Creating a Synchronous Shadow DSA

Recall from the section “Replication Services” in the chapter “Introducing DirX Directory” in the DirX Directory Introduction that DirX Directory supports two types of replication protocol for shadowing configurations:

Asynchronous shadowing, which returns a DAP or LDAP client’s update operation immediately after the master DSA commits the operation. Asynchronous shadowing protocol supports highly flexible replication area definitions and allows a high rate of update operations between supplier and consumer DSAs, even over long distances, but can lead to loss of recent update operations at the consumer DSAs if the master DSA fails.
Synchronous shadowing, which returns a DAP or LDAP client’s update operation only after the master DSA and all synchronous consumer DSAs have committed the operation. Synchronous shadowing protocol prevents data loss in the event of master DSA failure, but supports a lower rate of update operations between supplier and consumer DSAs and limits replication area flexibility.

The chapter “Creating a Shadow DSA” describes how to set up a floating-master shadow configuration that uses the asynchronous type of DirX Directory replication protocol. This chapter describes how to set up a floating-master shadow configuration that uses both asynchronous and synchronous shadowing protocols.

The sample shadow configuration described in this chapter builds on the sample scenarios described in the chapters “Creating a Shadow DSA”, “Distributing the DIT Across Multiple DSAs” and “Multireplication”. We suggest you read these chapters to familiarize yourself with shadowing, distribution and replication concepts and procedures before reading this chapter.

This chapter continues to use the fictitious company “My-Company” to illustrate the planning decisions and administrative tasks necessary to set up this sample shadow configuration.

Understanding Asynchronous and Synchronous Shadowing

Asynchronous and synchronous shadowing protocols each have benefits and drawbacks that must be evaluated before deciding whether and how to use them in a floating-master shadow configuration.The next sections describe these issues.

Understanding Asynchronous Shadowing

As mentioned in the section “Replication Services” in the chapter “Introducing DirX Directory” in the DirX Directory Introduction, asynchronous shadowing allows for complete flexibility with regard to defining the replication area, including attribute and object class selection, the type of updates performed, the update mode, and other aspects of configuration.The protocol supports high update operation rates, even at long distances between supplier and consumer DSA; however, if a supplier DSA outage occurs, recent update operations may be lost at consumer DSAs.

Recall from the chapter “Creating a Shadow DSA” that at the time of total update, the DSA replicates entries and their attributes starting with the context prefix or a subtree below it as specified in the shadowing agreement information.After the total update occurs, every update in the tree that matches the specific shadowing agreement information initiated via DAP, DSP or DISP is also replicated.Recall, too, that changes made via RPC are not replicated; this means that changes made with dirxadm, such as deletion, creation and modification of entries in the tree and changes to audit and database configuration are not replicated to consumer DSAs.

The following figure illustrates asynchronous shadowing protocol flow.In the example, the LDAP client is connected to DSA1.

Figure 1. Asynchronous Shadowing Protocol Flow

As shown in the figure:

In step 1, the LDAP client transmits the LDAP modify operation request to the LDAP server.
In step 2, the LDAP server transmits the DAP modify operation request to shadow DSA1.
In step 3, shadow DSA1 transmits a DSP request to the master DSA.
In steps 4 and 5, the master DSA performs the modify operation, writes the changes into the translog device and then into the journal.
In step 6, the master DSA transmits the DSP result to shadow DSA1.
In step 7, shadow DSA1 transmits the DAP result to the LDAP server.
In step 8, the LDAP server transmits the LDAP result to the LDAP client.
Steps ~9 through ~11 are processed simultaneously:
- In step ~9, the master DSA transmits the DISP incremental shadow update request to the shadow DSAs. The update shadow can contain multiple incremental update operations.
- In step ~10, the shadow consumer DSAs perform the update operation(s) locally and then write the changes into their translog device.
- In step ~11, the shadow consumer DSAs transmits the DISP results to the master DSA. This transmission can be delayed since it is possible to acknowledge multiple update operations with one PDU.

As you can see from this example, the LDAP client receives the result after the master DSA has committed the transaction but before the asynchronous shadow consumer DSAs have performed this operation locally. This principle is good for high update operation rates, but recent update operations can be lost at the asynchronous consumer DSAs if a master DSA outage occurs.

Understanding Synchronous Shadowing

Synchronous shadowing is designed to replicate the complete DIT of a DirX Directory service to full shadow DSAs in a fast and efficient way. The underlying protocol is synchronous: a DAP or LDAP client receives the result of an update operation only after the master DSA and all of the synchronous consumer DSAs have committed it. Synchronous shadowing operates at a lower update operations rate than asynchronous shadowing in favor of synchronized data. The main advantages of synchronous replication are:

There is zero data loss in the event of master DSA outage.
Data safety is always ensured. DAP/DSP/LDAP update operation is returned after master DSA and synchronous consumer DSAs have committed transaction. A read operation (that is search, read, list or compare request) after update operation delivers correct result if DAP/LDAP client is connected either to the master DSA or to a synchronous consumer DSA.
Data synchronicity management delivers the correct search result as long as no network error occurs. If, for any reason, a synchronous consumer DSA’s data is not synchronized with the master DSA’s data, the read operation is automatically chained to the master DSA.

Synchronous shadowing agreement configuration offers fewer options than asynchronous shadowing:

The complete DIT starting at the root DSE (/) and including all object classes and all attributes must always be replicated. The -agreement option in the dirxadm sob create command is not used. (See the dirxadm sob create operation in the DirX Directory Administration Reference for details.)
Incremental changes must always be replicated on change. Synchronous shadowing does not permit scheduled agreements.
The total update can be propagated with DISP or by media. However, if a total update is required - for example, after an error recovery - it is always performed via DISP automatically without administrator intervention and independently from the configured settings.
The automatic total update parameter specified in SOB-Policies should always be set to TRUE. We recommend this setting because it guarantees unattended data adjustment from supplier DSA to consumer DSA after an emergency switch.
The REPLS subcomponent of the consumer policy must always be set to TRUE.

Although synchronous shadow agreement configuration is limited, DirX-Directory-compliant asynchronous shadowing agreements like the samples discussed in the chapter “Creating the Shadow DSA” (the disp_type value in the –consumerkind option is CENTRALADMIN) and X.500-compliant shadowing agreements (the disp_type value in the –consumerkind option is X500) can co-exist in a shadowing configuration as long as different DSAs are affected and the REPLS subcomponent of the DirX-Directory-compliant/asynchronous shadowing agreement is always FALSE; that is, you can administer DirX-Directory-compliant/asynchronous shadowing agreements and X.500 shadowing agreements for consumer DSAs if they don’t participate in synchronous shadowing.

