Symantec Access Management

  • 1.  CA Directory - dsa-password

    Broadcom Employee
    Posted Jun 30, 2016 07:34 AM

    Hi Team,

    Greetings.


    I have a few queries related to "dsa-password" command in CA Directory.

    1.  How is the "dsa-password" command used to communicate with other DSAs during replication?

    2.  Do we need to supply the same password string for all the DSAs participating in replication?


    Thanks and Regards,

    GS

    Srinivasu G



  • 2.  Re: CA Directory - dsa-password
    Best Answer

    Posted Jun 30, 2016 06:56 PM

    When a DSA needs to communicate with another DSA (either for chaining or replication) it will create a link. In X.500, this is called a DSP (Directory System Protocol) link. X.500 defines a directory service allowing multiple DSAs to service requests from a single entry point. There are 3 types of DSP link that can be created between 2 DSAs, one for each level of authentication (anonymous, clear-password, ssl-auth).


    The authentication level is determined by how a client has authenticated against the directory. For example, if a client has connected via LDAP using a userDN/password, then this request will be sent over a DSP clear-password authenticated link.


    The reason I've gone into this level of detail is that the "dsa-password" field is used when creating a DSP link at the clear-password authentication level.


    DSA A knowledge (Host 1 & Host 2)

    • prefix = <c AU><o CA>
    • address = "1.1.1.1"
    • dsa-name = <c AU><o CA><cn "DSA A">
    • dsa-password = "passwordA"
    • auth-levels = anonymous, clear-password, ssl-auth

    DSA B knowledge (Host 1 & Host 2)

    • prefix = <c AU><o CA>
    • address = "1.1.1.2"
    • dsa-name = <c AU><o CA><cn "DSA B">
    • dsa-password = "passwordB"
    • auth-levels = anonymous, clear-password, ssl-auth


    Example

    • LDAP bind to DSA A using userDN/password
    • LDAP sends modify request to DSA A
    • DSA A performs the update
    • DSA A replicates the update
    • DSA A creates a clear-password authenticated DSP link, as the original request was sent in at this level
    • DSA A creates a DSP bind request using the "dsa-name" and "dsa-password" from its own knowledge file (DSA A), in this case name = <c AU><o CA><cn "DSA A">, password = "passwordA"
    • DSA B receives the bind request
    • DSA B firstly checks if it has a knowledge file with the same "dsa-name" and finds "DSA A"
    • If DSA B finds a match then it will check that the "dsa-password" received matches the local copy "passwordA"
    • If the "dsa-password" matches, DSA B checks the address against the address "1.1.1.1" that the bind request was received on
    • If the address check passes then a DSP bind confirm is sent back to DSA A
    • Once the link is created the update will be replicated from DSA A to DSA B


    In summary,

    • The "dsa-password" is used when DSAs need to create links with each other
    • For each copy of a knowledge file, the "dsa-password" needs to be the same, for example, each host should have the same version of knowledge/dsaA.dxc
    • The "dsa-password" is only used for clear-password authenticated links
    • The "dsa-password" can differ between DSAs, but not the same DSA knowledge on different machines. Typically most customers just leave this the same for all DSAs
    • The "dsa-password" can be obfuscated using the output of "dxpassword -P CADIR password"


    Note: DSP links are shared between users, that is requests received from multiple LDAP clients will be sent down the same DSP link.
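    The bind sequence in the answer above, written out as a small Python model. This is an added example, not CA Directory code or anything from the original post: the knowledge entries are built from the values shown in the answer, the `DspBind` record and the order of the three checks (dsa-name lookup, dsa-password compare, address compare) follow the listed steps rather than the real DSP wire encoding, and treating the "address the bind request was received on" as the source address of the request is an assumption. A second, deliberately stale copy of DSA A's knowledge on Host 2 (constructed here) shows why every host must carry the same version of knowledge/dsaA.dxc.

```python
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Knowledge:
    """One DSA knowledge entry, the fields shown in the answer."""
    prefix: str
    address: str
    dsa_name: str
    dsa_password: str
    auth_levels: frozenset


@dataclass(frozen=True)
class DspBind:
    """A DSP bind request as modelled here (not the real wire encoding)."""
    auth_level: str
    dsa_name: str
    dsa_password: str
    source_address: str  # assumption: address the receiving DSA saw the request come from


ALL_LEVELS = frozenset({"anonymous", "clear-password", "ssl-auth"})

# Constructed from the two knowledge files in the answer.
DSA_A = Knowledge("<c AU><o CA>", "1.1.1.1", '<c AU><o CA><cn "DSA A">', "passwordA", ALL_LEVELS)
DSA_B = Knowledge("<c AU><o CA>", "1.1.1.2", '<c AU><o CA><cn "DSA B">', "passwordB", ALL_LEVELS)

# Host 1 holds consistent copies of both knowledge files.
HOST1_KNOWLEDGE = {DSA_A.dsa_name: DSA_A, DSA_B.dsa_name: DSA_B}

# Host 2 holds a stale dsaA.dxc with an old dsa-password (constructed to show the failure).
STALE_DSA_A = Knowledge(DSA_A.prefix, DSA_A.address, DSA_A.dsa_name, "oldPasswordA", ALL_LEVELS)
HOST2_KNOWLEDGE = {DSA_A.dsa_name: STALE_DSA_A, DSA_B.dsa_name: DSA_B}


def build_bind(own: Knowledge, client_auth_level: str) -> DspBind:
    """The initiating DSA builds the bind from its own knowledge entry; the link
    level is the level at which the original client request arrived."""
    return DspBind(client_auth_level, own.dsa_name, own.dsa_password, own.address)


def check_bind(local_knowledge: dict, bind: DspBind) -> tuple:
    """The receiving DSA's checks, in the order the answer lists them.
    Returns (accepted, reason). Only the clear-password link is modelled, since
    that is the only level at which dsa-password is used."""
    if bind.auth_level != "clear-password":
        return False, "auth level %r not modelled here" % bind.auth_level
    # 1. Is there a local knowledge file with the same dsa-name?
    peer = local_knowledge.get(bind.dsa_name)
    if peer is None:
        return False, "no knowledge file for dsa-name"
    # 2. Does the received dsa-password match the local copy? (constant-time compare)
    if not hmac.compare_digest(bind.dsa_password.encode(), peer.dsa_password.encode()):
        return False, "dsa-password mismatch with local knowledge"
    # 3. Did the request arrive from the address recorded for that DSA?
    if bind.source_address != peer.address:
        return False, "source address does not match knowledge address"
    return True, "DSP bind confirm"


if __name__ == "__main__":
    bind = build_bind(DSA_A, "clear-password")
    print("Host 1:", check_bind(HOST1_KNOWLEDGE, bind))  # accepted
    print("Host 2:", check_bind(HOST2_KNOWLEDGE, bind))  # rejected: stale dsaA.dxc
```

Running it shows the same bind from DSA A accepted by the DSA B instance on Host 1 and rejected by the one on Host 2, which is the replication failure you get when one host's copy of a knowledge file carries a different dsa-password; an obfuscated value produced with dxpassword must likewise be identical in every copy.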



  • 3.  Re: CA Directory - dsa-password

    Broadcom Employee
    Posted Jul 01, 2016 01:20 AM

    Hi Justin,

    Greetings.


    Thanks for the detailed explanation regarding the communication between DSAs.


    Thanks and Regards,

    GS