1. List the services provided by ForgeRock.
The Services of ForgeRock are:
- Identity Management.
- Access Management.
- Directory Services.
- Edge security and Identity Gateway.
- Privacy Management.
2. Name a few capabilities of ForgeRock Identity Platform.
The key features are:
- Identity and access management.
- Directory services.
- Authorization policies and enforcement.
- Adaptive risk authentication.
- High availability and scalability.
- Adaptive monitoring and auditing services.
3. What do you feel are the primary features and benefits of the Java programming language?
As a company that uses Java, ForgeRock and your interviewer want to make sure you understand the Java programming language, and they do so by asking this question. Java is packed with distinctive features; talk about the ones you can speak about most knowledgeably and tie them to your direct experience.
4. Why would I want to use OpenDJ?
OpenDJ is a new LDAPv3-compliant directory service, developed for the Java platform, that provides a high-performance, highly available and secure store for the identities managed by your enterprise. Its easy installation makes OpenDJ the simplest and fastest directory server to deploy and manage.
5. What are the prerequisites for installing OpenDJ?
At minimum, you need Java 6. If you have Java Web Start configured, you can install OpenDJ server with a single click in your web browser. For hardware, you can do an evaluation install on a netbook using the defaults, with 256 MB of free RAM and less than 100 MB of free disk space. How much hardware you need for deployment depends on your requirements. OpenDJ directory server is also available in .deb and .rpm packages for easy installation and upgrade on many Linux systems.
6. How do I import data into OpenDJ? Now that it is installed, I want to add data (from an SQL database, CSV, spreadsheet, LDIF, etc.) to OpenDJ and provision user accounts.
One way is to convert your content to LDAP Data Interchange Format (LDIF), and then import it.
7. Is DS/OpenDJ compatible with Oracle Java Development Kit (JDK) 11?
Yes, as of DS 6.5, Oracle JDK 11 is supported. You should only use supported versions to prevent compatibility issues.
8. Is it possible to clone a copy of an existing DS/OpenDJ between servers?
You can move DS/OpenDJ data between servers and operating systems. Most of the configuration is portable.
The following two aspects of the configuration are not portable:
- Server certificates – they contain the host name of the system.
- Replication configuration – this includes the host name and administrative port numbers.
9. About OpenAM and OpenDJ: what does their open source nature bring compared with their proprietary competitors?
OpenAM and OpenDJ, by their open source nature, can accommodate a wider variety of usage scenarios, with a community of developers and users contributing to these scenarios and to the usability and scalability of the products. They are generally much easier to implement than their competitors and adapt to more platforms. Also, being derived from projects backed by Sun, OpenAM and OpenDJ were designed to meet scale requirements well beyond those of SMEs: these technologies have been deployed at large telecoms operators with tens of millions of users, yet their architecture lets them adapt to smaller projects at a correspondingly reduced cost. Then there are the general benefits of open source: no or very low cost; the ability to evaluate the product and its code before you invest; and a low exit cost, since if you are not happy with your support provider you can keep using the software, choose another provider, or invest in maintaining the product yourself. Finally, release cycles in open source projects are faster and more frequent, and allow anyone at any time to evaluate the product, test a version or a patch, or suggest an improvement that can be deployed immediately and from which other users also benefit. Because the code is public, its security mechanisms can be studied, which makes these technologies more reliable in that respect.
10. What is the difference between OpenDJ and OpenAM?
OpenDJ is an open source project building LDAP and REST-based Directory Services. OpenDJ continues in open source the development of OpenDS, a project that was started by Sun Microsystems but abandoned by Oracle.
OpenAM is an open source Authentication, Authorization, Web Single Sign On, Federation solution that is flexible, extensible and highly scalable. For its configuration management, OpenAM embedded OpenDJ. For its user stores, it relies on LDAP directory servers, and is very well integrated with OpenDJ.
11. Is there a limit to the number of users and groups that can be created in DS/OpenDJ?
The theoretical limits for the maximum number of entries are so high that you will almost certainly hit hardware, performance or infrastructure problems before you can reach them. The number of users and groups you can support depends on the hardware resources you have available, how well your data is structured, and how well crafted the operations your clients perform on the database are.
12. Can a group be both dynamic and static?
No, a group cannot be both for implementation reasons.
13. How can I query DS/OpenDJ to find the number of user entries?
You can query your LDAP user store to find the number of users.
The following options are available:
- Count all objects within a particular branch of the directory – you can use this option as long as all users are stored within the same branch of the directory and the branch is not used for any other objects, that is, only users are stored there.
- Count all objects in the directory with a user-based objectClass search filter – you can use this option if the objectClass used in the search filter is only used for real people objects.
- Count all objects in the directory with a uid based RDN – you can use this option if you use uid based RDNs, for example, uid=jdoe.
- Counting managed/user objects in IDM – you can use this option to count all users in your repository providing you are using a JDBC repository. If you use a DS repository, you should use one of the DS options outlined above.
14. Can I use static groups for large numbers of users?
It is recommended that you use dynamic groups for large numbers of users as large static groups can cause performance problems. An alternative to using dynamic groups is to invert the logic and have a small static group that only contains the exceptions rather than all users.
15. Does DS/OpenDJ support attribute encryption?
DS/OpenDJ supports one-way encryption of password values, for example Salted SHA-1 hashing, but it does not support reversibly encrypted attributes.
16. Why does DS/OpenDJ base64 encode some attributes in LDIF format?
Tools such as ldapsearch and export-ldif that read or write LDIF comply with the LDIF escaping rules when attribute values contain non-ASCII characters as well as a few special characters. This means they encode the UTF-8 strings using base64 and add a “::” after the attribute name to indicate this has happened. This encoding only takes place when reading and writing LDIF. Attributes in DS/OpenDJ are still stored in UTF-8.
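The following added example (my code, not the page's and not an OpenDJ tool) serves both question 13 and question 16: it writes attribute lines with the “::” base64 form exactly when LDIF escaping requires it, parses an LDIF export back (decoding “::” values to UTF-8 and unfolding continuation lines), and then applies the three DS counting strategies from question 13 to a constructed export. The sample directory is constructed so that each strategy's caveat shows: the People branch also holds a group, and a service account shares the inetOrgPerson class but is not named by a uid RDN.

```python
import base64

# Constructed LDIF export (not from any real directory). "cn" of the second
# user is non-ASCII and "description" starts with a space, so both appear in
# the '::' base64 form the answer above describes.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe

dn: uid=mmuller,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: mmuller
cn:: TWF4IE3DvGxsZXI=
description::IHBhZGRlZA==

dn: cn=Admins,ou=People,dc=example,dc=com
objectClass: groupOfNames
cn: Admins
member: uid=jdoe,ou=People,dc=example,dc=com

dn: cn=svc-backup,ou=Services,dc=example,dc=com
objectClass: inetOrgPerson
uid: svc-backup
cn: svc-backup
"""


def ldif_line(attr, value):
    """Write one attribute the way LDIF tools do: '::' + base64 when the value
    is non-ASCII, begins with space/':'/'<', ends with space, or contains
    NUL/CR/LF; otherwise the plain ': value' form."""
    unsafe = (not value.isascii() or value.startswith((" ", ":", "<"))
              or value.endswith(" ") or any(c in value for c in "\0\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_ldif(text):
    """Parse LDIF into [{"dn": str, "attrs": {name: [values]}}], unfolding
    continuation lines and decoding '::' values back to UTF-8 strings."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def _norm(dn):
    # Case/space normalisation for comparison; escaped commas are not handled.
    return ",".join(p.strip().lower() for p in dn.split(","))


def count_in_branch(entries, base_dn):
    """Option 1: every entry below base_dn. Over-counts when the branch also
    holds non-user objects (the Admins group in the sample)."""
    suffix = "," + _norm(base_dn)
    return sum(1 for e in entries if _norm(e["dn"]).endswith(suffix))


def count_by_objectclass(entries, object_class):
    """Option 2: objectClass filter. Over-counts when service accounts share
    the class used for real people (svc-backup in the sample)."""
    oc = object_class.lower()
    return sum(1 for e in entries
               if any(v.lower() == oc for v in e["attrs"].get("objectClass", [])))


def count_by_uid_rdn(entries):
    """Option 3: entries whose RDN attribute is uid, as in uid=jdoe,..."""
    return sum(1 for e in entries if _norm(e["dn"]).split("=", 1)[0] == "uid")


def get_entry(entries, dn):
    return next((e for e in entries if _norm(e["dn"]) == _norm(dn)), None)
```

Run against the sample, the branch count and the objectClass count both report three entries while the uid-RDN count reports two, and none of the three is wrong: each answers a slightly different question, which is why the answer to question 13 ties each option to a precondition about how the data is organised.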
17. What are the requirements to decommission or retire a DS/OpenDJ instance (Pre-DS7)?
If you need to retire the system on which the DS/OpenDJ instance is running and this DS/OpenDJ instance is part of a replication topology, you must first permanently disable replication on this instance only, before decommissioning the system.
18. What are the steps followed to set up OpenAM to protect a web page?
- Prepare your host file.
- Deploy Apache HTTP server.
- Deploy Apache Tomcat.
- Deploy OpenAM.
- Configure a policy in OpenAM.
- Create a web policy agent profile.
- Install the OpenAM web policy agent.
These steps are used in the Linux systems whereas for Microsoft Windows, just adapt the examples accordingly.
19. What are the procedures to upgrade a legacy deployment?
1. Keep your customized OpenAM server .war file organized.
2. Following the instructions in ‘Installing OpenAM Core Services’, set up a new installation of servers from the new, customized .war file.
3. After installation is complete, use the ‘ssoadm do-batch’ command to apply multiple changes with a single command.
4. Authenticate the new service to check if the performance meets the expected level or not.
5. Finally, execute the task of redirecting client application traffic to the new installation from the old deployment.
20. What Do You Understand By Restful Apis?
Representational State Transfer (REST) is a style of architecture that sets certain constraints for designing and building large-scale distributed systems. As a style of architecture, REST has very broad utility. The designs of both HTTP 1.1 and URIs follow RESTful principles. The World Wide Web is without doubt the largest and best-known REST application. Many other web services also follow the REST architecture, such as OAuth 2.0 and OpenID Connect 1.0. ForgeRock Common REST (CREST) applies RESTful principles to define common verbs for HTTP-based APIs that access web resources and collections of resources.
21. How to develop Client Applications?
Client applications can access OpenAM services for authentication, authorization, and single sign-on/single logout, by the use of sessions. Client applications also are allowed to manage authorization policies. This part of the guide covers client interaction with OpenAM over supported protocols and using OpenAM APIs.
22. What Is The Radius Protocol?
RADIUS (Remote Authentication Dial In User Service) is a client/server protocol in which a network access client sends authentication requests to a RADIUS server; the conversation is made up of the following packet types:
- Access-Request packets, sent from a client to a server to begin a new authentication conversation, or to respond to a previous response in an existing conversation and provide the requested information.
- Access-Accept packets, sent from a server to a client to indicate successful authentication.
- Access-Reject packets, sent from a server to a client to indicate failed authentication.
- Access-Challenge packets, sent from a server to a client to solicit more information from the entity being validated.
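As an added illustration (my code, not the page's and not ForgeRock's RADIUS implementation), the exchange below builds the four packet types with their RFC 2865 header layout (code, identifier, length, 16-byte authenticator) and shows the check a client should perform on every reply: recomputing the Response Authenticator, MD5 over code, identifier, length, the original Request Authenticator, the attributes and the shared secret. A reply produced with the wrong secret, or one answering a different identifier, is rejected. The shared secret and attribute values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes for the four packet types listed above.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used below (RFC 2865): User-Name, Reply-Message, State.
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def attribute(avp_type, value):
    """Encode one Type-Length-Value attribute (length covers type and length)."""
    return struct.pack("!BB", avp_type, 2 + len(value)) + value


def build_request(identifier, attributes, authenticator=None):
    """Client side: an Access-Request carries a fresh random Request Authenticator."""
    if authenticator is None:
        authenticator = os.urandom(16)
    length = HEADER.size + len(attributes)
    return HEADER.pack(ACCESS_REQUEST, identifier, length, authenticator) + attributes


def build_response(code, request, attributes, secret):
    """Server side: Accept, Reject or Challenge. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, _, request_auth = HEADER.unpack_from(request)
    length = HEADER.size + len(attributes)
    head = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return HEADER.pack(code, identifier, length, response_auth) + attributes


def verify_response(response, request, secret):
    """Client side: accept a reply only if it matches our outstanding request's
    identifier and its Response Authenticator verifies under the shared secret.
    Returns the packet code on success, None otherwise."""
    if len(response) < HEADER.size or len(request) < HEADER.size:
        return None
    code, identifier, length, response_auth = HEADER.unpack_from(response)
    if length != len(response):
        return None
    _, req_id, _, request_auth = HEADER.unpack_from(request)
    if identifier != req_id:
        return None
    attributes = response[HEADER.size:]
    expected = hashlib.md5(response[:4] + request_auth + attributes + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_request(7, attribute(USER_NAME, b"jdoe"))
    reply = build_response(ACCESS_CHALLENGE, req, attribute(STATE, b"step1"), secret)
    print("authentic reply, code:", verify_response(reply, req, secret))
    forged = build_response(ACCESS_ACCEPT, req, b"", b"guessed-secret")
    print("forged reply, code:", verify_response(forged, req, secret))
```

The identifier check matters as much as the digest: it binds each reply to one outstanding request, so a stale or replayed Accept for a different conversation is not taken as an answer to this one.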
23. How Can We Specify An Explicit Api Rest Version?
We can specify the version of the REST API to use by adding an Accept-API-Version header to the request. We can also configure the default behavior OpenAM takes when a REST call does not specify any explicit version information.
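The following added example (my code, not OpenAM's) models the server side of that header: it parses a value of the form `Accept-API-Version: resource=2.0, protocol=1.0` and decides which resource version serves the call. The supported version list, the handler names, and the matching rule (same major version, highest supported minor that is at least the requested minor) are assumptions of this example, as is the three-way default behaviour for calls with no version: serve the latest, serve the oldest, or reject the call.

```python
# Assumed catalogue of handlers keyed by resource version (constructed).
SUPPORTED = {"1.0": "users_v1_0", "1.1": "users_v1_1", "2.0": "users_v2_0"}
FIELDS = ("resource", "protocol")


def parse_accept_api_version(header):
    """Parse 'resource=2.0, protocol=1.0' into {"resource": (2, 0), "protocol": (1, 0)}.

    Returns {} when the header is absent and None when it is malformed, so the
    caller can distinguish 'no version requested' from 'bad request'."""
    if header is None:
        return {}
    result = {}
    for part in header.split(","):
        name, sep, value = part.strip().partition("=")
        name = name.strip()
        major, dot, minor = value.strip().partition(".")
        if not sep or name not in FIELDS or not (major.isdigit() and minor.isdigit()):
            return None
        result[name] = (int(major), int(minor))
    return result


def select_resource_version(requested, supported=SUPPORTED, default="latest"):
    """Choose which resource version serves the call.

    Assumed rule: the requested major must exist and the server serves the
    highest minor >= the requested minor. With no resource version requested,
    `default` decides: 'latest', 'oldest' or 'none' (reject unversioned calls).
    Returns the chosen version string, or None to reject the request."""
    if requested is None:                      # malformed header
        return None
    versions = sorted(tuple(int(x) for x in v.split(".")) for v in supported)
    if "resource" not in requested:
        if default == "latest":
            chosen = versions[-1]
        elif default == "oldest":
            chosen = versions[0]
        else:
            return None
    else:
        major, minor = requested["resource"]
        matches = [v for v in versions if v[0] == major and v[1] >= minor]
        if not matches:
            return None
        chosen = matches[-1]
    return f"{chosen[0]}.{chosen[1]}"


def dispatch(header, default="latest"):
    """Map a raw header value to a handler name, or None for rejected calls."""
    version = select_resource_version(parse_accept_api_version(header), default=default)
    return SUPPORTED.get(version) if version else None
```

Setting the unversioned default to reject ('none' here) is the strictest choice: clients are forced to state the resource version they were written against, so a later upgrade cannot silently change the shape of the responses they receive.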
24. What is the password reset function?
OpenAM helps users to reset their passwords on their own. OpenAM handles both the case where a user knows their password and wants to change it and the case where the user has forgotten their password and needs to reset it, possibly after answering security questions.
25. How do I open the OpenDJ control panel?
To launch the OpenDJ control panel, run the control-panel command. Depending on your host system, this command is one of the following: (Linux/UNIX) /path/to/opendj/bin/control-panel; (Windows) C:\path\to\opendj\bat\control-panel.
26. How can I configure my local system to make administering the DS/OpenDJ server easier?
You can eliminate the need to provide defined arguments when using command line utilities by creating a personal tools.properties file to store commonly entered parameters such as bind DN, host name, and port number.
27. Can I upgrade an embedded DS/OpenDJ (in AM/OpenAM)?
No. Embedded DS/OpenDJ is automatically upgraded when you upgrade AM/OpenAM. If you have a need to upgrade DS/OpenDJ separately, you will need to use DS/OpenDJ as an external repository rather than the embedded DS/OpenDJ.
28. Is replication between two different versions of DS/OpenDJ supported when I am upgrading?
Yes. Replication between different versions of DS/OpenDJ is fully supported, for example when doing a rolling upgrade of servers, which by its nature means you will have different versions of DS/OpenDJ running for a period of time while performing the upgrade process.
29. Where can I find the LDAP SDK for DS/OpenDJ?
The LDAP SDK provides public Java APIs for connecting to DS/OpenDJ. There are multiple versions available. However, the newer versions include more APIs to increase the functionality available. Additionally, there are dependencies between the server version and LDAP SDK in some situations:
If you are building a plugin or extension, you must use the corresponding opendj-core version. For example, if you use DS 7.0.0, you must use the opendj-core-7.0.0.jar.
If you are building an LDAP client, you can use any version with any supported versions of DS/OpenDJ as the SDK version is not tied to the DS/OpenDJ version in this situation.
As of OpenDJ 3, the LDAP SDK was renamed from opendj-ldap-sdk to opendj-core.
opendj-core
Each DS/OpenDJ server release has an equivalent opendj-core-xxx.jar file in Artifactory. You can locate the required file by searching for opendj-core-xxx.jar (replacing xxx with the 3-digit release number). For example, the file for DS 6 is opendj-core-6.0.0.jar. You must log in using your BackStage username and password to access these files. The Javadoc for the corresponding version lists the LDAP SDK packages available for that release.
opendj-ldap-sdk
You can download the LDAP SDK from BackStage or Artifactory. You can locate the latest released version by searching for opendj-ldap-sdk-2.6.11.jar. You must log in using your BackStage username and password to access these files.
30. How does OpenAM support IPv4 and IPv6?
OpenAM supports IPv4, IPv6, and hybrid deployments of both. While most of the interaction happens at the back end, there are a few places where the GUI needs input, such as when setting up policy conditions. These fields follow the standards that apply to IPv4 and IPv6: IPv4 uses a 32-bit integer value, written in dotted-decimal notation, while IPv6 uses hexadecimal notation, with a colon separating the eight groups of hexadecimal digits.
31. What Do You Understand By Saml 2.0 SSO & Federation?
SAML 2.0 SSO is part of the federated access management. Federation permits access management across the organizational boundaries. Federation allows organizations to share the identities and services without giving away their organizational information and the services they provide.
32. Can I have Pass Through Authentication (PTA) use a mapped attribute for use with Active Directory?
Yes, as of OpenDJ 3.5, you can map LDAP attributes in DS/OpenDJ for PTA using the mapped-search-filter-template property. For example, you can map different attributes, such as uid in DS/OpenDJ to sAMAccountName in Active Directory.
Prior to this, it was not possible to map different attributes in OpenDJ for PTA. In earlier versions, you had to use the same mapping attribute in both OpenDJ and Active Directory.
33. Is antivirus software compatible with DS/OpenDJ?
Antivirus and intrusion detection systems are not compatible with DS/OpenDJ file access. Scanning DS/OpenDJ files may impact performance and cause system reliability problems because of file locking. At a minimum, you should whitelist the DS/OpenDJ database files to exclude them from antivirus scanning, which will prevent interference with normal file access.
34. Does DS/OpenDJ support PostgreSQL?
No, DS/OpenDJ uses its own BerkeleyDB™ JE backend, which cannot be substituted with anything else.
35. How do I get feature XYZ?
If somebody else needs that feature, they might have already entered a request in JIRA for OpenDJ. If not, you can sign up to create a New Feature or Improvement entry in JIRA.
Next, you can lobby on the OpenDJ mailing list or the #opendj IRC chat on irc.freenode.net to have someone develop the feature.
36. What information do the native-windows.out and server.out log files contain?
These files can help with troubleshooting issues with the server’s startup:
- The native-windows.out file is generated by the executable that allows DS/OpenDJ to run as a Microsoft® Windows® service.
- The server.out file is essentially the STDERR (Standard Errors) for the DS/OpenDJ server. DS/OpenDJ currently overwrites these files when they reach 0.5 MB, although they are not expected to grow much.
37. How do I get OpenDJ in my language?
OpenDJ software has been localized in the following languages for the directory administrator:
- French
- German
- Japanese
- Simplified Chinese
- Spanish
Certain messages have also been translated into Catalan, Korean, Polish, and Traditional Chinese. Some error messages including messages labeled SEVERE and FATAL are provided only in English. Furthermore, OpenDJ supports many locales for user data.
38. What are all the port numbers and protocols OpenDJ uses?
OpenDJ server software uses the following TCP/IP ports by default.
- LDAP: 389 (1389) – OpenDJ directory server listens for LDAP requests from client applications on port 389 by default. OpenDJ directory server uses port 1389 by default for non-root users. LDAP is enabled by default.
- LDAPS: 636 (1636) – OpenDJ directory server listens for LDAPS requests from client applications on port 636 by default. OpenDJ directory server uses port 1636 by default for non-root users. LDAPS is not enabled by default.
- Administrative connections: 4444 – OpenDJ directory server listens for administrative traffic on port 4444 by default. The administration connector is enabled by default.
- SNMP: 161 – OpenDJ directory server listens for SNMP traffic on port 161 by default. SNMP is not enabled by default.
- JMX: 1689 – OpenDJ directory server listens for Java Management eXtension traffic on port 1689 by default. JMX is not enabled by default.
- HTTP: 8080 – OpenDJ directory server can listen for HTTP client requests to the RESTful API. The default port is 8080, but HTTP access is not enabled by default.
- Replication: 8989 – OpenDJ directory server listens for replication traffic on port 8989 by default. Replication is not enabled by default.
39. How can OpenDJ store user data in another application, such as Oracle DB, MySQL, PeopleSoft, Google Apps or SalesForce.com?
Currently OpenDJ provides a directory server and data stores based on LDIF files or Berkeley DB Java Edition. The LDIF file data store is meant for a small number of entries and very infrequent changes, such as configuration or schema. Future versions of OpenDJ will provide Virtual Directory capabilities and allow storing user data in external data stores. In the past, there was an attempt to use an external distributed database, Network DB, as the user store, providing services similar to what OpenLDAP was also trying to build.
The performance and reliability of that service didn’t match our expectations, and in the end the code was removed and is not supported.
40. Do I need to perform a DS/OpenDJ performance test?
Yes, performance testing is a very important step to ensure that the system you have configured will cope with the expected load once it is in production. By performance testing your system, you can tweak any performance issues you encounter before going live.
Before running any performance tests, you should ensure DS/OpenDJ is running and configured in a test environment that closely resembles your planned production environment. You should also be aware of the type of load expected in your production system and the types of user data involved to make your tests as realistic as possible.
41. Are there things I should monitor on an ongoing basis in terms of DS/OpenDJ performance?
Yes, it is useful to monitor performance on an ongoing basis to allow you to react to changes quickly. Useful things to monitor include:
- Heap size.
- Number of open sessions/size of sessions.
- CPU utilization – utilization of 70-80% is worth investigating.
42. Do I have to use the directory superuser (uid=admin or cn=Directory Manager) for JMX monitoring?
No, you can use any user for JMX monitoring; you just need to add the JMX privileges (jmx-notify, jmx-read, and jmx-write) to the user you want to access JMX monitoring. No users have access to JMX monitoring by default.
43. How can I connect to JMX to ensure mbeans are returned?
You must be authenticated to the DS/OpenDJ server via a JMX client to see the mbeans with their associated attributes and operations. Authenticating to the server is the only way to expose the sensitive elements within the mbeans; connecting to the process directly will not show them. Additionally, you must ensure the user who authenticates has JMX privileges.
44. What is the recommended way to load balance client connections?
In most scenarios, the way to load balance client connections is specific to your topology so we don’t have definitive best practice recommendations. You may want to have pooled connections so that clients only open a set number of connections or your clients may not be able to pool connections and open individual connections for each request. In either case, you may or may not want to load balance based on:
- Number of opened connections.
- System load of the DS/OpenDJ server.
- Round robin.
- Failover only.
You should consider setting an idle time limit to ensure idle connections are closed; in particular, you must set this lower than the idle time limit of the load balancer.