
Configuring DS Replication with PKI Tools

Endi S. Dewata edited this page Jan 8, 2024 · 21 revisions

Overview

This page describes the process to configure bi-directional replication between two DS instances using PKI tools.

Availability: Since PKI 11.5

Prerequisites

  • Install primary DS

  • Import data into primary DS (by installing a primary PKI subsystem)

  • Install secondary DS

Preparing DS Backend

To create a secondary PKI subsystem:

$ pki-server create
$ pki-server nss-create --no-password
$ pki-server ca-create

To configure the DS connection parameters for the secondary PKI subsystem:

$ pki-server password-add --password Secret.123 internaldb
$ pki-server ca-db-config-mod \
    --hostname secondaryds.example.com \
    --port 3389 \
    --secure false \
    --auth BasicAuth \
    --bindDN "cn=Directory Manager" \
    --bindPWPrompt internaldb \
    --database ca \
    --baseDN dc=ca,dc=pki,dc=example,dc=com \
    --multiSuffix false \
    --maxConns 15 \
    --minConns 3

To create a new DS backend in the secondary DS:

$ pki-server ca-db-create

Enabling Replication

To enable replication on the primary DS:

$ pki-server ca-db-repl-enable \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --replica-id 1 \
    --suffix dc=ca,dc=pki,dc=example,dc=com

To enable replication on the secondary DS:

$ pki-server ca-db-repl-enable \
    --url ldap://secondaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --replica-id 2 \
    --suffix dc=ca,dc=pki,dc=example,dc=com

Creating Replication Agreements

To create a replication agreement on the primary DS:

$ pki-server ca-db-repl-agmt-add \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-url ldap://secondaryds.example.com:3389 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds

To create a replication agreement on the secondary DS:

$ pki-server ca-db-repl-agmt-add \
    --url ldap://secondaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --replica-url ldap://primaryds.example.com:3389 \
    --replica-bind-dn "cn=Replication Manager,cn=config" \
    --replica-bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    secondaryds-to-primaryds

Initializing Replication Agreement

To initialize the replication agreement on the primary DS:

$ pki-server ca-db-repl-agmt-init \
    --url ldap://primaryds.example.com:3389 \
    --bind-dn "cn=Directory Manager" \
    --bind-password Secret.123 \
    --suffix dc=ca,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds
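Once the agreement on the primary DS has been initialized, the next thing to confirm is that the total update and the following incremental updates actually succeeded. The script below is an added example, not part of the PKI project or of this page: it parses the agreement entry as an ldapsearch of cn=config would return it (a constructed sample LDIF is embedded, using real 389 DS agreement attribute names with illustrative status values) and flags any non-zero status code or an update that is still in flight.

```python
import re

# Constructed sample of the agreement created on the primary DS above, as an
# ldapsearch of cn=config would show it (real 389 DS attribute names, illustrative
# values). Fetch the real entry with, e.g.:
#   ldapsearch -x -H ldap://primaryds.example.com:3389 -D "cn=Directory Manager" -W \
#     -b "cn=mapping tree,cn=config" "(objectClass=nsds5replicationagreement)"
SAMPLE_LDIF = """\
dn: cn=primaryds-to-secondaryds,cn=replica,cn=dc\\3Dca\\2Cdc\\3Dpki\\2Cdc\\3Dexample\\2Cdc\\3Dcom,
 cn=mapping tree,cn=config
cn: primaryds-to-secondaryds
nsDS5ReplicaHost: secondaryds.example.com
nsDS5ReplicaPort: 3389
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsds5replicaLastInitStatus: Error (0) Total update succeeded
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
"""

# Matches both 'Error (0) Total update succeeded' and the older '0 Total update succeeded'.
STATUS_RE = re.compile(r"^(?:Error \()?(-?\d+)\)?\s*(.*)$")

def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts, unfolding first."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # join continuation lines
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + [current] if current else entries

def status_code(value):
    """Split a 389 DS status string into (numeric code, message)."""
    m = STATUS_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)

def check_agreement(entry):
    """Return (ok, problems): init and incremental status must be code 0, nothing in flight."""
    problems = []
    first = lambda attr: entry.get(attr.lower(), [""])[0]
    for label, attr in (("init", "nsds5replicaLastInitStatus"),
                        ("update", "nsds5replicaLastUpdateStatus")):
        code, msg = status_code(first(attr))
        if code != 0:
            problems.append(f"{label}: {msg or 'no status recorded yet'}")
    if first("nsds5replicaUpdateInProgress").upper() == "TRUE":
        problems.append("update still in progress")
    return not problems, problems
```

Run the same check against the secondaryds-to-primaryds agreement on the secondary DS: its init status stays empty until that agreement is initialized or the secondary receives its first total update.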