PingDirectory

Enabling PKCS #11 support during setup

About this task

If you know that you’re going to be using a PKCS #11 token, you can enable PKCS #11 support when running setup or manage-profile setup.

Steps

  • Run setup or manage-profile setup with the following important arguments:

    --usePKCS11KeyStore

    Indicates that you want to configure the server to use a PKCS #11 token to access the listener certificate.

    --pkcs11ProviderConfigFile <path>

    Specifies the path to the provider configuration file that tells the JVM how to access the PKCS #11 token.

    --keyStorePasswordFile <path>

    Specifies the path to the file containing the user PIN needed to interact with the PKCS #11 token.

    Example:

    $ ./setup \
         --no-prompt \
         --noPropertiesFile \
         --acceptLicense \
         --localHostName demo.example.com \
         --ldapPort 1389 \
         --ldapsPort 1636 \
         --httpsPort 1443 \
         --usePKCS11KeyStore \
         --pkcs11ProviderConfigFile config/path/to/provider.conf \
         --keyStorePasswordFile /path/to/pkcs11/user.pin \
         --encryptDataWithPassphraseFromFile config/encryption-settings.pin \
         --baseDN dc=example,dc=com \
         --rootUserDN "cn=Directory Manager" \
         --rootUserPasswordFile config/pre-encoded-root-user-password.txt \
         --instanceName demo-instance \
         --location demo-location
    
    Ping Identity Directory Server 8.3.0.0
    
    Initializing ..... Done
    Configuring Directory Server .....
    
    Server tools will be configured with a minimal heap size due to limited system memory
    available. If out of memory errors occur, it will be necessary to increase tool memory
    settings in java.properties and run dsjavaproperties for the changes to take effect.
    
    Configuring Directory Server ..... Done
    Configuring Certificates ..... Done
    Starting Directory Server ..... Done
    
    Access product documentation from docs/index.html

    If you don’t specify any trust store-related properties, then setup automatically generates a trust store populated with just the listener certificate, which works if the token is configured with a self-signed certificate, or if you’re using a certificate signed by an authority that is already included in the JVM’s default trust store.

    However, if you’re using a certificate signed by a private authority, then you likely want to either provide an existing trust store, such as in JKS or PKCS #12 format, or you want to use the --trustedCertificatePEMFile argument to specify the paths to PEM files for any appropriate issuer certificates that you want to include in the trust store.
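The three inputs that setup consumes here (the PIN file, the provider configuration file and any PEM issuer bundle) can be sanity-checked before the run. The POSIX shell script below is an added example, not part of PingDirectory or its setup tool: it verifies that the user PIN file is readable only by its owner (the PIN is a secret), that the provider configuration names a PKCS #11 library that exists on disk, and that a PEM file intended for --trustedCertificatePEMFile actually contains certificate blocks. The `name =` / `library =` layout it parses is the JDK's SunPKCS11 configuration format, which this page does not show and is assumed here; every path and file body in the script is a constructed placeholder.

```shell
#!/bin/sh
# Added example: pre-flight checks for the inputs of "setup --usePKCS11KeyStore".
# Not part of PingDirectory; all paths and file contents are constructed placeholders.

# The user PIN unlocks the token, so the PIN file must exist, be non-empty and be
# readable only by its owner (mode 0600 or 0400).
check_pin_file() {
    f="$1"
    [ -f "$f" ] || { echo "PIN file missing: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "PIN file is empty: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "PIN file $f has mode $mode; expected 0600 or 0400" >&2; return 1 ;;
    esac
}

# The provider configuration is assumed to use the JDK SunPKCS11 "attr = value"
# format; it must name the provider and point at a PKCS #11 library that exists.
# Prints the provider name on success.
check_provider_config() {
    c="$1"
    [ -f "$c" ] || { echo "provider config missing: $c" >&2; return 1; }
    name=$(sed -n 's/^[[:space:]]*name[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$c" | head -n 1)
    lib=$(sed -n 's/^[[:space:]]*library[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$c" | head -n 1)
    [ -n "$name" ] || { echo "$c: no 'name' entry" >&2; return 1; }
    [ -n "$lib" ] || { echo "$c: no 'library' entry" >&2; return 1; }
    [ -f "$lib" ] || { echo "$c: PKCS #11 library not found: $lib" >&2; return 1; }
    echo "$name"
}

# A PEM bundle for --trustedCertificatePEMFile is only useful if it holds at least
# one certificate block. Prints the number of blocks on success.
count_pem_certs() {
    p="$1"
    [ -f "$p" ] || { echo "PEM file missing: $p" >&2; return 1; }
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$p" || true)
    [ "$n" -gt 0 ] || { echo "no certificate blocks in $p" >&2; return 1; }
    echo "$n"
}

# Run all three checks; returns non-zero as soon as one of them fails.
preflight() {
    check_pin_file "$1" && check_provider_config "$2" >/dev/null && count_pem_certs "$3" >/dev/null
}

# Demonstration on constructed files in a scratch directory.
scratch=$(mktemp -d)
printf '1234\n' > "$scratch/user.pin"
chmod 600 "$scratch/user.pin"
touch "$scratch/libplaceholder-pkcs11.so"    # stands in for the real PKCS #11 module
cat > "$scratch/provider.conf" <<EOF
name = DemoToken
library = $scratch/libplaceholder-pkcs11.so
slot = 0
EOF
cat > "$scratch/issuers.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-body-not-a-real-certificate
-----END CERTIFICATE-----
EOF
if preflight "$scratch/user.pin" "$scratch/provider.conf" "$scratch/issuers.pem"; then
    echo "pre-flight OK: provider $(check_provider_config "$scratch/provider.conf"), $(count_pem_certs "$scratch/issuers.pem") issuer cert(s)"
else
    echo "pre-flight FAILED" >&2
fi
rm -rf "$scratch"
```

Run it before setup, pointing the three arguments of preflight at the real PIN file, provider configuration and issuer bundle; a non-zero exit identifies which input setup would have rejected or, in the PIN file's case, which secret is exposed more widely than it should be.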