
Start Here / ForgeRock Identity Platform 6.5

Latest update: 6.5.2

David Goldsmith
Shankar Raman

ForgeRock AS.
201 Mission St., Suite 2900
San Francisco, CA 94105, USA
+1 415-599-1100 (US)

www.forgerock.com


Copyright © 2018-2019 ForgeRock AS.

Abstract

Introduction to using ForgeRock's DevOps artifacts for cloud deployments.

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

ForgeRock® and ForgeRock Identity Platform™ are trademarks of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries. Trademarks are the property of their respective owners.

UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.

EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

DejaVu Fonts

Bitstream Vera Fonts Copyright

Copyright (c) 2003 by Bitstream, Inc. All Rights Reserved. Bitstream Vera is a trademark of Bitstream, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of the fonts accompanying this license ("Fonts") and associated documentation files (the "Font Software"), to reproduce and distribute the Font Software, including without limitation the rights to use, copy, merge, publish, distribute, and/or sell copies of the Font Software, and to permit persons to whom the Font Software is furnished to do so, subject to the following conditions:

The above copyright and trademark notices and this permission notice shall be included in all copies of one or more of the Font Software typefaces.

The Font Software may be modified, altered, or added to, and in particular the designs of glyphs or characters in the Fonts may be modified and additional glyphs or characters may be added to the Fonts, only if the fonts are renamed to names not containing either the words "Bitstream" or the word "Vera".

This License becomes null and void to the extent applicable to Fonts or Font Software that has been modified and is distributed under the "Bitstream Vera" names.

The Font Software may be sold as part of a larger software package but no copy of one or more of the Font Software typefaces may be sold by itself.

THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL BITSTREAM OR THE GNOME FOUNDATION BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE FONT SOFTWARE.

Except as contained in this notice, the names of Gnome, the Gnome Foundation, and Bitstream Inc., shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Font Software without prior written authorization from the Gnome Foundation or Bitstream Inc., respectively. For further information, contact: fonts at gnome dot org.

Arev Fonts Copyright

Copyright (c) 2006 by Tavmjong Bah. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of the fonts accompanying this license ("Fonts") and associated documentation files (the "Font Software"), to reproduce and distribute the modifications to the Bitstream Vera Font Software, including without limitation the rights to use, copy, merge, publish, distribute, and/or sell copies of the Font Software, and to permit persons to whom the Font Software is furnished to do so, subject to the following conditions:

The above copyright and trademark notices and this permission notice shall be included in all copies of one or more of the Font Software typefaces.

The Font Software may be modified, altered, or added to, and in particular the designs of glyphs or characters in the Fonts may be modified and additional glyphs or characters may be added to the Fonts, only if the fonts are renamed to names not containing either the words "Tavmjong Bah" or the word "Arev".

This License becomes null and void to the extent applicable to Fonts or Font Software that has been modified and is distributed under the "Tavmjong Bah Arev" names.

The Font Software may be sold as part of a larger software package but no copy of one or more of the Font Software typefaces may be sold by itself.

THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL TAVMJONG BAH BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE FONT SOFTWARE.

Except as contained in this notice, the name of Tavmjong Bah shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Font Software without prior written authorization from Tavmjong Bah. For further information, contact: tavmjong @ free . fr.

FontAwesome Copyright

Copyright (c) 2017 by Dave Gandy, https://fontawesome.com/.

This Font Software is licensed under the SIL Open Font License, Version 1.1. See https://opensource.org/licenses/OFL-1.1.


Start Here ForgeRock Identity Platform 6.5 (2020-05-07) Copyright © 2018-2019 ForgeRock AS. All rights reserved. iii

Table of Contents

Take Stock of Your Readiness Level .......... iv
Introducing the CDK and CDM .......... iv
Try Them Out .......... v
Build Your Own Service .......... vii
Assess Your Skill Level .......... xi


Take Stock of Your Readiness Level

ForgeRock provides several resources to help you get started in the cloud. These resources demonstrate how to deploy ForgeRock Identity Platform™ (the platform) on Kubernetes. Before you proceed, review the following precautions:

• Deploying ForgeRock software in a containerized environment requires advanced proficiency in many technologies. See "Assess Your Skill Level" for details.

• If you don't have experience with complex Kubernetes deployments, then either engage a certified ForgeRock consulting partner or deploy the platform on traditional architecture.

• Don't deploy ForgeRock software in Kubernetes in production until you have successfully deployed and tested the software in a non-production Kubernetes environment.

For information about obtaining support for ForgeRock Identity Platform software, see "Getting Support" in the DevOps Release Notes.

Introducing the CDK and CDM

The forgeops repository and DevOps documentation address a range of our customers' typical business needs. The repository contains artifacts for two primary resources to help you with cloud deployment:

• Cloud Developer's Kit (CDK). The CDK is a minimal sample deployment for development purposes. Developers deploy the CDK, and then access AM's and IDM's GUI consoles and REST APIs to configure the platform and build customized Docker images for the platform.

• Cloud Deployment Model (CDM). The CDM is a reference implementation for ForgeRock cloud deployments. You can get a sample ForgeRock Identity Platform deployment up and running in the cloud quickly using the CDM. After deploying the CDM, you can use it to explore how you might configure your Kubernetes cluster before you deploy the platform in production.

The CDM is a robust sample deployment for demonstration and exploration purposes only. It is not a production deployment.

                                                     CDK                     CDM
Fully integrated AM, IDM, and DS installations       ✔                       ✔
Randomly generated secrets                           ✔                       ✔
Resource requirement                                 Namespace in a GKE,     Dedicated GKE, EKS,
                                                     EKS, AKS, or Minikube   or AKS cluster
                                                     cluster
Can run on Minikube                                  ✔
Multi-zone high availability                                                 ✔
Replicated directory services                                                ✔
Ingress configuration                                                        ✔
Certificate management                                                       ✔
Prometheus monitoring, Grafana reporting,                                    ✔
and alert management

ForgeRock's DevOps documentation helps you deploy the CDK and CDM:

• DevOps Developer's Guide. (For Minikube | For Shared Clusters) Tells you how to install the CDK, modify the AM and IDM configurations, and create customized Docker images for the ForgeRock Identity Platform.

• CDM Cookbook. (For GKE | For EKS | For AKS) Tells you how to quickly create a Kubernetes cluster on Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure, install the ForgeRock Identity Platform, access components in the deployment, and run lightweight benchmarks to test DS, AM, and IDM performance.

• Cloud Deployment Guide. Contains how-tos for customizing monitoring, setting alerts, backing up and restoring directory data, and modifying CDM's default security configuration.

• DevOps Release Notes. Keeps you up-to-date with the latest changes to the forgeops repository.

Try Them Out

Before you start planning a production deployment, deploy either the CDK or the CDM, or both. If you're new to Kubernetes, or new to the ForgeRock Identity Platform, deploying these resources is a great way to learn. And when you've finished deploying them, you'll have sandboxes suitable for exploring ForgeRock cloud deployment.


Deploy the CDK

The CDK is a minimal sample deployment of the ForgeRock Identity Platform. If you have access to a cluster on GCP, EKS, or AKS, you can install the CDK in a namespace on your cluster. But even if you don't have access to a cloud-based cluster, you can still deploy the CDK on a local computer running Minikube, and when you're done, you'll have a namespace on a local Kubernetes cluster with the ForgeRock Identity Platform.

Prerequisite technologies and skills:

• Git

• Docker

• Kubernetes, running on a cloud platform or on Minikube

More information:

• DevOps Developer's Guide: Using Minikube

• DevOps Developer's Guide: Using a Shared Cluster

Deploy the CDM


Deploy the CDM on GCP, EKS, or AKS to quickly spin up the platform for demonstration purposes. You'll get a feel for what it's like to deploy the platform on a Kubernetes cluster in the cloud. When you're done, you won't have a production-quality deployment. But you will have a robust, reference implementation of the platform that you can use to explore optional deployment customizations.¹

Prerequisite technologies and skills:

• Git

• GCP, AWS, or Azure

• Kubernetes, running on GCP, AWS, or Azure

More information:

• Cloud Deployment Model Cookbook for GKE

• Cloud Deployment Model Cookbook for Amazon EKS

• Cloud Deployment Model Cookbook for AKS

Build Your Own Service

Perform the following activities to customize, deploy, and maintain a production ForgeRock Identity Platform implementation in the cloud:

• "Create a Project Plan"

• "Configure the Platform"

• "Configure Your Cluster"

• "Stay Up and Running"

¹ Optional customizations are deployment options that you might want to use in production that are not part of the CDM. Examples include, but are not limited to: securing SSL with a certificate that's dynamically obtained from Let's Encrypt; using an ingress controller other than the NGINX ingress controller; resizing the cluster to meet your business requirements; configuring Alert Manager to issue alerts when usage thresholds have been reached.

Create a Project Plan

After you've spent some time exploring the CDK and CDM, you're ready to define requirements for your production deployment. Remember, the CDM is not a production deployment. Use the CDM to explore deployment customizations, and incorporate the lessons you've learned as you build your own production service.

Analyze your business requirements and define how the ForgeRock Identity Platform needs to be configured to meet your needs. Identify systems to be integrated with the platform, such as identity databases and applications, and plan to perform those integrations. Assess and specify your deployment infrastructure requirements, such as backup, system monitoring, Git repository management, CI/CD, quality assurance, security, and load testing.

Prerequisite technologies and skills:

• Project planning and management

• Git

• Docker

• GCP, AWS, or Azure

• Kubernetes, running on GCP, AWS, or Azure

• ForgeRock Identity Platform

• Applications and databases that you plan to integrate with ForgeRock Identity Platform

• CI/CD for a production deployment in the cloud

• Integration testing

• Deployment hardening and security


• Benchmarking and load testing

• Site reliability

More information:

• All the DevOps documentation at https://backstage.forgerock.com/docs/forgeops/6.5

Configure the Platform

With your project plan defined, you're ready to configure the ForgeRock Identity Platform to meet the plan's requirements. Install the CDK on your developers' computers. Configure AM and IDM. If needed, include integrations with external applications in the configuration. Iteratively unit test your configuration as you modify it. Build customized Docker images that contain the configuration.

Prerequisite technologies and skills:

• ForgeRock Identity Platform

• Git

• Kubernetes, running on a cloud platform or on Minikube

• Docker

More information:

• DevOps Developer's Guide: Using Minikube

• DevOps Developer's Guide: Using a Shared Cluster


Configure Your Cluster

With your project plan defined, you're ready to configure a Kubernetes cluster that meets the requirements defined in the plan. Install the platform using the customized Docker images developed in "Configure the Platform". Provision the ForgeRock identity repository with users, groups, and other identity data. Load test your deployment, and then size your cluster to meet service level agreements. Perform integration tests. Harden your deployment. Set up CI/CD for your deployment. Create monitoring alerts so that your site reliability engineers are notified when the system reaches thresholds that affect your SLAs. Implement database backup and test database restore. Simulate failures while under load to make sure your deployment can handle them.

Prerequisite technologies and skills:

• GCP, AWS, or Azure

• Git

• Kubernetes, running on GCP, AWS, or Azure

• ForgeRock Identity Platform

• CI/CD for a production deployment in the cloud

• Integration testing

• Deployment hardening and security

• Benchmarking and load testing

• Site reliability

More information:


• Cloud Deployment Guide

• Cloud Deployment Model Cookbook for GKE

• Cloud Deployment Model Cookbook for Amazon EKS

• Cloud Deployment Model Cookbook for AKS

Stay Up and Running

By now, you've configured the platform, configured a Kubernetes cluster, and installed the platform with your customized configuration in the cluster. Run your ForgeRock Identity Platform deployment in your cluster, continually monitoring it for performance and reliability. Take backups as needed.

Prerequisite technologies and skills:

• Git

• GCP, AWS, or Azure

• Kubernetes, running on GCP, AWS, or Azure

• ForgeRock Identity Platform

• CI/CD for a production deployment in the cloud

• Site reliability

More information:

• Cloud Deployment Guide

Assess Your Skill Level

Benchmarking and Load Testing

I can:


• Write performance tests, using tools such as Gatling and Apache JMeter, to ensure that the system meets required performance thresholds and service level agreements (SLAs).

• Resize a Kubernetes cluster, taking into account performance test results, thresholds, and SLAs.

• Run Linux performance monitoring utilities, such as top.

CI/CD for Cloud Deployments

I have experience:

• Designing and implementing a CI/CD process for a cloud-based deployment running in production.

• Using a cloud CI/CD tool, such as Tekton, Google Cloud Build, Codefresh, AWS CloudFormation, or Jenkins, to implement a CI/CD process for a cloud-based deployment running in production.

• Integrating GitOps into a CI/CD process.

Docker

I know how to:

• Write Dockerfiles.

• Create Docker images, and push them to a private Docker registry.

• Pull and run images from a private Docker registry.

I understand:

• The concepts of Docker layers, and building images based on other Docker images using the FROM instruction.

• The difference between the COPY and ADD instructions in a Dockerfile.

Git

I know how to:

• Use a Git repository collaboration framework, such as GitHub, GitLab, or Bitbucket Server.

• Perform common Git operations, such as cloning and forking repositories, branching, committing changes, submitting pull requests, merging, viewing logs, and so forth.

External Application and Database Integration

I have expertise in:


• AM policy agents.

• Configuring AM policies.

• Synchronizing and reconciling identity data using IDM.

• Managing cloud databases.

• Connecting ForgeRock Identity Platform components to cloud databases.

ForgeRock Identity Platform

I have:

• Attended ForgeRock University training courses.

• Deployed the ForgeRock Identity Platform in production, and kept the deployment highly available.

• Configured DS replication.

• Passed the ForgeRock Certified Access Management and ForgeRock Certified Identity Management exams (highly recommended).

GCP, AWS, or Azure (Basic)

I can:

• Use the graphical user interface for GCP, AWS, or Azure to navigate, browse, create, and remove Kubernetes clusters.

• Use the cloud provider's tools to monitor a Kubernetes cluster.

• Use the command-line interface for GCP, AWS, or Azure.

• Administer cloud storage.

GCP, AWS, or Azure (Expert)

In addition to the skills and expertise listed in "GCP, AWS, or Azure (Basic)" I can:

• Read the Pulumi scripts in the forgeops repository to see how the CDM cluster is configured.

• Create and manage a Kubernetes cluster using an infrastructure-as-code tool such as Pulumi, Terraform, or AWS CloudFormation.

• Configure multi-zone and multi-region Kubernetes clusters.


• Configure cloud-provider identity and access management (IAM).

• Configure virtual private clouds (VPCs) and VPC networking.

• Manage keys in the cloud using a service such as Google Key Management Service (KMS), Amazon KMS, or Azure Key Vault.

• Configure and manage DNS domains on GCP, AWS, or Azure.

• Troubleshoot a deployment running in the cloud using the cloud provider's tools, such as Google Stackdriver, Amazon CloudWatch, or Azure Monitor.

• Integrate a deployment with certificate management tools, such as cert-manager and Let's Encrypt.

• Integrate a deployment with monitoring and alerting tools, such as Prometheus and Alertmanager.

I have obtained one of the following certifications (highly recommended):

• Google Certified Associate Cloud Engineer Certification.

• AWS professional-level or associate-level certifications (multiple).

• Azure Administrator.

Integration Testing

I can:

• Automate QA testing using a test automation framework.

• Design a chaos engineering test for a cloud-based deployment running in production.

• Use chaos engineering testing tools, such as Chaos Monkey.

Kubernetes (Basic)

I've gone through the tutorials at kubernetes.io, and am able to:

• Use the kubectl command to determine the status of all the pods in a namespace, and to determine whether pods are operational.

• Use the kubectl describe pod command to perform basic troubleshooting on pods that are not operational.

• Use the kubectl command to obtain information about namespaces, secrets, deployments, and stateful sets.

• Use the kubectl command to manage persistent volumes and persistent volume claims.


Kubernetes (Expert)

In addition to the skills and expertise listed in "Kubernetes (Basic)" I have:

• Configured role-based access to cloud resources.

• Configured Kubernetes objects, such as deployments and stateful sets.

• Configured Kubernetes ingresses.

• Passed the Cloud Native Certified Kubernetes Administrator exam (highly recommended).

Project Planning and Management for Cloud Deployments

I have planned and managed:

• A production deployment in the cloud.

• A production deployment of ForgeRock Identity Platform.

Security and Hardening for Cloud Deployments

I can:

• Harden a ForgeRock Identity Platform deployment.

• Configure TLS, including mutual TLS, for a multi-tiered cloud deployment.

• Configure cloud identity and access management and role-based access control for a production deployment.

• Configure encryption for a cloud deployment.

• Configure Kubernetes pod security and network security policies.

• Configure private Kubernetes networks, deploying bastion servers as needed.

• Undertake threat modeling exercises.

• Scan Docker images to ensure container security.

• Configure and use private Docker container registries.
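As an added illustration of the "pod security and network security policies" item in this list (this is example configuration written for this page, not part of the ForgeRock documentation or the forgeops repository), the following Kubernetes NetworkPolicy set starts a platform namespace in a default-deny posture and then re-admits only the traffic the deployment needs: DNS egress for every pod, and HTTPS ingress to the AM pods from the ingress controller alone. The namespace name `prod-identity`, the pod label `app: am`, the port 8443, and the ingress-controller namespace `ingress-nginx` are assumptions for illustration; the `kubernetes.io/metadata.name` namespace label is set automatically on Kubernetes 1.21 and later, so on older clusters substitute a label you apply yourself.

```yaml
# Added example, not part of the ForgeRock docs or the forgeops repository.
# Assumed values: namespace "prod-identity", AM pods labelled app=am and
# listening on 8443, an ingress controller in namespace "ingress-nginx",
# and CoreDNS in kube-system labelled k8s-app=kube-dns (the upstream default).
---
# 1. Default deny: selecting every pod in the namespace with an empty
#    podSelector means no ingress or egress is allowed unless another
#    policy explicitly permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod-identity
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Every pod still needs name resolution, so allow egress to the cluster
#    DNS service only (UDP and TCP 53), and nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: prod-identity
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3. Admit HTTPS to the AM pods only from the ingress controller's
#    namespace. Traffic from any other namespace, including other
#    workloads in the cluster, is still dropped by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-am
  namespace: prod-identity
spec:
  podSelector:
    matchLabels:
      app: am
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8443
```

Apply the file with `kubectl apply -f`, then confirm from a pod in a different namespace that the AM port is unreachable and from the ingress controller that it is. Two caveats matter in practice: NetworkPolicy objects are only enforced when the cluster's network plugin supports them (on some managed clusters policy enforcement must be switched on explicitly), and a real platform namespace also needs allow rules for AM, IDM, and DS to reach each other and for DS replication, which this example deliberately leaves out so that each additional rule is a conscious decision rather than an inherited default.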

Site Reliability Engineering for Cloud Deployments

I can:

• Manage multi-zone and multi-region deployments.


• Implement DS backup and restore in order to recover from a database failure.

• Manage cloud disk availability issues.

• Analyze monitoring output and alerts, and respond should a failure occur.

• Obtain logs from all the software components in my deployment.

• Follow the cloud provider's recommendations for patching and upgrading software in my deployment.

• Implement an upgrade scheme, such as blue/green or rolling upgrades, for software in my deployment.

• Create a Site Reliability Runbook for the deployment, documenting all the procedures to be followed and other relevant information.

• Follow all the procedures in the project's Site Reliability Runbook, and revise the runbook if it becomes out-of-date.
