Hi Deon, Dmitri, and all,
> >> Hi folks,
> >
> >>  I'm completely lost at reading the IPA document on how to promote an IPA 
> >>replica into an IPA master. When I try to follow the steps listed in the 
> >>chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at 
> >>the link 
> >>http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> >> the last step 'g' says:
> >>
> >>    g. Disable the redirect settings for CRL generation requests:
> >>         master.ca.agent.host=hostname
> >>         master.ca.agent.port=port number
> >>
> >> The above instructions don't give any hints about 'hostname' or 'port 
> >> number'. Users don't have any clue about them: should they be this 
> >> replica's name, or the original master's name? And what is the port 
> >> number? Is it a TCP port, or a UDP port?
> >
> >The replica is configured to check for information from the master CA -- in 
> >this case, asking the master CA to generate a CRL. Those parameters tell the 
> >replica where to look. Part of promoting the replica is telling it *not* to 
> >look for a master CA. So, those parameters should be blanked or removed.
> >
> >I can definitely make that more clear.
> Have you used a --selfsign option when you installed the first server?
> If you did, you installed the server without CA. This is an advanced option 
> for those who know why they do not want the CA at all.
> The standard, default way is to not provide --selfsign flag.
> This will install CA on the first replica. On the other replicas you can have 
> a CA at your discretion. Or add it later if you did not install it at the 
> beginning.
> HTH.

It's my pleasure to clarify here: no '--selfsign' option was used to create the IPA 
master, or the first replica, or other replica siblings. But the Dogtag 
installation results are:

 IPA master has the Dogtag system installed, and the 
'/var/lib/pki-ca/conf/CS.conf' file created. Inside there was no 
'master.ca.agent.{host,port}' statement.
 IPA replica (first replica and its siblings): NO Dogtag certificate system was 
automatically installed. Not even a /var/lib/pki-ca/ directory.
By the way, on the document page, the commands 'service pki-ca stop' and 
'service pki-ca start' were wrong too -- as there was only a 'pki-cad' service, 
not 'pki-ca'. :)

So, please have the migration page updated and submit it here so that users can 
follow the updated version and give you more feedback immediately. It looks 
like a win-win solution.
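Step 'g' above says to disable the redirect settings but gives no values to put there. As an added example (not from this thread or the Red Hat guide), here is a small shell helper that removes the two redirect keys from a CS.conf after taking a backup, and first checks whether the host has a Dogtag configuration at all, since a replica installed without a CA has no /var/lib/pki-ca/ directory. It assumes the key=value layout of CS.conf; the default path and the 'pki-cad' service name are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the IPA documentation. Assumes the
# Dogtag CS.conf file is a plain key=value file (one setting per line).

# Remove master.ca.agent.host / master.ca.agent.port from CS.conf in place,
# keeping a timestamped backup next to it. Returns 1 if the file does not
# exist (a replica without a CA has no CS.conf, so there is nothing to edit).
disable_crl_redirect() {
    conf="${1:-/var/lib/pki-ca/conf/CS.conf}"
    if [ ! -f "$conf" ]; then
        echo "no $conf: this replica has no Dogtag CA installed" >&2
        return 1
    fi
    bak="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$bak"
    # Anchored on exactly these two keys so other master.ca.* settings stay.
    # Writing through the redirect keeps the original file's mode and owner.
    sed -e '/^master\.ca\.agent\.host=/d' \
        -e '/^master\.ca\.agent\.port=/d' "$bak" > "$conf"
}

# Check whether either redirect key is still set: 0 = present, 1 = clean.
# Run this before 'service pki-cad start' to confirm the edit took effect.
crl_redirect_present() {
    grep -qE '^master\.ca\.agent\.(host|port)=' "$1"
}
```

Because pki-cad reads CS.conf only at startup, stop the service before editing and start it again afterwards, as the guide's surrounding steps describe.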

Freeipa-users mailing list
