PingDS 7.5.1

Install DS for AM CTS

  1. Before proceeding, install the server files.
    For details, refer to Unpack files.

  2. Run the appropriate setup command with the --profile am-cts option.

    Installation settings depend on AM token expiration and session capability requirements. Letting DS expire tokens is efficient, but affects sending AM notifications about session expiration and timeouts to AM policy agents.

    1. AM reaper manages all token expiration (AM default):

      $ /path/to/opendj/setup \
       --deploymentId $DEPLOYMENT_ID \
       --deploymentIdPassword password \
       --rootUserDN uid=admin \
       --rootUserPassword str0ngAdm1nPa55word \
       --monitorUserPassword str0ngMon1torPa55word \
       --hostname ds.example.com \
       --adminConnectorPort 4444 \
       --ldapPort 1389 \
       --enableStartTls \
       --ldapsPort 1636 \
       --httpsPort 8443 \
       --replicationPort 8989 \
       --bootstrapReplicationServer rs1.example.com:8989 \
       --bootstrapReplicationServer rs2.example.com:8989 \
       --profile am-cts \
       --set am-cts/amCtsAdminPassword:5up35tr0ng \
       --acceptLicense
    2. AM reaper manages only SESSION token expiration:

      $ /path/to/opendj/setup \
       --deploymentId $DEPLOYMENT_ID \
       --deploymentIdPassword password \
       --rootUserDN uid=admin \
       --rootUserPassword str0ngAdm1nPa55word \
       --monitorUserPassword str0ngMon1torPa55word \
       --hostname ds.example.com \
       --adminConnectorPort 4444 \
       --ldapPort 1389 \
       --enableStartTls \
       --ldapsPort 1636 \
       --httpsPort 8443 \
       --replicationPort 8989 \
       --bootstrapReplicationServer rs1.example.com:8989 \
       --bootstrapReplicationServer rs2.example.com:8989 \
       --profile am-cts \
       --set am-cts/amCtsAdminPassword:5up35tr0ng \
       --set am-cts/tokenExpirationPolicy:am-sessions-only \
       --acceptLicense
    3. DS manages all token expiration:

      $ /path/to/opendj/setup \
       --deploymentId $DEPLOYMENT_ID \
       --deploymentIdPassword password \
       --rootUserDN uid=admin \
       --rootUserPassword str0ngAdm1nPa55word \
       --monitorUserPassword str0ngMon1torPa55word \
       --hostname ds.example.com \
       --adminConnectorPort 4444 \
       --ldapPort 1389 \
       --enableStartTls \
       --ldapsPort 1636 \
       --httpsPort 8443 \
       --replicationPort 8989 \
       --bootstrapReplicationServer rs1.example.com:8989 \
       --bootstrapReplicationServer rs2.example.com:8989 \
       --profile am-cts \
       --set am-cts/amCtsAdminPassword:5up35tr0ng \
       --set am-cts/tokenExpirationPolicy:ds \
       --acceptLicense

    In the preceding example commands:

    • The deployment ID for installing the server is stored in the environment variable DEPLOYMENT_ID. Install all servers in the same deployment with the same deployment ID and deployment ID password. For details, read Deployment IDs.

    • The service account to use in AM when connecting to DS has:

      • Bind DN: uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens.

      • Password: The password you set with am-cts/amCtsAdminPassword.

    • The base DN for AM CTS tokens is ou=famrecords,ou=openam-session,ou=tokens.

      AM and IDM expect exclusive access to the data in each setup profile. Keep the data separate by using distinct base DNs and domains for each setup profile. Don’t accidentally mix the data by choosing a base DN under another base DN.

    • The am-cts profile excludes the base DN from change number indexing.

    For the full list of profiles and parameters, refer to Default setup profiles.

  3. Finish configuring the server before you start it.

    For a list of optional steps at this stage, refer to Install DS for custom cases.

  4. Start the server:

    $ /path/to/opendj/bin/start-ds