Setup Profiles

A setup profile lets you configure a server for a specific use case. Profiles greatly simplify the directory server setup process for such use cases, such as preparing a directory server to serve another ForgeRock Identity Platform™ component product.

You can configure a setup profile using the setup command, or the setup-profile command after initial setup. The setup-profile command runs on a server that is offline.

Select a profile with the --profile option. Each profile has its own parameters, some of which have default values. You specify profile parameters with --set options.

The profile selection option takes the form --profile profileName[:version]. If you do not specify the optional :version portion of the argument, the setup command uses the current DS software version, falling back to the previous version if the current version does not match an available profile. Repeat the --profile option to apply multiple setup profiles.

An option to set a parameter takes the form --set [profileName/]parameterName:value where:

  • profileName/ indicates which profile the parameter applies to.

    This name is required when you specify multiple profiles, and the parameter is available in more than one of the specified profiles.

    The profileName is case-insensitive.

  • parameterName specifies the parameter to set.

  • value specifies the value the parameter takes when the setup command applies the profile.

Use the setup --help-profiles or setup-profile --help command to list available profiles. Use the --help-profile profileName[:version] option to list the parameters for the specified profile.

Default Setup Profiles

The following profiles are available by default:

AM Configuration Data Store 6.5.0

The am-config:6.5.0 profile has the following parameters:

backendName

Name of the backend for storing config

Syntax: Name

Default: --set am-config/backendName:cfgStore

baseDn

The base DN to use to store AM's configuration in

Syntax: DN

Default: --set am-config/baseDn:ou=am-config

amConfigAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ

Syntax: Password

AM CTS Data Store 6.5.0

The am-cts:6.5.0 profile has the following parameters:

backendName

Name of the backend for storing tokens

Syntax: Name

Default: --set am-cts/backendName:amCts

baseDn

The base DN to use to store AM's tokens in

Syntax: DN

Default: --set am-cts/baseDn:ou=tokens

amCtsAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ

Syntax: Password

tokenExpirationPolicy

Token expiration and deletion

This parameter takes one of the following values:

  • am: AM CTS reaper manages token expiration and deletion

  • am-sessions-only: AM CTS reaper manages SESSION token expiration and deletion. DS manages expiration and deletion for all other token types. AM continues to send notifications about session expiration and timeouts to agents

  • ds: DS manages token expiration and deletion. AM session-related functionality is impacted and notifications are not sent

Default: --set am-cts/tokenExpirationPolicy:am

AM Identity Data Store 7.0.0

The am-identity-store:7.0.0 profile has the following parameters:

backendName

Name of the backend for storing identities

Syntax: Name

Default: --set am-identity-store/backendName:amIdentityStore

baseDn

The base DN to use to store identities in

Syntax: DN

Default: --set am-identity-store/baseDn:ou=identities

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ

Syntax: Password

AM Identity Data Store 6.5.0

The am-identity-store:6.5.0 profile has the following parameters:

backendName

Name of the backend for storing identities

Syntax: Name

Default: --set am-identity-store/backendName:amIdentityStore

baseDn

The base DN to use to store identities in

Syntax: DN

Default: --set am-identity-store/baseDn:ou=identities

amIdentityStoreAdminPassword

Password of the administrative account that AM uses to bind to OpenDJ

Syntax: Password

DS Evaluation 7.0.0

The ds-evaluation:7.0.0 profile has the following parameters:

generatedUsers

Specifies the number of generated user entries to import. The evaluation profile always imports entries used in documentation examples, such as uid=bjensen. Optional generated users have RDNs of the form uid=user.%d, yielding uid=user.0, uid=user.1, uid=user.2 and so on. All generated users have the same password, "password". Generated user entries are a good fit for performance testing with tools like addrate and searchrate

Syntax: Number

Default: --set ds-evaluation/generatedUsers:100000

DS Proxied Server 7.0.0

The ds-proxied-server:7.0.0 profile has the following parameters:

proxyUserDn

The proxy user service account DN. This will be be used for authorization and auditing proxy requests.

Syntax: DN

Default: --set ds-proxied-server/proxyUserDn:uid=proxy

proxyUserCertificateSubjectDn

The subject DN of the proxy user's certificate. The proxy must connect using mutual TLS with a TLS client certificate whose subject DN will be mapped to the proxy service account.

