Deployment and Administration guide

This is the INDIGO IAM deployment and administration guide.

Requirements

Docker

The IAM service is currently distributed as a docker image from Dockerhub, so in order to run the service, you will need:

• Docker v. 1.11.1 or greater

If you want to use docker-compose to deploy the service, you will also need

• docker-compose v.1.7.0 or greater

MariaDB/MySQL

The IAM service stores information in a mariadb/mysql database.

NginX

The IAM service is designed to run as a backend Java application behind an NGINX reverse proxy (it could run equally well behing apache, but we tested it behind NGINX).

Configuration

Prerequisites

In order to run a production instance of the IAM, you will need:

• An X.509 certificate, used for SSL termination at the NGINX reverse proxy

• A JSON keystore holding the keys used to sign JSON Web Tokens. You can use

  this handy tool to generate JSON web keys for your service

If you enable SAML login:

• SAML metadata for your SAML federation

• SAML metadata for the IAM service

MySQL configuration

Just create a database and a user that has read/write/schema change access to the database.

NGINX configuration

Configure NGINX to act as a reverse proxy for the IAM backend application.

The example configuration below is taken from the docker file for the IAM development environment:

server {
  listen        443 ssl;
  server_name   YOUR_HOSTNAME_HERE;
  access_log   /var/log/nginx/iam.access.log  combined;

  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_certificate      /path/to/your/ssl/cert.pem;
  ssl_certificate_key  /path/to/your/ssl/key.pem;

  location / {
    proxy_pass              YOUR_BE_HOSTNAME_HERE:8080;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        Host $http_host;
  }

JSON web keys generation

Checkout the json-web-key-generator repository:

git clone https://github.com/mitreid-connect/json-web-key-generator

Build the code with:

mvn package

Generate a key with the following command:

java -jar target/json-web-key-generator-0.3-SNAPSHOT-jar-with-dependencies.jar \
  -t RSA -s 1024 -S -i rsa1
Full key:
{
  "keys": [
    {
      "p": "3oh7ex6zgdmJh5NBD0IplmBDDGC2ECu2A1vcp8e8DqE7OSSpAc1T9tTjJioCGqkNM51JK_MtgCJz1CiysVDOQQ",
      "kty": "RSA",
      "q": "nRmBm5tQ2wmOtd1XUYDRH2qWai6eElt-1cvO5tnTdWZkFaAeaHQ3_xf_PFOjyAv5Y5rNLgf_Xbu9UCo_mSrDMQ",
      "d": "BGHRhQP6ADqqSrM8_mI0YhjGStj1aW9rLi7wXQMJ122kegPxIT7dfP-5UScxykD_BrCCHQVPxdJl5wXy-giZnhaL9wtDkOXb8D8RCi1n02cs3Z1T23xONi_AG47QPBZjM5GcX-oOGCENByuEIdkU_Bn6vvqM3oyVlj5sio7tNAE",
      "e": "AQAB",
      "kid": "rsa1",
      "qi": "RarXtTFCE3hk5ZanLWEapDnn7SLSxAvDcBTmG5SpCI9Eix7cfTigaK6N7OQIN0uGO1GJ-KVWL2v8dyI1jMoU6g",
      "dp": "MtBtieavzMXUzr2ETKyp_GmMxeXLjRO-IzQ1xaYpPhn5AQprATtWofVozQ0on9fcaN3QmJWV3T2Av4BvlWfDQQ",
      "dq": "CWJ7rpsBooQYpV6al8DVPUY1xBQS10_l7MmnC31Zt3qtYelVx7GhoriBQ85PS2UDueKGfUh3BddwQLi1YeX_EQ",
      "n": "iI_fuJq4z_9VQY5EH41sQWOAYUsjtxAFjRnAc1P5-GPOx3Izg9V7yKNmudLUt-jIkv6D5h-AzrhEV6DOdBRoiN4el1mCZ95jiJkjU2kpVOmutDysZkrn667zPd43w7E6IqHnahmMrVUjUyx6pie1SqJHLUXghz8Gle-1yi08_XE"
    }
  ]
}

Save the output of the above command (minus the Full key: initial text) in a file.

IAM docker image

The IAM service is provided on the following Dockerhub repositories:

• indigoiam/iam-login-service

• indigodatacloud/iam-login-service

We keep the images in sync, so the following instructions apply to images fetched from any of the two repositories.

IAM configuration

The IAM service is configured via spring profiles and environment variables.

IAM profiles

IAM profiles are used to enable/disable group of IAM functionalities. Currently the following profiles are defined:

Profile name	Active by default	Description
h2	yes	Enables h2 in-memory database, useful for development and testing
mysql	no	Enables MySQL database backend
google	no	Enables Google authentication
saml	no	Enables SAML authentication
dev	yes	Enables development debugging information
registration	yes	Enables user registration and reset password functionalities

Profiles are enabled by setting the spring.profiles.active Java system property when starting the IAM service. This can be done, using the official IAM docker image, by setting the IAM_JAVA_OPTS environment variable as follows:

IAM_JAVA_OPTS="-Dspring.profiles.active=mysql,google,saml"

Service configuration

All configurable aspects of the IAM are configured via environment variables.

