Configure authentication with a SASL external certificate
About this task
By default, PingDataSync authenticates to the PingDirectory server using LDAP simple authentication (with a bind DN and a password). However, PingDataSync can be configured to use SASL EXTERNAL, in which the PingDirectory server identifies the client by the certificate it presents during the TLS handshake; no password is sent in the bind request.
This procedure assumes that PingDataSync instances are installed and configured to communicate with the backend PingDirectory server instances using either SSL or StartTLS. A secure connection is a prerequisite, not an option, because the client certificate that SASL EXTERNAL relies on is only ever presented as part of the TLS handshake.
After the servers are configured, perform the following steps to configure SASL EXTERNAL authentication:
Steps
- Create a JKS keystore that includes a public and private key pair for a certificate that the PingDataSync instance(s) will use to authenticate to the PingDirectory server instance(s). Run the following command in the instance root of one of the PingDataSync instances. When prompted for a keystore password, enter a strong password to protect the certificate. When prompted for the key password, press ENTER to use the keystore password to protect the private key. The PingDirectory server derives the bind identity from the certificate's subject DN, so the -dname value must be the DN of the account PingDataSync binds as (here the cn=Sync User root DN); the verification at the end of this page checks for exactly that authDN:

  $ keytool -genkeypair \
      -keystore config/sync-user-keystore \
      -storetype JKS \
      -keyalg RSA \
      -keysize 2048 \
      -alias sync-user-cert \
      -dname "cn=Sync User,cn=Root DNs,cn=config" \
      -validity 7300
- Create a config/sync-user-keystore.pin file that contains a single line that is the keystore password provided in the previous step. The file holds that password in clear text, so restrict it to the account the server runs as (for example, with chmod 600).
- If there are other PingDataSync instances in the topology, copy the sync-user-keystore and sync-user-keystore.pin files into the config directory for all instances. Together these two files are the private key, so transfer them over a secure channel and remove any intermediate copies afterwards.
- Use the following command to export the public component of the user certificate to a file. Without -rfc, keytool writes the certificate in binary DER form regardless of the .txt extension; keytool -import in the next step accepts either DER or PEM:

  $ keytool -export \
      -keystore config/sync-user-keystore \
      -alias sync-user-cert \
      -file config/sync-user-cert.txt
- Copy the sync-user-cert.txt file into the config directory of all PingDirectory server instances. Import that certificate into each server's primary trust store by running the following command from the server root. When prompted for the keystore password, enter the password contained in the config/truststore.pin file. When prompted to trust the certificate, enter yes. This import is what makes the certificate acceptable to the server: a certificate carrying the same subject DN but a different key is still rejected because it does not chain to anything in the trust store.

  $ keytool -import \
      -keystore config/truststore \
      -alias sync-user-cert \
      -file config/sync-user-cert.txt
- Update the configuration for each PingDataSync instance to create a new key manager provider that will obtain its certificate from the config/sync-user-keystore file. Run the following dsconfig command from the server root:

  $ dsconfig create-key-manager-provider \
      --provider-name "Sync User Certificate" \
      --type file-based \
      --set enabled:true \
      --set key-store-file:config/sync-user-keystore \
      --set key-store-type:JKS \
      --set key-store-pin-file:config/sync-user-keystore.pin
- Update the configuration for each LDAP external server in each PingDataSync server instance to use the newly created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication. Run the following dsconfig command once per external server, substituting its own --server-name value (ds1.example.com:636 is an example):

  $ dsconfig set-external-server-prop \
      --server-name ds1.example.com:636 \
      --set authentication-method:external \
      --set "key-manager-provider:Sync User Certificate"
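The steps above give the PingDirectory server the two things a SASL EXTERNAL bind depends on: a trust store that contains the PingDataSync certificate (the keytool -import), and a certificate whose subject is the DN of the bind account (the keytool -dname). The Go program below is an added example, not part of this page and not code from PingDataSync or PingDirectory; it models the server side of that decision with self-signed certificates generated in memory. It encodes an LDAP DN string into an X.509 subject the way keytool -dname does (the RDN order is reversed on the wire), checks a presented certificate against the trust store, renders its subject back into a DN and looks that DN up among the entries. The subject-equals-DN mapping, the entry set, the 24-hour validity and the restriction to cn= RDNs are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SyncUserDN is the subject the procedure gives the certificate (keytool -dname).
const SyncUserDN = "cn=Sync User,cn=Root DNs,cn=config"

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3} // only cn= RDNs are handled (assumption)

// mustCert stands in for "keytool -genkeypair -dname <ldapDN>". An LDAP DN is
// written leaf-first ("cn=Sync User,cn=Root DNs,cn=config") while the X.509
// RDNSequence is stored root-first, so the RDNs are reversed while encoding.
func mustCert(ldapDN string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rdns := strings.Split(ldapDN, ",")
	var seq pkix.RDNSequence
	for i := len(rdns) - 1; i >= 0; i-- {
		kv := strings.SplitN(strings.TrimSpace(rdns[i]), "=", 2)
		if len(kv) != 2 || !strings.EqualFold(kv[0], "cn") {
			panic("unsupported RDN: " + rdns[i])
		}
		seq = append(seq, pkix.RelativeDistinguishedNameSET{{Type: oidCN, Value: kv[1]}})
	}
	rawSubject, _ := asn1.Marshal(seq)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		RawSubject:   rawSubject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // the page's keytool uses -validity 7300
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// subjectToLDAPDN renders a subject leaf-first with lower-case attribute types so
// it can be compared with an entry DN (subject-equals-DN style certificate mapping).
func subjectToLDAPDN(cert *x509.Certificate) (string, error) {
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(cert.RawSubject, &seq); err != nil {
		return "", err
	}
	var parts []string
	for i := len(seq) - 1; i >= 0; i-- {
		for _, atv := range seq[i] {
			if !atv.Type.Equal(oidCN) {
				return "", fmt.Errorf("unsupported attribute type %v in subject", atv.Type)
			}
			parts = append(parts, fmt.Sprintf("cn=%v", atv.Value))
		}
	}
	return strings.Join(parts, ","), nil
}

// saslExternalBind is the server side of a SASL EXTERNAL bind: the request carries
// no password, so the identity is the client certificate the TLS layer received. It
// must chain to the trust store (step 5's import) and its subject must map to an entry.
func saslExternalBind(clientCert *x509.Certificate, trust *x509.CertPool, entries map[string]bool) (string, error) {
	if clientCert == nil {
		return "", fmt.Errorf("connection presented no client certificate")
	}
	if _, err := clientCert.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not in trust store: %w", err)
	}
	dn, err := subjectToLDAPDN(clientCert)
	if err != nil {
		return "", err
	}
	if !entries[strings.ToLower(dn)] { // DN comparison is case-insensitive
		return "", fmt.Errorf("trusted certificate subject %q maps to no entry", dn)
	}
	return dn, nil
}

func main() {
	syncUser := mustCert(SyncUserDN)
	rogue := mustCert(SyncUserDN) // same subject DN, but a key that was never imported
	trust := x509.NewCertPool()   // config/truststore after step 5
	trust.AddCert(syncUser)
	entries := map[string]bool{strings.ToLower(SyncUserDN): true} // assumed directory content
	for name, c := range map[string]*x509.Certificate{"sync-user": syncUser, "no-cert": nil, "rogue": rogue} {
		dn, err := saslExternalBind(c, trust, entries)
		fmt.Printf("%-9s dn=%q err=%v\n", name, dn, err)
	}
}
```

Only the imported certificate binds as the sync user; the connection without a certificate and the one with a look-alike certificate are refused before any mapping happens. A certificate that is imported but carries some other subject (for example cn=Stranger,cn=Root DNs,cn=config) passes the trust check and is then refused at the mapping step, which is the failure you get when the -dname in step 1 does not match the bind account.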
Next steps
After these changes, PingDataSync should re-establish connections to the LDAP external servers and authenticate with SASL EXTERNAL. Verify that PingDataSync is still able to communicate with all backend servers by running the bin/status command. All of the servers listed in the "--- LDAP External Servers ---" section should have a status of Available. Review the PingDirectory server access log to make sure that the BIND RESULT log messages for the connections from PingDataSync include authType="SASL", saslMechanism="EXTERNAL", resultCode=0, and authDN="cn=Sync User,cn=Root DNs,cn=config". A BIND RESULT for the sync user that still shows a simple bind points at an external server that was not updated in the last step; a SASL EXTERNAL bind with a non-zero resultCode points at a server whose trust store does not contain the certificate.
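To make that log review repeatable, the Go program below is an added example (not from this page and not from Ping) that scans access log text for BIND RESULT messages involving the sync user or the EXTERNAL mechanism and reports every one that is not a successful SASL EXTERNAL bind as the expected authDN. The log lines it runs over are constructed for the example and only approximate the PingDirectory access log layout (timestamp, message type, then key=value and key="value" fields); the field names and values it checks are the ones listed in the Next steps above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// expected lists what a BIND RESULT from PingDataSync must carry after the change
// (the Next steps above); the authDN comparison is case-insensitive.
var expected = map[string]string{
	"authType":      "SASL",
	"saslMechanism": "EXTERNAL",
	"resultCode":    "0",
	"authDN":        "cn=Sync User,cn=Root DNs,cn=config",
}

// fieldRe matches the key=value and key="quoted value" tokens of an access log line.
var fieldRe = regexp.MustCompile(`(\w+)=("([^"]*)"|\S+)`)

// parseFields turns one access log line into a key/value map (quotes stripped).
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		if strings.HasPrefix(m[2], `"`) {
			fields[m[1]] = m[3]
		} else {
			fields[m[1]] = m[2]
		}
	}
	return fields
}

// auditBinds scans access log text for BIND RESULT messages that concern the sync
// user (by authDN or bind DN) or use the EXTERNAL mechanism, and returns how many
// are successful SASL EXTERNAL binds plus one summary line per bind that is not.
// A simple bind as the sync user means an external server still has a bind DN and
// password; a failed EXTERNAL bind means the certificate was not accepted.
func auditBinds(logText string) (ok int, problems []string) {
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		if !strings.Contains(line, " BIND RESULT ") {
			continue
		}
		f := parseFields(line)
		syncDN := expected["authDN"]
		if !strings.EqualFold(f["authDN"], syncDN) && !strings.EqualFold(f["dn"], syncDN) && f["saslMechanism"] != "EXTERNAL" {
			continue
		}
		good := true
		for k, want := range expected {
			if !strings.EqualFold(f[k], want) {
				good = false
			}
		}
		if good {
			ok++
			continue
		}
		problems = append(problems, fmt.Sprintf("conn=%s dn=%q authType=%s saslMechanism=%s resultCode=%s",
			f["conn"], f["dn"], f["authType"], f["saslMechanism"], f["resultCode"]))
	}
	return ok, problems
}

// sampleLog is constructed for this example and only approximates the layout of a
// PingDirectory access log; it is not a captured log.
const sampleLog = `[01/Jan/2024:10:00:00.000 +0000] CONNECT conn=12 from="10.0.0.5:51000" to="10.0.0.9:636" protocol="LDAPS"
[01/Jan/2024:10:00:00.010 +0000] BIND RESULT conn=12 op=0 msgID=1 dn="" authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=0.821 authDN="cn=Sync User,cn=Root DNs,cn=config"
[01/Jan/2024:10:00:01.000 +0000] BIND RESULT conn=13 op=0 msgID=1 dn="cn=Sync User,cn=Root DNs,cn=config" authType="SIMPLE" resultCode=0 etime=0.400 authDN="cn=Sync User,cn=Root DNs,cn=config"
[01/Jan/2024:10:00:02.000 +0000] BIND RESULT conn=14 op=0 msgID=1 dn="" authType="SASL" saslMechanism="EXTERNAL" resultCode=49 etime=0.512
[01/Jan/2024:10:00:03.000 +0000] BIND RESULT conn=15 op=0 msgID=1 dn="uid=jdoe,ou=People,dc=example,dc=com" authType="SIMPLE" resultCode=0 etime=0.200 authDN="uid=jdoe,ou=People,dc=example,dc=com"`

func main() {
	ok, problems := auditBinds(sampleLog)
	fmt.Printf("%d successful SASL EXTERNAL bind(s) by the sync user\n", ok)
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
}
```

On the constructed input, conn=12 is the bind the procedure aims for, conn=13 is a leftover simple bind by the sync user, conn=14 is an EXTERNAL bind the server refused, and conn=15 is an unrelated user and is ignored. Point the scanner at the real access log of each PingDirectory server after the change; any problem line deserves a look before the old password on the sync account is retired.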