To Configure Client Authentication
Based Replication for SSL
In the following procedure, it is assumed that you requested properly signed certificate/key pairs from a trusted Certificate Authority (CA) and the CA certificate of such authority is present in all security databases.
The certificate/key pairs should be issued to the user having replication rights, that is the certificate subject is the DN of a user allowed to transfer replication data between the servers. In the following example, such users are ou=user1,o=users and ou=user1,o=users; the certificates short names in the security database are replmgr1 and replmgr2 respectively.
-
Create new servers.
$ dsadm create -p 1389 -P 1636 /local/ds1 $ dsadm create -p 2389 -P 2636 /local/ds2
-
Add a user Certificate/Key pair on each server, as received by the CA.
$ dsadm import-cert /local/ds1 user1.der $ dsadm import-cert /local/ds2 user2.der
The user1.der and user2.der are the CA provided files.
-
Export the users' certificates for later use
$ dsadm show-cert -F ascii /local/ds1 replmgr1 > user1.ldif $ dsadm show-cert -F ascii /local/ds2 replmgr2 > user2.ldif
The files should contain base64 encoded binary certificates.
-
Start the servers.
$ dsadm start /local/ds1 $ dsadm start /local/ds2
-
Create empty suffixes on all the servers, where the users and their certificate will be stored.
$ dsconf create-suffix -p 1389 -e o=example.com $ dsconf create-suffix -p 2389 -e o=example.com $ dsconf create-suffix -p 1389 -e o=users $ dsconf create-suffix -p 2389 -e o=users
Note –Alternatively, the users and their certificates could be in another suffix. It is not recommended to have the user in the same suffix that is to be replicated.
-
On all servers, enable replication.
$ dsconf enable-repl -p 1389 -e -d 1 master o=example.com $ dsconf enable-repl -p 2389 -e -d 1 master o=example.com
-
Prepare the users to be set as replication managers. Edit user1.ldif and user2.ldif to look like the following:
dn: cn=user1,o=users objectclass: top objectclass: inetorgperson sn: user1 userCertificate;binary:: MIIBqDCCARGgAwIBAgI <...> dXNlcnMwHh <...> <...>
The files must be a valid LDIF files.
Get rid of the lines, BEGIN CERTIFICATE and END CERTIFICATE. The value of userCertificate;binary:: is simply the base64 encoding. If it spans multiple lines, the first character of the line must be a space.
-
Add the user definitions on the server where the user is going to be allowed to replicate.
$ ldapmodify -p 1389 -D binddn -w password -a < user2.ldif $ ldapmodify -p 2389 -D binddn -w password -a < user1.ldif
Note –Alternatively, you can issue the ldapmodify commands directly and create the two users interactively. Make sure that you use the correct syntax while setting the userCertifacte attribute.
-
Set the user allowed to replicate between servers as replication manager.
$ dsconf -p 1389 set-suffix-prop repl-manager-bind-dn: cn=user2,o=users $ dsconf -p 2389 set-suffix-prop repl-manager-bind-dn: cn=user1,o=users
-
Set the server certificate to use the user Certificate/key pair as its own.
$ dsconf -p 1389 set-server-prop ssl-rsa-cert-name:replmgr1 $ dsconf -p 2389 set-server-prop ssl-rsa-cert-name:replmgr2
-
Restart the servers to take into account the new changes.
$ dsadm restart /local/ds1 $ dsadm restart /local/ds2
-
Create the replication agreements.
$ dsconf create-repl-agmt -p 1389 -e -A ssl-client o=example.com hostname:2636 $ dsconf create-repl-agmt -p 2389 -e -A ssl-client o=example.com hostname:1636
- © 2010, Oracle Corporation and/or its affiliates