How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How does AM (All versions) establish the LDAP connection to the configuration store on startup?

Last updated Jan 16, 2023

The purpose of this article is to provide information on how AM establishes the LDAP connection to the configuration store on startup, and the purpose of boot.json and the keystore file in this process.

1 reader recommends this article

Connecting to the configuration store

The Configuration directory (/path/to/am) contains files created during the install process. Some of these files contain critical information that is required when AM initializes; AM cannot start if these files become corrupt or are missing. In particular, there are two files within AM’s configuration directory that are used to bind to the configuration store when AM starts up:

On startup, AM establishes the LDAP connection to the configuration store as follows:

  1. AM reads the boot.json file to get the bind DNs to access the configuration store and the location of the JCEKS keystore file.
  2. AM uses the .storepass file to access the keystore.jceks file. The .storepass file is created at build time and consists of a random-generated string stored in cleartext.
  3. AM uses the .keypass file to access the configstorepwd and dsamesuserpwd password entries in the keystore, which are then used to bind to the configuration store in DS.
  4. AM reads the bindDN and bindPassword from the identity store (baseDN entry: ou=<server URL>,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,<root suffix>).
  5. AM writes the bindDN and bindPassword retrieved in step 4 back to the boot.json file and the keystore.jceks file.


This file contains connection details to the configuration store, but does not include any passwords or key material. An example boot.json file looks like this:

{ "instance": "", "dsameUser": "cn=dsameuser,ou=DSAME Users,dc=am,dc=forgerock,dc=org", "keystores": { "default": { "keyStorePasswordFile": "/path/to/am/security/secrets/default/.storepass", "keyPasswordFile": "/path/to/am/security/secrets/default/.keypass", "keyStoreType": "JCEKS", "keyStoreFile": "/path/to/am/security/keystores/keystore.jceks" } }, "configStoreList": [ { "baseDN": "ou=am-config", "dirManagerDN": "uid=am-config,ou=admins,ou=am-config", "ldapHost": "", "ldapPort": 1636, "ldapProtocol": "ldap" } ] }

See Replace the bootstrap file for further information about the individual properties in the boot.json file.


The keystore.jceks file contains entries of type SecretKeyEntry for the following aliases:

  • configstorepwd - maps to the password for the dirManagerDN entry in boot.json.
  • dsamesuserpwd - maps to the password for the dsameUser entry in boot.json.

See Replace the AM keystore for further information about these aliases.

See Also

How do I check if AM (All versions) is up and running?

Attempting to access AM (All versions) fails with ConfigurationException: Configuration store is not available

Data stores in AM

Secrets, certificates, and keys

Back up configurations

Identity stores

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.