My organization is not ready for DevOps
The only technical requirement of RockKit is Unix. RockKit is an automation and orchestration engine that only uses scripting languages and packages largely available on Linux. It has a very small footprint. Our experience shows that RockKit is easily adopted by Operations, when they compare a deployment with and without RockKit.
When we refer to DevOps, we mean an emerging practice that reconsiders how Development and Operations interact.
What does the RockKit do?
The RockKit has been designed to cope with the complexity of a ForgeRock deployment. In particular:
- it is able to configure most of the Configuration Items (CIs) of the ForgeRock Identity Platform: Access Management, Directory Services, Identity Management, Identity Gateway. Access Management and Directory Services are the most challenging ones.
- it is able to build a deployment package for each node of a large deployment.
- it then copes with the complexity of an integrated deployment: one node relaying on another - the deployment sequence is delegated the operators or to a tool like Jenkins -, replication agreements, password and certificate management, security best practices
- last but not least, it copes with the installation sequences. This mostly applies to the Access Management layer that requires a specific sequence, a combination of ssoadm and REST APIs commands, some server restart…
Does the RockKit handle different ForgeRock releases?
Yes, it does. Configuration management is a domain on which ForgeRock works intensively at the moment. This is in the perspective of facilitating cloud deployments, among others. The effort implies many changes from release to release regarding deployment practices.
For the ForgeRock customer that implements its own scripted installations, it implies that an update is required, more or less important depending on the complexity of the deployment.
Does my runtime environment depend on RockKit?
No. RockKit is used by developers for the development and by operators for the deployment. Once it is deployed, there is no dependency whatsoever on RockKit. At any time, an organization may choose to turn to another automation and orchestration engine.
How are the ForgeRock Access Management and Directory services configured?
Access Management and Directory Services are configured using either CLI commands (respectively ssoadm and dsconfig) or REST APIs. The trend over time and across ForgeRock releases is to go from a full CLI model to a full REST APIs model.
Access Management and Directory Services are tightly linked. Access Management uses an internal Directory Service as a configuration store. In recent architectures, each Access Management node uses its independent configuration store. One configuration store is populated by the configuration of Access Management node.
Access Management also relies on the Directory Services to implement its persistence layer, called the Core Token Service (CTS) layer. The CTS layer stores the active sessions of the Access Management layer (which is stateless). The CTS layer is made of a set of replicated Directory Services nodes.
What is the minimal setup for a ForgeRock deployment?
A minimal setup includes:
- 2 x Access Management nodes, 2 x configuration store nodes, 2 x CTS nodes for the production environment
- 2 x Access Management nodes, 2 x configuration store nodes, 2 x CTS nodes for the acceptance environment
- 1 x Access Management node, 1 x configuration store node, 1 x CTS node for development environment
This setup represents 15 deployment instances linked to each other. In case horizontal scalability is required, in case different environments needs to be setup (for instance, internal and external users, different clients), the setup may scale up significantly.
How do I transfer Configuration Items (CIs) from my development environment to the source code repository?
Once an OpenAM instance is installed in a development environment, OpenAM is configured using either ssoadm or the admin console.
What are the services proposed by Paradigmo?
Paradigmo has been a partner of ForgeRock since ForgeRock started. We deliver implementation and support services to our customers.
Today, we work mainly on projects that involve RockKit. In that context, we deliver:
- The RockKit automation and orchestration engine
- The RockKit automation sample project and its project structure
- The RockKit document templates: architecture, development, deployment
- A first implementation support
- Coaching and knowledge transfer services
What does the subscription include?
A client with an active subscription has access to:
- the latest release and patch of the RockKit
- our support services
Which ForgeRock versions are currently supported?
The following table presents the latest available RockKit / ForgeRock release mapping.
|RockKit release||ForgeRock release|
Access Management 6.0
Directory Service 6.0
Identity Management 5.5
Identity Gateway 5.5
As a general rule, our intention is to deliver the RockKit on the first patch release of a ForgeRock major release. Just give us some time after ForgeRock issues the first patch release!
How can I obtain RockKit?
We work with ForgeRock partners, who can benefit from the toolkit and methodology to deliver a ForgeRock project.
Today we have partners in the UK and the Netherlands, and we are looking for new partners.
We deliver Partner training and the first implementation is a joint effort where knowledge transfer takes place. After that, we provide coaching during project execution.
End-customer training and coaching can also be provided.