
FAQ: Installing and configuring IG

Last updated Jun 8, 2021

The purpose of this FAQ is to provide answers to commonly asked questions regarding installing and configuring IG.



Frequently asked questions

Q. Can I run multiple IG instances on the same server?

A. Yes, you can, but you must adhere to the following guidelines:

  • Run each IG instance in its own web application container instance since IG must be run as the root context web application (for example, ROOT.war in Apache Tomcat™).
  • Use different ports for each web application container instance.
  • Use different base configuration directories for each instance. By default, configuration files are stored in the $HOME/.openig directory, so you would want to change this to, for example, $HOME/.openig1, $HOME/.openig2, etc. See Changing the Default Location of the Configuration Folders for further information.
  • Rename the cookie used for JwtSession if instances run under the same hostname but you do not want to share the stateless session across instances. You do not need to rename this cookie if you want the stateless session to be shared across all IG instances running in a cluster. In this scenario, you need to ensure that the keys/certificates are also the same. See JwtSession for further information.

Q. Can I run IG in the same web application container instance as AM?

A. No, you should run IG and AM in separate web application containers to avoid property file or classloading issues.

Q. Do AM and IG need to be running on the same web application container version?

A. No, there is no dependency between the AM and IG web application container versions.

Q. Can I install IG and AM on the same VM instance?

A. You can for testing purposes provided they listen on different ports for HTTP/HTTPS. However, this setup is not recommended in production.

Q. Can I terminate SSL at the load balancer?

A. Yes, you can set up IG servers behind a load balancer and offload SSL at the load balancer (for example, the F5). 

See IG (All versions) redirects to HTTP when a reverse proxy or load balancer is doing SSL/TLS offloading for further information about this configuration.

Q. Why does IG have to be installed as the root application?

A. If the intention is to use IG as a reverse proxy for all requests, there shouldn't really be a scenario where you would want to deploy it as anything other than root. If it is not in the root context, you restrict which applications can be proxied, since they need to be in the same context.

There is also code within IG that implicitly assumes it is deployed in the root context.

Q. How do I configure IG to not enforce URI authorization for certain file types?

A. You can use route conditions to control which requests are handled by IG as detailed in Setting Route Conditions or configure the web application container to serve the files instead.

See How do I configure IG (All versions) to access unprotected static content and resources? for further information.

Q. Does IG support URI rewriting?

A. Yes, as of IG 7, URI path rewriting is supported. A UriPathRewriteFilter is available to rewrite the path of a request URL. See UriPathRewriteFilter for further information.

In previous versions, you can use a ScriptableFilter as detailed in ScriptableFilter if you need to rewrite URLs. Unfortunately, we do not provide an example ScriptableFilter for this purpose as there are many different use cases and working with the regular expressions needed to rewrite links in HTML pages can be error-prone.

Resolved RFE: OPENIG-1664 (Provide support for basic URI path rewriting).

Q. How do I change the timezone used for timestamps in the log files?

A. For logs that are recorded using Logback, you can modify the logback.xml file to change the timezone. In the reference file, you will notice that it shows UTC:

<encoder>
    <pattern>%date{"yyyy-MM-dd'T'HH:mm:ss,SSSXXX", UTC} | %-5level | %thread | %logger{20} | @%mdc{routeId:-system} | %message%n%xException</pattern>
</encoder>

See Default Logging Behavior for the full reference logback.xml file.

You can change UTC to specify the required timezone. The format required is dictated by the TimeZone.getTimeZone(String) method specification. This means you can use an abbreviation such as "PST", a full name such as "America/Los_Angeles" or a custom ID such as "GMT-8:00". If the timezone is unknown or misspelled, the GMT timezone is assumed. IG might need restarting depending on the Logback configuration.
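Because an unrecognized ID silently becomes GMT, log timestamps can end up in a different zone than the one you intended, which makes correlating IG logs with other sources harder during an investigation. The following is an added example, not ForgeRock code: it extracts the zone argument from a Logback date pattern and reports whether TimeZone.getTimeZone(String) understood it. The class name, method names and sample patterns are hypothetical and constructed for illustration.

```java
import java.util.TimeZone;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LogbackZoneCheck {
    // Captures the zone argument of %date{format, zone} / %d{format, zone}.
    // The format may be double-quoted because it can itself contain a comma.
    private static final Pattern DATE_ZONE = Pattern.compile(
            "%d(?:ate)?\\{\\s*(?:\"[^\"]*\"|[^,}]*)\\s*,\\s*\"?([^,}\"]+?)\"?\\s*[,}]");
    // Spellings that legitimately resolve to the zone whose ID is "GMT".
    private static final Pattern ZERO_GMT = Pattern.compile("GMT([+-]0{1,2}(:?00)?)?");

    /** Returns the zone ID written in a Logback pattern, or null if none is given. */
    static String zoneArgument(String logbackPattern) {
        Matcher m = DATE_ZONE.matcher(logbackPattern);
        return m.find() ? m.group(1).trim() : null;
    }

    /** True when TimeZone.getTimeZone(String) did not understand the ID and returned GMT. */
    static boolean fellBackToGmt(String zoneId) {
        return TimeZone.getTimeZone(zoneId).getID().equals("GMT")
                && !ZERO_GMT.matcher(zoneId).matches();
    }

    public static void main(String[] args) {
        String fmt = "\"yyyy-MM-dd'T'HH:mm:ss,SSSXXX\"";
        // Constructed sample patterns; only the zone argument differs.
        String[] patterns = {
            "%date{" + fmt + ", UTC} | %-5level | %message%n",
            "%date{" + fmt + ", America/Los_Angeles} | %-5level | %message%n",
            "%date{" + fmt + ", GMT-8:00} | %-5level | %message%n",
            "%date{" + fmt + ", America/Los_Angles} | %-5level | %message%n" // misspelled
        };
        for (String p : patterns) {
            String zone = zoneArgument(p);
            if (zone == null) {
                System.out.println("no zone argument (Logback uses the JVM default zone)");
            } else if (fellBackToGmt(zone)) {
                System.out.println(zone + " -> NOT RECOGNIZED, timestamps would be written in GMT");
            } else {
                TimeZone tz = TimeZone.getTimeZone(zone);
                System.out.println(zone + " -> " + tz.getID()
                        + " (raw offset " + tz.getRawOffset() / 3600000.0 + " h)");
            }
        }
    }
}
```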

Audit logs use timestamps in UTC format, which is not currently configurable. An RFE exists for this: OPENIG-4467 (Allow timezone change in audit logging).

See Also

FAQ: IG performance and tuning

Installing and configuring IG

LocationHeaderFilter

Installation in Detail


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.