In what is presently step 3 of https://ea.forgerock.com/docs/am/install-guide/prepare-configuration-store.html#prepare-ds-for-config, the suggestion when trusting connections to the external directory is to add a truststore to the Tomcat connector:
This, however, is for connection to Tomcat. When you set things up that way, AM cannot connect to DS over TLS.
When AM is connecting from inside Tomcat over a secure connection to an external application, such as DS, the truststore needs to be available from inside Tomcat. For example, see https://stackoverflow.com/questions/21833732/configure-truststore-in-tomcat.
My hackaround on the laptop was to add options to tomcat/bin/catalina.sh before starting Tomcat:
That long generated password is the content of /path/to/opendj/config/keystore.pin.
Maybe there's an AM truststore that I should've used instead.
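The distinction drawn above, as an added example that is not part of the original report: outbound TLS from AM to DS is governed by the JVM-wide `javax.net.ssl.trustStore` system properties, not by the connector's truststore. The function name `jvm_trust_opts`, the store file name `keystore` and the use of `setenv.sh` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build the JVM options that make a truststore visible to
# code running inside Tomcat (AM's outbound LDAPS connection to DS).
# Assumed layout (not from the original report): the store sits beside
# its PIN file, e.g. /path/to/opendj/config/keystore and keystore.pin.

# jvm_trust_opts STORE PINFILE
# Prints the -D options on stdout; returns non-zero if an input is unusable.
jvm_trust_opts() {
    store=$1
    pinfile=$2

    [ -r "$store" ]   || { echo "cannot read store: $store" >&2; return 1; }
    [ -r "$pinfile" ] || { echo "cannot read PIN file: $pinfile" >&2; return 1; }

    # Use the first line of the PIN file, without its line terminator.
    pin=$(head -n 1 "$pinfile" | tr -d '\r\n')
    [ -n "$pin" ] || { echo "empty PIN file: $pinfile" >&2; return 1; }

    # CATALINA_OPTS is expanded by the shell inside catalina.sh, so accept
    # only a conservative character set in both values.
    case $pin in
        *[!A-Za-z0-9._/+=-]*) echo "PIN has unsafe characters" >&2; return 1 ;;
    esac
    case $store in
        *[!A-Za-z0-9._/+=-]*) echo "store path has unsafe characters" >&2; return 1 ;;
    esac

    # Note: the password ends up on the java command line, so it is visible
    # in the process listing to other local users.
    printf '%s %s\n' \
        "-Djavax.net.ssl.trustStore=$store" \
        "-Djavax.net.ssl.trustStorePassword=$pin"
}

# Usage from tomcat/bin/setenv.sh (sourced by catalina.sh when present):
#   opts=$(jvm_trust_opts /path/to/opendj/config/keystore \
#                         /path/to/opendj/config/keystore.pin) || exit 1
#   CATALINA_OPTS="$CATALINA_OPTS $opts"
```

Setting `javax.net.ssl.trustStore` replaces the JVM's default `cacerts` for every outbound TLS connection made with the default trust manager, so any other CA the web application relies on must also be present in that store.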