PingAM 7.5.1

Prepare a configuration store

This page explains how to prepare a single DS server as an external configuration data store. Make sure DS replicas use the same configuration.

Installing DS with a setup profile creates the required backend, schema, bind user, and indexes:

  1. Follow the steps in Install DS for AM configuration in the PingDS documentation.

  2. Install AM to use the prepared DS directory server as an external configuration store.

    The default bind DN of the service account to connect to the external configuration store is:

    uid=am-config,ou=admins,ou=am-config
  3. Share the configuration store certificate with the AM container to prepare for TLS/LDAPS.

    Communication with the configuration store must use a secure connection.

    • On the DS host, export the DS CA certificate.

      DS uses a deployment ID and password to generate a CA key pair. Learn more in Deployment IDs.

      Use the dskeymgr command to export the CA certificate:

      $ /path/to/opendj/bin/dskeymgr \
      export-ca-cert \
      --deploymentId $DEPLOYMENT_ID \
      --deploymentIdPassword password \
      --outputFile /path/to/ca-cert.pem
    • Copy the ca-cert.pem file to an accessible location on the AM host.

    • Import the DS certificate into the AM truststore:

      $ keytool \
      -importcert \
      -file /path/to/ca-cert.pem \
      -keystore /path/to/openam/security/keystores/truststore

    Learn more about configuring AM’s truststore in Prepare the truststore.

  4. When the certificate is in place, continue installing AM.

After setting up the external configuration store, you can enhance security by configuring mTLS authentication to that store and rotating the mTLS certificates periodically. Learn more in mTLS for configuration stores.