Do ForgeRock products run on Google Cloud?
Google Cloud (sometimes referred to as Google Cloud Platform or GCP) is a set of cloud computing services provided by Google. ForgeRock products work well with many Google Cloud services.
Overview
Google Cloud provides over 100 different cloud computing services covering a wide range of products and solutions. This article considers five of the main services that ForgeRock gets asked about:
- Google Kubernetes Engine (GKE)
- Cloud Load Balancing
- Cloud HSM
- Google Key Management Service (KMS)
- Google Secret Manager (GSM)
Google Kubernetes Engine (GKE)
GKE is a managed Kubernetes service that provides a simple way of deploying and managing a Kubernetes cluster using the Google Cloud Platform. See GKE Overview for further information.
ForgeOps (ForgeRock DevOps) enables you to deploy the ForgeRock Identity Platform in a Kubernetes containerized environment, including GKE.
See the following resources for further information:
- ForgeOps Start here
- Cloud Deployment Model Documentation
- GKE setup checklist
- Multi-Cluster Deployment Using Google Cloud Multi-Cluster Ingress and Cloud DNS for GKE
- Deploying ForgeRock Directory Services on a Kubernetes Multi-Cluster using Google Cloud Multi-cluster Services (MCS)
- Multi-Cluster Deployment for DS on GKE Using Cloud DNS for GKE
- DevOps on Google Cloud: tools to speed up software development velocity
Cloud Load Balancing
Google Cloud Load Balancing is a managed service that distributes traffic across multiple instances of your applications to improve performance. Google offers eight different Cloud Load Balancing products; see Cloud Load Balancing overview for details.
See the following resources for further information:
- Load balancing (AM)
- On load balancers (DS)
- Proxy Protocol (DS)
- IDM in a cluster
- Prepare for load balancing and failover (IG)
- Configure load balancers and reverse proxies (Web Agents)
- Configure load balancers and reverse proxies (Java Agents)
Cloud HSM
Cloud HSM is a cloud-hosted, standards-compliant hardware security module (HSM) that enables you to manage your encryption keys in Google Cloud. Cloud HSM uses the Google Key Management Service (KMS) for its front end to provide additional functionality. See Cloud HSM for further information.
ForgeRock products support the PKCS#11 standard interface and you can choose which HSM you want to use to implement this interface, providing the chosen HSM conforms to the PKCS#11 standard v2.20 or later. The PKCS#11 library provided in the Google Cloud HSM is compliant with v2.40 of the PKCS#11 standard, which means you can use this HSM with the PKCS#11 interface and ForgeRock products.
See the following resources for further information:
- Library for PKCS #11
- Cloud HSM architecture
- Does the ForgeRock Identity Platform support HSMs?
- HSMs and ForgeRock software
- HSM secret stores (AM)
- HSM (DS)
- PKCS#11 hardware security module (DS)
- Hardware security module (HSM) (IDM)
- Secrets (IG)
- Is the ForgeRock Identity Platform FIPS 140-2 compliant?
There are a couple of known issues with early versions of Java 11 and PKCS#11, so you should ensure you are using Java 11.0.6 or later if you're implementing an HSM. See SSLHandshakeException or ClassCastException when using an HSM and Java 11 with ForgeRock products for further information.
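As an added example (not from this article, ForgeRock or Google), the following Java diagnostic checks the Java 11.0.6 requirement above and then loads the Cloud HSM's PKCS#11 library through the JDK's SunPKCS11 provider, which is the same interface ForgeRock products use to talk to an HSM. The config file path, library path and PIN environment variable are assumptions for your deployment.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/**
 * Pre-flight check before configuring AM or DS against a PKCS#11 HSM:
 * 1. the JVM is Java 11.0.6 or later (earlier 11.0.x has known PKCS#11 issues);
 * 2. the HSM's PKCS#11 library loads through SunPKCS11 and its keystore is readable.
 */
public class Pkcs11Check {

    // Assumption: a SunPKCS11 config file you create, of the form:
    //   name = GoogleCloudHSM
    //   library = /path/to/the/cloud-hsm-pkcs11-library.so
    private static final String SUNPKCS11_CONFIG = "/etc/forgerock/pkcs11.cfg";

    /** True for Java 11.0.6 or later, or any newer feature release. */
    static boolean javaVersionSupported(Runtime.Version v) {
        if (v.feature() > 11) {
            return true;
        }
        return v.feature() == 11 && v.update() >= 6;
    }

    public static void main(String[] args) throws Exception {
        Runtime.Version v = Runtime.version();
        if (!javaVersionSupported(v)) {
            System.err.println("Java " + v + " is older than 11.0.6; upgrade before using an HSM.");
            System.exit(1);
        }

        // Java 9+ API: obtain the unconfigured provider and point it at the config file.
        Provider hsm = Security.getProvider("SunPKCS11").configure(SUNPKCS11_CONFIG);
        Security.addProvider(hsm);

        // Assumption: the token PIN (if the library requires one) is supplied via
        // an environment variable rather than hard-coded.
        String pin = System.getenv().getOrDefault("HSM_PIN", "");
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin.toCharArray());

        // Listing aliases proves the PKCS#11 session works end to end.
        System.out.println("Provider " + hsm.getName() + " loaded; key aliases:");
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("  " + alias);
        }
    }
}
```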
Google Key Management Service (KMS)
Cloud KMS is a cloud service that enables you to manage your symmetric and asymmetric cryptographic keys in Google Cloud. This encompasses the full lifecycle, including creating, rotating and destroying the keys. You can do this directly using Cloud KMS or via other Google services. See Cloud Key Management Service for further information.
AM can retrieve secrets from Cloud KMS.
See the following resources for further information:
Google Secret Manager (GSM)
GSM is a cloud service for storing and managing secrets. Secrets stored within GSM are encrypted; by default they are encrypted with a Google-managed key, but you can use Cloud KMS to encrypt the secrets instead (Customer-managed encryption keys (CMEK)), giving you control over the encryption keys. See Secret Manager conceptual overview for further information.
AM can retrieve secrets from GSM.
See the following resources for further information:
See Also
ForgeRock Identity Cloud: Powered by Google Cloud
Cloud storage (DS)