OpenDJ / OPENDJ-3475

Docs: Replication (interactively) fails when using the local master as the "First Servers"

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.0, 3.5.1, 3.5.0, 3.0.0
    • Fix Version/s: 4.0.0
    • Component/s: documentation
    • Sprint:
      OpenDJ Sprint 95

      Description

      The replication documentation needs to show an example of enabling replication interactively and the proper steps to do so.

      Problem: When enabling replication, if you use the local master as the "First Servers", trust has not been established and the operation fails.

      Example 1: Use Master 1 for the "first server" connection parameters.

      opendj; bin/$ pwd
      /opt/instances/capella16571/master1/bin
      opendj; bin/$ ./dsreplication 
      What do you want to do?
      
          1)  Enable Replication
          2)  Disable Replication
          3)  Initialize Replication on one Server
          4)  Initialize All Servers
          5)  Pre External Initialization
          6)  Post External Initialization
          7)  Display Replication Status
          8)  Purge Historical
          9)  Re-synchronizes the change-log changenumber on one server with the
              change-log changenumber of another.
      
          c)  cancel
      
      Enter choice: 1
      
      
      >>>> Specify server administration connection parameters for the first server
      
      Directory server hostname or IP address [Lees-MacBook-Pro.local]: master1.forgerock.com
      
      Directory server administration port number [4444]: 4444
      
      How do you want to trust the server certificate?
      
          1)  Automatically trust
          2)  Use a truststore
          3)  Manually validate
      
      Enter choice [3]: 
      
      Global Administrator User ID, or bind DN if no Global Administrator is defined
      [admin]: cn=Directory Manager
      
      Password for user 'cn=Directory Manager': 
      Replication port for the first server (the port must be free) [8989]: 
      
      Do you want replication to use encrypted communication when connecting to
      replication port 8989 on the first server? (yes / no) [no]: 
      
      
      
      >>>> Specify server administration connection parameters for the second server
      
      Directory server hostname or IP address [Lees-MacBook-Pro.local]: master2.forgerock.com
      
      Directory server administration port number [4444]: 5444
      
      How do you want to trust the server certificate?
      
          1)  Automatically trust
          2)  Use a truststore
          3)  Manually validate
      
      Enter choice [3]: 
      
      Global Administrator User ID, or bind DN if no Global Administrator is defined
      [admin]: cn=Directory Manager
      
      Password for user 'cn=Directory Manager': 
      
      Server Certificate:
      
      
      
      User DN  : CN=master2.forgerock.com, O=Administration Connector RSA
      Self-Signed Certificate
      Validity : From 'Wed Nov 02 13:46:31 MDT 2016'
                   To 'Tue Oct 28 13:46:31 MDT 2036'
      Issuer   : CN=master2.forgerock.com, O=Administration Connector RSA
      Self-Signed Certificate
      
      
      Do you trust this server certificate?
      
          1)  No
          2)  Yes, for this session only
          3)  Yes, also add it to a truststore
          4)  View certificate details
      
      Enter choice [2]: 
      Replication port for the second server (the port must be free) [8989]: 9989
      
      Do you want replication to use encrypted communication when connecting to
      replication port 9989 on the second server? (yes / no) [no]: 
      
      Global Administrator must be created.
      You must provide the credentials of the Global Administrator that will be
      created to manage the server instances that are being replicated.
      Global Administrator User ID [admin]: 
      
      Global Administrator Password: 
      
      Confirm Password: 
      
      
      You must choose at least one Base DN to be replicated.
      Replicate base DN dc=example,dc=com? (yes / no) [yes]: 
      
      Establishing connections ..... 
      Error reading data from server master2.forgerock.com:5444.  There is an error
      with the certificate presented by the server.
      Details: simple bind failed: master2.forgerock.com:5444
      

      Example 2: Use Master 2 for the "first server" connection parameters.

      opendj; bin/$ pwd
      /opt/instances/capella16571/master1/bin
      opendj; bin/$ ./dsreplication 
      What do you want to do?
      
          1)  Enable Replication
          2)  Disable Replication
          3)  Initialize Replication on one Server
          4)  Initialize All Servers
          5)  Pre External Initialization
          6)  Post External Initialization
          7)  Display Replication Status
          8)  Purge Historical
          9)  Re-synchronizes the change-log changenumber on one server with the
              change-log changenumber of another.
      
          c)  cancel
      
      Enter choice: 1
      
      
      >>>> Specify server administration connection parameters for the first server
      
      Directory server hostname or IP address [Lees-MacBook-Pro.local]: master2.forgerock.com
      
      Directory server administration port number [4444]: 5444
      
      How do you want to trust the server certificate?
      
