OpenText eDirectory lets you encrypt data that is transmitted between OpenText eDirectory servers. This offers a high level of security during replication as the data does not flow in clear text.
NOTE: Support for Encrypted Replication is deprecated as of the OpenText eDirectory 9.2.7 release.
Figure 11-3 Encrypted Replication
In Figure 11-3, “finance” and “library” are the partitions in the tree. “finance” might contain sensitive data that requires encryption while replicating. You can enable the partition “finance” for encrypted replication. Partitions like “library” that might not contain sensitive data need not be enabled for encrypted replication.
IMPORTANT: When you enable encrypted replication for a partition, the replication process might slow down. You can enable or disable encrypted replication using OpenText Identity Console.
Prior to OpenText eDirectory 8.8, data was transmitted through the wire during replication in clear text. There was a need to protect confidential data over the wire by encrypting it, especially if the replicas were separated geographically and connected through the Internet.
This feature can be used in the following scenarios:
If the directory servers are spread across geographical locations through WAN and the Internet and there is a need to encrypt sensitive data on wire.
If you want only some partitions of your tree to be protected, you can selectively indicate the partitions holding the sensitive data to be encrypted for replication.
If you require encrypted replication between specific replicas of a partition that contain sensitive data.
If you feel the network in your setup is hostile, you might want to protect sensitive data during replication.
To enable encrypted replication, you need to configure a partition for encrypted replication. Configuration settings are stored in the partition Root object.
You can choose to enable encrypted replication at a partition level or replica level.
The configurations at the partition level are overridden by the configurations at the replica level. This means that if encrypted replication is:
- Enabled at the partition level and disabled for specific replicas, the replication between those specific replicas happens in clear text.
- Disabled at the partition level and enabled for specific replicas, the replication between those specific replicas happens in encrypted form.
Table 11-1 Overriding Encrypted Replication Configuration at the Partition Level

| Partition Level | Replica Level | Replication |
|---|---|---|
| Enabled | Disabled | Unencrypted |
| Disabled | Enabled | Encrypted |
When you enable encrypted replication at the partition level, replication between all the replicas hosting the partition is encrypted. For example, consider a partition P1 that has replicas R1, R2, R3, and R4. You can encrypt the replication between all of these replicas; all replication, inbound or outbound, is then encrypted for these replicas.
To enable a partition for encrypted replication, all the servers hosting the partition must be OpenText eDirectory 8.8 or later servers.
Figure 11-4 Encrypted Replication
The configurations for encrypted replication at the partition level are overridden if you have encrypted replication configurations at replica level. Refer to Table 11-1.
Backward compatibility depends on whether the encrypted replication is enabled or disabled at the partition level. Refer to Adding a New Replica to a Replica Ring for more information.
You can enable encrypted replication at the partition level using OpenText Identity Console or LDAP, as explained in the following sections:
1. On the OpenText Identity Console home page, click the Encrypted Replication tile.
2. On the Encrypted Replication page, click Search Partition.
3. Select the tree or container.
4. Select the Enable Encrypted replication check box, then click Finish.
   NOTE: To disable encrypted replication at the partition level, deselect the Enable Encrypted replication check box.
   The "Encrypted Replication successfully enabled" message appears.
5. Click OK.
On the Encrypted Replication page, when you enable encrypted replication for the whole partition, you can still disable encrypted replication for specific replicas. The replicas that you disable for encrypted replication will not receive or send data in encrypted form. You can also disable encryption for the entire partition by deselecting Enable Encrypted replication.
IMPORTANT: We strongly recommend that you use OpenText Identity Console to enable encrypted replication.
To encrypt replication, you need to use the dsEncryptedReplicationConfig attribute. The syntax is:

```
enable/disable flag#destination replica number#source replica number
```

Replace the enable/disable flag with one of these values:
- 0: Encrypted replication is disabled
- 1: Encrypted replication is enabled
The source replica number and destination replica number represent the source and destination replica numbers of a partition. They can be specified in either order, because if replication from A to B is encrypted, replication from B to A is also encrypted.
NOTE: If the source and destination replica numbers at the partition level are 0 and the flag is set to 1, all the replicas are considered enabled for encrypted replication.
To enable encrypted replication at the partition level, the value of the dsEncryptedReplicationConfig attribute should be set to 1#0#0.
Following is a sample LDIF file for enabling encrypted replication at the partition level:

```
dn: o=ou
changetype: modify
replace: dsEncryptedReplicationConfig
dsEncryptedReplicationConfig: 1#0#0
```
These configurations at the partition level are overridden by the configurations at the replica level. Refer to Enabling Encrypted Replication at the Replica Level using LDAP for more information.
When you enable encrypted replication at the replica level, replication between specific replicas is encrypted. Both outbound and inbound replication between those replicas is encrypted.
For example, consider a partition P1 that has replicas R1, R2, R3, and R4. You can encrypt the replication between replicas R1 and R2, or between R2 and R4.
If you have enabled encrypted replication for one replica, it means that:
- inbound synchronization from any server to this replica is encrypted, and
- outbound synchronization from this replica to any other server is encrypted.
The replicas you have enabled for encrypted replication must be on OpenText eDirectory 8.8 or later servers. The remaining replicas in the replica ring, that are not enabled for encrypted replication, can be on servers with earlier versions of OpenText eDirectory.
To disable encrypted replication at the replica level, you need to disable Encrypt Link for the specific replicas using the Encrypted Replication Configuration page in OpenText Identity Console.
You can enable encrypted replication at the replica level using LDAP as described in the following section:
IMPORTANT: We strongly recommend that you use OpenText Identity Console to enable encrypted replication.
To encrypt replication, you need to use the dsEncryptedReplicationConfig attribute. The syntax is:

```
enable/disable flag#destination replica number#source replica number
```
For more information on the syntax, refer to Enabling Encrypted Replication at the Partition Level Using LDAP.
When you specify the replica numbers (replicaNumber) of the replicas in the above syntax, you enable encrypted replication between those replicas. Consider the following example values:
- 1#0#1: Encrypted replication is enabled between replica number 1 and every other replica in the partition, in both directions.
- 0#3#1: Encrypted replication is disabled between replica numbers 3 and 1.
- 0#1#1: Encrypted replication is disabled for replica number 1.
The following is a sample LDIF file that disables encrypted replication between replica numbers 1 and 3:

```
dn: o=ou
changetype: modify
replace: dsEncryptedReplicationConfig
dsEncryptedReplicationConfig: 0#3#1
```
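The value syntax and the partition-level/replica-level override rule above, as an added Python example that is not part of the OpenText documentation or product: it parses dsEncryptedReplicationConfig values, builds the LDIF change record shown above, and computes which replica links end up encrypted when a partition-level value (1#0#0) and a replica-level value (0#3#1) are applied together. How several values combine into one policy, and the precedence of a pair entry such as 0#3#1 over a single-replica entry such as 1#0#1, are assumptions of this model rather than documented product behaviour; the replica numbers and the o=ou DN are constructed sample input.

```python
"""Model of eDirectory dsEncryptedReplicationConfig values.

Added example; this is not OpenText code.  It implements the value
syntax "flag#destination replica number#source replica number" and
the override rule of Table 11-1 (replica level beats partition level).
Assumptions of this model, not statements from the product docs:
  * several values are evaluated together as one combined policy;
  * among replica-level values, a pair entry (e.g. 0#3#1) is more
    specific than a single-replica entry (e.g. 1#0#1) and wins.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class ErConfig:
    enabled: bool   # flag: 1 = encrypted, 0 = clear text
    dest: int       # destination replica number, 0 = all replicas
    src: int        # source replica number, 0 = all replicas


def parse_er_config(value: str) -> ErConfig:
    """Parse and validate one attribute value such as '1#0#0' or '0#3#1'."""
    parts = value.strip().split("#")
    if len(parts) != 3:
        raise ValueError(f"expected flag#dest#src, got {value!r}")
    flag, dest, src = (p.strip() for p in parts)
    if flag not in ("0", "1"):
        raise ValueError(f"flag must be 0 or 1, got {flag!r}")
    if not (dest.isdigit() and src.isdigit()):
        raise ValueError(f"replica numbers must be non-negative integers: {value!r}")
    return ErConfig(flag == "1", int(dest), int(src))


def scope(cfg: ErConfig) -> tuple[str, frozenset[int]]:
    """Classify a value: partition-wide (0#0), one replica's links, or one pair.

    Replica order does not matter (A->B encrypted implies B->A encrypted),
    so the affected replicas are returned as an unordered set.
    """
    if cfg.dest == 0 and cfg.src == 0:
        return "partition", frozenset()
    if cfg.dest == 0 or cfg.src == 0 or cfg.dest == cfg.src:
        return "replica", frozenset({cfg.dest or cfg.src})
    return "pair", frozenset({cfg.dest, cfg.src})


# Assumed precedence: the most specific applicable value wins.
_PRECEDENCE = {"partition": 0, "replica": 1, "pair": 2}


def effective_links(values, replicas) -> dict[frozenset[int], bool]:
    """Return {frozenset({n, m}): encrypted?} for every pair of replicas.

    A link with no applicable value stays in clear text.  On equal
    specificity the later value in `values` wins.
    """
    cfgs = [parse_er_config(v) for v in values]
    links = {}
    for n, m in combinations(sorted(replicas), 2):
        link = frozenset({n, m})
        state, best = False, -1
        for cfg in cfgs:
            kind, members = scope(cfg)
            # A value applies to a link when every replica it names is on it
            # (the partition-wide value names none, so it applies everywhere).
            if members <= link and _PRECEDENCE[kind] >= best:
                state, best = cfg.enabled, _PRECEDENCE[kind]
        links[link] = state
    return links


def encryption_state_seen_from(values, replicas, connected) -> dict[int, str]:
    """iMonitor-style view: the Encryption State of each link from one replica."""
    links = effective_links(values, replicas)
    return {
        other: "Enabled" if links[frozenset({connected, other})] else "Disabled"
        for other in sorted(replicas)
        if other != connected
    }


def ldif_modify(partition_dn: str, value: str) -> str:
    """Build the LDIF change record the page shows, validating the value first."""
    parse_er_config(value)
    return "\n".join([
        f"dn: {partition_dn}",
        "changetype: modify",
        "replace: dsEncryptedReplicationConfig",
        f"dsEncryptedReplicationConfig: {value}",
        "",
    ])


if __name__ == "__main__":
    # Constructed scenario: partition enabled (1#0#0), link 1<->3 disabled (0#3#1).
    print(ldif_modify("o=ou", "1#0#0"))
    print(encryption_state_seen_from(["1#0#0", "0#3#1"], [1, 2, 3], connected=1))
```

Running the script prints the partition-level LDIF record and, for the combined policy, shows replica 1's link to replica 2 as Enabled and its link to replica 3 as Disabled, which is the override behaviour Table 11-1 describes.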
When you split a partition, the encrypted replication configuration in the parent partition is inherited by the child partition. When you merge a partition, the encrypted replication configuration of the parent partition is retained in the resultant partition.
Adding a new replica to a replica ring is affected by whether encrypted replication is enabled or disabled for the partition at the partition level and at the replica level.
For more information on adding a replica to a replica ring, refer to Administering Replicas.
At each of the above levels, you have different scenarios depending on which version of OpenText eDirectory server you are trying to add to the replica ring, as explained in the following sections:
The scenarios vary depending on the version of OpenText eDirectory server you are trying to add.
| Scenario | Data Encryption |
|---|---|
| Adding an OpenText eDirectory 9.1 or above server without EBA and with Encrypted Replication disabled | The data flows in clear text. |
| Adding an OpenText eDirectory 9.1 or above server with Encrypted Replication and without EBA | OpenText eDirectory encrypts data based on the encrypted replication policies. |
| Adding an OpenText eDirectory 9.1 or above server with EBA | EBA-based encryption takes precedence over encrypted replication. |
If encrypted replication is enabled between a source replica and specific destination replicas, you can add an OpenText eDirectory 8.8 server or later to the replica ring.
The scenarios vary if encrypted replication is enabled between a source replica and all the other replicas in the replica ring. This is similar to adding replicas to a replica ring with encrypted replication enabled or disabled at the partition level. Refer to Enabling Encrypted Replication at the Partition Level for more information.
If the server you are trying to add is on Linux, you can use the ndsconfig -E option to enable encrypted replication on the server. Refer to the ndsconfig man pages for more information.
If the server you are trying to add is on Windows, you can enable the Enable Encrypted Replication option in the installation page.
If the server you are trying to add is on platforms other than Linux, you can enable encrypted replication through OpenText Identity Console or LDAP. Refer to Enabling Encrypted Replication for more information.
If one replica is enabled for encrypted replication and the configuration changes are not synchronized with the other servers, replication happens in the encrypted form between the replicas. The replicas that are not synced with the configuration changes for encrypted replication continue to sync in clear text.
Even if the encrypted replication configuration has not been synchronized across the replicas, the replication between them will happen in the encrypted form.
You can view the encrypted replication status through OpenText iMonitor as follows:
1. In OpenText iMonitor, click Agent Synchronization in the Assistant frame.
2. Click Replica Synchronization for the partition you want to view.
   The replica status information is displayed. The Encryption Status field shows whether the link from the replica to which you are currently connected is encrypted.
Basically, there are three scenarios in encrypted replication (ER):
- ER enabled at the partition level: The replica to which you are connected shows the Encryption State as Enabled.
  To find out which replica you are connected to, look in the replica frame: the one that is not hyperlinked is the one you are connected to. If you browse to the other replicas, they also show the Encryption State as Enabled.
- ER enabled at the replica level: You have enabled ER for all replicas from one particular replica (that is, one to all). In this case, when you are connected to that replica, its Encryption State is marked Enabled.
- ER enabled or disabled for a combination of replicas: You have enabled ER for the whole partition but not for a selected set of servers, or vice versa.
For example, you have enabled ER for partition A, which has three replicas 1, 2, and 3, and disabled ER for 1 <--> 3. In this case, if you are connected to replica 1, the Encryption State is displayed as:

```
Server 1 Enabled
Server 2
Server 3 Disabled
```

This means that Server 1 is enabled for encrypted replication to all the servers in the replica ring, but 1 <--> 3 has been disabled by the administrator.