IAM appliance - iam-app-czechidm

RPM package with CzechIdM identity manager support.

This package depends on the iam-czechidm-db service. The IdM authenticates users using the iam-cas service.

This package is built "the usual way" using bcv-rpmbuild container.

Service

This RPM adds the iam-czechidm service into the IAM appliance.

Directories on the appliance disk

  • /data/volumes/czechidm/backup - Groovy scripts backups exported from IdM

  • /data/volumes/czechidm/data - attachments and other files that the IdM uses

  • /data/volumes/czechidm/frontend-config - configuration of app frontend, used for customizations

  • /data/volumes/czechidm/frontend-modules - frontend modules, used for customizations

  • /data/volumes/czechidm/frontend-src - overrides for app frontend

  • /data/volumes/czechidm/modules - additional backend modules

  • /data/volumes/czechidm/secrets - DB passwords, the JWT token and encryption keys are stored here. Passwords are generated automatically during the package %post phase if they don’t already exist.

  • /data/volumes/czechidm/application.properties.d - supplementary application properties are stored here. Filenames must end with .properties to be considered.

  • /data/volumes-shared/cacerts - trusted certificates to import into Java truststore upon application start

  • /data/logs/czechidm - logs

    • This directory has to have correct SELinux labels. The RPM package handles that in its %post phase by executing semanage fcontext ….

Configuration files

  • /data/registry/node-active-config/docker-compose-czechidm.yml - container compose file

  • /etc/rsyslog.d/10_czechidm.conf - syslog configuration for the container to send logs to dedicated files on the filesystem

  • /etc/logrotate.d/czechidm - logrotate configuration

Controlling the service

  • The systemd unit is located in /usr/lib/systemd/system/iam-czechidm.service, so the commands systemctl start/stop/enable/disable work as expected.

  • Starting the service calls docker-compose … up, which starts/creates/recreates the container as needed.

Dependencies

  • The service requires iam-czechidm-db and iam-cas to function properly.

Kinks and quirks

  • Java sizing is done in the compose file.

  • After fresh install, it is necessary to edit the compose file and:

    • Set CZECHIDM_ALLOWED_ORIGINS to a hostname which users will use to access the application. See appliance docs for details.

    • Set CZECHIDM_CAS_URL and CZECHIDM_CAS_IDM_URL so the IdM knows where the CAS is running and that it has proper identification.

      When setting those parameters:

      • Change http to https.

      • Change localhost to the correct service hostname.

      • Keep all slashes / as they are.
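As an added example (not part of the iam-app-czechidm package), the following POSIX shell check reads the three settings from the compose file and flags exactly the mistakes listed above: a missing value, an http scheme, or a URL/origin still pointing at localhost. It assumes the compose file carries the settings under `environment:` as `- KEY=value` or `KEY: value` lines; the default path is the one from this README.

```shell
# Added example, not the package's own tooling. Path assumed from this README.
COMPOSE_FILE="${COMPOSE_FILE:-/data/registry/node-active-config/docker-compose-czechidm.yml}"

# Print the value of one environment variable from the compose file.
# Assumes the "- KEY=value" list form or the "KEY: value" map form; quotes are stripped.
compose_env_value() {
    # $1 = compose file, $2 = variable name
    sed -n -E "s/^[[:space:]]*(- )?$2[=:][[:space:]]*[\"']?([^\"'[:space:]]+)[\"']?[[:space:]]*$/\2/p" "$1" | head -n 1
}

# Validate one URL setting: must be set, must use https, must not point at localhost.
check_url() {
    # $1 = variable name, $2 = value; returns 0 when the value is acceptable
    case "$2" in
        "") echo "$1: not set"; return 1 ;;
        http://*) echo "$1: uses http, change it to https"; return 1 ;;
        https://localhost*|https://127.*) echo "$1: still points at localhost, set the real service hostname"; return 1 ;;
        https://*) return 0 ;;
        *) echo "$1: not an http(s) URL"; return 1 ;;
    esac
}

# Check all three settings in a compose file. Return value = number of failing settings.
check_compose() {
    f="$1"; failed=0
    origins=$(compose_env_value "$f" CZECHIDM_ALLOWED_ORIGINS)
    case "$origins" in
        ""|*localhost*) echo "CZECHIDM_ALLOWED_ORIGINS: unset or still contains localhost"; failed=$((failed + 1)) ;;
    esac
    for v in CZECHIDM_CAS_URL CZECHIDM_CAS_IDM_URL; do
        check_url "$v" "$(compose_env_value "$f" "$v")" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Run `check_compose "$COMPOSE_FILE"` after editing; a zero exit status means all three settings pass, otherwise each offending setting is printed.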