15.14. Configuring Changelog Encryption

To increase security, Directory Server supports encrypting the changelog. This section explains how to enable this feature.

Prerequisites

The server must have a certificate and key stored in the network security services (NSS) database. Therefor, enable TLS encryption on the server as described in Section 9.4.1, “Enabling TLS in Directory Server”.

Procedure

To enable changelog encryption:
  1. Except for the server on which you want to enable changelog encryption, stop all instances in the replication topology by entering the following command:
    # systemctl stop dirsrv@instance_name
  2. On the server where you want to enable changelog encryption:
    1. Create a task that exports the changelog:
      # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
      dn: cn=replica,cn=suffix,cn=mapping tree,cn=config
      changetype: modify
      add: nsds5Task
      nsds5Task: CL2LDIF
      Directory Server stores the export in the /var/lib/dirsrv/slapd-instance_name/changelogdb/ directory.
    2. Stop the instance:
      # systemctl stop dirsrv@instance_name
    3. Add the following setting to the dn: cn=changelog5,cn=config entry in the /etc/dirsrv/slapd-instance_name/dse.ldif file:
      nsslapd-encryptionalgorithm: AES
    4. Start the instance:
      # systemctl start dirsrv@instance_name
    5. Create a task to import the changelog:
      # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
      dn: cn=replica,cn=suffix,cn=mapping tree,cn=config
      changetype: modify
      add: nsds5Task
      nsds5Task: LDIF2CL
  3. Start all instances on the other servers in the replication topology using the following command:
    # systemctl start dirsrv@instance_name

Verification

To verify that the changelog is encrypted, run the following steps on the server with the encrypted changelog:
  1. Make a change in the LDAP directory, such as updating an entry.
  2. Stop the instance:
    # systemctl stop dirsrv@instance_name
  3. Enter the following command to display parts of the changelog:
    # dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/replica_name_replGen.db | tail -50
    If the changelog is encrypted, you see only encrypted data.
  4. Start the instance:
    # systemctl start dirsrv@instance_name