Replication Changelog Error When Configuring Attribute Encryption In Multi-master Replication (Doc ID 1510957.1)

Last updated on MARCH 18, 2016

Applies to:

Oracle Directory Server Enterprise Edition - Version 6.3.1 SP1 DPS6.3.1.1 to 11.1.1.5.1 [Release 6.0 to 11gR1]
Information in this document applies to any platform.
***Checked for relevance on 09-Jul-2014***
The procedures detailed in the 6.3 Administration Guide are incorrect and cause this problem. The database cache files and the transactional logs should not be removed.

Bug 16185062: DOCUMENTATION ON ENABLING ATTRIBUTE ENCRYPTION IS INCORRECT FOR DS 6.3.X.

The procedure described in the 11G Administration Guide should be followed instead: http://docs.oracle.com/cd/E19656-01/821-1504/ftziq/index.html

Symptoms

After performing the procedures outlined below, the following error is encountered:

[04/Dec/2012:12:36:51 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 -  Backend Instance: oracle
[04/Dec/2012:12:36:51 -0700] - ERROR<4633> - Command line - conn=-1 op=-1 msgId=-1 - Argument error Suffix to be imported contains encrypted attributes: missing key db password.
usage: ns-slapd ldif2db -D instancedir [-d debuglevel] [-n backend_instance_name] [-e] [-O] [-g uniqueid_type] [--namespaceid uniqueID] [-Y keydb-pwd] [-y keydb-pwd-file] [-X][{-s includesuffix}*] [{-x excludesuffix}*] {-i ldif-file}*
Note: either "-n backend_instance_name" or "-s includesuffix" is required.
/opt/dsee6/ds6/lib/64/ns-slapd ldif2db -D /var/ds/ds6-1 -s dc=oracle,dc=local -i /out/encrypt.ldif failed: err=1
Failed to import data: err=1

[04/Dec/2012:12:38:57 -0700] - Sun-Java(tm)-System-Directory/6.3.1.1.1 B2011.1116.2249 (64-bit) starting up
[04/Dec/2012:12:38:57 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 -  libdb: file unknown (meta pgno = 0) has LSN [1][855510].
[04/Dec/2012:12:38:57 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 -  libdb: end of log is [1][2432]
[04/Dec/2012:12:38:57 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 -  libdb: /var/ds/ds6-1/db/oracle/cl5dc_oracle_dc_local50be4eda000000010000.db3: unexpected file type or format
[04/Dec/2012:12:38:57 -0700] - ERROR<8266> - Replication  - conn=-1 op=-1 msgId=-1 - Internal error  Failed to open changelog file for replica 82f1faac-3e4811e2-80f6c525-4581d0ab, DB error 22 - Invalid argument
[04/Dec/2012:12:38:57 -0700] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 -  Could not send consumer sol10:6489 the bind request
[04/Dec/2012:12:38:57 -0700] - INFORMATION - NSMMReplicationPlugin - conn=-1 op=-1 msgId=-1 -  Failed to connect to replication consumer sol10:6489
[04/Dec/2012:12:38:57 -0700] - ERROR<8318> - Repl. Transport  - conn=-1 op=-1 msgId=-1 -  [S] Bind failed with response: Failed to bind to remote (900).

 

The following procedures were performed as outlined in the "Encrypting Attribute Values" section of the ODSEE administration guide:

If the suffix on which you want to configure attribute encryption contains any entries whatsoever, you must first export the contents of that suffix to an LDIF file.

If the suffix contains encrypted attributes and you plan to re-initialize the suffix using the exported LDIF file, you can leave the attributes encrypted in the exported LDIF.

1) Export data

 

After following these procedures, the import fails with a corrupted Replication changelog.
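To check other instances for the same symptoms, the following added example (not part of the Oracle note or of ODSEE) parses the error-log layout shown in the excerpt above and flags the three symptom lines. The symptom labels and function names are assumptions of this example; the sample lines are copied from the excerpt.

```python
import re

# Line layout as seen in the excerpt above; DEBUG lines carry no component field.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+)(?:<(?P<code>\d+)>)? - "
    r"(?:(?P<component>.+?)\s+- )?conn=-?\d+ op=-?\d+ msgId=-?\d+ -\s+(?P<msg>.*)$"
)

# (label, required error code or None, message pattern). Labels are this example's own names.
SIGNATURES = [
    ("import_missing_keydb_password", "4633", re.compile(r"missing key db password")),
    ("changelog_open_failed", "8266", re.compile(
        r"Failed to open changelog file for replica (?P<replica>[0-9a-f-]+), DB error (?P<dberr>\d+)")),
    ("changelog_db_bad_format", None, re.compile(
        r"libdb: (?P<path>\S*/cl5\S+\.db3): unexpected file type or format")),
]

# Sample input: lines copied from the log excerpt in this note.
SAMPLE = [
    "[04/Dec/2012:12:36:51 -0700] - ERROR<4633> - Command line - conn=-1 op=-1 msgId=-1 - Argument error Suffix to be imported contains encrypted attributes: missing key db password.",
    "[04/Dec/2012:12:38:57 -0700] - Sun-Java(tm)-System-Directory/6.3.1.1.1 B2011.1116.2249 (64-bit) starting up",
    "[04/Dec/2012:12:38:57 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 -  libdb: /var/ds/ds6-1/db/oracle/cl5dc_oracle_dc_local50be4eda000000010000.db3: unexpected file type or format",
    "[04/Dec/2012:12:38:57 -0700] - ERROR<8266> - Replication  - conn=-1 op=-1 msgId=-1 - Internal error  Failed to open changelog file for replica 82f1faac-3e4811e2-80f6c525-4581d0ab, DB error 22 - Invalid argument",
    "[04/Dec/2012:12:38:57 -0700] - ERROR<8318> - Repl. Transport  - conn=-1 op=-1 msgId=-1 -  [S] Bind failed with response: Failed to bind to remote (900).",
]

def parse(line):
    """Split one log line into fields; return None for lines in another layout."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def scan(lines):
    """Return one finding per line that matches a symptom signature."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # startup banner, usage text, wrapped output
        for name, code, pattern in SIGNATURES:
            hit = pattern.search(rec["msg"])
            if hit and (code is None or rec["code"] == code):
                findings.append({"symptom": name, "ts": rec["ts"], **hit.groupdict()})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```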

 

Cause
