Child pages
  • Amazon RDS as an Identity Management Repository

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud.  With this value proposition in mind, customers want to leverage cloud databases such as RDS to become the ForgeRock Identity Management (IDM) repository.  This guide describes how to configure the Postgres flavor of RDS as an IDM repository.

Configuration guide

  1. Setup AWS RDS Postgres instance.
  2. Configure network and security.
  3. Modify ForgeRock Postgres script.
  4. Complete remaining steps for Postgres as an IDM repository.

Setup Amazon RDS Postgres


Before starting, some key configuration details are needed:

Postgres

  • Port 5432
  • PubliclyAccessible (true or false)

Security Groups

  • Inbound add rules to accommodate the Postgres port (ie 5432) limited by IP addresses (optional)
  • Outbound rules  "CidrIp": "0.0.0.0/0"


  1. Login to AWS admin console and chose to manage RDS
  2. Create a PostgreSQL DB Instance that matches a version ForgeRock Identity Management supports per our release notes: https://backstage.forgerock.com/docs/idm
  3. For Postgres, configure based upon  https://aws.amazon.com/getting-started/tutorials/create-connect-postgresql-db/


The above highlights changes from default settings.  These changes open network settings and create new security groups, VPC, subnets and to make the instance publicly available.

In production tighter control over the network may be desired, but the scope of this paper is not to illustrate a hardened configuration, but rather provide an easy configuration example for understanding.


Info
Ensure network connectivity is accessible from the Identity Management instance.  This includes settings in RDS setup that configure the specific, Amazon VPC, Availability Zones and Security Groups.


Configure network and security

In the ForgeRock Installation Guide regarding the topic of Postgres repository configuration, there is a step that details how to setup security related to client connections.  This step details how to edit the Postgres client authentication configuration file, pg_hba.conf.  This step can be ignored, as it cannot be performed against the AWS RDS service.  The functional equivalent is to setup an AWS Security Group configuration that allows remote clients (Identity Management process) to connect.  


Inbound rules should look like this:


Outbound rules should look like this:



For reference of the security model that involves Security Groups and VPCs:

Info
titleSecurity Group / VPC Architecture

Note there is a relationship with the Amazon concept of Virtual Private Cloud (VPC) settings and the associated Amazon concept of a Security Group.  Both are key to connectivity to services, including RDS.



To test network connectivity:  From the environment that ForgeRock IDM runs: 

Code Block
languagebash
themeConfluence
titleNetCat test network
nc -zv my-rds-instance.us-east-1.rds.amazonaws.com 5432 
Ncat: Version 7.50 ( https://nmap.org/ncat ) 
Ncat: Connected to 172.30.0.250:5432.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

The above command will prove connectivity into the AWS RDS instance of Postgres from the IDM environment.   As shown in the response there will be a status of time taken to test the connection, or instead of output there will be a timeout.  A timeout means something in network needs to be debugged.


Modify ForgeRock Postgres script

There exist some RDS nuances, that require modification to the createuser.psql script from the standard Postgres configuration.

Create a new file to use in place of the createuser.pgsql.  Call the new file create-user-aws-rds.pgsql and edit as below.

/path/to/openidm/db/postgresql/scripts/create-user-aws-rds.pgsql
Code Block
languagesql
themeConfluence
firstline0001
titlecreate-user-aws-rds.psql
create USER openidm with password 'openidm';
grant openidm TO postgres;
create database openidm encoding 'utf8' owner openidm;
grant all privileges on database openidm to openidm;


execute the new create-user-aws.pgsql script

Code Block
languagebash
themeConfluence
firstline0001
titleExecute script
psql -U postgres < /path/to/openidm/db/postgresql/scripts/createuser.pgsql

After this runs a new user called openidm will exist and in Postgres and can now be used the execute the remaining scripts.

Complete steps for Postgres as an IDM repository

From this point the steps in the ForgeRock Installation Guide regarding the topic of Postgres as a repository can be completed as prescribed.

In summary the two details that change from the guide are:

  1. Instead of configuring a Postgres client authentication file, perform functional equivalent in AWS Security Groups
  2. The createuser.psql script for Postgres needs to be altered. 

The remaining steps detailed here: https://backstage.forgerock.com/docs/idm/6.5/install-guide/#repository-postgresql, in brief are:

Execute remaining scripts:

Code Block
languagebash
themeConfluence
titleExecute scripts
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -U opening < openidm.pgsql 
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -U openidm < audit.pgsql 
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.engine.sql 
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.history.sql 
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.identity.sql

Content by Label
showLabelsfalse
max5
spacesopenidm
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ("repo","cloud","repository","aws","idm","database","rds","amazon","openidm","postgres") and type = "page" and space = "openidm"
labelsIDM openidm postgres AWS RDS Amazon repo repository database cloud

Page properties
hiddentrue
Related issues