PingDirectory

Configuring authentication with a SASL external certificate

By default, the PingDirectoryProxy server authenticates to the PingDirectory server using LDAP simple authentication with a bind DN and a password. You can configure the PingDirectoryProxy server to use Simple Authentication and Security Layer (SASL) EXTERNAL to authenticate to the PingDirectory server with a client certificate instead. With SASL EXTERNAL, the backend server derives the proxy's identity from the certificate presented during the TLS handshake, so no bind password for the proxy user needs to be stored in the PingDirectoryProxy configuration.

Before you begin

Install and configure the PingDirectoryProxy server instances to communicate with the backend PingDirectory server instances using either SSL or StartTLS. SASL EXTERNAL relies on the client certificate presented during the TLS handshake, so the connections must be TLS-protected before the bind takes place.

Steps

  1. Create a Java KeyStore (JKS) containing a key pair and certificate that the PingDirectoryProxy server instances will use to authenticate to the PingDirectory instances. The certificate subject (the -dname value) is the identity that the PingDirectory servers map the certificate to, so it must correspond to the proxy user's entry; the example uses cn=Proxy User,cn=Root DNs,cn=config. The -validity value of 7300 days (about 20 years) is only the example's choice; shorten it to match your certificate rotation policy.

    1. Run the following command in the instance root of one of the PingDirectoryProxy server instances.

      $ keytool -genkeypair \
        -keystore config/proxy-user-keystore \
        -storetype JKS \
        -keyalg RSA \
        -keysize 2048 \
        -alias proxy-user-cert \
        -dname "cn=Proxy User,cn=Root DNs,cn=config" \
        -validity 7300
    2. When prompted for a key store password, enter a strong password to protect the certificate.

    3. When prompted for the key password, press Enter to use the key store password to protect the private key.

  2. Use a text editor to create a config/proxy-user-keystore.pin file containing a single line that is the key store password provided in the previous step. The file holds the password in clear text, so restrict its permissions so that only the account the server runs as can read it.

  3. If there are other PingDirectoryProxy server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pin files into the config directory of all instances.

  4. To export the public component of the proxy user certificate to a text file, run the following command.

    $ keytool -export \
      -keystore config/proxy-user-keystore \
      -alias proxy-user-cert \
      -file config/proxy-user-cert.txt
  5. Copy the proxy-user-cert.txt file into the config directory of all directory server instances.

    1. Import that certificate into each server’s primary trust store by running the following command from the server root.

      $ keytool -import \
        -keystore config/truststore \
        -alias proxy-user-cert \
        -file config/proxy-user-cert.txt
    2. When prompted for the keystore password, enter the password contained in the config/truststore.pin file.

    3. When prompted to trust the certificate, enter yes.

  6. To update the configuration for each PingDirectoryProxy server instance to create a new key manager provider that will obtain its certificate from the config/proxy-user-keystore file, run the following dsconfig command.

    $ dsconfig create-key-manager-provider \
      --provider-name "Proxy User Certificate" \
      --type file-based \
      --set enabled:true \
      --set key-store-file:config/proxy-user-keystore \
      --set key-store-type:JKS \
      --set key-store-pin-file:config/proxy-user-keystore.pin
  7. To update the configuration for each LDAP external server in each PingDirectoryProxy server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication, run the following dsconfig command. Run it once for every LDAP external server, substituting that server's name for ds1.example.com:636.

    $ dsconfig set-external-server-prop \
      --server-name ds1.example.com:636 \
      --set authentication-method:external \
      --set "key-manager-provider:Proxy User Certificate"

    Result:

    After these changes, the PingDirectoryProxy server re-establishes its connections to the LDAP external server and authenticates with SASL EXTERNAL.

  8. Verify that the PingDirectoryProxy server can communicate with all backend servers by running the bin/status command.

    Result:

    All of the servers listed in the "--- LDAP External Servers ---" section are available.

  9. Review the PingDirectory server access log.

    The BIND RESULT messages for the connections from the PingDirectoryProxy server include the following:

    • authType="SASL"

    • saslMechanism="EXTERNAL"

    • resultCode=0

    • authDN="cn=Proxy User,cn=Root DNs,cn=config"
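
The access-log review in the last step can be scripted. The following Python is an added example, not part of the Ping documentation or the product: it parses BIND RESULT lines, counts successful SASL EXTERNAL binds by the expected proxy DN, and flags two conditions an operator wants to know about after the cutover: EXTERNAL binds that failed (resultCode other than 0, typically a certificate that the backend cannot map to an entry) and SIMPLE binds still arriving as the proxy user (a PingDirectoryProxy instance or external server that was not reconfigured). The sample log lines are constructed for this example and only approximate the PingDirectory access-log layout; the field names it checks (authType, saslMechanism, resultCode, authDN) are the ones listed above.

```python
"""Audit PingDirectory access-log BIND RESULT lines after switching to SASL EXTERNAL.

Added example, not Ping Identity code. The log lines in SAMPLE_LOG are
constructed for this example and approximate the access-log format.
"""
import re
from collections import Counter

# Subject DN used in the keytool -dname above; expected authDN on success.
PROXY_USER_DN = "cn=Proxy User,cn=Root DNs,cn=config"

# Matches key="quoted value" or key=bare-value tokens in an access-log line.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: one good EXTERNAL bind, one SIMPLE bind by the proxy user
# (not yet migrated), one failed EXTERNAL bind, one unrelated SIMPLE bind.
SAMPLE_LOG = """\
[01/Jan/2024:12:00:00.001 +0000] CONNECT conn=7 from="192.0.2.10:51234" to="192.0.2.20:636" protocol="LDAPS"
[01/Jan/2024:12:00:00.015 +0000] BIND REQUEST conn=7 op=0 msgID=1 type=SASL mechanism="EXTERNAL"
[01/Jan/2024:12:00:00.020 +0000] BIND RESULT conn=7 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=4.812 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:12:00:01.100 +0000] BIND RESULT conn=8 op=0 msgID=1 authType="SIMPLE" resultCode=0 etime=1.201 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:12:00:02.300 +0000] BIND RESULT conn=9 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=49 etime=3.010
[01/Jan/2024:12:00:03.400 +0000] BIND RESULT conn=10 op=0 msgID=1 authType="SIMPLE" resultCode=0 etime=0.900 authDN="uid=app,ou=People,dc=example,dc=com"
"""


def parse_access_line(line):
    """Return (message_type, {field: value}) for one access-log line, or None."""
    m = re.match(r'^\[[^\]]*\]\s+([A-Z]+(?: [A-Z]+)?)\s+(.*)$', line)
    if not m:
        return None
    msg_type, rest = m.group(1), m.group(2)
    # findall yields (key, quoted, bare); exactly one of quoted/bare is set.
    fields = {k: (q if q else b) for k, q, b in _FIELD_RE.findall(rest)}
    return msg_type, fields


def audit_binds(lines, expected_dn=PROXY_USER_DN):
    """Classify BIND RESULT lines.

    Returns (summary, findings): summary counts external_ok, external_failed,
    wrong_dn, simple_proxy_bind and other; findings lists the lines that
    need operator attention.
    """
    summary = Counter()
    findings = []
    for line in lines:
        parsed = parse_access_line(line)
        if parsed is None or parsed[0] != "BIND RESULT":
            continue
        f = parsed[1]
        auth_type, mech = f.get("authType"), f.get("saslMechanism")
        result_code, auth_dn = f.get("resultCode"), f.get("authDN")
        if auth_type == "SASL" and mech == "EXTERNAL":
            if result_code != "0":
                summary["external_failed"] += 1      # cert not mapped / rejected
                findings.append(line)
            elif auth_dn != expected_dn:
                summary["wrong_dn"] += 1             # mapped to an unexpected entry
                findings.append(line)
            else:
                summary["external_ok"] += 1
        elif auth_type == "SIMPLE" and auth_dn == expected_dn:
            summary["simple_proxy_bind"] += 1        # a proxy still using the password
            findings.append(line)
        else:
            summary["other"] += 1                    # binds by other clients
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_binds(SAMPLE_LOG.splitlines())
    print(dict(summary))
    for line in findings:
        print("ATTENTION:", line)
```

Point audit_binds at the real logs/access file on each PingDirectory server (for example, audit_binds(open("logs/access").read().splitlines())); a clean cutover shows only external_ok binds for the proxy DN and no findings.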