PingAuthorize

Enabling TLS support during server setup

Enable TLS support in the server.

To enable TLS support in the server, you should complete one of the following tasks during the setup procedure:

  • Provide a key store that contains the certificate to use.

  • Make the installer generate a self-signed certificate.

When using the setup tool in interactive mode, it prompts you for the information that it needs to configure secure communication.

When using setup in non-interactive mode, use the following arguments to configure TLS support.

--ldapsPort {port}
    Server enables support for LDAPS (LDAP over TLS) on the specified TCP port.

--httpsPort {port}
    Server enables support for HTTPS for SCIM, the Directory REST API, and the web-based administration console on the specified TCP port.

--enableStartTLS
    LDAP connection handler enables support for the StartTLS extended operation.

--generateSelfSignedCertificate
    setup generates a self-signed certificate that is presented to clients that use LDAPS, HTTPS, and the StartTLS extended operation.

--useJavaKeyStore {path}
    Server uses the specified Java KeyStore (JKS) key store to obtain the certificate chain that it presents to clients that use LDAPS, HTTPS, and the StartTLS extended operation.

--usePKCS12KeyStore {path}
    Server uses the specified PKCS #12 key store to obtain the certificate chain that it presents to clients that use LDAPS, HTTPS, and the StartTLS extended operation.

--usePKCS11KeyStore
    Server uses a PKCS #11 key store, like a hardware security module, to obtain the certificate chain that it presents to clients that use LDAPS, HTTPS, and the StartTLS extended operation. The Java Virtual Machine (JVM) must already be configured to access the appropriate key store through PKCS #11.

--keyStorePassword {password}
    Password that is needed to interact with the specified JKS, PKCS #12, or PKCS #11 key store. The setup tool assumes that the private key password matches the key store password.

--keyStorePasswordFile {path}
    Path to the file that contains the password needed to interact with the specified JKS, PKCS #12, or PKCS #11 key store.

--certNickname {alias}
    Alias of the private key entry in the specified key store that contains the certificate chain to present to clients during TLS negotiation. This argument is optional but recommended if the key store contains multiple certificates.

--useJavaTrustStore {path}
    Server uses the specified JKS trust store to determine whether to trust certificate chains that are presented to it during TLS negotiation.

--usePKCS12TrustStore {path}
    Server uses the specified PKCS #12 trust store to determine whether to trust certificate chains that are presented to it during TLS negotiation.

--trustStorePassword {password}
    Password that is needed to interact with the specified JKS or PKCS #11 trust store.

--trustStorePasswordFile {path}
    Path to the file that contains the password needed to interact with the specified JKS or PKCS #11 trust store.
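As an added example (not part of the PingAuthorize documentation or tooling), the following Python helper assembles the TLS-related arguments for a non-interactive setup run and rejects combinations that the argument list above cannot satisfy, so a provisioning script fails before setup does. It assumes that a key store always needs a password file and treats the trust store password as optional.

```python
KEY_STORE_FLAGS = {"jks": "--useJavaKeyStore", "pkcs12": "--usePKCS12KeyStore",
                   "pkcs11": "--usePKCS11KeyStore"}
TRUST_STORE_FLAGS = {"jks": "--useJavaTrustStore", "pkcs12": "--usePKCS12TrustStore"}


def tls_setup_args(ldaps_port=None, https_port=None, start_tls=False, self_signed=False,
                   key_store=None, key_store_path=None, key_store_pin_file=None,
                   cert_nickname=None, trust_store=None, trust_store_path=None,
                   trust_store_pin_file=None):
    """Return the TLS-related setup arguments, raising ValueError for combinations
    the argument list above rules out. key_store is "jks", "pkcs12" or "pkcs11";
    trust_store is "jks" or "pkcs12". Only the *PasswordFile forms are emitted,
    because an inline --keyStorePassword ends up in shell history and ps output."""
    if (ldaps_port or https_port or start_tls) and not (self_signed or key_store):
        raise ValueError("a TLS listener needs a key store or a self-signed certificate")
    if self_signed and key_store:
        raise ValueError("use either --generateSelfSignedCertificate or a key store, not both")
    args = []
    if ldaps_port:
        args += ["--ldapsPort", str(ldaps_port)]
    if https_port:
        args += ["--httpsPort", str(https_port)]
    if start_tls:
        args.append("--enableStartTLS")
    if self_signed:
        args.append("--generateSelfSignedCertificate")
    if key_store:
        flag = KEY_STORE_FLAGS[key_store]          # KeyError for an unknown store type
        if key_store == "pkcs11":                  # the JVM already selects the PKCS #11 provider
            if key_store_path:
                raise ValueError("--usePKCS11KeyStore takes no path")
            args.append(flag)
        elif key_store_path:
            args += [flag, key_store_path]
        else:
            raise ValueError(f"{flag} requires a key store path")
        if not key_store_pin_file:                 # assumption: key store access always needs a password
            raise ValueError("key store access needs --keyStorePasswordFile")
        args += ["--keyStorePasswordFile", key_store_pin_file]
        if cert_nickname:                          # recommended when the store holds several entries
            args += ["--certNickname", cert_nickname]
    if trust_store:
        if not trust_store_path:
            raise ValueError("trust store requires a path")
        args += [TRUST_STORE_FLAGS[trust_store], trust_store_path]
        if trust_store_pin_file:                   # assumption: trust store password is optional
            args += ["--trustStorePasswordFile", trust_store_pin_file]
    return args
```

The returned list can be appended to the non-TLS setup arguments (ports, root DN, instance name) and passed to subprocess.run without a shell, which keeps the password file paths, not the passwords, on the command line.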

The following example command sets up PingAuthorize in non-interactive mode with an existing certificate.

$ ./setup \
  --no-prompt \
  --acceptLicense \
  --ldapPort 8389 \
  --ldapsPort 8636 \
  --httpsPort 8443 \
  --enableStartTLS \
  --useJavaKeyStore config/keystore \
  --keyStorePasswordFile config/keystore.pin \
  --certNickname server-cert \
  --useJavaTrustStore config/truststore \
  --trustStorePasswordFile config/truststore.pin  \
  --rootUserDN "cn=Directory Manager" \
  --rootUserPasswordFile root-pw.txt \
  --maxHeapSize 1g \
  --location Austin \
  --instanceName paz1
  .
  .
  .

Initializing ..... Done
Configuring PingAuthorize Server ..... Done
Configuring Certificates ..... Done
Creating Encryption Settings ..... Done
Starting PingAuthorize Server ..... Done

The server is now ready for configuration. You may either run the
create-initial-config tool to continue configuration or import an
existing configuration using dsconfig.

Access product documentation from https://myhostname:8443/docs/index.html