<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 05/23/2012 08:59 AM, James Hogarth wrote:</tt>
<blockquote
cite="mid:CAGkb5vdY-dTYE6BJiMzDHTos1vvWbQy=QYfzCkzBmqw3MrAmwA@mail.gmail.com"
type="cite">
<blockquote type="cite">
<pre wrap=""><tt>I'll see if I can get one of the dogtag guys to take a look at this.
In general, this is not really a big problem. All we are doing here is deciding which of the CAs will generate the CRL. You want just one because other operations are happening at the same time, potentially on other CAs, and if they are all generating a CRL at more or less the same time then resulting CRLs could be different by a cert or two. For consistency sake it is better to do this one one machine and publish it.
Other than that there is no "master" promotion required. All of the servers, particularly those with a CA installed, are equals.
</tt></pre>
</blockquote>
<pre wrap=""><tt>
Just joined the list following looking in the archives - so apologies
for the random quote from a post yesterday....
This has left me quite confused compared to my infrastructure and
directly impacts me as I need to take the first IPA install offline
indefinitely....
On the first system a service pki-cad status shows:
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
On the three systems built subsequently (with dns and CA replica
install options) the following is shown:
PKI Instance Name: pki-ca
PKI Subsystem Type: CA Clone (Security Domain)
The section 18.8.1 of the Identity Guide on the docs.redhat.com site
refers to entries such as:
ca.listenToCloneModifications=true
master.ca.agent.host=hostname
master.ca.agent.port=port number
However on none of my four IPA instances do these lines appear in CS.cfg ....
So far as I can see from ipa-csmanage-replica list the initial system
has a replica agreement with each of the other three but no agreements
exist between those other three themselves (ie all replication has to
go through the initial system).
This is a fully updated CentOS 6 system... IPA/PKI packages in the rpmdb:
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-1.5.1-66.el6_2.3.x86_64
libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.1.3-9.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
pki-java-tools-9.0.3-21.el6_2.noarch
pki-common-9.0.3-21.el6_2.noarch
pki-symkey-9.0.3-21.el6_2.x86_64
pki-util-9.0.3-21.el6_2.noarch
pki-ca-9.0.3-21.el6_2.noarch
pki-setup-9.0.3-21.el6_2.noarch
pki-silent-9.0.3-21.el6_2.noarch
pki-native-tools-9.0.3-21.el6_2.x86_64
pki-selinux-9.0.3-21.el6_2.noarch
krb5-pkinit-openssl-1.9-22.el6_2.1.x86_64
I can't quite reconcile all the above with the discussions on the
mailing list of how no promoting is needed in a dogtag (as opposed to
self signed) IPA replication topology....
So far as I can see at a minimum when the first server gets switched
off the other three will no longer exchange certificate information
and there might be CRL issues too?
Is there any tested procedure to go from a 'Clone' to a 'Root'
instance for the CAs (and sort out the replication agreements in the
process) in IPA 2.1/2.2?
Kind regards,
James Hogarth
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</tt></pre>
</blockquote>
<tt><br>
They are identical CAs so calling one of them 'Root' and others
'Clone' is quite misleading.<br>
<br>
One of Dogtag CAs is selected to produce CRLs to have consistent
source of revocation information.<br>
<br>
CRL generation is one of many Dogtag CA options and enabling or
disabling this option<br>
does not make selected CA 'Root' or 'Clone'.<br>
<br>
<br>
Here is an information on Dogtag CA configuration which should
help to clear confusion.<br>
<br>
<br>
</tt><tt>General information about related Dogtag CA default
configuration: <br>
</tt>
<ul>
<li><tt>CRL generation is by default enabled.<br>
<b>ca.crl.<issuingPointId>.enableCRLUpdates=true<br>
</b>Absence of the above line is a equivalent to <b> </b>CRL
generation being enabled.<br>
<br>
</tt> </li>
<li><tt>CRL cache is by default enabled.<br>
<b>ca.crl.<issuingPointId>.enableCRLCache=true<br>
</b>Absence of the above line is a equivalent to <b> </b>CRL
cache being enabled.<br>
<br>
</tt> </li>
<li><tt>CA's database maintenance thread is controlled by setting
its interval.<br>
Its default value is 10 minutes set by the following line:<br>
<b> ca.certStatusUpdateInterval=600</b><br>
Absence of the above line is a equivalent to setting database<br>
maintenance thread interval to 10 minutes.<br>
CA's database maintenance thread can be disabled by setting
its interval to zero:<br>
ca.certStatusUpdateInterval=0<br>
<br>
</tt> </li>
<li><tt>Monitoring of database replications for the purpose of
updating CRL cache<br>
is by default disabled.<br>
<b>ca.listenToCloneModifications=false<br>
</b>Absence of the above line is a equivalent to <b> </b>disabled
monitoring<br>
of database replications.<br>
<br>
</tt> </li>
<li><tt>Redirection of CRL generation requests is by default
disabled.<br>
<b>master.ca.agent.host=<em class="replaceable"><code><hostName></code></em><br>
</b><b>master.ca.agent.port=<em class="replaceable"><code><portNumber></code></em><br>
</b><b> </b>Absence of the above lines is a equivalent to<b>
</b>redirection of CRL generation<br>
requests being disabled.<br>
<br>
</tt> </li>
</ul>
<tt><br>
1. Installation of first IPA should configure Dogtag CA generating
CRLs:<br>
</tt>
<blockquote><tt>Default CA installation includes CRL issuing point
generating CRLs.<br>
Monitoring of database replications </tt><tt>for the purpose </tt><tt>of
updating CRL cache<br>
</tt><tt>can be added assuming that CA will be cloned, by setting
<br>
<b>ca.listenToCloneModifications=true</b><br>
</tt></blockquote>
<tt><br>
2. Installation of IPA's clone </tt><tt>should</tt><tt> configure
Dogtag CA with CRL generation disabled:<br>
</tt>
<blockquote><tt>CRL generation can be disabled by setting <br>
<b>ca.crl.<issuingPointId>.enableCRLUpdates=false</b><br>
<br>
Redirection of CRL generation requests can be enabled by setting<br>
<b>master.ca.agent.host=<em class="replaceable"><code><hostName></code></em><br>
</b><b>master.ca.agent.port=<em class="replaceable"><code><portNumber><br>
</code></em></b>This <b>step</b> can be <b>optional</b> if
IPA will not issue </tt><tt>"manual" CRL generation requests.<br>
<b><br>
</b>CA's database maintenance thread can be </tt><tt>disabled
by setting<br>
<b>ca.certStatusUpdateInterval=0<br>
</b>This <b>step</b> can be <b>optional</b> if each clone can
verify certificate expiration independently.<br>
</tt></blockquote>
<tt><br>
3. Transferring CRL generation to another clone:<br>
</tt>
<blockquote><tt>CRL generation can be transfer from one CA clone to
another<br>
by disabling CRL generation in CA currently issuing CRLs<br>
using differences from default configuration provided in <b>(2)<br>
</b> and enabling CRL generation </tt><tt></tt><tt>in new CA by
applying</tt><br>
<tt>differences from default configuration provided</tt><tt> in <b>(1)</b>.</tt></blockquote>
<tt><br>
Thank you,<br>
Andrew<br>
<br>
<br>
</tt>
<pre wrap=""><tt>
</tt></pre>
</body>
</html>