Prepare external stores
You need at least one DS server to store AM data. AM has several distinct data types: configuration data, identity information, client applications, policies, sessions, and so on.
By default, after installation AM keeps all of this data except identity data in its configuration store. This keeps basic deployments simple.
If you want to test file-based configuration (FBC) in a non-production environment, first install AM with external data stores and then migrate to a file-based configuration. Using FBC in a production environment isn't currently supported.
For advanced and high-load deployments, you can configure different sets of replicated DS servers to keep distinct data types separate and to tune DS for different requirements.
AM supports the following DS data stores:
Store name | Type of data | Required during installation?
---|---|---
Configuration store | Stores the properties and settings used by the AM instance. | Yes
Identity or user store | Stores identity profiles; that is, information about the users, devices, or things that authenticate to your systems. You can also configure AM to access existing directory servers to obtain identity profiles. | No, but you can configure one during the installation process. In production deployments, you must configure an external identity store, or configure AM to access an existing identity store.
Policy store | Stores policy-related data, such as policies, policy sets, and resource types. | No
Application store | Stores application-related data, such as web and Java agent configurations, federation entities and configuration, and OAuth 2.0 client definitions. | No
CTS token store | Stores information about sessions, SAML v2.0 assertions, OAuth 2.0 tokens, and session denylists and allowlists. | No
UMA store | Stores information about UMA resources, labels, audit messages, and pending requests. | No
The following table lists the supported directory servers for storing different data types:
Directory server | Versions | Configuration | Apps / policies | CTS | Identities | UMA
---|---|---|---|---|---|---
Embedded ForgeRock Directory Services (1) | 7.4 | ✔ | ✔ | ✔ | ✔ | ✔
External ForgeRock Directory Services | 6 and later | ✔ | ✔ | ✔ | ✔ | ✔
File system-based | N/A | ✔ | | | |
Oracle Unified Directory | 11g R2 | | | | ✔ |
Oracle Directory Server Enterprise Edition | 11g | | | | ✔ |
Microsoft Active Directory | 2016, 2019 | | | | ✔ |
IBM Tivoli Directory Server | 6.4 | | | | ✔ |
(1) Demo and test environments only.
The procedure for preparing external directory servers for AM to use is similar for each data type and includes the following steps:
- If you don't have an existing directory server, install the external directory server software; for example, Directory Services.
- As the directory administrator, you may need to perform the following steps:
  - Apply the relevant schema to the directory.
  - Create indexes to optimize data retrieval from the directory server.
  - Create a user account with the minimum required privileges for AM to bind to the directory server and access the necessary data. Do not configure AM to bind as the directory's root user (for example, `uid=admin`): that account bypasses access control, so a compromised AM instance would have unrestricted access to every suffix on the server.
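The preparation steps above carried out against a DS server, as an added example that is not part of the AM documentation or of the DS distribution. It assumes the DS 7 command-line syntax for `ldapmodify`, `dsconfig` and `rebuild-index` (check `--help` on the version you installed), and uses sample values that this page does not define: the backend name `amIdentityStore`, the base DN `ou=identities`, the bind DN `uid=am-identity-bind-account,ou=admins,ou=identities`, the indexed attribute `mail`, the ports and the truststore paths. `password-reset` and `bypass-acl` are real DS privilege names, but which privileges a given AM store actually needs is not stated here and must be taken from the per-store preparation pages; the script grants only what you pass in.

```shell
#!/bin/sh
# Added example, not part of the AM documentation or the DS distribution.
# Prepares a DS server for one AM data store following the steps above:
# a dedicated bind account holding only the privileges passed in, an ACI that
# scopes that account to the store's base DN, and an index for an attribute
# AM searches on. Command-line flags follow DS 7 tool syntax (check `--help`
# on your version); DNs, backend and attribute names, ports and paths are
# sample values (assumptions, not AM or DS defaults).
set -eu

DS_HOST=${DS_HOST:-}                        # empty: dry run, write LDIF and print commands
DS_LDAPS_PORT=${DS_LDAPS_PORT:-1636}
DS_ADMIN_PORT=${DS_ADMIN_PORT:-4444}
DS_ADMIN_DN=${DS_ADMIN_DN:-uid=admin}
DS_ADMIN_PW_FILE=${DS_ADMIN_PW_FILE:-/run/ds-admin.pw}   # secret read from a file, not argv
DS_TRUSTSTORE=${DS_TRUSTSTORE:-/opt/opendj/config/keystore}
DS_TRUSTSTORE_PIN=${DS_TRUSTSTORE_PIN:-/opt/opendj/config/keystore.pin}

# Connection options shared by the DS tools: TLS verified against the DS
# truststore (not --trustAll), admin password taken from a file so it does not
# appear in `ps` output or shell history.
ds_conn_args() {
    printf -- '--hostname %s --port %s --bindDN %s --bindPasswordFile %s ' \
        "${DS_HOST:-ds.example.com}" "$1" "$DS_ADMIN_DN" "$DS_ADMIN_PW_FILE"
    printf -- '--useSsl --usePkcs12TrustStore %s --trustStorePassword:file %s' \
        "$DS_TRUSTSTORE" "$DS_TRUSTSTORE_PIN"
}

# LDIF for the AM bind account. Only the DS privileges given after the password
# are granted (for example password-reset for an identity store). bypass-acl is
# never granted, so data access is decided solely by the ACI below.
am_bind_account_ldif() {
    bind_dn=$1; bind_pw=$2; shift 2
    rdn=${bind_dn%%,*}; bind_uid=${rdn#uid=}
    printf 'dn: %s\nobjectClass: top\nobjectClass: person\n' "$bind_dn"
    printf 'objectClass: organizationalPerson\nobjectClass: inetOrgPerson\n'
    printf 'cn: %s\nsn: %s\nuid: %s\nuserPassword: %s\n' \
        "$bind_uid" "$bind_uid" "$bind_uid" "$bind_pw"
    for priv in "$@"; do printf 'ds-privilege-name: %s\n' "$priv"; done
}

# LDIF granting the bind account rights on the store's subtree only: user
# attributes (not operational ones) and nothing outside base_dn.
am_subtree_aci_ldif() {
    base_dn=$1; bind_dn=$2
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$base_dn"
    printf 'aci: (targetattr="*")(version 3.0; acl "AM store access"; '
    printf 'allow (read,search,compare,write,add,delete) userdn="ldap:///%s";)\n' "$bind_dn"
}

# dsconfig arguments that create an index (default type: equality) on one attribute.
ds_index_args() {
    printf 'create-backend-index --backend-name %s --index-name %s --set index-type:%s --no-prompt %s' \
        "$1" "$2" "${3:-equality}" "$(ds_conn_args "$DS_ADMIN_PORT")"
}

# Runs the preparation steps for one store, or prints them when DS_HOST is unset.
# Prints the directory holding the generated LDIF.
prepare_store() {
    backend=$1; base_dn=$2; bind_dn=$3; bind_pw=$4; index_attr=$5; shift 5
    outdir=$(mktemp -d)
    am_bind_account_ldif "$bind_dn" "$bind_pw" "$@" > "$outdir/bind-account.ldif"
    am_subtree_aci_ldif "$base_dn" "$bind_dn" > "$outdir/aci.ldif"
    if [ -n "$DS_HOST" ]; then
        ldapmodify $(ds_conn_args "$DS_LDAPS_PORT") < "$outdir/bind-account.ldif"
        ldapmodify $(ds_conn_args "$DS_LDAPS_PORT") < "$outdir/aci.ldif"
        dsconfig $(ds_index_args "$backend" "$index_attr")
        rebuild-index $(ds_conn_args "$DS_ADMIN_PORT") --baseDN "$base_dn" --index "$index_attr"
    else
        echo "# dry run: LDIF written to $outdir; commands that would run:"
        echo "ldapmodify $(ds_conn_args "$DS_LDAPS_PORT") < $outdir/bind-account.ldif"
        echo "ldapmodify $(ds_conn_args "$DS_LDAPS_PORT") < $outdir/aci.ldif"
        echo "dsconfig $(ds_index_args "$backend" "$index_attr")"
    fi
    echo "$outdir"
}

# Sample run (constructed values): an identity store whose bind account is
# allowed to reset user passwords and nothing more.
prepare_store amIdentityStore ou=identities \
    uid=am-identity-bind-account,ou=admins,ou=identities change-me mail password-reset
```

With `DS_HOST` unset the script only writes the LDIF and prints the commands, so you can review the account, the ACI and the index before anything touches the directory; set `DS_HOST`, the admin password file and the truststore variables to apply them. The DS administrator credentials are used once here to provision the store; the DN and password you then configure in AM are those of the generated bind account, which has no `bypass-acl` and is confined by the ACI to `base_dn`.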
To prepare the external stores AM needs during installation, refer to the following pages:
Where do I find more information about the other external stores?
You can configure all data stores except the configuration store after you install AM: