WebSocket Configuration

From idenprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes

Introduction

When using the idenprotect Active Directory Agent, you will need to configure the Secure WebSocket connection. This is done in two parts, as the idenprotect Active Directory Agent acts as the WebSocket Client and the idenprotect Core Platform acts as the WebSocket Server.

Configuring the WebSocket Server

These properties can be found in:

  • WebSocket Configuration section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/websocket.properties
Parameters for WebSocket

Each entry gives the parameter name in the Config Tab, the key in the properties file, and its description:

  • Active Directory Sync Agent Port (ws.adsync.port): port on which to run the WebSocket (default 8444)
  • Should Send Settings (ws.send.settings): set to true to send the LDAP properties/settings to the Active Directory Sync Client when it connects to the WebSocket
  • Enable WebSocket Debug Mode (ws.server.debug): set to true to log all debug information for each connection, message and disconnection. Important: this may write sensitive data, such as user passwords, to the logs
  • Enable Secure WebSocket (ws.ssl.enabled): set to true to use a secure WebSocket connection with TLS
  • Key Store Path (ws.keystore.path): path of the KeyStore for the Secure WebSocket (e.g. /etc/idenprotect/keystore.jks)
  • Key Store Type (ws.keystore.type): KeyStore type (default JKS)
  • Key Store Password (ws.keystore.pass): password for the KeyStore

Configuring the WebSocket Client

These properties can be found in:

  • Server file system in /etc/idenprotect/adsync/websocket.properties
Parameters for WebSocket

Each entry gives the key in the properties file and its description:

  • adsync.trustStore: location of the trust store, used for the WebSocket connection to the Server and for LDAP if needed (default = /etc/idenprotect/truststore.jks)
  • adsync.trustStoreType: trust store type (default = JKS)
  • adsync.trustStorePassword: trust store password (default = pass)
  • adsync.node.name: Active Directory Sync Client node name, used by the idenprotect Core Platform to determine which idenprotect Active Directory Agent to trigger. See the LDAP Synchronization process on What is the idenprotect Active Directory Agent for more information
  • websocket.uri: WebSocket Server URI (the idenprotect Core Platform WebSocket URI) (default = wss://10.0.57.57:8444/)
  • websocket.check.cron: cron expression for checking whether the client is still connected to the WebSocket (default = 0 * * * * *, i.e. every minute)

Securing the WebSocket Connection

When connecting to the WebSocket, the URI can be in the form ws:// (insecure) or wss:// (secure). To secure the WebSocket connection, follow the steps below:

  • Using a tool like KeyStore Explorer, create a new KeyStore (.jks)
  • In this KeyStore, create a new keypair (RSA 2048). You will need to set and remember a password here
  • Save the new KeyStore to /etc/idenprotect/adsync.jks (Using the same password for both the keypair and keystore)
  • Update the WebSocket Server configuration to point to this KeyStore and add the password you set
  • Export a certificate from this KeyStore to /etc/idenprotect/adsync/adsync.cer
  • Create a second new KeyStore (.jks)
  • Import the certificate you created in the previous step
  • Save this truststore to /etc/idenprotect/adsync/adsync.jks (again you will need to set and remember a password here)
  • Update the WebSocket Client configuration to point to this trust store and add the password you set
  • Restart both the idenprotect Core Platform and the idenprotect Active Directory Agent
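The same procedure as an added example using the JDK's keytool instead of KeyStore Explorer (this is not idenprotect's own script): it builds the server keystore, exports the certificate, builds the Agent's trust store, and checks that the two fingerprints agree before anything is restarted. WORKDIR, the key alias, the validity period and the password arguments are assumptions; the file names and property keys are the ones on this page.

```shell
# Added example (not idenprotect tooling): the KeyStore Explorer steps done with
# the JDK's keytool. WORKDIR, ALIAS, validity and passwords are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # assumed; the page uses /etc/idenprotect
SERVER_KS="$WORKDIR/adsync.jks"           # ws.keystore.path on the Core Platform
SERVER_CER="$WORKDIR/adsync/adsync.cer"   # exported server certificate
CLIENT_TS="$WORKDIR/adsync/adsync.jks"    # adsync.trustStore on the Agent
ALIAS="idenprotect-ws"                    # assumed key pair alias
WS_HOST="${WS_HOST:-10.0.57.57}"          # host in websocket.uri (page default)
mkdir -p "$WORKDIR/adsync"

# Steps 1-3: keystore with an RSA 2048 key pair, one password for key and store.
# The SAN is set to the host the Agent connects to so that TLS hostname checks
# can pass; use dns:<name> instead of ip: when websocket.uri names a host.
make_server_keystore() {
  keytool -genkeypair -keystore "$SERVER_KS" -storetype JKS -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$WS_HOST" -ext "SAN=ip:$WS_HOST" \
    -storepass "$1" -keypass "$1" >/dev/null 2>&1
}

# Step 5: export only the certificate; the private key never leaves the keystore.
export_server_cert() {
  keytool -exportcert -keystore "$SERVER_KS" -alias "$ALIAS" \
    -storepass "$1" -rfc -file "$SERVER_CER" >/dev/null 2>&1
}

# Steps 6-8: a separate trust store for the Agent holding just that certificate.
make_client_truststore() {
  keytool -importcert -noprompt -keystore "$CLIENT_TS" -storetype JKS \
    -alias "$ALIAS" -file "$SERVER_CER" -storepass "$1" >/dev/null 2>&1
}

# Check before restarting: the trust store's entry must carry the same
# certificate fingerprint as the server's key pair.
fingerprints_match() {
  srv=$(keytool -list -keystore "$SERVER_KS" -storepass "$1" -alias "$ALIAS" \
        | grep -o 'fingerprint (SHA[^)]*): .*')
  cli=$(keytool -list -keystore "$CLIENT_TS" -storepass "$2" -alias "$ALIAS" \
        | grep -o 'fingerprint (SHA[^)]*): .*')
  [ -n "$srv" ] && [ "$srv" = "$cli" ]
}

# Steps 4 and 9: the values the two properties files then need.
print_properties() {
  printf 'ws.ssl.enabled=true\nws.keystore.path=%s\nws.keystore.type=JKS\nws.keystore.pass=%s\n' "$SERVER_KS" "$1"
  printf 'adsync.trustStore=%s\nadsync.trustStoreType=JKS\nadsync.trustStorePassword=%s\n' "$CLIENT_TS" "$2"
}
```

Run make_server_keystore, export_server_cert and make_client_truststore with the two passwords, then fingerprints_match before restarting the applications; print_properties shows the lines to place in the server and client websocket.properties files.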