
ForgeRock Interview Questions and Answers [ TOP & MOST ASKED ]
Last updated on 17th Nov 2021, Blog, Interview Questions
These ForgeRock interview questions have been designed specifically to acquaint you with the kind of questions you may encounter during an interview on ForgeRock. In my experience, good interviewers rarely plan to ask any particular question; questions normally start with a basic concept of the subject and then continue based on further discussion and your answers. We are going to cover the top 100 ForgeRock interview questions along with detailed answers, including ForgeRock scenario-based interview questions, ForgeRock interview questions for freshers, and ForgeRock interview questions and answers for experienced candidates.
1.List the services provided by ForgeRock.
Ans:
The services of ForgeRock are:-
- Identity Management.
- Access Management.
- Directory Services.
- Edge security and Identity Gateway.
- Privacy Management.
2.What type of solutions are provided by ForgeRock?
Ans:
ForgeRock provides solutions that let users manage risk, improve productivity, grow revenue, reduce identity management costs, and handle compliance regulations, life-cycle management and so on.
3.Name a few capabilities of ForgeRock Identity Platform.
Ans:
The key features are:-
- Identity and access management.
- Directory services.
- Authorization policies and enforcement.
- Adaptive risk authentication.
- High availability and scalability.
- Adaptive monitoring and auditing services.
4.Explain about the profile and privacy management in identity management.
Ans:
This feature enables users to create and manage their profiles, control the sharing of their personal data, export their data (portability) and delete their account, while ensuring compliance with regulations such as GDPR, HIPAA and PIPEDA.
5.How is Data Model Visualization helpful in identity management?
Ans:
The model visualizes relationships through the ForgeRock Identity Management console, customized dashboards and integration with Kibana. This includes visualisation charts such as line, bar, scatter plot and pie charts for viewing the data. The audit and management capabilities cover logins and registrations, system health and resource usage.
6.Explain role-based provisioning in identity management.
Ans:
Identity management provides features to create and manage roles and assign them to users based on attributes such as job function or title. Entitlements and resources can then be assigned and removed consistently and rapidly.
7.What is Synchronization and Reconciliation in identity management?
Ans:
Synchronization pushes changes to remote systems both on demand and on a schedule, and enables rollback if one or more remote systems are unavailable. Reconciliation detects and synchronizes changes to accounts: it discovers new, changed or deleted accounts and determines the user's access privileges.
8.What are the actions of a workflow engine in Identity Governance?
Ans:
Identity Governance handles self-service actions to process requests for access, manager-driven access reviews and certifications, and administration actions such as updating entitlements, onboarding and offboarding, and performance maintenance.
9.What is Reporting and Audit in ForgeRock Governance?
Ans:
The reporting and audit features formalize the review process for auditing purposes. Administrators can set up report templates that complement the access review feature and define custom reports.
10.How is Risk Management handled in Identity Governance?
Ans:
ForgeRock Identity Governance provides a risk score for entitlements, roles and certifications within the governance platform. Administrators assign score values such as low, medium or high, which support approvals and decision making about employees during a review.
11.Explain about Entitlement Management in Identity Governance.
Ans:
ForgeRock Identity Governance allows users to associate metadata with objects in the product through a user-friendly interface. It lets administrators assign a business name to any user entitlement, along with links to help pages, documents and risk scores.
12.What is Role life cycle management feature in identity Governance?
Ans:
Identity Governance provides robust role life cycle management capabilities that include role definition, changes and deletions. This feature supports a role-based access control (RBAC) model in which roles are assigned to owners, who can easily certify entitlements and role membership rules.
13.What is ForgeRock autonomous identity?
Ans:
ForgeRock Autonomous Identity is an AI-driven analytics solution that provides real-time visibility into, and control over, user access. It collects and analyses data such as accounts, roles, user activity, entitlements, security access and risk blind spots, and provides contextual, risk-based access insights.

14.Explain about Powerful UI Dashboard feature in autonomous identity.
Ans:
The dashboard displays the organisation's entitlements graphically on the UI console. Entitlement outliers that pose a security risk can be investigated. Using the UI, entitlements can be quickly identified for automated low-risk approvals, and entitlement management can be viewed per user on trend lines.
15.Explain about Automated workflows in autonomous identity.
Ans:
Autonomous Identity reduces the burden on managers when approving new entitlements. The workflow approves access automatically, which reduces the time and cost of handling automated entitlement certifications and low-risk access requests.
16.What is ForgeRock Access Management?
Ans:
ForgeRock Access Management is a solution that provides one of the most comprehensive sets of identity and access management (IAM) services on the market, covering users who connect from mobile devices, connected cars or home appliances.
17.What are the benefits of using the ForgeRock autonomous identity?
Ans:
Benefits of Autonomous Identity:
- Enterprise-wide risk visibility.
- Boosting operational efficiency.
- Accelerating decision making.
18.Why are directory services used in ForgeRock?
Ans:
Directory services are used to address the latest security and privacy requirements with high performance, handling massive transaction volumes through resilient directory services.
19.Name a few features of directory services in ForgeRock.
Ans:
Features of directory services are:-
- Providing security services for connections, access control and encryption of stored data.
- Server management with easy setup and administration.
- Support for the SNMP and JMX monitoring standards, for easy integration with existing infrastructure.
- Advanced backup and restore functions such as automated, compressed, signed and encrypted backups to improve data reliability and security.
20.What is Pass-Through Authentication in Directory Services?
Ans:
Pass-Through Authentication delegates authentication to another LDAP directory service, such as Active Directory, which removes the security risks associated with synchronized passwords.
21.Explain about Backup and Restore feature in Directory Services.
Ans:
This feature provides advanced backup and restore functions such as automated, compressed, signed and encrypted backups for improving data reliability and security.
22.What are the services provided by Intelligent Access orchestration?
Ans:
Services of Intelligent Access Orchestration:-
- Creating custom authenticators and integrating them with cybersecurity solutions.
- Designing an intuitive interface for creating security and risk profiles.
- Supporting factors such as context, user choice and analytics, which can configure, measure and adjust login journeys using digital signals.
- Improving customer experience and leveraging login analytics.
23.What can you do with ForgeRock Identity Gateway?
Ans:
ForgeRock Identity Gateway can quickly protect APIs and users. It serves as a reverse proxy as well as an authorization enforcement point for any type of traffic. It detects anomalies and protects against security breaches.
24.What is Message Transformation in ForgeRock Identity Gateway?
Ans:
ForgeRock Identity Gateway transforms messages as they pass through the gateway, adding or removing headers and variables. This allows administrators to split traffic between multiple web pages or APIs.
25.Explain Single Sign-On and Sign-Out in Identity Gateway.
Ans:
The Single Sign-On and Sign-Out feature improves the user experience, adoption rates and consumption of the services provided. ForgeRock Identity Gateway ensures consistent, secure access across multiple web pages and APIs.
26.What can you do with ForgeRock Identity Cloud?
Ans:
- ForgeRock Identity Cloud provides a single platform for all identity and access needs.
- Apps can be protected quickly and easily with the cloud's security enhancements.
- Cutting-edge identity capabilities are gained without worrying about maintenance, patching and upgrading.
- Efficient and secure workforces are empowered from anywhere in the world.
27.What is the advantage of deploying the IAM?
Ans:
- Accelerates deployment across multiple cloud environments, including Amazon Web Services, Google Cloud and Microsoft Azure.
- Enables a fast, simple and highly available deployment without losing features or extensibility.
- Repeatable processes enable rapid solution development.
- Protects workloads on any cloud.
28.What can you do with the integration of Social Registration and Login?
Ans:
It allows users to register and authenticate quickly using a social networking service. With ForgeRock you can do the following:-
- Users are able to utilize popular social identity providers.
- Data can be linked across multiple social profiles for a single view of a customer.
- Provides one-click registration across a range of platforms using open standards.
29.How does the REST API framework help with integration?
Ans:
- It allows the user to invoke any ForgeRock Identity Platform service through a single API.
- Provides extensible identities for social, mobile, cloud and IoT.
- Custom UIs, apps and pages built on the REST APIs help you meet your business needs.
- The API Explorer feature enables developers to interact with the APIs.
30.How is the IOT Edge controller used by ForgeRock?
Ans:
The ForgeRock IoT Edge Controller uses secure, standard tokens instead of usernames, passwords and PKI certificates. It provides industry-specific solutions with additional functionality and drives interoperability.
31.What is OpenAM?
Ans:
OpenAM is an open-source access management, entitlements and federation server platform backed by ForgeRock. OpenAM originated as OpenSSO, an access management system developed by Sun Microsystems and later owned by Oracle.
32.How does OpenAM Help us?
Ans:
OpenAM provides a service named access management, which involves managing access to all resources available within the network. Once we set up OpenAM to manage access, we have a service to take control of who can access what resources, when, and under what circumstances.
33.Can OpenAM be centrally managed?
Ans:
OpenAM centralizes all access control by handling both validation and authorization. Validation is confirming identity, for example confirming that a user has successfully logged in. Authorization is determining whether to grant access to someone who has been validated.
34.How does OpenAM validate?
Ans:
- OpenAM centralizes validation by using a variety of authentication modules. Modules connect to identity repositories that store identities and provide authentication services.
- The identity repositories can be LDAP directories, relational databases, RADIUS, Windows authentication, one-time password services, other standards-based access management systems, and much more.
- OpenAM lets us chain together the validation services used, which lets you configure stronger authentication for more sensitive resources, for example. It also allows setting up modules that remember a device once the user has logged in successfully.
35.How is OpenAM authorized?
Ans:
OpenAM centralizes authorization by letting you use OpenAM to manage access policies separately from applications and resources. Instead of building an access policy into a web application, we can install a policy agent with the web application to request policy decisions from OpenAM.

36.Explain the Software Requirements to implement OpenAM?
Ans:
The following are the software requirements for an effective installation of OpenAM:-
- The Apache HTTP Server, which is used to support the OpenAM projects that rely on web pages.
- Apache Tomcat, which provides a web container for the OpenAM platform. OpenAM is a Java web application, so it needs a web container such as the one provided by Apache Tomcat.
- The OpenAM core server with its console.
37.How to Configure a Policy in OpenAM?
Ans:
Follow these steps to create a policy that allows all authenticated users to perform an HTTP GET:-
- In the OpenAM console, click the Access Control tab, then in the Realms table click the link to / (Top Level Realm).
- Click the Policies tab, click iPlanetAMWebAgentService, and then click Add New Policy.
- Give the new policy the name Authenticated users can get Apache HTTP home page, and then click Next.
38.What are the steps followed to set up OpenAM to protect a web page?
Ans:
- Prepare your hosts file.
- Deploy Apache HTTP server.
- Deploy Apache Tomcat.
- Deploy OpenAM.
- Configure a policy in OpenAM.
- Create a web policy agent profile.
- Install the OpenAM web policy agent.
39.What are deployment-planning steps in OpenAM?
Ans:
After project initiation, the deployment-planning steps are:-
- Architectural design.
- Execution of the OpenAM system.
- Testing with the help of automation and continuous integration.
- Providing solutions through functional testing.
- Recovery of issues through non-functional testing.
- Supportability.
40.What is the need for OpenAM client Application Programming Interfaces (APIs)?
Ans:
In federated and OpenAM environments, the OpenAM Java APIs offered through the OpenAM Java SDK let a user's Java and Java EE applications call OpenAM for authentication and authorization. The exposed RESTful API, which returns XML or JSON over HTTP, lets the user access authentication, authorization and identity services from web applications using REST clients written in the language of the user's choice.
41.What are the procedures to upgrade a legacy deployment?
Ans:
- Keep your customized OpenAM server .war file organized.
- Following the instructions in 'Installing OpenAM Core Services', arrange a new installation of servers from the new, customized .war file.
- After installation is complete, use the 'ssoadm do-batch' command to apply multiple changes with a single command. Authenticate against the new service to check whether performance meets the expected level.
- Finally, execute the task of redirecting client application traffic to the new installation from the old deployment.
42.What are the functions of OpenAM APIs?
Ans:
OpenAM provides client application programming interfaces for several requirements. The OpenAM Java APIs offered through the OpenAM Java SDK let your Java and Java EE applications call OpenAM for validation, in both OpenAM and federated environments.
43.What are the functions of OpenAM SPIs?
Ans:
OpenAM offers Java-based service provider interfaces that let you extend services for the requirements of your specific deployment. The following are examples of such plugins:-
- Custom OAuth 2.0 scope plugins define how OpenAM, playing the role of authorization server, handles scopes, including what token information to return regarding the scopes set when authorization was granted.
- Custom authentication plugins let OpenAM validate users against a new authentication service or an authentication service specific to the deployment.
44.How does OpenAM provide functionality for IPv4 and IPv6?
Ans:
OpenAM provides functionality for IPv4, IPv6, and a hybrid of both. While the majority of the interaction happens in the backend, there are a few places where the GUI needs input, such as when setting up policy conditions. These fields follow the same standards that apply to IPv4 and IPv6: an IPv4 address is a 32-bit integer value written in decimal, while an IPv6 address is written in hexadecimal, with a colon separating the eight groups of hexadecimal digits.
45.How to develop Client Applications?
Ans:
- Client applications can access OpenAM services for authentication, authorization, and single sign-on/single log-out by using sessions.
- Client applications are also allowed to manage authorization policies. This part of the guide covers client interaction with OpenAM over supported protocols and using OpenAM APIs.
46.What do you understand by RESTful APIs?
Ans:
Representational State Transfer is an architectural style that sets certain constraints for designing and building large-scale distributed systems. As an architectural style, REST has very broad utility; the designs of both HTTP 1.1 and URIs follow RESTful principles. The World Wide Web is no doubt the largest and best-known REST application. Many other web services also follow the REST architecture, such as OAuth 2.0 and OpenID Connect 1.0. ForgeRock Common REST (CREST) applies RESTful principles to define common verbs for HTTP-based APIs that access web resources and collections of resources.
47.How can we specify an explicit API REST version?
Ans:
We can specify the REST API version to use by adding an Accept-API-Version header to the request. We can also configure the default behavior OpenAM applies when a REST call does not specify any explicit version information.
48.What is The RADIUS Protocol?
Ans:
The RADIUS protocol is a very simple protocol with four packet types:-
- Access-Request packets, sent from a client to a server to begin a new authentication conversation or to respond to a previous challenge in an existing conversation with the requested information.
- Access-Accept packets, sent from a server to a client to indicate successful authentication.
- Access-Reject packets, sent from a server to a client to indicate failed authentication.
- Access-Challenge packets, sent from a server to a client to solicit more information from the entity being validated.
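The four packet types are told apart by the Code byte of the RADIUS header. As an added example (not from the original page), this Python snippet parses the RFC 2865 header and verifies a server reply's Response Authenticator against the shared secret, which is how a client detects replies that were not produced by a party holding the secret. The packet codes come from RFC 2865; the packet bytes and the secret are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes for the four packet types listed above (from the RFC, not the page).
PACKET_TYPES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    11: "Access-Challenge",
}

# Header layout: Code (1), Identifier (1), Length (2), Authenticator (16) = 20 bytes.
HEADER = struct.Struct("!BBH16s")


def parse_radius(packet: bytes) -> dict:
    """Split a raw RADIUS datagram into header fields and the attribute bytes."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    return {
        "code": code,
        "type": PACKET_TYPES.get(code, "Unknown"),
        "identifier": ident,
        "authenticator": authenticator,
        "attributes": packet[HEADER.size:length],
    }


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """Response Authenticator (RFC 2865 section 3): MD5 over the reply header,
    the Request Authenticator, the reply attributes and the shared secret."""
    length = HEADER.size + len(attributes)
    return hashlib.md5(
        struct.pack("!BBH", code, ident, length) + request_auth + attributes + secret
    ).digest()


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the reply's Authenticator matches the one computed with our secret."""
    parsed = parse_radius(reply)
    expected = response_authenticator(parsed["code"], parsed["identifier"],
                                      request_auth, parsed["attributes"], secret)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, parsed["authenticator"])


def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Assemble a datagram; used here to construct the sample reply."""
    return HEADER.pack(code, ident, HEADER.size + len(attributes), authenticator) + attributes


# Constructed sample exchange: an Access-Accept answering identifier 7.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))             # Request Authenticator from the client
REPLY_ATTRS = bytes([18, 9]) + b"welcome"   # Reply-Message attribute (type 18, length 9)
ACCEPT = build_packet(2, 7,
                      response_authenticator(2, 7, REQUEST_AUTH, REPLY_ATTRS, SECRET),
                      REPLY_ATTRS)

if __name__ == "__main__":
    print(parse_radius(ACCEPT)["type"], verify_response(ACCEPT, REQUEST_AUTH, SECRET))
```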
49.How to Create a Web Policy Agent Profile?
Ans:
OpenAM stores policy agent profile information centrally by default. You can then manage the policy agent profile through the OpenAM console. The policy agent retrieves its configuration from the OpenAM profile at installation time and when it starts up, and OpenAM can notify the policy agent of changes to its configuration.
50.What is user self-registration?
Ans:
OpenAM provides self-registration for users as a feature in OpenAM’s REST APIs. Users can be safely signed up in OpenAM without the administrators or help desk getting involved.
51.What is the password reset function?
Ans:
OpenAM helps users reset their passwords on their own. OpenAM handles both the case where a user knows their password and wants to change it and the case where the user has forgotten their password and needs to reset it, possibly after answering security questions.
52.What are the dashboard services?
Ans:
Users often have several applications assigned, especially if the organization has standardized on software as a service for email, document sharing, support ticketing, customer relationship management, web conferencing, and so forth. It can be useful to present these applications on a user's dashboard with their profile, and to assign applications to the user's dashboard automatically based on the user's profile.
53.What is Single-Sign on?
Ans:
Single sign-on (SSO) is a core attribute of OpenAM. Once we have set up OpenAM, we can protect as many applications in the network domain as we want. We need to install the policy agents for the additional servers and add policies for the resources served by the applications.

54.How can users authenticate?
Ans:
Users can then authenticate themselves on their own to start a session on any site in the domain, and they remain authenticated for all sites in the domain, without the need to log in again.
55.Why is the Single Sign-on feature necessary?
Ans:
Many organizations have more than one domain, and cookies set in one domain are not returned to servers in another domain. Many organizations also have sub-domains that are controlled independently, which creates the need to protect against someone setting up a rogue sub-domain to hijack session cookies.
56.What is a standard-based federation?
Ans:
When we need to federate identities not just across different domains but across different organizations with separate access management solutions, we need interoperable federation technologies. An organization that acts as an identity provider for other organizations providing services allows users to use their identity from one organization to access the services of another. Either way, OpenAM has the capability to integrate well in federated access management scenarios.
57.What is CRUD?
Ans:
OpenAM REST APIs make CRUD (create, read, update, delete) easy to use in web applications. They also provide extended actions and query capabilities for access management functionality.
58.What is the benefit of OpenAM Java APIs?
Ans:
OpenAM Java APIs provided through the OpenAM Java SDK allow Java and Java EE applications to call on OpenAM for authentication and authorization in both OpenAM and federated environments.
59.What is the C SDK?
Ans:
The OpenAM C SDK provides APIs for native applications, including new web server policy agents. The C SDK has been designed for the Linux, Solaris and Windows platforms.
60.What do you understand by SAML 2.0 SSO & Federation?
Ans:
SAML 2.0 SSO is part of the federated access management. Federation permits access management across the organizational boundaries. Federation allows organizations to share their identities and services without giving away their organizational information and the services they provide.
61.What is sync.json?
Ans:
- The sync.json file describes a set of mappings. Each mapping specifies how attributes from source objects correspond to attributes on target objects.
- The source and target indicate the direction of the data flow, so you must define a mapping for each data flow.
- For example, if you want data to flow from an LDAP server to the repository and also from the repository to the LDAP server, you must define two separate mappings.
62.What are the types of synchronization?
Ans:
- Reconciliation.
- LiveSync.
Synchronization happens either when OpenIDM receives a change directly, or when OpenIDM discovers a change on an external resource. For direct changes to OpenIDM, OpenIDM immediately pushes updates to all external resources configured to receive them.
63.What is Reconciliation?
Ans:
In identity management, reconciliation is the process of bidirectional synchronization of objects between different data stores. Reconciliation applies mainly to user objects, though OpenIDM can reconcile any objects, including groups and roles. To perform reconciliation, OpenIDM analyzes both source and target systems to uncover the differences that it must reconcile.
64.What is LiveSync?
Ans:
- LiveSync performs the same job as reconciliation, but relies on a changelog on the external resource to determine which objects have changed.
- LiveSync is intended to react quickly to changes as they happen.
- LiveSync is, however, a best-effort mechanism that in some cases can miss changes.
65.How to trigger OpenIDM to poll for changes?
Ans:
- Usually by scheduling reconciliation or LiveSync.
- Alternatively, you can start reconciliation through the REST interface.
66.What is Apache Felix Server URL?
Ans:
- http://hostname:port/system/console
- http://127.0.0.1:8080/system/console.
- http://localhost:8080/system/console.
67.What is the default admin user name and password?
Ans:
Username : openidm-admin
Password : openidm-admin
68.What is the default back-end database in Pre-OpenIDM 4.0?
Ans:
OrientDB
69.What is the default back-end database in above OpenIDM?
Ans:
LDAP ( OpenDJ )
70.What is the OpenIDM application server?
Ans:
Apache Felix Server.
71.What are the default OpenIDM HTTP ports?
Ans:
http Port : 8080
https Port : 8443
72.How to start the OpenIDM server?
Ans:
Windows : <OpenIDM-Home>\startup.bat
Linux : <OpenIDM-Home>/startup.sh
73.How to stop the OpenIDM server?
Ans:
In the OpenIDM console, type shutdown or press Ctrl+C; the process is the same on both Linux and Windows.
74.What are some of the OpenIDM connectors?
Ans:
- CSV File Connector.
- LDAP Connector.
- Database Table Connector.
- MongoDB Connector.
- ServiceNow Connector.
- Salesforce Connector.

75.What are managed operations in OpenIDM?
Ans:
- User.
- Role.
- Assignment.
76.We seek to hire highly ambitious people. Where would you like your career with ForgeRock to take you?
Ans:
Have you researched ForgeRock enough to understand how its internal hierarchy works? Does it have a spread of departments and management levels, offering you choices when it comes to carving out your career path? Talk to the interviewer about your career ambitions as they relate specifically to this role and their organization.
77.What is the relationship between OpenIDM and OpenICF?
Ans:
OpenICF provides a common service provider interface that gives identity services access to the resources containing user information. OpenICF uses a connector server that can run either as a local connector server inside OpenIDM or as a remote connector server that is a stand-alone process. A remote connector server is needed when access libraries that cannot be included as part of the OpenIDM process are required. If a resource, such as Microsoft ADSI, does not provide a connection library that can be included inside the Java Virtual Machine, then OpenICF can use the native .dll with a remote .NET connector server. (OpenICF connects to ADSI through a remote connector server implemented as a .NET service.)
78.What is CSV File Connector?
Ans:
The CSV file connector often serves when importing users, either for initial provisioning or for ongoing updates. When used continuously in production, a CSV file serves as a change log, often containing only user records that changed.
79.What is Scripted SQL Connector?
Ans:
The Scripted SQL Connector uses customizable Groovy scripts to interact with the database.
80.What is Flexible Data Model?
Ans:
Identity management software tends to favor either a meta-directory data model, where all data are mirrored in a central repository, or a virtual data model, where only a minimum set of attributes are stored centrally, and most are loaded on demand from the external resources on which they are stored. The meta-directory model offers fast access at the risk of getting out-of-date data. The virtual model guarantees fresh data, but pays for that guarantee in terms of performance.
81.What is Basic Data Flow Configuration?
Ans:
Data flow for synchronization involves three types of configuration files, two of which you typically edit, and also a links table that OpenIDM maintains in its repository, as well as scripts needed to check objects and manipulate attributes. The two types of configuration files you edit are the connector configuration files, with one file per external resource, and the synchronization mappings file, with one file per OpenIDM instance.
82.How to Use Encrypted Values?
Ans:
OpenIDM supports reversible encryption of attribute values for managed objects. Attribute values to encrypt include passwords (if passwords are not already encrypted on the external resource, which would usually exclude them from the synchronization process, see the chapter about Passwords ), and also authentication questions, credit card numbers, and social security numbers.
83.What is Constructing & Manipulating Attributes?
Ans:
OpenIDM lets you construct and manipulate attributes using scripts triggered when an object is created (onCreate), updated (onUpdate), or deleted (onDelete), or when a link is created (onLink), or removed (onUnlink).
84.What is Reusing Links?
Ans:
When two mappings exist to sync the same objects bidirectionally, you can use the links property in one mapping to have OpenIDM use the same internally managed link for both mappings. Otherwise, if no links property is specified, OpenIDM maintains a separate link for each mapping.
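As an added example that is not from the page or from OpenIDM itself, the following Python script parses a constructed sync.json containing the two mappings described in Q61 (LDAP to repository and repository to LDAP) and checks them against the rules in Q61 and Q84: every mapping needs a name, source and target, a links value must name an existing mapping, and a bidirectional pair that sets no links property is flagged because OpenIDM would then keep two separate sets of links. The mapping names, the connector path system/ldap/account and the attribute names are assumptions for the example.

```python
import json

# Constructed sync.json fragment: one bidirectional LDAP <-> managed/user flow, written
# as two mappings. The second mapping reuses the first mapping's links via "links".
SYNC_JSON = """
{
  "mappings": [
    {
      "name": "systemLdapAccounts_managedUser",
      "source": "system/ldap/account",
      "target": "managed/user",
      "properties": [
        {"source": "uid", "target": "userName"},
        {"source": "mail", "target": "mail"}
      ]
    },
    {
      "name": "managedUser_systemLdapAccounts",
      "source": "managed/user",
      "target": "system/ldap/account",
      "links": "systemLdapAccounts_managedUser",
      "properties": [
        {"source": "userName", "target": "uid"},
        {"source": "mail", "target": "mail"}
      ]
    }
  ]
}
"""


def load_mappings(text: str) -> list:
    """Parse sync.json text and return its mappings array."""
    return json.loads(text)["mappings"]


def check_mappings(mappings: list) -> list:
    """Return a list of problems found; an empty list means the mappings look consistent."""
    problems = []
    names = {m.get("name") for m in mappings}
    by_pair = {}
    for m in mappings:
        label = m.get("name", "<unnamed>")
        # Each data flow needs its own mapping with an explicit direction.
        for key in ("name", "source", "target"):
            if not m.get(key):
                problems.append(f"{label}: missing '{key}'")
        # A property may compute its value with a transform, but always needs a target.
        for prop in m.get("properties", []):
            if not prop.get("target"):
                problems.append(f"{label}: property without 'target'")
        # "links" must point at another mapping in the same file.
        if "links" in m and m["links"] not in names:
            problems.append(f"{label}: 'links' refers to unknown mapping '{m['links']}'")
        by_pair[(m.get("source"), m.get("target"))] = m
    # Bidirectional pairs: warn when neither side reuses the other's links.
    seen = set()
    for (src, tgt), m in by_pair.items():
        pair = frozenset((src, tgt))
        rev = by_pair.get((tgt, src))
        if rev is None or pair in seen:
            continue
        seen.add(pair)
        if "links" not in m and "links" not in rev:
            problems.append(
                f"{m.get('name')} and {rev.get('name')} sync the same objects in both "
                "directions but neither sets 'links'; OpenIDM will keep two link sets"
            )
    return problems


if __name__ == "__main__":
    for problem in check_mappings(load_mappings(SYNC_JSON)) or ["no problems found"]:
        print(problem)
```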
85.How to Manage Passwords?
Ans:
OpenIDM provides password management features that help you enforce password policies, limit the number of passwords users must remember, and let users reset and change their passwords.
86.What is Password recovery ?
Ans:
Password recovery involves recovering a password or setting a new password when the password has been forgotten. OpenIDM can provide a self-service end user interface for password changes, password recovery and password reset.
87.What is Securing & Hardening OpenIDM?
Ans:
- Out of the box, OpenIDM is set up for ease of development and deployment. When deploying OpenIDM in production, take the following precautions.
- After following the guidance in this chapter, make sure that you test your installation to verify that it behaves as expected before putting it into production.
88.What is the Use of SSL and HTTPS?
Ans:
Disable plain HTTP access, which is included for development convenience, as described in the section titled Secure Jetty. Use TLS/SSL to access OpenIDM, ideally with mutual authentication so that only trusted systems can invoke each other. TLS/SSL protects data on the wire. Mutual authentication with certificates imported into the applications' trust and key stores provides some confidence for trusting application access. Augment this protection with message level security where appropriate.
89.How is data encrypted internally and externally?
Ans:
Beyond relying on end-to-end availability of TLS/SSL to protect data, OpenIDM also supports explicit encryption of data that goes on the wire. This can be important if TLS/SSL termination happens before the final end point. OpenIDM also supports encryption of the data it puts into the repository, using a symmetric key. This protects against some attacks on the data store. OpenIDM automatically encrypts sensitive data in configuration files, such as passwords, replacing clear text values when the system first reads the configuration file. Take care with configuration files that hold clear text values OpenIDM has not yet read and updated.
90.What is the Use of Message Level Security?
Ans:
OpenIDM supports message level security, forcing authentication before granting access. Authentication works by means of a filter-based mechanism that lets you use either an HTTP Basic-like mechanism or OpenIDM-specific headers, setting a cookie in the response that you can use for subsequent authentication. If you attempt to access OpenIDM URLs without the appropriate headers or session cookie, OpenIDM returns HTTP 401 Unauthorized.
91.What is Secure Jetty?
Ans:
Before running OpenIDM in production, edit the openidm/conf/jetty.xml configuration to avoid clear text HTTP. Opt instead for HTTPS either with or without mutual authentication. To disable plain HTTP access, comment out the section in openidm/conf/jetty.xml that enables HTTP on port 8080.
92.How to Protect Sensitive REST Interface URLs?
Ans:
Although the repository is accessible directly by default, since anything attached to the router is accessible with the default policy, avoid direct HTTP access in production. If you do not need such access, deny it in the authorization policy to reduce the attack surface.
93.How to Protect Sensitive Files & Directories?
Ans:
Protect OpenIDM files from access by unauthorized users. In particular, prevent other users from reading files in at least the openidm/conf/boot/ and openidm/security/ directories.
94.How to Remove or Protect Development & Debug Tools?
Ans:
Before deploying OpenIDM in production, remove or protect development and debug tools, including the OSGi console exposed under /system/console. Authentication for this console is not integrated with authentication for OpenIDM.
95.How to Protect the OpenIDM Repository?
Ans:
- Use the JDBC repository. OrientDB is not yet supported for production use.
- Use a strong password for the JDBC connection. Do not rely on default passwords.
- Use a case sensitive database, particularly if you work with systems with different identifiers that match except for case. Otherwise correlation queries can pick up identifiers that should not be considered the same.
96.How to Adjust Log Levels?
Ans:
- Leave log levels at INFO in production to ensure that you capture enough information to help diagnose issues. See the chapter on Configuring Server Logs for more information.
- At start up and shut down, INFO can produce many messages. Yet, during stable operation, INFO generally results in log messages only when coarse-grain operations such as scheduled reconciliation start or stop.
97.What are the known issues and limitations?
Ans:
The following are known issues and limitations of the experimental embedded workflow and business process engine:-
- OpenIDM does not include a form generator, making it difficult to include embedded forms (OPENIDM-468).
- Error handling needs improvement.
- This version depends on Activiti 5.8, which does not have the fix for ACT-583: Processes are not found in the .bar file if they are below root.
98.What is Event Types?
Ans:
The eventTypes configuration specifies what events OpenIDM writes to audit logs. OpenIDM supports two eventTypes: activity for the activity log, and recon for the reconciliation log. The filter for actions under activity logging shows the actions on managed or system objects for which OpenIDM writes to the activity log.
99.How to Generate Reports?
Ans:
When generating reports from audit logs, you can correlate information from the activity and reconciliation logs by matching the "rootActionId" on entries in both logs.
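The correlation just described, as an added example that is not from the page or from OpenIDM: a Python script that parses constructed recon and activity audit entries (one JSON object per line), joins them on rootActionId to report which managed-object changes each reconciliation decision caused, lists activity that no reconciliation explains, and picks out actions that failed. Only the rootActionId field comes from the page; the other field names and all values are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample entries in the style of OpenIDM's recon and activity audit logs.
# Field names other than rootActionId are assumptions for this example.
RECON_LOG = """\
{"reconId":"recon-1","rootActionId":"act-100","situation":"ABSENT","action":"CREATE","sourceObjectId":"system/ldap/account/alice","targetObjectId":"managed/user/alice","status":"SUCCESS"}
{"reconId":"recon-1","rootActionId":"act-101","situation":"CONFIRMED","action":"UPDATE","sourceObjectId":"system/ldap/account/bob","targetObjectId":"managed/user/bob","status":"SUCCESS"}
{"reconId":"recon-1","rootActionId":"act-102","situation":"UNQUALIFIED","action":"DELETE","sourceObjectId":"system/ldap/account/carol","targetObjectId":"managed/user/carol","status":"FAILURE"}
"""

ACTIVITY_LOG = """\
{"activityId":"a-1","rootActionId":"act-100","action":"create","objectId":"managed/user/alice","status":"SUCCESS"}
{"activityId":"a-2","rootActionId":"act-101","action":"update","objectId":"managed/user/bob","status":"SUCCESS"}
{"activityId":"a-3","rootActionId":"act-102","action":"delete","objectId":"managed/user/carol","status":"FAILURE"}
{"activityId":"a-4","rootActionId":"act-900","action":"update","objectId":"managed/user/dave","status":"SUCCESS"}
"""


def parse_log(text: str) -> list:
    """Parse a JSON-lines audit log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(activity: list, recon: list) -> dict:
    """Group recon and activity entries that share a rootActionId."""
    groups = defaultdict(lambda: {"recon": [], "activity": []})
    for entry in recon:
        groups[entry["rootActionId"]]["recon"].append(entry)
    for entry in activity:
        groups[entry["rootActionId"]]["activity"].append(entry)
    return dict(groups)


def recon_report(activity: list, recon: list) -> list:
    """One line per reconciliation decision, with the managed-object changes it caused."""
    lines = []
    for root, group in sorted(correlate(activity, recon).items()):
        for r in group["recon"]:
            changes = ", ".join(f"{a['action']} {a['objectId']} ({a['status']})"
                                for a in group["activity"])
            lines.append(f"{root} {r['reconId']}: {r['situation']} -> {r['action']} "
                         f"{r['sourceObjectId']}: {changes or 'no activity recorded'}")
    return lines


def changes_outside_recon(activity: list, recon: list) -> list:
    """Activity entries whose rootActionId matches no reconciliation: changes that
    arrived another way (for example a direct REST call) and deserve separate review."""
    recon_roots = {r["rootActionId"] for r in recon}
    return [a for a in activity if a["rootActionId"] not in recon_roots]


def failed_actions(activity: list, recon: list) -> list:
    """rootActionIds where the reconciliation or the resulting activity did not succeed."""
    return sorted(root for root, g in correlate(activity, recon).items()
                  if any(e["status"] != "SUCCESS" for e in g["recon"] + g["activity"]))


if __name__ == "__main__":
    act, rec = parse_log(ACTIVITY_LOG), parse_log(RECON_LOG)
    print("\n".join(recon_report(act, rec)))
    print("outside recon:", [a["activityId"] for a in changes_outside_recon(act, rec)])
    print("failed:", failed_actions(act, rec))
```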

100.What are the Implementation Phases?
Ans:
Any identity management project should follow a set of well defined phases, where each phase defines discrete deliverables. The phases take the project from initiation to finally going live with a tested solution.