Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Replication Over SSL

You can configure Directory Servers involved in replication so that all replication operations occur over an SSL connection.

ProcedureTo Configure Replication Operations for SSL

This procedure shows example commands for setting up replication on a replication topology with two masters.

Note –

This example shows a simple replication configuration, using a self-signed certificate. When setting up replication over SSL in a production environment, you will have better security if you use Certificate Authority trusted certificates instead.

Replication over SSL will fail if the supplier server certificate is an SSL server-only certificate that cannot act as a client during an SSL handshake.

While replication is secure by SSL, authentication of the replication manager is still done using a simple bind and password. You can use client-based authentication to fully secure replication, but this requires more complex settings.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create new servers and start them.

    $ dsadm create -p 1389 -P 1636 /local/ds1
    $ dsadm create -p 2389 -P 2636 /local/ds2
    $ dsadm start /local/ds1
    $ dsadm start /local/ds2
  2. On all servers, create empty suffixes.

    $ dsconf create-suffix -e -i -p 1389 dc=example,dc=com
    $ dsconf create-suffix -e -i -p 2389 dc=example,dc=com
  3. On all servers, set the multimaster password file.

    $ dsconf set-server-prop -e -i -h example1.server -p 1389 \
    $ dsconf set-server-prop -e -i -h example2.server -p 2389 \
  4. On all servers, enable replication.

    $ dsconf enable-repl -h example1.server -p 1389 -e -i -d 1 master dc=example,dc=com
    $ dsconf enable-repl -h example2.server -p 2389 -e -i -d 2 master dc=example,dc=com
  5. On all servers, view the existing default certificate.

    $ dsadm show-cert -F der -o certfile1 /local/ds1 defaultCert
    $ dsadm show-cert -F der -o certfile2 /local/ds2 defaultCert
  6. On all servers, add the CA trusted certificate from all other servers.

    $ dsadm add-cert --ca /local/ds1 "ds2 Repl Manager Cert" certfile2
    $ dsadm add-cert --ca /local/ds2 "ds1 Repl Manager Cert" certfile1
  7. On all master and hub (source) servers, create replication agreements with all consumer (destination) servers.

    Note that secure LDAP ports are used for the replication agreements.

    $ dsconf create-repl-agmt -h example1.server -p 1389 -e -i \
     --auth-protocol "ssl-simple" dc=example,dc=com example2.server:2636
    $ dsconf create-repl-agmt -h example2.server -p 2389 -e -i \
     --auth-protocol "ssl-simple" dc=example,dc=com example1.server:1636
  8. For all replication agreements, configure the authentication password file to be the replication manager password file of the consumer (destination) server in the replication agreement.

    $ dsconf set-repl-agmt-prop -h example1.server -p 1389 -e -i \
     dc=example,dc=com example2.server:2636 auth-pwd-file:/local/ds1/replmanrpwd2.txt
    $ dsconf set-repl-agmt-prop -h example2.server -p 2389 -e -i \
     dc=example,dc=com example1.server:1636 auth-pwd-file:/local/ds1/replmanrpwd1.txt

    After you have initialized the suffixes, the supplier will send all replication update messages to the consumer over SSL and will use certificates if you chose that option. Customer initialization will also use a secure connection if performed through DSCC using an agreement configure for SSL.

  9. On all servers, restart the server in order to take configuration changes into account.

    $ dsadm restart /local/ds1
    $ dsadm restart /local/ds2
  10. On one of the master servers, initialize the suffix.

    $ dsconf import -h example1.server -p 1389 -e -i /tmp/Example.ldif dc=example,dc=com
  11. On all servers not yet initialized, initialize the servers by using a replication agreement.

    $ dsconf init-repl-dest -e -i -h example1.server -p 1389 \
     dc=example,dc=com example1.server:2636