Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
15.13. Configuring Changelog Encryption
To increase security, Directory Server supports encrypting the changelog. This section explains how to enable this feature.
Prerequisites
The server must have a certificate and key stored in the network security services (NSS) database. Therefor, enable TLS encryption on the server as described in Section 9.4.1, “Enabling TLS in Directory Server”.
Procedure
To enable changelog encryption:
- Except for the server on which you want to enable changelog encryption, stop all instances in the replication topology by entering the following command:
dsctl instance_name stop
# dsctl instance_name stopCopy to Clipboard Copied! Toggle word wrap Toggle overflow - On the server where you want to enable changelog encryption:
- Export the changelog, for example, to the
/tmp/changelog.ldiffile:dsconf -D "cn=Directory Manager" ldap://server.example.com replication dump-changelog -o /tmp/changelog.ldif
# dsconf -D "cn=Directory Manager" ldap://server.example.com replication dump-changelog -o /tmp/changelog.ldifCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Stop the instance:
dsctl instance_name stop
# dsctl instance_name stopCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Add the following setting to the
dn: cn=changelog5,cn=configentry in the/etc/dirsrv/slapd-instance_name/dse.ldiffile:nsslapd-encryptionalgorithm: AES
nsslapd-encryptionalgorithm: AESCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Start the instance:
dsctl instance_name start
# dsctl instance_name startCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Import the changelog from the
/tmp/changelog.ldiffile:dsconf -D "cn=Directory Manager" ldap://server.example.com replication restore-changelog from-ldif /tmp/changelog.ldif
# dsconf -D "cn=Directory Manager" ldap://server.example.com replication restore-changelog from-ldif /tmp/changelog.ldifCopy to Clipboard Copied! Toggle word wrap Toggle overflow
- Start all instances on the other servers in the replication topology using the following command:
dsctl instance_name start
# dsctl instance_name startCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
To verify that the changelog is encrypted, run the following steps on the server with the encrypted changelog:
- Make a change in the LDAP directory, such as updating an entry.
- Stop the instance:
dsctl stop instance_name
# dsctl stop instance_nameCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Enter the following command to display parts of the changelog:
dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/replica_name_replGen.db | tail -50
# dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/replica_name_replGen.db | tail -50Copy to Clipboard Copied! Toggle word wrap Toggle overflow If the changelog is encrypted, you see only encrypted data. - Start the instance:
dsctl start instance_name
# dsctl start instance_nameCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}