Preparing Configuration Stores
This section explains how to prepare a single DS server as an external configuration data store.
Directory Services 6.5 added support for setup profiles to greatly simplify initial configuration.
Using a setup profile will create the backend, schema, bind user, and indexes required for use with configuration data.
To install DS using a setup profile, follow the steps in DS for AM Configuration Data in the Directory Services 7 Installation Guide.
Proceed to installation of AM to use the prepared DS directory server as an external configuration store. See "To Configure an Instance".
The default bind DN of the service account to use when installing AM to authenticate to the external configuration store is:
Share the configuration store certificate with the AM container to prepare for TLS/LDAPS. The configuration store should communicate over secure connections for security reasons.
DS 7 or later is configured to require secure connections by default; therefore, share its certificate with the AM container before continuing.
Export the DS server certificate:
/path/to/opendj/bin/dskeymgr export-ca-cert \ --deploymentKey $DEPLOYMENT_KEY \ --deploymentKeyPassword password \ --alias ds-ca-cert \ --outputFile ds-ca-cert.pem
$DEPLOYMENT_KEYis a Unix variable that contains the DS deployment key, so that it is not logged in the user's command history.
The default DS server certificate only has the hostname you supplied at setup time, and
localhost, as the value of the
SubjectAlternativeNameattribute; however, certificate hostname validation is strict.
Ensure that the certificate matches the hostname (or the FQDN) of the DS server before continuing.
Import the DS certificate into the AM truststore:
keytool \ -importcert \ -alias ds-ca-cert \ -file ds-ca-cert.pem \ -keystore /path/to/openam/security/keystores/truststore
For more information on configuring AM's truststore, see "Preparing a Truststore".
Once the certificate is in place, continue installing AM.