Wow, 2018 is already over, and a new year has started. It’s a usual time to look back at what we’ve achieved, make a clean slate (zero inbox), take a deep breath and jump ahead to the new projects, goals or adventures, both personal and professional. Including posting more on this blog ! 🙂
I’m wishing every day of the new year to be filled with love, success, happiness and prosperity for you. Happy New Year! Bonne Année ! Godt Nytt År ! ¡ Feliz año nuevo ! あけましておめでとうございます。 …
Ease of use has always been important for us, and DS 6.5 brings it to a new level for the customers that are deploying other ForgeRock products. Starting with this version, you can select one or more profiles at installation time. A profile contains the complete configuration for a specific use: base DN, backend, indexes, schema, specific configuration parameters, administrative users, ACI and privileges. Out of the box, we are delivering 3 profiles for ForgeRock Access Management: Identity Store, Configuration Store and the Core Token Service Store; 1 profile for ForgeRock Identity Management: Managed Object Store; and 1 profile for Directory Services evaluation, which contains the data and configuration used throughout our documentation and allows you to copy and paste the command examples from the guides and replay them against a running server.
To learn more about profiles, get DS 6.5, and run
. To learn about a specific profile, you can run
setup --help-profile am-cts:6.5.0
With regards to DevOps, containers and automation in the cloud, we’ve continued the efforts that we had started with previous releases.
DS 6.5 now supports a method to run post-upgrade tasks on the data, such as rebuilding indexes.
The server has 2 new HTTP endpoints to probe its status. /isReady indicates that the server is up and running. /isHealty indicates whether its current state is optimal, or whether there are temporary limitations, such as a database backend being offline for maintenance or replication lagging too much (with “too much” being fully configurable).
The Grafana sample dashboard has been updated.
Like all ForgeRock Identity Platform products, DS comes with a Common Audit handler that publishes log messages to stdout, a common practice when working with Docker containers.
Directory Proxy Server 6.5 now supports “sharding”, i.e. distributing data into multiple discrete replicated directory services. Such deployments make very large amounts of data easier to manage and give better write scalability. In this version, the number of “shards” is fixed, but we are working on making the service scale dynamically as the data grows, in future versions.
Directory Services 6.5 now supports limiting the number of connections that can be opened from a single client application. Based on its IP address, a client may be denied, fully allowed, or restricted in its number of open connections, offering greater protection against misbehaving applications.
The product also now supports the LDAP Relax Rules Control, which allows an administrator to add or modify attributes that are normally read-only. This feature can be used when synchronising data between different LDAP products, so that entries have the same timestamps for their creation or modification dates.
We’ve made the “cn=Changelog” suffix and data available on servers that are only acting as Replication hubs (RS), since they are persisting all the changes to replicate them.
We’ve added a couple of troubleshooting tools with the release. One tool, changelogstat, lets an administrator list and dump the content of the replication changelog databases. The supportextract tool allows an administrator to capture the state and logs of a Directory Services instance and make the file available to ForgeRock support quickly.
Java 11 is now fully supported, both Oracle JVM and OpenJDK builds (from Oracle, Red Hat or Azul Systems).
Finally, like with all releases of Directory Services, we have enhanced the performance and the reliability of the server in many areas. But most importantly, we have fully tested that you can upgrade to 6.5 without any service interruption: from 2.6 to 6.0, you can upgrade an instance and let it replicate with the other instances, then start upgrading the next one, until all instances are on the latest and greatest version. If you use VMs or containers, you can stop an existing instance and replace it with a new one. Or add a new one and then stop an old one… Your choice, but both scenarios are supported.
Come and join us to meet customers, opinion leaders, technical experts and other digital identity professionals. For the first time this year, you will also have the opportunity, on November 14, to meet and talk with the products’ technical experts and developers in an “UnConference” format: a fluid agenda, interactive discussions about new features, about best practices with Docker containers and Kubernetes…
In London, we’ve had 3 important customers that explained how they are innovating with the help of digital identities, each of them providing online services to over 30 million users: The BBC, Maersk and Pearson. And we’ve had 3 major UK banks that joined a panel to discuss OpenBanking and APIs in the banking industry. I have particularly enjoyed the well mastered presentations by Bianca Lopes about the data that we leave online and that ties back to our identity, and by Spencer Kelly, technology presenter of the BBC show “Click”.
Today, we had our “unConference” day, where the engineering team joins the product management team to discuss with our customers and partners how to leverage the newest features of the ForgeRock Identity Platform, whether already released or soon to be.
