Thank You All,
Finally managed to get it working.
- The documentation is a bit confusing in terms of how certificates should be generated across DataDSAs (no RouterDSA in this mix).
- The normal recommendation is to generate at one place and copy the certs.
Here's what I did to get it to work with only DataDSAs (no Router DSA). Again, I stayed with the same approach, i.e. enabled SSL on each DataDSA first, then did replication over SSL.
SSL Enablement
A. Server-1, Setup KStore1/DataDSA. [dxnewdsa kstore1 7771 "dc=ca,dc=com"].
B. Enable SSL for KStore1 using dxcertgen command on KStore1.
- dxcertgen -D kstore1 -Z SHA256 -k 2048 certreq
- dxcertgen -D kstore1 -n kstore1.cer certmerge
- dxcertgen -n ca.cer importca
NOTE:
The 1st bullet generates a key and a CSR.
The 2nd bullet imports the signed certificate and the key into a PEM file under the personalities folder.
The 3rd bullet imports the Root CA that signed the CSR (in order to generate the signed certificate) into trusted.pem.
C. Server-2, Setup KStore2/DataDSA. [dxnewdsa kstore2 7771 "dc=ca,dc=com"].
D. Enable SSL for KStore2 using dxcertgen command on KStore2.
- dxcertgen -D kstore2 -Z SHA256 -k 2048 certreq
- dxcertgen -D kstore2 -n kstore2.cer certmerge
- dxcertgen -n ca.cer importca
NOTE:
The 1st bullet generates a key and a CSR.
The 2nd bullet imports the signed certificate and the key into a PEM file under the personalities folder.
The 3rd bullet imports the Root CA that signed the CSR (in order to generate the signed certificate) into trusted.pem.
E. Server-3, Setup KStore3/DataDSA. [dxnewdsa kstore3 7771 "dc=ca,dc=com"].
F. Enable SSL for KStore3 using dxcertgen command on KStore3.
- dxcertgen -D kstore3 -Z SHA256 -k 2048 certreq
- dxcertgen -D kstore3 -n kstore3.cer certmerge
- dxcertgen -n ca.cer importca
NOTE:
The 1st bullet generates a key and a CSR.
The 2nd bullet imports the signed certificate and the key into a PEM file under the personalities folder.
The 3rd bullet imports the Root CA that signed the CSR (in order to generate the signed certificate) into trusted.pem.
G. Modify the knowledge file to allow the changes needed for SSL enablement. All changes to the default knowledge file are shown in italics.
set dsa "kstore1" =
{
prefix = <dc com><dc ca>
dsa-name = <dc com><dc ca><cn "kstore1">
dsa-password = "secret"
address = tcp "host1" port 7771, tcp "host1" port 7443
disp-psap = DISP
snmp-port = 7771
console-port = 7772
auth-levels = anonymous, clear-password, ssl-auth
trust-flags = allow-check-password
link-flags = ssl-encryption, ssl-encryption-remote
};
H. Repeat Step-G for KStore2 and KStore3.
I. To force SSL encryption on anonymous bindings, include the following parameter in the settings configuration file of the DSA (DXHOME\config\settings) under the # security controls section. When this is set to “true”, if a user tries to create an anonymous binding without SSL, the DSA disallows it and returns an "Inappropriate authentication" error.
set force-encrypt-anon = true;
J. To force SSL encryption on authenticated bindings, include the following parameter in the settings configuration file of the DSA (DXHOME\config\settings) under the # security controls section. Note: The ‘set force-encrypt-auth’ setting does not prevent the credentials from being sent unencrypted over the network. However, it refuses any unencrypted binding request.
set force-encrypt-auth = true;
K. Stop and start the services.
Now you can use an LDAP tool, e.g. JXplorer, to connect to each of these servers/instances and test the SSL connection.
Replication
A. Go to KStore1 Server. Add the below flags for replication in the knowledge files of the DataDSA KStore1.
set dsa "kstore1" =
{
prefix = <dc com><dc ca>
dsa-name = <dc com><dc ca><cn "kstore1">
dsa-password = "secret"
address = tcp "host1" port 7771, tcp "host1" port 7443
disp-psap = DISP
snmp-port = 7771
console-port = 7772
auth-levels = anonymous, clear-password, ssl-auth
dsa-flags = multi-write
trust-flags = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations
link-flags = ssl-encryption, ssl-encryption-remote
};
B. Repeat Step-A in the knowledge files by logging into the KStore2 and KStore3 servers.
C. Copy the knowledge files from KStore2 and KStore3 into the knowledge folder on KStore1. Do the same for KStore2 and KStore3, so that all 3 servers/DataDSAs now have local copies of all 3 knowledge files in the knowledge folder on the respective server.
D. Go to the KStore1 server. Create a Group file "repDSAGrp.dxg" in KStore1 under the knowledge folder and source all the knowledge files.
-bash-4.1$ more ../knowledge/repDSAGrp.dxg
source "kstore1.dxc";
source "kstore2.dxc";
source "kstore3.dxc";
E. Copy the Group file into the knowledge folder on KStore2 and KStore3.
F. Go to the KStore1 server. Modify the initialization file kstore1.dxi under DX_HOME/config/servers to include the Group file. Note: I had to disable the knowledge file, otherwise an error about not being unique is thrown.
# knowledge
clear dsas;
#source "../knowledge/kstore1.dxc";
source "../knowledge/repDSAGrp.dxg";
G. Go to KStore2 and KStore3. Repeat Step-F.
H. Stop and start all DataDSAs.
Now you can use an LDAP tool, e.g. JXplorer, to connect to each of these servers/instances over an SSL connection. Connect to KStore1 and create a test object, e.g. create a user and submit. Now log in with JXplorer to KStore2 and KStore3 over SSL; you should see the object replicated.
Error Logging
If there are any errors, they will be logged in the WARNING log file under DXHOME/logs.
The name of the log file is <DSANAME>_warn_<timestamp>.log, e.g. kstore_warn_20141103.log.
I hope I have recorded all the steps that I performed to get this working.
Regards
Hubert
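As an added example (not part of Hubert's post and not CA Directory tooling), the script below audits a DSA knowledge file and the settings file for the flags the post adds: `ssl-auth` in `auth-levels`, `ssl-encryption`/`ssl-encryption-remote` in `link-flags`, the `multi-write` and trust flags used for replication, and `force-encrypt-anon`/`force-encrypt-auth` in settings. The "before" knowledge file and both settings fragments are constructed samples; the "after" file is the one from the Replication section. The parser only covers the `set dsa "name" = { key = value ... };` layout shown in the post.

```python
"""Audit CA Directory knowledge (.dxc) and settings files for the SSL and
replication flags described in the post above.

Example code added to this thread; it is not CA Directory tooling. The
parser covers the `set dsa "name" = { key = value ... };` syntax shown in
the post, and the sample files below are constructed for illustration.
"""
import re

# One `set dsa "<name>" = { ... };` block per DSA.
DSA_BLOCK = re.compile(r'set\s+dsa\s+"([^"]+)"\s*=\s*\{(.*?)\};', re.S)
# `set <key> = <value>;` lines as used in DXHOME/config/settings.
SETTING = re.compile(r'^\s*set\s+([\w-]+)\s*=\s*([^;]+);', re.M)
# Keys whose values are comma-separated flag lists.
LIST_KEYS = {"auth-levels", "trust-flags", "link-flags", "dsa-flags"}

# Constructed sample: a knowledge file before the SSL/replication changes
# (assumed to match the default layout the post says it modified).
KSTORE1_DEFAULT = '''
set dsa "kstore1" =
{
    prefix       = <dc com><dc ca>
    dsa-name     = <dc com><dc ca><cn "kstore1">
    dsa-password = "secret"
    address      = tcp "host1" port 7771
    disp-psap    = DISP
    snmp-port    = 7771
    console-port = 7772
    auth-levels  = anonymous, clear-password
    trust-flags  = allow-check-password
};
'''

# The hardened file from the post's Replication section, Step A.
KSTORE1_SSL = '''
set dsa "kstore1" =
{
    prefix       = <dc com><dc ca>
    dsa-name     = <dc com><dc ca><cn "kstore1">
    dsa-password = "secret"
    address      = tcp "host1" port 7771, tcp "host1" port 7443
    disp-psap    = DISP
    snmp-port    = 7771
    console-port = 7772
    auth-levels  = anonymous, clear-password, ssl-auth
    dsa-flags    = multi-write
    trust-flags  = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations
    link-flags   = ssl-encryption, ssl-encryption-remote
};
'''

# Constructed samples for the "# security controls" part of the settings file.
SETTINGS_WEAK = "# security controls\nset force-encrypt-anon = false;\n"
SETTINGS_HARDENED = ("# security controls\n"
                     "set force-encrypt-anon = true;\n"
                     "set force-encrypt-auth = true;\n")


def parse_knowledge(text):
    """Return {dsa_name: {key: value}}; list-valued keys become sets."""
    dsas = {}
    for name, body in DSA_BLOCK.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key in LIST_KEYS:
                entry[key] = {v.strip() for v in value.split(",") if v.strip()}
            else:
                entry[key] = value
        dsas[name] = entry
    return dsas


def parse_settings(text):
    """Return {setting_name: value} from `set name = value;` lines."""
    return {key: value.strip().lower() for key, value in SETTING.findall(text)}


def audit(knowledge_text, settings_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, cfg in parse_knowledge(knowledge_text).items():
        # SSL enablement (Step G of the post).
        if "ssl-auth" not in cfg.get("auth-levels", set()):
            findings.append(f"{name}: auth-levels lacks ssl-auth")
        for flag in ("ssl-encryption", "ssl-encryption-remote"):
            if flag not in cfg.get("link-flags", set()):
                findings.append(f"{name}: link-flags lacks {flag}")
        # Replication (Step A of the Replication section).
        if "multi-write" not in cfg.get("dsa-flags", set()):
            findings.append(f"{name}: dsa-flags lacks multi-write")
        for flag in ("trust-conveyed-originator", "trust-dsa-triggered-operations"):
            if flag not in cfg.get("trust-flags", set()):
                findings.append(f"{name}: trust-flags lacks {flag}")
    # Settings file (Steps I and J of the post).
    settings = parse_settings(settings_text)
    for key in ("force-encrypt-anon", "force-encrypt-auth"):
        if settings.get(key) != "true":
            findings.append(f"settings: {key} is not set to true")
    return findings


if __name__ == "__main__":
    print("before:", audit(KSTORE1_DEFAULT, SETTINGS_WEAK))
    print("after: ", audit(KSTORE1_SSL, SETTINGS_HARDENED))
```

Run it against each server's copy of the .dxc files after Step C of the Replication section; since every DataDSA ends up with all three knowledge files, the same audit applied on each host also catches a copy that was taken before the SSL flags were added.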