Status: Dev backlog
Affects Version/s: 6.5.3
Fix Version/s: None
Two DJ instances have confidentiality enabled on a backend which is subsequently replicated. This works fine.
The customer has a requirement to replace the ads-certificate with one signed by an external CA. I'll attach the script I used, but in brief we do this using:
Then we sign the CSR generated by the certreq. Then import the cert:
We then create a new instance key in the server using ldapmodify and the keyid of the new cert:
This is as per the documentation in the admin guide. However, when we restart this server we discover that the old instance key has more symmetric keys on the restarted server than on the other replicated servers. This causes the other servers to log, when they start up, that they can't import the symmetric key:
Doing an ldifdiff of the two admin-backend.ldif files shows this symmetric key is present on server 1 but not server 2.
The error seems benign, in that the servers work OK and can read/write data in the confidential backend.
As a workaround, it is possible to use ldapmodify to manually copy the missing ds-cfg-symmetric-key to another server. This works, and the servers do not log an error on startup.
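The ldifdiff check and the workaround above can be scripted. The following is an added example, not the attached script or DJ's own code: it parses two admin-backend.ldif exports, reports the ds-cfg-symmetric-key values present on one server but missing on another, and emits the ldapmodify input that copies them. The sample LDIF, its DN layout under cn=admin data and the key values are constructed for illustration.

```python
import base64
# Constructed admin-backend.ldif excerpts; DN layout and key values are hypothetical.
SERVER1_LDIF = """dn: cn=k1,cn=instance keys,cn=admin data
objectClass: ds-cfg-instance-key
ds-cfg-symmetric-key: k1:key-one
ds-cfg-symmetric-key: k1:key-
 two
ds-cfg-symmetric-key:: azE6a2V5LXRocmVl
"""
SERVER2_LDIF = """dn: cn=k1,cn=instance keys,cn=admin data
objectClass: ds-cfg-instance-key
ds-cfg-symmetric-key: k1:key-one
ds-cfg-symmetric-key: k1:key-two
"""
def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}: unfolds continuation lines
    (leading space) and decodes 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:
        if not line:  # a blank line ends the current entry
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.lower(), []).append(value.strip())
    return entries
def missing_symmetric_keys(ldif_a, ldif_b):
    """Per instance-key DN: ds-cfg-symmetric-key values on A that B lacks."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    keys = lambda e: set(e.get("ds-cfg-symmetric-key", []))
    diff = {dn: keys(attrs) - keys(b.get(dn, {})) for dn, attrs in a.items()}
    return {dn: gap for dn, gap in diff.items() if gap}
def workaround_ldif(diff):
    """ldapmodify input adding each missing key on the lagging server (the workaround above)."""
    out = []
    for dn, keys in sorted(diff.items()):
        out += [f"dn: {dn}", "changetype: modify", "add: ds-cfg-symmetric-key"]
        out += [f"ds-cfg-symmetric-key: {k}" for k in sorted(keys)]
        out.append("-\n")
    return "\n".join(out)
```

Run the comparison in both directions: a key missing on server 1 but present on server 2 is just as much a drift as the case in this report.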