To enable TLS support in the server, we recommend that you complete one of the following tasks during the setup procedure:

  • Provide a keystore that contains the certificate to use.
  • Make the installer generate a self-signed certificate.

When you use the setup tool in Interactive mode, it prompts you for the information that it needs to configure secure communication, as shown in the following example:

Do you want to enable the Directory Server services (Available State,
Available or Degraded State, Configuration, Consent, Directory REST API,
Documentation, SCIM2, and Swagger UI) and Administrative Console over
HTTPS?  After setup, you can selectively enable or disable individual
services and applications by configuring the HTTPS Connection Handler
(yes / no) [yes]: yes
 
On which port should the Directory Server accept connections from HTTPS
clients? [443]: 443
 
On which port should the Directory Server accept connections from LDAP
clients? [389]: 389
 
Do you want to enable LDAPS? (yes / no) [yes]: yes
On which port should the Directory Server accept connections from LDAPS
clients? [636]: 636
 
Do you want to enable StartTLS? (yes / no) [yes]: yes
 
Certificate server options:
 
    1)  Generate self-signed certificate (recommended for testing purposes
        only)
    2)  Use an existing certificate located on a Java Keystore (JKS)
    3)  Use an existing certificate located on a PKCS12 keystore
    4)  Use an existing certificate on a PKCS11 token
 
Enter option [1]: 2
 
Java Keystore (JKS) path: /ca/ds1-keystore
Keystore PIN: {password}
 
Truststore options:
 
    1)  Generate a default JKS truststore
    2)  Use an existing JKS truststore
    3)  Use an existing PKCS12 truststore
 
Enter option [1]: 2
 
JKS truststore path: /ca/truststore
Truststore password (can be blank): {password}

When using setup in non-interactive mode, use the following arguments to configure TLS support:

  • --ldapsPort {port} – Server enables support for LDAPS (LDAP over TLS) on the specified TCP port.
  • --httpsPort {port} – Server enables support for HTTPS for SCIM, the Directory REST API, and the web-based administration console on the specified TCP port.
  • --enableStartTLS – LDAP connection handler enables support for the StartTLS extended operation.
  • --generateSelfSignedCertificate – setup generates a self-signed certificate that is presented to clients that use LDAPS, HTTPS, and the StartTLS extended operation.
  • --useJavaKeyStore {path} – Server uses the specified JKS keystore to obtain the certificate chain that it presents to clients that use LDAPS, HTTPS, and the StartTLS extended operation.
  • --usePKCS12KeyStore {path} – Server uses the specified PKCS #12 keystore to obtain the certificate chain that it presents to clients that use LDAPS, HTTPS, and the StartTLS extended operation.
  • --usePKCS11KeyStore – Server uses a PKCS #11 keystore, like a hardware security module, to obtain the certificate chain that it presents to clients that use LDAPS, HTTPS, and the StartTLS extended operation. The JVM must already be configured to access the appropriate keystore through PKCS #11.
  • --keyStorePassword {password} – Password that is needed to interact with the specified JKS, PKCS #12, or PKCS #11 keystore. The setup tool assumes that the private key password matches the keystore password.
  • --keyStorePasswordFile {path} – Path to the file that contains the password needed to interact with the specified JKS, PKCS #12, or PKCS #11 keystore.
  • --certNickname {alias} – Alias of the private key entry in the specified keystore that contains the certificate chain to present to clients during TLS negotiation. This argument is optional but recommended if the keystore contains multiple certificates.
  • --useJavaTrustStore {path} – Server uses the specified JKS truststore to determine whether to trust certificate chains that are presented to it during TLS negotiation.
  • --usePKCS12TrustStore {path} – Server uses the specified PKCS #12 truststore to determine whether to trust certificate chains that are presented to it during TLS negotiation.
  • --trustStorePassword {password} – Password that is needed to interact with the specified JKS or PKCS #11 truststore.
  • --trustStorePasswordFile {path} – Path to the file that contains the password needed to interact with the specified JKS or PKCS #11 truststore.

The following example command sets up PingDirectory Server in non-interactive mode with an existing certificate:

$ ./setup \
     --no-prompt \
     --acceptLicense \
     --ldapPort 389 \
     --ldapsPort 636 \
     --httpsPort 443 \
     --enableStartTLS \
     --useJavaKeyStore config/keystore \
     --keyStorePasswordFile config/keystore.pin \
     --certNickname server-cert \
     --useJavaTrustStore config/truststore \
     --trustStorePasswordFile config/truststore.pin \
     --baseDN dc=example,dc=com \
     --rootUserDN "cn=Directory Manager" \
     --rootUserPasswordFile root-pw.txt \
     --maxHeapSize 10g \
     --encryptDataWithPassphraseFromFile encryption-settings-password.txt \
     --instanceName ds1 \
     --location Austin \
     --noPropertiesFile
 
 
Ping Identity Directory Server 8.0.0.0
 
Initializing ..... Done
Configuring Directory Server ..... Done
Configuring Certificates ..... Done
Starting Directory Server ..... Done
 
Access product documentation from docs/index.html
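As an added pre-flight check (example code, not part of PingDirectory or its documentation), the following POSIX shell functions validate the keystore arguments before setup runs in non-interactive mode: that the keystore file really has the format implied by --useJavaKeyStore or --usePKCS12KeyStore, that the --keyStorePasswordFile is non-empty and not readable by other users, and, when keytool is on the PATH, that the --certNickname alias is a private key entry. It assumes only sh, od and find; the keystore magic values are the standard JKS (0xFEEDFEED) and DER SEQUENCE (0x30) headers.

```shell
# Print the keystore format guessed from the file's leading bytes:
# JKS files begin with the magic 0xFEEDFEED, PKCS #12 files are a DER SEQUENCE (0x30).
keystore_type() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    feedfeed) echo jks ;;
    30*)      echo pkcs12 ;;
    *)        echo unknown ;;
  esac
}

# A file given to --keyStorePasswordFile or --trustStorePasswordFile must exist,
# be non-empty, and be unreadable by group and others (setup reads it as plain text).
check_pin_file() {
  [ -s "$1" ] || { echo "FAIL: $1 missing or empty" >&2; return 1; }
  if [ -n "$(find "$1" -perm -004)" ] || [ -n "$(find "$1" -perm -040)" ]; then
    echo "FAIL: $1 is readable by group or others" >&2; return 1
  fi
}

# preflight <jks|pkcs12> <keystore-path> <keystore-pin-file> <cert-nickname>
# Returns 0 only when the keystore format matches the chosen flag, the PIN file
# passes check_pin_file and (if keytool is available) the alias is a key entry.
preflight() {
  fmt=$1 ks=$2 pin=$3 alias=$4 rc=0
  [ -r "$ks" ] || { echo "FAIL: keystore $ks not readable" >&2; return 1; }
  actual=$(keystore_type "$ks")
  if [ "$actual" != "$fmt" ]; then
    echo "FAIL: $ks looks like $actual but the $fmt flag was chosen" >&2; rc=1
  fi
  check_pin_file "$pin" || rc=1
  # keytool -storepass:file reads the PIN from the same file setup will use.
  if [ "$rc" -eq 0 ] && command -v keytool >/dev/null 2>&1; then
    if ! keytool -list -keystore "$ks" -storetype "$fmt" -storepass:file "$pin" \
         -alias "$alias" 2>/dev/null | grep -q PrivateKeyEntry; then
      echo "FAIL: alias $alias is not a private key entry in $ks" >&2; rc=1
    fi
  fi
  return $rc
}
```

Run it as, for example, `preflight jks config/keystore config/keystore.pin server-cert` with the same paths you intend to pass to setup, and only proceed when it exits 0.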