# Installing OpenIAM without internet access

### Installation without Internet access

This installation type is suitable for servers without Internet access (servers from which you can't reach the OpenIAM website).

This type of installation is suitable for both EL8 RHEL and CentOS versions.\
During the installation you will also be prompted to install MariaDB RDBMS. This is suitable for Demo and POC installations. If you already have a database server, answer `N` at the prompt.

{% stepper %}
{% step %}

### Prepare download files (on a machine with Internet)

For EL8 use the following links.

{% code overflow="wrap" %}

```shellscript
curl https://download.openiam.com/release/enterprise/2026.5.1/rpm/openiam-2026.5.1.noarch.x86_64.rpm --output openiam-2026.5.1.noarch.x86_64.rpm
curl https://download.openiam.com/release/enterprise/2026.5.1/dependencies/el8/openiamrepo.tar.gz --output openiamrepo.tar.gz
curl https://download.openiam.com/release/enterprise/2026.5.1/binaries/frontend.tar.gz --output frontend.tar.gz
curl https://download.openiam.com/release/enterprise/2026.5.1/binaries/backend.tar.gz --output backend.tar.gz
curl https://download.openiam.com/release/enterprise/infra/httpd-libs.tar.gz --output httpd-libs.tar.gz
curl https://download.openiam.com/release/enterprise/2026.5.1/connectors/ldap-connector-rabbitmq.jar --output ldap-connector-rabbitmq.jar
```

{% endcode %}

For EL9, make sure to use the following links.

{% code overflow="wrap" %}

```shellscript
curl https://download.openiam.com/release/enterprise/2026.5.1/rpm/openiam-2026.5.1.noarch.x86_64.rpm --output openiam-2026.5.1.noarch.x86_64.rpm
curl https://download.openiam.com/release/enterprise/2026.5.1/dependencies/el9/openiamrepo.tar.gz --output openiamrepo.tar.gz
curl https://download.openiam.com/release/enterprise/2026.5.1/binaries/frontend.tar.gz --output frontend.tar.gz
curl https://download.openiam.com/release/enterprise/2026.5.1/binaries/backend.tar.gz --output backend.tar.gz
curl https://download.openiam.com/release/enterprise/infra/httpd-libs.tar.gz  --output httpd-libs.tar.gz
curl https://download.openiam.com/release/enterprise/2026.5.1/connectors/ldap-connector-rabbitmq.jar --output ldap-connector-rabbitmq.jar
```

{% endcode %}
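
The downloaded files cross at least one manual copy before they reach the offline server, so it helps to record their hashes where they were downloaded and check them again where they are installed. The script below is an added example, not part of OpenIAM's tooling; the manifest name `SHA256SUMS` and the script name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: integrity manifest for the offline bundle (not OpenIAM tooling).
set -eu

# File names from the download step on this page.
BUNDLE_FILES="openiam-2026.5.1.noarch.x86_64.rpm openiamrepo.tar.gz
frontend.tar.gz backend.tar.gz httpd-libs.tar.gz ldap-connector-rabbitmq.jar"
MANIFEST="SHA256SUMS"   # assumed manifest name, not defined by OpenIAM

# On the Internet-connected machine: sanity-check the downloads, then hash them.
make_manifest() (
  cd "$1" || exit 1
  for f in $BUNDLE_FILES; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; exit 1; }
    case "$f" in
      # An HTML error page saved under a .tar.gz name fails this test.
      *.tar.gz) gzip -t "$f" 2>/dev/null ||
                  { echo "not gzip data: $f" >&2; exit 1; } ;;
    esac
  done
  # Word splitting of the file list is intended here.
  sha256sum -- $BUNDLE_FILES > "$MANIFEST"
)

# On the offline server: every expected file must be listed and must match.
verify_manifest() (
  cd "$1" || exit 1
  [ -f "$MANIFEST" ] || { echo "manifest not found" >&2; exit 1; }
  for f in $BUNDLE_FILES; do
    awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' "$MANIFEST" ||
      { echo "not listed in manifest: $f" >&2; exit 1; }
  done
  sha256sum --check --strict --quiet -- "$MANIFEST"
)

# Usage: bundle-check.sh make|verify [directory]
case "${1:-}" in
  make)   make_manifest "${2:-.}" ;;
  verify) verify_manifest "${2:-.}" ;;
esac
```

Run `make` in the download directory, copy `SHA256SUMS` along with the files, and run `verify` in `/usr/local/openiam` before installing the RPM. The manifest detects corruption or substitution after the download; it does not by itself authenticate what the download server delivered.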
{% endstep %}

{% step %}

### Create directory and copy files

1. Create folder `/usr/local/openiam` on the server.
2. Copy the following files that were downloaded earlier to `/usr/local/openiam`:
   * backend.tar.gz
   * frontend.tar.gz
   * openiamrepo.tar.gz
   * httpd-libs.tar.gz

{% endstep %}

{% step %}

### Install RPM

Install from the RPM using the following command:

```shellscript
sudo rpm -i openiam-2026.5.1.noarch.x86_64.rpm
```

You will see output like the following:

{% code expandable="true" %}

```shellscript
openiam/
openiam/vault/
openiam/vault/openiam.cluster.policy.hcl
openiam/vault/openiam.policy.hcl
openiam/vault/secret.policy.hcl
openiam/vault/consul
openiam/vault/medusa
openiam/vault/vault
openiam/services/shutdown.sh
openiam/services/start_auth.sh
openiam/services/start_br.sh
openiam/services/start_device.sh
openiam/services/start_email.sh
openiam/services/start_esb.sh
openiam/services/start_groovy.sh
openiam/services/start_idm.sh
openiam/services/start_idp.sh
openiam/services/start_recon.sh
openiam/services/start_reportviewer.sh
openiam/services/start_sas.sh
openiam/services/start_selfservice.sh
openiam/services/start_selfservice_ext.sh
openiam/services/start_sync.sh
openiam/services/start_ui_static.sh
openiam/services/start_webconsole.sh
openiam/services/start_workflow.sh
openiam/OpenIAM-Base-Local.repo
openiam/env.conf
```

{% endcode %}

At this point the VM will reboot to initialize variables needed for stack components such as OpenSearch. If you don't want the VM to reboot now, you can use `shutdown -c` to cancel the reboot.
{% endstep %}

{% step %}

### Run initialization (`openiam-cli`)

Execute the initialization step with `openiam-cli`. During this step the system will install and configure the various components that make up OpenIAM. Follow the instructions on the screen.

```shellscript
sudo openiam-cli init
```

* The first question: `Does this box have Internet access? [y/n]`. Please enter `N`.
* You will be asked about installing MariaDB as a default database: `Would you like to install MariaDB RDBMS locally?` Answer `Y` to install local MariaDB (recommended for demo/POC or small production up to \~500 active users), otherwise answer `N`.

{% endstep %}

{% step %}

### MariaDB interactive setup (if selected)

If you answer `Y` for the MariaDB installation, the installer will prepare files and then prompt you for the following details:

* `Enter current password for root (enter for none):` → Press Enter
* `Set root password? [Y/n]` → Press `y` and Enter
* `New password:` → Type password for the `root` user (you will need it later)
* `Re-enter new password:` → Re-type the password
* `Remove anonymous users? [Y/n]` → Press `y` and Enter
* `Disallow root login remotely? [Y/n]` → Press `y` and Enter
* `Remove test database and access to it? [Y/n]` → Press `y` and Enter
* `Reload privilege tables now? [Y/n]` → Press `y` and Enter

Otherwise, continue from the previous step.
{% endstep %}

{% step %}

### Cassandra installation note

The installation will continue and Cassandra (as graph storage) will be installed. This may take 4–5 minutes. If you see the following exception during startup, you can ignore it — it’s due to Cassandra taking time to start:

{% code overflow="wrap" %}

```shellscript
error: No nodes present in the cluster. Has this node finished starting up?
-- StackTrace --
java.lang.RuntimeException: No nodes present in the cluster. Has this node finished starting up?
	...
Waiting for cassandra
```

{% endcode %}
{% endstep %}

{% step %}

### Critical configuration prompts

The installer will ask a number of questions. For most, a default value is provided. Sections that require input are marked in the console as:

<mark style="color:$primary;">=============== CRITICAL SECTION ===============</mark>

#### Create database schema accounts

OpenIAM creates two schemas by default: `openiam` and `activiti`. `openiam` is the primary schema and `activiti` stores workflow info. The installer first asks questions to create DB users for each schema.

|                                Question raised by the installer | Explanation                                                   |
| --------------------------------------------------------------: | ------------------------------------------------------------- |
|   Set OpenIAM username for schema `openiam`, default: `idmuser` | DB username for the `openiam` schema. Default: `idmuser`.     |
|   Set OpenIAM password for schema `openiam`, default: `idmuser` | Password for the `openiam` DB username. Default: `idmuser`.   |
| Set OpenIAM username for schema `activiti`, default: `activiti` | DB username for the `activiti` schema. Default: `activiti`.   |
| Set OpenIAM password for schema `activiti`, default: `activiti` | Password for the `activiti` DB username. Default: `activiti`. |
|     Set OpenIAM username for schema `groovy`, default: `groovy` | DB username for the `groovy` schema. Default: `groovy`.       |
| Set OpenIAM password for the `groovy` schema, default: `groovy` | Password for the `groovy` DB username. Default: `groovy`.     |

Example console output:

{% code overflow="wrap" expandable="true" %}

```shellscript
Database
Set OpenIAM username for schema 'openiam' , default: idmuser
Set OpenIAM password for schema 'openiam' , default: idmuser
Set OpenIAM username for schema 'activiti'., default: activiti
Set OpenIAM password for schema 'activiti'., default: activiti
Set OpenIAM username for schema 'groovy'., default: groovy
Set OpenIAM password for schema 'groovy'., default: groovy
Set OpenIAM password for RabbitMQ message broker, default: passwd00
Set OpenIAM password for Redis., default: passwd00
Set OpenIAM password for REdis Sentinel., default: passwd00
User to Access OpenSearch. If you don't change it on the OS server side, leave it as elastic, default: elastic
Password for elastic to access OpenSearch, default: VlyXHUBDuhgv6BTKjTz7TumtBZL8Zbmu
Please validate information below
```

{% endcode %}

#### Message broker password

OpenIAM uses RabbitMQ as the message broker. The installer will ask for a password.

```shellscript
Set OpenIAM password for RabbitMQ message broker, default: passwd00
```

#### Memory cache

OpenIAM uses Redis for in-memory caching. The installer will ask for a Redis password.

```shellscript
Set OpenIAM password for Redis., default: passwd00
```

If you want to use Redis with TLS select `y`, else select `n` (default) and proceed:

```shellscript
Do you want to enable TLS for Redis? (y/n): n
```

#### SMTP Credentials

Optional at this time. You can configure SMTP later.

```shellscript
Set SMTP username. You can change it later., default: none
Set SMTP password. You can change it later., default: none
```

At this point the installer has enough information to install: ElasticSearch, Redis, and RabbitMQ.
{% endstep %}

{% step %}

### Initialize database schema

Installer prompts related to schema initialization:

|                                                                                                                                Question raised by the installer |                                                                                                                                     Explanation |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------: | ----------------------------------------------------------------------------------------------------------------------------------------------: |
| Use default value if this is new installation. If you are doing an update, specify your current (before update) version here, like 4.1.11.0, default: `0.0.0.0` |                                                                      If this is an upgrade, provide the current version; if new, leave default. |
|                                                                                               This is the name of the OpenIAM core database. default: `openiam` |                                                                                                     Primary database schema; default `openiam`. |
|                                                                                          This is the name of the OpenIAM Activiti database. default: `activiti` |                                                                                                     Workflow engine schema; default `activiti`. |
|                                                                                               Possible values: MySQL, Postgres, MSSQL, Oracle. default: `MySQL` | Type of RDBMS you will use with OpenIAM. If using MariaDB/MySQL, leave blank. For PostgreSQL/Oracle/MSSQL use `postgres`, `oracle`, or `mssql`. |
|                                                                                              This is the name of the OpenIAM Groovy database. default: `groovy` |                                                                                                       Workflow/groovy schema; default `groovy`. |
|                                                                                      This is the hostname of where the Groovy database is, default: `localhost` |                                                                                                                     Hostname for the groovy DB. |
|                                                                                               This is the port of where the Groovy database is, default: `3306` |                                                                                          Port for the groovy DB (MariaDB/MySQL default `3306`). |
|                                                          Do you want to initialize OpenIAM schema and users? Super user (root) password will be required \[y/n] |                                   If `Y`, installer will create schemas and users. For Oracle/MSSQL it generates an SQL script to run manually. |
|                                                                                         Enter username for super user (for MySQL this is root), default: `root` |                                                                              Super user account with privileges to create schemas/users/tables. |
|                                                                                        Enter password for super user (`sa` or `root`, depending on the DB type) |                                                                                                            Password for the super user account. |
|                                Do you use AWS RDS MariaDB? If yes, make sure the RDS DB instance has the parameter `log_bin_trust_function_creators = 1` \[y/n] |                                                                                                        Select `N` if not using AWS RDS MariaDB. |
|                                                                                This is the hostname of where the OpenIAM core database is, default: `localhost` |                                                                                                            Hostname for the primary OpenIAM DB. |
|                                                                                         This is the port of where the OpenIAM core database is, default: `3306` |                                                                                                                Port for the primary OpenIAM DB. |
|                                                                                    This is the hostname of where the Activiti database is, default: `localhost` |                                                                                                                   Hostname for the Activiti DB. |
|                                                                                             This is the port of where the Activiti database is, default: `3306` |                                                                                                                       Port for the Activiti DB. |

The RPM installer will continue with initialization and apply SQL scripts required for startup. OpenIAM services will run automatically after initialization and show the current stack status. Startup usually takes about 6–10 minutes. You can view status using the command line tools described below.
{% endstep %}

{% step %}

### Copying files to remote server (scp example)

Use `scp [OPTION] [[user@]SRC_HOST:]file1 [[user@]DEST_HOST:]file2`

Example:

{% code overflow="wrap" expandable="true" %}

```shellscript
C:\Users\Asus>scp openiam-2026.5.1.noarch.x86_64.rpm root@10.*.*.*:/usr/local/openiam/
The authenticity of host '10.*.*.* (10.*.*.*)' can't be established.
ECDSA key fingerprint is SHA256:5pP7vxJnDzbQ+Xg1VANjSBYL7HboHyM4RqFKW4qHkPU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Warning: Permanently added '10.*.*.*' (ECDSA) to the list of known hosts.
root@10.*.*.*'s password:
* openiam-2026.5.1.noarch.x86_64.rpm   23%  133MB   1.4MB/s   05:12 ETA
```

{% endcode %}
{% endstep %}

{% step %}

### Install Prometheus & Grafana (optional)

To install monitoring (Prometheus + Grafana) select `y` during the init script:

```shellscript
Do you want to install Prometheus+Grafana stack for monitoring? [y/n]:y
```

In the last part of the init script, `nginx` will be installed and the `nginx` health check will wait for all OpenIAM services to come up.

Use `openiam-cli status monitor` from another console to view monitoring status.
{% endstep %}
{% endstepper %}


