Prepare external stores
AM requires at least one DS server to store the different data it requires to work, such as AM’s own configuration data, information about your users, devices, and things, as well as data pertaining to authenticated identities.
By default, AM stores all the data after the installation process in the configuration store. This keeps basic deployments simple.
For advanced and high-load deployments, you can configure different sets of replicated DS servers to keep data separated and to tune DS differently for different requirements.
|
To install a single AM instance for a quick test or for demo purposes, use AM’s embedded DS server. Refer to Evaluation. |
The following table shows the different DS stores that AM supports:
| Store name | Type of data | Required during installation? |
|---|---|---|
Configuration store |
Stores the properties and settings used by the AM instance. |
Yes |
Identity or user store |
Stores identity profiles; that is, information about the users, devices, or things that will be authenticating to your systems. You can also configure AM to access existing directory servers to obtain identity profiles. |
No, but you can configure one during the install process ForgeRock recommends that you configure an external identity store, or that you configure AM to access an external identity store. |
Policy store |
Stores policy-related data, such as policies, policy sets, and resource types. |
No |
Application store |
Stores application-related data, such as web and Java agent configurations, federation entities and configuration, and OAuth 2.0 client definitions. |
No |
CTS token store |
Stores information about sessions, SAML v2.0 assertions, OAuth 2.0 tokens, and session denylists and allowlists. |
No |
UMA store |
Stores information about UMA resources, labels, audit messages, and pending requests. |
No |
The following table shows which directory servers are supported for storing different data:
| Directory server | Versions | Configuration | Apps / policies | CTS | Identities | UMA |
|---|---|---|---|---|---|---|
Embedded ForgeRock Directory Services(1) |
7.3 |
✔ |
✔ |
✔ |
✔ |
✔ |
External ForgeRock Directory Services |
6 and later |
✔ |
✔ |
✔ |
✔ |
✔ |
File system-based |
N/A |
✔ |
||||
Oracle Unified Directory |
11g R2 |
✔ |
||||
Oracle Directory Server Enterprise Edition |
11g |
✔ |
||||
Microsoft Active Directory |
2016, 2019 |
✔ |
||||
IBM Tivoli Directory Server |
6.4 |
✔ |
(1) Demo and test environments only.
The procedure for preparing external directory servers for use by AM is similar for each of the different data types. The steps to perform are as follows:
-
If it does not yet exist, install the external directory server software; for example, Directory Services.
-
As the directory administrator user, you may need to perform the following steps:
-
Apply the relevant schema to the directory.
-
Create indexes to optimize data retrieval from the directory server.
-
Create a user account with the minimum required privileges for AM to bind to the directory server with and access necessary data.
-
To prepare the external stores AM needs during installation, refer to the following pages:
Where do I find more information about the other external stores?
You can configure all the stores except the configuration store after installing AM: