Set Recon for a node while allowing WEB traffic to other nodes to distribute load


Can we set Identity Manager to have two separate types of function? One node I would like to receive only API/WEB traffic, which I am able to achieve by placing an LB in front of it, while I would like to set another node just to do recon. No API/UI traffic should reach it. I believe this way I can reduce the load on the IDM and dedicate each node to a given job. Well, I'm coming from the SailPoint world, so my question is framed this way.

Do we have this feature in ForgeRock IDM, and how do we do it if there is a way?

Hi @tusharchoudhury

You can accomplish this, partly through IDM configuration and partly through your network configuration.

Recon is a scheduled task, so you can restrict which nodes perform scheduled tasks in the file with openidm.scheduler.execute.persistent.schedules=true as described in Scheduled tasks across a cluster :: IDM 7.5.0. This setting should be set to false on your API/UI nodes, and true on your recon nodes. You’ll also need to ensure that you are persisting your scheduled jobs.

On the network side of things, you can set up your load balancer to only route the UI/API traffic to the instances where you want UI/API traffic. For example, you can have route to the UI/API nodes, and route traffic to the non-UI/API nodes or simply not expose them via an LB.

Let me know if you have any additional questions!


Thanks @mwtech for the input… So with this change all recon will certainly be handled by the dedicated node; I will try to simulate it as you mentioned.

Another follow-up question on this: will Live Sync and Implicit Sync also be handled by the same Recon node, or will they be handled by the node where the change is received? For example, if I modify a managed object using a REST call or via the UI, which node will update the system objects? Will that be the Recon node or the UI node?

I will try to simulate this; however, I would like your input here too. The objective is that I do not want the API/UI nodes to do any job of updating system objects.

Hi @tusharchoudhury

Live Sync is a scheduled job, so that will be handled by these recon nodes. For Implicit Sync, I believe your best option would be to look into queued synchronization (Implicit synchronization and liveSync :: IDM 7.5.0), which will result in all implicit syncs being persisted and presumably processed by the nodes identified for executing persistent schedules. I say presumably only because I don’t have much experience with this particular configuration. From looking at the documentation on this feature, there is certainly new complexity introduced with this approach, with additional considerations to be made for tuning the performance accordingly.

One quick note on the recon solution I mentioned - you need to ensure that your scheduled job for recon/Live Sync is configured as a persistent schedule: Persistent schedules :: IDM 7.5.0

I hope this is helpful!
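The two answers above boil down to two invariants: only the recon nodes may have openidm.scheduler.execute.persistent.schedules=true, and every recon/liveSync schedule must be persisted, otherwise it is an in-memory schedule that every node loading it will run, UI nodes included. The following is an added example, not code from the thread or from ForgeRock, that checks both invariants across a small cluster before deployment. The node names, the role map, and the boot.properties and schedule-*.json contents are constructed samples; the check also assumes that a missing openidm.scheduler.execute.persistent.schedules property behaves as true (the shipped default), which you should verify for your IDM version.

```python
import json

# Property name from the thread; in IDM it lives in conf/boot/boot.properties on each node.
PERSISTENT_PROP = "openidm.scheduler.execute.persistent.schedules"

# Constructed sample input (hypothetical node names): boot.properties text per node.
BOOT_PROPERTIES = {
    "idm-ui-1": "openidm.node.id=idm-ui-1\n" + PERSISTENT_PROP + "=false\n",
    "idm-ui-2": "openidm.node.id=idm-ui-2\n",  # property omitted on purpose: falls back to the default
    "idm-recon-1": "openidm.node.id=idm-recon-1\n" + PERSISTENT_PROP + "=true\n",
}
NODE_ROLES = {"idm-ui-1": "ui", "idm-ui-2": "ui", "idm-recon-1": "recon"}

# Constructed schedule files in the shape of IDM's conf/schedule-*.json.
SCHEDULE_FILES = {
    "schedule-recon.json": """{
        "enabled": true, "type": "cron", "schedule": "0 0 2 * * ?", "persisted": true,
        "invokeService": "sync",
        "invokeContext": {"action": "reconcile", "mapping": "systemLdapAccounts_managedUser"}
    }""",
    "schedule-livesync.json": """{
        "enabled": true, "type": "simple", "repeatInterval": 60000, "persisted": false,
        "invokeService": "provisioner",
        "invokeContext": {"action": "liveSync", "source": "system/ldap/account"}
    }""",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' and '!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def executes_persistent_schedules(props):
    """Assumption: a missing property behaves as true (shipped default); verify for your version."""
    return props.get(PERSISTENT_PROP, "true").strip().lower() == "true"


def check_cluster(boot_properties, node_roles, schedule_files):
    """Return the nodes that will run persisted jobs plus a list of findings (empty means consistent)."""
    findings = []
    persistent_nodes = []
    for node, text in boot_properties.items():
        executes = executes_persistent_schedules(parse_properties(text))
        role = node_roles.get(node, "unknown")
        if executes:
            persistent_nodes.append(node)
        if role == "ui" and executes:
            findings.append(f"{node}: role=ui but {PERSISTENT_PROP} is missing or true; "
                            "persisted recon/liveSync jobs can run here")
        if role == "recon" and not executes:
            findings.append(f"{node}: role=recon but {PERSISTENT_PROP}=false; it will never run persisted jobs")
    if not persistent_nodes:
        findings.append("no node executes persistent schedules; persisted jobs will never fire")
    for name, text in schedule_files.items():
        sched = json.loads(text)
        if not sched.get("enabled", True):
            continue  # disabled schedules run nowhere
        action = sched.get("invokeContext", {}).get("action", "?")
        if not sched.get("persisted", False):  # IDM schedules are non-persistent unless stated
            findings.append(f"{name}: persisted=false, so '{action}' is an in-memory schedule "
                            "that runs on every node, UI nodes included")
    return {"persistent_nodes": sorted(persistent_nodes), "findings": findings}


# Corrected configuration: the second UI node opts out explicitly and liveSync is persisted.
FIXED_BOOT_PROPERTIES = dict(BOOT_PROPERTIES)
FIXED_BOOT_PROPERTIES["idm-ui-2"] = "openidm.node.id=idm-ui-2\n" + PERSISTENT_PROP + "=false\n"
FIXED_SCHEDULE_FILES = dict(SCHEDULE_FILES)
FIXED_SCHEDULE_FILES["schedule-livesync.json"] = SCHEDULE_FILES["schedule-livesync.json"].replace(
    '"persisted": false', '"persisted": true')

if __name__ == "__main__":
    for label, boot, sched in (("as found", BOOT_PROPERTIES, SCHEDULE_FILES),
                               ("after fix", FIXED_BOOT_PROPERTIES, FIXED_SCHEDULE_FILES)):
        result = check_cluster(boot, NODE_ROLES, sched)
        print(f"[{label}] persistent-schedule nodes: {result['persistent_nodes']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it as a pre-deployment check against the real conf directories by replacing the constructed dictionaries with the file contents of each node; the "as found" run reports the UI node that silently inherited the default and the non-persisted liveSync schedule, and the "after fix" run reports nothing.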


With non-queued syncs, implicit synchronisation is performed within the calling thread, and the update returns a response only after the synchronisation has completed against all targets. This means that the implicit sync occurs on the same node where the request has been received. The drawback with this approach is a delayed response for a large number of targets, and poor performance with a single target.

With queued synchronisation, the response returns immediately to the user, and the synchronisation task is queued to the database. The synchronisation load is then distributed to all nodes.