Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


Skip to end of metadata
Go to start of metadata

Smart ID Certificate Manager and OCSP Responder are not included in this instruction. 

All the components in the Smart ID Workforce solution are deployed as Docker containers, except Smart ID Certificate Manager (CM) and Nexus OCSP Responder. To install these, see Install Certificate Manager and Install and upgrade Nexus OCSP Responder

For more information on general Docker commands, see https://docs.docker.com/engine/reference/commandline/docker/.

Upgrade Smart ID

If you shall upgrade Smart ID, see here: Upgrade Smart ID, see also section "Additional steps for a specific version" in that article.

Expand/Collapse All

Smart ID deployment configuration release note


Smart ID deployment configuration release note
All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 21.04.2-2021-09-13]
 
### Added
 
- HTTPS support for Physical Access integra. [DEVOPS-1211]
- Environment variable to control debug logging in Physical Access SCIMAPI. [DEVOPS-1211]
 
### Changed
 
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Change Import Logger to correct class. [DEVOPS-1143]
- RabbitMQ now uses external docker image. [DEVOPS-1211]

## [Release 21.04.1-2021-07-02]

### Changed
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Updated SmartID version to 21.04.1

### Removed
- Removed Self-Service config.json file. [DEVOPS-945]
- Removed hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-06-10]

### Added
- Added some Let's Encrypt root certificates. [DEVOPS-971]

### Changed
- Fixed some copy issues in the init-smartid.sh script.
- Changed the default selfservice config to include auth methods params example.
- Update Language files for IDM. [DEVOPS-1067]

### Removed
- Removed expired Let's Encrypt certificates. [DEVOPS-971]

## [Release 21.04.0-2021-05-28]

### Added
- Added new Let's Encrypt cert. [DEVOPS-946]
- Added hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-05-20]

### Added
- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-treafik setup in `bootstrap/createca.sh`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `init-smartid.sh` that exits the script if user didn't fill the mandatory properties in `smartid.env` (thoose with <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed
- IDM DB will no longer be initialized through init-smartid.sh script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD_* properties to MESSAGING_*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed
- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed
- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-22]

### Added
- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed
- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed
- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used.[DEVOPS-640]
- Fixed the copy_files.sh script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [2020.11.1-2021-02-18]
 
### Added
- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+.
 
### Changed
- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1


## [Release 20.11.0-2020-12-22]

### Added
- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed
- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `stop-smartid.sh` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `init-smartid.sh` script to work regardless of where the script is called from.
- Improved the `createca.sh` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed
- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.


## [Release 20.11.0-2020-12-07]

### Added
- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed
- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/stop-smartid.sh`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Change the ini-smartid.sh script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed
- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how handle them.
- Removed samples.


## [Release 20.06.1-2020-10-27]

### Added
- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin. 
- Added translation files for identitymanager in `config/idm/translation_id`m and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed
- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `init-smartid.sh` script.
- Moved seflservice to a separate docker-compose file.

### Fixed
- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed
- Dropped `restart: always` for identittymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.


## [Release 20.06.0-2020-09-28]

### Added
- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will the start up after re-boot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed
- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated `init-smartid.sh`:
  - Now check if docker and docker-compose are installed, if not the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed
- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `init-smartid.sh` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

## Removed
- Removed `init-smartid-test.sh`, it is included in init-smartid.sh.



Prerequisites 

For general recommendations, see Smart ID deployment recommendations.

The following prerequisites apply:

  • Docker version 2.3.0.0 or later
  • Docker Compose version 1.25.5 or later and Docker Compose file version 3.7 or later

    Kubernetes is supported, but no example configuration is available at this point.

