Account Management Deployment Overview
Note: Account Management API is now deprecated and we recommend that you use Account Management functionality built into Elastic Path Commerce 8.2 and later.
An Elastic Path Account Management deployment needs the following software components and their dependencies deployed and provisioned:
- Account Management API: Helix REST API service that performs logical operations of Account Management service. The REST API service includes a developer tool kit, Admin studio for debugging and development of Account Management APIs
- Account Management user interface: The user interface for managing accounts in Elastic Path Account Management
- Keycloak: An open source identity and access management service to authenticate users that use Account Management user interface, store front, or other touch points
- MySQL server: Storage of the Account Management data
Prerequisites
Before deploying Elastic Path Account Management service:
- Ensure that you have access to the build artifact file, account-management-1.0.0.zip, at the Elastic Path Public Nexus repository
- Ensure that Elastic Path Commerce 7.4.1 or a later version is deployed with Elastic Path CloudOps for AWS (Amazon Web Services) 3.2
- Elastic Path Commerce must be running with User ID mode 3. This setting value, COMMERCE/SYSTEM/userIdMode, can be viewed and edited from Elastic Path Commerce Manager
- Ensure that the domain names for storefronts that will utilize Account Management functionality are available
Requirements
New DNS records
- For accessing the Account Management user interface
  - The primary entry point and landing page for the users. This domain name is visible to end-users
- For accessing the Account Management API
  - The Hypermedia REST endpoints that are used by the user interface, store fronts, and touch points. This domain name is not typically visible to users, but developers and system administrators may access Account Management studio using this domain name
- For accessing Keycloak
  - This service is responsible for handling login of all users, and so the domain name will be visible to users
SSL certificates
Three SSL certificates: for the Account Management user interface, Account Management API, and Keycloak.
SMTP-compatible server
To create accounts, users must receive e-mails that are sent by Keycloak. You may use a service like Amazon SES (Simple Email Service). You must configure the name and the e-mail address to use when sending e-mails to the buyer divisions.
MySQL compatible server
For Account Management data storage. Elastic Path supports the following services:
- MySQL 5.7 on Amazon RDS (Relational Database Service)
- Amazon Aurora RDS (MySQL 5.6-compatible)
A computer connected to the MySQL server with Liquibase 3.5.5 and the MySQL connector 8.0.13
For initializing the schema using Liquibase. You can use a local machine or a hosted machine within AWS.
Docker
A computer with Docker installed, for building Docker images.
JWT RS256 private and public key pair
A key pair to enable secure communication between Elastic Path Commerce and the Account Management service. Elastic Path recommends using openssl to generate the key. However, you can use any mechanism to generate the RS256 key. The private key must be in PKCS #8 format.
For example, the following command generates a private and public key pair in the format required for Account Management and Commerce:
# Create a temporary directory (mktemp -d creates it with mode 0700).
# KEY_DIR is used rather than TMPDIR so the shell's own TMPDIR setting is not overwritten.
KEY_DIR=$(mktemp -d --suffix=encryption-key)
# Generate the RSA private key for JWT signing in PKCS #8 format
openssl genpkey -out "$KEY_DIR/jwtRS256.key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048
# Derive the public key in PEM format
openssl rsa -in "$KEY_DIR/jwtRS256.key" -pubout -outform PEM -out "$KEY_DIR/jwtRS256.key.pub"
# Print both keys as single-line base64 values with the PEM header and footer lines removed
echo "
AM_AUTH_JWT_PRIVATE_KEY=$(grep -v "^-----" "$KEY_DIR/jwtRS256.key" | tr -d "\n")
AM_AUTH_JWT_PUBLIC_KEY=$(grep -v "^-----" "$KEY_DIR/jwtRS256.key.pub" | tr -d "\n")
"
# Delete the keys from disk
rm "$KEY_DIR/jwtRS256.key" "$KEY_DIR/jwtRS256.key.pub"
# Delete the directory
rmdir "$KEY_DIR"
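To check the two printed values before they go into the deployment configuration, the following added example (not part of Elastic Path's documentation or code) parses the header-less base64 values with the Python standard library and confirms that the private key is PKCS #8 RSA, that the public key belongs to it, and that the modulus is at least 2048 bits. The function names and the `min_bits` default are assumptions of this example.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split a SEQUENCE body into (tag, value) pairs
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items

def rsa_modulus(b64_value, private):
    """Return the RSA modulus held in a header-less base64 key value."""
    tag, body, _ = read_tlv(base64.b64decode(b64_value, validate=True))
    items = children(body) if tag == 0x30 else []
    if private:
        # PKCS #8: INTEGER version, SEQUENCE algorithm, OCTET STRING key (PKCS #1 has INTEGER second)
        if len(items) < 3 or items[1][0] != 0x30 or items[2][0] != 0x04:
            raise ValueError("private key is not PKCS #8")
        algorithm, inner, index = items[1][1], items[2][1], 1
    else:
        # SubjectPublicKeyInfo: SEQUENCE algorithm, BIT STRING key
        if len(items) != 2 or items[0][0] != 0x30 or items[1][0] != 0x03:
            raise ValueError("public key is not SubjectPublicKeyInfo")
        algorithm, inner, index = items[0][1], items[1][1][1:], 0
    if children(algorithm)[:1] != [(0x06, RSA_OID)]:
        raise ValueError("key algorithm is not RSA")
    fields = children(read_tlv(inner)[1])  # RSAPrivateKey or RSAPublicKey fields
    return int.from_bytes(fields[index][1], "big")

def check_key_pair(private_b64, public_b64, min_bits=2048):
    """Return the modulus size in bits; raise ValueError if a check fails."""
    modulus = rsa_modulus(private_b64, private=True)
    if modulus != rsa_modulus(public_b64, private=False):
        raise ValueError("public key does not match private key")
    if modulus.bit_length() < min_bits:
        raise ValueError("RSA modulus is shorter than %d bits" % min_bits)
    return modulus.bit_length()
```

Pass the values of AM_AUTH_JWT_PRIVATE_KEY and AM_AUTH_JWT_PUBLIC_KEY as the two arguments; a key exported in PKCS #1 form (the body of a `BEGIN RSA PRIVATE KEY` PEM file) is rejected with "private key is not PKCS #8".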