Install a Remote Connector Server (RCS)

Important

Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.

There are two types of RCS:

Java: Use the Java RCS if your Java connector needs to run in a different JVM to IDM. Unless the remote resource you are connecting to needs the .NET Powershell connector, this is the recommended RCS to use.
Set Up a Java RCS
Install a Java RCS on Unix/Linux
Important
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.
1. Download and extract the Java RCS from the ForgeRock BackStage download site.
2. Change to the openicf directory:
  cd /path/to/openicf
3. Review the ConnectorServer.properties file in the /path/to/openicf/conf directory, and adjust it to suit your deployment. For a complete list of properties in that file, see RCS Properties.
  In server mode, the RCS uses a connectorserver.key property to authenticate the connection. The default value of the key is a hashed value of the string changeit. You cannot set this property directly in the configuration file. To change its value, use the command ConnectorServer.sh /setKey. This example sets the key value to Passw0rd:
  /path/to/openicf/bin/ConnectorServer.sh /setKey Passw0rd Key has been successfully updated.
  In client mode, this is not necessary, and may be skipped. For more information about the differences between client mode and server mode, see "Configure a Remote Connector Server (RCS)".
4. Start the Java RCS:
  /path/to/openicf/bin/ConnectorServer.sh /run
  The RCS is now running, and listening on port 8759, by default.
  Log files are available in the /path/to/openicf/logs directory.
  ls logs/ Connector.log ConnectorServer.log ConnectorServerTrace.log
5. To stop the Java RCS, press CTRL + C, or q in the terminal where you started the server.
Install a Java RCS on Windows
Important
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.
1. Download and extract the Java RCS from the ForgeRock BackStage download site.
2. In a Command Prompt window, change to the openicf directory:
  C:\>cd C:\path\to\openicf
3. Review the ConnectorServer.properties file in the \path\to\openicf\conf directory, and adjust it to suit your deployment. For a complete list of properties in that file, see RCS Properties.
  In server mode, the RCS uses a connectorserver.key property to authenticate the connection. The default value of the key is a hashed value of the string changeit. You cannot set this property directly in the configuration file. To change its value, use the ConnectorServer.bat /setKey command. This example sets the key value to Passw0rd:
  c:\path\to\openicf>bin\ConnectorServer.bat /setKey Passw0rd Key has been successfully updated.
  In client mode, this is not necessary, and may be skipped. For more information about the differences between client mode and server mode, see "Configure a Remote Connector Server (RCS)".
4. You can either run the Java RCS as a Windows service, or start and stop it from the command line:
  
  To install the Java RCS as a Windows service, run the following command:
  c:\path\to\openicf>bin\ConnectorServer.bat /install
  If you install the RCS as a Windows service, you can use the Microsoft Services Console to start, stop, and restart the service. The Java Connector Service is named OpenICFConnectorServerJava.
  To uninstall the Java RCS as a Windows service, run the following command:
  c:\path\to\openicf>bin\ConnectorServer.bat /uninstall
  
