On Mon, 29 Sep 2014, Mark Heslin wrote:
I'm looking for the best approach to take for configuring IdM clients
to access web services (HTTP)
with keytabs when a front-end load-balanced hostname is in place.
I have a distributed OpenShift Enterprise configuration with three
broker hosts (broker1, broker2, broker3)
with all three configured as IdM clients.
IdM is configured with one server (idm-srv1.example.com), one replica
(idm-srv2.example.com); an HTTP service
has been created for each broker host:
# ipa service-add HTTP/broker1.example.com
# ipa service-add HTTP/broker2.example.com
# ipa service-add HTTP/broker3.example.com
A DNS round-robin hostname called '*broker**.example.com*' has also
been configured to distribute broker requests
across the three brokers:
# ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
# ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
# ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13
Effectively, this creates a DNS A record that acts as a pseudo DNS
To access the HTTP services, we have been creating keytabs for for the
first broker host:
# ipa-getkeytab -s idm-srv1.example.com -p
and copying the keytab over to the other two OpenShift broker hosts.
This all works fine but in the event that *broker1* should go down,
the other broker hosts will lose access
to the web service. Ideally, we would like to have web services use
the more generic, "load balanced"
hostname (*broker.example.com*) and in turn have the keytabs use this
name as well.
I tried creating an HTTP service using the "load balanced" hostname
(*broker.example.com*) but that appears to fail
due to *broker.example.com* not being a valid host within IdM:
# ipa service-add HTTP/broker.example.com
ipa: ERROR: The host 'broker.example.com' does not exist to add a
In the F18 FreeIPA guide it discusses creating a combined keytab file
(Section 6.5.4) using ktutil:
but would that still work as intended should a broker host go down?
The next section (6.5.5) mentions creating a keytab to create a
service principal that can be used across multiple hosts:
# ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k
/etc/httpd/conf/krb5.keytab -e des-cbc-crc
Which seems more in-line with my thinking and exactly what we've been
doing but again, if I try to do that
using the "load balanced" hostname (*broker.example.com*) it fails
sicne it's not a valid host within IdM.
What is the best method to doing this?
Make a host named broker.example.com
ipa host-add broker.example.com --force
--force will make sure to create the host object even if there is no
such name in the DNS.
Then create services for this host.
You'll need to set up your balancer hosts to use the proper service
principal instead of allowing them to construct the principal themselves
based on the hostname.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project