Configure the PingDataMetrics Server to use SASL EXTERNAL to authenticate to the PingDirectory Server with a client certificate.
By default, the PingDataMetrics Server authenticates to the PingDirectory Server using LDAP simple authentication (with a bind DN and a password).
This procedure assumes that PingDataMetrics Server instances are installed and configured to communicate with the backend PingDirectory Server instances using either SSL or StartTLS.
-
Create a Java KeyStore (JKS) that includes a public and private key pair for a
certificate that the PingDataMetrics Server instance will use to authenticate to
the PingDirectory Server instance.
-
Run the following command in the instance root of one of the
PingDataMetrics Server instances.
$ keytool -genkeypair \ -keystore config/metrics-user-keystore \ -storetype JKS \ -keyalg RSA \ -keysize 2048 \ -alias metrics-user-cert \ -dname "cn=Metrics User,cn=Root DNs,cn=config" \ -validity 7300
- When prompted for a keystore password, enter a strong password to protect the certificate.
- When prompted for the key password, press Enter to use the keystore password to protect the private key.
-
Run the following command in the instance root of one of the
PingDataMetrics Server instances.
- Create a config/metrics-user-keystore.pin file that contains a single line that is the keystore password provided in the previous step.
-
If there are other PingDataMetrics Server instances in the topology, copy the
metrics-user-keystore
andmetrics-user-keystore.pin
files into the config directory for all instances. -
Run the following command to export the public component of the user
certificate to a text file:
$ keytool -export \ -keystore config/metrics-user-keystore \ -alias metrics-user-cert \ -file config/metrics-user-cert.txt
-
Copy the metrics-user-cert.txt file into the config
directory of all PingDirectory Server instances.
-
Import that certificate into each server's primary trust store by
running the following command from the server root.
$ keytool -import \ -keystore config/truststore \ -alias metrics-user-cert \ -file config/metrics-user-cert.txt
- When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
- When prompted to trust the certificate, enter yes.
-
Import that certificate into each server's primary trust store by
running the following command from the server root.
-
Update the configuration for each PingDataMetrics Server instance to create a
new key manager provider that will obtain its certificate from the
config/metrics-user-keystore file.
-
Run the following
dsconfig
command from the server root:$ dsconfig create-key-manager-provider \ --provider-name "Metrics User Certificate" \ --type file-based \ --set enabled:true \ --set key-store-file:config/metrics-user-keystore \ --set key-store-type:JKS \ --set key-store-pin-file:config/metrics-user-keystore.pin
-
Run the following
-
Update the configuration for each LDAP external server in each PingDataMetrics
Server instance to use the newly-created key manager provider, and also to use
SASL EXTERNAL authentication instead of LDAP simple authentication.
-
Run the following
dsconfig
command:$ dsconfig set-external-server-prop \ --server-name ds1.example.com:636 \ --set authentication-method:external \ --set "key-manager-provider:Metrics User Certificate"
After these changes, the PingDataMetrics Server should re-establish connections to the LDAP external server and authenticate with SASL EXTERNAL. -
Run the following
-
Verify that the PingDataMetrics Server is still able to communicate with all
backend servers by running the
bin/status
command.Note:All of the servers listed in the "--- LDAP External Servers ---" section should have a status of
Available
. Review the PingDirectory Server access log can to make sure that the BIND RESULT log messages used to authenticate the connections from the PingDataMetrics Server includeauthType="SASL", saslMechanism="EXTERNAL", resultCode=0
, andauthDN="cn=Metrics User,cn=Root DNs,cn=config"
.