Re: [Freeipa-users] Replicating o=ipaca
On 08/13/2014 02:15 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 08/12/2014 11:49 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can clobber each other, other parts, such as the migration guide from RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that is just for a short time.
>>
>>> It isn't a bad idea to stand up clones, you just need to understand that this is one of the rare places where all masters are not equal. One has to be designated as the CRL generator and one as the CA renewal master. These don't have to be the same but it makes sense to keep them together IMHO.
>>
>>> The reason to limit CRL generation to one master is the small chance that you could end up with two CRLs with the same serial number but containing different certificates. Remember that a CRL is just a signed snapshot in time of revoked certificates.
>>
>>> Similarly for renewal it is vastly easier to do it on one host than try to manage the race condition of them trying to renew at the same time.
>>
>>>> What I am wondering, because I get a little nervous when all my data for the CA is on one host (backups aside), is whether there is a value, assuming that having two concurrent dogtag instances is a bad thing, to replicating the ipaca data in ldap. Just the data I mean, would it be possible, having just the LDAP data and whatever certs are in the replica file to basically reconstruct a CA?
>>
>>> Right, you want at least two CAs for redundancy. Some dogtag guru could probably stand up a new CA using just the LDAP data and the certs but I can't imagine it would be easy, even for them.
>>
>>> rob
>>
>>
>> Ok, are there manual steps involved in that or does the --setup-ca on the replica just take care of everything?
>>
>> I certainly hope I am not looking in the wrong place, I just can't seem to find anything definitive in the docs.
>
> --setup-ca does it all for you. Dogtag actually handles the creation of the replication agreement so we don't do a lot other than to tell it the remote server and provide the initial certs/keys.
>
> You can use ipa-csreplica-manage to view/manage CA replication agreements.
>
> rob
>

Also, in case you choose to for example decommission your current CRL generator, you can switch that role to another machine using this HOWTO:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Replicating o=ipaca
Erinn Looney-Triggs wrote:
> On 08/12/2014 11:49 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can clobber each other, other parts, such as the migration guide from RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that is just for a short time.
>
>> It isn't a bad idea to stand up clones, you just need to understand that this is one of the rare places where all masters are not equal. One has to be designated as the CRL generator and one as the CA renewal master. These don't have to be the same but it makes sense to keep them together IMHO.
>
>> The reason to limit CRL generation to one master is the small chance that you could end up with two CRLs with the same serial number but containing different certificates. Remember that a CRL is just a signed snapshot in time of revoked certificates.
>
>> Similarly for renewal it is vastly easier to do it on one host than try to manage the race condition of them trying to renew at the same time.
>
>>> What I am wondering, because I get a little nervous when all my data for the CA is on one host (backups aside), is whether there is a value, assuming that having two concurrent dogtag instances is a bad thing, to replicating the ipaca data in ldap. Just the data I mean, would it be possible, having just the LDAP data and whatever certs are in the replica file to basically reconstruct a CA?
>
>> Right, you want at least two CAs for redundancy. Some dogtag guru could probably stand up a new CA using just the LDAP data and the certs but I can't imagine it would be easy, even for them.
>
>> rob
>
>
> Ok, are there manual steps involved in that or does the --setup-ca on the replica just take care of everything?
>
> I certainly hope I am not looking in the wrong place, I just can't seem to find anything definitive in the docs.

--setup-ca does it all for you. Dogtag actually handles the creation of the replication agreement so we don't do a lot other than to tell it the remote server and provide the initial certs/keys.

You can use ipa-csreplica-manage to view/manage CA replication agreements.

rob
Re: [Freeipa-users] Replicating o=ipaca
On 08/12/2014 11:49 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can clobber each other, other parts, such as the migration guide from RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that is just for a short time.
>
> It isn't a bad idea to stand up clones, you just need to understand that this is one of the rare places where all masters are not equal. One has to be designated as the CRL generator and one as the CA renewal master. These don't have to be the same but it makes sense to keep them together IMHO.
>
> The reason to limit CRL generation to one master is the small chance that you could end up with two CRLs with the same serial number but containing different certificates. Remember that a CRL is just a signed snapshot in time of revoked certificates.
>
> Similarly for renewal it is vastly easier to do it on one host than try to manage the race condition of them trying to renew at the same time.
>
>> What I am wondering, because I get a little nervous when all my data for the CA is on one host (backups aside), is whether there is a value, assuming that having two concurrent dogtag instances is a bad thing, to replicating the ipaca data in ldap. Just the data I mean, would it be possible, having just the LDAP data and whatever certs are in the replica file to basically reconstruct a CA?
>
> Right, you want at least two CAs for redundancy. Some dogtag guru could probably stand up a new CA using just the LDAP data and the certs but I can't imagine it would be easy, even for them.
>
> rob
>

Ok, are there manual steps involved in that or does the --setup-ca on the replica just take care of everything?

I certainly hope I am not looking in the wrong place, I just can't seem to find anything definitive in the docs.

Thanks,
-Erinn
Re: [Freeipa-users] Replicating o=ipaca
Erinn Looney-Triggs wrote:
> The documentation seems to be a little fuzzy on setting up two CAs, some parts indicate this is a bad idea because the CRLs can clobber each other, other parts, such as the migration guide from RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that is just for a short time.

It isn't a bad idea to stand up clones, you just need to understand that this is one of the rare places where all masters are not equal. One has to be designated as the CRL generator and one as the CA renewal master. These don't have to be the same but it makes sense to keep them together IMHO.

The reason to limit CRL generation to one master is the small chance that you could end up with two CRLs with the same serial number but containing different certificates. Remember that a CRL is just a signed snapshot in time of revoked certificates.

Similarly for renewal it is vastly easier to do it on one host than try to manage the race condition of them trying to renew at the same time.

> What I am wondering, because I get a little nervous when all my data for the CA is on one host (backups aside), is whether there is a value, assuming that having two concurrent dogtag instances is a bad thing, to replicating the ipaca data in ldap. Just the data I mean, would it be possible, having just the LDAP data and whatever certs are in the replica file to basically reconstruct a CA?

Right, you want at least two CAs for redundancy. Some dogtag guru could probably stand up a new CA using just the LDAP data and the certs but I can't imagine it would be easy, even for them.

rob
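The failure mode Rob describes above (two CRLs carrying the same number but listing different certificates), as an added illustration that is not code from the thread, FreeIPA or Dogtag: a CRL is modelled as a signed snapshot of revoked serials, the issuer DN is a constructed placeholder, and the relying party applies the RFC 5280 rule that only a higher crlNumber replaces a cached CRL.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CRL:
    """A CRL as the thread describes it: a signed snapshot of revoked serials."""
    issuer: str
    crl_number: int
    revoked: frozenset


class CRLGenerator:
    """One CA clone allowed to sign CRLs. Each instance keeps its own
    crlNumber counter, which is the root of the two-generator problem."""
    def __init__(self, issuer):
        self.issuer, self.crl_number, self.revoked = issuer, 0, set()

    def revoke(self, serial):
        self.revoked.add(serial)

    def publish(self):
        self.crl_number += 1
        return CRL(self.issuer, self.crl_number, frozenset(self.revoked))


class RelyingParty:
    """Keeps the newest CRL per issuer, judged by crlNumber (RFC 5280 5.2.3)."""
    def __init__(self):
        self.cache = {}

    def fetch(self, crl):
        current = self.cache.get(crl.issuer)
        if current is None or crl.crl_number > current.crl_number:
            self.cache[crl.issuer] = crl
        # equal or lower crlNumber: treated as stale and silently dropped

    def is_revoked(self, issuer, serial):
        crl = self.cache.get(issuer)
        return crl is not None and serial in crl.revoked


def scenario(separate_generators):
    """Revoke serial 0x10 on clone A and 0x20 on clone B, then report which
    revocations the relying party can see. Returns a sorted list of serials."""
    issuer = "CN=Certificate Authority,O=EXAMPLE.TEST"  # constructed DN
    gen_a = CRLGenerator(issuer)
    gen_b = CRLGenerator(issuer) if separate_generators else gen_a
    rp = RelyingParty()
    gen_a.revoke(0x10)
    rp.fetch(gen_a.publish())  # crlNumber 1
    gen_b.revoke(0x20)
    rp.fetch(gen_b.publish())  # crlNumber 2 on one clone, a second 1 on two
    return sorted(s for s in (0x10, 0x20) if rp.is_revoked(issuer, s))
```

With a single generator both revocations are visible; with two independent generators the second CRL is discarded as stale and serial 0x20 keeps validating, which is why FreeIPA designates exactly one CRL generator.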