!!!! ACTIVELY UNDER CONSTRUCTION !!!!
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. With this value proposition in mind, customers want to leverage cloud databases such as RDS to become the ForgeRock Identity Management (IDM) repository. This guide describes how to configure the Postgres flavor of RDS as an IDM repository.
- Setup AWS RDS Postgres instance.
- Configure network and security.
- Modify ForgeRock Postgres script.
- Complete remaining steps for Postgres as an IDM repository.
- Inbound add rules to accommodate the Postgres port (ie 5432) limited by IP addresses (optional)
- Outbound rules "CidrIp": "0.0.0.0/0"
- Enter the RDS ConsoleLogin to AWS admin console and chose to manage RDS
- Create a PostgreSQL DB Instance that matches a version ForgeRock Identity Management supports per our release notes: https://backstage.forgerock.com/docs/idm
- Configure For Postgres, configure based upon https://aws.amazon.com/getting-started/tutorials/create-connect-postgresql-db/
The above highlights changes from default settings. These are to changes open network settings and create new security groups, VPC, subnets and to make the instance publicly available.
In the ForgeRock Installation Guide regarding the topic of Postgres repository configuration, there is a step that details how to setup security related to client connections. This step details how to edit the Postgres client authentication configuration file, pg_hba.conf. This step can be ignored as a step in the configuration, as it cannot be performed in against the AWS RDS service. The functional equivalent is to setup an AWS Security Group configuration that allows remote clients (Identity Management process) to connect.
Outbound rules should look like this:
For reference of the security model that involves Security Groups and VPCs:
Note there is a relationship with the Amazon concept of Virtual Private Cloud (VPC) settings and the associated Amazon concept of a Security Group. Both are key to connectivity to services, including RDS.
The above command will prove connectivity to into the AWS RDS instance of Postgres from the IDM environment as . As shown in the response there will be a status of time taken to test the connection, or instead of output there will be a timeout. Timeout A timeout means something in network needs to be debugged.
There exist some RDS nuances, that require modification to the createuser.psql script from the standard Postgres configuration.
edit this file in Identity Management (AKA OpenIDM) environment:
copy the createuser.pgsql to createCreate a new file to use in place of the createuser.pgsql. Call the new file create-user-aws-rds.pgsql and edit as below.
create USER openidm with password 'openidm'; grant openidm TO postgres; create database openidm encoding 'utf8' owner openidm; grant all privileges on database openidm to openidm;
execute the new create-user-aws.pgsql script
After this runs a new user called openidm will exist and in Postgres and can now be used the execute the remaining scripts.
Execute remaining scripts:
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -U opening < openidm.pgsql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -U openidm < audit.pgsql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.engine.sql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.history.sql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.identity.sql