
This article describes how to deploy the Smart ID Digital Access component on Red Hat Enterprise Linux (RHEL) 8 using Ansible and Podman.

Prerequisites
  • Ansible is installed on the control system (the machine from which you run the Ansible playbook), and the containers.podman collection is installed there. If it is not, install it with:

    ansible-galaxy collection install containers.podman


  • The target system is RHEL 8 with Podman installed.
  • SSH communication is enabled between the control and target systems (verify that key-based SSH login works).
  • The UDP ports used by each authentication method server are open to traffic.
    • You can find these ports in Digital Access Admin under Manage System > Authentication Methods > Registered Authentication Method Servers for each added authentication method.
  • An external database is set up.
  • The ansible_DA.tgz archive is available.

Step-by-step instructions

Set up Ansible playbook
  1. Copy and extract the ansible_DA.tgz file on the control system (the machine from which you run the Ansible playbook).
  2. Before running the playbook:
    a. Add the target hosts to the inventory file inside the ansible folder.
    b. To set up the Digital Access configuration from scratch, copy the config folder that is inside the ansible folder on the control system.
      i. For HA mode: in the LocalConfiguration.xml of each service (Policy, Authentication, Distribution, Access Point), set the mHost attribute of the "Administration Service" object to the IP address of the Digital Access host on which the Administration service will run.

        Snippet from LocalConfiguration.xml:
        <node>
        <object key="c000ejp1m5" name="Administration Service" trans="ivjq0838gkxs" ver="50600">
        <attribute name="mAllInterfaces" type="boolean" value="false"/>
        <attribute name="mPort" type="integer" value="8300"/>
        <attribute name="mHost" type="string" value="198.160.x.x"/>
        <attribute name="mType" type="integer" value="5"/>
        <attribute name="mId" type="integer" value="1"/>
        </object>
        </node>


    c. By default, the playbook looks for the config folder in the */ansible/ folder. To keep the config folder elsewhere, edit the path variable in the ansible/roles/create_da_config_folders/vars folder accordingly.
    d. If you also want to copy the Digital Access Docker images to the target systems (offline setup), place them in the */ansible/images folder. As in step c, modify the path variable if you want to store the images elsewhere.
  3. Change the current working directory to ansible in the terminal:

    Change working directory:
    cd ansible


  4. Run the Ansible playbook with this command:

    Run ansible playbook:
    ansible-playbook -i inventory <yml_file_name> --ask-become-pass


  5. The playbook prompts for the root password and then executes.
  6. If the setup is successful, the play recap printed at the end shows a status summary for each host. Make sure that both the failed and the unreachable counts are 0.


Set up Digital Access
  1. Log in to Digital Access Admin with an administrator account.
  2. Change the Administration Service internal host from "admin" to 127.0.0.1, or to the machine IP for HA mode.
  3. Connect the HAG, OATH and OAUTH databases.
  4. To change the report database, follow the steps in Change report database for Digital Access component.
  5. If the services cannot listen on 0.0.0.0:8090, restart the services.

Instructions for High Availability

Prerequisites
  • Databases are available and connected.
  • Multiple Digital Access components are running. In the examples in this article they are called DA-1, DA-2, DA-3 and DA-4:
    • Only one Administration service is installed. This is done on DA-1.
  • The IP addresses of all four nodes must be known.


Change hosts and add services
  1. Log in to Digital Access Admin with an administrator account.
  2. Change the host of all the registered services:

    Change the host of registered Policy service:

    1. In Digital Access Admin of DA-1, go to Manage System > Policy Services.
    2. Select the registered Policy Service.
    3. Change the Internal Host from 127.0.0.1 to DA-1's IP Address.
    4. Check Distribute key files automatically.
    5. Click Save.


  3. Add new services for DA-2, DA-3 and DA-4:

    1. In Digital Access Admin of DA-1, go to Manage System > Policy Services.
    2. Click Add Policy Service…
    3. In Display Name, enter "Policy Service 2".
    4. In Internal Host, enter the IP address of DA-2.
    5. Check Distribute key files automatically.
    6. Select the Server Certificate and add it.
    7. Note down the Service ID of the newly added Policy Service. It is used as the mId value in later steps.
    8. Repeat these steps for DA-3 and DA-4.



Set up services

Only one Administration service runs, on DA-1, so the Administration service on all other Digital Access instances must be disabled.

  1. Stop the Administration service on the other Digital Access instances:

    Stop service:
    sudo podman stop admin


  2. Change the service ID of the services on the other Digital Access instances:
    1. Open LocalConfiguration.xml (/opt/nexus/config/<service>/config/LocalConfiguration.xml).
    2. Search for the <service> section.
    3. Replace the mId value with the new mId, that is, the Service ID noted when the service was added:

      <?xml version="1.0" encoding="UTF-8"?><com>
        <portwise>
          <core>
            <id>3</id>
          </core>
          <policy>
            <node>
              <object key="c000ejp1m5" name="Administration Service" trans="s4x1qgx4q5fk" ver="50600">
                <attribute name="mAllInterfaces" type="boolean" value="false"/>
                <attribute name="mPort" type="integer" value="8300"/>
                <attribute name="mHost" type="string" value="10.0.0.10"/>
                <attribute name="mType" type="integer" value="5"/>
                <attribute name="mId" type="integer" value="1"/>
              </object>
              <object key="5t02k8rn7jwg" name="Policy Service" trans="t4x6zmbhkjr4" ver="50600">
                <attribute name="mAllInterfaces" type="boolean" value="false"/>
                <attribute name="mPort" type="integer" value="8301"/>
                <attribute name="mHost" type="string" value="10.0.0.10"/>
                <attribute name="mHTTPLogSettings" type="container" value="logsettings">
                  <attribute name="mEventLogLevel" type="string" value="OFF"/>
                  <attribute name="mLocalCount" type="integer" value="2"/>
                  <attribute name="mAuthenticationTiming" type="boolean" value="false"/>
                  <attribute name="mFileLogLevel" type="string" value="OFF"/>
                  <attribute name="mFileSizeRotationEnabled" type="boolean" value="true"/>
                  <attribute name="mCentralLimit" type="integer" value="15000000"/>
                  <attribute name="mLocalLimit" type="integer" value="5000000"/>
                  <attribute name="mDateRotationEnabled" type="boolean" value="false"/>
                  <attribute name="mCentralCount" type="integer" value="5"/>
                </attribute>
                <attribute name="mType" type="integer" value="1"/>
                <attribute name="mId" type="integer" value="3"/>
                <attribute name="mK8sServiceHost" type="string" value=""/>
              </object>
            </node>
          </policy>
        </portwise>
      </com>


  3. Restart all services:

    Restart services:
    sudo podman restart <service>

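
The mId replacement above, and the Administration Service mHost change described under Set up Ansible playbook, can be scripted instead of edited by hand. The following Python script is an added example and is not part of the original article or of the Digital Access tooling; it assumes only the <object>/<attribute> layout shown in the snippets. The embedded SAMPLE_XML, its placeholder trans values and the command-line option names are constructed for this example.

```python
"""Edit service attributes in a Digital Access LocalConfiguration.xml.

Added example (not part of the original article or the product): it covers the
two edits the procedure asks for, setting the "Administration Service" mHost for
HA mode and replacing a service's mId with the Service ID noted in Digital
Access Admin. The object/attribute layout follows the snippets in the article.
"""
import argparse
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

# Constructed sample modelled on the article's snippets; the trans values are
# placeholders, not values from a real installation.
SAMPLE_XML = XML_DECL + """<com>
  <portwise>
    <core><id>1</id></core>
    <policy>
      <node>
        <object key="c000ejp1m5" name="Administration Service" trans="placeholder1" ver="50600">
          <attribute name="mAllInterfaces" type="boolean" value="false"/>
          <attribute name="mPort" type="integer" value="8300"/>
          <attribute name="mHost" type="string" value="admin"/>
          <attribute name="mType" type="integer" value="5"/>
          <attribute name="mId" type="integer" value="1"/>
        </object>
        <object key="5t02k8rn7jwg" name="Policy Service" trans="placeholder2" ver="50600">
          <attribute name="mPort" type="integer" value="8301"/>
          <attribute name="mHost" type="string" value="127.0.0.1"/>
          <attribute name="mType" type="integer" value="1"/>
          <attribute name="mId" type="integer" value="1"/>
        </object>
      </node>
    </policy>
  </portwise>
</com>
"""


def _attribute(root, service_name, attr_name):
    """Locate <attribute name=attr_name> inside <object name=service_name>."""
    for obj in root.iter("object"):
        if obj.get("name") == service_name:
            for attr in obj.findall("attribute"):
                if attr.get("name") == attr_name:
                    return attr
            raise KeyError(f"{service_name!r} has no attribute {attr_name!r}")
    raise KeyError(f"no <object name={service_name!r}> in configuration")


def get_service_attribute(xml_text, service_name, attr_name):
    """Read one attribute value (as the string stored in the file)."""
    return _attribute(ET.fromstring(xml_text), service_name, attr_name).get("value")


def set_service_attribute(xml_text, service_name, attr_name, value):
    """Return the XML with one attribute value replaced; everything else is untouched."""
    root = ET.fromstring(xml_text)
    attr = _attribute(root, service_name, attr_name)
    # Refuse to write a non-numeric Service ID into an integer attribute such as mId.
    if attr.get("type") == "integer" and not str(value).isdigit():
        raise ValueError(f"{attr_name} is an integer attribute, got {value!r}")
    attr.set("value", str(value))
    return XML_DECL + ET.tostring(root, encoding="unicode")


def rewrite_config(path, service_name, attr_name, value):
    """Apply set_service_attribute to a file, keeping a .bak copy of the original."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    updated = set_service_attribute(path.read_text(encoding="utf-8"),
                                    service_name, attr_name, value)
    path.write_text(updated, encoding="utf-8")


if __name__ == "__main__":
    p = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    p.add_argument("config", help="path to LocalConfiguration.xml")
    p.add_argument("--service", required=True, help='e.g. "Policy Service"')
    p.add_argument("--attr", required=True, help="e.g. mId or mHost")
    p.add_argument("--value", required=True)
    a = p.parse_args()
    rewrite_config(a.config, a.service, a.attr, a.value)
    print(f"{a.service}.{a.attr} -> {a.value} (backup written next to {a.config})")
```

Run it on the target node, for example `python3 da_localconfig.py /opt/nexus/config/policy/config/LocalConfiguration.xml --service "Policy Service" --attr mId --value 3`, then restart the service as in step 3. The script writes a .bak copy before touching the file and rejects non-numeric values for integer attributes, so a mistyped Service ID cannot leave the service with an unparsable configuration.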


Check setup
  1. Start all the required services.
  2. Publish the configuration.
  3. Check that all services are connected.
  4. Log in to the portal and check that everything works as expected and that the portal items and display names are shown correctly.
  5. In case of failure, check that the sha1sum of shared.key and of internal.key is the same for all connected services. The keys are located under /opt/nexus/config/<service>/keys/.
  6. Inspect the logs and address any unexpected errors.

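Step 5 can be automated. The script below is an added example and is not part of the original article or of the product; it hashes shared.key and internal.key under every <service>/keys directory of the configuration root (/opt/nexus/config, the path given in the article) and reports any key file whose SHA-1 digest differs between services or is missing from one of them. The demo() tree and its key contents are constructed for this example and are not real key material.

```python
"""Check that shared.key and internal.key match across Digital Access services.

Added example (not part of the original article or the product): it automates
the key-consistency check, hashing the key files under
/opt/nexus/config/<service>/keys/ and reporting any key file whose SHA-1
differs between services.
"""
import hashlib
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

KEY_FILES = ("shared.key", "internal.key")
DEFAULT_CONFIG_ROOT = "/opt/nexus/config"   # path from the article


def sha1_of(path):
    """Same digest as the sha1sum command line tool."""
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()


def collect_key_digests(config_root):
    """Return {key_file: {sha1 or '<missing>': [service, ...]}} for every <service>/keys dir."""
    report = {name: defaultdict(list) for name in KEY_FILES}
    for keys_dir in sorted(Path(config_root).glob("*/keys")):
        service = keys_dir.parent.name
        for name in KEY_FILES:
            key_path = keys_dir / name
            digest = sha1_of(key_path) if key_path.is_file() else "<missing>"
            report[name][digest].append(service)
    return {name: dict(by_digest) for name, by_digest in report.items()}


def inconsistent_keys(report):
    """Names of key files that do not have exactly one digest across all services."""
    return sorted(name for name, by_digest in report.items() if len(by_digest) != 1)


def demo():
    """Run the check on a constructed tree: one service carries a stale internal.key."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = {  # constructed key contents, not real key material
            "policy":         {"shared.key": b"shared-A", "internal.key": b"internal-A"},
            "authentication": {"shared.key": b"shared-A", "internal.key": b"internal-A"},
            "distribution":   {"shared.key": b"shared-A", "internal.key": b"internal-OLD"},
        }
        for service, files in sample.items():
            keys_dir = Path(tmp, service, "keys")
            keys_dir.mkdir(parents=True)
            for name, content in files.items():
                (keys_dir / name).write_bytes(content)
        report = collect_key_digests(tmp)
        return report, inconsistent_keys(report)


def main(argv):
    root = argv[1] if len(argv) > 1 else DEFAULT_CONFIG_ROOT
    report = collect_key_digests(root)
    if not any(report.values()):
        print(f"no <service>/keys directories found under {root}")
        return 2
    for name, by_digest in report.items():
        for digest, services in by_digest.items():
            print(f"{name:13} {digest[:12]:>12}  {', '.join(services)}")
    bad = inconsistent_keys(report)
    print("MISMATCH: " + ", ".join(bad) if bad else "all key files consistent")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 da_keycheck.py` on each node, or pass another configuration root as the first argument. Exit status 1 signals a mismatch; a service listed under a different digest, or under <missing>, has not received the current key files, so the Distribute key files automatically setting from the earlier steps and a fresh publish are the first things to check.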

Set up load balancer

For high availability of the Digital Access component, an external load balancer must be used. In this example, HAProxy is used.

  1. Log in to Digital Access Admin of DA-1 with an administrator account.
  2. In Digital Access Admin, go to Manage System > Access Points.
  3. For each added access point:
    1. Add a listener by clicking Add Additional Listener…
    2. In Host, enter the IP address of the Access Point. Enter a Port, and set Type to Load Balance.
    3. Click Add.
  4. Go to Manage System > Access Points.
  5. Select Configure Load Balancing…
  6. Check Enable multi-host sessions and Send sticky cookies. Enter a Name of Sticky Cookie to be used by the load balancer service.
  7. Click Save.
  8. Select Configure Load Balancing…
  9. Click Add Pair of Mirrored Access Points...
  10. Select Access Point 1 and Access Point 2 as Primary and Secondary server.
  11. Click Save.

Configure external storage for logging

Configure external storage
  1. Mount the external storage on the host Linux machine at /mnt/<some directory> and change its ownership to pwuser:root.
  2. Write the mapping of the volume mount in the docker-compose.yml file under volumes for admin. For Ansible and Podman, write the mapping of the volume mount in /ansible/roles/podman_deploy_da/tasks/main.yml instead.

    For example: /mnt/logs:/etc/LogsDir
    where /mnt/logs is the external path and /etc/LogsDir is the path inside the admin container.

  3. In Digital Access Admin, go to Monitor system > Logging > Manage Global Logging Settings > Log Directory.
  4. Enter the directory path inside the container, in this case /etc/LogsDir.
  5. Publish and restart the Administration service.


This article is valid for Smart ID 21.10 and later and Digital Access 6.1.0 and later.
