Installing directory-service with my private CA and server key

I am building a test environment for learning purposes with ForgeRock Directory Service (DS) and Access Management (AM) products.

I use the latest DS-7.3.0 zip.

I can install DS, and it works like a charm with the default security settings. But now I would like to have a DS instance that uses my cryptographic keys. I use OpenVPN easy-rsa CLI utility to build and manage my private PKI CA.

So I have:

  • ca.crt - This is my CA certificate
  • ca.key - This is my CA private key
  • ds.hello.com.key - Server private key signed by my CA, DS will run on this host
  • ds.hello.com.crt - Server certificate

I checked the dskeymgr doc here and I ran the command multiple times to see how it works. As I see it, I can use this tool to generate a new CA in the config/keystore file using dskeymgr export-ca-cert. This adds a new CA to the keystore under the given alias.

The dskeymgr create-tls-key-pair generates a new TLS key-pair signed by the CA that sits in the keystore.

But I cannot see how to create a completely new keystore with my existing CA cert and server key, which is actually the TLS key, if I am correct.

I tried to use keytool and easyrsa to create a completely new keystore with my certs but DS does not accept it.

Could you please explain to me how to use my CA and server cert with forgerock DS?

Hi zappee

What sort of issues are you having with using a keystore generated via keytool? You can specify the keystore to use during installation via the --useJavaKeyStore, --useJceKeyStore, or --usePkcs12KeyStore arguments (be sure to include the --keyStorePassword argument as well) (see setup :: ForgeRock Directory Services) or post-installation using dsconfig, specifically with the Key Manager Provider objects (see Key Manager Provider :: ForgeRock Directory Services) or the Key Manager Provider option when running interactively.

If you are using one of these approaches and still experiencing an error, please share the details of what error you are receiving.

1 Like

Thank you for trying to help me. I have double-checked my config, but unfortunately it did not help.

This is how I deploy DS:

  1. generate my certificate
  2. import my CA to Java truststore
  3. generate DS deployment key
  4. generate DS master key
  5. install DS
  6. start DS
  7. Backup/Restore LDAP

1) Create my own *.pk12 keystore:

  • I added the CA key and server cert to the keystore.
  • Server cert is signed by CA

Result: ds.hello.com.p12

2) Then I import my CA to the Java truststore:

store_password="changeit"
keytool \
    -import \
    -trustcacerts \
    -cacerts \
    -alias "hello.com" \
    -file "/tmp/ca.crt" \
    -storepass "$store_password" \
    -noprompt

3) I generate the deployment key this way:
It was really hard to understand the differences between deployment-id, deployment-key, and master-key. I have seen that ForgeRock tried to clarify it a little bit and renamed deployment-id to deployment-key in the latest docs, but not everywhere, and as I understand it they are the same.
Anyway, I use this command to generate the key:

cd "$DS_HOME"
deployment_key_password="password"
deployment_key="$(bin/dskeymgr create-deployment-id --deploymentIdPassword "$deployment_key_password")"

4) I generate the ForgeRock master-key this way:

keystore_file="/tmp/ds.hello.com.p12"

"$DS_HOME/bin/dskeymgr" export-master-key-pair \
    --alias "master-key" \
    --deploymentKey "$deployment_key" \
    --deploymentKeyPassword "$deployment_key_password" \
    --keyStoreFile "$keystore_file" \
    --keyStorePassword "$store_password"

Result:

5) Install DS with this command:

profile="am-identity-store"
LDAP_USER_DN="uid=admin"
LDAP_USER_PASSWORD="password"
fqdn=$(hostname -f)  # ds.hello.com
truststore_file="/etc/ssl/certs/java/cacerts"

# ADMIN_CONNECTOR_PORT, LDAP_PORT and LDAPS_PORT are assumed to be set earlier in the script
cd "$DS_HOME"
./setup \
    --profile "$profile" \
    --serverId "$profile" \
    --deploymentId "$deployment_key" \
    --deploymentIdPassword "$deployment_key_password" \
    --rootUserDN "$LDAP_USER_DN" \
    --rootUserPassword "$LDAP_USER_PASSWORD" \
    --monitorUserPassword "$LDAP_USER_PASSWORD" \
    --hostname "$fqdn" \
    --adminConnectorPort "$ADMIN_CONNECTOR_PORT" \
    --ldapPort "$LDAP_PORT" \
    --enableStartTls \
    --ldapsPort "$LDAPS_PORT" \
    --set am-identity-store/amIdentityStoreAdminPassword:"$LDAP_USER_PASSWORD" \
    --acceptLicense \
    --usePkcs12KeyStore "$keystore_file" \
    --keyStorePassword "$store_password" \
    --certNickname "$fqdn" \
    --useJavaTrustStore "$truststore_file" \
    --trustStorePassword "$store_password"   # cacerts default password, same as store_password above

That works fine and I can start DS like a charm with "$DS_HOME/bin/start-ds".
I can connect to the LDAP with Apache Directory Studio.

7) Backup/Restore
Then I would like to use the dsbackup tool and the problem starts here. This command exits with the following error:

You have provided options for scheduling this operation as a task but options
provided for connecting to the server's tasks backend resulted in the
following error: 'Connect Error: Received fatal alert: certificate_unknown'

Command that I created:

"$DS_HOME/bin/dsbackup" create \
    --hostname "$fqdn" \
    --port "$ADMIN_CONNECTOR_PORT" \
    --bindDN "$LDAP_USER_DN" \
    --bindPassword "$LDAP_USER_PASSWORD" \
    --backendName amIdentityStore \
    --backupLocation "$DS_HOME/bak" \
    --no-prompt \
    --usePkcs12KeyStore "$keystore_file" \
    --keyStorePassword "$store_password" \
    --certNickname "$fqdn" \
    --useJavaTrustStore "$truststore_file" \
    --trustStorePassword "$store_password"

Maybe the way how I create my keystore or the master-key is/are wrong, or maybe there is a typo somewhere.

Could you please confirm that the flow I follow is okay or not?
Thanks a lot.

1 Like

Hey zappee

Your commands look great, and DS starting cleanly is a great sign that you are off to the right start. With regards to the issue you are seeing with Backup/Restore, the problem is likely stemming from the trust store arguments you are using. You are specifying that you want DS to use /etc/ssl/certs/java/cacerts as the trust store. That keystore is the default keystore used for storing CA certificates, and while it is great for commonly trusted CAs, it isn’t that great for certificates issued by your own CA (unless of course your CA’s root has been added by the team responsible for your PKI, but that’s a whole separate topic.)

You have a couple of options here:

  • Add your CA’s certificate chain (really just the root is needed) to cacerts
  • Reference a different keystore for your truststore (for example, you could reference the keystore file at /tmp/ds.hello.com.p12 which contains the same certificate being served by your directory server)

Hope this is helpful!

2 Likes
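To make the diagnosis above concrete, here is an added example (not from this thread or from ForgeRock) that reproduces the trust decision behind the `certificate_unknown` alert with openssl: it builds a throwaway private CA and a server certificate for ds.hello.com, then verifies that certificate against a trust store that lacks the CA (the role a stock cacerts plays) and against one that contains it. It assumes only that openssl is installed; all names and keys are constructed on the fly.

```shell
#!/bin/sh
# Added example (not from this thread): reproduce, offline, the trust check that
# fails with "certificate_unknown". A client only accepts the server's certificate
# when the trust store it was given contains the issuing CA.
set -u

# make_pki DIR: throwaway private CA, a server cert for ds.hello.com signed by it,
# and an unrelated CA standing in for a stock cacerts that has never seen ours.
make_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=hello.com test CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ds.key" -out "$d/ds.csr" \
        -subj "/CN=ds.hello.com" >/dev/null 2>&1
    openssl x509 -req -in "$d/ds.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/ds.crt" -days 30 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.crt" \
        -subj "/CN=some public CA" -days 30 >/dev/null 2>&1
}

# cert_trusted TRUSTFILE CERT: exit 0 only if CERT chains to a CA in TRUSTFILE.
# This is the decision the dsbackup client makes before it sends the alert.
cert_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: prints "<stock store>:<own CA store>" as fail/ok so the outcome is checkable.
demo() {
    d=$(mktemp -d)
    make_pki "$d"
    if cert_trusted "$d/other.crt" "$d/ds.crt"; then a=ok; else a=fail; fi   # wrong store
    if cert_trusted "$d/ca.crt" "$d/ds.crt";    then b=ok; else b=fail; fi   # right store
    rm -rf "$d"
    echo "$a:$b"   # fail:ok
}
```

With the stores from the thread, the same question is whether the alias `hello.com` appears in `keytool -list -cacerts -storepass changeit` and whether `keytool -list -v -keystore /tmp/ds.hello.com.p12 -storetype PKCS12` shows the CA in the server entry's chain.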

Hi @mwtech,

That was good advice. That solved my problem. But I had to “improve” it a little bit 🙂

When I changed the keystore reference to /tmp/ds.hello.com.p12 file, I got the same error. Then I changed a little bit how I set up the DS. I use /tmp/ds.hello.com.p12 for truststore too. This way the dsbackup command works great with the suggested keystore/truststore parameters.

As I can see, dsbackup works fine without keystore and truststore parameters. I completely deleted the keystore and truststore parameters and it still works. That is strange; I have no idea how that is possible, but it works this way too:

"$DS_HOME/bin/dsbackup" create \
    --hostname "$fqdn" \
    --port "$ADMIN_CONNECTOR_PORT" \
    --bindDN "$LDAP_USER_DN" \
    --bindPassword "$LDAP_USER_PASSWORD" \
    --backendName amIdentityStore \
    --backupLocation "$DS_HOME/bak" \
    --no-prompt

Thx!

2 Likes