Thank you for trying to help me. I have double-checked my config but unfortunately it did not help.
This is how I deploy DS:
- generate my certificate
- import my CA to Java truststore
- generate DS deployment key
- generate DS master key
- install DS
- start DS
- Backup/Restore LDAP
1) Create my own *.p12 keystore:
- I added the CA key and server cert to the keystore.
- Server cert is signed by CA
Result: ds.hello.com.p12
2) Then I import my CA to Java truststore:
store_password="changeit"
keytool \
-import \
-trustcacerts \
-cacerts \
-alias "hello.com" \
-file "/tmp/ca.crt" \
-storepass "$store_password" \
-noprompt
3) I generate the deployment key this way:
It was really hard to understand the differences between deployment-id, deployment-key, and master-key. I have seen that ForgeRock tried to clarify it a little bit and renamed deployment-id to deployment-key in the latest docs, but not everywhere, and as I understand it they are the same.
Anyway, I use this command to generate the key:
cd "$DS_HOME"
deployment_key_password="password"
deployment_key="$(bin/dskeymgr create-deployment-id --deploymentIdPassword "$deployment_key_password")"
4) I generate the ForgeRock master-key this way:
keystore_file="/tmp/ds.hello.com.p12"
"$DS_HOME/bin/dskeymgr" export-master-key-pair \
--alias "master-key" \
--deploymentKey "$deployment_key" \
--deploymentKeyPassword "$deployment_key_password" \
--keyStoreFile "$keystore_file" \
--keyStorePassword "$store_password"
Result:
5) Install DS with this command:
profile="am-identity-store"
LDAP_USER_DN="uid=admin"
LDAP_USER_PASSWORD="password"
fqdn=$(hostname -f) # ds.hello.com
truststore_file="/etc/ssl/certs/java/cacerts"
# ADMIN_CONNECTOR_PORT, LDAP_PORT and LDAPS_PORT are set in the environment (values not shown here)
cd "$DS_HOME"
./setup \
--profile "$profile" \
--serverId "$profile" \
--deploymentId "$deployment_key" \
--deploymentIdPassword "$deployment_key_password" \
--rootUserDN "$LDAP_USER_DN" \
--rootUserPassword "$LDAP_USER_PASSWORD" \
--monitorUserPassword "$LDAP_USER_PASSWORD" \
--hostname "$fqdn" \
--adminConnectorPort "$ADMIN_CONNECTOR_PORT" \
--ldapPort "$LDAP_PORT" \
--enableStartTls \
--ldapsPort "$LDAPS_PORT" \
--set am-identity-store/amIdentityStoreAdminPassword:"$LDAP_USER_PASSWORD" \
--acceptLicense \
--usePkcs12KeyStore "$keystore_file" \
--keyStorePassword "$store_password" \
--certNickname "$fqdn" \
--useJavaTrustStore "$truststore_file" \
--trustStorePassword "$store_password"
That works fine and I can start DS like a charm with "$DS_HOME/bin/start-ds".
I can connect to the LDAP with Apache Directory Studio.
7) Backup/Restore
Then I would like to use the dsbackup tool, and the problem starts here. This command exits with the following error:
You have provided options for scheduling this operation as a task but options
provided for connecting to the server's tasks backend resulted in the
following error: 'Connect Error: Received fatal alert: certificate_unknown'
Command that I created:
"$DS_HOME/bin/dsbackup" create \
--hostname "$fqdn" \
--port "$ADMIN_CONNECTOR_PORT" \
--bindDN "$LDAP_USER_DN" \
--bindPassword "$LDAP_USER_PASSWORD" \
--backendName amIdentityStore \
--backupLocation "$DS_HOME/bak" \
--no-prompt \
--usePkcs12KeyStore "$keystore_file" \
--keyStorePassword "$store_password" \
--certNickname "$fqdn" \
--useJavaTrustStore "$truststore_file" \
--trustStorePassword "$store_password"
Maybe the way how I create my keystore or the master-key is/are wrong, or maybe there is a typo somewhere.
Could you please confirm that the flow I follow is okay or not?
Thanks a lot.
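As an added example (not the poster's commands and not ForgeRock's own tooling), the script below builds the PKCS#12 keystore from step 1 with a throwaway CA and then runs the two checks worth doing before handing the file to setup or dsbackup: that the keystore's friendlyName (the alias the --certNickname option must name) is the FQDN, and that the server certificate chains to the CA and carries the FQDN in its subjectAltName. It uses openssl rather than keytool; the names ds.hello.com and changeit are assumptions copied from the post, and the CA and certificates are generated in a temporary directory so nothing real is touched.

```shell
#!/bin/sh
# Added example, not the poster's code: throwaway CA + server cert + PKCS#12,
# followed by the alias and chain/hostname checks. All names are assumptions.

# make_fixtures DIR FQDN: create DIR/ca.crt, DIR/server.crt and DIR/FQDN.p12 (password: changeit)
make_fixtures() {
    dir=$1; fqdn=$2
    # CA: self-signed through x509 -req so CA:TRUE does not depend on the local openssl.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=hello.com test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Server cert: CN and SAN both carry the FQDN; TLS clients match the hostname against the SAN
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$fqdn" > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    # PKCS#12: -name sets the alias (friendlyName); the CA cert is bundled with -certfile
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" -certfile "$dir/ca.crt" \
        -name "$fqdn" -passout pass:changeit -out "$dir/$fqdn.p12" >/dev/null 2>&1
}

# p12_alias_matches P12 PASSWORD ALIAS: exit 0 only if the keystore has an entry whose alias is ALIAS
p12_alias_matches() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | sed 's/^[[:space:]]*//' | grep -Fxq "friendlyName: $3"
}

# cert_chain_and_host_ok CA CERT HOST: exit 0 only if CERT chains to CA and its SAN covers HOST
cert_chain_and_host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run against constructed fixtures
WORK=$(mktemp -d)
FQDN=ds.hello.com   # assumed FQDN, as in the post
make_fixtures "$WORK" "$FQDN" || { echo "fixture generation failed (is openssl installed?)"; exit 1; }

for alias in "$FQDN" "wrong.alias"; do
    if p12_alias_matches "$WORK/$FQDN.p12" changeit "$alias"; then
        echo "alias '$alias' present in $FQDN.p12: usable as --certNickname"
    else
        echo "alias '$alias' absent from $FQDN.p12: --certNickname must name an existing entry"
    fi
done

for host in "$FQDN" "ldap.hello.com"; do
    if cert_chain_and_host_ok "$WORK/ca.crt" "$WORK/server.crt" "$host"; then
        echo "server.crt chains to ca.crt and is valid for host '$host'"
    else
        echo "server.crt does NOT verify for host '$host' against ca.crt"
    fi
done

rm -rf "$WORK"
```

Running the same two functions against the real ds.hello.com.p12 and ca.crt (with the password used at export time) tells you whether the alias passed as --certNickname and the hostname passed as --hostname actually agree with what is inside the keystore, which is the first thing to rule out when a TLS client reports an alert about the certificate.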