Separate identity stores
This is not a comprehensive platform implementation guide. These sample setup instructions show a minimal integration of platform components to get you started. The ForgeRock Identity Platform offers maximum extensibility and flexibility in self-managed deployments. The platform includes many features and options these sample setup instructions do not cover. If you don’t need maximum extensibility and flexibility, there are simpler alternatives:
For help with your deployment and to validate your plans before deploying in production, contact ForgeRock. |
This sample deployment uses the following data stores:
-
An external DS server as the AM configuration store and the AM identity store.
-
A MySQL repository as the IDM data store.
The IDM End User UI is not supported in a platform deployment, as it does not support authentication through AM. You can use the Set up the platform UIs with this deployment, or create your own UIs that support authentication through AM. |
Download DS
Follow the instructions in the DS documentation to download DS, and prepare for installation.
The instructions that follow assume you download the cross-platform .zip distribution.
Set up DS
-
Unpack the DS files you downloaded.
-
Generate and save a unique DS deployment ID:
/path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
You will need the deployment ID and password to install DS, and to export the server certificate.
Set the deployment ID in your environment:
export DEPLOYMENT_ID=deployment-id
-
Install a DS server with the necessary setup profiles:
-
am-config
-
am-cts
-
am-identity-store
For more information about DS setup profiles, refer to setup profiles in the DS documentation.
/path/to/opendj/setup \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --rootUserDN uid=admin \ --rootUserPassword str0ngAdm1nPa55word \ --monitorUserPassword str0ngMon1torPa55word \ --hostname directory.example.com \ --adminConnectorPort 4444 \ --ldapPort 1389 \ --enableStartTls \ --ldapsPort 1636 \ --profile am-config \ --set am-config/amConfigAdminPassword:5up35tr0ng \ --profile am-cts \ --set am-cts/amCtsAdminPassword:5up35tr0ng \ --set am-cts/tokenExpirationPolicy:am-sessions-only \ --profile am-identity-store \ --set am-identity-store/amIdentityStoreAdminPassword:5up35tr0ng \ --acceptLicense
For simplicity, this sample deployment uses a standalone directory server that:
-
Does not replicate directory data (no
--replicationPort
or--bootstrapReplicationServer
options).In production deployments, always replicate directory data for availability and resilience.
-
Consolidates all directory data in the same replicas.
In very high-volume production deployments, test whether this meets your performance requirements and adjust your directory deployment if necessary.
-
Keeps AM identity data and IDM repository data under distinct base DNs.
Both AM and IDM expect exclusive access to their data. Keep their data separate with distinct base DNs and domains in your setup profiles. Don’t accidentally mix their data by choosing a base DN under the other base DN.
For details, refer to the DS installation documentation.
-
-
Start the DS server:
/path/to/opendj/bin/start-ds
Set up a container
Install a Java container to deploy AM.
These deployment examples assume that you are using Apache Tomcat:
-
Follow the instructions in the AM documentation to prepare your environment.
-
Use a supported version of Apache Tomcat as the web application container:
-
Configure Tomcat to listen on port
8081
.This non-default port requires that you update Tomcat’s
conf/server.xml
file. Instead of the default line,<Connector port="8080" protocol="HTTP/1.1">
, use:<Connector port="8081" protocol="HTTP/1.1">
-
Create a Tomcat
bin/setenv.sh
orbin\setenv.bat
file to hold your environment variables. -
Follow the instructions in the AM documentation to prepare Tomcat as the web application container.
-
For complete instructions on setting up Tomcat, see Apache Tomcat in the AM documentation.
Secure connections
From DS 7 onwards, you must secure connections to DS servers. |
-
Create a new directory that will house a dedicated truststore for AM:
mkdir -p /path/to/openam-security/
-
Export the DS server certificate.
You must run this command on
directory.example.com
in the terminal window where you set theDEPLOYMENT_ID
variable:/path/to/opendj/bin/dskeymgr export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile ds-ca-cert.pem
-
Import the DS server certificate into the dedicated AM truststore.
If you are not testing this example on a single host, you might need to copy each certificate file onto the AM host machine first:
keytool \ -importcert \ -trustcacerts \ -alias ds-ca-cert \ -file /path/to/ds-ca-cert.pem \ -keystore /path/to/openam-security/truststore \ -storepass changeit \ -storetype JKS Owner: CN=Deployment key, O=ForgeRock.com Issuer: CN=Deployment key, O=ForgeRock.com ... Trust this certificate? [no]: yes Certificate was added to keystore
-
List the certificates in the new truststore and verify that the certificate you added is there:
keytool \ -list \ -keystore /path/to/openam-security/truststore \ -storepass changeit
-
Point Apache Tomcat to the path of the new truststore so that AM can access it.
Append the truststore settings to the
CATALINA_OPTS
variable in the Tomcatbin/setenv.sh
file; for example:CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/openam-security/truststore \ -Djavax.net.ssl.trustStorePassword=changeit \ -Djavax.net.ssl.trustStoreType=jks"
Refer to your specific container’s documentation for information on configuring truststores.
-
Verify secure authentication to the DS server with the dedicated AM accounts.
If you deployed AM and DS on separate computers, first copy the AM truststore to
/path/to/openam-security/truststore
on the computer where DS runs. Use the DSldapsearch
command to connect to DS using the local copy of the AM truststore:/path/to/opendj/bin/ldapsearch \ --hostname directory.example.com \ --port 1636 \ --useSsl \ --useJavaTrustStore /path/to/openam-security/truststore \ --trustStorePassword changeit \ --bindDn uid=am-config,ou=admins,ou=am-config \ --bindPassword 5up35tr0ng \ --baseDn ou=am-config \ "(&)" \ 1.1 dn: ou=am-config dn: ou=admins,ou=am-config dn: uid=am-config,ou=admins,ou=am-config /path/to/opendj/bin/ldapsearch \ --hostname directory.example.com \ --port 1636 \ --useSsl \ --useJavaTrustStore /path/to/openam-security/truststore \ --trustStorePassword changeit \ --bindDn uid=am-identity-bind-account,ou=admins,ou=identities \ --bindPassword 5up35tr0ng \ --baseDn ou=identities \ "(&)" \ 1.1 dn: ou=identities dn: ou=people,ou=identities dn: ou=groups,ou=identities dn: ou=admins,ou=identities dn: uid=am-identity-bind-account,ou=admins,ou=identities