  To start the Java RCS from the command line, enter the following command:
  c:\path\to\openicf>bin\ConnectorServer.bat /run
5. The RCS is now running, and listening on port 8759, by default.
  Log files are available in the \path\to\openicf\logs directory.
6. To stop the Java RCS, press ^ + C.
.NET: Use the .NET RCS if you are using the PowerShell connector to connect to an identity store. IDM communicates with the .NET RCS over the network, and the RCS runs the Powershell connector.
Set Up a .NET RCS
Set Up a .NET RCS
Important
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.
The .NET RCS is distributed in two file formats:
openicf-version-dotnet.msi is a wizard that installs the RCS as a Windows service.
openicf-version-dotnet.zip is just a bundle of files required to run the RCS.
1. Depending on how you want to install the RCS, download the corresponding file from the ForgeRock BackStage download site.
2. Follow one of these procedures to install the RCS:
  Install the RCS as a Service
  Double-click the openicf-version-dotnet.msi installation file and complete the wizard.
  You must run the wizard as a user who has permission to start and stop a Windows service; otherwise, the service will not start.
  Select Typical as the Setup Type.
  When the wizard has completed, the RCS is installed as a Windows service.
  Open the Microsoft Services Console and make sure that the RCS is listed there.
  The name of the service is OpenICF Connector Server, by default.
  Make sure that the RCS is not currently running. If it is running, use the Microsoft Services Console to stop it.
  Unpack the RCS Zip
  If you do not want to run the RCS as a Windows service, download and extract the openicf-version-dotnet.zip file.
  If you have already extracted the .zip file and then decide to run the RCS as a service, install the service manually with the following command:
  .\ConnectorServerService.exe /install /serviceName service-name
3. At the command prompt, change to the directory where the RCS was installed, for example:
  cd "c:\Program Files (x86)\ForgeRock\OpenICF"
4. (Optional) By default, the RCS outputs log messages to a file named connectorserver.log, in the \path\to\openicf directory. To change the location of the log file, set the initializeData parameter in the configuration file. The following example sets the log directory to C:\openicf\logs\connectorserver.log:
  <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\openicf\logs\connectorserver.log" traceOutputOptions="DateTime"> <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/> </add>
5. Run the ConnectorServerService /setKey command to set a secret key for the RCS. The key can be any string value. This example sets the secret key to Passw0rd:
  ConnectorServerService /setKey Passw0rd Key has been successfully updated.
  This key is used by clients connecting to the RCS. The key that you set here must also be set in the IDM RCS configuration.
6. Edit the RCS configuration.
  The RCS configuration is saved in a file named ConnectorServerService.exe.Config (in the directory where the RCS is installed).
  Check and edit this file, as necessary, to reflect your installation. Specifically, verify that the baseAddress reflects the host and port on which the RCS is installed:
  <system.serviceModel> <services> <service name="Org.ForgeRock.OpenICF.Framework.Service.WcfServiceLibrary.WcfWebsocket"> <host> <baseAddresses> <add baseAddress="http://0.0.0.0:8759/openicf" /> </baseAddresses> </host> </service> </services> </system.serviceModel>
  Note
  The baseAddress specifies the host and port on which the RCS listens, and is set to http://0.0.0.0:8759/openicf by default. If you set a host value other than the default 0.0.0.0, connections from all IP addresses other than the one specified are denied.
  Important
  If Windows firewall is enabled, you must create an inbound port rule to open the TCP port for the RCS (8759 by default). If you do not open the TCP port, IDM won't be able to contact the RCS. For more information, see the corresponding Microsoft documentation.
7. (Optional) Configure the RCS to use SSL:
  Open a Powershell terminal as a user with administrator privileges, then change to the ICF installation directory:
  cd 'C:\Program Files (x86)\ForgeRock\OpenICF'
