Managing Administration Traffic to the Server

The administration connector is based on the LDAP protocol and uses LDAP over SSL by default. All command-line utilities that access the administrative suffixes use the administration connector. This includes the following commands:

• backup

• dsconfig

• dsreplication

• export-ldif

• import-ldif

• manage-account

• manage-tasks

• restore

• status

• stop-ds

• uninstall

• vdp-uninstall

The administration connector is always present and enabled. You cannot disable or delete the connector but you can use dsconfig to manipulate the following properties of the connector:

• listen-address. The address on which the server listens for administration traffic.

• listen-port. The default port of the administration connector is 4444. You can change this port during setup if required. If you use the default port, you do not need to specify a port when running the administration commands (the default port is assumed). If you change the port, you must specify the new port when running the administration commands.

• Security-related properties. Traffic using the administration connector is always secured. As with the LDAPS connection handler, the administration connector is configured with a self-signed certificate during server setup. This self-signed certificate is generated the first time the server is started. You can manage the administration connector certificate using external tools, such as keytool.

  The security-related properties include the following:

  • ssl-cert-nickname

  • key-manager-provider

  • trust-manager-provider

  When you run the administration commands, you are prompted as to how you want to trust the certificate. If you run the administration commands in non-interactive mode, you must specify the -X or --trustAll option to trust the certificate, otherwise the command will fail.

Accessing Administrative Suffixes

The administrative suffixes include the following:

• cn=config

• cn=monitor

• cn=tasks

• cn=backups

• cn=ads-truststore

• cn=schema

• cn=admin data

In general, direct LDAP access to the administrative suffixes (using the ldap* utilities) is discouraged, with the exception of the cn=monitor suffix. In most cases, it is preferable to use the dedicated administrative command-line utilities to access these suffixes.

If you must use the ldap* commands to access the administrative suffixes, you should use the administration connector port (with the --useSSL or -Z option). Using the administration connector ensures that monitoring data is not polluted and that server administration takes precedence over user traffic. The same recommendations apply if you are accessing the administrative suffixes using an LDAP browser.

To Configure the Administration Connector

This example displays the default properties of the administration connector, and changes the listen port of the connector to 5555.

1. View the default properties of the administration connector, using the dsconfig command.

   $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
   get-administration-connector-prop

   The output is similar to the following.

   Property               : Value(s)
   -----------------------:---------------
   key-manager-provider   : Administration
   listen-address         : 0.0.0.0
   listen-port            : 4444
   ssl-cert-nickname      : admin-cert
   trust-manager-provider : Administration

2. Change the listen port, using the dsconfig command.

   $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
    set-administration-connector-prop --set listen-port:5555

   ---

   Note - You must restart the server for changes to this property to take effect.

   ---