Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-11 Thread Craig White
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Friday, September 11, 2015 8:46 AM
To: Rob Crittenden; Craig White; freeipa-users@redhat.com; Jan Cholasta; Jan Cholasta
Subject: Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here...
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> RHEL6 server
>> # rpm -qa ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> RHEL7 server
>> # rpm -q ipa-server
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>> I am down to the part where I am trying to make the new RHEL7 server 
>> the master CA server
>>
>> On the RHEL6 system, I
>> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141022190721':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=STT.LOCAL
>> subject: CN=CA Subsystem,O=STT.LOCAL
>> expires: 2016-10-11 19:06:36 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> and the 'post-save' command is empty, doesn't track the page. Should 
>> I just ignore? I note that the output from this (save for different 
>> file path on RHEL6) indicates that the original RHEL6 is still CA 
>> Master
> 
> There was a bug in certmonger where the pre/post save commands 
> wouldn't display. I believe this was fixed, see if there is an updated 
> package available. Otherwise you'd have to poke around in the tracking 
> files in /var/lib/certmonger.

I think Rob meant this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181022

It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows 
about other similar fixes.

> 
>> The CRL generation master can be determined by looking at CS.cfg on each CA:
>> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
>> ca.crl.MasterCRL.enableCRLUpdates=true
>>
>> Also, when I set up the second new IPA master, do I also make it a CA?
> 
> I'd say yes. You always want at least 2 masters with a CA.
> 
> rob
> 

Indeed - updating the RHEL6 system to current (certmonger) remedied the issue 
and I was able to proceed.

Seems I am complete - at least to the point of shutting down the old IPA 
servers.

Thanks for the great support Rob/Martin and of course everyone in the FreeIPA 
group - you guys are awesome!

Craig

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-11 Thread Martin Kosek
On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here…
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> RHEL6 server
>> # rpm -qa ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> RHEL7 server
>> # rpm -q ipa-server
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>> I am down to the part where I am trying to make the new RHEL7 server the
>> master CA server
>>
>> On the RHEL6 system, I
>> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141022190721':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=STT.LOCAL
>> subject: CN=CA Subsystem,O=STT.LOCAL
>> expires: 2016-10-11 19:06:36 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> and the ‘post-save’ command is empty, doesn’t track the page. Should I
>> just ignore? I note that the output from this (save for different file
>> path on RHEL6) indicates that the original RHEL6 is still CA Master
> 
> There was a bug in certmonger where the pre/post save commands wouldn't
> display. I believe this was fixed, see if there is an updated package
> available. Otherwise you'd have to poke around in the tracking files in
> /var/lib/certmonger.

I think Rob meant this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181022

It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows
about other similar fixes.

> 
>> The CRL generation master can be determined by looking at CS.cfg on each CA:
>> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
>> ca.crl.MasterCRL.enableCRLUpdates=true
>>
>> Also, when I set up the second new IPA master, do I also make it a CA?
> 
> I'd say yes. You always want at least 2 masters with a CA.
> 
> rob
> 



[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-10 Thread Craig White
Following instructions from here...
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

RHEL6 server
# rpm -qa ipa-server
ipa-server-3.0.0-42.el6.x86_64

RHEL7 server
# rpm -q ipa-server
ipa-server-4.1.0-18.el7_1.4.x86_64

I am down to the part where I am trying to make the new RHEL7 server the master 
CA server

On the RHEL6 system, I
# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=STT.LOCAL
subject: CN=CA Subsystem,O=STT.LOCAL
expires: 2016-10-11 19:06:36 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

and the 'post-save' command is empty, doesn't track the page. Should I just 
ignore? I note that the output from this (save for different file path on 
RHEL6) indicates that the original RHEL6 is still CA Master
The CRL generation master can be determined by looking at CS.cfg on each CA:
# grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLUpdates=true


Also, when I set up the second new IPA master, do I also make it a CA?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752

SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032

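The two checks the thread turns on, as one added example that is not code from the thread, from Red Hat or from the FreeIPA project: a POSIX shell script that reads the certmonger tracking file for the subsystemCert request directly, which is what Rob suggests when getcert hides the pre/post-save commands, and reads CS.cfg for the CRL master flag Craig greps for. It assumes the tracking files under /var/lib/certmonger/requests are key=value text carrying the keys cert_nickname, ca_name and post_certsave_command, and that the renewal master's subsystemCert request is the one whose post-save command names renew_ca_cert. The two hosts' files are constructed in a temporary directory in place of the real /var/lib/certmonger/requests and /etc/pki/pki-tomcat/ca/CS.cfg paths so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): decide from on-disk state whether an
# IPA CA host is the certificate renewal master (certmonger tracking file)
# and/or the CRL generation master (Dogtag CS.cfg).
# Assumptions: tracking files are key=value text with the keys cert_nickname,
# ca_name and post_certsave_command; the renewal master's subsystemCert
# request has a post-save command that names renew_ca_cert.

# Print the path of the tracking file in dir $1 whose cert_nickname is $2.
find_request_file() {
    grep -l -F "cert_nickname=$2" "$1"/* 2>/dev/null | head -n 1
}

# Print the value of key $2 from tracking file $1 (empty if absent).
tracking_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Exit 0 if the subsystemCert request in dir $1 carries a renew_ca_cert
# post-save command, i.e. this host renews the shared CA certificates.
is_renewal_master() {
    f=$(find_request_file "$1" 'subsystemCert cert-pki-ca') || return 1
    [ -n "$f" ] || return 1
    case "$(tracking_value "$f" post_certsave_command)" in
        *renew_ca_cert*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if CS.cfg $1 says this CA generates the master CRL.
is_crl_master() {
    grep -q '^ca.crl.MasterCRL.enableCRLUpdates=true$' "$1"
}

# One-line role summary for a host: $1 = requests dir, $2 = CS.cfg path.
report_role() {
    dir=$1; cscfg=$2
    if is_renewal_master "$dir"; then r=yes; else r=no; fi
    if is_crl_master "$cscfg"; then c=yes; else c=no; fi
    printf 'renewal-master=%s crl-master=%s\n' "$r" "$c"
}

# --- constructed sample data standing in for two hosts -------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/old/requests" "$SAMPLE/new/requests"
# Old CA: post-save runs renew_ca_cert, CRL updates enabled.
cat > "$SAMPLE/old/requests/20141022190721" <<'EOF'
id=20141022190721
cert_nickname=subsystemCert cert-pki-ca
ca_name=dogtag-ipa-renew-agent
post_certsave_command=/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
EOF
printf 'ca.crl.MasterCRL.enableCRLUpdates=true\n' > "$SAMPLE/old/CS.cfg"
# New CA clone: empty post-save command, CRL updates disabled.
cat > "$SAMPLE/new/requests/20150910120000" <<'EOF'
id=20150910120000
cert_nickname=subsystemCert cert-pki-ca
ca_name=dogtag-ipa-ca-renew-agent
post_certsave_command=
EOF
printf 'ca.crl.MasterCRL.enableCRLUpdates=false\n' > "$SAMPLE/new/CS.cfg"

report_role "$SAMPLE/old/requests" "$SAMPLE/old/CS.cfg"   # renewal-master=yes crl-master=yes
report_role "$SAMPLE/new/requests" "$SAMPLE/new/CS.cfg"   # renewal-master=no crl-master=no
```

On a real host, run it as root with /var/lib/certmonger/requests and the CS.cfg path from the thread in place of the sample directory. Exactly one CA in the deployment should answer renewal-master=yes; if none does, nothing renews the shared CA certificates and they will eventually expire, so confirm the role moved to the new server before the old ones are shut down.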