Re: [Freeipa-users] change CA subject or "friendly name"?

2016-04-11 Thread Fraser Tweedale
On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote:
> Hello All,
> 
> I'm in the process of deploying FreeIPA 4 in a development environment.
> One of my testers has imported the ca.pem file into Windows, and indicates
> that it displays as:
> 
> Issued to: Certificate Authority
> Issued by: Certificate Authority
> Friendly Name: 
> 
> This will unfortunately cause confusion among certain end users, so I was
> wondering if there's a way to change those attributes?
> 
> Ideally without reinstalling everything, but thankfully we're still early
> in the process so it's OK if we do blow everything away.
> 
> Do I need to generate a new CA outside of FreeIPA and then use
> ipa-cacert-manage to "renew" the base CA?
> 
> Thanks,
> 
> Anthony Clark

Hi Anthony,

After a brief investigation it appears that ``Friendly Name'' is a
property that can be set in a Windows certificate store, and is not
part of, or derived from, the certificate itself.

Here are a couple of TechNet articles that might help:

- https://technet.microsoft.com/en-us/library/cc740218%28v=ws.10%29.aspx
- https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
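As an added example (not part of Fraser's reply or of the FreeIPA project), the PowerShell below sets that Windows store property on an imported FreeIPA CA certificate. It assumes the ca.pem was imported into the current user's Trusted Root store and that its subject CN is "Certificate Authority" as shown in Anthony's mail; the friendly-name value is a placeholder.

```powershell
# Added example, not from the original thread or the FreeIPA project.
# Assumptions: ca.pem was imported into the current user's Trusted Root store
# (Cert:\CurrentUser\Root) and its subject CN is "Certificate Authority", as
# displayed in the original question. Run it as the user that imported it.
$SubjectCn    = 'Certificate Authority'
$FriendlyName = 'FreeIPA Development CA'   # placeholder label, pick your own

# Match on the CN only; FreeIPA CA subjects normally carry an O= component too.
$certs = @(Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "CN=$SubjectCn*" })

if ($certs.Count -eq 0) {
    throw "No certificate with subject CN '$SubjectCn' found in Cert:\CurrentUser\Root"
}

foreach ($cert in $certs) {
    # Subject and Issuer are fields of the certificate itself and are what
    # Windows shows as "Issued to" / "Issued by"; they cannot be edited here.
    # FriendlyName is a property of the store entry: assigning it on a
    # certificate object obtained from the Cert: drive writes it back to the store.
    $cert.FriendlyName = $FriendlyName

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        IssuedTo     = $cert.GetNameInfo('SimpleName', $false)   # "Issued to"
        IssuedBy     = $cert.GetNameInfo('SimpleName', $true)    # "Issued by"
        FriendlyName = $cert.FriendlyName
    }
}
```

If the certificate was imported for the whole machine rather than the user, point the script at Cert:\LocalMachine\Root from an elevated session instead.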


Re: [Freeipa-users] Migration from 3.0 to 4.3.1 questions

2016-04-11 Thread Rob Crittenden

Zak Wolfinger wrote:

> On Apr 11, 2016, at 12:09 PM, Martin Basti wrote:
>
>> On 11.04.2016 19:01, Zak Wolfinger wrote:
>>> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate
>>> to the latest version.
>>>
>>> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no
>>> “upgrade” but it can be accomplished as a “migration”.
>>>
>>> However we are not currently using CA so that may simplify things.
>>>
>>> Can I just do this?
>>> 1. Create a new replica VM running 4.3.1
>>> 2. Make sure it syncs up with the 3.0 primary and test
>>> 3. Promote the new replica to primary
>>> 4. Remove all the old 3.0 replicas
>>> 5. Build new 4.3.1 replicas
>>> 6. ??
>>> 7. Profit
>>>
>>> What do you experienced people think?  What am I missing?
>>
>> This may help
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading
>>
>> Migration from RHEL 6 to RHEL 7 is covered there; it should work.
>> Martin
>
> Since we are running FreeIPA on CentOS instead of IDM on RHEL, I’m not
> sure how this warning applies to our configuration:
>
> WARNING
> If any of the instances in your IdM deployment are using Red Hat
> Enterprise Linux 6.5 or earlier, upgrade them to Red Hat
> Enterprise Linux 6.6 before upgrading a Red Hat Enterprise Linux 7.0 IdM
> server to the 7.1 version or before connecting a Red Hat
> Enterprise Linux 7.1 IdM replica.
>
> Anything to be concerned about here?


One reason is https://bugzilla.redhat.com/show_bug.cgi?id=1083878

You need 3.0.0-38 or higher.

rob



Re: [Freeipa-users] Migration from 3.0 to 4.3.1 questions

2016-04-11 Thread Zak Wolfinger



> On Apr 11, 2016, at 12:09 PM, Martin Basti wrote:
> 
> 
> 
> On 11.04.2016 19:01, Zak Wolfinger wrote:
>> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the 
>> latest version.
>> 
>> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no “upgrade” 
>> but it can be accomplished as a “migration”.
>> 
>> However we are not currently using CA so that may simplify things.
>> 
>> Can I just do this?
>> 1. Create a new replica VM running 4.3.1
>> 2. Make sure it syncs up with the 3.0 primary and test
>> 3. Promote the new replica to primary
>> 4. Remove all the old 3.0 replicas
>> 5. Build new 4.3.1 replicas
>> 6. ??
>> 7. Profit
>> 
>> What do you experienced people think?  What am I missing?
>> 
> This may help
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading
> 
> Migration from RHEL 6 to RHEL 7 is covered there; it should work.
> Martin

Since we are running FreeIPA on CentOS instead of IDM on RHEL, I’m not sure how 
this warning applies to our configuration:

WARNING
If any of the instances in your IdM deployment are using Red Hat Enterprise 
Linux 6.5 or earlier, upgrade them to Red Hat Enterprise Linux 6.6 before 
upgrading a Red Hat Enterprise Linux 7.0 IdM server to the 7.1 version or 
before connecting a Red Hat Enterprise Linux 7.1 IdM replica.

Anything to be concerned about here?

Thanks!


Re: [Freeipa-users] Migration from 3.0 to 4.3.1 questions

2016-04-11 Thread Martin Basti



On 11.04.2016 19:01, Zak Wolfinger wrote:
> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to
> the latest version.
>
> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no
> “upgrade” but it can be accomplished as a “migration”.
>
> However we are not currently using CA so that may simplify things.
>
> Can I just do this?
> 1. Create a new replica VM running 4.3.1
> 2. Make sure it syncs up with the 3.0 primary and test
> 3. Promote the new replica to primary
> 4. Remove all the old 3.0 replicas
> 5. Build new 4.3.1 replicas
> 6. ??
> 7. Profit
>
> What do you experienced people think?  What am I missing?

This may help
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading

Migration from RHEL 6 to RHEL 7 is covered there; it should work.
Martin




[Freeipa-users] Migration from 3.0 to 4.3.1 questions

2016-04-11 Thread Zak Wolfinger
We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the 
latest version.

I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no “upgrade” 
but it can be accomplished as a “migration”.

However we are not currently using CA so that may simplify things.

Can I just do this?
1. Create a new replica VM running 4.3.1
2. Make sure it syncs up with the 3.0 primary and test
3. Promote the new replica to primary
4. Remove all the old 3.0 replicas
5. Build new 4.3.1 replicas
6. ??
7. Profit

What do you experienced people think?  What am I missing?



Cheers,
Zak Wolfinger

Infrastructure Engineer  |  Emma®
zak.wolfin...@myemma.com 
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)

Emma helps organizations everywhere communicate & market in style.
Visit us online at www.myemma.com 



[Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-11 Thread Remco Kranenburg

Hi all,

At our company, we manage several Ubuntu web servers with SSH, and we 
use ansible scripts to automate some tasks. The web servers are hosted 
by a VPS hosting provider. Until now, we have always managed the user 
accounts manually for each server, but this is becoming increasingly 
cumbersome as we grow. To centralize our identity management, I've been 
looking into FreeIPA, but having no prior experience with this, I am 
overwhelmed by complexity.


So the first question: is FreeIPA too complex for what we are trying to 
accomplish? Should we be looking at a different solution? I do like 
some of the advanced things we can supposedly do with FreeIPA: single 
identity for everything (SSH on our servers, our Bitbucket accounts, 
our Jenkins CI server), but those are currently not hard requirements.


Some technical questions:

We currently manage our TLS certificate manually with a wildcard that 
we install on each server every year, but we will soon be moving to the 
automated system provided by Letsencrypt. Does this mean we can disable 
the Certificate Authority system provided by FreeIPA, or is the CA also 
required for other things?


We currently manage our DNS entries through the web interface of our 
hosting provider. When we introduce a new server, we simply clone a 
special clean 'image' server, change the hostname and add an A and  
record to our ISP's DNS settings. How does this interact with the 
FreeIPA DNS system? Should we disable it, or does it provide advantages?


--
Remco
