[Freeipa-users] How to promote 2.2.0 replica(installed with --setup-ca) to primary master?
Rob Crittenden
rcritten at redhat.com
Tue Jun 12 21:58:43 UTC 2012
David Copperfield wrote:
> Hi Rob, Rich and all,
>
> After reading through all the mails in the list and the 2.2.0 document, it
> is still not clear how to promote an IPA replica to master after the
> master is dead.
>
> The basic setup is:
>
> IPA 2.2.0 Master A; and IPA 2.2.0 replica B installed from A with the
> '--setup-ca' option. That means both A and B are running a CA. According
> to the 2.2.0 manual, chapter 18.8.1, all the steps, 1--5, make no
> difference.
>
> So the problem turns into: how to let B have the root signing key? The
> following stanza is copied from chapter 18.8.1.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/promoting-replica.html
>
> ------------------------------------------------
> The only difference between a replica in the IPA topology and the master
> server is that the master owns the master CA in the PKI hierarchy. The
> master CA is the authoritative CA; it has the root CA signing key and
> generates CRLs which are distributed among the other servers and
> replicas in the topology. A replica database is cloned (or copied)
> directly from that master database.
> ------------------------------------------------
>
> How to let B have the root signing key? Is it as simple as overwriting
> B's /root/cacert.p12 with A's (which I already saved in subversion)?
>
It already has the root signing key. The only difference is which one
generates the CRL. The dogtag guys have told us that the first server
installed is automatically the CRL generator and that the clones are not
configured this way. It is unclear that this is actually the case in
practice, AFAIK the dogtag team is working with our doc writer to
clarify this.
But in short the only thing to do is change the CRL generator per those
instructions. It is otherwise already a full CA. If none or all of them
are generating a CRL it isn't the end of the world either way; you could
just end up with slightly different CRLs on different masters, which can
be confusing.
/root/cacert.p12 is not used by a running server.
rob
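One way to audit the state Rob describes (exactly one CA should be the CRL generator; none or several is the confusing case) is to inspect each CA's CS.cfg. This is an added example, not code from the thread or from FreeIPA/Dogtag; it assumes the Dogtag keys ca.crl.MasterCRL.enableCRLUpdates and ca.crl.MasterCRL.enableCRLCache are "true" only on the generator, and it runs against constructed sample files rather than real servers.

```shell
#!/bin/sh
# Classify each CA's CRL role from its CS.cfg and count the generators.
# Assumed (Dogtag, not from the thread): both MasterCRL keys below are
# "true" on the CRL generator and "false" on clones.

cfg_get() {  # cfg_get FILE KEY -> value of KEY (last occurrence), empty if absent
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

crl_role() {  # crl_role FILE -> generator | clone | inconsistent
    updates=$(cfg_get "$1" ca.crl.MasterCRL.enableCRLUpdates)
    cache=$(cfg_get "$1" ca.crl.MasterCRL.enableCRLCache)
    if [ "$updates" = true ] && [ "$cache" = true ]; then
        echo generator
    elif [ "$updates" = false ] && [ "$cache" = false ]; then
        echo clone
    else
        echo inconsistent   # one flag flipped: half-configured server
    fi
}

count_generators() {  # count_generators FILE... -> number of CRL generators
    n=0
    for f in "$@"; do
        [ "$(crl_role "$f")" = generator ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed CS.cfg excerpts standing in for master A and clone B.
WORK=$(mktemp -d)
cat > "$WORK/A.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
EOF
cat > "$WORK/B.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
EOF

for f in "$WORK/A.cfg" "$WORK/B.cfg"; do
    printf '%s: %s\n' "$(basename "$f" .cfg)" "$(crl_role "$f")"
done
gens=$(count_generators "$WORK/A.cfg" "$WORK/B.cfg")
[ "$gens" -eq 1 ] || echo "WARNING: $gens CRL generators configured (expected 1)"
```

On real servers point the functions at each CA's CS.cfg (copied off the hosts) instead of the constructed files.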