At the time of total update, the DSA replicates the complete DIT, starting with the root DSE, to all consumer DSAs that participate in synchronous shadowing. After the total update occurs, every update in the tree initiated via DAP, DSP and LDAP is also replicated. As with asynchronous shadowing, changes made via RPC are not replicated; this means that changes made with dirxadm, such as deletion, creation and modification of entries in the tree and changes to audit and database configuration are not replicated to consumer DSAs.

How Synchronous Shadowing Works

The following figure illustrates synchronous shadowing protocol flow. In the example, the LDAP client is connected to DSA1.

Figure 2. Synchronous Shadowing Protocol Flow

As shown in the figure:

In step 1, the LDAP client transmits LDAP modify operation request to the LDAP server.
In step 2, the LDAP server transmits DAP modify operation request to shadow DSA1.
In step 3, shadow DSA1 transmits a DSP request to the master DSA.
In steps 4 and 5, the master DSA performs a modify operation, writes changes into the translog device and then into the journal.
In steps 6 and 6’, the master DSA transmits the DISP update shadow to the shadow DSAs.
In steps 7 and 7’, the shadow DSAs perform the modify operation locally and then write changes into their transaction logs.
In steps 8 and 8’, the shadow DSAs transmit the DISP result PDU to the master DSA.
In step 9, the master DSA transmits the DSP result to the shadow DSAs. The DSP result is successful independent of the results of the shadow DSAs because the update operation performed without error at the master DSA.
In step 10, shadow DSA1 transmits the DAP result to the LDAP server.
In step 11, the LDAP server transmits the result to the LDAP client.

As you can see from this example, the LDAP client receives the result after the master DSA and all synchronous shadow consumer DSAs have committed the transaction. This principle is good for zero data loss in the event a master DSA outage occurs, but it operates at lower operation rates compared to asynchronous shadowing.

How Data Synchronicity is Managed

Another aspect of synchronous shadowing protocol is the status of data synchronicity at the consumer DSAs. To manage this situation, the master DSA assigns a modification sequence number (MSN) to each update operation—an add, delete modify or modifyDN request—made in the master DSA. The MSN is incremented with every update operation and is stored in the following locations:

The recent MSN, which always keeps the highest MSN. The recent MSN is stored in the operational attribute DirX Directory Recent MSN (dirxRecentMSN) in the global subentry /CN=DirXDBVersionSubentry. This subentry and its operational attributes are also administered by the synchronous consumer DSAs.
The entry MSN, whose value equals the value of the recent MSN at the time of the update operation. The entry MSN is stored in the created/modified entry in the operational attribute (DirX Directory Entry MSN (dirxEntryMSN)).
The operation MSN, whose value equals the value of the entry MSN. The operation MSN is stored in the journal along with the update operation.
The delta MSN, which is the difference between the recent MSN and the operation MSN calculated at the time at which the master DSA transmits the incremental update to the synchronous consumer DSA and is also part of the update PDU in addition to the update request. A value of 0 indicates a synchronous consumer DSA’s data is synchronized with the master DSA’s data.

A synchronous consumer DSA uses the following mechanisms to manage its data synchronicity status:

When it receives a total update, it sets its data synchronicity status to FALSE.
When it receives an incremental update, it sets its data synchronicity status depending on the value of the delta MSN: a value of 0 sets data synchronicity to TRUE, while any other value sets data synchronicity to FALSE.
It polls the value of the recent MSN at the master DSA and then compares it with its own value. A difference between master and consumer values sets the data synchronicity status to FALSE.

When a synchronous consumer DSA starts to receive a total update, it sets its data synchronicity status to FALSE. Once the total update has completed, it changes its data synchronicity status to TRUE if no outstanding incremental updates exist. If outstanding incremental updates exist, the master DSA starts to transfer them. When the synchronous consumer DSA receives a delta MSN with the value 0, it changes its data synchronicity status to TRUE.

Administrators can determine a synchronous consumer DSA’s current synchronicity status with the operational attribute DirX Directory In Sync (dirXInSync). This value is stored in the subentry /CN=DirXDBVersionSubentry and is always maintained by the DSA when it is part of a synchronous shadowing configuration. The administrator can use the dirxadm sob show command on the master DSA to display the current value of DirX Directory In Sync for a synchronous consumer DSA. The section “Monitoring Data Synchronicity Status” provides an example in the context of the My-Company synchronous shadowing scenario.

Administrators can monitor changes to a consumer DSA’s synchronicity status in the following places:

In the DSA’s log file
In the DSA’s audit file
Via SNMPv2 traps

The chapter “Monitoring DirX Directory” provides more information about these monitoring tools, and the section “Monitoring Data Synchronicity Status” in this chapter provides some examples.

How Data Synchronicity Status Affects Read Operation Service Controls

In synchronous shadowing, a read operation from a synchronous consumer DSA is as good as from the master DSA if the synchronous consumer DSA’s data synchronicity status is TRUE. Thus, the data synchronicity status impacts a synchronous consumer DSA’s search engine by overriding the COPYSHALLDO service control. The following table shows this behavior when the DONTUSECOPY service control is FALSE and the LOCALSCOPE service control is FALSE:

COPYSHALLDO Value	Synchronous Consumer DSA Synchronicity Status	Consumer DSA to Master DSA Bind Status Synchronization	Origin of Read Operation
TRUE	TRUE	Connected	Sync. consumer
TRUE	FALSE	Connected	Master via DSP b)
TRUE	TRUE a)	Not connected	Sync. consumer
TRUE	FALSE	Not connected	Sync. consumer
FALSE	TRUE	Connected	Sync. consumer c)
FALSE	FALSE	Connected	Master via DSP
FALSE	FALSE	Not connected	Error d)
FALSE	TRUE a)	Not connected	Sync. consumer c)

COPYSHALLDO Value

Synchronous Consumer DSA Synchronicity Status

Consumer DSA to Master DSA Bind Status Synchronization

Origin of Read
Operation

TRUE

Connected

Sync. consumer

TRUE

FALSE

Connected

Master via DSP b)

TRUE

TRUE a)

