Installing Aginity Premium consists of accessing and setting up an environment based on an Ubuntu O/S or Red Hat Enterprise Linux (RHEL). You can either do this on an existing Ubuntu Server or set up a Virtual Machine that will host the shared catalog database and Team application server.
If you have not yet done so, download the software from here.
Once you register and download the software you can begin the installation process. Upon registration the software will automatically download. The software should be titled aginity-team-<version#>-amd64.deb.
Pre-Requisites and Getting to a Server
Aginity Premium is installed on an Ubuntu or RHEL Server or Virtual Machine environment. The machine Ubuntu or RHEL is installed on must meet the following requirements:
- Minimum 200 GB of disk workspace
- 4 CPU x 16GB RAM
- Running Ubuntu 18.04.2 LTS (Bionic Beaver) or RHEL version 8
- Must have network access to databases being connected to
- HTTPS certificate (company provided or self-signed)
Desktop requirements
- Chrome browser
- HTTPS access to the Team Server
Note
If you are trying to install an evaluation of the Aginity Team or just getting started
there are several options for accessing a server environment in which to install the
Aginity Team server.
- You can ask your IT representative who is responsible for server infrastructure if there is a Ubuntu Linux server or VM available to use.
- You can install it locally for trial purposes using personal virtualization software such as Parallels or an open source equivalent like Oracle VirtualBox.
If you would prefer, we are happy to schedule a free install for you. Please click on the link below to schedule that install.
Click here to schedule an install with an Aginity Consultant
The Installation Process
The following steps should be executed in order
Step 1: SSH into the Linux server as root, or log in as another user that has administrative rights and then sudo to root.
Note
In our case for documentation we are working with a Parallels Ubuntu 18.04 VM
and have an account called Parallels.
ssh <username>@<ip_address>
Step 2: SFTP the aginity-team-<version#>-amd64.deb file to the logged-in user's home directory. Below is a sample command to do that.
sftp <username>@<ip_address>
put aginity-team-<version#>-amd64.deb
exit
Step 3: Running the install
Issue the following command to initiate the install.
# on Ubuntu (the leading ./ makes apt-get treat the argument as a local file rather than a package name)
sudo apt-get install ./aginity-team-<version#>-amd64.deb
# on RHEL
sudo yum install aginity-team-<version#>-amd64.rpm
This image below is what you should see after the install is complete.

Note
We will generate an encryption key to ensure all information for connections and
your catalog are encrypted.
The installation will automatically generate that key and store it
in the /etc/aginity-team/service.conf file.
Step 4: Installing SSL certificate
You have a few options to add an SSL certificate to the application which are:
- Configuring Aginity Premium to use a keystore containing a certificate
- Importing an SSL certificate to default Aginity Premium's keystore
- Generating a self-signed certificate by executing a script provided as part of installation package
Configuring Aginity Premium to use external keystore
Note
Aginity Team supports keystore only in format PKCS12.
To add a keystore containing a certificate to be used by the application, you should set values of SERVICE_KEYSTORE_PATH, KEYSTORE_PASSWORD and CERTIFICATE_ALIAS in /etc/aginity-team/service.conf. Read section General Configuration Parameters to find more information about the 3 parameters.
Importing SSL certificate to default Aginity Premium keystore
If you already have an SSL certificate and the RSA private key used by the certificate, you may want to import the certificate into the default Aginity Team keystore, which is /etc/aginity-team/cacerts. The imported certificate has the alias aginity_cert in the Aginity keystore. Aginity Team supports importing certificates in PEM, DER and PKCS12 formats.
Warning
We strongly recommend that you change the password of the Aginity Premium’s keystore right after installation of the application. Default Aginity Premium’s keystore password is changeit.
The procedure of changing keystore password is as follows:
- Change the store password:
# this will change Aginity keystore password
sudo /opt/aginity-team/jre/bin/keytool -storepasswd -keystore /etc/aginity-team/cacerts
Enter keystore password: changeit
New keystore password: *new password*
Re-enter new keystore password: *new password*
- Set the value of KEYSTORE_PASSWORD in /etc/aginity-team/service.conf to new password.
To import SSL certificate run the following command:
# this will import certificate
sudo /opt/aginity-team/bin/import-ssl-certificate.sh
Generating self-signed certificate
The SSL certificate generation can be called using
# this will generate certificate
sudo /opt/aginity-team/bin/ssl-certificate-gen.sh
You will be asked for the following information
- First and last name
- Name of organization unit
- Name of organization
- Name of City or Locality
- Name of State or Province
- Name of Country code
- Finally when asked to “Enter key password for <aginity_cert> (RETURN if same as keystore password): ” press RETURN
Configuring Aginity Premium Server
You can adapt Aginity Premium Server to your needs by changing settings in /etc/aginity-team/service.conf and /etc/aginity-team/application.yml configuration files.
The service.conf file contains settings of a linux service running Aginity Premium. It is in a plain text file format. Here are the parameters in the /etc/aginity-team/service.conf file:
General Configuration Parameters
SERVICE_KEYSTORE_PATH
The path to a keystore file in format PKCS12. Aginity Premium generates this file when you run /opt/aginity-team/bin/ssl-certificate-gen.sh. To use your own keystore file, replace the default path with the path to your file.
Default: /etc/aginity-team/cacerts
KEYSTORE_PASSWORD
A password to the keystore file.
Default: changeit
CERTIFICATE_ALIAS
A keystore alias.
Default: aginity_cert
JVM_MEMORY_LIMIT
The value of JVM maximum heap size. The number has to be an integer. You should specify its value using one of the letters “m” or “M” for MB, or “g” or “G” for GB. Examples: 1024m, 1024MB, 12g, 12GB.
Default: 1024m
AGINITY_ENCRYPTION_KEY
The value of the encryption key which is used to encrypt H2 database used by the application. This value is generated by Aginity Team.
Note
We recommend that you copy the encryption key to a safe
place as you may need it to recover Aginity Team Server using a database backup.
AGINITY_CONFIG_PATH
The path to the application configuration yml-file. Do not change its value.
Default: /etc/aginity-team/application.yml
DB_PATH
The path to a directory to deploy Aginity Team’s H2 database in.
Default: /var/lib/aginity-team/
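The keystore warning and the parameters above imply two checks worth running after installation: that KEYSTORE_PASSWORD is no longer changeit, and that service.conf, which holds that password and AGINITY_ENCRYPTION_KEY, is not world-readable. The script below is an added example, not part of the Aginity package; it assumes service.conf stores one KEY=value pair per line, and conf_get and audit_service_conf are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not vendor code. Assumption: service.conf is KEY=value, one per line.

# Print the last uncommented value of KEY ($2) in FILE ($1), surrounding quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print one line per finding; the return status is the number of findings.
audit_service_conf() {
    conf=$1
    findings=0
    pw=$(conf_get "$conf" KEYSTORE_PASSWORD)
    # An unset key falls back to the documented default, so empty counts as "changeit".
    if [ -z "$pw" ] || [ "$pw" = "changeit" ]; then
        echo "FAIL KEYSTORE_PASSWORD is still the documented default (changeit)"
        findings=$((findings + 1))
    fi
    # The file holds the keystore password and the database encryption key in clear text.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FAIL $conf is world-readable; restrict it (for example chmod 600)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input (not taken from a real installation).
sample=$(mktemp)
cat > "$sample" <<'EOF'
SERVICE_KEYSTORE_PATH=/etc/aginity-team/cacerts
KEYSTORE_PASSWORD=changeit
CERTIFICATE_ALIAS=aginity_cert
AGINITY_ENCRYPTION_KEY=constructed-sample-key
EOF
chmod 644 "$sample"
audit_service_conf "$sample" || echo "findings: $?"
```

On a real server, call audit_service_conf /etc/aginity-team/service.conf as root.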
Configuring the YML Application File
Aginity Premium server can be customized through a number of settings in the /etc/aginity-team/application.yml file. It uses YAML format. Depending on your needs, Aginity Team can be configured to use either the embedded H2 database or a PostgreSQL database server. You may also want to change the TCP port the server accepts HTTP requests on, or integrate Aginity Team with external identity providers.
Note
YAML does not support tab characters for indentation.
You should use spaces for that.
For the reason of backward compatibility, some settings in application.yml use parameter expansions. The basic form of parameter expansion is ${parameter:-}. The parameter is a key from /etc/aginity-team/service.conf. You can replace any ${parameter:-} with your custom value. There are default values for some parameters in the configuration file:
${parameter:-defaultValue}
If parameter is unset in /etc/aginity-team/service.conf, the expansion of defaultValue is substituted. Otherwise, the value of the parameter is substituted.
Webserver Options
Server Options
server:
  port: ${SERVICE_PORT:-8080}
  publicUrl: ${PUBLIC_URL:-'http://localhost:8080'}
server.port
TCP port Aginity Team uses to accept HTTP requests.
Default: 8080
You may want to set up Aginity Team to listen on 443 to simplify the URL users use to access Aginity Team. In this case, the server section looks as follows:
server:
  port: 443
  publicUrl: https://my.example.com
server.publicUrl
publicUrl is a URL of a server running the Aginity Team. It is a public URL available outside your corporate network.
publicUrl has the following format {scheme}://{host}:{port} where {scheme} can be either http or https, {host} is hostname of the server running Aginity Team, {port} is TCP port Aginity Team is using.
Default: http://localhost:8080
Catalog Database Options
Database Options
database:
  # BEGIN H2 database configuration
  h2:
    dbFilePath: ${DB_PATH:-}
  # END H2 database configuration
  #
  # BEGIN PostgreSQL configuration
  #
  # This section is commented out by default since only one type of database could be enabled
  # to enable PostgreSQL, comment out the H2 database configuration section and uncomment the section below
  # postgres:
  #   user: {user}
  #   password: {password}
  #   jdbcUrl: jdbc:postgresql://{host}:{port}/{database_name}
  #   properties: # any properties specific to your JDBC driver:
  #     ssl: true # connect using SSL. SSL support must be enabled on the database server side.
  #     sslmode: require
  #
  # END PostgreSQL configuration
By default, Aginity Team installs an embedded H2 database to store application data. Another option is to use a PostgreSQL database. In this case, you have to deploy PostgreSQL server and create a database by yourself. Here is an example of the database section with enabled PostgreSQL database:
database:
  # BEGIN H2 database configuration
  # h2:
  #   dbFilePath: ${DB_PATH:-}
  # END H2 database configuration
  #
  # BEGIN PostgreSQL configuration
  #
  postgres:
    user: db_user
    password: db_password
    jdbcUrl: jdbc:postgresql://my.example.com:5432/aginity_team_database
    properties:
      ssl: true
      sslmode: require
  #
  # END PostgreSQL configuration
Note
Only one type of database could be enabled. To enable PostgreSQL, comment out the H2 database configuration section and uncomment the PostgreSQL configuration section.
database.h2.dbFilePath
The path to a directory to deploy Aginity Team’s H2 database in.
database.postgres.user
The database user.
database.postgres.password
The database user’s password.
database.postgres.jdbcUrl
The connection URL.
jdbcUrl has the following format jdbc:postgresql://{host}:{port}/{database_name} where {host} is the IP address or the hostname of the database server, {port} is TCP port the database server is listening, {database_name} is the name of Aginity Team database created by you.
database.postgres.properties
This section may contain any number of additional connection parameters which PostgreSQL JDBC driver supports. You can read about the jdbc driver parameters at jdbc.postgresql.org
Logging Options
logging Options
logging:
  pathToLogFile: ${PATH_TO_LOG_FILE:-/var/log/aginity-team}
  maxFilesCount: ${MAX_FILES_COUNT:-1}
  maxFileSize: ${MAX_FILE_SIZE:-100MB}
logging.pathToLogFile
The path to a directory to store application log files in.
Default: /var/log/aginity-team
logging.maxFilesCount
The maximum number of the log files the Aginity Team creates.
Default: 1
logging.maxFileSize
The maximum size of a log file. The number has to be an integer. You should specify its value using one of the letters ‘KB’, ‘MB’ or ‘GB’ after the number. Examples: 200KB, 35MB, 1GB.
Default: 100MB
Platform Options
This section is used to set up OAuth for the Snowflake databases. Please refer to the specific Snowflake section in the documentation Enabling Snowflake SSO.
Security Configuration Options
userDirectory Options
This section allows you to integrate Aginity Team with your LDAP system to import users, sync user information and delegate user authentication to LDAP server.
userDirectory:
  name: "LDAP Server"
  enabled: true
  serverSettings:
    host: ldapserver.example.com
    port: 389
    bindDN: cn=admin,dc=example,dc=com
    bindPassword: admin_password
    encryption: PLAIN
    verifyCertificates: false
    tlsOptions:
      trustStorePath: /path/to/trustStore/file
      trustStorePassword: my_password
      trustStoreType: PKCS12
  connectionRule:
    connectTimeout: 0
    responseTimeout: 0
  userSchema:
    baseDN: ou=users,dc=example,dc=com
    userFilter:
    usernameAttribute: uid
    firstNameAttribute: givenName
    lastNameAttribute: sn
    emailAttribute: mail
    searchScope: SUB_TREE
  sync:
    interval: 60
  groupSchema:
    baseDN: ou=groups,dc=company,dc=com
    groupFilter: (objectClass=groupOfUniqueNames)
    nameAttribute: cn
    descriptionAttribute: description
    searchScope: SUB_TREE
  membershipSchema:
    type: GROUP_LISTS_USERS
    groupMembersAttribute: uniqueMember # in case of GROUP_LISTS_USERS
    memberOfGroupsAttribute: memberOf # in case of USER_LISTS_GROUPS
userDirectory.name
A descriptive name of the LDAP connection.
userDirectory.enabled
Flag to indicate whether LDAP authentication is on or off.
userDirectory.serverSettings.host
The IP address or hostname of the LDAP server.
userDirectory.serverSettings.port
TCP port of the LDAP server.
userDirectory.serverSettings.bindDN
The distinguished name of the user that the application will use when connecting to the directory server. Example: cn=admin,dc=example,dc=com
userDirectory.serverSettings.bindPassword
The user password.
userDirectory.serverSettings.encryption
Type of connection encryption. Can be set to PLAIN, START_TLS or SIMPLE_TLS. START_TLS is the preferred option. START_TLS begins as a plaintext connection over the standard LDAP port (389), and that connection is then upgraded to SSL/TLS.
userDirectory.serverSettings.verifyCertificates
If set to true, Aginity Team verifies the certificate used for the SSL/TLS connection to the LDAP server. A Java truststore configured in userDirectory.serverSettings.tlsOptions is used to verify the certificate. If you use a self-signed certificate, you must import the certificate to the truststore before starting Aginity Team.
userDirectory.serverSettings.tlsOptions
Use this section to configure your java truststore that is used to verify the LDAP server certificate.
userDirectory.serverSettings.tlsOptions.trustStorePath
The path to the Java trust store where certificates are stored.
userDirectory.serverSettings.tlsOptions.trustStorePassword
The password to the java trust store.
userDirectory.serverSettings.tlsOptions.trustStoreType
The type of the trust store. The most common are JKS and PKCS12.
userDirectory.connectionRule.connectTimeout
Timeout in milliseconds for connection to LDAP server. 0 means no timeout.
userDirectory.connectionRule.responseTimeout
Timeout in milliseconds for response time from LDAP server. 0 means no timeout.
userDirectory.userSchema.baseDN
The root distinguished name (DN) to use when running queries against the directory server.
userDirectory.userSchema.userFilter
An LDAP search filter to be used when searching user objects from the LDAP server within the base DN. Example: “(&(objectCategory=Person)(sAMAccountName=*))”
userDirectory.userSchema.usernameAttribute
Defines which attributes on an LDAP user entry will be used as its username.
userDirectory.userSchema.firstNameAttribute
Defines which attributes on an LDAP user entry will be used as its first name.
userDirectory.userSchema.lastNameAttribute
Defines which attributes on an LDAP user entry will be used as its last name.
userDirectory.userSchema.emailAttribute
Defines which attributes on an LDAP user entry will be used as its email address.
userDirectory.userSchema.searchScope
Specify strategy to use when doing a search. Possible options: SUB_TREE (search request should be performed against the search base and all entries below), ONE (search request should be performed against entries that are immediate subordinates of the entry specified as the search base DN), BASE (search request should only be performed against the entry specified as the search base DN).
Sync settings
Allowed values are from 10 minutes to 43200 (30 days).
The default value is 60 minutes.
Group Schema settings
SUB_TREE (search request should be performed against the search base and all entries below),
ONE (search request should be performed against entries that are immediate subordinates of the entry specified as the search base DN),
BASE (search request should only be performed against the entry specified as the search base DN).
More info at https://ldapwiki.com/wiki/LDAP%20Search%20Scopes
Membership Schema settings
type
Membership strategy type to be used when matching users and groups from User Directory.
Possible values are:
GROUP_LISTS_USERS: Specifies whether the group entry in User Directory lists the users that belong to it
USER_LISTS_GROUPS: Specifies whether the user entry in User Directory lists the groups that they belong to.
groupMembersAttribute
Required if type is GROUP_LISTS_USERS.
Group's entry attribute name which specifies the users that belong to it.
Example: uniqueMember
memberOfGroupsAttribute
Required if type is USER_LISTS_GROUPS.
User's entry attribute name which specifies the groups that a user or a group belongs to. Example: memberOf
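The sample userDirectory section above uses encryption: PLAIN with verifyCertificates: false, while the parameter descriptions name START_TLS as the preferred option and tie certificate verification to the truststore in tlsOptions. The script below is an added example, not part of the Aginity package, that flags those settings in an application.yml; ldap_get and audit_ldap are hypothetical helper names, the parsing is line-based rather than a full YAML parser, and an unset encryption value is assumed to mean no TLS.

```sh
#!/bin/sh
# Added example, not vendor code: check the userDirectory transport settings.

# Print the scalar value of KEY ($2) inside the top-level userDirectory block of FILE ($1).
# Line-based on purpose (no YAML parser needed); only meant for one-word values.
ldap_get() {
    awk -v key="$2" '
        /^[^ \t#]/ { in_block = ($1 == "userDirectory:"); next }
        in_block && $1 == (key ":") { sub(/[ \t]+#.*$/, ""); print $2; exit }
    ' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_ldap() {
    yml=$1
    findings=0
    [ "$(ldap_get "$yml" enabled)" = "true" ] || return 0   # LDAP integration is off
    enc=$(ldap_get "$yml" encryption)
    verify=$(ldap_get "$yml" verifyCertificates)
    store=$(ldap_get "$yml" trustStorePath)
    case $enc in
        START_TLS|SIMPLE_TLS) ;;
        *)  echo "FAIL encryption=${enc:-unset}: LDAP binds, including bindPassword, are not encrypted"
            findings=$((findings + 1)) ;;
    esac
    if [ "$verify" != "true" ]; then
        echo "FAIL verifyCertificates=${verify:-unset}: the LDAP server certificate is not verified"
        findings=$((findings + 1))
    elif [ ! -r "$store" ]; then
        echo "FAIL trustStorePath=${store:-unset} is not a readable file; verification needs it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample mirroring the page's userDirectory example (PLAIN, no verification).
weak=$(mktemp)
cat > "$weak" <<'EOF'
server:
  port: 443
userDirectory:
  name: "LDAP Server"
  enabled: true
  serverSettings:
    host: ldapserver.example.com
    port: 389
    encryption: PLAIN            # value from the page's sample
    verifyCertificates: false
    tlsOptions:
      trustStorePath: /path/to/trustStore/file
EOF
audit_ldap "$weak" || echo "findings: $?"
```

Run it as root or as the service user so the truststore readability check reflects what the server itself can read.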
Starting Aginity Team Server
Prior to starting the Aginity Premium server you must create the administrator username and password.
You can do this by running the team-create-super-user.sh script in the /opt/aginity-team/bin/ directory on the server.
# this will create a user with the administrator role
sudo /opt/aginity-team/bin/team-create-super-user.sh
Step 5: You are now ready to start Aginity Premium
We use the following commands to start Aginity Premium in the background and with logging turned on.
sudo systemctl start aginity-team
You can check if Aginity Premium is running by issuing this command
sudo systemctl status aginity-team
Accessing Aginity Premium for the First Time
Step 6: Open a browser and navigate to https://<ip or team server name>:<server port>/login. You will see the following image
- Enter credentials you used to create the administrator to enter the application.
Step 7: Register and Apply License Key
When you open the application it will ask you to register the software and then you will be asked to apply the license key.

If it does not ask for the license key you can click on Help -> Register again and the license key box should pop open as shown below.

Note
It is imperative that all users be created with valid business email addresses.
Send the link to the team to any new user along with their username/password combination.
Stopping Aginity Premium Services
Log in as the team user and issue the following command
sudo systemctl stop aginity-team
# check to see if it is stopped using
sudo systemctl status aginity-team