Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

This article describes how to deploy the Smart ID Digital Access component on Red Hat Enterprise Linux (RHEL) 8 using Ansible and Podman.

Prerequisites

  • A VM that acts as the RHEL 8 control system, with Ansible version 2.0 or above, for running the Ansible playbook.
    Make sure that the containers.podman collection is installed. If it is not, run the command below:

    ansible-galaxy collection install -f containers.podman
  • Target systems must run RHEL 8 with Podman installed.
  • Enable SSH communication between the controlling VM and the target systems (verify that SSH key-based login works).
  • The UDP ports used by each authentication method server must be open to traffic.
    • You can locate these ports in Digital Access Admin under Manage System > Authentication Methods for each added authentication method.
  • An external database is set up.
  • The ansible_DA.tgz archive.

Step-by-step instructions

  1. Copy and extract the ansible_DA.tgz file on the controlling VM.
  2. Before running the playbook:
    1. Add the target host IPs to the inventory file inside the ansible folder, according to how the DA services are distributed across hosts.
    2. If you want to set up the Digital Access configuration from scratch, copy the config folder (located inside the ansible folder) on the control system.
      1. For HA mode: edit LocalConfiguration.xml of each service (Policy, Authentication, Distribution, Access Point) and replace the mHost value of the "Administration Service" object with the IP of the Digital Access host where the Administration service will be running.

        Snippet from LocalConfiguration.xml
        <node>
        <object key="c000ejp1m5" name="Administration Service" trans="ivjq0838gkxs" ver="50600">
        <attribute name="mAllInterfaces" type="boolean" value="false"/>
        <attribute name="mPort" type="integer" value="8300"/>
        <attribute name="mHost" type="string" value="198.160.x.x"/>
        <attribute name="mType" type="integer" value="5"/>
        <attribute name="mId" type="integer" value="1"/>
        </object>
        </node>
    3. By default, the playbook reads the config folder from the */ansible/ folder and the DA service images from the */ansible/images folder.
  3. Change the current working directory to ansible in the terminal.

    Change working directory
    cd ansible
  4. Run the ansible playbook using this command:

    Run ansible playbook
    ansible-playbook -i inventory <yml_file_name> --ask-become-pass
  5. It prompts for the root password and then executes the playbook.
  6. If the setup is successful, the status output looks like the screenshot below. Make sure that the failed and unreachable counts are both 0.
  1. Log in to Digital Access Admin with an administrator account.
  2. For HA mode, change the Administration Service internal host from "admin" to the machine's public IP.

  3. Connect to the HAG, OATH, OAUTH and Reporting databases as described in Configure all databases in Digital Access.

  4. If the services cannot listen on 0.0.0.0:8090, restart the services.

Instructions for High Availability

  • Databases are available and connected.
  • Multiple Digital Access components are running. In the examples in this article they are called DA-1, DA-2, DA-3 and DA-4:
    • Only one Administration service is installed. This is done on DA-1.
  • The IP addresses of all four nodes must be known.
  1. Log in to Digital Access Admin with an administrator account.
  2. Change the host of all the registered services:

    Change the host of registered Policy service:

    1. In Digital Access Admin of DA-1, go to Manage System > Policy Services.
    2. Select the registered Policy Service.
    3. Change the Internal Host from 127.0.0.1 to DA-1's IP Address.
    4. Check Distribute key files automatically.
    5. Click Save.
  3. Add new services for DA-2, DA-3 and DA-4:

    1. In Digital Access Admin of DA-1, go to Manage System > Policy Services.
    2. Click Add Policy Service…
    3. In Display Name enter "Policy Service 2".
    4. In Internal Host enter the IP address of DA-2.
    5. Check Distribute key files automatically.
    6. Select the Server Certificate and Add it.
    7. Note down the Service ID of the newly added Policy Service. It is used as the mId value in later steps.

There will be only one Administration service running, on DA-1, so all other Digital Access instances must have their Administration service disabled.

  1. Stop the administration service of the other Digital Access instances

    Stop service
    sudo podman stop admin
  2. Change the serviceId of the services on the other Digital Access instances:
    1. Open LocalConfiguration.xml (/opt/nexus/config/<service>/config/LocalConfiguration.xml).
    2. Search for the <service> section.
    3. Replace the value of mId with the new mId, that is, the Service ID noted when the service was added:

      <?xml version="1.0" encoding="UTF-8"?><com>
        <portwise>
          <core>
            <id>3</id>
          </core>
          <policy>
            <node>
              <object key="c000ejp1m5" name="Administration Service" trans="s4x1qgx4q5fk" ver="50600">
                <attribute name="mAllInterfaces" type="boolean" value="false"/>
                <attribute name="mPort" type="integer" value="8300"/>
                <attribute name="mHost" type="string" value="10.0.0.10"/>
                <attribute name="mType" type="integer" value="5"/>
                <attribute name="mId" type="integer" value="1"/>
              </object>
              <object key="5t02k8rn7jwg" name="Policy Service" trans="t4x6zmbhkjr4" ver="50600">
                <attribute name="mAllInterfaces" type="boolean" value="false"/>
                <attribute name="mPort" type="integer" value="8301"/>
                <attribute name="mHost" type="string" value="10.0.0.10"/>
                <attribute name="mHTTPLogSettings" type="container" value="logsettings">
                  <attribute name="mEventLogLevel" type="string" value="OFF"/>
                  <attribute name="mLocalCount" type="integer" value="2"/>
                  <attribute name="mAuthenticationTiming" type="boolean" value="false"/>
                  <attribute name="mFileLogLevel" type="string" value="OFF"/>
                  <attribute name="mFileSizeRotationEnabled" type="boolean" value="true"/>
                  <attribute name="mCentralLimit" type="integer" value="15000000"/>
                  <attribute name="mLocalLimit" type="integer" value="5000000"/>
                  <attribute name="mDateRotationEnabled" type="boolean" value="false"/>
                  <attribute name="mCentralCount" type="integer" value="5"/>
                </attribute>
                <attribute name="mType" type="integer" value="1"/>
                <attribute name="mId" type="integer" value="3"/>
                <attribute name="mK8sServiceHost" type="string" value=""/>
              </object>
            </node>
          </policy>
        </portwise>
      </com>

  3. Restart all services

    Restart services
    sudo podman restart <service>
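
As an added example (not part of this article or of the Digital Access product), the following Python script performs the mId replacement of step 2 on a LocalConfiguration.xml and also reports any registered service whose mHost still points at a local or placeholder host, which the HA steps above require you to replace with a node IP. The object and attribute names and the sample values are taken from the snippet above; the function names and the LOCAL_HOSTS set are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample trimmed from the LocalConfiguration.xml snippet above (not a real config).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?><com><portwise><core><id>3</id></core>
<policy><node>
<object key="c000ejp1m5" name="Administration Service" trans="s4x1qgx4q5fk" ver="50600">
<attribute name="mPort" type="integer" value="8300"/>
<attribute name="mHost" type="string" value="10.0.0.10"/>
<attribute name="mType" type="integer" value="5"/>
<attribute name="mId" type="integer" value="1"/>
</object>
<object key="5t02k8rn7jwg" name="Policy Service" trans="t4x6zmbhkjr4" ver="50600">
<attribute name="mPort" type="integer" value="8301"/>
<attribute name="mHost" type="string" value="10.0.0.10"/>
<attribute name="mType" type="integer" value="1"/>
<attribute name="mId" type="integer" value="3"/>
</object>
</node></policy></portwise></com>"""

# Hosts that must not remain in mHost once the node is part of an HA cluster (assumed set).
LOCAL_HOSTS = {"127.0.0.1", "localhost", "admin"}
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

def _services(root):
    """Yield (service name, {attribute name: element}) for each registered service object."""
    for obj in root.iterfind("portwise/policy/node/object"):
        yield obj.get("name"), {a.get("name"): a for a in obj.findall("attribute")}

def get_service_id(xml_text, service_name):
    """Current mId of the named service, as an int."""
    for name, attrs in _services(ET.fromstring(xml_text)):
        if name == service_name:
            return int(attrs["mId"].get("value"))
    raise KeyError(f"service {service_name!r} not found")

def set_service_id(xml_text, service_name, new_id):
    """Return the XML with the named service's mId set to the Service ID noted in Digital Access Admin."""
    root = ET.fromstring(xml_text)
    for name, attrs in _services(root):
        if name == service_name:
            attrs["mId"].set("value", str(int(new_id)))
            # ElementTree drops the declaration, so put it back before writing the file.
            return XML_DECL + ET.tostring(root, encoding="unicode")
    raise KeyError(f"service {service_name!r} not found")

def ha_problems(xml_text):
    """Names of services whose mHost still uses a local or placeholder host instead of a node IP."""
    return [name for name, attrs in _services(ET.fromstring(xml_text))
            if "mHost" in attrs and attrs["mHost"].get("value") in LOCAL_HOSTS]
```

On a real node, read the file from /opt/nexus/config/<service>/config/LocalConfiguration.xml, pass it to set_service_id with the Service ID noted earlier, and write the result back before restarting the service.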
  1. Start all the required services.
  2. Publish the configuration.
  3. Check that all services are connected.
  4. Log in to the portal and check that everything works as expected and that the portal items and display names are shown correctly.
  5. In case of any failure, check that the sha1sum of shared.key and internal.key is the same for all connected services. The keys are found under /opt/nexus/config/<service>/keys/.
  6. Inspect the logs and address any unexpected errors.
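
The key comparison of step 5, as an added example that is not part of this article: the script below computes the sha1sum-equivalent digest of shared.key and internal.key under every <service>/keys/ directory below a config root and reports the services whose copy differs from the majority. The /opt/nexus/config layout and file names come from the article; build_fixture, the service names it creates and the dummy key bytes are constructed for this example only.

```python
import hashlib
import os
import tempfile

KEY_FILES = ("shared.key", "internal.key")

def sha1_of(path):
    """sha1sum-equivalent digest of one file, read in chunks (no key material is kept)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def key_digests(config_root):
    """{key file: {service: sha1}} for every <service>/keys/<key file> below config_root."""
    out = {k: {} for k in KEY_FILES}
    for service in sorted(os.listdir(config_root)):
        for k in KEY_FILES:
            path = os.path.join(config_root, service, "keys", k)
            if os.path.isfile(path):
                out[k][service] = sha1_of(path)
    return out

def mismatched_services(config_root):
    """{key file: [services whose copy differs from the majority digest]}; empty when all match."""
    report = {}
    for k, per_service in key_digests(config_root).items():
        digests = list(per_service.values())
        if len(set(digests)) <= 1:
            continue
        majority = max(set(digests), key=digests.count)
        report[k] = sorted(s for s, d in per_service.items() if d != majority)
    return report

def build_fixture():
    """Constructed stand-in for /opt/nexus/config/<service>/keys/ with dummy (non-real) key bytes."""
    root = tempfile.mkdtemp(prefix="da-keys-")
    good = {"shared.key": b"constructed-shared-key", "internal.key": b"constructed-internal-key"}
    for service in ("policy", "authentication", "distribution"):
        os.makedirs(os.path.join(root, service, "keys"))
        for name, data in good.items():
            with open(os.path.join(root, service, "keys", name), "wb") as f:
                f.write(data)
    # Simulate one node that kept a stale shared.key after redeployment.
    with open(os.path.join(root, "distribution", "keys", "shared.key"), "wb") as f:
        f.write(b"stale-shared-key")
    return root
```

On a real node run mismatched_services("/opt/nexus/config") as a user allowed to read the key files; an empty result means all connected services share the same keys.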

To set up high availability for the Digital Access component, an external load balancer must be used. In this example, HAProxy is used.

  1. Log in to Digital Access Admin of DA-1 with an administrator account.
  2. In Digital Access Admin, go to Manage System > Access Points.
  3. For each added access point:
    1. Add a listener by clicking Add Additional Listener…
    2. In Host, enter the IP address of the Access Point. Enter a Port, and set Type to Load Balance.
    3. Click Add.
  4. Go to Manage System > Access Points.
  5. Select Configure Load Balancing…
  6. Check Enable multi-host sessions and Send sticky cookies. Enter a Name of Sticky Cookie to be used by the load balancer service.
  7. Click Save.
  8. Select Configure Load Balancing…
  9. Click Add Pair of Mirrored Access Points...
  10. Select Access Point 1 and Access Point 2 as Primary and Secondary server.
  11. Click Save.

Configure external storage for logging

  1. Mount external storage on the host Linux machine at the mount path /mnt/<some directory> and change its ownership to pwuser:root.
  2. Write the volume mount mapping in the docker-compose.yml file under volumes for admin.

    [For Ansible and Podman, write the volume mount mapping in /ansible/roles/podman_deploy_da/tasks/main.yml instead.]

For example: /mnt/logs:/etc/LogsDir
where /mnt/logs is the external path and /etc/LogsDir is the path inside the admin container.

  1. In Digital Access Admin, go to Monitor System > Logging > Manage Global Logging Settings > Log Directory.
  2. Enter the directory path inside the container here; in this case, /etc/LogsDir.
  3. Publish and restart the Administration service.

This article is valid for Smart ID 21.10 and later and Digital Access 6.1.0 and later.
