OpenAthens LA support ended on 31 March 2020


Skip to end of metadata
Go to start of metadata

Before installing the OpenAthens LA runtime you should consider the following to ensure a swift and easy installation process. You may also want to check for any known issues or basebuild updates.


You will need a dedicated sub-domain of one of your organisation’s domains - idp is a popular choice, e.g.

If you are using the proxy module, you will need a subdomain for that too, e.g: You can set up the proxy during installation or later - see activating the proxy server function.

System requirements

Our pre-built virtual machine images ship with typical system requirements. If you are expecting to use the proxy module, you may want to increase those at installation time.

For a runtime server with no configured proxy module, the typical settings are usually sufficient:

  • 2GB RAM
  • 10GB free hard-disk space

For a runtime server with the proxy enabled:

  • 4GB RAM plus an extra 1GB for every 100 configured proxy sites
  • 10GB free hard-disk space

In both cases, if you are a large or busy site, say over 20,000 active users, you may want to increase RAM or allow additional hard disk space for statistics and other logs; or consider running additional runtimes behind a load balancer.

Operating System requirements

If you intend to use your own servers to run OpenAthens LA:

The runtime server and administration console are available as 32bit binaries for Red Hat Enterprise Linux 6 and its derivatives (e.g. CentOS). They have not yet been officially tested on RHEL / CentOS 7.

The administration console server is built on Java so is additionally available as a Windows installer for Server 2008 and later (can also run on Vista and later desktops).

Browser requirements

Whilst we do not actively test with anything but the latest versions of Chrome, Firefox and the last couple of versions of Internet Explorer, the login page uses simple HTML and should work well with almost any browser released in the last decade. If you choose to customise the runtime's login templates you should run your own browser compatibility tests.


The Runtime server will need at least one SSL certificate signed by a recognised CA. An existing wildcard certificate can be used if you have one - e.g. *

If you are using the proxy module, you will also need a wildcard certificate covering sub-domains below the proxy's own sub domain - e.g. *


The runtime will need an external IP address that connects or nats to it and a relevant DNS entry - e.g.

If you are using the proxy it will need its own IP and DNS entry, ideally a wildcard for the common name that will resolve back to the IP address of the proxy, e.g. resolves both AND * to the relevant IP.


Our pre-built images already have all the required ports open but your network will still need to be configured to pass traffic to and from them. If you are using the Proxy Module then it is possible that some of the sites you may want to proxy will be available through ports that are not open as part of the standard configuration, and you may need to open ports externally. 

Ports used by the runtime (not including custom proxy configurations):

  • 80, 443 (login pages, metadata)
  • 389, 3268 (LDAP / ActiveDirectory)
  • 22 (SSH access & publishing configurations from the administration console)
  • 5051 (statistics reporting to the administration console)
  • 123 (NTP)

Network diagram

Next steps:


  • No labels