12.2 Encrypted Replication

In NetIQ eDirectory 8.8 and later, you can encrypt data that is transmitted between eDirectory 8.8 servers. This offers a high level of security during replication as the data does not flow in clear text.

Figure 12-3 Encrypted Replication

In the above illustration, “finance” and “library” are the partitions in the tree. “finance” might contain sensitive data that requires encryption while replicating. You can enable the partition “finance” for encrypted replication. Partitions like “library” that might not contain sensitive data need not be enabled for encrypted replication.

IMPORTANT:When you enable encrypted replication for a partition, the replication process might slow down. You can enable or disable encrypted replication using iManager.

This section provides the following information:

12.2.1 Need for Encrypted Replication

Prior to eDirectory 8.8, data was transmitted through the wire during replication in clear text. There was a need to protect confidential data over the wire by encrypting it, especially if the replicas were separated geographically and connected through the Internet.

This feature can be used in the following scenarios:

  • If the directory servers are spread across geographical locations through WAN and the Internet and there is a need to encrypt sensitive data on wire.

  • If you want only some partitions of your tree to be protected, you can selectively indicate the partitions holding the sensitive data to be encrypted for replication.

  • If you require encrypted replication between specific replicas of a partition that contain sensitive data.

  • If you feel the network in your setup is hostile, you might want to protect sensitive data during replication.

12.2.2 Enabling Encrypted Replication

To enable encrypted replication, you need to configure a partition for encrypted replication. Configuration settings are stored in the partition Root object.

You can choose to enable encrypted replication at a partition level or replica level.

The configurations at the partition level are overridden by the configurations at the replica level. This means, if encrypted replication is

  • Enabled at partition level and disabled for specific replicas, then the replication between the specific replicas happens in clear text.

  • Disabled at partition level and enabled for specific replicas, then the replication between the specific replicas happens in encrypted form.

Table 12-1 Overriding Encrypted Replication Configuration at the Partition Level

Partition Level

Replica Level

Replication

Enabled

Disabled

Unencrypted

Disabled

Enabled

Encrypted

This section contains the following procedures:

Enabling Encrypted Replication at the Partition Level

When you enable encrypted replication at a partition level, replication between all the replicas hosting the partition is encrypted. For example, consider partition P1 has replicas R1, R2, R3, and R4. You can encrypt the replication between all the replicas, and all replications, inbound or outbound, are encrypted for these replicas.

To enable a partition for encrypted replication, all the servers hosting the partition must be eDirectory 8.8 or later servers. Other partitions in the tree that are not enabled for encrypted replication can have pre-eDirectory 8.8 servers.

Figure 12-4 Encrypted Replication at Partition Level

The configurations for encrypted replication at the partition level are overridden if you have encrypted replication configurations at replica level. Refer to Table 12-1.

Backward compatibility depends on whether the encrypted replication is enabled or disabled at the partition level. Refer to Section 12.2.3, Adding a New Replica to a Replica Ring for more information.

You can enable encrypted replication at the partition level using iManager or LDAP, as explained in the following sections:

Enabling Encrypted Replication at the Partition Level using iManager
  1. Click the Roles and Tasks button Roles and Tasks Button.

  2. Click eDirectory Encryption > Encrypted Replication.

  3. Enter or browse to the partition for which you want to enable encrypted replication.

  4. Click Next.

  5. In the Encrypted Replication Wizard, select Encrypt all Replica synchronizations.

    Help is available throughout the Wizard.

    NOTE:To disable encrypted replication at the partition level, unselect Encrypt all Replica synchronizations.

  6. Click Finish.

In the Encrypted Replication Wizard, when you enable encrypted replication for the whole partition, you can disable encrypted replication for specific replicas. The replicas that you disable for encrypted replication will not receive or send data in encrypted form. You can also disable encryption for the entire partition by deselecting Encrypt all Replica synchronizations.

Enabling Encrypted Replication at the Partition Level Using LDAP

IMPORTANT:We strongly recommend you to use iManager for enabling encrypted replication.

To encrypt replication, you need to use the attribute dsEncryptedReplicationConfig. The syntax is:

enable/disable flag#destination replica number#source replica number

Replace with either of these flags:

  • 0: Encrypted replication is disabled

  • 1: Encrypted replication is enabled

Source replica number and destination replica number represents source and destination replica numbers of a partition. These numbers can be specified in any order because if the replication from A to B is encrypted, then replication from B to A is also encrypted.

NOTE:If the source and destination replica number at the partition level is 0 and if the flag is set to 1, all the replicas are considered to be enabled for encrypted replication.

To enable encrypted replication at the partition level, the value of the dsEncryptedReplicationConfig attribute should be set to 1#0#0.

Following is a sample LDIF file for enabling encrypted replication at the partition level:

dn: o=ou
changetype:modify
replace: dsEncryptedReplicationConfig
dsEncryptedReplicationConfig:1#0#0

These configurations at the partition level are overridden by the configurations at the replica level. Refer to Enabling Encrypted Replication at the Replica Level using LDAP for more information.