This was my first participation in the events in this region (somehow I managed to convince my family to move our vacation earlier so I could attend), and it was great meeting in person with many customers and prospects I’ve interacted with over the phone, as well as meeting the ForgeRock colleagues I hadn’t seen for a while. As usual, the conversations around our products and the customers’ solutions were very rich and open, and I came back with great inputs and confirmations for our roadmaps.
You can find my photos of the events in the following Flickr albums:
I’m sitting in training this week with our Solution Architects team and was talking to my long time colleague Scott Fehrman about a customer I recently met and a mention of the Open Provisioning ToolKit (OpenPTK) in one of the slides. OpenPTK is an open source project that Scott, Terry Sigle and Derrick Harcey founded at Sun Microsystems some years ago.
As we were talking, Scott realized that the website that hosted OpenPTK source code, issues and downloads (java.net) is gone. As he had a copy of the latest version, he put it back online on his GitHub account.
If anyone is using OpenPTK and would like to get the code, or even better work on it, it has risen from the ashes and is now publicly available:
This major release of Directory Services is a consolidation of the current product, bringing even more reliability and performance to a very robust product. But it also brings a number of new features and improvements.
The main change in this version is around monitoring. With a common set of services, APIs and libraries for the whole Identity Platform, we’ve refined and optimised the monitoring metrics of the Directory Services, organising them in a more logical and hierarchical way. When searching the monitoring data over LDAP, all entries now have a proper schema (objectClasses and AttributeTypes) and many metrics have been consolidated into a single attribute with a JSON value. In addition to exposing the metrics via JMX, we are now offering 2 endpoints to directly collect them with Prometheus or Graphite and visualise them using Grafana. We’re delivering a sample Grafana dashboard to illustrate their use:
I will write a more in depth post to describe the new monitoring capabilities of ForgeRock Directory Services 6.0.
Amongst the other improvements of the new release, I can mention:
Support for Time To Live (TTL) indexes at the backend level. When entries reach their TTL date, they are automatically removed from the data store.
Ability to sort entries based on JSON attributes and specific fields, and also ability to sort entries when using Simple Paged results (and a page size smaller than the server side index limit).
Support for configuring the server offline, using dsconfig (--offline).
Support for expressions in the configuration file.
Support for defining a global server ID for replication, which will be used by all replicated suffixes of that server.
Initial separation of what is static read-only configuration from what is more dynamic in deployments.
A new option to ldapmodify and ldapdelete to do bulk load operations.
More optimisations of disk space usage with entries and logs, as well as more performance optimisations.
Directory Services 6.0 can upgrade instances of OpenDJ starting with version 2.6.0 or ForgeRock Directory Services 5.x, and it has been tested to be replicating with these versions as well, allowing a smooth upgrade of a replicated service with no downtime, nor change in configuration or replication. For a rolling upgrade, stop one of the servers, take a backup, install DS 6 and upgrade, restart the server, and move to the next one.
I’m one of the organisers of a developers’ conference here in Grenoble, France, the SnowCamp. The 3rd edition took place last week at Minatec. During 3 days, we hosted 10 University workshops, 40 presentations, 3 keynotes, and welcomed 375 attendees. And on the Saturday, we ran a smaller unconference with some of the speakers on the snowy slopes of Chamrousse, the closest ski resort to Grenoble.
It has been 4 very intense days, but I’m really happy with how smooth the event went, and I’m excited to help organising it again next year (no spoiler, but it should take place end of January 2019).
Yes, the picture looks familiar for those who have already come to visit us. In fact, we haven’t changed address, we’ve just moved the ForgeRock Grenoble Engineering Center to a new office space, in the same building, doubling in size, building our lab in the facilities.
With now 23 employees based in the Grenoble area, the expansion was long overdue. We now have more space for everyone, more meeting rooms, a creative area with a huge whiteboard, and a dedicated kitchen area.
Last Thursday, Mike Ellis, ForgeRock CEO, and Jonathan Scudder, co-founder were in the office for the opening party.
We also had visitors from the Bristol engineering team, the Vancouver WA engineering team and the Czech Republic ProfiQ team, truly showing our diversity and international presence.
I hope that we will continue to grow as we’ve been doing in these first 7 years… We have an amazing team and a great culture. Let’s keep rocking on!
Thanks to Bruno Lavit Photography for the photo coverage!
Earlier this week, ForgeRock announced an $88M series D funding, ahead of a planned IPO.
I’ve been working with ForgeRock for 7 years, starting the first R&D engineering center in Grenoble, France, and building our Directory Services product. And I’m just amazed by the incredible journey we’ve accomplished since the beginning. I’m just thrilled to be part of this great adventure!
If you want to understand its foundation, take a look at this video with Mike Ellis, CEO and Steve Ferris, SVP Services and Founder.