Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-27 Thread Matt .
Hi,

Not yet, I'm busy with it right now.

I created a bug report where I'm checking the referenced bugs now, but I
didn't see a solution that fast.

https://bugzilla.redhat.com/show_bug.cgi?id=1235766

I did do points 3 & 4.

Matt

2015-06-27 15:27 GMT+02:00 Dmitri Pal :
> On 06/23/2015 06:15 PM, Matt . wrote:
>>
>> Does anyone have some suggestions about this?
>>
>> I'm thinking about adding from my second 3.x master where I first need
>> to split that cluster to make that happen.
>
>
>
> Was that resolved?
>
>
>
>>
>>
>>
>> 2015-06-22 22:57 GMT+02:00 Matt . :
>>>
>>> OK,
>>>
>>> I'm on the go here but I have some issues.
>>>
>>> When I install the replica server I get this error on the new replica:
>>>
>>> ipa : CRITICAL CA DS schema check failed. Make sure the PKI
>>> service on the remote master is operational.
>>>
>>>
>>> When I restart IPA on the old master I get this:
>>>
>>>  PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
>>> the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
>>> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
>>> matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
>>> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>>> [  OK  ]
>>>
>>> So the error on the replica is not that strange, but how do I fix this
>>> on the master?
>>>
>>> Matt
>>>
>>> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :

 On 22.06.2015 12:10, Matt . wrote:
>
> Hi Guys,


 Hi Matt,

> I found some good information about migrating from 3.3 to 4.x using
> replicas.
>
> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
> CentOS doesn't provide 3.3.


 Could you please share a URL or something?

 Currently I'm here:

   * ipa-6 - CentOS 6.6:
 ipa-admintools-3.0.0-42.el6.centos.x86_64
 ipa-client-3.0.0-42.el6.centos.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-python-3.0.0-42.el6.centos.x86_64
 ipa-server-3.0.0-42.el6.centos.x86_64
 ipa-server-selinux-3.0.0-42.el6.centos.x86_64
 sssd-ipa-1.11.6-30.el6_6.4.x86_64
 pki-ca-9.0.3-38.el6_6.noarch

   * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server,
 bind,
 bind-dyndb-ldap):
 ipa-admintools-4.1.0-18.el7.centos.3.x86_64
 ipa-client-4.1.0-18.el7.centos.3.x86_64
 ipa-python-4.1.0-18.el7.centos.3.x86_64
 ipa-server-4.1.0-18.el7.centos.3.x86_64
 sssd-ipa-1.12.2-58.el7_1.6.x86_64
 pki-ca-10.1.2-7.el7.noarch

-1. Update schema
ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
ipa-6# python copy-schema-to-ca.py

 0. clean up old/stale replication agreements
ipa-replica-manage del --force ipa-6.example.com
ipa-csreplica-manage del --force ipa-6.example.com

 1. prepare replication on ipa-6 for ipa-7
ipa-replica-prepare ipa-7.example.com

 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
 /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
 https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
 - "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
 + "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

 3. slow down the network a bit
 (don't know how effective it is, as we already have 1GBit, but without
 it, a timing bug in 389-ds-base is triggered; see
 https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
 tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540

 4. install replication (without CA for the moment)
 ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders

 Up to now, everything works, but we need the CA too:

 5. install ca
ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

 But this won't work and I don't have a clue how to fix/proceed from
 here.

# ipa-7: /var/log/ipareplica-ca-install.log
ipa : DEBUG    stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updat

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-27 Thread Dmitri Pal

On 06/23/2015 06:15 PM, Matt . wrote:

Does anyone have some suggestions about this?

I'm thinking about adding from my second 3.x master where I first need
to split that cluster to make that happen.



Was that resolved?






2015-06-22 22:57 GMT+02:00 Matt . :

OK,

I'm on the go here but I have some issues.

When I install the replica server I get this error on the new replica:

ipa : CRITICAL CA DS schema check failed. Make sure the PKI
service on the remote master is operational.


When I restart IPA on the old master I get this:

 PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[  OK  ]

So the error on the replica is not that strange, but how do I fix this
on the master?

Matt

2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :

On 22.06.2015 12:10, Matt . wrote:

Hi Guys,


Hi Matt,


I found some good information about migrating from 3.3 to 4.x using
replicas.

It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.


Could you please share a URL or something?

Currently I'm here:

  * ipa-6 - CentOS 6.6:
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
sssd-ipa-1.11.6-30.el6_6.4.x86_64
pki-ca-9.0.3-38.el6_6.noarch

  * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
bind-dyndb-ldap):
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
pki-ca-10.1.2-7.el7.noarch

   -1. Update schema
   ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
   ipa-6# python copy-schema-to-ca.py

0. clean up old/stale replication agreements
   ipa-replica-manage del --force ipa-6.example.com
   ipa-csreplica-manage del --force ipa-6.example.com

1. prepare replication on ipa-6 for ipa-7
   ipa-replica-prepare ipa-7.example.com

2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
/etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
   - 
   + 

3. slow down the network a bit
   (don't know how effective it is, as we already have 1GBit, but without
it, a timing bug in 389-ds-base is triggered; see
https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
   tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540

4. install replication (without CA for the moment)
   ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders

Up to now, everything works, but we need the CA too:

5. install ca
   ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

But this won't work and I don't have a clue how to fix/proceed from here.

   # ipa-7: /var/log/ipareplica-ca-install.log
   ipa : DEBUG    stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
   pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2

   ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
   ipa : DEBUG    Traceback (most recent call last):
     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
       run_step(full_msg, method)
     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
       method()
     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
       raise RuntimeError('Configuration of CA failed')
   RuntimeError: Configuration of CA failed

   # ipa-7: /var/log/pki/pki-tomcat/ca/system
   0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
   0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

   # ipa-7: /var/log/pki/pki-tomcat/ca/debug
   [22/Jun/2015:15

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-23 Thread Matt .
Does anyone have some suggestions about this?

I'm thinking about adding from my second 3.x master where I first need
to split that cluster to make that happen.



2015-06-22 22:57 GMT+02:00 Matt . :
> OK,
>
> I'm on the go here but I have some issues.
>
> When I install the replica server I get this error on the new replica:
>
> ipa : CRITICAL CA DS schema check failed. Make sure the PKI
> service on the remote master is operational.
>
>
> When I restart IPA on the old master I get this:
>
> PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
> the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
> [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
> matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
> the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>[  OK  ]
>
> So the error on the replica is not that strange, but how do I fix this
> on the master?
>
> Matt
>
> 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :
>> On 22.06.2015 12:10, Matt . wrote:
>>>
>>> Hi Guys,
>>
>>
>> Hi Matt,
>>
>>> I found some good information about migrating from 3.3 to 4.x using
>>> replicas.
>>>
>>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
>>> CentOS doesn't provide 3.3.
>>
>>
>> Could you please share a URL or something?
>>
>> Currently I'm here:
>>
>>  * ipa-6 - CentOS 6.6:
>>ipa-admintools-3.0.0-42.el6.centos.x86_64
>>ipa-client-3.0.0-42.el6.centos.x86_64
>>ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>ipa-pki-common-theme-9.0.3-7.el6.noarch
>>ipa-python-3.0.0-42.el6.centos.x86_64
>>ipa-server-3.0.0-42.el6.centos.x86_64
>>ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>>sssd-ipa-1.11.6-30.el6_6.4.x86_64
>>pki-ca-9.0.3-38.el6_6.noarch
>>
>>  * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
>> bind-dyndb-ldap):
>>ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>>ipa-client-4.1.0-18.el7.centos.3.x86_64
>>ipa-python-4.1.0-18.el7.centos.3.x86_64
>>ipa-server-4.1.0-18.el7.centos.3.x86_64
>>sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>pki-ca-10.1.2-7.el7.noarch
>>
>>   -1. Update schema
>>   ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
>>   ipa-6# python copy-schema-to-ca.py
>>
>>0. clean up old/stale replication agreements
>>   ipa-replica-manage del --force ipa-6.example.com
>>   ipa-csreplica-manage del --force ipa-6.example.com
>>
>>1. prepare replication on ipa-6 for ipa-7
>>   ipa-replica-prepare ipa-7.example.com
>>
>>2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
>> /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>   - "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>>   + "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>>
>>3. slow down the network a bit
>>   (don't know how effective it is, as we already have 1GBit, but without
>> it, a timing bug in 389-ds-base is triggered; see
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>>   tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>>
>>4. install replication (without CA for the moment)
>>   ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>>
>> Up to now, everything works, but we need the CA too:
>>
>>5. install ca
>>   ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>>
>> But this won't work and I don't have a clue how to fix/proceed from here.
>>
>>   # ipa-7: /var/log/ipareplica-ca-install.log
>>   ipa : DEBUG    stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
>>   pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>>
>>   ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
>>   ipa : DEBUG    Traceback (most recent call last):
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>       run_step(full_msg, method)
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>       method()
>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>>       raise RuntimeError('Co

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Matt .
OK,

I'm on the go here but I have some issues.

When I install the replica server I get this error on the new replica:

ipa : CRITICAL CA DS schema check failed. Make sure the PKI
service on the remote master is operational.


When I restart IPA on the old master I get this:

PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
   [  OK  ]

So the error on the replica is not that strange, but how do I fix this
on the master?

Matt

2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :
> On 22.06.2015 12:10, Matt . wrote:
>>
>> Hi Guys,
>
>
> Hi Matt,
>
>> I found some good information about migrating from 3.3 to 4.x using
>> replicas.
>>
>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
>> CentOS doesn't provide 3.3.
>
>
> Could you please share a URL or something?
>
> Currently I'm here:
>
>  * ipa-6 - CentOS 6.6:
>ipa-admintools-3.0.0-42.el6.centos.x86_64
>ipa-client-3.0.0-42.el6.centos.x86_64
>ipa-pki-ca-theme-9.0.3-7.el6.noarch
>ipa-pki-common-theme-9.0.3-7.el6.noarch
>ipa-python-3.0.0-42.el6.centos.x86_64
>ipa-server-3.0.0-42.el6.centos.x86_64
>ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>sssd-ipa-1.11.6-30.el6_6.4.x86_64
>pki-ca-9.0.3-38.el6_6.noarch
>
>  * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
> bind-dyndb-ldap):
>ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>ipa-client-4.1.0-18.el7.centos.3.x86_64
>ipa-python-4.1.0-18.el7.centos.3.x86_64
>ipa-server-4.1.0-18.el7.centos.3.x86_64
>sssd-ipa-1.12.2-58.el7_1.6.x86_64
>pki-ca-10.1.2-7.el7.noarch
>
>   -1. Update schema
>   ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
>   ipa-6# python copy-schema-to-ca.py
>
>0. clean up old/stale replication agreements
>   ipa-replica-manage del --force ipa-6.example.com
>   ipa-csreplica-manage del --force ipa-6.example.com
>
>1. prepare replication on ipa-6 for ipa-7
>   ipa-replica-prepare ipa-7.example.com
>
>2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
> /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>   - "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>   + "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
>3. slow down the network a bit
>   (don't know how effective it is, as we already have 1GBit, but without
> it, a timing bug in 389-ds-base is triggered; see
> https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>   tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>
>4. install replication (without CA for the moment)
>   ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>
> Up to now, everything works, but we need the CA too:
>
>5. install ca
>   ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>
> But this won't work and I don't have a clue how to fix/proceed from here.
>
>   # ipa-7: /var/log/ipareplica-ca-install.log
>   ipa : DEBUG    stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
>   pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>
>   ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
>   ipa : DEBUG    Traceback (most recent call last):
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>       run_step(full_msg, method)
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>       method()
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>       raise RuntimeError('Configuration of CA failed')
>   RuntimeError: Configuration of CA failed
>
>   # ipa-7: /var/log/pki/pki-tomcat/ca/system
>   0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>   0.localhost-startStop-
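An added helper, not from any message in this thread and not FreeIPA code, that scans a 389-ds errors log for the attr_syntax_create errors Matt quotes from the old master and explains each one by naming the syntax the attribute is declared with and the syntax the matching rule expects (OIDs and rule/syntax pairs as assigned in RFC 4517). The sample log is constructed from the lines quoted above; the function names are my own.

```python
"""Explain 389-ds 'attr_syntax_create' schema errors from an errors log.

Added example; not part of FreeIPA or of this thread. The log sample is
constructed from the lines Matt quoted from the old master.
"""
import re

# LDAP syntax OIDs (RFC 4517, section 3.3) that appear in these errors.
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
}

# Matching rules and the syntax their assertion values use (RFC 4517, section 4.2).
RULE_SYNTAX = {
    "caseIgnoreIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",
    "caseIgnoreIA5SubstringsMatch": "1.3.6.1.4.1.1466.115.121.1.26",
    "caseExactIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",
    "caseIgnoreMatch": "1.3.6.1.4.1.1466.115.121.1.15",
    "caseIgnoreSubstringsMatch": "1.3.6.1.4.1.1466.115.121.1.15",
}

# The error text as quoted in the thread; search() is used so a leading
# "PKI-IPA..." from the init script does not hide the first line.
ERR_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] attr_syntax_create - Error: the "
    r"(?P<kind>EQUALITY|ORDERING|SUBSTR) matching rule \[(?P<rule>[^\]]+)\] "
    r"is not compatible with the syntax \[(?P<syntax>[\d.]+)\] "
    r"for the attribute \[(?P<attr>[^\]]+)\]"
)

# Constructed sample: the two errors from the thread (unwrapped) plus an
# unrelated startup line that must not be reported.
SAMPLE_LOG = """\
PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:37 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
"""


def find_schema_conflicts(log_text):
    """Return one dict per attr_syntax_create error, with the syntax names
    resolved so the mismatch is readable (unknown OIDs/rules map to None)."""
    found = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        rule_syntax = RULE_SYNTAX.get(m.group("rule"))
        found.append({
            "timestamp": m.group("ts"),
            "attr": m.group("attr"),
            "kind": m.group("kind"),
            "rule": m.group("rule"),
            "syntax": m.group("syntax"),
            "syntax_name": SYNTAX_NAMES.get(m.group("syntax")),
            "rule_syntax_name": SYNTAX_NAMES.get(rule_syntax),
        })
    return found


def conflicting_attributes(log_text):
    """Sorted, de-duplicated attribute names whose definition was rejected."""
    return sorted({c["attr"] for c in find_schema_conflicts(log_text)})


def describe(conflict):
    """One-line explanation, usable in a ticket or a pre-upgrade checklist."""
    return ("attribute %(attr)s: %(kind)s rule %(rule)s expects %(rule_syntax_name)s "
            "but the attribute is declared with %(syntax_name)s (%(syntax)s)" % conflict)


if __name__ == "__main__":
    for c in find_schema_conflicts(SAMPLE_LOG):
        print(describe(c))
```

Run against the real file, the output tells you which attribute definitions the directory rejected at startup, which is the list to compare against the schema copied by copy-schema-to-ca.py.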

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Hendrik Frenzel

On 22.06.2015 12:10, Matt . wrote:

Hi Guys,


Hi Matt,


I found some good information about migrating from 3.3 to 4.x using
replicas.

It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.


Could you please share a URL or something?

Currently I'm here:

 * ipa-6 - CentOS 6.6:
   ipa-admintools-3.0.0-42.el6.centos.x86_64
   ipa-client-3.0.0-42.el6.centos.x86_64
   ipa-pki-ca-theme-9.0.3-7.el6.noarch
   ipa-pki-common-theme-9.0.3-7.el6.noarch
   ipa-python-3.0.0-42.el6.centos.x86_64
   ipa-server-3.0.0-42.el6.centos.x86_64
   ipa-server-selinux-3.0.0-42.el6.centos.x86_64
   sssd-ipa-1.11.6-30.el6_6.4.x86_64
   pki-ca-9.0.3-38.el6_6.noarch

 * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind, bind-dyndb-ldap):
   ipa-admintools-4.1.0-18.el7.centos.3.x86_64
   ipa-client-4.1.0-18.el7.centos.3.x86_64
   ipa-python-4.1.0-18.el7.centos.3.x86_64
   ipa-server-4.1.0-18.el7.centos.3.x86_64
   sssd-ipa-1.12.2-58.el7_1.6.x86_64
   pki-ca-10.1.2-7.el7.noarch

  -1. Update schema
  ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
  ipa-6# python copy-schema-to-ca.py

   0. clean up old/stale replication agreements
  ipa-replica-manage del --force ipa-6.example.com
  ipa-csreplica-manage del --force ipa-6.example.com

   1. prepare replication on ipa-6 for ipa-7
  ipa-replica-prepare ipa-7.example.com

   2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
/etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
  - "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
  + "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">


   3. slow down the network a bit
  (don't know how effective it is, as we already have 1GBit, but
without it, a timing bug in 389-ds-base is triggered; see
https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
  tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540


   4. install replication (without CA for the moment)
  ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders


Up to now, everything works, but we need the CA too:

   5. install ca
  ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

But this won't work and I don't have a clue how to fix/proceed from here.


  # ipa-7: /var/log/ipareplica-ca-install.log
  ipa : DEBUG    stderr=pkispawn: WARNING  ... unable to validate security domain user/password through REST interface. Interface not available
  pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2


  ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1

  ipa : DEBUG    Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
      method()
    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
      raise RuntimeError('Configuration of CA failed')
  RuntimeError: Configuration of CA failed

  # ipa-7: /var/log/pki/pki-tomcat/ca/system
  0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
  0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value


  # ipa-7: /var/log/pki/pki-tomcat/ca/debug
  [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
  [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
  [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
  [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
  [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
  [22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
  [22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1

  # ipa-6: /var/log/httpd/acc
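An added check for step 2 of Hendrik's procedure, not part of his message and not FreeIPA code: it finds the EE <LocationMatch> in ipa-pki-proxy.conf, reports which of the required CA paths (including ^/ca/ee/ca/profileSubmit) are absent, and returns the patched directive so the edit can be reviewed before it is applied. The config excerpt is constructed; only the LocationMatch pattern is taken from the thread, the other directives and the function names are assumptions of mine.

```python
"""Check the EE <LocationMatch> of ipa-pki-proxy.conf for the CA paths the
4.x replica needs (step 2 above).

Added example; not FreeIPA code and not from any message in this thread.
The config excerpt is constructed: only the LocationMatch pattern itself is
taken from the thread, the other directives are assumed.
"""
import re

# The seven alternatives quoted in the thread, plus the one step 2 adds.
REQUIRED_EE_PATHS = (
    "^/ca/ee/ca/checkRequest",
    "^/ca/ee/ca/getCertChain",
    "^/ca/ee/ca/getTokenInfo",
    "^/ca/ee/ca/tokenAuthenticate",
    "^/ca/ocsp",
    "^/ca/ee/ca/updateNumberRange",
    "^/ca/ee/ca/getCRL",
    "^/ca/ee/ca/profileSubmit",
)

# The alternative that identifies the EE block among several LocationMatch
# directives in the file.
EE_MARKER = "^/ca/ee/ca/checkRequest"

LOCATIONMATCH_RE = re.compile(r'<LocationMatch\s+"([^"]*)"\s*>')

# Constructed excerpt in the style of /etc/httpd/conf.d/ipa-pki-proxy.conf;
# the agent block is there only to show that it is left alone.
SAMPLE_CONF = """\
ProxyRequests Off

<LocationMatch "^/ca/agent/ca/.*">
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>

<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:9447
</LocationMatch>
"""


def ee_alternatives(conf_text):
    """Regex alternatives of the EE LocationMatch, or None if there is none."""
    for m in LOCATIONMATCH_RE.finditer(conf_text):
        alts = m.group(1).split("|")
        if EE_MARKER in alts:
            return alts
    return None


def missing_ee_paths(conf_text):
    """Required alternatives absent from the EE block (all of them if no block)."""
    alts = ee_alternatives(conf_text)
    if alts is None:
        return list(REQUIRED_EE_PATHS)
    return [p for p in REQUIRED_EE_PATHS if p not in alts]


def patched_conf(conf_text):
    """Return the config with the missing alternatives appended to the EE
    block; other LocationMatch directives are left untouched."""
    alts = ee_alternatives(conf_text)
    if alts is None:
        raise ValueError("no EE LocationMatch found; refusing to guess where to patch")
    missing = missing_ee_paths(conf_text)
    if not missing:
        return conf_text
    new_directive = '<LocationMatch "%s">' % "|".join(alts + missing)

    def replace_ee(m):
        return new_directive if EE_MARKER in m.group(1).split("|") else m.group(0)

    return LOCATIONMATCH_RE.sub(replace_ee, conf_text)


if __name__ == "__main__":
    print("missing:", missing_ee_paths(SAMPLE_CONF))
    print(patched_conf(SAMPLE_CONF))
```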

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Rob Crittenden

Matt . wrote:

Hi Guys,

I found some good information about migrating from 3.3 to 4.x using replicas.

It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html



Another question is that my hostnames are now like ipa-01 and
ipa-02, where I make one replica ipa-01-1 and finally go from there.

But what is the best way to set my hostnames back to ipa-01 from
ipa-01-1 (and maybe ipa-02-1)?

I hope for some good suggestions.


You can't change a hostname in IPA. You'd need to create ipa-01-1 and 
ipa-02-1, confirm that they are working ok, delete ipa-01 and ipa-02, 
then re-create those as new replicas, connect them, then delete the -1 
versions. It is a lot of trouble to go through to preserve a hostname.


Things to consider:
- maintaining a CA throughout
- consider DNA ranges
- ensure that RUVs are properly cleaned up

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Matt .
Hi Guys,

I found some good information about migrating from 3.3 to 4.x using replicas.

It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
CentOS doesn't provide 3.3.

Another question is that my hostnames are now like ipa-01 and
ipa-02, where I make one replica ipa-01-1 and finally go from there.

But what is the best way to set my hostnames back to ipa-01 from
ipa-01-1 (and maybe ipa-02-1)?

I hope for some good suggestions.

Thanks!

Matt
