HP-UX Directory Server 8.1 administrator guide

8.13 Replication over SSL
The Directory Servers involved in replication can be configured so that all replication operations
occur over an SSL connection. To use replication over SSL, first do the following:
• Configure both the supplier and consumer servers to use SSL.
• Configure the consumer server to recognize the supplier server's certificate as the supplier
DN. This step is needed only if replication uses SSL client authentication rather than simple
authentication.
These procedures are described in Chapter 12 “Managing SSL”.
If attribute encryption is enabled, a secure connection is required for replication.
NOTE:
Replication configured over SSL with certificate-based authentication will fail if the supplier's
certificate is only capable of behaving as a server certificate, and not also a client during an SSL
handshake. Replication with certificate-based authentication uses the Directory Server's server
certificate for authentication to the remote server.
When both servers are configured to use SSL, configure an SSL connection for replication in the
Replication Agreement Wizard. The Source and Destination settings define how the supplier binds
to the consumer, and this is where SSL is selected.
There are two ways to use SSL for replication:
• Select SSL Client Authentication.
With SSL client authentication, the supplier and consumer servers use certificates to
authenticate to each other.
• Select Simple Authentication.
With simple authentication, the supplier and consumer servers use a bind DN and password
to authenticate to each other, which are supplied in the Replication Agreement Wizard text
fields provided. Simple authentication takes place over a secure channel but without
certificates.
After a replication agreement is created, the connection type (SSL or non-SSL) cannot be changed
in the agreement because LDAP and LDAPS connections use different ports. To change the
connection type, delete the agreement and re-create it.
Also, the port listed for the consumer is the non-SSL port, even if the Directory Server instance
is configured to run over SSL. This port number is used only for identification of the Directory
Server instance in the Console; it does not specify the actual port number or protocol that is used
for replication.
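As an added example (not part of this guide and not the Directory Server's own tooling), the following Python script renders the replication agreement entry for each of the two bind methods described above and flags the combinations the text warns against: certificate authentication without an SSL transport, a simple bind without a DN and password, a simple bind over a cleartext connection, and any non-secure transport while attribute encryption is enabled. It also emits the delete-then-add pair needed to change the connection type, since the agreement cannot be edited in place. The nsDS5ReplicationAgreement attribute names are those used by Netscape-derived directory servers; the host names, suffix, bind DN and password are constructed sample values, and using port 636 for the SSL transport assumes the consumer's LDAPS listener is on that port.

```python
"""Render and sanity-check a replication agreement entry for the SSL
bind methods described in the guide.  Added example, not from the guide;
host names, DNs and the password below are constructed sample values."""

from dataclasses import dataclass, replace


@dataclass
class Agreement:
    name: str
    consumer_host: str
    consumer_port: int       # assumption: 636 = consumer's LDAPS listener
    transport: str           # "LDAP" (cleartext) or "SSL" (LDAPS)
    bind_method: str         # "SIMPLE" or "SSLCLIENTAUTH"
    suffix: str
    bind_dn: str = ""
    credentials: str = ""


def agreement_ldif(a: Agreement) -> str:
    """Emit the agreement entry as LDIF suitable for ldapadd."""
    lines = [
        f'dn: cn={a.name},cn=replica,cn="{a.suffix}",cn=mapping tree,cn=config',
        "objectClass: top",
        "objectClass: nsDS5ReplicationAgreement",
        f"cn: {a.name}",
        f"nsDS5ReplicaHost: {a.consumer_host}",
        f"nsDS5ReplicaPort: {a.consumer_port}",
        f"nsDS5ReplicaTransportInfo: {a.transport}",
        f"nsDS5ReplicaBindMethod: {a.bind_method}",
        f"nsDS5ReplicaRoot: {a.suffix}",
    ]
    # Only a simple bind carries a DN and password; certificate
    # authentication takes its identity from the SSL handshake.
    if a.bind_method == "SIMPLE":
        lines.append(f"nsDS5ReplicaBindDN: {a.bind_dn}")
        lines.append(f"nsDS5ReplicaCredentials: {a.credentials}")
    return "\n".join(lines) + "\n"


def check_agreement(a: Agreement, attribute_encryption: bool = False) -> list:
    """Return the problems worth catching before the agreement is created."""
    problems = []
    secure = a.transport == "SSL"
    if a.bind_method == "SSLCLIENTAUTH" and not secure:
        problems.append("SSLCLIENTAUTH requires an SSL transport: the certificate "
                        "is only presented during the SSL handshake")
    if a.bind_method == "SIMPLE":
        if not a.bind_dn or not a.credentials:
            problems.append("SIMPLE bind needs both a bind DN and a password")
        if not secure:
            problems.append("SIMPLE bind over cleartext LDAP exposes the "
                            "replication password on the wire")
    if attribute_encryption and not secure:
        problems.append("attribute encryption is enabled, so replication "
                        "must use a secure connection")
    return problems


def recreate_ldif(a: Agreement, transport: str, port: int) -> str:
    """The connection type cannot be edited in place, so switching
    transport means deleting the agreement and adding it again."""
    new = replace(a, transport=transport, consumer_port=port)
    dn_line, body = agreement_ldif(new).split("\n", 1)
    return f"{dn_line}\nchangetype: delete\n\n{dn_line}\nchangetype: add\n{body}"


# Constructed sample agreements (not taken from the guide).
SUFFIX = "dc=example,dc=com"
CERT_AGREEMENT = Agreement("to-consumer1-cert", "consumer1.example.com", 636,
                           "SSL", "SSLCLIENTAUTH", SUFFIX)
SIMPLE_AGREEMENT = Agreement("to-consumer1-simple", "consumer1.example.com", 636,
                             "SSL", "SIMPLE", SUFFIX,
                             bind_dn="cn=replication manager,cn=config",
                             credentials="REPLACE-WITH-REAL-PASSWORD")
CLEARTEXT_AGREEMENT = Agreement("to-consumer1-plain", "consumer1.example.com", 389,
                                "LDAP", "SIMPLE", SUFFIX,
                                bind_dn="cn=replication manager,cn=config",
                                credentials="REPLACE-WITH-REAL-PASSWORD")
BAD_CERT_AGREEMENT = Agreement("to-consumer1-badcert", "consumer1.example.com", 389,
                               "LDAP", "SSLCLIENTAUTH", SUFFIX)

if __name__ == "__main__":
    for agr in (CERT_AGREEMENT, SIMPLE_AGREEMENT, CLEARTEXT_AGREEMENT, BAD_CERT_AGREEMENT):
        print(agreement_ldif(agr))
        print("problems:", check_agreement(agr, attribute_encryption=True) or "none", "\n")
    print(recreate_ldif(CLEARTEXT_AGREEMENT, "SSL", 636))
```

The check function deliberately runs before anything is sent to the server: once the agreement exists, the only way to change its transport is the delete-and-add pair that `recreate_ldif` produces.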
8.14 Replicating o=NetscapeRoot for Administration Server failover
Replication usually occurs between Directory Server user databases to distribute directory data,
but it is also possible to use replication to provide failover support for the Administration Server
database, o=NetscapeRoot.
1. Install and configure the first Directory Server instance.
The setup-ds-admin.pl script has an option, -f, which references an .inf file. The .inf file can
be used to import LDIF files through the ConfigFile parameter, and those LDIF files can
create databases, suffixes, and replication entries. (The .inf file is described in more detail
in the HP-UX Directory Server installation guide.)
/opt/dirsrv/sbin/setup-ds-admin.pl -f /tmp/server1.inf
To configure the o=NetscapeRoot database on server1 as a multi-master supplier replica,
use the following statements in the inf file:
380 Managing replication