Data encryption or hashing and basic replication
When encryption or hashing is configured in an LDBM or TDBM backend participating in a basic replication environment, attribute values subject to encryption or hashing under the pwEncryption or secretEncryption configuration options are replicated either in the clear or in hashed form, depending on the method configured.
- If the pwEncryption or secretEncryption configuration option is set to AES or DES, the attribute values eligible for encryption on add or modify requests are sent from the master or peer server to the replica or other peer server in the clear. Because these sensitive attribute values are replicated in the clear, a secure or SSL connection should be configured between the servers to protect this data while it is in transit. See Replicating server and Configuring the replica for more information.
- If the pwEncryption configuration option is set to crypt and replication is configured between a z/OS® LDAP server and a non-z/OS LDAP server, specify pwCryptCompat off in the LDBM backend section of the configuration file. This setting indicates that the LDAP server should use the UTF-8 version of the crypt algorithm to hash eligible values. When attribute values eligible for crypt hashing (for example, userPassword) are replicated between z/OS and non-z/OS LDAP servers, the hashed password is then the same on both platforms and, therefore, is usable.
If basic replication is configured between two z/OS LDAP servers, verify that the pwCryptCompat configuration option has the same setting on both servers. This ensures that the values are usable on both servers.
- If the pwEncryption configuration option is set to any other one-way hashing method (for example, SHA, MD5, SSHA, SHA-2 or Salted SHA-2), the master or peer server replicates the tagged hashed value to the replica or other peer server. Therefore, the replica or the other peer server must support the same hashing method to ensure that the values are usable on the other server.
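As an added example (not from the z/OS LDAP documentation), the following Python check lets a replica administrator audit a set of replicated userPassword values to confirm that the replica supports each tagged hashing method, and to verify a tagged value against a known password. The tagged format ({TAG}base64(digest + salt)) and the replica's supported-method set are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Hashing methods the replica is assumed to support (constructed for this example).
REPLICA_SUPPORTED = {"SHA", "SSHA", "SHA256", "SSHA256"}

# Tag -> (hashlib algorithm, salted?) for the one-way methods handled here.
# The tag/base64 layout is assumed; crypt values are not base64 and are only flagged.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
}


def split_tag(value):
    """Split '{TAG}payload' into (TAG, payload). Returns (None, value) if untagged."""
    if not value.startswith("{") or "}" not in value:
        return None, value
    tag, _, payload = value[1:].partition("}")
    return tag.upper(), payload


def make_hash(tag, password, salt=b""):
    """Build a tagged hash the way a master would store and replicate it (assumed layout)."""
    algo, salted = SCHEMES[tag]
    salt = salt if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (tag, base64.b64encode(digest + salt).decode("ascii"))


def verify(value, password):
    """Check a tagged hash on the replica; False if the method is not handled here."""
    tag, payload = split_tag(value)
    if tag not in SCHEMES:
        return False
    algo, salted = SCHEMES[tag]
    raw = base64.b64decode(payload)
    dlen = hashlib.new(algo).digest_size
    digest = raw[:dlen]
    salt = raw[dlen:] if salted else b""
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_replicated_values(values):
    """Return (value, status) pairs: 'usable', 'clear', or 'unsupported:<TAG>'."""
    report = []
    for v in values:
        tag, _ = split_tag(v)
        if tag is None:
            report.append((v, "clear"))  # untagged: replicated in the clear (AES/DES case)
        elif tag in REPLICA_SUPPORTED:
            report.append((v, "usable"))
        else:
            report.append((v, "unsupported:" + tag))
    return report
```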
When basic replication is configured in a TDBM backend, the attribute values eligible for encryption or hashing on add or modify requests are always sent from the master or peer server to the replica or other peer server in the clear. A secure or SSL connection should be configured between the servers to protect this data while it is in transit. See Replicating server and Configuring the replica for more information.