Re: [Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?
David Copperfield wrote:

> Hi all,
>
> Has anyone successfully done an IPA replica promotion when the IPA
> master (Hub) failed, by following the IPA replica document for 2.1.3
> and 2.2.0?
>
> I've tried at my side and see that all the steps involved are very
> confusing and may be out of date. My IPA master is installed with
> Dogtag, and all replicas are installed with Dogtag too through
> '--setup-ca'.
>
> In case ipamaster is not reachable, how can I promote ipareplica01?
>
> The master.ca.agent.host/port are not set up on either ipareplica01 or
> ipareplica02 to forward to the IPA master at the beginning. Does that
> mean all three IPA servers' Dogtag instances run independently?
>
> And what is the value of 'IssuingPointId' in steps 3.e and 3.f?
>
> Is it possible for the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> or a wiki/email, to give a SOLID use case instead of a descriptive
> statement, which is ambiguous and not easy to follow?
>
> [root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'"; done
> ipamaster
> ipareplica01
> ipareplica02
>
> [root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL"; done
> ipamaster
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica01
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica02
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> [root@ipamaster ~]#

I'll see if I can get one of the Dogtag guys to take a look at this.

In general, this is not really a big problem. All we are doing here is
deciding which of the CAs will generate the CRL. You want just one
because other operations are happening at the same time, potentially on
other CAs, and if they are all generating a CRL at more or less the same
time then the resulting CRLs could be different by a cert or two. For
consistency's sake it is better to do this on one machine and publish
it.

Other than that there is no "master" promotion required. All of the
servers, particularly those with a CA installed, are equals.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?
On 05/21/2012 04:30 PM, David Copperfield wrote:
> Hi all,
>
> Has anyone successfully done an IPA replica promotion when the IPA
> master (Hub) failed, by following the IPA replica document for 2.1.3
> and 2.2.0?
>
> I've tried at my side and see that all the steps involved are very
> confusing and may be out of date. My IPA master is installed with
> Dogtag, and all replicas are installed with Dogtag too through
> '--setup-ca'.
>
> In case ipamaster is not reachable, how can I promote ipareplica01?
>
> The master.ca.agent.host/port are not set up on either ipareplica01 or
> ipareplica02 to forward to the IPA master at the beginning. Does that
> mean all three IPA servers' Dogtag instances run independently?
>
> And what is the value of 'IssuingPointId' in steps 3.e and 3.f?
>
> Is it possible for the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> or a wiki/email, to give a SOLID use case instead of a descriptive
> statement, which is ambiguous and not easy to follow?

This procedure is in fact a bit confusing and we have a bug to clean it
up: https://bugzilla.redhat.com/show_bug.cgi?id=813880

The purpose of this procedure however is simple: to define which of the
CA instances has to be the authoritative source for the CRLs. Only one
CA can be an authoritative source at a time, so if you lost a replica
that was responsible for this (and by default this is the first master
you install) you need to go to some other replica that has a CA and
follow this procedure to make it the source for the CRLs. This is the
goal of the "promotion". There is nothing else to it.

HTH.
>
> [root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'"; done
> ipamaster
> ipareplica01
> ipareplica02
>
> [root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL"; done
> ipamaster
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica01
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica02
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> [root@ipamaster ~]#
>
> Thanks.
>
> --David

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
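As an added illustration (not code from this thread, FreeIPA or Dogtag), the following POSIX shell check reads the CS.cfg keys David grepped and reports which CA instances would act as CRL generator, flagging the state in his output where all three do. All CS.cfg contents, host names and the .example.test domain are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or Dogtag. It classifies
# a CA instance's CRL role from the CS.cfg keys quoted in the thread and flags
# the state David reports: every CA has enableCRLUpdates=true and no
# master.ca.agent.host, so no single instance is the CRL source.

cfg_get() {            # cfg_get FILE KEY -> value, empty if the key is absent
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# crl_role FILE -> generator (builds the CRL itself), clone (defers to
# master.ca.agent.host) or mixed (settings do not match either role)
crl_role() {
    updates=$(cfg_get "$1" 'ca\.crl\.MasterCRL\.enableCRLUpdates')
    agent=$(cfg_get "$1" 'master\.ca\.agent\.host')
    if [ "$updates" = true ] && [ -z "$agent" ]; then
        echo generator
    elif [ "$updates" != true ] && [ -n "$agent" ]; then
        echo clone
    else
        echo mixed
    fi
}

# check_single_generator FILE... -> one line per CA plus a count line;
# exit status 0 only when exactly one CA would generate the CRL
check_single_generator() {
    n=0
    for f in "$@"; do
        role=$(crl_role "$f")
        echo "$(basename "$f" .cfg): $role"
        if [ "$role" = generator ]; then n=$((n + 1)); fi
    done
    echo "$n generator(s)"
    [ "$n" -eq 1 ]
}

# Constructed samples reproducing the thread's output: all three enable updates
SAMPLES=$(mktemp -d)
for h in ipamaster ipareplica01 ipareplica02; do
    printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' \
        > "$SAMPLES/$h.cfg"
done
# Constructed sample of a CA that defers CRL generation to another instance
printf 'ca.crl.MasterCRL.enableCRLUpdates=false\nmaster.ca.agent.host=ipareplica01.example.test\n' \
    > "$SAMPLES/demoted.cfg"

check_single_generator "$SAMPLES"/ipamaster.cfg "$SAMPLES"/ipareplica0?.cfg \
    || echo "WARNING: expected exactly one CRL generator, check the promotion procedure"
```

Run against real servers, the three sample files would be replaced by each CA's /var/lib/pki-ca/conf/CS.cfg copied locally, and a non-zero exit means the CRL source is not unique.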
[Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?
Hi all,

Has anyone successfully done an IPA replica promotion when the IPA
master (Hub) failed, by following the IPA replica document for 2.1.3
and 2.2.0?

I've tried at my side and see that all the steps involved are very
confusing and may be out of date. My IPA master is installed with
Dogtag, and all replicas are installed with Dogtag too through
'--setup-ca'.

In case ipamaster is not reachable, how can I promote ipareplica01?

The master.ca.agent.host/port are not set up on either ipareplica01 or
ipareplica02 to forward to the IPA master at the beginning. Does that
mean all three IPA servers' Dogtag instances run independently?

And what is the value of 'IssuingPointId' in steps 3.e and 3.f?

Is it possible for the document
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
or a wiki/email, to give a SOLID use case instead of a descriptive
statement, which is ambiguous and not easy to follow?

[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'"; done
ipamaster
ipareplica01
ipareplica02

[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL"; done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root@ipamaster ~]#

Thanks.

--David