PingDirectory

Configure authentication with a SASL external certificate

About this task

By default, PingDataSync authenticates to the PingDirectory server using LDAP simple authentication (with a bind DN and a password). However, PingDataSync can be configured to use SASL EXTERNAL to authenticate to the PingDirectory server with a client certificate.

This procedure assumes that PingDataSync instances are installed and configured to communicate with the backend PingDirectory server instances using either SSL or StartTLS.

After the servers are configured, perform the following steps to configure SASL EXTERNAL authentication:

Steps

  1. Create a JKS keystore that includes a public and private key pair for a certificate that the PingDataSync instance(s) will use to authenticate to the PingDirectory server instance(s). The certificate subject (-dname) is the DN of the account PingDataSync will be authenticated as: with the default certificate mapper, the PingDirectory server maps the subject of a client certificate presented for SASL EXTERNAL to the entry with that DN, so it must name an existing account (here the Sync User root DN). Run the following command in the instance root of one of the PingDataSync instances. When prompted for a keystore password, enter a strong password to protect the certificate. When prompted for the key password, press ENTER to use the keystore password to protect the private key:

    $ keytool -genkeypair \
      -keystore config/sync-user-keystore \
      -storetype JKS \
      -keyalg RSA \
      -keysize 2048 \
      -alias sync-user-cert \
      -dname "cn=Sync User,cn=Root DNs,cn=config" \
      -validity 7300

  2. Create a config/sync-user-keystore.pin file that contains a single line that is the keystore password provided in the previous step.

  3. If there are other PingDataSync instances in the topology, copy the sync-user-keystore and sync-user-keystore.pin files into the config directory for all instances.

  4. Use the following command to export the public component of the user certificate to a text file (the -rfc option writes the certificate in PEM text form rather than binary DER; keytool -import accepts either):

    $ keytool -export \
      -rfc \
      -keystore config/sync-user-keystore \
      -alias sync-user-cert \
      -file config/sync-user-cert.txt

  5. Copy the sync-user-cert.txt file into the config directory of all PingDirectory server instances. Import that certificate into each server’s primary trust store by running the following command from the server root. When prompted for the keystore password, enter the password contained in the config/truststore.pin file. When prompted to trust the certificate, enter yes.

    $ keytool -import \
      -keystore config/truststore \
      -alias sync-user-cert \
      -file config/sync-user-cert.txt

  6. Update the configuration for each PingDataSync instance to create a new key manager provider that will obtain its certificate from the config/sync-user-keystore file. Run the following dsconfig command from the server root:

    $ dsconfig create-key-manager-provider \
      --provider-name "Sync User Certificate" \
      --type file-based \
      --set enabled:true \
      --set key-store-file:config/sync-user-keystore \
      --set key-store-type:JKS \
      --set key-store-pin-file:config/sync-user-keystore.pin

  7. Update the configuration for each LDAP external server in each PingDataSync server instance to use the newly created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication. Run the following dsconfig command:

    $ dsconfig set-external-server-prop \
      --server-name ds1.example.com:636 \
      --set authentication-method:external \
      --set "key-manager-provider:Sync User Certificate"

Next steps

After these changes, PingDataSync should re-establish connections to the LDAP external server and authenticate with SASL EXTERNAL. Verify that PingDataSync is still able to communicate with all backend servers by running the bin/status command. All of the servers listed in the "--- LDAP External Servers ---" section should have a status of Available. Review the PingDirectory server access log to make sure that the BIND RESULT log messages used to authenticate the connections from PingDataSync include authType="SASL", saslMechanism="EXTERNAL", resultCode=0, and authDN="cn=Sync User,cn=RootDNs,cn=config".