Not connected

Sync. consumer

TRUE

FALSE

Not connected

Sync. consumer

FALSE

TRUE

Connected

Sync. consumer c)

FALSE

Connected

Master via DSP

FALSE

Not connected

Error d)

FALSE

TRUE a)

Not connected

Sync. consumer c)

As shown in the table:

If the network connection to the master DSA fails, the synchronous consumer DSA has compared its recent MSN value with that of other synchronous consumer DSAs. If its value is not lower than the value of any other synchronous consumer DSA, its data synchronicity status remains TRUE; otherwise, its data synchronicity status becomes FALSE.
The service control is overruled. An asynchronous consumer DSA would return the result of the read operation from the consumer DSA. A synchronous consumer DSA chains a read operation to the master DSA since its data synchronicity status is set to FALSE and could potentially return inaccurate results.
The service control is overruled. An asynchronous consumer DSA would chain the read operation to the master DSA. A synchronous consumer DSA performs the read operation locally since its data synchronicity status is set to TRUE and returns accurate results as a master DSA would do.
The synchronous consumer DSA returns an LDAP UNAVAILABLE error.

As you can see from the information in the table, as long as there is no network failure, a DAP or LDAP client that is connected to a synchronous consumer DSA always sees an accurate search result.

How Paging is Handled in a Synchronous Shadowing Environment

Based on the synchronicity status and the service control configuration, paged search operations can be executed on the consumer DSA or chained to the master via DSP. See the section “How Data Synchronicity Status Affects Read Operation Service Controls” for details. A resume information, which stores information about where to continue when the next page is requested is generated in the DSA that executes the first page request. As the resume information is stored in the memory of the DSA, no other DSA has any knowledge of it, so next page requests cannot be successfully executed on other DSAs. To ensure that subsequent next page requests are executed on the originator of the paged search operation, the DSA stores its role in the generated query reference. Based on this query reference, actual synchronicity status will be overridden and the request will be executed on the originator DSA.

As DSA roles are swapped when a switch occurs, generated query references would contain an incorrect role. Consequently, stored query references are invalidated on sob switch operations in the involved DSAs. See the description of “sob switch” in the Administration Reference for details.

How Errors are Processed at the Consumer DSA

If the synchronous consumer DSA can’t perform an update operation due to some local error, it returns a shadow error to the master DSA and sets its data synchronicity status to FALSE. Depending on the service control settings, subsequent read operations are automatically chained to the master DSA to return an accurate result. The master DSA starts its error recovery procedure as defined in the shadowing initiator policies. If the error at the synchronous consumer is a temporary one (for example, a memory shortage) then it may not appear in subsequent re-tries and incremental updates can be performed again successfully. When the synchronous consumer DSA’s data becomes synchronized again, read operations are performed locally without administrator intervention. If the error is permanent, administrator intervention is required.

How Errors and Timeouts are Processed at the Master DSA

The master DSA keeps track of the data synchronicity status of each synchronous consumer DSA. After a synchronous shadow agreement is created, the master DSA first propagates a total update to the synchronous consumer DSA and then subsequently propagates all outstanding incremental updates. The data synchronicity status for that specific synchronous consumer DSA changes to TRUE. When a master DSA transmits an incremental update to synchronous consumer DSAs, it waits for a result from each synchronous consumer DSA whose data synchronicity status is TRUE. The master DSA proceeds differently depending on the result, as shown in the following table.

Incremental update result	Procedure
SUCCESSFUL	No status change.
Shadow error (synchronous consumer DSA processed update and returns error)	Change data synchronicity status to FALSE. Start error recovery procedure b)
Network error	Change data synchronicity status to FALSE. Start error recovery procedure b)
TIMEOUT a)	Change data synchronicity status to FALSE. Continue to wait for result until SUCCESSFUL, shadow error or network error received.

Incremental update result

Procedure

SUCCESSFUL

No status change.

Shadow error (synchronous consumer DSA processed update and returns error)

Change data synchronicity status to FALSE.

Start error recovery procedure b)

Network error

Change data synchronicity status to FALSE.

Start error recovery procedure b)

TIMEOUT a)

Change data synchronicity status to FALSE.

Continue to wait for result until SUCCESSFUL, shadow error or network error received.

As indicated in the table:

The master DSA monitors the time it spends waiting to receive a synchronous consumer DSA’s incremental update result. If a given time interval is exceeded, the master DSA raises a TIMEOUT error. Administrators can configure the maximum waiting time interval with the DirX Directory environment variable DIRX_DSA_SYNC_TIMEOUT. The default value is 5 seconds. See the chapter “DirX Directory Environment Variables” in the DirX Directory Administration Reference for details.
The error recovery procedure starts as defined in the shadow initiator policies. A master DSA typically retries an incremental update until it receives a successful result or the maximum number of retries is reached, at which time it disables the shadowing agreement.

Once the data synchronicity status of synchronous consumer DSA changes to FALSE and the shadowing agreement is not disabled, the master DSA tries to propagate all outstanding incremental updates to the synchronous consumer DSA. If no further errors occur, the synchronous consumer DSA’s data will catch up with the master DSA after a period of time and its data synchronicity status changes back to TRUE. This information is also propagated within the incremental update.

A high data-availability scenario can require at least one synchronous consumer DSA with a data synchronicity status of TRUE to be online at any given time for a master to accept update operations; that is, if you have configured two or more synchronous consumer DSAs, the master DSA should reject an update operation (with the error code “unwilling to perform the operation”) unless at least one of these consumer DSAs is online and has a data synchronicity status of TRUE. Use the DirX Directory environment variable DIRX_FORCE_SYNC_CONSUMER to enable this feature. See the chapter “DirX Environment Variables” in the DirX Directory Administration Reference for details.

Evaluating Asynchronous and Synchronous Shadowing Performance

Synchronous shadowing has a much greater impact on performance than asynchronous shadowing does. Although the performance numbers given in this section are derived from an actual scenario, they serve only for discussion purposes and may not reflect performance numbers in your configuration.

First we’ll look at the response time for a typical modify operation measured at the DirX Directory LDAP server. When asynchronous shadowing is enabled (the disp_type value in the
–consumerkind option is CENTRALADMIN; see the dirxadm sob create operation in the DirX Directory Administration Reference for details), this time may take up to three (3) milliseconds (ms) and includes:

The time required for decoding and encoding the request and result.
The time it takes the DSA to perform the update operation in the local database and write the incremental update into the journal.

