Synchronizing two-way cryptography between server instances

Edit online

You must synchronize two-way cryptography between directory server instances to reduce the time that is required to encrypt and decrypt data during server communications.

Before you begin

To synchronize directory server instances by using two-way cryptography, you must have two or more instances.

You must synchronize the servers before you do any of the following operations:

  • Starting the second server instance.
  • Running the idsbulkload command from the second server instance.
  • Running the idsldif2db command from the second server instance. When you import an LDIF data that is not cryptographically synchronized, AES encrypted entries in the file are not imported.

About this task

If you want to use replication, distributed directory, or import and export LDIF data between server instances, you must cryptographically synchronize the instances for better performance.

Although, in the procedure two server instances are used. You might need a group of server instances that are cryptographically synchronized.

Procedure

To cryptographically synchronize two server instances, assuming that you created the first server instance do the following steps.

  1. Create the second server instance, but do not start the server instance.
  2. Run the idsbulkload command, or run the idsldif2db command on the second server instance.
  3. Copy the ibmslapddir.ksf file (the key stash file) from the first server instance to the second server instance.
    The file is in the idsslapd-instance_name\etc directory on Windows systems, or in the idsslapd-instance_name/etc directory on AIX®, Linux®, and Solaris systems. The instance_name is the name of the server instance.
  4. Run the idsgendirksf command to create the ibmslapddir.ksf file from the source server instance.
  5. Replace the ibmslapddir.ksf file of the target server instance with the ibmslapddir.ksf file of the source server instance.
    For more information about the idsgendirksf command, seeidsgendirksf.
  6. Run any one of the following operations:
    • Start the second server instance.
    • Run the idsbulkload command from the second server instance.
    • Run the idsldif2db command from the second server instance.

Results

After the directory server instances are cryptographically synchronized, AES encrypted data gets loaded correctly.