By default, the Directory Proxy Server authenticates to the Directory Server using LDAP simple authentication (with a bind DN and a password). However, the Directory Proxy Server can be configured to use SASL EXTERNAL to authenticate to the Directory Server with a client certificate.

Before you begin, the Directory Proxy Server instances must be installed and configured to communicate with the backend Directory Server instances using either SSL or StartTLS. After the servers are configured, perform the following steps to configure SASL EXTERNAL authentication.

  1. Create a JKS keystore that includes a public and private key pair for a certificate that the Directory Proxy Server instance(s) will use to authenticate to the Directory Server instance(s). Run the following command in the instance root of one of the Directory Proxy Server instances. When prompted for a keystore password, enter a strong password to protect the certificate. When prompted for the key password, press ENTER to use the keystore password to protect the private key:
    $ keytool -genkeypair \
      -keystore config/proxy-user-keystore \
      -storetype JKS \
      -keyalg RSA \
      -keysize 2048 \
      -alias proxy-user-cert \
      -dname "cn=Proxy User,cn=Root DNs,cn=config" \
      -validity 7300
  2. Create a config/proxy-user-keystore.pin file that contains a single line that is the keystore password provided in the previous step.
  3. If there are other Directory Proxy Server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pin files into the config directory for all instances.
  4. Use the following command to export the public component of the proxy user certificate to a text file:
    $ keytool -export \
      -keystore config/proxy-user-keystore \
      -alias proxy-user-cert \
      -file config/proxy-user-cert.txt
  5. Copy the proxy-user-cert.txt file into the config directory of all Directory Server instances. Import that certificate into each server's primary trust store by running the following command from the server root. When prompted for the keystore password, enter the password contained in the config/truststore.pin file. When prompted to trust the certificate, enter yes.
    $ keytool -import \
      -keystore config/truststore \
      -alias proxy-user-cert \
      -file config/proxy-user-cert.txt
  6. Update the configuration for each Directory Proxy Server instance to create a new key manager provider that will obtain its certificate from the config/proxy-user-keystore file. Run the following dsconfig command:
    $ dsconfig create-key-manager-provider \
      --provider-name "Proxy User Certificate" \
      --type file-based \
      --set enabled:true \
      --set key-store-file:config/proxy-user-keystore \
      --set key-store-type:JKS \
      --set key-store-pin-file:config/proxy-user-keystore.pin
  7. Update the configuration for each LDAP external server in each Directory Proxy Server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication. Run the following dsconfig command:
    $ dsconfig set-external-server-prop \
      --server-name ds1.example.com:636 \
      --set authentication-method:external \
      --set "key-manager-provider:Proxy User Certificate"

After these changes, the Directory Proxy Server should re-establish connections to the LDAP external server and authenticate with SASL EXTERNAL. Verify that the Directory Proxy Server is still able to communicate with all backend servers by running the bin/status command. All of the servers listed in the "--- LDAP External Servers ---" section should be available. Review the Directory Server access log to make sure that the BIND RESULT log messages used to authenticate the connections from the Directory Proxy Server include authType="SASL", saslMechanism="EXTERNAL", resultCode=0, and authDN="cn=Proxy User,cn=Root DNs,cn=config".
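
The access log review described above can be scripted. The following is an added example, not part of the product or its documentation: it classifies BIND RESULT lines and reports proxy binds that still use simple authentication, as well as rejected EXTERNAL binds. The sample log lines are constructed, and the function names and the line layout beyond the four fields named above are assumptions.

```python
import re
from collections import Counter

# DN the proxy certificate should authenticate as (from the procedure above).
PROXY_DN = "cn=Proxy User,cn=Root DNs,cn=config"
# Matches key=value and key="quoted value" pairs in a log line.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines: only the fields the page names are relied on;
# timestamps, conn/op numbers and the uid=jdoe DN are made up.
SAMPLE_LOG = '''\
[01/Jan/2024:10:00:00 +0000] BIND RESULT conn=1 op=0 resultCode=0 authType="SASL" saslMechanism="EXTERNAL" authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:10:00:01 +0000] BIND RESULT conn=2 op=0 resultCode=0 authType="SIMPLE" authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:10:00:02 +0000] BIND RESULT conn=3 op=0 resultCode=49 authType="SASL" saslMechanism="EXTERNAL"
[01/Jan/2024:10:00:03 +0000] BIND RESULT conn=4 op=0 resultCode=0 authType="SIMPLE" authDN="uid=jdoe,ou=People,dc=example,dc=com"
[01/Jan/2024:10:00:04 +0000] SEARCH RESULT conn=1 op=1 resultCode=0
'''

def norm_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def classify(line):
    """Return None for non-bind lines, else (category, conn)."""
    if " BIND RESULT " not in line:
        return None
    f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
         for m in FIELD_RE.finditer(line)}
    external = (f.get("authType") == "SASL"
                and f.get("saslMechanism") == "EXTERNAL")
    is_proxy = norm_dn(f.get("authDN", "")) == norm_dn(PROXY_DN)
    ok = f.get("resultCode") == "0"
    if external and ok and is_proxy:
        category = "ok"
    elif external and not ok:
        category = "external_failed"     # EXTERNAL bind was rejected
    elif is_proxy and ok:
        category = "proxy_not_external"  # proxy DN still using another bind type
    else:
        category = "other"               # binds unrelated to this check
    return category, f.get("conn")

def audit(log_text):
    """Count bind categories; return (counts, findings needing attention)."""
    results = [r for r in map(classify, log_text.splitlines()) if r]
    findings = [r for r in results if r[0] in ("external_failed", "proxy_not_external")]
    return Counter(r[0] for r in results), findings

if __name__ == "__main__": print(audit(SAMPLE_LOG))
```

A `proxy_not_external` finding points to an LDAP external server definition that was not updated in step 7; the `conn` value identifies the connection to trace in the access log.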