  Use an existing CA certificate, or use the New-SelfSignedCertificate cmdlet to create a self-signed certificate:
  New-SelfSignedCertificate -DnsName "dotnet", "dotnet.example.com" -CertStoreLocation "cert:\LocalMachine\My" PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My Thumbprint Subject ---------- ------- 770F531F14AF435E963E14AD82B70A47A4BFFBF2 CN=dotnet
  Assign the certificate to the RCS:
  .\ConnectorServerService.exe /setCertificate Select certificate you want to use: Index Issued To Thumbprint ----- --------- ------------------------- 0) dotnet 770F531F14AF435E963E14AD82B70A47A4BFFBF2 0 Certificate Thumbprint has been successfully updated to 770F531F14AF435E963E14AD82B70A47A4BFFBF2.
  Bind the certificate to the RCS port (8759 by default). To bind the certificate:
  Use the New-Guid cmdlet to generate a new UUID:
  New-Guid Guid ---- 0352cf0f-2e7a-4aee-801d-7f27f8344c77
  Enter the netsh http console and add the certificate thumbprint generated in the previous step, and the UUID that you have just generated:
  netsh netsh>http netsh http>add sslcert ipport=0.0.0.0:8759 certhash=770F5...FFBF2 appid={0352c...4c77} SSL Certificate successfully added
  Change the RCS configuration (in the ConnectorServerService.exe.Config file) to use HTTPS and not HTTP.
  Change baseAddress="http..." to baseAddress="https...":
  <host> <baseAddresses> ... <add baseAddress="https://0.0.0.0:8759/openicf"/> </baseAddresses> </host>
  Change httpTransport to httpsTransport:
  <httpsTransport authenticationScheme="Basic" realm="OpenICF"> <webSocketSettings transportUsage="Always" createNotificationOnConnection="true" .../> </httpsTransport>
  Export the certificate:
  Launch the certificate management MMC (certlm.msc).
  Right-click the dotnet certificate, and select All Tasks > Export to launch the Certificate Export Wizard.
  Select Next > No, do not export the private key > DER encoded binary X.509 (.CER) > Next.
  Save the file in an accessible location (for example, C:\Users\Administrator\Desktop\dotnet.cer), and click Finish.
  Import the certificate into the IDM truststore:
  Transfer the certificate from the Windows machine to the machine that's running IDM.
  Change to the openidm/security directory and use the Java keytool command to import the certificate:
  cd /path/to/openidm/security keytool -import -alias dotnet -file ~/Downloads/dotnet.cer -keystore ./truststore Enter keystore password: changeit Owner: CN=dotnet Issuer: CN=dotnet Serial number: 1e3af7baed05ce834da5cd1bf1241835 Valid from: Tue Aug 08 15:58:32 SAST 2017 until: Wed Aug 08 16:18:32 SAST 2018 Certificate fingerprints: MD5: D1:B7:B7:46:C2:59:1A:3C:94:AA:65:99:B4:43:3B:E8 SHA1: 77:0F:53:1F:14:AF:43:5E:96:3E:14:AD:82:B7:0A:47:A4:BF:FB:F2 SHA256: C0:52:E2:E5:E5:72:9D:69:F8:11:4C:B8:4C:E4:E3:1C:19:95:86:19:70:E5:31:FA:D8:81:4B:F2:AC:30:9C:73 Signature algorithm name: SHA256withRSA Version: 3 ... Trust this certificate? [no]: yes Certificate was added to keystore
  When you configure the RCS, remember to set "useSSL": true.
8. (Optional) Check the trace settings under system.diagnostics in the RCS configuration file:
  <system.diagnostics> <trace autoflush="true" indentsize="4"> <listeners> <remove name="Default" /> <add name="console" /> <add name="file" /> </listeners> </trace> <sources> <source name="ConnectorServer" switchName="switch1"> <listeners> <remove name="Default" /> <add name="file" /> </listeners> </source> </sources> <switches> <add name="switch1" value="Information" /> </switches> <sharedListeners> <add name="console" type="System.Diagnostics.ConsoleTraceListener" /> <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="logs\ConnectorServerService.log" traceOutputOptions="DateTime"> <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" /> </add> </sharedListeners> </system.diagnostics>
  The RCS uses the standard .NET trace mechanism. For more information about tracing options, see Microsoft's .NET documentation for System.Diagnostics.
  The default trace settings are a good starting point. For less tracing, set the EventTypeFilter's initializeData to Warning or Error. For very verbose logging, set the value to Verbose or All. The logging level has a direct effect on the RCS performance, so take care when setting this level.
9. Start the .NET RCS in one of the following ways:
  
