Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, September 11, 2015 8:46 AM
To: Rob Crittenden; Craig White; freeipa-users@redhat.com; Jan Cholasta; Jan Cholasta
Subject: Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here...
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> RHEL6 server
>>
>> # rpm -qa ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> RHEL7 server
>>
>> # rpm -q ipa-server
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>> I am down to the part where I am trying to make the new RHEL7 server the master CA server
>>
>> On the RHEL6 system, I
>>
>> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141022190721':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=STT.LOCAL
>>         subject: CN=CA Subsystem,O=STT.LOCAL
>>         expires: 2016-10-11 19:06:36 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> and the 'post-save' command is empty, doesn't track the page. Should I just ignore?
>> I note that the output from this (save for different file path on RHEL6) indicates that the original RHEL6 is still CA Master
>
> There was a bug in certmonger where the pre/post save commands wouldn't display. I believe this was fixed, see if there is an updated package available. Otherwise you'd have to poke around in the tracking files in /var/lib/certmonger.

I think Rob meant this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181022

It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows about other similar fixes.

>> The CRL generation master can be determined by looking at CS.cfg on each CA:
>>
>> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
>> ca.crl.MasterCRL.enableCRLUpdates=true
>>
>> Also, when I set up the second new IPA master, do I also make it a CA?
>
> I'd say yes. You always at at least 2 masters with a CA.
>
> rob

Indeed - updating the RHEL6 system to current (certmonger) remedied the issue and I was able to proceed.

Seems I am complete - at least to the point of shutting down the old IPA servers.

Thanks for the great support Rob/Martin and of course everyone in the FreeIPA group - you guys are awesome!

Craig

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here...
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> RHEL6 server
>>
>> # rpm -qa ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> RHEL7 server
>>
>> # rpm -q ipa-server
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>> I am down to the part where I am trying to make the new RHEL7 server the master CA server
>>
>> On the RHEL6 system, I
>>
>> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141022190721':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=STT.LOCAL
>>         subject: CN=CA Subsystem,O=STT.LOCAL
>>         expires: 2016-10-11 19:06:36 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> and the 'post-save' command is empty, doesn't track the page. Should I just ignore?
>> I note that the output from this (save for different file path on RHEL6) indicates that the original RHEL6 is still CA Master
>
> There was a bug in certmonger where the pre/post save commands wouldn't display. I believe this was fixed, see if there is an updated package available. Otherwise you'd have to poke around in the tracking files in /var/lib/certmonger.

I think Rob meant this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181022

It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows about other similar fixes.

>> The CRL generation master can be determined by looking at CS.cfg on each CA:
>>
>> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
>> ca.crl.MasterCRL.enableCRLUpdates=true
>>
>> Also, when I set up the second new IPA master, do I also make it a CA?
>
> I'd say yes. You always at at least 2 masters with a CA.
>
> rob
Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
Craig White wrote:
> Following instructions from here...
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> RHEL6 server
>
> # rpm -qa ipa-server
> ipa-server-3.0.0-42.el6.x86_64
>
> RHEL7 server
>
> # rpm -q ipa-server
> ipa-server-4.1.0-18.el7_1.4.x86_64
>
> I am down to the part where I am trying to make the new RHEL7 server the master CA server
>
> On the RHEL6 system, I
>
> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
> Number of certificates and requests being tracked: 8.
> Request ID '20141022190721':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=STT.LOCAL
>         subject: CN=CA Subsystem,O=STT.LOCAL
>         expires: 2016-10-11 19:06:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> and the 'post-save' command is empty, doesn't track the page. Should I just ignore?
> I note that the output from this (save for different file path on RHEL6) indicates that the original RHEL6 is still CA Master

There was a bug in certmonger where the pre/post save commands wouldn't display. I believe this was fixed, see if there is an updated package available. Otherwise you'd have to poke around in the tracking files in /var/lib/certmonger.

> The CRL generation master can be determined by looking at CS.cfg on each CA:
>
> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
> ca.crl.MasterCRL.enableCRLUpdates=true
>
> Also, when I set up the second new IPA master, do I also make it a CA?

I'd say yes. You always at at least 2 masters with a CA.

rob
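The two checks discussed in this thread (read ca.crl.MasterCRL.enableCRLUpdates from each CA's CS.cfg to find the CRL master, and read the certmonger tracking file directly when getcert list hides the post-save command) as an added shell example; it is not code from the thread or from the FreeIPA/certmonger projects. It assumes certmonger's tracking files under /var/lib/certmonger/requests use the key cert_postsave_command, runs on constructed sample files, and uses a placeholder for the renewal helper path.

```shell
#!/bin/sh
# Added example: classify an IPA CA as CRL master or clone from CS.cfg, and
# read the post-save command from a certmonger tracking file. Sample files
# below are constructed; real paths are /etc/pki/pki-tomcat/ca/CS.cfg (RHEL7,
# the RHEL6 path differs) and /var/lib/certmonger/requests/<request id>.

# Print "master", "clone" or "unknown" from the enableCRLUpdates key.
# CS.cfg is one key=value per line; the last occurrence wins.
crl_role() {
    val=$(grep -E '^ca\.crl\.MasterCRL\.enableCRLUpdates=' "$1" | tail -n 1 | cut -d= -f2-)
    case "$val" in
        true)  echo master ;;
        false) echo clone ;;
        *)     echo unknown ;;
    esac
}

# Print the recorded post-save command, or "(none)" when the key is absent
# or empty. Key name cert_postsave_command is an assumption (see lead-in).
postsave_command() {
    cmd=$(grep -E '^cert_postsave_command=' "$1" | cut -d= -f2-)
    if [ -z "$cmd" ]; then
        echo "(none)"
    else
        echo "$cmd"
    fi
}

# --- constructed sample inputs so the script runs stand-alone ---
tmp=$(mktemp -d)
printf 'ca.crl.MasterCRL.enableCRLUpdates=true\nca.crl.MasterCRL.enableCRLCache=true\n' > "$tmp/CS.cfg.old"
printf 'ca.crl.MasterCRL.enableCRLUpdates=false\n' > "$tmp/CS.cfg.new"
printf 'id=20141022190721\ncert_nickname=subsystemCert cert-pki-ca\n' > "$tmp/req"
printf 'cert_postsave_command=/path/to/renew-helper-PLACEHOLDER "subsystemCert cert-pki-ca"\n' >> "$tmp/req"
printf 'id=20150101000000\ncert_postsave_command=\n' > "$tmp/req-empty"

echo "old CA: $(crl_role "$tmp/CS.cfg.old")"          # master
echo "new CA: $(crl_role "$tmp/CS.cfg.new")"          # clone
echo "tracked: $(postsave_command "$tmp/req")"        # helper command
echo "tracked: $(postsave_command "$tmp/req-empty")"  # (none)
```

A CA whose tracking file shows an empty post-save command after the certmonger update is the one still worth inspecting; a display bug only hides the value, it does not blank it in the file.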