[Freeipa-users] Services and Keytabs for load-balanced hostnames
Mark Heslin
mheslin at redhat.com
Mon Sep 29 20:30:05 UTC 2014
On 09/29/2014 04:25 PM, Alexander Bokovoy wrote:
> On Mon, 29 Sep 2014, Mark Heslin wrote:
>> Folks,
>>
>> I'm looking for the best approach to take for configuring IdM clients
>> to access web services (HTTP)
>> with keytabs when a front-end load-balanced hostname is in place.
>>
>> I have a distributed OpenShift Enterprise configuration with three
>> broker hosts (broker1, broker2, broker3)
>> with all three configured as IdM clients.
>>
>> IdM is configured with one server (idm-srv1.example.com), one replica
>> (idm-srv2.example.com); an HTTP service
>> has been created for each broker host:
>>
>> # ipa service-add HTTP/broker1.example.com
>> # ipa service-add HTTP/broker2.example.com
>> # ipa service-add HTTP/broker3.example.com
>>
>> A DNS round-robin hostname called '*broker**.example.com*' has also
>> been configured to distribute broker requests
>> across the three brokers:
>>
>> # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
>> # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
>> # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13
>>
>> Effectively, this creates a DNS A record that acts as a pseudo DNS
>> load-balancer.
>>
>> To access the HTTP services, we have been creating keytabs for for
>> the first broker host:
>>
>> # ipa-getkeytab -s idm-srv1.example.com -p
>> HTTP/*broker1*.example.com at EXAMPLE.COM
>> -k
>> /var/www/openshift/broker/httpd/conf.d/http.keytab
>>
>> and copying the keytab over to the other two OpenShift broker hosts.
>>
>> This all works fine but in the event that *broker1* should go down,
>> the other broker hosts will lose access
>> to the web service. Ideally, we would like to have web services use
>> the more generic, "load balanced"
>> hostname (*broker.example.com*) and in turn have the keytabs use this
>> name as well.
>>
>> I tried creating an HTTP service using the "load balanced" hostname
>> (*broker.example.com*) but that appears to fail
>> due to *broker.example.com* not being a valid host within IdM:
>>
>> # ipa service-add HTTP/broker.example.com
>> ipa: ERROR: The host 'broker.example.com' does not exist to add a
>> service to.
>>
>> In the F18 FreeIPA guide it discusses creating a combined keytab file
>> (Section 6.5.4) using ktutil:
>>
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services
>>
>>
>> but would that still work as intended should a broker host go down?
>>
>> The next section (6.5.5) mentions creating a keytab to create a
>> service principal that can be used across multiple hosts:
>>
>> # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k
>> /etc/httpd/conf/krb5.keytab -e des-cbc-crc
>>
>> Which seems more in-line with my thinking and exactly what we've been
>> doing but again, if I try to do that
>> using the "load balanced" hostname (*broker.example.com*) it fails
>> sicne it's not a valid host within IdM.
>>
>> What is the best method to doing this?
> Make a host named broker.example.com
> ipa host-add broker.example.com --force
>
> --force will make sure to create the host object even if there is no
> such name in the DNS.
>
> Then create services for this host.
Nice - just what we were looking for!
>
> You'll need to set up your balancer hosts to use the proper service
> principal instead of allowing them to construct the principal themselves
> based on the hostname.
>
Thank you Alexander :-)
-m
--
Red Hat Reference Architectures
Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch
More information about the Freeipa-users
mailing list