---
title: Identity stores
description: An identity store, also called an identity repository, is a persistent store of user data, such as PingDS, PingDirectory, or Microsoft Active Directory. You can configure identity stores either when installing AM, or by adding them to an existing AM instance.
component: pingam
version: 8.1
page_id: pingam:setup:setting-up-identity-stores
canonical_url: https://docs.pingidentity.com/pingam/8.1/setup/setting-up-identity-stores.html
keywords: ["Setup & Configuration", "Identity Store", "Repository"]
page_aliases: ["setup-guide:setting-up-identity-stores.adoc"]
section_ids:
  realm-data-store: Configure an identity store
---

# Identity stores

An identity store, also called an identity repository, is a persistent store of user data, such as PingDS, PingDirectory, or Microsoft Active Directory. You can configure identity stores either when installing AM, or by adding them to an existing AM instance.

AM also uses other types of datastores, such as the configuration datastore, the UMA datastore, and the Core Token Service (CTS) datastore.

When you first set up a realm, the new realm inherits the identity store from the parent realm. For example, in an installation where the Top Level Realm has a DS server as the identity store, any new realm created would have the same DS instance as the identity store, by default.

If your administrators are in one realm and your users in another, your new child realm might retrieve users from a different identity store.

|   |                                                                                                                                                                                                                                                                                                                                                                                   |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | You shouldn't configure more than one writable identity store in a single realm. AM will try to perform write operations on each identity store configured in a realm, and there is no way to configure which repository is written to. To manage identities and reconcile differences between multiple identity stores, use [PingIDM](https://docs.pingidentity.com/pingidm/8.1). |

**Tasks to connect identity stores**

| Task                                                                                                                                                                                           | Resources                                                                   |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| **Prepare an identity store** You must prepare the identity store before AM can use it. | [Prepare identity stores](../installation/prepare-identity-repository.html) |
| **Configure an identity store** Configure the store in a realm so that users can be authenticated. By default, AM re-uses your configuration store as the identity store of the Top Level realm. | [Configure an identity store](#realm-data-store) |
| **Customize an identity store** Create custom attributes for your users or custom identity plugins to change how AM maps users and groups to a realm. | [Customize identity stores](customizing-data-stores.html) |

## Configure an identity store

1. Share the identity store certificate with the AM container to prepare for TLS/LDAPS. AM should communicate with identity stores over secure connections.

   DS is configured to require secure connections by default. Share the DS certificate with the AM container before continuing.

   > **Share the DS certificate with AM**
   >
   > * On the DS host, export the DS CA certificate.
   >
   >   DS uses a deployment ID and password to generate a CA key pair. Learn more in [Deployment IDs](https://docs.pingidentity.com/pingds/8.1/security-guide/pki.html#about-deployment-ids).
   >
   >   Use the `dskeymgr` command to export the CA certificate:
   >
   >   ```bash
   >   $ /path/to/opendj/bin/dskeymgr \
   >   export-ca-cert \
   >   --deploymentId $DEPLOYMENT_ID \
   >   --deploymentIdPassword password \
   >   --outputFile /path/to/ca-cert.pem
   >   ```
   >
   > * Copy the `ca-cert.pem` file to an accessible location on the AM host.
   >
   > * Import the DS CA certificate into the AM truststore:
   >
   >   ```bash
   >   $ keytool \
   >   -importcert \
   >   -file /path/to/ca-cert.pem \
   >   -keystore /path/to/am/security/keystores/truststore \
   >   -storepass truststore-password
   >   ```
   >
   > Learn more about configuring AM's truststore in [Prepare the truststore](../installation/prepare-trust-store.html).

2. In the AM admin UI, go to Realms > *realm name* > Identity Stores.

3. Click Add Identity Store, enter an ID, and select the type of identity store from one of the following:

   | Type                                       | Use for                                                                                                                                                               |
   | ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | `Active Directory Application Mode (ADAM)` | [Active Directory Lightweight Directory Services (AD LDS)](data-stores-adam.html)                                                                                     |
   | `Active Directory`                         | [Active Directory](data-stores-active-directory.html)                                                                                                                 |
   | `ForgeRock IAM Directory Server`           | [PingDS](data-stores-opendj.html) Only use this type if DS is the shared identity store in a Ping Advanced Identity Software deployment. Otherwise, use type `OpenDJ`. |
   | `OpenDJ`                                   | [PingDS](data-stores-opendj.html)                                                                                                                                     |
   | `Generic LDAPv3`                           | [Generic LDAPv3 compliant](data-stores-generic-ldapv3.html) identity stores, including Oracle Unified Directory                                                       |
   | `Ping Directory Server`                    | [PingDirectory](data-stores-ping-directory.html)                                                                                                                      |

   Don't select the following unsupported types: `Sun DS with OpenAM schema` or `Tivoli Directory Server`.

4. Click Create.

5. In the tabbed view, provide information on how to connect to your identity store.

   Read the configuration hints for your identity store:

   * [Active Directory](data-stores-active-directory.html)

   * [Active Directory Lightweight Directory Services (AD LDS)](data-stores-adam.html)

   * [Generic LDAPv3](data-stores-generic-ldapv3.html)

   * [PingDS](data-stores-opendj.html)

   * [PingDirectory](data-stores-ping-directory.html)

6. If you've not applied the schema configuration to your identity data, but the AM service account used to bind to the directory service has permission to alter schema, enable the Load Schema option.

7. Save your changes.

8. Test the connection as described in [Test identity store access](prepare-idrepo-testing.html).
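
Step 1 moves a trust anchor between hosts, so it is worth confirming that the `ca-cert.pem` that arrived on the AM host is the certificate DS exported before running `keytool -importcert`. The following is an added example, not part of the PingAM documentation: the function names and `EXPECTED_FP` are hypothetical, and it assumes GNU coreutils, `awk` and `tr` on both hosts.

```bash
# Added example, not from the PingAM docs. Assumes GNU coreutils
# (base64 -d, sha256sum), awk and tr on both hosts.

# Print the lowercase hex SHA-256 of the DER bytes of the first
# certificate in PEM file $1. Unlike a hash of the file itself, this
# survives CRLF conversion or re-wrapping during the copy.
pem_sha256() (
  body=$(tr -d '\r' < "$1" | awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
    /-----END CERTIFICATE-----/   { exit }
    inside')
  [ -n "$body" ] || { echo "no certificate block in $1" >&2; exit 1; }
  # Reject corrupt base64 rather than hash a partial decode.
  printf '%s\n' "$body" | base64 -d >/dev/null 2>&1 ||
    { echo "invalid base64 in $1" >&2; exit 1; }
  printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
)

# Reduce colon-separated hex, as displayed by keytool or openssl
# (AB:CD:..., upper or lower case), to bare lowercase hex.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Succeed only if the certificate in $1 has SHA-256 fingerprint $2.
fp_matches() (
  actual=$(pem_sha256 "$1") || exit 1
  want=$(norm_fp "$2")
  [ "${#want}" -eq 64 ] && [ "$actual" = "$want" ]
)

# Constructed sample: placeholder bytes in a PEM wrapper, not a real
# certificate. Writes $1 with LF and $2 with CRLF line endings.
make_sample_pems() {
  {
    echo '-----BEGIN CERTIFICATE-----'
    printf 'constructed placeholder DER bytes' | base64
    echo '-----END CERTIFICATE-----'
  } > "$1"
  awk '{ printf "%s\r\n", $0 }' "$1" > "$2"
}

# DS host:  pem_sha256 /path/to/ca-cert.pem   (send the value separately
#           from the file, for example read it out over another channel)
# AM host:  fp_matches /path/to/ca-cert.pem "$EXPECTED_FP" || exit 1
#           and only then run the keytool -importcert step from step 1
```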
