Child pages
  • Start AM 7.0.0 with Embedded DS 7.0.0
Skip to end of metadata
Go to start of metadata

As of the release of AM 7.0.0 and DS 7.0.0 LDAP connections to DS are now secure by default. This means that in order for AM to connect to the DS server, it needs to use the LDAPS port and the SSL/TLS feature. This applies both to external DS servers and the embedded DS server. As such AM requires the use of a truststore to hold the DS self-signed certificate.

This guide will cover both how to deploy AM with a default installation using Embedded DS and how to then connect to that Embedded DS using Apache Directory Studio.

Default Installation with AM 7.0.0

With the release of AM 7.0.0 the manual process to perform a default installation is unchanged.

The main differences appear if you are using the HTTP configurator to automatically install AM. In this case the DIRECTORY_SSL property value needs to be changed from SIMPLE to SSL.

The following is an example of using cURL to perform a default installation of AM using the HTTP Configurator:

# Install AM with default installation
export ADMINPWD=administrator
export DEMOPWD=changeit
export SERVER=
export BASE_DIR=$HOME/openam

curl --verbose "$SERVER/openam/config/configurator" \
--header "Content-Type:application/x-www-form-urlencoded" \
--data-urlencode "SERVER_URL=$SERVER" \
--data-urlencode "DEPLOYMENT_URI=openam" \
--data-urlencode "BASE_DIR=$BASE_DIR" \
--data-urlencode "locale=en_US" \
--data-urlencode "PLATFORM_LOCALE=en_US" \
--data-urlencode "ADMIN_PWD=$ADMINPWD" \
--data-urlencode "ADMIN_CONFIRM_PWD=$ADMINPWD" \
--data-urlencode "AMLDAPUSERPASSWD=$DEMOPWD" \
--data-urlencode "COOKIE_DOMAIN=$COOKIE_DOMAIN" \
--data-urlencode "DATA_STORE=embedded" \
--data-urlencode "DIRECTORY_SSL=SSL" \
--data-urlencode "DIRECTORY_SERVER=localhost" \
--data-urlencode "DIRECTORY_PORT=50636" \
--data-urlencode "DIRECTORY_ADMIN_PORT=4444" \
--data-urlencode "DIRECTORY_JMX_PORT=1689" \
--data-urlencode "ROOT_SUFFIX=dc=openam,dc=forgerock,dc=org" \
--data-urlencode "DS_DIRMGRDN=cn=Directory Manager" \
--data-urlencode "DS_DIRMGRPASSWD=administrator" \
--data-urlencode "acceptLicense=true"

Connecting to the Embedded DS Server using Apache Directory Studio

The following section details how to connect to the Embedded DS. Given that the Embedded DS certificate will change each time the developer deploys the server the approach shown below is likely to be the quickest way to connect to the server.

Configure New Connection

Start by creating a new connection in the Connections tab bottom left with the New Connection icon.

  • Tab: Network Parameter
    • Connection Name: Embedded DS
    • Hostname: localhost
    • Port: 50636
    • Encryption Method: Use SSL encryption (ldaps://)
  • Tab: Authentication
    • Authentication Method: Simple Authentication
    • Bind DN or User: cn="Directory Manager"
    • Bind Password: <AM Administrators password>
  • Click: Apply and Close

We can now use this connection to connect to the DS server. When doing so Apache Directory Studio will prompt for us to accept the certificate that is used for the LDAPS connection.

By selecting "Trust this certificate for this session" we can allow Apache Directory Studio to accept the DS certificate for this session without cluttering up the list of certificates that Apache Directory Studio needs to maintain.

Manual Configuration of Certificates

It is possible however to configure Apache Directory Studio with the DS certificate manually. In doing so we will explore how to extract the certificate from a keystore and add it into Apache Directory Studio.

Extract the ds-ca-cert Self-Signed Certificate from the AM truststore

During a default embedded installation, AM will create a truststore by copying the JDK default cacerts truststore ($JAVA_HOME/lib/security/cacerts) into the AM installation folder. This is done because AM is only able to use one truststore at a time. As such AM needs the default JDK provided Root CA Certificates to be in this truststore in order for it to be able to make secure out-going connections.

Assuming that the AM server is installed in the default location, the following command will export the ds-ca-cert from the truststore and place it into a file in the AM installation folder:

$ keytool -exportcert \
    -keystore $HOME/openam/security/keystores/truststore \
    -storepass changeit \
    -alias ds-ca-cert \
    -file $HOME/openam/ds-ca-cert.pem

This will the certificate into a PEM file in $HOME/openam/ds-ca-cert.pem.

Add Certificate to Apache Directory Studio

Before we add the connection details for the server, we can setup the certificate. This allows Apache Directory Studio to form a secure connection to the DS server.

We can add this certificate to Apache Directory Studio with the following commands:

  • MacOS Menu Bar > Apache Directory Studio > Preferences (CMD + ,)
  • Left hand side navigation: Apache Directory Studio > Connections > Certificate Validation
  • Tab: Permanent Trusted
  • Button: Add...
    • Select the location of the certificate: $HOME/openam/ds-ca-cert.pem
  • Click Apply and Close

Now connect to DS as shown previously using the connection created above.


  • The port number used above could be considered confusing. The LDAP port is typically 1389 and the LDAPS port is typically 1636. The port shown above is 50636 to look an LDAPS port.
  • The "Check Network Parameters" button fails, but the connection works ok. If we switch the Encryption Method to "Use StartTLS Extension" the "Check Network Parameters" button works but the connection fails.

1 Comment

  1. The Check Network Parameter functionality is working for me with Apache Directory Studio Version: 2.0.0.v20180908-M14 and Java 1.8.0_242-b08