You can configure ABS to verify the validity of MongoDB server certificate, when it tries to connect with MongoDB. This is an optional check and the following diagram shows the summary of steps involved in this verification.
- Check if the mongo_ssl parameter in the /<pi_install_path>/pingidentity/abs/config/abs.properties file is set true.
- Check if the mongo_certificate parameter in the /<pi_install_path>/pingidentity/abs/config/abs.properties file is set true.
- Import the MongoDB Server certificate into the abs.jks
truststore, using either of the following commands as applicable. The commands
prompt for a
destination keystore password, and the password entered should be same as the jks_password configured in the abs.properties file.
# keytool -import -file <mongodb-cert.crt> -storetype JKS -keystore /<pi_install_path>/pingidentity/abs/config/ssl/abs.jksIf the MongoDB server certificate is in .pem format then use the following command to import the certificate in to the ABS truststore.
# keytool -import -v -trustcacerts -file server.pem -keystore /<pi_install_path>/pingidentity/abs/config/ssl/abs.jks -storetype JKS
When ABS starts, it loads the certificates available in abs.jks truststore. If the server certificate presented by MongoDB gets validated, ABS connects with it and completes the booting.
CertificateExceptionis thrown by ABS. The error is logged in /<pi_install_ path>/pingidentity/abs/abs.log.
Using a CA-signed certificate
You can also use a CA-signed certificate to verify the MongoDB server certificate. For that, import your existing CA-signed certificate into ABS by following the instructions explained in Import existing CA-signed certificates. Once the certificate is imported, complete Step-1 through Step-3 above so that ABS can verify MongoDB server certificate.