Reported on DS 5.0.0, also reproducible on DS 5.5.0.
Crypto Manager getSymmetricKey uses TLSv1 to connect to admin port.
This fails if the admin connector is configured to accept only ssl-protocol TLSv1.2.
Setting Crypto Manager ssl-protocol to TLSv1.2 does not help. SSL debug shows that it still tries to connect using TLSv1.
- Given a replication topology, say 2 nodes with DS+RS.
- Enable confidentiality on both nodes, so that there is a symmetric key.
- All working at this point. The admin-backend.ldif on both nodes has 2 symmetric key values, encoded with each node's instance key.
- Set the admin connector ssl-protocol to only TLSv1.2.
- For the purpose of having node2 get symmetric key from node1:
- stop both DS.
- edit the admin-backend.ldif on both nodes, deleting the ds-cfg-symmetric-key value that has node2's instance key.
- enable SSL debugging (e.g. start-ds.java-args=... -Djavax.net.debug=all)
- start up node1 DS, and then node2 DS.
- at startup, node2 tries to get symmetric key from node1, but fails.
- Node2 error log:
- Node1 server.out with SSL debugging: