HP-UX Directory Server 8.1 administrator guide
For more information on database encryption configuration schema, see "Database Attributes
under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm
database,cn=plugins,cn=config" in the HP-UX Directory Server configuration, command, and file
reference.
2.3.3.5 Exporting and importing an encrypted database
Exporting and importing encrypted databases is similar to exporting and importing regular
databases. However, the encrypted information must be decrypted when it is exported to LDIF,
then re-encrypted when it is imported to the database. Using the -E option when running the
db2ldif and ldif2db scripts will decrypt the data on export and re-encrypt it on import.
1. Export the data using the db2ldif script, as follows:
db2ldif -n Database1 -E -a /path/to/output.ldif -s "dc=example,dc=com" -s "o=userRoot"
For more information, see “Exporting to LDIF from the command line”.
2. Make any configuration changes.
3. Re-import the data using the ldif2db script, as follows:
ldif2db -n Database1 -E -i /path/to/output.ldif
For more information, see “Importing from the command line”.
NOTE:
When enabling encryption for data that is already present in the database, several additional
security concerns arise:
• It is possible for old, unencrypted data to persist in the server's database page pool backing
file, even after a successful re-import with encryption. To remove this data, stop the server
and delete the db/guardian file, then restart the server. This will force recovery, a side-effect
of which is deleting the backing file. However, it is possible that the data from the deleted
file could still be recovered from the hard drive unless steps are taken to overwrite the disk
blocks that it occupied.
• After enabling encryption and importing data, be sure to delete the LDIF file because it
contains plain text values for the now-encrypted data. Ensure that the disk blocks that it
occupied are overwritten.
• The unencrypted data previously stored in the server's database may persist on disk after
a successful re-import with encryption. This is because the old database files are deleted,
not overwritten, as part of the import process, so the disk blocks they occupied may still
hold the plain text values. Ensure that the disk blocks that those files occupied are
overwritten.
• Data stored in the server's replication log database is never encrypted; therefore, care should
be taken to protect those files if replication is used.
• The server does not attempt to protect unencrypted data stored in memory. This data may
be copied into a system page file by the operating system. For this reason, ensure that any
page or swap files are adequately protected.
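The export, reconfigure, re-import cycle above, followed by the overwrite-and-delete of the plain text LDIF that the note requires, as an added POSIX sh example that is not part of the HP-UX Directory Server guide. The db2ldif and ldif2db options are the ones shown in the procedure; the DB2LDIF, LDIF2DB and CONFIG_HOOK variables, the scrub_file helper and the 4 KB block assumption are this script's own.

```shell
#!/bin/sh
# Added example, not from the HP-UX Directory Server guide: drive the
# db2ldif -E / ldif2db -E round trip, then overwrite and remove the
# plaintext LDIF so it does not outlive the import.

DB2LDIF=${DB2LDIF:-db2ldif}      # overridable so the script can be dry-run with stubs
LDIF2DB=${LDIF2DB:-ldif2db}
CONFIG_HOOK=${CONFIG_HOOK:-true} # command run between export and import (step 2)

# Overwrite a file's blocks with zeros before unlinking it. Assumes a
# filesystem that rewrites in place; journaling or copy-on-write storage
# may keep the old blocks, so that case still needs a storage-level wipe.
scrub_file() {
    f=$1
    [ -f "$f" ] || return 0
    blocks=$(( ($(wc -c < "$f") + 4095) / 4096 ))
    dd if=/dev/zero of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    rm -f "$f"
}

# Usage: reencrypt_reimport <database> <ldif-path> <suffix> [<suffix>...]
# The body runs in a subshell so the restrictive umask does not leak out.
reencrypt_reimport() (
    db=$1; ldif=$2; shift 2
    umask 077                      # the LDIF holds plaintext; keep it owner-only
    for s in "$@"; do              # turn each suffix into a "-s <suffix>" pair
        set -- "$@" -s "$s"
        shift
    done
    # Step 1: export with -E so encrypted attributes are written decrypted
    "$DB2LDIF" -n "$db" -E -a "$ldif" "$@" || exit 1
    # Step 2: any configuration change (for example enabling attribute encryption)
    "$CONFIG_HOOK" || exit 1
    # Step 3: re-import with -E so the attributes are encrypted on the way in
    if ! "$LDIF2DB" -n "$db" -E -i "$ldif"; then
        echo "import failed; plaintext LDIF kept at $ldif for retry" >&2
        exit 1
    fi
    # Only after a successful import is it safe to destroy the plaintext copy
    scrub_file "$ldif"
)
```

The page and swap file caveat in the note still applies: scrub_file only deals with the LDIF's own blocks.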
2.4 Creating and maintaining database links
Chaining means that a server contacts other servers on behalf of a client application then returns
the combined results. Chaining is implemented through a database link, which points to data
stored remotely. When a client application requests data from a database link, the database link
retrieves the data from the remote database and returns it to the client.
• “Creating a new database link”
• “Configuring the chaining policy”
• “Maintaining database links”
• “Database links and access control evaluation”
52 Configuring directory databases