Independent of asynchronous consumer DSA performance, a subsequent modify operation will still take about three (3) milliseconds, except for some local performance fluctuations due to disk flushes and so on.

When synchronous shadowing is enabled (the disp_type value in the –consumerkind option is SYNCHRON; see the dirxadm sob create operation in the DirX Directory Administration Reference for details), the response time will be greater since the time for transmitting the incremental update PDU and receiving the result PDU to/from synchronous consumer DSAs is added plus the time for performing the modify operation at synchronous consumer DSA.Thus, response time increases up to six (6) milliseconds.

Another aspect is network latency, which depends on the distance between DSAs, installed network equipment and type of cable, among other items.For example, a fiber optic cable typically brings about 5 microseconds (µs) of latency per kilometer.For longer distances, this value may be even greater due to the deployment of amplifiers or regenerators.In our example, response time may increase up to eight (8) milliseconds (ms) or greater if the cable distance between DSAs is 200 kilometers (km).

Another interesting performance measure is the maximum possible update operations per second within a synchronous shadowing scenario.This number is influenced by many factors, such as system performance, network latency, PDU size and type of modification, and is thus impossible to predict exactly without knowing what these characteristics are.Performance is certainly not the reciprocal of response time, since multiple operations are processed simultaneously.However, you should take into account that the slowest consumer DSA at the greatest distance slows down update operation performance in synchronous shadowing scenario.

Planning the Shadow Configuration

My-Company wants to create a directory service that offers the highest data availability that DirX Directory can provide today.The company operates multiple geographically-separate data centers in Germany and one data center for its subsidiary in Boston.

After evaluating the issues of performance against the issues of high availability described in “Understanding Asynchronous and Synchronous Shadowing”, My-Company decides to implement three DSAs in the Greater Munich area and one DSA in Boston with the following characteristics:

A single master DSA (DSA1) and two synchronous consumer DSAs (DSA2 and DSA3) located in the Greater Munich area within 50 kilometers of each other to minimize network latency.These DSAs build My-Company’s directory data back end and use the synchronous shadowing protocol for replication to ensure the highest level of data integrity.These three DSAs carry the main load of DAP and LDAP requests.DSA2 and DSA3 act as accessible DSAs for load distribution and as online backup for the directory data.They can also be switched to master the directory data if necessary.As a result, DSA1, DSA2 and DSA3 all have the same system configuration for best performance.
One asynchronous DSA (DSA4) located in Boston, Massachusetts to perform DAP and LDAP requests close to the STU subsidiary’s users and applications.This DSA uses asynchronous shadowing protocol due to the great distance between locations.DSA4’s system configuration can differ from the DSAs in Greater Munich to address STU’s requirements.

The following figure illustrates this solution.

Figure 3. My-Company Synchronous Shadow Configuration

Building the Shadow Configuration

To build the configuration, the administrators of DSA1, DSA2, DSA3 and DSA4 first:

Initialize the supplier DSA1 and populate it with My-Company’s directory data.
Initialize the two synchronous consumer DSAs (DSA2 and DSA3) with dbamboot and then start them with empty databases.
Initialize the one asynchronous consumer DSA (DSA4) with dbamboot and then start it with empty database.

The DSA administrators then:

Create the shadowing agreements for the DSAs
Configure the attribute indexes for the DSAs

The next sections describe these procedures.

Creating the Shadowing Agreements

The DSA1 administrator creates the synchronous shadowing agreements for DSA2 and DSA3 on the supplier DSA1. Since synchronous shadowing is applied to these DSAs, their shadowing agreement configuration is as follows:

The complete DIT starting at the root DSE (/) and including all object classes and all attributes is replicated.
The total update can be performed via DISP or by media. For a large number of entries (more than one million), it can be beneficial to perform a total update by media because it may take less time than a total update via DISP. To do so, specify -agreement “CHANGEO=TRUE” in the dirxadm sob create command.
Incremental changes are replicated on change. (Synchronous shadowing does not allow scheduled agreements.)
The automatic total update parameter specified in SOB-Policies is set to TRUE (to guarantee unattended data adjustment from supplier DSA to consumer DSA after an emergency switch).
The REPLS subcomponent of the consumer policy is set to TRUE.

The following dirxadm command creates the synchronous shadowing agreement for DSA2:

sob create \
   -supplier {/CN=DirX-DSA-host1} \
   -supplierpsap
"TS=DSA1,NA='TCP/IP_IDM!internet=123.45.67.91+port=21200',DNS='(HOST=host1,PLAINPORT=21200)'" \
   -consumer {/CN=DirX-DSA-host2} \
   -consumerpsap
"TS=DSA2,NA='TCP/IP_IDM!internet=123.45.67.92+port=21200',DNS='(HOST=host2,PLAINPORT=21200)'" \
   -consumerkind SYNCHRON \
   -agreementid 200 \
   -status cooperative \
   -pol "INI={ATU=TRUE,RMR=60,RI=120},SUPP={US=SEGM-TOTAL-INCR,MAXLOC=512},CONS={REPLS=TRUE}"

The DSA1 administrator uses a similar dirxadm sob create to create the synchronous shadowing agreement for DSA3, specifying the consumer-specific data for DSA3 and an agreement identifier of 300.

Meanwhile, the DSA4 administrator in Boston must also create a shadowing agreement. This agreement is an asynchronous shadowing agreement that:

Replicates the context /O=My-Company and all entries below it.
Sets the REPLS subcomponent of the consumer policy to FALSE, because DSA4 uses asynchronous shadowing (the –consumerkind disp_type option is set to CENTRALADMIN) and only synchronous consumer DSAs can assume mastership of directory data in mixed synchronous and asynchronous shadowing configurations.

