I am planning to retire the v3.3 ipa servers since they are Linux 6
and replace them outright.
I am trying to make the v4 ipa the master and I have another server in the wings to make
a replica under that server once I know it is the master. All my concerns focus on the
elevation of the ipa v4 server to master of all so I can ipa-manage-del the original v3
servers next and then deploy a final ipa v4 as replica.
My understanding of what I am reading in the documentation is the limiting factor.
All masters are equals. The only differences are:
- optional services: CA, KRA, DNS, etc
- one is the CA renewal master
- one is the CRL generator (usually same as CA renewal master)
- a master doesn't have a DNA range unless it has created a user or group
That's it.
If your certs are not due to expire any time soon you'll save a lot of
time and effort by moving to v4 and running the config-mod command I
pointed out, then you'll have your CA renewal master. Follow the "How to
promote" instructions to set the CRL generator on the same server. Add a
user or group on at least one of the new masters. You're done.
We recommend at least 2 masters have the CA on them for redundancy.
rob
-Steve
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Thursday, October 3, 2019 1:25 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Florence
Blanc-Renaud <flo(a)redhat.com>
Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
Subject: Re: [Freeipa-users] Re: CA Master Confusion
Auerbach, Steven via FreeIPA-users wrote:
> After several weeks I am moving back to this project.
>
> I am reading the "Howto/Promote CA to Renewal and CRL Master" documentation.
>
> Background: When I added the Linux 7 / Ipa v4 system (ipa3) I used an export from the original ipa v3 (ipa1) as the input to an ipa-create-replica command.
>
> When I execute the command for ipa version < 4.0 to verify certificate
> master on all three servers (ipa1 and ipa2 are v3.3, and ipa3 is v4.0)
> $ getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
> the response I get
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> is the same on all three servers.
>
> Several Questions:
> Is this as expected or does it indicate a problem?
It depends. On the IPA v4 server what does ipa config-show |grep -i renewal say?
> Since ipa3 is NOT the first master, what is the process to make an ipa v4 server the first master?
I assume by first master you mean the CA renewal master and CRL generator. On the v4
server run: ipa config-mod --ca-renewal-master-server=<v4 master fqdn>
> Is this done before unconfiguring master status on the ipa v3 servers or after?
Order doesn't matter as long as you aren't in the middle of a renewal.
> Do I unconfigure master renewal on ipa1 and unconfigure clone renewal on ipa2?
Not sure what you mean. It used to be that the tracking was different between the renewal
master and the others. I don't believe that is the case in v3.3+.
> What to do about the same information on ipa3 (the ipa v4 server) at this point?
v4 uses the renewal master config setting to know which is the master.
I'd focus more on migrating the other two masters to v4 first. While different
versions can interoperate together it is not ideal to run this way in the long term.
rob
>
> I have no lab in which to try this update, so I am making these changes across a
> production datacenter and I am EXCEEDINGLY wary of breaking everything.
>
> Advice appreciated.
>
>
> Steven Auerbach
> ASSISTANT DIRECTOR OF INFORMATION SYSTEMS INFORMATION TECHNOLOGY &
> SECURITY State University System of Florida Board of Governors
> 325 W. Gaines Street, Suite 1625
> Tallahassee, Florida 32399
> (850) 245-9592
>
> www.flbog.edu
>
>
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: Tuesday, August 27, 2019 9:20 AM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
> Subject: Re: [Freeipa-users] CA Master Confusion
>
> On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
>> As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
>> On the v4.6.4 replica (ipa<3>):
>> $ sudo ipa config-show |grep 'CA renewal master'
>> [sudo] password for <user>:
>> $
>> $
>>
>> On the v3.0.0 (ipa<1>):
>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
>> [sudo] password for <user>:
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
>> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
>> # requesting: dn
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>
> Hi,
> the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA 4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I am not surprised that the search does not return anything.
> When the 3.0 server was installed, the attribute did not exist yet. When the 4.x replica was installed, the attribute was not added since the new replica wasn't CA master.
>
> As the attribute is not set at all, the ipa config-show command (internally using the same ldapsearch you did) is unable to find a CA master.
>
> If you want to move the CA master role to ipa3, just follow the steps in [1], making sure to apply the steps for the corresponding IPA version.
>
> Also please note that we do not recommend using versions 3.x and 4.x together over a long period of time. This is completely OK when you want to migrate but once you have ensured all the services are properly working, the 3.x master should be decommissioned. Please see [2].
> HTH,
> flo
>
> [1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7
>
>>
>>
>> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:
>>
>> $ sudo ipa server-role-find --role 'CA server'
>> [sudo] password for <user>:
>> ----------------------
>> 3 server roles matched
>> ----------------------
>> Server name: ipa<2>.mydomain.local
>> Role name: CA server
>> Role status: absent
>>
>> Server name: ipa<1>.mydomain.local
>> Role name: CA server
>> Role status: enabled
>>
>> Server name: ipa<3>.mydomain.local
>> Role name: CA server
>> Role status: absent
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>> And on the v3.0.0 (ipa<1>) I get:
>>
>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
>> # filter: (&(cn=CA)(ipaConfigString=caServer))
>> # requesting: dn
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>>
>> The way forward is not clear.
>> -Steven Auerbach
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>