Trusting Transaction IDs From Other Products

Each audit event is identified by a unique transaction ID that can be communicated across products and recorded for each local event. By using the transaction ID, requests can be tracked as they traverse the platform, making it easier to monitor activity and to enrich reports.

The X-ForgeRock-TransactionId header is automatically set in all outgoing HTTP calls from one ForgeRock product to another. Customers can also set this header themselves from their own applications or scripts that call into the ForgeRock Identity Platform.

To reduce the risk of malicious attacks, by default IG does not trust transaction ID headers from client applications.

If you trust the transaction IDs sent by your client applications, consider setting the Java system property org.forgerock.http.TrustTransactionHeader to true. With this setting, all incoming X-ForgeRock-TransactionId headers are trusted, and monitoring or reporting systems that consume the logs can correlate requests as they traverse multiple servers. Set the property as follows:

  • When IG is running in standalone mode, add a system property in env.sh:

    # Specify a JVM option
    TX_HEADER_OPT="-Dorg.forgerock.http.TrustTransactionHeader=true"
    
    # Include it into the JAVA_OPTS environment variable
    export JAVA_OPTS="${TX_HEADER_OPT}"
  • When IG is running in web container mode, set a Java system property. For information, see the container documentation.
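
The following sketch is an added example, not ForgeRock code. It shows how a reporting system might correlate audit events by transaction ID once the header is trusted, and how it can flag IDs that should not be taken at face value. The log lines are constructed, and the `source` and `client_ip` field names, the `SAFE_ID` pattern, and the two checks are assumptions made for this illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample audit lines (not real product output). The field names
# "source" and "client_ip" and the ID format below are assumptions.
SAMPLE_LOG = r"""
{"timestamp": "2024-05-01T10:00:00Z", "source": "ig", "client_ip": "203.0.113.5", "transactionId": "a1b2c3d4-0001"}
{"timestamp": "2024-05-01T10:00:02Z", "source": "idm", "client_ip": "10.0.0.3", "transactionId": "a1b2c3d4-0001"}
{"timestamp": "2024-05-01T10:00:01Z", "source": "am", "client_ip": "10.0.0.2", "transactionId": "a1b2c3d4-0001"}
{"timestamp": "2024-05-01T10:01:00Z", "source": "ig", "client_ip": "198.51.100.7", "transactionId": "order-42"}
{"timestamp": "2024-05-01T10:07:30Z", "source": "ig", "client_ip": "198.51.100.99", "transactionId": "order-42"}
{"timestamp": "2024-05-01T10:09:00Z", "source": "ig", "client_ip": "198.51.100.7", "transactionId": "abc\nforged line"}
"""

SAFE_ID = re.compile(r"[A-Za-z0-9._/-]{1,64}")  # assumed policy for accepted IDs
EDGE = "ig"  # product that receives the client-supplied header


def correlate(log_text):
    """Group events by transaction ID, each trace ordered by timestamp."""
    traces = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            traces[event["transactionId"]].append(event)
    for events in traces.values():
        events.sort(key=lambda e: e["timestamp"])
    return dict(traces)


def suspicious_ids(traces):
    """Flag IDs that a trusted-header deployment should not take at face value."""
    findings = {}
    for tx_id, events in traces.items():
        reasons = []
        if not SAFE_ID.fullmatch(tx_id):
            reasons.append("malformed")  # e.g. embedded newline or whitespace
        edge_clients = {e["client_ip"] for e in events if e["source"] == EDGE}
        if len(edge_clients) > 1:
            reasons.append("reused-by-multiple-clients")
        if reasons:
            findings[tx_id] = reasons
    return findings


if __name__ == "__main__":
    traces = correlate(SAMPLE_LOG)
    print([e["source"] for e in traces["a1b2c3d4-0001"]])
    print(suspicious_ids(traces))
```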
