Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Installation

Podman

search

Please Note:

Podman

Prerequisites

This section provides details of the installation files and prerequisites required to deploy SafeNet Access Exchange in the Podman environment.

  • Database: DB for SafeNet Access Exchange should be created in advance with a user who has privileges over it.

  • Hostname: For a production ready installation, you need a machine with IP/hostname that can be used to contact SafeNet Access Exchange.

  • TLS Certificate and associated keys: For securing HTTPS traffic.

  • Podman and podman-compose must be installed on the machine.

Single Node Deployment

Single Node deployment may be used for testing environments as the setup is simple and easy to manage, making it suitable for development, testing, and small-scale deployments.

Deployment Steps

This section provides the instructions to deploy SafeNet Access Exchange as a single node in the Podman environment:

  1. Download the SafeNet Access Exchange zip file in your RHEL machine. It has SafeNet Access Exchange (SAE) image in tar format.

  2. Run following command to unzip the file:

    gunzip <FileName>.tar.gz

  3. Load the image using the following command:

    podman load -i <FileName>.tar

  4. You can view the image that you just loaded using following command:

    podman images

  5. Place the attached compose file in your RHEL machine.

    podman_compose.zip

  6. Make the following changes in the compose file:

    1. Replace the version with podman-compose version. You can identify it by running the following command in your RHEL machine:

      podman-compose --version

    2. Replace image ID in the compose file with the actual image ID of the SafeNet Access Exchange image that you just loaded. It can be found by using following command:

      podman images

    3. Under the volumes tag, make the following changes:

      • Replace certificate.pem with the certificate you use for securing the HTTPS traffic for SAE.

      • Replace privateKey.pem with the corresponding key of the certificate you are using.

      • Ensure that the path of above files is correct. For example, if your certificate is placed at the location /opt/sae/cert/cert.pem in your host machine, then the volume mount will look like: /opt/sae/cert/cert.pem:/opt/keycloak/conf/cert.pem:Z

      Note

      The certificate and key files path should be relative to the path of compose file.

    4. Under the environment tag, make the following changes:

      • Replace the value of KC_HOSTNAME from FQDN or IP of the SAE instance with the actual FQDN/IP that you will use to run SAE solution.

      • Replace the value of KEYCLOAK_ADMIN_PASSWORD from change_me with the password of admin user as per your choice.

      • Replace the value of KC_DB from mssql or mysql (as per your environment) with:

        • If you want to connect SAE with MSSQL, keep the value as mssql.

        • If you want to connect SAE with MySQL, keep the value as mysql.

      • Replace the value of KC_DB_URL from jdbc connection string with the jdbc connection string/URL that will be used to connect SAE with the database.

      • Replace dbUser and password with the database user and password details.

    5. Save the compose file.

    Note

    This is just a sample compose file. You can edit this or prepare your own compose file based on your organizational needs.

  7. Bring up the container by running:

    podman-compose up -d

  8. Check the details of container like container ID, image ID etc. by running following command:

    podman ps -a

    The status should be “UP”.

  9. To check the logs, you can run the following command:

    podman logs <containerID>

  10. Open the Windows machine and access the SafeNet Access Exchange instance by using https://(fqdn or IP OF SAE).

  11. Login using userID and password mentioned in the compose file.

You might face an issue while connecting to MSSQL database. This could be due to the following reasons:

  1. Container cannot load drivers to connect to the DB.

  2. By default, the image does not include the Microsoft JDBC driver for SQL server. You need to add the JDBC driver manually because it is a proprietary driver.

To resolve this issue, you can try the following approach:

  1. Download the JDBC connector jar file for MSSQL from the Microsoft website and place it in your RHEL machine.

  2. Manually, mount the connector in your container by editing the compose file. Add following line in compose file under the volumes tag:

    /path/to/jdbcConnector/<sampleconnector.jar>:/opt/keycloak/providers/<sampleconnector.jar>

  3. Ensure that the path of the above file is correct. For example, if your JDBC connector is placed at the location /opt/sae/jdbc/mssqlconnector.jar in your host machine, then the volume mount will look like: /opt/sae/jdbc/mssqlconnector.jar:/opt/keycloak/providers/mssqlconnector.jar.

High-Availability (HA) Cluster Deployment

High Availability (HA) deployment is typically associated with production environments. The goal of an HA deployment is to ensure that the system remains available and operational even in case of failures, such as hardware failures and network or other unexpected issues.