The following dirxadm command creates the asynchronous shadowing agreement for DSA4:

sob create \
   -supplier {/CN=DirX-DSA-host1} \
   -supplierpsap "TS=DSA1,NA='TCP/IP_IDM!internet=123.45.67.91+port=21200',DNS='(HOST=host1,PLAINPORT=21200)'" \
   -consumer {/CN=DirX-DSA-host4} \
   -consumerpsap "TS=DSA4,NA='TCP/IP_IDM!internet=198.76.54.40+port=21200',DNS='(HOST=host4,PLAINPORT=21200)'" \
   -consumerkind CENTRALADMIN \
   -agreementid 400 \
   -status cooperative \
   -agreement "SS={AREA={CP={/O=My-Company}, \
                      RA={DEF=TRUE}},ATT={DEF=TRUE}}, \
                      UM={SI={OC=TRUE}}"
   -pol "SUPP={US=SEGM-TOTAL-INCR},CONS={REPLS=FALSE}"

Performing a Total Update by Media

To perform a total update by media with synchronous shadowing, the DSA1 administrator:

Sets up an empty database on the consumer DSA2 and then starts the DirX Directory service.
Creates the agreement on the supplier DSA1 and issues a sob create command with -agreement “CHANGEO=TRUE”. After creating the agreement with status COOPERATIVE, the supplier DSA1 sets the update status to disabled=TRUE.
Uses the dirxbackup utility to save the database into an archive. Please consider the following behavior of dirxbackup:
1. Only verified backups can be restored. This restriction avoids propagating database inconsistencies to the consumer DSAs.
  Verification must be performed on the consumer when it has a newer version of DirX Directory.
2. Database verification can last for hours when the database is huge.
3. By default, full database verification is triggered automatically after backup has finished (see dbamverify -AXDST).
4. To reduce the timeframe between backup creation on the master and restoration on the consumer, the DSA1 administrator can:
  1. Create the backup with the -n option and skip verifications.
  2. Copy the created backup to the consumer.
  3. Verify the backup without the time-consuming attribute index checking using the command:
    dbamverify -DST (the A and X options may be omitted to reduce verification time). In this case, the administrator must use the dirxbackup -n AX option when restoring the archive.
Uses dirxbackup on consumer DSA2 to restore the archive. The DirX Directory service restarts automatically after dirxbackup has finished.
Enables the agreement on supplier DSA1. The consumer DSA2 must be online because the supplier DSA1 checks whether the correct archive was restored on consumer DSA2: the supplier DSA1 has generated a backup signature in the subentry /CN=DirXDBVersionSubentry which is compared with the backup signature at consumer DSA2. If the backup signatures are not identical, the enable operation returns an error. (If this verification procedure does not comply with your operational procedures, you can disable it by setting the environment variable DIRX_DSA_DISP_TUBM to 0. This setting prevents backup signature generation and comparison at enable time.)

An alternative method for performing a backup is to initiate an LDIF dump with the dirxadm ldif_dump command. In this scenario, the DSA1 administrator:

Copies the generated LDIF file(s) to the consumer DSA2.
Stops the consumer DSA2.
Resets the database with the dbamboot command.
Loads the entries with the dirxload command, specifying the -A option to perform the attribute index configuration as configured on the supplier DSA1.
When multiple LDIF files must be loaded, specify all LDIF files in one invocation of the dirxload command.
Starts the DirX Directory service on consumer DSA2.
Enables the agreement on the supplier DSA1.

You can also perform the total update by media for multiple consumer DSAs in one sequence. In this scenario, the DSA1 administrator:

Creates the synchronous agreements with total update by media for both consumer DSAs DSA2 and DSA3.
Saves the database with dirxbackup.
Restores the archive on DSA2 and DSA3.
Enables the agreements.

The procedure is the same when using an LDIF dump.

To restore an older dirxbackup archive, the administrator performs the following steps to synchronize the supplier DSA and the synchronous consumer DSAs:

Restores the dirxbackup archive on supplier DSA1. The DirX Directory service restarts automatically and the supplier DSA1 sets the update status to disabled=TRUE for all agreements where CHANGEO=TRUE is specified.
Creates an archive with dirxbackup or an LDIF dump.
Restores the archive or load the LDIF file(s) on the consumer DSAs.
Enables the agreements.

Configuring the Attribute Indexes

Attribute index configurations are not inherited from master to consumer DSAs.As a result, the administrators of DSA1 through DSA4 must individually configure their DSA attribute indexes with the dirxadm db attrconfig command (see the dirxadm section in the DirX Directory Administration Reference for details).In this sample configuration, the Greater Munich administrators configure identical attribute index configurations for DSA1, DSA2 and DSA3 because these DSAs act as equivalent directory servers that handle the same kind of operation requests.The DSA4 administrator creates a different attribute index configuration for DSA4 that matches the workload expected from LDAP applications in Boston.

Extending the DIT with New Company Data

My-Company has purchased a small company to enhance its product portfolio.Because this new company is also to use My-Company’s directory service, its directory data needs to be migrated to My-Company’s directory.

New-Company’s entries are to be loaded below a new context prefix O=New-Company.Since synchronous shadowing is in force, the DSA1 administrator must use dirxcp to create the new context prefix, because an entry created with dirxadm will not be shadowed.

The following dirxcp command creates the new context prefix O=New-Company:

create /O=New-Company -attr  \
   {OCL=TOP;ORG} \
   {DSET=ENTRY+ADM_POINT+CP} \
   {AR=AA;ACSA;CASA} \
   {ACS=SACS} \
   {SACI={ID=admin: enable Handling of Subentries,
         PR=254,
         AL={BL={L=SIMPLE}},
         UF={UC={N={DN={/O=New-Company/cn=admin}};
                             {DN={/O=My-Company/cn=admin}}},
             UP={PI={E=TRUE},
                 GAD=grantDiscloseOnError+grantRead+grantBrowse+
                     grantReturnDN+grantAdd+grantRemove+grantModify};
                 {PI={AT=SS;OC;AT;DSR;NF;DCR;MR;MRU;ATIDX;CRN;CRT;
                         MN;MT;RFCVN;RFCVV;AT;OC;NOS;NOAS;DUUID;
                         ATIDX;PACI;EACI;SACI;AR;ACS;DSET,
                      AAV=SS;OC;AT;DSR;NF;DCR;MR;MRU;ATIDX;CRN;CRT;
                          MN;MT;RFCVN;RFCVV;AT;OC;NOS;NOAS;DUUID;
                          ATIDX;PACI;EACI;SACI;AR;ACS;DSET,
                      AUATV=TRUE},
                  GAD=grantDiscloseOnError+grantRead+grantCompare+
                      grantFilterMatch+grantAdd+grantRemove}}};
         {ID=allow anonymous to read,
          PR=10,
          AL={BL={L=NONE}},
          UF={UC={AU=TRUE},
              UP={PR=0,
                  PI={E=TRUE,AUATV=TRUE,
                      AT=RFCVN;RFCVV;AT;OC,AAV=RFCVN;RFCVV;AT;OC;ATIDX},
                  GAD=grantDiscloseOnError+grantRead+grantBrowse+
                      grantReturnDN+grantFilterMatch}}}}

The DSA1 administrator also creates an administrator entry and an access control-specific subentry for the new context prefix. See the chapters “Setting up the DSA” and Setting up the DirX Directory Service” for descriptions and examples of these tasks.