Enabling Encrypted Replication at the Replica Level

When you enable encrypted replication at the replica level, replication between specific replicas is encrypted. Both outbound and inbound replication between the replicas are encrypted.

For example, consider partition P1 has replicas R1, R2, R3, and R4. You can encrypt the replication between replicas R1 and R2 or between R2 and R4.

To enable encrypted replication between replicas of a partition, you need to define an encryption link between the replicas. Refer to Enabling Encrypted Replication at the Replica Level Using iManager for more information.

If you have enabled encrypted replication for one replica, it means that:

  • the inbound synchronization from a server to this replica

  • outbound synchronization from this replica to any other server is encrypted.

The replicas you have enabled for encrypted replication must be on eDirectory 8.8 servers. The remaining replicas in the replica ring, that are not enabled for encrypted replication, can be on servers with earlier versions of eDirectory.

If you have enabled only specific replicas for encrypted replication, you can add an eDirectory 8.8 server or a pre-eDirectory 8.8 server to the replica ring.

To disable encrypted replication at the replica level, you need to disable Encrypt Link for specific replicas using Encrypted Replication Configuration Wizard in iManager.

You can enable encrypted replication at the replica level using either iManager or LDAP as described in the following sections:

Enabling Encrypted Replication at the Replica Level Using iManager

You can enable encrypted replication at replica level through iManager by creating encryption links. Encryption links connect the replicas between which you want the replication to be encrypted. You create encryption links while configuring a replica for encrypted replication by selecting a source replica and one or more destination replicas.

For example, consider partition P1 having replicas R1, R2, R3, and R4. To encrypt replication between replicas R1 and R2, you need to create an encryption link by identifying one of them as the source and the other as the destination replica.

After creating encryption links, you can choose to encrypt these links for specific replicas by selecting or deselecting Encrypt Link in the Encrypted Replication Configuration Wizard in iManager. Refer to Enabling Encrypted Replication at the Replica Level Using iManager for more information.

To enable encrypted replication at the replica level:

  1. Click the Roles and Tasks button Roles and Tasks Button.

  2. Click eDirectory Encryption > Encrypted Replication.

  3. Enter or browse to the partition for which you want to enable encrypted replication.

  4. Click Next.

  5. In the Encrypted Replication Wizard, in the Encrypted synchronizations table, click New to define an encryption link.

    1. In the Select Source Replica field, specify or browse to the replica you want to use as the source.

    2. In the Destination Replicas field, specify or browse to one or more replicas you want to use as the destination for replication.

    3. Select Encrypt Link.

    4. Click OK.

  6. Click Finish.

Enabling Encrypted Replication at the Replica Level using LDAP

IMPORTANT:We strongly recommend you to use iManager for enabling encrypted replication.

To encrypt replication, you need to use the attribute dsEncryptedReplicationConfig. The syntax is:

enable/disable flag#destination replica number#source replica number

For more information on the syntax, refer to Enabling Encrypted Replication at the Partition Level Using LDAP.

When you specify the replicaNumber of the replicas in the above syntax, you enable the encrypted replication between those replicas. consider the following example syntaxes:

  • 1#0#1: Encrypted replication is enabled from and to replica number 1; to and from, every other replica in the partition.

  • 0#3#1: Encrypted replication is disabled between replica numbers 3 and 1.

  • 0#1#1: Encrypted replication is disabled for replica number 1.

The following is a sample LDIF file that disables encrypted replication between replica numbers 1 and 3:

dn: o=ou
changetype: modify
replace: dsEncryptedReplicationConfig
dsEncryptedReplicationConfig: 0#3#1

Partition Operations

When you split a partition, the encrypted replication configuration in the parent partition is inherited by the child partition. When you merge a partition, the encrypted replication configuration of the parent partition is retained in the resultant partition.

12.2.3 Adding a New Replica to a Replica Ring

Adding new replica to a replica ring is affected by whether encrypted replication is enabled or disabled for the partition at the partition and replica level.

For more information on adding a replica to a replica ring, refer to Section 6.5, Administering Replicas.

At each of the above levels, you have different scenarios depending on which version of eDirectory server you are trying to add to the replica ring, as explained in the following sections:

Enabling Encrypted Replication at the Partition Level

The scenarios vary depending on the version of eDirectory server you are trying to add. This section contains the following information:

Adding Pre-eDirectory 8.8 Servers to the Replica Ring

The following illustration gives you the possible scenarios when you add a pre-eDirectory 8.8 server to the replica ring:

NOTE:ER in the graphic below indicates encrypted replication.

Figure 12-5 Possible Scenarios for Pre-eDirectory 8.8 Server

Scenario A: Adding a Pre-eDirectory 8.8 server to an eDirectory 8.8 Replica Ring with Encrypted Replication Enabled

When you try to add a pre-eDirectory 8.8 server to an eDirectory 8.8 replica ring for which you have enabled the encrypted replication, you get the ERR_INCOMPATIBLE_DS error. You will be able to add the server to the replica ring, but you cannot have a replica of the partition on the server.

