Does not apply to Identity Cloud

Enabling or initializing replication interactively fails in DS 5.x or 6.x with There is an error with the certificate presented by the server

Last updated Apr 8, 2021

The purpose of this article is to provide assistance if you cannot enable or initialize replication in interactive mode in DS. The failure is reported as "There is an error with the certificate presented by the server".


Symptoms

The following error is shown when attempting to enable or initialize replication interactively using the dsreplication menu with option 1 (Enable Replication) or option 3 (Initialize Replication on one Server):

Establishing connections ..... Error reading data from server localhost:4444. There is an error with the certificate presented by the server. Details: simple bind failed: localhost:4444

Note that the server named in the error (localhost:4444 in this example) is the server you entered as the first server in the dsreplication menu.

You should also be aware that:

  • Using option 4 (Initialize All Servers) appears to be successful, but the servers are not in sync.
  • You can enable or initialize replication successfully via the command line.

Recent Changes

Upgraded to, or installed, DS 5.x or 6.x.

Causes

This is a trust issue caused by the order in which you specify the servers when enabling or initializing replication interactively:

  • If you launch dsreplication on Master 1 and give Master 1's own connection details for the first server, replication is not enabled or initialized because Master 1 does not yet trust Master 2's replication certificate, so the connection to Master 2 fails the certificate check.
  • If you launch dsreplication on Master 1 and give Master 2's connection details for the first server, Master 1 connects to Master 2, retrieves Master 2's replication certificate and establishes the trust relationship; replication is then enabled or initialized successfully.

Solution

This issue can be resolved by specifying the correct connection details for the first server. Per the explanation above, you must specify the remote server (not the server on which you are running dsreplication) as the first server so that the trust relationship is formed before the tool tries to use it.

Alternatively, you can use the command line to enable and/or initialize replication in non-interactive mode:

  • Enable replication, for example:

    $ ./dsreplication configure --adminUID admin --adminPassword password --baseDN dc=example,dc=com --host1 ds1.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 ds2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --trustAll --no-prompt

  • Initialize the new server from the existing one so that both servers hold the same data, for example:

    $ ./dsreplication initialize --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostSource ds1.example.com --portSource 4444 --hostDestination ds2.example.com --portDestination 4444 --trustAll --no-prompt

Be aware that --trustAll makes the tool accept whatever certificate each server presents without verifying it. This is acceptable for the one-off run that bootstraps the trust relationship between the servers, but if you prefer to verify the certificates you can instead point the tool at a truststore that already contains the servers' certificates using --trustStorePath (and --trustStorePassword) in place of --trustAll. After initializing, run dsreplication status to confirm that replication is enabled for the base DN on both servers and that the entry counts match.

See Administration Guide › To Configure Replication Interactively for further information.

See Also

Replication in DS

Administration Guide › Configuring Replication

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.