  • Supported host operating systems:
    • Linux that supports the Docker and Docker Compose versions above
    • Windows on request 
  • Valid licenses for all components to be used.Go to link
  • A database must be installed and in running mode. Supported databases are listed in Smart ID deployment recommendations.
  • Valid Support account at https://support.nexusgroup.com
  • For online deployment, as described below, your hosts need internet access.
    • If this is a offline deployment, the docker containers needs to be downloaded and transferred to the hosts.
  • DNS records must be created for each application to each Smart ID host:

    DNS examples
    # Identity Manager
    idm.smartid.example.com
    selfservice.smartid.example.com
    admin.smartid.example.com
    tenant.smartid.example.com
    # Digital Access
    access.smartid.example.com
    # Physical Access
    physicalaccess.smartid.example.com
    pa-maintenance.smartid.example.com
    pa-arx.smartid.example.com
    # Messaging Hermod
    mb.smartid.example.com
    

    If you don't have the possibility to create DNS records, for example in a test environment, then you can add the wanted DNS records in your localhost file. Add them both on the Smart ID host and on the clients that you want to use to access Smart ID.

Docker and Docker Compose installation examples

Here are examples on how to install Docker on Ubuntu. Similar installation processes are valid for other Linux distributions. 

  1. Install Docker.

    Install Docker
    sudo apt install docker.io
  2. Enable Docker as a a service.

    Enable docker as a service
    sudo systemctl enable --now docker
  3. Install Docker-Compose.

    Install Docker-Compose
    sudo wget -O  /usr/local/bin/docker-compose https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64
    sudo chmod +x /usr/local/bin/docker-compose

Deploy Smart ID

Configure services

To avoid any permission issues, it is recommended that you create a dedicated Smart ID user account and run the Smart ID applications on the user's home directory.

  1. On each host, create a user account for Smart ID and add that user to the docker group.

    Create Smart ID User Ubuntu
    sudo adduser --disabled-password --gecos "" --shell /bin/bash nexus
    sudo usermod -aG docker nexus
    Create Smart ID User CentOS
    sudo adduser -r -d /home/nexus --shell /bin/bash nexus
    sudo usermod -aG docker nexus

    <SMARTIDHOME>

    In this guide the <SMARTIDHOME> refers to /home/nexus, but this can be different depending on the setup.

  2. Switch to a Smart ID user: 

    Switch to Smart ID user
    su - nexus
    
  1. Browse to support.nexusgroup.com/ and login with your account
    1. Click on Download Portal and click on Smart ID.
    2. Click on SmartID-<version>-deployment.zip to download the deployment file to your computer. Where <version> represents the version you want to download.
    3. Click on SmartID-<version>-configuration.zip to download the configuration file to your computer. Where <version> represents the version you want to download.
      This file contains standard Smart ID configurations that can later be uploaded to Identity Manager.
    4. Transfer the SmartID-<version>-deployment.zip file to your Smart ID hosts and extract it in your Smart ID home folder <SMARTIDHOME>/:

      Go to home folder of Smart ID user
      cd <SMARTIDHOME>
      unzip SmartID-21.04.2-deployment.zip
    5. The structure of sub folders in the Smart ID home directory, <SMARTIDHOME>/, is as follows: 

