OpenIDM Repository Requirement

This topic has 6 replies, 5 voices, and was last updated 6 years, 7 months ago by Bill Nelson.

  • #7656
     craigbuo
    Participant

    I was not able to find anything in the current documentation but wanted to reach out regarding database configurations for OpenIDM. Is there a documented requirement stating that the db needs to be hosted on the same server as OpenIDM, or can it be a cluster (or other) db instance on another resource server? Thank you.

    #7657
     ssripathy
    Participant

    No, there is no requirement that states that the DB needs to be co-hosted on the OpenIDM server. It can be on another resource server, and the instances can also be clustered.
    In terms of support (at least in v3.1), I remember that ForgeRock didn’t support AWS RDS. But that may have changed as of 4.0.

    #7658
     tim.sedlack
    Participant

    Hi Craig – did you see the installation guide included in OpenIDM 4? There’s a section on installing the repository (http://openidm.forgerock.org/doc/bootstrap/install-guide/index.html#chap-repository). If you’re looking for information on high availability of OpenIDM (and its interaction with a clustered repo), you can find that in the integrators guide here: http://openidm.forgerock.org/doc/bootstrap/integrators-guide/index.html#chap-cluster

    Hope that helps,
    Tim

    #7670
     Rajesh R
    Participant

    @craigbuo If it helps, I have a screen-cast on configuring OpenIDM 4 to use a repository (MySQL) that runs on a remote machine:

    https://forgerock.org/2016/02/forgerock-openidm-4-installing-repository-production-mysql/

    Not a difficult task, as all you need to do is change the connection parameters in the configuration files to the hostname/port number etc. of your database. I did follow up the above article with an example using PostgreSQL, but opted to use a database running on the same host as OpenIDM.

    #7673
     craigbuo
    Participant

    Thank you @rajeshr. I am not a complete Linux person, so in the conf file where the DB server configuration detail is required, how can you obfuscate or encrypt the username and password so it is not in clear text? In addition, are there known performance issues with leveraging a resource db server instead of locally hosting the db? Thank you.

    #7674
     Rajesh R
    Participant

    @craigbuo Lifted verbatim from section 16.2.3 of the Security chapter of the OpenIDM Integrators Guide [ https://backstage.forgerock.com/#!/docs/openidm/4/integrators-guide/chap-security ]:

    “OpenIDM automatically encrypts sensitive data in configuration files, such as passwords. OpenIDM replaces clear text values when the system first reads the configuration file. Take care with configuration files having clear text values that OpenIDM has not yet read and updated.”

    I’ve seen this happening for the SMTP configuration in OpenIDM, but don’t have first-hand experience of the same when it comes to DB configuration files.

    From section 16.2.10 of the documentation mentioned above, what I understand is that the DB configuration file needs to be protected using appropriate file permissions.

    It would be good to know your observations around the same.

    #7710
     Bill Nelson
    Participant

    You can use the “encrypt” subcommand to generate an encrypted password for the repo, same as you would any other resource.

    $ cd /path/to/openidm/
    $ cli.sh encrypt newpwd

    -----BEGIN ENCRYPTED VALUE-----
    {
      "$crypto" : {
        "value" : {
          "iv" : "TCoC/YrmiRmINw6jCPB5LQ==",
          "data" : "nCFvBIApIQ7C6k+UPzosaA==",
          "cipher" : "AES/CBC/PKCS5Padding",
          "key" : "openidm-sym-default"
        },
        "type" : "x-simple-encryption"
      }
    }
    ------END ENCRYPTED VALUE------

    And yes, you can use this for the repo configuration.

    For some reason, this information was dropped from the OpenIDM 4.0 documentation. It appears in the 3.1 docs, however, here: https://backstage.forgerock.com/#!/docs/openidm/3.1.0/integrators-guide/chap-security.

    Regarding performance impacts of hosting the repo on a separate server, the only impact might be introduced by network latency between the server hosting OpenIDM and the server hosting the repo. I would trade that latency for high availability, however, any time. Stated another way, in all of the implementations we have performed, we have never hosted the repo on a local server – it has always been hosted on other servers and the performance has been just peachy!
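The caveat quoted above (clear-text values that OpenIDM has not yet read and replaced) and the $crypto wrapper shown in the last post suggest a simple pre-deployment check. The following is an added example, not code from the thread or from OpenIDM: it walks the JSON files in a conf directory and reports any sensitive key whose value is not already a $crypto / x-simple-encryption wrapper. The key names in SENSITIVE_KEYS and the connectionProperties layout of the sample configs are assumptions for the example, not taken from the product documentation.

```python
import json
from pathlib import Path

# Config keys whose values must be $crypto-wrapped before the file is deployed.
# Constructed for this example; extend to match the keys in your own conf files.
SENSITIVE_KEYS = {"password", "clientSecret", "secret"}

def is_encrypted(value):
    """True if value is the $crypto wrapper that 'cli.sh encrypt' emits."""
    if not isinstance(value, dict):
        return False
    crypto = value.get("$crypto")
    return (isinstance(crypto, dict)
            and crypto.get("type") == "x-simple-encryption"
            and isinstance(crypto.get("value"), dict))

def find_cleartext(obj, path=""):
    """Walk parsed JSON and return the paths of sensitive keys still in clear text."""
    findings = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}/{key}"
            if key in SENSITIVE_KEYS and not is_encrypted(val):
                findings.append(here)
            else:
                findings.extend(find_cleartext(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            findings.extend(find_cleartext(val, f"{path}[{i}]"))
    return findings

def audit_conf_dir(conf_dir):
    """Check every *.json file in conf_dir; returns {filename: [paths]} for offenders."""
    report = {}
    for f in sorted(Path(conf_dir).glob("*.json")):
        try:
            hits = find_cleartext(json.loads(f.read_text(encoding="utf-8")))
        except ValueError as exc:
            hits = [f"<unparseable: {exc}>"]  # a broken file is reported, not skipped
        if hits:
            report[f.name] = hits
    return report

# Constructed samples (assumed layout: credentials under connectionProperties).
CLEARTEXT_CONF = {"connectionProperties": {"username": "openidm", "password": "openidm"}}
ENCRYPTED_CONF = {"connectionProperties": {"username": "openidm", "password": {"$crypto": {
    "value": {"iv": "TCoC/YrmiRmINw6jCPB5LQ==", "data": "nCFvBIApIQ7C6k+UPzosaA==",
              "cipher": "AES/CBC/PKCS5Padding", "key": "openidm-sym-default"},
    "type": "x-simple-encryption"}}}}
```

Run audit_conf_dir("/path/to/openidm/conf") before copying the directory to a shared host; an empty report means every listed key is already wrapped.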

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.