Source: projects/identity-management/environments/sandbox-confluence-page.md
One Identity Manager Sandbox Environment
Purpose
This page documents the One Identity Manager sandbox environment used for personal lab work, colleague training, demos, and technical testing.
The sandbox runs One Identity Manager 10 with local target systems, a test mail sink, and monitoring. It can be hosted locally either as a VMware VM or as a Hyper-V VM using a VHDX disk.
Users and target systems such as HRSystem, OpenDJ, and Active Directory are based on or reused from the iamdemo environment hosted in the One Identity Skytap portal.
Environment Summary
| Item | Value |
|---|---|
| Hostname | IM |
| FQDN | im.sandbox.local |
| IP address | 192.168.178.146 |
| Windows domain | sandbox.local |
| Operating system | Windows Server 2025 |
| One Identity Manager version | 10 |
| Primary use | Personal lab, training, demos, and sandbox testing |
Credentials
The accounts below use the initial sandbox password:
OIMicc.c0m!
This is an initial lab password for this sandbox. Users may change it when they own or operate their local copy of the environment.
| Area | Username / Login | Password | Purpose |
|---|---|---|---|
| Windows / Active Directory | sandbox\administrator | OIMicc.c0m! | Domain administration, Windows administration, WinRM, AD changes. |
| One Identity Manager service account | sandbox\ser_oim | OIMicc.c0m! | OIM service and synchronization scenarios. |
| SQL Server | sa | OIMicc.c0m! | SQL Server administration for OneIM and HRSystem. |
| One Identity Manager | viadmin | OIMicc.c0m! | OIM administrator login. |
| OpenDJ LDAP | cn=Directory Manager | OIMicc.c0m! | OpenDJ LDAP administration. |
| Grafana | admin | OIMicc.c0m! | Grafana dashboard administration. |
| Mailpit | no authentication | n/a | Test mail web UI and API. |
Main Components
| Component | Purpose |
|---|---|
| Active Directory | Local domain sandbox.local; used as an AD target system for synchronization, account, and entitlement tests. |
| OpenDJ LDAP | LDAP target system for account and group synchronization tests. |
| Microsoft SQL Server | Hosts the One Identity Manager database and the HRSystem source database. |
| One Identity Manager Application Server | Backend and API access. |
| One Identity Manager Web Portal | End-user, approval, and IT Shop testing. |
| Mailpit | Local SMTP capture for OIM notification mail. |
| Prometheus | Metrics collection. |
| Grafana | Monitoring dashboard frontend. |
| windows_exporter | Windows host metrics endpoint for Prometheus. |
URLs and Network Ports
| Service | URL / Port |
|---|---|
| OIM Application Server status | https://im.sandbox.local/AppServer/#/status |
| OIM Application Server API base | https://im.sandbox.local/AppServer/api |
| OIM Web Portal | https://im.sandbox.local/ApiServer/html/qer-app-portal/#/ |
| Mailpit Web UI | http://im.sandbox.local:18025/ |
| Mailpit API | http://im.sandbox.local:18025/api/v1/messages |
| Grafana | http://im.sandbox.local:3000/ |
| Prometheus | http://im.sandbox.local:9090/ |
| windows_exporter metrics | http://im.sandbox.local:9182/metrics |
| Microsoft SQL Server | TCP 1433 |
| WinRM HTTP | TCP 5985 |
| WinRM HTTPS | TCP 5986 |
| SMB admin share | TCP 445 |
| OIM Job Server | TCP 1880 |
| OIM Synchronization Engine | TCP 2880 |
| OpenDJ LDAP plain | TCP 1389 |
| OpenDJ LDAP TLS | TCP 1636 |
The HTTPS services use sandbox certificates. Browser certificate warnings can occur depending on the workstation trust configuration.
Local Hosting Options
VMware
Use VMware when workstation resources and licensing are available.
| Item | Recommendation |
|---|---|
| Networking | Bridged or NAT networking that allows the workstation to resolve im.sandbox.local. |
| Addressing | Keep the VM IP stable or update DNS/hosts entries if it changes. |
| Restore point | Take snapshots before larger OIM changes, connector changes, or data resets. |
Hyper-V / VHDX
Use Hyper-V when the sandbox is provided as a VHDX-based VM.
| Item | Recommendation |
|---|---|
| VM generation | Use a Generation 2 VM unless the image requires otherwise. |
| Networking | Use a virtual switch that allows access from the host workstation. |
| Addressing | Keep hostname, domain, and IP assumptions aligned with this page. |
| Restore point | Create checkpoints before experiments that change target systems or OIM configuration. |
Target System Setup
Active Directory
| Item | Value |
|---|---|
| Domain | sandbox.local |
| Host | local on IM |
| Admin account | sandbox\administrator |
| OIM service account | sandbox\ser_oim |
| Lab object area | OU=OIM-Managed,DC=sandbox,DC=local |
The AD target system follows the iamdemo-style lab setup. It is used for identity synchronization, AD account provisioning, group entitlement tests, and IT Shop testing against AD-backed entitlements.
OpenDJ LDAP
| Item | Value |
|---|---|
| Product | OpenDJ |
| Writable suffix | dc=ldap,dc=com |
| Admin bind DN | cn=Directory Manager |
| Plain LDAP port | 1389 |
| TLS LDAP port | 1636 |
| Lab object area | ou=oim-managed,dc=ldap,dc=com |
OpenDJ is used as the LDAP target system for account provisioning, LDAP group synchronization, LDAP entitlement assignments, and comparison with AD target-system behavior.
HRSystem Database
| Item | Value |
|---|---|
| Database | HRSystem |
| Host | SQL Server on im.sandbox.local |
| Purpose | HR source system simulation |
HRSystem is the lab HR source database reused from the iamdemo-style environment. It is used for source identity import tests, HR-driven lifecycle scenarios, identity attribute changes, and synchronization demos.
One Identity Manager Database
| Item | Value |
|---|---|
| Database | OneIM |
| Host | SQL Server on im.sandbox.local |
| Product | One Identity Manager 10 |
The One Identity Manager database is the central product database for the sandbox.
Mailpit Setup
Mailpit is used as a local SMTP capture service. OIM notification mail is sent to Mailpit instead of leaving the lab.
| Item | Value |
|---|---|
| Web UI | http://im.sandbox.local:18025/ |
| API | http://im.sandbox.local:18025/api/v1/messages |
| Authentication | none |
| Purpose | Test mail capture for OIM notifications. |
Mailpit is a test-only mail sink. It is not configured for external mail delivery.
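One way to check that OIM notification mail is landing in Mailpit, as an added example rather than part of the sandbox's own tooling: it reads the unauthenticated message list API given above and reports captured recipients outside the lab. `LAB_DOMAINS`, the function names and the sample messages are constructed assumptions; the JSON field names follow Mailpit's message list response.

```python
import json
import urllib.request
from collections import Counter

MAILPIT_API = "http://im.sandbox.local:18025/api/v1/messages"  # URL from this page
LAB_DOMAINS = {"sandbox.local"}  # assumption: mail domains treated as lab-internal

def fetch_messages(url=MAILPIT_API, limit=50, timeout=5):
    """Return the message summaries Mailpit holds (the API needs no authentication)."""
    with urllib.request.urlopen(f"{url}?limit={limit}", timeout=timeout) as resp:
        return json.load(resp).get("messages", [])

def recipients(msg):
    """Yield every lower-cased To/Cc/Bcc address of one message summary."""
    for field in ("To", "Cc", "Bcc"):
        for rcpt in msg.get(field) or []:  # tolerate null instead of an empty list
            if rcpt.get("Address"):
                yield rcpt["Address"].lower()

def captured_external(messages, lab_domains=LAB_DOMAINS):
    """Count captured recipients per non-lab domain: mail that would have left the lab."""
    counts = Counter()
    for msg in messages:
        for addr in recipients(msg):
            domain = addr.rpartition("@")[2]
            if domain not in lab_domains:
                counts[domain] += 1
    return counts

def find_notifications(messages, recipient, subject_contains=""):
    """Return subjects of captured mail for one recipient, for use in a workflow test."""
    return [m.get("Subject", "") for m in messages
            if recipient.lower() in recipients(m)
            and subject_contains.lower() in m.get("Subject", "").lower()]

# Constructed sample in the shape of a Mailpit message list response (not real lab data).
SAMPLE = json.loads("""{"total": 3, "messages": [
 {"ID": "a1", "From": {"Name": "OIM", "Address": "oim@sandbox.local"},
  "To": [{"Name": "", "Address": "Approver1@sandbox.local"}], "Cc": null, "Bcc": [],
  "Subject": "Approval required: AD group request"},
 {"ID": "a2", "From": {"Name": "OIM", "Address": "oim@sandbox.local"},
  "To": [{"Name": "", "Address": "jane.doe@example.com"}],
  "Cc": [{"Name": "", "Address": "manager@example.com"}], "Bcc": [],
  "Subject": "Your request was granted"},
 {"ID": "a3", "From": {"Name": "OIM", "Address": "oim@sandbox.local"},
  "To": [{"Name": "", "Address": "jane.doe@example.com"}], "Cc": [], "Bcc": [],
  "Subject": "Password reset notification"}]}""")["messages"]

if __name__ == "__main__":
    msgs = SAMPLE  # replace with fetch_messages() when the sandbox is reachable
    print(captured_external(msgs))
    print(find_notifications(msgs, "jane.doe@example.com", "granted"))
```
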
Grafana, Prometheus, and windows_exporter
The sandbox includes Prometheus-based monitoring for the Windows VM and OIM-related services.
| Component | URL | Purpose |
|---|---|---|
| Grafana | http://im.sandbox.local:3000/ | Dashboard frontend. |
| Prometheus | http://im.sandbox.local:9090/ | Metrics storage and query API. |
| windows_exporter | http://im.sandbox.local:9182/metrics | Windows host metrics endpoint. |
Grafana dashboard:
OIM Environment Overview (Prometheus)
Typical monitoring data includes VM health, Windows service health, CPU, memory, disk usage, and endpoint availability.
One Identity Manager Setup, SDK, and MDK Locations
The VM keeps installation and developer resources under C:\Dev.
| Path | Description |
|---|---|
| C:\Dev\OneIdentityManager.10.0 | One Identity Manager 10 setup / installation media. |
| C:\Dev\OneIdentityManager.10.0\Modules\QBM\dvd\AddOn\SDK | One Identity Manager SDK. |
| C:\Dev\OneIM10.0.0-MDK\MDK | Module Developer Kit. |
| C:\Dev\OneIM10.0.0-MDK\MDK\OneIM_MDK_DeveloperGuide.pdf | MDK Developer Guide. |
Use these paths when installing OIM tools, reviewing shipped developer documentation, or preparing a local developer setup.