[Freeipa-users] New Replacing Master server help

Martin Kosek mkosek at redhat.com
Thu Feb 19 09:38:10 UTC 2015


On 02/18/2015 07:46 PM, Dmitri Pal wrote:
> On 02/18/2015 12:17 PM, Cory Carlton wrote:
>> Hey all.
>>
>>  We are in the process of essentially moving data centers while additionally
>> changing to new OS (rhel from centos) - so we are building replica with master
>> option servers to the new networks.  Version 3.0. It's up and is working as
>> any of our instances.
>>
>> Question is how or what do I need to bring over on the new install -replica
>> master(s) to ensure we have all the Original master server information, keys,
>> crt's, CA etc. before we can shut it down forever (+ a snapshot ;) )
>>
>> we have struggled understanding exactly what to back up since the 3.0 version
>> is lacking backup scripts.
>>
>>
>> a thought, but not timely present would be to upgrade everything in place
>> then migrate, again not timed right for us.
>>
>> Thanks in advance.
>>
>> Cory
>>
>>
>>
> 
> You need to make sure that at least one of the new replicas (better two) acts
> as an IPA CA.
> You need to move CRL generation to one of the new replicas that are CAs.
> You need to move the certificate tracking from the old master to the new
> replica with CA.
> 
> After that you can decommission old master.
> 
> All these procedures are documented on the wiki and RHEL docs. You can also
> find some hints in these archives.
> 
> Martin, do you think we need a combined wiki page that covers this use case or
> we already have something like this?

I think we are already well set. This is the upstream page:

http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

This is the downstream documentation, mostly targeted on RHEL-6.x to RHEL-7.0
migration, but also applicable to your use case:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

Martin



