Hi Mark,
Replication does not use the server's certificate for SSL Client
Authentication. It uses the client certificate in the "Replication
Manager" entry. Sounds like you did not add a user certificate to this
entry.
Your hint seems to clarify something. Thanx for that.
First this lead me to the chapter in the documentation which I didn't step over
before:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
From there I understand that there needs to be an account entry on the supplier
corresponding to the supplier's hostname, and that I need to add a client certificate
to that entry. It says "Both servers will later use these accounts and certificates
to authenticate when they establish a replication connection to each other." So I did
that and put the server certificate (issued by the same CA, 'u' flag set) to the
account entry. Furthermore as shown in the chapter I put the account entries to a group
which is referenced (nsds5replicabinddngroup) in the replica entry on the supplier.
I skipped the steps with the temporary replication manager account (with password) and
agreement, because I setup the two servers in parallel so I make sure the accounts with
the certificates on the consumer do already exist when initializing the replication.
Result for now: Still doesn't work. The supplier doesn't send the certificate in
the account entry at "cn=supplierhost,dc=..." of the supplier's database. It
doesn't send any certificate.
This brings me to another question to you: The replication manager entry is the entry on
the consumer server from the perspective of the supplier that starts the replication. From
where does the supplier take the certificate in a single master scenario where there is no
replication manager account on its side?
Somehow there is still a missing link between the supplier's hostname and the place
for the supplier to get the certificate from to use it in the TLS handshake with the
consumer.
Regards,
Eugen