Remote connector serversystemconnectorconfiguration

CzechIdM comes bundled only with certain types of connectors. For some deployments, it is necessary to use Remote connector server ("connector server" from now on). There are generally four reasons for this:

• We cannot run Java code on the target system (e. g. .NET code is needed).
• The OS does not have some normal API (e. g. old Windows without WinRM) so we need to run commands on it locally.
• Security reasons - we do not want to run the connector code under the same user as the CzechIdM.
• You need to use two different versions of one connector (or two connectors which bundle different versions of the same library - for example Apache CXF). If you did deploy them both into one Java context, libraries would break due to Java Class FQDN conflicts.

The remote server connector configuration form behaves just like the local connector form - this means that definition is stored in the EAV attributes for system which it belongs. As a key to EAV attributes are used the system name, connector name, and connector version. Therefore, it is possible to have multiple connectors with different version on the remote connector server.

Download appropriate version of the connector server. If you are a BCV developer, use our internally provided version.

1. Download the all-in-one prepared bundle from there (login required), you do not need to download anything else.
2. Continue with deployment instructions.

1. Download connector server from the ConnId project.
2. Use version 1.4.5.1 of remote connector server and version 1.4.3.0 of connector framework.
3. Download following libraries and add them to the lib directory of the connector server:
   • jackson-annotations-2.9.8
   • jackson-core-2.9.8
   • jackson-databind-2.9.8
4. Add those libraries to the classpath inside ConnectorServer.sh script (for Linux) or ConnectorServer.bat script (for Windows).

1. Install Java 1.8 (OpenJDK headless is preferred).
2. Create new OS user the connector server will run under. By default, we create user connector-server with home under /opt.

   useradd -b /opt -m -s /bin/bash connector-server
   chmod 750 /opt/connector-server/

3. Copy over the connector server and unpack it.

   cp connector-server-master.tar.gz /opt/connector-server/
   chown connector-server:connector-server /opt/connector-server/connector-server-master.tar.gz
   su - connector-server
   cd /opt/connector-server
   tar xzf connector-server-master.tar.gz
   rm connector-server-master.tar.gz 

4. Your setup should look like this:

   ls -l /opt/connector-server/
   total 4
   drwxrwxr-x 9 connector-server connector-server 4096 Oct 10 16:45 connid-connector-server
   
   ls -l /opt/connector-server/connid-connector-server/
   total 23448
   drwxrwxr-x 5 connector-server connector-server     4096 Oct 17 12:31 bin
   drwxrwxr-x 2 connector-server connector-server     4096 Oct 10 16:45 bundles
   drwxrwxr-x 2 connector-server connector-server     4096 Oct 10 16:45 certs
   drwxrwxr-x 2 connector-server connector-server     4096 Oct 17 12:47 conf
   -rw-rw-r-- 1 connector-server connector-server 11976830 Oct 10 16:45 datetime
   drwxrwxr-x 3 connector-server connector-server     4096 Oct 10 16:45 lib
   -rw-rw-r-- 1 connector-server connector-server    19982 Oct 10 16:45 LICENSE
   drwxrwxr-x 2 connector-server connector-server     4096 Oct 17 12:51 logs
   drwxrwxr-x 2 connector-server connector-server     4096 Oct 10 16:45 scripts
   -rw-rw-r-- 1 connector-server connector-server 11976825 Oct 10 16:45 sys

5. Set executable permission on the main script.

   cd connid-connector-server
   chmod +x bin/ConnectorServer.sh

6. Create strong password for the connector server (use pwgen -1 16 or something similar).

   ./bin/ConnectorServer.sh -setKey -key PASSWORD_HERE -properties conf/connectorserver.properties

7. If you plan to connect to remote connector server remotely (not locally on localhost), edit the conf/connectorserver.properties and set/comment out the connectorserver.ifaddress.
8. As root, create systemd unit /etc/systemd/system/connector-server.service:

   connector-server.service

   [Unit]
   Description=Java Connector Server Service
   After=network-online.target
    
   [Service]
   User=connector-server
   WorkingDirectory=/opt/connector-server/connid-connector-server
   ExecStart=/bin/bash /opt/connector-server/connid-connector-server/bin/ConnectorServer.sh -run -properties /opt/connector-server/connid-connector-server/conf/connectorserver.properties
   SuccessExitStatus=143
    
