Page created: 15 Jul 2022 | Page updated: 11 Jul 2023 | 3 min read
Product: PingDirectory 9.2 (PingDirectoryProxy) | Capability: Directory | Content type: Product documentation, Administration, User task, Configuration | Audience: IT Administrator, Administrator, System Administrator | Deployment method: Software
By default, the PingDirectoryProxy server authenticates to the PingDirectory server using LDAP simple authentication with a bind DN and a password. You can configure the PingDirectoryProxy server to use Simple Authentication and Security Layer (SASL) EXTERNAL to authenticate to the PingDirectory server with a client certificate.
- Create a Java KeyStore (JKS) that includes a public and private key pair for a certificate that the PingDirectoryProxy server instances will use to authenticate to the PingDirectory instances.
  - Run the following command in the instance root of one of the PingDirectoryProxy server instances.
    $ keytool -genkeypair \
        -keystore config/proxy-user-keystore \
        -storetype JKS \
        -keyalg RSA \
        -keysize 2048 \
        -alias proxy-user-cert \
        -dname "cn=Proxy User,cn=Root DNs,cn=config" \
        -validity 7300
  - When prompted for a key store password, enter a strong password to protect the certificate.
  - When prompted for the key password, press Enter to use the key store password to protect the private key.
  - Use a text editor to create a config/proxy-user-keystore.pin file containing a single line that is the key store password provided in the previous step.
  - If there are other PingDirectoryProxy server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pin files into the config directory for all instances.
- To export the public component of the proxy user certificate to a text file, run the following command.
    $ keytool -export \
        -keystore config/proxy-user-keystore \
        -alias proxy-user-cert \
        -file config/proxy-user-cert.txt
- Copy the proxy-user-cert.txt file into the config directory of all directory server instances.
- Import that certificate into each server's primary trust store by running the following command from the server root.
    $ keytool -import \
        -keystore config/truststore \
        -alias proxy-user-cert \
        -file config/proxy-user-cert.txt
  - When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
  - When prompted to trust the certificate, enter yes.
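The steps above run keytool interactively and leave the key store password in a pin file that PingDirectoryProxy reads at startup. The script below is an added example, not taken from the PingDirectory documentation, that performs the same keytool steps non-interactively: it creates the pin file with owner-only permissions before the secret is written, hands the passwords to keytool with its standard -storepass:file and -keypass:file options instead of typing them, and on the directory servers prints the certificate fingerprint (so it can be compared with the exporting proxy) before importing with -noprompt, which replaces the "trust this certificate?" answer. File names, the alias and the DN are the ones used in the steps; the subcommands "provision" and "import" and the functions write_pin_file, provision and import_cert are names chosen for this example, and the password argument is a placeholder you supply. Copying the files between hosts is left to whatever mechanism you already use.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation): non-interactive
# version of the keytool steps for SASL EXTERNAL proxy authentication.
# Passwords are read by keytool from files (-storepass:file / -keypass:file),
# so no secret appears on the command line or in shell history.
set -e

KEYSTORE=config/proxy-user-keystore
PIN_FILE=config/proxy-user-keystore.pin
CERT_FILE=config/proxy-user-cert.txt
ALIAS=proxy-user-cert
PROXY_DN='cn=Proxy User,cn=Root DNs,cn=config'

# write_pin_file FILE PASSWORD: store PASSWORD as the single line of FILE,
# readable only by the owner. The mode is tightened before the secret is
# written, so there is no window in which a group/world-readable file holds it.
write_pin_file() {
  ( umask 077 && : > "$1" )   # create (or truncate) with 0600 for a new file
  chmod 600 "$1"              # also fix the mode if the file already existed
  printf '%s\n' "$2" > "$1"
}

require_keytool() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found in PATH" >&2; exit 1; }
}

# provision PASSWORD: run from the root of one PingDirectoryProxy instance.
# Creates the pin file, the key pair and the exported public certificate.
provision() {
  require_keytool
  write_pin_file "$PIN_FILE" "$1"
  keytool -genkeypair \
    -keystore "$KEYSTORE" \
    -storetype JKS \
    -keyalg RSA \
    -keysize 2048 \
    -alias "$ALIAS" \
    -dname "$PROXY_DN" \
    -validity 7300 \
    -storepass:file "$PIN_FILE" \
    -keypass:file "$PIN_FILE"
  chmod 600 "$KEYSTORE"       # the key store holds the proxy's private key
  keytool -export \
    -keystore "$KEYSTORE" \
    -alias "$ALIAS" \
    -file "$CERT_FILE" \
    -storepass:file "$PIN_FILE"
  echo "Copy $KEYSTORE and $PIN_FILE to the config directory of every other" \
       "proxy instance, and $CERT_FILE to the config directory of every directory server."
}

# import_cert: run from the root of each PingDirectory server after $CERT_FILE
# has been copied in. The trust store password comes from config/truststore.pin,
# the same file the interactive step asks you to read it from.
import_cert() {
  require_keytool
  echo "Compare this fingerprint with the one on the exporting proxy before trusting it:"
  keytool -printcert -file "$CERT_FILE"
  keytool -import \
    -keystore config/truststore \
    -alias "$ALIAS" \
    -file "$CERT_FILE" \
    -storepass:file config/truststore.pin \
    -noprompt
}

case ${1:-} in
  provision) provision "${2:?keystore password required}" ;;
  import)    import_cert ;;
  *)         echo "usage: $0 provision <keystore-password> | import" >&2 ;;
esac
```

Run `sh proxy-cert.sh provision '<password>'` once on a proxy instance, distribute the files, then `sh proxy-cert.sh import` on each directory server. Keeping the pin file at mode 0600 matters because anyone who can read it can unlock the proxy's private key and bind to the directory servers as the proxy user.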
- To update the configuration for each PingDirectoryProxy server instance to create a new key manager provider that will obtain its certificate from the config/proxy-user-keystore file, run the following dsconfig command.
    $ dsconfig create-key-manager-provider \
        --provider-name "Proxy User Certificate" \
        --type file-based \
        --set enabled:true \
        --set key-store-file:config/proxy-user-keystore \
        --set key-store-type:JKS \
        --set key-store-pin-file:config/proxy-user-keystore.pin
- To update the configuration for each LDAP external server in each PingDirectoryProxy server instance to use the newly created key manager provider, and to use SASL EXTERNAL authentication instead of LDAP simple authentication, run the following dsconfig command.
    $ dsconfig set-external-server-prop \
        --server-name ds1.example.com:636 \
        --set authentication-method:external \
        --set "key-manager-provider:Proxy User Certificate"
  After these changes, the PingDirectoryProxy server re-establishes its connections to the LDAP external server and authenticates with SASL EXTERNAL.
- Verify that the PingDirectoryProxy server can communicate with all backend servers by running the bin/status command.
  All of the servers listed in the "--- LDAP External Servers ---" section are available.
- Review the PingDirectory server access log.
  The BIND RESULT log messages used to authenticate the connections from the PingDirectoryProxy server include the following:
    authType="SASL"
    saslMechanism="EXTERNAL"
    resultCode=0
    authDN="cn=Proxy User,cn=Root DNs,cn=config"
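Reading the access log by eye works once; the script below is an added example (not from the PingDirectory documentation) that makes the same check repeatable. It scans an access log for BIND RESULT messages whose authDN is the proxy user and reports every one that is not a successful SASL EXTERNAL bind, which is exactly the signal that a proxy instance is still using LDAP simple authentication, for example because its external server entry was not updated. It also reports when no bind from that DN appears at all, since a proxy that still binds under its old bind DN would otherwise go unnoticed. The sample log lines are constructed for this example and carry only the attributes the documentation names plus a conn attribute (an assumption); real lines contain more attributes, which the parser ignores. The functions field and proxy_bind_problems are names chosen here.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation): audit a PingDirectory
# access log for BIND RESULT messages of the proxy user and report any bind that
# was not a successful SASL EXTERNAL bind.

PROXY_DN='cn=Proxy User,cn=Root DNs,cn=config'

# field LINE NAME: print the value of attribute NAME from an access-log line.
# Quoted values may contain spaces (authDN="cn=Proxy User,..."), unquoted ones
# (resultCode=0) end at the next space. Prints nothing if NAME is absent.
field() {
  case $1 in
    *"$2="*) v=${1#*"$2="} ;;
    *) return 0 ;;
  esac
  case $v in
    \"*) v=${v#\"}; v=${v%%\"*} ;;
    *)   v=${v%% *} ;;
  esac
  printf '%s' "$v"
}

# proxy_bind_problems LOG DN: one output line per BIND RESULT for DN that is not
# authType=SASL + saslMechanism=EXTERNAL + resultCode=0; a NO_BINDS line if DN
# never bound at all. Empty output means every proxy bind was as expected.
proxy_bind_problems() {
  seen=0
  while IFS= read -r line; do
    case $line in *"BIND RESULT"*) ;; *) continue ;; esac
    [ "$(field "$line" authDN)" = "$2" ] || continue
    seen=1
    auth=$(field "$line" authType)
    mech=$(field "$line" saslMechanism)
    rc=$(field "$line" resultCode)
    if [ "$auth" != SASL ] || [ "$mech" != EXTERNAL ] || [ "$rc" != 0 ]; then
      printf 'conn=%s authType=%s saslMechanism=%s resultCode=%s\n' \
        "$(field "$line" conn)" "${auth:-?}" "${mech:-none}" "${rc:-?}"
    fi
  done < "$1"
  [ "$seen" -eq 1 ] || printf 'NO_BINDS: no BIND RESULT for %s found\n' "$2"
}

# Constructed sample log: one leftover simple bind by the proxy user (conn=12),
# two SASL EXTERNAL binds, and one unrelated end-user bind that must be ignored.
SAMPLE_LOG=${TMPDIR:-/tmp}/proxy-bind-audit.$$.log
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[11/Jul/2023:10:00:01 +0000] BIND RESULT conn=12 op=0 authType="SIMPLE" resultCode=0 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[11/Jul/2023:10:00:05 +0000] BIND RESULT conn=13 op=0 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 authDN="cn=Proxy User,cn=Root DNs,cn=config"
[11/Jul/2023:10:00:09 +0000] BIND RESULT conn=14 op=0 authType="SIMPLE" resultCode=0 authDN="uid=jdoe,ou=People,dc=example,dc=com"
[11/Jul/2023:10:00:12 +0000] BIND RESULT conn=15 op=0 authType="SASL" saslMechanism="EXTERNAL" resultCode=0 authDN="cn=Proxy User,cn=Root DNs,cn=config"
EOF

# Expected: exactly one problem line, for conn=12.
proxy_bind_problems "$SAMPLE_LOG" "$PROXY_DN"
```

Against a real server, point it at the access log, for example `proxy_bind_problems logs/access "$PROXY_DN"` from the server root (adjust the path if your access logger writes elsewhere). Running it on every directory server after the change, and again after any proxy restart, confirms that no instance has silently fallen back to simple authentication.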