Syntax: DN

Default: --set ds-proxied-server/proxyUserCertificateSubjectDn:CN=DS,O=ForgeRock.com

baseDn

Base DN for user information in the server.Multiple base DNs may be provided by using this option multiple times.If no base DNs are defined then the server will allow proxying as any user, including administrator accounts.

Syntax: DN

DS Proxy Server 7.0.0

The ds-proxy-server:7.0.0 profile has the following parameters:

backendName

Name of the proxy backend for storing proxy configuration

Syntax: Name

Default: --set ds-proxy-server/backendName:proxyRoot

bootstrapReplicationServer

Bootstrap replication server(s) to contact periodically in order to discover remote servers

Syntax: host:port or configuration expression

rsConnectionSecurity

Connection security type to use to secure communication with remote servers

This parameter takes one of the following values:

  • ssl: Use SSL

  • start-tls: Use Start TLS

Default: --set ds-proxy-server/rsConnectionSecurity:ssl

keyManagerProvider

Name of the key manager provider used for authenticating the proxy in mutual-TLS communications with backend server(s)

Syntax: Name or configuration expression

Default: --set ds-proxy-server/keyManagerProvider:PKCS12

trustManagerProvider

Name of the trust manager provider used for trusting backend server(s) certificate(s)

Syntax: Name or configuration expression

certNickname

Nickname(s) of the certificate(s) that should be sent to the server for SSL client authentication.

Syntax: Name or configuration expression

Default: --set ds-proxy-server/certNickname:ssl-key-pair

primaryGroupId

Replication domain group ID of directory server replicas to contact when available before contacting other replicas. If this option is not specified then all replicas will be treated the same (i.e all remote servers are primary)

Syntax: String or configuration expression

baseDn

Base DN for user information in the Proxy Server.Multiple base DNs may be provided by using this option multiple times.If no base DNs are defined then the proxy will forward requests to all public naming contexts of the remote servers

Syntax: DN or configuration expression

DS User Data Store 7.0.0

The ds-user-data:7.0.0 profile has the following parameters:

backendName

Name of the backend to be created by this profile

Syntax: Name

Default: --set ds-user-data/backendName:userData

baseDn

Base DN for your users data.

Syntax: DN

ldifFile

Path to an LDIF file containing data to import. Use this option multiple times to specify multiple LDIF files

Syntax: File or directory path

addBaseEntry

Create entries for specified base DNs when the 'ldifFile' parameter is not used. When this option is set to 'false' and the 'ldifFile' parameter is not used, create an empty backend.

This parameter takes one of the following values:

  • false

  • true

Default: --set ds-user-data/addBaseEntry:true

IDM External Repository 7.0.0

The idm-repo:7.0.0 profile has the following parameters:

backendName

IDM repository backend database name

Syntax: Name

Default: --set idm-repo/backendName:idmRepo

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".

Syntax: Domain name

Default: --set idm-repo/domain:example.com

IDM External Repository 6.5.0

The idm-repo:6.5.0 profile has the following parameters:

backendName

IDM repository backend database name

Syntax: Name

Default: --set idm-repo/backendName:idmRepo

domain

Domain name translated to the base DN for IDM external repository data. Each domain component becomes a "dc" (domain component) of the base DN. This profile prefixes "dc=openidm" to the result. For example, the domain "example.com" translates to the base DN "dc=openidm,dc=example,dc=com".

Syntax: Domain name

Default: --set idm-repo/domain:example.com

Create Your Own

If you have changes that apply to each server you set up, you can create and maintain your own setup profile.

Important

The custom setup profile interface has stability: Evolving.

Be prepared to adapt your custom profiles to changes in each new release.

  • Add custom setup profiles under the opendj/template/setup-profiles/ directory.

    The setup and setup-profile commands look for profiles in that location. The default profiles provide examples that you can follow when building custom profiles.

  • Add custom setup profiles after unpacking the DS files, but before running the setup or setup-profile command.

  • Each setup profile strictly follows the supported file layout.

    The base path, version directories, and the .groovy files are required. The other files are shown here as examples:

opendj/template/setup-profiles/base-path/
├── version
│   ├── base-entries.ldif
│   ├── parameters.groovy
│   ├── profile.groovy
│   └── schema
│       └── schema-file-name.ldif
└── name.txt
File or DirectoryDescription
base-path (required)

The base path distinguishes the profile from all other profiles, and defines the profile name.

