Hi Petr and all,

 I have read all the chapters you have pointed out many times, but that doesn't 
help at all.

 My problem is: the Dogtag system ran on the IPA master ONLY before the IPA 
master crashed. Now I have to do the following:

1. Install and run the Dogtag system on the IPA replica -- the document mentioned 
it -- 'ipa-ca-install' etc.

2. Promote the IPA replica into the new IPA master -- the document mentioned it but 
not clearly -- regarding the /root/cacert.p12 key file and the replica file under 
/var/lib/ipa.

3. How to recover the Dogtag system's data (different LDAP backend) that 
existed on the IPA master before it crashed?

Other close questions include:

What is included in the replica definition 
file /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the 
signing key, and how do I open the .gpg file?

Thanks.

--David


________________________________
 From: Petr Spacek <pspa...@redhat.com>
To: freeipa-users@redhat.com 
Sent: Thursday, May 10, 2012 2:45 AM
Subject: Re: [Freeipa-users] How to rebuild IPA master?
 
On 05/10/2012 02:24 AM, Steven Jones wrote:
> Hi,
>
> In case everyone else is asleep now......
>
> Do you have access to RH documentation? The 6.3beta admin guide section 18.8
> talks about why and how to make a replica a master.

Just for completeness:
Documentation is publicly available: http://docs.redhat.com/

Documentation for IPA beta:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html

Documentation for latest stable IPA:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

>
> eg.,
>
> "NOTE
> All servers and replicas which host a CA are peers in the topology. They can
> all issue certificates and keys to IPA clients, and they all replicate
> information amongst themselves.
> The only reason to promote a replica or server to be a master server is if the
> master server is being taken offline. There has to be a root CA which can
> issue CRLs and ultimately validate certificate checks.
> Aside from that, replicas, servers, and the master server are all equal peers."
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------------
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of David Copperfield [cao2...@yahoo.com]
> *Sent:* Thursday, 10 May 2012 11:04 a.m.
> *To:* Rob Crittenden; Freeipa-users@redhat.com
> *Subject:* [Freeipa-users] How to rebuild IPA master?
>
> Hi all,
>
> I've an IPA master/replica setup in our development environment. Unfortunately
> our IPA master crashed, the replica is working fine. Now I have the IPA master
> re-imaged.
>
> What are the steps I have to follow to re-create the IPA master from running
> IPA replica? Before crash the IPA master ran dogtag certificate system, while
> the IPA replica didn't -- created normally without the --setup-ca option.
>
> Thanks.
>
> --David
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