      Sub folder structure of Smart ID home
      .
      └── docker
          └── compose
              ├── bootstrap
              │   ├── cacerts
              │   │   ├── DST-Root-CA-X3-b64.cer
              │   │   └── Lets-Encrypt-Authority-X3-b64.cer
              │   ├── conf
              │   │   ├── ca.conf
              │   │   ├── idm-deviceenc.conf
              │   │   ├── idm-encryption.conf
              │   │   ├── idm-signconfig.conf
              │   │   ├── idm-signemail.conf
              │   │   ├── tls-client.conf
              │   │   └── tls-san.conf
              │   └── createca.sh
              ├── digitalaccess
              │   ├── access-point
              │   │   └── docker-compose.yml
              │   ├── administration-service
              │   │   └── docker-compose.yml
              │   ├── authentication-service
              │   │   └── docker-compose.yml
              │   ├── config
              │   │   ├── da-admin-customize.conf
              │   │   └── da-auth-customize.conf
              │   ├── distribution-service
              │   │   └── docker-compose.yml
              │   └── policy-service
              │       └── docker-compose.yml
              ├── identitymanager
              │   ├── admin
              │   │   └── docker-compose.yml
              │   ├── config
              │   │   ├── translations
              │   │   │   ├── general.properties
              │   │   │   ├── general_de.properties
              │   │   │   ├── general_fr.properties
              │   │   │   └── general_sv.properties
              │   │   ├── log4j2.xml
              │   │   ├── log4j2JsonLayout.json
              │   │   ├── signencrypt.xml
              │   │   └── tomcat-server.xml
              │   ├── operator
              │   │   └── docker-compose.yml
              │   ├── tenant
              │   │    └── docker-compose.yml
              │   └── updatedb
              │      └── docker-compose.yml
              ├── messaging
              │   ├── config
              │   │   └── hermod-conf.yml
              │   └── docker-compose.yml
              ├── physicalaccess
              │   ├── data
              │   │   └── demo
              │   │       ├── AccessGroups.json
              │   │       └── Users.json
              │   └── docker-compose.yml
              ├── postgres
              │   ├── init
              │   │   └── init-smartid-databases.sql
              │   └── docker-compose.yml
              ├── selfservice
              │   ├── config
              │   │   ├── branding
              │   │   │   └── default
              │   │   │       ├── logo.png
              │   │   │       └── theme.css
              │   │   ├── translations
              │   │   │   ├── ar.json
              │   │   │   ├── de.json
              │   │   │   ├── en.json
              │   │   │   ├── fr.json
              │   │   │   └── sv.json
              │   │   ├── config.json
              │   │   ├── log4j2.xml
              │   │   ├── log4j2JsonLayout.json
              │   │   └── tomcat-server.xml
              │   └── docker-compose.yml
              ├── tools
              ├── traefik
              │   ├── config
              │   │   └── traefik-tls.yml
              │   └── docker-compose.yml
              ├── init-smartid.sh
              ├── smartid.env
              ├── stop-smartid.sh
              └── tools
                  └── adminer
                      └── docker-compose.yml
      

You must change at least these variables, se instructions below:

  • SMARTID_INGRESS_DOMAIN
  • DBHOST
  • TRAEFIK_ACME_EMAIL

Other variables are optional to change, but in a production environment you must change the credentials.

Set variables in the environment file to match your environment:  

  1. Open the environment file <SMARTIDHOME>/compose/smartid.env for editing. 
  2. Change timezone (TZ) to fit your environment.

  3. Change TRAEFIK_ACME_EMAIL to fit your deployment. You must do this even if you do not use ACME.

    Example: Change TRAEFIK_ACME_EMAIL
    TRAEFIK_ACME_EMAIL=smartid@example.com
  4. Change the database host (DBHOST) for Identity Manager, Hermod or Digital Access to fit your deployment. If it is a test deployment and database is running on the same host, the host IP-address or the docker-ip of the Postgres deployment must be used. localhost or 127.0.0.1 will not work.

    Digital Access

    Digital Access can not be deployed at the same hosts as the other applications. It requires its own host.

    Example: Change timezone and database host
    ### Global variables
    TZ=Europe/Stockholm
    DBHOST=jdbc:postgresql://postgresdb:5432
    # DBHOST=jdbc:sqlserver://<SMARTID-DB-HOST>:1433
    # DBHOST=jdbc:oracle:thin:@//<SMARTID-DB-HOST>:1521

    If you are using a MSSQL Database (DBHOST=jdbc:sqlserver://<SMARTID-DB-HOST>:1433), you need to change the format of the Database URL at the following places:

