PingDirectory

Enabling TLS support during setup

The easiest way to enable TLS support in the server is to do so during setup. You can do so by either providing a key store containing the certificate you want to use or by having the installer generate a self-signed certificate for you.

If you are running setup in interactive mode, then it prompts you for all of the questions needed to configure secure communication.

Do you want to enable the Directory Server services (Available State,
Available or Degraded State, Configuration, Consent, Directory REST API,
Documentation, Instance Root File, SCIM2, and Swagger UI) and Administrative
Console over HTTPS?  After setup, you can selectively enable or disable
individual services and applications by configuring the HTTPS Connection
Handler (yes / no) [yes]: yes

On which port should the Directory Server accept connections from HTTPS
clients? [443]: 443

Do you want to accept unencrypted LDAP connections?

	1)  Do not accept unencrypted LDAP connections
	2)  Accept unencrypted LDAP connections, but require StartTLS to secure all
    	communication on those connections
	3)  Accept unencrypted LDAP connections, but optionally allow StartTLS to
    	secure communication on those connections
	4)  Accept unencrypted LDAP connections and do not enable support for
    	StartTLS

Enter option [3]: 3

On which port should the Directory Server accept connections from LDAP
clients? [389]: 389

Do you want to enable LDAPS? (yes / no) [yes]: yes
On which port should the Directory Server accept connections from LDAPS
clients? [636]: 636

Certificate server options:

	1)  Generate self-signed certificate (recommended for testing purposes
    	only)
	2)  Use an existing certificate located on a Java Keystore (JKS)
	3)  Use an existing certificate located on a PKCS12 keystore
	4)  Use an existing certificate on a PKCS11 token

Enter option [1]: 2

Java Keystore (JKS) path: /ca/ds1-keystore
Keystore PIN: {password}

Truststore options:

	1)  Generate a default JKS truststore
	2)  Use an existing JKS truststore
	3)  Use an existing PKCS12 truststore

Enter option [1]: 2

JKS truststore path: /ca/truststore
Truststore password (can be blank): {password}

When using setup in non-interactive mode, use the following arguments to configure TLS support.

Arguments and their descriptions:

--ldapPort <port>

Indicates that the server should enable support for unencrypted LDAP connections on the specified TCP port. If this argument is not provided, then the server does not accept unencrypted LDAP connections.

--ldapsPort <port>

Indicates that the server should enable support for LDAPS (LDAP over TLS) on the specified TCP port.

--httpsPort <port>

Indicates that the server should enable support for HTTPS (for things like SCIM, the Directory REST API, the web-based administration console, etc.) on the specified TCP port.

--enableStartTLS

Indicates that the LDAP connection handler should enable support for the StartTLS extended operation. This argument should only be provided if the --ldapPort argument is also given.

--generateSelfSignedCertificate

Indicates that setup should generate a self-signed certificate to be presented to clients using LDAPS, HTTPS, and the StartTLS extended operation.

--useJavaKeyStore <path>

Indicates that the server should use the specified Java KeyStore (JKS) key store to obtain the certificate chain to be presented to clients using LDAPS, HTTPS, and the StartTLS extended operation.

--usePKCS12KeyStore <path>

Indicates that the server should use the specified PKCS #12 key store to obtain the certificate chain to be presented to clients using LDAPS, HTTPS, and the StartTLS extended operation.

--usePKCS11KeyStore

Indicates that the server should use a PKCS #11 key store (for example, a hardware security module) to obtain the certificate chain to be presented to clients using LDAPS, HTTPS, and the StartTLS extended operation. The Java virtual machine (JVM) must already be configured to access the desired key store via PKCS #11.

--keyStorePassword <password>

The password needed to interact with the specified JKS, PKCS #12, or PKCS #11 key store. Note that setup assumes that the private key password matches the key store password.

--keyStorePasswordFile <path>

The path to a file containing the password needed to interact with the specified JKS, PKCS #12, or PKCS #11 key store.

--certNickname <alias>

The alias of the private key entry in the specified key store that contains the certificate chain to present to clients during TLS negotiation. This argument is optional, but it is recommended if the key store has multiple certificates.

--useJavaTrustStore <path>

Indicates that the server should use the specified JKS trust store to determine whether to trust any certificate chains that are presented to it during TLS negotiation.

--usePKCS12TrustStore <path>

Indicates that the server should use the specified PKCS #12 trust store to determine whether to trust any certificate chains that are presented to it during TLS negotiation.

--trustStorePassword <password>

The password needed to interact with the specified JKS or PKCS #11 trust store.

--trustStorePasswordFile <path>

The path to a file containing the password needed to interact with the specified JKS or PKCS #11 trust store.

--rejectInsecureRequests

Indicates that the server should be configured to reject requests received over insecure connections. This argument can be used in conjunction with the --ldapPort argument to allow clients to establish connections that are initially insecure, but requires those connections to be secured with the StartTLS extended operation before they can issue other types of requests.

For example, the following command could be used to set up the server in non-interactive mode with an existing certificate.

$ ./setup \
     --no-prompt \
     --acceptLicense \
     --ldapPort 389 \
     --ldapsPort 636 \
     --httpsPort 443 \
     --enableStartTLS \
     --useJavaKeyStore config/keystore \
     --keyStorePasswordFile config/keystore.pin \
     --certNickname server-cert \
     --useJavaTrustStore config/truststore \
     --trustStorePasswordFile config/truststore.pin \
     --baseDN dc=example,dc=com \
     --rootUserDN "cn=Directory Manager" \
     --rootUserPasswordFile root-pw.txt \
     --maxHeapSize 10g \
     --encryptDataWithPassphraseFromFile encryption-settings-password.txt \
     --instanceName ds1 \
     --location Austin \
     --noPropertiesFile


Ping Identity Directory Server 8.2.0.0

Initializing ..... Done
Configuring Directory Server ..... Done
Configuring Certificates ..... Done
Starting Directory Server ..... Done

Access product documentation from docs/index.html
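Once setup reports "Done", it is worth confirming that each listener actually presents a certificate chain that verifies against your CA. The following script is an added example, not part of the PingDirectory documentation: it probes the LDAPS, HTTPS and StartTLS-on-LDAP ports from the setup command above with openssl s_client. It assumes openssl 1.1.1 or later (for `-starttls ldap`), and the DS_HOST and CA_FILE variables are assumed names.

```shell
#!/bin/sh
# Added post-setup check (not part of the PingDirectory documentation):
# confirms that the listeners configured above present a certificate chain
# that verifies against a known CA. Assumes openssl 1.1.1 or newer (needed
# for "-starttls ldap") and a PEM CA bundle at $CA_FILE (assumed path).
DS_HOST="${DS_HOST:-localhost}"
CA_FILE="${CA_FILE:-ca.pem}"

# Build the s_client argument list for a port; $2 names a StartTLS protocol
# ("ldap" for the --ldapPort listener with --enableStartTLS) or is empty.
s_client_args() {
  if [ -n "$2" ]; then
    printf 's_client -connect %s:%s -starttls %s -CAfile %s' "$DS_HOST" "$1" "$2" "$CA_FILE"
  else
    printf 's_client -connect %s:%s -CAfile %s' "$DS_HOST" "$1" "$CA_FILE"
  fi
}

# Succeeds only when the captured s_client output reports a verified chain.
chain_verified() {
  printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Probe one listener and report; returns non-zero on failure.
probe() {
  out=$(openssl $(s_client_args "$1" "$2") </dev/null 2>&1)
  if chain_verified "$out"; then
    echo "OK   $DS_HOST:$1${2:+ (StartTLS $2)}"
  else
    echo "FAIL $DS_HOST:$1${2:+ (StartTLS $2)}"
    printf '%s\n' "$out" | grep 'Verify return code' || echo "  no TLS handshake completed"
    return 1
  fi
}

# Ports from the setup command above: LDAPS 636, HTTPS 443, StartTLS on LDAP 389.
check_listeners() {
  rc=0
  probe 636 || rc=1
  probe 443 || rc=1
  probe 389 ldap || rc=1
  return $rc
}

# Only run the probes when invoked with "run", so the functions can be sourced.
[ "${1:-}" = "run" ] && check_listeners
```

Run it as `DS_HOST=ds1.example.com CA_FILE=/ca/ca.pem sh verify-tls.sh run`; a non-zero exit means at least one listener did not present a chain the CA file trusts.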