This section describes concepts to help you troubleshoot problems using SSL for Directory Server multi-master replication. Problems with SSL always appear on the supplier side. The error log will contain security-related messages such as “SSL init failed.” or “Certificate not accepted.”
SSL connections always involve two participants:
The SSL client, which is the LDAP client sending the LDAP requests or the Directory Server sending the replication updates (the supplier).
The SSL server, which is the Directory Server accepting the LDAP requests (the consumer).
The SSL client initiates requests and the SSL server always receives the requests. During this exchange, the SSL server must provide credentials. Any SSL server needs to verify the credentials sent by the SSL client. To make this verification, the certificate database on the peer must contain the certificate of the CA that issued the certificate sent by the other peer.
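The trust requirement above can be checked offline before replication is enabled. The following is an added example, not part of the original documentation: it assumes the `openssl` command is available and that the trusted CA certificates and the peer certificate have been exported from the certificate databases to PEM files. All certificate names, subjects and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every name, subject and file below is constructed for the demo.

# make_demo_pki DIR: create two unrelated CAs and a consumer certificate
# issued by the first one, all as PEM files under DIR.
make_demo_pki() {
    dir=$1
    for ca in replication-ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=consumer.example.com" \
        -keyout "$dir/consumer.key" -out "$dir/consumer.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/consumer.csr" -days 1 \
        -CA "$dir/replication-ca.pem" -CAkey "$dir/replication-ca.key" \
        -CAcreateserial -out "$dir/consumer.pem" 2>/dev/null
}

# issuer_trusted TRUSTED_CAS PEER_CERT: succeed only if PEER_CERT chains to a
# CA certificate in the PEM bundle TRUSTED_CAS (the verifying peer's trust list).
issuer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report TRUSTED_CAS PEER_CERT: print the peer's issuer and the verdict.
report() {
    openssl x509 -in "$2" -noout -issuer
    if issuer_trusted "$1" "$2"; then
        echo "  accepted: issuing CA is in $1"
    else
        echo "  rejected: issuing CA is missing from $1"
    fi
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
report "$demo/replication-ca.pem" "$demo/consumer.pem"   # supplier trusts the right CA
report "$demo/other-ca.pem" "$demo/consumer.pem"         # supplier trusts only another CA
rm -rf "$demo"
```

The second case is the condition behind a “Certificate not accepted.” message: the certificate itself is valid, but the verifying peer does not hold the CA that issued it.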
In replication, SSL must be enabled in all replicas, even master replicas that only accept non-SSL operations. For example, a master server communicates with a hub server using SSL. The hub must listen on the SSL port. The master does not need to listen on the SSL port because it is an SSL client. However, it must still define an SSL port, otherwise Directory Server cannot initiate SSL certificate exchange for communication with the host server.
By default, SSL is enabled on all Directory Server 6.x instances. For a detailed explanation of how SSL works, see Secure Sockets Layer (SSL) in Sun Java System Directory Server Enterprise Edition 6.2 Reference.