By default, the PingDirectoryProxy Server authenticates to the PingDirectory Server using LDAP simple authentication with a bind DN and a password. You can configure the Directory Proxy Server to use Simple Authentication and Security Layer (SASL) EXTERNAL to authenticate to the Directory Server with a client certificate.
-
Create a Java KeyStore (JKS) that includes a public and private key pair for a
certificate that the PingDirectoryProxy Server instances will use to
authenticate to the Directory Server instances.
-
Run the following command in the instance root of one of the PingDirectoryProxy Server instances.
$ keytool -genkeypair \ -keystore config/proxy-user-keystore \ -storetype JKS \ -keyalg RSA \ -keysize 2048 \ -alias proxy-user-cert \ -dname "cn=Proxy User,cn=Root DNs,cn=config" \ -validity 7300
- When prompted for a key store password, enter a strong password to protect the certificate.
- When prompted for the key password, press Enter to use the key store password to protect the private key.
-
Run the following command in the instance root of one of the PingDirectoryProxy Server instances.
- Use a text editor to create a config/proxy-user-keystore.pin file containing a single line that is the key store password provided in the previous step.
- If there are other PingDirectoryProxy Server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pinfiles into the config directory for all instances.
-
To export the public component of the proxy user certificate to a text file, run
the following command.
$ keytool -export \ -keystore config/proxy-user-keystore \ -alias proxy-user-cert \ -file config/proxy-user-cert.txt
-
Copy the proxy-user-cert.txt file into the
config directory of all Directory Server instances.
-
Import that certificate into each server's primary trust store by running the
following command from the server root.
$ keytool -import \ -keystore config/truststore \ -alias proxy-user-cert \ -file config/proxy-user-cert.txt
- When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
- When prompted to trust the certificate, enter yes.
-
Import that certificate into each server's primary trust store by running the
following command from the server root.
-
To update the configuration for each PingDirectoryProxy Server instance to
create a new key manager provider that will obtain its certificate from the
config/proxy-user-keystore file, run the following
dsconfig command.
$ dsconfig create-key-manager-provider \ --provider-name "Proxy User Certificate" \ --type file-based \ --set enabled:true \ --set key-store-file:config/proxy-user-keystore \ --set key-store-type:JKS \ --set key-store-pin-file:config/proxy-user-keystore.pin
-
To update the configuration for each LDAP external server in each PingDirectoryProxy Server instance to use the newly-created key manager provider,
and also to use SASL EXTERNAL authentication instead of LDAP simple authentication,
run the following dsconfig command.
$ dsconfig set-external-server-prop \ --server-name ds1.example.com:636 \ --set authentication-method:external \ --set "key-manager-provider:Proxy User Certificate"
After these changes, the PingDirectoryProxy Server re-establishes connections to the LDAP external server and authenticate with SASL EXTERNAL. -
Verify that the PingDirectoryProxy Server can communicate with all backend
servers by running the bin/status command.
All of the servers listed in the "--- LDAP External Servers ---" section are available.
-
Review the Directory Server access log.
The BIND RESULT log messages used to authenticate the connections from the PingDirectoryProxy Server include the following:
authType="SASL"
saslMechanism="EXTERNAL"
resultCode=0
authDN="cn=Proxy User,cn=Root DNs,cn=config"