Install DS as an IDM repository

When IDM uses multiple DS replicas, configure IDM for failover.

Install the server files.
Generate a deployment ID unless you already have one:
```
$ /path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
your-deployment-id
```
Save the deployment ID and its deployment password. Keep the ID and the password safe, and keep the password secret. Use the same deployment ID and password for all the servers in the same environment.
About deployment IDs
A deployment ID is a random string generated using the dskeymgr command. It is a deployment identifier, not a key, but it is used with a password to generate keys.

A deployment ID password is a secret string at least 8 characters long that you choose.

The two are a pair. You must have the deployment ID password to use the deployment ID.

Each deployment requires a single, unique deployment ID and its password. DS uses the pair to:
- Protect the keys to encrypt and decrypt backup files and directory data.
- Generate the TLS key pairs to protect secure connections, unless you provide your own.
Store your deployment ID and password in a safe place, and reuse them when configuring other servers in the same deployment.

The DS setup and dskeymgr commands use the pair to generate the following:
- (Required) A shared master key for the deployment.
  
  DS replicas share secret keys for data encryption and decryption. DS servers encrypt backend data, backup files, and passwords, and each replica must be able to decrypt data encrypted on another peer replica.
  
  To avoid exposing secret keys, DS servers encrypt secret keys with a shared master key. DS software uses a deployment ID and its password to derive the master key.
- (Optional) A private PKI for trusted, secure connections.
  
  A PKI serves to secure network connections from clients and other DS servers. The PKI is a trust network, requiring trust in the CA that signs public key certificates.
  
  Building a PKI can be complex. You can use self-signed certificates, but you must distribute each certificate to each server and client application. You can pay an existing CA to sign certificates, but that has a cost, and leaves control of trust with a third party. You can set up a CA or certificate management software, but that can be a significant effort and cost. As a shortcut to setting up a private CA, DS software uses deployment IDs and passwords.
  
  DS software uses the deployment ID and its password to generate key pairs without storing the CA private key.
Learn more in Deployment IDs.
Set the deployment ID as the value of the environment variable, DEPLOYMENT_ID:
```
$ export DEPLOYMENT_ID=your-deployment-id
```
Examples in the documentation show this environment variable as a reminder to use your own deployment ID.
Run the setup command with the --profile idm-repo option:
```
$ /path/to/opendj/setup \
 --deploymentId $DEPLOYMENT_ID \
 --deploymentIdPassword password \
 --rootUserDN uid=admin \
 --rootUserPassword str0ngAdm1nPa55word \
 --hostname localhost \
 --adminConnectorPort 34444 \
 --ldapPort 31389 \
 --enableStartTls \
 --profile idm-repo \
 --set idm-repo/domain:forgerock.com \
 --acceptLicense
```
- The deployment ID for installing the server is stored in the environment variable DEPLOYMENT_ID. Install all servers in the same deployment with the same deployment ID and deployment ID password. For details, read Deployment IDs.
- The administrative account to use in IDM when connecting to DS has:
  - Bind DN: The DN set with the --rootUserDN option.
  - Password: The password set with the --rootUserPassword option.
- The base DN for IDM data is dc=openidm,dc=example,dc=com.
  
  AM and IDM expect exclusive access to the data in each setup profile. Keep the data separate by using distinct base DNs and domains for each setup profile. Don’t accidentally mix the data by choosing a base DN under another base DN.
- IDM requires change number indexing with the default settings.
For the full list of profiles and parameters, refer to Default setup profiles.
Finish configuring the server before you start it.

For a list of optional steps at this stage, refer to Install DS for custom cases.

If all access to DS goes through IDM, IDM manages password policy.

In this case, relax the default password policy settings:

$ dsconfig \
 set-password-policy-prop \
 --policy-name "Default Password Policy" \
 --reset password-validator \
 --offline \
 --no-prompt
$ dsconfig \
 set-password-policy-prop \
 --policy-name "Root Password Policy" \
 --reset password-validator \
 --offline \
 --no-prompt

Start the server:
```
$ /path/to/opendj/bin/start-ds
```

PingDS

Install DS as an IDM repository