Sun Directory Server Enterprise Edition 7.0 Administration Guide

ProcedureTo Configure Client Authentication Based Replication for SSL

In the following procedure, it is assumed that you requested properly signed certificate/key pairs from a trusted Certificate Authority (CA) and the CA certificate of such authority is present in all security databases.

The certificate/key pairs should be issued to the user having replication rights, that is the certificate subject is the DN of a user allowed to transfer replication data between the servers. In the following example, such users are ou=user1,o=users and ou=user1,o=users; the certificates short names in the security database are replmgr1 and replmgr2 respectively.

  1. Create new servers.

    $ dsadm create -p 1389 -P 1636 /local/ds1
    $ dsadm create -p 2389 -P 2636 /local/ds2
  2. Add a user Certificate/Key pair on each server, as received by the CA.

    $ dsadm import-cert /local/ds1 user1.der
    $ dsadm import-cert /local/ds2 user2.der

    The user1.der and user2.der are the CA provided files.

  3. Export the users' certificates for later use

    $ dsadm show-cert -F ascii /local/ds1 replmgr1 > user1.ldif
    $ dsadm show-cert -F ascii /local/ds2 replmgr2 > user2.ldif

    The files should contain base64 encoded binary certificates.

  4. Start the servers.

    $ dsadm start /local/ds1 
    $ dsadm start /local/ds2
  5. Create empty suffixes on all the servers, where the users and their certificate will be stored.

    $ dsconf create-suffix -p 1389 -e
    $ dsconf create-suffix -p 2389 -e
    $ dsconf create-suffix -p 1389 -e o=users
    $ dsconf create-suffix -p 2389 -e o=users

    Note –

    Alternatively, the users and their certificates could be in another suffix. It is not recommended to have the user in the same suffix that is to be replicated.

  6. On all servers, enable replication.

    $ dsconf enable-repl -p 1389 -e -d 1 master
    $ dsconf enable-repl -p 2389 -e -d 1 master
  7. Prepare the users to be set as replication managers. Edit user1.ldif and user2.ldif to look like the following:

    dn: cn=user1,o=users
    objectclass: top
    objectclass: inetorgperson
    sn: user1
    userCertificate;binary:: MIIBqDCCARGgAwIBAgI <...>
     dXNlcnMwHh <...>

    The files must be a valid LDIF files.

    Get rid of the lines, BEGIN CERTIFICATE and END CERTIFICATE. The value of userCertificate;binary:: is simply the base64 encoding. If it spans multiple lines, the first character of the line must be a space.

  8. Add the user definitions on the server where the user is going to be allowed to replicate.

    $ ldapmodify -p 1389 -D binddn -w password -a < user2.ldif
    $ ldapmodify -p 2389 -D binddn -w password -a < user1.ldif

    Note –

    Alternatively, you can issue the ldapmodify commands directly and create the two users interactively. Make sure that you use the correct syntax while setting the userCertifacte attribute.

  9. Set the user allowed to replicate between servers as replication manager.

    $ dsconf -p 1389 set-suffix-prop repl-manager-bind-dn: cn=user2,o=users
    $ dsconf -p 2389 set-suffix-prop repl-manager-bind-dn: cn=user1,o=users
  10. Set the server certificate to use the user Certificate/key pair as its own.

    $ dsconf -p 1389 set-server-prop ssl-rsa-cert-name:replmgr1
    $ dsconf -p 2389 set-server-prop ssl-rsa-cert-name:replmgr2
  11. Restart the servers to take into account the new changes.

    $ dsadm restart /local/ds1
    $ dsadm restart /local/ds2
  12. Create the replication agreements.

    $ dsconf create-repl-agmt -p 1389 -e -A ssl-client hostname:2636
    $ dsconf create-repl-agmt -p 2389 -e -A ssl-client hostname:1636