Shared identity store
This deployment assumes that you are using the following data stores:
-
An external DS instance as the AM configuration store.
-
A separate external DS instance that is shared between AM and IDM as the identity store.
The IDM End User UI is not supported in a platform deployment, as it does not support authentication through AM. You can use the Platform UIs with this deployment, or create your own UIs that support authentication through AM. |
Download DS
Follow the instructions in the DS documentation to download DS, and prepare for installation.
The instructions that follow assume you download the cross-platform .zip distribution.
Set up your data stores
Configuration store
-
Unpack the DS files you downloaded.
-
Generate and save a unique DS deployment ID for external configuration data store servers:
/path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
You will need the deployment ID and password to install DS, and to export the server certificate.
Set the deployment ID in your environment:
export DEPLOYMENT_ID=deployment-id
-
Set up a DS server as an external configuration data store, using the
am-config
setup profile.This example also adds the
am-cts
setup profile to the external configuration data store. In production, consider using separate DS servers for the AM CTS store. For more information about AM CTS, see the AM Core token service (CTS) guide.For more information about DS setup profiles, see setup profiles in the DS documentation.
This command sets up the config store with the parameters listed in Server settings.
/path/to/opendj/setup \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --rootUserDN uid=admin \ --rootUserPassword str0ngAdm1nPa55word \ --monitorUserPassword str0ngMon1torPa55word \ --hostname config.example.com \ --adminConnectorPort 4444 \ --ldapPort 1389 \ --enableStartTls \ --ldapsPort 1636 \ --profile am-config \ --set am-config/amConfigAdminPassword:5up35tr0ng \ --profile am-cts \ --set am-cts/amCtsAdminPassword:5up35tr0ng \ --set am-cts/tokenExpirationPolicy:am-sessions-only \ --acceptLicense
For simplicity, this example uses a standalone directory server that does not replicate directory data (no
--replicationPort
or--bootstrapReplicationServer
options). In production deployments, replicate directory data for availability and resilience. For details, see the DS installation documentation. -
Start the DS server:
/path/to/opendj/bin/start-ds
Identity store
-
Unpack the DS files you downloaded.
-
Generate and save a unique DS deployment ID for identity store servers:
/path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
You will need the deployment ID and password to install DS, and to export the server certificate.
Set the deployment ID in your environment:
export DEPLOYMENT_ID=deployment-id
-
Set up a DS server as an identity store, using the
am-identity-store
andidm-repo
setup profiles.For more information about this step, see setup profiles in the DS documentation.
This command sets up the identity store with the parameters listed in server settings:
/path/to/opendj/setup \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --rootUserDN uid=admin \ --rootUserPassword str0ngAdm1nPa55word \ --monitorUserPassword str0ngMon1torPa55word \ --hostname identities.example.com \ --adminConnectorPort 4444 \ --ldapPort 1389 \ --enableStartTls \ --ldapsPort 1636 \ --profile am-identity-store \ --set am-identity-store/amIdentityStoreAdminPassword:5up35tr0ng \ --profile idm-repo \ --set idm-repo/domain:forgerock.io \ --acceptLicense
For simplicity, this example uses standalone directory servers that do not replicate directory data. (No
--replicationPort
or--bootstrapReplicationServer
options.)In production deployments, replicate directory data for availability and resilience. For details, see the DS installation documentation.
-
Start the DS server:
/path/to/opendj/bin/start-ds
Set up a container
Install a Java container to deploy AM.
These deployment examples assume that you are using Apache Tomcat:
-
Follow the instructions in the AM documentation to prepare your environment.
-
Use a supported version of Apache Tomcat as the web application container:
-
Configure Tomcat to listen on port
8081
.This non-default port requires that you update Tomcat’s
conf/server.xml
file. Instead of the default line,<Connector port="8080" protocol="HTTP/1.1">
, use:<Connector port="8081" protocol="HTTP/1.1">
-
Create a Tomcat
bin/setenv.sh
orbin\setenv.bat
file to hold your environment variables. -
Follow the instructions in the AM documentation to prepare Tomcat as the web application container.
-
For complete instructions on setting up Tomcat, see Apache Tomcat in the AM documentation.
Secure connections
From DS 7 onwards, you must secure connections to DS servers. |
-
Create a new directory that will house a dedicated truststore for AM:
mkdir -p /path/to/openam-security/
-
On each DS server, export the DS server certificate.
You must run these commands in the same terminal window where you set the
DEPLOYMENT_ID
variable:-
On
config.example.com
:/path/to/opendj/bin/dskeymgr export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile config-ca-cert.pem
-
On
identities.example.com
:/path/to/opendj/bin/dskeymgr export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile identities-ca-cert.pem
-
-
Import each DS server certificate into the dedicated AM truststore.
If you are not testing this example on a single host, you might need to copy each certificate file onto the AM host machine first:
keytool \ -importcert \ -trustcacerts \ -alias config-ca-cert \ -file /path/to/config-ca-cert.pem \ -keystore /path/to/openam-security/truststore \ -storepass changeit \ -storetype JKS Owner: CN=Deployment key, O=ForgeRock.com Issuer: CN=Deployment key, O=ForgeRock.com ... Trust this certificate? [no]: yes Certificate was added to keystore keytool \ -importcert \ -trustcacerts \ -alias identities-ca-cert \ -file /path/to/identities-ca-cert.pem \ -keystore /path/to/openam-security/truststore \ -storepass changeit \ -storetype JKS Owner: CN=Deployment key, O=ForgeRock.com Issuer: CN=Deployment key, O=ForgeRock.com ... Trust this certificate? [no]: yes Certificate was added to keystore
-
List the certificates in the new truststore and verify that the two certificates you added are there:
keytool \ -list \ -keystore /path/to/openam-security/truststore \ -storepass changeit
-
Point Apache Tomcat to the path of the new truststore so that AM can access it.
Append the truststore settings to the
CATALINA_OPTS
variable in the Tomcatbin/setenv.sh
file; for example:CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/openam-security/truststore \ -Djavax.net.ssl.trustStorePassword=changeit \ -Djavax.net.ssl.trustStoreType=jks"
Refer to your specific container’s documentation for information on configuring truststores.
-
Check that you can use the dedicated AM accounts with the truststore to connect securely to each DS server:
-
On
config.example.com
:/path/to/opendj/bin/ldapsearch \ --hostname config.example.com \ --port 1636 \ --useSsl \ --useJavaTrustStore /path/to/openam-security/truststore \ --trustStorePassword changeit \ --bindDn uid=am-config,ou=admins,ou=am-config \ --bindPassword 5up35tr0ng \ --baseDn ou=am-config \ "(&)" \ 1.1 dn: ou=am-config dn: ou=admins,ou=am-config dn: uid=am-config,ou=admins,ou=am-config
-
On
identities.example.com
:/path/to/opendj/bin/ldapsearch \ --hostname identities.example.com \ --port 1636 \ --useSsl \ --useJavaTrustStore /path/to/openam-security/truststore \ --trustStorePassword changeit \ --bindDn uid=am-identity-bind-account,ou=admins,ou=identities \ --bindPassword 5up35tr0ng \ --baseDn ou=identities \ "(&)" \ 1.1 dn: ou=identities dn: ou=people,ou=identities dn: ou=groups,ou=identities dn: ou=admins,ou=identities dn: uid=am-identity-bind-account,ou=admins,ou=identities
-