certificate:

    $ keytool \
    -genkey \
    -alias https-connector-key \
    -keyalg RSA \
    -keystore $ig_keystore_directory/IG-keystore \
    -storepass password \
    -keypass password \
    -dname "CN=openig.example.com,O=Example Corp,C=FR"

    Note

    Because KeyStore converts all characters in its key aliases to lower case, use only lowercase in alias definitions of a KeyStore.

  3. In the secrets directory, add a file called keystore.pass that contains the keystore password (password in this example):

    $ cd $ig_keystore_directory
    $ echo -n password > keystore.pass

  4. Add the following line to $HOME/.openig/bin/env.sh, replacing the path with your path to the keystore directory:

    export IG_KEYSTORE_DIRECTORY='/path/to/secrets'

  5. Add the following file to IG:

    Linux: $HOME/.openig/config/admin.json
    Windows: %appdata%\OpenIG\config\admin.json

    {
      "connectors": [
        {
          "port": 8080
        },
        {
          "port": 8443,
          "tls": "ServerTlsOptions-1"
        }
      ],
      "heap": [
        {
          "name": "ServerTlsOptions-1",
          "type": "ServerTlsOptions",
          "config": {
            "keyManager": {
              "type": "SecretsKeyManager",
              "config": {
                "signingSecretId": "key.manager.secret.id",
                "secretsProvider": "ServerIdentityStore"
              }
            }
          }
        },
        {
          "type": "FileSystemSecretStore",
          "name": "SecretsPasswords",
          "config": {
            "directory": "&{ig_keystore_directory}/",
            "format": "PLAIN"
          }
        },
        {
          "type": "KeyStoreSecretStore",
          "name": "ServerIdentityStore",
          "config": {
            "file": "&{ig_keystore_directory}/IG-keystore",
            "storePassword": "keystore.pass",
            "secretsProvider": "SecretsPasswords",
            "mappings": [
              {
                "secretId": "key.manager.secret.id",
                "aliases": ["https-connector-key"]
              }
            ]
          }
        }
      ]
    }

    Notice the following features of the file:

    • IG starts on port 8080, and on 8443 over TLS.

    • IG's private keys for TLS are managed by the SecretsKeyManager, which references the KeyStoreSecretStore that holds the keys.

    • The password of the KeyStoreSecretStore is provided by the FileSystemSecretStore.

    • The KeyStoreSecretStore maps the keystore alias to the secret ID for retrieving the private signing keys.

    • The path to the keystore is provided by an environment variable.

  6. Start IG:

    $ /path/to/identity-gateway/bin/start.sh
    ...
    ... started in 1234ms on ports : [8080 8443]

  7. Access the IG welcome page on https://openig.example.com:8443.

    If you see warnings that the site is not secure, or that the self-signed certificate is not valid, respond to the warnings to access the site.
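The admin.json in step 5 only works if every name in it resolves: the connector's tls option, the key manager's secretsProvider and signingSecretId, the store's password provider, and a lowercase keystore alias. The following Python check of that wiring is an added example, not part of IG or its documentation; lint_admin and SAMPLE are hypothetical names, and it assumes heap objects are referenced by name, as in the file above.

```python
import json

def lint_admin(cfg):
    """Findings about the TLS wiring; assumes heap objects are referenced by name."""
    heap = {o.get("name"): o for o in cfg.get("heap", [])}
    out = []
    for conn in cfg.get("connectors", []):
        port, tls_name = conn.get("port"), conn.get("tls")
        if tls_name is None:
            out.append(f"note: port {port} has no tls option and serves plain HTTP")
            continue
        tls = heap.get(tls_name)
        if tls is None or tls.get("type") != "ServerTlsOptions":
            out.append(f"port {port}: '{tls_name}' is not a ServerTlsOptions heap object")
            continue
        km = tls.get("config", {}).get("keyManager", {}).get("config", {})
        secret_id, provider = km.get("signingSecretId"), km.get("secretsProvider")
        store = heap.get(provider)
        if store is None:
            out.append(f"port {port}: secretsProvider '{provider}' is not in the heap")
            continue
        scfg = store.get("config", {})
        if scfg.get("secretsProvider") not in heap:  # who supplies storePassword?
            out.append(f"{provider}: password provider '{scfg.get('secretsProvider')}' is not in the heap")
        mapped = [m for m in scfg.get("mappings", []) if m.get("secretId") == secret_id]
        if not mapped:
            out.append(f"port {port}: secret ID '{secret_id}' is not mapped in {provider}")
        for alias in (a for m in mapped for a in m.get("aliases", [])):
            if alias != alias.lower():  # KeyStore lowercases aliases (see the Note)
                out.append(f"{provider}: alias '{alias}' is not lowercase")
    return out

# Constructed sample: the page's admin.json with two deliberate mistakes.
SAMPLE = json.loads("""
{"connectors": [{"port": 8080}, {"port": 8443, "tls": "ServerTlsOptions-1"}],
 "heap": [
  {"name": "ServerTlsOptions-1", "type": "ServerTlsOptions", "config": {"keyManager":
    {"type": "SecretsKeyManager", "config": {"signingSecretId": "key.manager.secret.id",
                                             "secretsProvider": "ServerIdentityStore"}}}},
  {"name": "SecretsPasswords", "type": "FileSystemSecretStore",
   "config": {"directory": "&{ig_keystore_directory}/", "format": "PLAIN"}},
  {"name": "ServerIdentityStore", "type": "KeyStoreSecretStore", "config": {
    "file": "&{ig_keystore_directory}/IG-keystore", "storePassword": "keystore.pass",
    "secretsProvider": "SecretPasswords",
    "mappings": [{"secretId": "key.manager.secret.id", "aliases": ["HTTPS-Connector-Key"]}]}}]}
""")

if __name__ == "__main__":
    print("\n".join(lint_admin(SAMPLE)))
```

Run against the unmodified file from step 5, the only finding is the note that port 8080 is served without TLS.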

Adding .jar Files for IG Extensions

IG includes a complete Java application programming interface for extending your deployment with customizations. For more information, see "Extending IG Through the Java API".

Create the directory $HOME/.openig/extra, and add .jar files for IG extensions to the directory.

When IG starts up, .jar files in $HOME/.openig/extra are loaded by the JVM.
