Product Q&As
ForgeRock Identity Platform
Does not apply to Identity Cloud

Do ForgeRock products run on AWS?

Last updated Jun 30, 2022

AWS stands for Amazon Web Services and encompasses a range of cloud-based services provided by Amazon. ForgeRock products work well with many AWS offerings. Additionally, ForgeRock has also partnered with AWS to make it even easier for companies to control access to AWS Resources.


Overview

AWS encompasses an extensive range of cloud-based services provided by Amazon; in total, they offer over 200 different services covering a variety of technologies and use cases. 

This article obviously can't cover every single service provided, so instead focuses on the five key services that ForgeRock is commonly asked about:

AWS SNS (Simple Notification Service) Push Service

AWS SNS is a fully managed messaging service that makes it easy to send mobile push notifications. See Amazon Simple Notification Service for further information. 

AWS SNS powers the push authentication mechanism used in ForgeRock Access Management (AM) for multi-factor authentication (MFA). 

See the following resources for further information:

Amazon EKS (Elastic Kubernetes Service)

Amazon EKS is a managed service that allows you to run Kubernetes on AWS without having to deploy and maintain your own Kubernetes deployment. See What is Amazon EKS? for further information.

ForgeOps (ForgeRock DevOps) enables you to deploy the ForgeRock Identity Platform in a Kubernetes containerized environment, including Amazon EKS.

See the following resources for further information:

AWS ELB (Elastic Load Balancer)

AWS ELB is a load-balancing service that automatically distributes incoming application traffic across available resources. See Elastic Load Balancing for further information.

AWS offers four different types of load balancer, so you can choose the most appropriate one for your needs: Application load balancer, Network load balancer, Gateway load balancer and Classic load balancer. See Elastic Load Balancing features for further information. However, please be aware that the Classic load balancer does not support WebSockets; WebSockets are required for notifications when using AM with IG or Agents, so you should not use the Classic load balancer in these types of deployment.

See the following resources for further information:

DS does not currently support the Proxy protocol (which means DS will see the IP address for the load balancer not the client applications) but this will be supported in the future. 

AWS WAF (Web Application Firewall)

The AWS WAF helps protect your web applications from common web attacks and bots, and can be used to protect ForgeRock products. See AWS WAF - Web Application Firewall for further information.

One consideration when configuring a WAF is that you don't block legitimate traffic, which can cause web applications to fail. For example, there is a known issue if you apply the AWS firewall Core rule set (CRS): AWSManagedRulesCommonRuleSet (which includes the SizeRestrictions_BODY rule) without modification; this rule can block AM traffic and cause authentication flows to fail. See AWS web application firewall blocks traffic from AM (All versions) causing authentication flows to fail for further information.

It is also important to remember that if you rely on managed rule sets, although you will benefit from protection as new issues emerge, you may also find previously working web applications fail after a managed rule is updated. 

AWS CloudHSM (Hardware Security Module)

AWS CloudHSM is a cloud-based, standards-compliant hardware security module (HSM) that allows you to manage your encryption keys in the AWS Cloud. See AWS CloudHSM for further information.

ForgeRock products support the PKCS#11 standard interface and you can choose which HSM you want to use to implement this interface, providing the chosen HSM conforms to the PKCS#11 standard v2.20 or later. The PKCS#11 library provided in the AWS CloudHSM is compliant with v2.40 of the PKCS#11 standard, which means you can use this HSM with the PKCS#11 interface and ForgeRock products.

See the following resources for further information:

There are a couple of known issues with early versions of Java 11 and PKCS#11, so you should ensure you are using Java 11.0.6 or later if you're implementing a HSM. See SSLHandshakeException or ClassCastException when using an HSM and Java 11 with ForgeRock products for further information.

Note

AWS KMS (Key Management Service) is a separate service to AWS CloudHSM and is not currently supported by ForgeRock.

See Also

What is AWS

Amazon Web Services (AWS) Partnership with ForgeRock

Cloud Storage (DS)


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.