Synchronizing two-way cryptography between server instances

You can use the procedure provided here to synchronize two-way cryptography between server instances.

About this task

If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, you must cryptographically synchronize the server instances to obtain the best performance.

If you already have a server instance, and you have another server instance that you want to cryptographically synchronize with the first server instance, use the following procedure before you do any of the following steps:

  • Start the second server instance
  • Run the idsbulkload command from the second server instance
  • Run the idsldif2db command from the second server instance

To cryptographically synchronize two server instances, assuming that you have already created the first server instance:

Procedure

  1. Create the second server instance, but do not start the server instance, run the idsbulkload command, or run the idsldif2db command on the second server instance.
  2. Use the idsgendirksf utility on the second server instance to re-create the ibmslapddir.ksf file (the key stash file) from the first server instance. This file replaces the second server instance's original ibmslapddir.ksf file. See the idsgendirksf command information in the Command Reference for more information about the idsgendirksf utility. The file is in the idsslapd-instance_name\etc directory on Windows systems, or in the idsslapd-instance_name/etc directory on AIX®, Linux®, and Solaris systems (instance_name is the name of the server instance).
  3. Start the second server instance, run the idsbulkload command, or run the idsldif2db command on the second server instance.

Results

The server instances are now cryptographically synchronized, and AES-encrypted data will load correctly. Although the procedure discusses two server instances, you might need a group of server instances that are cryptographically synchronized.

Note: When importing LDIF data, if the LDIF import file is not cryptographically synchronized with the server instance that is importing the LDIF data, any AES-encrypted entries in the LDIF import file will not be imported.

If you are creating a new directory server instance and you want it to be cryptographically synchronized with other directory server instances, use the following procedure:

  1. On the original server, obtain the encryption salt value by performing the following search:

     ldapsearch -D adminDN -w adminPw -b "cn=crypto,cn=localhost" objectclass=* ibm-slapdCryptoSalt

  2. A value similar to the following value is returned:

     ibm-slapdCryptoSalt=d?TRm$'ucc5m

     The part of the string after the equals sign (=) is the encryption salt value. In this example, the encryption salt value is d?TRm$'ucc5m.
  3. Find the encryption seed value that was supplied when creating the original server.
  4. Create the new server using one of the following methods:
    • Use the Instance Administration Tool and provide the encryption seed value from the original server in the Encryption seed string field and the encryption salt value from the original server in the Encryption salt string field.
    • Use the idsicrt command, and specify the -e encryptionseed and -g encryptsalt options.
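As an added example (not part of the IBM documentation), the following POSIX shell snippet pulls the salt out of the search output shown above, checks that two instances report the same salt before AES data is loaded, and passes the salt to idsicrt through a double-quoted variable so that characters such as $ and ' in the salt are not mangled by the shell; the ENCRYPTION_SEED variable and the placeholder seed are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: parse the salt out of the
# cn=crypto search output, check that two instances share it, and show how to
# hand the salt to idsicrt without the shell altering it.

# The IBM ldapsearch client prints attributes as attr=value; keep the salt line.
# Reads the search output on stdin and prints only the salt value. Real use:
#   ldapsearch -D "$ADMIN_DN" -w "$ADMIN_PW" -b "cn=crypto,cn=localhost" \
#       objectclass=* ibm-slapdCryptoSalt | extract_crypto_salt
extract_crypto_salt() {
    sed -n 's/^ibm-slapdCryptoSalt=//p' | head -n 1
}

# Returns 0 when both salt values are identical and non-empty, 1 otherwise.
# Run the search against each instance and compare before idsldif2db/idsbulkload,
# otherwise AES-encrypted entries silently fail to import.
instances_synchronized() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample output of the cn=crypto search; the salt is the example
# value quoted on the page (note the $ and ' characters it contains).
sample_search_output() {
    cat <<'EOF'
cn=crypto,cn=localhost
ibm-slapdCryptoSalt=d?TRm$'ucc5m
EOF
}

# Print the idsicrt invocation for the new instance using only the -e and -g
# options the page documents (instance name, location and port options omitted).
# ENCRYPTION_SEED is an assumed environment variable holding the seed that was
# supplied when the original server was created; the fallback is a placeholder.
# Expanding the salt inside double quotes keeps $ and ' literal.
print_create_command() {
    salt=$(sample_search_output | extract_crypto_salt)
    seed=${ENCRYPTION_SEED:-"<seed-supplied-when-original-server-was-created>"}
    printf 'idsicrt -e "%s" -g "%s"\n' "$seed" "$salt"
}
```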