Understanding the VDFS replication settings

Applies to: VisualSVN Server 3.7 and later

Multisite Repository Replication feature is based on the VisualSVN Distributed File System (VDFS) technology. There are several VDFS replication settings that apply to master and slave VDFS services. You can find these settings on the Replication tab in the VisualSVN Server Properties dialog.

The main VDFS replication settings are as follows:

  • The list of replication partners authorized to connect to this server as a slave.
  • The option to enable certificate-based authentication for replication.

Note

To establish replication links between master and slave servers, you must enable the inbound firewall rule for the VDFS service on the master server. See the KB73: Enabling the inbound firewall rule for a master VDFS service article for instructions.

Replication partners authorized to connect to this server as a slave

The list of authorized replication partners controls whether a remote VDFS service can connect to a local VDFS service as a slave. In other words, the list must include all the slave servers that are authorized to replicate master repositories from this server. Leave this list empty if this VisualSVN Server instance does not have any master VDFS repositories.

The list of authorized replication partners can include servers authenticated by Active Directory as well as by Replication Certificate.

Note

Note that this list only authorizes access to the local VDFS service, not the access to individual master repositories. In order to grant access to a master repository, you should configure the corresponding access permissions on the Replication tab of the Properties dialog for the repository.

Replication partners authenticated by Active Directory

The replication partners authenticated by Active Directory (domain replicators) are Active Directory accounts authorized to connect to a local VDFS service as a slave. As usual, you can authorize access not only to the individual accounts, but also to the domain or local groups.

Technically, all domain replicators are added to the local Windows group named VisualSVN Replication Partners, which is used to control remote access to the VDFS service on the master server.

Tip

When the VDFS service on the slave server runs under the Network Service account (this is the default option), you should add the corresponding computer account to the list of domain replicators. See the article KB70: Choosing correct accounts to grant the replication access for more information.

Follow these steps to authorize the domain replicators to perform the replication:

  1. Start VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Replication tab.
  4. Click the Add menu-button and then select Add server authenticated by Active Directory command.
  5. Select the required domain replicator's account and click OK.

Replication partners authenticated by Replication Certificate

In most cases, the replication partners authenticated by Replication Certificate (certificate-based replicators) are non-domain servers authorized to connect to a local VDFS service as a slave; instead of being authenticated by Active Directory, they are authenticated by a digital SSL/TLS certificate. They are not limited to non-domain servers, however: certificate-based authentication can also be used for cross-domain replication or for replication within a single domain.

Certificate-based replicators are identified by the Common name. This name should match the Common name of the Replication Certificate configured for the slave server. For successful authorization, the slave’s Replication Certificate must be valid and trusted on the master server.

Certificate-based replicators cannot perform the replication from the server when the Enable certificate-based authentication option is cleared. See the section Certificate-based authentication for VDFS replication for more information.

Follow these steps to authorize a certificate-based replicator to perform the replication:

  1. Start VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Replication tab.
  4. Click the Add menu-button and then select Add server authenticated by Replication Certificate command.
  5. Enter the Common name of the slave server and click OK. This name should match the Common name of the Replication Certificate configured for the slave server.

Enabling certificate-based authentication for replication

VDFS supports two different methods to authenticate the replication partner computers:

  • Active Directory authentication. Allows performing the repository replication between the computers that are members of the same or trusted domains.
  • Certificate-based authentication. Allows performing the repository replication in a cross-domain or workgroup environment. This authentication method relies on master and slave Replication Certificates and allows performing the repository replication on computers that reside in non-trusted Active Directory domains or are not members of any domain.

The main distinction between these two methods is that the authentication by the Replication Certificate does not mandate the presence of a reachable domain controller for the authentication between the replication partners. Therefore, it can be used to configure the replication in non-domain environments or between two disjoint domains — in other words, in the situations where using the Active Directory authentication is not possible.

However, please note that the use of the certificate-based authentication method is not limited to such environments. This method can also be successfully used in the domain environments as an alternative for the Active Directory authentication, if you find the certificate-based authentication more convenient and suitable for your needs.

Active Directory authentication for VDFS replication

Active Directory authentication is the default authentication method for the replication. It is suitable for VDFS deployments when the master and slave servers are members of the same or trusted Active Directory domains.

Active Directory authentication for VDFS replication is always enabled and cannot be explicitly disabled. Leave the list of replication partners authenticated by Active Directory empty if you do not need to enable the replication for your domain computers. See the section Replication partners authenticated by Active Directory for further information.

Certificate-based authentication for VDFS replication

Certificate-based authentication helps to deploy the replication securely in a cross-domain or workgroup environment. When certificate-based authentication is enabled, the server can use certificate-based authentication to connect to remote VDFS servers as a slave, and the remote slave server can use Replication Certificates to authenticate to this server instance.

The following prerequisites are required to use the certificate-based authentication for VDFS replication:

  1. The option Enable certificate-based authentication for replication must be enabled in VisualSVN Server Properties on all the VDFS replication partners that will use the certificates for VDFS replication.
  2. Valid Replication Certificates must be configured for all the participating servers. The certificate should have the following purposes (Extended Key Usage):
    1. If the server acts only as a master VDFS server, the Replication Certificate must have Server Authentication purpose.
    2. If the server acts only as a slave VDFS server, the Replication Certificate must have Client Authentication purpose.
    3. If the server simultaneously acts as a slave VDFS server and master VDFS server, the Replication Certificate must have both Client Authentication and Server Authentication purposes.
  3. The replication certificate of a slave server should be trusted on the corresponding master server. If you would like to use mutual authentication, then the replication certificate of the master server should be trusted on the slave server as well.

The Replication Certificate should have a private key and should be installed into the Local Machine Store. The local VDFS service must have Read access to the certificate's private key. The required Read access permissions are granted automatically when you select the certificate in the VisualSVN Server Manager console.
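The following PowerShell function is an added example, not a VisualSVN tool: it checks a certificate in the Local Machine personal store against the prerequisites listed above (private key present, validity period, chain trusted on this computer, and the Extended Key Usage purposes required for the server's role). The function name, its parameters and the sample Common name svn-slave.example.com are assumptions; the EKU OIDs are the standard ones for Server Authentication and Client Authentication.

```powershell
# Added example (not part of VisualSVN Server): verify a Replication Certificate
# in Cert:\LocalMachine\My against the VDFS prerequisites for a given role.
# Function name, parameters and the sample Common name are assumptions.
function Test-VdfsReplicationCertificate {
    param(
        [Parameter(Mandatory)] [string] $CommonName,      # CN of the Replication Certificate
        [ValidateSet('Master', 'Slave', 'Both')] [string] $Role = 'Slave'
    )
    # Extended Key Usage purposes required per role (standard EKU OIDs)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
    $required = switch ($Role) {
        'Master' { @($serverAuth) }
        'Slave'  { @($clientAuth) }
        'Both'   { @($serverAuth, $clientAuth) }
    }

    # The selection dialog only lists Local Machine certificates, so look there;
    # if several match the CN, take the one that expires last.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $CommonName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ CommonName = $CommonName; Found = $false; Ready = $false }
    }

    # Collect the EKU OIDs actually present on the certificate
    $eku = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $missing = @($required | Where-Object { $eku -notcontains $_ })

    $now = Get-Date
    $inValidity = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
    # Verify() builds the chain against this computer's trust stores. Run the same
    # check on the partner that must trust this certificate (the master for a slave's cert).
    $trusted = $cert.Verify()

    [pscustomobject]@{
        CommonName    = $CommonName
        Found         = $true
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = $inValidity
        ChainTrusted  = $trusted
        MissingEku    = $missing
        Ready         = ($cert.HasPrivateKey -and $inValidity -and $trusted -and $missing.Count -eq 0)
    }
}

Test-VdfsReplicationCertificate -CommonName 'svn-slave.example.com' -Role Slave
```

Read access of the VDFS service account to the private key is not checked here; it is granted when the certificate is selected in the VisualSVN Server Manager console, as described above.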

To enable certificate-based authentication, perform the following steps both on master and slave computers:

  1. Start VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Replication tab.
  4. Select the Enable certificate-based authentication for replication option.
  5. Click Select certificate button, select the appropriate certificate and click OK. Note that the Replication Certificate Selection dialog only lists the certificates from the Local Machine Store that have an associated private key.

See also

KB129: Getting started with VDFS replication in an Active Directory environment
KB120: Getting started with VDFS replication in a non-domain environment