Prepare external UMA data stores

This page explains how to prepare DS instances as external UMA data stores. You can create separate DS instances to store the following UMA-related data:

Resources
Resource labels
UMA audit messages
Pending requests

The procedure for preparing external DS instances is similar for each of the UMA-related data types. The steps to perform are as follows:

If you have not done so yet, install Directory Services.

As an administrative user, for example, uid=admin:

Create a backend and base DN entry in the external store.
Create a user account with the minimum required privileges. This user lets AM bind to the directory server, and access necessary data.

Apply the relevant schema to the directory.

Each type of data requires a specific set of schema LDIF files to be applied.

LDIF files for UMA data stores

Data Store LDIF Files

Data Store	LDIF Files
Resources	*`/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_sets.ldif`
Resource labels	`/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_labels_schema.ldif` `/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_set_labels.ldif`
UMA audit messages	*`/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_audit.ldif`
Pending requests	*`/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_pending_requests.ldif`

Resources

*/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_sets.ldif

Resource labels

*/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_labels_schema.ldif

*/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_set_labels.ldif

UMA audit messages

*/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_audit.ldif

Pending requests

*/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_pending_requests.ldif

You can use a single external DS instance with multiple backend configurations to store each of the UMA-related data types. Change the steps in the sections below to apply the backends, schema, and administrative accounts to a single DS instance.

This page shows how to set up a DS instance to store UMA resources. Repeat these procedures with the relevant schema files to set up a DS instance to store other types of UMA-related data.

The commands in this section use example values for user IDs and port numbers. Adjust the values to match your deployment.

Install and configure Directory Services for UMA data

Download and install Directory Services.
- Generate a DS deployment ID, unless you already have one:
  $ /path/to/opendj/dskeymgr create-deployment-id --deploymentIdPassword password deployment-id
  Save the deployment ID and deployment ID password, and keep the password secret. Use the same deployment ID and password for all servers in the same environment; for example, if you use replicated DS servers. Replication is not covered in this example.
- DS does not provide an UMA setup profile; create an example DS UMA server by providing the parameters in a single setup command. For example:
  $ /path/to/opendj/setup \ --instancePath '/path/to/opendj' \ --serverId uma-resource-server\ --deploymentId deployment-id \ --deploymentIdPassword deployment-id-password \ --rootUserDN uid=admin \ --rootUserPassword str0ngAdm1nPa55word \ --hostname uma-rs.example.com \ --adminConnectorPort 4444 \ --ldapPort 1389 \ --enableStartTls \ --ldapsPort 1636 \ --httpsPort 8443 \ --acceptLicense
  For additional options for the setup command, see setup in the Directory Services 7.3.0 Tools Reference.
  
  DS does not start automatically after installation; do not start the server until after you have created a backend and added the required schemas at the end of this section.

When the install has completed, create a backend for UMA resource data, named umaRsStore, and prepare for a base DN of dc=uma-resources,dc=example,dc=com:

$ /path/to/opendj/bin/dsconfig create-backend \
--hostname 'uma-rs.example.com' \
--port 4444 \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--backend-name umaRsStore \
--set base-dn:dc=uma-resources,dc=example,dc=com \
--set enabled:true \
--type je \
--bindDN uid=admin \
--bindPassword str0ngAdm1nPa55word \
--offline
The JE Backend was created successfully

Share the UMA store certificate with the AM container to prepare for TLS/LDAPS. UMA stores should communicate over secure connections for security reasons.

DS is configured to require secure connections by default. You must share the DS certificate with the AM container before continuing.
Share the DS certificate with AM
1. Export the DS server certificate:
  
  $ keytool -exportcert \ -keystore /path/to/opendj/config/keystore \ -storepass:file /path/to/opendj/config/keystore.pin \ -alias ssl-key-pair \ -rfc \ -file ds-cert.pem
  
  The default DS server certificate only has the hostname you supplied at setup time, and localhost, as the value of the SubjectAlternativeName attribute; however, certificate hostname validation is strict. Ensure that the certificate matches the hostname (or the FQDN) of the DS server before continuing.
  
  Copy the ds-cert.pem file to an accessible location on the AM host.
2. Import the DS certificate into the AM truststore:
  
  $ keytool \ -importcert \ -file ds-cert.pem \ -keystore /path/to/openam/security/keystores/truststore
For more information on configuring AM’s truststore, see Prepare the truststore.

Create an UMA store base DN

Create an LDIF file to add the base DN to the UMA store, and save the file as add-uma-base-dn.ldif:

dn: dc=uma-resources,dc=example,dc=com
changetype:add
objectClass: top
objectClass: domain
dc: uma-resources

Apply the LDIF file to the DS instance by using the ldapmodify command:

$ /path/to/opendj/bin/ldapmodify \
--hostname 'uma-rs.example.com' \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--bindDN uid=admin \
--bindPassword str0ngAdm1nPa55word \
--continueOnError \
--offline \
add-uma-base-dn.ldif
# ADD operation successful for DN dc=uma-resources,dc=example,dc=com

If you are having trouble with the LDIF file, remove any line feeds in the ACI attributes.

