Tivoli Directory Server Seed Value is lost

The Tivoli Directory Server encryption seed value has been lost, or the client forgot it after creating the instance.

Clients often ask me how to recover the seed value after the instance has been set up, for example because it was forgotten, the record of it was lost, or the administrator who created the instance is no longer available.

There is no way to recover it: the seed cannot be read back out of an existing instance. The only option is to create a new instance with a seed you know, export the old instance's data to an LDIF file, and import that file into the new instance.

As described in the Knowledge Center and in this technote:

http://www-01.ibm.com/support/docview.wss?uid=swg21244655

http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.2.0/com.ibm.IBMDS.doc/pdguide134.htm


The following steps recover from the lost seed (taken from the Knowledge Center link above). The user names, passwords, seed and suffix shown are the sample values from that page; replace them with your own. Note that the seed and passwords are passed on the command line, so they end up in shell history and are visible in process listings while the commands run; clear them afterwards.

1. Create a user for the instance. Issue the command of the following format:

idsadduser -u newinst -w newinst -l /home/newinst -g idsldap

2. Create and configure a new directory server instance. Issue the commands of the following format:

idsicrt -I newinst -e thisismynewencryptionseed -l /home/newinst -n
idscfgdb -I newinst -a newinst -w newinst -t newinst -l /home/newinst -n
idsdnpw -u cn=root -p root -I newinst
idscfgsuf -s "o=sample" -I newinst

3. After setting up the new instance, newinst, find and save the salt value that the new directory server instance generated; it is needed in step 4. To find the salt value, issue a command of the following format (the new instance must be running):

idsldapsearch -p <port_number> -D cn=root -w root -b "cn=crypto,cn=localhost" -s base objectclass=* ibm-slapdCryptoSalt

4. Export the data from the directory server instance whose encryption seed is lost (for example, oldinst) to an LDIF file with the db2ldif command. Pass the new instance's seed with -k and the salt saved in step 3 with -t, so that the exported data is encrypted in a form the new instance can read:

db2ldif -o mydata.ldif -I oldinst -k thisismynewencryptionseed -t newsaltvalue

5. Finally, import the data from the LDIF file into the new directory server instance with the ldif2db command:

ldif2db -i mydata.ldif -I newinst
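The five steps above are usually typed one at a time, and the part most often done wrong is copying the salt from the idsldapsearch output into the db2ldif command. The following shell script is an added example, not code from IBM or from the technote: it runs the procedure end to end and extracts the salt from the search output itself. It assumes the ids*, db2ldif and ldif2db commands are on PATH, that the new instance has been started before step 3, and that the paths and the o=sample suffix are the technote's sample values. The seed check follows the rules stated in IBM's idsicrt documentation (12 to 1016 printable ASCII characters in the range 33 to 126), which this page does not mention.

```shell
#!/bin/sh
# Added example (not from the IBM technote): runs the seed-recovery steps
# end to end and pulls the salt out of the idsldapsearch output instead of
# copying it by hand. Assumes ids*, db2ldif and ldif2db are on PATH.

# Seed rule from IBM's idsicrt documentation (assumption, not from this page):
# 12 to 1016 characters, all printable ASCII in the range 33..126.
check_seed() {
    seed=$1
    [ "${#seed}" -ge 12 ] && [ "${#seed}" -le 1016 ] || return 1
    # any byte outside '!'..'~' (space, control chars, non-ASCII) is rejected
    if printf '%s' "$seed" | LC_ALL=C grep -q '[^!-~]'; then
        return 1
    fi
    return 0
}

# Step 3 helper: read the ibm-slapdCryptoSalt value from idsldapsearch output
# on stdin. Three output forms are handled:
#   ibm-slapdCryptoSalt=VALUE      (IBM ldapsearch default attr=value form)
#   ibm-slapdCryptoSalt: VALUE     (LDIF form, idsldapsearch -L)
#   ibm-slapdCryptoSalt:: BASE64   (LDIF form with a base64-encoded value)
# Prints the raw salt without a trailing newline; returns 1 if not found.
extract_salt() {
    while IFS= read -r line; do
        case "$line" in
            "ibm-slapdCryptoSalt:: "*)
                printf '%s' "${line#ibm-slapdCryptoSalt:: }" | base64 -d
                return 0 ;;
            "ibm-slapdCryptoSalt: "*)
                printf '%s' "${line#ibm-slapdCryptoSalt: }"
                return 0 ;;
            "ibm-slapdCryptoSalt="*)
                printf '%s' "${line#ibm-slapdCryptoSalt=}"
                return 0 ;;
        esac
    done
    return 1
}

# Steps 1 to 5 of the technote, parameterised. The seed and passwords are
# visible in shell history and in process listings while the commands run;
# in production feed them in from a protected file or a prompt.
recover_into_new_instance() {
    old_inst=$1; new_inst=$2; new_seed=$3; port=$4; user_pw=$5; root_pw=$6
    check_seed "$new_seed" || {
        echo "seed must be 12..1016 printable ASCII characters" >&2; return 1; }
    # 1. OS user for the new instance
    idsadduser -u "$new_inst" -w "$user_pw" -l "/home/$new_inst" -g idsldap
    # 2. create the instance with a seed we know, then DB, cn=root password, suffix
    idsicrt -I "$new_inst" -e "$new_seed" -l "/home/$new_inst" -n
    idscfgdb -I "$new_inst" -a "$new_inst" -w "$user_pw" -t "$new_inst" \
        -l "/home/$new_inst" -n
    idsdnpw -u cn=root -p "$root_pw" -I "$new_inst"
    idscfgsuf -s "o=sample" -I "$new_inst"
    # 3. read the salt the new instance generated (the instance must be running)
    salt=$(idsldapsearch -p "$port" -D cn=root -w "$root_pw" \
             -b "cn=crypto,cn=localhost" -s base "objectclass=*" \
             ibm-slapdCryptoSalt | extract_salt) || {
        echo "ibm-slapdCryptoSalt not found; is $new_inst started?" >&2; return 1; }
    # 4. export the old instance, re-encrypting with the NEW seed and salt
    db2ldif -o mydata.ldif -I "$old_inst" -k "$new_seed" -t "$salt"
    # 5. import into the new instance, which already uses that seed and salt
    ldif2db -i mydata.ldif -I "$new_inst"
}

# Only run the procedure when explicitly asked, so the helpers above can be
# sourced without side effects. Example (placeholder values):
#   RUN_TDS_RECOVERY=1 sh recover_seed.sh oldinst newinst 'Str0ng-Seed-Value!' 389 'os-pw' 'root-pw'
if [ "${RUN_TDS_RECOVERY:-0}" = 1 ]; then
    recover_into_new_instance "$@"
fi
```

The export in step 4 is the only place the old instance is touched; the old seed is never needed because db2ldif re-encrypts the sensitive data under the seed and salt you pass with -k and -t, which are exactly the values the new instance was created with.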