!!!! ACTIVELY UNDER CONSTRUCTION !!!!
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. With this value proposition in mind, customers want to leverage cloud databases such as RDS to become the ForgeRock Identity Management (IDM) repository. This guide describes how to configure the Postgres flavor of RDS as an IDM repository.
Add the steps involved:
Before starting, some key configuration details are needed:
The above highlights changes from default settings. These are to create new security groups, VPC, subnets and to make the instance publicly available.
In production tighter control over the network may be desired, but the scope of this paper is not to illustrate a hardened configuration, but rather provide an easy configuration example for understanding.
|Ensure network connectivity is accessible from the Identity Management instance. This includes settings in RDS setup that configure the specific, Amazon VPC, Availability Zones and Security Groups.|
In the ForgeRock Installation Guide regarding the topic of Postgres repository configuration, there is a step that details how to setup security related to client connections. This step details how to edit the Postgres client authentication configuration file, pg_hba.conf. This step can be ignored as a step in the configuration, as it cannot be performed in the AWS RDS service. The functional equivalent is to setup an AWS Security Group configuration that allows remote clients (Identity Management process) to connect.
Inbound rules should look like this:
Outbound rules should look like this:
Note there is a relationship with the Amazon concept of Virtual Private Cloud (VPC) settings and the associated Amazon concept of a Security Group. Both are key to connectivity to services, including RDS.
To test network connectivity: From the environment that ForgeRock IDM runs:
nc -zv my-rds-instance.us-east-1.rds.amazonaws.com 5432 Ncat: Version 7.50 ( https://nmap.org/ncat ) Ncat: Connected to 172.30.0.250:5432. Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.
The above command will prove connectivity to the AWS RDS instance of Postgres from the IDM environment as shown in the response, or there will be a timeout. Timeout means something in network needs to be debugged.
There exist some RDS nuances, that require modification to the createuser.psql script.
edit this file in Identity Management (AKA OpenIDM) environment:
copy the createuser.pgsql to create-user-aws-rds.pgsql and edit as below.
create USER openidm with password 'openidm'; grant openidm TO postgres; create database openidm encoding 'utf8' owner openidm; grant all privileges on database openidm to openidm;
execute the create-user-aws.pgsql script
psql -U postgres < /path/to/openidm/db/postgresql/scripts/createuser.pgsql
After this runs a new user called openidm will exist and can be used the execute the remaining scripts.
From this point the steps in the ForgeRock Installation Guide regarding the topic of Postgres as a repository can be completed as prescribed.
In summary the two details that change from the guide are:
The remaining steps detailed here: https://backstage.forgerock.com/docs/idm/6.5/install-guide/#repository-postgresql, in brief are:
Execute remaining scripts:
psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -U opening < openidm.pgsql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -U openidm < audit.pgsql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.engine.sql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.history.sql psql -h my-rds-instance.us-east-1.rds.amazonaws.com -p 5432 -d openidm -U openidm < activiti.postgres.create.identity.sql
Related articles appear here based on the labels you select. Click to edit the macro and add or change labels.