Standalone Deployment


The Standalone installation enables you to deploy the PlainID Policy Authorization Agent (PAA) directly on a virtual machine or local server, without Kubernetes. This setup is suited for smaller environments, isolated deployments, or scenarios that require more control over local resources.

This guide walks you through the full installation process — from preparing the host system and configuring environment variables, to enabling SSL and upgrading to newer versions. Follow the steps in order to ensure a smooth deployment and proper configuration.


Prerequisites

Before installing, create a dedicated system user for managing the PAA installation.

  1. Create the plainid user and set its password:

         useradd plainid -U
         passwd plainid

  2. Create the installation folder (for example /opt/plainid):

         mkdir /opt/plainid

  3. Set up permissions by opening the sudoers configuration file:

         sudo visudo

     In the sudoers configuration file, add the following under the root entry:

         plainid ALL=(ALL) NOPASSWD:ALL

     This entry lets the plainid account run any command as any user without a password, so protect that account as you would root.

  4. Save and exit, then run:

         sudo chown -Rf plainid:plainid /opt/plainid

Installation Guide

  1. Export the following environment variables. Edit the init/aliases file and add:

         export PLAINID_HOME=PATH # The plainid-paa folder path (or unzip to /opt/plainid)
         export JAVA_HOME=PATH_TO_JDK # Location of the Java JDK; optional, only if using a custom JDK
         export CLIENT_SECRET_KEY=YOUR_AUTH_SECRET # Found under Hybrid Agent Keys
         export TENANT_ID=YOUR_TENANT_ID # Found under Hybrid Agent Keys
         export PAA_ID=YOUR_PAA_ID # Found under Policy Authorization Agents

  2. Source the aliases file:

         source init/aliases

  3. Start the application:

         start_plainid_paa

  4. Check the status:

         pid_status

Logs are located in the /logs folder.


Aliases

| Alias | Description |
| --- | --- |
| start_plainid_paa | Starts the PAA services |
| stop_plainid_paa | Stops the PAA services |
| pid_status | Displays component health/status |

Default Ports

| Service Name | Server Port | Management Port |
| --- | --- | --- |
| Runtime | 8010 | 8010 |
| PlainID-Agent | 8761 | 8082 |
| PIP-Operator | 8083 | 8089 |
| IDP-Webhook | 8020 | 8020 |
| Secrets-mgmt | 8072 | 8077 |

Runtime SSL Configuration

  1. Convert the private key and certificate to PKCS12 format:

         openssl pkcs12 -export \
           -in "combined.pem" \
           -inkey "privkey.pem" \
           -out "certtemp.p12" -passout pass:"plainid" \
           -name "plainid"

  2. Create a Java keystore using keytool:

         $JAVA_HOME/bin/keytool -importkeystore \
           -srckeystore "certtemp.p12" -srcstoretype PKCS12 \
           -srcstorepass "plainid" \
           -destkeystore "keystore.jks" \
           -deststorepass "plainid" \
           -destkeypass "plainid" \
           -alias "plainid"

  3. Export the SSL environment variables:

         export HTTP_SSL_ENABLED=true
         export HTTP_SSL_KEYSTORE_PATH="./keystore.jks"
         export HTTP_SSL_KEYSTORE_PASSWORD=plainid
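
A preflight check for the variables set in the Installation Guide and Runtime SSL Configuration steps above, as an added example that is not part of the PlainID distribution. The names paa_preflight and PAA_PROBLEMS, the owner-only expectation for the aliases file, and treating the keystore password plainid as a sample value to replace are assumptions of this example.

```shell
#!/bin/sh
# Added example (not PlainID code): preflight for the variables this guide exports.
# Usage: . init/aliases && paa_preflight init/aliases
# Sets PAA_PROBLEMS to the number of findings; returns 0 only when there are none.

_paa_fail() {
    echo "FAIL: $1"
    PAA_PROBLEMS=$((PAA_PROBLEMS + 1))
}

paa_preflight() {
    aliases_file=$1
    PAA_PROBLEMS=0

    # Required variables must be set and must not still hold the guide's placeholders.
    for name in PLAINID_HOME CLIENT_SECRET_KEY TENANT_ID PAA_ID; do
        eval "value=\${$name-}"   # names come from the fixed list above, never from input
        case $value in
            '') _paa_fail "$name is not set" ;;
            PATH|YOUR_AUTH_SECRET|YOUR_TENANT_ID|YOUR_PAA_ID)
                _paa_fail "$name still holds a placeholder value" ;;
        esac
    done

    # The aliases file holds CLIENT_SECRET_KEY in clear text, so expect owner-only
    # access (assumption of this example). Characters 5-10 of the ls mode string
    # are the group and other permission bits.
    if [ -f "$aliases_file" ]; then
        mode=$(ls -ld "$aliases_file" | cut -c5-10)
        [ "$mode" = "------" ] ||
            _paa_fail "$aliases_file is accessible to group/other ($mode)"
    else
        _paa_fail "aliases file '$aliases_file' not found"
    fi

    # With SSL enabled, the keystore must exist and its password must be set and
    # must not be the value printed in the guide (treated here as a sample).
    if [ "${HTTP_SSL_ENABLED-}" = "true" ]; then
        [ -f "${HTTP_SSL_KEYSTORE_PATH-}" ] ||
            _paa_fail "keystore '${HTTP_SSL_KEYSTORE_PATH-}' not found"
        case ${HTTP_SSL_KEYSTORE_PASSWORD-} in
            '') _paa_fail "HTTP_SSL_KEYSTORE_PASSWORD is empty" ;;
            plainid) _paa_fail "HTTP_SSL_KEYSTORE_PASSWORD is the guide's sample value" ;;
        esac
    fi

    [ "$PAA_PROBLEMS" -eq 0 ]
}
```

Run it after sourcing the aliases file and before start_plainid_paa; each finding is printed on its own line.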

Additional Runtime Configuration

UUID Attribute Type Support

export RUNTIME_SUPPORT_UUID_ASSET_ATTRIBUTE=true
export RUNTIME_SUPPORT_UUID_IDENTITY_ATTRIBUTE=true

Include IP and Time in Cache Key

export RUNTIME_INCLUDE_IP_HEADER_IN_SCOPE_CACHE_KEY=false
export RUNTIME_INCLUDE_REQUEST_TIME_IN_SCOPE_CACHE_KEY=false

Secret Management Integration

The secrets-mgmt service is not enabled by default. To enable secret fetching, configure the following Runtime parameters:

| Attribute | Environment Variable | Default Value | Description |
| --- | --- | --- | --- |
| enableSecretsFetching | ENABLE_SECRETS_FETCHING | false | Enables secret retrieval from a secret store |
| secretsProvider.connection.url | SECRETS_LIST_URL | http://127.0.0.1:8072/1.0/secrets/list | URL to the secret-mgmt service. Update this value to match your deployment URL or IP. |

To connect to the Secrets Management service, add the following configuration blocks in both the Agent and PIP-Operator application.yaml files (under their respective conf directories):

Redis Configuration

spring:
  redis:
    username: ${REDIS_USER:}

Secrets Management Configuration

secretMgmtClient:
  url: ${SECRET_MGMT_CLIENT_URL:http://127.0.0.1:8072/1.0/secrets/list}
  apiClient:
    timeoutSeconds: ${SECRET_MGMT_CLIENT_API_CLIENT_TIMEOUT_SECONDS:30}
  cacheManager:
    durationSeconds: ${SECRET_MGMT_CLIENT_CACHE_MANAGER_DURATION_SECONDS:3600}

System Requirements

| Item | Minimum Requirement |
| --- | --- |
| OS | RHEL 8 |
| CPU | 8 Core |
| RAM | 16 GB |
| Disk Space | 20 GB |

Increase RAM, CPU, and disk space for heavy workloads or large cache requirements.


Troubleshooting

Error: -bash: ../plainid/**/bin/**.sh: Permission denied

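Solution:
Run the following command inside the PlainID folder and retry:

find . -type f -exec chmod 755 {} +

This makes every file under the folder executable and world-readable, including any file that holds secrets, such as the aliases file with CLIENT_SECRET_KEY or a keystore kept there, so restrict those files to the plainid owner afterwards.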

Upgrading to a New Version

Minor Upgrades (2.x → 5.x)

Version 5.x introduces time-based versioning but no breaking changes.

  1. Stop the running PAA: stop_plainid_paa
  2. Delete the existing directory
  3. Source the new alias file
  4. Reconfigure environment variables (Tenant ID, PAA ID, etc.)
  5. Start the new version: start_plainid_paa

Major Upgrades (1.x → 2.x)

Major version upgrades introduce breaking changes and require manual steps.

  1. Stop the PAA
  2. Delete the old directory
  3. Load the new alias file
  4. Set environment variables (Tenant ID, PAA ID, etc.)
  5. Start the new PAA

Remote API URL change:

| Parameter | Old Value | New Value |
| --- | --- | --- |
| remoteApi | https://remote.us1.plainid.io/ or https://remote.eu1.plainid.io/ | wss://remote.us1.plainid.io/wstunnel or wss://remote.eu1.plainid.io/wstunnel |

Conclusion

The Standalone deployment provides a straightforward, fully controlled way to run the PAA outside Kubernetes environments. By following this guide, you can deploy, secure, and maintain your PAA instance while maintaining flexibility for future scaling or integration with secret management and monitoring tools.

