Install and configure PingDirectoryProxy Server instances to communicate with the backend PingDirectory Server instances using either SSL or StartTLS.
  1. Create a Java KeyStore (JKS) that includes a public and private key pair for a certificate that the PingDirectoryProxy Server instances will use to authenticate to the Directory Server instances.
    1. Run the following command in the instance root of one of the PingDirectoryProxy Server instances.
      $ keytool -genkeypair \
        -keystore config/proxy-user-keystore \
        -storetype JKS \
        -keyalg RSA \
        -keysize 2048 \
        -alias proxy-user-cert \
        -dname "cn=Proxy User,cn=Root DNs,cn=config" \
        -validity 7300
    2. When prompted for a key store password, enter a strong password to protect the certificate.
    3. When prompted for the key password, press Enter to use the key store password to protect the private key.
  2. Use a text editor to create a config/ file containing a single line that is the key store password provided in the previous step.
  3. If there are other PingDirectoryProxy Server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pin files into the config directory of all instances.
  4. To export the public component of the proxy user certificate to a text file, run the following command.
    $ keytool -export \
      -keystore config/proxy-user-keystore \
      -alias proxy-user-cert \
      -file config/proxy-user-cert.txt
  5. Copy the proxy-user-cert.txt file into the config directory of all Directory Server instances.
    1. Import that certificate into each server's primary trust store by running the following command from the server root.
      $ keytool -import \
        -keystore config/truststore \
        -alias proxy-user-cert \
        -file config/proxy-user-cert.txt
    2. When prompted for the keystore password, enter the password contained in the config/ file.
    3. When prompted to trust the certificate, enter yes.
  6. To update the configuration for each PingDirectoryProxy Server instance to create a new key manager provider that will obtain its certificate from the config/proxy-user-keystore file, run the following dsconfig command.
    $ dsconfig create-key-manager-provider \
      --provider-name "Proxy User Certificate" \
      --type file-based \
      --set enabled:true \
      --set key-store-file:config/proxy-user-keystore \
      --set key-store-type:JKS \
      --set key-store-pin-file:config/
  7. To update the configuration for each LDAP external server in each PingDirectoryProxy Server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication, run the following dsconfig command.
    $ dsconfig set-external-server-prop \
      --server-name \
      --set authentication-method:external \
      --set "key-manager-provider:Proxy User Certificate"
    After these changes, the PingDirectoryProxy Server re-establishes its connections to the LDAP external server and authenticates with SASL EXTERNAL.
  8. Verify that the PingDirectoryProxy Server can communicate with all backend servers by running the bin/status command.
    All of the servers listed in the "--- LDAP External Servers ---" section should be reported as available.
  9. Review the Directory Server access log.

    The BIND RESULT log messages used to authenticate the connections from the PingDirectoryProxy Server include the following:

    • authType="SASL"
    • saslMechanism="EXTERNAL"
    • resultCode=0
    • authDN="cn=Proxy User,cn=Root DNs,cn=config"
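As an added example for the access-log review in the final step (this script is not part of the PingDirectory documentation and does not ship with the product), the following POSIX shell functions scan a Directory Server access log and confirm that every BIND RESULT recorded for the proxy user used SASL EXTERNAL and succeeded. Any proxy bind that still shows authType="SIMPLE", or that carries a non-zero resultCode, indicates that the external-server change above has not taken effect on some proxy instance or that the proxy certificate is not trusted. The sample log lines are constructed here; their field layout approximates the Directory Server access-log format but is an assumption, so adjust the patterns if your log differs.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation): verify from a
# Directory Server access log that every BIND RESULT for the proxy user
# used SASL EXTERNAL and succeeded (resultCode=0).

PROXY_DN='cn=Proxy User,cn=Root DNs,cn=config'

# Constructed sample log: all proxy binds compliant (format is assumed).
GOOD_LOG=$(mktemp)
cat > "$GOOD_LOG" <<'EOF'
[01/Jan/2024:12:00:00.001 +0000] CONNECT conn=12 from="10.0.0.5:51234" to="10.0.0.10:636" protocol="LDAPS"
[01/Jan/2024:12:00:00.005 +0000] BIND RESULT conn=12 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=0.412 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:12:00:00.010 +0000] BIND RESULT conn=13 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=0.398 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:12:00:01.000 +0000] BIND RESULT conn=14 op=0 msgID=1 authType="SIMPLE" resultCode=0 etime=0.201 authDN="uid=app,ou=People,dc=example,dc=com"
EOF

# Constructed sample log: one proxy instance still binds with simple auth
# (step 7 not applied) and one SASL EXTERNAL bind failed (resultCode=49).
BAD_LOG=$(mktemp)
cat > "$BAD_LOG" <<'EOF'
[01/Jan/2024:12:05:00.005 +0000] BIND RESULT conn=20 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 etime=0.377 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:12:05:00.011 +0000] BIND RESULT conn=21 op=0 msgID=1 authType="SIMPLE" resultCode=0 etime=0.180 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[01/Jan/2024:12:05:00.020 +0000] BIND RESULT conn=22 op=0 msgID=1 authType="SASL" saslMechanism="EXTERNAL" resultCode=49 etime=0.290 authDN="cn=Proxy User,cn=Root DNs,cn=config"
EOF

# All BIND RESULT lines attributed to the proxy user, regardless of outcome.
proxy_bind_lines() {
    grep 'BIND RESULT' "$1" | grep -F "authDN=\"$PROXY_DN\""
}

# Number of proxy-user bind results in the log.
count_proxy_binds() {
    proxy_bind_lines "$1" | wc -l | tr -d ' '
}

# Number of proxy-user bind results that are NOT (SASL + EXTERNAL + success).
# Fields are matched independently so their order in the line does not matter.
count_noncompliant_proxy_binds() {
    proxy_bind_lines "$1" | awk '
        !(/authType="SASL"/ && /saslMechanism="EXTERNAL"/ && /resultCode=0[^0-9]/) { n++ }
        END { print n + 0 }'
}

# Succeeds (exit 0) only if the proxy user bound at least once and every
# such bind used SASL EXTERNAL and succeeded.
proxy_binds_ok() {
    total=$(count_proxy_binds "$1")
    bad=$(count_noncompliant_proxy_binds "$1")
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Demonstration against the constructed logs.
for log in "$GOOD_LOG" "$BAD_LOG"; do
    if proxy_binds_ok "$log"; then
        echo "$log: all $(count_proxy_binds "$log") proxy binds used SASL EXTERNAL"
    else
        echo "$log: $(count_noncompliant_proxy_binds "$log") non-compliant proxy bind(s) found"
    fi
done
```

Run it against a real log by replacing the constructed files with the path to logs/access on a Directory Server instance; a non-zero count from count_noncompliant_proxy_binds is the condition worth alerting on after the cutover, because it means a proxy is still presenting a password over the wire or its certificate is not being accepted.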