By Ravivarma Baru, Senior Specialist at Midships (ravivarma.baru@midships.io)
This article is intended for anyone looking to migrate PingIdentity (ForgeRock) Identity Manager from using a database to Directory Services. Midships has been leading these migrations seamlessly since 2019 and we thought it was time to share :-)
Introduction:
ForgeRock’s Identity Management Solution (IDM) makes it easier for organizations to manage the identity of their members. IDM uses managed objects to represent different kinds of identities such as users, groups, devices, credentials, etc.
Attributes of these managed objects are usually synchronised with other systems, including ForgeRock's Directory Services (DS), which is used by ForgeRock's Access Manager (AM) as an identity store to enable authentication and authorisation of identities.
IDM requires a data repository backend such as a database to store the managed objects and metadata (used for syncing).
Problem Statement:
Prior to IDM v6, IDM used a database as its primary data repository. Since v6, DS can also be used as IDM's data repository. This simplifies the solution by removing the operational overhead of managing a backend database, and it removes the synchronisation previously required between ForgeRock AM's userstore and the IDM backend database containing the managed objects.
Midships has significant experience helping our customers migrate their IDM from using a database to using DS seamlessly and with zero downtime.
In this blog, we will address how we do this.
Challenges:
The main challenges we encountered at one of the banks where this migration was performed were:
How to design the DS servers such that:
they can be consumed by both IDM and AM without losing any data?
they don't duplicate any data element, so that, for example, the IDM managed object and the AM identity object share a single entry?
How to deploy the newly designed DS servers and the IDM + AM servers (with configuration updated to consume the new DS servers) without needing additional infrastructure or VMs?
How to reconcile the data from IDM's current backend DB, as well as from the current ForgeRock DS (used by AM as its idRepo), into the new DS servers?
How to handle attributes that were defined in the DB to hold certain data, but whose corresponding DS attributes are operational and not subject to user change? (More information in the solution section.)
How to keep the data in sync from the initial reconciliation all the way until traffic is switched over to the updated AM, IDM and DS instances?
Our Approach:
Category | Use-case / Issue | Solution |
---|---|---|
Design of DS | The new DS should hold identity data as shared objects so that both IDM and AM can refer to a single identity entry without duplication of data. | The new DS is set up with two backends: one holding the shared identity objects consumed by both AM and IDM, and a second holding IDM-specific repository data. This also gives organizations the opportunity to update the schema of existing attributes or to rename OUs to align with the realms used by AM; we observed that organizations use this migration as a chance to redesign their DS. (A minimal sketch of reading a shared entry follows this table.) |
Design of DS | The new DS must be highly performant, since it serves as both the AM userStore and the IDM backend repository (idmRepo). | DS is highly efficient for search operations. With shared objects used by both IDM and AM, JVM cache usage remains minimal even with DS divided into two backends. However, we recommend allocating extra heap space to the JVM, sized through thorough performance testing, for optimal resource use. |
Deployment of DS | Organizations, particularly financial institutions, often opt to set up the new DS cluster separately to allow a seamless rollback if needed. That setup is straightforward. However, when dealing with multiple data centres (DCs), one DC can be isolated for deploying the changes; here we explore the process of isolating one DC and deploying the new DS setup there. [Note: while we use two DCs as an example, this approach applies to scenarios with more than two DCs as well.] | For this requirement, we break the replication topology between the two DCs, typically by blocking network connectivity or address resolution between them. If either of these still works, the replication port of the new DS servers is changed to completely block the connection between the DC1 and DC2 replication servers. A single DS server is then deployed in DC2 according to the updated design, after cutting connectivity with the active DS cluster in DC1. (A connectivity check sketch follows this table.) |
Data Migration | Reconciliation of data from the current IDM backend DB into the new DS. (A simplified reconciliation sketch follows this table.) | |
Data Migration | Migrating system (operational) attributes, such as account creation time and password change time. The issue with system attributes is that they cannot be modified directly; they are maintained internally by DS. Organizations prefer to carry the original values from the DB into the new DS, because other teams consume them, for example a call centre assisting a customer. (An LDIF sketch follows this table.) | |
Deployment of DS | Completing the DC2 topology once the initial data migration is done. | Subsequently, the other DS servers of DC2 are provisioned into the topology. The updated AM is then also deployed in DC2 to consume the DC2 DS servers. |
Data Migration | Delta data migration: keeping the data in sync between the initial reconciliation and the traffic switchover. (A delta-sync sketch follows this table.) | |
Miscellaneous | queryId to queryFilter: queries invoked by queryId against the JDBC repository need to be expressed as queryFilter expressions against the DS repository. (An example request follows this table.) | |
IDM Schema | To mitigate the issues encountered during reconciliation and to standardise the overall schema of the managed objects, the IDM schema is updated. | |
 | Making the changes live | Once the data is migrated, traffic is switched to DC2, the updated DC where the new DS, AM and IDM are deployed. After successful business testing, all DC1 components are redeployed and connectivity with DC2 is re-enabled. |
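
To make the shared-object design in the first row above concrete, here is a minimal sketch using Python and the ldap3 library. The host name, port, bind credentials, the base DN `ou=identities,dc=example,dc=com` and the attribute names are illustrative assumptions rather than an actual customer layout; the point is simply that AM and IDM resolve the same entry, so there is nothing left to synchronise between them.

```python
# Minimal sketch: AM and IDM both read the SAME entry from the shared backend.
# Host, port, bind DN, base DN and attribute names are illustrative assumptions.
from ldap3 import Connection, Server

server = Server("ds1.dc2.example.com", port=1636, use_ssl=True)
conn = Connection(server, user="uid=admin", password="CHANGE_ME", auto_bind=True)

# AM would resolve this user as an identity (userstore) entry...
conn.search(
    search_base="ou=identities,dc=example,dc=com",
    search_filter="(uid=bjensen)",
    attributes=["uid", "cn", "mail", "createTimestamp"],
)
for entry in conn.entries:
    print(entry)

# ...and IDM's DS repository points at the same entry for managed/user, so a
# change made through IDM is immediately visible to AM with nothing to sync.
conn.unbind()
```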
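For the DC-isolation step in the deployment row, it helps to verify that the isolation actually holds before provisioning the new DS. The check below is a hedged sketch: the host names are placeholders and 8989 is only the DS default replication port, so adjust both to your topology.

```python
# Hedged sketch: before provisioning the new DS in the isolated DC, confirm
# that the DC2 hosts can no longer reach the DC1 replication ports.
import socket

DC1_REPLICATION_SERVERS = [
    ("ds1.dc1.example.com", 8989),
    ("ds2.dc1.example.com", 8989),
]

def is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

for host, port in DC1_REPLICATION_SERVERS:
    state = "STILL REACHABLE - isolation incomplete" if is_reachable(host, port) else "blocked"
    print(f"{host}:{port} -> {state}")
```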
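For the "Reconciliation of data from the current IDM backend DB" row, the bulk of the work is usually done with IDM reconciliation or a bulk LDIF import; the sketch below is a deliberately simplified illustration, assuming a relational table called `managed_user` and the same illustrative DN layout as above, of how rows in the old repository map onto entries in the new DS.

```python
# Simplified illustration only: map rows from the old IDM repository onto
# entries in the new DS. Table name, column names and the DN layout are
# assumptions for this sketch; a production migration would use IDM recon
# or a bulk LDIF import rather than row-by-row adds.
import sqlite3                      # stand-in for the real production database
from ldap3 import Connection, Server

BASE_DN = "ou=identities,dc=example,dc=com"

db = sqlite3.connect("idm_repo_extract.db")
rows = db.execute("SELECT username, first_name, last_name, mail FROM managed_user")

server = Server("ds1.dc2.example.com", port=1636, use_ssl=True)
conn = Connection(server, user="uid=admin", password="CHANGE_ME", auto_bind=True)

for username, first_name, last_name, mail in rows:
    dn = f"uid={username},{BASE_DN}"
    conn.add(
        dn,
        object_class=["top", "person", "organizationalPerson", "inetOrgPerson"],
        attributes={
            "uid": username,
            "givenName": first_name,
            "sn": last_name,
            "cn": f"{first_name} {last_name}",
            "mail": mail,
        },
    )
    if conn.result["description"] != "success":
        print(f"Failed to add {dn}: {conn.result}")

conn.unbind()
db.close()
```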
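The table leaves the exact mechanism for operational attributes open. One option, shown here purely as an assumption-laden sketch, is to carry the original timestamps from the DB into the LDIF used for the bulk load rather than trying to modify them over LDAP afterwards; whether your import path accepts createTimestamp and pwdChangedTime must be proven in a lower environment first.

```python
# Assumption-laden sketch: emit LDIF that carries the original DB timestamps
# (account creation, last password change) as createTimestamp / pwdChangedTime
# so a bulk load can bring them into the new DS. Validate in a lower
# environment that your import path accepts these operational attributes.
from datetime import datetime, timezone

def to_generalized_time(ts: datetime) -> str:
    """Convert a datetime to LDAP GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def user_to_ldif(username: str, created: datetime, pwd_changed: datetime) -> str:
    """Render one user entry as LDIF; in practice more attributes would be merged in."""
    dn = f"uid={username},ou=identities,dc=example,dc=com"   # assumed DN layout
    return "\n".join([
        f"dn: {dn}",
        "objectClass: inetOrgPerson",
        f"uid: {username}",
        f"sn: {username}",
        f"cn: {username}",
        f"createTimestamp: {to_generalized_time(created)}",
        f"pwdChangedTime: {to_generalized_time(pwd_changed)}",
        "",
    ])

# Example usage with made-up values taken from the old DB:
print(user_to_ldif(
    "bjensen",
    created=datetime(2018, 3, 14, 9, 26, 53, tzinfo=timezone.utc),
    pwd_changed=datetime(2023, 11, 2, 17, 0, 0, tzinfo=timezone.utc),
))
```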
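For the delta data migration row, one common pattern (an assumption here, since the table does not spell out the exact mechanism used) is to re-query the old repository for anything modified after the initial reconciliation and replay only those changes into DS. The sketch assumes the old table exposes a `last_modified` column and reuses the illustrative DN layout above.

```python
# Hedged sketch of a delta pass: pick up rows changed since the initial
# reconciliation and replay them as LDAP modifications. Column names, the
# cut-off handling and the DN layout are assumptions for illustration.
import sqlite3
from ldap3 import Connection, MODIFY_REPLACE, Server

CUTOFF = "2024-05-01T00:00:00Z"     # timestamp recorded at the initial recon

db = sqlite3.connect("idm_repo_extract.db")
changed = db.execute(
    "SELECT username, mail, telephone FROM managed_user WHERE last_modified > ?",
    (CUTOFF,),
)

server = Server("ds1.dc2.example.com", port=1636, use_ssl=True)
conn = Connection(server, user="uid=admin", password="CHANGE_ME", auto_bind=True)

for username, mail, telephone in changed:
    dn = f"uid={username},ou=identities,dc=example,dc=com"
    conn.modify(dn, {
        "mail": [(MODIFY_REPLACE, [mail])],
        "telephoneNumber": [(MODIFY_REPLACE, [telephone])],
    })

conn.unbind()
db.close()
```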
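For the queryId to queryFilter row: with a JDBC repository, clients often call IDM with a predefined `_queryId`, whereas the DS repository expects explicit `_queryFilter` expressions. The snippet below, with a placeholder IDM endpoint and admin credentials, shows the predefined `query-all-ids` call next to its queryFilter equivalent.

```python
# Example of rewriting a repo query: _queryId (JDBC-style predefined query)
# versus _queryFilter (used against the DS repository). The endpoint URL and
# the admin credentials below are placeholders for illustration.
import requests

IDM = "https://idm.example.com/openidm"
HEADERS = {
    "X-OpenIDM-Username": "openidm-admin",
    "X-OpenIDM-Password": "CHANGE_ME",
}

# Old style: a predefined query referenced by its queryId.
old = requests.get(
    f"{IDM}/managed/user",
    params={"_queryId": "query-all-ids"},
    headers=HEADERS,
)

# New style: an explicit queryFilter expression, evaluated by the DS repo.
new = requests.get(
    f"{IDM}/managed/user",
    params={"_queryFilter": "true", "_fields": "_id"},
    headers=HEADERS,
)

print(old.status_code, new.status_code)
```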
Conclusion:
Organisations and enterprises often deem migrating the IDM backend repository from JDBC to ForgeRock DS difficult. Financial institutions in particular tend to stay where they are, especially where customer or business data is concerned, on the assumption that it is impossible to migrate the backend repository without downtime, without losing data, or without spending additional cost on new infrastructure. As discussed above, a holistic approach and solid automation make the transition straightforward. One caveat of migrating to DS: unlike a DB backend, it does not support workflows.
In summary, the migration of the IDM backend repository from a DB to DS can be achieved with zero downtime by designing the DS carefully, planning how the data will be synchronised, identifying and fixing functional issues in lower environments, and automating every process that can be automated.
If you would like to learn more, please don't hesitate to contact me.
Ravi