Skip to end of metadata
Go to start of metadata

Java Remote Connector Server is using the same kind of connectors that midPoint itself is using. The Java Remote Connector Server is used in situations where a connector needs a local access to some resource to be able to work with it. It is usually used for connectors that require local access to files such as CSVFile Connector (deprecated). This avoids the need to copy the file using FTP or a similar mechanism which is difficult to do right and it is quite error-prone (e.g. problems with partially downloaded files, error handling, atomicity, etc.) Java Remote Connector Server is also used in situations that require firewall traversal or securing insecure communication protocol.

Requirements

  • Java SE 6 or later

Download

Version

Download

Sources

Note

1.4.2.12ZIPhttps://github.com/Evolveum/ConnId/tree/connid-1.4.2.12 
1.4.0.49ZIPhttps://github.com/Evolveum/ConnId/tree/connid-1.4.0.49 

1.1.1.0

ZIP

OpenICF 1.1.1.0 tag

obsolete version, probably won't work with current midPoint

You may also download from the OpenICF download page.

Installation

  1. Download and unzip the binary distribution (or clone git repo with sources and build your own with mvn clean install command)
  2. In the installation folder (that contains bin, conf, and lib directories) create a directory for connector bundles, named bundles. In the following text, we assume /opt/connid-connector-server directory for Linux.
  3. Copy connectors you need into bundles directory (e.g. connector-csvfile-1.4.0.49.jar for CSV connector)
  4. Set the secret key by invoking the command:
    1. (on Windows): bin\ConnectorServer.bat /setkey <your secret key here>
    2. (on Linux):

      java -cp "lib/framework/connector-framework.jar:lib/framework/connector-framework-internal.jar:lib/framework/groovy-all.jar" org.identityconnectors.framework.server.Main  -setKey -key <your secret key here> -properties conf/ConnectorServer.properties

  5. Fix the logging configuration:
    1. replace the line "connectorserver.loggerClass=org.identityconnectors.common.logging.slf4j.SLF4JLog" in conf/ConnectorServer.properties file with "connectorserver.loggerClass=org.identityconnectors.common.logging.impl.JDKLogger"
    2. add "-Djava.util.logging.config.file=conf/logging.properties" to your startup parameters to actually use logging
    3. update the conf/logging.properties to log to file in logs directory:

  6. Run the connector server e.g. by invoking the command:
    1. (on Windows): bin\ConnectorServer.bat /run
    2. (on Linux): java -cp "lib/framework/connector-framework.jar:lib/framework/connector-framework-internal.jar:lib/framework/groovy-all.jar" org.identityconnectors.framework.server.Main  -run -properties conf/ConnectorServer.properties

Connector Server will run on foreground/console. CTRL+C will stop it.

Automatic Server Startup

Systemd

Create user/group for running the service (e.g. connid, connid). This user must have access to the connector server files.

Create systemd service file /etc/systemd/system/java-connector-server.service (as root) - inspiration from http://stackoverflow.com/questions/21503883/spring-boot-application-as-a-service/22121547#22121547:

Issue the following commands (as root):

You can start/stop the service using:

SysV Init

Create start script to be run by startup script /opt/connid-connector-server/start:

Set file permissions:

Create startup script /etc/init.d/connid-connector-server - inspiration from: https://orrsella.com/2014/11/06/initd-and-start-scripts-for-scala-java-server-apps/

Set file permissions:

Start the service:

Set the service to autostart (using your distribution command; here Red Hat-based distributions "chkconfig" is used:

You may need to use different command and edit the script to use dependencies or service startup ordering.

 

Original instructions for OpenICF Connector Server: http://openicf.forgerock.org/connector-framework-internal/connector_server.html

Configuring SSL

The Connector Server is a SSL server. Therefore is needs a keypair (private key + certificate). Java connector server expects the keypair to be present in a keystore. It is using standard Java JCE keystore for this purpose. The keystore does not exist at the time of the initial installation. It needs to be created and populated with a keypair.

Creating and Populating a Keystore

The keypair is usually distributed in a PKCS#12 format (a file with p12 or pfx extension). This format needs to be converted in Java JCE keystore. There is keytool utility that is part of Java platform that can be used for conversion:

Converting PKCS#12 key and certificate to java keystore

The command above creates a keystore.jks file which is the actual Java JCE keystore. The keytool command will ask for two passwords:

  • A password on the PCKS#12 files as these files are usually protected by password (because they contain a private key)
  • A password for a newly created keystore. Make sure you remember this.

But there is a catch. The Java JCE keystore as a whole is protected by a password. But also each individual key is protected by a password. These passwords are usually the same and that is exactly what the connector server expects. However when the keystore is converted from PCKS#12 the keystore password is set to the supplied password but the key password remains the same as was the password on PCKS#12 file. If these passwords were not the same then the key password needs to be changed in one extra step:

Changing a key password

See Keystore Configuration page for some more tips and tricks dealing with keystore. But please note that this page deals with midPoint keystore which is slightly different than Connector server keystore.

Passing Keystore Parameters to Connector Server

The connector server is a Java application that looks for a default keystore. The location, type and password of the default keystore needs to be passed to the connector server in a form of Java options:

Add these options to the script that is starting connector server.

Enabling Connector Server SSL

Change the connectorserver.usessl option to true in the connectorserver.properties configuration file.

You can start the server now. Please do not forget to configure the midPoint side as well.

Troubleshooting

Error "Cannot recover key": Make sure that the key password in the keystore is the same as the keystore password.

See Also

  • No labels