Getting Started for Architects and Deployers

The following section provides general instructions to get started with an OpenAM deployment.

Plan the Deployment

The first phase of your project is planning.

  • Learn about OpenAM. You can access online information, meet with your ForgeRock Sales representative, go to a seminar, or call ForgeRock about OpenAM’s capabilities.

    The following are some general questions that you may want to have answered:

    OpenAM Initial Questions
    OpenAM Initial Tasks | Done?
    Understand the access management problems that OpenAM helps to solve | Y / N
    Learn how to protect a Web site with OpenAM | Y / N
    Get to know the OpenAM software deliverables | Y / N
    Get to know the tools for administering OpenAM | Y / N
    Get to know the APIs for OpenAM client applications | Y / N
    Find out how to get help and support from ForgeRock and partners | Y / N
    Find out how to get training from ForgeRock and partners | Y / N
    Find out how to keep up to date on new development and new releases | Y / N
    Find out how to report problems | Y / N

  • Set up a Demo or Pilot. View an OpenAM demo or set up a pilot to determine how you want to use OpenAM to protect your site(s). ForgeRock Sales representatives can assist you with a demo or pilot.

  • Attend a Training Class. ForgeRock presents effective training classes to deploy OpenAM in your environment. See ForgeRock University for more information.

  • Complete the Accreditation Program. Complete the product-specific ForgeRock Accreditation Program to gain in-depth design and deployment expertise or seek partners who are ForgeRock Accredited Partners.

  • Determine Your Service Level Agreements. ForgeRock provides a set of standard service level agreements that you can sign up for. ForgeRock also provides custom service level agreements if the standard set does not meet your needs.

    OpenAM Standard SLAs
    Priority    | Gold              | Silver            | Bronze
    Urgent (P1) | 2 Hour            | 4 Hour            | Next Business Day
    High (P2)   | 4 Hour            | 8 Hour            | 2 Business Days
    Normal (P3) | 6 Hour            | Next Business Day | 3 Business Days
    Low (P4)    | Next Business Day | 2 Business Days   | 4 Business Days

  • Determine Your Services. ForgeRock provides a full, production-proven Identity Management stack to meet your requirements.

    OpenAM Services
    Services Task | Done?
    Understand the services OpenAM software provides | Y / N
    Determine which services to deploy | Y / N
    Determine which services the deployment consumes (load balancing, application container, authentication services, configuration storage, profile storage, token/session storage, policy storage, log storage) | Y / N
    Determine which services the deployment provides (SSO, CDSSO, SAML Federation IDP/SP, XACML PDP, REST STS, OAuth 2.0/OpenID Connect 1.0, and so forth) | Y / N
    Determine which resources OpenAM protects (who consumes OpenAM services) | Y / N

  • Determine Your Deployment Objectives. OpenAM provides proven performance and security in many production deployments. You should determine your overall deployment objectives.

    OpenAM Deployment Objectives
    Deployment Objectives | Done?
    Define deployment objectives in terms of service levels (expectations for authentication rates, active sessions maintained, session life cycles, policies managed, authorization decision rates, response times, throughput, and so forth) | Y / N
    Define deployment objectives in terms of service availability (OpenAM service availability, authentication availability, authorization decision availability, session availability, elasticity) | Y / N
    Understand how OpenAM services scale for high availability | Y / N
    Understand the restrictions in an OpenAM deployment that uses stateless sessions | Y / N
    Plan for availability (number of sites and servers, load balancing and OpenAM software configuration) | Y / N
    Define the domains managed and domains involved in the deployment | Y / N
    Define deployment objectives for delegated administration | Y / N
    Agree with partners for federated deployments on circles of trust and terms | Y / N

  • Plan Sizing. At this stage, you should determine the sizing estimates for your deployment. ForgeRock Sales Engineers can assist you in this task.

    OpenAM Sizing
    Sizing | Done?
    Derive sizing estimates from service levels and availability | Y / N
    Understand how to test sizing estimates (load generation tools?) | Y / N
    Size servers for OpenAM deployment: CPU | Y / N
    Size servers for OpenAM deployment: Memory | Y / N
    Size servers for OpenAM deployment: Network | Y / N
    Size servers for OpenAM deployment: I/O | Y / N
    Size servers for OpenAM deployment: Storage | Y / N
    Quantify impact on external services consumed (LDAP, other auth services, load balancing, and so forth) | Y / N
    Plan testing and acceptance criteria for sizing | Y / N

  • Plan the Topology. Plan your logical and physical deployment.

    OpenAM Topology Planning
    Topology | Done?
    Specify the logical and physical deployment topology (show examples of each) | Y / N
    Determine whether to use the embedded or external directory service for configuration, CTS, and user data | Y / N
    Plan installation of OpenAM services (including external dependencies) | Y / N
    Plan installation of OpenAM policy agents, Fedlets, and OpenIG (might be done by partner service providers) | Y / N
    Plan integration with client applications | Y / N
    Plan customization of OpenAM (classic UI or XUI, user profile attributes, authentication modules, identity repositories, OAuth 2.0 scope handling, OAuth 2.0 response types, post-authentication actions, policy evaluation, session quota exhaustion actions, identity data storage, OpenAM service, custom logger, custom Web policy agents) | Y / N

  • Plan Security. At this stage, you must plan how to secure your deployment.

    OpenAM Security
    Security | Done?
    Understand security guidelines, including legal requirements | Y / N
    Change default settings and administrative user credentials | Y / N
    Protect service ports (firewall, Distributed Authentication UI, reverse proxy) | Y / N
    Turn off unused service endpoints | Y / N
    Separate administrative access from client access | Y / N
    Secure communications (HTTPS, LDAPS, secure cookies, cookie hijacking protection, key management for signing and encryption) | Y / N
    Determine whether components handle SSL acceleration or termination | Y / N
    Secure processes and files (for example, with SELinux, a dedicated non-privileged user, port forwarding, and so forth) | Y / N

  • Post-Deployment Tasks. At this stage, you should plan your post-deployment tasks to sustain and monitor your system.

    OpenAM Post-Deployment Tasks
    Post-Deployment Tasks | Done?
    Plan administration following OpenAM deployment (services, agents/OpenIG, delegated administration) | Y / N
    Plan monitoring following deployment | Y / N
    Plan how to expand the deployment | Y / N
    Plan how to upgrade the deployment | Y / N
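The "Secure communications" and "Protect service ports" rows of the OpenAM Security checklist above are easy to tick and easy to get wrong. The following script is an added example, not part of this guide or of the OpenAM software: it audits two artifacts you can collect from a deployment against those rows, the Set-Cookie headers an OpenAM server returns after login and the URLs configured for its directory and server endpoints. The header lines and endpoint URLs it contains are constructed sample data; iPlanetDirectoryPro is OpenAM's default SSO session cookie name and amlbcookie its load-balancer cookie, but every other value is made up for the example.

```python
"""Audit helper for the OpenAM Security checklist (added example, not OpenAM code).

Checks two things a deployer can verify before go-live:
  1. cookies set by OpenAM carry the Secure and HttpOnly attributes;
  2. configured server and directory URLs use https:// or ldaps://.
All sample data in this file is constructed for the example.
"""
from urllib.parse import urlparse

# Constructed sample: response headers captured after an authentication request.
# iPlanetDirectoryPro is OpenAM's default session cookie; amlbcookie is its
# load-balancer stickiness cookie. The session cookie below lacks both flags.
SAMPLE_HEADERS = [
    "Set-Cookie: iPlanetDirectoryPro=AQIC5w-constructed-value; Path=/; Domain=.example.com",
    "Set-Cookie: amlbcookie=01; Path=/; Secure; HttpOnly",
    "Strict-Transport-Security: max-age=31536000",
]

# Constructed sample: the roles and URLs an OpenAM deployment plan would list
# (configuration store, CTS, identity repository, and the server URL itself).
SAMPLE_ENDPOINTS = {
    "configuration store": "ldap://config.example.com:389",
    "CTS store": "ldaps://cts.example.com:636",
    "identity repository": "ldaps://users.example.com:636",
    "OpenAM server URL": "http://openam.example.com:8080/openam",
}

# Attribute keys (lower-cased) that every OpenAM cookie should carry.
REQUIRED_COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}

# URL schemes that satisfy the "HTTPS, LDAPS" part of the checklist.
TLS_SCHEMES = {"https", "ldaps"}


def parse_set_cookie(header_line):
    """Split a 'Set-Cookie:' line into (cookie name, {attribute: value}).

    Attribute names are lower-cased; bare flags such as Secure map to True.
    """
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else True
    return name, attrs


def audit_cookies(headers, session_cookie="iPlanetDirectoryPro"):
    """Return a list of findings for cookies missing Secure or HttpOnly,
    plus a finding if the expected session cookie was never set."""
    findings = []
    found_session = False
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if name == session_cookie:
            found_session = True
        for key, label in REQUIRED_COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(f"cookie {name}: missing {label} attribute")
    if not found_session:
        findings.append(f"session cookie {session_cookie} not present in captured headers")
    return findings


def audit_endpoints(endpoints):
    """Return a finding for every endpoint URL whose scheme is not TLS-protected."""
    findings = []
    for role, url in endpoints.items():
        scheme = urlparse(url).scheme.lower()
        if scheme not in TLS_SCHEMES:
            findings.append(f"{role}: {url} uses {scheme}, expected https or ldaps")
    return findings


def audit(headers, endpoints):
    """Run both checks; an empty list means the two checklist rows pass."""
    return audit_cookies(headers) + audit_endpoints(endpoints)


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_ENDPOINTS):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports four findings: the session cookie is missing both Secure and HttpOnly, the configuration store is reached over plain LDAP, and the server URL itself is plain HTTP. In a real deployment, feed it the headers from your own login response and the URLs from your deployment plan; the Administration Guide's "Securing OpenAM" chapter covers how to set the cookie and connection options that make these findings disappear.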

Install the Components

The installation process requires that you implement your deployment plan.

  • Plan the Overall Deployment. The initial planning step involves establishing the overall deployment. You should determine who is responsible for each task and any external dependencies.

  • Determine What To Install. Based on your deployment plan, determine what you need to install.

  • Determine Your System Requirements. Based on your deployment plan, determine your system requirements.

  • Prepare the Operating System. Prepare your operating system, depending on the OS: Linux, Solaris, Windows, Cloud (Amazon EC2, OpenStack, and so forth), or Virtual Machines (VMware, Xen, Hyper-V, and so forth).

  • Prepare the Java Environment. Prepare your Java environment, depending on your vendor type: Oracle, IBM, OpenJDK.

  • Prepare the App Server. Prepare your application server, depending on type: Apache Tomcat, JBoss 4/5, WildFly, Jetty, Oracle WebLogic, IBM WebSphere. Also, prepare each app server for HTTPS.

  • Prepare the Directory Servers. Prepare the configuration directory server, OpenDJ for the core token service (CTS), and the LDAP identity repository. For information on installing data repositories, see "Preparing For Installation" in the Installation Guide.

  • Obtain the OpenAM Software. You should obtain a supported release of OpenAM or an archive build. For the latest stable version of OpenAM, click Releases.

  • Configure OpenAM. Install and configure OpenAM with or without the console, the setup tools (configurator), configuration tools (ssoadm, ampassword, amverifyarchive), or set up your scripted install and configuration of OpenAM. For information on installing OpenAM, see the Installation Guide.

  • Set up your Realms. Within OpenAM, set up your realms and any realm administrators. For more information on realms, see "Configuring Realms" in the Administration Guide.

  • Configure Session State. Configure sessions as stateful or stateless. For more information on session state, see "Configuring Session State" in the Administration Guide.

  • Install Another OpenAM Instance. Set up an identical instance of your first OpenAM instance. For information on installing multiple OpenAM servers, see "Installation Considerations for Multiple Servers" in the Installation Guide.

  • Secure OpenAM. Configure OpenAM to access external resources over HTTPS and LDAPS. Set up secure cookies and certificates. For more information, see "Securing OpenAM" in the Administration Guide.

  • Configure High Availability. Configure the load balancers, reverse proxies, and site(s). Configure OpenAM for session failover and server failover. For simple instructions to deploy OpenAM behind a load balancer, see Deploying OpenAM behind a load balancer. For an example of a reverse proxy with OpenAM, see Simple Apache Reverse Proxy for OpenAM with Certificate-Based Authentication. For information on configuring sites, see "Installation Considerations for Multiple Servers" in the Installation Guide.

  • Prepare the Policy Agent Profiles. Prepare the policy agent profile, agent authenticator, policy agent configuration, and bootstrap configuration for each Java EE or Web policy agent. For more information, see "Configuring Policy Agent Profiles" in the Administration Guide.

  • Install the Policy Agents. Install the policy agents depending on the app server or Web server type. For app servers: Apache Tomcat, JBoss, Jetty, Oracle WebLogic, IBM WebSphere. For Web servers: Apache, Microsoft IIS. Set up any scripted installations of the policy agents. For more information, see the OpenAM Web Policy Agent documentation.

  • Customize OpenAM. Customize OpenAM for your organization. For information on customizing the OpenAM end-user pages, see "Customizing the OpenAM End User Pages" in the Installation Guide.

  • Install OpenIG. Determine which OpenIG deliverable to install (whether federation is involved). Prepare the Apache Tomcat, JBoss, Jetty, Oracle WebLogic app servers for installation. Install OpenIG. See the OpenIG documentation for details.

  • Plan Application and Host Backup. Determine your backup strategy including LDIF exports, file system backups, tar files, and so forth. Also, consider log rotation and retention policies. For more information on backups, see "Backing Up and Restoring OpenAM Configurations" in the Administration Guide.

  • Plan an OpenAM Upgrade. You should know what is new or fixed in an upgrade version, as well as the differences and compatibility between the current version and the upgrade. Know the limitations of an upgrade version. Plan a live upgrade without service interruption, or an offline upgrade with service interruption. Plan how to test the upgrade and how to revert a failed upgrade. For more information on upgrades, see the Upgrade Guide.

  • Upgrade OpenAM. Upgrade OpenAM and other instances with or without the console. Upgrade the setup tools (configurator), configuration tools (ssoadm, ampassword, amverifyarchive), and the Java EE and/or Web policy agents. Upgrade OpenIG. For more information on upgrades, see the Upgrade Guide.

  • Remove OpenAM. If required, remove OpenAM with or without the console. Remove setup and configuration tools. Remove the Java EE and/or Web policy agents. Remove OpenIG. For more information on removing OpenAM, see "Removing OpenAM Software" in the Installation Guide.