ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: Installing and configuring IDM

Last updated Apr 8, 2021

The purpose of this FAQ is to provide answers to commonly asked questions regarding installing and configuring IDM.

Frequently asked questions

Q. Is IDM compatible with Oracle Java Development Kit (JDK) 11?

A. Yes, as of IDM 6.5, Oracle JDK 11 is supported. You should only use supported versions to prevent compatibility issues.

Q. Can IDM be used with OpenJDK?

A. Yes, OpenJDK is supported in IDM. See Release Notes › Before You Install (Java Requirements) for details of versions.

Q. How do I integrate IDM, AM and DS?

A. You should refer to the Platform Setup Guide for further information.

Q. Do I need to change the default symmetric encryption key for production (Pre-IDM 6.5)?

A. No, you do not. IDM generates a symmetric key and a private key the first time the server is started. See How do I change the symmetric key in IDM 5.x and 6? for further information.

However, you should change the default keystore password as detailed in Integrator's Guide › To Change the Default Keystore Password.

Q. Does IDM support encryption keys with 256-bit AES encryption?

A. Yes, IDM supports keys with 256-bit AES encryption and, as of Java 9, so does Java. With earlier versions of Java, you must install the Oracle Java JCE unlimited strength jars if you want to use keys with 256-bit AES encryption. See Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download for further information and links to download the jars.
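
To confirm which case applies to the JVM that runs IDM, the following added example (not part of the original FAQ and not ForgeRock code) reports the JVM's AES key-length limit and round-trips a constructed sample string under a throwaway 256-bit key. The class name `Aes256PolicyCheck` is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not ForgeRock code. The class name is hypothetical.
public class Aes256PolicyCheck {
    // Integer.MAX_VALUE means the unlimited-strength policy is active;
    // 128 means the limited policy is in force and 256-bit keys are rejected.
    static int maxAesKeyBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Encrypts and decrypts a constructed sample under a throwaway 256-bit key.
    // Under the limited policy, init() throws InvalidKeyException.
    static boolean aes256RoundTrip() throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[32]; // 256-bit key, generated only for this check
        byte[] iv = new byte[12];  // 96-bit GCM nonce
        rng.nextBytes(key);
        rng.nextBytes(iv);
        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
        byte[] plain = "constructed sample".getBytes(StandardCharsets.UTF_8);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, keySpec, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal(plain);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, keySpec, new GCMParameterSpec(128, iv));
        return Arrays.equals(plain, dec.doFinal(ct));
    }

    public static void main(String[] args) {
        System.out.println("java.version  = " + System.getProperty("java.version"));
        // JDK security property; may be null when it is not set in java.security.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        try {
            int bits = maxAesKeyBits();
            System.out.println("max AES key   = " + (bits == Integer.MAX_VALUE ? "unlimited" : bits + " bits"));
            System.out.println("AES-256 test  = " + (aes256RoundTrip() ? "OK" : "MISMATCH"));
        } catch (GeneralSecurityException e) {
            System.out.println("AES-256 test  = FAILED: " + e);
            System.exit(1);
        }
    }
}
```

Compile and run it with the same Java installation that starts IDM, since the policy is a property of that JVM and not of IDM.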

Q. How do I configure IDM for case-insensitive searching?

A. IDM is case-sensitive, but this can cause issues where valid entries are not found due to their case. This issue also affects queries done using queryFilter, as the case sensitivity of queryFilter depends on the repository's collation. You can resolve this by configuring the repository for case sensitivity as detailed in Synchronization Guide › Reconcile With Case-Insensitive Data Stores.

Q. Can IDM be configured to use multiple OpenICF Connector servers and failover with Active Directory Domain Controllers?

A. No, IDM can only use one OpenICF Connector server at a time. For failover purposes, you should have two or more Active Directory Domain Controllers (DC) with the OpenICF Connector server installed. If one becomes unavailable, your system administrator should change the target IP to another available DC.

Q. Can you configure IDM reconciliation to continue implicit synchronization even when a failure occurs?

A. No, IDM performs implicit synchronization on an all-or-nothing basis according to the failure compensation configuration. There is no way to have implicit synchronization occur on specific objects within a mapping but not others.

Q. How do I configure IDM to handle large data sets for reconciliation?

A. IDM supports reconciliation paging, which breaks down extremely large data sets into chunks. See Synchronization Guide › Tuning Reconciliation Performance for further information on this and other approaches to improve reconciliation performance.

See How do I identify reconciliation performance issues in IDM (All versions)? for further information on troubleshooting reconciliation performance. 

See Also

FAQ: General IDM

FAQ: IDM compatibility with third-party products

FAQ: Upgrading IDM

FAQ: Scripts in IDM

Installation Guide

Setup Guide

Related Training

ForgeRock Identity Management Core Concepts (IDM-400)

Copyright © 2021 ForgeRock, all rights reserved.