I'm looking for the best approach to take for configuring IdM clients to access web services (HTTP)
with keytabs when a front-end load-balanced hostname is in place.

I have a distributed OpenShift Enterprise configuration with three broker hosts (broker1, broker2, broker3)
with all three configured as IdM clients.

IdM is configured with one server (, one replica (; an HTTP service
has been created for each broker host:

  # ipa service-add HTTP/
  # ipa service-add HTTP/
  # ipa service-add HTTP/

A DNS round-robin hostname called '*broker***' has also been configured to distribute broker requests
across the three brokers:

  # ipa dnsrecord-add broker --a-ip-address=
  # ipa dnsrecord-add broker --a-ip-address=
  # ipa dnsrecord-add broker --a-ip-address=

Effectively, this creates a DNS A record that acts as a pseudo DNS load-balancer.

To access the HTTP services, we have been creating keytabs for for the first broker host:

# ipa-getkeytab -s -p HTTP/*broker1* -k /var/www/openshift/broker/httpd/conf.d/http.keytab

and copying the keytab over to the other two OpenShift broker hosts.

This all works fine but in the event that *broker1* should go down, the other broker hosts will lose access to the web service. Ideally, we would like to have web services use the more generic, "load balanced" hostname (**) and in turn have the keytabs use this name as well.

I tried creating an HTTP service using the "load balanced" hostname (**) but that appears to fail
due to ** not being a valid host within IdM:

   # ipa service-add HTTP/
ipa: ERROR: The host '' does not exist to add a service to.

In the F18 FreeIPA guide it discusses creating a combined keytab file (Section 6.5.4) using ktutil:

but would that still work as intended should a broker host go down?

The next section (6.5.5) mentions creating a keytab to create a service principal that can be used across multiple hosts:

# ipa-getkeytab -s -p HTTP/ -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc

Which seems more in-line with my thinking and exactly what we've been doing but again, if I try to do that using the "load balanced" hostname (**) it fails sicne it's not a valid host within IdM.

What is the best method to doing this?

Thank you,



Red Hat Reference Architectures

Follow Us:
Plus Us:
Like Us:

Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to