Deployment Types
nevisIDM supports the two deployment types "standalone" and "wildfly". You can decide which one to use on instance creation:
Instance creation example
nevisidm inst create <instance> IDM_DEPLOY_TYPE=<selectedDeploymentType>
Remember to change the encryption key for encrypted properties when you install nevisIDM in a production environment (execute "nevisidm config" and look for nevisidm-prod.properties).
Standalone
The standalone deployment type uses an embedded container. There is no need to install a separate container. The standalone deployment type is available on Red Hat Enterprise Linux 7, SUSE Linux Enterprise Server 12 and the nevisAppliance.
Setup
Use the following command to create a standalone instance:
Instance creation example
nevisidm inst create <instance>
This command will create a new instance in the /var/opt/nevisidm/<instance> directory, with the following folder structure:
Type | Description | Default Location |
---|---|---|
config | The location of the configuration files. | /var/opt/nevisidm/<instance>/conf |
data | The location of the persistent files. | /var/opt/nevisidm/<instance>/data |
log | The location of the log files. | /var/opt/nevisidm/<instance>/log |
tmp | The location of the temporary files of the standalone embedded container. | /var/opt/nevisidm/<instance>/tmp |
Unlike the wildfly deployment, the standalone deployment does not support variable replacement on instance creation. Make such adjustments directly to the configuration file.
The following configuration files control the behavior of nevisIDM in the standalone deployment type:
| Configuration file | Deployment type | Remarks |
| --- | --- | --- |
| env.conf | all | Administration command and process environment. JAVA_HOME (optional): use the specified JRE/JDK; all other parameters should not be changed. JAVA_OPTS: JVM command-line options. |
| log4j.xml | all | Logging configuration |
| nevisidm-prod.properties | all | Application and server configuration |
The standalone mode does not yet support all commands. Currently, the following commands are supported:
- start
- stop
- status
- restart
- inst create
Environment configuration
As the first priority, nevisIDM uses the Java installation defined by the configuration property JAVA_HOME in the env.conf file. If the JAVA_HOME property is not set, the Java version as defined in the PATH environment variable is used.
To define the usage of a specific Java installation, we recommend setting the configuration property JAVA_HOME in the env.conf file:
Example
JAVA_HOME=/etc/alternatives/jre_1.8.0
Server configuration properties
You can configure the server settings of the standalone deployment type through the properties in the nevisidm-prod.properties file.
Standalone server command-line interface
For standalone deployments, the standalone command-line interface (CLI) provides a low-level interface to run the server process. You can use the standalone CLI to start nevisIDM without involving other system components such as systemd. You find the standalone script at /opt/nevisidm/bin/nevisidm-server. It provides the following command line options:
Command line argument | Remarks | Default |
---|---|---|
-c, --config PATH | Required. Path to the configuration file nevisidm-prod.properties. | No default. |
-n, --name NAME | Unique name for this nevisIDM instance. Overrides the value of the property server.name (in the nevisidm-prod.properties file). | See the server.name property in the nevisidm-prod.properties file. |
-p, --port PORT | The HTTP/S port to listen on. TLS must be configured in the configuration file, not as an argument. Overrides the value of the property server.port (in the nevisidm-prod.properties file). | See the server.port property in the nevisidm-prod.properties file. |
-H, --host HOST | The HTTP/S host to bind to. Overrides the value of the property server.host (in the nevisidm-prod.properties file). | See the server.host property in the nevisidm-prod.properties file. |
--log-config PATH | Log configuration file to use. If a log configuration file is provided, nevisIDM uses it to determine how logging behaves. If none is provided, nevisIDM logs to the console by default. | Not set. |
-V, --version | Displays the version and exits with status code 0. | |
-h, --help | Shows complete and detailed usage and exits with status code 0. | |
Command-line arguments always prevail over properties in the nevisidm-prod.properties file.
Example usage of the standalone CLI
Execute the following commands to start an existing nevisIDM instance named "default" without using systemd / init.d to manage the service:
# set working directory
cd /var/opt/nevisidm/default
# 1) set environment variables from env.conf and start nevisidm standalone deployment
# 2) use subshell to not interfere with environment variables
(set -a && source $(pwd)/conf/env.conf && set +a && \
/opt/nevisidm/bin/nevisidm-server \
--config $(pwd)/conf/nevisidm-prod.properties \
--log-config $(pwd)/conf/log4j.xml)
JMS provisioning message persistence
The standalone deployment comes with a built-in JMS queue that can be configured in the nevisidm-prod.properties file. The standalone deployment does not include an internal JMS bridge; an external JMS bridge that accesses the JMS queue of nevisIDM has to be configured.
WildFly 10 (Deprecated)
DEPRECATED
The WildFly 10 deployment type has been deprecated in release 2.72.0.x. For future setups, consider using the standalone deployment type.
The WildFly 10 deployment type uses an adnwildfly container. You may specify the usage of the adnwildfly container during instance creation (or handover).
nevisidm handover IDM_DEPLOY_TYPE=adnwildfly {<param>=<value>}
Via these parameters, you can set some properties such as the DB connection string in advance. This prevents you from having to manually configure them afterwards. Use this command to show a list of parameters:
nevisidm inst create test help
The following configuration files control the behavior of nevisIDM in the WildFly deployment type:
| Configuration file | Deployment type | Remarks |
| --- | --- | --- |
| env.conf | all | Administration command and process environment. JAVA_HOME (optional): use the specified JRE/JDK. All other parameters should not be changed. File location: /var/opt/adnwildfly/instances/<instance>/standalone/configuration/env.conf |
| vmargs.conf | all | JVM command-line options, for example heap size and garbage collector |
| standalone.xml | all | Part of adnwildfly. Used for the configuration of application server parameters such as extensions, profiles and subsystems, paths, interfaces, socket bindings and socket binding groups, system properties, etc. |
| log4j.xml | all | Logging configuration |
| nevisidm-prod.properties | all | Application configuration |
The configuration files are located here:
- /var/opt/nevisidm/<instance>/conf (instance configuration)
- /var/opt/adnwildfly/instances/<instance>/standalone/configuration (server configuration)
Environment configuration
As the first priority, nevisIDM uses the Java installation defined by the configuration property JAVA_HOME in the env.conf file. If JAVA_HOME is not defined in env.conf, adnwildfly looks for adnjdk packages (latest first); otherwise the Java version found in the PATH environment variable is used. adnwildfly version 10.1.3.1 is required to use a JRE; older adnwildfly versions require a JDK.
To define the usage of a specific Java installation, we recommend setting the configuration property JAVA_HOME in the env.conf file:
Example
JAVA_HOME=/etc/alternatives/jre_1.8.0
JMS provisioning message persistence
nevisIDM supports data provisioning over JMS destinations as described in JMS queue provisioning provider.
In adnwildfly, the JMS is configured in the standalone.xml in the activemq subsystem section (nevisidm config server). The access to JMS queues is controlled by groups (also called roles) of permissions. A JMS user can be part of one or more groups. By default, the following two groups with corresponding permissions are configured on the server:
- A group "producer" with permission "send". This group is allowed to send to JMS queues.
- A group "consumer" with permission "consume". This group is allowed to read from JMS queues.
More activemq permissions exist. For details, visit this website: http://activemq.apache.org/artemis/docs/1.0.0/security.html.
The information about users and their groups is stored in the following two files located in /var/opt/adnwildfly/instances/<instance_name>/standalone/configuration:
- application-roles.properties: Stores a comma-separated list of groups for each user.
- application-users.properties: Stores the hashed authentication information for each user.
Updates to these files are detected only after a server restart.
To add users, run the following command line provided by adnwildfly:
adnwildfly <instance_name> user add <username> <password> <group>
Upon creation of a new nevisIDM instance, the nevisIDM user with the group "producer" is automatically added using information from nevisidm-prod.properties (in particular, from provisioningModule.jmsQueue.username and provisioningModule.jmsQueue.password).
To access the JMS with a client, a user with the group "consumer" has to be added manually with the utility script.
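The two properties files above decide who may send to or consume from the provisioning queue, and edits only take effect after a restart, so it is worth checking them before restarting. The following audit script is an added example, not nevisIDM or adnwildfly code; it parses files in the format described above (user=hash, user=group,group) and reports accounts whose credentials and groups do not line up. The file contents and hashes are constructed samples.

```python
"""Audit the two WildFly properties files that guard nevisIDM's JMS queues.
Added example, not nevisIDM or adnwildfly code. Input is in the files' own
format (user=hash, user=group,group); the sample contents are constructed."""
# Constructed samples of application-users.properties (placeholder hashes)
SAMPLE_USERS = """\
# application-users.properties
nevisidm=0123456789abcdef0123456789abcdef
bridge=fedcba9876543210fedcba9876543210
monitor=11111111111111111111111111111111
orphan=00000000000000000000000000000000
"""
# and application-roles.properties.
SAMPLE_ROLES = """\
# application-roles.properties
nevisidm=producer
bridge=consumer
monitor=manage
admin=producer,consumer
"""
# The two groups the server defines by default (send and consume permission).
DEFAULT_GROUPS = {"producer", "consumer"}


def parse_properties(text: str) -> dict:
    """Parse 'key=value' lines; '#'/'!' start comments, blank lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def audit_jms_users(users_text: str, roles_text: str) -> dict:
    """Return findings per category (sorted user names); empty lists pass."""
    users = parse_properties(users_text)
    roles = {u: {g for g in v.split(",") if g} for u, v in parse_properties(roles_text).items()}
    return {
        # Credentials but no group: the account cannot use any queue; stale?
        "no_roles": sorted(u for u in users if not roles.get(u)),
        # Group but no credentials: unusable, most likely a leftover entry.
        "no_credentials": sorted(u for u in roles if u not in users),
        # Groups the server does not define grant nothing; typo or drift.
        "unknown_groups": sorted(u for u, g in roles.items() if g - DEFAULT_GROUPS),
        # Send and consume on one account: review against least privilege.
        "send_and_consume": sorted(u for u, g in roles.items() if DEFAULT_GROUPS <= g),
    }
```

Run it against the real files by reading them from the configuration directory instead of the inline samples; only the nevisIDM producer account and the manually added consumer accounts should remain free of findings.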
The JMS queue is exposed with a remote netty acceptor over TCP. By default, the JMS port has an offset of 4 from the server port used at instance creation (SERVER_PORT). A client can access JMS on the following URL: tcp://<hostname>:<port>?sslEnabled=true.
Below, find excerpts of a sample JMS configuration using SSL in the standalone.xml:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
  <server name="default">
    <security-setting name="#">
      <role name="consumer" consume="true"/>
      <role name="producer" send="true"/>
    </security-setting>
    <address-setting name="#" dead-letter-address="jms.queue.DLQ" expiry-address="jms.queue.ExpiryQueue" max-size-bytes="10485760" page-size-bytes="2097152" message-counter-history-day-limit="10"/>
    <in-vm-connector name="in-vm" server-id="0"/>
    <in-vm-acceptor name="in-vm" server-id="0"/>
    <remote-connector socket-binding="msg" name="netty"/>
    <remote-acceptor socket-binding="msg" name="netty">
      <param name="ssl-enabled" value="true"/>
      <param name="key-store-path" value="/var/opt/neviskeybox/default/default/node_keystore.jks"/>
      <param name="key-store-password" value="********"/>
      <param name="enabled-protocols" value="TLSv1.2"/>
    </remote-acceptor>
    <jms-queue name="ExpiryQueue" entries="java:/jms/queue/ExpiryQueue"/>
    <jms-queue name="DLQ" entries="java:/jms/queue/DLQ"/>
    <jms-queue name="Provisioning" entries="java:/jms/queue/Provisioning java:/jboss/exported/jms/queue/Provisioning"/>
    <connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory" connectors="in-vm"/>
  </server>
</subsystem>
...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
  <socket-binding name="https" port="8989" fixed-port="true"/>
  <socket-binding name="msg" port="4"/>
</socket-binding-group>
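Two settings in the sample above carry the security of the exposed queue: ssl-enabled and enabled-protocols on the remote acceptor, and the permissions granted to each role. The check below is an added example, not nevisIDM or adnwildfly code; it parses the messaging-activemq subsystem of a standalone.xml and reports an acceptor without TLS or with protocols older than TLSv1.2, and any role holding permissions beyond send and consume. The embedded XML is a constructed excerpt modelled on the sample, with a placeholder keystore path.

```python
"""Check the messaging-activemq subsystem of a WildFly standalone.xml for the
two settings the sample above relies on: TLS on the remote acceptor and roles
limited to send/consume. Added example, not nevisIDM or adnwildfly code."""
import xml.etree.ElementTree as ET

NS = {"m": "urn:jboss:domain:messaging-activemq:1.0"}

# Constructed excerpt modelled on the page's sample; keystore path is a placeholder.
SAMPLE_XML = """\
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
  <server name="default">
    <security-setting name="#">
      <role name="consumer" consume="true"/>
      <role name="producer" send="true"/>
    </security-setting>
    <remote-acceptor socket-binding="msg" name="netty">
      <param name="ssl-enabled" value="true"/>
      <param name="key-store-path" value="/path/to/node_keystore.jks"/>
      <param name="enabled-protocols" value="TLSv1.2"/>
    </remote-acceptor>
  </server>
</subsystem>
"""
# Permissions the two default groups need; anything else (manage, createDurableQueue,
# deleteNonDurableQueue, ...) widens what a JMS user may do.
BASIC_PERMS = {"send", "consume"}
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def check_messaging(xml_text: str) -> list:
    """Return a list of findings; an empty list means the excerpt passes."""
    root = ET.fromstring(xml_text)
    findings = []
    for acc in root.iterfind(".//m:remote-acceptor", NS):
        name = acc.get("name")
        params = {p.get("name"): p.get("value") for p in acc.iterfind("m:param", NS)}
        if params.get("ssl-enabled") != "true":
            findings.append(f"acceptor {name}: ssl-enabled is not true")
        protos = {p for p in (params.get("enabled-protocols") or "").split(",") if p}
        if not protos or not protos <= ACCEPTED_PROTOCOLS:
            findings.append(f"acceptor {name}: enabled-protocols {sorted(protos) or 'unset'}")
    for role in root.iterfind(".//m:security-setting/m:role", NS):
        granted = {k for k, v in role.attrib.items() if k != "name" and v == "true"}
        extra = sorted(granted - BASIC_PERMS)
        if extra:
            findings.append(f"role {role.get('name')}: extra permissions {extra}")
    return findings
```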
JMS bridge
For setups where messages shall be passed to an external JMS provider, a JMS bridge can be configured. The function of the JMS bridge is to consume messages from a source queue and send them to a target queue. Source and target queue may be on different servers.
In the case of the WildFly deployment, the ActiveMQ Artemis 1.x JMS bridge is provided by the container. The JMS bridge can be configured in the standalone.xml in the activemq subsystem section (nevisidm config server). Relevant configuration parameters are:
- The URL of the target JMS queue
- The name of the target JMS queue user
- The password of the target JMS queue user
For further information about configuration parameters, see http://activemq.apache.org/artemis/docs/1.5.6/jms-bridge.html.
Below, find an excerpt of a sample JMS bridge configuration in the standalone.xml:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
  <server name="default">
    .....
  </server>
  <jms-bridge name="simple-jms-bridge" max-batch-time="100" max-batch-size="10" max-retries="-1" failure-retry-interval="10000" quality-of-service="ONCE_AND_ONLY_ONCE">
    <source destination="jms/queue/Provisioning" connection-factory="ConnectionFactory"/>
    <target password="********" user="targetuser" destination="idmDataProvisioningOutbox" connection-factory="jms/RemoteConnectionFactory">
      <target-context>
        <property name="java.naming.factory.initial" value="org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory"/>
        <property name="java.naming.provider.url" value="tcp://jmstarget:61616"/>
        <property name="connectionFactory.jms/RemoteConnectionFactory" value="tcp://jmstarget:61616"/>
        <property name="queue.idmDataProvisioningOutbox" value="idmDataProvisioningOutbox"/>
      </target-context>
    </target>
  </jms-bridge>
</subsystem>
For further information about configuration of the JMS bridge in the standalone.xml, see https://docs.jboss.org/author/display/WFLY10/Messaging%20configuration.html.
For further information about configuring transport, see http://activemq.apache.org/artemis/docs/1.5.6/configuring-transports.html.