ForgeRock Backup & Restore Automation Scripts

Production-ready backup and restore automation for ForgeRock Access Management (AM), Identity Management (IDM), and Directory Services (DS).

Features

  • Full stack backup: AM (Amster + REST API), IDM (config + managed objects), DS (dsbackup + LDIF export)
  • AES-256 encryption: Encrypt backups at rest with --encrypt flag
  • S3 upload: Push backups to AWS S3 with --s3 flag
  • Automated retention: Configurable cleanup of old backups
  • Detailed logging: Per-operation timestamped logs
  • Cron templates: Ready-to-install daily/weekly/monthly schedules
  • Restore verification: Automated post-restore validation

Full Tutorial: ForgeRock Backup and Restore Automation: Complete Scripts for AM, IDM, and DS on IAMDevBox.com

Quick Start

# 1. Clone
git clone https://github.com/IAMDevBox/forgerock-backup-restore-scripts.git
cd forgerock-backup-restore-scripts

# 2. Configure
cp config/backup.env.example config/backup.env
# Edit config/backup.env with your ForgeRock URLs and credentials

# 3. Run a backup
chmod +x scripts/*.sh
./scripts/backup_all.sh                    # Basic backup
./scripts/backup_all.sh --encrypt          # With encryption
./scripts/backup_all.sh --encrypt --s3     # Encrypted + S3 upload

Scripts

Script                  Description
scripts/backup_am.sh    Exports AM configuration via Amster and the REST API (realms, services, agents, authentication trees)
scripts/backup_idm.sh   Exports IDM configuration and managed objects (users, roles, assignments) via the REST API
scripts/backup_ds.sh    Creates a DS backup via dsbackup, with an optional LDIF export for auditing
scripts/backup_all.sh   Runs all three backups sequentially and prints a summary report
scripts/restore_idm.sh  Restores IDM configuration from a backup file
scripts/restore_ds.sh   Restores DS data from a dsbackup archive

Usage Examples

# Individual component backups
./scripts/backup_am.sh                     # AM only
./scripts/backup_idm.sh                    # IDM only
./scripts/backup_ds.sh --ldif              # DS with LDIF export

# Encrypted backups
./scripts/backup_all.sh --encrypt          # AES-256-CBC encryption

# Upload to S3
./scripts/backup_all.sh --s3               # Upload to configured S3 bucket
./scripts/backup_all.sh --encrypt --s3     # Encrypt + upload

# Restore
./scripts/restore_idm.sh /path/to/idm-config-20260221.json
./scripts/restore_ds.sh /path/to/ds-backup-20260221
./scripts/restore_idm.sh backup.tar.gz.enc --decrypt

Configuration

Copy config/backup.env.example to config/backup.env and set:

Variable        Description                          Example
AM_URL          ForgeRock AM base URL                https://am.example.com/am
IDM_URL         ForgeRock IDM base URL               https://idm.example.com/openidm
DS_HOME         DS installation directory            /opt/forgerock/ds
ENCRYPTION_KEY  AES-256 passphrase (for --encrypt)   your-strong-passphrase
S3_BUCKET       AWS S3 bucket name (for --s3)        my-forgerock-backups
RETENTION_DAYS  Days to keep local backups           30

See config/backup.env.example for all options.

Scheduling with Cron

# Install the provided cron template
crontab -l | cat - cron/forgerock-backup.cron | crontab -

Default schedule:

  • Daily at 2 AM: Full encrypted backup → S3
  • Weekly (Sundays) at 3 AM: DS LDIF export → S3
  • Monthly (1st) at 1 AM: Full backup with LDIF → S3

Directory Structure

forgerock-backup-restore-scripts/
├── scripts/
│   ├── backup_am.sh           # AM backup (Amster + REST API)
│   ├── backup_idm.sh          # IDM backup (config + managed objects)
│   ├── backup_ds.sh           # DS backup (dsbackup + LDIF)
│   ├── backup_all.sh          # Full stack backup
│   ├── restore_idm.sh         # IDM restore
│   └── restore_ds.sh          # DS restore
├── config/
│   └── backup.env.example     # Configuration template
├── cron/
│   └── forgerock-backup.cron  # Cron schedule template
└── README.md

Security Notes

  • Store config/backup.env securely — it contains ForgeRock admin credentials
  • Always use --encrypt for production backups
  • Use IAM roles instead of access keys for S3 uploads when possible
  • Restrict backup directory permissions: chmod 700 /opt/backups/forgerock
  • Rotate encryption keys periodically
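The following shell functions are an added example, not code from the IAMDevBox repository, showing the encrypt-at-rest, restore-verification and retention behaviour that the feature list, the usage examples and the security notes describe. They reuse the ENCRYPTION_KEY and RETENTION_DAYS variable names from the configuration table above; the openssl CLI is assumed to be installed, and the exact openssl options the project's own scripts pass (beyond AES-256-CBC) are not shown on this page, so the -pbkdf2/-iter choice here is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. Assumes: openssl CLI, sha256sum/find
# from coreutils/findutils. ENCRYPTION_KEY and RETENTION_DAYS follow the README's
# config table; the openssl key-derivation flags are this example's assumption.
set -eo pipefail

# Encrypt SRC to SRC.enc with AES-256-CBC. The passphrase is read from the
# ENCRYPTION_KEY environment variable (-pass env:), so it never appears on the
# command line or in `ps` output. -pbkdf2 with a salt derives the key with a
# proper KDF instead of OpenSSL's legacy EVP_BytesToKey. A SHA-256 digest of the
# plaintext is stored next to the ciphertext so a restore can be verified.
encrypt_backup() {
  local src="$1" out="$1.enc"
  : "${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set}"
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass env:ENCRYPTION_KEY -in "$src" -out "$out"
  chmod 600 "$out"
  sha256sum "$src" | awk '{print $1}' > "$out.sha256"
  printf '%s\n' "$out"
}

# Decrypt ENC to DEST and compare the plaintext digest with the recorded one.
# Returns non-zero if the passphrase is wrong (openssl fails on padding) or if
# the archive was altered; a backup that does not round-trip is not a backup.
restore_and_verify() {
  local enc="$1" dest="$2" expected actual
  : "${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set}"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass env:ENCRYPTION_KEY -in "$enc" -out "$dest" 2>/dev/null || return 1
  expected=$(cat "$enc.sha256")
  actual=$(sha256sum "$dest" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# Remove encrypted backups in DIR older than RETENTION_DAYS (default 30, as in
# the config table) and print how many were deleted. Only *.enc files directly
# in DIR are considered, so a mis-set DIR cannot recurse into something else.
prune_backups() {
  local dir="$1" days="${RETENTION_DAYS:-30}" n
  n=$(find "$dir" -maxdepth 1 -type f -name '*.enc' -mtime +"$days" -print | wc -l)
  find "$dir" -maxdepth 1 -type f -name '*.enc' -mtime +"$days" -delete
  echo "$((n))"
}

# Create the backup directory owner-only (the README's chmod 700) and print its
# mode so callers can assert on it. stat -c is GNU, stat -f is the BSD fallback.
ensure_backup_dir() {
  local dir="$1"
  mkdir -p "$dir"
  chmod 700 "$dir"
  stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir"
}
```

Usage follows the README's flow: `ensure_backup_dir /opt/backups/forgerock`, run the export, `encrypt_backup` the archive, `restore_and_verify` it into a scratch directory before trusting it, and call `prune_backups` from the same cron job that produces the backup. Keeping the digest of the plaintext rather than of the ciphertext means a verification failure distinguishes "wrong key" (openssl exits non-zero) from "archive changed after it was written" (digest mismatch).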

Related Resources

License

MIT License — see LICENSE for details.