Getting started with VDFS replication in a non-domain environment

Applies to: VisualSVN Server 3.7 and later

Multisite Repository Replication feature is based on the VisualSVN Distributed File System (VDFS). VDFS supports certificate-based authentication method for the replication that allows you to deploy the replication securely in a non-domain environment. Certificate-based authentication supports strong encryption on the wire and mutual authentication.

The document provides setup instructions for creating master and slave VDFS repositories on non-domain computers and establishing the replication using the certificate-based authentication via self-signed certificates. For explanatory reasons, we will assume the following:

• There are two instances of VisualSVN Server installed on the following servers:
  • Berlin-SVN.example.com. Master repository will be hosted here and we refer to this server as to the master server.
  • NY-SVN.example.com. Slave repository will be hosted here and we will refer to this server as to the slave server.
• Both VisualSVN Server instances are not joined to an Active Directory domain. Consider the KB68: Getting started with VDFS replication in an Active Directory environment article if your servers reside in the same domain or there is a trust relationship between the domains.
• Both VisualSVN Server instances will be equipped with self-signed replication certificates. The certificates will be made trusted by manually adding them to the Local Machine's Trusted People store.

Prerequisites

Before deploying VDFS replication, please ensure that the following prerequisites are met:

• All the VisualSVN Server instances must be at the same server version of 3.7 or newer.
• All the VisualSVN Server instances must have an Essential, Enterprise, Enterprise Multinode or Evaluation license. Feel free to request a 45-day evaluation license key.

Step 1: Enable VDFS service on master and slave servers

The VisualSVN Distributed File System Service (also referred to as VDFS service) must be started on all the VisualSVN Server instances. The service is disabled by default. It can be enabled and started from the VisualSVN Server Manager by clicking the Enable link in the service status section of the dashboard. See the article KB74: Enabling and starting VDFS service for further details.

Step 2: Enable VDFS firewall rule on master server

An inbound firewall rule named VisualSVN Distributed File System Service must be enabled on the master server. The rule is created during the VisualSVN Server installation but it is not enabled by default. See the article KB73: Enabling the inbound firewall rule for a master VDFS service for further details.

Step 3: Enable certificate-based replication on the master server

You should enable certificate-based replication for the master Berlin-SVN server. Follow these steps on the master server computer:

1. Start VisualSVN Server Manager console.
2. Click Action | Properties and click the Replication tab.
3. Select the Enable certificate-based authentication for replication check box.
4. Click Select certificate.
5. Click More Actions | New self-signed certificate and perform the following steps in the Create Self-Signed Replication Certificate wizard:
   1. Enter Berlin-SVN.example.com into the Common name field and click Next.
   2. Optionally fill in other properties of the self-signed certificate and click Create.
6. Select the created self-signed certificate and click OK.
7. Click Apply.

For more information about certificate prerequisites and requirements, read the article KB118: Understanding the VDFS replication settings.

Step 4: Enable certificate-based replication on the slave server

Once the previous step is done, you should enable certificate-based authentication for the slave NY-SVN server, too. Follow these steps on the slave server computer:

1. Start VisualSVN Server Manager console.
2. Click Action | Properties and click the Replication tab.
3. Select the Enable certificate-based authentication for replication check box.
4. Click Select certificate.
5. Click More Actions | New self-signed certificate and perform the following steps in the Create Self-Signed Replication Certificate wizard:
   1. Enter NY-SVN.example.com into the Common name field and click Next.
   2. Optionally fill in other properties of the self-signed certificate and click Create.
6. Select the created self-signed certificate and click OK.
7. Click Apply.

For more information about certificate prerequisites and requirements, read the article KB118: Understanding the VDFS replication settings.