Next, the DSA1 administrator populates the tree with entries from /O=New-Company; for example, with dirxmodify, as described in the section “Importing Directory Updates from an LDIF File” in the chapter “Using LDIF Files for Synchronization”. The DSA then automatically replicates all the new entries starting with /O=New-Company to DSA2 and DSA3 without the need for a new shadowing agreement, since these DSAs participate in synchronous replication.

The DSA1 administrator, however, must set up a new shadowing agreement to replicate the New-Company tree to DSA4. The administrator uses the dirxadm sob create command and specifies a –consumerkind disp_type value of CENTRALADMIN to replicate the /O=New-Company context prefix, as follows:

sob create \
   -supplier {/CN=DirX-DSA-host1} \
   -supplierpsap "TS=DSA1,NA='TCP/IP_IDM!internet=123.45.67.91+port=21200',DNS='(HOST=host1,PLAINPORT=21200)'" \
   -consumer {/CN=DirX-DSA-host4} \
   -consumerpsap "TS=DSA4,NA='TCP/IP_IDM!internet=198.76.54.40+port=21200',DNS='(HOST=host4,PLAINPORT=21200)'" \
   -consumerkind CENTRALADMIN \
   -agreementid 410 \
   -status cooperative \
   -agreement "SS={AREA={CP={/O=New-Company}, \
                      RA={DEF=TRUE}},ATT={DEF=TRUE}}, \
                      UM={SI={OC=TRUE}}"
   -pol "SUPP={US=SEGM-TOTAL-INCR},CONS={REPLS=FALSE}"

Disabling and Enabling the Shadowing Agreements

The My-Company administrators want to install the latest system and DirX Directory software patches onto the consumer DSAs.The first step in this process is to disable the shadowing agreement for the consumer at the master DSA.Once this agreement is disabled, the master DSA stops sending incremental updates to the consumer DSA, but continues to commit subsequent incremental updates and propagates them to consumer DSA once the agreement is re-enabled.

The following dirxadm command disables the shadowing agreement 200 for DSA2:

sob disable \
   -supplier {/CN=DirX-DSA-host1} \
   -consumer {/CN=DirX-DSA-host2} \
   -agreementid 200

Now the DSA2 administrator can stop DSA2 and install the system and DirX Directory patches.Once he has completed the installations and re-starts the DirX Directory Service, the administrator at the master DSA (DSA1) can enable agreement 200 for DSA2 with the following dirxadm command:

sob enable \
   -supplier {/CN=DirX-DSA-host1} \
   -consumer {/CN=DirX-DSA-host2} \
   -agreementid 200

Monitoring Data Synchronicity Status

After enabling the shadowing agreement as described in the previous section, DSA2’s data may not be synchronized with the data on the master DSA1 because update operations may have been performed while DSA2 was off-line.DirX Directory offers several ways to evaluate data synchronicity in a synchronous shadowing configuration:

Evaluating the recent modification sequence number (recent MSN) on the master and consumer DSAs
Evaluating the /CN=DirXDBVersionSubentry entry and its attributes
Evaluating DSA logging, DSA audit and SNMPv2 trap information

The next sections discuss these methods in the context of our scenario.

Using Recent MSN Values

Recall from the section “How Data Synchronicity is Managed” that master and consumer DSAs keep a recent modification sequence number (recent MSN) operational attribute (in the entry /CN=DirXDBVersionSubentry). One way to determine whether data is synchronized between a master DSA and a synchronous consumer DSA is to compare the DSAs’ recent MSNs. Since the master DSA knows exactly what it has sent to the consumer DSA and what the consumer DSA has confirmed, you can easily evaluate the data status with dirxadm sob show commands at the master and consumer DSAs.

The following dirxadm command run on the master DSA1 shows the value of its recent MSN:

dirxadm> sob show -p
Supplier-DSA
Cooperating-DSA
  AE-Title      : /CN=DirX-DSA-host1
PSAP-Address
  T-Selector    : DSA1
  NSAP-Address  : TCP/IP_IDM!internet=123.45.67.91+port=21200
  DNS           : (HOST=host1,PLAINPORT=21200)
  DISP-Kind     : SYNCHRON
Recent-MSN
  Recent-MSN    : 12346
Sync-Status
  Sync-Status   : TRUE

As you can see, the master’s Recent-MSN attribute has a value of 12346. The Sync-Status (this is the DirX Directory In Sync operational attribute described in the section “How Data Synchronicity is Managed”) at the master DSA is always TRUE.

The following dirxadm command run on the master DSA1 shows the values of the consumer DSA recent MSNs:

dirxadm> sob show -suppl {/CN=DirX-DSA-host} -p
Consumer-DSA
Cooperating-DSA
  AE-Title      : /CN=DirX-DSA-host2
PSAP-Address
  T-Selector    : DSA2
  NSAP-Address  : TCP/IP_IDM!internet=123.45.67.92+port=21200
  DNS           : (HOST=host2,PLAINPORT=21200)
  DISP-Kind     : SYNCHRON
Recent-MSN
  Recent-MSN    : 9875
Sync-Status
  Sync-Status   : FALSE
Cooperating-DSA
  AE-Title      : /CN=DirX-DSA-host3
PSAP-Address
  T-Selector    : DSA3
  NSAP-Address  : TCP/IP_IDM!internet=123.45.67.93+port=21200
  DNS           : (HOST=host3,PLAINPORT=21200)
  DISP-Kind     : SYNCHRON
Recent-MSN
  Recent-MSN    : 12346
Sync-Status
  Sync-Status   : TRUE
Cooperating-DSA
  AE-Title      : /CN=DirX-DSA-host4
PSAP-Address
  T-Selector    : DSA4
  NSAP-Address  : TCP/IP_IDM!internet=198.76.54.40+port=21200
  DNS           : (HOST=host4,PLAINPORT=21200)
  DISP-Kind     : CENTRALADMIN

As you can see from this output, DSA2’s Recent-MSN attribute is 9875. Its Sync-Status (DirX Directory In Sync attribute) is also FALSE, which indicates that DSA2’s data is not synchronized with the master DSA because its Recent-MSN is different (and was caused by taking DSA2 off-line for a period of time). DSA3’s Recent-MSN value is the same as DSA1, because DSA3 remained online. DSA4 does not show a Recent-MSN value, because it is an asynchronous consumer DSA and thus does not maintain this attribute and the other synchronous shadowing attributes. Subsequent status checks of DSA2’s Recent-MSN attribute over time show that it increases and eventually reaches the same value as the master DSA1.

