Prepare configuration stores
This page explains how to prepare a single DS server as an external configuration data store. Make sure DS replicas use the same configuration.
Installing DS with a DS setup profile creates the required backend, schema, bind user, and indexes:
-
Follow the steps in Install DS for AM configuration in the Directory Services documentation.
-
Install AM to use the prepared DS directory server as an external configuration store.
The default bind DN of the service account to connect to the external configuration store is:
uid=am-config,ou=admins,ou=am-config
-
Share the configuration store certificate with the AM container to prepare for TLS/LDAPS.
AM should communicate with the configuration store over a secure connection.
From DS 7 onwards, secure connections are required by default; therefore, share the DS certificate with the AM container before continuing.
-
Export the DS server certificate:
$ keytool -exportcert \ -keystore /path/to/opendj/config/keystore \ -storepass:file /path/to/opendj/config/keystore.pin \ -alias ssl-key-pair \ -rfc \ -file ds-cert.pemThe default DS server certificate only has the hostname you supplied at setup time, and
localhost, as the value of theSubjectAlternativeNameattribute; however, certificate hostname validation is strict. Ensure that the certificate matches the hostname (or the FQDN) of the DS server before continuing.Copy the
ds-cert.pemfile to an accessible location on the AM host. -
Import the DS certificate into the AM truststore:
$ keytool \ -importcert \ -file ds-cert.pem \ -keystore /path/to/openam/security/keystores/truststoreFor more information on configuring AM’s truststore, refer to Prepare the truststore.
-
When the certificate is in place, continue installing AM.
| After setting up the external configuration store, you can enhance security by configuring mTLS authentication to that store and rotating the mTLS certificates periodically. For details, refer to mTLS for configuration stores. |