Before you install
This section covers requirements before you run ForgeRock Identity Management software, especially in a production environment. If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.
Hardware and memory requirements
Due to the underlying Java platform, IDM software runs well on a variety of processor architectures.
When you install IDM for evaluation with the embedded DS repository, you need:
-
256 MB memory (32-bit) or 1 GB memory (64-bit) available.
-
10 GB free disk space for the software and sample data.
A DS repository (whether embedded or external) requires free disk space of 5% of the filesystem size, plus 1 GB by default. To change this requirement, set the In the case of an embedded DS instance, you can manage the configuration using the |
In production, disk space and memory requirements depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.
The amount of memory that IDM consumes is highly dependent on the data that it holds. Queries that return large data sets will have a significant impact on heap requirements, particularly if they are run in parallel with other large data requests. To avoid out-of-memory errors, analyze your data requirements, set the heap configuration appropriately, and modify access controls to restrict requests on large data sets.
IDM exposes many JVM metrics to help you analyze the amount of memory that it is consuming. For more information on analyzing hardware and memory performance, see Load testing.
Change the JVM heap size
Changing the JVM heap size can improve performance and reduce the time it takes to run reconciliations.
You can set the JVM heap size via the OPENIDM_OPTS
environment variable. If OPENIDM_OPTS
is undefined, the JVM maximum heap size defaults to 2GB. For example, to set the minimum and maximum heap sizes to 4GB, enter the following before starting IDM:
cd /path/to/openidm/ export OPENIDM_OPTS="-Xms4096m -Xmx4096m" ./startup.sh Using OPENIDM_HOME: /path/to/openidm Using PROJECT_HOME: /path/to/openidm Using OPENIDM_OPTS: -Xms4096m -Xmx4096m ... OpenIDM ready
cd \path\to\openidm set OPENIDM_OPTS=-Xms4096m -Xmx4096m startup.bat "Using OPENIDM_HOME: \path\to\openidm" "Using PROJECT_HOME: \path\to\openidm" "Using OPENIDM_OPTS: -Xms4096m -Xmx4096m -Dfile.encoding=UTF-8" ... OpenIDM ready
You can also edit the OPENIDM_OPTS
values in startup.sh
or startup.bat
.
For more information about tuning and load testing, refer to Load testing |
Operating System requirements
IDM 7.5 software is supported on the following operating systems:
-
Red Hat Enterprise Linux (and Rocky Linux) 7.9, 8.7, and 9.1
-
Ubuntu Linux 20.04 and 22.04
-
Windows Server 2019 and 2022
Java requirements
IDM software supports the following Java environments:
Vendor | Versions | ||
---|---|---|---|
OpenJDK, including OpenJDK-based distributions:
|
17** |
||
Oracle Java |
17** |
** Version 17.0.3 or higher.
ForgeRock recommends that you keep your Java installation up-to-date with the latest security fixes. |
Supported web application containers
You must install IDM as a standalone service, using the bundled Apache Felix framework and Jetty web application container. Alternate containers are not supported. IDM bundles Jetty version 9.4.48.
Supported repositories
The following repositories are supported for use in production:
-
ForgeRock Directory Services (DS) 7.5.
By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.
-
MySQL version 5.7 and 8.0 with MySQL JDBC Driver Connector/J 8.0.
Do not use Connector/J versions 8.0.23 through 8.0.25. Why? -
MariaDB version 10.6.11 and 10.10.2 with MySQL JDBC Driver Connector/J 8.0.
Do not use Connector/J versions 8.0.23 through 8.0.25. Why? -
Microsoft SQL Server 2019 and 2022.
-
Oracle Database 19c and 21c.
-
PostgreSQL 13.10, 14.7, and 15.2.
-
IBM DB2 11.5.
ForgeRock supports repositories in cloud-hosted environments, such as AWS and GKE Cloud, as long as the underlying repository is supported. In other words, the repositories listed above are supported, regardless of how they are hosted.
