[Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?

Dmitri Pal dpal at redhat.com
Tue May 22 11:11:56 UTC 2012


On 05/21/2012 04:30 PM, David Copperfield wrote:
> Hi all,
>
> Has anyone successfully done an IPA replica promotion when the IPA
> master (Hub) failed, by following the IPA replica document for 2.1.3
> and 2.2.0?
>
> I've tried at my side and see that all the steps involved are very
> confusing and may be out of date. My IPA master is installed with
> Dogtag, and all replicas are installed with Dogtag too through
> '--setup-ca'.
>
> In case ipamaster is not reachable, how can I promote ipareplica01?
>
> The master.ca.agent.host/port are not set up on either ipareplica01 or
> ipareplica02 to forward to the IPA master at the beginning. Does that mean
> all three IPA servers' Dogtag instances run independently?
>
> And what is the value of 'IssuingPointId' in steps 3.e and 3.f?
>
> Is it possible for the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> or a wiki/email, to give a SOLID use case instead of a descriptive
> statement, which is ambiguous and not easy to follow?


This procedure is in fact a bit confusing and we have a bug to clean it up.
https://bugzilla.redhat.com/show_bug.cgi?id=813880

The purpose of this procedure, however, is simple: to define which of the
CA instances has to be the authoritative source for the CRLs. Only one
CA can be an authoritative source at a time, so if you lost a replica
that was responsible for this (and by default this is the first master
you install) you need to go to some other replica that has a CA and follow
this procedure to make it the source for the CRLs.
This is the goal of the "promotion". There is nothing else to it.

HTH.

>
>
> [root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
> ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep
> 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'";
> done
> ipamaster
> ipareplica01
> ipareplica02
>
> [root at ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
> ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep
> enableCRL"; done
> ipamaster
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica01
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> ipareplica02
> ca.crl.MasterCRL.enableCRLCache=true
> ca.crl.MasterCRL.enableCRLUpdates=true
> [root at ipamaster ~]# 
>
> Thanks.
>
> --David


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
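The state Dmitri describes (exactly one CA instance generating CRLs) can be audited from the same CS.cfg keys David grepped. This is an added shell example, not code from the thread or from FreeIPA; it parses constructed "host key=value" lines standing in for the output of the per-host ssh loop, and the hostnames and values are assumptions.

```bash
#!/bin/sh
# Audit which CA instances have CRL generation enabled in CS.cfg.
# Healthy state per the thread: exactly one CA with
# ca.crl.MasterCRL.enableCRLUpdates=true; the others point at it via
# master.ca.agent.host/port.

# Constructed sample 1: what David's loop showed (all three generate CRLs).
SAMPLE_ALL_ENABLED='ipamaster ca.crl.MasterCRL.enableCRLCache=true
ipamaster ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01 ca.crl.MasterCRL.enableCRLCache=true
ipareplica01 ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02 ca.crl.MasterCRL.enableCRLCache=true
ipareplica02 ca.crl.MasterCRL.enableCRLUpdates=true'

# Constructed sample 2: ipamaster gone, ipareplica01 promoted (assumed values).
SAMPLE_PROMOTED='ipareplica01 ca.crl.MasterCRL.enableCRLCache=true
ipareplica01 ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02 ca.crl.MasterCRL.enableCRLCache=false
ipareplica02 ca.crl.MasterCRL.enableCRLUpdates=false
ipareplica02 master.ca.agent.host=ipareplica01
ipareplica02 master.ca.agent.port=9443'

# crl_masters CONFIG: print the hosts whose CA generates CRLs, one per line.
crl_masters() {
    printf '%s\n' "$1" | awk '$2 == "ca.crl.MasterCRL.enableCRLUpdates=true" { print $1 }'
}

# crl_master_count CONFIG: number of CRL-generating CAs (1 is healthy).
crl_master_count() {
    crl_masters "$1" | wc -l | tr -d ' '
}

# audit_crl_masters CONFIG: exit 0 if exactly one CRL master, 1 otherwise.
audit_crl_masters() {
    n=$(crl_master_count "$1")
    case "$n" in
        1) echo "OK: single CRL master: $(crl_masters "$1")"; return 0 ;;
        0) echo "PROBLEM: no CA generates CRLs; promote one CA replica"; return 1 ;;
        *) echo "PROBLEM: $n CAs generate CRLs ($(crl_masters "$1" | tr '\n' ' ')); only one may be authoritative"; return 1 ;;
    esac
}

audit_crl_masters "$SAMPLE_ALL_ENABLED" || echo "(exit status $?)"
audit_crl_masters "$SAMPLE_PROMOTED"
```

On real hosts, replace the sample strings with the collected `host key=value` lines from each CA's /var/lib/pki-ca/conf/CS.cfg.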




