I.15 Troubleshooting Data Encryption

In NetIQ eDirectory 9.0, you can encrypt specific sensitive data both while it is stored on disk and while it is accessed by a client. This chapter describes the errors you might encounter while using the encrypted attributes and encrypted replication features in eDirectory 9.0.

For information on other error messages in eDirectory, refer to the NetIQ Error Codes Web site.

-6090 0xFFFFE836 ERR_ER_DISABLED

The eDirectory replica synchronization process tried to start encrypted replication with the target server, but the target eDirectory server has the encrypted replica synchronization process disabled.

Possible Cause

Encrypted replication is disabled on the target eDirectory server.

Action

Enable encrypted replication on the target eDirectory server.

-6089 0xFFFFE837 ERR_REQUIRE_SECURE_ACCESS

An application (client access) tried to access an encrypted attribute over a clear text channel.

Source

eDirectory or NDS.

Possible Cause

The encrypted attributes are configured to be accessed only over a secure channel. The application is trying to access the encrypted attributes over a clear text channel.

Action

The application should access the encrypted attributes through a secure channel, such as an LDAP secure channel or an HTTP secure channel.

Possible Cause

If you get this error during replication, one or more servers in the replica ring have some attributes marked for encryption and configured to be accessed only over a secure channel.

Action

Change the configuration of the encrypted attribute policy, so that the encrypted attributes can be accessed over insecure channels. For more information, see Section 11.0, Encrypting Data in eDirectory.

Possible Cause

If you get this error when encrypted replication is configured at the partition level or between the replicas of the partition, then the replica ring has pre-eDirectory 8.8.x servers in it.

Action

Upgrade all the servers in the replica ring to a version compatible with eDirectory 8.8.x.

-666 0xFFFFFD66 ERR_INCOMPATIBLE_DS_VERSION


Possible Cause

If encrypted replication is enabled at a partition level and if you are trying to add a replica of this partition to an eDirectory server, then the eDirectory version on this server is incompatible with the version on the source server.

Action

Upgrade the server to a compatible version of eDirectory.

Possible Cause

If the parent partition has pre-eDirectory 8.8.x servers (a mixed-version ring) and the child partition has encrypted replication (ER) enabled, the merge and/or join partition operations are disallowed and the ERR_INCOMPATIBLE_DS_VERSION error is returned.

The reason is that the child partition contains sensitive data with ER enabled at the partition level, while the parent partition contains pre-eDirectory 8.8.x servers. Because ER is only possible between eDirectory 8.8.x servers, merging would expose the sensitive data when it is replicated to the pre-eDirectory 8.8.x servers.

Action

  1. Upgrade the server to a compatible version of eDirectory.

    OR

  2. Disable ER at the parent or child partition.

    NOTE: On disabling ER, replication will happen in clear text form.

Problem With Duplicate Encryption Algorithms

If you add an attribute for encryption using LDIF, do not associate duplicate algorithms with one attribute.

For example, marking title as an encrypted attribute with both the AES and DES encryption algorithms makes it unclear which algorithm is ultimately used. Each time limber is run, the title attribute appears to toggle between AES and DES, which looks like a configuration change.

To prevent such scenarios, we recommend that you avoid assigning duplicate algorithms to the same attribute.

This does not happen if you mark an attribute for encryption using iManager.
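The following Python script is an added example (not NetIQ code) of a pre-flight check you can run on an encrypted attribute policy LDIF before applying it, to catch the duplicate-algorithm situation described above. It assumes attrEncryptionDefinition values take the form "<algorithm>$<attributeName>" (for example aes$title); that format, the server DN and the sample LDIF are constructed for the example. It also reports encrypted attributes that are missing from attrEncryptionRequiresSecure, since those remain readable over a clear text channel.

```python
"""Lint an eDirectory encrypted-attribute policy LDIF for duplicate algorithms.

Added example, not NetIQ code. Assumes attrEncryptionDefinition values have
the form "<algorithm>$<attributeName>" (e.g. "aes$title"); that format is an
assumption, so adjust split_definition() if your policy uses another one.
"""
from collections import defaultdict

# Constructed sample LDIF: 'title' is (wrongly) given both AES and DES,
# and 'homePhone' is encrypted but not listed as requiring a secure channel.
SAMPLE_LDIF = """\
dn: cn=myserver,o=novell
changetype: modify
add: attrEncryptionDefinition
attrEncryptionDefinition: aes$title
attrEncryptionDefinition: des$title
attrEncryptionDefinition: aes$homePhone
-
add: attrEncryptionRequiresSecure
attrEncryptionRequiresSecure: title
-
"""


def parse_ldif_values(text, attr):
    """Return all values of `attr` in an LDIF record (name compared case-insensitively).

    Handles LDIF line folding (a continuation line starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue                      # comment, "-" separator, or blank
        name, _, value = line.partition(":")
        if name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def split_definition(value):
    """Split 'algorithm$attribute' into (algorithm, attribute), both lowercased."""
    algorithm, sep, attribute = value.partition("$")
    if not sep or not algorithm or not attribute:
        raise ValueError(f"unexpected definition format: {value!r}")
    return algorithm.strip().lower(), attribute.strip().lower()


def find_duplicate_algorithms(text):
    """Attributes assigned more than one algorithm -> sorted algorithm list."""
    by_attr = defaultdict(set)
    for value in parse_ldif_values(text, "attrEncryptionDefinition"):
        algorithm, attribute = split_definition(value)
        by_attr[attribute].add(algorithm)
    return {a: sorted(algs) for a, algs in by_attr.items() if len(algs) > 1}


def unsecured_encrypted_attributes(text):
    """Encrypted attributes not in attrEncryptionRequiresSecure (readable in clear text)."""
    encrypted = {split_definition(v)[1]
                 for v in parse_ldif_values(text, "attrEncryptionDefinition")}
    secure = {v.lower() for v in parse_ldif_values(text, "attrEncryptionRequiresSecure")}
    return sorted(encrypted - secure)


if __name__ == "__main__":
    for attribute, algorithms in find_duplicate_algorithms(SAMPLE_LDIF).items():
        print(f"{attribute}: assigned {algorithms}; keep exactly one algorithm")
    print("encrypted but not requireSecure:", unsecured_encrypted_attributes(SAMPLE_LDIF))
```

Run the script against your own LDIF instead of SAMPLE_LDIF; an empty result from find_duplicate_algorithms() means no attribute would toggle between algorithms when limber runs.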

Encryption of Stream Attributes

Stream attributes might be present as clear text data. This is because eDirectory 9.0 does not encrypt stream attributes.

Configuring Encrypted Replication through iManager

You cannot configure encrypted replication through iManager if any server in the replica ring is down.

Viewing or Modifying Encrypted Attributes through iManager

If an attribute of an object is encrypted, you cannot view or modify the object by using iManager.

To work around this issue, you can view or modify the encrypted attribute over a secure channel, using any of the following methods:

  • LDAP: The LDAP request must be sent over a secure channel, which means that the trusted root certificate of the server must be used.

  • ICE: LDIF scripts can be used to modify the object. If you do this, ICE must use a secure channel.

  • Use iManager 2.5 FP2, iManager 2.6, or later.

NOTE: We recommend using iManager 2.6 or later for viewing or modifying encrypted attributes.

Alternatively, you can turn off the secure channel requirement for viewing or modifying the encrypted attributes by disabling the requireSecure attribute in the EA policy. This makes the object and its encrypted attributes accessible to any client over a clear text channel. After this, iManager will be able to access the object.

Merging Trees With Encrypted Replication Enabled Fails

When encrypted replication is enabled, merging trees fails. Disable secure replication on each tree before doing a merge.

Limber Displays -603 Error

Limber displays the -603 error if the server holds only a subordinate reference (sub-ref) replica of the encrypted attribute policy partition.

To work around this issue, do any one of the following:

  • Give read access to the NCP server object. You can do this through iManager by adding a trustee at the tree root and giving read access to NCP server object. In the attributes, specify attrEncryptionDefinition and attrEncryptionRequiresSecure.

  • Give Public Read access to the following attributes through LDAP or ndssch:

    • attrEncryptionDefinition

    • attrEncryptionRequiresSecure