The Rapid Deployment Toolkit for ForgeRock Identity Platform White Paper June 2017

IAM for the digital age requires new practices

Over the last two decades, Identity and Access Management has mainly concentrated on enterprise requirements, such as directory services, RBAC lifecycle management, provisioning and reconciliation, access management, and single sign-on, etc. This has led to imbricated infrastructures that are hard to extend and to operate, a situation recognized by domain experts.

In the new digital age, the focus has shifted towards external users, omni-channel applications, IoT integration and data protection (GDPR). Cloud-readiness and security become top of mind. The ForgeRock® Identity Platform provides a solution to address most of these challenges.

This new focus obliges the IAM team to deliver fast and adapt to new requirements. Cloud deployment, changing organizations and new business models require an AGILE delivery method.

IAM project delivery inspired by DevOps

“DevOps is one of the hot topics at the moment, and is well on its way up the hype curve ... it doesn’t replace agile software development, it complements it very, very well.” Leon Tranter [1].

DevOps is a rethinking of how we configure, customize and deploy software.

Traditionally - already for more than a decade - software development relies on agile development methods. When a software release is finalized, the package is passed to operations for deployment. The operations team wants to keep control of the environments under its responsibility, but there are a few problems to be solved:

o The production environment does not look exactly like the development and staging environments. This is particularly true with an imbricated IAM infrastructure, where all integrated components are not available in all environments.

o The deployment process may not be completely automated. Full automation of the installation process may not be possible if the package(s) does (do) not support it. Again, this is particularly true with IAM product suites available on the market.

o Different people may execute the deployment process at different times in different environments. If the deployment process is not fully automated and includes many operations, it may be hard to reproduce in the same way. Moreover, the deployment process may not be the same in different environments!

If these problems sound familiar, we have a solution for you!

In the long term, DevOps breaks the boundary between development and deployment. This works by putting the released software into a “software container [2]” and that “software container” gets moved from development to staging and then to production.

[1] Leon Tranter maintains the Extreme Uncertainty website and published an excellent blog on “the difference between agile and DevOps”.

In our IAM context, the DevOps approach has to be moderated:

o An IAM infrastructure is a transversal service and it remains highly integrated with other components.

o There are multiple DevOps technologies and most still need further development before they become production-ready.

If DevOps is the long-term goal, and if today’s aim is to automate the development and deployment of your ForgeRock infrastructure, what can you do today?

Paradigmo proposes the RockKit

RockKit has been developed for the ForgeRock Identity Platform products: OpenAM, OpenDJ and OpenIDM.

Automated deployment of ForgeRock products has been available for some time. OpenAM includes the ssoadm command line interface [3]; OpenDJ the dsconfig; and OpenIDM has always fetched its configuration from JSON configuration files.

Thanks to these long-standing capabilities, Paradigmo started developing the RockKit back in 2012, with the goal of optimizing the development process as well as automating and orchestrating the deployment of an IAM infrastructure based on ForgeRock products. At Paradigmo, the RockKit was developed initially to optimize the delivery of our own projects. We were already applying DevOps principles before DevOps became a hot topic!

Alongside RockKit development, one of ForgeRock’s current roadmap priorities is to improve its cloud-readiness. To accomplish this, ForgeRock is applying the principles of ‘Infrastructure as Code [4]’. These principles are:

o Store ForgeRock products configuration in text files, in popular file formats like JSON and YAML.

o Augment the deployment automation capabilities by processing the configuration files using scripting languages like Perl, Python, etc.

o Version and tag the configuration files when a release is ready.

o Promote configuration files from one environment to another.

o Adopt a Continuous Integration/Continuous Deployment (CI/CD) process.

The purpose of these evolutions is to better support an automation and orchestration engine... that would be provided by a third-party. It is precisely what the RockKit does!

[2] Docker is one example. Docker and Kubernetes are the components currently used by ForgeRock in its DevOps transformation.

[3] Initially, ssoadm was the command line interface of Sun OpenSSO.

[4] Infrastructure as Code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Source: Wikipedia.

RockKit provides the automation and orchestration engine that complements ForgeRock products’ capabilities.

The RockKit at work

How does the RockKit work? See the diagram below.

[Diagram: How does it work?]

The current sample project delivered with RockKit contains 1 x HA Proxy, 2 x OpenAM, 2 x OpenDJ, and 2 x OpenIDM. The sample project configuration items are loaded into the source code repository, adapted to the project and processed by RockKit to perform an initial installation in DEV. During the development, configuration items are collected from a DEV environment and inserted into the GIT. At any time, a developer can reinstall a clean and latest DEV environment.

Once the development of one IAM release is completed, tested and labelled, RockKit will prepare a self-contained installer for each target server in Q&A and PRD environments. An operator, potentially shadowed by a developer, can execute the deployment by typing in a single install command.

RockKit ensures the knowledge transfer from development to operations.

The RockKit methodology

In addition to delivering automation and orchestration capabilities, the RockKit includes and proposes a methodology – serving as an IAM project delivery framework. This methodology is as important as the toolkit when it comes to organizing, controlling and optimizing the delivery process.

An IAM project will follow the standard cycle: design, architecture, development and deployment.

The design phase is standardized. It describes the solution, typically in terms of functional requirements, non-functional requirements and use cases. The design document is the deliverable of this initial phase.

The design document is a prerequisite for entering the RockKit methodology, as represented below.

The architecture template is the first step of the methodology. The architecture template is a pre-filled document whose structure maps the services delivered by the ForgeRock Identity Platform. These services for example include provisioning, authentication, authorization, federation, audit, and monitoring. The purpose is to translate a project description into a set of technical parameters that are required to configure the ForgeRock stack. Two inputs are required to fill the architecture template: the design document and the technical infrastructure details such as domain names, URLs, port number, base DN, connection uid and passwords.

The project sample is the second step of the methodology. By default, the project sample provides a project structure in a source code repository. By building and deploying the project sample, a sample DEV environment can be deployed, including by default 1 x HA Proxy, 2 x OpenAM, 2 x OpenDJ and 2 x OpenIDM. Afterwards, the iterative development phase presented in the previous paragraph can begin. The project sample and the project structure are important because:

o they harmonize the project development – the development team works according to the structure proposed by the project sample;

o they define the structure – the developers don’t have to concern themselves with creating the appropriate structure;

o they provide a learning path – junior developers can refer to a reference project.

The development guide is the third step. It explains how configuration items of the sample project can be added/modified/deleted.

The deployment template is the fourth step. It explains how the sample project can be deployed. From this starting point, the deployment template can be adapted.

RockKit has a moving target

The ForgeRock software platform is continuously evolving, in terms of new functionalities (new features, new modules) and the adoption of new technologies.

Our intention is to align the RockKit with these new and often exciting technologies, as soon as the release is stable and there is sufficient demand for these features.

We just need the time to upgrade our sample project or adapt our toolkit product stack to be compliant with the new release.

The aim is that, for every extension on your IAM platform, you can benefit from RockKit. For future upgrade projects, we will also offer an appropriate RockKit version that is compatible with the latest ForgeRock software.

The RockKit benefits

Ø Benefits for managers

The manager will optimize the delivery of his IAM project in terms of time, resource and money.

At Paradigmo, we made a benchmark based on a set of six projects delivered between 2010 and 2017. The projects taken into account were:

                | 2010                | 2012              | 2014               | 2015                      | 2016                         | 2017
Stage           | No RockKit          | RockKit Beta      | RockKit v1.0       | RockKit v2.0              | RockKit v3.0                 | RockKit v4.5
Type of project | Initial setup       | Migration project | Migration project  | Initial setup             | Initial setup                | Migration project
Project scope   | 2.8M external users | IDP service       | 25K internal users | Internal & external users | Self-service customer portal | 12K internal users

The result of our benchmarking is illustrated in the diagram below.

The standard duration of our projects is now between 3 and 6 months.

The standard resource usage in man-days is less than 100 man-days. When using RockKit, we estimate that a project’s resource usage is reduced by a factor of 4 to 6.

Thanks to the RockKit methodology, the manager can call on junior IAM resources for the project. The junior resource benefits from the project sample and its pre-defined structure. The junior resource also benefits from template documents covering architecture, development and deployment. Ideally, the junior is coached by a senior resource.

With our methodology and toolkit, the IAM delivery process becomes a structured and well-managed IAM project delivery practice. Cyber-security requires a stronger governance model, which can be built on top of RockKit.

We provide RockKit training and knowledge transfer on the toolkit and methodology, so that your team becomes self-sufficient for the development and for the day-to-day operations and support. Our aim is to reduce your dependency on any external service provider as much as possible: there is no lock-in after RockKit knowledge transfer. Once deployed, there is no dependency whatsoever on RockKit. At any time, an organization may choose to turn to another automation and orchestration engine.

Ø Benefits for developers

The developer benefits from a collaborative environment. The development process is very similar to that for a standard application, with the developer working in a team of developers. Each developer commits his work in a source code repository and contributes to the project delivery.

The developer uses configuration files or the GUI as a configuration tool. There are two ways to configure the ForgeRock products. Firstly, the configuration files are changed. The servers can reload these files or are restarted – as typically happens in OpenIDM. Secondly, the graphical admin console is used to change the configuration – this is what typically happens in OpenAM.

Finally, the developer can reinstall a clean and latest development environment at any time. No need to remember what has been configured, what worked and what didn’t, or how to roll back some tests... Just restart from a clean install.

Ø Benefits for operators

The operator benefits from an optimized and reliable deployment.

It is optimised because the deployment is completely automated, reducing the operations to a single deployment command. So, the process is less prone to errors.

It is reliable because on the day that a release is finalized and tagged, the .bz2 archives are built for all Q&A and PRD servers. All archives contain the exact same release, with the exception of the local variables. Different operators can then reliably deploy the archives in different environments, at different times.
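The per-server installer described above (one self-contained .bz2 archive per Q&A/PRD server, identical except for the local variables) together with the check an operator would want before deploying it, as an added example that is not RockKit's own code; the file name local.env, the directory layout, the server names and the tag value are constructed assumptions:

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

LOCAL_VARS = "local.env"  # hypothetical name for the per-server local variables file

def build_archive(release_dir, out_dir, server, local_vars):
    """Pack the tagged release tree plus a generated local variables file into <server>.tar.bz2."""
    archive = Path(out_dir) / f"{server}.tar.bz2"
    with tarfile.open(archive, "w:bz2") as tar:
        for path in sorted(Path(release_dir).rglob("*")):
            if path.is_file():
                tar.add(str(path), arcname=str(path.relative_to(release_dir)))
        body = "".join(f"{k}={v}\n" for k, v in sorted(local_vars.items())).encode()
        info = tarfile.TarInfo(LOCAL_VARS)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return archive

def release_fingerprint(archive):
    """SHA-256 over (path, content) of every member except the local variables file."""
    digest = hashlib.sha256()
    with tarfile.open(archive, "r:bz2") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if member.isfile() and member.name != LOCAL_VARS:
                digest.update(member.name.encode() + b"\0")
                digest.update(tar.extractfile(member).read() + b"\0")
    return digest.hexdigest()

def read_local_vars(archive):
    """Return the per-server values that are allowed to differ between installers."""
    with tarfile.open(archive, "r:bz2") as tar:
        text = tar.extractfile(LOCAL_VARS).read().decode()
    return dict(line.split("=", 1) for line in text.splitlines())

def same_release(archives):
    """Operator pre-deployment check: every installer carries one identical release."""
    return len({release_fingerprint(a) for a in archives}) == 1

def demo():
    """Constructed sample: a two-file release packed for two Q&A servers."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp) / "release"
        (release / "openidm" / "conf").mkdir(parents=True)
        (release / "openidm" / "conf" / "sync.json").write_text('{"mappings": []}\n')
        (release / "RELEASE").write_text("tag=v1.0.0\n")
        a = build_archive(release, tmp, "qa-idm-01", {"HOSTNAME": "qa-idm-01", "ENV": "QA"})
        b = build_archive(release, tmp, "qa-idm-02", {"HOSTNAME": "qa-idm-02", "ENV": "QA"})
        return same_release([a, b]) and read_local_vars(a) != read_local_vars(b)
```

Comparing fingerprints rather than whole-archive checksums is what lets the check pass even though each installer legitimately carries its own local variables.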

Ø The business value

With RockKit we increase speed, enabling faster execution of your transformation programs. Transformation today is driven by digitization initiatives, organizational changes like mergers and acquisitions, security programs and many other trends.

When small changes are required, reactivity is also a key element for meeting business needs.

At the same time, we significantly lower the cost of IAM project delivery, because fewer resources are involved in the development project. Moreover, update and upgrade work and costs can be reduced significantly.

Finally, as security is a fast-moving area with constant innovation, easy adoption of new technologies will allow you to develop better security while ensuring seamless customer experience.

Summary of benefits

For managers

Ø Optimized usage of time, resources, money

Ø Ability to engage junior resource

Ø Stronger governance model for IAM delivery

Ø Lower dependency on service provider, no lock-in after RockKit knowledge transfer

For developers

Ø Collaborative environment to develop in team

Ø Restart from latest at any moment

For operators

Ø Optimized deployments: reliability and time

Ø Availability of rollback

Value for the business

Ø Increased speed, faster execution of digital programs, shorter time-to-market

Ø Better reactivity, fast reaction to change requests

Ø Lower cost:

o fewer resources involved in development project

o significantly lower upgrade/update work

Ø Fast adoption of new technologies allowing you to develop better customer experience