Requirement :
Enable TLS (LDAPS & HTTPS) after setup of PingAuthorize Server using an external CA-signed certificate.
Environment :
- PingAuthorize Server : 8.3.0.0
Instructions :
The high-level steps are the following :
- Create a certificate signing request (this also creates the JKS keystore file and the public/private key pair, and stores the private key in the keystore)
- Have the external root CA sign the CSR and return the server certificate as well as the root CA certificate (this is outside the scope of this post)
- Import the signed server certificate and the root CA certificate into the keystore
- Configure the key store provider
- Configure the connection handlers (both LDAPS and HTTPS) to use the key store and trust store providers
- Restart the PingAuthorize server
a) Manually create a keystore.pin file containing the password that you want to use for the keystore
[root@ip-172-31-43-131 PingAuthorize]# cat config/keystore.pin
password
[root@ip-172-31-43-131 PingAuthorize]#
b) Create the certificate signing request (as I intend to use the same cert for multiple products of the Ping suite, I have added additional DNS names; this is optional)
bin/manage-certificates generate-certificate-signing-request \
--output-file ds1-cert.csr \
--output-format PEM \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--keystore-type JKS \
--alias server-cert \
--subject-dn "CN=pingaz1.versent.com,O=Versent,C=AU" \
--key-algorithm EC \
--key-length-bits 256 \
--signature-algorithm SHA256withECDSA \
--subject-alternative-name-dns pingaz.versent.com \
--subject-alternative-name-dns pingfed.versent.com \
--subject-alternative-name-dns pingdir.versent.com \
--subject-alternative-name-dns pingaccess.versent.com \
--subject-alternative-name-ip-address 127.0.0.1 \
--subject-alternative-name-ip-address 0:0:0:0:0:0:0:1 \
--key-usage digital-signature \
--key-usage key-encipherment \
--key-usage key-agreement \
--extended-key-usage server-auth \
--extended-key-usage client-auth
c) Submit the CSR to the root CA and obtain the signed server cert (say pingaz1.cer) and the root CA cert (say rootca2.cer) in PEM format
d) Import both the server cert and the root CA cert into the keystore
bin/manage-certificates import-certificate \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--alias server-cert \
--certificate-file /opt/PingIdentity/certs/pingaz1.cer \
--certificate-file /opt/PingIdentity/certs/rootca2.cer
Sample output :
e) Configure the key manager provider
bin/dsconfig --offline set-key-manager-provider-prop \
--provider-name JKS \
--set enabled:true \
--set key-store-file:config/keystore \
--set key-store-pin-file:config/keystore.pin
f) Configure the LDAPS connection handler to use the file-based JKS key store and trust store providers and the server certificate identified by its alias
bin/dsconfig set-connection-handler-prop --offline \
--handler-name "LDAPS Connection Handler" \
--set enabled:true \
--set key-manager-provider:JKS \
--set trust-manager-provider:JKS \
--set ssl-cert-nickname:server-cert \
--set ssl-client-auth-policy:optional
g) Configure the HTTPS connection handler to use the file-based JKS key store and trust store providers and the server certificate identified by its alias
bin/dsconfig set-connection-handler-prop --offline \
--handler-name "HTTPS Connection Handler" \
--set enabled:true \
--set listen-port:443 \
--set key-manager-provider:JKS \
--set trust-manager-provider:JKS \
--set ssl-cert-nickname:server-cert
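After the restart, two things are worth checking that the steps above do not show: that config/keystore.pin, which holds the keystore password in clear text, is readable only by the account the server runs as, and that each TLS listener actually presents a chain that verifies against the root CA and carries the name clients connect with in its subject alternative names (modern clients ignore the CN, and the CSR above lists pingaz.versent.com and the other product names as SANs but not the CN pingaz1.versent.com, so verify the name your clients use is present). The script below is an added example, not part of the original post or of the PingAuthorize tooling. It assumes openssl is installed on the host, that LDAPS listens on 636 (the post only states the HTTPS port, 443), and it reuses the /opt/PingIdentity/certs/rootca2.cer path and the host names from the post; pin_file_is_private, san_contains and tls_probe are helper names chosen here.

```shell
#!/bin/sh
# Added post-restart TLS verification helpers (example code, not Ping Identity's).
# Assumes: openssl on PATH; LDAPS on 636 (assumption), HTTPS on 443 (from the post);
# rootca2.cer is the PEM root CA certificate obtained in step c).

# Return 0 if the file exists and has no group/other permission bits (mode 600 or
# stricter), 1 otherwise. Columns 5-10 of `ls -ld` are the group and other bits.
pin_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# $1: subjectAltName line as printed by `openssl x509 -text`, e.g.
#     "DNS:pingaz.versent.com, DNS:pingfed.versent.com, IP Address:127.0.0.1"
# $2: exact entry to look for, e.g. "DNS:pingfed.versent.com"
# Entries are split on commas and compared as whole fixed strings, so
# "DNS:pingaz.versent.com" does not match "DNS:pingaz.versent.com.au".
san_contains() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF -- "$2"
}

# tls_probe HOST PORT CAFILE EXPECTED_SAN
# Handshakes with the listener, fails if the presented chain does not verify
# against CAFILE, then checks the leaf certificate's SAN list and its expiry
# (warns if it expires within 30 days).
tls_probe() {
    host="$1"; port="$2"; cafile="$3"; expected="$4"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$cafile" -verify_return_error </dev/null 2>&1) || {
        echo "FAIL $host:$port chain did not verify against $cafile"
        return 1
    }
    # s_client prints the leaf certificate in PEM form; extract just that block.
    leaf=$(printf '%s\n' "$out" \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
    san_line=$(printf '%s\n' "$leaf" | openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    if ! san_contains "$san_line" "$expected"; then
        echo "FAIL $host:$port leaf certificate SANs [$san_line] lack $expected"
        return 1
    fi
    if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "WARN $host:$port leaf certificate expires within 30 days"
    fi
    echo "OK   $host:$port chain verified, SAN $expected present"
    return 0
}

# Live probes run only when invoked as: sh verify-tls.sh run
if [ "${1:-}" = "run" ]; then
    pin_file_is_private config/keystore.pin \
        || echo "WARN config/keystore.pin is readable by group or other; chmod 600 it"
    tls_probe pingaz1.versent.com 636 /opt/PingIdentity/certs/rootca2.cer DNS:pingaz.versent.com
    tls_probe pingaz1.versent.com 443 /opt/PingIdentity/certs/rootca2.cer DNS:pingaz.versent.com
fi
```

Run it from the PingAuthorize install directory so the relative config/keystore.pin path resolves; swap the last argument of tls_probe for whichever DNS name your clients actually use, and a FAIL on the SAN check means that name must be added to the CSR before re-signing.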