  Start the server as a Windows service, by using the Microsoft Services Console.
  Locate the RCS service (OpenICF connector server), and click Start the service or Restart the service.
  The service runs with the credentials of the "run as" user (System, by default).
  
  Start the server as a Windows service, by using the command line.
  In the Windows Command Prompt, run the following command:
  net start ConnectorServerService
  To stop the service, run the following command:
  net stop ConnectorServerService
  
  Start the server without using Windows services.
  In the Windows Command Prompt, change to the RCS installation directory. The default location is c:\> cd "c:\Program Files (x86)\ForgeRock\OpenICF".
  Start the server with the following command:
  ConnectorServerService.exe /run
  Note
  This command starts the RCS with the credentials of the current user. It does not start the server as a Windows service.

Both RCS types use the following configuration properties:

RCS Properties

This table shows the complete list of RCS configuration properties. Note that all properties are prefixed with connectorserver. in the configuration file. The prefixes are not shown here so that the table is easier to read:

Property	RCS Mode (Server or Client)	Description	Example
`connectorServerName`	Client	Name of the remote connector client. This name is used to identify the remote connector server in the list of connector reference objects. The name must be lower case alphanumeric characters (`^[a-z0-9]*$`), and must match the `name` property in the `provisioner.openicf.connectorinfoprovider.json` file on your IDM server.	rcs1
`url`	Client	URL of the server on which IDM runs.	`wss://openidm.example.com:8443/openicf` ^[a]
`hostId`	Client	Unique identifier for the RCS.	MY_UNIQUE_RCS_HOST_ID
`proxyHost`	Client	Proxy server host.
`proxyPort`	Client	Proxy server port number.
`proxyPrincipal`	Client	Proxy server principal.
`proxyPassword`	Client	Proxy server password.
`housekeepingInterval`	Client	WebSocket connections housekeeping interval, in seconds.	9
`groupCheckInterval`	Client	WebSocket groups check interval, in seconds.	900
`webSocketConnections`	Client	Number of WebSocket connections to open.	3
`connectionTtl`	Client	Time to live of a WebSocket connection, in seconds.	88
`newConnectionsInterval`	Client	Time (in seconds) before a new connection can be established.	26
`tokenEndpoint`	Client	Token endpoint from which to retrieve the access token, if you are using OAuth2 to authenticate against AM.	`https://am.example.com/am/oauth2/realms/root/access_token`
`scope`	Client	OAuth2 token scope, if you are using OAuth2 to authenticate against AM.	fr:idm:*
`clientId`	Client	OAuth2 Client ID for which to request an access token. ^[b]	connectorServer
`clientSecret`	Client	OAuth2 Client Secret.	openidm
`pingPongInterval`	Both	WebSocket Ping/Pong interval, in seconds. The purpose of the ping is to keep connections alive (for firewalls or load balancers that honor connections in use). If your firewall or load balancer does not honor connections in use (that is, connections are timed out, regardless of their usage), the ping has no effect and you should disable it. Set this property to `0` to disable the ping.	300
`trustStoreFile`	Both	The IDM truststore file. You do not need to set this property if the IDM certificate is a CA-signed certificate.	`security/truststore.pkcs12`
`trustStoreType`	Both	The IDM truststore type. You do not need to set this property if the IDM certificate is a CA-signed certificate.	`PKCS12`
`trustStorePass`	Both	The IDM truststore password. You do not need to set this property if the IDM certificate is a CA-signed certificate.	changeit
`keyStoreFile`	Both	The IDM keystore file. You do not need to set this property if the IDM certificate is a CA-signed certificate.	`security/keyStore.pkcs12`
`keyStoreType`	Both	The IDM keystore type. You do not need to set this property if the IDM certificate is a CA-signed certificate.	`PKCS12`
`keyStorePass`	Both	The IDM keystore password. You do not need to set this property if the IDM certificate is a CA-signed certificate.	changeit
`keyPass`	Both	The IDM certificate password. You do not need to set this property if the IDM certificate is a CA-signed certificate.	changeit
`libDir`	Both	Directory on the RCS host in which connector library file dependencies are located (relative to `/path/to/openicf/`).	`lib`
`bundleDir`	Both	Directory on the RCS host in which connector .jar files are located (relative to `/path/to/openicf/`).	`connectors`
`loggerClass`	Both	The RCS logger class.	`org.forgerock.openicf.common.logging.slf4j.SLF4JLog`
`principal`	Both	Principal to authenticate to the RCS. This property is not used if the RCS obtains its access token through ForgeRock® Access Management (AM) (which is the case when IDM is running in ForgeRock Identity Cloud).	anonymous
`password`	Both	Password to authenticate to the RCS. This property is not used if the RCS obtains its access token through AM (which is the case when IDM is running in ForgeRock Identity Cloud).	changeit
`useSSL`	Server	Whether the connection between IDM and the RCS should be over SSL.	false/true
`port`	Server	Port on which the RCS listens for the connection from IDM.	8759
^[a] Note the `wss` (WebSocket) transport protocol and the `openicf` endpoint. Important ^[b] If the RCS is authenticating against AM, you must update your IDM authentication configuration (in `conf/authentication.json`). Add a user mapping for this client ID in the `rsFilter` authentication module configuration. For more information, see "Authenticate through AM".

