Migrating Sun Java Directory Server to HP-UX Directory Server White Paper

Encryption Usage
A self-signed certificate is automatically configured for each SJDS instance, but it is not
necessarily used. Configure certificates for HPDS if any of the following are true:
LDAP clients are using SSL/TLS
Determine whether clients are connecting using SSL/TLS, or using the Start TLS extended
operation to upgrade connections to use TLS. The following example shows how to check for
usage of SSL/TLS in the access logs:
# egrep -i "conn=.* op=.* msgid=.* - SSL" /export/instance1/logs/access*
[13/Nov/2009:15:39:39 -0800] conn=1 op=-1 msgId=-1 - SSL 128-bit RC4
Replication agreements using SSL/TLS
To determine whether the instance has any replication agreements configured to use SSL/TLS, use
the following command:
# egrep -i "^nsDS5ReplicaTransportInfo: SSL$" /export/instance1/config/dse.ldif
nsDS5ReplicaTransportInfo: SSL
A replication consumer might not have replication agreements configured, but the access logs
discussed previously will reveal any incoming encrypted replication sessions that it receives.
Attribute encryption
Look for attribute encryption configuration in dse.ldif. The following example shows that the
carLicense attribute is encrypted:
# egrep -i "^dn: cn=.*,[ ]*cn=encrypted attributes" /export/instance1/config/dse.ldif
dn: cn=carlicense,cn=encrypted attributes,cn=example,cn=ldbm database,cn=plug
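The three checks above combined into one script, as an added example that is not part of the white paper. It assumes the instance layout used in the commands above; the function names and the sample instance written by make_sample are constructed for illustration. It joins LDIF continuation lines before matching, because a line-oriented egrep sees only the first physical line of a DN that dse.ldif wraps and misses the entry entirely when the wrap falls inside the search pattern.

```shell
# Added example, not from the white paper. Paths and sample data are assumptions.
# Join LDIF continuation lines (RFC 2849: a leading single space continues a line).
ldif_unfold() {
    awk '/^ /   { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
                { buf = $0 }
         END    { if (NR) print buf }' "$1"
}

# Count secured connections per negotiated cipher; $1 = logs directory.
tls_cipher_summary() {
    awk '/ conn=[0-9]+ op=-?[0-9]+ msg[Ii]d=-?[0-9]+ - SSL / {
             sub(/^.* - SSL /, ""); seen[$0]++ }
         END { for (c in seen) print seen[c] "\t" c }' "$1"/access* 2>/dev/null | sort
}

# Print the DN of each replication agreement that uses SSL; $1 = dse.ldif.
tls_repl_agreements() {
    ldif_unfold "$1" | awk '
        tolower($0) ~ /^dn: /                               { dn = substr($0, 5) }
        tolower($0) ~ /^nsds5replicatransportinfo: *ssl *$/ { print dn }'
}

# Print each attribute that has an attribute-encryption entry; $1 = dse.ldif.
encrypted_attrs() {
    ldif_unfold "$1" | awk '
        tolower($0) ~ /^dn: cn=[^,]+, *cn=encrypted attributes,/ {
            name = substr($0, 8); sub(/,.*/, "", name); print name }'
}

# Write a constructed sample instance (not real data) under directory $1.
make_sample() {
    mkdir -p "$1/logs" "$1/config"
    cat > "$1/logs/access" <<'EOF'
[13/Nov/2009:15:39:39 -0800] conn=1 op=-1 msgId=-1 - SSL 128-bit RC4
[13/Nov/2009:15:40:02 -0800] conn=2 op=-1 msgId=-1 - SSL 128-bit RC4
[13/Nov/2009:15:41:10 -0800] conn=3 op=0 msgId=1 - BIND dn="" method=128 version=3
EOF
    cat > "$1/config/dse.ldif" <<'EOF'
dn: cn=host2:636,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsDS5ReplicaTransportInfo: SSL

dn: cn=carlicense,cn=encrypted attributes,cn=example,cn=ldbm database,cn=plug
 ins,cn=config

dn: cn=userpassword,cn=encry
 pted attributes,cn=example,cn=ldbm database,cn=plugins,cn=config
EOF
}
```

On a real instance, call the three reporting functions with /export/instance1/logs and /export/instance1/config/dse.ldif. RC4 entries in the cipher summary deserve a note in the migration plan, because RFC 7465 prohibits RC4 cipher suites in TLS.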
Replication Topology
Developing a replication topology for HPDS requires familiarity with any deployed SJDS replicas in
the existing topology.
Replicas
Determine the number of replicas that will be migrated and their role as masters, hubs, or
consumers. Note the layout, such as whether some replicas share a host or have exclusive
use of one.
Replication agreements
Determine the location and destination of all replication agreements. In addition, note whether
they use a replication schedule, and whether they are configured for fractional replication by
excluding any attributes from being replicated. Finally, it is important to note whether any
agreements use SSL/TLS, as certificate configuration would then become a prerequisite for
configuring a new replication topology.
To determine the configuration specifics of a replication agreement, use the following
command, where the last argument is the host name and port number of the destination replica
of the replication agreement:
# dsconf get-repl-agmt-prop -p 389 -D "cn=directory manager" dc=example,dc=com host2:636