11.17. Replication over SSL

The Directory Servers involved in replication can be configured so that all replication operations occur over an SSL connection. To use replication over SSL:
  • Configure both the supplier and consumer servers to use SSL.
  • Configure the consumer server to recognize the supplier server's certificate as the supplier DN. Do this only to use SSL client authentication rather than simple authentication.
These procedures are described in Section 7.4, “Setting up TLS/SSL”.
If attribute encryption is enabled, a secure connection is required for replication.

Note

Replication configured over SSL with certificate-based authentication will fail if the supplier's certificate is only capable of behaving as a server certificate, and not also a client during an SSL handshake. Replication with certificate-based authentication uses the Directory Server's server certificate for authentication to the remote server.
When the servers are configured to use SSL, configure an SSL connection for replication in the Replication Agreement Wizard. The Source and Destination sets how to bind between the supplier and the consumer, and this is where SSL is set.
There are two ways to use SSL for replication:
  • Select SSL Client Authentication.
    With SSL client authentication, the supplier and consumer servers use certificates to authenticate to each other.
  • Select Simple Authentication.
    With simple authentication, the supplier and consumer servers use a bind DN and password to authenticate to each other, which are supplied in the Replication Agreement Wizard text fields provided. Simple authentication takes place over a secure channel but without certificates.

    Note

    If secure binds are required for simple password authentication (Section 14.8.1, “Requiring Secure Binds”), then any replication operations will fail unless they occur over a secure connection. Using a secure connection (SSL/TLS and Start TLS connections or SASL authentication) is recommended, anyway.
Once a replication agreement is created, the connection type (SSL or non SSL) cannot be changed in the agreement because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement.
Also, the port listed for the consumer is the non-SSL port, even if the Directory Server instance is configured to run over SSL. This port number is used only for identification of the Directory Server instance in the Console; it does not specify the actual port number or protocol that is used for replication.