---
title: Prepare a configuration store
description: This page explains how to prepare a single DS server as a configuration datastore. Make sure DS replicas use the same configuration.
component: pingam
version: 8.1
page_id: pingam:installation:prepare-configuration-store
canonical_url: https://docs.pingidentity.com/pingam/8.1/installation/prepare-configuration-store.html
keywords: ["Install", "Configuration Store"]
page_aliases: ["install-guide:prepare-configuration-store.adoc"]
---

# Prepare a configuration store

This page explains how to prepare a single DS server as a configuration datastore. Make sure DS replicas use the same configuration.

Installing DS with a [setup profile](https://docs.pingidentity.com/pingds/8.1/install-guide/setup-profiles.html) creates the required backend, schema, bind user, and indexes:

1. Follow the steps in [Install DS for AM configuration](https://docs.pingidentity.com/pingds/8.1/install-guide/profile-am-config.html) in the PingDS documentation.

2. [Install AM](interactive-install.html) to use the prepared DS directory server as a configuration store.

   The default bind DN of the service account to connect to the configuration store is:

   ```
   uid=am-config,ou=admins,ou=am-config
   ```

3. Share the configuration store certificate with the AM container to prepare for TLS/LDAPS.

   Communication with the configuration store *must* use a secure connection.

   * On the DS host, export the DS CA certificate.

     DS uses a deployment ID and password to generate a CA key pair. Learn more in [Deployment IDs](https://docs.pingidentity.com/pingds/8.1/security-guide/pki.html#about-deployment-ids).

     Use the `dskeymgr` command to export the CA certificate:

     ```bash
     $ /path/to/opendj/bin/dskeymgr \
     export-ca-cert \
     --deploymentId $DEPLOYMENT_ID \
     --deploymentIdPassword password \
     --outputFile /path/to/ca-cert.pem
     ```

   * Copy the `ca-cert.pem` file to an accessible location on the AM host.

   - Import the DS CA certificate into the AM truststore:

     ```bash
     $ keytool \
     -importcert \
     -file /path/to/ca-cert.pem \
     -keystore /path/to/am/security/keystores/truststore
     -storepass truststore-password
     ```

   Learn more about configuring AM's truststore in [Prepare the truststore](prepare-trust-store.html).

4. When the certificate is in place, continue installing AM.

|   |                                                                                                                                                                                                                                                                             |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | After setting up the configuration store, you can enhance security by configuring mTLS authentication to that store and rotating the mTLS certificates periodically. Learn more in [mTLS for configuration stores](../security/secure-connections.html#mtls-config-stores). |