Patterson, David via FreeIPA-users wrote:
> Hello,
>
> I have an existing environment with three IdM servers running RHEL 8.10
> running 4.9.13-10 ipa-server version with FIPS disabled.
>
> I’ve been asked to enable FIPS.
>
> I’ve done enough googling to know you can’t just flip a switch and all
> is well, and you must start from scratch.
>
> I must keep the existing domain name the same between the old and new
> IdM servers.
>
> I was thinking that I could stand up a new IdM server with FIPS enabled
> using the same domain name. Manually add in all the important things like
> users, groups, HBAC, etc.  Then slowly migrate hosts from the old
> (uninstall/de-join) to the new (install).
>
> I believe there is an issue where it checks for an authoritative DNS
> server for the domain during initial install, so I’d have to install without
> being a DNS master.  Can that be added later once the old servers are no
> longer needed?
>
> Does this plan make sense? Is this possible?  Is there a better way??

It's the only way. You need a new environment so that all the keys are
generated with FIPS enforced.

There is an article on how to do this for RHEL 7 which should apply well
to RHEL 8 as well, https://access.redhat.com/articles/2949931

There are some notable downsides to migrate-ds: user-private groups are
not retained and only user and group information is migrated.

You'll want to re-generate the SIDs after migration and probably need to
keep in mind the original ID range and whatever the new one is.

This will be generally disruptive but many people have done it before.
All clients must be re-enrolled. If they don't change the cert subject
base then troubleshooting failing TLS connections becomes more
difficult. All custom keytabs need to be re-generated. In short it's a pain.

rob
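An added example, not part of either message: a bash checklist that scripts the order Rob lays out (migrate users and groups, reconcile ID ranges, regenerate SIDs, re-enroll clients and regenerate custom keytabs). The server names, domain, realm and keytab path are placeholders; the `ipa`, `ipa-client-install` and `ipa-getkeytab` invocations are standard FreeIPA CLI calls and must be run on the new FIPS master (with an admin ticket) or on the client, while the two helper functions can be exercised offline.

```shell
#!/bin/bash
# Added example, not from the thread. All names below are placeholders.
set -eu

OLD_SERVER="${OLD_SERVER:-old-ipa.example.test}"   # placeholder: legacy non-FIPS master
NEW_SERVER="${NEW_SERVER:-new-ipa.example.test}"   # placeholder: fresh FIPS master
DOMAIN="${DOMAIN:-example.test}"                    # placeholder: same domain as before
REALM="${REALM:-EXAMPLE.TEST}"                      # placeholder realm

# Report kernel FIPS state from a /proc-style file ("1" means enforced).
# Takes the path as an argument so it can be exercised offline.
fips_state() {
    case "$(cat "$1" 2>/dev/null || true)" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Two POSIX ID ranges [base, base+size) overlap when each starts before
# the other ends. Exit status 0 means overlap (migrated IDs would collide).
ranges_overlap() {   # old_base old_size new_base new_size
    local a_lo="$1" a_hi=$(( $1 + $2 )) b_lo="$3" b_hi=$(( $3 + $4 ))
    [ "$a_lo" -lt "$b_hi" ] && [ "$b_lo" -lt "$a_hi" ]
}

# Server side: run once on NEW_SERVER with a kinit'd admin ticket.
migrate_directory() {
    [ "$(fips_state /proc/sys/crypto/fips_enabled)" = enabled ] || {
        echo "refusing: FIPS mode is not enforced on this host" >&2; return 1; }
    ipa migrate-ds "ldap://${OLD_SERVER}"    # users and groups only; UPGs are not carried over
    ipa idrange-find                         # compare with the old range before handing out IDs
    ipa config-mod --enable-sid --add-sids   # generate SIDs for the imported entries
}

# Client side: leave the old realm, join the new one (prompts for enrollment
# credentials), then re-create any custom service keytab against the new KDC.
reenroll_client() {
    ipa-client-install --uninstall --unattended
    ipa-client-install --server "${NEW_SERVER}" --domain "${DOMAIN}"
    ipa-getkeytab -s "${NEW_SERVER}" -p "HTTP/$(hostname -f)@${REALM}" -k /etc/httpd/ipa.keytab
}
```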

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org