15.19. Replication over TLS

For security reasons, the Directory Servers involved in replication should be configured so that all replication operations occur over a TLS connection. To use replication over TLS:
  • Configure both the supplier and consumer servers to use TLS.
  • Configure the consumer server to recognize the supplier server's certificate as the supplier DN. This step is needed only if you use TLS client authentication rather than simple authentication.
These procedures are described in Section 9.4, “Enabling TLS”.
If attribute encryption is enabled, a secure connection is required for replication.

Note

Replication configured over TLS with certificate-based authentication fails if the supplier's certificate can act only as a server certificate, and not also as a client certificate, during a TLS handshake. Replication with certificate-based authentication uses the Directory Server's server certificate to authenticate to the remote server.
If you use certutil to generate the Certificate Signing Request (CSR), pass the --nsCertType=sslClient,sslServer option to the command to request the required certificate type.
When the servers are configured to use TLS, configure a TLS connection for replication in the Replication Agreement Wizard. The Source and Destination step sets how the supplier binds to the consumer, and this is where TLS is selected.
There are two ways to use TLS for replication:
  • Select SSL Client Authentication.
    With TLS client authentication, the supplier and consumer servers use certificates to authenticate to each other.
  • Select Simple Authentication.
    With simple authentication, the supplier and consumer servers use a bind DN and password to authenticate to each other, which are entered in the text fields provided in the Replication Agreement Wizard. Simple authentication takes place over a secure channel but without certificates.

    Note

    If secure binds are required for simple password authentication (Section 19.11.1, “Requiring Secure Binds”), then any replication operations will fail unless they occur over a secure connection. Using a secure connection (TLS and Start TLS connections or SASL authentication) is recommended in any case.
Once a replication agreement is created, the connection type (TLS or non-TLS) cannot be changed in the agreement because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement.
Also, the port listed for the consumer is the non-TLS port, even if the Directory Server instance is configured to run over TLS. This port number is used only to identify the Directory Server instance in the Console; it does not specify the actual port number or protocol used for replication.
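The three failure conditions this section describes (a non-TLS transport when attribute encryption is enabled, a simple bind over a non-TLS transport when secure binds are required, and certificate-based authentication with a supplier certificate that lacks the client type) can be checked against the replication agreements a server already has. The following audit script is an added example, not part of this guide or of Directory Server itself. It assumes the agreements have been exported from cn=config as LDIF (for instance with ldapsearch) and uses the stored agreement attribute names nsDS5ReplicaTransportInfo and nsDS5ReplicaBindMethod, which this section does not name; the sample LDIF, hostnames and DNs are constructed, and the supplier certificate's nsCertType values are passed in by the caller rather than read from the certificate database.

```python
"""Audit exported nsDS5ReplicationAgreement entries against the rules in
"Replication over TLS". Example code, not from the guide or the product."""

# Constructed sample: two agreements as they might be exported from cn=config.
# Raw string so the \3D / \2C escapes in the replica DN are kept literally.
SAMPLE_AGREEMENTS = r"""dn: cn=to-consumer1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-consumer1
nsDS5ReplicaHost: consumer1.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsDS5ReplicaRoot: dc=example,dc=com

dn: cn=to-consumer2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-consumer2
nsDS5ReplicaHost: consumer2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaRoot: dc=example,dc=com
"""

# "SSL" is LDAPS on the secure port; "TLS" is Start TLS on the LDAP port.
SECURE_TRANSPORTS = {"SSL", "TLS"}


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of {attr_lower: [values]} dicts.
    Handles folded continuation lines (leading space) and skips comments."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:  # folded line continues previous value
            current[last_attr][-1] += raw[1:]
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def audit_agreement(entry, secure_binds_required=False, attr_encryption=False,
                    supplier_cert_types=("sslServer",)):
    """Apply the section's rules to one agreement entry and return findings.
    supplier_cert_types: nsCertType values on the supplier's server certificate,
    assumed to be read off the certificate by the caller (e.g. from certutil -L)."""
    findings = []
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    method = entry.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper()
    secure = transport in SECURE_TRANSPORTS
    if attr_encryption and not secure:
        findings.append("FAIL: attribute encryption is enabled but transport is %s" % transport)
    if secure_binds_required and method == "SIMPLE" and not secure:
        findings.append("FAIL: secure binds are required but simple bind runs over %s" % transport)
    if method == "SSLCLIENTAUTH" and "sslClient" not in supplier_cert_types:
        findings.append("FAIL: SSLCLIENTAUTH needs a supplier certificate with nsCertType sslClient")
    if method == "SIMPLE" and not secure:
        findings.append("WARN: replication manager password sent over cleartext LDAP")
    return findings


def audit_ldif(text, **policy):
    """Audit every nsDS5ReplicationAgreement entry in an LDIF export; keyed by cn."""
    return {
        e["cn"][0]: audit_agreement(e, **policy)
        for e in parse_ldif(text)
        if "nsds5replicationagreement" in [v.lower() for v in e.get("objectclass", [])]
    }


if __name__ == "__main__":
    # Policy for this run: secure binds required, supplier cert is server-only.
    for name, findings in audit_ldif(SAMPLE_AGREEMENTS, secure_binds_required=True).items():
        print(name, "->", findings or ["OK"])
```

Run against a real export, feed in the server's actual policy (whether Section 19.11.1's secure-bind requirement and attribute encryption are enabled) and the nsCertType values shown for the supplier's server certificate; every FAIL line corresponds to an agreement that this section says will stop replicating.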