    <SMARTIDHOME>/docker/compose/config/da-admin-customize.conf
    wrapper.java.additional.31=-Dcom.portwise.core.database.url=${DBHOST}/${DA_DB_NAME_REPORT}
    # If you are using MSSQL, please consider using following DB URL format
    # wrapper.java.additional.31=-Dcom.portwise.core.database.url=${DBHOST};DatabaseName=${DA_DB_NAME_REPORT}
    <SMARTIDHOME>/docker/compose/config/hermod-conf.yml
    url: ${DBHOST}/${HERMOD_DB_NAME}
    # If you are using MSSQL, please consider using following DB URL format
    # url: ${DBHOST};DatabaseName=${HERMOD_DB_NAME}

    <SMARTIDHOME>/docker/compose/identitymanager/admin/docker-compose.yml

    <SMARTIDHOME>/docker/compose/identitymanager/init-db/docker-compose.yml

    <SMARTIDHOME>/docker/compose/identitymanager/operator/docker-compose.yml

    <SMARTIDHOME>/docker/compose/identitymanager/tenant/docker-compose.yml

    <SMARTIDHOME>/docker/compose/identitymanager/**/docker-compose.yml
    - DB_URL=${DBHOST}/${IDM_DB_NAME}
    # If you are using MSSQL, please consider using following DB URL format
    # - DB_URL=${DBHOST};DatabaseName=${IDM_DB_NAME}
  5. Change the version of Smart ID if needed: 

    Example: Change Smart ID Version
    ### Smart ID Version
    SMARTID_VERSION=21.04.2
  6. Change the value of SMARTID_INGRESS_DOMAIN to fit your deployment. It is recommended to use a sub-domain with wildcard for Smart ID. For example *.smartid.example.com and point that domain to your host.

    Example: Set Smart ID Ingress domain
    ### Ingress Configuration
    # Change the SMARTID_INGRESS_DOMAIN to your domain for example smartid.example.com
    ## Smart ID Ingress
    SMARTID_INGRESS_DOMAIN=<YOUR-SMARTID-DOMAIN>
    # Identity Manager Ingress
    IDM_OPERATOR_DOMAIN_PREFIX=idm
    IDM_ADMIN_DOMAIN_PREFIX=admin
    IDM_SELFSERVICE_DOMAIN_PREFIX=selfservice
    IDM_TENANT_DOMAIN_PREFIX=tenant
    # Hermod Ingress
    HERMOD_DOMAIN_PREFIX=mb
    # Physical Access Ingress
    PA_DOMAIN_PREFIX=physicalaccess
    PA_RABBITMQ_DOMAIN_PREFIX=pa-rabbitmq
    PA_MAINTENANCE_DOMAIN_PREFIX=pa-maintenance
    PA_ARX_DOMAIN_PREFIX=pa-arx
  7. Change database credentials
    To change the type or database name or password, change the following variables. If this is a test deployment, you don't have to change anything here. Note that the Physical Access database hosts is specified using the variable PA_DB_HOST.

    Example: Change database credentials
    # Database credentials
    IDM_DB_USER=idmuser
    IDM_DB_PASS=
    IDM_DB_NAME=idm
    
    ## Physical Access databases and Credentials
    PA_DB_USER=pauser
    PA_DB_PASS=
    PA_DB_NAME=pa
    PA_DB_TYPE=MSSQL
    # Change to your mssql hostname
    PA_DB_HOST=mssqldb
    
    ## Messaging Hermod database and Credentials
    HERMOD_DB_USER=hermoduser
    HERMOD_DB_PASS=
    HERMOD_DB_NAME=hermod
    
    ## Digital Access Databases and Credentials
    DA_DB_USER=dauser
    DA_DB_PASS=
    DA_DB_DRIVER=org.postgresql.Driver
    DA_DB_NAME_USER=da
    DA_DB_NAME_REPORT=da_report
    DA_DB_NAME_OATH=da_oath
    DA_DB_NAME_OAUTH2=da_oauth2

To initialize the deployment:

  1. Make the initialization scripts executable:

    Make init scripts executable
    cd <SMARTIDHOME>/docker/compose
    chmod +x init-smartid.sh
  2. Run the initialization script for Smart ID. The script checks if docker and docker-compose are installed; if not, the script will exit. It creates docker networks, symbolic links, directories and users, and sets permissions for Smart ID.

