Guide to LDAP Replication, Failover and Homing configuration

Draft extracted 2010-4-9 3:27

The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.

Documentation version:

PN:

Legal Notice
Copyright © 2010 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party (“Third Party Programs”). Some of the Third Party
Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under
those open source or free software licenses. Please see the Third Party Legal Notice Appendix
to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ Telephone and/or web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our web site
at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level

■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical
support web page at the following URL:
www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals

Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan customercare_apac@symantec.com

Europe, Middle-East, and Africa semea@symantec.com

North America and Latin America supportsolutions@symantec.com

Additional enterprise services


Symantec offers a comprehensive set of services that allow you to maximize your
investment in Symantec products and to develop your knowledge, expertise, and
global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:

Managed Services Managed Services remove the burden of managing and monitoring security
devices and events, ensuring rapid response to real threats.

Consulting Services Symantec Consulting Services provide on-site technical expertise from
Symantec and its trusted partners. Symantec Consulting Services offer a variety
of prepackaged and customizable options that include assessment, design,
implementation, monitoring, and management capabilities. Each is focused on
establishing and maintaining the integrity and availability of your IT resources.

Education Services Education Services provide a full array of technical training, security education,
security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site
at the following URL:
www.symantec.com/business/services/
Select your country or language from the site index.

Contents

Chapter 1 Overview ................................................................................. 9

Overview of the Guide .................................................................... 9


Assumptions ................................................................................. 9

Chapter 2 Directory Replication ......................................................... 11

Directory Replication - Overview .................................................... 11


Directory Replication tasks ............................................................ 13
Certificate Exchange ............................................................... 14
Directory Registration ............................................................ 20
Setup Replication agreements .................................................. 23
Configure SSIM to install Replicas to Master Directory ................. 26
Testing and validating replication ............................................. 27

Chapter 3 Configuring Directory Failover ......................................... 31


Directory Failover Overview ........................................................... 31

Chapter 4 Configuring Homing ........................................................... 33

Directory Homing Overview ........................................................... 33


Verifying Homing Configuration ..................................................... 35

Appendix A Troubleshooting and using IBM LDAP diff tool ............. 37


Error messages and troubleshooting ............................................... 37
LDAP Server Unavailable ............................................................... 37
Directory information is not or does not synchronize ......................... 38
Recovering from a situation where the ibm-replicationState for a
replication agreement is in Retrying state .................................. 40
During the replication process, the certificates did not exchange
correctly, or they have been corrupted. ...................................... 40
Removing a SSIM Directory Replica ................................................. 41
Using the IBM LDAP Diff tool ......................................................... 41

Technical Support ............................................................................................... 4


Chapter 1
Overview
This chapter includes the following topics:

■ Overview of the Guide

■ Assumptions

Overview of the Guide


This document contains the detailed instructions needed to set up Directory
Replication, Directory Failover, and Directory Homing.
■ Directory Replication replicates all LDAP settings between multiple SSIM
Directory Servers using read/write peer-to-peer replication. Having multiple
directories is what makes failover and homing possible.
■ Directory Failover allows SSIM Servers to connect to alternate SSIM Directories
if their primary directory becomes unreachable.
■ Directory Homing allows SSIM Servers to connect to preferred SSIM
Directories, such as a directory that is geographically closer to them, thus
improving performance.

Assumptions
All of these will be further defined through this document. This document assumes
the use of 3 SSIM Directory Machines – 1 Master Directory, and 2 Replica
Directories. From these instructions based on 3 directories, it should then be easy
to extrapolate specific instructions that could be used for only 2 SSIM Directories,
or 4 or more SSIM Directories.
Throughout the remainder of this document, the following will be assumed:
1. Machine hostname nomenclature used in this document:

■ LDAP1.SSIM
This is the FQDN (Fully Qualified Domain Name) of the Master SSIM
Directory.
■ LDAP2.SSIM
This is the FQDN of a Replica SSIM Directory.
■ LDAP3.SSIM
This is the FQDN of a Replica SSIM Directory.
Note: All Replica Directories are equal. There is no ordering, weighting, or
ranking assigned to Replica Directories.
2. The SSIM Domain name throughout this document will assume the name –
SSIMDomain.com
3. DNS is completely and correctly configured. All machines can be resolved
using fully qualified domain names. There should be no need to manually
edit hosts files.
4. NTP servers are being used and all times on all machines are synchronized.
5. Machines have been installed with a version of SSIM compatible with this
document (4.6.3+, 4.7.x), and are all in their own Domain – meaning they have
not been registered to any other directory. They may all have the same domain
name configured during installation, but should not be registered to any other
machine after installation.
6. All commands to be run on any SSIM Server assume the user is logged onto
that machine locally or remotely as the Linux root user, such as via a DRAC
or SSH Terminal session.
7. When a command is listed in this document, it is a single line command,
unless otherwise specified. Due to word wrapping and paper size, a command
may not fit on a single line as displayed in this document.

Chapter 2
Directory Replication
This chapter includes the following topics:

■ Directory Replication - Overview

■ Directory Replication tasks

Directory Replication - Overview


SSIM Directory Replication creates Master and Replica Directories which are all
Read/Write, and fully synchronized to and from each directory. If a change is
made on LDAP1.SSIM, it will then immediately synchronize to LDAP2.SSIM and
LDAP3.SSIM. Similarly, if a change is made on LDAP3.SSIM, that change will also
immediately synchronize to LDAP1.SSIM and LDAP2.SSIM. Using three Directories,
the following figure portrays the replication agreements and flow between the
directory machines. Replication Agreements are the green lines.

Figure 2-1 Three Directory Replication

■ LDAP1.SSIM Replication is set up to both LDAP2.SSIM and LDAP3.SSIM
■ LDAP2.SSIM and LDAP3.SSIM have a replication agreement between them.
Using three directories, three Replication Agreements are created. In this
replication setup, any change made on any directory will immediately replicate
to all other directories. Redundant replication agreements are created to also
account for failover situations. You must create replication agreements between
every directory.
Below is an example of how a four machine replication would be configured.
Replication Agreements are displayed here in purple lines.

Figure 2-2 Four Directory Replication

Adding a 4th Directory greatly increases the complexity of replication agreements.


To keep the ‘mesh’ replication, this type of setup needs 6 Replication Agreements
which ensures that during any failover situation, all machines are synchronized.

Directory Replication tasks


Before you start Directory Replication, you must note the following:

Warning: If you do not set up all of the necessary replication agreements your
replication setup will break.

Directory Replication setup can be divided into the following tasks:


■ Certificate Exchange
■ Directory Registration
■ Setup Replication agreements
■ Configure SSIM to install Replicas to Master Directory.

Certificate Exchange
Before replication between SSIM Servers can be configured, the servers must
all trust each other. To achieve this, a certificate from each machine is
shared with all other machines.

Note: A new certificate gets created when the network settings or date/time change
or if customers are using signed certificates. These certificates are usually valid
for one year only.

Before exchanging certificates:


1. If you are using custom certificates, they must all be added and configured
on each SSIM Server.
2. If you plan to move any machine to a different time zone, change the time
zone before continuing with certificate exchanges.
3. The current certificate name must be obtained and will be used in the following
commands.
■ Logon to each SSIM Server Web configuration interface via a URL such
as https://LDAP1.SSIM
■ Open the Certificate Management page
For those using SSIM 4.6.x: This is a link in the left pane
For those using SSIM 4.7.x: This is the Certificate option in the Settings
view.
■ Find the Default Certificate Label for each machine
SSIM 4.6.x: Click the ‘Show Default Certificate’ button.
SSIM 4.7.x: Select the ‘View Default Certificate’ link in the left pane.
■ Record the value listed next to ‘Label:’. A default SSIM installation
Certificate Label will be SESA. This value will be used in most of the
commands following in this section.

Figure 2-3 Web configuration interface showing default SESA Certificate

To exchange Certificates
1 Logon to the SSIM Server as root using a local or remote console session (via
a DRAC or SSH Terminal).
■ On each server, run the following command from any folder. This
command is on a single line:
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP1.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
Where:

■ SESA – is the name of the certificate label recorded above.


■ LDAP1.crt – is a descriptive name of the certificate to store. The name
should be based on the machine name to help recognize certificates.
The above command extracts and places the certificate in the /tmp folder.
While this location can be changed, it is suggested to use the /tmp folder
as it is an easily found and common location to use amongst all SSIM
Servers. The /tmp folder is assumed in all certificate commands
throughout this document.

2 Using the example three server names that are used in this document and
assuming SESA is the certificate label on each server, run the following
commands:
On LDAP1.SSIM
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP1.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP2.SSIM
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP2.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP3.SSIM
gsk7cmd.ssim -cert -extract -db /etc/symantec/ses/key.kdb -label SESA -target /tmp/LDAP3.crt -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

3 Copy certificates to each of the SSIM Servers using an SCP application directly
from the server, or via Windows. If you are using a Windows SCP application
to transfer files from each SSIM Server to a Windows machine, then you must
follow the steps outlined below:
■ Create a folder on the Windows computer to store all certificates.
■ Using the Windows SCP application, open the /tmp folder on each SSIM
Server and copy the new .crt file to the folder on your Windows computer.
■ Using the Windows SCP application, copy all of the .crt files from the
Windows folder to the /tmp folder on each of the SSIM servers. The goal
is to have a certificate for each server stored in the /tmp folder on each
server.
After completing the steps detailed above, LDAP1.SSIM, LDAP2.SSIM, and
LDAP3.SSIM would all have the following files in their /tmp folders:
LDAP1.crt, LDAP2.crt, LDAP3.crt.
Insert figure for Certificate files on a SSIM Server, in the /tmp folder:
4 To insert certificates into each SSIM Server, logon as root using a local or
remote console session.
■ On each server, run the following command for each new certificate, from
any folder:
gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
Note: The above command is all in a single line.
With the appropriate modifications shown below, this command must be run
twice on each SSIM Server: once for the certificate of each of the other 2
servers.
Where:
■ LDAP1.crt – is the certificate file of one of the other servers (not the one
you are logged onto).
■ LDAP1Cert – is a unique label to be given to that server’s certificate.
This can be any name, however it is much easier to use descriptive labels
such as the one used above.

Using the three machine names used as an example in this document, the following
commands must be run (2 commands per server):
On LDAP1.SSIM
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP2.crt -db /etc/symantec/ses/key.kdb -label LDAP2Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP3.crt -db /etc/symantec/ses/key.kdb -label LDAP3Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP2.SSIM
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP3.crt -db /etc/symantec/ses/key.kdb -label LDAP3Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

On LDAP3.SSIM
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP2.crt -db /etc/symantec/ses/key.kdb -label LDAP2Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
■ gsk7cmd.ssim -cert -add -file /tmp/LDAP1.crt -db /etc/symantec/ses/key.kdb -label LDAP1Cert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`

Figure 2-4 Certificate files on a SSIM Server, in the /tmp folder

Testing Certificate Exchange


After the certificates have been exchanged, no restart of the server or services is
required. When complete, tests can be done via a command line to ensure the
certificates are added and are correct. The following command can be run on each
SSIM server to validate a connection to the other servers using the new certificates.
You must logon as root user and run the command from any folder. This command
attempts to connect to a different SSIM Server and obtain the Location object
from the directory. It is entered on a single line:
idsldapsearch -h LDAP2.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Where:
■ LDAP2.SSIM
Is the hostname of the SSIM Server which you want to test the connection to.
■ password – is the password for the directory’s cn=root user.
■ dc=SSIMDomain,dc=com
Is the full notation for the SSIM Domain name. In this example, the SSIM
Domain name is SSIMDomain.com. If your domain name is
SSIM.MyCompany.com, then this value would be
dc=SSIM,dc=MyCompany,dc=com. ou=Locations must precede this value,
and o=symc_ses must follow it. There are no spaces in this entire value.
After running this command, no errors should be displayed. An output describing
the Locations container in the directory should be displayed on the screen.
As an example, the output displayed when testing the connection from
LDAP1.SSIM to LDAP2.SSIM is shown below:
ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses ou=Locations description=The
root of the SYMC Locations DIT. objectclass=top objectclass=organizationalUnit
Note: The dc=SSIMDomain,dc=com is the long format of the SSIM Domain name.
Using the example computer names used in this document and assuming SESA
is the certificate label on each, the following commands would be run (2 commands
per SSIM Server):

Commands to be run on LDAP1.SSIM
1 idsldapsearch -h LDAP2.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*
2 idsldapsearch -h LDAP3.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Commands to be run on LDAP2.SSIM
1 idsldapsearch -h LDAP1.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*
2 idsldapsearch -h LDAP3.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Commands to be run on LDAP3.SSIM
1 idsldapsearch -h LDAP1.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*
2 idsldapsearch -h LDAP2.SSIM -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b ou=Locations,dc=SSIMDomain,dc=com,o=symc_ses -s base objectclass=*

Directory Registration
Starting with three installed SSIM Servers, two of the SSIM Servers must register
to the first SSIM Server (LDAP2.SSIM and LDAP3.SSIM would register to
LDAP1.SSIM). This is the process needed to join all of the SSIM Servers into the
same, single SSIM Domain.
To do this, the SSIM Web configuration interface will be used. Before proceeding,
ensure all machine names are resolvable, and the Date/Time on all are
synchronized.
Symantec recommends that full DNS and NTP support be configured in your
network environment prior to deploying or configuring SSIM.

Command line options are available to do this, and are described in Appendix A
and B. However, for the purpose of this document section, and for ease of use, the
Web configuration interface must be used for all directory registration. Because
the Web configuration interface validates user input, and makes the command
less error prone, this is the suggested method for any directory registration for
any user.
To perform Directory Registration
1 The following procedure assumes that LDAP1.SSIM will be the Master SSIM
Directory, and all others will be replicas. SSIMDomain.com will be the SSIM
domain name for all machines when done.
Register LDAP2.SSIM to LDAP1.SSIM
■ Open the Web configuration interface on the Replica Directory –
https://LDAP2.SSIM
■ Logon as the SSIM Administrator
■ Access the Directory Registration section.
If you are using SSIM 4.6.x, this is a link in the left pane
If you are using SSIM 4.7.x, select this from the Settings menu.
■ Fill out the following required information:
■ Hostname or IP Address
This is the Hostname or IP of the Master Directory. Following this
document, this would be LDAP1.SSIM. It is highly suggested to use the
FQDN and not an IP Address or alias.
■ LDAP port
This will always be 636.
■ LDAP cn=root password
This is the password on LDAP1.SSIM assigned to the IBM Directory
cn=root user. By default, this is the password you entered during the
SSIM installation, and is typically the same as the SSIM Administrator
or Linux root user password.
■ Administrator
This is the SSIM Administrator name on LDAP1.SSIM. This is typically
‘administrator’.
■ Password
The password for the SSIM Administrator account.
■ Domain
The full SSIM Domain name for LDAP1.SSIM. In this document example
this would be SSIMDomain.com.

■ Click the Register icon.


A new window will open and will show the progress of the registration
process.
This process will take 40 to 60 minutes to complete
You can move around the UI, or close and re-open the Web configuration
interface and return to Directory Registration view to continue to monitor
the registration process.
You can also monitor the progress via the log file on the server
(LDAP2.SSIM) in /opt/Symantec/simserver/logs/dirreg.log
When the process is completed, a completed message will appear in the
status, and all status indicators will be green.

2 Register LDAP3.SSIM to LDAP1.SSIM


Follow the same instructions for LDAP2.SSIM, substituting LDAP3.SSIM
accordingly.

Figure 2-5 Directory Registration through the Web configuration interface

To verify Directory Registration


◆ To verify successful registration, logon to the SSIM Console for LDAP1.SSIM
machine and then verify the following:
■ System view > Administration Tab > Organizational Units > Default: This
container should show the 2 added SSIM Servers – LDAP2.SSIM and
LDAP3.SSIM.

■ System view > Appliance Configurations: This should list all 3 SSIM
Directories being configured – LDAP1.SSIM, LDAP2.SSIM, LDAP3.SSIM
On SSIM 4.7.x, this tab is named Server Configurations.
There is no need to perform any appliance configurations yet at this point.
There are many more steps to complete to finalize the replications.
■ System view > Visualizer: This should show all 3 SSIM Servers in the
diagram.
■ Currently only 1 directory will show in this diagram. All 3 will show
after finalizing replication.
■ Appliance configuration should be done after the replication process
is fully complete.

Figure 2-6 Console showing registered Directories

Setup Replication agreements


Now that all SSIM Directories are registered to the same SSIM Domain, and
certificates have been exchanged so they all trust each other, directory replication
can now be performed. Directory replication utilizes a tool that is downloaded
from the SSIM Web configuration interface, and run on a Windows machine
running Java version 1.6.x.

Warning: If you have an existing replication agreement with another Server, then
you must not perform ldap restore.

Before running replication commands:


■ Download the Directory Replication Tool from the Web configuration interface.
If you are using SSIM 4.6.x – Available from the Downloads link in the left
pane.
If you are using SSIM 4.7.x – Available from the Downloads option in the Home
view.
■ Extract this tool to a Windows machine running Java 1.6.x.
For the examples used in this document, it is assumed the tool is uncompressed
to C:\Dirreplicatool.
■ Verify the tool can be run. From a command prompt, in the folder where the
tool was uncompressed, execute the following command:
java -jar dirreplicatool.jar -help
Help output should show on the screen with version information as follows:
Version 1.0a10 -- built 4/17/2009 12:48 AM

To run the Replica tool to create agreements between all machines.


1 To replicate from Master to Replica Directories do the following:
From a command prompt, in the folder where the tool exists, the following
command should be executed for each replication agreement from Master to
Replica directories. This command is entered on a single line.
java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP2.SSIM:636 password

Here
LDAP1.SSIM – is the Master SSIM Directory.
LDAP2.SSIM – is one of the Replica SSIM Directories.
password – is the cn=root password for the directory.
This command will be run one time per replica to create agreements from
the Master to each Replica Directory.
2 In the examples used in this document, the two commands would be run as
follows:
java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP2.SSIM:636 password

java -jar dirreplicatool.jar replicate -from ldaps://LDAP1.SSIM:636 password -to ldaps://LDAP3.SSIM:636 password

When complete, if successful, the following output should be displayed at
the command line:
Completed setting up replication credentials
Completed replication operation


3 Set up the Replication Agreement between Replica Directories as follows:
From a command prompt in the folder where the tool exists, the following
command is executed once per replication agreement between the replicas
only. This command is entered on a single line.
java -jar dirreplicatool.jar setupreplicationagreement -primary
ldaps://LDAP2.SSIM:636 password -secondary ldaps://LDAP3.SSIM:636
password

Where
LDAP2.SSIM – Is a Replica SSIM Directory
LDAP3.SSIM – Is the other Replica SSIM Directory
password – is the cn=root password for the directory.
This command is run once per replica pair. In a three directory environment,
where there are two replicas, this command is only needed once. In a four
directory environment, this command would be run three times. This
command should never use the Master Directory hostname, and should only
replicate using replica hostnames.
Using the environment setup example described in this document, the above
command is run verbatim, and only run once.
When complete, the following should be output at the command line:
Completed setting up peer to peer replication agreement.

Configure SSIM to install Replicas to Master Directory


Install Replica as follows:
The final step in the replication process is to insert each replica into the Master
SSIM Directory and designate them as Read/Write Replica SSIM Directories. This
step is performed by running a command on the Master SSIM Server command
line (LDAP1.SSIM), as the root user. This command can be run from any folder,
and is run once per replica directory. From a local or remote console session to
the Master SSIM Directory (LDAP1.SSIM), run the following command:
sesa-setup -install-replica

After this is entered, a series of prompts will be displayed and await user input:
Provide SESA Directory connection parameters when prompted:
Enter SESA domain password and press [ENTER]:
Provide SESA Directory replica connection parameters when prompted:
Enter SESA Directory hostname/ip of the replica and press [Enter]: LDAP2.SSIM


Enter SESA Directory port of the replica and press [Enter]: 636
Enter SESA Manager hostname/ip of the Replica and press [Enter]: LDAP2.SSIM
Where:
SESA domain password – The cn=root password for the directory
SESA Directory hostname/ip of the replica – The hostname for a replica directory.
SESA Directory port of the replica – This should always be 636
SESA Manager hostname/ip of the Replica – This is the same value as entered in
the above SESA Directory hostname/ip value
This command should only take a few minutes to run. When done, the following
should output to the command line:
*** Completed ***

This command is only run from the Master SSIM Directory (such as LDAP1.SSIM),
and is run once for each replica directory being added. In the examples used in
this document, this command would be run twice, once each for LDAP1.SSIM
and LDAP2.SSIM.
At this time, all directory replication should be complete.

Testing and validating replication


Testing replication can be done from both the SSIM Console and via the command
line on the SSIM Servers. Validate from the SSIM Console as shown below.
To validate from the SSIM Console
1 Logon to the SSIM Console.
2 From the System view, open the Administration tab.
3 Open the Directories container.


4 All Directories should be listed here, each with the correct Directory type.
a. In the examples in this document, the following directories should have
the type:
LDAP1.SSIM – Read/Write Master
LDAP2.SSIM – Read/Write Replica
LDAP3.SSIM – Read/Write Replica
5 Verify new objects are replicated in the UI:
a. Logon to the SSIM Console on the Master SSIM Directory (such as
LDAP1.SSIM).
b. Create a new user.
c. Logon to the SSIM Console on a Replica SSIM Directory (such as LDAP2.SSIM).
d. Verify the new user created above exists.

Figure 2-7 Directories on the SSIM console System view


To validate from the SSIM Server command line


1 Open a local or remote session to a SSIM Server console and logon as the root
user.
2 Run the following command on a single line:
idsldapsearch -h localhost -p 636 -D cn=root -w password -K /etc/symantec/ses/key.kdb -b cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses -s one objectclass=* host

where
password – is the cn=root password for this SSIM Domain
dc=SSIMDomain,dc=com – is the long format of the SSIM Domain
3 When done, information for all SSIM Directory machines will be output. You
will see something similar to the following for each SSIM Directory configured:
dlmName=0a001e841ad7a870125791e436a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP1.SSIM

4 Run this command on each SSIM Directory server (Master and Replicas).
Using the examples in this document, each time the command is run, the
information for three servers, where host is LDAP1.SSIM, LDAP2.SSIM, and
LDAP3.SSIM, is displayed as follows:
dlmName=0a001e841ad7a870125791bcf9a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP1.SSIM

dlmName=0a001e841ad7a870123714d954001005,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP2.SSIM

dlmName=0a001e841ad7a870125791e436a01001,cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses
host=LDAP3.SSIM


Chapter 3
Configuring Directory Failover
This chapter includes the following topics:

■ Directory Failover Overview

Directory Failover Overview


Directory failover is configured to allow machines to connect to a different
directory if the one they are connected to fails, or cannot be contacted on the
network. Directory failover can also be configured to specify local directory
homing, which is covered in the following chapter. Directory failover
configuration consists of specifying the Primary SSIM Directory. The order of
failover to Secondary SSIM Directories is calculated by the system and is not
configurable.

Note: A SSIM Primary Directory does not necessarily have to be the same machine
as the Master Directory. For failover-only use cases, the Primary and Master
Directory will typically be the same. For Directory Homing, these may differ.

To configure Directory failover


1 Logon to the SSIM Console as a member of the Administrator role.
2 Open the System view, then select the Product Configurations tab.
3 From the SSIM Domain name listed, drill down to SSIM Agent and Manager
> Manager Connection Configurations.
4 Create a new configuration and add all SSIM servers to it.
5 When done, select this new configuration and open the SSIM Directory
Failover tab.


6 In the Primary Directory field, select the directory machine you want to serve
as the Primary SSIM Directory. This will be the directory all SSIM servers
attempt to contact first to get directory information such as configurations
and authentication.
7 Set all other applicable values and Save.
When clicking the Save button, there is no longer a need to distribute. In
SSIM 4.6 and above, this is done automatically after any configuration has
been changed or saved.
For details on the other settings in this configuration, click the Help icon in
the tool bar. Each configurable property will be explained in detail.
In this configuration, only a Primary can be selected. The order of secondary
directories is determined by each SSIM Server.

Figure 3-1 Configuring SSIM Directory Failover on SSIM console


Chapter 4
Configuring Homing
This chapter includes the following topics:

■ Directory Homing Overview

■ Verifying Homing Configuration

Directory Homing Overview


Directory Homing is used to force certain SSIM Servers to connect to a specific
SSIM Directory. This directory can be any Master or Replica SSIM Directory in
the environment. The most common use case for this is to improve performance
when using a SSIM environment that is spread out geographically.
Use Case: A customer has large corporate locations in Chicago, Tokyo, and Dublin.
Chicago is the company’s headquarters and the main IT center for the
corporation, and SSIM Servers are installed in all 3 geographical regions. In this
case, SSIM Directories could be installed in all 3 of these cities, using Chicago as
the Master Directory and Tokyo and Dublin as Replica Directories. In a default
setup, when someone logs onto SSIM in Tokyo or Dublin, SSIM information and
authentication are actually retrieved from the Chicago SSIM Directory. This can
be over a very slow link, and may cause performance issues. For better reliability
and performance, Directory Homing can be configured to force all SSIM Servers
in a region to use the SSIM Directory that is closest to them. In this example, a
SSIM Server in Osaka, Japan can be configured to contact the SSIM Replica
Directory in Tokyo, Japan first, instead of going all the way to Chicago.
Homing utilizes SSIM Directory Failover configurations to specify the Primary
SSIM Directory a group or region of SSIM Servers should use.
To configure SSIM Directory Homing
1 Logon to the SSIM Console as a member of the Administrator role.
2 Open the System view, then select the Product Configurations Tab.


3 From the SSIM Domain name listed, drill down to SSIM Agent and Manager
> Manager Connection Configurations.
4 Create a new configuration for each logical region, where a SSIM Master or
Replica Directory will be placed.
a. Using the customer example above, configurations would be created such
as Americas, APAC, and EMEA.
5 Assign logical regional SSIM Servers to each regional configuration.
Using the customer example above, SSIM Servers in Nashville and Norfolk
would be assigned to the Americas configuration, Servers in Dublin and Paris
would be added to the EMEA configuration, and so on.
6 Modify each configuration and select the Primary Directory to be the directory
closest to their region.
Using the use case above, the Americas configuration would select the Chicago
SSIM Directory as the Primary Directory. The APAC configuration would
select the Tokyo SSIM Directory (which is a replica) as the Primary Directory.
The EMEA configuration would select the Dublin Directory.
In the following image, LDAP3.SSIM is in Tokyo, and is a Replica Directory. All
SSIM Servers in the entire APAC region should be assigned to this configuration.
By setting LDAP3.SSIM as the Primary, any machine assigned to this configuration
will first try to connect to LDAP3.SSIM in Tokyo to get directory information such
as configurations, authentication, etc.


Figure 4-1 SSIM Directory Failover configuration - showing Homing to LDAP3.SSIM

Verifying Homing Configuration
Once Directory Failover and Homing configurations are complete, a simple
verification is to use the Visualizer in the UI to view SSIM Servers. Each
SSIM Server should connect to the desired SSIM Directory. The connection is
represented by a pink line from Server to Directory.


Figure 4-2 Directory Homing using 3 Directories

The above image is stamped with 3 numbers to show Directory Homing:


■ Stamp 1 shows the Tokyo Region. The circled directory is LDAP3.SSIM in
Tokyo, and is a Replica Directory. The SSIM Appliance connecting to it (pink
line) is in Osaka.
■ Stamp 2 shows the EMEA region. The circled directory is LDAP2.SSIM in
Dublin, and is a Replica Directory. The SSIM Appliance connecting to it is in
Paris.
■ Stamp 3 shows the Americas Region. The circled directory is LDAP1.SSIM in
Chicago, and is the Master Directory.
a. Note that the Master Directory will also show the Replica Directories
connected (pink line). While all regional SSIM Servers can connect to regional
directories, each directory must show connected to the Master Directory.

Appendix A
Troubleshooting and using IBM LDAP diff tool
This appendix includes the following topics:

■ Error messages and troubleshooting

■ LDAP Server Unavailable

■ Directory information is not or does not synchronize

■ Recovering from a situation where the ibm-replicationState for a replication
agreement is in Retrying state

■ During the replication process, the certificates did not exchange correctly, or
they have been corrupted.

■ Removing a SSIM Directory Replica

■ Using the IBM LDAP Diff tool

Error messages and troubleshooting


The following paragraphs outline troubleshooting steps for the specific error
messages as shown below.

LDAP Server Unavailable


This error, or any similar error, is encountered when logging on to either the SSIM
Console or the Web configuration interface. It occurs when directory registration
did not complete correctly, or has become unstable. To fix this, re-run directory
registration on the machine you cannot logon to. Directory Registration should
only be done from a server to the Master SSIM Directory as initially configured
in the SSIM Directory Registration section above.

As you may not be able to logon to the Web configuration interface to run Directory
Registration, a command line version is available.
Note: There is no need to re-register it back to itself first, then to the Master
Directory. This is an unneeded step and wastes almost an hour.
To run Directory Registration manually
1 Logon to the server console via a SSH terminal or local connection, as root
user.
2 Run the following command on a single line:
sesa-setup --reg-external --ldap-ip LDAP1.SSIM --ldap-domain
SSIMDomain.com --ldap-port 636 --ldap-user administrator
--ldap-pass password --db-user symcmgmt --db-pass password

Where
LDAP1.SSIM – is the hostname of the Master SSIM Directory
SSIMDomain.com – is the SSIM Domain name
password – is the password for the SSIM Administrator account
This process will take 40 to 60 minutes to complete. Progress will be output
to the terminal console. Alternatively, you can monitor
/opt/Symantec/simserver/logs/dirreg.log.

Directory information is not or does not synchronize


When logging onto the SSIM console in different locations, you may find some
things missing in one UI and not another. For example, you can see all System
Queries in the Event view when you logon to the Chicago SSIM Server, but they
are all missing when you logon to the Dublin SSIM Server.
This can be due to many reasons. The two most common reasons are:
■ Network connection between SSIM Directories is non-functional. If the SSIM
Directories cannot contact each other, they will not be able to replicate data.
All network connections should be checked, and all hostname resolutions
should be verified.
■ Directory Replication is failing due to issues within the SSIM Directory. SSIM
uses IBM Tivoli Directory Server (ITDS) for its directory services. If ITDS fails,
SSIM Directory services may not function completely. Tools can be used to
first compare directories to see if they are in synch. If they are found to be out
of synch, there are commands available to force synchronization.


A command line tool can be used to check replication status. This command
is run at the SSIM Directory machine as root user. This command is all on one
line.
idsldapsearch -K /etc/symantec/ses/key.kdb -N LDAP1 -P
`/opt/Symantec/simserver/bin/get_stash_pwd.pl
/etc/symantec/ses/key.sth` -D cn=root -w password -b "o=symc_ses"
-s "sub" "objectclass=ibm-replicationAgreement"
ibm-replicationState
Where
LDAP1 – is the label of the certificate for the machine you are running the
command on
password – is the cn=root password of the directory
After running this command, information will be output to the screen. In this
output, look for
ibm-replicationState=ready
This should be listed after each of the replica directories. If the state is not
ready, the LDAP Diff Tool should be run to verify the differences and possibly
force synchronization.
ibm-replicationState: The current state of replication with this consumer. Possible
values are:
■ Ready
In immediate replication mode, ready to send updates as they occur.
■ Retry
An error exists, and an update to correct the error is sent every 60 seconds
■ Waiting
Waiting for next scheduled replication time.
■ Binding
In the process of binding to the consumer.
■ Connecting
In the process of connecting to the consumer.
■ On Hold
This replication agreement has been suspended or "held".
■ Error log full
More replication errors have occurred than can be logged. The amount of
errors that can be logged is based on the configured value for
ibm-slapdReplMaxErrors.
See “Using the IBM LDAP Diff tool” on page 41.
■ Retrying
It means that a conflict occurred and no new changes will be replicated for
this replication agreement.
See “Recovering from a situation where the ibm-replicationState for a
replication agreement is in Retrying state” on page 40.

Recovering from a situation where the ibm-replicationState for a replication
agreement is in Retrying state
To recover from the above situation, you will have to clear the replication queue
for the replication agreement using the ldapexop command and then run the
ldapdiff command to synchronize the directories. Skipping the queued changes is
what lets the agreement return to Ready, but those pending updates are then
never sent to the consumer, which is why ldapdiff must be run afterwards to
bring the replica back in line with the Master.

You will find the following error message in the ibmslapd.log in this case:
GLPRPL118E Replication for replica 'cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses' will continue to retry the same failed with change ID 1323 until it is successful.
You can clear the replication queue in this example with the following command:
ldapexop -K /etc/Symantec/ses/key.kdb -P
`/opt/Symantec/simserver/bin/get_stash_pwd.pl
/etc/Symantec/ses/key.sth` -N SESA -D cn=root -w password -op
controlqueue -skip all -ra cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses

The -ra option is copied from the error message:
cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId=990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses
Afterwards you should see the ibm-replicationState switching to Ready and you
can run ldapdiff to synchronize the directories.
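Added example, not part of the Symantec guide or the IBM tools: a Python checker that parses the saved output of the idsldapsearch commands used in "To validate from the SSIM Server command line" (Chapter 2) and in the ibm-replicationState check above, and extracts the -ra agreement DN from a GLPRPL118E log line as shown in this section. The sample outputs, dlmName values and ibm-replicaServerId values are constructed; the next-step text for each state follows this appendix.

```python
"""Replication health checks for SSIM directories (ITDS), an added example that is
not part of the Symantec guide. It parses saved idsldapsearch output and a
GLPRPL118E line from ibmslapd.log; it never contacts the directory itself."""
import re

# Next step for a non-ready ibm-replicationState value, as this appendix describes.
NEXT_STEP = {
    "retrying": "clear the queue (ldapexop -op controlqueue -skip all -ra <DN>), then ldapdiff",
    "retry": "automatic retry every 60 seconds; check network and certificates if it persists",
    "error log full": "run ldapdiff -S, then ldapdiff -F if differences are found",
}


def parse_entries(output):
    """Split idsldapsearch output into (dn, {attr: [values]}); entries are separated by
    blank lines, the first line of each is the DN and the rest are attr=value."""
    entries = []
    for block in re.split(r"\n\s*\n", output.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        attrs = {}
        for line in lines[1:]:
            name, _, value = line.partition("=")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries.append((lines[0], attrs))
    return entries


def check_directory_listing(outputs, expected_hosts):
    """outputs maps each server queried to its cn=Directories search output. Every
    Master and Replica must list exactly the expected hosts, otherwise cn=Directories
    has not replicated everywhere. Returns {server: sorted missing/unexpected hosts}."""
    expected, problems = set(expected_hosts), {}
    for server, text in outputs.items():
        seen = {h for _, attrs in parse_entries(text) for h in attrs.get("host", [])}
        diff = sorted(expected ^ seen)  # symmetric difference: missing or extra hosts
        if diff:
            problems[server] = diff
    return problems


def agreements_needing_attention(status_output):
    """Return [(agreement DN, state, next step)] for every agreement not in 'ready'."""
    flagged = []
    for dn, attrs in parse_entries(status_output):
        for state in attrs.get("ibm-replicationState", []):
            if state.lower() != "ready":
                flagged.append((dn, state, NEXT_STEP.get(state.lower(), "inspect ibmslapd.log")))
    return flagged


def agreement_dn_from_log(log_line):
    """Extract the quoted agreement DN from a GLPRPL118E message (the -ra value)."""
    match = re.search(r"GLPRPL118E Replication for replica '([^']+)'", log_line)
    return match.group(1) if match else None


# --- Constructed sample input, not captured from a real system --------------------
BASE = "cn=Directories,cn=SES,ou=Administration,dc=SSIMDomain,dc=com,o=symc_ses"
EXPECTED = ["LDAP1.SSIM", "LDAP2.SSIM", "LDAP3.SSIM"]


def _listing(hosts):
    """Fake the validation step 3 output: one dlmName entry per directory host."""
    return "\n\n".join(f"dlmName=constructed{i},{BASE}\nhost={h}" for i, h in enumerate(hosts))


LISTINGS = {  # LDAP3.SSIM has not yet received the LDAP2.SSIM entry
    "LDAP1.SSIM": _listing(EXPECTED),
    "LDAP2.SSIM": _listing(EXPECTED),
    "LDAP3.SSIM": _listing(["LDAP1.SSIM", "LDAP3.SSIM"]),
}
STATUS = (  # ibm-replicaServerId values are placeholders
    "cn=LDAP2.SSIM:636,ibm-replicaServerId=placeholder-0002,ibm-replicaGroup=default,"
    "o=symc_ses\nibm-replicationState=ready\n\n"
    "cn=LDAP3.SSIM:636,ibm-replicaServerId=placeholder-0003,ibm-replicaGroup=default,"
    "o=symc_ses\nibm-replicationState=retrying\n"
)
LOG_LINE = (  # the GLPRPL118E example from this appendix, on a single line
    "GLPRPL118E Replication for replica 'cn=atr-ses-9551.emea.ts:636,ibm-replicaServerId="
    "990a7cc0-f665-102c-975e-b3d706ee3073,ibm-replicaGroup=default,o=symc_ses' will "
    "continue to retry the same failed with change ID 1323 until it is successful."
)

if __name__ == "__main__":
    for server, diff in check_directory_listing(LISTINGS, EXPECTED).items():
        print(f"{server}: cn=Directories listing differs from expected: {diff}")
    for dn, state, step in agreements_needing_attention(STATUS):
        print(f"{dn}\n  state={state}: {step}")
    print("-ra value for ldapexop:", agreement_dn_from_log(LOG_LINE))
```

In practice, capture the idsldapsearch output from each directory server to a file and pass its text to the same functions; the agreement DN returned by agreement_dn_from_log is what goes after -ra in the ldapexop command above.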

During the replication process, the certificates did not exchange correctly, or
they have been corrupted.
If there are any problems with certificates, including if the verification process
fails, certificates should be removed and re-exchanged following the Certificate
Exchange instructions earlier in this document. The following command is used
to remove a certificate from a SSIM Server after it has been added:
gsk7cmd.ssim -cert -delete -db /etc/symantec/ses/key.kdb -label
LDAP2Cert -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl
/etc/symantec/ses/key.sth`

Where LDAP2Cert is the label of the certificate to remove.

Removing a SSIM Directory Replica


The steps below outline the procedure to remove a Replica SSIM Directory.
How to remove a SSIM Directory Replica
1 Run the following command on the Windows computer where the Directory
Replica Tool was installed. This command must be run from a command
prompt in the Directory Replica Tool folder:
java -jar dirreplicatool.jar remove -replica ldaps://LDAP2.SSIM
password -from ldaps://LDAP1.SSIM password

Where
LDAP2.SSIM – is the directory to remove
LDAP1.SSIM – is the directory where it is being removed from
password – is the cn=root password
2 In the SSIM Console, open the System view > Administration Tab >
Organizational Units. Here find the directory machines in the OU they were
in. Select each removed replica and delete it.

Using the IBM LDAP Diff tool


The LDAP Diff Tool can be used to check for differences between SSIM Directories,
and it can be used to force synchronization from a Master SSIM Directory to any
Replica SSIM Directory. Normally, synchronization is done automatically and
continually during normal replication processes. However, at times directories
may become out of synch and a force synchronization may need to be done. Below
is information to run this tool in a SSIM environment. For more details on this
tool, refer to IBM’s web site at the following URL:
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahyldapdiff.htm
Before running this tool, a symbolic link to IBM’s version of Java must be created,
and current certificates from all directory machines imported to the IBM Java
keystore. These 2 steps must be done on the Master SSIM Directory (such as
LDAP1.SSIM), and as the root user.
To create a symbolic link to IBM’s Java:
◆ Execute the following command from any folder:
cd /opt/ibm/ldap/V6.1/java

ln -s /opt/jdk/jre jre

To import SSIM Server certificates to the IBM Java keystore:


◆ If using self-signed certificates, they will need to be imported to the IBM Java
keystore. First, the certificates should be extracted and exchanged as described
in the Certificate Exchange section in this document. With all directory
certificates in the /tmp folder on the Master SSIM Directory, run the following
command. This command will need to be run once for the Master Directory,
and once for each Replica Directory. This command is all on one line.
/opt/IBMJava2-142/jre/bin/keytool -import -alias AliasName -file
/tmp/Cert.crt -keystore /opt/IBMJava2-142/jre/lib/security/cacerts

Where
AliasName – is a name given to the certificate being imported. This should
be something descriptive like LDAP2.
Cert.crt – is the name of the certificate file for the replica certificate being
added.
Using the machine examples used throughout this document, the following three
commands would be run from the Master SSIM Directory – LDAP1.SSIM:
To import LDAP1.SSIM Certificate to LDAP1.SSIM IBM Java Keystore
◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP1 -file
/tmp/LDAP1.crt -keystore
/opt/IBMJava2-142/jre/lib/security/cacerts

To import LDAP2.SSIM Certificate to LDAP1.SSIM IBM Java Keystore


◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP2 -file
/tmp/LDAP2.crt -keystore
/opt/IBMJava2-142/jre/lib/security/cacerts

To import LDAP3.SSIM Certificate to LDAP1.SSIM IBM Java Keystore


◆ /opt/IBMJava2-142/jre/bin/keytool -import -alias LDAP3 -file
/tmp/LDAP3.crt -keystore
/opt/IBMJava2-142/jre/lib/security/cacerts


To check for directory differences


◆ The LDAP Diff Tool is run with the -S option to compare directory
information. This tool is always run from the Master Directory to compare
the Master to a Replica Directory. On the Master SSIM Directory, run the
following command. This command is run on a single line.
ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT"
-sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts
-sP changeit -sN jks -sT
/opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks
-ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK
/opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks
-cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct
jks

Where
o=symc_ses – is the DN in the directory where synchronization starts. All
trees under this DN will be compared. o=symc_ses is the top most level of a
SSIM Directory. A lower level directory tree under o=symc_ses can be specified
by entering the full DN value
LDAP1.SSIM – is the hostname of the Master SSIM Directory.
LDAP2.SSIM – is the hostname of the Replica SSIM Directory to be compared
to the Master.
password – is the cn=root password for that directory.
Using example machines used throughout this document, the following two
commands would be run from the Master SSIM Directory:
To compare LDAP1.SSIM to LDAP2.SSIM
ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw
password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP
changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY
changeit -st jks -ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password
-cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN
jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct
jks

To compare LDAP1.SSIM to LDAP3.SSIM


ldapdiff -S -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT" -sw
password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts -sP
changeit -sN jks -sT /opt/IBMJava2-142/jre/lib/security/cacerts -sY
changeit -st jks -ch LDAP3.SSIM -cp 636 -cD "CN=ROOT" -cw password
-cZ -cK /opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN
jks -cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct
jks

To force Directory Synchronization


◆ The LDAP Diff Tool is run with the -F option to force a synchronization of
directory data from a Master SSIM Directory to a Replica SSIM Directory.
This option should only be used when the diff option (-S) has revealed
differences. On the Master SSIM Directory, run the command shown below
once for each replica that is not in synch. The command is entered on a
single line.
Where:
o=symc_ses – is the DN in the directory where synchronization starts. All
trees under this DN will be compared. o=symc_ses is the top most level of a
SSIM Directory. A lower level directory tree under o=symc_ses can be specified
by entering the full DN value.
LDAP1.SSIM – is the hostname of the Master SSIM Directory.
LDAP2.SSIM – is the hostname of the Replica SSIM Directory to be compared
to the Master.
password – is the cn=root password for that directory.
Using example machines used throughout this document, the following commands
would be run from the Master SSIM Directory:
To force directory synchronization from Master LDAP1.SSIM to LDAP2.SSIM:
◆ ldapdiff -F -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT"
-sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts
-sP changeit -sN jks -sT
/opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks
-ch LDAP2.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK
/opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks
-cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct
jks


To force directory synchronization from Master LDAP1.SSIM to LDAP3.SSIM:


◆ ldapdiff -F -b o=symc_ses -sh LDAP1.SSIM -sp 636 -sD "CN=ROOT"
-sw password -sZ -sK /opt/IBMJava2-142/jre/lib/security/cacerts
-sP changeit -sN jks -sT
/opt/IBMJava2-142/jre/lib/security/cacerts -sY changeit -st jks
-ch LDAP3.SSIM -cp 636 -cD "CN=ROOT" -cw password -cZ -cK
/opt/IBMJava2-142/jre/lib/security/cacerts -cP changeit -cN jks
-cT /opt/IBMJava2-142/jre/lib/security/cacerts -cY changeit -ct
jks

Note: Synchronization cannot be forced between replica directories.
Synchronization is only forced from Master to Replica.
