Install and configure the PingDirectoryProxy server instances to communicate with the backend PingDirectory server instances using either SSL or StartTLS.
  1. Create a Java KeyStore (JKS) that includes a public and private key pair for a certificate that the PingDirectoryProxy server instances will use to authenticate to the PingDirectory instances.
    1. Run the following command in the instance root of one of the PingDirectoryProxy server instances. 
      $ keytool -genkeypair \
  -keystore config/proxy-user-keystore \
  -storetype JKS \
  -keyalg RSA \
  -keysize 2048 \
  -alias proxy-user-cert \
  -dname "cn=Proxy User,cn=Root DNs,cn=config" \
  -validity 7300
    2. When prompted for a key store password, enter a strong password to protect the certificate.
    3. When prompted for the key password, press Enter to use the key store password to protect the private key.
  2. Use a text editor to create a config/proxy-user-keystore.pin file containing a single line that is the key store password provided in the previous step.
  3. If there are other PingDirectoryProxy server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pinfiles into the config directory for all instances.
  4. To export the public component of the proxy user certificate to a text file, run the following command. 
    $ keytool -export \
  -keystore config/proxy-user-keystore \
  -alias proxy-user-cert \
  -file config/proxy-user-cert.txt
  5. Copy the proxy-user-cert.txt file into the config directory of all directory server instances.
    1. Import that certificate into each server's primary trust store by running the following command from the server root. 
      $ keytool -import \
  -keystore config/truststore \
  -alias proxy-user-cert \
  -file config/proxy-user-cert.txt
    2. When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
    3. When prompted to trust the certificate, enter yes.
  6. To update the configuration for each PingDirectoryProxy server instance to create a new key manager provider that will obtain its certificate from the config/proxy-user-keystore file, run the following dsconfig command. 
    $ dsconfig create-key-manager-provider \
  --provider-name "Proxy User Certificate" \
  --type file-based \
  --set enabled:true \
  --set key-store-file:config/proxy-user-keystore \
  --set key-store-type:JKS \
  --set key-store-pin-file:config/proxy-user-keystore.pin
  7. To update the configuration for each LDAP external server in each PingDirectoryProxy server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication, run the following dsconfig command. 
    $ dsconfig set-external-server-prop \
  --server-name ds1.example.com:636 \
  --set authentication-method:external \
  --set "key-manager-provider:Proxy User Certificate"
    After these changes, the PingDirectoryProxy server re-establishes connections to the LDAP external server and authenticate with SASL EXTERNAL.
  8. Verify that the PingDirectoryProxy server can communicate with all backend servers by running the bin/status command.
    All of the servers listed in the "--- LDAP External Servers ---" section are available.
  9. Review the PingDirectory server access log.

    The BIND RESULT log messages used to authenticate the connections from the PingDirectoryProxy server include the following:

    • authType="SASL"
    • saslMechanism="EXTERNAL"
    • resultCode=0
    • authDN="cn=Proxy User,cn=Root DNs,cn=config"