[Freeipa-users] Re: Migrating or adding CA to a replica after-the-fact?

2020-06-02 Thread Florence Blanc-Renaud via FreeIPA-users

On 6/2/20 3:28 PM, Auerbach, Steven via FreeIPA-users wrote:
> Can we add the CA mastery or CA replica to an IPA v4 server that is a
> replica and later promote to CA mastery?  We have an IPA v3 server that
> has been the only CA master for several years. We have a recent IPAv4
> replica that was set up without DNS or CA or NTP at the point of
> creation, so only the LDAP is in the replication agreement. We are
> trying to retire the IPA v3 servers and have a new replication pair in
> IPA v4 without breaking the realm and all our clients' and users'
> records.  We keep running into walls and roadblocks as we try to build a
> procedure we can execute in an off-hours maintenance window.

Hi,

you can add the CA role to an existing replica that was installed 
without CA, using ipa-ca-install on the replica. If you decide later on 
to move the master CA to this replica, you can follow the steps from 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#server-roles-promote-to-ca


Same thing for DNS: you can run ipa-dns-install on a non-DNS replica.

HTH,
flo


Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street
Tallahassee, Florida 32399
(850) 245-9592
www.flbog.edu


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org




[Freeipa-users] Re: Migrating or adding CA to a replica after-the-fact?

2020-06-02 Thread Rob Crittenden via FreeIPA-users
Auerbach, Steven via FreeIPA-users wrote:
> Can we add the CA mastery or CA replica to an IPA v4 server that is a
> replica and later promote to CA mastery?  We have an IPA v3 server that
> has been the only CA master for several years. We have a recent IPAv4
> replica that was set up without DNS or CA or NTP at the point of
> creation, so only the LDAP is in the replication agreement. We are
> trying to retire the IPA v3 servers and have a new replication pair in
> IPA v4 without breaking the realm and all our clients' and users'
> records.  We keep running into walls and roadblocks as we try to build a
> procedure we can execute in an off-hours maintenance window.

Run ipa-ca-install to add a CA to a master that does not have the role
configured.

rob
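Both replies above give the same two-step answer: ipa-ca-install adds the CA role to a replica that was installed without it, and the linked Red Hat page then covers moving the CA renewal master. The following POSIX shell runbook skeleton is an added example, not code from the FreeIPA project or from either reply: it wires those steps together with a check before and after, so the renewal-master role is only moved to a host whose CA role is actually enabled. The real commands it calls are ipa-ca-install, ipa server-role-find, ipa config-show and ipa config-mod --ca-renewal-master-server; the parsers assume the current 4.x text output of those commands, the embedded sample output is constructed for an offline dry run, and the hostnames ipa-v3.example.test and ipa-v4.example.test are placeholders.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA project or from the thread.
# Runbook skeleton: add the CA role to an existing non-CA replica with
# ipa-ca-install, verify the role, then promote that replica to CA renewal
# master with ipa config-mod. Hostnames are constructed placeholders.

OLD_CA_MASTER="${OLD_CA_MASTER:-ipa-v3.example.test}"  # assumption: current renewal master
NEW_REPLICA="${NEW_REPLICA:-ipa-v4.example.test}"      # assumption: replica to receive the CA role

# Print the value of the "IPA CA renewal master" line from `ipa config-show` text ($1).
renewal_master_from_config() {
    printf '%s\n' "$1" | sed -n 's/^ *IPA CA renewal master: *//p'
}

# Return 0 when host $1 is listed with "Role status: enabled" in the text ($2)
# printed by `ipa server-role-find --role "CA server"`, 1 otherwise.
host_has_ca_role() {
    printf '%s\n' "$2" | awk -v host="$1" '
        /Server name:/ { cur = $NF }
        /Role status:/ { if (cur == host && $NF == "enabled") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Pre-promotion check: $1 host, $2 server-role output, $3 config-show output.
# Prints the current renewal master on success; returns 1 if the host has no
# enabled CA role yet, 2 if it is already the renewal master.
preflight() {
    if ! host_has_ca_role "$1" "$2"; then
        echo "$1 has no enabled CA role; run ipa-ca-install there first" >&2
        return 1
    fi
    current=$(renewal_master_from_config "$3")
    if [ "$current" = "$1" ]; then
        echo "$1 is already the CA renewal master" >&2
        return 2
    fi
    echo "$current"
}

# Live procedure; run on NEW_REPLICA after kinit as an IPA admin.
run_migration() {
    # Step 1: add the CA role (prompts for the Directory Manager password).
    ipa-ca-install || return 1
    # Step 2: verify the role is enabled and see who currently holds renewal.
    roles=$(ipa server-role-find --role "CA server")
    previous=$(preflight "$NEW_REPLICA" "$roles" "$(ipa config-show)") || return 1
    echo "Renewal master currently: $previous (expected $OLD_CA_MASTER)"
    # Step 3: move the CA renewal master role to the new replica.
    ipa config-mod --ca-renewal-master-server "$NEW_REPLICA" || return 1
    # Step 4: confirm the change took effect.
    [ "$(renewal_master_from_config "$(ipa config-show)")" = "$NEW_REPLICA" ]
}

# Constructed sample output in the format of the two ipa commands, for an offline dry run.
SAMPLE_ROLES='----------------------
2 server roles matched
----------------------
  Server name: ipa-v3.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa-v4.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 2
----------------------------'

SAMPLE_CONFIG='  IPA masters: ipa-v3.example.test, ipa-v4.example.test
  IPA CA servers: ipa-v3.example.test
  IPA CA renewal master: ipa-v3.example.test'

case "${1:-}" in
    run) run_migration ;;
    *)   preflight "$NEW_REPLICA" "$SAMPLE_ROLES" "$SAMPLE_CONFIG" || echo "dry run: preflight refused with status $?" ;;
esac
```

Invoke it with the single argument `run` on the replica that should receive the CA role; without arguments it only defines the functions and runs the preflight against the constructed samples, which refuses because the sample replica still has no CA role. One caveat worth checking before the maintenance window: on domain level 0, which an IPA v3 master implies (see `ipa domainlevel-get`), ipa-ca-install expects the replica information file that was used to create the replica as its argument, so have that file at hand on the replica.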