DevTech101

How to set up your first directory instance: click here
Note: If you have any issues with the Directory Server Control Center (DSCC) and need to re-initialize it, click here

Setup Directory Server Certificates

Note: The process was updated; please read it before you continue.

Before you start, make sure to set up the DSCC certificates.

Replication Topology

For a list of steps on how to configure the certificates, click here (this is needed for DSCC replication).

Before you begin
Make sure your storage is set up with the correct block size; check this first: Directory Server Databases and Usage of db_stat
Another place to look for how to tune the file system is Filesystem Cache Optimization Strategies

Setup a password file

Set up a password file that will be used during this configuration on each server. It holds the replication manager password, so keep it readable only by the user that runs the instance.
Run on all 3 servers for all servers (on all servers, set the multi-master password file).
Note: on all servers for all servers (not sure whether this is needed)

echo '[password]' > dsccreplmanpwd.txt

cp dsccreplmanpwd.txt /var/opt/SUNWdsee/dscc6/dcc/ads/.

dsconf set-server-prop -e -i -w dsccreplmanpwd.txt -h ldap1 -p 3998 \
def-repl-manager-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-server-prop -e -i -w dsccreplmanpwd.txt -h ldap2 -p 3998 \
def-repl-manager-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-server-prop -e -i -w dsccreplmanpwd.txt -h ldap3 -p 3998 \
def-repl-manager-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt

Enable DSCC replication

Run on all 3 servers to enable replication.

dsconf enable-repl -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i -d 1 master cn=dscc
dsconf enable-repl -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i -d 2 master cn=dscc
dsconf enable-repl -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i -d 3 master cn=dscc

Get the DSCC default certificate

Run on all 3 servers to export the existing default certificate to a DER file.

dsadm show-cert -F der -o ldap1-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
dsadm show-cert -F der -o ldap2-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert
dsadm show-cert -F der -o ldap3-dscc-certfile /var/opt/SUNWdsee/dscc6/dcc/ads defaultCert

Import the default certificate to each Directory Server

Note: You will need to copy the default certificates to the respective servers and import them.
Run on all 3 servers (on all servers, add the other servers' certificates as trusted CA certificates).

Run on ldap1:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap2 DSCC Repl Manager Cert" ldap2-dscc-certfile
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap3 DSCC Repl Manager Cert" ldap3-dscc-certfile

Run on ldap2:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap1 DSCC Repl Manager Cert" ldap1-dscc-certfile
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap3 DSCC Repl Manager Cert" ldap3-dscc-certfile

Run on ldap3:
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap1 DSCC Repl Manager Cert" ldap1-dscc-certfile
dsadm add-cert --ca /var/opt/SUNWdsee/dscc6/dcc/ads "ldap2 DSCC Repl Manager Cert" ldap2-dscc-certfile

Setup a replication agreement using SSL

Run on all 3 servers

Run on ldap1:
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap2:3999
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap3:3999

Run on ldap2:
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap1:3999
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap3:3999

Run on ldap3:
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap1:3999
dsconf create-repl-agmt -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i --auth-protocol "ssl-simple" cn=dscc ldap2:3999

Setup a replication agreement password file

Run on all 3 servers

Run on ldap1:
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i cn=dscc \
ldap2:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap1 -p 3998 -e -i cn=dscc \
ldap3:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt

Run on ldap2:
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i cn=dscc \
ldap1:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap2 -p 3998 -e -i cn=dscc \
ldap3:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt

Run on ldap3:
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i cn=dscc \
ldap1:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt
dsconf set-repl-agmt-prop -w dsccreplmanpwd.txt -h ldap3 -p 3998 -e -i cn=dscc \
ldap2:3999 auth-pwd-file:/var/opt/SUNWdsee/dscc6/dcc/ads/dsccreplmanpwd.txt

Now restart all 3 servers for the new replication agreements to take effect

dsadm restart /var/opt/SUNWdsee/dscc6/dcc/ads

Consolidate the Directory Server (DSCC) LDIF data

We need to consolidate the LDAP data from all directory servers (DSCC) used in the replication topology.
Do an LDIF export on ldap1, ldap2 and ldap3.
Note: This won't work without the full path given to the file

dsconf export -w dsccreplmanpwd.txt -h ldap1 -p 3998 cn=dscc /var/tmp/user/rep/dscc-ldap1.ldif
dsconf export -w dsccreplmanpwd.txt -h ldap2 -p 3998 cn=dscc /var/tmp/user/rep/dscc-ldap2.ldif
dsconf export -w dsccreplmanpwd.txt -h ldap3 -p 3998 cn=dscc /var/tmp/user/rep/dscc-ldap3.ldif

Create an LDIF import file

Create the LDIF import file by using one of the export files, like dscc-ldap1.ldif, and appending the following entry.
Append the entry with cn=[servername@/….] from the LDIF export of each of the other directory servers, for example:

dn: cn=ldap2@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
secureport: 3999
port: 3998
servertype: ADS
instanceowner: noaccess
objectClass: extensibleobject
objectClass: top
description: DS instance used as the DSCC registry
cn: ldap2@/var/opt/SUNWdsee/dscc6/dcc/ads
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20070510045551Z
modifyTimestamp: 20070510045551Z
nsUniqueId: b6ad3530-feb211db-80828567-1f32384c
............................
...................
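The consolidation step above is a merge of the cn=[servername@/...] registry entries from the other exports into one base export. The following is an added example, not code from the original post or from DSEE: it parses each LDIF export, picks out the cn=<server>@<path>,cn=Servers,cn=dscc entries and appends only the ones the base file does not already contain. The sample exports are constructed inline and trimmed to the attributes that matter.

```python
import re

# Constructed sample exports, trimmed far below what "dsconf export" writes;
# only the registry entry cn=<server>@<path>,cn=Servers,cn=dscc matters here.
LDAP1_EXPORT = """\
version: 1

dn: cn=dscc
objectClass: top
cn: dscc

dn: cn=ldap1@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
objectClass: extensibleobject
cn: ldap1@/var/opt/SUNWdsee/dscc6/dcc/ads
port: 3998
secureport: 3999
"""
LDAP2_EXPORT = LDAP1_EXPORT.replace("ldap1", "ldap2")
LDAP3_EXPORT = LDAP1_EXPORT.replace("ldap1", "ldap3")

SERVER_DN = re.compile(r"^cn=[^,]+@[^,]+,cn=Servers,cn=dscc$", re.IGNORECASE)

def parse_ldif(text):
    """Split LDIF into (dn, entry_text) pairs; RFC 2849 folded lines are unwrapped."""
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        dn = next((l[3:].strip() for l in lines if l.lower().startswith("dn:")), None)
        if dn is not None:                      # skips the bare "version: 1" block
            entries.append((dn, "\n".join(lines)))
    return entries

def merge_exports(base_text, other_texts):
    """Return base_text plus every cn=<server>@... entry it does not already hold."""
    have = {dn.lower() for dn, _ in parse_ldif(base_text)}
    out = [base_text.rstrip("\n")]
    for text in other_texts:
        for dn, entry in parse_ldif(text):
            if SERVER_DN.match(dn) and dn.lower() not in have:
                out.append(entry)
                have.add(dn.lower())
    return "\n\n".join(out) + "\n"

if __name__ == "__main__":
    # With real files: read dscc-ldap1.ldif as the base and the other exports as others.
    print(merge_exports(LDAP1_EXPORT, [LDAP2_EXPORT, LDAP3_EXPORT]))
```

Write the returned text to the full path you pass to dsconf import; non-registry entries from the other exports (the cn=dscc root, for instance) are intentionally not copied again.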

Import and Initialize one server with the LDIF import data

Initialize one server, like ldap1, using dscc-ldap1.ldif
Note: This won't work without the full path given to the file. The file must be readable by the user the instance runs as; read access for that user is enough, world-writable permissions are not required.

chmod 777 dscc-ldap1.ldif

dsconf import -h ldap1 -p 3998 /var/tmp/user/rep/dscc-ldap1.ldif cn=dscc

Initialize all other directory servers

Initialize ldap2 (and ldap3) from ldap1 using the replication agreement

on ldap1:
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap1 -p 3998 cn=dscc ldap2:3999
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap1 -p 3998 cn=dscc ldap3:3999

on ldap2:
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap2 -p 3998 cn=dscc ldap1:3999
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap2 -p 3998 cn=dscc ldap3:3999

on ldap3:
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap3 -p 3998 cn=dscc ldap1:3999
dsconf init-repl-dest -w dsccreplmanpwd.txt -e -i -h ldap3 -p 3998 cn=dscc ldap2:3999

Show replication status

To check the replication status (if DSCC is used to manage the instances)

dsccreg list-servers -C -a

Another way to see the replication status

dsconf show-repl-agmt-status -h ldap2 -p 3998 cn=dscc ldap1:3999

The dscc DS instance is now replicated to the other servers. Before you can manage the /opt/ds instances from ldap2 you have to bind as the Directory Manager for these instances. The admin user (cn=admin,cn=Administrators,cn=dscc) only has the ability to stop and start these instances. To edit their contents you need to bind as the DM. Until this is done they will show up as an error in the DSCC GUI and also when running dsccreg from ldap2:
An example of the error can be seen by running dsccreg.

To run all DSCC replication in SSL

Before adding the certificate

Before adding the certificate to the DSCC LDAP instance you will get Denied in the SSL fields (sTLS and LDAPS):

[root@ldap1] /var/tmp/user/rep # dsccreg list-servers -C -a
Enter DSCC administrator's password:
Hostname  Port  sPort  Type  Owner     iPath                            LDAP  sTLS    LDAPS
--------  ----  -----  ----  --------  -------------------------------  ----  ------  ------
ldap3  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Denied  Denied
ldap1  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Denied  Denied
ldap2  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Denied  Denied
3 server instance(s) found in DSCC on localhost.

Export the DSCC certificate

To fix this issue and run all data over SSL (you can see it says Denied above), run this on each server:

dsadm show-cert -o /var/tmp/user/rep/ldap1-dscc-der -F der /var/opt/SUNWdsee/dscc6/dcc/ads
dsadm show-cert -o /var/tmp/user/rep/ldap2-dscc-der -F der /var/opt/SUNWdsee/dscc6/dcc/ads
dsadm show-cert -o /var/tmp/user/rep/ldap3-dscc-der -F der /var/opt/SUNWdsee/dscc6/dcc/ads

Prepare to add the DSCC certificate

Then on each server create a file called modify.ldif with that server's LDIF modify data (one of the following per server):

version: 1
dn: cn=ldap1@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///var/tmp/user/rep/ldap1-dscc-der

version: 1
dn: cn=ldap2@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///var/tmp/user/rep/ldap2-dscc-der

version: 1
dn: cn=ldap3@/var/opt/SUNWdsee/dscc6/dcc/ads,cn=Servers,cn=dscc
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///var/tmp/user/rep/ldap3-dscc-der

Add the certificate to the DSCC LDAP instance

Then modify the dscc ldap entry on each server

ldapmodify -h ldap1 -p 3998 -D "cn=directory manager" -w - -f ./modify.ldif
ldapmodify -h ldap2 -p 3998 -D "cn=directory manager" -w - -f ./modify.ldif
ldapmodify -h ldap3 -p 3998 -D "cn=directory manager" -w - -f ./modify.ldif

Verify if the DSCC now works in SSL

Now all should look nice

# dsccreg list-servers -C -a
Enter DSCC administrator's password:
Hostname  Port  sPort  Type  Owner     iPath                            LDAP  sTLS    LDAPS
--------  ----  -----  ----  --------  -------------------------------  ----  ------  ------
ldap3  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Ok      Ok
ldap1  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Ok      Ok
ldap2  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Ok      Ok
3 server instance(s) found in DSCC on localhost.

Note: this is only needed for the DSCC LDAP instance; for any other instance it is not needed, as it gets fixed by going into the DSCC GUI.
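For the verification step above, the following is an added example (not code from the original post or from DSEE) that parses the dsccreg list-servers table and reports every server whose sTLS or LDAPS column is not Ok, so the check can run from a script instead of being eyeballed. The sample output is constructed from the table shown in this post.

```python
# Constructed sample, shaped like the "dsccreg list-servers -C -a" output above.
DSCCREG_OUTPUT = """\
Enter DSCC administrator's password:
Hostname  Port  sPort  Type  Owner     iPath                            LDAP  sTLS    LDAPS
--------  ----  -----  ----  --------  -------------------------------  ----  ------  ------
ldap3  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Denied  Denied
ldap1  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Ok      Ok
ldap2  3998  3999   ADS   noaccess  /var/opt/SUNWdsee/dscc6/dcc/ads  Ok    Denied  Denied
3 server instance(s) found in DSCC on localhost.
"""

def parse_list_servers(text):
    """Return one dict per server row, keyed by the header column names."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.startswith("Hostname"))
    cols = lines[hdr].split()
    rows = []
    for line in lines[hdr + 2:]:            # skip the header and the dashes
        fields = line.split()
        if len(fields) != len(cols):        # footer line or anything unexpected
            continue
        rows.append(dict(zip(cols, fields)))
    return rows

def ssl_problems(text, checks=("sTLS", "LDAPS")):
    """List (hostname, column, value) for every SSL column that is not Ok."""
    return [(r["Hostname"], c, r[c]) for r in parse_list_servers(text)
            for c in checks if r[c] != "Ok"]

if __name__ == "__main__":
    # Feed it the captured output of: dsccreg list-servers -C -a
    for host, col, val in ssl_problems(DSCCREG_OUTPUT):
        print(f"{host}: {col} is {val}, add that server's certificate to its DSCC entry")
```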

To extend the Web Console timeout

wcadmin add -p -a ROOT session.timeout.value=mm   (replace mm with the desired timeout value)

Example:
wcadmin add -p -a ROOT session.timeout.value=120

Reference link

What's next: How to set up your first directory instance, click here
