[Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

Hendrik Frenzel hf+redhat.com at scunc.net
Mon Jun 22 13:59:12 UTC 2015


On 22.06.2015 12:10, Matt . wrote:
> Hi Guys,

Hi Matt,

> I found some good information about migrating from 3.3 to 4.x using
> replicas.
>
> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
> CentOS doesn't provide 3.3.

Could you please share a URL or something?

Currently I'm here:

  * ipa-6 - CentOS 6.6:
    ipa-admintools-3.0.0-42.el6.centos.x86_64
    ipa-client-3.0.0-42.el6.centos.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-python-3.0.0-42.el6.centos.x86_64
    ipa-server-3.0.0-42.el6.centos.x86_64
    ipa-server-selinux-3.0.0-42.el6.centos.x86_64
    sssd-ipa-1.11.6-30.el6_6.4.x86_64
    pki-ca-9.0.3-38.el6_6.noarch

  * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
    ipa-admintools-4.1.0-18.el7.centos.3.x86_64
    ipa-client-4.1.0-18.el7.centos.3.x86_64
    ipa-python-4.1.0-18.el7.centos.3.x86_64
    ipa-server-4.1.0-18.el7.centos.3.x86_64
    sssd-ipa-1.12.2-58.el7_1.6.x86_64
    pki-ca-10.1.2-7.el7.noarch

   -1. Update schema
       ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
       ipa-6# python copy-schema-to-ca.py

    0. clean up old/stale replication agreements
       ipa-replica-manage del --force ipa-6.example.com
       ipa-csreplica-manage del --force ipa-6.example.com

    1. prepare replication on ipa-6 for ipa-7
       ipa-replica-prepare ipa-7.example.com

    2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
       - <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
       + <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

    3. slow down the network a bit
       (don't know how effective it is, as we already have 1GBit, but without it a timing bug in 389-ds-base is triggered - see https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
       tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540

    4. install replication (without CA for the moment)
       ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders

Up to now, everything works, but we need the CA too:

    5. install ca
       ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

But this won't work and I don't have a clue how to fix/proceed from here.

   # ipa-7: /var/log/ipareplica-ca-install.log
   ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
   pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2

   ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
   ipa         : DEBUG    Traceback (most recent call last):
     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
       run_step(full_msg, method)
     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
       method()
     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
       raise RuntimeError('Configuration of CA failed')
   RuntimeError: Configuration of CA failed

   # ipa-7: /var/log/pki/pki-tomcat/ca/system
   0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
   0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

   # ipa-7: /var/log/pki/pki-tomcat/ca/debug
   [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
   [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
   [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
   [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
   [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
   [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
   [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1

   # ipa-6: /var/log/httpd/access_log
   10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 309
   10.1.1.2 - - [22/Jun/2015:15:12:59 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115

   # ipa-6: /var/log/pki-ca/debug
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='name' value='CA ipa-7.example.com 8443'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='eeclientauthsport' value='443'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='httpport' value='80'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sport' value='443'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='dm' value='true'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='adminsport' value='443'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='list' value='CAList'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='clone' value='true'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='type' value='CA'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='agentsport' value='443'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='sessionID' value='-4812857165985662682'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet::service() param name='host' value='ipa-7.example.com'
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: caUpdateDomainXML start to service.
   [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML: processing...
   [22/Jun/2015:15:12:59][TP-Processor5]: UpdateDomainXML process: authentication starts
   [22/Jun/2015:15:12:59][TP-Processor5]: IP: 10.1.1.2
   [22/Jun/2015:15:12:59][TP-Processor5]: AuthMgrName: certUserDBAuthMgr
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: retrieving SSL certificate
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.COM
   [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: started
   [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Retrieving client certificate
   [22/Jun/2015:15:12:59][TP-Processor5]: CertUserDBAuth: Got client certificate
   [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
   [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
   [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
   [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
   [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
   [22/Jun/2015:15:12:59][TP-Processor5]: Authentication: client certificate found
   [22/Jun/2015:15:12:59][TP-Processor5]: In LdapBoundConnFactory::getConn()
   [22/Jun/2015:15:12:59][TP-Processor5]: masterConn is connected: true
   [22/Jun/2015:15:12:59][TP-Processor5]: getConn: conn is connected true
   [22/Jun/2015:15:12:59][TP-Processor5]: getConn: mNumConns now 2
   [22/Jun/2015:15:12:59][TP-Processor5]: returnConn: mNumConns now 3
   [22/Jun/2015:15:12:59][TP-Processor5]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.COM] authentication failure
   [22/Jun/2015:15:12:59][TP-Processor5]: CMSServlet: curDate=Mon Jun 22 15:12:59 CEST 2015 id=caUpdateDomainXML time=11

   # ipa-6: /var/log/pki-ca/system
   5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot authenticate agent with certificate Serial 0x272 Subject DN CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found
   5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [3] [3] Servlet caUpdateDomainXML: Failed to authorize: Invalid Credential..

It would be great if someone could give a hint where to look and what user can't authenticate and why.

@Matt: For renaming the IdM server, see https://access.redhat.com/solutions/174733; it could possibly help.

b/r
H.
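
Added example, not part of the post above and not FreeIPA or Dogtag code. The master's system log says the clone's subsystem certificate (serial 0x272, CN=CA Subsystem,O=EXAMPLE.COM) could not be mapped to a user ("User not found"). Dogtag's certUserDBAuthMgr resolves a client certificate by looking for a user entry in its internal database (ou=people,o=ipaca on an IPA CA) whose description attribute is of the form 2;<serial in decimal>;<issuer DN>;<subject DN>. The script below parses the log line quoted above, compares it with a dump of those user entries, and tells you whether the presented certificate is unknown altogether or known under a different serial. The LDIF entries (uids pkidbuser and ipara, serials 9 and 7) are constructed sample data; on a real master you would obtain them with something like `ldapsearch -LLL -x -D 'cn=Directory Manager' -W -b ou=people,o=ipaca description` (assumed command, adjust bind DN and port to your deployment).

```python
import re

# Quoted from the post above (ipa-6: /var/log/pki-ca/system).
AUTH_FAILURE_LINE = (
    "5651.TP-Processor5 - [22/Jun/2015:15:12:59 MESZ] [6] [3] Cannot "
    "authenticate agent with certificate Serial 0x272 Subject DN "
    "CN=CA Subsystem,O=EXAMPLE.COM. Error: User not found"
)

# Constructed sample of the CA's user entries; uids and serials are made up.
SAMPLE_LDIF = """\
dn: uid=pkidbuser,ou=people,o=ipaca
uid: pkidbuser
description: 2;9;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM

dn: uid=ipara,ou=people,o=ipaca
uid: ipara
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
"""

FAILURE_RE = re.compile(
    r"certificate Serial (?P<serial>0x[0-9A-Fa-f]+) Subject DN "
    r"(?P<subject>.+?)\. Error: (?P<error>.+)$"
)


def parse_auth_failure(line):
    """Extract serial (int), subject DN and error text from the Dogtag system log line."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    return {
        "serial": int(m.group("serial"), 16),
        "subject": m.group("subject").strip(),
        "error": m.group("error").strip(),
    }


def parse_cert_record(description):
    """Parse a Dogtag user certificate record '2;<serial>;<issuer DN>;<subject DN>'."""
    parts = description.split(";", 3)
    if len(parts) != 4 or parts[0] != "2" or not parts[1].isdigit():
        return None  # not a certificate record (users may carry other descriptions)
    return {"serial": int(parts[1]), "issuer": parts[2].strip(), "subject": parts[3].strip()}


def parse_ldif_users(ldif):
    """Return {uid: [cert records]} from a minimal LDIF dump (no folding or base64 values)."""
    users = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        uid, records = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            value = value.strip()
            if attr == "uid":
                uid = value
            elif attr == "description":
                rec = parse_cert_record(value)
                if rec:
                    records.append(rec)
        if uid:
            users[uid] = records
    return users


def diagnose(line, ldif):
    """Classify the failure: ('match', uid, serial), ('serial-mismatch', uid, recorded serial),
    ('no-user', None, None) when no entry carries that subject, or ('unparsed', None, None)."""
    failure = parse_auth_failure(line)
    if failure is None:
        return ("unparsed", None, None)
    for uid, records in parse_ldif_users(ldif).items():
        for rec in records:
            if rec["subject"] != failure["subject"]:
                continue
            if rec["serial"] == failure["serial"]:
                return ("match", uid, rec["serial"])
            # Same subject, different serial: the master's CA database records another
            # certificate for this user than the one the clone just presented.
            return ("serial-mismatch", uid, rec["serial"])
    return ("no-user", None, None)


if __name__ == "__main__":
    print(diagnose(AUTH_FAILURE_LINE, SAMPLE_LDIF))
```

With the constructed entries the result is a serial mismatch for pkidbuser (recorded serial 9, presented 0x272 = 626); a real dump that returns no-user means the master never had a user for that subject at all, which is a different problem from a renewed or re-issued subsystem certificate.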



