Re: [Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?

2012-05-22 Thread Rob Crittenden

David Copperfield wrote:

Hi all,

Has anyone successfully done an IPA replica promotion when the IPA master (hub)
failed, by following the IPA replica document for 2.1.3 and 2.2.0?

I've tried on my side and see that all the steps involved are very
confusing and may be out of date. My IPA master is installed with
Dogtag, and all replicas are installed with Dogtag too through '--setup-ca'.

In case ipamaster is not reachable, how can I promote ipareplica01?

The master.ca.agent.host/port are not set up on either ipareplica01 or
ipareplica02 to forward to the IPA master at the beginning. Does that mean all
three IPA servers' Dogtag instances run independently?

And what is the value of 'IssuingPointId' in step 3.e and 3.f?

Is it possible for the document
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
or a wiki/email, to give a SOLID use case instead of a depicting statement,
which is ambiguous and not easy to follow?


[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
ssh -x ${i} cat /var/lib/pki-ca/conf/CS.cfg | egrep
'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent';
done
ipamaster
ipareplica01
ipareplica02

[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i};
ssh -x ${i} cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep
enableCRL; done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root@ipamaster ~]#


I'll see if I can get one of the dogtag guys to take a look at this.

In general, this is not really a big problem. All we are doing here is 
deciding which of the CAs will generate the CRL. You want just one 
because other operations are happening at the same time, potentially on 
other CAs, and if they are all generating a CRL at more or less the same 
time then resulting CRLs could be different by a cert or two. For 
consistency's sake it is better to do this on one machine and publish it.


Other than that there is no master promotion required. All of the 
servers, particularly those with a CA installed, are equals.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
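A shell check for the single-CRL-generator rule described above, added here and not part of the thread or of the FreeIPA/Dogtag tooling: it audits local copies of each server's CS.cfg, reports whether exactly one CA has ca.crl.MasterCRL.enableCRLUpdates=true, and rewrites the copies so only the chosen replica keeps CRL cache and updates enabled. The host names, the host=file argument layout and the constructed CS.cfg fragments are assumptions.

```shell
#!/bin/sh
# Audit which Dogtag CA in the topology generates the CRL. Works on local
# copies of each server's CS.cfg (e.g. "ssh -x host cat
# /var/lib/pki-ca/conf/CS.cfg > host.cfg"); the fragments built below are
# constructed samples matching the grep output in the thread.

# Exit 0 if the given CS.cfg enables CRL generation on that CA, 1 otherwise.
crl_enabled() {
    grep -q '^ca\.crl\.MasterCRL\.enableCRLUpdates=true$' "$1"
}

# Print the hosts whose CS.cfg enables CRL generation. Args: host=cfgfile ...
crl_generators() {
    for pair in "$@"; do
        host=${pair%%=*}; cfg=${pair#*=}
        if crl_enabled "$cfg"; then echo "$host"; fi
    done
}

# Print "ok" when exactly one CA generates the CRL, else "none" or "multiple".
crl_status() {
    n=$(crl_generators "$@" | wc -l | tr -d ' ')
    if [ "$n" -eq 1 ]; then echo ok
    elif [ "$n" -eq 0 ]; then echo none
    else echo multiple; fi
}

# Rewrite the CS.cfg copies so only host $1 keeps CRL cache/updates enabled.
# Args: keep_host host=cfgfile ...
set_sole_crl_generator() {
    keep=$1; shift
    for pair in "$@"; do
        host=${pair%%=*}; cfg=${pair#*=}
        if [ "$host" = "$keep" ]; then v=true; else v=false; fi
        sed -e "s/^\(ca\.crl\.MasterCRL\.enableCRLCache\)=.*/\1=$v/" \
            -e "s/^\(ca\.crl\.MasterCRL\.enableCRLUpdates\)=.*/\1=$v/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# Constructed samples: the state in the thread, where every CA generates a CRL.
SAMPLE_DIR=$(mktemp -d)
for h in ipamaster ipareplica01 ipareplica02; do
    printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' \
        > "$SAMPLE_DIR/$h.cfg"
done
SERVERS="ipamaster=$SAMPLE_DIR/ipamaster.cfg ipareplica01=$SAMPLE_DIR/ipareplica01.cfg ipareplica02=$SAMPLE_DIR/ipareplica02.cfg"

echo "before: $(crl_status $SERVERS)"         # multiple
set_sole_crl_generator ipareplica01 $SERVERS   # ipamaster is down: hand CRL duty to ipareplica01
echo "after:  $(crl_status $SERVERS)"          # ok
```

On real servers the rewritten values only take effect after the CA service is restarted.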


[Freeipa-users] 2.1.3 and 2.2.0: how to do IPA replica promotion?

2012-05-21 Thread David Copperfield
Hi all,

Has anyone successfully done an IPA replica promotion when the IPA master (hub)
failed, by following the IPA replica document for 2.1.3 and 2.2.0?

I've tried on my side and see that all the steps involved are very confusing
and may be out of date. My IPA master is installed with Dogtag, and all
replicas are installed with Dogtag too through '--setup-ca'.

In case ipamaster is not reachable, how can I promote ipareplica01?

The master.ca.agent.host/port are not set up on either ipareplica01 or
ipareplica02 to forward to the IPA master at the beginning. Does that mean all three IPA
servers' Dogtag instances run independently?

And what is the value of 'IssuingPointId' in step 3.e and 3.f? 

Is it possible for the document
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
or a wiki/email, to give a SOLID use case instead of a depicting statement, which
is ambiguous and not easy to follow?


[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x 
${i} cat /var/lib/pki-ca/conf/CS.cfg | egrep 
'ca.certStatusUpdateInterval|ca.listenToCloneModifications|master.ca.agent'; 
done
ipamaster
ipareplica01
ipareplica02

[root@ipamaster ~]# for i in ipamaster ipareplica0{1,2}; do echo ${i}; ssh -x
${i} cat /var/lib/pki-ca/conf/CS.cfg | grep ca.crl | grep enableCRL;
done
ipamaster
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica01
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ipareplica02
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
[root@ipamaster ~]# 

Thanks.

--David