Installing IG in Standalone Mode

For information about how to install IG in standalone mode (installed from a .zip file, and run outside of a web container), see "Downloading and Starting IG in Standalone Mode". The following sections describe other installation options for IG in standalone mode:

Configuring IG For HTTPS (Server-Side)

This section describes how to set up IG to run as a server over HTTPS. IG uses a KeyManager and a private key to prove its identity to the client.

For information about the setup for HTTPS (client-side), see "Configuring IG For HTTPS (Client-Side)".

Configure IG For HTTPS (Server-Side)

Before you start, install IG in standalone mode, as described in "Downloading and Starting IG in Standalone Mode".

  1. Locate the keystore directory, ig_keystore_directory, and in a terminal create an environment variable for it:

    $ export ig_keystore_directory=/path/to/secrets

  2. Create a keystore holding a self-signed certificate:

    $ keytool \
    -genkey \
    -alias https-connector-key \
    -keyalg RSA \
    -keystore $ig_keystore_directory/IG-keystore \
    -storepass password \
    -keypass password \
    -dname ",O=Example Corp,C=FR"


    Because KeyStore converts all characters in its key aliases to lower case, use only lowercase in alias definitions of a KeyStore.

  3. In the secrets directory, add a file called keystore.pass that contains the keystore password, password:

    $ cd $ig_keystore_directory
    $ echo -n password > keystore.pass

  4. Add the following line to $HOME/.openig/bin/, replacing the path with your path to the keystore directory:

    $ export IG_KEYSTORE_DIRECTORY='/path/to/secrets'

  5. Add the following file to IG:

      {
        "connectors": [
          {
            "port": 8080
          },
          {
            "port": 8443,
            "tls": "ServerTlsOptions-1"
          }
        ],
        "heap": [
          {
            "name": "ServerTlsOptions-1",
            "type": "ServerTlsOptions",
            "config": {
              "keyManager": {
                "type": "SecretsKeyManager",
                "config": {
                  "signingSecretId": "",
                  "secretsProvider": "ServerIdentityStore"
                }
              }
            }
          },
          {
            "type": "FileSystemSecretStore",
            "name": "SecretsPasswords",
            "config": {
              "directory": "&{ig_keystore_directory}/",
              "format": "PLAIN"
            }
          },
          {
            "type": "KeyStoreSecretStore",
            "name": "ServerIdentityStore",
            "config": {
              "file": "&{ig_keystore_directory}/IG-keystore",
              "storePassword": "keystore.pass",
              "secretsProvider": "SecretsPasswords",
              "mappings": [
                {
                  "secretId": "",
                  "aliases": ["https-connector-key"]
                }
              ]
            }
          }
        ]
      }

    Notice the following features of the file:

    • IG starts on port 8080, and on 8443 over TLS.

    • IG's private keys for TLS are managed by the SecretsKeyManager, which references the KeyStoreSecretStore that holds the keys.

    • The password of the KeyStoreSecretStore is provided by the FileSystemSecretStore.

    • The KeyStoreSecretStore maps the keystore alias to the secret ID for retrieving the private signing keys.

    • The path to the keystore is provided by an environment variable.

  6. Start IG:

    $ /path/to/identity-gateway/bin/
    ... started in 1234ms on ports : [8080 8443]

  7. Access the IG welcome page on

    If you see warnings that the site is not secure, or that the self-signed certificate is not valid, respond to the warnings to access the site.
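
The name references in the step 5 configuration (connector to ServerTlsOptions, key manager to KeyStoreSecretStore, keystore to its password provider) can be checked before IG is started. The following Python check is an added example, not part of the original page or of IG: lint is a hypothetical helper, the sample dictionary is constructed, and the secret ID example.tls.key is a placeholder because the page leaves that value empty. It assumes heap objects are referenced by name, as in the configuration above.

```python
# Constructed sample mirroring the configuration above. "example.tls.key" is a
# placeholder secret ID (an assumption); the page leaves that value empty.
SAMPLE = {
    "connectors": [{"port": 8080}, {"port": 8443, "tls": "ServerTlsOptions-1"}],
    "heap": [
        {"name": "ServerTlsOptions-1", "type": "ServerTlsOptions",
         "config": {"keyManager": {"type": "SecretsKeyManager", "config": {
             "signingSecretId": "example.tls.key",
             "secretsProvider": "ServerIdentityStore"}}}},
        {"name": "SecretsPasswords", "type": "FileSystemSecretStore",
         "config": {"directory": "&{ig_keystore_directory}/", "format": "PLAIN"}},
        {"name": "ServerIdentityStore", "type": "KeyStoreSecretStore",
         "config": {"file": "&{ig_keystore_directory}/IG-keystore",
                    "storePassword": "keystore.pass",
                    "secretsProvider": "SecretsPasswords",
                    "mappings": [{"secretId": "example.tls.key",
                                  "aliases": ["https-connector-key"]}]}},
    ],
}

def lint(cfg):
    """Return wiring problems between TLS connectors and the heap (hypothetical helper)."""
    heap = {obj.get("name"): obj for obj in cfg.get("heap", [])}
    problems = []
    for conn in cfg.get("connectors", []):
        if "tls" not in conn:
            continue  # plain HTTP connector: nothing to resolve
        opts = heap.get(conn["tls"], {})
        if opts.get("type") != "ServerTlsOptions":
            problems.append(f"port {conn.get('port')}: no ServerTlsOptions named {conn['tls']!r}")
            continue
        km = opts.get("config", {}).get("keyManager", {}).get("config", {})
        store = heap.get(km.get("secretsProvider"))
        if store is None:
            problems.append(f"keyManager secretsProvider {km.get('secretsProvider')!r} is not in the heap")
            continue
        sconf = store.get("config", {})
        aliases = [a for m in sconf.get("mappings", [])
                   if m.get("secretId") and m["secretId"] == km.get("signingSecretId")
                   for a in m.get("aliases", [])]
        if not aliases:
            problems.append("signingSecretId is empty or maps to no keystore alias")
        # The page advises lowercase-only aliases because KeyStore lowercases them.
        problems += [f"alias {a!r} is not lowercase" for a in aliases if a != a.lower()]
        if sconf.get("secretsProvider") not in heap:
            problems.append("storePassword has no secretsProvider in the heap to resolve it")
    return problems

if __name__ == "__main__":
    print(lint(SAMPLE) or "wiring OK")
```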

Adding .jar Files for IG Extensions

IG includes a complete Java application programming interface for extending your deployment with customizations. For more information, see "Extending IG Through the Java API".

Create the directory $HOME/.openig/extra, and add .jar files for IG extensions to the directory.

When IG starts up, .jar files in $HOME/.openig/extra are loaded by the JVM.
