As of the release of AM 7.0.0 and DS 7.0.0, LDAP connections to DS are secure by default. This means the port number has changed from the default of 1636 and the SSL/TLS feature should now be used. It is not possible to use DS without these changes from DS 7.0.0 onwards.
Engineers looking to set up AM with an external DS will need to follow a new process. This guide covers the process of setting up a truststore and installing AM with an external DS configuration store, for both DS version 7 and older versions of DS.
The following steps take you through the process of setting up the AM truststore with the DS self-signed certificate in it.
Create a truststore by copying the JDK provided truststore. The following commands give us an example of how to do this:
$ mkdir -p $HOME/openam/security/keystores
$ cp $JAVA_HOME/lib/security/cacerts $HOME/openam/security/keystores/truststore
Optional: if required, the password of the truststore can be changed from the default "changeit" to another password. The following command shows how to do this:
$ keytool -storepasswd -keystore $HOME/openam/security/keystores/truststore
Enter keystore password: changeit
New keystore password: badger
Re-enter new keystore password: badger
If you do choose to change this password, be sure to update the "javax.net.ssl.trustStorePassword" value in subsequent commands.
With the truststore created we can now set up DS. For DS 7.0.0 there have been some changes to the setup command. Of note is the inclusion of the
The following steps show setting up the server with the following fixed credentials:
This will create a server we can use for testing.
$ echo "administrator" > /tmp/admin.pwd
$ ./setup \
    --deploymentKey AForYBg8mR_0kRsWbGHSrUP8aApOtpw5CBVN1bkVDAKLAd0oCRgow6hc \
    --deploymentKeyPassword password \
    --rootUserDN "cn=Directory Manager" \
    --rootUserPasswordFile /tmp/admin.pwd \
    --monitorUserPasswordFile /tmp/admin.pwd \
    --hostname ds.localtest.me \
    --ldapPort 1389 \
    --ldapsPort 1636 \
    --httpsPort 8443 \
    --adminConnectorPort 4444 \
    --profile am-config \
    --set am-config/baseDn:ou=am-config \
    --set am-config/amConfigAdminPassword:administrator \
    --profile am-identity-store \
    --set am-identity-store/amIdentityStoreAdminPassword:administrator \
    --profile am-cts \
    --set am-cts/amCtsAdminPassword:administrator \
    --acceptLicense
The installation will then proceed with the following output:
Validating parameters..... Done
Configuring certificates......... Done

Store the following deployment key in a safe place and re-use it when configuring other servers in the topology:
AForYBg8mR_0kRsWbGHSrUP8aApOtpw5CBVN1bkVDAKLAd0oCRgow6hc

Configuring server..... Done
Configuring profile AM configuration data store......... Done
Configuring profile AM identity data store......... Done
Configuring profile AM CTS data store............. Done

To see basic server status and configuration, you can launch /opt/opendj/bin/status
The Deployment Key is either provided on the command line or output in the setup log. If one is not provided, a new key is generated on each installation.
For older methods of installing DS, check the appropriate getting started guide.
There are two approaches to this. The first is for DS 7+ only: it relies on knowledge of the deploymentKey and the deploymentKeyPassword, and uses the DS-provided dskeymgr tool. The second does not rely on knowledge of these two parameters, and can be used with older versions of DS.
Read the password for the locally installed DJ from the generated keystore.pin file in the installed DJ config directory:
Copy the ca-cert certificate from the keystore into the AM truststore:
Execute the following command from within the DS folder to export the self-signed certificate and store it in a file in the AM installation folder.
Note: We need both the Deployment Key and the Deployment Key Password to access the keystore.
Inspect the contents of this certificate to verify it is an X.509 certificate:
Import the DS self-signed certificate into the AM truststore with the following command:
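As an added example, not taken from this guide or from the DS or AM distributions, the following POSIX shell functions put the truststore creation from the earlier section and the two certificate-export routes, the X.509 sanity check and the import described above in one place, so each step can be run and checked individually. The DS alias "ca-cert", the keystore.pin file, the "changeit" default and the JAVA_OPTS properties come from the guide; the directory layout, the truststore alias "ds-ca-cert", the is_pem_certificate check and the exact dskeymgr export-ca-cert flags are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original guide). Assumed layout: AM under
# $AM_HOME, DS under $DS_HOME. Override via the environment before sourcing.
set -eu

AM_HOME="${AM_HOME:-$HOME/openam}"
TRUSTSTORE="$AM_HOME/security/keystores/truststore"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"   # JDK default, as in the guide
DS_HOME="${DS_HOME:-/opt/opendj}"
CA_ALIAS="ds-ca-cert"   # assumed alias for the DS CA inside the AM truststore

# Seed the AM truststore from the JDK cacerts (guide's first step). The file
# is made private to the AM user: it decides which servers AM will trust.
create_truststore() {
    mkdir -p "$(dirname "$TRUSTSTORE")"
    cp "$JAVA_HOME/lib/security/cacerts" "$TRUSTSTORE"
    chmod 600 "$TRUSTSTORE"
}

# Route A (DS 7+): dskeymgr re-derives the CA certificate from the deployment
# key, so it needs both the key and its password. Flags assumed from DS 7 usage.
export_ca_with_dskeymgr() {
    out="$1"; key="$2"; key_pass="$3"
    "$DS_HOME/bin/dskeymgr" export-ca-cert \
        --deploymentKey "$key" \
        --deploymentKeyPassword "$key_pass" \
        --outputFile "$out"
}

# Route B (any DS with config/keystore and config/keystore.pin): read the PIN
# from the file and export the entry in PEM (-rfc). DS 7 stores the CA under
# alias "ca-cert"; the alias is a parameter for older releases.
export_ca_with_keytool() {
    out="$1"; entry="${2:-ca-cert}"
    keytool -exportcert -rfc \
        -keystore "$DS_HOME/config/keystore" \
        -storepass "$(cat "$DS_HOME/config/keystore.pin")" \
        -alias "$entry" -file "$out"
}

# Cheap structural check before trusting anything: exactly one PEM certificate.
# Returns 0 if the file starts and ends with the X.509 PEM markers, 1 otherwise.
is_pem_certificate() {
    f="$1"
    [ -f "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tail -n 1 "$f" | grep -q '^-----END CERTIFICATE-----$' || return 1
    return 0
}

# Subject, issuer, validity and fingerprints, to compare with what the DS
# server reports before the certificate is imported.
show_certificate() {
    keytool -printcert -file "$1"
}

# Import the DS CA into the AM truststore (the import step of the guide).
import_ca() {
    keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Returns 0 if the given alias is present in the AM truststore.
truststore_has_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
        -alias "$1" >/dev/null 2>&1
}

# The JAVA_OPTS value AM needs, built from the same variables so that a
# truststore password changed with keytool -storepasswd stays in sync.
java_opts() {
    printf '%s %s %s\n' \
        "-Djavax.net.ssl.trustStore=$TRUSTSTORE" \
        "-Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASS" \
        "-Djavax.net.ssl.trustStoreType=jks"
}
```

Typical use is to source the file, run create_truststore, export the CA with whichever route applies, call is_pem_certificate and show_certificate on the result, then import_ca and finally export JAVA_OPTS="$(java_opts)" before starting AM. The keytool export route leaves the PIN in the process arguments only for the duration of the keytool call; the dskeymgr route takes the deployment key password as a parameter, so pass it from a variable rather than typing it on the command line.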
At this point we can now start DS with the following command:
We can then verify the status of the started server with the following:
$ bin/status -h ds.localtest.me -p 1636 -D "cn=Directory Manager" -w administrator --useJavaTrustStore $HOME/openam/security/keystores/truststore
Finally, before we can start AM we need to define the Java truststore override options to tell AM where the truststore is. This will allow AM to connect to the DS server:
$ export JAVA_OPTS="-Djavax.net.ssl.trustStore=$HOME/openam/security/keystores/truststore \
    -Djavax.net.ssl.trustStorePassword=changeit \
    -Djavax.net.ssl.trustStoreType=jks"
Then proceed to start AM and step through the configuration process.
If you are using the DS server configured in the guide above, the following are the configuration screens for the Configuration Data Store and User Store pages.