ForgeRock Full Stack Configuration

This blog post was first published @ www.fedji.com, included here with permission.

If you’re in a hurry to know what each of the ForgeRock Identity Platform Components is meant to do, try the Full Stack Configuration. In just over fifteen minutes, you’ll see:

– Installation of ForgeRock OpenDJ
– Deployment of ForgeRock OpenAM
– Configuration of OpenDJ as an Identity Repository in ForgeRock OpenAM
– Installation of ForgeRock OpenIDM
– Configuring OpenDJ as External Resource in OpenIDM
– Running a reconciliation in OpenIDM from OpenDJ
– Provisioning a User from OpenIDM to OpenDJ
– Using OpenAM as the Authentication Module for OpenIDM

With a much awaited weekend around the corner, I couldn’t really get over the laziness to create a better illustration than the one below to help visualize what’s mentioned above.


Please watch it, if you have some time. Enjoy!

Thanks: ForgeRock Product Documentation

Configuring Database Table Connector in ForgeRock OpenIDM 4

This blog post was first published @ www.fedji.com, included here with permission.

The video embedded below is quite straightforward. It demonstrates how to configure the Database Table Connector in ForgeRock OpenIDM 4 to provision and deprovision users in a database table (MySQL):

Enjoy!

Stream application logs to FireEye TAP using rSyslog File Monitoring

Introduction to FireEye TAP

The FireEye Threat Analytics Platform is a cloud-based solution that enables security teams to identify and effectively respond to cyber threats by layering enterprise-generated event data with real-time threat intelligence from FireEye. The platform increases the overall visibility into the threat landscape by leveraging the FireEye Threat Prevention Platforms’ rich insights into threat actor profiles and behavior. More details can be found here:

FireEye Threat Analytics Platform

Use Cases

The “Identity Explorer” concept addresses a business need: it lets administrators and case analysts review identity-related incidents across the enterprise. The ForgeRock-FireEye TAP based solution helps heighten the sense of security, especially around BYOD, such as new mobile device registrations.


A sample case for detecting fraudulent device registrations is documented here. This is a typical use case in which a user registers a new device, or logs in with a new device, from an unknown location; such a login is deemed fraudulent. The key to correctly detecting fraud in this case is knowing that the new location is not one the user would normally log in from.

Sample rSyslog Configuration

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# OpenAM authentication debug log
$InputFileName /home/ec2-user/openam12/openam/debug/Authentication
$InputFileTag debugAuth:
# The state file name must be unique for each file being polled
$InputFileStateFile stat-debugAuth12-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# OpenAM SSO access log
$InputFileName /home/ec2-user/openam12/openam/log/amSSO.access
$InputFileTag amSSO:
# Unique state file for this input
$InputFileStateFile stat-amSSO12-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Tomcat access log
$InputFileName /opt/demo/tomcat7b/bin/access.log
$InputFileTag tomcat7baccess:
# Unique state file for this input
$InputFileStateFile stat-tomcat7baccess12-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Template for file events: PRI, protocol version, program name, procid, msgid, message, newline
$template TAPFormatFile,"<%pri%>%protocol-version% %app-name% %procid% %msgid% %msg%\n"

# Send to TAP (the local communications broker, over TCP) then discard
if $programname == 'debugAuth' then @@127.0.0.1:516;TAPFormatFile
if $programname == 'amSSO' then @@127.0.0.1:516;TAPFormatFile
if $programname == 'tomcat7baccess' then @@127.0.0.1:516;TAPFormatFile

OpenAM Debug Logging

Enable debug logging for Category: Authentication in /openam/Debug.jsp

FireEye Communications Broker Setup

You set up proprietary FireEye software (the communications broker) on your Unix server; it listens on TCP port 516 and routes incoming data to the FireEye TAP servers.

Viewing Parsed Log Messages in TAP

Search for class:forgerock (this would be the name of your integration as agreed upon with FireEye), and for program:amauth. Other examples are program:amsso and program:ampolicy.

If parsing is working correctly, the TAP administrator will see messages corresponding to the program name show up. In this screenshot the client’s IP is hidden. The next step is to create ALERTS that key off certain field values parsed out of the logs.

Here is a sample alert for a user logging on from an unknown location:


The following screenshot shows a list of locations the user, User.120 has signed on from over the past month.


The logins from Tokyo, Frankfurt and Singapore could be deemed anomalous, and corresponding logs added to a new incident to investigate this behavior.

Here is the device information shown in TAP:

Here I show how logs from TAP can be added to a previously created, or new incident.

The analyst assigned to service the alert and incident would need to log into TAP and investigate using session parameters such as timestamp, device name and OpenAM server name, and possibly create a request to revoke or temporarily disable access for User.120 in OpenAM.

Modeling user behavior using OpenAM and Guardian Analytics

Guardian’s FraudMAP Access

A brief overview of Guardian’s flagship analytics engine is in order. A range of methods from malware to social engineering to phishing schemes plus combinations of these can be used by cyber criminals to defeat authentication and illegally access accounts. FraudMAP Access is able to detect the fraudster’s unexpected or suspicious activity when it occurs, as compared to the victim’s typical login behavior. FraudMAP Access models the normal behavior of every user or account holder, building and continually updating individual profiles against which all subsequent activity is compared to look for unusual activity. Powered by Guardian Analytics’ Dynamic Account Modeling™ technology, FraudMAP Access continually monitors the following parameters:

  1. Location from which the account is being accessed
  2. The device being used to access the account
  3. IP address
  4. Day of week and time of day
  5. Frequency patterns

From a regulatory standpoint, FraudMAP Access helps banks and credit unions conform to FFIEC guidance by meeting the minimum expectation for anomaly detection at login.

We are interested in the Login, Logout and DeviceRegistered events. The Login event is used to signal both login success and login failure. The Login event can also carry the device signature, creating a signal of user behavior that FraudMAP tracks on a per-user and per-session basis. The DeviceRegistered event registers a new device, using the uuid and signature created by OpenAM’s DevicePrint module.

Event Data

OpenAM is required to send the following bits of information to the FraudMAP SOAP endpoint:

BrowserPlugins, Cookie, CookiesEnabled, DeviceID, FontList, HTTPAccept, HTTPAcceptCharsets, HTTPAcceptEncoding, HTTPAcceptLanguage, HTTPClientIP, HTTPCookie, HTTPForwarded, HTTPForwardedFor, HTTPHost, HTTPLocation, HTTPProxy, HTTPReferer, HTTPRequestURI, HTTPVia, HTTPXClusterClientIP, HTTPXForwarded, HTTPXForwardedFor, HTTPXTrusteerRapport, ImmutableUserID, IPAddress, IPv6Address, JavaEnabled, LanguageBrowser, LanguageSystem, LanguageUser, Latitude, Longitude, OSPlatform, ScreenResolution, SessionID, SignOnID, TimeZoneOffset, UserAgentString, UserAgentStringDOM, UTCTimestamp

The ImmutableUserID is the key in this mapping process and defaults to the SignOnID, which is the username used to log into OpenAM. Due to privacy concerns, neither the immutable user id nor the sign-on id is sent in the clear; both are SHA1 hashed before being included in the SOAP payload.

OpenAM Configuration Overview

External User Repository

Create a new realm in OpenAM, call it “deviceid” for example. Associate a datastore such as an OpenDJ instance. Check the “Load schema when saved” checkbox. This will ensure the device fingerprint schema is added to the data store. We need this schema because the integration relies on the Device Save module.

Device (Id) Match and Save modules

For this integration the Device Id Match and Save modules in OpenAM can be used as-is; no customizations are necessary. Just ensure the OpenAM schema is loaded into the external user repository you configured for the “deviceid” realm.

Post Authentication Plugin

The HttpServletRequest object is passed into the PaP in the case of a login success and login failure. It contains the following sample data:

Header Name: host-> Header Value: http://<openam-server-hostname>:8080
Header Name: content-type-> Header Value: application/x-www-form-urlencoded
Header Name: origin-> Header Value: http://<openam-server-hostname>:8080
Header Name: cookie-> Header Value: JSESSIONID=496706A47350E1294B0B207E1D9A35B3; AMAuthCookie=AQIC5wM2LY4Sfcz8NstUlg1Chv-_gRP2s-Fj2ZHkPQDYTug.*AAJTSQACMDEAAlNLABMxMDY3MTM1NTMyODY1NTQyNjg4*; amlbcookie=01
Header Name: content-length-> Header Value: 979
Header Name: connection-> Header Value: keep-alive
Header Name: accept-> Header Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Header Name: user-agent-> Header Value: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14
Header Name: referer-> Header Value:  http://<openam-server-hostname>:8080/openam/UI/Login
Header Name: accept-language-> Header Value: en-us
Header Name: accept-encoding-> Header Value: gzip, deflate

The user-agent string could be used to detect the type of device used to login.

The value of IDToken0 is also passed into the post authentication module in a Map variable in the case of a login success and failure. A sample value would be:

{"screenWidth":1440,"screenHeight":900,"screenColourDepth":24,"timezone":420,"installedPlugins":"CitrixOnlineWebDeploymentPlugin.plugin;WebEx64.plugin;Default Browser.plugin;Flash Player.plugin;googletalkbrowserplugin.plugin;JavaAppletPlugin.plugin;o1dbrowserplugin.plugin;QuickTime Plugin.plugin;SharePointBrowserPlugin.plugin;;","installedFonts":"cursive;monospace;serif;sans-serif;fantasy;Arial;Arial Black;Arial Narrow;Arial Rounded MT Bold;Bookman Old Style;Century;Century Gothic;Comic Sans MS;Courier;Courier New;Georgia;Impact;Lucida Console;Monotype Corsiva;Papyrus;Tahoma;Times;Times New Roman;Trebuchet MS;Verdana;"}

The timezone value is the offset in minutes with the sign reversed (420 in the sample above, which corresponds to UTC-7). The post authentication module simply massages this value: it reverses the sign and converts minutes to hours.

In summary, we are able to send most of the information FraudMAP requires using the HttpServletRequest object and the IDToken0 value.
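The mapping described above, written out as an added example rather than the post author’s PaP (which is Java): it SHA1-hashes the SignOnID, converts the IDToken0 timezone, screen and font/plugin values, and renders the GAT:DeviceAttribute element in the shape of the captured payloads further down. The helper names, the constructed sample, the “mobile” device label and the separator normalisation are assumptions.

```python
"""Added example: map OpenAM DevicePrint (IDToken0) data to the FraudMAP
DeviceAttribute fields.  Not the post author's PaP code; helper names are
assumptions, field names and value formats follow the captured payloads."""
import hashlib
import json
import xml.etree.ElementTree as ET

GAT_NS = "http://www.guardiananalytics.com/APIDataTypes"

# Constructed sample: a trimmed IDToken0 value in the shape shown above.
SAMPLE_IDTOKEN0 = json.dumps({
    "screenWidth": 1440, "screenHeight": 900, "screenColourDepth": 24,
    "timezone": 420,
    "installedPlugins": "WebEx64.plugin;Flash Player.plugin;;",
    "installedFonts": "cursive;monospace;Arial;Verdana;",
})


def immutable_user_id(sign_on_id: str) -> str:
    """FraudMAP gets the SHA1 of the username (upper-case hex in the payload),
    so the SignOnID itself never leaves OpenAM in the clear."""
    return hashlib.sha1(sign_on_id.encode("utf-8")).hexdigest().upper()


def timezone_offset_hours(js_offset_minutes: int) -> str:
    """The browser reports minutes *west* of UTC (sign reversed); FraudMAP wants
    hours, so 420 -> "-7" and -330 -> "5.5".  0.0 - x avoids a "-0" for UTC."""
    return format(0.0 - js_offset_minutes / 60, "g")


def pipe_list(semicolon_list: str) -> str:
    """OpenAM joins fonts and plugins with ';'; the payload uses '| '.
    Assumption: empty entries from a trailing ';;' are dropped."""
    return "| ".join(item for item in semicolon_list.split(";") if item)


def device_type(user_agent: str) -> str:
    """Crude classification from the User-Agent header.  The page only shows
    'computer'; 'mobile' is an assumed label for handheld browsers."""
    ua = user_agent.lower()
    handheld = ("mobile", "android", "iphone", "ipad")
    return "mobile" if any(k in ua for k in handheld) else "computer"


def device_attributes(idtoken0: str) -> dict:
    """Translate the DevicePrint JSON into the GAT:DeviceAttribute fields.
    IDToken0 is client-supplied, so missing keys must not crash the PaP."""
    d = json.loads(idtoken0)
    depth = int(d.get("screenColourDepth", 0))
    height = int(d.get("screenHeight", 0))
    width = int(d.get("screenWidth", 0))
    return {
        "FontList": pipe_list(str(d.get("installedFonts", ""))),
        "BrowserPlugins": pipe_list(str(d.get("installedPlugins", ""))),
        "TimeZoneOffset": timezone_offset_hours(int(d.get("timezone", 0))),
        # The captured payload orders this as depth|height|width.
        "ScreenResolution": "%d|%d|%d" % (depth, height, width),
    }


def device_attribute_xml(idtoken0: str) -> str:
    """Render <GAT:DeviceAttribute>.  ElementTree escapes the text, so a
    crafted font or plugin name cannot inject markup into the event."""
    ET.register_namespace("GAT", GAT_NS)
    root = ET.Element("{%s}DeviceAttribute" % GAT_NS)
    for name, value in device_attributes(idtoken0).items():
        ET.SubElement(root, "{%s}%s" % (GAT_NS, name)).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(immutable_user_id("user.1"))
    print(device_attribute_xml(SAMPLE_IDTOKEN0))
```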

onLoginSuccess()

In the case of a successful login, we read the HttpServletRequest object and use a JSON parser to parse the IDToken0 value to extract the device signature.

onLoginFailure()

The logic here is very similar to onLoginSuccess(), with one difference. OpenAM does not usually send the accountState; however, the AMLoginContext class in OpenAM-Core can be customized to include the accountState (active, inactive or locked out) in the Map variable passed into this method. This is not necessary to achieve a successful integration, but I decided to do it to take advantage of the “LockedOut” and “UserAccessRestricted” events that FraudMAP accepts among the reasons for login failure.

onLogout()

We reused the logic from onLoginSuccess() to read the HttpServletRequest object but also checked if the logout was user initiated or was the result of a timeout. FraudMAP cares about the difference and it helps to build a more accurate model of user behavior.

Performance Note

OpenAM calls the PaP synchronously, so it is paramount that we keep the delay in creating and sending events to FraudMAP to a minimum. I created a new PostAuthHandler thread to create and fire the event inside each of the login, logout and login-failed methods in the PaP. The PostAuthHandler creates the SOAP message and uses org.apache.commons.httpclient.HttpClient to post the message to FraudMAP’s endpoint.

OpenAM Configuration

Create a new realm

Log into the console as “amadmin”. On the dashboard under the “Access Control” tab

  • Click on the “New..” button
  • Specify the Name as “deviceid”
  • Click OK

Configure the DataStore

  • Click on the deviceid realm, and then click on the “DataStore” tab
  • Delete the existing datastore, and click “New..”
  • Enter the name “DJ” and check the radio button for “OpenDJ”, hit Next
  • Setup the directory configuration details for your OpenDJ
  • Make sure to check “Load schema when saved” check box
  • Click on Save

Create and Configure the Module Instances and Authentication Chain

  • Click on the Authentication tab (OpenAM 12), or the Menu Item (OpenAM 13)
  • Click on “Module Instances”, and click “New” (OpenAM 12), or “Add Module” (OpenAM 13)
  • Create the match and save modules by selecting Device Id (Match) once and Device Id (Save) next

Module instances

  • Click on the match module instance and select the client-side and server-side scripts:


  • Specify “hotp” as the Name and select “HOTP” as type, Click OK
  • Click on the “hotp” module instance to edit its properties


  • Enter a valid gmail account in “Mail Server Authentication Username”
  • Enter a valid “Mail Server Authentication Password”, confirm it
  • Enter a valid “Email From Address”
  • Leave everything else as-is, and click “Save”
  • Chain the HOTP and Device module instances together as shown


Note that configuring the “match” module instance in Sufficient mode ensures that if an existing device fingerprint is found on the user profile, HOTP will not be triggered, since an acceptable device fingerprint was previously registered by the user.

Configure a new Post Authentication Class

  • Click on the Authentication tab
  • Click on “All Core Settings…”, and scroll down to “Post Authentication Processing”
  • Scroll down to “Authentication Post Processing Classes”
  • Add the full name of your PaP class, including the package prefix
  • Click on “Save” and click on “Back to Authentication”
  • Click on “Save” and click on “Back to Access Control”

Ensure users are loaded from DataStore

  • Click on the “deviceid” realm
  • Click on “Subjects”
  • You should see a list of users in your directory

Change test user’s phone number and email

  • Click on the test user, say user.1
  • Edit the phone number to your phone number
  • Edit the email address to your email address
  • This will ensure the SMS sent by the HOTP module arrives at your phone


Testing

Login to the realm

  • Browse to the url https://<openam-server.domain>/openam/XUI/#login/&realm=deviceid
  • Enter username and password, and login
  • You should see the following page, click on “Request OTP Code”


  • You will receive an SMS on your phone, enter it here and click “Submit OTP Code”

Confirm profile save

  • The Device Save module will ask you to confirm to add the device profile to list of trusted devices


  • Select “Yes” and click on “Log In”

Login to view your profile

At this point you will be taken to your user profile page, where you can manage all previously registered devices.


Under the hood

Device Registered

In this case, I logged in from a Linux virtual machine.

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body><addEvent xmlns="http://com.ga.collector.service/xsd"><requireRiskscore>false</requireRiskscore><serviceId>210057</serviceId><platformId>13</platformId><channel>OLBRetail</channel><payLoad><![CDATA[<?xml version="1.0" encoding="UTF-8"?><GAE:GAEvent xmlns:GAE="http://www.guardiananalytics.com/APIEvents" xmlns:GAET="http://www.guardiananalytics.com/APIEventTypes" xmlns:GAT="http://www.guardiananalytics.com/APIDataTypes"><GAE:DeviceRegistered><GAT:Common><GAT:SchemaVersion>2.00</GAT:SchemaVersion><GAT:TenantID>210057</GAT:TenantID><GAT:Channel>OLBRetail</GAT:Channel><GAT:ProviderEventName>DeviceRegistered</GAT:ProviderEventName></GAT:Common><GAT:RetailSession><GAT:ImmutableUserID>8FC62C1442CC32DAA50D5302E5C997080FB9D747</GAT:ImmutableUserID><GAT:SignOnID>8FC62C1442CC32DAA50D5302E5C997080FB9D747</GAT:SignOnID><GAT:UTCTimestamp>1399562334911</GAT:UTCTimestamp><GAT:IPAddress>127.0.0.1</GAT:IPAddress><GAT:UserAgentString>Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20131029 Firefox/17.0</GAT:UserAgentString><GAT:BrowserHeader><GAT:HTTPAcceptLanguage>en-US,en;q=0.5</GAT:HTTPAcceptLanguage><GAT:HTTPAcceptEncoding>gzip, deflate</GAT:HTTPAcceptEncoding><GAT:HTTPReferer>http://<openam-server.domain>:8080/openam/UI/Login</GAT:HTTPReferer><GAT:HTTPAccept>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</GAT:HTTPAccept></GAT:BrowserHeader></GAT:RetailSession><GAET:DeviceID>790498b4-0f32-4311-960a-629c70ab4424</GAET:DeviceID><GAET:DeviceType>computer</GAET:DeviceType></GAE:DeviceRegistered></GAE:GAEvent>]]></payLoad><key>8d9d0e4c11a19df474c24da34bc6d3c9fd2368ee</key></addEvent></env:Body></env:Envelope>

User Login

I logged in from a Mac using a different test user, which is why the hash of the ImmutableUserID differs from the previous example.

LoginStatus: Successful

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body><addEvent xmlns="http://com.ga.collector.service/xsd"><requireRiskscore>false</requireRiskscore><serviceId>210057</serviceId><platformId>13</platformId><channel>OLBRetail</channel><payLoad><![CDATA[<?xml version="1.0" encoding="UTF-8"?><GAE:GAEvent xmlns:GAE="http://www.guardiananalytics.com/APIEvents" xmlns:GAET="http://www.guardiananalytics.com/APIEventTypes" xmlns:GAT="http://www.guardiananalytics.com/APIDataTypes"><GAE:Login><GAT:Common><GAT:SchemaVersion>2.00</GAT:SchemaVersion><GAT:TenantID>xxxxxx</GAT:TenantID><GAT:Channel>OLBRetail</GAT:Channel><GAT:ProviderEventName>Login Attempt</GAT:ProviderEventName></GAT:Common><GAT:RetailSession><GAT:ImmutableUserID>B093FEED33DB091084355C1A464290EE6339A109</GAT:ImmutableUserID><GAT:SignOnID>B093FEED33DB091084355C1A464290EE6339A109</GAT:SignOnID><GAT:UTCTimestamp>1399392974892</GAT:UTCTimestamp><GAT:IPAddress>x.y.z.w</GAT:IPAddress><GAT:UserAgentString>Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14</GAT:UserAgentString><GAT:BrowserHeader><GAT:HTTPAcceptLanguage>en-us</GAT:HTTPAcceptLanguage><GAT:HTTPAcceptEncoding>gzip, deflate</GAT:HTTPAcceptEncoding><GAT:HTTPReferer>http://<openam-server.domain>:8080/openam/UI/Login</GAT:HTTPReferer><GAT:HTTPAccept>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</GAT:HTTPAccept></GAT:BrowserHeader><GAT:DeviceAttribute><GAT:FontList>cursive| monospace| serif| sans-serif| fantasy| Arial| Arial Black| Arial Narrow| Arial Rounded MT Bold| Bookman Old Style| Century| Century Gothic| Comic Sans MS| Courier| Courier New| Georgia| Impact| Lucida Console| Monotype Corsiva| Papyrus| Tahoma| Times| Times New Roman| Trebuchet MS| Verdana| </GAT:FontList><GAT:BrowserPlugins>CitrixOnlineWebDeploymentPlugin.plugin| WebEx64.plugin| Default Browser.plugin| Flash Player.plugin| 
googletalkbrowserplugin.plugin| JavaAppletPlugin.plugin| o1dbrowserplugin.plugin| QuickTime Plugin.plugin| SharePointBrowserPlugin.plugin </GAT:BrowserPlugins><GAT:TimeZoneOffset>-7</GAT:TimeZoneOffset><GAT:ScreenResolution>24|900|1440</GAT:ScreenResolution></GAT:DeviceAttribute></GAT:RetailSession><GAET:LoginStatus>Successful</GAET:LoginStatus></GAE:Login></GAE:GAEvent>]]></payLoad><key>65d67a6d0e87d771d5b843f148d9812d2ec95e10</key></addEvent></env:Body></env:Envelope>

LoginStatus: LockedOut

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body><addEvent xmlns="http://com.ga.collector.service/xsd"><requireRiskscore>false</requireRiskscore><serviceId>210057</serviceId><platformId>13</platformId><channel>OLBRetail</channel><payLoad><![CDATA[<?xml version="1.0" encoding="UTF-8"?><GAE:GAEvent xmlns:GAE="http://www.guardiananalytics.com/APIEvents" xmlns:GAET="http://www.guardiananalytics.com/APIEventTypes" xmlns:GAT="http://www.guardiananalytics.com/APIDataTypes"><GAE:Login><GAT:Common><GAT:SchemaVersion>2.00</GAT:SchemaVersion><GAT:TenantID>xxxxxx</GAT:TenantID><GAT:Channel>OLBRetail</GAT:Channel><GAT:ProviderEventName>Login Attempt</GAT:ProviderEventName></GAT:Common><GAT:RetailSession><GAT:ImmutableUserID>B093FEED33DB091084355C1A464290EE6339A109</GAT:ImmutableUserID><GAT:SignOnID>B093FEED33DB091084355C1A464290EE6339A109</GAT:SignOnID><GAT:UTCTimestamp>1399392974892</GAT:UTCTimestamp><GAT:IPAddress>x.y.z.w</GAT:IPAddress><GAT:UserAgentString>Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14</GAT:UserAgentString><GAT:BrowserHeader><GAT:HTTPAcceptLanguage>en-us</GAT:HTTPAcceptLanguage><GAT:HTTPAcceptEncoding>gzip, deflate</GAT:HTTPAcceptEncoding><GAT:HTTPReferer>http://<openam-server.domain>:8080/openam/UI/Login</GAT:HTTPReferer><GAT:HTTPAccept>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</GAT:HTTPAccept></GAT:BrowserHeader><GAT:DeviceAttribute><GAT:FontList>cursive| monospace| serif| sans-serif| fantasy| Arial| Arial Black| Arial Narrow| Arial Rounded MT Bold| Bookman Old Style| Century| Century Gothic| Comic Sans MS| Courier| Courier New| Georgia| Impact| Lucida Console| Monotype Corsiva| Papyrus| Tahoma| Times| Times New Roman| Trebuchet MS| Verdana| </GAT:FontList><GAT:BrowserPlugins>CitrixOnlineWebDeploymentPlugin.plugin| WebEx64.plugin| Default Browser.plugin| Flash Player.plugin| 
googletalkbrowserplugin.plugin| JavaAppletPlugin.plugin| o1dbrowserplugin.plugin| QuickTime Plugin.plugin| SharePointBrowserPlugin.plugin </GAT:BrowserPlugins><GAT:TimeZoneOffset>-7</GAT:TimeZoneOffset><GAT:ScreenResolution>24|900|1440</GAT:ScreenResolution></GAT:DeviceAttribute></GAT:RetailSession><GAET:LoginStatus>LockedOut</GAET:LoginStatus></GAE:Login></GAE:GAEvent>]]></payLoad><key>65d67a6d0e87d771d5b843f148d9812d2ec95e10</key></addEvent></env:Body></env:Envelope>

Note that this article was first published on the OpenAM Wiki Confluence site for OpenAM 11 (“OpenAM and Guardian Analytics using Device module”). The technical content has been adapted for OpenAM 13. Please let us know if we can improve it in any way.

How to boost OAuth2 performance in OpenAM 13

One of the unfortunate issues with OpenAM 13 is a performance problem when performing OAuth2 operations, namely OPENAM-8023. Whilst the underlying root cause appears to be a rather complex problem deep in the SMS framework, there is a quite simple but very effective way to work around this issue.

You’ll need to run the following ssoadm commands for all the realms (where you are using OAuth2):

$ openam/bin/ssoadm add-svc-realm -e  -s ScriptingService -u amadmin -f .pass -D file
$ openam/bin/ssoadm create-sub-cfg -s ScriptingService -g scriptConfigurations -u amadmin -f .pass -D file -e 

Common sense: Please note that you only need to run these commands on versions that are affected by OPENAM-8023.

Deploying a Highly Available ForgeRock Identity Management Solution

This blog post was first published @ www.fedji.com, included here with permission.

We have already discussed in this space the installation of the ForgeRock Identity Management solution and the configuration of a database as its repository. In those discussions, however, the critical components of the solution, namely ForgeRock OpenIDM 4 and the MySQL database, were each a Single Point of Failure. In an environment where business continuity is critical, we ought to build a solution that has no SPOF in the architecture, so that is the route I’m going to take you through today. Of course, this is only a hint, a way to understand the different options you might consider when configuring ForgeRock OpenIDM 4 for High Availability.

I have a rather simple example of an HA configuration, meant mainly for understanding and learning. In a sensitive infrastructure, a great deal of planning goes into building a Highly Available environment. So here is the small setup we have for learning:

ForgeRock OpenIDM 4 High Available Configuration

Two instances of ForgeRock OpenIDM 4 connect to a MySQL Proxy, which in turn talks to a MySQL Replication site. Of course, in this setup the MySQL Proxy is itself a SPOF, so you should have at least two of them in front of the MySQL Replication site. But had I attempted that, the whole thing would have looked a lot more complicated and would have defeated the objective of being a learning tool. So if you have just under half an hour to spare, you will learn:

– How to use MySQL Proxy
– How to setup MySQL Replication (Master/Slave)
– How to install OpenIDM 4
– How to configure OpenIDM 4 to use a MySQL Database as its Repository
– How to bring up an OpenIDM Cluster environment

Well, the final state is what you get to see in the illustrations above.

Now on to the video. Enjoy!