PingDS

Install DS for use with DS proxy

  1. Install the server files.

  2. Generate a deployment ID unless you already have one:

    $ /path/to/opendj/bin/dskeymgr create-deployment-id --deploymentIdPassword password
your-deployment-id

    Save the deployment ID and its deployment password. Keep the ID and the password safe, and keep the password secret. Use the same deployment ID and password for all the servers in the same environment.

    About deployment IDs

    A deployment ID is a random string generated using the dskeymgr command. It is a deployment identifier, not a key, but it is used with a password to generate keys.

    A deployment ID password is a secret string at least 8 characters long that you choose.

    The two are a pair. You must have the deployment ID password to use the deployment ID.

    Each deployment requires a single, unique deployment ID and its password. DS uses the pair to:

    • Protect the keys to encrypt and decrypt backup files and directory data.

    • Generate the TLS key pairs to protect secure connections, unless you provide your own.

    Store your deployment ID and password in a safe place, and reuse them when configuring other servers in the same deployment.

    The DS setup and dskeymgr commands use the pair to generate the following:

    • (Required) A shared master key for the deployment.

      DS replicas share secret keys for data encryption and decryption. DS servers encrypt backend data, backup files, and passwords, and each replica must be able to decrypt data encrypted on another peer replica.

      To avoid exposing secret keys, DS servers encrypt secret keys with a shared master key. DS software uses a deployment ID and its password to derive the master key.

    • (Optional) A private PKI for trusted, secure connections.

      A PKI serves to secure network connections from clients and other DS servers. The PKI is a trust network, requiring trust in the CA that signs public key certificates.

      Building a PKI can be complex. You can use self-signed certificates, but you must distribute each certificate to each server and client application. You can pay an existing CA to sign certificates, but that has a cost, and leaves control of trust with a third party. You can set up a CA or certificate management software, but that can be a significant effort and cost. As a shortcut to setting up a private CA, DS software uses deployment IDs and passwords.

      DS software uses the deployment ID and its password to generate key pairs without storing the CA private key.

    Learn more in Deployment IDs.

  3. Set the deployment ID as the value of the environment variable, DEPLOYMENT_ID:

    $ export DEPLOYMENT_ID=your-deployment-id

    Examples in the documentation show this environment variable as a reminder to use your own deployment ID.

  4. Run the setup command with the --profile ds-proxied-server option.

    The example shows the profile used with the evaluation profile. Add this profile to the list so proxy servers can access other profiles' data:

    $ /path/to/opendj/setup \
 --deploymentId $DEPLOYMENT_ID \
 --deploymentIdPassword password \
 --rootUserDN uid=admin \
 --rootUserPassword str0ngAdm1nPa55word \
 --monitorUserPassword str0ngMon1torPa55word \
 --hostname ds.example.com \
 --adminConnectorPort 4444 \
 --ldapPort 1389 \
 --enableStartTls \
 --ldapsPort 1636 \
 --httpsPort 8443 \
 --replicationPort 8989 \
 --bootstrapReplicationServer rs1.example.com:8989 \
 --bootstrapReplicationServer rs2.example.com:8989 \
 --profile ds-evaluation \
 --profile ds-proxied-server \
 --set ds-proxied-server/baseDn:dc=example,dc=com \
 --acceptLicense

    • The deployment ID for installing the server is stored in the environment variable DEPLOYMENT_ID. Install all servers in the same deployment with the same deployment ID and deployment ID password. For details, read Deployment IDs.

    • The account the DS proxy can use to connect to DS replicas has:

      • Bind DN: The DN from the --set ds-proxied-server/proxyUserDn option.

        Default: uid=proxy.

      • Certificate subject DN: The DN from the --set ds-proxied-server/proxyUserCertificateSubjectDn option.

        Default: CN=DS, O=ForgeRock.com.

      • Access to use proxied authorization in the base DNs specified by the multivalued --set ds-proxied-server/baseDn option.

        If you do not specify any values for ds-proxied-server/baseDn, the proxy user can perform operations with any account as authorization identity. This includes administrator accounts.

        To understand what this means, read Proxied authorization.

    • The DS proxy server binds using certificate-based authentication with the SASL EXTERNAL mechanism.

      Make sure that the DS replicas' truststores lets them trust the proxy’s certificate.

    • The DS proxy server uses proxied authorization to perform operations on the DS replicas.

      The authorization identity for the operations must have appropriate access to the data on the DS replicas.

    For the full list of profiles and parameters, refer to Default setup profiles.

  5. Finish configuring the server before you start it.

    For a list of optional steps at this stage, refer to Install DS for custom cases.

  6. Start the server:

    $ /path/to/opendj/bin/start-ds