Data encryption or hashing and basic replication

When encryption or hashing is configured in an LDBM or TDBM backend participating in a basic replication environment, attribute values subject to encryption or hashing based on the pwEncryption or secretEncryption configuration options are replicated either in the clear or as hashed values, depending on the method configured.

When configuring basic replication in an LDBM backend, the following should be considered when setting the pwEncryption and secretEncryption configuration options:
  1. If the pwEncryption or secretEncryption configuration option is set to AES or DES, the attribute values eligible for encryption on add or modify requests are sent from the master or peer server to the replica or other peer server in the clear. Because these sensitive attribute values are replicated in the clear, a secure or SSL connection should be configured between the servers to protect this data while it is in transit. See Replicating server and Configuring the replica for more information.
  2. If the pwEncryption configuration option is set to crypt and replication is configured between a z/OS® LDAP server and a non-z/OS LDAP server, specify pwCryptCompat off in the LDBM backend section of the configuration file. This setting indicates that the LDAP server should use the UTF-8 version of the crypt algorithm to hash eligible values. When eligible attribute values (for example, userPassword) for hashing in crypt are replicated between z/OS and non-z/OS LDAP servers, the password is the same on both platforms and, therefore, is usable.

    If basic replication is configured between two z/OS LDAP servers, verify the pwCryptCompat configuration option has the same settings on both servers. This ensures that the values are usable on both servers.

  3. If the pwEncryption configuration option is set to any other one-way hashing method (for example, SHA, MD5, SSHA, SHA-2 or Salted SHA-2), the master or peer server replicates the tagged hashed value to the replica or other peer server. Therefore, the replica or the other peer server must support the same hashing method to ensure that the values are usable on the other server.

When basic replication is configured in a TDBM backend, the attribute values eligible for encryption or hashing on add or modify requests are always sent from the master or peer server to the replica or other peer server in the clear. A secure or SSL connection should be configured between the servers to protect this data while it is in transit. See Replicating server and Configuring the replica for more information.
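The considerations above for LDBM (items 1 to 3) and for TDBM can be checked mechanically before replication is enabled. The following script is an added example, not part of this documentation or of the z/OS LDAP server: it reads the pwEncryption, secretEncryption and pwCryptCompat options from a master and a replica configuration fragment and reports which consideration applies. The two fragments are constructed samples; the one-option-per-line layout with `#` comments, the backend name `GLDBLD31`, the `cross_platform` flag and the finding codes are assumptions made for the example.

```python
"""Check master/replica z/OS LDAP configuration fragments against the
basic replication considerations for pwEncryption, secretEncryption and
pwCryptCompat. Added example; the fragments below are constructed."""

from typing import Dict, List, Tuple

# Constructed sample: LDBM backend section of the master server.
MASTER_CONF = """\
# master server (constructed sample)
database LDBM GLDBLD31
pwEncryption crypt
secretEncryption AES
pwCryptCompat on
"""

# Constructed sample: LDBM backend section of the replica server.
REPLICA_CONF = """\
# replica server (constructed sample)
database LDBM GLDBLD31
pwEncryption crypt
pwCryptCompat off
"""

REVERSIBLE = {"AES", "DES"}          # item 1: replicated in the clear
CANONICAL = {"pwencryption": "pwEncryption",
             "secretencryption": "secretEncryption"}


def parse_options(text: str) -> Dict[str, str]:
    """Map option names (lowercased) to values; assumes 'option value' lines."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def check_replication(master_text: str, replica_text: str,
                      backend: str = "LDBM",
                      cross_platform: bool = False) -> List[Tuple[str, str]]:
    """Return (code, message) findings; cross_platform means the peer is a
    non-z/OS LDAP server (assumed flag, not a configuration option)."""
    master = parse_options(master_text)
    replica = parse_options(replica_text)
    findings: List[Tuple[str, str]] = []

    # TDBM: every eligible value is replicated in the clear, whatever the method.
    if backend.upper() == "TDBM":
        findings.append(("TDBM_CLEAR", "TDBM replicates eligible values in the "
                         "clear; configure a secure or SSL connection"))
        return findings

    # Item 1: AES or DES means clear-text replication of the eligible values.
    for opt, name in CANONICAL.items():
        value = master.get(opt, "").upper()
        if value in REVERSIBLE:
            findings.append(("CLEAR_TEXT", f"{name} {value}: values replicated "
                             "in the clear; configure a secure or SSL connection"))

    pw = master.get("pwencryption", "").lower()
    if pw == "crypt":
        # Item 2: pwCryptCompat off across platforms, identical between z/OS peers.
        m_compat = master.get("pwcryptcompat", "").lower()
        r_compat = replica.get("pwcryptcompat", "").lower()
        if cross_platform and m_compat != "off":
            findings.append(("CRYPT_COMPAT_OFF_REQUIRED", "pwEncryption crypt with "
                             "a non-z/OS peer: specify pwCryptCompat off"))
        elif not cross_platform and m_compat != r_compat:
            findings.append(("CRYPT_COMPAT_MISMATCH", f"pwCryptCompat differs "
                             f"(master={m_compat or 'unset'}, replica={r_compat or 'unset'})"))
    elif pw and pw != "none" and pw.upper() not in REVERSIBLE:
        # Item 3: tagged hash is replicated; the peer must support the method.
        findings.append(("TAGGED_HASH", f"pwEncryption {pw}: replica must support "
                         "this hashing method"))
    return findings


if __name__ == "__main__":
    for code, message in check_replication(MASTER_CONF, REPLICA_CONF):
        print(f"{code}: {message}")
```

With the constructed fragments the script reports the AES secretEncryption values as clear-text traffic and the pwCryptCompat mismatch between the two z/OS servers; passing `cross_platform=True` instead reports that the master must set pwCryptCompat off, and `backend="TDBM"` reduces to the single clear-text finding.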