Understanding certificate-based authentication for replication

Applies to: VisualSVN Server 3.7 and later

Certificate-based authentication for replication allows performing the repository replication securely in a cross-domain or workgroup environment. This authentication method relies on master and slave Replication Certificates and allows performing the repository replication on computers that reside in non-trusted Active Directory domains or are not members of any domain.

Certificate-based authentication for replication is disabled by default. In order to use the certificate-based authentication, you should enable and configure it on both the master and slave servers. For further details, please read the KB118: Understanding the VDFS replication settings article.

How does certificate-based authentication work for slave servers?

During the certificate-based authentication, a master server verifies that the Common name of the Replication Certificate configured for the slave server is included in the list of the authorized Replication Partners on the master server. Usually, this Common name also matches the Fully Qualified Domain Name (FQDN) of the slave server. But technically VDFS only validates the Common name in the Replication Certificate and does not validate whether it actually matches the FQDN or not.

The following prerequisites must be met for a slave server to be successfully authenticated by a master:

  1. The Common name included in the list of the authorized Replication Partners should match the Common name in the Replication Certificate installed on the slave server.
  2. The Replication Certificate of the slave server must be valid. The certificate must not be expired or revoked.
  3. The Replication Certificate of the slave server must be trusted on the master server.
  4. The Replication Certificate of the slave server must have the Client Authentication purpose.

For further details please consider the article KB121: Understanding Replication Certificates.

Tip
You can find the Common name of the Replication Certificate by clicking View certificate button on the Replication tab in VisualSVN Server Properties dialog and then examining the CN value in the Subject field on the Details tab.

Advanced: mutual authentication of a master server by the slave servers

Without mutual authentication, slave servers do not validate the authenticity of the master VDFS server. Although the replication traffic is always encrypted and protected against eavesdropping, the configurations without mutual authentication may not be resilient to man-in-the-middle attacks. You can enable the mutual authentication when you create a new slave VDFS repository or in the Properties dialog for the existing slave repository.

Follow these steps to find out whether mutual authentication is enabled:

  1. Start VisualSVN Server Manager console on the slave VDFS server.
  2. Open Properties dialog for the slave VDFS repository.
  3. Click the Replication tab.
  4. See the value of the Mutual authentication property.

If the mutual authentication is disabled, you can enable it on the same Replication tab in the Properties of the slave VDFS repository. Follow these steps:

  1. Click Change connection details.
  2. Select Enable mutual authentication and click OK.

The following prerequisites must be met for a master server to be mutually authenticated by a slave:

  1. The Common name of the Replication Certificate installed on the master server must match the Master server name used by slave servers.
  2. The Replication Certificate of the master server must be valid. The certificate must not be expired or revoked.
  3. The Replication Certificate of the master server must be trusted on slave servers.
  4. The Replication Certificate of the master server must have the Server Authentication purpose.

See also

KB120: Getting started with VDFS replication in a non-domain environment
KB121: Understanding Replication Certificates
KB118: Understanding the VDFS replication settings
Last Modified: