Show Table of Contents
11.17. Replication over SSL
The Directory Servers involved in replication can be configured so that all replication operations occur over an SSL connection. To use replication over SSL:
- Configure both the supplier and consumer servers to use SSL.
- Configure the consumer server to recognize the supplier server's certificate as the supplier DN. Do this only to use SSL client authentication rather than simple authentication.
These procedures are described in Section 7.4, “Setting up TLS/SSL”.
If attribute encryption is enabled, a secure connection is required for replication.
Note
Replication configured over SSL with certificate-based authentication will fail if the supplier's certificate is only capable of behaving as a server certificate, and not also a client during an SSL handshake. Replication with certificate-based authentication uses the Directory Server's server certificate for authentication to the remote server.
When the servers are configured to use SSL, configure an SSL connection for replication in the Replication Agreement Wizard. The Source and Destination sets how to bind between the supplier and the consumer, and this is where SSL is set.
There are two ways to use SSL for replication:
- Select SSL Client Authentication.With SSL client authentication, the supplier and consumer servers use certificates to authenticate to each other.
- Select Simple Authentication.With simple authentication, the supplier and consumer servers use a bind DN and password to authenticate to each other, which are supplied in the Replication Agreement Wizard text fields provided. Simple authentication takes place over a secure channel but without certificates.
Note
If secure binds are required for simple password authentication (Section 14.8.1, “Requiring Secure Binds”), then any replication operations will fail unless they occur over a secure connection. Using a secure connection (SSL/TLS and Start TLS connections or SASL authentication) is recommended, anyway.
Once a replication agreement is created, the connection type (SSL or non SSL) cannot be changed in the agreement because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement.
Also, the port listed for the consumer is the non-SSL port, even if the Directory Server instance is configured to run over SSL. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.