   [Install]
   WantedBy=multi-user.target

9. Reload systemd, start and enable the connector server.

   systemctl daemon-reload
   systemctl start connector-server
   systemctl enable connector-server

10. For additional configuration, see conf/connectorserver.properties and conf/logging.properties files.
11. Connector server is now configured. You can deploy connector bundles into it. You have to restart the connector server for changes to take effect.
    1. Add connector bundles (.jars) into the bundles directory.
    2. Add custom scripts the CzechIdM will use under the scripts directory.
    3. Add certificates to be used under cert directory. CzechIdM scripts by default look there.

When you interface end systems remotely, you have to secure the communication with TLS. For this to work, you need a Java truststore. This short howto will show you how to create one.

1. Get (or create - as we do there) a certificate of the end system.

   su - connector-server
   cd /opt/connector-server/connid-connector-server/conf
   openssl genrsa -out fakecert.key
   openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=Connector placeholder cert"
   openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt

2. Import the certificate into the truststore. If the truststore.jks does not exist, the keytool will create it.

   keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks
       Enter keystore password:  ENTER SOME PASSWORD HERE AND REMEMBER IT FOR LATER
       Re-enter new password:
       ...
       Trust this certificate? [no]:  yes
       Certificate was added to keystore

3. Just some cleanup.

   rm fakecert.key fakecert.csr fakecert.crt
   chmod 644 truststore.jks
   # the connector server user should not be able to write the truststore, only read it
   chown root:connector-server truststore.jks

4. Add truststore to startup script ConnectorServer.sh:

   cd /opt/connector-server/connid-connector-server
   vim bin/ConnectorServer.sh
   
   # add this snippet to the command line that executes the connector server
   -Djavax.net.ssl.trustStore=/opt/connector-server/connid-connector-server/conf/truststore.jks -Djavax.net.ssl.trustStorePassword=PUT_KEYSTORE_PASSWORD_HERE

5. Restart the connector server.

1) Install Java 1.8 (OpenJDK headless is preferred).

2) Unpack connector server to his root directory "C:\connid-connector-server".

3) Create trustore for connector server. Use git bash in direcotory "C:\connid-connector-server\conf".

• Get (or create - as we do there) a certificate of the end system.

openssl genrsa -out fakecert.key
openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=Connector placeholder cert"
openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt

• Import the certificate into the truststore. If the truststore.jks does not exist, the keytool will create it.

/c/Program\ Files/Java/jdk-1.9.8/bin/keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks
    Enter keystore password:  ENTER SOME PASSWORD HERE AND REMEMBER IT FOR LATER
    Re-enter new password:
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

• Just some cleanup.

rm fakecert.key fakecert.csr fakecert.crt

4) Add trustore location and password to service installation in „bin\ConnectorServer.bat“(windows). These parameters are in script already, so just trustore path and password.

"-Djavax.net.ssl.trustStore=C:\connid-connector-server\conf\truststore.jks";"-Djavax.net.ssl.trustStorePassword=TODO_PASSWORD"

5) Start CMD under system admin. Then go to connector-server root directory.

cd C:\connid-connector-server
bin\ConnectorServer.bat /setkey

6) Add connectors to "C:\connid-connector-server\bundles" and scripts to "C:\connid-connector-server\scripts".

7) Then setup connector-server key and install windows service(connector_server).

bin\ConnectorServer.bat /install connector_server

8) Then start service in "services.msc". If connector_server service started correctly set this service to automatic start.

1. In CzechIdM, on the system tab, create a new system.
2. In the detail of this system, check option "Use remote connector server" and fill in every form field that IdM needs to connect to the remote system. It is necessary to supply the host and port on which the connector is available on remote server. If the server is secured by password, you will need to fill in the password in order to successfully connect to the remote connector server. Password will be stored in local confidential storage.
3. When you are done, save the form.
4. Go to the "Configurations" tab. There, only connectors that are deployed inside remote connector server, will be available.
5. Configure everything else as you would do if you were not using remote connector server.