---
title: Separate identity stores
description: This is not a comprehensive Advanced Identity Software implementation guide. These sample setup instructions show a minimal integration of Advanced Identity Software components to get you started.
component: platform
version: 8
page_id: platform:sample-setup:deployment1
canonical_url: https://docs.pingidentity.com/platform/8/sample-setup/deployment1.html
page_aliases: ["platform-setup-guide:deployment1.adoc"]
section_ids:
  download_pingds: Download PingDS
  data-setup-1: Set up PingDS
  container-setup-1: Set up a container
  secure-connections-1: Secure connections
  next_step: Next step
---

# Separate identity stores

This is *not* a comprehensive Advanced Identity Software implementation guide. These sample setup instructions show a minimal integration of Advanced Identity Software components to get you started.

Ping Advanced Identity Software offers maximum extensibility and flexibility in self-managed deployments. Advanced Identity Software includes many features and options these sample setup instructions do not cover. If you don't need maximum extensibility and flexibility, there are simpler alternatives:

* To consume the Advanced Identity Software as a service, use [PingOne Advanced Identity Cloud](https://docs.pingidentity.com/pingoneaic).

* To deploy in Kubernetes, start with the [ForgeOps](https://docs.pingidentity.com/forgeops/2025.1) reference implementation.

For help with your deployment and to validate your plans before deploying in production, contact [Ping Identity](https://www.pingidentity.com).

This sample deployment uses the following data stores:

* An external PingDS server as the PingAM configuration store and the PingAM identity store.

* A MySQL repository as the PingIDM data store.

|   |                                                                                                                                                                                                                                                                                                 |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The PingIDM End User UI is not supported in an Advanced Identity Software deployment, as it does not support authentication through PingAM. You can use the Platform UIs with this deployment (refer to [Set up the Platform UIs](platform-ui.html)), or create your own UIs that support authentication through PingAM. |

## Download PingDS

Follow the instructions in the PingDS documentation to [download PingDS](https://docs.pingidentity.com/pingds/8/release-notes/downloads.html), and prepare for installation.

The instructions that follow assume you download the cross-platform .zip distribution.

## Set up PingDS

1. Unpack the PingDS files you downloaded.

2. Generate and save a unique PingDS deployment ID:

   ```bash
   /path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
   ```

   You will need the deployment ID and password to install PingDS, and to export the server certificate.

   Set the deployment ID in your environment:

   ```bash
   export DEPLOYMENT_ID=deployment-id
   ```

3. Install a PingDS server with the necessary setup profiles:

   * `am-config`

   * `am-cts`

   * `am-identity-store`

   For more information about PingDS setup profiles, refer to [setup profiles](https://docs.pingidentity.com/pingds/8/install-guide/setup-profiles.html) in the PingDS documentation.

   ```bash
   /path/to/opendj/setup \
   --deploymentId $DEPLOYMENT_ID \
   --deploymentIdPassword password \
   --rootUserDN uid=admin \
   --rootUserPassword str0ngAdm1nPa55word \
   --monitorUserPassword str0ngMon1torPa55word \
   --hostname directory.example.com \
   --adminConnectorPort 4444 \
   --ldapPort 1389 \
   --enableStartTls \
   --ldapsPort 1636 \
   --profile am-config \
   --set am-config/amConfigAdminPassword:5up35tr0ng \
   --profile am-cts \
   --set am-cts/amCtsAdminPassword:5up35tr0ng \
   --set am-cts/tokenExpirationPolicy:am-sessions-only \
   --profile am-identity-store \
   --set am-identity-store/amIdentityStoreAdminPassword:5up35tr0ng \
   --acceptLicense
   ```

   For simplicity, this sample deployment uses a standalone directory server that:

   * Does not replicate directory data (no `--replicationPort` or `--bootstrapReplicationServer` options).

     In production deployments, always replicate directory data for availability and resilience.

   * Consolidates all directory data in the same replicas.

     In very high-volume production deployments, test whether this meets your performance requirements and adjust your directory deployment if necessary.

   * Keeps PingAM identity data and PingIDM repository data under distinct base DNs.

     Both PingAM and PingIDM expect exclusive access to their data. *Keep their data separate with distinct base DNs and domains in your setup profiles.* Don't accidentally mix their data by choosing a base DN under the other base DN.

   For details, refer to the [PingDS installation documentation](https://docs.pingidentity.com/pingds/8/install-guide/).

4. Start the PingDS server:

   ```bash
   /path/to/opendj/bin/start-ds
   ```
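The note in step 3 warns against placing one base DN under another. The following check is an added example, not part of the PingDS documentation: it reports any pair of base DNs that are equal or nested. It assumes base DNs without escaped commas, and the PingIDM base DN shown is a constructed sample value.

```bash
#!/bin/sh
# Added example (not PingDS code): flag base DNs that are equal or nested.
# Assumption: base DNs contain no escaped commas, as with simple
# suffixes such as ou=am-config and ou=identities.

# Lowercase and drop whitespace around ',' and '=' so that equivalent
# spellings of a DN compare equal.
normalize_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# dn_relation A B prints one of: same, a-under-b, b-under-a, distinct.
# Nesting is tested on an RDN boundary, so ou=xidentities is not
# treated as being under ou=identities.
dn_relation() {
    a=$(normalize_dn "$1")
    b=$(normalize_dn "$2")
    if [ "$a" = "$b" ]; then echo same; return; fi
    case "$a" in *",$b") echo a-under-b; return ;; esac
    case "$b" in *",$a") echo b-under-a; return ;; esac
    echo distinct
}

# base_dns_are_separate DN... returns 0 only if no pair overlaps.
base_dns_are_separate() {
    status=0
    while [ $# -gt 1 ]; do
        first=$1; shift
        for other in "$@"; do
            rel=$(dn_relation "$first" "$other")
            if [ "$rel" != distinct ]; then
                echo "overlap ($rel): '$first' and '$other'" >&2
                status=1
            fi
        done
    done
    return "$status"
}

# The two base DNs shown on this page, plus a constructed PingIDM one.
base_dns_are_separate 'ou=am-config' 'ou=identities' 'dc=openidm,dc=example,dc=com' &&
    echo "base DNs are separate"
```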

## Set up a container

Install a Java container to deploy PingAM.

These deployment examples assume you're using Apache Tomcat:

1. Follow the instructions in the PingAM documentation to [prepare your environment](https://docs.pingidentity.com/pingam/8/install-guide/prepare-env-install.html).

2. Use [a supported version of Apache Tomcat](https://docs.pingidentity.com/pingam/release-notes/requirements.html#prerequisites-application-servers) as the web application container:

   1. Configure Tomcat to listen on port `8081`.

      This non-default port requires that you update Tomcat's `conf/server.xml` file. Instead of the default line, `<Connector port="8080" protocol="HTTP/1.1">`, use:

      ```xml
      <Connector port="8081" protocol="HTTP/1.1">
      ```

   2. Create a Tomcat `bin/setenv.sh` or `bin\setenv.bat` file to hold your environment variables.

   3. Follow the instructions in the PingAM documentation to [prepare Tomcat as the web application container](https://docs.pingidentity.com/pingam/8/install-guide/prepare-containers.html).

You can find complete instructions on setting up Tomcat in the [PingAM documentation](https://docs.pingidentity.com/pingam/8/install-guide/prepare-apache-tomcat.html).

## Secure connections

|   |                                                                         |
| - | ----------------------------------------------------------------------- |
|   | From PingDS 7 onwards, you *must* secure connections to PingDS servers. |

1. Create a new directory that will house a dedicated truststore for PingAM:

   ```bash
   mkdir -p /path/to/openam-security/
   ```

2. Export the PingDS server certificate.

   You must run this command on `directory.example.com` in the terminal window where you set the `DEPLOYMENT_ID` variable:

   ```bash
   /path/to/opendj/bin/dskeymgr export-ca-cert \
   --deploymentId $DEPLOYMENT_ID \
   --deploymentIdPassword password \
   --outputFile ds-ca-cert.pem
   ```

3. Import the PingDS server certificate into the dedicated PingAM truststore.

   If you're not testing this example on a single host, you might need to copy each certificate file onto the PingAM host machine first:

   ```bash
   keytool \
   -importcert \
   -trustcacerts \
   -alias ds-ca-cert \
   -file /path/to/ds-ca-cert.pem \
   -keystore /path/to/openam-security/truststore \
   -storepass changeit \
   -storetype JKS
   Owner: CN=Deployment key, O=ForgeRock.com
   Issuer: CN=Deployment key, O=ForgeRock.com
   ...
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   ```

4. List the certificates in the new truststore and verify that the certificate you added is there:

   ```bash
   keytool \
   -list \
   -keystore /path/to/openam-security/truststore \
   -storepass changeit
   ```

5. Point Apache Tomcat to the path of the new truststore so that PingAM can access it.

   Append the truststore settings to the `CATALINA_OPTS` variable in the Tomcat `bin/setenv.sh` file; for example:

   ```bash
   # Keep any options already set and add the truststore settings.
   CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=/path/to/openam-security/truststore \
   -Djavax.net.ssl.trustStorePassword=changeit \
   -Djavax.net.ssl.trustStoreType=jks"
   ```

   Refer to your specific container's documentation for information on configuring truststores.

6. Verify secure authentication to the PingDS server with the dedicated PingAM accounts.

   If you deployed PingAM and PingDS on separate computers, first copy the PingAM truststore to `/path/to/openam-security/truststore` on the computer where PingDS runs. Use the PingDS `ldapsearch` command to connect to PingDS using the local copy of the PingAM truststore:

   ```bash
   /path/to/opendj/bin/ldapsearch \
   --hostname directory.example.com \
   --port 1636 \
   --useSsl \
   --useJavaTrustStore /path/to/openam-security/truststore \
   --trustStorePassword changeit \
   --bindDn uid=am-config,ou=admins,ou=am-config \
   --bindPassword 5up35tr0ng \
   --baseDn ou=am-config \
   "(&)" \
   1.1
   dn: ou=am-config

   dn: ou=admins,ou=am-config

   dn: uid=am-config,ou=admins,ou=am-config

   /path/to/opendj/bin/ldapsearch \
   --hostname directory.example.com \
   --port 1636 \
   --useSsl \
   --useJavaTrustStore /path/to/openam-security/truststore \
   --trustStorePassword changeit \
   --bindDn uid=am-identity-bind-account,ou=admins,ou=identities \
   --bindPassword 5up35tr0ng \
   --baseDn ou=identities \
   "(&)" \
   1.1
   dn: ou=identities

   dn: ou=people,ou=identities

   dn: ou=groups,ou=identities

   dn: ou=admins,ou=identities

   dn: uid=am-identity-bind-account,ou=admins,ou=identities
   ```
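Step 4 asks you to confirm that the certificate is in the truststore. The following added example (not from the PingDS or PingAM documentation) makes that check explicit: it reads `keytool -list` output and confirms that the `ds-ca-cert` entry is a trusted certificate whose SHA-256 fingerprint matches the one taken from `ds-ca-cert.pem` on the PingDS host. It assumes keytool's English-locale output format, and the sample listing and fingerprint are constructed.

```bash
#!/bin/sh
# Added example, not from the PingDS or PingAM documentation.
# Assumes keytool's English-locale `-list` output format.

# Print the SHA-256 fingerprint of trustedCertEntry ALIAS, reading
# `keytool -list` output from stdin. Prints nothing if it is absent.
truststore_fingerprint() {
    awk -v alias="$1" '
        # Entry header looks like: "<alias>, <date>, trustedCertEntry,"
        index($0, alias ", ") == 1 && /trustedCertEntry, *$/ { hit = 1; next }
        hit && /^Certificate fingerprint \(SHA-256\): / {
            sub(/^[^:]*: /, ""); print; exit
        }
        { hit = 0 }
    '
}

# Compare fingerprints regardless of case, colons, or spaces.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# verify_ca_in_truststore ALIAS EXPECTED_FP  (keytool -list output on stdin)
# Returns 0 on match, 1 on mismatch, 2 if the alias is not a trusted entry.
verify_ca_in_truststore() {
    found=$(truststore_fingerprint "$1")
    if [ -z "$found" ]; then
        echo "alias '$1' is not a trustedCertEntry" >&2; return 2
    fi
    if [ "$(normalize_fp "$found")" != "$(normalize_fp "$2")" ]; then
        echo "fingerprint mismatch for '$1': got $found" >&2; return 1
    fi
}

# Constructed sample of `keytool -list` output (fingerprint is made up).
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ds-ca-cert, Jan 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}
```

In real use, take the expected fingerprint from `keytool -printcert -file ds-ca-cert.pem` on `directory.example.com`, then pipe the output of the step 4 `keytool -list` command into `verify_ca_in_truststore ds-ca-cert "$EXPECTED"`.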

## Next step

* [x] [Choose your sample](overview.html)

* [x] [Prepare the servers](server-settings.html)

* Separate identity stores

  * [x] [Set up PingDS](deployment1.html)

  * [ ] *[Set up PingAM](am-setup-1.html)*

  * [ ] [Set up PingIDM](idm-setup-1.html)

* [ ] [Protect the deployment](protect-deployment.html)

* [ ] [Set up the Platform UIs](platform-ui.html)

* [ ] [Test your deployment](test-deployment.html)
