Setup Access Manager lab using plain docker


I wanted to play around with AM version 5, so I needed to set up a lab. Of course, the easiest way would be to set up the appliance, but since the latest versions also support containers, I said to myself, “Why not”, and started installing a Linux server with Docker.

I got my Docker server set up and then faced another issue: Access Manager is supported on the Kubernetes container orchestrator, not on a plain Docker installation.

I don’t know much about Docker and almost nothing about Kubernetes, but I was convinced that there must be a way to run AM containers without Kubernetes. So, I dug into the provided Helm charts.

Actually, reading the charts was not that hard, and eventually I compiled a list of commands which I could use to spawn a simple AM lab. As mentioned previously, I'm no Kubernetes or Docker expert, so I might have missed something, but for now my lab works.

Prerequisites

My choice of poison was Ubuntu 20.04.3, currently the latest LTS version.

To avoid filling the OS disk with my tests, I mounted two additional data disks to the server: one for /var/lib/docker (Docker images can take quite some disk space) and the other as a Docker data disk mounted at /media/dockerdata.

Docker was installed using the official installation instructions from the Docker site: https://docs.docker.com/engine/install/ubuntu/.
Note that, as with a supported Kubernetes setup, all the AM containers we will create run using host networking (https://docs.docker.com/network/host/), so they share the host's IP address and ports.

Get AM docker images

Disclaimer: If you want to play with AM, you need to own an Access Manager license. Maybe you can also request an evaluation license, but I cannot find that option on the existing Micro Focus web site (it was quite easy with the old NetIQ web…).

There are two ways of getting the AM Docker images. One is using the docker pull command; the other is to manually download the Access Manager Docker images from the Micro Focus SLD (file AM_501_Containers.tar.gz) and then load them into Docker using the command

docker load --input AM_501_Containers.tar.gz

I decided on the first.

The link to the Docker Hub repositories is stored in the Helm chart's values.yaml file and points to https://hub.docker.com/u/mfaccess. There you can find all images with their current tags, but to keep it simple, run the following commands (to get AM 5.0.1):

docker pull mfaccess/am-edir:9.2.4.0
docker pull mfaccess/am-ac:5.0.1.0-147
docker pull mfaccess/am-idp:5.0.1.0-147
docker pull mfaccess/am-ag:5.0.1.0-147

After they are downloaded, we can check the locally stored images:

root@gnl-docker-am1:/media/dockerdata/am# docker image ls
REPOSITORY              TAG           IMAGE ID       CREATED        SIZE
mfaccess/am-ac          5.0.1.0-147   ec2fbcdd26d1   3 months ago   1.26GB
mfaccess/am-ag          5.0.1.0-147   f6b9f134b452   3 months ago   1.31GB
mfaccess/am-idp         5.0.1.0-147   5da6c15e5c18   3 months ago   1.24GB
mfaccess/am-edir        9.2.4.0       68e253e35cbf   9 months ago   636MB

For each image you can see the repository (e.g. mfaccess/am-ag) and tag (e.g. 5.0.1.0-147). This information will be used later when running the actual containers (with the docker run command).

Note: If you download the images from SLD and import them into Docker, the images will have a different repository name (the IMAGE ID is still the same):

root@gnl-docker-am1:/media/dockerdata/am# docker image ls
REPOSITORY                                                         TAG           IMAGE ID       CREATED        SIZE
security-accessmanager-docker.btpartifactory.swinfra.net/am-ac     5.0.1.0-147   ec2fbcdd26d1   3 months ago   1.26GB
security-accessmanager-docker.btpartifactory.swinfra.net/am-ag     5.0.1.0-147   f6b9f134b452   3 months ago   1.31GB
security-accessmanager-docker.btpartifactory.swinfra.net/am-idp    5.0.1.0-147   5da6c15e5c18   3 months ago   1.24GB
security-accessmanager-docker.btpartifactory.swinfra.net/am-edir   9.2.4.0       68e253e35cbf   9 months ago   636MB

You can either retag the images (docker tag) to the Docker Hub names or use the SLD names in the docker run commands below.
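As an added example (not from the original post), here is a small shell helper for the retag option: it derives the Docker Hub name from the SLD repository name shown in the listing above and adds it as an extra tag, so the docker run commands later in the post work unchanged. The registry prefix is the one from the listing; the DOCKER variable is my own addition so the commands can be previewed with DOCKER=echo before anything is changed.

```shell
# Retag images loaded from the SLD tarball to the Docker Hub names used by the
# docker run commands in this post. Added example, not part of the original post.

SLD_PREFIX="security-accessmanager-docker.btpartifactory.swinfra.net"   # from the listing above
HUB_PREFIX="mfaccess"
DOCKER="${DOCKER:-docker}"   # assumption (my own knob): set DOCKER=echo for a dry run

# hub_name <repo:tag> -> prints the same image under the Docker Hub repository name.
# Names that do not start with the SLD prefix are printed unchanged.
hub_name() {
  case "$1" in
    "$SLD_PREFIX"/*)
      rest=${1#"$SLD_PREFIX"/}
      printf '%s/%s\n' "$HUB_PREFIX" "$rest" ;;
    *)
      printf '%s\n' "$1" ;;
  esac
}

# retag_all: read "repo:tag" names (one per line) from stdin and add the hub
# name as an extra tag; the SLD tag stays, so nothing is lost if a name is wrong.
retag_all() {
  while IFS= read -r src; do
    [ -n "$src" ] || continue
    dst=$(hub_name "$src")
    [ "$dst" != "$src" ] || continue     # already a hub name, nothing to do
    "$DOCKER" tag "$src" "$dst"
  done
}

# Usage (feeds the SLD images from the listing above into retag_all):
# docker image ls --format '{{.Repository}}:{{.Tag}}' | grep "^$SLD_PREFIX/" | retag_all
```

Run it once with DOCKER=echo to see the four docker tag commands it would issue, then without it; afterwards docker image ls shows each IMAGE ID under both names.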

Set up helper variables and prepare persistent DATA folders

Each Docker container needs persistent data. Deploying AM using Kubernetes creates persistent volumes, but for the simple Docker deployment I used folders in /media/dockerdata.

We also need to set up helper variables. These store the AM admin username and password, and the Docker host's IP address, which will be used for all AM components (remember, the containers run using host networking).

Keep in mind that the AM administrator username and password must conform to the conditions described in the documentation (https://www.microfocus.com/documentation/access-manager/5.0/install_upgrade/planning-access-manager-on-k8s.html#username-password):

adminuser="am-admin"
adminpwd="Sup3rS3cr3tPassw0rd!"
hostip=10.10.2.166
edirstorage="/media/dockerdata/am/data-edir" # eDirectory container storage folder
acstorage="/media/dockerdata/am/data-ac" # Admin Console container storage folder
idpstorage="/media/dockerdata/am/data-idp" # Identity Server container storage folder
agstorage="/media/dockerdata/am/data-agw" # Access Gateway container storage folder
timezonestorage="/media/dockerdata/am/timezone" # Timezone storage folder (used by all containers)

The AM administrator username and password are passed to each container through files in the <storage>/config/secret folder (eDirectory reads admin_password directly from the root of its storage folder).

Create the folder structure and the "secret" files by running the following commands:

mkdir -p "${timezonestorage}"
cp /etc/localtime "${timezonestorage}/"
mkdir -p "${edirstorage}"
echo "${adminpwd}" > "${edirstorage}/admin_password"
for secretpath in "${acstorage}/config/secret" "${idpstorage}/config/secret" "${agstorage}/config/secret"; do
    mkdir -p "${secretpath}"
    echo "${adminuser}" > "${secretpath}/admin_name"
    echo "${adminpwd}" > "${secretpath}/admin_password"
done

Note: The files with the administrator username and password are automatically removed after the container is configured.
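The commands above write the admin password to disk with whatever the current umask allows, and the files sit there until the container has consumed them. As an added example (not part of the original post), the functions below build the same folder structure but create each secret file readable only by its owner, and include a check you can run before starting the containers. They take the paths as arguments, so they can be tried against a scratch directory first; the function names and the check_secret helper are my own.

```shell
# Create the per-container secret files with least-privilege file modes and
# verify the result. Added example, not part of the original post; same layout
# as the mkdir/echo commands above, with the paths passed as arguments.

# write_secret <dir> <name> <value>: create <dir>/<name> readable only by its
# owner, written with a trailing newline like the echo commands above. The umask
# is applied before the file exists, so the secret is never world-readable,
# not even briefly.
write_secret() {
  local dir="$1" name="$2" value="$3"
  mkdir -p "$dir"
  ( umask 077 && printf '%s\n' "$value" > "$dir/$name" )
}

# prepare_secrets <adminuser> <adminpwd> <edirstorage> <storage>...: the folder
# structure from the post: admin_password at the root of the eDirectory storage,
# admin_name and admin_password under config/secret for every other component.
prepare_secrets() {
  local adminuser="$1" adminpwd="$2" edirstorage="$3"
  shift 3
  write_secret "$edirstorage" admin_password "$adminpwd"
  for storage in "$@"; do
    write_secret "$storage/config/secret" admin_name "$adminuser"
    write_secret "$storage/config/secret" admin_password "$adminpwd"
  done
}

# check_secret <file> <expected>: returns 0 only if the file holds exactly the
# expected value and grants no permission to group or others.
check_secret() {
  local file="$1" expected="$2" mode
  [ -f "$file" ] || return 1
  [ "$(cat "$file")" = "$expected" ] || return 1
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")   # GNU, then BSD stat
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage with the variables from the post (ownership is not changed here; the
# chown for the eDirectory storage still follows in the next section):
# prepare_secrets "$adminuser" "$adminpwd" "$edirstorage" "$acstorage" "$idpstorage" "$agstorage"
# check_secret "$acstorage/config/secret/admin_password" "$adminpwd" && echo ok
```

If a container cannot read its secret because its process runs under a different uid than the file owner, chown the config/secret folder to that uid (as the post does for eDirectory with 35753) rather than loosening the file mode.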

Running containers

Some containers depend on others. For example, the Admin Console container needs a working eDirectory container. Likewise, the Identity Server needs a working Admin Console on its first run, or it will not be able to register itself. The same goes for the Access Gateway.

Kubernetes takes care of those requirements (they are described in the Helm chart), but since we are using plain Docker, it is very important that you do not spawn a new container until the previous one is fully initialized.
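Rather than watching docker logs by hand between each step, the ordering can be enforced with a small wait loop. The function below is an added example (not from the original post): it re-reads a container's log until the completion marker that the post shows for that component appears, or gives up after a timeout. The marker strings are copied from the log excerpts later in the post; the function name and the timeout defaults are my own.

```shell
# Sequence the containers instead of starting them by hand: poll the container
# log for the completion marker shown in this post for each component and only
# return once it appears. Added example, not part of the original post.

# wait_for_marker <log command> <marker> [timeout seconds] [poll interval]:
# returns 0 once the marker text shows up in the command's output, 1 on timeout.
# The log command is a plain string so "docker logs nam-d-edir1" can be passed
# as one argument; it is re-run on every poll so newly written lines are seen.
wait_for_marker() {
  local logcmd="$1" marker="$2" timeout="${3:-1800}" interval="${4:-10}" waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if $logcmd 2>&1 | grep -qF -- "$marker"; then
      return 0
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
  echo "timed out after ${timeout}s waiting for: $marker" >&2
  return 1
}

# Completion markers taken from the log excerpts in this post.
EDIR_DONE="is successfully configured."      # eDirectory: ndsconfig finished
AM_DONE="Installation is complete."          # Admin Console, Identity Server, Access Gateway

# Usage, placed between the docker run commands from the sections below:
#   docker run ... mfaccess/am-edir:9.2.4.0 new ...
#   wait_for_marker "docker logs nam-d-edir1" "$EDIR_DONE" || exit 1
#   docker run ... mfaccess/am-ac:5.0.1.0-147
#   wait_for_marker "docker logs nam-d-ac1" "$AM_DONE" || exit 1
#   docker run ... mfaccess/am-idp:5.0.1.0-147
#   wait_for_marker "docker logs nam-d-idp1" "$AM_DONE" || exit 1
```

The marker only tells you that the container finished its own installation. For the Identity Server and the Access Gateway the post additionally waits until the device shows up as imported in the Admin Console, which this loop cannot observe, so keep that manual check before starting the next component.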

Spawn eDirectory container

Based on the AM Helm charts, all files and folders in the eDirectory storage also need their owner set to nds:nds (UID/GID 35753, the user the container runs as), so we need to update ownership before spawning the container:

chown -R 35753:35753 ${edirstorage}

To run the eDirectory container, execute the following command:

docker run \
--detach --restart=always \
--cap-drop=ALL \
--cap-add=CHOWN --cap-add=KILL --cap-add=FOWNER --cap-add=DAC_OVERRIDE --cap-add=SETGID --cap-add=SETUID --cap-add=AUDIT_WRITE --cap-add=NET_BIND_SERVICE \
--network=host \
--add-host="nam-d-edir1:${hostip}" --add-host="nam-d-ac1:${hostip}" --add-host="nam-d-idp1:${hostip}" --add-host="nam-d-agw1:${hostip}" \
--name=nam-d-edir1 --hostname=nam-d-edir1 \
--volume=${timezonestorage}/localtime:/etc/localtime \
--volume=${edirstorage}:/config/eDirectory \
--env admin_name=${adminuser} \
--env ac_ip=${hostip} \
--env NDSD_DISABLE_CRL_CONFIG=1 \
--user=35753:35753 \
mfaccess/am-edir:9.2.4.0 \
new -t gnl-am-tree -n o=novell -S nam-d-edir1 -B ${hostip}@524 -o 8028 -O 8030 -L 389 -l 636 -a cn=${adminuser}.o=novell -w file:/config/eDirectory/admin_password --configure-eba-now no

Running it automatically creates a new eDirectory tree by running the ndsconfig new command (the arguments after the image name, such as the tree name gnl-am-tree and the admin DN, are passed to it).
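The run command starts from --cap-drop=ALL and adds back only eight capabilities, which is the main thing keeping these host-networked containers in check. As an added example (not part of the original post), the functions below read the capability settings back from a running container with docker inspect and compare them against that list, so a later edit of the command, or a container restarted with different flags, is caught. The expected list is copied from the --cap-add flags above; the function names are my own.

```shell
# Verify that a running container kept the reduced capability set the docker
# run command asked for (everything dropped, eight added back). Added example,
# not part of the original post; the expected list is copied from the
# --cap-add flags above.

AM_CAPS="CHOWN KILL FOWNER DAC_OVERRIDE SETGID SETUID AUDIT_WRITE NET_BIND_SERVICE"

# json_list_to_words: turn a JSON array of strings such as ["CHOWN","KILL"] (the
# shape docker inspect prints with {{json ...}}) into one word per line. A JSON
# null (no capabilities set at all) becomes an empty result.
json_list_to_words() {
  printf '%s' "$1" | sed -e 's/^null$//' -e 's/[][" ]//g' | tr ',' '\n' | sed '/^$/d'
}

# caps_equal <json array> <expected words>: 0 only when the two sets match
# exactly, so both a missing capability and an extra one (e.g. SYS_ADMIN
# sneaking in) fail the check.
caps_equal() {
  local got want
  got=$(json_list_to_words "$1" | sort -u)
  want=$(printf '%s\n' $2 | sort -u)   # $2 unquoted on purpose: split into words
  [ "$got" = "$want" ]
}

# audit_caps <container>: read CapDrop/CapAdd from the live container, print a
# one-line verdict and return non-zero if either differs from the post's setup.
audit_caps() {
  local name="$1" dropped added
  dropped=$(docker inspect --format '{{json .HostConfig.CapDrop}}' "$name") || return 2
  added=$(docker inspect --format '{{json .HostConfig.CapAdd}}' "$name") || return 2
  if caps_equal "$dropped" "ALL" && caps_equal "$added" "$AM_CAPS"; then
    echo "$name: capability set as expected"
  else
    echo "$name: UNEXPECTED capabilities (drop=$dropped add=$added)" >&2
    return 1
  fi
}

# Usage, once the container from the command above is up (the same check applies
# to nam-d-ac1, nam-d-idp1 and nam-d-agw1, which use the identical flags):
# audit_caps nam-d-edir1
```

Note that the check reads the container's HostConfig, i.e. what was requested at docker run time; it does not replace looking at the effective capability bounding set of the processes inside the container, but it is enough to notice a run command that drifted from the one in this post.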

To see the installation progress, run:

docker logs -f nam-d-edir1

The installation is done when you see something like:

Configuring NMAS service... Done
Configuring SecretStore... Done
Configuring HTTP Server with default SSL CertificateDNS certificate... Done
Configuring LDAP Server with default SSL CertificateDNS certificate... Done
The instance at /config/eDirectory/inst/conf/nds.conf is successfully configured.
Creating version file...done
done
Press ctrl+p ctrl+q to continue. This would detach you from the container.

Spawn Admin Console container

To run the Admin Console container, execute the following command:

docker run \
--detach \
--restart=always \
--cap-drop=ALL \
--cap-add=CHOWN --cap-add=KILL --cap-add=FOWNER --cap-add=DAC_OVERRIDE --cap-add=SETGID --cap-add=SETUID --cap-add=AUDIT_WRITE --cap-add=NET_BIND_SERVICE \
--network=host \
--add-host="nam-d-edir1:${hostip}" --add-host="nam-d-ac1:${hostip}" --add-host="nam-d-idp1:${hostip}" --add-host="nam-d-agw1:${hostip}" \
--name=nam-d-ac1 --hostname=nam-d-ac1 \
--volume=${timezonestorage}/localtime:/etc/localtime \
--volume=${edirstorage}:/var/opt/novell/eDirectory \
--volume=${acstorage}/logs/tomcat:/var/opt/novell/nam/logs/adminconsole/tomcat \
--volume=${acstorage}/logs/volera:/var/opt/novell/nam/logs/adminconsole/volera \
--volume=${acstorage}/logs/configuration:/tmp/novell_access_manager \
--volume=${acstorage}/logs/syslog:/var/opt/novell/syslog \
--volume=${acstorage}/config/certs:/var/opt/novell/novlwww \
--volume=${acstorage}/config/iManager:/var/opt/novell/iManager/nps/WEB-INF/config \
--volume=${acstorage}/config/secret:/opt/novell/nam/docker/secret \
--volume=${acstorage}/config/data:/opt/novell/nam/adminconsole/data \
--volume=${acstorage}/config/default_files:/opt/novell/nam/default_configfiles_productbackup \
--volume=${acstorage}/custom/other_customization:/opt/novell/nam/docker/custom_volume \
--env ac_ip=${hostip} \
mfaccess/am-ac:5.0.1.0-147

To see the installation progress, run:

docker logs -f nam-d-ac1

The installation is done when you see something similar to:

For information regarding this installation check the log file directory at /tmp/novell_access_manager.
Installation is complete.
Press ctrl+p ctrl+q to continue. This would detach you from the container.

Now you can log into the Admin Console using the URL https://10.10.2.166:2443/nps (10.10.2.166 is the host IP of my Docker server).

Spawn Identity Server container

To run the Identity Server container, execute the following command:

docker run \
--detach --restart=always \
--cap-drop=ALL \
--cap-add=CHOWN --cap-add=KILL --cap-add=FOWNER --cap-add=DAC_OVERRIDE --cap-add=SETGID --cap-add=SETUID --cap-add=AUDIT_WRITE --cap-add=NET_BIND_SERVICE \
--network=host \
--add-host="nam-d-edir1:${hostip}" --add-host="nam-d-ac1:${hostip}" --add-host="nam-d-idp1:${hostip}" --add-host="nam-d-agw1:${hostip}" \
--name=nam-d-idp1 --hostname=nam-d-idp1 \
--volume=${timezonestorage}/localtime:/etc/localtime \
--volume=${idpstorage}/config/jcc:/opt/novell/devman/jcc/conf/runtime \
--volume=${idpstorage}/config/certs:/opt/novell/devman/jcc/certs \
--volume=${idpstorage}/config/nidp:/opt/novell/nids/lib/webapp/WEB-INF/conf/runtime \
--volume=${idpstorage}/config/syslog:/opt/novell/syslog \
--volume=${idpstorage}/config/plugins:/opt/novell/nam/idp/plugins \
--volume=${idpstorage}/config/secret:/opt/novell/nam/docker/secret \
--volume=${idpstorage}/config/default_files:/opt/novell/nam/default_configfiles_productbackup \
--volume=${idpstorage}/logs/tomcat:/var/opt/novell/nam/logs/idp/tomcat \
--volume=${idpstorage}/logs/nidp:/var/opt/novell/nam/logs/idp/nidplogs \
--volume=${idpstorage}/logs/jcc:/opt/novell/devman/jcc/logs \
--volume=${idpstorage}/logs/custom:/opt/novell/nam/docker/log_volume \
--volume=${idpstorage}/logs/configuration:/tmp/novell_access_manager \
--volume=${idpstorage}/logs/syslog:/var/opt/novell/syslog \
--volume=${idpstorage}/custom/other_customization:/opt/novell/nam/docker/custom_volume \
--volume=${idpstorage}/custom/lists:/opt/novell/nam/docker/lists/runtime \
--env ac_ip=${hostip} \
mfaccess/am-idp:5.0.1.0-147

To see the installation progress, run:

docker logs -f nam-d-idp1

The installation is done when you see something similar to:

For information regarding this installation check the log file directory at /tmp/novell_access_manager.
To configure the installed service, log into the Administration Console at https://10.10.2.166:8443/nps using the user ID "am-admin".
Installation is complete.
Press ctrl+p ctrl+q to continue. This would detach you from the container.

As you can see, the Admin Console URL’s port mentioned in the output is wrong (it should be 2443, not 8443), but I assume this is just a hardcoded message in the installation scripts.

Now log into the Admin Console and wait until you see the Identity Server imported. Be patient, since it might take some time.

Spawn Access Gateway container

To run the Access Gateway container, execute the following command:

docker run \
--detach --restart=always \
--cap-drop=ALL \
--cap-add=CHOWN --cap-add=KILL --cap-add=FOWNER --cap-add=DAC_OVERRIDE --cap-add=SETGID --cap-add=SETUID --cap-add=AUDIT_WRITE --cap-add=NET_BIND_SERVICE \
--network=host \
--add-host="nam-d-edir1:${hostip}" --add-host="nam-d-ac1:${hostip}" --add-host="nam-d-idp1:${hostip}" --add-host="nam-d-agw1:${hostip}" \
--name=nam-d-agw1 --hostname=nam-d-agw1 \
--volume=${timezonestorage}/localtime:/etc/localtime \
--volume=${agstorage}/config/jcc:/opt/novell/devman/jcc/conf/runtime \
--volume=${agstorage}/config/jcc_certs:/opt/novell/devman/jcc/certs \
--volume=${agstorage}/config/esp:/opt/novell/nesp/lib/webapp/WEB-INF/conf/runtime \
--volume=${agstorage}/config/agm:/opt/novell/nam/mag/webapps/agm/WEB-INF/conf/runtime \
--volume=${agstorage}/config/apache_cacerts:/etc/opt/novell/apache2/conf/cacerts \
--volume=${agstorage}/config/apache_certs:/etc/opt/novell/apache2/conf/certs \
--volume=${agstorage}/config/apache_clientcerts:/etc/opt/novell/apache2/conf/clientcerts \
--volume=${agstorage}/config/cache:/var/cache/novell-apache2 \
--volume=${agstorage}/config/syslog:/opt/novell/syslog \
--volume=${agstorage}/config/apache_current:/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current \
--volume=${agstorage}/config/apache_conf:/opt/novell/nam/mag/webapps/agm/WEB-INF/config/apache2 \
--volume=${agstorage}/config/secret:/opt/novell/nam/docker/secret \
--volume=${agstorage}/config/default_files:/opt/novell/nam/default_configfiles_productbackup \
--volume=${agstorage}/logs/custom:/opt/novell/nam/docker/log_volume \
--volume=${agstorage}/logs/tomcat:/var/opt/novell/nam/logs/mag/tomcat \
--volume=${agstorage}/logs/nesp:/var/opt/novell/nam/logs/mag/nesp/nidplogs \
--volume=${agstorage}/logs/amlogging:/var/opt/novell/amlogging/logs \
--volume=${agstorage}/logs/jcc:/var/opt/novell/nam/logs/jcc \
--volume=${agstorage}/logs/apache2:/var/log/novell-apache2 \
--volume=${agstorage}/logs/activemq:/var/log/activemq \
--volume=${agstorage}/logs/proxylogs:/var/log/novell/reverse \
--volume=${agstorage}/logs/configuration:/tmp/novell_access_manager \
--volume=${agstorage}/logs/syslog:/var/opt/novell/syslog \
--volume=${agstorage}/custom/other_customization:/opt/novell/nam/docker/custom_volume \
--volume=${agstorage}/custom/lists:/opt/novell/nam/docker/lists/runtime \
--env ac_ip=${hostip} \
mfaccess/am-ag:5.0.1.0-147

To see the installation progress, run:

docker logs -f nam-d-agw1

The installation is done when you see something similar to:

For information regarding this installation check the log file directory at /tmp/novell_access_manager.
To configure the installed service, log into the Administration Console at https://10.10.2.166:8443/nps using the user ID "am-admin".
Installation is complete.
Press ctrl+p ctrl+q to continue. This would detach you from the container.

As you can see, the Admin Console port is wrong here, too.

Now log into the Admin Console and wait until you see the Access Gateway imported. Again, it might take some time.

It might happen that even after a few minutes the Access Gateway is not properly imported and you see something similar in the Admin Console.

I observed that a few times, and even when I left it overnight, it never recovered. This could be a consequence of our unsupported environment (most likely), or a bug in the Access Gateway’s installation script.

Either way, this is how I fixed it.

First of all, do not click the “Repair Import” link. Instead, run the following command, which is the second part of the reimport retry process (https://www.microfocus.com/documentation/access-manager/5.0/install_upgrade/b5wvz2g.html#by11lto):

docker exec -it -w /opt/novell/devman/jcc/ nam-d-agw1 bash conf/reimport_ags.sh agm

To the first question respond with I (initial configuration), then provide the admin LDAP DN (e.g. cn=am-admin,o=novell) and password. Wait a few minutes and the Access Gateway will be imported.

Conclusion

I have not played much with my lab setup (yet), but for now it looks like it is working.

But please keep in mind that this setup is useful for lab/test purposes and absolutely not for production. And of course, it is probably not supported by MF.
