[Freeipa-users] IPA PKI Questions

Kendal Montgomery kmontgomery at cbuscollaboratory.com
Thu Apr 27 13:31:30 UTC 2017 

Excellent, thanks for the information regarding re-initialization.  I had tried this before, but I still ended up having issues in the logs where it says something along the lines of a CSN is no longer available, may need to do a full re-initializaion after I did that. It seems to only happen on some of the servers, but I wanted to make sure everything is clean at the remote sites.  I will give this a try again instead of removing and re-adding all of them.

Thanks for clearing up those details regarding the servers with CA roles and client interactions, and how to place the CA role servers. That’s very helpful!  I think it would be great if that were added to the documentation.

Thanks all!

Kendal

On 4/26/17, 5:58 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:

    Kendal Montgomery wrote:
    > Hi all,
    > 
    >  
    > 
    > I’ve been struggling the last few days with rebuilding part of my
    > FreeIPA infrastructure, which has lead me to some questions about how
    > some of the IPA infrastructure works.  To give a bit of background, I
    > have two IPA servers (my initially installed IPA server, and a replica)
    > both of which have DNS, NTP, and CA roles.  I’m running CentOS 7.3,
    > FreeIPA 4.4 currently (upgraded from original CentOS 7 installations
    > which I believe was FreeIPA 4.1? initiall).  I have several remote sites
    > that each have two IPA server replicas that have replication topology
    > segments for domain and ca suffixes back to the two on-prem IPA
    > servers.  This has been working quite well for over a year now, through
    > the upgrades, etc.  Occasionally I get an issue with getting some
    > conflicting records in LDAP, which I’ve cleared up by following some of
    > the documentation out there.  It seems when this happens however, I end
    > up getting into a situation where replication stops working, and I end
    > up needing to “refresh” the installations. I have done this once so far,
    > and am in the process again currently, by deleting each remote IPA
    > server (ipa server-del), then re-installing each server to get a clean
    > copy of the databases for everything.  Last time I had no issues doing
    > this.  This time around, I’m running into some issues with the CA
    > setup.  I seem to be able to run ipa-replica-install just fine without
    > the --setup-ca option.  I may be running into some issues identified in
    > an earlier post this week, so I’ll ask about this issue separately if I
    > continue to have problems.  In working through these issues, I realized
    > I don’t really know enough about how the interaction between the IPA
    > clients and IPA server is working, with regard to the PKI
    > infrastructure.  I have some questions on what server roles I need at
    > each site and how the PKI infrastructure works within the IPA
    > environment, and how the clients communicate to it:
    > 
    
    You don't need to uninstall a master in order to fix replication issues.
    You can re-initialize it from a working master. I'm pretty sure that if
    you re-init one you need to re-init them all though, to be safe. I cc'd
    a couple of 389-ds devs to clarify.
    
    > 
    > 1)       How do the IPA clients discover servers with the CA role and
    > use them?
    
    They don't, they talk to one of the IPA masters and lets that figure it out.
    
    An IPA master does this by looking at cn=<host>,
    cn=masters,cn=ipa,cn=etc,$SUFFIX
    
    > 2)       Is all this interaction done through APIs on the IPA server –
    > in other words, are these requests fielded by the IPA server and proxied
    > somehow to known servers with the CA role?
    
    Right.
    
    > 3)       Do the clients need “direct” access to a server with the CA
    > role to request and obtain certificates and renewals? (i.e. do I need
    > each IPA server to have the CA role)?
    
    Nope.
    
    > 4)       Is it sufficient to just have one server with CA role at each
    > site?  Or even just one at the main on-prem site?
    
    One per site may be sufficient, you want to ensure that you have > 1 CAs
    and since you have separate sites, having one at each would give you
    lots of leeway in case of catastrophe.
    
    rob

More information about the Freeipa-users mailing list