Deployment Steps

This section provides the instructions to deploy SafeNet Access Exchange as an HA Cluster in the Podman environment:

  1. Download the SafeNet Access Exchange zip file in your RHEL machine. The file contains SafeNet Access Exchange (SAE) image in .tar format.

  2. Run following command to unzip the file:

    gunzip <FileName>.tar.gz

  3. Run following command to load the SAE image:

    podman load -i <FileName>.tar

  4. Run following command to view the image that you just loaded:

    podman images

  5. Download and place the following zip package file in your RHEL machine:

    SAE-HA-Cluster.zip

  6. Make the following changes in the certs folder available in the package:

    • Replace the certificate file cert.pem with the certificate that you use to secure the HTTPS traffic for SafeNet Access Exchange.

    • Replace the private key privkey.pem with the corresponding key of the certificate that you are using.

    Uncomment the # NGINX Load Balancer section in podman-compose.yml to enable NGINX as the load balancer and use relative paths for the certificate and key files for HTTPS traffic. If you are using a physical load balancer and do not want to use NGINX as the load balancer, you can set up the SSL certificate on the physical load balancer for SSL offloading.

  7. In the podman-compose.yml file, replace the image ID with the actual image ID of the SafeNet Access Exchange image that you have just loaded. Run following command to find the image ID:

    podman images

  8. In the nginx.conf file, replace <KC_HOSTNAME> with the Fully Qualified Domain Name (FQDN) or IP address.

  9. Make the following changes in the .env file:

    • Replace <KC_HOSTNAME> with the actual Fully Qualified Domain Name (FQDN) or IP address of the SAE instance that you are setting up.

    • Replace <KEYCLOAK_ADMIN> with the admin username that you want to use for the SAE admin account.

    • Replace <KEYCLOAK_ADMIN_PASSWORD> with the SAE admin user's password.

    • Replace <KC_DB> from the MSSQL or MySQL (depending on your environment) with the following:

      • If you want to connect SAE with MSSQL, keep the value as mssql.

      • If you want to connect SAE with MySQL, keep the value as mysql.

    • Replace the value of <KC_DB_USERNAME> with the database username.

    • Replace the value of <KC_DB_PASSWORD> with the database password.

    • If you are using MSSQL, set the <KC_DB_URL> environment variable with the appropriate JDBC connection string/URL to connect Keycloak to the MSSQL database. For example, jdbc:sqlserver://mssql:1433;databaseName=master;encrypt=false;trustServerCertificate=true

    • If you are using MySQL, set the <KC_DB_URL_DATABASE> environment variable with the JDBC connection string/URL for connecting Keycloak to the MySQL database.

    • Save the .env file.

    Sample values for the environment variables for MySQL and MSSQL are also available in the .env file. If you do not want to use an external MySQL or MSSQL database, you can modify the configurations as per your requirement.

  10. Run following command to bring up the SAE container:

    podman-compose up -d

  11. Run following command to check status details of the SAE container, for example, container ID, image ID etc.:

    podman ps -a

    The status should be “UP”.

  12. Run following command to view the logs of a specific container:

    podman logs <containerID>

  13. On the Windows machine, access the SafeNet Access Exchange instance on a web browser using https://(FQDN or SAE IP).

  14. Login using the KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD credentials mentioned in the custom.env file.

Troubleshooting MSSQL Connectivity

If you encounter any issue while connecting to the MSSQL database, the following could be the possible causes:

  1. Missing Microsoft JDBC driver for SQL Server.

  2. Container is not able to load the database drivers to connect to the DB.

To resolve this issue, you can try the following approach:

  1. Download the JDBC connector jar file for MSSQL from the Microsoft website, rename it to mssqlconnector.jar, and place it in the downloaded package.

  2. Edit the compose file to manually mount the connector in your container. Under the volumes tag, uncomment the following line:

    # volumes:
    # - ./mssqlconnector.jar:/opt/keycloak/providers/mssqlconnector.jar

  3. Ensure that the path of the above file is correct. For example, if your JDBC connector is placed at the location /opt/sae/jdbc/mssqlconnector.jar in your host machine, the volume mapping should look like /opt/sae/jdbc/mssqlconnector.jar:/opt/keycloak/providers/mssqlconnector.jar.

On this page