Creating replication credentials


Use this information to create replication credentials. Expand the Replication management category in the navigation area of the Web administration tool and click Manage credentials.

  1. Select the location that you want to use to store the credentials from the list of subtrees. The Web administration tool allows you to define credentials in these locations:

    • cn=replication,cn=localhost, which keeps the credentials only on the current server.

      In most replication cases, locating credentials in cn=replication,cn=localhost is preferred because it provides greater security than credentials stored in the replicated subtree: the bind DN and password stay on the supplier and are never copied to the consumers. However, there are certain situations in which credentials located in cn=replication,cn=localhost are not available.

      If you are trying to add a replica under one server, for example serverA, while the Web administration tool is connected to a different server, serverB, the Select credentials field does not display the option cn=replication,cn=localhost. This is because you cannot read or update any information under cn=localhost of serverA while you are connected to serverB.

      The cn=replication,cn=localhost option is only available when the server under which you are trying to add a replica is the same server that the Web administration tool is connected to.

    • Within the replicated subtree, in which case the credentials are replicated with the rest of the subtree. Credentials placed in the replicated subtree are created beneath the ibm-replicagroup=default entry for that subtree. Because the entry is replicated, every consumer of the subtree receives a copy of the credentials, including a simple-bind password.

      If no subtrees are displayed, go to Creating a master server (replicated subtree) for instructions about creating the subtree that you want to replicate.

  2. Click Add.

  3. Enter the name for the credentials you are creating, for example, mycreds. The cn= prefix is prefilled in the field for you.

  4. Select the type of authentication method you want to use and click Next.

    • If you selected simple bind authentication:

      1. Enter the DN that the server uses to bind to the replica, for example, cn=any.

      2. Enter the password the server uses when it binds to the replica, for example, secret.

      3. Enter the password again to confirm that there are no typographical errors.

      4. If you want, enter a brief description of the credentials.

      5. Click Finish.

      Record the credential's bind DN and password for future reference. You will need this bind DN and password when you create the replication agreement and when you configure the replica to accept binds from this supplier.

    • If you selected Kerberos authentication:

      1. Enter your Kerberos bind DN.

      2. Enter the keytab file name.

      3. If you want, enter a brief description of the credentials. No other information is necessary. See Enabling Kerberos authentication on the Directory Server for additional information.

      4. Click Finish.

      The Add Kerberos Credentials panel takes an optional bind DN of the form ibm-kn=user@realm and an optional keytab file name (referred to as a key file). If a bind DN is specified, the server uses that principal name to authenticate to the consumer server; otherwise the server's own Kerberos service name (ldap/host-name@realm) is used. If a keytab file is specified, the server uses it to obtain the credentials for that principal; if no keytab file is specified, the server uses the keytab file named in its Kerberos configuration. If there is more than one supplier, specify a principal name and keytab file that all of the suppliers can use.

      On the server where you created the credentials:

      1. Expand Directory management and click Manage entries.

      2. Select the subtree where you stored the credentials, for example cn=localhost, and click Expand.

      3. Select cn=replication and click Expand.

      4. Select the Kerberos credentials entry (object class ibm-replicationCredentialsKerberos) and click Edit attributes.

      5. Click the Other attributes tab.

      6. Enter the replicaBindDN, for example, ibm-kn=myprincipal@SOME.REALM.

      7. Enter the replicaCredentials. This is the name of the keytab file that holds the key for myprincipal.

        This principal and its key should be the same as the ones you use to run kinit from the command line.

      On the replica:

      1. Click Manage replication properties in the navigation area.

      2. Select a supplier from the Supplier information drop-down menu or enter the name of the replicated subtree for which you want to configure supplier credentials.

      3. Click Edit.

      4. Enter the replication bindDN. In this example, ibm-kn=myprincipal@SOME.REALM.

      5. Enter and confirm the Replication bind password. This is the KDC password used for myprincipal.

    • If you selected SSL with certificate authentication and you are using the server's own certificate, you do not need to provide any additional information. If you choose to use a certificate other than the server's:

      1. Enter the key file name.

      2. Enter the key file password.

      3. Reenter the key file password to confirm it.

      4. Enter the key label.

      5. If you want, enter a brief description.

      6. Click Finish.

      See Enabling SSL and Transport Layer Security on the Directory Server for additional information.

  5. On the server where you created the credentials, set the Allow server security information to be retained (QRETSVRSEC) system value to 1 (retain data). The replication credentials are stored in a validation list; with QRETSVRSEC set to 1 the server can retrieve them from the validation list when it connects to the replica. If the value is 0, the password is not retained and the supplier cannot authenticate to the replica.
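The following is an added example, not part of this documentation or of the Directory Server product. It builds the LDIF for the credentials entry that the steps above create through the Web administration tool, for both storage locations and for the simple-bind and Kerberos methods, and checks the values a replica must be given under Manage replication properties against that entry. The Kerberos object class and the replicaBindDN and replicaCredentials attributes are the ones named on this page; the simple-bind object class ibm-replicationCredentialsSimple is taken from the Directory Server schema rather than from this page, and the server names, subtree, principal and file paths are assumptions made up for the example. The SSL certificate method is not covered.

```python
# Added example (not IBM's code): LDIF for replication-credentials entries.
# Assumed names: serverA, serverB, o=sample, myprincipal@SOME.REALM, keytab path.
import re

LOCALHOST_CONTAINER = "cn=replication,cn=localhost"   # kept on the supplier only
REPLICA_GROUP = "ibm-replicagroup=default"            # container inside the replicated subtree
KERBEROS_BIND_DN = re.compile(r"^ibm-kn=[^@\s]+@[^@\s]+$")


def localhost_available(connected_server, target_server):
    """cn=localhost credentials can only be managed on the server the tool is
    connected to; the tool cannot read or update cn=localhost of another server."""
    return connected_server == target_server


def credentials_dn(name, location, subtree=None, connected_server=None, target_server=None):
    """DN of the entry cn=<name> for the chosen storage location."""
    if location == "localhost":
        if not localhost_available(connected_server, target_server):
            raise ValueError(
                f"cannot manage {LOCALHOST_CONTAINER} of {target_server} while "
                f"connected to {connected_server}; connect to {target_server} "
                "or store the credentials in the replicated subtree")
        return f"cn={name},{LOCALHOST_CONTAINER}"
    if location == "subtree":
        if not subtree:
            raise ValueError("location 'subtree' requires the replicated subtree DN")
        return f"cn={name},{REPLICA_GROUP},{subtree}"
    raise ValueError(f"unknown location {location!r}")


def credentials_replicated(location):
    """True when the entry (password or keytab reference) is copied to every consumer."""
    return location == "subtree"


def _ldif(dn, name, objectclass, attrs):
    lines = [f"dn: {dn}", f"objectclass: {objectclass}", f"cn: {name}"]
    lines += [f"{attr}: {value}" for attr, value in attrs if value]
    return "\n".join(lines) + "\n"


def simple_credentials_ldif(name, location, bind_dn, password, description=None, **where):
    """Simple bind: the supplier binds to the consumer as bind_dn with password.
    ibm-replicationCredentialsSimple is the schema object class (assumed here)."""
    if not bind_dn or not password:
        raise ValueError("simple bind needs both a bind DN and a password")
    dn = credentials_dn(name, location, **where)
    return _ldif(dn, name, "ibm-replicationCredentialsSimple",
                 [("replicaBindDN", bind_dn), ("replicaCredentials", password),
                  ("description", description)])


def kerberos_credentials_ldif(name, location, principal=None, keytab=None,
                              description=None, **where):
    """Kerberos: principal (ibm-kn=user@realm) and keytab are both optional; when
    omitted the server uses ldap/host-name@realm and its configured keytab."""
    if principal is not None and not KERBEROS_BIND_DN.match(principal):
        raise ValueError(f"Kerberos bind DN must look like ibm-kn=user@realm: {principal!r}")
    dn = credentials_dn(name, location, **where)
    return _ldif(dn, name, "ibm-replicationCredentialsKerberos",
                 [("replicaBindDN", principal), ("replicaCredentials", keytab),
                  ("description", description)])


def parse_ldif(text):
    """Minimal single-entry LDIF parser: {attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry


def consumer_bind_matches(credentials_ldif, consumer_bind_dn, consumer_password=None):
    """Check what the replica was given (Manage replication properties) against the
    supplier's entry: the bind DN must match and, for simple bind, so must the password.
    A mismatch here is the usual cause of a supplier that cannot bind to its replica."""
    entry = parse_ldif(credentials_ldif)
    expected_dn = entry.get("replicaBindDN", [None])[0]
    if expected_dn is None or expected_dn.lower() != consumer_bind_dn.lower():
        return False
    if entry["objectclass"][0] == "ibm-replicationCredentialsSimple":
        return consumer_password == entry["replicaCredentials"][0]
    return True   # Kerberos: the replica holds the KDC password, not the keytab


if __name__ == "__main__":
    ldif = simple_credentials_ldif("mycreds", "localhost", "cn=any", "secret",
                                   connected_server="serverA", target_server="serverA")
    print(ldif)
    print("replicated to consumers:", credentials_replicated("localhost"))
    print("replica config matches:", consumer_bind_matches(ldif, "cn=any", "secret"))
```

Load the printed LDIF with ldapadd against the supplier, then enter the same bind DN and password on the replica; consumer_bind_matches reproduces that comparison so a typo in either place shows up before the agreement is created.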
