Preparing External Stores

AM requires at least one DS server to store the different data it requires to work, such as AM's own configuration data, information about your users, devices, and things, as well as data pertaining to authenticated identities.

By default, AM stores all the data after the installation process in the configuration store, but you can configure different DS instances to keep data separated. This can be useful in high-load deployments; for example, when data tuning requirements differ.


If you want to install a single AM instance for a quick test or for demo purposes, AM provides an embedded DS server. See the Evaluation Guide.

The following table shows the different DS stores that AM supports:

Store NameType of DataRequired During Installation?
Configuration store

Stores the properties and settings used by the AM instance.

Identity or user store

Stores identity profiles; that is, information about the users, devices, or things that will be authenticating to your systems. You can also configure AM to access existing directory servers to obtain identity profiles.

No, but you can configure one during the install process

ForgeRock recommends that you configure an external identity store, or that you configure AM to access an external identity store.

Policy store

Stores policy-related data, such as policies, policy sets, and resource types.

Application store

Stores application-related data, such as web and Java agent configurations, federation entities and configuration, and OAuth 2.0 client definitions.

CTS token store

Stores information about sessions, SAML v2.0 assertions, OAuth 2.0 tokens, and session blacklists and whitelists.

UMA store

Stores information about UMA resources, labels, audit messages, and pending requests.


The following table shows which directory servers are supported for storing different data:

Supported Data Stores
Directory ServerVersionsConfigurationApps / PoliciesCTSIdentitiesUMA
Embedded ForgeRock Directory Services [a]7.1.4
External ForgeRock Directory ServicesAny ForgeRock-supported version
File system-basedN/A     
Oracle Unified Directory11g R2     
Oracle Directory Server Enterprise Edition11g   
Microsoft Active Directory2016, 2019     
IBM Tivoli Directory Server6.4     

[a] Demo and test environments only

The procedure for preparing external directory servers for use by AM is similar for each of the different data types. The steps to perform are as follows:

  1. If it does not yet exist, install the external directory server software, for example Directory Services.

  2. As the directory administrator user, you may need to perform the following steps:

    1. Apply the relevant schema to the directory.

    2. Create indexes to optimize data retrieval from the directory server.

    3. Create a user account with the minimum required privileges for AM to bind to the directory server with and access necessary data.

To prepare the external stores AM needs during installation, see the following sections:

Prepare a Truststore

Create a truststore ready for the certificates required to connect to external stores using LDAPS.

Prepare Configuration Stores

Install and prepare a DS instance to serve as AM's configuration store.

Prepare Identity Repositories

Install and prepare a DS instance to serve as an identity repository for AM. Optionally, prepare an existing identity store for use by AM.

You can configure all the stores except the configuration store after installing AM. To read more, see:

Read a different version of :