Hi all,
Has anyone successfully done an IPA replica promotion when the IPA master (hub)
failed, by following the IPA replica document for 2.1.3 and 2.2.0?
I've tried on my side and see that all the steps involved are very confusing
and may be out of date. My IPA master is installed with Dogtag, and all
replicas are installed with Dogtag too, through '--setup-ca'.
In case ipamaster is not reachable, how can I promote ipareplica01?
The master.ca.agent.host/port are not set up on either ipareplica01 or
ipareplica02 to forward to the IPA master at the beginning. Does that mean all
three IPA servers' Dogtag runs independently?
And what is the value of 'IssuingPointId' in steps 3.e and 3.f?
Is it possible for the document
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
or wiki/email, to give a SOLID use case instead of descriptive statements, which
are ambiguous and not easy to follow?
[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | egrep 'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'"; done
ipamaster
ipareplica01
ipareplica02
[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x ${i} "cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL"; done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root@ipamaster ~]#
Thanks.
--David
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users