Path separator characters are replaced with dashes in the name. For example, the base path DS/evaluation yields the profile name ds-evaluation.

version (required)

The profile version, including either two or three numbers. Numbers can be separated by dots (.) or dashes (-).

Set this to the version of the software that the profile is for. For example, if you are writing a profile for Transmogrifier 2.0, use 2.0. Add multiple versions of your profile when using the same DS version with different versions of your application.

base-entries.ldif

Optional LDIF file that templates the entries this profile adds to the directory.

This is an example of a file used by profile.groovy.

parameters.groovy (required)

Groovy script defining profile parameters that users can set.

See "Parameters".

profile.groovy (required)

Groovy script that makes changes to the server.

See "Profile Script".

schema-file-name.ldif

Optional LDAP schema file required for entries added by this profile.

This is an example of a file used by profile.groovy.

name.txt

If this file is present, it must hold the human-readable form of the profile name, not including the version, in a single-line text file.

At setup time, the user cannot select more than one version of the same setup profile. The user can select multiple setup profiles for the same server. You must ensure that your profile is not incompatible with other available profiles.

Parameters

You let users set parameters through the parameters.groovy script. The profile uses the parameters as variables in the profile.groovy script, and resource files.

The parameters.groovy script lists all parameter definitions for the profile. It includes only parameter definitions. Each parameter definition is resolved at runtime, and so must not be provided programmatically. Parameter definitions start with define, and can have the following methods:

define.type "name"                              \
  advanced()                                    \
  defaultValueFromSetupTool global-setup-option \
  defaultValue default                          \
  description "short-description"               \
  help "help-message"                           \
  multivalued()                                 \
  multivalued "help message(s)"                 \
  optional()                                    \
  optional "help message(s)"                    \
  descriptionIfNoValueSet "short-description"   \
  property "property-name"                      \
  prompt "prompt message(s)"                    \
  expressionAllowed()
ElementDescription
type (required)

This mandatory parameter type is one of the following. The profile mechanism converts the string input internally into a Java class:

  • booleanParameter

  • dnParameter (a DN)

  • domainParameter

    The input is a domain that the profile mechanism converts to a DN. The domain example.com becomes dc=example,dc=com.

  • hostPortParameter (a hostname:port pair)

  • doubleParameter (a Double number)

  • floatParameter (a Float number)

  • integerParameter (an Integer number)

  • longParameter (a Long number)

  • passwordParameter

    The input is a password, and encoded with a password storage scheme to avoid exposing the plain text.

  • pathParameter

  • stringParameter

name (required)

This mandatory parameter name must be a valid Groovy name string.

advanced()

This is an advanced parameter, meaning interactive mode does not show the parameter or prompt for input.

When using advanced(), you must set a default parameter value. Interactive mode sets this parameter to the default value.

defaultValueFromSetupTool global-setup-option

This parameter takes its default from the value of the specified the global setup option. The defaultValueFromSetupTool method only applies when the profile is used by the setup command.

The global-setup-option is the option name without leading dashes.

defaultValue default

This parameter's default must match the type.

description "short-description"

This provides a brief summary of what the parameter does.

The "short-description" is a single paragraph with no trailing punctuation.

help "help-message"

The message, used in online help, provides further explanation on how to use the parameter.

The "help-message" is a single paragraph with no trailing punctuation.

multivalued()

This parameter takes multiple values, and no help message is required.

Use this, for example, when the property is advanced().

multivalued "help message(s)"

This parameter takes multiple values, and interactive mode prompts the user for each one.

Each help message string is a single paragraph, and the final help message has no trailing punctuation. Help message arguments are separated with commas.

optional()

This parameter is optional, and no help message is required.

optional "help message(s)"

This parameter is optional, and interactive mode prompts the user for input.

Each help message string is a single paragraph, and the final help message has no trailing punctuation. Help message arguments are separated with commas.

descriptionIfNoValueSet "short-description"

The description is displayed when the parameter is optional, and the user has not set a value.

The "short-description" is a single paragraph with no trailing punctuation.

property "property-name"

The profile replaces &{property-name} in resource files with the value of this property.

The &{property-name} expressions follow the rules described in Property Value Substitution.

prompt "prompt message(s)"

In interactive mode, display one or more paragraphs when prompting the user for input.

Each prompt message string is a single paragraph. If no default value is set the final prompt message takes a trailing colon. Prompt message arguments are separated with commas.

