Installation instructions
Make sure you have installed the requirements before you continue.
- Configure Docker
- Login
- Create docker-compose.yml file
- Configure Token Server via Docker Compose environment variables
- Start the Token Server
- Next steps
Configure Docker
Edit the Docker configuration file /etc/sysconfig/docker and set the daemon options:

DOCKER_OPTIONS="--host=unix:///var/run/docker.sock --bip=172.16.0.1/24"

The value has to be quoted and written without spaces around the = sign, because this file is sourced as a shell script. --host=unix:///var/run/docker.sock keeps the daemon on the local Unix socket only; do not add a tcp:// listener here, since an unauthenticated Docker API is equivalent to root on the host. --bip pins the default bridge network to 172.16.0.0/24; pick a range that overlaps neither your host network nor the 192.168.100.0/24 network that the Compose file below defines. Restart the Docker daemon after changing the file.
Login
To download the containers you first need to log in with the Docker client using your login credentials:

$ docker login release.onegini.com

NOTE: If you did not receive any login credentials, please contact Onegini support.
Create docker-compose.yml file
Create /etc/onegini/docker-compose.yml with the following content:
```yaml
version: "2"
services:
  proxy:
    image: release.onegini.com/onegini/security-proxy:<SECURITY_PROXY_VERSION>
    mem_limit: 512mb
    user: onegini
    restart: always
    environment:
      # Java options
      - JAVA_OPTS=-Djava.net.preferIPv4Stack=true
      - SP_JAVA_OPTS=-Xmx256m -Xms256m
      - TVS_JAVA_OPTS=-Xmx128m -Xms128m
      # Enable properties provisioning
      - SECURITY_PROXY_PROVISIONING_ENABLED=true
      # Discovery backend
      - CONSUL_HTTP_ADDR=consul:8500
      # Security Proxy property encryption password
      - SECURITY_PROXY_COMMON_PROPERTY_ENCRYPTION_PASSWORD=3c0b5011a68bfad582576b4380bf65662dc81745c77e3d8d05a8498c67387ed3
      # Security Proxy backends
      - SECURITY_PROXY_BACK_END_TOKEN_SERVER_HOSTS=engine:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_HOSTS=admin:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_CONTEXT_ROOT=/admin
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_ADMIN_ALLOW=0.0.0.0/0
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_HOSTS=client:8080
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_CONTEXT_ROOT=/client
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_TRANSPARENT_PROXIES_CLIENT_ALLOW=0.0.0.0/0
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_HOSTS=gateway:8080
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_CONTEXT_ROOT=/resource
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_PROXY_SCHEME=http
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_ALLOW=0.0.0.0/0
      - SECURITY_PROXY_BACK_END_RESOURCE_GATEWAYS_RESOURCE_TOKEN_VALIDATION_ENABLED=false
      - SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID=Eec61WVhtOjesj7BiLTKljdaKdmsc48D2oZKhsroqs
      - SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET=p4XfUcvkwULWsxs7C8sQIg5egZb1bvjNSZpNC2sp8M
      # Cache
      - SECURITY_PROXY_CACHE_ENCRYPTION_PASSWORD=WeerM68pac7fjrnKfUNHEeAHbPeEBy
      - SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_DURATION_IN_MINUTES=1
      - SECURITY_PROXY_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - SECURITY_PROXY_REDIS_SENTINEL_MASTER_ID=mymaster
    depends_on:
      - redis-master-sentinel
      - consul
    networks:
      overlay:
        ipv4_address: 192.168.100.1
    ports:
      - "80:8080"
  engine:
    image: release.onegini.com/onegini/token-server-engine:<TOKEN_SERVER_VERSION>
    restart: always
    user: onegini
    environment:
      # Java options
      - JAVA_OPTS=-Xms512m -Xmx512m
      # Token Server property encryption password
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=3c0b5011a68bfad582576b4380bf65662dc81745c77e3d8d05a8498c67387ed3
      # Token server url
      - TOKEN_SERVER_URL=http://<SERVER IP>
      # Database
      - DATABASE_TYPE=mysql
      - SPRING_DATASOURCE_USERNAME=onegini
      - SPRING_DATASOURCE_PASSWORD=af7a5b7a0d7b858a6d242bb4f3f54d0be65e56853caf71f3321f8fe967b203d1
      - DATABASE_ENCRYPTION_PASSWORD=febc2bce3d4e7082c26e9e57b36f3e0bd71c6e855c173928e476ebcadcff01a9
      - SPRING_DATASOURCE_URL=jdbc:mysql://192.168.100.5:3306/tokenserver?autoReconnect=true
      - SPRING_FLYWAY_ENABLED=true
      # Redis
      - TOKEN_SERVER_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - TOKEN_SERVER_REDIS_SENTINEL_MASTER_ID=mymaster
    ports:
      - 8080
      - 8443
    depends_on:
      - database
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.2
  admin:
    image: release.onegini.com/onegini/token-server-admin:<TOKEN_SERVER_VERSION>
    restart: always
    user: onegini
    environment:
      # Java options
      - JAVA_OPTS=-Xms256m -Xmx256m
      # Token Server url
      - TOKEN_SERVER_URL=http://<SERVER IP>
      # Token Server property encryption password
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=3c0b5011a68bfad582576b4380bf65662dc81745c77e3d8d05a8498c67387ed3
      # Database
      - DATABASE_TYPE=mysql
      - SPRING_DATASOURCE_USERNAME=onegini
      - SPRING_DATASOURCE_PASSWORD=af7a5b7a0d7b858a6d242bb4f3f54d0be65e56853caf71f3321f8fe967b203d1
      - DATABASE_ENCRYPTION_PASSWORD=febc2bce3d4e7082c26e9e57b36f3e0bd71c6e855c173928e476ebcadcff01a9
      - SPRING_DATASOURCE_URL=jdbc:mysql://192.168.100.5:3306/tokenserver?autoReconnect=true
      - SPRING_FLYWAY_ENABLED=true
      # Ldap
      - TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=onegini,dc=com
      - TOKEN_SERVER_ADMIN_LDAP_SERVER_URLS=ldap://192.168.100.7:10389
      # Redis
      - TOKEN_SERVER_REDIS_SENTINEL_NODES=redis-master-sentinel:26379,redis-slave-sentinel:26379,redis-slave-sentinel-failover:26379
      - TOKEN_SERVER_REDIS_SENTINEL_MASTER_ID=mymaster
    depends_on:
      - database
      - ldap
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.3
  client:
    image: release.onegini.com/onegini/token-server-test-client:<TOKEN_SERVER_VERSION>
    restart: always
    user: onegini
    environment:
      # Java options
      - JAVA_OPTS=-Xms256m -Xmx256m
      # Token Server url
      - TOKEN_SERVER_URL=http://192.168.100.1:8080
      - TOKEN_SERVER_TEST_CLIENT_URL=https://<SERVER IP>
      - TOKEN_SERVER_CLIENT_AUTHORIZE_URI=https://<SERVER IP>/oauth/authorize
    networks:
      overlay:
        ipv4_address: 192.168.100.4
  database:
    image: mariadb:latest
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=bc6928048afd11ab649b1876253bb5d16efacfc8d29d7fb11fdebf7d9cc52795
      - MYSQL_DATABASE=tokenserver
      - MYSQL_USER=onegini
      - MYSQL_PASSWORD=af7a5b7a0d7b858a6d242bb4f3f54d0be65e56853caf71f3321f8fe967b203d1
    ports:
      - 3306
    networks:
      overlay:
        ipv4_address: 192.168.100.5
  ldap:
    image: release.onegini.com/library/apacheds:dummy
    restart: always
    environment:
      - JAVA_OPTS=-Xms256m -Xmx256m
    ports:
      - 10389
    networks:
      overlay:
        ipv4_address: 192.168.100.7
  redis-master:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.8
      - REDIS_ANNOUNCE_PORT=6379
    networks:
      overlay:
        ipv4_address: 192.168.100.8
  redis-slave:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.9
      - REDIS_ANNOUNCE_PORT=6379
      - REDIS_SLAVE=True
      - REDIS_SLAVEOF_IP=192.168.100.8
      - REDIS_SLAVEOF_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.9
  redis-master-sentinel:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.10
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.10
  redis-slave-sentinel:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      # announce and master addresses must lie in the 192.168.100.0/24 overlay network
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.11
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.11
  redis-slave-sentinel-failover:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.12
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.12
  consul:
    image: consul:latest
    restart: always
    ports:
      - 8500:8500
networks:
  overlay:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.100.0/24
```
Note: Replace <SECURITY_PROXY_VERSION> and <TOKEN_SERVER_VERSION> with the actual version numbers; you can find them on the Releases page in the Onegini docs. Replace <SERVER IP> with the address under which the Security Proxy, published on port 80 of the host, is reachable.

The passwords and encryption passwords in this file are example values. Generate your own before the first start, keep the values that several services share identical (the database password appears under database, engine and admin; the Token Server property encryption password under engine and admin), and give the file root-only permissions, since it then holds every secret of the installation. The SECURITY_PROXY_BACK_END_*_ALLOW settings take CIDR ranges; 0.0.0.0/0 on the ADMIN backend lets any address reach the admin console through the proxy, so narrow it to your management network in production. The consul service publishes port 8500 on every interface of the host; if other machines can reach the host, bind it to localhost (127.0.0.1:8500:8500) or firewall it.
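As an added example (not part of the Onegini documentation), the following shell script generates fresh values for the secrets that the Compose file above carries as literals, writes them into env files that only their owner can read, keeps the values that several services must agree on identical, and counts any example secret left behind in a Compose file. It assumes that the properties accept a 64-character hex string and that the env files are loaded with Compose's env_file directive; the file and script names are chosen here, not prescribed by the product.

```shell
#!/bin/sh
# gen-onegini-secrets.sh: added example, not part of the Onegini documentation.
# Generates fresh values for the secrets that docker-compose.yml above carries
# as literals and writes them to env files readable by the owner only. Run it
# once, before the first start. Assumes the properties accept a 64-character
# hex string; file names are chosen here, not prescribed by the product.
set -eu

# 32 random bytes as 64 hex characters, the shape of the example values above.
gen_hex_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
  fi
}

# Write database.env, token-server.env and proxy.env into directory $1.
# Values that several services must agree on are generated once and written
# under every variable name the Compose file uses for them.
write_secret_env() {
  dir=$1
  db_pw=$(gen_hex_secret)    # MYSQL_PASSWORD on database, SPRING_DATASOURCE_PASSWORD on engine and admin
  prop_pw=$(gen_hex_secret)  # the file above uses one value for the proxy and the Token Server
  (
    umask 077  # the files hold every secret of the installation: owner-only
    {
      echo "MYSQL_ROOT_PASSWORD=$(gen_hex_secret)"
      echo "MYSQL_PASSWORD=$db_pw"
    } > "$dir/database.env"
    {
      echo "SPRING_DATASOURCE_PASSWORD=$db_pw"
      echo "DATABASE_ENCRYPTION_PASSWORD=$(gen_hex_secret)"
      echo "TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=$prop_pw"
    } > "$dir/token-server.env"
    {
      echo "SECURITY_PROXY_COMMON_PROPERTY_ENCRYPTION_PASSWORD=$prop_pw"
      echo "SECURITY_PROXY_CACHE_ENCRYPTION_PASSWORD=$(gen_hex_secret)"
    } > "$dir/proxy.env"
  )
}

# Count the lines of file $1 that still contain one of the example secrets
# printed in the documentation (a prefix is enough to identify each of them).
leftover_example_secrets() {
  grep -c -E '3c0b5011a68bfad5|af7a5b7a0d7b858a|febc2bce3d4e7082|bc6928048afd11ab|WeerM68pac7fjrnK' "$1" || true
}

# Usage: sh gen-onegini-secrets.sh /etc/onegini
if [ "${1:-}" != "" ]; then
  write_secret_env "$1"
  ls -l "$1"/database.env "$1"/token-server.env "$1"/proxy.env
  if [ -f "$1/docker-compose.yml" ]; then
    echo "lines with example secrets left in $1/docker-compose.yml: $(leftover_example_secrets "$1/docker-compose.yml")"
  fi
fi
```

To use the generated files, delete the corresponding literal lines from the environment lists and add env_file: with the matching file (token-server.env for engine and admin, database.env for database, proxy.env for proxy) to each service. Entries under environment: take precedence over env_file:, so a forgotten literal would silently win; leftover_example_secrets is there to catch exactly that before the first start.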
Configure Token Server via Docker Compose environment variables
The Onegini Token Server uses Docker Compose environment variables to manage application properties. You can find all properties that can be configured in the Properties section of the Token Server documentation.
For example, consider the following environment variable as described in the docs:

Environment variable | Default | Example | Description
---|---|---|---
TOKEN_SERVER_ADMIN_GENERAL_PUBLIC_URL | | /onegini/admin | URL to which the user is redirected after successful logout.

To configure this Token Server Admin property with the example value, add the following line to the environment section of the admin service in the docker-compose file:

```yaml
  admin:
    ...
    environment:
      - TOKEN_SERVER_ADMIN_GENERAL_PUBLIC_URL=/onegini/admin
    ...
```

Note: Properties common to the Admin and the Engine must be provided to both Docker Compose services (admin and engine), with identical values. Not all properties are mandatory; many have default values.
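The note above is easy to get wrong by hand once the file has grown. As an added example, not code from the Onegini documentation, this shell script extracts the environment list of each service from a Compose file and reports properties that the engine sets but admin lacks or sets differently, and properties admin sets that the engine lacks. It assumes the two-space indentation used in the file above, treats JAVA_OPTS as service-specific, and assumes (a naming convention, not something the documentation states) that admin-only properties start with TOKEN_SERVER_ADMIN_; the embedded sample Compose file is constructed for the demonstration and contains two deliberate inconsistencies.

```shell
#!/bin/sh
# check-common-props.sh: added example, not part of the Onegini documentation.
# Reports Token Server properties that engine and admin do not agree on.
# Assumes the two-space indentation of the docker-compose.yml above, treats
# JAVA_OPTS as service-specific and assumes (naming convention, not stated by
# the documentation) that admin-only properties start with TOKEN_SERVER_ADMIN_.
set -eu

# Print the KEY=VALUE environment entries of service $2 in compose file $1.
service_env() {
  awk -v svc="$2" '
    /^  [A-Za-z0-9_.-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); inenv = 0; next }
    cur == svc && /^    environment:[ \t]*$/ { inenv = 1; next }
    cur == svc && inenv && /^      - [A-Za-z_][A-Za-z0-9_]*=/ { sub(/^      - /, ""); print; next }
    cur == svc && inenv && /^    [A-Za-z_]+:/ { inenv = 0 }
  ' "$1"
}

# Compare service $2 against service $3 in compose file $1: prints
# "MISSING KEY" for a key set in $2 but not in $3 and "DIFFERS KEY" when both
# set it to different values. Keys matching regex $4 are ignored.
compare_env() {
  skip=${4:-'^$'}
  { service_env "$1" "$2" | sed 's/^/A /'; service_env "$1" "$3" | sed 's/^/B /'; } |
  awk -v skip="$skip" '
    { side = $1; line = substr($0, 3); eq = index(line, "=")
      k = substr(line, 1, eq - 1); v = substr(line, eq + 1) }
    side == "A" { a[k] = v; next }
    side == "B" { b[k] = v }
    END {
      for (k in a) {
        if (k ~ skip) continue
        if (!(k in b)) print "MISSING " k
        else if (a[k] != b[k]) print "DIFFERS " k
      }
    }' | sort
}

# Every engine property must be on admin with the same value; every admin
# property that is not admin-specific must be on the engine. One finding per
# line; empty output means the two services are consistent.
check_common_props() {
  compare_env "$1" engine admin '^JAVA_OPTS$' | sed 's/^/admin /'
  compare_env "$1" admin engine '^(JAVA_OPTS|TOKEN_SERVER_ADMIN_)' | grep '^MISSING' | sed 's/^/engine /' || true
}

# Constructed sample for the demonstration: a trimmed copy of the file above
# with two deliberate mistakes, admin lacks SPRING_FLYWAY_ENABLED and uses a
# different DATABASE_ENCRYPTION_PASSWORD.
write_sample_compose() {
  cat > "$1" <<'EOF'
version: "2"
services:
  engine:
    image: release.onegini.com/onegini/token-server-engine:<TOKEN_SERVER_VERSION>
    environment:
      # Java options
      - JAVA_OPTS=-Xms512m -Xmx512m
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=example-only
      - DATABASE_ENCRYPTION_PASSWORD=engine-value
      - SPRING_FLYWAY_ENABLED=true
    ports:
      - 8080
  admin:
    image: release.onegini.com/onegini/token-server-admin:<TOKEN_SERVER_VERSION>
    environment:
      - JAVA_OPTS=-Xms256m -Xmx256m
      - TOKEN_SERVER_COMMON_PROPERTY_ENCRYPTION_PASSWORD=example-only
      - DATABASE_ENCRYPTION_PASSWORD=admin-value
      - TOKEN_SERVER_ADMIN_LDAP_BASE_DN=dc=onegini,dc=com
networks:
  overlay:
    driver: bridge
EOF
}

# Usage: sh check-common-props.sh /etc/onegini/docker-compose.yml
if [ "${1:-}" != "" ]; then
  findings=$(check_common_props "$1")
  if [ -n "$findings" ]; then printf '%s\n' "$findings"; exit 1; fi
  echo "engine and admin environments are consistent"
fi
```

Run it against /etc/onegini/docker-compose.yml after every edit; a non-zero exit with the findings listed means one of the two services would start with a different view of the database, the encryption passwords or the Redis configuration than the other.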
Start the Token Server
Now it is time to start the Token Server:

$ docker-compose -f /etc/onegini/docker-compose.yml up -d

Open a browser and go to http://<SERVER IP>/admin. You can now log in as admin, operator or helpdesk; for each of these accounts the password is the same as the username. These accounts are served by the ldap service, which runs the apacheds:dummy test image, so do not leave them in place on an installation that other machines can reach.
Next steps
To customise your installation please have a look at the configuration section.