[Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?

David Copperfield cao2dan at yahoo.com
Mon May 21 20:30:30 UTC 2012


Hi all,

Has anyone successfully done an IPA replica promotion when the IPA master (hub) failed, by following the IPA replica document for 2.1.3 and 2.2.0?

I've tried on my side and see that all the steps involved are very confusing and may be out of date. My IPA master is installed with Dogtag, and all replicas are installed with Dogtag too through '--setup-ca'.

In case ipamaster is not reachable, how can I promote ipareplica01?

The master.ca.agent.host/port are not set up on either ipareplica01 or ipareplica02 to forward to the IPA master at the beginning. Does that mean all three IPA servers' Dogtag instances run independently?

And what is the value of 'IssuingPointId' in step 3.e and 3.f? 

Is it possible for the document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, or the wiki/email, to give a SOLID use case instead of descriptive statements, which are ambiguous and not easy to follow?


[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'"; done
ipamaster
ipareplica01
ipareplica02

[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL"; done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root@ipamaster ~]#

Thanks.

--David