Profile Script

When a user requests a profile, the profile.groovy script controls what the profile does.

When developing your profile script, you can use these classes and methods, which are bound into the execution context of your script before it executes:

In addition, see the Javadoc for the setup model.

Default Imports

The profile mechanism imports the following classes and methods, making them available by default in the context of your profile script:

import static org.forgerock.i18n.LocalizableMessage.raw
import static org.forgerock.opendj.setup.model.Profile.ParameterType.of
import static java.nio.file.Files.*

import org.forgerock.i18n.LocalizableMessage
import org.forgerock.opendj.ldap.Dn
import org.forgerock.opendj.setup.model.SetupException

import java.nio.file.Paths

Server Methods

A ds object is bound into the execution context of your profile script.

All its methods throw a SetupException on failure. On failure, the setup process removes the server's db and config directories. This allows the user to start over, applying the same profiles again.

All the ds methods run with the server offline:

MethodDescription
void ds.addBackend(String backendName, String entryDn)

Creates the backend, adds it to the server, and sets it as the working backend. When you use other methods to import LDIF and create indexes, they operate on the working backend.

Use importBaseEntry to add only the base entry, or importLdif to add entries to the backend.

void ds.addBackend(String backendName, Dn entryDn)
void ds.addBackendWithDefaultUserIndexes(String backendName, String entryDn)
void ds.addBackendWithDefaultUserIndexes(String backendName, Dn entryDn)
void ds.setWorkingBackend(String backendName)

Set the specified backend as the one to operate on when importing LDIF and creating indexes.

void ds.importBaseEntry(Dn baseDn)

Import the entry with the specified base DN as the base entry of the working backend.

The import operation erases any previous content of the backend before importing new content.

void ds.importLdifWithSampleEntries(Dn sampleEntryBaseDn, int nbSampleEntries, String... ldifFilePaths)

Import the specified number of sample entries with the specified base DN, based on the LDIF file templates provided, to the working backend. The LDIF must contain the base entry.

This method replaces &{property-name}s in the LDIF with the property values before import.

The import operation erases any previous content of the backend before importing new content.

void ds.importLdifTemplate(String... ldifFilePaths)

Add the entries from the LDIF files provided to the working backend. The LDIF must contain the base entry.

This method replaces &{property-name}s in the LDIF with the property values before import.

The import operation erases any previous content of the backend before importing new content.

void ds.importLdifTemplate(Collection<Path> ldifFilePaths)
void ds.importLdif(String... ldifFilePaths)

Add the entries from the LDIF files provided to the working backend.

The LDIF must contain the base entry. If there are multiple files, each entry must appear only once.

The import operation erases any previous content of the backend before importing new content.

void ds.importLdif(Collection<Path> ldifFilePaths)
void ds.addSchemaFiles()

Copy LDIF-format schema files from the schema directory of the profile to the db/schema directory of the server.

If no schema directory is present for the current version of the profile, this method uses schema from a previous version of the profile.

void ds.config(List<String> cliArgs)

Run the dsconfig command in offline mode with the specified arguments.

Use this method only for additional configuration, not when creating backends or indexes.

void ds.addIndex(String attributeName, String... types)

Create indexes of the specified types in the working backend for the specified attribute. For a list of available index types, see index-type.

void ds.failSetup(String message)

Cause the profile to fail with a SetupException having the specified message.

Resource File Methods

A resource object is bound into the execution context of your profile script. The resource methods let you retrieve arbitrary files from the profile, and replace configuration expressions in resource files:

MethodDescription
Path resource.file(String path)

Return the path to the specified resource file.

If the specified path is relative, the method first returns the path of the file in the current profile version, or the path of the file in the previous profile version if none is present in the current version.

If the specified path is absolute, the method only converts the string to a path.

void resource.applyTemplate(String template, String target)

Convert the relative template path as resource.file(template), the relative target path as an absolute path, and copy the template file to the target file, replacing &{property-name}s with the property values.

The &{property-name} expressions follow the rules described in Property Value Substitution.

Logging Methods

Use the console object to write log messages when your profile script runs.

The console object implements SetupConsole, and so provides all the methods documented for that interface.

The setup and setup-profile commands log any exceptions that occur when your profile script runs, so there is no need to catch exceptions just for logging purposes.

Read a different version of :