Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients




This article describes how to deploy the Smart ID Digital Access component on Red Hat Enterprise Linux (RHEL) 8 using Ansible and Podman.


Prerequisites

  • Ansible must be installed on the control system (the machine from which you run the Ansible playbook).
    Make sure that the containers.podman collection is installed. If it is not, run:

    ansible-galaxy collection install containers.podman
  • The target system must be RHEL 8 with Podman installed.
  • SSH access from the control system to the target system must work with key-based authentication (check that you can log in with the key).
  • An external database must be set up.
  • The ansible_DA.tgz archive.

Step-by-step instructions

  1. Copy ansible_DA.tgz to the control system (the machine from which you run the Ansible playbook) and extract it.
  2. Before running the playbook:
    1. Add the target hosts to the inventory file inside the ansible folder.
    2. If you want to set up the Digital Access configuration from the beginning, place the config folder inside the ansible folder on the control system.
      1. For HA mode: in LocalConfiguration.xml of each service (Policy, Authentication, Distribution, Access Point), replace the mHost value of the "Administration Service" object with the IP address of the Digital Access host on which the Administration Service will run.

        Snippet from LocalConfiguration.xml
        <node>
          <object key="c000ejp1m5" name="Administration Service" trans="ivjq0838gkxs" ver="50600">
            <attribute name="mAllInterfaces" type="boolean" value="false"/>
            <attribute name="mPort" type="integer" value="8300"/>
            <attribute name="mHost" type="string" value="198.160.x.x"/>
            <attribute name="mType" type="integer" value="5"/>
            <attribute name="mId" type="integer" value="1"/>
          </object>
        </node>
    3. By default, the playbook looks for the config folder in the */ansible/ folder. If you want to keep the config folder elsewhere, go to the ansible/roles/create_da_config_folders/vars folder and modify the path variable accordingly.
    4. If you also want to copy the Digital Access Docker images to the target systems (for an offline setup), copy them to the */ansible/images folder. As in step 3, modify the path variable if you want to store the images elsewhere.
  3. Change the current working directory to ansible in the terminal.

    Change working directory
    cd ansible
  4. Run the ansible playbook using this command:

    Run ansible playbook
    ansible-playbook -i inventory <yml_file_name> --ask-become-pass
  5. Ansible prompts for the privilege-escalation (sudo) password of the SSH user on the target hosts and then executes the playbook.
  6. If the setup is successful, the play recap at the end of the run shows the task counts per host. Make sure that failed and unreachable are both 0 for every host.

After the playbook has completed:

  1. Log in to Digital Access Admin with an administrator account.
  2. Change the Administration Service internal host from "admin" to 127.0.0.1, or to the machine's IP address for HA mode.
  3. Connect the HAG, OATH and OAUTH databases.
  4. To change the report database, follow the steps in Change report database for Digital Access component.
  5. If the services cannot listen on 0.0.0.0:8090, restart the services.

Instructions for High Availability

  • The databases are available and connected.
  • Multiple Digital Access component instances are running. In the examples in this article they are called DA-1, DA-2, DA-3 and DA-4:
    • Only one Administration Service is installed. It runs on DA-1.
  • The IP addresses of all four nodes must be known.
  1. Log in to Digital Access Admin with an administrator account.
  2. Change the host of all the registered services:

    Change the host of registered Policy service:

    1. In Digital Access Admin of DA-1, go to Manage System > Policy Services.
    2. Select the registered Policy Service.
    3. Change the Internal Host from 127.0.0.1 to DA-1's IP Address.
    4. Check Distribute key files automatically.
    5. Click Save.
  3. Add new services for DA-2, DA-3 and DA-4 (repeat these steps for each node):

    1. In Digital Access Admin of DA-1, go to Manage System > Policy Services.
    2. Click Add Policy Service…
    3. In Display Name enter "Policy Service 2" (for DA-2).
    4. In Internal Host enter the IP address of DA-2.
    5. Check Distribute key files automatically.
    6. Select the Server Certificate and add it.
    7. Note down the Service ID of the newly added Policy Service. It is used as the mId value in later steps.

Only one Administration Service runs, on DA-1, so the Administration Service on all other Digital Access instances must be disabled.

  1. Stop the administration service of the other Digital Access instances

    Stop service
    sudo podman stop admin
  2. Change the service ID of the services on the other Digital Access instances:
    1. Open LocalConfiguration.xml (/opt/nexus/config/<service>/config/LocalConfiguration.xml).
    2. Search for the <service> section.
    3. Replace the mId value with the Service ID noted down in Digital Access Admin:

      <?xml version="1.0" encoding="UTF-8"?>
      <com>
        <portwise>
          <core>
            <id>3</id>
          </core>
          <policy>
            <node>
              <object key="c000ejp1m5" name="Administration Service" trans="s4x1qgx4q5fk" ver="50600">
                <attribute name="mAllInterfaces" type="boolean" value="false"/>
                <attribute name="mPort" type="integer" value="8300"/>
                <attribute name="mHost" type="string" value="10.0.0.10"/>
                <attribute name="mType" type="integer" value="5"/>
                <attribute name="mId" type="integer" value="1"/>
              </object>
              <object key="5t02k8rn7jwg" name="Policy Service" trans="t4x6zmbhkjr4" ver="50600">
                <attribute name="mAllInterfaces" type="boolean" value="false"/>
                <attribute name="mPort" type="integer" value="8301"/>
                <attribute name="mHost" type="string" value="10.0.0.10"/>
                <attribute name="mHTTPLogSettings" type="container" value="logsettings">
                  <attribute name="mEventLogLevel" type="string" value="OFF"/>
                  <attribute name="mLocalCount" type="integer" value="2"/>
                  <attribute name="mAuthenticationTiming" type="boolean" value="false"/>
                  <attribute name="mFileLogLevel" type="string" value="OFF"/>
                  <attribute name="mFileSizeRotationEnabled" type="boolean" value="true"/>
                  <attribute name="mCentralLimit" type="integer" value="15000000"/>
                  <attribute name="mLocalLimit" type="integer" value="5000000"/>
                  <attribute name="mDateRotationEnabled" type="boolean" value="false"/>
                  <attribute name="mCentralCount" type="integer" value="5"/>
                </attribute>
                <attribute name="mType" type="integer" value="1"/>
                <attribute name="mId" type="integer" value="3"/>
                <attribute name="mK8sServiceHost" type="string" value=""/>
              </object>
            </node>
          </policy>
        </portwise>
      </com>

  3. Restart all services (the container name is the service name, as with admin above):

    Restart services
    sudo podman restart <service>
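The two LocalConfiguration.xml edits this page asks for by hand, the Administration Service mHost for HA mode (step 2c of the playbook preparation) and the mId of each service on DA-2, DA-3 and DA-4 (step 2 directly above), can be made with an XML parser instead of a text editor, which avoids a malformed file that a service refuses to start on. The following is an added example written for this page, not Nexus' own tooling. It assumes only the element structure shown in the snippet above (com/portwise/policy/node/object with attribute children named mHost and mId); the sample input is a constructed, abridged copy of that snippet, and the Service ID 3 and host 10.0.0.10 in the demo are the values from it.

```python
"""Added example, not part of the Nexus documentation or product.

Applies the LocalConfiguration.xml edits this page describes by hand, with an
XML parser rather than a text editor:
  * set the mHost of the "Administration Service" object (HA mode), and
  * set the mId of a service object to the Service ID noted in Digital Access Admin.
Assumption: the element structure shown in the snippet on this page
(com/portwise/policy/node/object with <attribute name="..." value="..."/> children).
"""
import xml.etree.ElementTree as ET

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>'

# Constructed sample input, abridged from the snippet on this page, with the
# values a freshly deployed node has before the HA edits are made.
SAMPLE_XML = XML_DECLARATION + """<com>
  <portwise>
    <core><id>3</id></core>
    <policy>
      <node>
        <object key="c000ejp1m5" name="Administration Service" trans="s4x1qgx4q5fk" ver="50600">
          <attribute name="mAllInterfaces" type="boolean" value="false"/>
          <attribute name="mPort" type="integer" value="8300"/>
          <attribute name="mHost" type="string" value="127.0.0.1"/>
          <attribute name="mType" type="integer" value="5"/>
          <attribute name="mId" type="integer" value="1"/>
        </object>
        <object key="5t02k8rn7jwg" name="Policy Service" trans="t4x6zmbhkjr4" ver="50600">
          <attribute name="mAllInterfaces" type="boolean" value="false"/>
          <attribute name="mPort" type="integer" value="8301"/>
          <attribute name="mHost" type="string" value="10.0.0.10"/>
          <attribute name="mType" type="integer" value="1"/>
          <attribute name="mId" type="integer" value="1"/>
        </object>
      </node>
    </policy>
  </portwise>
</com>
"""


def _parse(xml_text):
    # Parse from bytes so the encoding declaration in the file is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def _service_object(root, service_name):
    # Exactly one <object> per service name is expected; refuse to guess otherwise.
    objects = root.findall(f".//node/object[@name='{service_name}']")
    if len(objects) != 1:
        raise ValueError(f"expected one object named {service_name!r}, found {len(objects)}")
    return objects[0]


def _attribute(root, service_name, attr_name):
    # Direct <attribute> children only, so nested containers such as
    # mHTTPLogSettings are never matched by mistake.
    attr = _service_object(root, service_name).find(f"attribute[@name='{attr_name}']")
    if attr is None:
        raise ValueError(f"{service_name!r} has no attribute {attr_name!r}")
    return attr


def read_attribute(xml_text, service_name, attr_name):
    """Return the value of one attribute of one service object, e.g. mHost."""
    return _attribute(_parse(xml_text), service_name, attr_name).get("value")


def rewrite_configuration(xml_text, admin_host, service_name=None, new_service_id=None):
    """Return the configuration with the Administration Service mHost set to
    admin_host and, if a service is named, that service's mId set to new_service_id."""
    root = _parse(xml_text)
    _attribute(root, "Administration Service", "mHost").set("value", admin_host)
    if service_name is not None:
        # mId is declared type="integer"; reject anything that is not one.
        _attribute(root, service_name, "mId").set("value", str(int(new_service_id)))
    # ElementTree drops the declaration when serialising to str, so put it back.
    return XML_DECLARATION + ET.tostring(root, encoding="unicode")


def rewrite_file(path, admin_host, service_name=None, new_service_id=None):
    """In-place variant for /opt/nexus/config/<service>/config/LocalConfiguration.xml."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewrite_configuration(original, admin_host, service_name, new_service_id))


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample: DA-2's Policy Service gets
    # Service ID 3 and points at the Administration Service on DA-1 (10.0.0.10).
    updated = rewrite_configuration(SAMPLE_XML, "10.0.0.10", "Policy Service", 3)
    print(read_attribute(updated, "Administration Service", "mHost"),
          read_attribute(updated, "Policy Service", "mId"))
```

Call rewrite_file once per service directory on each of DA-2, DA-3 and DA-4 before the restart in step 3, and use read_attribute afterwards to confirm that every service on a node points at the same Administration Service host and carries its own Service ID.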
Verify the setup:

  1. Start all the required services.
  2. Publish the configuration.
  3. Check that all services are connected.
  4. Log in to the portal and check that everything works as expected and that the portal items and display names are shown properly.
  5. If anything fails, check that the sha1sum of shared.key and of internal.key is identical for all connected services. The keys are located under /opt/nexus/config/<service>/keys/.
  6. Inspect the logs and address any unexpected errors.
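The key comparison in step 5 can be scripted so that it reports which service holds a different or missing key instead of leaving you to eyeball four sha1sum lines. The following is an added example written for this page, not Nexus tooling. It assumes the layout /opt/nexus/config/<service>/keys/shared.key and internal.key given above; the directory tree it builds when run without an argument is a constructed sample with dummy bytes, not real key material.

```python
"""Added example, not part of the Nexus documentation or product.

Automates the key check in the verification steps above: every connected
service must hold identical shared.key and internal.key files. The directory
layout assumed is the one this page gives, <config root>/<service>/keys/<key>,
with /opt/nexus/config as the config root on a node. In an HA setup the
digests must also agree between nodes, so run it on every node and compare.
"""
import hashlib
import sys
import tempfile
from pathlib import Path

KEY_NAMES = ("shared.key", "internal.key")


def sha1_of(path):
    """SHA-1 hex digest of a file; the same value sha1sum prints."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_key_digests(config_root):
    """Return {key name: {service: digest}} for every service directory that has
    a keys/ folder. A key file that is missing is recorded as None."""
    digests = {name: {} for name in KEY_NAMES}
    for service_dir in sorted(Path(config_root).iterdir()):
        keys_dir = service_dir / "keys"
        if not keys_dir.is_dir():
            continue
        for name in KEY_NAMES:
            key_file = keys_dir / name
            digests[name][service_dir.name] = sha1_of(key_file) if key_file.is_file() else None
    return digests


def find_mismatches(digests):
    """Return the subset of digests whose values are not identical across all
    services (or missing everywhere); an empty dict means the keys are consistent."""
    mismatches = {}
    for name, per_service in digests.items():
        values = set(per_service.values())
        if len(values) > 1 or values == {None}:
            mismatches[name] = dict(per_service)
    return mismatches


def check_keys(config_root):
    """True if every service under config_root shares both keys; otherwise print
    which service holds a different (or no) key and return False."""
    digests = collect_key_digests(config_root)
    if not any(digests.values()):
        print(f"no <service>/keys/ directories found under {config_root}")
        return False
    mismatches = find_mismatches(digests)
    for name, per_service in mismatches.items():
        print(f"{name}: digests differ between services")
        for service, digest in per_service.items():
            print(f"  {service:<16} {digest or 'MISSING'}")
    return not mismatches


def make_sample_tree():
    """Constructed sample (not real key material): four services, one of which
    kept a stale internal.key, the failure this check is meant to surface."""
    root = Path(tempfile.mkdtemp(prefix="da-keys-"))
    for service in ("admin", "policy", "authentication", "distribution"):
        keys = root / service / "keys"
        keys.mkdir(parents=True)
        (keys / "shared.key").write_bytes(b"shared-key-material")
        (keys / "internal.key").write_bytes(b"internal-key-material")
    (root / "distribution" / "keys" / "internal.key").write_bytes(b"stale-internal-key")
    return root


if __name__ == "__main__":
    # Usage: python check_da_keys.py /opt/nexus/config ; with no argument the
    # constructed sample tree is checked, which reports the stale key and exits 1.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    sys.exit(0 if check_keys(target) else 1)
```

Run it as python check_da_keys.py /opt/nexus/config on each node; a non-zero exit means at least one service holds a different or missing key, and the printed report names that service so you know which key files to re-check before looking further into the logs.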

To set up high availability for the Digital Access component, an external load balancer must be used. In this example, HAProxy is used.

  1. Log in to Digital Access Admin of DA-1 with an administrator account.
  2. In Digital Access Admin, go to Manage System > Access Points.
  3. For each added access point:
    1. Add a listener by clicking Add Additional Listener…
    2. In Host, enter the IP address of the Access Point. Enter a Port, and set Type to Load Balance.
    3. Click Add.
  4. Go to Manage System > Access Points.
  5. Select Configure Load Balancing…
  6. Check Enable multi-host sessions and Send sticky cookies. Enter a Name of Sticky Cookie to be used by the load balancer service.
  7. Click Save.
  8. Select Configure Load Balancing…
  9. Click Add Pair of Mirrored Access Points...
  10. Select Access Point 1 and Access Point 2 as Primary and Secondary server.
  11. Click Save.