PingAM 8.0.0

Step 2. Prepare your datastore

To prepare a single DS server as a configuration store, identity store, and CTS token store for evaluation purposes, perform the following tasks:

Create a deployment ID

  1. Unzip the DS .zip file into the file system directory where you want to install the server.

    $ unzip ~/Downloads/DS-8.0.0.zip -d /path/to/opendj
  2. Generate a deployment ID, using password as the deployment ID password:

    $ /path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
    <deployment-id>

    You’ll use this deployment ID and password when setting up your DS server and when generating the keys required to connect securely from AM to DS.

    When configuring DS for real-world use, don’t use this password. It is only for getting started with AM.
  3. Save the deployment ID as an environment variable:

    $ export DEPLOYMENT_ID=<deployment-id>

Create a truststore for AM

These steps create a copy of the default JVM truststore, and configure the AM web application container to use the new truststore:

  1. Copy the default truststore (for example, $JAVA_HOME/lib/security/cacerts), name the copy truststore, and place it in a directory of your choice:

    $ cp $JAVA_HOME/lib/security/cacerts /path/to/truststore

    If you place the truststore in the /path/to/am directory before you install AM, the installation process detects the directory isn’t empty and the installation fails.

    After AM is installed, you can move the truststore to a different directory, for example, /path/to/am/security/keystores.

    The default password of the $JAVA_HOME/lib/security/cacerts truststore is changeit. In a production deployment, you should change the default truststore password. Read the documentation for your JVM for instructions.

  2. Export the DS certificate.

    • On the DS host, export the DS CA certificate.

      DS uses a deployment ID and password to generate a CA key pair. Learn more in Deployment IDs.

      Use the dskeymgr command to export the CA certificate:

      $ /path/to/opendj/bin/dskeymgr \
      export-ca-cert \
      --deploymentId $DEPLOYMENT_ID \
      --deploymentIdPassword password \
      --outputFile /path/to/ca-cert.pem
    • Copy the ca-cert.pem file to an accessible location on the AM host.

  3. Import the DS CA certificate into the new truststore:

    $ keytool \
    -importcert \
    -file /path/to/ca-cert.pem \
    -keystore /path/to/truststore

    Enter the keystore password when prompted and confirm you trust this certificate.

  4. To configure the truststore in Apache Tomcat so that AM can access it, append the truststore settings to the CATALINA_OPTS variable in the setenv file.

    For example:

    In $CATALINA_BASE/bin/setenv.sh:

    export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m \
    -Djavax.net.ssl.trustStore=/path/to/truststore \
    -Djavax.net.ssl.trustStorePassword=new-password \
    -Djavax.net.ssl.trustStoreType=jks"

    In $CATALINA_BASE/bin/setenv.bat:

    set "CATALINA_OPTS=%CATALINA_OPTS% -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m ^
    -Djavax.net.ssl.trustStore=/path/to/truststore ^
    -Djavax.net.ssl.trustStorePassword=new-password ^
    -Djavax.net.ssl.trustStoreType=jks"

    Read your specific container’s documentation for information on configuring truststores.

    After AM is installed, you can move the truststore to a different location, for example, /path/to/am/security/keystores/. If you do, remember to update the truststore path in the container configuration.
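The following shell functions are an added example, not part of the PingAM documentation or of the DS and AM distributions. They automate the truststore steps above (copy the JVM truststore, import the DS CA certificate non-interactively, verify the import) and check the two caveats the page calls out: the truststore must not sit inside the AM deployment directory before installation, and the resulting JVM properties must match what goes into CATALINA_OPTS. The /path/to/... values, the alias name ds-ca and the password values are placeholders and assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the PingAM docs): helpers for the
# "Create a truststore for AM" procedure. Paths, the "ds-ca" alias and
# the passwords used in calls are placeholders.

# Return 0 when the truststore path is NOT inside the AM deployment
# directory. The page warns that a non-empty /path/to/am makes the AM
# installer fail, so reject that layout before copying anything.
truststore_outside_am_home() {
    ts="$1"       # truststore path, e.g. /path/to/truststore
    am_home="$2"  # AM deployment directory, e.g. /path/to/am
    case "$ts" in
        "$am_home"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the three JVM system properties that the page appends to
# CATALINA_OPTS in setenv.sh. Arguments: truststore path, truststore password.
catalina_truststore_opts() {
    printf '%s %s %s' \
        "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$2" \
        "-Djavax.net.ssl.trustStoreType=jks"
}

# Copy the JVM's default truststore and import the DS CA certificate.
# keytool -noprompt answers the "trust this certificate?" prompt and
# -storepass supplies the password instead of prompting for it.
# Arguments: cacerts path, destination truststore, truststore password,
# ca-cert.pem exported with "dskeymgr export-ca-cert".
create_am_truststore() {
    cacerts="$1"
    ts="$2"
    ts_pass="$3"   # changeit unless you changed it after copying
    ca_pem="$4"
    truststore_outside_am_home "$ts" "${AM_HOME:-/path/to/am}" || {
        echo "refusing to place truststore inside AM home: $ts" >&2
        return 1
    }
    cp "$cacerts" "$ts" || return 1
    keytool -importcert -noprompt -trustcacerts \
        -alias ds-ca -file "$ca_pem" \
        -keystore "$ts" -storepass "$ts_pass" || return 1
}

# Confirm the CA certificate is present under the expected alias.
# Arguments: truststore path, truststore password, alias.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Example invocation (assumed paths):
#   create_am_truststore "$JAVA_HOME/lib/security/cacerts" \
#       /path/to/truststore changeit /path/to/ca-cert.pem \
#   && truststore_has_alias /path/to/truststore changeit ds-ca \
#   && catalina_truststore_opts /path/to/truststore changeit
```

The location check runs before the copy so that a misplaced truststore is caught before it can break the AM installation; the alias check gives you a one-line confirmation to run again after you move the truststore under /path/to/am/security/keystores later.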

Install DS

These steps install DS as the configuration store, identity store, and CTS token store.

  1. Use the setup command to install DS with the am-config, am-cts, and am-identity-store profiles. For example:

    $ /path/to/opendj/setup \
    --deploymentId $DEPLOYMENT_ID \
    --deploymentIdPassword password \
    --rootUserDN uid=admin \
    --rootUserPassword str0ngAdm1nPa55word \
    --monitorUserPassword str0ngMon1torPa55word \
    --hostname ds.example.com \
    --adminConnectorPort 4444 \
    --ldapPort 1389 \
    --enableStartTls \
    --ldapsPort 1636 \
    --profile am-config \
    --set am-config/amConfigAdminPassword:5up35tr0ng \
    --profile am-cts \
    --set am-cts/amCtsAdminPassword:5up35tr0ng \
    --set am-cts/tokenExpirationPolicy:am-sessions-only \
    --profile am-identity-store \
    --set am-identity-store/amIdentityStoreAdminPassword:5up35tr0ng \
    --start \
    --acceptLicense

    Learn more about installing DS in the PingDS Installation documentation.

  2. Restart Tomcat:

    $ /path/to/tomcat/bin/shutdown.sh
    $ /path/to/tomcat/bin/startup.sh
  3. Proceed to Step 3. Deploy AM.