This tool is intended to help repair a Ping Identity server topology that has been broken by replacing the listener certificate for an instance without first updating the topology registry to include information about that certificate. The topology registry is used as a source of trust information for inter-server communication, and if a listener certificate is replaced without updating the topology registry, then other instances in the topology will not trust the new certificate and will refuse to connect to it.
To avoid such problems in the future, please use the replace-certificate tool to perform all the necessary processing when updating a server's listener certificate. In older versions of the server that don't provide this tool, carefully read the documentation for the appropriate set of steps to complete manually.
The tool will establish connections to each server in the topology, collecting the certificates that they present during TLS negotiation for LDAPS, LDAP+StartTLS, and HTTPS. It will then examine the topology registry for each server to identify any updates that need to be made, and will optionally attempt to apply those updates.
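To see for yourself what each listener is presenting before (or after) running the tool, the following script performs the collection step described above with nothing but the Python standard library: it opens LDAPS and HTTPS connections, issues the RFC 4511 StartTLS extended operation on the plain LDAP port, and records the SHA-256 fingerprint of the leaf certificate each listener presents, then reports any listener whose fingerprint differs from the one the rest of the topology expects. This is an added example written for this page; it is not code from the repair-topology-listener-certificates tool or from Ping Identity. The hostnames, listener ports, and the expected fingerprints (which you would take from the trust store you pass as --trustStorePath) are assumptions to replace with your own values.

```python
"""Collect the listener certificate each instance presents on LDAPS, LDAP+StartTLS
and HTTPS and flag the ones the topology does not expect. Example code for this page."""
import hashlib
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def build_starttls_request(message_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    oid = STARTTLS_OID.encode("ascii")
    request_name = bytes([0x80, len(oid)]) + oid                   # [0] LDAPOID
    ext_request = bytes([0x77, len(request_name)]) + request_name  # [APPLICATION 23]
    msg_id = bytes([0x02, 0x01, message_id])                       # INTEGER messageID
    return bytes([0x30, len(msg_id) + len(ext_request)]) + msg_id + ext_request


def _ber_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def starttls_result_code(response):
    """Extract the LDAP resultCode from an ExtendedResponse (0 means StartTLS accepted)."""
    tag, message, _ = _ber_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _ber_tlv(message, 0)        # skip messageID
    tag, ext, _ = _ber_tlv(message, pos)
    if tag != 0x78:                         # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _ber_tlv(ext, 0)
    if tag != 0x0A:                         # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def fingerprint(pem_cert):
    """Colon-separated SHA-256 fingerprint of a PEM certificate, as keytool/openssl print it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fetch_leaf_cert(host, port, starttls=False, timeout=10):
    """Return the PEM leaf certificate presented on host:port.
    Validation is deliberately off: the goal is to see what is presented, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:
            sock.sendall(build_starttls_request())
            code = starttls_result_code(sock.recv(4096))  # response is a few dozen bytes
            if code != 0:
                raise RuntimeError(f"{host}:{port} refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def find_mismatches(presented, expected):
    """presented: {(host, port, listener): fingerprint}; expected: {host: fingerprint}.
    Returns (host, port, listener, presented_fp, expected_fp) for every listener that differs."""
    return sorted(
        (host, port, listener, fp, expected.get(host))
        for (host, port, listener), fp in presented.items()
        if fp != expected.get(host)
    )


if __name__ == "__main__":
    # Assumed instances and listener ports; replace with the servers in your topology.
    TOPOLOGY = ["ds1.example.com", "ds2.example.com"]
    LISTENERS = [(636, "LDAPS", False), (389, "LDAP+StartTLS", True), (443, "HTTPS", False)]
    # Assumed: fingerprints of the certificates the other instances currently trust,
    # e.g. taken from the trust store you pass as --trustStorePath.
    EXPECTED = {"ds1.example.com": "<fingerprint>", "ds2.example.com": "<fingerprint>"}
    presented = {}
    for host in TOPOLOGY:
        for port, name, use_starttls in LISTENERS:
            try:
                presented[(host, port, name)] = fingerprint(fetch_leaf_cert(host, port, use_starttls))
            except (OSError, RuntimeError, ValueError) as exc:
                print(f"{host}:{port} ({name}): failed: {exc}")
    for host, port, name, got, want in find_mismatches(presented, EXPECTED):
        print(f"{host}:{port} ({name}) presents {got}, topology expects {want}")
```

A listener that shows up in the mismatch list is exactly the case the tool exists to repair: the instance presents a certificate its peers have no trust information for. Running this after the repair, with EXPECTED updated to the new fingerprints, confirms that every listener (not only LDAPS) is presenting the certificate you intended.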
Invokes this tool in interactive mode, in which it prompts for all of the information needed to run.
repair-topology-listener-certificates
Establishes a secure connection to the specified instance, retrieving information about all of the instances in the topology, identifying any listener certificate updates that may be needed, and writing them to LDIF files in a newly created subdirectory. It will not attempt to actually update the topology registry.
repair-topology-listener-certificates --hostname ds1.example.com --port 636 \
     --useSSL --trustStorePath /path/to/ds1/trust/store \
     --bindDN "cn=Directory Manager" --bindPasswordFile /path/to/password.txt \
     --dryRun
-V
--version
Description | Display Directory Server version information |
-H
--help
Description | Display general usage information |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
Default Value | localhost |
Required | Yes |
Multi-Valued | No |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
--defaultTrust
Description | Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. This disables certificate validation for the tool's own connections, so prefer --trustStorePath or --defaultTrust where possible. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
-T {password}
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
--verifyCertificateHostnames
Description | Indicates that the tool should verify that the hostname or IP address used to establish connections to the LDAP server matches an address for which the server's TLS certificate was issued. |
-N {nickname}
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
--enableSSLDebugging
Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'. |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
--outputDirectory {path}
Description | The path to a directory to which output files will be written, including a log file with detailed information about the processing performed by this tool and LDIF files with any changes to be applied. If this is not specified, a new directory will be created in the current working directory with a name of 'repair-topology-listener-certificates-{timestamp}'. |
Required | No |
Multi-Valued | No |
--forceAsMasterDelay {delay}
Description | The amount of time to wait after forcing the server to act as the topology master before attempting to update topology data in that instance. If specified, the value should consist of an integer followed by a time unit. If this is not provided, a default of '10 seconds' will be used. A value of '0 seconds' indicates that no delay should be used. |
Required | Yes |
Multi-Valued | No |
-n
--dryRun
Description | Identify any updates that need to be applied to the topology registry, but do not actually attempt to apply any updates. The changes will be written as LDIF files in the output directory. |
--interactive
Description | Launch the tool in interactive mode. |