Synchronizing two-way cryptography between server instances

You can use the procedure that is provided here to synchronize two-way cryptography between server instances.

Before you begin

To synchronize Directory Server instances by using two-way cryptography, you must have two or more instances.

About this task

You must synchronize two-way cryptography between directory server instances to reduce the time that is required to encrypt and decrypt data during server communications.

If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, you must cryptographically synchronize the server instances to obtain the best performance.

If you already have a server instance, and you want to cryptographically synchronize another server instance with the first server instance, use the following procedure before you do any of the following steps:

  • Start the second server instance
  • Run the idsbulkload command from the second server instance
  • Run the idsldif2db command from the second server instance

To cryptographically synchronize two server instances, assuming that you already created the first server instance:

Procedure

  1. Create the second server instance, but do not start the server instance, run the idsbulkload command, or run the idsldif2db command on the second server instance.
  2. Run the idsgendirksf command to create the ibmslapddir.ksf file from the source server instance.
  3. Replace the ibmslapddir.ksf file of the target server instance with the ibmslapddir.ksf file of the source server instance.

    For more information about the idsgendirksf command, see the Command reference. The file is in the idsslapd-instance_name/etc directory, where instance_name is the name of the server instance.

  4. Run any one of the following operations:
    • Start the second server instance.
    • Run the idsbulkload command from the second server instance.
    • Run the idsldif2db command from the second server instance.
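The following shell script is an added example, not part of the IBM documentation or the product: it performs the replace step above and then verifies that both instances carry an identical ibmslapddir.ksf before the target is started or loaded. It assumes idsgendirksf has already been run for the source instance, that instance directories follow the idsslapd-instance_name/etc layout named above, and that the base directory holding them is passed as the first argument (the base directory argument is an assumption, not something the page specifies).

```shell
#!/bin/sh
# Added example (not IBM's code): copy ibmslapddir.ksf from the source
# instance to the target instance, keep a backup, and verify the copy.
set -e

# Path of the stash file for an instance:
# <base>/idsslapd-<instance_name>/etc/ibmslapddir.ksf (layout from the page;
# <base> is an assumed parameter).
ksf_path() {
    printf '%s/idsslapd-%s/etc/ibmslapddir.ksf\n' "$1" "$2"
}

# Hex digest of a file; uses sha256sum or shasum, whichever is installed.
ksf_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when both instances have a byte-identical ibmslapddir.ksf,
# which is the condition the "Results" section describes.
ksf_in_sync() {
    src=$(ksf_path "$1" "$2"); dst=$(ksf_path "$1" "$3")
    [ -f "$src" ] && [ -f "$dst" ] || return 1
    [ "$(ksf_digest "$src")" = "$(ksf_digest "$dst")" ]
}

# Replace the target's stash file with the source's. The target's original
# is kept as a timestamped backup so the step can be reverted, and the
# result is verified before returning.
sync_ksf() {
    base=$1; src_inst=$2; dst_inst=$3
    src=$(ksf_path "$base" "$src_inst"); dst=$(ksf_path "$base" "$dst_inst")
    [ -f "$src" ] || { echo "source ksf missing: $src" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$src" "$dst"
    chmod 600 "$dst"     # stash file should stay readable by the instance owner only
    ksf_in_sync "$base" "$src_inst" "$dst_inst"
}
```

Run `ksf_in_sync` again after step 4 if the target was loaded with idsbulkload or idsldif2db, so that any later divergence of the stash files is caught before replication or LDIF exchange is set up.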

Results

The server instances are now cryptographically synchronized, and AES-encrypted data is loaded correctly. Although the procedure discusses two server instances, you might need a group of server instances that are cryptographically synchronized.
Note: When you import LDIF data, if the LDIF import file is not cryptographically synchronized with the server instance that is importing the LDIF data, any AES-encrypted entries in the LDIF import file are not imported.