These repositories might not be supported on all operating system platforms. refer to the specific repository documentation for more information. Do not mix and match versions. For example, if you are running Oracle Database 19c, and want to take advantage of the support for Oracle UCP, download driver and companion JARs for Oracle version 19c. |
Supported browsers
The IDM UI has been tested with the latest, stable versions of the following browsers:
-
Chrome and Chromium
-
Edge
-
Firefox
-
Safari
Supported connectors
IDM bundles the following connectors:
-
Adobe Cloud Marketing connector
-
CSV File connector
-
Database Table connector
-
Google Apps connector
-
Groovy Connector Toolkit
This toolkit lets you create scripted connectors to virtually any resource.
-
Kerberos connector
The Kerberos connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled Kerberos connector requires Groovy version 3.0.
-
LDAP connector
Using the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).
-
Marketo connector
-
MongoDB connector
-
Microsoft Graph API connector
-
Salesforce connector
-
SCIM connector
-
Scripted REST connector
The scripted REST connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted REST connector requires Groovy version 3.0.
-
Scripted SQL connector
The scripted SQL connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SQL connector requires Groovy version 3.0.
-
ServiceNow connector
-
Scripted SSH connector
The scripted SSH connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SSH connector requires Groovy version 3.0.
Additional connectors are available from the ForgeRock BackStage download site.
A PowerShell Connector Toolkit is bundled with the .NET remove connector server. This toolkit lets you create scripted connectors to address the requirements of your Microsoft Windows ecosystem.
Windows Server 2012 R2, 2016, and 2019 are supported as the remote systems for connectors and password synchronization plugins.
You must use the supported versions of the .NET Remote Connector Server (RCS), or the Java Remote Connector Server (RCS). The 1.5.x Java RCS is backward-compatible with the version 1.1.x connectors. The 1.5.x .NET RCS is compatible only with the 1.4.x and 1.5.x connectors. For more information, refer to IDM / ICF Compatibility Matrix.
The Java RCS requires Java 11 or Java 17, and is supported on any platform on which Java runs.
The .NET RCS requires the .NET framework (version 4.6.2 or later) and is supported on Windows Server versions 2012 R2, 2016, and 2019.
Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in Samples. |
The following table lists the connector and RCS versions that are supported across IDM versions. For a list of connectors supported with this IDM release, refer to the ICF connector documentation. For a list of connector releases associated with this version of IDM, refer to the ICF release notes.
IDM Version | RCS Version | Java Connectors | Scripted Groovy Connectors | .NET Connectors |
---|---|---|---|---|
4.x |
1.4.x, 1.5.x |
Java connectors version 1.1.x - 1.5.x |
Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0. |
PowerShell Connector 1.4.x |
5.x |
1.4.x, 1.5.x |
Java connectors version 1.1.x - 1.5.x |
Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0. |
PowerShell Connector 1.4.x |
6.x |
1.4.x, 1.5.x |
Java connectors version 1.1.x - 1.5.x |
Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0. |
PowerShell Connector 1.4.x |
7.x |
1.4.x, 1.5.x |
Java connectors version 1.1.x - 1.5.x |
Scripted REST, Scripted SQL, SSH, Kerberos connectors version 1.5.x. |
PowerShell Connector 1.4.x, 1.5.x |
Supported password synchronization plugins
The following table lists the supported password synchronization plugins:
Plugin | Supported Version |
---|---|
DS Password Synchronization Plugin |
7.5.x, supported with DS 7.5.x and IDM 7.5.x 7.4.x, supported with DS 7.4.x and IDM 7.4.x 7.3.x, supported with DS 7.3.x and IDM 7.3.x 7.1.x, supported with DS 7.1.x, DS 7.2.x, IDM 7.1.x, and IDM 7.2.x 7.0.1, supported with DS 7.0.x, IDM 7.0.x, and IDM 7.1.x 6.5.0, supported with DS 6.5.x and IDM 6.5.x 6.0, supported with DS 6.0.x and IDM 6.0.x 5.5.0, supported with DS 5.5.x and IDM 5.5.x 5.0, supported with DS 5.0.x and IDM 5.0.x 3.5, supported with OpenDJ 3.5 and OpenIDM 4.x DS Password Sync plugins are not supported with DS OEM |
Active Directory Password Synchronization Plugin |
1.7.0 and 1.5.0 supported on Windows Server versions 2012 R2, 2016, 2019, and 2022 |