System Prep
Amazon Linux 2 is yum-based and based on a fork of RHEL 7. It is older than the other Tier 1 distros and has end-of-support scheduled for June 2026; new deployments should prefer AL2023 or RHEL 8/9.
1.1 Update the system
sudo yum update -y
sudo reboot
1.2 Install EPEL via amazon-linux-extras
sudo amazon-linux-extras install -y epel
sudo yum update -y
1.3 Install required utilities
sudo yum install -y unzip wget curl jq net-tools vim bash-completion tar lsof telnet
1.4 Firewall: use Security Groups
Same approach as AL2023: manage inbound at the EC2 Security Group level. Open ports 8080, 8070, 8071, 8072, 6379, 5672, 15672 in the IDP instance’s SG, restricting the source to your administrative CIDR or to the SGs of hosts that actually need them. Redis is set up without a password and RabbitMQ ships with guest/guest (see the values below), so 6379, 5672 and 15672 in particular must not be reachable from 0.0.0.0/0.
1.5 SELinux
AL2 ships SELinux in permissive mode by default. Confirm it:
getenforce
If this prints Enforcing, switch to permissive with sudo setenforce 0 (the fix referenced under Common issues). setenforce does not survive a reboot; to persist the setting, set SELINUX=permissive in /etc/selinux/config. In permissive mode denials are still logged to /var/log/audit/audit.log but are not blocked.
Database
PostgreSQL 16 on Amazon Linux 2 requires the PGDG EL-7 repository, as AL2 is RHEL 7-derived.
2.1 Add the PGDG repository
sudo yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
2.2 Install PostgreSQL 16
sudo yum install -y postgresql16-server postgresql16 postgresql16-contrib
2.3 Initialise and start
sudo /usr/pgsql-16/bin/postgresql-16-setup initdb
sudo systemctl enable --now postgresql-16
2.4 Create the miniOrange database and user
sudo -u postgres psql <<'SQL'
-- Password123 is a placeholder: use a strong, unique password here and in the wizard.
CREATE USER moadmin WITH PASSWORD 'Password123';
CREATE DATABASE miniorangedb OWNER moadmin;
ALTER USER moadmin WITH SUPERUSER;
SQL
2.5 Switch authentication to md5
The sed below rewrites the IPv4 and IPv6 loopback host lines in pg_hba.conf from ident to md5 so the wizard can log in with a password. If those lines already read scram-sha-256 rather than ident, the sed matches nothing; scram-sha-256 is the stronger method and can stay.
sudo sed -i -E 's/^(host\s+all\s+all\s+(127\.0\.0\.1\/32|::1\/128)\s+)ident/\1md5/' \
/var/lib/pgsql/16/data/pg_hba.conf
sudo systemctl restart postgresql-16
2.6 Verify
PGPASSWORD=Password123 psql -h 127.0.0.1 -U moadmin -d miniorangedb -c '\l'
Values for the /initialize wizard
| Field | Value |
|---|---|
| Database Type | PostgreSQL |
| Host | 127.0.0.1 |
| Port | 5432 |
| Database name | miniorangedb |
| Username | moadmin |
| Password | Password123 |
MySQL 8.4 LTS on Amazon Linux 2. Derived from the MySQL community RPM repository.
2.1 Add the MySQL community repository
sudo yum install -y https://dev.mysql.com/get/mysql84-community-release-el7-1.noarch.rpm
sudo yum clean all && sudo yum makecache
2.2 Install MySQL 8.4
sudo yum install -y mysql-community-server mysql-community-client
sudo systemctl enable --now mysqld
2.3 Retrieve the temporary root password
sudo grep 'temporary password' /var/log/mysqld.log
2.4 Secure the installation
sudo mysql_secure_installation
2.5 Create the miniOrange database and user
mysql -u root -p <<'SQL'
-- Password123 is a placeholder: use a strong, unique password here and in the wizard.
CREATE DATABASE miniorangedb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'moadmin'@'localhost' IDENTIFIED BY 'Password123';
-- 'moadmin'@'%' permits logins from any host; omit it when MySQL runs only on this
-- host, since the wizard connects via 127.0.0.1.
CREATE USER 'moadmin'@'%' IDENTIFIED BY 'Password123';
GRANT ALL PRIVILEGES ON miniorangedb.* TO 'moadmin'@'localhost';
GRANT ALL PRIVILEGES ON miniorangedb.* TO 'moadmin'@'%';
FLUSH PRIVILEGES;
SQL
2.6 Place the MySQL JDBC driver (derived)
sudo mkdir -p /opt/miniorange/drivers
cd /tmp
sudo wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-8.4.0-1.el7.noarch.rpm
sudo yum install -y ./mysql-connector-j-8.4.0-1.el7.noarch.rpm
sudo cp /usr/share/java/mysql-connector-j-8.4.0.jar /opt/miniorange/drivers/
Values for the /initialize wizard
| Field | Value |
|---|---|
| Database Type | MySQL |
| Host | 127.0.0.1 |
| Port | 3306 |
| Database name | miniorangedb |
| Username | moadmin |
| Password | Password123 |
Microsoft SQL Server 2022 on Amazon Linux 2 is not officially supported by Microsoft. AL2 is RHEL 7-derived, but Microsoft’s RHEL 7 packages stopped at MSSQL 2019. The RHEL 8 repo cannot be coaxed onto AL2 because of glibc version differences.
What works today
- MSSQL 2019 can be installed using the Microsoft RHEL 7 repo (packages.microsoft.com/config/rhel/7/). The IDP supports MSSQL 2017+, so this is a viable downgrade path.
- MSSQL 2022 requires a different host. Run MSSQL on RHEL 8/9, SLES 15, or Ubuntu 20.04/22.04, and on this AL2 IDP host place only the JDBC driver.
MSSQL 2019 on AL2 (partial)
sudo curl -o /etc/yum.repos.d/mssql-server.repo \
https://packages.microsoft.com/config/rhel/7/mssql-server-2019.repo
sudo curl -o /etc/yum.repos.d/msprod.repo \
https://packages.microsoft.com/config/rhel/7/prod.repo
sudo yum install -y mssql-server
sudo ACCEPT_EULA=Y yum install -y mssql-tools18 unixODBC-devel
sudo /opt/mssql/bin/mssql-conf setup
sudo systemctl enable --now mssql-server
JDBC-driver-only path (remote MSSQL 2022)
sudo mkdir -p /opt/miniorange/drivers
cd /tmp
sudo curl -L -o mssql-jdbc.tar.gz \
https://download.microsoft.com/download/8/c/d/8cdfd87a-1684-4731-91a9-2ba182c8b0ad/sqljdbc_12.6.4.0_enu.tar.gz
sudo tar -xzf mssql-jdbc.tar.gz
sudo cp sqljdbc_12.6/enu/jars/mssql-jdbc-12.6.4.jre11.jar /opt/miniorange/drivers/
Values for the /initialize wizard
| Field | Value |
|---|---|
| Database Type | MSSQL |
| Host | 127.0.0.1 or <remote-mssql-host> |
| Port | 1433 |
| Database name | miniorangedb |
| Username | moadmin |
| Password | Password123! |
Oracle Database 19c on Amazon Linux 2 is not officially supported by Oracle. The OL7 preinstall RPM works in practice because AL2 is RHEL 7-derived, but Oracle’s matrix does not list AL2.
Recommended path: run Oracle on a separate host
Install Oracle on an OL8 or RHEL 8 EC2 instance using the Oracle Linux 8 → Oracle runbook, then on this AL2 IDP host install only the Instant Client + JDBC driver. The pattern matches the Ubuntu 22.04 → Oracle (Instant Client) page.
If you must run Oracle locally (partial)
The preinstall command below passes --nogpgcheck, which skips RPM signature verification; the safer option is to import Oracle’s OL7 GPG key from yum.oracle.com with rpm --import and drop the flag.
sudo yum install -y \
https://yum.oracle.com/repo/OracleLinux/OL7/latest/x86_64/getPackage/oracle-database-preinstall-19c-1.0-3.el7.x86_64.rpm \
--nogpgcheck
Download oracle-database-ee-19c-*.el7.x86_64.rpm from Oracle (login required), then:
cd /opt
sudo yum localinstall -y oracle-database-ee-19c-*.el7.x86_64.rpm
sudo /etc/init.d/oracledb_ORCLCDB-19c configure
The post-configure steps (env vars, PDB open, listener, moadmin user, JDBC driver placement) are identical to the Oracle Linux 8 → Oracle page.
Values for the /initialize wizard
| Field | Value |
|---|---|
| Database Type | Oracle |
| Host | 127.0.0.1 or <remote-oracle-host> |
| Port | 1521 |
| SID / Service | Service |
| Service Name | ORCLPDB1 |
| Username | moadmin |
| Password | Password123 |
Erlang + RabbitMQ
RabbitMQ requires Erlang. On Amazon Linux 2, install both from the official RabbitMQ RPM releases on GitHub, using the el7 builds. Both commands below pass --nogpgcheck, which skips RPM signature verification; the safer option is to import the RabbitMQ release signing key (published in the rabbitmq/signing-keys GitHub repository) with rpm --import and drop the flag so yum verifies the packages.
3.1 Install Erlang 26 (el7 build)
sudo yum install -y \
https://github.com/rabbitmq/erlang-rpm/releases/download/v26.2.5.2/erlang-26.2.5.2-1.el7.x86_64.rpm \
--nogpgcheck
3.2 Install RabbitMQ 3.13.7 (el7 build)
sudo yum install -y \
https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.13.7/rabbitmq-server-3.13.7-1.el7.noarch.rpm \
--nogpgcheck
3.3 Enable and start the service
sudo systemctl enable --now rabbitmq-server
3.4 Enable the management plugin
sudo rabbitmq-plugins enable rabbitmq_management
sudo systemctl restart rabbitmq-server
3.5 Verify
sudo rabbitmqctl status
sudo ss -tulnp | grep 5672
Values for the /initialize wizard
| Field | Value |
|---|---|
| RabbitMQ Host | 127.0.0.1 |
| AMQP Port | 5672 |
| Mgmt UI Port | 15672 |
| Default Login | guest / guest |
mo-installer
The miniOrange installer bundles Java 17 and Redis. You don’t install either manually. The installer auto-detects the OS and deploys the IDP services into /opt/tomcat/.
4.1 Download the installer
cd /opt
sudo wget https://miniorange.s3.us-east-1.amazonaws.com/public/installers/mo-installer-5.0.0.zip
sudo unzip mo-installer-5.0.0.zip -d mo-installer-5.0.0
cd /opt/mo-installer-5.0.0
ls -la
You should see:
.env.sh Environment configuration (review before sourcing)
mo-installer.sh Main installer script
moctl/ moctl CLI and bash completion
4.2 Review and source the environment file
less .env.sh
source .env.sh
Note. In v5.0.0, .env.sh does not contain database connection details. The DB connection is configured later through the browser UI at /initialize. Source the file as-is.
4.3 Set execute permissions
sudo chmod +x mo-installer.sh moctl/*.sh
4.4 Run the installer
sudo bash mo-installer.sh
Watch the output for failures. The installer covers:
- Java 17 — installed automatically
- Redis — installed and configured automatically
- moctl — installed to /usr/bin/moctl with tab completion
- IDP services — deployed to /opt/tomcat/
At the end of the run, the installer will print:
Next step: moctl service start
4.5 Start the four core services
moctl service start
The core services start in this order:
| Service | Port | Purpose |
|---|---|---|
| configserver | 8071 | Configuration |
| eurekaserver | 8070 | Service registry |
| gatekeeper | 8072 | API gateway |
| miniorange | 8080 | Main IDP service |
4.6 Check service status
moctl service status
Only the four core services should be active at this point. Secondary services start after initialisation.
| Symbol | Meaning |
|---|---|
| ● running | Active and registered in Eureka |
| △ registering | Active but not yet registered; wait and recheck |
| △ stopped | Inactive |
| ✗ failed | Failed; check moctl log <service> |
4.7 Open /initialize in a browser
https://<SERVER_IP>/initialize
You will see a self-signed certificate warning. Proceed past it.
Enter the values from the Database section above, the RabbitMQ values from Section 3, and the Redis values set up by the installer (Redis: 127.0.0.1:6379, no password by default).
After the wizard completes, the dashboard loads. Navigate to Settings → Base URL and set it to your final domain:
https://<your-domain>
4.8 Restart all services
This step starts the secondary services that depend on the completed schema.
moctl service restart
Wait 1–2 minutes for everything to register, then verify in the next section.
Verify & Service Enablement
Confirm everything is running and registered. All commands here come from the source v5.0.0 guide.
5.1 Full service status
moctl service status
Every service should show ● running or ● reachable. If anything shows △ registering, wait 30 seconds and re-run.
5.2 Full diagnostics
moctl diagnose
Expected output includes:
Database connectivity reachable
Redis reachable
RabbitMQ reachable
5.3 Individual service status
systemctl status mo-idp-miniorange.service
systemctl status redis
systemctl status rabbitmq-server
5.4 Check all bound ports
sudo ss -tulnp | egrep '8080|8070|8071|8072|6379|5672'
For your DB:
| DB | Port |
|---|---|
| PostgreSQL | 5432 |
| MySQL | 3306 |
| MSSQL | 1433 |
| Oracle | 1521 |
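A bound port is not the whole story: Redis runs without a password and RabbitMQ ships with guest/guest, so those ports should listen on loopback only. The function below, an added check that is not part of the v5.0.0 guide, reads `ss -tulnp` output and flags sensitive ports bound on all interfaces; the sample `ss` output is constructed.

```shell
# Added check (not from the v5.0.0 guide): report sensitive ports that listen on
# all interfaces rather than loopback. Redis has no password and RabbitMQ uses
# guest/guest by default, so neither should face the network.
SENSITIVE_PORTS="6379 5672 15672 5432 3306 1433 1521"

# Reads `ss -tulnp` output on stdin; prints the exposed ports, space-separated.
exposed_ports() {
    awk -v ports="$SENSITIVE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $5                          # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)  # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)
            wild = (host == "0.0.0.0" || host == "[::]" || host == "*")
            if ((port in want) && wild && !(port in seen)) {
                seen[port] = 1
                out = (out == "") ? port : (out " " port)
            }
        }
        END { print out }
    '
}

# Constructed sample of `ss -tulnp` output on an IDP host after section 4.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1201,fd=6))
tcp   LISTEN 0      128    0.0.0.0:5672       0.0.0.0:*         users:(("beam.smp",pid=1340,fd=21))
tcp   LISTEN 0      1024   0.0.0.0:15672      0.0.0.0:*         users:(("beam.smp",pid=1340,fd=22))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=980,fd=7))
tcp   LISTEN 0      100    *:8080             *:*               users:(("java",pid=1500,fd=40))'

# Live use on the host: sudo ss -tulnp | exposed_ports
printf '%s\n' "$SAMPLE_SS" | exposed_ports   # prints: 5672 15672
```

Anything the function prints should either be moved to a loopback bind or be covered by an SG rule restricted to trusted sources.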
5.5 Preflight
moctl pre checks Java, the DB, Redis, and RabbitMQ reachability in one go.
moctl pre
Quick moctl reference
| Command | Purpose |
|---|---|
| moctl service start | Start all services in order |
| moctl service stop | Stop all services in reverse order |
| moctl service restart | Full ordered restart |
| moctl service restart miniorange | Restart one named service |
| moctl log <service> -f | Live tail logs |
| moctl log <service> --since 1h | Logs from the past hour |
| moctl system memory | Per-service RSS memory |
| moctl jvm <service> | Heap, threads, open file descriptors |
| moctl diagnose ports | Check that core ports are bound |
Common issues
Issue: △ registering after a minute.
The service started but hasn’t completed its handshake with Eureka. Check the gatekeeper log:
moctl log gatekeeper --since 5min
Issue: PostgreSQL peer authentication failed.
You modified pg_hba.conf but didn’t restart. Run sudo systemctl restart postgresql-16.
Issue: SELinux denials in audit.log.
You skipped section 1.5. Run sudo setenforce 0 and re-check with getenforce.
Issue: Tomcat stale PID after a crash.
sudo rm -f /opt/tomcat/latest/temp/*.pid
moctl service restart miniorange