GrantID - Setup on Docker
For Docker-based setup the following image is provided on DockerHub:
This image requires:
- A SQL Server Database connection: the database collation must be Latin1_General_100_CI_AI or Latin1_General_CI_AI.
- Storage (shared between all instances of the image): see the BlobStorage settings below for further information.
- A certificate to issue tokens. See GrantID Linux Installation for instructions to generate this certificate using openssl.
- A key to generate temporary tokens sent on emails. See GrantID Linux Installation for instructions to generate this key using openssl.
GrantID is composed of three services (see GrantID Overview), which this image exposes from a single container. The port of each service can be configured using the following environment variables:
- GRANTID_IDENTITY_SERVICE_PORT: default
- GRANTID_AUTH_SERVER_PORT: default
- GRANTID_CONSOLE_PORT: default
If you need one image per service for fine-grained control of your containers contact us.
The container for this image is configured using environment variables.
Environment variable names must follow the pattern Section__Setting (section name, two underscores, setting name). For instance, to configure the SupportEmailAddress setting of the General section you must set a variable named:
General__SupportEmailAddress
The required settings are presented below.
Database connection string
Under section ConnectionStrings:
- DefaultConnection: the connection string to the database. A typical connection string looks like this:
Data Source=SERVER;Initial Catalog=DATABASE;User ID=USERNAME;Password=PASSWORD
If you created the database using advanced features such as log shipping or mirroring, your connection string may be different. Server and Data Source are interchangeable keywords for the SQL Server host, so the corresponding environment variable is:
ConnectionStrings__DefaultConnection=Server=SERVER;Initial Catalog=DATABASE;User ID=USERNAME;Password=PASSWORD;
Most Server endpoints require the following format for the Data Source/Server parameter:
Defines how the application will store and retrieve files.
See BlobStorage Configuration for details and examples of supported services.
Defines where application logs will be stored.
Please see Serilog Configuration for details and examples of supported services.
Under section PkiSuite:
- SdkLicense: your license for the PKI SDK, in Base64 format (required)
- WebLicense: your license for the Web PKI component, in Base64 format. Only required if users will issue certificates on their own computers (web issuing procedure)
- WebBrand: if you have a custom setup brand on Web PKI, set it here
Under section Application:
- ProductName: the name of the application.
- IdentityServiceUrl: the URL of the IdentityService service.
- ConsoleUrl: the URL of the Console service.
- AuthServerUrl: the URL of the AuthServer service.
- UseReverseProxy: set to true if the container will run behind a reverse proxy or load balancer. It can be omitted otherwise.
- TempTokenPassword: the key used to generate the temporary tokens sent by email (see the key requirement above).
- ProtectorKeyStorePath: file system path where the data protection keys are saved.
- SigningCertificatePfxPath: file system path of the certificate (PFX) used to issue tokens.
- SigningCertificatePfxPassword: the password of the certificate used to issue tokens.
Application__ProductName=My App ID
Application__IdentityServiceUrl=https://myappid-api.com
Application__ConsoleUrl=https://myappid-console.com
Application__AuthServerUrl=https://myappid.com
Application__ProtectorKeyStorePath=/files/keys
Application__SigningCertificatePfxPath=/files/issuer.pfx
Application__SigningCertificatePfxPassword=123456
Application__TempTokenPassword=CPPJ66jJqHQ8ykUFEvhNWpfQwrhiGbeCBFNJ2z07yD0=
Application__UseReverseProxy=true
The values above are placeholders: use the password you chose when exporting your own PFX instead of 123456, generate your own TempTokenPassword, and treat both as secrets (for instance a Docker secret or an env-file readable only by the deploying user). When running several instances, point ProtectorKeyStorePath and SigningCertificatePfxPath at the storage shared by all of them, so that every instance uses the same keys and certificate.
Under section Email:
- Enabled: by default, email sending is enabled. To disable it, set this setting to false and ignore the remainder of this section.
- ServerHost: hostname of the SMTP server.
- EnableSsl: by default, the SMTP conversation is performed over SSL/TLS. To disable it, set this setting to false (not recommended: the SMTP credentials and message contents would then travel in clear).
- ServerPort: by default, the SMTP conversation uses port 587. Set this setting to use a different port.
- Username and Password: if the SMTP server requires authentication, set these settings
- SenderAddress: email address to be used as sender (from field)
- SenderName: name to be used as the sender name (optional)
- Support: the support email which will be included at the bottom of every email sent by the application.
Email__ServerHost=email-smtp.us-east-1.amazonaws.com
Email__Username=USERNAME
Email__Password=PASSWORD
Email__SenderAddress=firstname.lastname@example.org
Email__SenderName=MYAPPNAME
Email__Support=email@example.com
Additional settings can be found at the GrantID Settings page.
Pull the latest stable image, configure the required environment variables and run the container.
Start with a single container: on the first startup the database tables are created, and several containers doing this at the same time could race each other. Once the initial startup has completed, you may run as many containers as you want.
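As an added example (it is not part of the GrantID documentation or image), the following POSIX shell script ties together the required settings listed above and the single-container first start: it generates the temporary-token key and a signing PFX, writes the env-file that docker run consumes, runs a preflight check on it, and starts the first instance. Everything GrantID-specific in it is limited to the setting names on this page; the image name (IMAGE), the host port (HOST_PORT), the host directory mounted at /files (SHARED_DIR), the sample hostnames, and the self-signed openssl recipe are assumptions of this example, not values or procedures taken from the project (the project's own certificate instructions are on its Linux Installation page).

```shell
#!/bin/sh
# Added example for this page; not part of the GrantID documentation or image.
# Assumptions not stated on the page: IMAGE and HOST_PORT are placeholders, the
# host directory SHARED_DIR is mounted at /files (the shared storage), and the
# openssl recipe is a generic self-signed one, not the Linux Installation page's.
set -eu

IMAGE="${IMAGE:-REPLACE_WITH_IMAGE:TAG}"   # assumption: image name not on this page
HOST_PORT="${HOST_PORT:-8080}"             # assumption: port defaults not on this page
SHARED_DIR="${SHARED_DIR:-$PWD/files}"     # host side of the storage shared by all instances

# Key for the temporary tokens sent by e-mail: 32 random bytes, Base64, the
# same shape as the sample TempTokenPassword value on this page.
gen_temp_token_key() { openssl rand -base64 32; }

# Token-signing certificate as PKCS#12.  $1 = output .pfx, $2 = PFX password.
# The password reaches openssl through the environment, not the command line,
# so it does not show up in `ps`.
gen_signing_pfx() {
  key=$(mktemp); crt=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=GrantID token signing" -keyout "$key" -out "$crt" 2>/dev/null
  PFX_PASSWORD="$2" openssl pkcs12 -export -inkey "$key" -in "$crt" \
    -out "$1" -passout env:PFX_PASSWORD
  rm -f "$key" "$crt"
}

# Write the file for `docker run --env-file`.  Docker reads each line as
# NAME=VALUE literally (no quoting, no expansion), so the ';' and '$' that
# connection strings and passwords contain survive untouched.  Secrets come
# from the caller's shell variables DB_PASSWORD, SDK_LICENSE, PFX_PASSWORD and
# TEMP_TOKEN_KEY; the file is created owner-only.  $1 = output path.
write_env_file() {
  (umask 077; cat >"$1" <<EOF
ConnectionStrings__DefaultConnection=Server=sql.internal;Initial Catalog=grantid;User ID=grantid;Password=${DB_PASSWORD:?DB_PASSWORD not set}
PkiSuite__SdkLicense=${SDK_LICENSE:?SDK_LICENSE not set}
Application__ProductName=My App ID
Application__IdentityServiceUrl=https://myappid-api.com
Application__ConsoleUrl=https://myappid-console.com
Application__AuthServerUrl=https://myappid.com
Application__UseReverseProxy=true
Application__ProtectorKeyStorePath=/files/keys
Application__SigningCertificatePfxPath=/files/issuer.pfx
Application__SigningCertificatePfxPassword=${PFX_PASSWORD:?PFX_PASSWORD not set}
Application__TempTokenPassword=${TEMP_TOKEN_KEY:?TEMP_TOKEN_KEY not set}
Email__ServerHost=email-smtp.us-east-1.amazonaws.com
Email__SenderAddress=firstname.lastname@example.org
Email__Support=email@example.com
EOF
  )
}

# Preflight check of an env-file before the first start: every required
# setting present and non-empty, the three service URLs on https, SMTP TLS not
# switched off, and a TempTokenPassword at least as long as the page's sample
# (44 Base64 characters = 32 bytes; an assumption, the page states no minimum).
check_env_file() {
  f=$1
  for name in ConnectionStrings__DefaultConnection PkiSuite__SdkLicense \
      Application__ProductName Application__IdentityServiceUrl \
      Application__ConsoleUrl Application__AuthServerUrl \
      Application__ProtectorKeyStorePath Application__SigningCertificatePfxPath \
      Application__SigningCertificatePfxPassword Application__TempTokenPassword; do
    grep -q "^$name=." "$f" || { echo "missing: $name" >&2; return 1; }
  done
  for name in IdentityServiceUrl ConsoleUrl AuthServerUrl; do
    grep -q "^Application__$name=https://" "$f" \
      || { echo "Application__$name must use https" >&2; return 1; }
  done
  if grep -qi '^Email__EnableSsl=false' "$f"; then
    echo "Email__EnableSsl=false would send SMTP credentials in clear" >&2; return 1
  fi
  grep -q '^Application__TempTokenPassword=[A-Za-z0-9+/=]\{44,\}$' "$f" \
    || { echo "TempTokenPassword: use 32 random bytes, Base64" >&2; return 1; }
}

# First start: exactly one container, so the database tables are created once;
# start further instances (same env-file, same /files mount) only after this
# one is up.
main() {
  mkdir -p "$SHARED_DIR"
  PFX_PASSWORD="${PFX_PASSWORD:-$(openssl rand -base64 24)}"
  TEMP_TOKEN_KEY="$(gen_temp_token_key)"
  gen_signing_pfx "$SHARED_DIR/issuer.pfx" "$PFX_PASSWORD"
  write_env_file grantid.env
  check_env_file grantid.env
  docker run -d --name grantid-1 --env-file grantid.env \
    -e "GRANTID_AUTH_SERVER_PORT=$HOST_PORT" -p "$HOST_PORT:$HOST_PORT" \
    -v "$SHARED_DIR:/files" "$IMAGE"
}

if [ "${GRANTID_BOOTSTRAP:-}" = "1" ]; then main; fi
```

Run it as DB_PASSWORD=... SDK_LICENSE=... GRANTID_BOOTSTRAP=1 sh grantid-bootstrap.sh; without GRANTID_BOOTSTRAP=1 it only defines the functions, so you can source it and run check_env_file against an env-file you wrote by hand. Keep grantid.env out of version control: it holds the database password, the PFX password and the temporary-token key, and Docker passes its lines to the container verbatim.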
Before updating your container, check the Changelog to see what has changed between your current version and the latest one available.
If any version included in the update changes the database model ("Updates database model: yes"), proceed carefully: the container will attempt to update the database on startup, and several containers attempting it at once can conflict.
In this scenario, it is recommended to choose one of the following options:
- Reduce the number of running containers to 1.
- Allow only one container to update the database. This is done by adding the following settings to all but one container:
Finally, to update, pull the image with the tag corresponding to the desired version and run the container.