Using the DirXDBVersion Subentry

Recall from the section “How Data Synchronicity is Managed” that the entry /CN=DirXDBVersionSubentry and its operational attributes are administered by both master and synchronous consumer DSAs. Another way to check a consumer DSA’s data synchronicity status is to read this subentry and its attributes using dirxcp/DAP or dirxcp/LDAP operations. First, make sure you set the service controls that direct the DSA to perform the read operation locally, as shown in the dirxcp/DAP example below (in the dirxcp/LDAP example, the default LDAP server service control settings have already been considered). For more information about service controls, see the dirxcp args and ldapargs operations in the DirX Directory Administration Reference.

The following dirxcp/DAP commands read the entry /CN=DirXDBVersionSubentry from DSA2:

dirxcp> bind -dsa /CN=DirX-DSA-host2 [your bind arguments]
dirxcp> args modify -localscope true
dirxcp> args modify -subentries true
dirxcp> args modify -copyshalldo true
dirxcp> args modify -dontusecopy false
dirxcp> show /cn=dirxdbversionsubentry -alla  -p
1) /CN=DirXDBVersionSubentry
    From-Entry                : FALSE
    Object-Class              : DBVS
                              : TOP
                              : SUBE
    Common-Name               : DirXDBVersionSubentry
    dirx-entry-uuid           : 76b74ea7-ef95-47e4-aa51-11dc051a9e0
    Recent-MSN                : 12346
    Recent-MSN-Time-Stamp     : 20121204085841.987Z
    Recent-Distinguished-Name : /O=My-Company/OU=ou1/CN=1-12345
    Recent-Operation          : add
    Consumer-In-Sync          : TRUE

You can also display this subentry with the following dirxcp/LDAP command:

dirxcp> set _errormsg TRUE
dirxcp> search  cn=DirXDBVersionSubentry -base -filt ocl=* -vtype subentry -attr + -p
 1) cn=DirXDBVersionSubentry
    dirxEntryUUID          : 76b74ea7-ef95-47e4-aa51-11dc051a9e0
    dirxRecentMSN          : 12346
    dirxRecentMSNTimeStamp : 20121204085841.987Z
    dirxRecentDN           : cn=1-12345,ou=ou1,o=My-Company
    dirxRecentOperation    : add
    dirxInSync             : TRUE
LDAP-Result: Search succeeded. Found 1 Entries (0 Aliases), 6 Attributes, 6 Values. (ChainedResult=no)

In the dirxcp/DAP output, the From-Entry attribute shows the value FALSE, which indicates that this entry comes from the consumer DSA. In the LDAP example, this fact is indicated by the (ChainedResult=no) comment. The DirX Directory Recent DN attribute (LDAP name dirxRecentDN) shows the DN of the last update operation. The DirX Directory Recent Operation attribute (LDAP name dirxRecentOperation) shows the type of request of the last update operation. Valid values are add, remove, modify and modifydn. The DirX Directory Recent MSN Time-Stamp attribute (LDAP name dirxRecentMSNTimeStamp) shows the modification time stamp of the last update operation. The DirX Directory Recent MSN attribute (LDAP name dirxRecentMSN) shows the modification sequence number of the last update operation. The DirX Directory In Sync attribute (LDAP name dirxInSync) of the consumer DSA shows the status of data synchronicity. The value is TRUE, which indicates that DSA2’s data is synchronized with the master DSA’s data.

Using Logging, Audit and SNMPv2 Information

Recall from the section “How Data Synchronicity Status Affects Read Operation Service Controls” that synchronous shadowing’s data synchronicity management overrides service controls for read and search operations in favor of accurate results.

In our example, DSA2’s data is not yet synchronized after the upgrade procedure, but DSA2 can perform read and search operations when it comes online. As long as DSA2’s data is out of sync with the master DSA1, it chains the read/search requests to the master DSA1. You can follow the changes in a consumer DSA’s synchronicity status with:

DSA logging at the master DSA and the synchronous consumer DSA
DSA auditing at the master DSA and synchronous consumer DSA, if audit is enabled
SNMPv2 traps generated at the master DSA and the synchronous consumer DSA, if SNMPv2 traps are enabled.

When a consumer DSA becomes unsynchronized with the master DSA, the following notice is reported in DSA logging:

0 Operational Binding 200 switches to "asynchronous" state
Reason: clear text message

When a consumer DSA becomes synchronized with the master DSA, the following notice is reported in DSA logging:

0 Operational Binding 200 switches to "synchronous" state
Reason: clear text message

As you can see, the notices refer to an operational binding ID that is synonymous with the shadow agreement ID.The clear text message string gives the reason for the status change along with a simple explanation.

Synchronicity status changes are also reported in DSA audit records and via SNMPv2 traps, if these DirX Directory monitoring tools are enabled.See the chapter “Monitoring DirX Directory” for more information about these tools.

Switching Supplier DSAs

This section describes how to switch supplier DSAs operating in a synchronous shadowing configuration in both non-emergency and emergency situations.

Making a Non-Emergency Switch

Switching supplier DSAs in a synchronous shadow configuration functions in much the same way as in an asynchronous shadow configuration: a non-emergency switch is performed when all of the DSAs participating in the synchronous shadow configuration are online and their agreements are not disabled.The synchronous master DSA propagates all outstanding incremental updates to all synchronous and asynchronous consumer DSAs.This procedure can take some time; for example, when a scheduled shadowing agreement to an asynchronous consumer DSA exists.

As an alternative, you can perform a sob synchronize command to propagate all outstanding incremental updates before you invoke the sob switch command.After all outstanding incremental updates have been propagated, the master DSA updates all shadowing agreements in the cooperating DSA table locally and then propagates the updated table to all consumer DSAs.As long as the non-emergency switch lasts, all update operations are rejected.

