By default, the PingDirectoryProxy server authenticates to the PingDirectory server using LDAP simple authentication with a bind DN and a password. You can configure the PingDirectoryProxy server to use Simple Authentication and Security Layer (SASL) EXTERNAL to authenticate to the PingDirectory server with a client certificate.
-
Create a Java KeyStore (JKS) that includes a public and private key pair for a
certificate that the PingDirectoryProxy server instances
will use to authenticate to the PingDirectory
instances.
-
Run the following command in the instance root of one of the PingDirectoryProxy server instances.
$ keytool -genkeypair \ -keystore config/proxy-user-keystore \ -storetype JKS \ -keyalg RSA \ -keysize 2048 \ -alias proxy-user-cert \ -dname "cn=Proxy User,cn=Root DNs,cn=config" \ -validity 7300
- When prompted for a key store password, enter a strong password to protect the certificate.
- When prompted for the key password, press Enter to use the key store password to protect the private key.
-
Run the following command in the instance root of one of the PingDirectoryProxy server instances.
- Use a text editor to create a config/proxy-user-keystore.pin file containing a single line that is the key store password provided in the previous step.
- If there are other PingDirectoryProxy server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pinfiles into the config directory for all instances.
-
To export the public component of the proxy user certificate to a text file, run
the following command.
$ keytool -export \ -keystore config/proxy-user-keystore \ -alias proxy-user-cert \ -file config/proxy-user-cert.txt
-
Copy the proxy-user-cert.txt file into the
config directory of all directory server instances.
-
Import that certificate into each server's primary trust store by running the
following command from the server root.
$ keytool -import \ -keystore config/truststore \ -alias proxy-user-cert \ -file config/proxy-user-cert.txt
- When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
- When prompted to trust the certificate, enter yes.
-
Import that certificate into each server's primary trust store by running the
following command from the server root.
-
To update the configuration for each PingDirectoryProxy
server instance to create a new key manager provider that will obtain its certificate
from the config/proxy-user-keystore file, run the following
dsconfig command.
$ dsconfig create-key-manager-provider \ --provider-name "Proxy User Certificate" \ --type file-based \ --set enabled:true \ --set key-store-file:config/proxy-user-keystore \ --set key-store-type:JKS \ --set key-store-pin-file:config/proxy-user-keystore.pin
-
To update the configuration for each LDAP external server in each PingDirectoryProxy server instance to use the newly-created key
manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple
authentication, run the following dsconfig command.
$ dsconfig set-external-server-prop \ --server-name ds1.example.com:636 \ --set authentication-method:external \ --set "key-manager-provider:Proxy User Certificate"
After these changes, the PingDirectoryProxy server re-establishes connections to the LDAP external server and authenticate with SASL EXTERNAL. -
Verify that the PingDirectoryProxy server can communicate
with all backend servers by running the bin/status command.
All of the servers listed in the "--- LDAP External Servers ---" section are available.
-
Review the PingDirectory server access log.
The BIND RESULT log messages used to authenticate the connections from the PingDirectoryProxy server include the following:
authType="SASL"
saslMechanism="EXTERNAL"
resultCode=0
authDN="cn=Proxy User,cn=Root DNs,cn=config"