Account Management Deployment Overview
note
Account Management API is now deprecated and we recommend that you use Account Management functionality built into Elastic Path Commerce 8.2 and later.
Elastic Path Account Management deployment needs the following software components and its dependencies deployed and provisioned:
- Account Management API: Helix REST API service that performs logical operations of Account Management service. The REST API service includes a developer tool kit, Admin studio for debugging and development of Account Management APIs.
- Account Management user interface: The user interface for managing accounts in Elastic Path Account Management.
- Keycloak: An open source identity and access management service to authenticate users that use Account Management user interface, store front, or other touch points.
- MySQL server: Storage of the Account Management data.
Prerequisites
Before deploying Elastic Path Account Management service:
- Ensure that you have access to the build artifact file,
account-management-2.2.x.zip
, at the Elastic Path Public Nexus repository.
Additional Prerequisites Deploying to AWS
- Ensure that Elastic Path Commerce 7.5.0 or later version is deployed with Elastic Path CloudOps for AWS (Amazon Web Services) 3.3.x.
- Ensure that the domain names for storefronts that utilize Account Management functionality are available.
Requirements
Docker
A computer with Docker installed, for building docker images.
JWT RS256 private and public key pair
A key pair is required to enable secure communication between Elastic Path Commerce and the Account Management service. Elastic Path recommends using openssl
to generate the key. However, you can use any mechanism to generate the RS256 key.
Encode the private key in the following sequence:
The following command generates an example private and public key pair in the format required by the Account Management service and Elastic Path Commerce:
#Create temp directory
TMPDIR=$(mktemp -d --suffix=encryption-key)
#Generate JWT Key in PKCS8 format
openssl genpkey -out $TMPDIR/jwtRS256.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
#Generate Public Key in PEM format
openssl rsa -in $TMPDIR/jwtRS256.key -pubout -outform PEM -out $TMPDIR/jwtRS256.key.pub
#Output format
echo "
AM_AUTH_JWT_PRIVATE_KEY=$(cat $TMPDIR/jwtRS256.key | grep -v "^----" | tr -d "\n")
AM_AUTH_JWT_PUBLIC_KEY=$(cat $TMPDIR/jwtRS256.key.pub | grep -v "^-----" | tr -d "\n")
"
# Delete keys from disk
rm $TMPDIR/jwtRS256.key $TMPDIR/jwtRS256.key.pub
# Delete directory
rmdir $TMPDIR
note
The default Docker Compose deployment includes an example JWT key pair in the environment variables. You must not use the example key in production.
Additional Requirements Deploying to AWS
New DNS records
- A DNS record for accessing the Account Management user interface. The primary entry point and landing page for the users. This domain name is visible to end-users.
- A DNS record for accessing the Account Management API. The Hypermedia REST endpoints that are used by the user interface, store fronts, and touchpoints. Developers and system administrators can access the Account Management studio using this domain name.
- A DNS record for accessing Keycloak. This domain name is visible to all users and is used to manage user logins.
SSL certificates
Three SSL Certificates For the Account Management user interface, Account Management API, and Keycloak.
SMTP-compatible server
Users must receive e-mails from Keycloak to create accounts. You can use email services, such as Amazon SES (Simple Email Service), and configure the name and the e-mail address to use when sending e-mails to the buyer divisions.
MySQL compatible server
For Account Management data storage. Elastic Path supports the following services:
- MySQL 5.7 on Amazon RDS (Relational Database Service)
- Amazon Aurora RDS (MySQL 5.6-compatible)
A computer connected to the MySQL server with Liquibase 3.5.5 and the MySQL connector 8.0.13 for initializing the schema using Liquibase. You can use a local machine or a hosted machine within AWS.