Updating the topology registry
After you update the server connection handlers to enable TLS, you should also update the topology registry to provide information about the new configuration.
The topology registry holds information about server instances that are part of the environment and helps facilitate inter-server communication, like replication, mirroring portions of the configuration, and the PingDirectoryProxy server’s automatic backend server discovery functionality.
There are two types of entries that need to be updated: the server instance listener configuration, which provides information needed to trust the TLS certificates presented by instances in the topology, and the server instance configuration, which provides information about options for communicating with those instances.
The server instance listener configuration needs to include the server certificate (that is, the certificate at the head of the chain). This should be the multi-line PEM-formatted representation of the certificate. When using dsconfig, this is easiest to import from a file.
bin/dsconfig set-server-instance-listener-prop \
  --instance-name ds1 \
  --listener-name ldap-listener-mirrored-config \
  --set server-ldap-port:636 \
  --set connection-security:ssl \
  --set 'listener-certificate</ca/ds1-cert.pem'
The less-than symbol in the last line indicates that the value should be read from the named file rather than provided directly. The property name and path might also need to be enclosed in single straight quotes to prevent the shell from interpreting the less-than symbol as input redirection.
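The listener-certificate property expects only the certificate at the head of the chain, but a PEM file exported from a CA or a keystore often carries the issuer certificates after it. The following helper, added here as an example and not part of the PingDirectory documentation, extracts the first PEM certificate block from such a chain file into a separate file that can then be passed as 'listener-certificate<file'. It assumes the chain file lists the server certificate first and uses a constructed placeholder chain for illustration.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation).
# Assumption: the chain file lists the server (leaf) certificate first,
# followed by any intermediate and root certificates.

# Count the PEM certificate blocks in a file (prints the number).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy only the first PEM certificate block of $1 (the head of the chain)
# into $2, so that $2 holds a single multi-line PEM certificate.
# Returns 1 if no certificate block was found.
extract_head_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock                        { print }
        /-----END CERTIFICATE-----/    { if (inblock) exit }
    ' "$1" > "$2"
    [ -s "$2" ] || return 1
}

# Constructed sample chain with placeholder bodies (not real certificates):
# a leaf certificate followed by its issuer.
write_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFCERTBASE64PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUERCERTBASE64PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Typical use (hypothetical paths):
#   extract_head_cert /ca/ds1-chain.pem /ca/ds1-cert.pem
#   bin/dsconfig set-server-instance-listener-prop \
#     --instance-name ds1 \
#     --listener-name ldap-listener-mirrored-config \
#     --set 'listener-certificate</ca/ds1-cert.pem'
```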
The server instance configuration object should also be updated to reflect the new methods that are available for communicating with that instance. Its preferred-security property indicates which mechanism other instances in the topology should try to use when communicating with that instance. The following example sets the LDAPS and HTTPS ports, indicates that StartTLS support has been enabled, and specifies that other instances should use SSL (LDAPS) when communicating with this instance.
dsconfig set-server-instance-prop \
  --instance-name ds1 \
  --set ldaps-port:636 \
  --set https-port:443 \
  --set preferred-security:ssl \
  --set start-tls-enabled:true