[Freeipa-users] PKI Subsystem Type: CA Clone convert to Root

James Hogarth james.hogarth at gmail.com
Thu May 24 09:23:29 UTC 2012


>
> They are identical CAs so calling one of them 'Root' and others 'Clone' is
> quite misleading.
>
> One of Dogtag CAs is selected to produce CRLs to have consistent source of
> revocation information.
>
> CRL generation is one of many Dogtag CA options and enabling or disabling
> this option
> does not make selected CA 'Root' or 'Clone'.
>
>

Andrew, I understand what you are trying to say about what should be
the case... I'm describing what I'm actually seeing on my systems and
attempting to work out why there are discrepancies, how these can be
resolved, and what the actual effect of switching off the server first
built will be (given that the replication agreements apparently all go
through that according to ipa-csreplica-manage, and I get errors trying
to arrange other agreements... plus the service pki-cad status stating
quite clearly that the first is 'Root' and the other three 'Clone',
regardless of what the documentation in place on the Red Hat/Fedora
sites implies).

Here's the output of service pki-cad status on each system:
[root at first ~]# service pki-cad status
pki-ca (pid 6754) is running...                            [  OK  ]
    Unsecure Port       = http://first.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://first.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://first.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://first.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://first.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://first.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://first.ipa.system.built:443
    ==========================================================================

[root at second ~]# service pki-cad status
pki-ca (pid 11580) is running...                           [  OK  ]
    Unsecure Port       = http://second.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://second.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://second.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://second.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://second.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://second.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://second.ipa.system.built:443
    ==========================================================================

[root at third ~]# service pki-cad status
pki-ca (pid 24039) is running...                           [  OK  ]
    Unsecure Port       = http://third.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://third.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://third.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://third.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://third.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://third.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://third.ipa.system.built:443
    ==========================================================================

[root at fourth ~]# service pki-cad status
pki-ca (pid 19349) is running...                           [  OK  ]
    Unsecure Port       = http://fourth.ipa.system.built:9180/ca/ee/ca
    Secure Agent Port   = https://fourth.ipa.system.built:9443/ca/agent/ca
    Secure EE Port      = https://fourth.ipa.system.built:9444/ca/ee/ca
    Secure Admin Port   = https://fourth.ipa.system.built:9445/ca/services
    EE Client Auth Port = https://fourth.ipa.system.built:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://fourth.ipa.system.built:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://fourth.ipa.system.built:443
    ==========================================================================

Next here's the csreplica list output:

[root at first ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

second.ipa.system.built
third.ipa.system.built
fourth.ipa.system.built


[root at second ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

first.ipa.system.built

[root at third ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

first.ipa.system.built

[root at fourth ~]# ipa-csreplica-manage list `uname -n`
Directory Manager password:

first.ipa.system.built

An attempt to add a replication agreement between third and fourth results in:
[root at third ~]# ipa-csreplica-manage connect `uname -n` fourth.ipa.system.built
Directory Manager password:

This replication agreement already exists.

Attached are the sanitized (so far as I can see) CS.cfg files for
first and third - second and fourth are the same as the third -
barring hostnames of course.

These are full IPA systems with DNS and Dogtag integration enabled
across the board....

There is a clear discrepancy between the expected and the actual -
so something must be going weird here...

Kind regards,

James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: first-CS.cfg
Type: application/octet-stream
Size: 65293 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120524/f5d75d27/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: third-CS.cfg
Type: application/octet-stream
Size: 65797 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120524/f5d75d27/attachment-0001.obj>
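The concern in the message above is that every CS replication agreement appears to run through the first-built server, so shutting it down would leave the three clones with no path to each other. The script below is an added example, not code from the thread or from the FreeIPA project: it parses the `service pki-cad status` and `ipa-csreplica-manage list` output formats exactly as quoted above, rebuilds the CA replication topology as an undirected graph, and reports which hosts are single points of failure (hosts whose removal disconnects the remaining replicas). The embedded sample outputs are constructed from the values quoted in the thread; the hostnames `first..fourth.ipa.system.built` and the hub-and-spoke layout are taken from it, and the generic hostname regex is an assumption of this example.

```python
"""Rebuild a FreeIPA/Dogtag CS replication topology from collected command
output and flag hosts whose loss would partition the remaining CA replicas.

Added example; sample inputs are constructed from the thread's quoted output.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the lines of `service pki-cad status` that matter here,
# one excerpt per host, as quoted in the thread.
STATUS_OUTPUT: Dict[str, str] = {
    "first.ipa.system.built": (
        "pki-ca (pid 6754) is running...                            [  OK  ]\n"
        "    PKI Instance Name:   pki-ca\n"
        "    PKI Subsystem Type:  Root CA (Security Domain)\n"
    ),
    "second.ipa.system.built": (
        "pki-ca (pid 11580) is running...                           [  OK  ]\n"
        "    PKI Subsystem Type:  CA Clone (Security Domain)\n"
    ),
    "third.ipa.system.built": (
        "pki-ca (pid 24039) is running...                           [  OK  ]\n"
        "    PKI Subsystem Type:  CA Clone (Security Domain)\n"
    ),
    "fourth.ipa.system.built": (
        "pki-ca (pid 19349) is running...                           [  OK  ]\n"
        "    PKI Subsystem Type:  CA Clone (Security Domain)\n"
    ),
}

# Constructed sample: `ipa-csreplica-manage list <host>` output per host,
# including the password prompt line the parser has to skip.
CSREPLICA_LIST_OUTPUT: Dict[str, str] = {
    "first.ipa.system.built": "Directory Manager password: \n\n"
        "second.ipa.system.built\nthird.ipa.system.built\nfourth.ipa.system.built\n",
    "second.ipa.system.built": "Directory Manager password: \n\nfirst.ipa.system.built\n",
    "third.ipa.system.built": "Directory Manager password: \n\nfirst.ipa.system.built\n",
    "fourth.ipa.system.built": "Directory Manager password: \n\nfirst.ipa.system.built\n",
}

SUBSYSTEM_RE = re.compile(r"^\s*PKI Subsystem Type:\s*(.+?)\s*$", re.MULTILINE)
# Assumed shape of a replica hostname: at least one dot, no whitespace.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z0-9.-]+$")


def parse_subsystem_type(status_text: str) -> str:
    """Return the value of the 'PKI Subsystem Type' line, e.g. 'Root CA (Security Domain)'."""
    match = SUBSYSTEM_RE.search(status_text)
    if not match:
        raise ValueError("no 'PKI Subsystem Type' line in status output")
    return match.group(1)


def parse_csreplica_list(list_text: str) -> List[str]:
    """Return peer hostnames from `ipa-csreplica-manage list` output, skipping
    the Directory Manager prompt and blank lines."""
    peers = []
    for line in list_text.splitlines():
        line = line.strip()
        if not line or line.startswith("Directory Manager password"):
            continue
        if HOSTNAME_RE.match(line):
            peers.append(line)
    return peers


def build_topology(list_outputs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Undirected graph of CS replication agreements: each listed peer is an edge."""
    graph: Dict[str, Set[str]] = {host: set() for host in list_outputs}
    for host, text in list_outputs.items():
        for peer in parse_csreplica_list(text):
            graph.setdefault(host, set()).add(peer)
            graph.setdefault(peer, set()).add(host)
    return graph


def is_connected(graph: Dict[str, Set[str]], nodes: Set[str]) -> bool:
    """Depth-first search restricted to `nodes`; True if every node is reachable."""
    nodes = set(nodes)
    if not nodes:
        return True
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:
        for peer in graph.get(stack.pop(), ()):
            if peer in nodes and peer not in seen:
                seen.add(peer)
                stack.append(peer)
    return seen == nodes


def single_points_of_failure(graph: Dict[str, Set[str]]) -> List[str]:
    """Hosts whose removal leaves the remaining replicas unable to reach each other."""
    spof = []
    for host in sorted(graph):
        remaining = set(graph) - {host}
        if len(remaining) > 1 and not is_connected(graph, remaining):
            spof.append(host)
    return spof


def report(status_outputs: Dict[str, str], list_outputs: Dict[str, str]) -> dict:
    graph = build_topology(list_outputs)
    return {
        "roles": {h: parse_subsystem_type(t) for h, t in status_outputs.items()},
        "agreements": {h: sorted(p) for h, p in graph.items()},
        "single_points_of_failure": single_points_of_failure(graph),
    }


if __name__ == "__main__":
    result = report(STATUS_OUTPUT, CSREPLICA_LIST_OUTPUT)
    for host, role in result["roles"].items():
        print(f"{host}: {role}; agreements with {result['agreements'][host]}")
    print("single points of failure:", result["single_points_of_failure"])
```

Run against the quoted outputs, the only single point of failure is `first.ipa.system.built`, which matches the worry in the message: the three clones have agreements only with the first server, so its loss leaves them isolated from one another. Adding a clone-to-clone agreement (and confirming it from both ends with `ipa-csreplica-manage list`) would remove that host from the list the script prints.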

