Prepare a configuration store
This page explains how to prepare a single DS server as a configuration datastore. Make sure DS replicas use the same configuration.
Installing DS with a setup profile creates the required backend, schema, bind user, and indexes:
-
Follow the steps in Install DS for AM configuration in the PingDS documentation.
-
Install AM to use the prepared DS directory server as a configuration store.
The default bind DN of the service account to connect to the configuration store is:
uid=am-config,ou=admins,ou=am-config
-
Share the configuration store certificate with the AM container to prepare for TLS/LDAPS.
Communication with the configuration store must use a secure connection.
-
On the DS host, export the DS CA certificate.
DS uses a deployment ID and password to generate a CA key pair. Learn more in Deployment IDs.
Use the dskeymgr command to export the CA certificate:
$ /path/to/opendj/bin/dskeymgr \
  export-ca-cert \
  --deploymentId $DEPLOYMENT_ID \
  --deploymentIdPassword password \
  --outputFile /path/to/ca-cert.pem
-
Copy the ca-cert.pem file to an accessible location on the AM host.
-
Import the DS CA certificate into the AM truststore:
$ keytool \
  -importcert \
  -file /path/to/ca-cert.pem \
  -keystore /path/to/am/security/keystores/truststore \
  -storepass truststore-password
Learn more about configuring AM’s truststore in Prepare the truststore.
-
When the certificate is in place, continue installing AM.
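A check to run on the AM host before continuing, as an added example that is not part of the PingAM or PingDS documentation: it confirms that the truststore holds, as a trusted certificate entry, the same CA certificate that was exported from DS. The function names are assumptions of this example, the paths and password are the placeholders used in the steps above, and it assumes a keytool that prints SHA-256 fingerprints in its `-list` output.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of DS or AM.

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of a PEM certificate file (needs openssl).
pem_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Read `keytool -list` output on stdin. Return 0 only if a trustedCertEntry
# carries the SHA-256 fingerprint given in $1; key entries do not count.
# Return 2 if the wanted fingerprint is empty (for example, openssl failed).
listing_trusts_fp() {
    want=$(normalize_fp "$1")
    [ -n "$want" ] || return 2
    kind=""
    while IFS= read -r line; do
        case "$line" in
            *trustedCertEntry*) kind=trusted ;;
            *PrivateKeyEntry*|*SecretKeyEntry*) kind=other ;;
            *"(SHA-256):"*)
                if [ "$kind" = trusted ] &&
                   [ "$(normalize_fp "${line##*: }")" = "$want" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# $1 = exported CA certificate, $2 = AM truststore, $3 = truststore password.
verify_ds_ca_import() {
    fp=$(pem_fp "$1")
    keytool -list -keystore "$2" -storepass "$3" | listing_trusts_fp "$fp"
}

# Usage on the AM host (placeholder paths from the steps above):
#   verify_ds_ca_import /path/to/ca-cert.pem \
#       /path/to/am/security/keystores/truststore truststore-password \
#     && echo "DS CA certificate is trusted" || echo "DS CA certificate missing"
```

Running `pem_fp` on the DS host and again on the copied file on the AM host also shows whether the certificate changed in transit.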
After setting up the configuration store, you can enhance security by configuring mTLS authentication to that store and rotating the mTLS certificates periodically. Learn more in mTLS for configuration stores.