User connections during key store changes
- Last Updated: January 17, 2024
- 2 minute read
- OpenEdge
- Version 12.8
- Documentation
Changing the source database's encryption policy briefly blocks new logins for read-only connections on replication target databases. During an encryption policy change, the replication target database must stop applying AI blocks to the target database until the DBA copies the source database key store (.ks) file to the target database location.
If a user tries to connect while the replication agent is waiting for a new key store file, the following message displays:
Database connections are not allowed at this time. (10829)To track the update process, refer to the replication agent log (targetdb.repl.agent.lg).
For example:
- The replication agent starts to wait for the new key store.
[2020/11/16@17:25:51.827-0500] P-6574 T-6577 I RPLA 2: (-----) Preparing to update encryption policy - Logins are disallowed.
[2020/11/16@17:25:51.827-0500] P-6574 T-6577 I RPLA 2: (20162) The Replication Agent is waiting until the newest version of the key store exists before it resumes processing source database after-image blocks. - The DBA has copied the key store file to the target database.
[2020/11/16@17:26:56.482-0500] P-6574 T-6577 I RPLA 2: (20164) The newest key store for this database now exists so the Replication Agent will resume normal processing. - The replication agent resumes normal replication activities and applies transactions sent from the replication server on the source database.
[2020/11/16@17:26:56.482-0500] P-6574 T-6577 I RPLA 2: (-----) About to process block 0... - The replication agent processes the end of the rekey transaction and re-enables logins.
[2020/11/16@17:26:56.482-0500] P-6574 T-6577 I RPLA 2: (-----) Newest keystore found on disk. Logins have been re-enabled.
Suppose that the rekey operation fails on the source database after the agent starts waiting (Step 1). If this happens, the DBA should retry the rekey operation on the source database until it succeeds, then copy the newest key store file to the target database.
The replication agent detects that the version of the key store on disk is newer than expected, and messages in the
targetdb.repl.agent.lg are: [2020/11/16@15:18:56.548-0500] P-12710 T-12717 I RPLA 2: (20162) The Replication Agent is waiting until the newest version of the key store exists before it resumes processing source database after-image blocks.
[2020/11/16@15:18:56.481-0500] P-12710 T-12717 I RPLA 2: (20166) A newer version of the key store was detected than what was expected. The Replication Agent will resume normal processing.
[2020/11/16@15:18:56.482-0500] P-12710 T-12717 I RPLA 2: (20164) The newest key store for this database now exists so the Replication Agent will resume normal processing.
[2020/11/16@15:18:56.482-0500] P-12710 T-12717 I RPLA 2: (-----) About to process block 288...
[2020/11/16@15:18:56.501-0500] P-12710 T-12717 I RPLA 2: (-----) Newest keystore found on disk. Logins have been re-enabled.