In our example, the administrator of master DSA1 needs to upgrade the DSA with the newest system and DirX Directory patches after the consumer DSAs have been upgraded.To provide an uninterruptible DirX Directory service while DSA1 is being upgraded, the administrator performs the following tasks:

Switches the mastership to one of the synchronous consumer DSAs - in this case, DSA2 - with the following dirxadm command run on DSA1:
```
sob switch -from /CN=DirX-DSA-host1 \
           -to /CN=DirX-DSA-host2
```
Disables the agreement to the old supplier DSA1 with the following command run on the new supplier DSA2:
```
sob disable -supplier /CN=DirX-DSA-host2 \
 -consumer /CN=DirX-DSA-host1 \
 -agreementid 200
```
Stops DSA1, installs the patches and then starts DSA1 again.
Enables the agreement to DSA1 with the following dirxadm command run on the new supplier DSA2:
```
sob enable -supplier /CN=DirX-DSA-host2 \
 -consumer /CN=DirX-DSA-host1 \
 -agreementid 200
```
Waits until DSA1’s data is in sync with the new supplier DSA2 by following its data synchronicity status as described in “Monitoring Data Synchronicity Status”. (You can omit this step if you want.)
Switches mastership back to DSA1 with the following dirxadm command run on DSA2:
```
sob switch -from /CN=DirX-DSA-host2 \
           -to /CN=DirX-DSA-host1
```

Making an Emergency Switch

A supplier DSA may fail for various reasons. An administrator may perform an emergency switch, depending on the reason for the failure. A crash of the dirxdsa or dirxldapv3 process does not require an emergency switch since a restart of the DirX Directory service typically lasts within the range of seconds. But a system crash or a network interruption may take a longer time and an emergency switch is recommended. In this case, the administrator can run a dirxadm sob switch –emergency command on one of the synchronous consumer DSAs. This command performs the following actions:

Sets the DSA to read only.
Tests network connectivity to the supplier DSA. If this test succeeds at connecting to the supplier DSA, the operation rejects the emergency switch.
Determines the highest recent modification sequence number of all synchronous consumer DSAs and rejects the emergency switch if the performing consumer DSA doesn’t own this value. That is, the performing consumer DSA contacts each synchronous consumer DSA and reads the dirxRecentMSN attribute. These values are compared with the value of the local dirxRecentMSN attribute. If the local value is exceeded by a value from any other synchronous consumer DSA, the emergency switch is rejected.
Updates all shadowing agreements in the cooperating DSA table with the new supplier DSA.
Propagates the cooperating DSA table to all consumer DSAs.
Releases read only state.

Once the old supplier DSA is online again, the new supplier DSA sends a total update if the maximum recovery time has not been exceeded. Please refer to the section "SOB-Policies" in the DirX Directory Syntaxes and Attributes for more information on this topic. If the maximum recovery time has been exceeded, the shadowing agreement to the old supplier DSA is disabled and the administrator should be enable it manually,

Under normal conditions, all synchronous consumer DSAs should have equal recent modification sequence numbers at the time of the emergency switch. However, it is possible that a synchronous consumer DSA’s data may be out of sync, as indicated by a difference in the recent modification sequence number when compared to the new supplier DSA. In this case, the supplier DSA automatically sends a total update to the relevant synchronous consumer DSA after the emergency switch.

Returning to our example, suppose that the master DSA1’s system crashes and that synchronous consumer DSA2’s data is still not in sync (DSA2’s dirxRecentMSN attribute should have a value of 9999, for example). An emergency switch at DSA2 is rejected, as shown in the following example:

dirxadm> bind -h host2
dirxadm> sob switch -emergency
Error: State of Agreement does not allow the operation to be performed.
       (Consumer for Binding ID: 300 has higher RMSN)

On synchronous consumer DSA2, the following actions are performed:

A bind to master DSA1 fails since the system has crashed and the system is not online again. The first condition is met and the emergency switch continues.
DSA2 binds to DSA3 and reads the dirxRecentMSN attribute, which has a value of 12346. By comparing this value to its own value, DSA2 detects that DSA3 has a higher recent modification sequence number. The emergency switch is rejected and dirxadm reports the shadow agreement identifier of the synchronous DSA that owns the highest recent modification number. The administrator needs to initiate an emergency switch manually at DSA3.

After the emergency switch has completed, the new synchronous supplier DSA sends a total update to all synchronous consumer DSAs whose recent modification sequence number was different from the new supplier DSA’s at the time of the switch. In our example, DSA3 sends a total update to DSA2, since DSA2’s recent modification sequence number had a lesser value than that of DSA3.

The agreement to the old supplier DSA1 goes into the recovery state: the new supplier DSA3 tries to connect to DSA1 every 2 minutes. This time interval is specified in the RI=*recovery_interval component of the SOB-Policies attribute. If DSA2 can’t be connected to within the maximum number of retries (component *RMR), then DSA3 sets the agreement to the disabled state and won’t try any further connections. In this case, the administrator needs to enable the shadow agreement manually once DSA1 is online again.

Since the recent modification sequence number is not maintained at asynchronous consumer DSAs, the new supplier DSA can’t evaluate the data synchronicity status at emergency switch time. Thus, it is necessary to invoke a total update to asynchronous consumer DSAs manually to be sure that asynchronous consumer DSAs do not miss any updates due to the system crash on DSA1. A typical method to initiate a total update is to terminate and then establish an asynchronous shadowing agreement. If the asynchronous shadowing agreement is configured for total update by media, perform the following procedures:

Terminate all agreements configured to the asynchronous consumer DSA.
Establish all agreements configured to the asynchronous consumer DSA.
Save the database with dirxbackup at the supplier DSA.
Stop the DirX Directory service at the consumer DSA, restore the database with dirxbackup, and then start the DirX Directory service again.
Enable all agreements configured to the asynchronous consumer DSA.

In this example, the shadowing agreements to asynchronous consumer DSA4 are configured to perform a total update by protocol. Consequently, the administrator needs to terminate and establish agreements 400 and 410, as shown in the following dirxadm commands:

sob terminate -agreementid 400 \
                     -supplier /CN=DirX-DSA-host3 \
                     -consumer /CN=DirX-DSA-host4 \
sob terminate -agreementid 410 \
                     -supplier /CN=DirX-DSA-host3 \
                     -consumer /CN=DirX-DSA-host4 \
sob establish -agreementid 400 \
                     -supplier /CN=DirX-DSA-host3 \
                     -consumer /CN=DirX-DSA-host4 \
sob establish -agreementid 410 \
                     -supplier /CN=DirX-DSA-host3 \
                     -consumer /CN=DirX-DSA-host4 \