DbEnv::repmgr_set_ssl_config()

#include <db_cxx.h>
 
int
DB_ENV->repmgr_set_ssl_config(DB_ENV *env, u_int32_t which,
    const char *value);

The DB_ENV->repmgr_set_ssl_config() method configures the SSL support for Berkeley DB Replication Manager Messaging.

The SSL support for Replication Manager may also be configured using the environment's DB_CONFIG file (https://docs.oracle.com/cd/E17275_01/html/programmer_reference/env_db_config.html#env_db_config.DB_CONFIG). The syntax of the entry in that file is a single line with the string repmgr_set_ssl_config, one or more whitespace characters, the name of the parameter to be configured, one or more whitespace characters, and finally the value of the SSL configuration parameter. For example:

repmgr_set_ssl_config DB_REPMGR_SSL_CA_CERT ./mycerts1/cacerts/cacert.pem

Because the DB_CONFIG file is read when the database environment is opened, it will silently overrule configuration done before that time.

The DB_ENV->repmgr_set_ssl_config() method may not be called before the DB_ENV->open() method is called to open the local environment. This method should be called before the DB_ENV->repmgr_start() method is called.

The DB_ENV->repmgr_set_ssl_config() method returns a non-zero error value on failure and 0 on success.

Parameters

Value

This parameter must be set to the value corresponding to the option selected for the Which parameter.

Which

This parameter must be set to one of the following values:

  • DB_REPMGR_SSL_CA_CERT:

    The value for this parameter is used to configure the path to the CA certificate or the CA-chain certificate file whose private key was used to sign the replication node certificate. This certificate is used to verify the certificate provided by the peer. If the peer certificate has been signed by the private key of this certificate, verification passes.

    Note that either DB_REPMGR_SSL_CA_CERT or DB_REPMGR_SSL_CA_DIR must be provided, otherwise an error is raised by the Replication Manager.

    Only a single file can be specified using this option. In case of multiple calls, the latest value specified before DB_ENV->repmgr_start() will be used. The certificate must be in .pem format.

  • DB_REPMGR_SSL_CA_DIR:

    The value for this parameter is used to configure the path to the directory containing the root and intermediate CA certificates. This directory should contain all individual certificates in the chain used to sign the peer certificate.

    • If the CA file or the CA chain file was provided by using the DB_REPMGR_SSL_CA_CERT option, this API need not be called with this option.

    • c_rehash (an openssl utility) must be run in the target directory before the path of that directory is provided through a call to this API.

    • Only a single directory can be specified using this option. In case of multiple calls, the latest value specified before DB_ENV->repmgr_start() will be used.

  • DB_REPMGR_SSL_REPNODE_CERT:

    The value for this parameter is used to specify the path of the certificate that represents the replication node and will be used for authentication and SSL connection negotiation. This certificate is signed by the previously mentioned CA certificate(s) or intermediate CA certificates. The certificate must be in .pem format. This configuration parameter is not optional.

  • DB_REPMGR_SSL_REPNODE_PRIVATE_KEY:

    The value for this parameter is used to configure the path to the private key corresponding to the certificate being used for authentication by this replication node. If both the private key and the certificate are output to a single file, the value for this parameter will be the same as the certificate file provided. This configuration parameter is not optional. The certificate must be in .pem format.

  • DB_REPMGR_SSL_REPNODE_KEY_PASSWD:

    The value for this parameter is used to configure the password for the private key corresponding to the certificate being used for authentication by this replication node. Note that if an unsecured private key file (one without a password) is being used, there is no need to specify this parameter.

  • DB_REPMGR_SSL_VERIFY_DEPTH:

    If multiple intermediate CAs are being used, then upon SSL connection negotiation each certificate in the chain is verified. This value specifies the number of levels after which the verification will fail.

    This configuration parameter is optional. The default value is 9.
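The requirements listed above can be checked against a DB_CONFIG file before a node is deployed. The following Python check is an added example, not part of the Berkeley DB documentation or distribution; the function name lint_ssl_config, the sample paths and password, and the assumption that repeated DB_CONFIG entries behave like repeated API calls (last value wins) are illustrative.

```python
KNOWN = {
    "DB_REPMGR_SSL_CA_CERT", "DB_REPMGR_SSL_CA_DIR",
    "DB_REPMGR_SSL_REPNODE_CERT", "DB_REPMGR_SSL_REPNODE_PRIVATE_KEY",
    "DB_REPMGR_SSL_REPNODE_KEY_PASSWD", "DB_REPMGR_SSL_VERIFY_DEPTH",
}
REQUIRED = ("DB_REPMGR_SSL_REPNODE_CERT", "DB_REPMGR_SSL_REPNODE_PRIVATE_KEY")


def lint_ssl_config(text):
    """Return (effective, problems) for the repmgr_set_ssl_config lines in text."""
    effective, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 2)
        if not fields or fields[0] != "repmgr_set_ssl_config":
            continue  # other DB_CONFIG entries are out of scope here
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 'repmgr_set_ssl_config NAME VALUE'")
            continue
        name, value = fields[1], fields[2].strip()
        if name not in KNOWN:
            problems.append(f"line {lineno}: unknown parameter {name}")
            continue
        if name in effective:
            # Assumption: repeated entries behave like repeated API calls (last wins).
            problems.append(f"line {lineno}: {name} repeated, earlier value is overridden")
        effective[name] = value
    if not {"DB_REPMGR_SSL_CA_CERT", "DB_REPMGR_SSL_CA_DIR"} & effective.keys():
        problems.append("missing CA: set DB_REPMGR_SSL_CA_CERT or DB_REPMGR_SSL_CA_DIR")
    for name in REQUIRED:
        if name not in effective:
            problems.append(f"missing required {name}")
    depth = effective.setdefault("DB_REPMGR_SSL_VERIFY_DEPTH", "9")  # documented default
    if not depth.isdigit():
        problems.append(f"DB_REPMGR_SSL_VERIFY_DEPTH is not a number: {depth}")
    if "DB_REPMGR_SSL_REPNODE_KEY_PASSWD" in effective:
        problems.append("key password is stored in cleartext in DB_CONFIG; restrict file permissions")
    return effective, problems


# Constructed sample DB_CONFIG contents (paths and password are placeholders).
SAMPLE = """\
set_cachesize 0 1048576 1
repmgr_set_ssl_config DB_REPMGR_SSL_CA_CERT ./certs/old-ca.pem
repmgr_set_ssl_config DB_REPMGR_SSL_CA_CERT ./certs/cacert.pem
repmgr_set_ssl_config DB_REPMGR_SSL_REPNODE_CERT ./certs/node1.pem
repmgr_set_ssl_config DB_REPMGR_SSL_REPNODE_KEY_PASSWD example-only
"""

if __name__ == "__main__":
    config, findings = lint_ssl_config(SAMPLE)
    print(config)
    print("\n".join(findings))
```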

Errors

The DB_ENV->repmgr_set_ssl_config() method may fail and return one of the following non-zero errors:

EINVAL

If an invalid flag value or parameter was specified, or if repmgr_set_ssl_config() was called after Replication Manager has been started.

Class

DbEnv

See Also

Replication and Related Methods