search cancel

Symantec Directory : MW and/or MW-DISP recovery replication not working after setting up for the first time.

book

Article ID: 254515

calendar_today

Updated On:

Products

CA Directory

Issue/Introduction

You have setup two DSAs on a two separate nodes in MW-DISP recovery replication. Making sure the initial data set is identiacal and still replication is not working, revealing following messages in the log files:

** In warn log:
WARN : Supplied DN 'cn=abc,ou=def,o=The company-name,l=Citi-name,st=State-name,c=US' matches no remote DSA

** In alarm log:
DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'xxxxxxdsanamexxxx'

Environment

Release : 14.1

Resolution

The problem is related to your custom certs (.pem files) for your DSAs that are in DXHOME/config/ssld/personalities folder while at the same time to use the certs you have configured 'ssl-auth' in your DSA's KNOWLEDGE .dxc file as part of 'auth-levels' parameter.

The DSA certs must have the 'subject' matching the 'dsa-name' paramter that you have in KNOWLEDGE .dxc file.

i.e. you may have:

set dsa "democorp" =
{
    prefix        = <c au><o democorp>
    dsa-name      = <c au><o democorp><cn "democorp">
    dsa-password  = "secret"
    address       = ipv4 "hostname" port 12345
    disp-psap     = DISP
    snmp-port     = 12345
    console-port  = 12346
    auth-levels   = anonymous, clear-password, ssl-auth
    trust-flags   = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations
};

Soultion would be to either....

1) Temporarily remove 'ssl-auth' from the 'auth-levels' paramter and restart the DSAs.
2) While the above will work, you can work on obtaining new certs where the 'subject' of the certificate is matching what the 'dsa-name' is defined with. Once put in place, add 'ssl-auth' back in the configuration file and you will be good to use SSL protocol.