Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)

Replication Over SSL

You can configure Directory Servers involved in replication so that all replication operations occur over an SSL connection.

To Configure Replication Operations for SSL

This procedure shows example commands for setting up replication on a replication topology with two masters.


Note - This example shows a simple replication configuration that uses the self-signed certificate generated during instance creation. When setting up replication over SSL in a production environment, you get better security by using certificates issued by a trusted Certificate Authority instead.

Replication over SSL will fail if the supplier server certificate is an SSL server-only certificate that cannot act as a client during an SSL handshake.


Although replication traffic is protected by SSL, the replication manager still authenticates with a simple bind and a password. You can use client-based authentication to fully secure replication, but this requires more complex settings. For more information about replication using client-based authentication, see To Configure Client Authentication Based Replication for SSL.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create new servers and start them.
    $ dsadm create -p 1389 -P 1636 /local/ds1
    $ dsadm create -p 2389 -P 2636 /local/ds2
    
    $ dsadm start /local/ds1
    $ dsadm start /local/ds2

    For more information about configuring SSL, see Using SSL With Directory Server.

  2. On all servers, create empty suffixes.
    $ dsconf create-suffix -e -w password-file -p 1389 dc=example,dc=com
    $ dsconf create-suffix -e -w password-file -p 2389 dc=example,dc=com
  3. On all servers, set the default replication manager password file.
    $ dsconf set-server-prop -e -i -w password-file -h example1.server -p 1389 \
     def-repl-manager-pwd-file:/local/ds1/replmanrpwd1.txt
    $ dsconf set-server-prop -e -i -w password-file -h example2.server -p 2389 \
     def-repl-manager-pwd-file:/local/ds1/replmanrpwd2.txt
  4. On all servers, enable replication.
    $ dsconf enable-repl -h example1.server -p 1389 -e -i -w password-file \
    -d 1 master dc=example,dc=com
    $ dsconf enable-repl -h example2.server -p 2389 -e -i -w password-file \
    -d 2 master dc=example,dc=com
  5. On all servers, export the existing default certificate.
    $ dsadm show-cert -F der -o certfile1 /local/ds1 defaultCert
    $ dsadm show-cert -F der -o certfile2 /local/ds2 defaultCert
  6. On all servers, add the certificate from all other servers.
    $ dsadm add-cert --ca /local/ds1 "ds2 Repl Manager Cert" certfile2
    $ dsadm add-cert --ca /local/ds2 "ds1 Repl Manager Cert" certfile1
  7. Create replication agreements between the servers just configured.

    Note that the secure LDAP ports are used as the destinations of the replication agreements.

    $ dsconf create-repl-agmt -h example1.server -p 1389 -e -i -w password-file \
     --auth-protocol "ssl-simple" dc=example,dc=com example2.server:2636
    $ dsconf create-repl-agmt -h example2.server -p 2389 -e -i -w password-file \
     --auth-protocol "ssl-simple" dc=example,dc=com example1.server:1636
  8. For all replication agreements, configure the authentication password file to be the replication manager password file of the consumer (destination) server in the replication agreement.
    $ dsconf set-repl-agmt-prop -h example1.server -p 1389 -e -i -w password-file \
     dc=example,dc=com example2.server:2636 auth-pwd-file:/local/ds1/replmanrpwd2.txt
    $ dsconf set-repl-agmt-prop -h example2.server -p 2389 -e -i -w password-file \
     dc=example,dc=com example1.server:1636 auth-pwd-file:/local/ds1/replmanrpwd1.txt

    After you have initialized the suffixes, the supplier sends all replication update messages to the consumer over SSL, using certificates if you chose that option. Consumer initialization also uses a secure connection when it is performed through DSCC with an agreement configured for SSL.

  9. On all servers, restart the server so that the configuration changes take effect.
    $ dsadm restart /local/ds1
    $ dsadm restart /local/ds2
  10. On one of the master servers, initialize the suffix.
    $ dsconf import -h example1.server -p 1389 -e -i \
    -w password-file /tmp/Example.ldif dc=example,dc=com
  11. On all servers not yet initialized, initialize the suffix by using the replication agreement. The destination is the consumer named in the agreement created in step 7, reached on its secure port.
    $ dsconf init-repl-dest -e -i -w password-file \
    -h example1.server -p 1389 dc=example,dc=com example2.server:2636
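The procedure above hands the replication manager's plaintext password to dsconf in a file (def-repl-manager-pwd-file and auth-pwd-file), so that file is the secret that protects the simple bind described earlier. The POSIX shell check below is an added example, not part of the Oracle guide: it verifies that a password file is readable by its owner only, holds exactly one line, and has no carriage return or stray whitespace, which are the usual reasons a bind from a password file fails. The sample files it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle Directory Server guide.
# Sanity-check a replication manager password file before giving it to
# "dsconf set-server-prop def-repl-manager-pwd-file:FILE" or
# "dsconf set-repl-agmt-prop ... auth-pwd-file:FILE". The file holds the
# plaintext simple-bind password, so it must be readable by its owner only
# and contain exactly one clean line.

# check_repl_pwd_file FILE  -> prints a verdict; returns 0 if usable, 1 otherwise
check_repl_pwd_file() {
    f=$1
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }

    # Permission string from ls -l (portable between GNU and BSD userland);
    # accept only owner-only modes such as -rw------- or -r--------.
    perms=$(ls -l "$f" | cut -c1-10)
    case "$perms" in
        -r??------) ;;
        *) echo "FAIL: $f must be readable by its owner only (got $perms)"; return 1 ;;
    esac

    # Exactly one line (awk counts a final line even without a trailing newline).
    n=$(awk 'END { print NR }' "$f")
    [ "$n" -eq 1 ] || { echo "FAIL: $f must contain exactly one line (got $n)"; return 1; }

    # A CRLF ending would make the carriage return part of the password.
    if grep -q "$(printf '\r')" "$f"; then
        echo "FAIL: $f has a CRLF line ending"; return 1
    fi

    pw=$(head -n 1 "$f")
    [ -n "$pw" ] || { echo "FAIL: $f is empty"; return 1; }
    case "$pw" in
        *[[:space:]]*) echo "FAIL: $f contains whitespace in the password"; return 1 ;;
    esac

    echo "OK: $f"
    return 0
}

# Demonstration on constructed files; the password is a placeholder, not a real one.
demo() {
    d=$(mktemp -d)
    printf 'placeholder-password\n'   > "$d/good.txt";  chmod 600 "$d/good.txt"
    printf 'placeholder-password\n'   > "$d/loose.txt"; chmod 644 "$d/loose.txt"
    printf 'placeholder-password\r\n' > "$d/crlf.txt";  chmod 600 "$d/crlf.txt"
    printf 'a\nb\n'                   > "$d/two.txt";   chmod 600 "$d/two.txt"
    for name in good loose crlf two; do
        check_repl_pwd_file "$d/$name.txt"
    done
    rm -rf "$d"
}

demo
```

Run it against the real file (for example check_repl_pwd_file /local/ds1/replmanrpwd1.txt) on each host before step 3 and step 8; the file must live on the host of the server whose property references it, because dsconf reads the path on that server's machine.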

To Configure Client Authentication Based Replication for SSL

In the following procedure, it is assumed that you requested properly signed certificate/key pairs from a trusted Certificate Authority (CA) and that the CA's certificate is present in the security database of every server.

The certificate/key pairs should be issued to the users that have replication rights, that is, the certificate subject is the DN of a user allowed to transfer replication data between the servers. In the following example, these users are cn=user1,o=users and cn=user2,o=users; the certificates' nicknames in the security databases are replmgr1 and replmgr2 respectively.

  1. Create new servers.
    $ dsadm create -p 1389 -P 1636 /local/ds1
    $ dsadm create -p 2389 -P 2636 /local/ds2
  2. On each server, add the user certificate/key pair received from the CA.
    $ dsadm import-cert /local/ds1 user1.der
    $ dsadm import-cert /local/ds2 user2.der

    user1.der and user2.der are the files provided by the CA.

  3. Export the users' certificates for later use.
    $ dsadm show-cert -F ascii /local/ds1 replmgr1 > user1.ldif
    $ dsadm show-cert -F ascii /local/ds2 replmgr2 > user2.ldif

    The files should contain base64 encoded binary certificates.

  4. Start the servers.
    $ dsadm start /local/ds1 
    $ dsadm start /local/ds2
  5. On all servers, create empty suffixes, including the one where the users and their certificates will be stored.
    $ dsconf create-suffix -p 1389 -e o=example.com
    $ dsconf create-suffix -p 2389 -e o=example.com
    $ dsconf create-suffix -p 1389 -e o=users
    $ dsconf create-suffix -p 2389 -e o=users

    Note - Alternatively, the users and their certificates could be in another suffix. It is not recommended to have the user in the same suffix that is to be replicated.


  6. On all servers, enable replication.
    $ dsconf enable-repl -p 1389 -e -d 1 master o=example.com
    $ dsconf enable-repl -p 2389 -e -d 2 master o=example.com
  7. Prepare the users to be set as replication managers. Edit user1.ldif and user2.ldif to look like the following:
    dn: cn=user1,o=users
    objectclass: top
    objectclass: inetorgperson
    sn: user1
    userCertificate;binary:: MIIBqDCCARGgAwIBAgI <...>
     dXNlcnMwHh <...>
     <...>

    The files must be valid LDIF files.

    Remove the BEGIN CERTIFICATE and END CERTIFICATE lines. The value of userCertificate;binary:: is simply the base64 encoding of the certificate. If it spans multiple lines, each continuation line must start with a space.

  8. Add the user definitions on the server where the user is going to be allowed to replicate.
    $ ldapmodify -p 1389 -D binddn -w password -a < user2.ldif
    $ ldapmodify -p 2389 -D binddn -w password -a < user1.ldif

    Note - Alternatively, you can issue the ldapmodify commands directly and create the two users interactively. Make sure that you use the correct syntax while setting the userCertificate attribute.


  9. On each server, set the user allowed to replicate from the other server as the replication manager of the suffix.
    $ dsconf set-suffix-prop -p 1389 -e o=example.com repl-manager-bind-dn:cn=user2,o=users
    $ dsconf set-suffix-prop -p 2389 -e o=example.com repl-manager-bind-dn:cn=user1,o=users
  10. Set each server to use the user certificate/key pair as its own server certificate.
    $ dsconf set-server-prop -p 1389 -e ssl-rsa-cert-name:replmgr1
    $ dsconf set-server-prop -p 2389 -e ssl-rsa-cert-name:replmgr2
  11. Restart the servers so that the changes take effect.
    $ dsadm restart /local/ds1
    $ dsadm restart /local/ds2
  12. Create the replication agreements.
    $ dsconf create-repl-agmt -p 1389 -e -A ssl-client o=example.com hostname:2636
    $ dsconf create-repl-agmt -p 2389 -e -A ssl-client o=example.com hostname:1636
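Step 7 of this procedure asks you to hand-edit the PEM output of dsadm show-cert -F ascii into a single userCertificate;binary:: value with space-prefixed continuation lines. The POSIX shell script below is an added example, not the guide's own tooling: pem_to_ldif_cert strips the BEGIN/END CERTIFICATE markers, joins the base64 body and refolds it as LDIF (RFC 2849) expects, keeping every line at 76 characters or fewer, and ldif_unfold_cert reverses the folding so you can confirm the value was not damaged. The demo input is a constructed base64 string, not a real certificate, and the DN cn=user1,o=users follows the page's example; the assumption is that dsadm show-cert -F ascii writes standard PEM armour.

```shell
#!/bin/sh
# Added example, not from the Oracle Directory Server guide.
# Convert a PEM certificate (as written by "dsadm show-cert -F ascii INSTANCE NICKNAME")
# into the LDIF user entry that the replication manager setup expects.

# pem_to_ldif_cert PEMFILE DN SN  -> LDIF entry on stdout; returns 1 if no body is found
pem_to_ldif_cert() {
    pem=$1; dn=$2; sn=$3
    # Drop the armour lines and join the base64 body into one string.
    b64=$(grep -v -e '^-----BEGIN' -e '^-----END' "$pem" | tr -d '\r\n ')
    [ -n "$b64" ] || { echo "no base64 body found in $pem" >&2; return 1; }

    printf 'dn: %s\n' "$dn"
    printf 'objectclass: top\n'
    printf 'objectclass: inetorgperson\n'
    printf 'sn: %s\n' "$sn"
    # "userCertificate;binary:: " is 25 characters, so the first line takes 51 base64
    # characters and each continuation line a space plus 75, keeping lines <= 76 wide.
    printf '%s\n' "$b64" | awk '{
        s = $0
        print "userCertificate;binary:: " substr(s, 1, 51)
        s = substr(s, 52)
        while (length(s) > 0) {
            print " " substr(s, 1, 75)
            s = substr(s, 76)
        }
    }'
}

# ldif_unfold_cert LDIFFILE  -> prints the unfolded base64 value of userCertificate;binary::
ldif_unfold_cert() {
    awk '
        /^userCertificate;binary:: / { v = substr($0, 26); infold = 1; next }
        infold && /^ /               { v = v substr($0, 2); next }
        infold                       { infold = 0 }
        END                          { print v }
    ' "$1"
}

# Demonstration with a constructed body (base64 alphabet only, not a real certificate).
demo() {
    d=$(mktemp -d)
    body=$(awk 'BEGIN { a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
                        for (i = 0; i < 180; i++) printf "%s", substr(a, i % 64 + 1, 1) }')
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$body" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } > "$d/user1.pem"

    pem_to_ldif_cert "$d/user1.pem" 'cn=user1,o=users' user1 > "$d/user1.ldif"
    cat "$d/user1.ldif"
    # Round-trip check: the unfolded value must equal the original body.
    if [ "$(ldif_unfold_cert "$d/user1.ldif")" = "$body" ]; then
        echo "round-trip OK"
    else
        echo "round-trip FAILED" >&2
    fi
    rm -rf "$d"
}

demo
```

For the real files, run pem_to_ldif_cert user1.pem 'cn=user1,o=users' user1 > user1.ldif (and likewise for user2) after saving the show-cert output, then feed the result to the ldapmodify commands of step 8; the round-trip check is worth keeping, because a certificate value damaged by folding loads without error but never matches the certificate the peer presents.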