Home
Products
Red Hat Directory Server
11
Administration Guide
15.13. Configuring Changelog Encryption

15.13. Configuring Changelog Encryption

To increase security, Directory Server supports encrypting the changelog. This section explains how to enable this feature.

Prerequisites

The server must have a certificate and key stored in the network security services (NSS) database. Therefor, enable TLS encryption on the server as described in Section 9.4.1, “Enabling TLS in Directory Server”.

Procedure

To enable changelog encryption:

Except for the server on which you want to enable changelog encryption, stop all instances in the replication topology by entering the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
dsctl instance_name stop
```
```
# dsctl instance_name stop
```

On the server where you want to enable changelog encryption:

Export the changelog, for example, to the /tmp/changelog.ldif file:

Copy to Clipboard Toggle word wrap

dsconf -D "cn=Directory Manager" ldap://server.example.com replication dump-changelog -o /tmp/changelog.ldif

# dsconf -D "cn=Directory Manager" ldap://server.example.com replication dump-changelog -o /tmp/changelog.ldif

Stop the instance:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
dsctl instance_name stop
```
```
# dsctl instance_name stop
```
Add the following setting to the dn: cn=changelog5,cn=config entry in the /etc/dirsrv/slapd-instance_name/dse.ldif file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
nsslapd-encryptionalgorithm: AES
```
```
nsslapd-encryptionalgorithm: AES
```
Start the instance:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
dsctl instance_name start
```
```
# dsctl instance_name start
```

Import the changelog from the /tmp/changelog.ldif file:

Copy to Clipboard Toggle word wrap

dsconf -D "cn=Directory Manager" ldap://server.example.com replication restore-changelog from-ldif /tmp/changelog.ldif

# dsconf -D "cn=Directory Manager" ldap://server.example.com replication restore-changelog from-ldif /tmp/changelog.ldif

Start all instances on the other servers in the replication topology using the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
dsctl instance_name start
```
```
# dsctl instance_name start
```

Verification

To verify that the changelog is encrypted, run the following steps on the server with the encrypted changelog:

Make a change in the LDAP directory, such as updating an entry.
Stop the instance:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
dsctl stop instance_name
```
```
# dsctl stop instance_name
```

Enter the following command to display parts of the changelog:

Copy to Clipboard Toggle word wrap

dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/replica_name_replGen.db | tail -50

# dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/replica_name_replGen.db | tail -50

If the changelog is encrypted, you see only encrypted data.

Start the instance:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
dsctl start instance_name
```
```
# dsctl start instance_name
```

15.13. Configuring Changelog Encryption

Prerequisites

Procedure

Verification

Additional Resources

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links