The Identity Service is a component that represents a single point of user authentication.
It provides the following functionality:
- Single login form
- Extended password policies
High-Level Architecture
The Identity Service is a microservice with its own release cycle. It is not included in the CloudBlue Commerce distribution package by default and must be installed to the platform separately.
The Identity Service consists of these three components:
- The Identity Service UI, hosted on the UI node.
- The Identity Service endpoint, hosted in a separate container on the service node with installed Kubernetes.
- The Identity Service database, hosted on the Operations DB node.
Installation Prerequisites
Before installing the Identity Service component, ensure that:
- CloudBlue Commerce platform 20.5 or later is installed.
- A service node with a Kubernetes cluster is configured and registered in the CloudBlue Commerce platform.
- The Identity Service database is prepared.
- Time is synchronized between the UI node and the Kubernetes node.
- The branding UI is deployed. If the branding UI is deployed on VMs, network connection must be set up between each UI node and k8s network; for instructions refer to Connecting the CloudBlue Commerce Management Node to the Component Cluster.
Hardware Requirements
The minimum Kubernetes resources required for the microservice deployment, including on-premise Kubernetes cluster deployment, are:
| Requests: | |
|
500m |
|
1536Mi |
| Limits: | |
|
4000m |
|
4096Mi |
Firewall Requirements
The following ports must be open:
| From | To | Protocol | Port | Purpose |
|---|---|---|---|---|
| CloudBlue Commerce management node | Microservice node | TCP | 8081 | For access to the Identity Service endpoint (HTTPS is used for communication) |
| CloudBlue Commerce UI node | Microservice node | TCP | 8080 | For access to the Identity Service token and authentication endpoint |
| Microservice node | OSS Database node | TCP | 5432 | For connection to the PostgreSQL database |
How to Install the Identity Service
To install the Identity Service component, complete the following steps:
- Log in to the management node under the root user through SSH.
-
Run this command:
/usr/local/bin/helm install a8n/idp-backend --name idp-backend --wait --timeout 900 \ --set dsdbname=a8n_idp \
--set oauthkey=`uuidgen` --set oauthsecret=`uuidgen` \ --set dockerrepo="odindevops-a8n-docker.jfrog.io" \ --set dslogin="<db_login_name>" \ --set dspassword=`echo -n "<db_user_password>" | base64` \ --set dshost="<db_host>" \ --set keycloakadminpassword=`openssl rand -base64 20 | base64`where:
-
<db_login_name>is the login name to the Identity Service database. -
<db_user_password>is the password to the Identity Service database. -
<db_host>is the IP address or host name of the host where the Identity Service database is located.
-
- When installation is complete, the Identity Service will appear in the applications list at Provider Control Panel > Operations > Services > Applications.
The overall time of credential migration might take up to 30 minutes. During the migration procedure, the classic login form will be used, meaning no downtime is expected. To check that the procedure is complete, do the following:
- In Operations PCP, go to Operations > Tasks.
- Find the task named Identity service migration.
- Check that the task is not failed.
Limitation: Changing user passwords during migration is not possible.
How to Upgrade the Identity Service to the Latest Version
To upgrade the Identity Service component, complete the following steps:
- Connect to the management node under the root user through SSH.
-
Run these commands:
-
To upgrade without value change (default):
helm repo update
helm upgrade idp-backend a8n/idp-backend --version <version> -
To upgrade with value change (required in some cases):
helm get values idp-backend -oyaml > idp-values.yaml helm upgrade idp-backend a8n/idp-backend --version <version> -f idp-values.yaml --set newval=abcd
-