PingAuthorize

Updating the topology registry

After the server connection handlers are updated to enable TLS, update the topology registry to provide information about the new configuration.

The topology registry holds information about server instances that are part of the environment, and it helps to facilitate inter-server communication, such as replication, mirroring portions of the configuration, and the PingAuthorize automatic backend server-discovery functionality.

The following table details the two types of entries that require updating.

Table: Configuration types and their update descriptions
Columns: Configuration type; Update description

Server instance listener configuration

  • Provides information that is needed to trust the TLS certificates that instances in the topology present.

  • The server instance listener configuration must include the server certificate, which is defined as the certificate at the head of the chain. The value must be the multi-line, PEM-formatted representation of the certificate. You can use dsconfig to import the certificate from a file, as shown in the following example.

    bin/dsconfig set-server-instance-listener-prop \
      --instance-name ds1 \
      --listener-name ldap-listener-mirrored-config \
      --set server-ldap-port:636 \
      --set connection-security:ssl \
      --set 'listener-certificate</ca/ds1-cert.pem'

The less-than operator < in the final line indicates that the value is read from a file rather than provided directly. In addition, you might need to enclose the property name and path within single straight quotes to prevent the shell from interpreting the less-than symbol as an attempt to redirect input.

Server instance configuration

  • Provides information about options for communicating with those instances.

  • Update the server instance configuration object to reflect the new methods that are available for communication with the instance. For example, the preferred-security property identifies the mechanism by which other instances in the topology attempt to communicate with the instance.

The following example code sets the LDAPS and HTTPS ports, indicates that StartTLS support is enabled, and instructs other instances to use SSL (LDAPS) when communicating with the instance.

dsconfig set-server-instance-prop \
  --instance-name ds1 \
  --set ldaps-port:636 \
  --set https-port:443 \
  --set preferred-security:ssl \
  --set start-tls-enabled:true
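As an added example (not part of the PingAuthorize documentation), the following POSIX shell snippet isolates the head-of-chain certificate from a PEM chain file so that only the server certificate, not the issuer certificates that follow it, is handed to the listener-certificate property. The file paths and the placeholder chain it builds are assumptions constructed for illustration.

```shell
# Added example, not PingAuthorize code: separate the head-of-chain (server)
# certificate from a PEM chain before importing it with dsconfig.
# All file paths below are assumptions.

# Print the number of PEM certificate blocks in a file (0 if none or missing).
pem_cert_count() {
  c=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${c:-0}"
}

# Copy only the first certificate block of "$1" into "$2" and print "$2".
# The first block is the server certificate; CA certificates that follow it
# in the chain are deliberately left out, as the listener property expects
# the certificate at the head of the chain.
extract_head_cert() {
  in="$1"; out="$2"
  awk '
    /^-----BEGIN CERTIFICATE-----/ { inblock = 1 }
    inblock { print }
    /^-----END CERTIFICATE-----/ && inblock { exit }
  ' "$in" > "$out" || return 1
  if [ "$(pem_cert_count "$out")" -ne 1 ]; then
    echo "extract_head_cert: no PEM certificate found in $in" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Write a constructed two-block "chain" (placeholder bodies, not real
# certificates) to "$1": the server certificate first, then its issuer.
write_sample_chain() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
SERVERCERTPLACEHOLDERLINE1
SERVERCERTPLACEHOLDERLINE2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUERCERTPLACEHOLDERLINE1
-----END CERTIFICATE-----
EOF
}

# Demonstration: build the constructed chain, extract its head, and print the
# dsconfig command that would import it (printed only, not executed).
chain=$(mktemp); head_cert=$(mktemp)
write_sample_chain "$chain"
extract_head_cert "$chain" "$head_cert" >/dev/null
echo "chain: $(pem_cert_count "$chain") cert(s); head: $(pem_cert_count "$head_cert")"
echo "bin/dsconfig set-server-instance-listener-prop --instance-name ds1 \\"
echo "  --listener-name ldap-listener-mirrored-config \\"
echo "  --set 'listener-certificate<$head_cert'"
```

The single quotes around the property argument are kept in the printed command so that the shell does not treat the less-than symbol as input redirection.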