UI and API Access

This page shows you how to access and monitor the ForgeRock Identity Platform components that make up the CDM.

AM and IDM are configured for access through the CDM cluster’s Kubernetes ingress controller. You can access these components using their normal interfaces:

  • For AM, the console and REST APIs.

  • For IDM, the Admin UI and REST APIs.

DS cannot be accessed through the ingress controller, but you can use Kubernetes methods to access the DS pods.

For more information about how AM and IDM are configured in the CDM, see Configuration in the forgeops repository’s top-level README file.

AM Services

Access the AM console and REST APIs as follows:

Access the AM Console
  1. Obtain the amadmin user’s password:

    $ cd /path/to/forgeops/bin
    $ ./print-secrets.sh amadmin
  2. Open a new window or tab in a web browser.

  3. Go to https://prod.iam.example.com/platform.

    The Kubernetes ingress controller handles the request, routing it to the login-ui pod.

    The login UI prompts you to log in.

  4. Log in as the amadmin user.

    The ForgeRock Identity Platform UI appears in the browser.

  5. Select Native Consoles > Access Management.

    The AM console appears in the browser.

Access the AM REST APIs
  1. Start a terminal window session.

  2. Run a curl command to verify that you can access the REST APIs through the ingress controller. For example:

    $ curl \
     --insecure \
     --request POST \
     --header "Content-Type: application/json" \
     --header "X-OpenAM-Username: amadmin" \
     --header "X-OpenAM-Password: 179rd8en9rffa82rcf1qap1z0gv1hcej" \
     --header "Accept-API-Version: resource=2.0" \
     --data "{}" \
     'https://prod.iam.example.com/am/json/realms/root/authenticate'
    
    {
        "tokenId":"AQIC5wM2…",
        "successUrl":"/am/console",
        "realm":"/"
    }

IDM Services

Access the IDM Admin UI and REST APIs as follows:

Access the IDM Admin UI
  1. Obtain the amadmin user’s password:

    $ cd /path/to/forgeops/bin
    $ ./print-secrets.sh amadmin
  2. Open a new window or tab in a web browser.

  3. Go to https://prod.iam.example.com/platform.

    The Kubernetes ingress controller handles the request, routing it to the login-ui pod.

    The login UI prompts you to log in.

  4. Log in as the amadmin user.

    The ForgeRock Identity Platform UI appears in the browser.

  5. Select Native Consoles > Identity Management.

    The IDM Admin UI appears in the browser.

Access the IDM REST APIs
  1. Start a terminal window session.

  2. If you haven’t already done so, get the amadmin user’s password using the print-secrets.sh command.

  3. AM authorizes IDM REST API access using the OAuth 2.0 authorization code flow. The CDM comes with the idm-admin-ui client, which is configured to let you get a bearer token using this OAuth 2.0 flow. You’ll use the bearer token in the next step to access the IDM REST API:

    1. Get a session token for the amadmin user:

      $ curl \
       --request POST \
       --insecure \
       --header "Content-Type: application/json" \
       --header "X-OpenAM-Username: amadmin" \
       --header "X-OpenAM-Password: vr58qt11ihoa31zfbjsdxxrqryfw0s31" \
       --header "Accept-API-Version: resource=2.0, protocol=1.0" \
       'https://prod.iam.example.com/am/json/realms/root/authenticate'
      {
       "tokenId":"AQIC5wM…TU3OQ*",
       "successUrl":"/am/console",
       "realm":"/"
      }
    2. Get an authorization code. Specify the ID of the session token that you obtained in the previous step in the --Cookie parameter:

      $ curl \
       --dump-header - \
       --insecure \
       --request GET \
       --Cookie "iPlanetDirectoryPro=AQIC5wM…TU3OQ*" \
       "https://prod.iam.example.com/am/oauth2/realms/root/authorize?redirect_uri=https://prod.iam.example.com/platform/appAuthHelperRedirect.html&client_id=idm-admin-ui&scope=openid&response_type=code&state=abc123"
      HTTP/2 302
      server: nginx/1.17.10
      date: Tue, 21 Jul 2020 16:54:20 GMT
      content-length: 0
      location: https://prod.iam.example.com/platform/appAuthHelperRedirect.html
       ?code=3cItL9G52DIiBdfXRngv2_dAaYM&iss=http://prod.iam.example.com:80/am/oauth2&state=abc123
       &client_id=idm-admin-ui
      set-cookie: route=1595350461.029.542.7328; Path=/am; Secure; HttpOnly
      x-frame-options: SAMEORIGIN
      x-content-type-options: nosniff
      cache-control: no-store
      pragma: no-cache
      set-cookie: OAUTH_REQUEST_ATTRIBUTES=DELETED; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly
    3. Exchange the authorization code for an access token. Specify the authorization code that you obtained in the previous step in the code URL parameter:

      $ curl --request POST \
       --insecure \
       --data "grant_type=authorization_code" \
       --data "code=3cItL9G52DIiBdfXRngv2_dAaYM" \
       --data "client_id=idm-admin-ui" \
       --data "redirect_uri=https://prod.iam.example.com/platform/appAuthHelperRedirect.html" \
       "https://prod.iam.example.com/am/oauth2/realms/root/access_token"
      {
       "access_token":"oPzGzGFY1SeP2RkI-ZqaRQC1cDg",
       "scope":"openid",
       "id_token":"eyJ0eXAiOiJKV..sO4HYqlQ",
       "token_type":"Bearer",
       "expires_in":239
      }
  4. Run a curl command to verify that you can access the openidm/config REST endpoint through the ingress controller. Use the access token returned in the previous step as the bearer token in the authorization header.

    The following example command provides information about the IDM configuration:

    $ curl \
     --insecure \
     --request GET \
     --header "Authorization: Bearer oPzGzGFY1SeP2RkI-ZqaRQC1cDg" \
     https://prod.iam.example.com/openidm/config
    {
     "_id":"",
     "configurations":
      [
       {
        "_id":"ui.context/admin",
        "pid":"ui.context.4f0cb656-0b92-44e9-a48b-76baddda03ea",
        "factoryPid":"ui.context"
        },
        . . .
       ]
    }
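The bearer-token procedure above (steps 3.1 through 4), collected into one script as an added example that is not part of forgeops: it chains the authenticate, authorize and access_token calls, pulls the code out of the 302 Location header, and refuses the code unless the state value it sent comes back unchanged. It assumes the amadmin password from print-secrets.sh is exported in AM_PASSWORD, that curl and jq are installed, and the page’s FQDN prod.iam.example.com.

```shell
#!/bin/sh
# Added example, not forgeops code. Assumes AM_PASSWORD holds the amadmin
# password from print-secrets.sh and that curl and jq are installed.
set -eu
FQDN="${FQDN:-prod.iam.example.com}"
CLIENT_ID="idm-admin-ui"
REDIRECT_URI="https://${FQDN}/platform/appAuthHelperRedirect.html"
# Step 1: authenticate amadmin and print the session token id.
am_session_token() {
  curl --silent --insecure --request POST \
    --header "Content-Type: application/json" \
    --header "X-OpenAM-Username: amadmin" \
    --header "X-OpenAM-Password: ${AM_PASSWORD}" \
    --header "Accept-API-Version: resource=2.0, protocol=1.0" \
    "https://${FQDN}/am/json/realms/root/authenticate" | jq -r .tokenId
}
# Extract the code from a 302 Location value; require the echoed state to
# match the one we sent (the flow's CSRF check) before handing the code back.
auth_code_from_location() {
  location="$1"; expected_state="$2"
  code=$(printf '%s' "$location" | sed -n 's/.*[?&]code=\([^&[:space:]]*\).*/\1/p')
  state=$(printf '%s' "$location" | sed -n 's/.*[?&]state=\([^&[:space:]]*\).*/\1/p')
  [ -n "$code" ] || { echo "no authorization code in redirect" >&2; return 1; }
  [ "$state" = "$expected_state" ] || { echo "state mismatch" >&2; return 1; }
  printf '%s' "$code"
}
# Step 2: call authorize with the session cookie; AM's 302 Location carries the code.
am_authorization_code() {
  token="$1"; state="$2"
  location=$(curl --silent --insecure --request GET --dump-header - --output /dev/null \
    --cookie "iPlanetDirectoryPro=${token}" \
    "https://${FQDN}/am/oauth2/realms/root/authorize?redirect_uri=${REDIRECT_URI}&client_id=${CLIENT_ID}&scope=openid&response_type=code&state=${state}" \
    | tr -d '\r' | awk 'tolower($1) == "location:" { print $2 }')
  auth_code_from_location "$location" "$state"
}
# Step 3: exchange the code for a bearer token (public client, no secret).
am_access_token() {
  curl --silent --insecure --request POST \
    --data "grant_type=authorization_code" --data "code=$1" \
    --data "client_id=${CLIENT_ID}" --data "redirect_uri=${REDIRECT_URI}" \
    "https://${FQDN}/am/oauth2/realms/root/access_token" | jq -r .access_token
}
# Step 4 runs only when a password is supplied, so the file also loads offline.
if [ -n "${AM_PASSWORD:-}" ]; then
  STATE=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  ACCESS=$(am_access_token "$(am_authorization_code "$(am_session_token)" "$STATE")")
  curl --silent --insecure --header "Authorization: Bearer ${ACCESS}" \
    "https://${FQDN}/openidm/config" | jq .
fi
```

Run it as AM_PASSWORD="$(./print-secrets.sh amadmin)" sh idm-token.sh; the access token is short-lived (the page shows expires_in of 239 seconds), so rerun the script rather than caching the token.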

Directory Services

The DS pods in the CDM are not exposed outside of the cluster. If you need to access one of the DS pods, use a standard Kubernetes method:

  • Execute shell commands in DS pods using the kubectl exec command.

  • Forward a DS pod’s LDAPS port (1636) to your local computer. Then you can run LDAP CLI commands, for example ldapsearch. You can also use an LDAP editor such as Apache Directory Studio to access the directory.

For all CDM directory pods, the directory superuser DN is uid=admin. Obtain this user’s password by running the print-secrets.sh dsadmin command.

CDM Monitoring

Here are procedures to access Grafana dashboards and the Prometheus web UI:

Access Grafana Dashboards

For information about the Grafana UI, see the Grafana documentation.

  1. Forward port 3000 on your local computer to port 3000 on the Grafana web server:

    $ kubectl \
     port-forward \
     $(kubectl get pods --selector=app.kubernetes.io/name=grafana \
     --output=jsonpath="{.items..metadata.name}" --namespace=monitoring) \
     3000 --namespace=monitoring
    
    Forwarding from 127.0.0.1:3000 → 3000
    Forwarding from [::1]:3000 → 3000
  2. In a web browser, go to http://localhost:3000 to start the Grafana user interface.

  3. Log in to Grafana as the admin user. The password is password.

  4. When you’re done using the Grafana UI, enter Ctrl+C in the terminal window to stop port forwarding.

Access the Prometheus Web UI

For information about the Prometheus web UI, see the Prometheus documentation.

  1. Forward port 9090 on your local computer to port 9090 on the Prometheus web server:

    $ kubectl \
     port-forward \
     $(kubectl get pods --selector=app=prometheus \
     --output=jsonpath="{.items..metadata.name}" --namespace=monitoring) \
     9090 --namespace=monitoring
    
    Forwarding from 127.0.0.1:9090 → 9090
    Forwarding from [::1]:9090 → 9090
  2. In a web browser, go to http://localhost:9090.

    The Prometheus web UI appears in the browser.

  3. When you’re done using the Prometheus web UI, enter Ctrl+C in the terminal window to stop port forwarding.

For a description of the CDM monitoring architecture and information about how to customize CDM monitoring, see Monitoring Customizations.