Create an UMA store bind account

As a best practice, using the root uid=admin is not recommended for accessing data on the directory server. Instead, you can create a new service account, the UMA store bind account, with limited access and fewer privileges.

Create an LDIF file to add the bind account to the UMA store, and save the file as add-uma-bind-account.ldif.

When AM connects as the bind account to store the UMA-related data, it requires read, write, persistent search, and server-side sorting access privileges. You add these privileges by setting access control instructions (ACIs) on the base distinguished name (DN) entry you created in the previous step (for example, dc=uma-resources,dc=example,dc=com).

The following is an example of a suitable add-uma-bind-account.ldif LDIF file:

dn: ou=admins,dc=uma-resources,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: admins

dn: uid=am-uma-bind-account,ou=admins,dc=uma-resources,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: am-uma-bind-account
sn: am-uma-bind-account
uid: am-uma-bind-account
userPassword: {ds_bind_password}
aci: (targetattr="*")(version 3.0; acl "Allow CRUDQ operations"; allow (search, read, write, add, delete)(userdn = "ldap:///uid=am-uma-bind-account,ou=admins,dc=uma-resources,dc=example,dc=com");)
aci: (targetcontrol="2.16.840.1.113730.3.4.3")(version 3.0; acl "Allow persistent search"; allow (search, read)(userdn = "ldap:///uid=am-uma-bind-account,ou=admins,dc=uma-resources,dc=example,dc=com");)
aci: (targetcontrol="1.2.840.113556.1.4.473")(version 3.0; acl "Allow server-side sorting"; allow (read)(userdn = "ldap:///uid=am-uma-bind-account,ou=admins,dc=uma-resources,dc=example,dc=com");)

Apply the LDIF file to the DS instance by using the ldapmodify command:
```
$ /path/to/opendj/bin/ldapmodify \
--hostname 'uma-rs.example.com' \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--bindDN uid=admin \
--bindPassword str0ngAdm1nPa55word \
--continueOnError \
--offline \
add-uma-bind-account.ldif
# ADD operation successful for DN uid=am-uma-bind-account,ou=admins,dc=uma-resources,dc=example,dc=com
```
If you are having trouble with the LDIF file, remove any line feeds in the ACI attributes.

The am-uma-bind-account account can now connect to the Directory Services instance. Note that you must use the full distinguished name of the account when binding, for example uid=am-uma-bind-account,ou=admins,dc=uma-resources,dc=example,dc=com, with the configured password, for example 5up35tr0ng.

Create a schema for UMA-related data

When the DS instance is installed and operational, import the schema files required for UMA-related data. You must do this as an administrative user, such as uid=admin. For information on the required schema files, see LDIF files for UMA data stores.

These steps use LDIF files that are delivered with the AM server.

Replace the @SM_CONFIG_ROOT_SUFFIX@ variable in the LDIF files with the base DN you configured in the directory server.

For example, dc=uma-resources,dc=example,dc=com.

Depending on the UMA-related data type you will store in this directory server, replace the variable in the following LDIF files:

/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_audit.ldif
/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_sets.ldif
/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_set_labels.ldif
/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_pending_requests.ldif

If you have previously edited the files to replace the variables, replace those root entry values with the new UMA directory server root entries. For example, replace occurrences of dc=cts,dc=example,dc=com with dc=uma-resources,dc=example,dc=com.

Apply the required LDIF files to the store by using the ldapmodify command.

The following applies the schema required for storing resources:

$ /path/to/opendj/bin/ldapmodify \
--hostname 'uma-rs.example.com' \
--port 1636 \
--useSsl \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--continueOnError \
--bindDN uid=admin \
--bindPassword str0ngAdm1nPa55word \
--offline \
/path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_uma_resource_sets.ldif
# ADD operation successful for DN ou=resource_sets,dc=uma-resources,dc=example,dc=com

For more information on the required LDIF files, see LDIF files for UMA data stores.

After applying all the required LDIF files, start the DS server.
```
$ /path/to/opendj/bin/start-ds
```
The DS instance is now ready to store UMA resources. To set up additional DS instances for other UMA-related data repeat the steps above, specifying the relevant schema LDIF files.

To configure AM to use the external DS instances to store UMA-related data, see Configure external UMA stores.

AM 7.3.1

Prepare external UMA data stores

Install and configure Directory Services for UMA data

Create an UMA store base DN

Create an UMA store bind account

Create a schema for UMA-related data