Figure 12-6 Adding Pre-eDirectory 8.8 Server to eDirectory 8.8 Replica Ring with Encrypted Replication Enabled.

Scenario B: Adding a Pre-eDirectory 8.8 Server to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled

You can add a pre-eDirectory 8.8 server to an eDirectory 8.8 replica ring with encrypted replication disabled.

Figure 12-7 Adding Pre-eDirectory 8.8 Server to Replica Ring with Encrypted Replication Disabled

Scenario C: Adding a Pre-eDirectory 8.8 Server to a Mixed Replica Ring with Encrypted Replication Disabled

You can add a pre-eDirectory 8.8 server to a replica ring having a mixed version of eDirectory with encrypted replication disabled. Refer to Figure 43 above.

Adding eDirectory 8.8 Servers to the Replica Ring

The following illustration gives you the possible scenarios when you add eDirectory 8.8 server to the replica ring:

Figure 12-8 Possible Scenarios for eDirectory 8.8 Server

Scenario A: Adding eDirectory 8.8 Servers to an eDirectory 8.8 Replica Ring with Encrypted Replication Enabled

In this case, the encrypted replication would already be enabled on the added eDirectory 8.8 server.

Figure 12-9 Adding eDirectory 8.8 Server to eDirectory Replica Ring with Encrypted Replication Enabled

Scenario B: Adding eDirectory 8.8 Servers to an eDirectory 8.8 Replica Ring with Encrypted Replication Disabled

In this case, encrypted replication will be disabled on the added eDirectory 8.8 server.

Figure 12-10 Adding eDirectory 8.8 Server to Replica Rings where Encrypted Replication is Disabled.

Scenario C: Adding eDirectory 8.8 Servers to a Mixed Replica Ring where Master Replica Is an eDirectory 8.8 Server and Encrypted Replication Is Disabled

In this case, you do not need to enable encrypted replication on the eDirectory 8.8 server you are trying to add. Refer to Figure 12-10.

Scenario D: Adding eDirectory 8.8 Servers to a Mixed Replica Ring where Master Replica is a Pre-eDirectory 8.8 Server and Encrypted Replication is Disabled

In this case, you do not need to enable encrypted replication on the eDirectory 8.8 server you are trying to add.

Figure 12-11 Adding eDirectory 8.8 server to a Replica Ring where Master Replica is a Pre-eDirectory 8.8 Server

Enabling Encrypted Replication at the Replica Level

If encrypted replication is enabled between a source replica and specific destination replicas, you can add an eDirectory 8.8 server or a pre-eDirectory 8.8 server to the replica ring.

The scenarios vary if encrypted replication is enabled between a source replica and all the other replicas in the replica ring. This is similar to adding replicas to a replica ring with encrypted replication enabled or disabled at the partition level. Refer to Enabling Encrypted Replication at the Partition Level for more information.

Enabling Encrypted Replication for the Server You Add

If the server you are trying to add is on Linux, you can use the ndsconfig -E option to enable encrypted replication on the server. Refer to the ndsconfig man pages for more information.

If the server you are trying to add is on Windows, you can enable the Enable Encrypted Replication option in the installation wizard.

If the server you are trying to add is on platforms other than Linux, you can enable encrypted replication through iManager or LDAP. Refer to Section 12.2.2, Enabling Encrypted Replication for more information.

12.2.4 Synchronization and Encrypted Replication

If one replica is enabled for encrypted replication and the configuration changes are not synchronized with the other servers, replication happens in the encrypted form between the replicas. The replicas that are not synced with the configuration changes for encrypted replication continue to sync in clear text.

Even if the encrypted replication configuration has not been synchronized across the replicas, the replication between them will happen in the encrypted form.

12.2.5 Viewing the Encrypted Replication Status

You can view the encrypted replication status through iMonitor as follows:

  1. In iMonitor, click Agent Synchronization in the Assistant frame.

  2. Click Replica Synchronization for the partition you want to view.

    The replica status information is displayed. The Encryption Status field displays whether the link from the replica to which you are currently connected is encrypted or not.

    Basically, there are three scenarios in encryption replication (ER):

    • ER enabled at partition level: The replica to which you are connected to shows Encryption State is enabled.

      To find out which replica you are connected to, in the replica frame, the one that is not hyper linked is the one you are connected to. If you browse to the other replicas it shows that the Encryption State is also marked Enabled.

    • ER enabled at replica level: You have enabled ER for all replicas from one particular replica (that is, One to All.) In this case, when you are connected to that replica, its Encryption State is marked Enabled.

    • ER enabled/disabled for a combination of replicas: ER enabled/disabled for one combination of replicas - You have enabled ER for the whole partition but not for a selected set of servers or vice versa.

      For example, you have enabled ER for partition A that has three replicas 1, 2, and 3 and disabled ER for 1 <--> 3. In this case, if you are connected to replica 1, the Encryption State is displayed as:

      Server 1 Enabled

      Server 2

      Server 3 Disabled

      This means that Server 1 is enabled for encrypted replication to all the servers in the replica ring but 1<-->3 is disabled by the administrator.