    Run init script
    $ ./init-smartid.sh
    Preflight check: Docker is installed
    Preflight check: Docker-Compose is installed
    ----------------------------------------------------------------------------------------
    Preparing SmartID for deployment...
    ----------------------------------------------------------------------------------------

    Then, the script asks a few questions:

    1. The script asks if a Postgres database should be deployed.

      Script snippet: ask for Postgres
      Should PostgreSQL be deployed (Should only be used for non-production systems)? [Y/n]

      For a production deployment, type n for No. Then, the script will skip this step.

      For a test deployment, type y for Yes. Then the script will create and start a Postgres database.

      Script snippet: ask for Postgres answered Yes
      Should PostgreSQL be deployed (Should only be used for non-production systems)? [Y/n] y
      Creating directories for PostgreSQL
      Deploying and starting PostgreSQL
    2. The script asks if traefik should be used as Ingres/proxy. Typing y for Yes will create acme.json and set the permissions.

      Script snippet: ask for Traefik answered Yes
      Should Traefik be used as Ingress/Proxy? [Y/n] y
      Creating acme.json and setting permissions for ACME
      Copying Let´s Encrypt CA Certificate to ./cacerts
      
    3. The script asks if Digital Access will be deployed to the host. Typing y for Yes will create the user "pwuser" and set permissions.

      Script snippet: ask for Digital Access answered Yes
      Should SmartID Digital Access be deployed on this host? [Y/n] y
      Creating directories for Digital Access
      Creating pwuser for Digital Access and setting permissions to digitalaccess/services
    4. After that, the script finishes and you can proceed to the next step. See Edit environment variables.

      Script snippet: script ran successfully
      ----------------------------------------------------------------------------------------
      Smart ID is now ready for deployment.
      Proceed to the next step by editing smartid.env to make the neccassary changes
      for your deployment.
      
      For documentation check https://doc.nexusgroup.com
      ----------------------------------------------------------------------------------------
  3. To see exactly what steps have been done, see the log file init-smartid.log after executing the script.

If there are any permission issues, for example to access the PostgreSQL database, make sure that you have permissions to access the Smart ID configuration and docker files.

If you are deploying Digital Access on a CentOS >=7 and you want to use port 443, you must redirect the network traffic internally on the host. This can be done in many ways, here is one example. As a result of this you must also change the listening port for the Access Point to 9001. If this is not changed, the startup of the Access Point container will fail. The result after the change is that all incoming traffic on 443 will be redirected internally to 9001.

  1. Redirect traffic from 443 to 9001

    Redirect traffic
    iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9001
    iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 9001
    
  2. Change listening port for Access Point in Digital Access Admin:
    1. Go to Manage System > Access Points.
    2. Click on the Service ID for the Access Point that you want to edit.
    3. Change Portal Port and Sandbox Port to 9001.

    4. Click Save.
    5. Publish the configuration.

Configure certificates

This instruction is only valid for Identity Manager, Messaging and Physical Access. 

TLS in Digital Access are configured inside the application.

To change TLS Certificate:

  1. Make sure your certificate and key are in PEM format.
  2. Put your certificate and key in <SMARTIDHOME>/compose/certs.
  3. Change permissions of the certificate and key file:

    Example: Change permissions
    chmod 600 smartidtls_cer.pem
    chmod 600 smartidtls_key.pem
  4. Open <SMARTIDHOME>/compose/smartid.env for editing.
  5. Change the default certificates by editing the filenames smartidtls_cer.pem and smartidtls_key.pem:

    Example: Change default certificates
    TRAEFIK_TLS_DEFAULT_CERTIFICATE=smartidtls_cer.pem
    TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY=smartidtls_key.pem

Strict server name indication (SNI) can be used as an extra security measure. By default, strict SNI is set to false.  

