Configuring authentication with a SASL external certificate
Configure the PingDataMetrics server to use SASL EXTERNAL to authenticate to the PingDirectory server with a client certificate.
About this task
By default, the PingDataMetrics server authenticates to the PingDirectory server using LDAP simple authentication (with a bind DN and a password).
This procedure assumes that PingDataMetrics server instances are installed and configured to communicate with the backend PingDirectory server instances using either SSL or StartTLS. |
After the servers are configured, perform the following steps to configure SASL EXTERNAL authentication:
Steps
-
Create a Java KeyStore (JKS) that includes a public and private key pair for a certificate that the PingDataMetrics server instance will use to authenticate to the PingDirectory server instance.
-
Run the following command in the instance root of one of the PingDataMetrics server instances.
$ keytool -genkeypair \ -keystore config/metrics-user-keystore \ -storetype JKS \ -keyalg RSA \ -keysize 2048 \ -alias metrics-user-cert \ -dname "cn=Metrics User,cn=Root DNs,cn=config" \ -validity 7300
-
When prompted for a keystore password, enter a strong password to protect the certificate.
-
When prompted for the key password, press
Enter
to use the keystore password to protect the private key.
-
-
Create a
config/metrics-user-keystore.pin
file that contains a single line that is the keystore password provided in the previous step. -
If there are other PingDataMetrics server instances in the topology, copy the
metrics-user-keystore
andmetrics-user-keystore.pin
files into the config directory for all instances. -
Run the following command to export the public component of the user certificate to a text file:
$ keytool -export \ -keystore config/metrics-user-keystore \ -alias metrics-user-cert \ -file config/metrics-user-cert.txt
-
Copy the
metrics-user-cert.txt
file into the config directory of all PingDirectory server instances.-
Import that certificate into each server’s primary trust store by running the following command from the server root.
$ keytool -import \ -keystore config/truststore \ -alias metrics-user-cert \ -file config/metrics-user-cert.txt
-
When prompted for the keystore password, enter the password contained in the
config/truststore.pin
file. -
When prompted to trust the certificate, enter
yes
.
-
-
Update the configuration for each PingDataMetrics server instance to create a new key manager provider that will obtain its certificate from the
config/metrics-user-keystore
file.-
Run the following
dsconfig
command from the server root:$ dsconfig create-key-manager-provider \ --provider-name "Metrics User Certificate" \ --type file-based \ --set enabled:true \ --set key-store-file:config/metrics-user-keystore \ --set key-store-type:JKS \ --set key-store-pin-file:config/metrics-user-keystore.pin
-
-
Update the configuration for each LDAP external server in each PingDataMetrics server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication.
-
Run the following
dsconfig
command:$ dsconfig set-external-server-prop \ --server-name ds1.example.com:636 \ --set authentication-method:external \ --set "key-manager-provider:Metrics User Certificate"
Result:
After these changes, the PingDataMetrics server should re-establish connections to the LDAP external server and authenticate with SASL EXTERNAL.
-
-
Verify that the PingDataMetrics server is still able to communicate with all backend servers by running the
bin/status
command.All of the servers listed in the "--- LDAP External Servers ---" section should have a status of
Available
. Review the PingDirectory server access log can to make sure that the BIND RESULT log messages used to authenticate the connections from the PingDataMetrics server includeauthType="SASL", saslMechanism="EXTERNAL", resultCode=0
, andauthDN="cn=Metrics User,cn=Root DNs,cn=config"
.