On Thu, 07 Mar 2019, Vivek Aggarwal via FreeIPA-users wrote:
Thank you Alexander.

Since you represent the Red Hat team, I couldn't resist asking the
two questions below as well. It would be great if you could provide
guidance/suggestions on these too.

1) We have a cloud environment where updating the resolv.conf file to
accommodate our IDM DNS server entry is not recommended, though
I've come across forums where people talk about applying the "chattr"
command, which will make resolv.conf read-only, but I refrain from
doing that, as it's not a wise thing to do in a cloud env. Hence, as per
your experience, please share what our approach should be for
configuring Red Hat IDM DNS without changing the cloud-provided
resolv.conf.

All you need to do is to follow normal DNS zone deployment
recommendations. In other words, you should be using a DNS zone that is
delegated to you, it needs to be resolvable via upstream DNS servers
your cloud provider maintains and so on. There is nothing specific on
the IPA side around it at all.



2) I've gone through the docs for the integrated Vault that is part of
the IDM solution but didn't find enough detail, like how the data is
stored securely in the vault under the hood and how the security of
secrets/data is handled within the vault provided by IDM. And is it
recommended to use the integrated IDM vault for a production-grade env,
I mean, is it safe to do that? Please suggest.

The vault is stored in the KRA facility of the Dogtag CA. See the
documentation about that in the RHCS product documentation:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/key_recovery_authority


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland