PingDirectory

Configuring authentication with a SASL external certificate

Configure the PingDataMetrics server to use SASL EXTERNAL to authenticate to the PingDirectory server with a client certificate.

About this task

By default, the PingDataMetrics server authenticates to the PingDirectory server using LDAP simple authentication (with a bind DN and a password).

This procedure assumes that PingDataMetrics server instances are installed and configured to communicate with the backend PingDirectory server instances using either SSL or StartTLS.

After the servers are configured, perform the following steps to configure SASL EXTERNAL authentication:

Steps

  1. Create a Java KeyStore (JKS) that includes a public and private key pair for a certificate that the PingDataMetrics server instance will use to authenticate to the PingDirectory server instance. Choose the certificate's subject DN deliberately: the PingDirectory server maps the presented certificate to a user entry, and with its default Subject Equals DN certificate mapper the subject must exactly match the DN of that entry. This procedure uses the root user cn=Metrics User,cn=Root DNs,cn=config, which is also the authDN that the final verification step expects.

    1. Run the following command in the instance root of one of the PingDataMetrics server instances.

      $ keytool -genkeypair \
        -keystore config/metrics-user-keystore \
        -storetype JKS \
        -keyalg RSA \
        -keysize 2048 \
        -alias metrics-user-cert \
        -dname "cn=Metrics User,cn=Root DNs,cn=config" \
        -validity 7300
    2. When prompted for a keystore password, enter a strong password to protect the certificate.

    3. When prompted for the key password, press Enter to use the keystore password to protect the private key.

  2. Create a config/metrics-user-keystore.pin file that contains a single line that is the keystore password provided in the previous step. Restrict the permissions on this file so that only the account the PingDataMetrics server runs as can read it, because anyone who can read it can unlock the private key and authenticate as the metrics user.

  3. If there are other PingDataMetrics server instances in the topology, copy the metrics-user-keystore and metrics-user-keystore.pin files into the config directory for all instances.

  4. Run the following command to export the public component of the user certificate to a text file (the -rfc option writes the certificate in PEM format; without it keytool writes binary DER, which keytool -import also accepts but which is not a text file):

    $ keytool -export \
      -rfc \
      -keystore config/metrics-user-keystore \
      -alias metrics-user-cert \
      -file config/metrics-user-cert.txt
  5. Copy the metrics-user-cert.txt file into the config directory of all PingDirectory server instances.

    1. Import that certificate into each server’s primary trust store by running the following command from the server root.

      $ keytool -import \
        -keystore config/truststore \
        -alias metrics-user-cert \
        -file config/metrics-user-cert.txt
    2. When prompted for the keystore password, enter the password contained in the config/truststore.pin file.

    3. When prompted to trust the certificate, enter yes.

  6. Update the configuration for each PingDataMetrics server instance to create a new key manager provider that will obtain its certificate from the config/metrics-user-keystore file.

    1. Run the following dsconfig command from the server root:

      $ dsconfig create-key-manager-provider \
        --provider-name "Metrics User Certificate" \
        --type file-based \
        --set enabled:true \
        --set key-store-file:config/metrics-user-keystore \
        --set key-store-type:JKS \
        --set key-store-pin-file:config/metrics-user-keystore.pin
  7. Update the configuration for each LDAP external server in each PingDataMetrics server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication.

    1. Run the following dsconfig command once for each LDAP external server, substituting that server's name (dsconfig list-external-servers shows the configured names):

      $ dsconfig set-external-server-prop \
        --server-name ds1.example.com:636 \
        --set authentication-method:external \
        --set "key-manager-provider:Metrics User Certificate"

      Result:

      After these changes, the PingDataMetrics server should re-establish connections to the LDAP external server and authenticate with SASL EXTERNAL.

  8. Verify that the PingDataMetrics server is still able to communicate with all backend servers by running the bin/status command.

    All of the servers listed in the "--- LDAP External Servers ---" section should have a status of Available. Then review the PingDirectory server access log to confirm that the BIND RESULT log messages for the connections from the PingDataMetrics server include authType="SASL", saslMechanism="EXTERNAL", resultCode=0, and authDN="cn=Metrics User,cn=Root DNs,cn=config". A BIND RESULT for that DN that still shows authType="SIMPLE" means an LDAP external server was missed in the previous step; a SASL EXTERNAL bind with a non-zero resultCode means the PingDirectory server does not trust the presented certificate or cannot map its subject to the metrics user entry.
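To automate the access-log check in the last step, the following is an added example (not part of the Ping documentation or product) that parses BIND RESULT records and flags any bind by the metrics user that is not SASL EXTERNAL, plus any SASL EXTERNAL bind that failed. The sample log lines are constructed for this example and only approximate the PingDirectory access-log layout from the field names listed above; the logs/access path in the usage comment and the script name check_metrics_binds.py are assumptions.

```python
import re
import sys

# Constructed sample of PingDirectory access-log BIND RESULT records. The field
# names are the ones the verification step lists (authType, saslMechanism,
# resultCode, authDN); timestamps, connection numbers and the exact layout are
# an assumption of this example, not copied from a real server.
SAMPLE_ACCESS_LOG = """\
[01/Mar/2024:10:15:02.113 -0600] BIND RESULT conn=41 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=1.204 authDN="cn=Metrics User,cn=Root DNs,cn=config"
[01/Mar/2024:10:15:02.498 -0600] BIND RESULT conn=42 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=0.877 authDN="cn=Metrics User,cn=Root DNs,cn=config"
[01/Mar/2024:10:15:03.020 -0600] BIND RESULT conn=43 op=0 msgID=1 authType="SIMPLE" resultCode=0 etime=0.654 authDN="cn=Metrics User,cn=Root DNs,cn=config"
[01/Mar/2024:10:15:04.771 -0600] BIND RESULT conn=44 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=49 etime=0.412
[01/Mar/2024:10:15:05.330 -0600] BIND RESULT conn=45 op=0 msgID=1 authType="SIMPLE" resultCode=0 etime=0.511 authDN="cn=Directory Manager,cn=Root DNs,cn=config"
[01/Mar/2024:10:15:06.002 -0600] SEARCH RESULT conn=41 op=1 msgID=2 resultCode=0 etime=2.310 entriesReturned=1
"""

EXPECTED_AUTH_DN = "cn=Metrics User,cn=Root DNs,cn=config"

# key=value or key="quoted value" pairs; quoted values may contain spaces and commas.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_bind_result(line):
    """Return the fields of a BIND RESULT line as a dict, or None for any other line."""
    if " BIND RESULT " not in line:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def check_metrics_binds(log_text, expected_dn=EXPECTED_AUTH_DN):
    """Classify the BIND RESULT records that matter for the SASL EXTERNAL check.

    Returns (ok_conns, problems). ok_conns lists connection IDs whose bind was a
    successful SASL EXTERNAL bind as expected_dn. problems lists (conn, reason)
    for records to chase: expected_dn still binding with another authType
    (step 7 was not applied to one of the external servers), or any SASL
    EXTERNAL bind that failed (the client certificate is not in the server's
    trust store, or its subject DN does not map to an entry). Failed EXTERNAL
    binds carry no authDN, so every one of them is reported.
    """
    ok_conns, problems = [], []
    for line in log_text.splitlines():
        fields = parse_bind_result(line)
        if fields is None:
            continue
        conn = fields.get("conn")
        is_external = (fields.get("authType") == "SASL"
                       and fields.get("saslMechanism") == "EXTERNAL")
        if is_external and fields.get("resultCode") != "0":
            problems.append((conn, "SASL EXTERNAL bind failed with resultCode="
                             + fields.get("resultCode", "?")))
        elif fields.get("authDN") == expected_dn:
            if is_external:
                ok_conns.append(conn)
            else:
                problems.append((conn, "metrics user still bound with authType="
                                 + fields.get("authType", "?")))
    return ok_conns, problems


if __name__ == "__main__":
    # Usage: python check_metrics_binds.py /path/to/pingdirectory/logs/access
    # With no argument the constructed sample above is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    ok_conns, problems = check_metrics_binds(text)
    print("successful SASL EXTERNAL binds as metrics user: %d" % len(ok_conns))
    for conn, reason in problems:
        print("conn=%s: %s" % (conn, reason))
    sys.exit(1 if problems else 0)
```

Run it against the real access log after step 7 has been applied to every external server; a clean run reports only successful binds and exits 0, while any remaining SIMPLE bind by the metrics user or any failed EXTERNAL bind is printed with its connection number so the corresponding BIND REQUEST can be located in the same log.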