Info |
---|
This article includes updates for Smart ID 23.04. |
...
Docker client and engine version 20.10.10 or later
Docker Compose version 1.25.5 or later and Docker Compose file version 3.7 or later
...
General prerequisites
Supported host operating systems:
Linux that supports the Docker and Docker Compose versions above
Windows on request
Valid licenses for all components to be used.
A database must be installed and running. Supported databases are listed in Smart ID deployment recommendations.
Valid Support account at https://support.nexusgroup.com
For online deployment, as described below, your hosts need internet access.
If this is an offline deployment, the Docker images must be downloaded and transferred to the hosts instead.
DNS records must be created for each application, pointing at the Smart ID host that runs it:
DNS examples

```text
# Identity Manager
idm.smartid.example.com
selfservice.smartid.example.com
admin.smartid.example.com
tenant.smartid.example.com
# Digital Access
access.smartid.example.com
# Physical Access
physicalaccess.smartid.example.com
pa-maintenance.smartid.example.com
pa-arx.smartid.example.com
# Messaging Hermod
mb.smartid.example.com
```
If you cannot create DNS records, for example in a test environment, add the required names to the hosts file instead (/etc/hosts on Linux). Add them both on the Smart ID host and on every client that you will use to access Smart ID, since a hosts file only affects the machine it is on.
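The following script is an added example and is not part of the Smart ID documentation or product. It derives the per-application hostnames from an ingress domain using the prefixes in the DNS examples above, checks with the system resolver (which honours /etc/hosts, as Docker and browsers do) that each name resolves to the Smart ID host, and can emit hosts-file lines for a test environment without DNS. The domain smartid.example.com and the address 192.0.2.10 in the usage comments are placeholders; the script assumes a Linux host with getent and awk.

```shell
#!/bin/sh
# Added example, not Nexus code: verify the DNS records a Smart ID host needs.

# Hostname prefixes as listed in the DNS examples (assumption: the default prefixes).
SMARTID_PREFIXES="idm selfservice admin tenant access physicalaccess pa-maintenance pa-arx mb"

# Print one FQDN per line for the given ingress domain.
smartid_fqdns() {
    domain="$1"
    for p in $SMARTID_PREFIXES; do
        printf '%s.%s\n' "$p" "$domain"
    done
}

# Resolve NAME with the system resolver and print the first address,
# or nothing if the name does not resolve.
resolve_first() {
    getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Check that every FQDN resolves to EXPECTED_IP. Prints one status line per
# name and returns 1 if any record is missing or points elsewhere.
smartid_check_dns() {
    domain="$1"; expected="$2"; rc=0
    for fqdn in $(smartid_fqdns "$domain"); do
        actual=$(resolve_first "$fqdn")
        if [ -z "$actual" ]; then
            echo "MISSING  $fqdn"; rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "WRONG    $fqdn -> $actual (expected $expected)"; rc=1
        else
            echo "OK       $fqdn -> $actual"
        fi
    done
    return $rc
}

# Emit hosts-file lines ("IP FQDN") for a test environment without DNS.
smartid_hosts_lines() {
    domain="$1"; ip="$2"
    for fqdn in $(smartid_fqdns "$domain"); do
        printf '%s %s\n' "$ip" "$fqdn"
    done
}

# Usage (placeholders):
#   sh dns-check.sh check smartid.example.com 192.0.2.10
#   sh dns-check.sh hosts smartid.example.com 192.0.2.10 | sudo tee -a /etc/hosts
case "${1:-}" in
    check) smartid_check_dns "$2" "$3" ;;
    hosts) smartid_hosts_lines "$2" "$3" ;;
esac
```

Run the `check` form on the Smart ID host and on each client; a `WRONG` line usually means a stale record or a hosts-file entry left over from a previous test.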
...
Open the environment file <SMARTIDHOME>/compose/smartid.env for editing.
Change the timezone (TZ) to fit your environment.
Change TRAEFIK_ACME_EMAIL to fit your deployment. You must do this even if you do not use ACME.

Example: Change TRAEFIK_ACME_EMAIL

```shell
TRAEFIK_ACME_EMAIL=smartid@example.com
```
Change the database host (DBHOST) for Identity Manager, Hermod, or Digital Access to fit your deployment. If it is a test deployment and the database runs on the same host, use the host's IP address or the Docker IP of the Postgres container. localhost or 127.0.0.1 will not work, because inside a container those names refer to the container itself, not to the host.

Info |
---|
Digital Access requires its own host and cannot be deployed on the same host as the other applications. |

Example: Change timezone and database host

```shell
### Global variables
TZ=Europe/Stockholm
DBHOST=jdbc:postgresql://postgresdb:5432
# DBHOST=jdbc:sqlserver://<SMARTID-DB-HOST>:1433
# DBHOST=jdbc:oracle:thin:@//<SMARTID-DB-HOST>:1521
```
Note: If you are using an MSSQL database, you need to change the format of the database URLs in the following places:

<SMARTIDHOME>/docker/compose/smartid.env:

```shell
DA_DB_URL=${DBHOST}/${DA_DB_NAME_REPORT}
# If you are using MSSQL, you need the following DB URL format:
#DA_DB_URL=${DBHOST};DatabaseName=${DA_DB_NAME_REPORT}
IDM_DB_URL=${DBHOST}/${IDM_DB_NAME}
# If you are using MSSQL, you need the following DB URL format:
#IDM_DB_URL=${DBHOST};DatabaseName=${IDM_DB_NAME}
MESSAGING_DB_URL=${DBHOST}/${MESSAGING_DB_NAME}
# If you are using MSSQL, you need the following DB URL format:
#MESSAGING_DB_URL=${DBHOST};DatabaseName=${MESSAGING_DB_NAME}
```
Note: MSSQL JDBC SSL encryption. The sqlserver JDBC driver has SSL encryption enabled by default. To disable it, see "Example: cod-hermod.yml" under the heading "If needed, edit Hermod configuration" in Install Hermod. Disabling it sends database credentials and data in cleartext between Smart ID and the database server; if the only problem is an untrusted server certificate, fix the trust (import the certificate) rather than turning encryption off.
Note: If you are NOT using certificate authentication with Smart ID Mobile App (the Personal mobile authentication method) but are provisioning users through Digital Access only, you must update this setting:

<SMARTIDHOME>/docker/compose/digitalaccess/config/da-auth-customize.conf:

```properties
wrapper.java.additional.30=-Dauthentication.personal.challenge_key_id=signer
```
Change the version of Smart ID if needed:

Example: Change Smart ID Version

```shell
### Smart ID Version
SMARTID_VERSION=23.04
```
Change the value of SMARTID_INGRESS_DOMAIN to fit your deployment. It is recommended to use a dedicated sub-domain for Smart ID with a wildcard DNS record, for example *.smartid.example.com, pointing at your host; the per-application hostnames are then built from the prefixes below.

Example: Set Smart ID Ingress domain

```shell
### Ingress Configuration
# Change the SMARTID_INGRESS_DOMAIN to your domain, for example smartid.example.com
## Smart ID Ingress
SMARTID_INGRESS_DOMAIN=<YOUR-SMARTID-DOMAIN>
# Identity Manager Ingress
IDM_OPERATOR_DOMAIN_PREFIX=idm
IDM_ADMIN_DOMAIN_PREFIX=admin
IDM_SELFSERVICE_DOMAIN_PREFIX=selfservice
IDM_TENANT_DOMAIN_PREFIX=tenant
# Hermod Ingress
HERMOD_DOMAIN_PREFIX=mb
# Physical Access Ingress
PA_DOMAIN_PREFIX=physicalaccess
PA_RABBITMQ_DOMAIN_PREFIX=pa-rabbitmq
PA_MAINTENANCE_DOMAIN_PREFIX=pa-maintenance
PA_ARX_DOMAIN_PREFIX=pa-arx
```
Change database credentials

To change the database type, database name or password, change the following variables. If this is a test deployment, you don't have to change anything here. Note that the Physical Access database host is specified using the variable PA_DB_HOST.

For anything other than a throwaway test, set non-empty, unique passwords for every component. The file stores them in cleartext, so also restrict its permissions to the user who runs docker-compose.

Example: Change database credentials

```shell
# Database credentials
IDM_DB_USER=idmuser
IDM_DB_PASS=
IDM_DB_NAME=idm
## Physical Access databases and Credentials
PA_DB_USER=pauser
PA_DB_PASS=
PA_DB_NAME=pa
PA_DB_TYPE=MSSQL
# Change to your mssql hostname
PA_DB_HOST=mssqldb
## Messaging Hermod database and Credentials
HERMOD_DB_USER=hermoduser
HERMOD_DB_PASS=
HERMOD_DB_NAME=hermod
## Digital Access Databases and Credentials
DA_DB_USER=dauser
DA_DB_PASS=
DA_DB_DRIVER=org.postgresql.Driver
DA_DB_NAME_USER=da
DA_DB_NAME_REPORT=da_report
DA_DB_NAME_OATH=da_oath
DA_DB_NAME_OAUTH2=da_oauth2
```
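The following checker is an added example and is not part of the Smart ID documentation or product. It validates an edited smartid.env against the constraints stated in the steps above (TRAEFIK_ACME_EMAIL set, DBHOST a jdbc: URL that is not localhost or 127.0.0.1, SMARTID_INGRESS_DOMAIN no longer a placeholder, database passwords non-empty, and the *_DB_URL variables in the `;DatabaseName=` form exactly when DBHOST is an MSSQL URL) and also reports a file that other local users can read. It parses the file as plain KEY=VALUE lines rather than sourcing it, so values such as `${DBHOST}/${IDM_DB_NAME}` are inspected as written. The file path is whatever you pass in; the script assumes a POSIX shell with awk and ls.

```shell
#!/bin/sh
# Added example, not Nexus code: sanity-check smartid.env before docker-compose up.

# Print the value of KEY from FILE (last uncommented assignment wins).
env_get() {
    file="$1"; key="$2"
    awk -v k="$key" -F= '
        /^[[:space:]]*#/ { next }
        $1 == k { sub("^[^=]*=", ""); v = $0 }
        END { print v }' "$file"
}

# Record a problem: append it to the report and count it.
problem() {
    PROBLEMS="${PROBLEMS}$1
"
    PROBLEM_COUNT=$((PROBLEM_COUNT + 1))
}

# Check one *_DB_URL against the DBHOST driver: MSSQL needs ";DatabaseName=",
# PostgreSQL and Oracle need the "/<db>" form.
check_db_url() {
    name="$1"; url="$2"; mssql="$3"
    case "$url" in
        *";DatabaseName="*) fmt=mssql ;;
        *) fmt=slash ;;
    esac
    if [ "$mssql" = 1 ] && [ "$fmt" != mssql ]; then
        problem "$name: DBHOST is MSSQL, use \${DBHOST};DatabaseName=<db> format"
    elif [ "$mssql" = 0 ] && [ "$fmt" = mssql ]; then
        problem "$name: ';DatabaseName=' is only valid with an MSSQL DBHOST"
    fi
}

# Check FILE; print each problem and return the number found (0 = clean).
check_smartid_env() {
    f="$1"; PROBLEMS=""; PROBLEM_COUNT=0

    [ -n "$(env_get "$f" TZ)" ] || problem "TZ is not set"

    email=$(env_get "$f" TRAEFIK_ACME_EMAIL)
    case "$email" in
        *@*.*) ;;
        *) problem "TRAEFIK_ACME_EMAIL must be a real address, even without ACME" ;;
    esac

    dbhost=$(env_get "$f" DBHOST)
    case "$dbhost" in
        "") problem "DBHOST is not set" ;;
        *"<"*) problem "DBHOST still contains a <placeholder>" ;;
        *localhost*|*127.0.0.1*) problem "DBHOST must not use localhost/127.0.0.1 (resolves to the container itself)" ;;
        jdbc:*) ;;
        *) problem "DBHOST must be a jdbc: URL" ;;
    esac
    mssql=0
    case "$dbhost" in jdbc:sqlserver:*) mssql=1 ;; esac

    domain=$(env_get "$f" SMARTID_INGRESS_DOMAIN)
    case "$domain" in
        ""|*"<"*) problem "SMARTID_INGRESS_DOMAIN is unset or still a placeholder" ;;
    esac

    for var in IDM_DB_PASS PA_DB_PASS HERMOD_DB_PASS DA_DB_PASS; do
        [ -n "$(env_get "$f" "$var")" ] || problem "$var is empty (acceptable for throwaway tests only)"
    done

    for var in DA_DB_URL IDM_DB_URL MESSAGING_DB_URL; do
        check_db_url "$var" "$(env_get "$f" "$var")" "$mssql"
    done

    # The file holds cleartext database credentials: others must have no access.
    others=$(ls -ld "$f" | cut -c8-10)
    [ "$others" = "---" ] || problem "$f is accessible to other users (chmod 600 it)"

    printf '%s' "$PROBLEMS"
    return "$PROBLEM_COUNT"
}

# Usage: sh check-env.sh <SMARTIDHOME>/compose/smartid.env && echo "smartid.env looks sane"
if [ -n "${1:-}" ]; then
    check_smartid_env "$1"
fi
```

The exit status is the number of problems, so the script composes with `&&` in a deployment script; an empty report with status 0 means every rule passed.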
...
Give permission to use the logs/rabbitmq directory:

Give permission

```shell
cd <SMARTIDHOME>/compose/physicalaccess
sudo chmod -R a+rw logs/rabbitmq/
```

Note that a+rw makes the log directory writable by every local user. On a shared or production host, prefer giving ownership of the directory to the user ID the RabbitMQ container runs as (chown) over world-writable permissions.
Start Physical Access with one or more PACS connectors. See the list of PACS connector services below.

The services smartid-pa-rabbitmq, smartid-pa-scimapi and smartid-pa-maintenance must be started for all Physical Access use cases.

Syntax: Start Physical Access with PACS connectors

```shell
cd <SMARTIDHOME>/compose/physicalaccess
docker-compose up -d smartid-pa-rabbitmq smartid-pa-scimapi smartid-pa-maintenance [PACS_connector1 PACS_connector2]
```

Example: Start Physical Access with ASSA ARX connector

```shell
cd <SMARTIDHOME>/compose/physicalaccess
docker-compose up -d smartid-pa-rabbitmq smartid-pa-scimapi smartid-pa-maintenance smartid-pa-arx
```
PACS | PACS connector service name | For more information |
---|---|---|
ASSA ARX | smartid-pa-arx | |
Bewator Omnis | smartid-pa-omnis | |
Bravida Integra | smartid-pa-integra | |
Interflex IF-6040 | smartid-pa-interflex | |
Kaba exos 9300 | smartid-pa-kabaexos | |
RCO R-CARD M5 Admin API | smartid-pa-rcom5 | |
RCO R-CARD M5 | smartid-pa-rco | |
Salto (SALTO ProAccess and SALTO ProAccess SPACE) | smartid-pa-salto | |
Security Shells iSecure | smartid-pa-isecure | Set up integration with Security Shells iSecure for connection with HID controllers |
SiPass | smartid-pa-sipass | |
SiPort | smartid-pa-siport | |
Unilock | smartid-pa-unilock | |
Unison Pacom | smartid-pa-unison | |
PACS demo service | smartid-pa-demo | |
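The following helper is an added example and is not part of the Smart ID documentation or product. It builds the service list for `docker-compose up -d` in the physicalaccess project from the table above: the three mandatory services are always included, connector names are checked against the table before anything is started, and duplicates are dropped, so a mistyped connector fails before the mandatory services have been brought up. It assumes the directory layout `<SMARTIDHOME>/compose/physicalaccess` from the page and that docker-compose is on the PATH; the SMARTIDHOME path is whatever your installation uses.

```shell
#!/bin/sh
# Added example, not Nexus code: start Physical Access with validated connectors.

# Always required (from the text above) and the connector services from the table.
PA_MANDATORY="smartid-pa-rabbitmq smartid-pa-scimapi smartid-pa-maintenance"
PA_CONNECTORS="smartid-pa-arx smartid-pa-omnis smartid-pa-integra smartid-pa-interflex \
smartid-pa-kabaexos smartid-pa-rcom5 smartid-pa-rco smartid-pa-salto smartid-pa-isecure \
smartid-pa-sipass smartid-pa-siport smartid-pa-unilock smartid-pa-unison smartid-pa-demo"

# True if NAME is one of the known connector service names.
pa_is_connector() {
    for c in $PA_CONNECTORS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# Print the full service list for the given connectors (mandatory services
# first, duplicates removed). Returns 1 and prints nothing on an unknown name.
pa_services() {
    list="$PA_MANDATORY"
    for name in "$@"; do
        case " $list " in
            *" $name "*) continue ;;   # already present (mandatory or repeated)
        esac
        if ! pa_is_connector "$name"; then
            echo "unknown PACS connector: $name" >&2
            return 1
        fi
        list="$list $name"
    done
    printf '%s\n' "$list"
}

# Start Physical Access from <SMARTIDHOME>/compose/physicalaccess with the
# given connectors, e.g.: start_physical_access /opt/smartid smartid-pa-arx
# (/opt/smartid is a placeholder for your SMARTIDHOME).
start_physical_access() {
    home="$1"; shift
    services=$(pa_services "$@") || return 1
    # Word-splitting of $services into separate service names is intended.
    (cd "$home/compose/physicalaccess" && docker-compose up -d $services)
}

# Usage: SMARTIDHOME=/opt/smartid sh start-pa.sh smartid-pa-arx smartid-pa-demo
if [ -n "${SMARTIDHOME:-}" ] && [ $# -gt 0 ]; then
    start_physical_access "$SMARTIDHOME" "$@"
fi
```

Because docker-compose only starts the listed services and their declared dependencies, calling this with no connector at all is still valid: it brings up just the three mandatory services, which matches the syntax shown above.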
Start Digital Access
Info |
---|
Digital Access must always be deployed on its own host. It cannot run together with other Smart ID applications because it uses the host's network. If you want to configure Digital Access in high availability or distributed mode using a bridge network, see Set up high availability for Digital Access deployment (bridge network). The bridge network setup will not work if you want to use an external RADIUS client for authentication; in that case, follow the swarm setup in Deploy Digital Access component on Docker. |
...
```shell
...
docker-compose stop
```
Configure Smart ID
Continue with Configure Smart ID.