HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

For more information on database encryption configuration schema, see "Database Attributes
under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm
database,cn=plugins,cn=config" in the HP-UX Directory Server configuration, command, and file
reference.
2.3.3.5 Exporting and importing an encrypted database
Exporting and importing encrypted databases is similar to exporting and importing regular
databases. However, the encrypted information must be decrypted when it is exported to LDIF,
then re-encrypted when it is imported to the database. Using the -E option when running the
db2ldif and ldif2db scripts will decrypt the data on export and re-encrypt it on import.
1. Export the data using the db2ldif script, as follows:
db2ldif -n Database1 -E -a /path/to/output.ldif -s "dc=example,dc=com" -s "o=userRoot"
For more information, see “Exporting to LDIF from the command line” (page 158).
2. Make any configuration changes.
3. Re-import the data using the ldif2db script, as follows:
ldif2db -n Database1 -E -i /path/to/output.ldif
For more information, see “Importing from the command line” (page 151).
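The following POSIX shell script is an added example and is not part of the HP-UX Directory Server guide. It wraps the export/import round trip above so that the decrypted LDIF is created readable only by its owner, the import refuses a world- or group-readable LDIF, and the plaintext file is overwritten and removed once the re-import with -E has succeeded. The script assumes db2ldif and ldif2db are on PATH (override with the DB2LDIF and LDIF2DB variables, which are this example's own names, not options of the server scripts) and that GNU shred may or may not be installed.

```shell
#!/bin/sh
# Added example: encrypted-database export/import round trip with -E.
# Not from the HP-UX Directory Server guide; DB2LDIF/LDIF2DB are this
# script's own variables so the commands can be relocated or stubbed.
set -eu

DB2LDIF=${DB2LDIF:-db2ldif}   # assumption: server scripts are on PATH
LDIF2DB=${LDIF2DB:-ldif2db}

# Export one backend. -E decrypts encrypted attributes into the LDIF, so the
# file is created under umask 077 (owner read/write only) in a subshell.
export_encrypted_db() {
    db=$1; out=$2; shift 2          # remaining arguments: -s "<suffix>" ...
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    ( umask 077; "$DB2LDIF" -n "$db" -E -a "$out" "$@" )
}

# Succeeds only if the LDIF exists and is not readable by group or others.
check_ldif_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Overwrite the file contents, then unlink it. Overwriting in place only
# reaches the original disk blocks on filesystems that rewrite in place;
# on journaling or copy-on-write filesystems the old blocks may survive.
secure_remove() {
    f=$1
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"                          # GNU coreutils: overwrite, then remove
    else
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -gt 0 ] && dd if=/dev/zero of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null
        rm -f "$f"
    fi
}

# Re-import with -E (re-encrypts on the way in), then destroy the plaintext LDIF.
import_encrypted_db() {
    db=$1; ldif=$2
    if ! check_ldif_private "$ldif"; then
        echo "refusing import: $ldif is missing or readable by others" >&2
        return 1
    fi
    "$LDIF2DB" -n "$db" -E -i "$ldif"
    secure_remove "$ldif"
}

# Usage: sh encrypted_roundtrip.sh export <database> <ldif> -s "<suffix>" ...
#        sh encrypted_roundtrip.sh import <database> <ldif>
main() {
    case $1 in
        export) shift; export_encrypted_db "$@" ;;
        import) shift; import_encrypted_db "$@" ;;
        *) echo "usage: $0 export|import <database> <ldif> [-s suffix ...]" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run the export step, make the configuration changes, then run the import step; the LDIF is only removed after ldif2db returns success, so a failed import leaves the file for retry. Overwriting the LDIF covers the file the guide tells you to delete; the page-pool backing file and the old database files still need the separate steps described in the note below.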
NOTE:
When enabling encryption for data that is already present in the database, several additional
security concerns arise:
• It is possible for old, unencrypted data to persist in the server's database page pool backing
file, even after a successful re-import with encryption. To remove this data, stop the server and
delete the db/guardian file, then restart the server. This will force recovery, a side-effect of
which is deleting the backing file. However, it is possible that the data from the deleted file
could still be recovered from the hard drive unless steps are taken to overwrite the disk blocks
that it occupied.
• After enabling encryption and importing data, be sure to delete the LDIF file because it contains
plain text values for the now-encrypted data. Ensure that the disk blocks that it occupied are
overwritten.
• The unencrypted data previously stored in the server's database may persist on disk after a
successful re-import with encryption. This is because the old database files are deleted, not
overwritten, as part of the import process. Ensure that the disk blocks that those files occupied
are overwritten.
• Data stored in the server's replication log database is never encrypted; therefore, care should
be taken to protect those files if replication is used.
• The server does not attempt to protect unencrypted data stored in memory. This data may be
copied into a system page file by the operating system. For this reason, ensure that any page
or swap files are adequately protected.
2.4 Creating and Maintaining Database Links
Chaining means that a server contacts other servers on behalf of a client application then returns
the combined results. Chaining is implemented through a database link, which points to data stored
remotely. When a client application requests data from a database link, the database link retrieves
the data from the remote database and returns it to the client.
“Creating a new database link” (page 52)
“Configuring the chaining policy” (page 63)
“Maintaining database links” (page 68)
“Database links and access control evaluation” (page 71)