Step 5: Make slave replication certificate trusted on master server

Self-signed certificates are not trusted because they are not signed by a trusted Certificate Authority. To get the certificate-based replication working, you must make the slave self-signed replication certificate trusted by the master computer. Follow these steps:

1. Start VisualSVN Server Manager console on the slave NY-SVN server.
2. Click Action | Properties and click the Replication tab.
3. Click View certificate and click the Details tab.
4. Click Copy to File and click Next.
5. Select the Base-64 encoded X.509 (.CER) format to export and click Next.
6. Enter the name of the file as "NYReplicationCert.cer" and click Next.
7. Copy the "NYReplicationCert.cer" file to the master Berlin-SVN server.
8. Open the Certificates snap-in to manage the Local Machine certificate store (Computer account):
   • Windows Server 2012 and newer: start certlm.msc.
   • Windows Server 2008 R2: start mmc.exe and add the Certificates snap-in to manage certificates for the Computer account. See the article TechNet | Add the Certificates Snap-in to an MMC for detailed instructions.
9. Select the Trusted People certificate store and launch the All Tasks | Import command from the context menu.
10. Enter the path to "NYReplicationCert.cer" file and import the certificate.

Step 6: Authorize the slave server to connect to the master server

The slave server should be authorized to connect to the master server. Follow these steps to add the slave server into the list of authorized replication partners:

1. Start VisualSVN Server Manager console on the master Berlin-SVN server.
2. Click Action | Properties and click Replication tab.
3. Click the Add menu-button and then choose Add server authenticated by Replication Certificate command.
4. Enter NY-SVN.example.com as the Common name of the slave server and click OK.

Note that this step authorizes only slave server’s access to the local VDFS service, but not to the individual master repositories. Access to the particular master repository will be granted on the next step.

Step 7: Create master repository

Creating a master VDFS repository in VisualSVN Server is very similar to creating a regular, FSFS-type repository. Follow these steps to create a new VDFS master repository:

1. Start VisualSVN Server Manager console on the master Berlin-SVN server.
2. Right-click Repositories and click Create New Repository.
3. Select Distributed VDFS repository and click Next.
4. Select Master repository and click Next.
5. Enter MyRepo as a name of the new master repository and click Next.
6. Choose suitable settings for the repository structure and permissions. You may leave these settings at their defaults.
7. At the Repository Replication Permissions step, click the Add menu-button and then select Add server authenticated by Replication Certificate command.
8. Enter NY-SVN.example.com as the Common name of the slave server and click OK.
9. Click Create.

The new master repository will become available to all Subversion clients just like any other regular Subversion repository.

Instead of creating an empty repository, you may choose to populate it with data from an existing one. Simply select Import data from existing repository and specify the path of an existing FSFS repository to import.

In-place repository conversion from FSFS to VDFS

Existing FSFS repositories can be converted to VDFS format in-place. The in-place conversion operation is nearly instantaneous and reversible.

Follow the instructions to perform the in-place conversion of a repository:

1. Stop VisualSVN Server services.
2. Start the VisualSVN Server Manager console.
3. Right-click on a repository name.
4. Click All Tasks | Convert to VDFS Format.

Step 8: Create slave repository

When all the above steps are complete, you are ready to create a new slave VDFS repository that will use certificate-based replication. While creating the slave repository, please do not forget to select the certificate-based authentication method on the Master Repository Connection Details wizard’s page.

To create a slave repository, follow the steps below:

1. Start VisualSVN Server Manager console on the slave NY-SVN server.
2. Right-click Repositories and click Create New Repository.
3. Select Distributed VDFS repository and click Next.
4. Select Slave repository and click Next.
5. On the Master Repository Connection Details page perform the steps below:
   1. Enter Berlin-SVN.example.com as the Master server name.
   2. Enter MyRepo as the Master repository name.
   3. Click the Active Directory link and select Use certificate-based authentication.
6. On the next page enter MyRepo as the Repository name and click Create.

These steps will result in creating the new slave repository and automatically starting its synchronization. Until the synchronization completes, the slave repository is going to be available for read operations, but will be out-of-date. Please note that the initial synchronization may take some time for large repositories.

See also