The Rapid Deployment Toolkit for ForgeRock Identity Platform, White Paper, June 2017
RockKit White Paper, page 3, June 2017
IAM for the digital age requires new practices
Over the last two decades, Identity and Access Management has mainly concentrated on enterprise requirements, such as directory services, RBAC lifecycle management, provisioning and reconciliation, access management, single sign-on, etc. This has led to imbricated infrastructures that are hard to extend and to operate, a situation recognized by domain experts.
In the new digital age, the focus has shifted towards external users, omni-channel applications, IoT integration and data protection (GDPR). Cloud-readiness and security become top of mind. The ForgeRock® Identity Platform provides a solution to address most of these challenges.
This new focus obliges the IAM team to deliver fast and adapt to new requirements. Cloud deployment, changing organizations and new business models require an agile delivery method.
IAM project delivery inspired by DevOps
“DevOps is one of the hot topics at the moment, and is well on its way up the hype curve ... it doesn’t replace agile software development, it complements it very, very well.” Leon Tranter [1]
DevOps is a rethinking of how we configure, customize and deploy software.
Traditionally, and for more than a decade now, software development has relied on agile development methods. When a software release is finalized, the package is passed to operations for deployment. The operations team wants to keep control of the environments under its responsibility, but there are a few problems to be solved:
o The production environment does not look exactly like the development and staging environments. This is particularly true with an imbricated IAM infrastructure, where not all integrated components are available in all environments.
o The deployment process may not be completely automated. Full automation of the installation process may not be possible if the package(s) do not support it. Again, this is particularly true with the IAM product suites available on the market.
o Different people may execute the deployment process at different times in different environments. If the deployment process is not fully automated and includes many operations, it may be hard to reproduce in the same way. Moreover, the deployment process may not be the same in different environments!
If these problems sound familiar, we have a solution for you!
In the long term, DevOps breaks the boundary between development and deployment. This works by putting the released software into a “software container” [2], and that “software container” gets moved from development to staging and then to production.
[1] Leon Tranter maintains the Extreme Uncertainty website and published an excellent blog post on “the difference between agile and DevOps”.
In our IAM context, the DevOps approach has to be moderated:
o An IAM infrastructure is a transversal service and it remains highly integrated with other components.
o There are multiple DevOps technologies and most still need further development before they become production-ready.
If DevOps is the long-term goal, and if today’s aim is to automate the development and deployment of your ForgeRock infrastructure, what can you do today?
Paradigmo proposes the RockKit
RockKit has been developed for the ForgeRock Identity Platform products: OpenAM, OpenDJ and OpenIDM.
Automated deployment of ForgeRock products has been available for some time. OpenAM includes the ssoadm command line interface [3]; OpenDJ has dsconfig; and OpenIDM has always fetched its configuration from JSON configuration files.
Thanks to these long-standing capabilities, Paradigmo started developing the RockKit back in 2012, with the goal of optimizing the development process as well as automating and orchestrating the deployment of an IAM infrastructure based on ForgeRock products. At Paradigmo, the RockKit was developed initially to optimize the delivery of our own projects. We were already applying DevOps principles before DevOps became a hot topic!
Alongside RockKit development, one of ForgeRock’s current roadmap priorities is to improve its cloud-readiness. To accomplish this, ForgeRock is applying the principles of ‘Infrastructure as Code’ [4]. These principles are:
o Store ForgeRock products’ configuration in text files, in popular file formats like JSON and YAML.
o Augment the deployment automation capabilities by processing the configuration files using scripting languages like Perl, Python, etc.
o Version and tag the configuration files when a release is ready.
o Promote configuration files from one environment to another.
o Adopt a Continuous Integration/Continuous Deployment (CI/CD) process.
The purpose of these evolutions is to better support an automation and orchestration engine... that would be provided by a third party. It is precisely what the RockKit does!
[2] Docker is one example. Docker and Kubernetes are the components currently used by ForgeRock in its DevOps transformation.
[3] Initially, ssoadm was the command line interface of Sun OpenSSO.
[4] Infrastructure as Code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Source: Wikipedia.
RockKit provides the automation and orchestration engine that complements ForgeRock products’ capabilities.
The RockKit at work
How does the RockKit work? See the diagram below.
[Diagram: How does it work?]
The current sample project delivered with RockKit contains 1 x HA Proxy, 2 x OpenAM, 2 x OpenDJ, and 2 x OpenIDM. The sample project configuration items are loaded into the source code repository, adapted to the project and processed by RockKit to perform an initial installation in DEV. During development, configuration items are collected from a DEV environment and inserted into Git. At any time, a developer can reinstall a clean and up-to-date DEV environment.
Once the development of one IAM release is completed, tested and labelled, RockKit will prepare a self-contained installer for each target server in the Q&A and PRD environments. An operator, potentially shadowed by a developer, can execute the deployment by typing a single install command.
RockKit ensures the knowledge transfer from development to operations.
The RockKit methodology
In addition to delivering automation and orchestration capabilities, the RockKit includes and proposes a methodology, serving as an IAM project delivery framework. This methodology is as important as the toolkit when it comes to organizing, controlling and optimizing the delivery process.
An IAM project will follow the standard cycle: design, architecture, development and deployment.
The design phase is standardized. It describes the solution, typically in terms of functional requirements, non-functional requirements and use cases. The design document is the deliverable of this initial phase.
The design document is a prerequisite for entering the RockKit methodology, as represented below.
The architecture template is the first step of the methodology. The architecture template is a pre-filled document whose structure maps the services delivered by the ForgeRock Identity Platform. These services for example include provisioning, authentication, authorization, federation, audit, and monitoring. The purpose is to translate a project description into a set of technical parameters that are required to configure the ForgeRock stack. Two inputs are required to fill the architecture template: the design document and the technical infrastructure details such as domain names, URLs, port numbers, base DN, connection uid and passwords.
The project sample is the second step of the methodology. By default, the project sample provides a project structure in a source code repository. By building and deploying the project sample, a sample DEV environment can be deployed, including by default 1 x HA Proxy, 2 x OpenAM, 2 x OpenDJ and 2 x OpenIDM. Afterwards, the iterative development phase presented in the previous paragraph can begin. The project sample and the project structure are important because:
o they harmonize the project development: the development team works according to the structure proposed by the project sample;
o they define the structure: the developers don’t have to concern themselves with creating the appropriate structure;
o they provide a learning path: junior developers can refer to a reference project.
The development guide is the third step. It explains how configuration items of the sample project can be added, modified or deleted.
The deployment template is the fourth step. It explains how the sample project can be deployed. From this starting point, the deployment template can be adapted.
RockKit has a moving target
The ForgeRock software platform is continuously evolving, in terms of new functionalities (new features, new modules) and the adoption of new technologies.
Our intention is to align the RockKit with these new and often exciting technologies, as soon as the release is stable and there is sufficient demand for these features.
We just need the time to upgrade our sample project or adapt our toolkit product stack to be compliant with the new release.
The aim is that, for every extension of your IAM platform, you can benefit from RockKit. For future upgrade projects, we will also offer an appropriate RockKit version that is compatible with the latest ForgeRock software.
The RockKit benefits
- Benefits for managers
The manager will optimize the delivery of his IAM project in terms of time, resources and money.
At Paradigmo, we made a benchmark based on a set of six projects delivered between 2010 and 2017. The projects taken into account were:
Year  Stage          Type of project     Project scope
2010  No RockKit     Initial setup       2.8M external users
2012  RockKit Beta   Migration project   IDP service
2014  RockKit v1.0   Migration project   25K internal users
2015  RockKit v2.0   Initial setup       Internal & external users
2016  RockKit v3.0   Initial setup       Self-service customer portal
2017  RockKit v4.5   Migration project   12K internal users
The result of our benchmarking is illustrated in the diagram below.
The standard duration of our projects is now between 3 and 6 months.
The standard resource usage in man-days is less than 100 man-days. When using RockKit, we estimate that a project’s resource usage is reduced by a factor of 4 to 6.
Thanks to the RockKit methodology, the manager can call on junior IAM resources for the project. The junior resource benefits from the project sample and its pre-defined structure. The junior resource also benefits from template documents covering architecture, development and deployment. Ideally, the junior is coached by a senior resource.
With our methodology and toolkit, the IAM delivery process becomes a structured and well-managed IAM project delivery practice. Cyber-security requires a stronger governance model, which can be built on top of RockKit.
We provide RockKit training and knowledge transfer on the toolkit and methodology, so that your team becomes self-sufficient for the development and for the day-to-day operations and support. Our aim is to reduce your dependency on any external service provider as much as possible: there is no lock-in after RockKit knowledge transfer. Once deployed, there is no dependency whatsoever on RockKit. At any time, an organization may choose to turn to another automation and orchestration engine.
- Benefits for developers
The developer benefits from a collaborative environment. The development process is very similar to that for a standard application, with the developer working in a team of developers. Each developer commits his work in a source code repository and contributes to the project delivery.
The developer uses configuration files or the GUI as a configuration tool. There are two ways to configure the ForgeRock products. Firstly, the configuration files are changed. The servers can reload these files or are restarted, as typically happens in OpenIDM. Secondly, the graphical admin console is used to change the configuration, which is what typically happens in OpenAM.
Finally, the developer can reinstall a clean and up-to-date development environment at any time. No need to remember what has been configured, what worked and what didn’t, or how to roll back some tests... Just restart from a clean install.
- Benefits for operators
The operator benefits from an optimized and reliable deployment.
It is optimized because the deployment is completely automated, reducing the operations to a single deployment command. So, the process is less prone to errors.
It is reliable because on the day that a release is finalized and tagged, the .bz2 archives are built for all Q&A and PRD servers. All archives contain the exact same release, with the exception of the local variables. Different operators can then reliably deploy the archives in different environments, at different times.
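As an added illustration, not RockKit's own code or archive format, the two ideas above in working form: the Infrastructure-as-Code principles listed earlier (configuration kept as JSON and processed by a scripting language, then promoted between environments) and the rule that every per-server installer carries the exact same tagged release, differing only in its local variables. The OpenIDM-style configuration item, the ${...} placeholder names and the local values are constructed for the example; the release fingerprint lets an operator confirm that QA and PRD received identical content, and an unresolved local variable fails the build instead of shipping a half-configured installer.

```python
import hashlib
import json
import re

# Constructed sample release: one OpenIDM-style JSON configuration item with
# ${...} placeholders for the environment-local values (hypothetical names).
RELEASE_TEMPLATE = {
    "connectorRef": {"connectorName": "org.identityconnectors.ldap.LdapConnector"},
    "configurationProperties": {
        "host": "${ldap_host}", "port": "${ldap_port}",
        "principal": "${ldap_bind_dn}", "credentials": "${ldap_password}",
        "baseContexts": ["${base_dn}"]},
    "syncFailureHandler": {"maxRetries": 5}}

# Constructed local variables for one target server (values are placeholders;
# the real password would come from the operator's secret store at install time).
QA_LOCAL_VARS = {"ldap_host": "dj1.qa.example.test", "ldap_port": 1389,
                 "ldap_bind_dn": "cn=Directory Manager",
                 "ldap_password": "<qa-password-from-vault>",
                 "base_dn": "dc=example,dc=com"}

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def release_fingerprint(template):
    """SHA-256 of the canonical template with placeholders left unresolved.
    Every installer built from the same tagged release carries this value, so
    an operator can verify that QA and PRD received identical content."""
    canonical = json.dumps(template, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def render(node, local_vars):
    """Recursively resolve ${name} against the environment's local variables.
    A whole-string placeholder keeps the variable's type (an int port stays an
    int); an unknown name raises KeyError, so a half-configured installer is
    never produced."""
    if isinstance(node, dict):
        return {k: render(v, local_vars) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, local_vars) for v in node]
    if isinstance(node, str):
        whole = PLACEHOLDER.fullmatch(node)
        if whole:
            return local_vars[whole.group(1)]
        return PLACEHOLDER.sub(lambda m: str(local_vars[m.group(1)]), node)
    return node

def build_installer(template, env_name, local_vars):
    """What a per-server installer carries: the release fingerprint plus the
    configuration rendered for that one environment."""
    return {"env": env_name, "release": release_fingerprint(template),
            "config": render(template, local_vars)}
```

Building the PRD installer from the same template with PRD values gives a different rendered config but the same release fingerprint, which is the property an operator checks before deploying at a later date.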
- The business value
With RockKit we increase speed, enabling faster execution of your transformation programs. Transformation today is driven by digitization initiatives, organizational changes like mergers and acquisitions, security programs and many other trends.
When small changes are required, reactivity is also a key element for meeting business needs.
At the same time, we significantly lower the cost of IAM project delivery, because fewer resources are involved in the development project. Moreover, update and upgrade work and costs can be reduced significantly.
Finally, as security is a fast-moving area with constant innovation, easy adoption of new technologies will allow you to develop better security while ensuring a seamless customer experience.
Summary of benefits
For managers
- Optimized usage of time, resources, money
- Ability to engage junior resources
- Stronger governance model for IAM delivery
- Lower dependency on service provider, no lock-in after RockKit knowledge transfer
For developers
- Collaborative environment to develop in a team
- Restart from latest at any moment
For operators
- Optimized deployments: reliability and time
- Availability of rollback
Value for the business
- Increased speed, faster execution of digital programs, shorter time-to-market
- Better reactivity, fast reaction to change requests
- Lower cost:
o fewer resources involved in the development project
o significantly lower upgrade/update work
- Fast adoption of new technologies allowing you to develop a better customer experience