After the server connection handlers are updated to enable TLS, update the topology registry to provide information about the new configuration. The topology registry holds information about server instances that are part of the environment, and it helps to facilitate inter-server communication such as replication, mirroring portions of the configuration, and PingDirectory Server's automatic backend server-discovery functionality.
The following types of entries require updating:
- Server instance listener configuration – Provides information that is needed to trust the TLS certificates that instances in the topology present.
- Server instance configuration – Provides information about options for communicating with those instances.
The server instance listener configuration must include the server certificate, which is defined as the certificate at the head of the chain. This version must be the multi-line, PEM-formatted representation of the certificate. You can use dsconfig to import the certificate from a file, as the following example shows:
bin/dsconfig set-server-instance-listener-prop \ --instance-name ds1 \ --listener-name ldap-listener-mirrored-config \ --set server-ldap-port:636 \ --set connection-security:ssl \ --set 'listener-certificate>/ca/ds1-cert.pem'
The less-than operator (
>) in the final line indicates that the value is
read from a file rather than provided directly. In addition, you may not need to
enclose the property name and path within single straight quotes to prevent the
shell from interpreting the less-than symbol as an attempt to redirect input.
Update the server instance configuration object to reflect the new methods that are available for communication with the instance. For example, the preferred-security property identifies the mechanism by which other instances in the topology attempt to communicate with the instance. The following code sets the LDAPS and HTTPS ports, indicate that StartTLS support is enabled, and instructs other instances to use SSL (LDAPS) when communicating with the instance:
dsconfig set-server-instance-prop \ --instance-name ds1 \ --set ldaps-port:636 \ --set https-port:443 \ --set preferred-security:ssl \ --set start-tls-enabled:true