          1)  Automatically trust
          2)  Use a truststore
          3)  Manually validate
      
      Enter choice [3]: 
      
      Global Administrator User ID, or bind DN if no Global Administrator is defined
      [admin]: cn=Directory Manager
      
      Password for user 'cn=Directory Manager': 
      
      Server Certificate:
      
      
      
      User DN  : CN=master2.forgerock.com, O=Administration Connector RSA
      Self-Signed Certificate
      Validity : From 'Wed Nov 02 13:46:31 MDT 2016'
                   To 'Tue Oct 28 13:46:31 MDT 2036'
      Issuer   : CN=master2.forgerock.com, O=Administration Connector RSA
      Self-Signed Certificate
      
      
      Do you trust this server certificate?
      
          1)  No
          2)  Yes, for this session only
          3)  Yes, also add it to a truststore
          4)  View certificate details
      
      Enter choice [2]: 
      Replication port for the first server (the port must be free) [8989]: 
      
      Do you want replication to use encrypted communication when connecting to
      replication port 8989 on the first server? (yes / no) [no]: 
      
      
      
      >>>> Specify server administration connection parameters for the second server
      
      Directory server hostname or IP address [Lees-MacBook-Pro.local]: master1.forgerock.com
      
      Directory server administration port number [4444]: 
      
      How do you want to trust the server certificate?
      
          1)  Automatically trust
          2)  Use a truststore
          3)  Manually validate
      
      Enter choice [3]: 
      
      Global Administrator User ID, or bind DN if no Global Administrator is defined
      [admin]: cn=Directory Manager
      
      Password for user 'cn=Directory Manager': 
      Replication port for the second server (the port must be free) [8989]: 9989
      
      Do you want replication to use encrypted communication when connecting to
      replication port 9989 on the second server? (yes / no) [no]: 
      
      Global Administrator must be created.
      You must provide the credentials of the Global Administrator that will be
      created to manage the server instances that are being replicated.
      Global Administrator User ID [admin]: 
      
      Global Administrator Password: 
      
      Confirm Password: 
      
      
      You must choose at least one Base DN to be replicated.
      Replicate base DN dc=example,dc=com? (yes / no) [yes]: 
      
      Establishing connections ..... Done.
      Checking registration information ..... Done.
      Configuring Replication port on server master2.forgerock.com:5444 ..... Done.
      Configuring Replication port on server master1.forgerock.com:4444 ..... Done.
      Updating replication configuration for baseDN dc=example,dc=com on server
      master2.forgerock.com:5444 .....Done.
      Updating replication configuration for baseDN dc=example,dc=com on server
      master1.forgerock.com:4444 .....Done.
      Updating registration configuration on server master2.forgerock.com:5444 ..... Done.
      Updating registration configuration on server master1.forgerock.com:4444 ..... Done.
      Updating replication configuration for baseDN cn=schema on server
      master2.forgerock.com:5444 .....Done.
      Updating replication configuration for baseDN cn=schema on server
      master1.forgerock.com:4444 .....Done.
      Initializing registration information on server master1.forgerock.com:4444
      with the contents of server master2.forgerock.com:5444 .....Done.
      Initializing schema on server master1.forgerock.com:4444 with the contents of
      server master2.forgerock.com:5444 .....Done.
      
      Replication has been successfully enabled.  Note that for replication to work
      you must initialize the contents of the base DNs that are being replicated
      (use dsreplication initialize to do so).
      
      
      See
      /var/folders/32/hqbp0t2n5k73f9ssp3ssc9740000gn/T/opendj-replication-8200243056498898043.log
      for a detailed log of this operation.
      

      What is happening when you use Master 2's info for the "first server" while on Master 1:

      • dsreplication on Master 1 connects to Master 2 (the first server) as cn=Directory Manager.
      • Once the BIND is successful, Master 1 retrieves Master 2's Replication Certificate and presents its information.
      • dsreplication then asks "Do you trust this server certificate?". Since you opted to select "2) Yes, for this session only", the "trust relationship" has been established and dsreplication can now enable the topology correctly.

      The opposite is true when you use Master 1's details for the first server. It needs to first trust Master 2's replication certificate to set up that mutual trust. It cannot, and fails.

        People

        • Assignee: Mark Craig
        • Reporter: Lee Trujillo