<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Folks,<br>
<br>
I'm looking for the best approach to take for configuring IdM
clients to access web services (HTTP)<br>
with keytabs when a front-end load-balanced hostname is in place.<br>
<br>
I have a distributed OpenShift Enterprise configuration with three
broker hosts (broker1, broker2, broker3)<br>
with all three configured as IdM clients. <br>
<br>
IdM is configured with one server (idm-srv1.example.com), one
replica (idm-srv2.example.com); an HTTP service <br>
has been created for each broker host:<br>
<br>
# ipa service-add HTTP/broker1.example.com<br>
# ipa service-add HTTP/broker2.example.com<br>
# ipa service-add HTTP/broker3.example.com<br>
<br>
A DNS round-robin hostname called '<b>broker</b><b>.example.com</b>'
has also been configured to distribute broker requests<br>
across the three brokers:<br>
<br>
# ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11<br>
# ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12<br>
# ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13<br>
<br>
Effectively, this creates a DNS A record that acts as a pseudo DNS
load-balancer.<br>
<br>
To access the HTTP services, we have been creating keytabs for for
the first broker host:<br>
<br>
# ipa-getkeytab -s idm-srv1.example.com -p HTTP/<b>broker1</b>.example.com@EXAMPLE.COM<br>
-k
/var/www/openshift/broker/httpd/conf.d/http.keytab<br>
<br>
and copying the keytab over to the other two OpenShift broker hosts.
<br>
<br>
This all works fine but in the event that <b>broker1</b> should go
down, the other broker hosts will lose access<br>
to the web service. Ideally, we would like to have web services use
the more generic, "load balanced" <br>
hostname (<b>broker.example.com</b>) and in turn have the keytabs
use this name as well.<br>
<br>
I tried creating an HTTP service using the "load balanced" hostname
(<b>broker.example.com</b>) but that appears to fail<br>
due to <b>broker.example.com</b> not being a valid host within IdM:<br>
<br>
# ipa service-add HTTP/broker.example.com<br>
ipa: ERROR: The host 'broker.example.com' does not exist to add a
service to.<br>
<br>
In the F18 FreeIPA guide it discusses creating a combined keytab
file (Section 6.5.4) using ktutil: <br>
<br>
<a class="moz-txt-link-freetext" href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services</a><br>
<br>
but would that still work as intended should a broker host go down?<br>
<br>
The next section (6.5.5) mentions creating a keytab to create a
service principal that can be used across multiple hosts:<br>
<br>
# ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k
/etc/httpd/conf/krb5.keytab -e des-cbc-crc<br>
<br>
Which seems more in-line with my thinking and exactly what we've
been doing but again, if I try to do that <br>
using the "load balanced" hostname (<b>broker.example.com</b>) it
fails sicne it's not a valid host within IdM.<br>
<br>
What is the best method to doing this? <br>
<br>
Thank you,<br>
<br>
-m<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Red Hat Reference Architectures
Follow Us: <a class="moz-txt-link-freetext" href="https://twitter.com/RedHatRefArch">https://twitter.com/RedHatRefArch</a>
Plus Us: <a class="moz-txt-link-freetext" href="https://plus.google.com/u/0/b/114152126783830728030/">https://plus.google.com/u/0/b/114152126783830728030/</a>
Like Us: <a class="moz-txt-link-freetext" href="https://www.facebook.com/rhrefarch">https://www.facebook.com/rhrefarch</a>
</pre>
</body>
</html>