Env. variable	Default value	Meaning
IAM_PORT	8080	The IAM service will listen on this port
IAM_USE_FORWARDED_HEADERS	false	Use forward headers from reverse proxy. Set this to true when deploying the service behind a reverse proxy.
IAM_ISSUER	http://localhost:8080	This is the endpoint on which the IAM will receive requests.
IAM_KEY_STORE_LOCATION	N/A	The path to the JSON key store that holds the keys used to sign the tokens
IAM_X509_TRUST_ANCHORS_DIR	/etc/grid-security/certificates	Where CA certificates will be searched
IAM_X509_TRUST_ANCHORS_REFRESH	14400	How frequently (in seconds) should trust anchors be refreshed

Database access options

Env. variable	Default value	Meaning
IAM_DB_HOST	N/A	The host where the MariaDB/MySQL daemon is running
IAM_DB_PORT	3306	The database port
IAM_DB_NAME	iam	The database name
IAM_DB_USERNAME	iam	The database username
IAM_DB_PASSWORD	pwd	The database password

Google authentication options

Env. variable	Default value	Meaning
IAM_GOOGLE_CLIENT_ID	N/A	The google OpenID-connect client id
IAM_GOOGLE_CLIENT_SECRET	N/A	The Google OpenID-connect client secret
IAM_GOOGLE_REDIRECT_URIS	N/A	The Google OpenID-connect redirect URIs

SAML authentication options

Env. variable	Default value	Meaning
IAM_SAML_ENTITY_ID	N/A	The SAML entity ID
IAM_SAML_KEYSTORE	N/A	The keystore holding SAML certificate and keys
IAM_SAML_KEYSTORE_PASSWORD	N/A	The keystore password
IAM_SAML_KEY_ID	N/A	The identifier of the key that should be used to sign requests/assertions
IAM_SAML_KEY_PASSWORD	N/A	The SAML key password
IAM_SAML_IDP_METADATA	N/A	The path to the SAML federation idp metadata

Notification service options

IAM notification service use an external SMTP server for sending email notifications. The table below contains the options for configure the SMTP server.

Env. variable	Default value	Meaning
IAM_MAIL_HOST	localhost	Hostname of the SMTP server to use for sending notification emails
IAM_MAIL_PORT	25	Port on which SMTP server to use is listening
IAM_MAIL_USERNAME	N/A	Username to use for authentication on SMTP server, if required
IAM_MAIL_PASSWORD	N/A	Password to use for authentication on SMTP server, if required

Specific options:

Env. variable	Default value	Meaning
IAM_NOTIFICATION_DISABLE	false	Turn on the notification service. If set to true, notifications aren't send to mail server, but logged into the log file
IAM_NOTIFICATION_FROM	indigo@localhost	Mail address used as mail sender
IAM_NOTIFICATION_TASK_DELAY	30000	Time interval, in milliseconds, between two consecutive runs of the job that send notifications
IAM_NOTIFICATION_CLEANUP_AGE	30	Retention of delivered messages, in days
IAM_NOTIFICATION_ADMIN_ADDRESS	indigo-alerts@localhost	Mail address used as receiver for administrative notifications

Example configuration

The IAM service is run starting the docker container with the following command:

/usr/bin/docker run \
  --name iam-login-service --net=iam -p 8080:8080 \
  --env-file=/path/to//iam-login-service/env \
   -v /path/to//keystore.jks:/keystore.jks:ro \
  indigodatacloud/iam-login-service

The env file content is the following:

IAM_JAVA_OPTS=-Dspring.profiles.active=google,mysql -Djava.security.egd=file:/dev/urandom
IAM_BASE_URL=https://iam-test.indigo-datacloud.eu
IAM_ISSUER=https://iam-test.indigo-datacloud.eu/
IAM_USE_FORWARDED_HEADERS=true
IAM_KEY_STORE_LOCATION=file:/keystore.jks
IAM_DB_HOST=the_db_host
IAM_DB_NAME=iam_login_service
IAM_DB_USERNAME=iam_test
IAM_DB_PASSWORD=some_super_secure_password
IAM_DB_VALIDATION_QUERY=SELECT 1
IAM_GOOGLE_CLIENT_ID=XXXXXXXXXXXXXXXXX.apps.googleusercontent.com
IAM_GOOGLE_CLIENT_SECRET=***********
IAM_GOOGLE_REDIRECT_URIS=https://iam-test.indigo-datacloud.eu/openid_connect_login
IAM_SAML_ENTITY_ID=https://iam-test.indigo-datacloud.eu
IAM_SAML_KEYSTORE=file:///saml-keystore.jks
IAM_SAML_KEYSTORE_PASSWORD=********
IAM_SAML_KEY_ID=iam-test
IAM_SAML_KEY_PASSWORD=********
IAM_SAML_IDP_METADATA=file:///idp-metadata.xml
IAM_NOTIFICATION_FROM=iam@iam-test.mydomain.eu
IAM_NOTIFICATION_TASK_DELAY=5000
IAM_NOTIFICATION_ADMIN_ADDRESS=iam-admins@mydomain.eu
IAM_MAIL_HOST=mailman.mydomain.eu