This section describes how to install a standard Directory Proxy Server deployment using the create-initial-proxy-config tool. Remember that you deploy the Directory Proxy Server in pairs. Each pair should be configured identically except for their host name, port, and possibly their location.

  1. After initial installation, select the number to start the create-initial-proxy-config tool automatically. Otherwise, run it manually at the command line from the server root directory, <server-root>/PingDirectoryProxy.
    $ ./bin/create-initial-proxy-config
  2. The initial proxy configuration presents the assumptions about the underlying Directory Server backend servers. If the servers do not meet the requirements, then you can enter "no" to quit the process.
    Some assumptions are made about the topology in order to keep this tool simple:
    
    	1) all servers will be accessible via a single user account
    	2) all servers support the same communication security type
    	3) all servers are PingDirectoryProxy Server, Directory Server,
    	   Java System 5.x, 6.x, or 7.x, or Red Hat (including Fedora and 389) 
    	   directory servers
    
    If your topology does not have these characteristics you can use this tool to define a basic configuration and then use the 'dsconfig' tool or the Administrative Console to
    fine tune the configuration.
    
    Continue? (yes / no) [yes]: 
  3. Enter the DN for the Directory Proxy Server user account, then enter and confirm the password for this account. Note that you should not use cn=Directory Manager account for communication between the Directory Proxy Server and the Directory Server. For security reasons, the account used to communicate between the Directory Proxy Server and the Directory Server should not be directly accessible by clients accessing the Directory Proxy Server. For more information about this account, see Configuring LDAP External Servers.
    Enter the DN of the proxy user account [cn=Proxy User,cn=Root DNs,cn=config]:
    Enter the password for 'cn=Proxy User,cn=Root DNs,cn=config':
    Confirm the password for 'cn=Proxy User,cn=Root DNs,cn=config':
  4. Specify whether you will be using secure communication with the Directory Server instances.
    >>>> External Server Communication Security
    
    Specify the type of security that the Directory Proxy Server will use when communicating with directory server instances:
    
       1)  None
       2)  SSL
       3)  StartTLS
    
       b)  back
       q)  quit
    
    Enter choice [1]:
  5. Specify the base DNs of the Directory Server instances that will be accessed through the Directory Proxy Server. The Directory Proxy Server will create subtree views using each base DN to define portions of the external servers' DIT available for client access. You can specify more than one base DN. Press Enter when you have finished specifying the DN(s).
    Enter a base DN of the directory server instances that will be accessed through the Identity Proxy:
    
        b)  back
        q)  quit
    
    Enter a DN or choose a menu item [dc=example,dc=com]: 
  6. Next, specify if the entries under your defined subtree view will be split across multiple servers in an entry balanced deployment. For this example, press Enter to accept the default ("no").
  7. Define a location for your server, such as the name of your data center or the city where the server is located. This example illustrates defining a location named east.
    Enter a location name or choose a menu item: east
  8. If you defined more than one location, specify the location that contains the Directory Proxy Server itself.
    Choose the location for this Directory Proxy Server
    
        1)  east
        2)  west
    
        b)  back
        q)  quit
    
    Enter choice [1]: 1
  9. Define the hostname:port used by the LDAP external servers. If you have specified more than one location, you will go through this process for each location.
    Enter a host:port or choose a menu item [localhost:389]: ldap-east-01.example.com:389
  10. After each step, the server will attempt to prepare each external server by testing the communication between the Directory Proxy Server and the Directory Server. Select the option "Yes, and all subsequent servers" to indicate that you want the tool to create a proxy user account on all of your LDAP external servers within that location.
    Would you like to prepare ldap-east-01.example.com:389 for access by the Directory Proxy Server?
    
        1) Yes
        2) No
        3) Yes, and all subsequent servers
        4) No, and all subsequent servers
    
    Enter choice [1]: 3
  11. If the proxy user account did not previously exist on your LDAP external server, create the account by connecting as cn=Directory Manager.
    Would you like to create or modify root user 'cn=Proxy User' so that it is available for this Directory Proxy Server? (yes / no) [yes]:
    Enter the DN of an account on ldap-east-01.example.com:389 with which to create or manage the 'cn=Proxy
    User' account [cn=Directory Manager]:    
    
    Enter the password for 'cn=Directory Manager':    
    
    Created 'cn=Proxy User,cn=Root DNs,cn=config' 
    Testing 'cn=Proxy User' privileges ..... Done
    Verifying backend 'dc=example,dc=com' ..... Done    
  12. Repeat steps 9-12 for the servers in the other location. Then, press Enter to finish configuring the location.
  13. Review the configuration summary. Once you have confirmed that the changes are correct, press Enter to write the configuration.
    >>>> Configuration Summary
    
      External Server Security:  SSL
      Proxy User DN:             cn=Proxy User,cn=Root DNs,cn=config
    
      Location east
        Failover Order: west
        Servers: localhost:1636
    
      Location west
        Failover Order: east
        Servers: localhost:2636
    
      Base DN: dc=example,dc=com
        Servers: localhost:1636, localhost:2636
    
    
        b)  back
        q)  quit
        w)  write configuration file
    
    Enter choice [w]:
  14. Next, apply the configuration changes locally to the Directory Proxy Server. If you have any Server SDK extensions, make sure to run the manage-extension tool, then press Enter to apply the changes to the Directory Proxy Server. Alternatively, you can quit and instead run the dsconfig batch file at a later time. Once the changes have been applied, you cannot use the create-initial-proxy-config tool to configure this Directory Proxy Server again. Instead, use the dsconfig tool.
    This tool can apply the configuration changes to the local Identity Proxy. This requires any configured Server SDK extensions to be in place. Do you want to do
    this? (yes / no) [yes]:

    If you open the generated proxy-cfg.txt file or the logs/config-audit.log file, you will see that a configuration element hierarchy has been created: locations, health checks, external servers, load-balancing algorithms, request processors, and subtree views.