Read-only installation
One method of locking down the server is to install IDM on a read-only filesystem. To accomplish this, complete the procedure on this page.
This procedure assumes that you have prepared the read-only volume appropriate for your Linux/UNIX installation environment and that you have set up a regular Linux user named idm
and a dedicated volume for the /idm
directory.
Prep
-
Configure the dedicated volume device,
/dev/volume
in the/etc/fstab
file, as follows:/dev/volume/idm ext4 ro,defaults 1,2
When you run the
mount -a
command, the/dev/volume
volume device is mounted on the/idm
directory. -
You can switch between read-write and read-only mode for the
/idm
volume with the following commands:sudo mount -o remount,rw /idm sudo mount -o remount,ro /idm
-
Confirm the result with the
mount
command, which should show that the/idm
volume is mounted in read-only mode:/dev/volumeon /idm type ext4 (ro)
-
Set up the
/idm
volume in read-write mode:sudo mount -o remount,rw /idm
-
With the following commands, you can unpack the IDM binary in the
/idm
directory, and give useridm
ownership of all files in that directory:sudo unzip /idm/IDM-7.5.0.zip sudo chown -R idm.idm /idm
Redirect audit and logging data
After you have installed IDM on a read-only filesystem, redirect audit and logging data to writable volumes. This procedure assumes a user idm
with Linux administrative (superuser) privileges.
-
Create an external directory where IDM can send logging, auditing, and internal repository information:
sudo mkdir -p /var/log/openidm/audit sudo mkdir /var/log/openidm/logs sudo mkdir -p /var/cache/openidm/felix-cache sudo mkdir /var/run/openidm
Alternatively, route audit data to a remote data store. For an example of how to send audit data to a MySQL repository, refer to Direct audit information to MySQL.
-
Give the
idm
user ownership of the newly created directories:sudo chown -R idm.idm /var/log/openidm sudo chown -R idm.idm /var/cache/openidm sudo chown -R idm.idm /var/run/openidm
-
Modify the following configuration files:
- conf/audit.json
-
Make sure the
handlerForQueries
is the JSON audit event handler and change thelogDirectory
property to the/var/log/openidm/audit
subdirectory:"eventHandlers" : [ { "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler", "config" : { "name" : "json", "logDirectory" : "/var/log/openidm/audit", ... }, ... } ]
- conf/logging.properties
-
Change the
java.util.logging.FileHandler.pattern
property as follows:java.util.logging.FileHandler.pattern = /var/log/openidm/logs/openidm%u.log
- conf/config.properties
-
Activate and redirect the
org.osgi.framework.storage
property as follows:# If this value is not absolute, then the felix.cache.rootdir controls # how the absolute location is calculated. (See buildNext property) org.osgi.framework.storage=&{felix.cache.rootdir|&{user.dir}}/felix-cache # The following property is used to convert a relative bundle cache # location into an absolute one by specifying the root to prepend to # the relative cache path. The default for this property is the # current working directory. felix.cache.rootdir=/var/cache/openidm
Your setup may require additional redirection for the following:
|
Finishing touches
-
Adjust the value of the
OPENIDM_PID_FILE
in thestartup.sh
andshutdown.sh
scripts. To do so for a default bash shell, set the value ofOPENIDM_PID_FILE
for useridm
by adding the following line to/home/idm/.bashrc
:export OPENIDM_PID_FILE=/var/run/openidm/openidm.pid
For other shells, adjust your changes accordingly. When you log in again as user
idm
, yourOPENIDM_PID_FILE
variable should redirect the process identifier file,openidm.pid
to the/var/run/openidm
directory, ready for access by theshutdown.sh
script. -
While the volume is still mounted in read-write mode, start IDM normally:
path/to/openidm/startup.sh -p project-dir
The first startup of IDM either processes the signed certificate that you added, or generates a self-signed certificate, and encrypts any passwords in the various configuration files.
-
Stop IDM.
-
You can now mount the
/idm
directory in read-only mode. The configuration in/etc/fstab
ensures that Linux mounts the/idm
directory in read-only mode on next system boot.sudo mount -o remount,ro /idm
-
Reboot the system.
-
You can now start IDM, configured on a secure read-only volume.
path/to/openidm/startup.sh -p project-dir