Smart ID Certificate Manager and OCSP Responder are not covered by these instructions.
All the components in the Smart ID Workforce solution are deployed as Docker containers, except Smart ID Certificate Manager (CM) and Nexus OCSP Responder. To install these, see Install Certificate Manager and Install and upgrade Nexus OCSP Responder.
For more information on general Docker commands, see https://docs.docker.com/engine/reference/commandline/docker/.
Upgrade Smart ID
If you are upgrading Smart ID, see Upgrade Smart ID, in particular the section "Additional steps for a specific version" in that article.
Smart ID deployment configuration release note
Docker Compose V2
From Docker Compose V2, the Compose features are integrated into the Docker platform. If you use Compose V2, use the command "docker compose" (instead of "docker-compose"), that is, replace the dash with a space. Smart ID is not affected by Compose V2 and can be used as before.
For general recommendations, see Smart ID deployment recommendations.
The following prerequisites apply:
- Docker client and engine version 20.10.0 or later
- Docker Compose version 1.25.5 or later and Docker Compose file version 3.7 or later
- Kubernetes is supported, but no example configuration is available at this point.
- Supported host operating systems:
  - Linux that supports the Docker and Docker Compose versions above
  - Windows on request
- Valid licenses for all components to be used.
- A database must be installed and running. Supported databases are listed in Smart ID deployment recommendations.
- A valid Support account at https://support.nexusgroup.com
- For an online deployment, as described below, your hosts need internet access.
- For an offline deployment, the Docker images must be downloaded and transferred to the hosts.
DNS records must be created for each application on each Smart ID host:
If you cannot create DNS records, for example in a test environment, add the required records to the hosts file (/etc/hosts on Linux) instead. Add them both on the Smart ID host and on the clients that you want to use to access Smart ID.
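The hosts-file fallback described above, as an added example that is not part of the Smart ID documentation: a small POSIX shell script that writes one entry per application name and can be re-run without creating duplicates. The application names (idm, hermod, pa), the address 192.0.2.10 and the domain smartid.example.com are constructed sample values; use the names and address of your own deployment.

```shell
#!/bin/sh
# Added example, not from the Smart ID documentation: keep hosts-file entries
# for the Smart ID application names when no DNS records can be created.
# The application names (idm, hermod, pa), the address 192.0.2.10 and the
# domain smartid.example.com used below are constructed sample values.

# Print one "IP FQDN" line per application name.
hosts_lines() {
  ip=$1; domain=$2; shift 2
  for name in "$@"; do
    printf '%s %s.%s\n' "$ip" "$name" "$domain"
  done
}

# Append each missing entry to the hosts file. Existing entries are left alone,
# so the function is idempotent and can be run on the host and on every client.
ensure_hosts_entries() {
  file=$1; ip=$2; domain=$3; shift 3
  hosts_lines "$ip" "$domain" "$@" | while IFS= read -r line; do
    fqdn=${line#* }
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    # whole-word match of the name on a non-comment line
    if ! grep -Eq "^[^#]*[[:space:]]$fqdn_re([[:space:]]|\$)" "$file"; then
      printf '%s\n' "$line" >> "$file"
    fi
  done
}

# Count the entries under the Smart ID domain (used to verify the result).
count_domain_entries() {
  file=$1; domain_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Ec "^[^#]*[[:space:]][A-Za-z0-9-]+\.$domain_re([[:space:]]|\$)" "$file" || true
}

# Touch the real hosts file only when explicitly requested (requires root).
if [ "${SMARTID_HOSTS_APPLY:-0}" = 1 ]; then
  ensure_hosts_entries /etc/hosts 192.0.2.10 smartid.example.com idm hermod pa
fi
```

Run it with SMARTID_HOSTS_APPLY=1 as root on the Smart ID host and on each client; running it a second time changes nothing.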
Install Docker and Docker Compose
Installation of Docker and Docker Compose varies depending on your operating system.
To install Docker, go to the official documentation (Install Docker Engine | Docker Documentation), choose the system on which you plan to install it, and follow the installation guide.
Docker Compose is installed in the same way. Follow the installation guide (Install Docker Compose | Docker Documentation).
The Docker engine runs as root by default. If you do not want to run containers as root but as a specific user, read more here:
- Run Smart ID Identity Manager in Docker Rootless mode
- Run Smart ID Messaging in Docker Rootless mode
- Run Smart ID Physical Access in Docker Rootless mode
- Rootless Docker is not supported by Smart ID Digital Access.
Deploy Smart ID
To avoid permission issues, it is recommended that you create a dedicated Smart ID user account and run the Smart ID applications from that user's home directory.
On each host, create a user account for Smart ID and add that user to the docker group.
In this guide, <SMARTIDHOME> refers to /home/nexus, but this can differ depending on the setup.
Switch to the Smart ID user:
- Browse to support.nexusgroup.com and log in with your account.
- Click on Download Portal and click on Smart ID.
- Click on SmartID-<version>-deployment.zip to download the deployment file to your computer, where <version> is the version you want to download.
- Click on SmartID-<version>-configuration.zip to download the configuration file to your computer, where <version> is the version you want to download.
This file contains standard Smart ID configurations that can later be uploaded to Identity Manager.
Transfer the SmartID-<version>-deployment.zip file to your Smart ID hosts and extract it in your Smart ID home folder <SMARTIDHOME>/:
The structure of sub folders in the Smart ID home directory, <SMARTIDHOME>/, is as follows:
You must change at least these variables, see the instructions below:
Other variables are optional to change, but in a production environment you must change the credentials.
Set variables in the environment file to match your environment:
- Open the environment file <SMARTIDHOME>/compose/smartid.env for editing.
- Change the timezone (TZ) to fit your environment.
- Change TRAEFIK_ACME_EMAIL to fit your deployment. You must do this even if you do not use ACME.
- Change the database host (DBHOST) for Identity Manager, Hermod or Digital Access to fit your deployment. In a test deployment where the database runs on the same host, use the host's IP address or the Docker IP of the Postgres deployment; 127.0.0.1 will not work.
Digital Access cannot be deployed on the same host as the other applications. It requires its own host.
If you are using an MSSQL database (DBHOST=jdbc:sqlserver://<SMARTID-DB-HOST>:1433), you need to change the format of the database URL in the following places:
If you are NOT using certificate authentication with Smart ID Mobile App (the Personal mobile authentication method) but are provisioning users through Digital Access only, you must update this setting:
Change the version of Smart ID if needed:
Change the value of SMARTID_INGRESS_DOMAIN to fit your deployment. It is recommended to use a wildcard sub-domain for Smart ID, for example *.smartid.example.com, and to point that domain to your host.
Change database credentials
To change the database type, database name or password, change the following variables. In a test deployment, you do not have to change anything here. Note that the Physical Access database host is specified using the variable
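A pre-flight check for the environment file edits above, as an added example that is not part of the Smart ID documentation. It reads smartid.env without sourcing it and verifies only the variables the instructions name: TZ, TRAEFIK_ACME_EMAIL and SMARTID_INGRESS_DOMAIN must be set, the ACME address must look like an e-mail address, and no database host may point at loopback. It assumes that the per-component database host variables all end in DBHOST (the page shows DBHOST itself; the prefixed form is an assumption). The sample env files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Smart ID documentation: check the values in
# <SMARTIDHOME>/compose/smartid.env before running the initialization script.
# Only variables the documentation names are checked: TZ, TRAEFIK_ACME_EMAIL,
# SMARTID_INGRESS_DOMAIN and any variable ending in DBHOST (assumption: the
# per-component database host variables share that suffix).

# Read KEY=VALUE from an env file without sourcing it, so nothing is executed.
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print every problem found and return 1; return 0 if the file looks sane.
check_smartid_env() {
  file=$1; rc=0
  for key in TZ TRAEFIK_ACME_EMAIL SMARTID_INGRESS_DOMAIN; do
    if [ -z "$(env_value "$file" "$key")" ]; then
      echo "missing or empty: $key"; rc=1
    fi
  done
  # The ACME e-mail must be a real address even when ACME is not used.
  email=$(env_value "$file" TRAEFIK_ACME_EMAIL)
  case $email in
    '') ;;
    *@*.*) ;;
    *) echo "TRAEFIK_ACME_EMAIL is not an e-mail address: '$email'"; rc=1 ;;
  esac
  # At least one database host must be set.
  if ! grep -Eq '^[[:space:]]*[A-Za-z_]*DBHOST=.+' "$file"; then
    echo "no DBHOST variable set"; rc=1
  fi
  # 127.0.0.1 does not work as DBHOST: inside a container it is the
  # container's own loopback, not the host. localhost is the same case.
  if grep -E '^[[:space:]]*[A-Za-z_]*DBHOST=.*(127\.0\.0\.1|localhost)' "$file"; then
    echo "DBHOST must not point at loopback; use the host IP or the Docker IP"; rc=1
  fi
  return $rc
}

# Check the real file only when explicitly requested.
if [ "${SMARTID_ENV_CHECK:-0}" = 1 ]; then
  check_smartid_env "${SMARTIDHOME:-$HOME}/compose/smartid.env"
fi
```

Run with SMARTID_ENV_CHECK=1 (and SMARTIDHOME set if it is not your home directory); a non-zero exit lists every finding, so it can gate the initialization step in a deployment script.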
To initialize the deployment:
- Make the initialization scripts executable:
- Run the initialization script for Smart ID. The script checks that docker and docker-compose are installed; if not, it exits. It creates Docker networks, symbolic links, directories and users, and sets permissions for Smart ID.
- The script then asks a few questions:
  - Whether a Postgres database should be deployed. For a production deployment, type n for No and the script skips this step. For a test deployment, type y for Yes and the script creates and starts a Postgres database.
  - Whether Traefik should be used as ingress/proxy. Typing y for Yes creates acme.json and sets its permissions.
  - Whether Digital Access will be deployed on this host. Typing y for Yes creates the user "pwuser" and sets permissions.
- After that, the script finishes and you can proceed to the next step, see heading "Edit environment variables".
- To see exactly which steps were performed, check the log file init-smartid.log after running the script.
If there are any permission issues, for example when accessing the PostgreSQL database, make sure that you have permissions to access the Smart ID configuration and Docker files.
If you are deploying Digital Access on CentOS 7 or later and want to use port 443, you must redirect the network traffic internally on the host. This can be done in many ways; one example follows. You must also change the listening port of the Access Point to 9001, otherwise the Access Point container fails to start. After the change, all incoming traffic on port 443 is redirected internally to port 9001.
Redirect traffic from 443 to 9001
- Change the listening port for the Access Point in Digital Access Admin:
  - Go to Manage System > Access Points.
  - Click on the Service ID for the Access Point that you want to edit.
  - Change Portal Port and Sandbox Port to 9001.
  - Click Save.
  - Publish the configuration.
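One way to do the 443 to 9001 redirect on the host, as an added example that is not the documentation's own: an iptables REDIRECT rule in the nat PREROUTING chain, added only if it is not already present. It assumes iptables is available and is run as root on the Digital Access host; the rule is not persistent across reboots (use iptables-save or your distribution's firewall tooling for that), and it only covers traffic arriving from the network, not connections made from the host to itself.

```shell
#!/bin/sh
# Added example, not from the Smart ID documentation: redirect incoming TCP
# port 443 to the Access Point listening on 9001 with an iptables REDIRECT
# rule in the nat table. Run as root on the Digital Access host. The rule is
# not persistent; persist it with iptables-save or the distribution's firewall
# tooling (on CentOS 7 with firewalld:
#   firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=9001).

# Accept only numeric ports in the valid range.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the rule specification; refuse invalid ports and no-op mappings.
redirect_rule() {
  from=$1; to=$2
  valid_port "$from" && valid_port "$to" && [ "$from" != "$to" ] || return 1
  printf 'PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$from" "$to"
}

# Add the rule only if iptables -C does not already find it (idempotent).
apply_redirect() {
  rule=$(redirect_rule "$1" "$2") || { echo "invalid ports: $1 $2" >&2; return 1; }
  # shellcheck disable=SC2086  # the rule string is deliberately word-split
  if iptables -t nat -C $rule 2>/dev/null; then
    echo "rule already present: $rule"
  else
    iptables -t nat -A $rule && echo "added: $rule"
  fi
}

# Apply only when explicitly requested and running as root.
if [ "${SMARTID_REDIRECT_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
  apply_redirect 443 9001
fi
```

Run with SMARTID_REDIRECT_APPLY=1 as root; afterwards `iptables -t nat -S PREROUTING` shows the rule, and the Access Point must already be reconfigured to 9001 as described above or its container will not start.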
This instruction is only valid for Identity Manager, Messaging and Physical Access. TLS in Digital Access is configured inside the application.
To change the TLS certificate:
- Make sure your certificate and key are in PEM format.
- Put your certificate and key in <SMARTIDHOME>/compose/certs.
- Change the permissions of the certificate and key file:
- Open <SMARTIDHOME>/compose/smartid.env for editing.
- Change the default certificates by editing the filenames smartidtls_cer.pem and smartidtls_key.pem:
Strict server name indication (SNI) can be used as an extra security measure. By default, strict SNI is set to false. To enable it, set TRAEFIK_TLS_STRICTSNI to true.
Open <SMARTIDHOME>/docker/compose/traefik/config/traefik-tls.yml for editing.
- Add or delete cipher suites as needed.
To change the TLS version for Traefik, use minVersion and maxVersion: minVersion is the minimum allowed TLS version and maxVersion is the maximum allowed TLS version. By default, the allowed TLS version is 1.2.
Note that some mobile devices do not fully support TLS 1.3, which can cause compatibility issues.
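A check for the TLS steps above (certificate files and Traefik TLS options), as an added example that is not part of the Smart ID documentation. It verifies that the files in <SMARTIDHOME>/compose/certs are PEM, that the private key is readable only by its owner, and that traefik-tls.yml does not allow anything below TLS 1.2 and has strict SNI on when you want it. It assumes traefik-tls.yml uses Traefik's standard dynamic-configuration layout (tls.options.default with minVersion, maxVersion, sniStrict and cipherSuites); the PEM and YAML files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Smart ID documentation: check the PEM files
# placed in <SMARTIDHOME>/compose/certs and the Traefik TLS options file
# before restarting the ingress. The layout of traefik-tls.yml assumed here
# (tls.options.default with minVersion, maxVersion, sniStrict, cipherSuites)
# is Traefik's standard dynamic-configuration format.

# A PEM file must start with the BEGIN line for its kind ("cert" or "key").
check_pem() {
  file=$1; kind=$2
  [ -r "$file" ] || { echo "not readable: $file"; return 1; }
  first=$(head -n 1 "$file")
  case $kind:$first in
    cert:"-----BEGIN CERTIFICATE-----") ;;
    key:"-----BEGIN PRIVATE KEY-----"|key:"-----BEGIN RSA PRIVATE KEY-----"|key:"-----BEGIN EC PRIVATE KEY-----") ;;
    *) echo "$file is not a PEM $kind (first line: $first)"; return 1 ;;
  esac
}

# The private key must have mode 0600 exactly (owner read/write only).
check_key_perms() {
  if [ -n "$(find "$1" -perm 600)" ]; then return 0; fi
  echo "$1 should have mode 0600"; return 1
}

# minVersion must be VersionTLS12 or VersionTLS13; with "strict" as second
# argument, sniStrict must also be true.
check_traefik_tls() {
  yml=$1; want_strict=${2:-}; rc=0
  minv=$(sed -n 's/^[[:space:]]*minVersion:[[:space:]]*//p' "$yml" | head -n 1)
  case $minv in
    VersionTLS12|VersionTLS13) ;;
    *) echo "minVersion is '$minv'; expected VersionTLS12 or VersionTLS13"; rc=1 ;;
  esac
  if [ "$want_strict" = strict ] && ! grep -Eq '^[[:space:]]*sniStrict:[[:space:]]*true' "$yml"; then
    echo "sniStrict is not enabled in $yml"; rc=1
  fi
  return $rc
}

# Check the real deployment only when explicitly requested.
if [ "${SMARTID_TLS_CHECK:-0}" = 1 ]; then
  home=${SMARTIDHOME:-$HOME}
  check_pem "$home/compose/certs/smartidtls_cer.pem" cert
  check_pem "$home/compose/certs/smartidtls_key.pem" key
  check_key_perms "$home/compose/certs/smartidtls_key.pem"
  check_traefik_tls "$home/docker/compose/traefik/config/traefik-tls.yml" strict
fi
```

The default file names are the ones the instructions mention; if you renamed them in smartid.env, pass your own paths to the functions.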
Start and verify services
This is only required at the first startup:
Start the ingress/proxy Traefik:
The ingress Traefik has a dashboard where the status can be viewed. It can be accessed at your host IP address on port 8080.
Start the initialization of the database. This is only required at the first startup:
- Information is written on the screen, and if it was successful, you should see this text at the end:
smartid-idm-updatedb exited with code 0
- To instead write all information only to the log file, add -d to the command, like this:
docker-compose up -d
Check the logs of the database initialization:
Start Identity Manager components:
Location of services
Start the services:
Give permission to use the logs/rabbitmq directory:
Start Physical Access with one or more PACS connectors. See the list of PACS connector services below.
smartid-pa-maintenance must be started for all Physical Access use cases:
Digital Access must always be deployed on its own host. It cannot run together with other Smart ID applications because it uses the host's network.
Start the Digital Access sub components by going into the wanted component folder:
Verify the Smart ID installation:
Verify each component by browsing to the DNS names and the configured port, for example:
For Physical Access, verify the started Physical Access services by browsing to the DNS names, for example:
Or browse to the IP address for all started services, for example:
The default port for each Physical Access service can be found in Default ports in Smart ID.
List all running docker containers:
Check the logs:
To check a log, go to the application folder, for example <SMARTIDHOME>/compose/identitymanager and run this command:
To check all logs with tail, go to the application folder, for example <SMARTIDHOME>/compose/identitymanager and run this command:
To stop a specific service, go to the application folder, for example <SMARTIDHOME>/compose/identitymanager/operator and run this command:
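The verification steps above, as an added example that is not part of the Smart ID documentation: one function checks a captured database-initialization log for the "smartid-idm-updatedb exited with code 0" line the instructions quote (and reports the actual exit code when it is not 0), and another probes each DNS name over HTTPS and reports the status. The domain smartid.example.com, the application names and the log lines in the test are constructed samples; curl is assumed to be installed, and -k is used only because the default certificate is self-signed.

```shell
#!/bin/sh
# Added example, not from the Smart ID documentation: verify the first start-up.
# updatedb_succeeded checks a docker-compose log (for example saved with
# "docker-compose logs > updatedb.log") for the success line the documentation
# quotes; probe_service checks that an HTTPS endpoint answers. The domain and
# the application names below are constructed samples.

# Return 0 if the last status line for smartid-idm-updatedb reports exit
# code 0; otherwise print what was found and return 1.
updatedb_succeeded() {
  line=$(grep -E 'smartid-idm-updatedb.*exited with code [0-9]+' "$1" | tail -n 1)
  case $line in
    *'exited with code 0') return 0 ;;
    '') echo "no exit status for smartid-idm-updatedb found in $1"; return 1 ;;
    *) echo "database initialization failed: $line"; return 1 ;;
  esac
}

# Classify an HTTP status: 2xx/3xx is fine, 401/403 means the service answers
# but requires a login, anything else (000 = no connection) is a failure.
status_ok() {
  case $1 in 2[0-9][0-9]|3[0-9][0-9]|401|403) return 0 ;; *) return 1 ;; esac
}

# Probe one URL over HTTPS. -k accepts the self-signed default certificate;
# drop it once your own TLS certificate is installed.
probe_service() {
  code=$(curl -sk -o /dev/null -m 10 -w '%{http_code}' "$1" 2>/dev/null || true)
  [ -n "$code" ] || code=000
  if status_ok "$code"; then
    echo "ok   $1 ($code)"
  else
    echo "FAIL $1 ($code)"; return 1
  fi
}

# Probe every application name under the ingress domain.
verify_services() {
  domain=$1; shift; rc=0
  for name in "$@"; do
    probe_service "https://$name.$domain/" || rc=1
  done
  return $rc
}

# Run against a real deployment only when explicitly requested:
#   SMARTID_VERIFY=1 sh verify.sh updatedb.log
if [ "${SMARTID_VERIFY:-0}" = 1 ]; then
  updatedb_succeeded "${1:-updatedb.log}"
  verify_services smartid.example.com idm hermod pa
fi
```

Services with a non-default port (see Default ports in Smart ID) can be probed by passing the full URL to probe_service directly.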
Configure Smart ID
Continue with Configure Smart ID.