---
title: Step 2. Prepare your datastore
description: To prepare a single DS server as a configuration store, identity store, and CTS token store for evaluation purposes, perform the following tasks:
component: pingam
version: 8.1
page_id: pingam:evaluation:step-2-prepare-data-store
canonical_url: https://docs.pingidentity.com/pingam/8.1/evaluation/step-2-prepare-data-store.html
keywords: ["Evaluation", "Install"]
page_aliases: ["eval-guide:step-2-prepare-data-store.adoc"]
section_ids:
  create-deployment-id: Create a deployment ID
  prepare-am-trust-store: Create a truststore for AM
  install-ds: Install DS
---

# Step 2. Prepare your datastore

To prepare a single DS server as a configuration store, identity store, and CTS token store for evaluation purposes, perform the following tasks:

## Create a deployment ID

1. Unzip the DS `.zip` file into the file system directory where you want to install the server.

   ```bash
   $ unzip ~/Downloads/DS-8.1.0.zip -d /path/to/opendj
   ```

2. Generate a deployment ID using a deployment ID password of `password`.

   ```bash
   $ /path/to/opendj/bin/dskeymgr \
   create-deployment-id \
   --deploymentIdPassword password
   deployment-id
   ```

   You'll use this deployment ID and password when setting up your DS server and generating the keys required to connect securely from AM to DS.

   |   |                                                                                                     |
   | - | --------------------------------------------------------------------------------------------------- |
   |   | When configuring DS for real-world use, don't use this password. It is only to get started with AM. |

3. Save the deployment ID as an environment variable:

   ```bash
   $ export DEPLOYMENT_ID=deployment-id
   ```

## Create a truststore for AM

These steps create a copy of the default JVM truststore, and configure the AM web application container to use the new truststore:

1. Copy the default truststore (for example, `$JAVA_HOME/lib/security/cacerts`), name it `truststore`, and place it in a directory of your choice:

   ```bash
   $ cp $JAVA_HOME/lib/security/cacerts /path/to/truststore
   ```

   |   |                                                                                                                                                                                                                                                                                                                     |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you place the truststore in the `/path/to/am` directory *before* you install AM, the installation process detects the directory isn't empty and the installation fails. After AM is installed, you can move the truststore to a different directory, for example, `/path/to/am/security/keystores`. |

   The default password of the `$JAVA_HOME/lib/security/cacerts` truststore is `changeit`. In a production deployment, you should change the default truststore password. Read the documentation for your JVM for instructions.

2. Export the DS certificate.

   * On the DS host, export the DS CA certificate.

     DS uses a deployment ID and password to generate a CA key pair. Learn more in [Deployment IDs](https://docs.pingidentity.com/pingds/8.1/security-guide/pki.html#about-deployment-ids).

     Use the `dskeymgr` command to export the CA certificate:

     ```bash
     $ /path/to/opendj/bin/dskeymgr \
     export-ca-cert \
     --deploymentId $DEPLOYMENT_ID \
     --deploymentIdPassword password \
     --outputFile /path/to/ca-cert.pem
     ```

   * Copy the `ca-cert.pem` file to an accessible location on the AM host.

3. Import the DS CA certificate into the new truststore:

   ```bash
   $ keytool \
   -importcert \
   -file /path/to/ca-cert.pem \
   -keystore /path/to/truststore \
   -storepass truststore-password
   ```

   Confirm you trust this certificate when prompted.

4. To configure the truststore in Apache Tomcat so that AM can access it, append the truststore settings to the `CATALINA_OPTS` variable in the `setenv` file.

   For example, on Linux, in `$CATALINA_BASE/bin/setenv.sh`:

   ```bash
   export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m \
   -Djavax.net.ssl.trustStore=/path/to/truststore \
   -Djavax.net.ssl.trustStorePassword=new-password \
   -Djavax.net.ssl.trustStoreType=jks"
   ```

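   On Windows, in `$CATALINA_BASE/bin/setenv.bat`:

   ```bat
   rem A quoted set value cannot span lines, so append one option per line.
   set "CATALINA_OPTS=%CATALINA_OPTS% -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m"
   set "CATALINA_OPTS=%CATALINA_OPTS% -Djavax.net.ssl.trustStore=/path/to/truststore"
   set "CATALINA_OPTS=%CATALINA_OPTS% -Djavax.net.ssl.trustStorePassword=new-password"
   set "CATALINA_OPTS=%CATALINA_OPTS% -Djavax.net.ssl.trustStoreType=jks"
   ```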

   Read your specific container's documentation for information on configuring truststores.

   After AM is installed, you can move the truststore to a different location, for example, `/path/to/am/security/keystores/`. If you do, remember to update the truststore path in the container configuration.
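
The following preflight check is an added example, not part of the Ping Identity documentation. It reads the truststore settings from a `setenv.sh` file and reports a stale path, a writable truststore, or the default `changeit` password before you restart Tomcat. The helper names `get_jvm_prop` and `check_truststore_opts` are hypothetical, and the sample `setenv.sh` is constructed.

```shell
#!/usr/bin/env bash
# Added example: preflight check of the truststore settings in Tomcat's setenv.sh.
# get_jvm_prop and check_truststore_opts are hypothetical helpers, not AM/DS tooling.

# Print the value of -D<property>=<value> in a setenv file (last occurrence wins).
get_jvm_prop() {  # $1 = setenv file, $2 = property name
  grep -o -e "-D$2="'[^[:space:]"]*' "$1" | tail -n 1 | cut -d= -f2-
}

# Print one line per finding; the return code is the number of FAIL findings.
check_truststore_opts() {  # $1 = path to setenv.sh
  local fails=0 store pass type
  store=$(get_jvm_prop "$1" javax.net.ssl.trustStore)
  pass=$(get_jvm_prop "$1" javax.net.ssl.trustStorePassword)
  type=$(get_jvm_prop "$1" javax.net.ssl.trustStoreType)

  if [ -z "$store" ]; then
    echo "FAIL: javax.net.ssl.trustStore is not set"; fails=$((fails + 1))
  elif [ ! -r "$store" ]; then
    # Typical after moving the truststore without updating setenv.sh.
    echo "FAIL: truststore $store is missing or unreadable"; fails=$((fails + 1))
  elif [ -n "$(find "$store" \( -perm -020 -o -perm -002 \) -print)" ]; then
    # Anyone who can write this file can add a CA that AM will then trust.
    echo "FAIL: truststore $store is group- or world-writable"; fails=$((fails + 1))
  fi
  if [ -z "$pass" ]; then
    echo "FAIL: javax.net.ssl.trustStorePassword is not set"; fails=$((fails + 1))
  elif [ "$pass" = "changeit" ]; then
    echo "WARN: truststore still uses the default cacerts password"
  fi
  [ -n "$type" ] || { echo "FAIL: javax.net.ssl.trustStoreType is not set"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ] && echo "OK: truststore settings are consistent"
  return "$fails"
}

# Constructed sample: a setenv.sh in the shape shown above, pointing at a temp file.
demo() {
  local dir; dir=$(mktemp -d)
  : > "$dir/truststore"; chmod 600 "$dir/truststore"
  printf '%s\n' "export CATALINA_OPTS=\"\$CATALINA_OPTS -server \\" \
    "-Djavax.net.ssl.trustStore=$dir/truststore \\" \
    "-Djavax.net.ssl.trustStorePassword=new-password \\" \
    "-Djavax.net.ssl.trustStoreType=jks\"" > "$dir/setenv.sh"
  check_truststore_opts "$dir/setenv.sh"
}
demo
```

Run the check again after moving the truststore, pointing it at `$CATALINA_BASE/bin/setenv.sh`, to catch a path that was not updated.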

## Install DS

These steps install DS as the configuration store, identity store, and CTS token store.

1. Use the `setup` command to install DS with the `am-config`, `am-cts`, and `am-identity-store` profiles. For example:

   ```bash
   $ /path/to/opendj/setup \
   --deploymentId $DEPLOYMENT_ID \
   --deploymentIdPassword password \
   --rootUserDN uid=admin \
   --rootUserPassword str0ngAdm1nPa55word \
   --monitorUserPassword str0ngMon1torPa55word \
   --hostname ds.example.com \
   --adminConnectorPort 4444 \
   --ldapPort 1389 \
   --enableStartTls \
   --ldapsPort 1636 \
   --profile am-config \
   --set am-config/amConfigAdminPassword:5up35tr0ng \
   --profile am-cts \
   --set am-cts/amCtsAdminPassword:5up35tr0ng \
   --set am-cts/tokenExpirationPolicy:am-sessions-only \
   --profile am-identity-store \
   --set am-identity-store/amIdentityStoreAdminPassword:5up35tr0ng \
   --start \
   --acceptLicense
   ```

   Learn more about installing DS in the [PingDS Installation documentation](https://docs.pingidentity.com/pingds/8.1/install-guide/preface.html).

2. Restart Tomcat:

   ```bash
   $ /path/to/tomcat/bin/shutdown.sh
   $ /path/to/tomcat/bin/startup.sh
   ```

3. Proceed to [Step 3. Deploy AM](step-3-deploy-am.html).