  1. Set TRAEFIK_TLS_STRICTSNI to true in smartid.env

    Enable Strict SNI
    TRAEFIK_TLS_STRICTSNI=true
  1. Open <SMARTIDHOME>/docker/compose/traefik/config/traefik-tls.yml for editing.

    traefik-tls.yml
     tls:
      stores:
        default:
          defaultCertificate:
            certFile: /certs/{{env "TRAEFIK_TLS_DEFAULT_CERTIFICATE"}}
            keyFile: /certs/{{env "TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY"}}
      options:
        default:
          sniStrict: {{env "TRAEFIK_TLS_STRICTSNI"}}
          minVersion: VersionTLS12
          maxVersion: VersionTLS12
          cipherSuites:
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
            - TLS_AES_128_GCM_SHA256
            - TLS_AES_256_GCM_SHA384
            - TLS_CHACHA20_POLY1305_SHA256
            - TLS_FALLBACK_SCSV
  2. Add or delete any Cipher Suites.
  3. To change TLS version for traefik, use minVersion and maxVersionminVersion is the minimum allowed TLS version, and maxVersion is the maximum allowed TLS version. Default, the allowed version of TLS is 1.2.

    Note that some mobile devices do not have full support for TLS 1.3 and can cause compatibility issues.

    TLS Versions
    TLSv10
    VersionTLS12
    VersionTLS13

Start and verify services

This is only required at the first startup: 

  1. Start the ingress/proxy Traefik: 

    Start Traefik
    cd <SMARTIDHOME>/compose/traefik
    docker-compose up -d
    

The ingress Traefik has a dashboard were status can be viewed. It can be accessed at your host IP address at port 8080.

http://<SMARTID-HOST-IPADDRESS>:8080
  1. Start the initialization of the database. This is only required at the first startup: 

    Initialize the database
    cd <SMARTIDHOME>/compose/identitymanager/updatedb
    docker-compose up -d
    
  2. Check the logs of the database initialization:

    Check logs for initialization
    cd <SMARTIDHOME>/compose/identitymanager/updatedb
    docker-compose logs -f
  3. Start Identity Manager components:

    1. Location of services

      Example - Location of Identity Manager services
      <SMARTIDHOME>/compose/identitymanager/admin
      <SMARTIDHOME>/compose/identitymanager/operator
      <SMARTIDHOME>/compose/identitymanager/tenant
    2. Start the services:

      Example - Start Identity Manager Admin
      cd <SMARTIDHOME>/compose/identitymanager/admin
      docker-compose up -d
  1. Start Hermod: 

    Start Hermod
    cd <SMARTIDHOME>/compose/messaging
    docker-compose up -d
    
  1. Start Self-Service: 

    Start Self-Service
    cd <SMARTIDHOME>/compose/selfservice
    docker-compose up -d
    
  1. Give permission to use the logs/rabbitmq directory:

    Give permission
    cd <SMARTIDHOME>/compose/physicalaccess
    sudo chmod -R a+rw logs/rabbitmq/
  2. Start Physical Access with one or more PACS connectors. See the list of PACS connector services below.
    The services smartid-pa-rabbitmq, smartid-pa-scimapi and smartid-pa-maintenance must be started for all Physical Access use cases: 

    Syntax: Start Physical Access with PACS connectors
    cd <SMARTIDHOME>/compose/physicalaccess
    docker-compose up -d smartid-pa-rabbitmq smartid-pa-scimapi smartid-pa-maintenance [PACS_connector1 PACS_connector2]
    
    Example: Start Physical Access with ASSA ARX connector
    cd <SMARTIDHOME>/compose/physicalaccess
    docker-compose up -d smartid-pa-rabbitmq smartid-pa-scimapi smartid-pa-maintenance smartid-pa-arx
    
