David Copperfield wrote:
Hi Petr and all,

All the chapters you have pointed out I have read many times, but that
doesn't help at all.

My problem is: the Dogtag system ran on the IPA master ONLY before the
IPA master crashed. Now I have to do the following:

1. Install and run the Dogtag system on the IPA replica -- the document
mentions it -- 'ipa-ca-install' etc.

2. Promote the IPA replica into the new IPA master -- the document mentions it
but is not clear -- regarding the /root/cacert.p12 key file and the replica
file under /var/lib/ipa.

3. How to recover the Dogtag system's data (different LDAP backend) that
existed on the IPA master before it crashed?

Other close questions include:

What is included in the replica definition file
/var/lib/ipa/replica-info-ipareplica01.example.com.gpg? Where is the
signing key, and how do I open the .gpg file?

# gpg -d /path/to/replica.gpg | tar xf -

The password is the Directory Manager password.

You have limited options since your CA was a single point of failure and it failed. The root CA private keys should be in the replica file, so there may be ways to recover, but all of them will require significant manual effort.

We have no way to add a new CA to an existing IPA installation outside of ipa-ca-install so we'll need to give that some thought. I think the simplest way to fix this is to create a new CA as a subordinate of the original one. The existing certs should still be trusted (except for the agent cert) so mass rekeying won't be necessary.

Another option is to install a new CA and try to replace its key with the original. We'd need to think long-term about this effort, and you'd want to renew all issued certificates so they will be revokable.

rob



Thanks.

--David
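Rob's decrypt-and-untar one-liner, wrapped as an added shell example (not code from the thread or from FreeIPA) that keeps the unpacked CA key material in a 0700 scratch directory and reads the Directory Manager password from a file rather than the command line; the function names and the GnuPG 2.1+ loopback-pinentry flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: unpack an IPA replica-info .gpg file the
# way the one-liner does, but into a private scratch directory, because the
# archive carries the CA's private key material (cacert.p12).
set -eu

# Create a mode-0700 scratch directory under $TMPDIR (or /tmp) and print its path.
secure_workdir() {
    dir=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/replica-info.XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Decrypt the archive ($1) with the Directory Manager password read from a
# file ($2) rather than from argv, and extract it into $3 with owner-only
# permissions. Assumes GnuPG 2.1+ (needs --pinentry-mode loopback for --batch).
extract_replica_info() {
    archive=$1
    passfile=$2
    dest=$3
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$archive" \
        | (cd "$dest" && umask 077 && tar xf -)
}

# Exit 0 if the unpacked tree under $1 contains cacert.p12, i.e. the CA keys
# a rebuild of the CA would need; exit 1 otherwise.
has_ca_keys() {
    [ -n "$(find "$1" -type f -name cacert.p12 | head -n 1)" ]
}

# Remove the scratch directory once the needed files have been copied elsewhere.
cleanup_workdir() {
    rm -rf "$1"
}
```

Run as: `d=$(secure_workdir); extract_replica_info /path/to/replica.gpg /root/dm-pass.txt "$d"; has_ca_keys "$d" && echo "CA keys present"`, then `cleanup_workdir "$d"` when done.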

------------------------------------------------------------------------
*From:* Petr Spacek <pspa...@redhat.com>
*To:* freeipa-users@redhat.com
*Sent:* Thursday, May 10, 2012 2:45 AM
*Subject:* Re: [Freeipa-users] How to rebuild IPA master?

On 05/10/2012 02:24 AM, Steven Jones wrote:
 > Hi,
 >
 > In case everyone else is asleep now......
 >
 > Do you have access to RH documentation? The 6.3beta admin guide
 > section 18.8 talks about why and how to make a replica a master.

Just for completeness:
Documentation is publicly available: http://docs.redhat.com/

Documentation for IPA beta:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html

Documentation for latest stable IPA:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

 >
 > eg.,
 >
 > "NOTE
 > All servers and replicas which host a CA are peers in the topology.
 > They can all issue certificates and keys to IPA clients, and they all
 > replicate information amongst themselves.
 > The only reason to promote a replica or server to be a master server
 > is if the master server is being taken offline. There has to be a
 > root CA which can issue CRLs and ultimately validate certificate checks.
 > Aside from that, replicas, servers, and the master server are all
 > equal peers."
 >
 > regards
 >
 > Steven Jones
 >
 > Technical Specialist - Linux RHCE
 >
 > Victoria University, Wellington, NZ
 >
 > 0064 4 463 6272
 >
 >
 > ------------------------------------------------------------------------------
 > *From:* freeipa-users-boun...@redhat.com
 > [freeipa-users-boun...@redhat.com] on behalf of David Copperfield
 > [cao2...@yahoo.com]
 > *Sent:* Thursday, 10 May 2012 11:04 a.m.
 > *To:* Rob Crittenden; Freeipa-users@redhat.com
 > *Subject:* [Freeipa-users] How to rebuild IPA master?
 >
 > Hi all,
 >
 > I've an IPA master/replica setup in our development environment.
 > Unfortunately our IPA master crashed; the replica is working fine.
 > Now I have the IPA master re-imaged.
 >
 > What are the steps I have to follow to re-create the IPA master from
 > the running IPA replica? Before the crash, the IPA master ran the
 > Dogtag certificate system, while the IPA replica didn't -- it was
 > created normally, without the --setup-ca option.
 >
 > Thanks.
 >
 > --David
 >
 >
 > _______________________________________________
 > Freeipa-users mailing list
 > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
 > https://www.redhat.com/mailman/listinfo/freeipa-users
