PingDirectory

Configuring the PingDirectory server to use an HTTP proxy server

Some organizations configure their network so that internal systems cannot directly access the Internet, but instead must use an HTTP proxy server to access external services.

The PingDirectory server now supports using an HTTP proxy server in conjunction with the following components:

  • The Amazon Key Management Service cipher stream provider

  • The Amazon Secrets Manager cipher stream provider

  • The Amazon Secrets Manager passphrase provider

  • The Amazon Secrets Manager password storage scheme

  • The Azure Key Vault cipher stream provider

  • The Azure Key Vault passphrase provider

  • The Azure Key Vault password storage scheme

  • The PingOne pass-through authentication plugin

  • The Pwned Passwords password validator

  • The Twilio alert handler

  • The Twilio OTP delivery mechanism

  • The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler

Setting up the server to use an HTTP proxy server involves two steps, which are described in the following sections.

  1. Creating an HTTP proxy external server in the configuration.

  2. Configuring the appropriate component(s) to use the HTTP proxy server.

Creating an HTTP proxy external server

An HTTP proxy external server configuration object provides information about a proxy server that should be used. At present, we only support HTTP proxy servers (which can handle both unencrypted HTTP and encrypted HTTPS connections), with or without authentication.

HTTP proxy external server definitions support the following configuration properties:

server-host-name

The resolvable name or IP address of the HTTP proxy server to use. This is required.

server-port

The port on which the HTTP proxy server is listening for connections. This is required.

basic-authentication-username

The username to use if the proxy server requires authentication. This should be omitted if the proxy server does not require authentication.

basic-authentication-passphrase-provider

The passphrase provider from which the server obtains the password to present to the proxy server if it requires authentication, so that the proxy password is not stored in clear text in the server's configuration. This should be omitted if the proxy server does not require authentication.

For example, you can use a configuration change like the following to create an HTTP proxy external server that does not require authentication:

dsconfig create-external-server \
     --server-name "Example HTTP Proxy Server" \
     --type http-proxy \
     --set server-host-name:proxy.example.com \
     --set server-port:3128

Configuring server components to use the HTTP proxy external server

Merely defining an HTTP proxy external server in the configuration does not cause the server to use that proxy server for anything. Instead, you must indicate which components should use that proxy server.

This is necessary because you might only need to use an HTTP proxy server for certain components (for example, it might be necessary when accessing external web services, but not for services on the internal private network).

All of the components that support the use of an HTTP proxy server offer an http-proxy-external-server configuration property whose value should be the name of the appropriate HTTP proxy external server definition in the configuration. For example, to update the Pwned Passwords password validator to use the HTTP proxy server defined in the "Example HTTP Proxy Server" configuration object, use a configuration change like the following:

dsconfig set-password-validator-prop \
     --validator-name "Pwned Passwords" \
     --set "http-proxy-external-server:Example HTTP Proxy Server"
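The following script carries the whole two-step procedure through for a proxy that does require authentication, using a dsconfig batch file so that the passphrase provider, the HTTP proxy external server and the component wiring are applied as one change. It is an added example, not part of this page or of PingDirectory's own tooling. It assumes that dsconfig accepts a batch file via --batch-file and --no-prompt, that a passphrase provider of type file-based exists with a password-file property (any of the Amazon or Azure passphrase providers listed above could be substituted), and that the connection and bind arguments for your server are supplied in DSCONFIG_ARGS. Verify those names against your own server's dsconfig --help before applying. The proxy host, port, username and password are constructed sample values.

```shell
#!/bin/sh
# Added example (not PingDirectory's own script): build, check and optionally apply a
# dsconfig batch file that wires an authenticated HTTP proxy into the Pwned Passwords
# validator. Assumed: `dsconfig --no-prompt --batch-file`, and a "file-based" passphrase
# provider with a "password-file" property. Verify both against `dsconfig --help`.
set -eu

PROXY_HOST="${PROXY_HOST:-proxy.example.com}"      # constructed sample values
PROXY_PORT="${PROXY_PORT:-3128}"
PROXY_USER="${PROXY_USER:-pingdirectory}"
PROXY_SERVER_NAME="Example Authenticated HTTP Proxy Server"
PROVIDER_NAME="HTTP Proxy Passphrase Provider"

# Store the proxy password in a file readable only by the server account, so the
# secret appears neither in config.ldif nor in the batch file below.
write_proxy_password_file() {
    # $1 = destination path, $2 = password
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Emit the dsconfig batch: subcommands only, continued with a trailing backslash.
write_proxy_batch_file() {
    # $1 = batch file path, $2 = password file path
    cat > "$1" <<EOF
# Step 1a: passphrase provider that reads the proxy password from a protected file
create-passphrase-provider \\
     --provider-name "$PROVIDER_NAME" \\
     --type file-based \\
     --set enabled:true \\
     --set "password-file:$2"

# Step 1b: the HTTP proxy external server, with Basic authentication
create-external-server \\
     --server-name "$PROXY_SERVER_NAME" \\
     --type http-proxy \\
     --set server-host-name:$PROXY_HOST \\
     --set server-port:$PROXY_PORT \\
     --set basic-authentication-username:$PROXY_USER \\
     --set "basic-authentication-passphrase-provider:$PROVIDER_NAME"

# Step 2: point a component at the proxy; defining the proxy alone changes nothing
set-password-validator-prop \\
     --validator-name "Pwned Passwords" \\
     --set "http-proxy-external-server:$PROXY_SERVER_NAME"
EOF
}

# Exit status 0 when the secret ($2) occurs in file $1, 1 otherwise.
file_contains_secret() {
    grep -qF -- "$2" "$1"
}

# Octal permission bits of a file (600 expected for the password file).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

apply_batch_file() {
    # $1 = batch file; DSCONFIG_ARGS holds your server's connection/bind arguments.
    dsconfig --no-prompt --batch-file "$1" ${DSCONFIG_ARGS:-}
}

# Stand-alone run: generate into a scratch directory, refuse to continue if the
# password leaked into the batch file, and apply only when APPLY=1 and dsconfig exists.
main() {
    dir="${WORKDIR:-$(mktemp -d)}"
    secret="${PROXY_PASSWORD:-s3cr3t-example}"
    write_proxy_password_file "$dir/proxy.pw" "$secret"
    write_proxy_batch_file "$dir/proxy.dsconfig" "$dir/proxy.pw"
    if file_contains_secret "$dir/proxy.dsconfig" "$secret"; then
        echo "refusing to continue: secret leaked into batch file" >&2
        exit 1
    fi
    echo "batch written to $dir/proxy.dsconfig (password file mode $(file_mode "$dir/proxy.pw"))"
    if [ "${APPLY:-0}" = 1 ] && command -v dsconfig >/dev/null 2>&1; then
        apply_batch_file "$dir/proxy.dsconfig"
    fi
}
main "$@"
```

Run it once without APPLY to inspect the generated batch file, then with APPLY=1 and DSCONFIG_ARGS set to apply it. Keeping the proxy password in a file referenced by a passphrase provider, rather than pasting it into a --set argument, also keeps it out of shell history and process listings. Note that Basic authentication sends the username and password to the proxy without encryption, so the proxy should be reachable only over the internal network.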