Appendix E. Synchronizing two-way cryptography between server instances
If you want to use replication, use a distributed directory, or
import and export LDIF data between server instances, you must cryptographically
synchronize the server instances to obtain the best performance. (If
you create a directory server instance as a copy of an existing directory
server instance, the two directory server instances are cryptographically
synchronized and you do not need to synchronize them.)
If you are creating a new directory server instance and you want
it to be cryptographically synchronized with other directory server
instances, use the following procedure:
On the original server, obtain the encryption salt value by performing
the following search:
The
part of the string after the equal to sign (=) is the encryption salt
value. In this example, the encryption salt value is :SxaQ+.qdKor
Find the encryption seed value that was supplied when creating
the original server.
Create the new server using one of the following:
Use the Instance Administration Tool and provide the encryption seed value from the
original server in the Encryption seed string field
and the encryption salt value from the original server in the Encryption salt string field.
Use the idsicrt command, and specify the -e encryptionseed and -g encryptsalt options.
If you already have a server instance, and you have another server
instance that you want to cryptographically synchronize with the first
server instance, use the following procedure before you
do any of the following:
Start the second server instance
Run the idsbulkload command from the second
server instance
Run the idsldif2db command from the second
server instance
To cryptographically synchronize two server instances, assuming
that you have already created the first server instance:
Create the second server instance if you have not already created
it, but do not run the idsbulkload command,
or run the idsldif2db command on the second
server instance.
Use
the idsgendirksf utility on the second server
instance to recreate the ibmslapddir.ksf file (the key stash file)
from the first server instance. This file is used to replace the second
server instance's original ibmslapddir.ksf file. For information
about the idsgendirksf utility, see the IBM® Tivoli® Directory Server Version
6.3 Administration Guide. The file is in the idsslapd-instance_name\etc directory on Windows systems, or in the idsslapd-instance_name/etc directory on AIX®, Linux,
and Solaris systems. (instance_name is the
name of the directory server instance).
Note:
The idsgendirksf utility requires the encryption salt
value from the first server as a parameter. To obtain the encryption
salt value:
On the first server, obtain the encryption salt value by performing
the following search:
The
part of the string after the equal to sign (=) is the encryption salt
value. In this example, the encryption salt value is :SxaQ+.qdKor
Start the second server instance, run the idsbulkload command,
or run the idsldif2db command on the second
server instance.
The server instances are now cryptographically synchronized, and
AES-encrypted data will load correctly. (Although the procedure discusses
two server instances, you might need a group of server instances that
are cryptographically synchronized.)
Note:
When importing LDIF data, if the LDIF import file
is not cryptographically synchronized with the server instance that
is importing the LDIF data, any AES-encrypted entries in the LDIF
import file will not be imported.