---
title: Read-only installation
description: One method of locking down the server is to install IDM on a read-only filesystem. To accomplish this, complete the procedure on this page.
component: pingidm
version: 8.1
page_id: pingidm:security-guide:read-only-volume
canonical_url: https://docs.pingidentity.com/pingidm/8.1/security-guide/read-only-volume.html
keywords: ["Security", "Volumes", "Filesystem"]
section_ids:
  prep: Prep
  redirect_audit_and_logging_data: Redirect audit and logging data
  finishing_touches: Finishing touches
---

# Read-only installation

One method of locking down the server is to install IDM on a read-only filesystem. To accomplish this, complete the procedure on this page.

This procedure assumes that you have prepared the read-only volume appropriate for your Linux/UNIX installation environment and that you have set up a regular Linux user named `idm` and a dedicated volume for the `/idm` directory.

## Prep

1. Configure the dedicated volume device, `/dev/volume`, in the `/etc/fstab` file as follows (the fields are device, mount point, filesystem type, mount options, dump, and fsck pass, separated by whitespace):

   ```properties
   # device       mount point   type   options       dump pass
   /dev/volume    /idm          ext4   ro,defaults   1    2
   ```

   When you run the `mount -a` command, the `/dev/volume` volume device is mounted on the `/idm` directory.

2. You can switch between read-write and read-only mode for the `/idm` volume with the following commands:

   ```bash
   sudo mount -o remount,rw /idm
   sudo mount -o remount,ro /idm
   ```

3. Confirm the result with the `mount` command, which should show that the `/idm` volume is mounted in read-only mode:

   ```properties
   /dev/volume on /idm type ext4 (ro)
   ```

4. Set up the `/idm` volume in read-write mode:

   ```bash
   sudo mount -o remount,rw /idm
   ```

5. With the following commands, unpack the IDM binary into the `/idm` directory and give user `idm` ownership of all files in that directory:

   ```bash
   sudo unzip /idm/IDM-8.1.0.zip -d /idm
   sudo chown -R idm:idm /idm
   ```

## Redirect audit and logging data

After you have installed IDM on a read-only filesystem, redirect audit and logging data to writable volumes. This procedure assumes a user `idm` with Linux administrative (superuser) privileges.

1. Create an external directory where IDM can send logging, auditing, and internal repository information:

   ```bash
   sudo mkdir -p /var/log/openidm/audit
   sudo mkdir /var/log/openidm/logs
   sudo mkdir -p /var/cache/openidm/felix-cache
   sudo mkdir /var/run/openidm
   ```

   Alternatively, route audit data to a remote data store. For an example of how to send audit data to a MySQL repository, refer to [Direct audit information to MySQL](../samples-guide/audit-jdbc.html).

2. Give the `idm` user ownership of the newly created directories:

   ```bash
   sudo chown -R idm:idm /var/log/openidm
   sudo chown -R idm:idm /var/cache/openidm
   sudo chown -R idm:idm /var/run/openidm
   ```

3. Modify the following configuration files:

   * conf/audit.json

     Make sure that `handlerForQueries` names the JSON audit event handler, and change the `logDirectory` property of that handler to the `/var/log/openidm/audit` subdirectory:

     ```json
     "eventHandlers" : [
         {
             "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
             "config" : {
                 "name" : "json",
                 "logDirectory" : "/var/log/openidm/audit",
                 ...
             },
             ...
         }
     ]
     ```

   * conf/logback.xml

     Add a writable log directory property and point the [`RollingFileAppender`](../monitoring-guide/server-logs.html#logging-file-appender) to that directory:

     ```xml
     <configuration scan="true" scanPeriod="30 seconds">
         ...
         <property name="LOG_DIR" value="/var/log/openidm/logs"/> (1)
         ...
         <appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender">
             <file>${LOG_DIR}/openidm.log</file> (2)
             ...
             <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
                 <fileNamePattern>${LOG_DIR}/openidm-%d{yyyy-MM-dd}.log</fileNamePattern> (3)
                 ...
             </rollingPolicy>
         </appender>
         ...
     </configuration>
     ```

     |       |                                                           |
     | ----- | --------------------------------------------------------- |
     | **1** | Define a property for the writable log directory.         |
     | **2** | Redirect the log file appender to the writable directory. |
     | **3** | Redirect the rolling log files to the writable directory. |

   * conf/config.properties

     Activate and redirect the `org.osgi.framework.storage` property as follows:

     ```properties
     # If this value is not absolute, then the felix.cache.rootdir controls
     # how the absolute location is calculated. (See buildNext property)
     org.osgi.framework.storage=&{felix.cache.rootdir|&{user.dir}}/felix-cache

     # The following property is used to convert a relative bundle cache
     # location into an absolute one by specifying the root to prepend to
     # the relative cache path. The default for this property is the
     # current working directory.
     felix.cache.rootdir=/var/cache/openidm
     ```

Your setup may require additional redirection for the following:

* Connectors. Depending on the connector and the read-only volume, consider configuring connectors to direct their output to writable volumes.

* Scripts. If you are using Groovy, examine the script configuration for your project (you can manage it over REST at the `config/script` endpoint, or directly in the `conf/script.json` file). Make sure that output, such as to the `groovy.target.directory`, is directed to an appropriate writable location, such as `idm.data.dir`.

## Finishing touches

1. Adjust the value of the `OPENIDM_PID_FILE` in the `startup.sh` and `shutdown.sh` scripts. To do so for a default bash shell, set the value of `OPENIDM_PID_FILE` for user `idm` by adding the following line to `/home/idm/.bashrc`:

   ```bash
   export OPENIDM_PID_FILE=/var/run/openidm/openidm.pid
   ```

   |   |                                                    |
   | - | -------------------------------------------------- |
   |   | For other shells, adjust your changes accordingly. |

   When you log in again as user `idm`, the `OPENIDM_PID_FILE` variable redirects the process identifier file, `openidm.pid`, to the `/var/run/openidm` directory, where the `shutdown.sh` script can access it.

2. While the volume is still mounted in read-write mode, start IDM normally:

   ```bash
   path/to/openidm/startup.sh -p project-dir
   ```

   The first startup of IDM either processes the signed certificate that you added, or generates a self-signed certificate, and encrypts any passwords in the various configuration files.

3. Stop IDM.

4. You can now mount the `/idm` directory in read-only mode. The configuration in `/etc/fstab` ensures that Linux mounts the `/idm` directory in read-only mode on next system boot.

   ```bash
   sudo mount -o remount,ro /idm
   ```

5. Reboot the system.

6. You can now start IDM, configured on a secure read-only volume.

   ```bash
   path/to/openidm/startup.sh -p project-dir
   ```
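
A post-install check covering both the volume setup and the redirected write targets from the procedure above, as an added example that is not part of the PingIDM documentation. It assumes Linux (`/proc/mounts`, GNU `stat`) and the paths used on this page; `check_install` is the only function that touches the live system.

```shell
#!/bin/sh
# Added verification script (not from the PingIDM docs): checks that the read-only /idm
# volume and the writable redirect targets from this procedure are in place.
# Assumes Linux (/proc/mounts, GNU stat) and the paths used on this page.

# is_readonly_mount MOUNTS_TEXT MOUNTPOINT
# Succeeds when MOUNTPOINT appears in /proc/mounts-style text with the "ro" option.
is_readonly_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }'
}

# path_outside_volume PATH VOLUME
# Succeeds when PATH is not inside VOLUME, so writes to it cannot hit the read-only filesystem.
path_outside_volume() {
    case "$1" in
        "$2" | "$2"/*) return 1 ;;
        *)             return 0 ;;
    esac
}

# audit_log_directory FILE: prints the first "logDirectory" value in an audit.json-style file.
audit_log_directory() {
    sed -n 's/.*"logDirectory"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# property_value FILE KEY: prints the value of KEY from a config.properties-style file.
property_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_install PROJECT_DIR: runs every check against the live system; non-zero on any failure.
check_install() {
    rc=0
    if is_readonly_mount "$(cat /proc/mounts)" /idm; then echo "ok: /idm is mounted ro"
    else echo "FAIL: /idm is not mounted read-only"; rc=1; fi
    for d in /var/log/openidm/audit /var/log/openidm/logs /var/cache/openidm/felix-cache /var/run/openidm; do
        if [ -d "$d" ] && [ "$(stat -c %U "$d")" = idm ]; then echo "ok: $d owned by idm"
        else echo "FAIL: $d missing or not owned by idm"; rc=1; fi
    done
    for p in "$(audit_log_directory "$1/conf/audit.json")" \
             "$(property_value "$1/conf/config.properties" felix.cache.rootdir)" "$OPENIDM_PID_FILE"; do
        if [ -n "$p" ] && path_outside_volume "$p" /idm; then echo "ok: $p is off the read-only volume"
        else echo "FAIL: '$p' is empty or lives under /idm"; rc=1; fi
    done
    return "$rc"
}
```

Run `check_install path/to/project-dir` from a fresh login shell as user `idm` after step 6, so that `OPENIDM_PID_FILE` from `.bashrc` is set; any FAIL line names a write target that still lands on the read-only volume.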
