Tech Tip – PingAuthorize/Ping Data Governance – How to enable TLS for LDAPS/HTTPS listener and use CA signed certs

PingIdentity

Requirement :

Enable TLS (LDAPS and HTTPS) on a PingAuthorize Server after setup, using a certificate signed by an external CA.

Environment :

  • PingAuthorize Server : 8.3.0.0

Instructions :


The high-level steps are as follows:

  1. Create a certificate signing request (this also creates the JKS keystore file and the public/private key pair, and stores the private key in the keystore)
  2. Have the external Root CA sign the CSR and return the server certificate together with the Root CA certificate (outside the scope of this post)
  3. Import the signed certificate and the Root CA certificate into the keystore
  4. Configure the key store provider
  5. Configure the connection handlers (both LDAPS and HTTPS) to use the key store and trust store providers
  6. Restart the PingAuthorize server


a) Manually create a keystore.pin file containing the password you want to use for the keystore

[root@ip-172-31-43-131 PingAuthorize]# cat config/keystore.pin
password
[root@ip-172-31-43-131 PingAuthorize]#

b) Create the certificate signing request (as I intend to use the same certificate for several products in the Ping suite, I have added additional DNS names; this is optional)

bin/manage-certificates generate-certificate-signing-request \
  --output-file ds1-cert.csr \
  --output-format PEM \
  --keystore config/keystore \
  --keystore-password-file config/keystore.pin \
  --keystore-type JKS \
  --alias server-cert \
  --subject-dn "CN=pingaz1.versent.com,O=Versent,C=AU" \
  --key-algorithm EC \
  --key-length-bits 256 \
  --signature-algorithm SHA256withECDSA \
  --subject-alternative-name-dns pingaz.versent.com \
  --subject-alternative-name-dns pingfed.versent.com \
  --subject-alternative-name-dns pingdir.versent.com \
  --subject-alternative-name-dns pingaccess.versent.com \
  --subject-alternative-name-ip-address 127.0.0.1 \
  --subject-alternative-name-ip-address 0:0:0:0:0:0:0:1 \
  --key-usage digital-signature \
  --key-usage key-encipherment \
  --key-usage key-agreement \
  --extended-key-usage server-auth \
  --extended-key-usage client-auth

c) Submit the CSR to the Root CA and obtain the signed server certificate (say pingaz1.cer) and the Root CA certificate (say rootca2.cer) in PEM format

d) Import both the server certificate and the Root CA certificate into the keystore

bin/manage-certificates import-certificate \
  --keystore config/keystore \
  --keystore-password-file config/keystore.pin \
  --alias server-cert \
  --certificate-file /opt/PingIdentity/certs/pingaz1.cer \
  --certificate-file /opt/PingIdentity/certs/rootca2.cer

Sample output :

e) Configure the key store provider

bin/dsconfig --offline set-key-manager-provider-prop \
  --provider-name JKS \
  --set enabled:true \
  --set key-store-file:config/keystore \
  --set key-store-pin-file:config/keystore.pin

f) Configure the LDAPS connection handler to use the file-based JKS key store and trust store providers and the server certificate selected by its alias

bin/dsconfig set-connection-handler-prop --offline \
  --handler-name "LDAPS Connection Handler" \
  --set enabled:true \
  --set key-manager-provider:JKS \
  --set trust-manager-provider:JKS \
  --set ssl-cert-nickname:server-cert \
  --set ssl-client-auth-policy:optional

g) Configure the HTTPS connection handler to use the file-based JKS key store and trust store providers and the server certificate selected by its alias

bin/dsconfig set-connection-handler-prop --offline \
  --handler-name "HTTPS Connection Handler" \
  --set enabled:true \
  --set listen-port:443 \
  --set key-manager-provider:JKS \
  --set trust-manager-provider:JKS \
  --set ssl-cert-nickname:server-cert

Testing :
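Once the server has been restarted (step 6), the following added check script (not from the original post or from Ping) verifies what the procedure above was meant to achieve: each listener completes a TLS handshake, the presented chain validates against the Root CA certificate that was imported, the hostname matches, and the certificate carries the SAN names requested in the CSR. The hostname, the LDAPS port 636 and the certificate path are assumptions; adjust them to your deployment.

```python
"""Post-restart check of the LDAPS/HTTPS listeners (added example, not part of the original post)."""
import socket
import ssl
import time

# Assumptions matching the CSR above: adjust host, ports and Root CA path to your deployment.
HOST = "pingaz1.versent.com"
ROOT_CA = "/opt/PingIdentity/certs/rootca2.cer"   # Root CA PEM imported alongside the server cert
LISTENERS = {"LDAPS": 636, "HTTPS": 443}           # 636 is assumed; 443 is set on the HTTPS handler
EXPECTED_DNS = {"pingaz1.versent.com", "pingaz.versent.com", "pingfed.versent.com",
                "pingdir.versent.com", "pingaccess.versent.com"}


def san_entries(cert):
    """Group a getpeercert() dict's subjectAltName tuples by type, e.g. {'DNS': {...}, 'IP Address': {...}}."""
    grouped = {}
    for san_type, value in cert.get("subjectAltName", ()):
        grouped.setdefault(san_type, set()).add(value)
    return grouped


def missing_dns_sans(cert, expected=EXPECTED_DNS):
    """Return the expected DNS names that the presented certificate does NOT carry."""
    return set(expected) - san_entries(cert).get("DNS", set())


def days_until_expiry(cert, now=None):
    """Days until notAfter; a negative value means the certificate has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def probe(host, port, cafile=ROOT_CA):
    """Handshake with one listener, validating the chain against the Root CA and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verification, modern TLS defaults
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    for name, port in LISTENERS.items():
        version, cert = probe(HOST, port)
        print(f"{name} :{port} {version}, expires in {days_until_expiry(cert):.0f} days")
        missing = missing_dns_sans(cert)
        print("  SANs OK" if not missing else f"  missing SANs: {sorted(missing)}")
```

A handshake failure here usually means the handler still serves the old self-signed certificate (restart not done, or ssl-cert-nickname not matching the alias) or the client does not trust the Root CA.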
