How To

How do I configure a CA Signed certificate for replication in a secured DS 5.x or 6.x with no downtime - [replication is enabled]?

Last updated May 22, 2020

The purpose of this article is to provide information on replacing self-signed certificates with a CA Signed certificate for replication in DS. This article is tailored to those who have a secure environment (production mode enabled, secure communication for replication and encrypted backends) where downtime is not an option.


Overview

This article is only suitable if you have a secured environment (production mode enabled, secure communication for replication and encrypted backends) and downtime is not an option. If this is not true, please see How do I replace the certificates (key pair) used for replication in DS 5.x, 6.x or OpenDJ 3.x? for the correct process.

After configuring replication and setting up encrypted backends, symmetric key entries are added to the "cn=admin data" backend (admin-backend.ldif). Because of an issue reported in OPENDJ-5985 (Divergence of "cn=admin data" after setting up secure replication and encrypted backends), this process requires you to replace the self-signed certificate first on the server that holds the symmetric keys for all the other instances, so one of the first steps is to identify that server.

The following process assumes two instances (ds1 and ds2) and applies (other than the first step) regardless of whether you have a DS+RS replication topology or a standalone RS topology.

In summary, the steps are:

  1. Standalone RS only: Import the root and intermediate certificates into the ads-truststore of both RS servers.
  2. Determine which instance to set up first.
  3. Set up the first instance:
    1. Generate a Certificate Signing Request.
    2. Sign the CSR with the CA.
    3. Disable the LDAPS and LDAP connectors.
    4. Import the root, intermediate and server certificates.
    5. Import the CA signed server certificate.
    6. Create and apply an LDIF file to add a new instance key entry that contains the new certificate detail.
    7. Force replication to reconnect so that it uses the new certificates.
    8. Re-enable the LDAPS and LDAP connectors.
    9. Restart the server.
  4. Set up the second instance:
    1. Generate a Certificate Signing Request.
    2. Sign the CSR with the CA.
    3. Disable the LDAPS and LDAP connectors.
    4. Import the root, intermediate and server certificates.
    5. Import the CA signed server certificate.
    6. Create and apply an LDIF file to add a new instance key entry that contains the new certificate detail.
    7. Force replication to reconnect so that it uses the new certificates.
    8. Add the symmetric key information from the first server to the secret keys entry on this server.
    9. Re-enable the LDAPS and LDAP connectors.
    10. Restart the server.

Importing certificates into the ads-truststore of both RS servers (Standalone RS only)

You can import the certificates into the ads-truststore of both RS servers as follows:

  1. Import the root and intermediate (if present) certificates into the ads-truststore of both RS servers. For example:
    • On DS1:
      $ cd config 
      $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/FECRootCA.pem
      
    • On DS2:
      $ cd config
      $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/FECRootCA.pem
      
  2. Verify the import worked on both RS servers. For example:
    • On DS1:
      $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin
    • On DS2:
      $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin

Determining which instance to set up first

You can determine which instance to set up first as follows:

  1. Search the "cn=admin data" backend on each server to determine which instance has the symmetric key entries (the instance with multiple symmetric keys is the first instance to set up):
    • On DS1:
      $ ./ldapsearch --hostname ds1.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --baseDn "cn=admin data" --useSsl --trustAll ds-cfg-symmetric-key=* ds-cfg-symmetric-key
      
      dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: E58E088B2C80257264102449D60FA4EE:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:51BDC9BE849EBF885DCBDFC8AF22FD6EBE1B2FCF5F646B0CF6D498D78B06CB75731FE9DECDE57E5B810944D8A52DED42D9E410D17A519D55ADDD8661BE814F4E930A62D4E241B4ABEB6B0A932A9E23AA9FEB8627EAF8A9ADDFA14274C06701C69E70B28A9BDA49FD8D76023B23FCEE678EBA67304A592D5000BB7B78B1C007B5B95A62A9460F2B20D08F8AFDD3E72F444B4BA37ECEF62B585FB0882F90ACAE35C9CAED2FCD44EBD1D9C90907B8639BB675ED0E465A8E3AB832E0D2E0F0C2DA2BDA0EFF21FC4850B72EE5658A5A4F4497631DD9A0C766B0E3595E6F8B69D71D582E07010F5FE9490ABD7B3D7A1994F0174E0051C72B9819C57A02FE0C6AF96ECF
    • On DS2:
      $ ./ldapsearch --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --baseDn "cn=admin data" --useSsl --trustAll ds-cfg-symmetric-key=* ds-cfg-symmetric-key
      
      dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: E58E088B2C80257264102449D60FA4EE:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      ds-cfg-symmetric-key: 768F6DCCC3A6F62D123C0F73F31919E7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      

In this example, ds2 is the first instance to set up because it has two symmetric keys configured in the "dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data" entry.

Setting up the first instance

You can set up the first instance (ds2 in this example) as follows:

  1. Create a Certificate Signing Request (CSR) from ads-truststore for the ds2 instance. For example:
    $ keytool -certreq -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/certs/ds2_cert_req.csr
  2. Sign the CSR with the CA. For example:
    $ cd ~/CA/certs
    $ openssl x509 -req -in ds2_cert_req.csr -CA ../FECRootCA.pem -CAkey ../FECRootCA.key -extensions server_cert -days 375 -CAcreateserial -out ds2_cert.pem
  3. Disable the LDAPS and LDAP connectors to ensure instances only come online once the setup process is complete:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
  4. Import the root, intermediate (if present) and server certificates into the ads-truststore and verify. For example:
    $ cd config
    $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/FECRootCA.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin
    
  5. Import the CA signed server certificate and verify. For example:
    $ keytool -import -trustcacerts -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/certs/ds2_cert.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin -alias ads-certificate
    
    Alias name: ads-certificate
    Creation date: 13-Feb-2019
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=ds2, O=OpenDJ RSA Certificate
    Issuer: CN=fecCA, O=FEC, L=London, ST=London, C=UK
    Serial number: b9cf4f71c94eb24e
    Valid from: Wed Feb 13 13:39:23 GMT 2019 until: Sun Feb 23 13:39:23 GMT 2020
    Certificate fingerprints:
      MD5:  C5:B9:BB:08:50:E4:C4:9F:76:3C:9B:31:6D:C6:21:C8
      SHA1: F1:6F:54:23:CE:4D:1B:7C:F7:BC:DA:DC:F7:4E:67:74:3C:F8:9F:78
      SHA256: 92:42:6D:12:D2:F7:42:82:58:3D:65:36:95:FA:02:B2:05:E5:D3:BB:82:AC:E3:FE:7B:55:D2:38:16:7F:DA:DC
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 1
    
  6. Extract an MD5 hash of the ads-truststore certificate without ":" characters. This hash is needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ keytool -export -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ads-new-cert.crt
    $ keytool -printcert -file ads-new-cert.crt | grep MD5 | awk '{print $2}'  | sed "s/://g"
    
    DC54D2DAF3E1D7672779E55D59310A36
    
  7. Output the certificate details. These details are needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ for line in `sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' ~/CA/certs/ds2_cert.pem | sed "s/-----.* CERTIFICATE-----//" | sed "/^$/d"`; do printf "%s" "$line"; done; echo
    
    ...
    
  8. Create an LDIF file to add a new instance key entry that contains the new certificate detail:
    • Add the two change records shown below to the file.
    • Replace the ds-cfg-key-id attribute value (in three places) with the MD5 hash output in step 6.
    • Paste the certificate details output in step 7 as the value after ds-cfg-public-key-certificate;binary::
    For example:
    $ vi /tmp/update_server_cert.ldif
    dn: ds-cfg-key-id=DC54D2DAF3E1D7672779E55D59310A36,cn=instance keys,cn=admin data
    changetype: add
    objectClass: top
    objectClass: ds-cfg-instance-key
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
    ds-cfg-public-key-certificate;binary:: <certificate output from step 7>
    
    dn: cn=ds2.example.com:4444,cn=servers,cn=admin data
    changetype: modify
    replace: ds-cfg-key-id
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
                   
  9. Use ldapmodify to import the LDIF file:
    $ ./ldapmodify --port 4444 --hostname ds2.example.com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll /tmp/update_server_cert.ldif
    
  10. Force replication to reconnect so that it uses the new certificates:
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds2.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:false --no-prompt --trustAll
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds2.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:true --no-prompt --trustAll
    
  11. Re-enable the LDAP and LDAPS connection handlers:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
  12. Verify everything is working correctly by modifying a user's description, checking you can see the updated description on both instances and checking the certificates. For example:
    $ ./ldapmodify --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll
    dn:uid=user.0,ou=people,dc=example,dc=com
    changetype:modify
    replace:description
    description: ds2 test
    
    # Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
    # MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
    $ ./ldapsearch --hostname ds1.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds2 test
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds2 test
    $ openssl s_client -connect ds2.example.com:8989 -showcerts
    
  13. Restart ds2 and verify it starts without any errors:
    $ ./stop-ds --restart
    

Setting up the second instance

You can set up the second instance (ds1 in this example) as follows:

  1. Create a Certificate Signing Request (CSR) from ads-truststore for the ds1 instance. For example:
    $ keytool -certreq -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/certs/ds1_cert_req.csr
  2. Sign the CSR with the CA. For example:
    $ cd ~/CA/certs
    $ openssl x509 -req -in ds1_cert_req.csr -CA ../FECRootCA.pem -CAkey ../FECRootCA.key -extensions server_cert -days 375 -CAcreateserial -out ds1_cert.pem
  3. Disable the LDAPS and LDAP connectors to ensure instances only come online once the setup process is complete:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
  4. Import the root, intermediate (if present) and server certificates into the ads-truststore and verify. For example:
    $ cd config
    $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/FECRootCA.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin
    
  5. Import the CA signed server certificate and verify. For example:
    $ keytool -import -trustcacerts -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/certs/ds1_cert.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin -alias ads-certificate
    
    Alias name: ads-certificate
    Creation date: 13-Feb-2019
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=ds2, O=OpenDJ RSA Certificate
    Issuer: CN=fecCA, O=FEC, L=London, ST=London, C=UK
    Serial number: b9cf4f71c94eb24e
    Valid from: Wed Feb 13 13:39:23 GMT 2019 until: Sun Feb 23 13:39:23 GMT 2020
    Certificate fingerprints:
      MD5:  C5:B9:BB:08:50:E4:C4:9F:76:3C:9B:31:6D:C6:21:C8
      SHA1: F1:6F:54:23:CE:4D:1B:7C:F7:BC:DA:DC:F7:4E:67:74:3C:F8:9F:78
      SHA256: 92:42:6D:12:D2:F7:42:82:58:3D:65:36:95:FA:02:B2:05:E5:D3:BB:82:AC:E3:FE:7B:55:D2:38:16:7F:DA:DC
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 1
    
  6. Extract an MD5 hash of the ads-truststore certificate without ":" characters. This hash is needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ keytool -export -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ads-new-cert.crt
    $ keytool -printcert -file ads-new-cert.crt | grep MD5 | awk '{print $2}'  | sed "s/://g"
    
    DC54D2DAF3E1D7672779E55D59310A36
    
  7. Output the certificate details. These details are needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ for line in `sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' ~/CA/certs/ds1_cert.pem | sed "s/-----.* CERTIFICATE-----//" | sed "/^$/d"`; do printf "%s" "$line"; done; echo
    
    ...
    
  8. Create an LDIF file to add a new instance key entry that contains the new certificate detail:
    • Add the two change records shown below to the file.
    • Replace the ds-cfg-key-id attribute value (in three places) with the MD5 hash output in step 6.
    • Paste the certificate details output in step 7 as the value after ds-cfg-public-key-certificate;binary::
    For example:
    $ vi /tmp/update_server_cert.ldif
    dn: ds-cfg-key-id=DC54D2DAF3E1D7672779E55D59310A36,cn=instance keys,cn=admin data
    changetype: add
    objectClass: top
    objectClass: ds-cfg-instance-key
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
    ds-cfg-public-key-certificate;binary:: <certificate output from step 7>
    
    dn: cn=ds1.example.com:4444,cn=servers,cn=admin data
    changetype: modify
    replace: ds-cfg-key-id
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
                   
  9. Use ldapmodify to import the LDIF file:
    $ ./ldapmodify --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll /tmp/update_server_cert.ldif
    
  10. Force replication to reconnect so that it uses the new certificates:
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:false --no-prompt --trustAll
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:true --no-prompt --trustAll
    
  11. Search the "cn=admin data" backend on ds2 to retrieve the symmetric key information:
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --baseDn "cn=admin data" --useSsl --trustAll ds-cfg-symmetric-key=* ds-cfg-symmetric-key
    
    dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
    ds-cfg-symmetric-key: DC54D2DAF3E1D7672779E55D59310A36:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
  12. Add the ds2 symmetric key information returned in the previous step to the secret keys entry on ds1 (this is necessary to ensure the backend is accessible and re-initialization is not needed):
    $ ./ldapmodify --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll
    
    dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
    changetype:modify
    add:ds-cfg-symmetric-key
    ds-cfg-symmetric-key: DC54D2DAF3E1D7672779E55D59310A36:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:3B18195C0A832D35812487E25036391BD6B791BCE1BB78A6FD78421690044D94D8344D0A6E5B3C2FFD661473B43355314F8F40FA2B36A951092CA9BF484D7BA303741766CEC9932C0541B14712117C9298245C5BEB0405E4DF0165AB8BC8D3F56DA33582A366A040A00550CEB7654FC99E8EBE1F16140E3944189DF781612D31CE935F5393488D8AF3DCD841465395799916EA491C8C3477E59253C6D72D1B727D955A207CC407424A260F0238A0970027C2DDAE5BB60FA798CFBE7B8A2A7B4167C658A66317B0928581E9AFF99569A5274DB22DC8AB4E78C94E71EDAA55ACDFB2240135F49C1175226BC79F7C04CA5F7CA3A46D1B9B141FF47B04971D34CDD5
    
  13. Re-enable the LDAP and LDAPS connection handlers:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
  14. Verify everything is working correctly by modifying a user's description, checking you can see the updated description on both instances and checking the certificates. For example:
    $ ./ldapmodify --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll
    dn:uid=user.0,ou=people,dc=example,dc=com
    changetype:modify
    replace:description
    description: ds2 test
    
    # Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
    # MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
    $ ./ldapsearch --hostname ds1.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds2 test
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds2 test
    $ openssl s_client -connect ds1.example.com:8989 -showcerts
    
  15. Restart ds1 and verify it starts without any errors:
    $ ./stop-ds --restart
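
The following script is an added example (not ForgeRock's code) that reproduces two manual parts of this procedure: picking the first instance from the ldapsearch output under "Determining which instance to set up first", and deriving the ds-cfg-key-id plus the two "cn=admin data" change records of steps 6 to 8 from the CA-signed PEM certificate. It relies on keytool fingerprinting the DER encoding of the certificate, so the MD5 of the DER bytes equals the value step 6 extracts; the hostnames, the admin port 4444 and the sample PEM are assumptions or constructed data.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string
    (the base64 body that step 7 prints as a single line)."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def key_id_for_der(der: bytes) -> str:
    """The ds-cfg-key-id for a certificate: the MD5 fingerprint of its DER
    encoding as upper-case hex without ':' (what step 6 extracts with keytool)."""
    return hashlib.md5(der).hexdigest().upper()


def admin_data_ldif(pem_text: str, host: str, admin_port: int = 4444) -> str:
    """Build the two change records of step 8 for the given instance."""
    der = der_from_pem(pem_text)
    key_id = key_id_for_der(der)
    cert_b64 = base64.b64encode(der).decode("ascii")
    return (
        f"dn: ds-cfg-key-id={key_id},cn=instance keys,cn=admin data\n"
        "changetype: add\n"
        "objectClass: top\n"
        "objectClass: ds-cfg-instance-key\n"
        f"ds-cfg-key-id: {key_id}\n"
        f"ds-cfg-public-key-certificate;binary:: {cert_b64}\n"
        "\n"
        f"dn: cn={host}:{admin_port},cn=servers,cn=admin data\n"
        "changetype: modify\n"
        "replace: ds-cfg-key-id\n"
        f"ds-cfg-key-id: {key_id}\n"
    )


def symmetric_key_count(ldapsearch_output: str) -> int:
    """Count ds-cfg-symmetric-key values in the ldapsearch output. LDIF folds
    long values onto continuation lines that start with a space, so only lines
    that begin with the attribute name are counted."""
    return sum(1 for line in ldapsearch_output.splitlines()
               if line.startswith("ds-cfg-symmetric-key:"))


def first_instance(outputs: dict) -> str:
    """Given {hostname: ldapsearch output}, return the instance holding the most
    symmetric keys; per OPENDJ-5985 it must receive the new certificate first."""
    return max(outputs, key=lambda host: symmetric_key_count(outputs[host]))


# Constructed sample data: the PEM is NOT a real X.509 certificate, just bytes in
# PEM armour so the key id and LDIF generation can run offline; the ldapsearch
# outputs are shortened versions of the ones shown above (values truncated).
SAMPLE_DER = b"constructed-not-a-real-x509-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SEARCH = {
    "ds1.example.com": (
        "dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data\n"
        "ds-cfg-symmetric-key: E58E088B2C80257264102449D60FA4EE:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:00\n"
        " 11\n"),
    "ds2.example.com": (
        "dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data\n"
        "ds-cfg-symmetric-key: E58E088B2C80257264102449D60FA4EE:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:00\n"
        "ds-cfg-symmetric-key: 768F6DCCC3A6F62D123C0F73F31919E7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:00\n"),
}

if __name__ == "__main__":
    first = first_instance(SAMPLE_SEARCH)
    print(f"set up {first} first")
    print(admin_data_ldif(SAMPLE_PEM, first))
```

Point der_from_pem at the real ~/CA/certs/ds2_cert.pem and feed the resulting LDIF to the ldapmodify command of step 9; the generated key id should match the keytool -printcert output of step 6 before you apply it.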
    

See Also

FAQ: SSL certificate management in DS 5.x, 6.x or OpenDJ 3.x

Replication in DS/OpenDJ

How do I use externally created SSL keys with DS 5.x, 6.x or OpenDJ 3.x?

Administration Guide › Changing Server Certificates

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

OPENDJ-5985 (Divergence of "cn=admin data" after setting up secure replication and encrypted backends)

OPENDJ-5235 (Allow external certificates to be used for replication during setup)



Copyright © 2020 ForgeRock, all rights reserved.