Configure the PingDataMetrics server to use SASL EXTERNAL to authenticate to the PingDirectory server with a client certificate.
By default, the PingDataMetrics server authenticates to the PingDirectory server using LDAP simple authentication (with a bind DN and a password).
This procedure assumes that PingDataMetrics server instances are installed and configured to communicate with the backend PingDirectory server instances using either SSL or StartTLS.
Create a Java KeyStore (JKS) that includes a public and private key pair for a
certificate that the PingDataMetrics server
instance will use to authenticate to the PingDirectory server instance.
Run the following command in the instance root of one of the PingDataMetrics server instances.
$ keytool -genkeypair \ -keystore config/metrics-user-keystore \ -storetype JKS \ -keyalg RSA \ -keysize 2048 \ -alias metrics-user-cert \ -dname "cn=Metrics User,cn=Root DNs,cn=config" \ -validity 7300
- When prompted for a keystore password, enter a strong password to protect the certificate.
- When prompted for the key password, press Enter to use the keystore password to protect the private key.
- Run the following command in the instance root of one of the PingDataMetrics server instances.
- Create a config/metrics-user-keystore.pin file that contains a single line that is the keystore password provided in the previous step.
If there are other PingDataMetrics server
instances in the topology, copy the
metrics-user-keystore.pinfiles into the config directory for all instances.
Run the following command to export the public component of the user
certificate to a text file:
$ keytool -export \ -keystore config/metrics-user-keystore \ -alias metrics-user-cert \ -file config/metrics-user-cert.txt
Copy the metrics-user-cert.txt file into the config
directory of all PingDirectory server
Import that certificate into each server's primary trust store by
running the following command from the server root.
$ keytool -import \ -keystore config/truststore \ -alias metrics-user-cert \ -file config/metrics-user-cert.txt
- When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
- When prompted to trust the certificate, enter yes.
- Import that certificate into each server's primary trust store by running the following command from the server root.
Update the configuration for each PingDataMetrics server instance to create a new key
manager provider that will obtain its certificate from the
Run the following
dsconfigcommand from the server root:
$ dsconfig create-key-manager-provider \ --provider-name "Metrics User Certificate" \ --type file-based \ --set enabled:true \ --set key-store-file:config/metrics-user-keystore \ --set key-store-type:JKS \ --set key-store-pin-file:config/metrics-user-keystore.pin
- Run the following
Update the configuration for each LDAP external server in each PingDataMetrics server instance to use the
newly-created key manager provider, and also to use SASL EXTERNAL authentication
instead of LDAP simple authentication.
After these changes, the PingDataMetrics server should re-establish connections to the LDAP external server and authenticate with SASL EXTERNAL.
Run the following
$ dsconfig set-external-server-prop \ --server-name ds1.example.com:636 \ --set authentication-method:external \ --set "key-manager-provider:Metrics User Certificate"
- Run the following
Verify that the PingDataMetrics server is
still able to communicate with all backend servers by running the
All of the servers listed in the "--- LDAP External Servers ---" section should have a status of
Available. Review the PingDirectory server access log can to make sure that the BIND RESULT log messages used to authenticate the connections from the PingDataMetrics server include
authType="SASL", saslMechanism="EXTERNAL", resultCode=0, and
authDN="cn=Metrics User,cn=Root DNs,cn=config".