PACSPACS connector service nameFor more information
ASSA ARX

smartid-pa-arx

Set up integration with ASSA ARX
Bewator Omnissmartid-pa-omnisSet up integration with Bewator Omnis
Bravida Integrasmartid-pa-integraSet up integration with Bravida Integra
Interflex IF-6040smartid-pa-interflexSet up integration with Interflex IF-6040
RCO R-CARD M5 Admin APIsmartid-pa-rcom5Set up integration with RCO R-CARD M5 Admin API
RCO R-CARD M5smartid-pa-rcoSet up integration with RCO R-CARD M5
Salto (we have 2 Salto: SALTO ProAccess and SALTO ProAccess SPACE)

smartid-pa-salto

Set up integration with Salto
Security Shells iSecure

smartid-pa-isecure

Set up integration with Security Shells iSecure for connection with HID controllers
SiPasssmartid-pa-sipassSet up integration with SiPass Integrated
SiPortsmartid-pa-siportSet up integration with SiPort
Unilocksmartid-pa-unilockSet up integration with UniLock
Unison Pacom

smartid-pa-unison

Set up integration with Unison Pacom
PACS demo servicesmartid-pa-demoSet up PACS demo service

Digital Access shall always be deployed on its own host. It can not be run together with other Smart ID Applications because it will use the hosts network.

  1. Start Digital Access sub components, by going into the wanted component folder:

    Digital Access - services location
    <SMARTIDHOME>/compose/digitalaccess/accesspoint
    <SMARTIDHOME>/compose/digitalaccess/policy-service
    <SMARTIDHOME>/compose/digitalaccess/authorization-server
    <SMARTIDHOME>/compose/digitalaccess/administration
    <SMARTIDHOME>/compose/digitalaccess/distribution-service
    
    Example: Start Dígital Access Administration service
    cd <SMARTIDHOME>/compose/digitalaccess/administration
    docker-compose up -d
    

Verify the Smart ID installation: 

  1. Verify each component, by browsing to the DNS names and the configured port, for example:

    Example DNS names
    Smart ID Self-Service: selfservice.smartid.example.com
    Smart ID Identity Manager: idm.smartid.example.com
    Smart ID Digital Access: digitalaccess.smartid.example.com
    Smart ID Physical Access: physicalaccess.smartid.example.com
    Smart ID Messaging (Hermod): hermod.smartid.example.com
    Traefik Ingress Dashboard:  http://<SMARTID-HOST-IPADDRESS>:8080
    1. For Physical Access, verify the started Physical Access services by browsing to the DNS names, for example:

      Example DNS names
      Smart ID Physical Access: physicalaccess.smartid.example.com
      Physical Access RabbitMQ service: pa-rabbitmq.smartid.example.com
      Physical Access SCIM API: pa-scimapi.smartid.example.com
      Physical Access Maintenance: pa-maintenance.smartid.example.com 
      Physical Access ASSA ARX connector: pa-arx.smartid.example.com

      Or browse to the IP address for all started services, for example:

      IP address
      https://<SMARTID-HOST-IPADDRESS>:<PORT>

      The default port for each Physical Access service can be found in Default ports in Smart ID.

  2. List all running docker containers:

    Example: List containers
    docker ps
  3. Check the logs:

    1. To check a log, go to the application folder, for example <SMARTIDHOME>/compose/identitymanager and run this command:

      Example: Check logs
      docker-compose logs -f <CONTAINER>
    2. To check all logs with tail, go to the application folder, for example <SMARTIDHOME>/compose/identitymanager and run this command:

      Example: Check all logs with tail
      docker-compose logs -f

Stop services

  1. To stop a specific service, go to the application folder, for example <SMARTIDHOME>/compose/identitymanager/operator and run this command:

    Stop services
    ...
    docker-compose stop

Configure Smart ID

Continue with Configure Smart ID.

This article is valid for Smart ID 21.04.2 and later.

Related information