Note

Certain configuration properties are dependent on the RCS mode. For more information, see "Configure a Remote Connector Server (RCS)".

Sample connectorserver.properties file for client mode

connectorserver.url=wss://my-tenant.forgeblocks.com:8443/openicf
connectorserver.connectorServerName=myConnectorServer
connectorserver.hostId=MY_UNIQUE_RCS_HOST_ID
connectorserver.pingPongInterval=60
connectorserver.housekeepingInterval=20
connectorserver.groupCheckInterval=900
connectorserver.webSocketConnections=3
connectorserver.maxWebSocketConnections=4
connectorserver.connectionTtl=3000
connectorserver.newConnectionsInterval=10
connectorserver.tokenEndpoint=https://my-tenant.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token
connectorserver.clientId=my-client-id
connectorserver.clientSecret=my-client-secret
connectorserver.trustStoreFile=security/truststore.pkcs12
connectorserver.trustStoreType=PKCS12
connectorserver.trustStorePass=changeit
connectorserver.keyStoreFile=security/keyStore.pkcs12
connectorserver.keyStoreType=PKCS12
connectorserver.keyStorePass=changeit
connectorserver.keyPass=changeit
connectorserver.scope=fr:idm:*
connectorserver.bundleDir=connectors
connectorserver.libDir=lib
connectorserver.loggerClass=org.forgerock.openicf.common.logging.slf4j.SLF4JLog

Sample connectorserver.properties file for server mode

connectorserver.port=8759
connectorserver.pingPongInterval=60
connectorserver.principal=anonymous
connectorserver.password=changeit
connectorserver.useSSL=true
connectorserver.trustStoreFile=security/truststore.pkcs12
connectorserver.trustStoreType=PKCS12
connectorserver.trustStorePass=changeit
connectorserver.keyStoreFile=security/keyStore.pkcs12
connectorserver.keyStoreType=PKCS12
connectorserver.keyStorePass=changeit
connectorserver.keyPass=changeit
connectorserver.bundleDir=connectors
connectorserver.libDir=lib
connectorserver.key=lmA6bMfENJGlIDbfrVtklXFK32s\=
connectorserver.loggerClass=org.forgerock.openicf.common.logging.slf4j.SLF4JLog

Install Connector Dependencies

Important

Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.

In most cases, ICF connectors come bundled with all third party libraries needed to run. In some cases, however, you'll need to download certain libraries (for example, the Database Table connector needs the appropriate JDBC driver for the database you are targeting). For local connectors, place these libraries in the /path/to/openidm/lib/ directory. For remote connectors, place them in the /path/to/openicf/lib/ directory on the RCS.

The following table lists the connector dependencies and indicates which ones must be downloaded:

Dependencies for bundled connectors
Connector	Dependencies
Database Table Connector	No external dependencies. However, you must include the JDBC driver for the database that you are targeting in the `/path/to/openidm/lib/` directory.
DocuSign Connector	`lib/java-jwt-3.4.0.jar`
PeopleSoft Connector	`psjoa.jar` `psft.jar`