Re: [Freeipa-users] How to rebuild IPA master?
On 05/10/2012 02:24 AM, Steven Jones wrote:
> Hi,
>
> In case everyone else is asleep now..
>
> Do you have access to RH documentation? The 6.3beta admin guide section 18.8 talks about why and how to make a replica a master.

Just for completeness: Documentation is publicly available:
http://docs.redhat.com/

Documentation for IPA beta:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html

Documentation for latest stable IPA:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

> e.g.,
>
> "NOTE
> All servers and replicas which host a CA are peers in the topology. They can all issue certificates and keys to IPA clients, and they all replicate information amongst themselves.
> The only reason to promote a replica or server to be a master server is if the master server is being taken offline. There has to be a root CA which can issue CRLs and ultimately validate certificate checks. Aside from that, replicas, servers, and the master server are all equal peers."
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> --
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of David Copperfield [cao2...@yahoo.com]
> *Sent:* Thursday, 10 May 2012 11:04 a.m.
> *To:* Rob Crittenden; Freeipa-users@redhat.com
> *Subject:* [Freeipa-users] How to rebuild IPA master?
>
> Hi all,
>
> I've an IPA master/replica setup in our development environment. Unfortunately our IPA master crashed, the replica is working fine. Now I have the IPA master re-imaged.
>
> What are the steps I have to follow to re-create the IPA master from the running IPA replica? Before the crash the IPA master ran dogtag certificate system, while the IPA replica didn't -- created normally without the --setup-ca option.
>
> Thanks.
>
> --David

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How to rebuild IPA master?
On Thu, 2012-05-10 at 00:24 +, Steven Jones wrote:
> Hi,
>
> In case everyone else is asleep now..
>
> Do you have access to RH documentation? The 6.3beta admin guide
> section 18.8 talks about why and how to make a replica a master.

The problem seems to be that David had only a single server providing the dogtag CA, and that was the machine that died.

>
> I've an IPA master/replica setup in our development environment.
> Unfortunately our IPA master crashed, the replica is working fine. Now
> I have the IPA master re-imaged.
>
>
> What are the steps I have to follow to re-create the IPA master from
> the running IPA replica? Before the crash the IPA master ran dogtag
> certificate system, while the IPA replica didn't -- created normally
> without the --setup-ca option.

You'll have to check with the FreeIPA/Dogtag dev team (I'm a client-side guy, so I don't have all the data here), but you're probably not going to be in good shape. If you kept a separate backup of the private root certificate for the CA, you may be able to stand up a new CA instance and then issue new signed certs from the restored private root cert.

Otherwise, you're probably in trouble.
Re: [Freeipa-users] How to rebuild IPA master?
Hi,

In case everyone else is asleep now..

Do you have access to RH documentation? The 6.3beta admin guide section 18.8 talks about why and how to make a replica a master.

e.g.,

"NOTE
All servers and replicas which host a CA are peers in the topology. They can all issue certificates and keys to IPA clients, and they all replicate information amongst themselves.
The only reason to promote a replica or server to be a master server is if the master server is being taken offline. There has to be a root CA which can issue CRLs and ultimately validate certificate checks. Aside from that, replicas, servers, and the master server are all equal peers."

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of David Copperfield [cao2...@yahoo.com]
Sent: Thursday, 10 May 2012 11:04 a.m.
To: Rob Crittenden; Freeipa-users@redhat.com
Subject: [Freeipa-users] How to rebuild IPA master?

> Hi all,
>
> I've an IPA master/replica setup in our development environment. Unfortunately our IPA master crashed, the replica is working fine. Now I have the IPA master re-imaged.
>
> What are the steps I have to follow to re-create the IPA master from the running IPA replica? Before the crash the IPA master ran dogtag certificate system, while the IPA replica didn't -- created normally without the --setup-ca option.
>
> Thanks.
>
> --David
[Freeipa-users] How to rebuild IPA master?
Hi all,

I've an IPA master/replica setup in our development environment. Unfortunately our IPA master crashed, the replica is working fine. Now I have the IPA master re-imaged.

What are the steps I have to follow to re-create the IPA master from the running IPA replica? Before the crash the IPA master ran dogtag certificate system, while the IPA replica didn't -- created normally without the --setup-ca option.

Thanks.

--David