SSL/TLS and basic replication

SSL/TLS can be used to communicate between a replicating server (master or peer) and a replica server (read-only or peer).

Replica server with SSL/TLS enablement

Set the replica server up for SSL/TLS like a typical SSL/TLS server. It needs its own public-private key pair and certificate, and the LDAP server configuration file needs the standard SSL options (listen, sslKeyRingFile, and sslKeyRingFilePW). See Setting up for SSL/TLS for more information.

Replicating server with SSL/TLS enablement

The replicating server acts as an SSL/TLS client to the replica server.

To set up the replicating server, you must:

  1. Run the gskkyman utility (see z/OS Cryptographic Services System SSL Programming) or the RACDCERT command (see z/OS Security Server RACF Command Language Reference), this time as if you were the client. The key database file, RACF® keyring, or PKCS #11 token must contain the replicating server's own key pair and certificate. Receive the replica's self-signed certificate into it and mark it as trusted (if the replica's certificate was instead issued by a certificate authority, receive and trust that CA's certificate).
  2. In the LDAP server configuration file on the replicating server:
    • Set sslKeyRingFile to the key database file, RACF keyring, or PKCS #11 token that you created above for the replicating server.
    • If a key database file is used, set sslKeyRingFilePW to the password for the key database file, or set sslKeyRingPWStashFile to the name of the file where the password is stashed.
  3. Ensure any environment variables that control SSL/TLS settings are properly defined in the LDAP server environment variable file. Keep in mind that the replicating server plays two roles at once, server to its clients and client to the replica, and some settings are shared between the two:
    • The environment variables that enable TLS protocol levels are shared with the server definitions. For example, GSK_PROTOCOL_TLSV1_2=ON enables TLS 1.2 both for inbound client connections to the replicating server and for outbound connections from the replicating server to the replica.
    • Because the replicating server acts as an SSL/TLS client to the replica, the environment variables that control the cipher suites on the outbound connections are used as described for the client API: LDAP_SSL_CIPHER_FORMAT selects the cipher format, and then either GSK_V3_CIPHER_SPECS or GSK_V3_CIPHER_SPECS_EXPANDED supplies the cipher list, depending on which format was chosen.
    • The cipher suites on the inbound client connections are controlled by the configured sslCipherSpecs setting, which can share the value specified on GSK_V3_CIPHER_SPECS_EXPANDED.
    • Where a setting is shared by both inbound client connections and outbound connections to replicas, the cipher list must include the cipher suites that both sets of connections need; a list tuned for only one side can leave the other side unable to negotiate a session.
  4. In the replica entry for this replica:
    • Set the replicaPort attribute to the replica’s secure port number.
    • Set the replicaUseSSL attribute to TRUE.
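
The fragments below show steps 2 through 4 applied on the replicating server. They are an added example, not configuration taken from the original page or shipped with the product: the file paths, host name, port number, DN values, password, the keyword used on sslCipherSpecs, the CHAR4 value for LDAP_SSL_CIPHER_FORMAT, and the replica-entry attributes other than replicaPort and replicaUseSSL (replicaHost, replicaBindDN, replicaCredentials, and the replicaObject object class) are assumptions for illustration; check each against the z/OS LDAP configuration reference for your release.

```text
# ---- LDAP server configuration file on the replicating server (step 2) ----
# Key database created in step 1: holds this server's key pair and certificate
# and the replica's certificate marked as trusted. Path is an assumption.
sslKeyRingFile         /etc/ldap/replicator.kdb
# Use a stash file rather than a clear-text password in the configuration.
sslKeyRingPWStashFile  /etc/ldap/replicator.sth
# Inbound cipher list for this server's own clients. The keyword below is an
# assumption; it makes the inbound list share GSK_V3_CIPHER_SPECS_EXPANDED,
# so that one list must satisfy both the inbound and the outbound side.
sslCipherSpecs         GSK_V3_CIPHER_SPECS_EXPANDED

# ---- LDAP server environment variable file (step 3) ----
# Protocol level: shared by inbound client connections and outbound
# connections to the replica.
GSK_PROTOCOL_TLSV1_2=ON
# Outbound cipher control follows the client API: pick the 4-character
# (expanded) format, then list the suites. CHAR4 is an assumed value.
LDAP_SSL_CIPHER_FORMAT=CHAR4
# IANA cipher suite codes, concatenated:
#   C02B ECDHE_ECDSA_AES_128_GCM_SHA256   C02F ECDHE_RSA_AES_128_GCM_SHA256
#   C02C ECDHE_ECDSA_AES_256_GCM_SHA384   C030 ECDHE_RSA_AES_256_GCM_SHA384
# Because the list is shared with sslCipherSpecs above, it has to contain
# suites the replica accepts AND suites this server's own clients accept.
GSK_V3_CIPHER_SPECS_EXPANDED=C02BC02FC02CC030

# ---- Replica entry in the replicating server's directory, as LDIF (step 4) ----
# Attribute names other than replicaPort and replicaUseSSL are assumptions.
dn: cn=replica1, o=Your Company
objectclass: replicaObject
replicaHost: replica.example.com
# The replica's SECURE port, not its clear-text LDAP port.
replicaPort: 636
# Simple bind credentials used against the replica; they travel inside TLS.
replicaBindDN: cn=Master Server, o=Your Company
replicaCredentials: secret
replicaUseSSL: TRUE
```

After restarting the replicating server, confirm the outbound side actually negotiates: the replica's server log should show a TLS session from the replicating server's address on the secure port, and a replication update made on the master should appear on the replica. If the session fails to negotiate while ordinary clients still connect, the first thing to check is that the shared cipher list contains a suite the replica is configured to accept.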

See Setting up for SSL/TLS for more information.

Because the replicating server acts as an SSL/TLS client to the replica server, it is the replicating server that binds to the replica server. The bind method used is simple bind, which sends a bind DN and password; the TLS session is what protects that credential on the wire. The SASL external bind method (authentication with the replicating server's client certificate) is not supported for basic replication.