Steps to Setup On-Premise IDP


The miniOrange identity provider (IdP) is a service that stores and verifies user identity. IdPs are typically cloud-hosted services, and they often work with single sign-on (SSO) providers to authenticate users. The purpose of this guide is to get you up and running on Linux as quickly as possible so that you can try out and test-drive the features miniOrange offers. The package is a standalone application with a default database and a bundled Tomcat; this guide does not cover more complex deployment options.

This short tutorial walks you through starting up the server in standalone mode, setting up the initial admin account, and logging into the miniOrange admin dashboard.


System Requirements

miniOrange On-Premise server has the following system requirements. This section lists recommended versions and requirements.

Operating System        Any operating system that runs Java 8 or later (Linux preferred)
CPU                     4 cores
RAM                     16 GB and above
Storage                 32 GB or above
Java Environment        jdk1.8.0_381 and above
Server Access Policies  Port 80 - HTTP
                        Port 1812 & 1813 - RADIUS UDP (optional)
                        Port 22 - SSH (Linux server) - for login
Database                Find the list of all supported versions here.
Server Ports            Ensure the following ports are available on the server for installing the required services:
                        6379 - Redis
                        5672 - RabbitMQ

Install On-Premise Server

You can download miniOrange On-Premise server from here

Follow the steps to deploy miniOrange On-Premise server on your operating system:

Linux Installer

1. Prerequisites and Setup

    1.1. Pre-requisites

    a. Database setup:
       • Ensure you have a database configured with an empty schema.
       • Supported databases: PostgreSQL, MySQL, MSSQL.
       • e.g., PostgreSQL installation guides:
       • Create a database (PostgreSQL example):
         • To enter psql, run: sudo -u postgres psql
         • At the prompt, run: create database <databasename>;
           (Replace <databasename> with your desired database name.)
    b. Install RabbitMQ using the relevant guide:
    c. To verify the RabbitMQ installation, run:
       systemctl status rabbitmq-server.service
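As an added check (example code, not part of the miniOrange installer), the script below probes the ports from the System Requirements table (6379 Redis, 5672 RabbitMQ) plus a database port from the local machine and reports which ones accept a TCP connection. The PostgreSQL port 5432 is an assumption, since the guide does not name a database port. Run it after the prerequisite services are installed to confirm they are listening, or before the installer runs to see whether something else already occupies a port it needs.

```python
"""TCP reachability check for the accessory services this guide depends on.

Added example, not part of the miniOrange installer. The Redis and RabbitMQ
ports come from the System Requirements table; 5432 (PostgreSQL default) is an
assumption, since the guide does not name a database port.
"""
import socket
import sys

DEFAULT_PORTS = {
    "redis": 6379,        # from the System Requirements table
    "rabbitmq": 5672,     # from the System Requirements table
    "postgresql": 5432,   # assumption: PostgreSQL default port
}


def port_is_listening(host, port, timeout=1.0):
    """True if something accepts a TCP connection on host:port within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, or no such host
        return False


def check_services(host="127.0.0.1", ports=None, timeout=1.0):
    """Probe every named port; returns {name: (port, listening)} in the given order."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {name: (port, port_is_listening(host, port, timeout)) for name, port in ports.items()}


def format_report(results):
    """One line per service, so the same output can be logged or printed."""
    lines = []
    for name, (port, listening) in results.items():
        state = "listening" if listening else "not reachable"
        lines.append(f"{name:<12} {port:>5}  {state}")
    return lines


def all_listening(results):
    """Convenience for scripts: True only when every probed port accepted a connection."""
    return all(listening for _, listening in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    outcome = check_services(target)
    print("\n".join(format_report(outcome)))
    sys.exit(0 if all_listening(outcome) else 1)
```

The exit status makes it usable from a shell script that gates the installer: a non-zero exit means at least one expected service is not reachable on that host.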

    1.2. Running the Installer

    • To download the installer, click here.
    • Unzip mo-installer.zip.
    • Make the scripts executable: chmod +x *.sh
    • Run the installer script: sudo sh mo-installer.sh

    1.3. Starting the Identity Provider (IdP)

    • Start the IdP service: sudo systemctl start mo-idp-miniorange.service
    • Open a web browser and navigate to https://<IP/DNS> (e.g. https://192.168.1.2).
      (Ignore the SSL warning if prompted; it is caused by the self-signed certificate.)

    1.4. Database Configuration

    • Enter the following details on the setup page:
      Database Type                                   PostgreSQL / MySQL / MSSQL
      Database Host                                   localhost
      Database Username, Password and Database Name   as set during installation

    1.5. Admin Account Setup

    • Configure the admin username and password.
    • Click Next to create the admin account.

    1.6. Use-Case Selection

    • Choose a predefined template that suits your requirements.
    • If unsure, you can skip this step.
    • Upon completion, the admin dashboard should be displayed.

2. Starting Accessory Services

  • Unzip the mo-installer.zip file to get the start-services script.
  • Run the start-services script (make it executable first with chmod +x start-services.sh if needed): ./start-services.sh. When prompted, enter start.
  • To check the status of the services, navigate to http://<IP/DNS>:8070 and confirm that all services come up.

3. FAQs & Troubleshooting

  • Restart the services using the start-services script and enter restart when prompted.
  • Check service status at http://<IP/DNS>:8070.

If you want to start/stop any service manually, you can start them in the following order:

  • miniOrange Eureka Service
  • miniOrange Config Service
  • miniOrange Gatekeeper Service
  • miniOrange Apps Service
  • miniOrange Auditing Service
  • miniOrange Provisioning Service
  • miniOrange Directory Service

4. Import SSL Certificate into JDK Truststore (Required for Workflows)

Workflows require secure communication over HTTPS.

  • To ensure the Workflow service trusts your domain certificate, you must import the certificate into the JDK's cacerts truststore.
  • Default keystore password: changeit
  • [Note: The location of the cacerts file depends on your JDK installation.]

  • Use the command below to import your domain certificate into the JDK truststore:
    sudo keytool -import \
      -alias miniorange-wildcard \
      -file /home/abhishek/Downloads/certificates/domain.crt \
      -keystore /usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts \
      -storepass changeit
  • If your JDK is installed at a different path, update the -keystore location accordingly.
  • Common alternate paths:
    /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
    /usr/lib/jvm/java-11-openjdk/lib/security/cacerts
    /opt/jdk/jre/lib/security/cacerts

5. Register Workflow Module with Scheduler

To enable workflow execution, you must register the Workflow module with the Scheduler service. Follow the steps based on your operating system.

  • Go to the installed miniOrange directory.
  • Navigate to services/linux/, which contains scheduler-mq-register.sh (for example: cd /opt/mo-idp-server/services/linux/).
  • Run the registration script: sudo ./scheduler-mq-register.sh

Run miniOrange IDP server over SSL



How to Apply an SSL Certificate for Nginx:

  • Supported certificate formats for Nginx:
    • PEM format (recommended: .crt, .cer, .pem)
    • The private key must be in PEM format (.key).
    • Nginx does not support certificates in DER or PFX format directly. Use OpenSSL to convert them before use.

1. Requirements

Ensure you have OpenSSL installed on your system:

  • Run: sudo apt install openssl

2. Generate a Self-Signed Certificate

  • Run this command in your terminal:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout nginx-selfsigned.key -out nginx-selfsigned.crt \
      -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=example.com"

    Command breakdown:

    Flag        Description
    -x509       Generates a self-signed certificate
    -nodes      No password for the private key
    -days 365   Certificate valid for 1 year
    -keyout     Path to save the private key
    -out        Path to save the certificate
    -subj       Set certificate details without prompts

  • -subj format: /C=US/ST=State/L=City/O=Company/OU=Org/CN=example.com

    Field   Meaning                    Example
    C       Country code (2 letters)   US, IN, DE
    ST      State/Province             California, Karnataka
    L       City                       San Francisco, Bangalore
    O       Organization               Acme Corp
    OU      Department                 IT, Engineering
    CN      Domain name                example.com
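The -subj string is a small format of its own, and a CN that does not match the name clients actually use is the most common reason a freshly generated certificate is rejected. The following added example (not from this guide or from OpenSSL) parses a -subj string into its fields, checks that C is a two-letter code and that CN is a syntactically valid hostname or wildcard, and confirms CN matches the hostname you intend to serve; build_subject does the reverse so the string can be assembled from values without hand-escaping slashes. The hostname syntax and the wildcard rule (a single leading "*." label) are this example's own assumptions.

```python
"""Parse and check an OpenSSL -subj string.

Added example, not part of the guide or of OpenSSL. The hostname syntax and the
wildcard rule (a single '*.' label) are this example's own assumptions.
"""
import re

# Fields in the order the guide's -subj string uses them.
KNOWN_FIELDS = ("C", "ST", "L", "O", "OU", "CN")
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_subject(subj):
    """Split '/K=V/K=V' into a dict (insertion ordered); '\\/' inside a value stays a literal '/'."""
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    fields = {}
    for part in re.split(r"(?<!\\)/", subj[1:]):   # split only on unescaped slashes
        if "=" not in part:
            raise ValueError(f"malformed component: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.replace("\\/", "/")
    return fields


def build_subject(**fields):
    """Inverse of parse_subject: escape '/' in values and join in the conventional order."""
    pieces = []
    for key in KNOWN_FIELDS:
        if key in fields:
            escaped = str(fields[key]).replace("/", "\\/")
            pieces.append(f"/{key}={escaped}")
    return "".join(pieces)


def is_valid_hostname(name):
    """True for 'example.com' or 'idp.example.com'; a leading '*.' wildcard label is allowed."""
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def cn_matches(cn, hostname):
    """Match the way a browser does: exact, or one wildcard label covering exactly one label."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        return hostname.endswith(cn[1:]) and hostname.count(".") == cn.count(".")
    return cn == hostname


def validate_subject(subj, expected_hostname):
    """Return a list of problems; an empty list means the subject is usable for expected_hostname."""
    try:
        fields = parse_subject(subj)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"unknown field {key}" for key in fields if key not in KNOWN_FIELDS]
    country = fields.get("C", "")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(f"C must be a 2-letter country code, got {country!r}")
    cn = fields.get("CN")
    if not cn:
        problems.append("CN is missing")
    elif not is_valid_hostname(cn):
        problems.append(f"CN {cn!r} is not a valid hostname")
    elif not cn_matches(cn, expected_hostname):
        problems.append(f"CN {cn!r} does not match {expected_hostname!r}; clients will reject the certificate")
    return problems


if __name__ == "__main__":
    sample = "/C=US/ST=State/L=City/O=Company/OU=Org/CN=example.com"   # the guide's example string
    print(parse_subject(sample))
    print(validate_subject(sample, "idp.example.com") or "ok")
```

Run validate_subject with the hostname that will appear in the IdP's Server Base URL before running openssl; modern browsers check the Subject Alternative Name rather than CN, so for anything beyond local testing add a SAN for the same name as well.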
3. Apply the SSL Certificate in Nginx

    1. Locate nginx.conf

    • Open: /etc/nginx/nginx.conf

    2. Edit the Server Block

    server {
        listen 443 ssl;
        server_name example.com;   # Replace with your domain
        ssl_certificate     /path/to/nginx-selfsigned.crt;
        ssl_certificate_key /path/to/nginx-selfsigned.key;
        location / {
            # Your application settings
        }
    }

    3. Restart Nginx

    • Run:
      sudo nginx -t                 # Test configuration
      sudo systemctl restart nginx

⚠ Note: Self-signed certificates will show a browser warning because they are not issued by a trusted Certificate Authority (CA). Use only for local development or internal testing.


How to Apply a Self-Signed SSL Certificate in Tomcat (JKS keystore):

    1. Generate a Keystore
    • Open a command prompt or terminal, go to <Path to JAVA_HOME>/bin and enter the command given below:
      keytool -genkey -alias onpremssoidp -keyalg RSA -keystore onpremssoidp.jks
    • If you get a permission error in this step, change the location in the command prompt or terminal to Desktop or any other location of your choice.
    • Enter a password of your choice and remember it. (If the password you entered does not work, use the password "changeit".)
    2. Generate SSL Certificate
    • After pressing the Return key it will prompt for a password for <onpremssoidp>. Hit Return to continue.
      (Note: first name and last name must be the DNS name/hostname of the server.)
    • The self-signed SSL certificate is generated at the given location.
    3. Configure Tomcat with the above-generated Keystore

      1. Open Tomcat Configuration:

      • Navigate to the conf directory within the miniOrange installation folder.
      • Open the server.xml file in a text editor.

      2. Edit server.xml:

      • Locate the line <Service name="Catalina">.
      • Immediately after this line, insert the following snippet:
        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="<JKS Keystore Path>" ciphers="ALL"
                   keystorePass="<Password while keystore generation>"/>
      • Replace <JKS Keystore Path> with your keystore file path and <Password while keystore generation> with your keystore password.

        Note: Make sure the .jks file has appropriate permissions, or run the command prompt as Administrator.

Using a certificate from Trusted CAs like LetsEncrypt, GoDaddy, Comodo SSL.

  • The following steps assume that you have a valid certificate generated through Certbot. If you do not have the certificates yet, you can use the Certbot command below to generate the certificate for your domain:
    certbot certonly --standalone -d example.com
  • Once the certificate is generated, the following folder structure will be obtained:
    #:/etc/letsencrypt/live/example.com# ls
    cert.pem chain.pem fullchain.pem privkey.pem README
  • Copy cert.pem, chain.pem, fullchain.pem and privkey.pem into the conf directory of the IdP.
  • Edit conf/server.xml and add the following connector element:
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateFile="conf/cert.pem"
                         certificateKeyFile="conf/privkey.pem"
                         certificateChainFile="conf/chain.pem" />
        </SSLHostConfig>
    </Connector>

  • Restart the IdP. The IdP should now use the valid certificate from LetsEncrypt.
  • The steps below assume that you have downloaded the valid SSL certificates from GoDaddy. The certificates need to be imported into a Java Keystore (JKS). To create a JKS, the keytool utility can be used:
    keytool -genkey -alias onpremssoidp -keyalg RSA -keystore onpremssoidp.jks
  • The original certificates need to be removed from the keystore. That can be done using the command below:
    keytool -delete -alias onpremssoidp -keystore onpremssoidp.jks
  • OpenSSL can be used to package the certificates downloaded from GoDaddy, together with the private key, for import into the Java Keystore:
    openssl pkcs12 -export -in <GoDaddyCertificate>.crt -inkey <PrivateKey>.key \
      -out <PublicPrivateKeyPair>.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root
  • The keystore can now be used to configure the connector in conf/server.xml:
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="<JKS Keystore Path>" ciphers="ALL"
               keystorePass="<Password while keystore generation>"/>

  • Restart the IdP. The IdP should now use the valid certificate from GoDaddy.

Creating a New Keystore

  • Navigate to the directory where you plan to locate the new keystore.
  • Enter the following command:
    keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks
  • When prompted, create a password for your new keystore.
  • Enter the required information (Note: do not type your own name into the name field; type your FQDN).
  • When finished, verify your information by typing "Y" or "Yes".
  • Finally, enter the password you just created in step three.

Creating a CSR on Tomcat Servers

  • Run the following command:
    keytool -certreq -alias server -file csr.txt -keystore your_site_name.jks
  • Once prompted, enter the password you created in step three of the keystore instructions.
  • Use the information you supplied when creating the keystore. The CSR will be generated and saved in the chosen directory as "csr.txt".
  • We recommend saving and backing up the keystore file once you have finished generating the CSR. Once the CSR is complete, choose the SSL certificate you would like to install on your Tomcat server and purchase it, copying and pasting the CSR (open the .txt file) into the relevant field (usually the one labelled CSR).
  • Once the purchase and validation are complete, the CA will email you a bundle that includes your SSL certificate and an intermediate certificate that needs to be installed with it.

How to Install an SSL Certificate on Your Tomcat Server

  • Save your certificate(s) to the keystore directory you created.
  • Use the following command to import the certificate into the keystore:
    keytool -import -alias server -file your_site_name.p7b -keystore your_site_name.jks
  • You should see a confirmation message that says: "Certificate reply was installed in keystore."
  • Type "Y" or "Yes" to trust the certificate.
  • Finally, configure the Tomcat server to serve the website via HTTPS.

Configuring Your SSL/TLS Connector

  • Using a text editor, open your Tomcat server.xml file.
  • Locate the connector you want to secure with your new keystore.
  • Configure the connector to use port 443 (HTTPS); your configuration should look something like this:
    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
               minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false"
               sslProtocol="TLS" keyAlias="server"
               keystoreFile="/home/user_name/your_site_name.jks"
               keystorePass="your_keystore_password" />
  • Save the changes to your server.xml file.
  • Restart your Tomcat server.
  • If the above methods do not work, follow the link given below.
  • Click here to follow the steps if you have any other CA certificates.
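Three connector snippets appear in this guide (the JKS connector for the self-signed keystore, the SSLHostConfig/PEM connector for Let's Encrypt, and the generic connector above), and each is edited by hand before a restart. The added example below (not part of miniOrange or Tomcat) parses a server.xml, or a pasted connector fragment, and reports the mistakes that otherwise only show up when Tomcat fails to start: an unclosed tag, an unfilled placeholder such as your_site_name.jks or <JKS Keystore Path> (unescaped angle brackets also make the XML itself malformed, which is reported as such), a keystore or PEM file that does not exist relative to <tomcat-root>, and a connector missing scheme="https" secure="true", without which request.isSecure() is false and redirects are built as http. The placeholder markers and the base-directory convention are this example's own assumptions.

```python
"""Pre-flight check for HTTPS <Connector> entries in Tomcat's server.xml.

Added example, not part of miniOrange or Tomcat. Relative file paths are resolved
against base_dir, assumed to be <tomcat-root> (the directory containing conf/).
"""
import os
import sys
import xml.etree.ElementTree as ET

# Strings that indicate a value copied from a guide and never filled in (assumption).
PLACEHOLDER_MARKERS = ("your_", "/path/to/", "<", ">")
# Attributes that must point at an existing file (keystore or PEM material).
FILE_ATTRS = ("keystoreFile", "certificateFile", "certificateKeyFile", "certificateChainFile")


def looks_like_placeholder(value):
    return any(marker in value for marker in PLACEHOLDER_MARKERS)


def check_connector(conn, base_dir):
    """Findings for one <Connector> that has SSLEnabled="true"."""
    findings = []
    a = conn.attrib
    port = a.get("port", "?")
    # Without these two, request.isSecure() is false and redirects are built as http://.
    if a.get("scheme") != "https" or a.get("secure") != "true":
        findings.append(f'port {port}: add scheme="https" secure="true" to the SSL connector')
    certs = list(conn.iter("Certificate"))
    if "keystoreFile" not in a and not certs:
        findings.append(f"port {port}: neither keystoreFile nor an <SSLHostConfig>/<Certificate> is configured")
    for element in [conn] + certs:
        for attr in FILE_ATTRS:
            path = element.attrib.get(attr)
            if path is None:
                continue
            if looks_like_placeholder(path):
                findings.append(f"port {port}: {attr} still holds placeholder {path!r}")
            elif not os.path.isfile(os.path.join(base_dir, path)):
                findings.append(f"port {port}: {attr} file not found: {path}")
    password = a.get("keystorePass")
    if password is not None and looks_like_placeholder(password):
        findings.append(f"port {port}: keystorePass still holds a placeholder value")
    return findings


def check_server_xml(xml_text, base_dir="."):
    """Return a list of findings; an empty list means no problem was detected."""
    stripped = xml_text.lstrip()
    if not (stripped.startswith("<?xml") or stripped.startswith("<Server")):
        xml_text = f"<Server>{xml_text}</Server>"   # allow a bare connector fragment
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML (unclosed tag or '<' inside an attribute?): {exc}"]
    ssl_connectors = [c for c in root.iter("Connector") if c.attrib.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        return ['no <Connector> with SSLEnabled="true" found']
    findings = []
    for conn in ssl_connectors:
        findings.extend(check_connector(conn, base_dir))
    return findings


if __name__ == "__main__":
    # Usage: python check_connector.py <tomcat-root>/conf/server.xml
    server_xml = sys.argv[1] if len(sys.argv) > 1 else "conf/server.xml"
    tomcat_root = os.path.dirname(os.path.dirname(os.path.abspath(server_xml)))
    with open(server_xml, encoding="utf-8") as fh:
        problems = check_server_xml(fh.read(), tomcat_root)
    print("\n".join(problems) if problems else "no problems found")
    sys.exit(1 if problems else 0)
```

Run it from <tomcat-root> before restarting the IdP; a non-zero exit means at least one finding, and the message names the port so the right connector can be fixed.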

Migration from Zip Distribution to Installer

  • Navigate to your current Tomcat installation directory and take a backup of the moas directory present in <tomcat-root>.
  • Take a backup of your database. If you are using the internal integrated database, back up the data folder present in <tomcat-root>. If you use an external database, take a snapshot of the DB.
  • Take a backup of <tomcat-root>/conf/server.xml if you have added additional connectors for SSL in Tomcat itself.

On-Premise IDP Server Windows Migration from Zip to Installer

  • Delete the current Tomcat installation.
  • Download the installer, run the downloaded installer file and install the latest On-Premise Server.
  • Stop the On-Premise service that was just installed.
  • Go to the installed directory root.
  • Go to <moas-backup-root>/WEB-INF/classes/ and copy the db.properties and license files.
  • Go to <On-Premise-service-root>/moas/WEB-INF/classes/ and paste the db.properties and license files.
  • Start the On-Premise IDP Server service that you installed.

Upgrade On-Premise IDP

    Prerequisites:

    • Log in to your admin account and go to Settings >> Product Settings. Copy your Server Base URL.
    • Take a backup of the miniorange db in your db instance.
    • Take a backup of the following files on the server:
      • mo-idp-server-*/moas/WEB-INF/classes/db.properties
      • mo-idp-server-*/moas/WEB-INF/classes/license
    • Go to mo-idp-server-*/bin and shut down the running Tomcat instance (you can use sh shutdown.sh).

    Steps to upgrade:

    • Download the latest version to your Linux server and unzip it.
    • You will find a moas folder inside the uncompressed folder. Replace mo-idp-server-3.3.*/moas with the new moas folder.
    • Restore the backups of db.properties and license to the same paths mentioned above.
    • Go to mo-idp-server-*/bin and shut down the running Tomcat instance (you can use sh shutdown.sh).
    • Restart the Tomcat instance using sh startup.sh
    • Open a browser and go to <Your-Server-Base-URL>/initialize
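Both the migration (zip to installer) and the upgrade sections come down to the same three files: moas/WEB-INF/classes/db.properties, moas/WEB-INF/classes/license and, when SSL connectors were added in Tomcat, conf/server.xml. The added example below (not a miniOrange tool) copies them into a timestamped backup directory with owner-only permissions, since db.properties holds the database connection settings, and restores db.properties and license into a new installation; server.xml is restored only on request because the fresh install ships its own and connectors are better re-applied by hand. The directory layout is taken from this guide; the backup directory name is this example's own choice.

```python
"""Back up and restore the configuration files the migration and upgrade steps refer to.

Added example, not a miniOrange tool. Layout assumed from this guide:
<root>/moas/WEB-INF/classes/db.properties, <root>/moas/WEB-INF/classes/license
and <root>/conf/server.xml. The backup directory name is this example's choice.
"""
import os
import shutil
import time

REQUIRED_FILES = ("moas/WEB-INF/classes/db.properties", "moas/WEB-INF/classes/license")
OPTIONAL_FILES = ("conf/server.xml",)   # only matters if SSL connectors were added in Tomcat


def _copy(src, dst):
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copy2(src, dst)               # copy2 preserves the modification time


def backup_config(install_root, backup_parent, stamp=None):
    """Copy the files into <backup_parent>/mo-backup-<stamp>/ and return (backup_dir, copied_relative_paths).

    Raises FileNotFoundError if a required file is missing, so a half backup is never silently accepted.
    """
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    backup_dir = os.path.join(backup_parent, f"mo-backup-{stamp}")
    copied = []
    for rel in REQUIRED_FILES + OPTIONAL_FILES:
        src = os.path.join(install_root, rel)
        if not os.path.isfile(src):
            if rel in REQUIRED_FILES:
                raise FileNotFoundError(f"required file missing, refusing to continue: {src}")
            continue
        _copy(src, os.path.join(backup_dir, rel))
        copied.append(rel)
    os.chmod(backup_dir, 0o700)   # db.properties holds the database connection settings
    return backup_dir, copied


def restore_config(backup_dir, new_install_root, include_server_xml=False):
    """Copy db.properties and license (and server.xml only on request) into the new install; return destinations."""
    wanted = REQUIRED_FILES + (OPTIONAL_FILES if include_server_xml else ())
    restored = []
    for rel in wanted:
        src = os.path.join(backup_dir, rel)
        if not os.path.isfile(src):
            if rel in REQUIRED_FILES:
                raise FileNotFoundError(f"backup is incomplete: {src}")
            continue
        dst = os.path.join(new_install_root, rel)
        _copy(src, dst)
        restored.append(dst)
    return restored


if __name__ == "__main__":
    import sys
    # Usage: python mo_backup.py backup <install-root> <backup-parent>
    #        python mo_backup.py restore <backup-dir> <new-install-root>
    action, source, target = sys.argv[1:4]
    if action == "backup":
        where, files = backup_config(source, target)
        print(f"backed up {len(files)} file(s) to {where}")
    else:
        for path in restore_config(source, target):
            print(f"restored {path}")
```

Run the backup step before deleting the old installation or replacing the moas folder, and the restore step after the new service has been stopped, which matches the order of the steps above.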

Uninstall On-Premise IDP

  • Shut down any running miniOrange Tomcat process or service.
  • Take any backups you might need of the database.
  • Go to the folder mo-idp-server-* and delete it.

Frequently Asked Questions

If you encounter the error: "keytool error: java.lang.Exception: Key pair not generated, alias <onpremssoidp> already exists"

This indicates that the keystore file already exists. To resolve this, follow these steps:

  • Delete the existing keystore file named "onpremssoidp.jks" in <Path to JAVA_HOME>/bin.
  • Rerun the key generation command "keytool -genkey -alias onpremssoidp -keyalg RSA -keystore onpremssoidp.jks" and fill in the details.
