AM 7.3.1

Prepare external stores

AM requires at least one DS server to store the different data it requires to work, such as AM’s own configuration data, information about your users, devices, and things, as well as data pertaining to authenticated identities.

By default, AM stores all the data after the installation process in the configuration store. This keeps basic deployments simple.

For advanced and high-load deployments, you can configure different sets of replicated DS servers to keep data separated and to tune DS differently for different requirements.

To install a single AM instance for a quick test or for demo purposes, use AM’s embedded DS server.

Refer to Evaluation.

The following table shows the different DS stores that AM supports:

Store name Type of data Required during installation?

Configuration store

Stores the properties and settings used by the AM instance.


Identity or user store

Stores identity profiles; that is, information about the users, devices, or things that will be authenticating to your systems. You can also configure AM to access existing directory servers to obtain identity profiles.

No, but you can configure one during the install process

ForgeRock recommends that you configure an external identity store, or that you configure AM to access an external identity store.

Policy store

Stores policy-related data, such as policies, policy sets, and resource types.


Application store

Stores application-related data, such as web and Java agent configurations, federation entities and configuration, and OAuth 2.0 client definitions.


CTS token store

Stores information about sessions, SAML v2.0 assertions, OAuth 2.0 tokens, and session denylists and allowlists.


UMA store

Stores information about UMA resources, labels, audit messages, and pending requests.


The following table shows which directory servers are supported for storing different data:

Supported Data Stores
Directory server Versions Configuration Apps / policies CTS Identities UMA

Embedded ForgeRock Directory Services(1)


External ForgeRock Directory Services

6 and later

File system-based


Oracle Unified Directory

11g R2

Oracle Directory Server Enterprise Edition


Microsoft Active Directory

2016, 2019

IBM Tivoli Directory Server


(1) Demo and test environments only.

The procedure for preparing external directory servers for use by AM is similar for each of the different data types. The steps to perform are as follows:

  1. If it does not yet exist, install the external directory server software; for example, Directory Services.

  2. As the directory administrator user, you may need to perform the following steps:

    1. Apply the relevant schema to the directory.

    2. Create indexes to optimize data retrieval from the directory server.

    3. Create a user account with the minimum required privileges for AM to bind to the directory server with and access necessary data.

To prepare the external stores AM needs during installation, refer to the following pages:

Where do I find more information about the other external stores?

You can configure all the stores except the configuration store after installing AM:

Copyright © 2010-2024 ForgeRock, all rights reserved.