Preparing External Stores
AM requires at least one DS server to store the data it needs to operate, such as AM's own configuration, information about your users, devices, and things, and data pertaining to authenticated identities.
By default, AM stores all the data after the installation process in the configuration store, but you can configure different DS instances to keep data separated. This can be useful in high-load deployments; for example, when data tuning requirements differ.
Tip
If you want to install a single AM instance for a quick test or for demo purposes, AM provides an embedded DS server. See the Evaluation Guide.
The following table shows the different DS stores that AM supports:
Store Name | Type of Data | Required During Installation? |
---|---|---|
Configuration store | Stores the properties and settings used by the AM instance. | Yes |
Identity or user store | Stores identity profiles; that is, information about the users, devices, or things that will be authenticating to your systems. You can also configure AM to access existing directory servers to obtain identity profiles. | No, but you can configure one during the install process. ForgeRock recommends that you configure an external identity store, or that you configure AM to access an existing external identity store. |
Policy store | Stores policy-related data, such as policies, policy sets, and resource types. | No |
Application store | Stores application-related data, such as web and Java agent configurations, federation entities and configuration, and OAuth 2.0 client definitions. | No |
CTS token store | Stores information about sessions, SAML v2.0 assertions, OAuth 2.0 tokens, and session blacklists and whitelists. | No |
UMA store | Stores information about UMA resources, labels, audit messages, and pending requests. | No |
The following table shows which directory servers are supported for storing different data:
Directory Server | Versions | Configuration | Apps / Policies | CTS | Identities | UMA |
---|---|---|---|---|---|---|
Embedded ForgeRock Directory Services [a] | 7.1.4 | | | | | |
External ForgeRock Directory Services | Any ForgeRock-supported version | | | | | |
File system-based | N/A | | | | | |
Oracle Unified Directory | 11g R2 | | | | | |
Oracle Directory Server Enterprise Edition | 11g | | | | | |
Microsoft Active Directory | 2016, 2019 | | | | | |
IBM Tivoli Directory Server | 6.4 | | | | | |

[a] Demo and test environments only.
The procedure for preparing external directory servers for use by AM is similar for each of the different data types. The steps to perform are as follows:

1. If it does not yet exist, install the external directory server software, for example Directory Services.
2. As the directory administrator user, you may need to perform the following steps:
   - Apply the relevant schema to the directory.
   - Create indexes to optimize data retrieval from the directory server.
   - Create a user account with the minimum privileges AM requires to bind to the directory server and access the data it needs.
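The last step above, the least-privilege bind account, as an added example that is not part of the ForgeRock documentation: the script builds the LDIF for an AM service account on a DS identity store, scopes its rights with ACIs, and lints those ACIs before they are sent with `ldapmodify`. The suffix `dc=example,dc=com`, the `ou=people` and `ou=admins` containers, `uid=am-bind`, and the `DS_HOST`, `TRUSTSTORE`, `TRUSTSTORE_PIN` and `ADMIN_PIN` variables are assumptions; which attributes AM must be allowed to write depends on what it does in your deployment.

```bash
#!/usr/bin/env bash
# Added example (not from the ForgeRock docs): build the LDIF for a
# least-privilege AM bind account on a DS identity store and lint the ACIs
# before applying them. dc=example,dc=com, ou=people and uid=am-bind are
# assumed names; which attributes AM must write depends on your deployment.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"        # assumed identity-store suffix
BIND_DN="uid=am-bind,ou=admins,${BASE_DN}"     # assumed AM service account

# LDIF: create the account, then grant it read/search/compare on the user
# subtree only, and write on just the attributes AM updates at login time.
am_bind_ldif() {
  cat <<EOF
dn: ou=admins,${BASE_DN}
objectClass: top
objectClass: organizationalUnit
ou: admins

dn: ${BIND_DN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: am-bind
cn: AM bind account
sn: Service
userPassword: CHANGE_ME_PLACEHOLDER

dn: ou=people,${BASE_DN}
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "AM read users"; allow (read,search,compare) userdn="ldap:///${BIND_DN}";)
aci: (targetattr="userPassword||inetUserStatus")(version 3.0; acl "AM login updates"; allow (write) userdn="ldap:///${BIND_DN}";)
EOF
}

# Lint: return 1 if any ACI gives the bind account write/add/delete/all over
# every attribute (targetattr="*"), which would undo the least-privilege intent.
lint_acis() {
  if printf '%s\n' "$1" | grep '^aci:' | grep -F "${BIND_DN}" \
       | grep -F 'targetattr="*"' | grep -Eqi 'allow *\([^)]*(write|add|delete|all)'; then
    return 1
  fi
  return 0
}

# Apply over LDAPS with DS's ldapmodify (host and truststore are placeholders);
# the lint runs first so an over-broad ACI never reaches the server.
apply_am_bind() {
  ldif="$(am_bind_ldif)"
  lint_acis "$ldif"
  printf '%s\n' "$ldif" | ldapmodify --hostname "${DS_HOST:?}" --port 1636 --useSsl \
    --usePkcs12TrustStore "${TRUSTSTORE:?}" --trustStorePassword:file "${TRUSTSTORE_PIN:?}" \
    --bindDN uid=admin --bindPassword:file "${ADMIN_PIN:?}"
}
```

Replace `CHANGE_ME_PLACEHOLDER` with a generated secret before applying, and add write access only for attributes AM actually modifies in your setup.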
To prepare the external stores AM needs during installation, see the following sections:
- Create a truststore ready for the certificates required to connect to external stores using LDAPS.
- Install and prepare a DS instance to serve as AM's configuration store.
- Install and prepare a DS instance to serve as an identity repository for AM. Optionally, prepare an existing identity store for use by AM.
You can configure all the stores except the configuration store after installing AM. To read more, see: