[Freeipa-users] Confused/lost at promoting a replica into a master

Rob Crittenden rcritten at redhat.com
Mon Apr 30 20:11:03 UTC 2012


David Copperfield wrote:
> Hi Deon and all,
>
>  >> Hi folks,
>  >>
>  >> I'm completely lost at reading the IPA document on how to promote an
> IPA replica into master IPA. When I try to follow the steps listed in
> the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System
> CA' at the link
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> the last steps 'g' said:
>  >>
>  >> g. Disable the redirect settings for CRL generation requests:
>  >> master.ca.agent.host=hostname
>  >> master.ca.agent.port=port number
>  >>
>  >> The above instructions don't give any hints of 'hostname', or 'port
> number'. Users don't have any clues about them: should they be this
> replica's name, or the original master's name? And what is the port
>  >> number? Is it a TCP port, or a UDP port?
>  >
>  >The replica is configured to check for information from the master CA
> -- in this case, asking the master CA to generate a CRL. Those
> parameters tell the replica where to look. Part of promoting the replica
> is telling it *not* to look for a master CA. So, those parameters should
> be blanked or removed.
>  >
>  >I can definitely make that more clear.
>
> Sure, please elaborate -- I'll still only half understand :) This part
> is pretty confusing by itself.
>
> First, when an IPA replica is first installed, the dogtag certificate
> system is not installed at all, so the directory /var/lib/pki-ca/conf
> doesn't exist on the IPA slave at all. The directory shows up only
> after the 'ipa-ca-install' command is run on the replica.
>
> After running the command 'ipa-ca-install', in the configuration file
> '/var/lib/pki-ca/conf/CS.conf', there are no 'ca.crl.*' statements on
> the IPA replica at all; there are no master.ca.agent.{host/port}
> statements either.
>
> What we really need to clarify here, from the users' perspective, is
> elaborated below (may not be complete):
>
> 1, how to promote an IPA replica into an IPA master?

All replicas are equal with the exception that:
   * some may have a CA and others may not
   * some may have a DNS server and others may not

The only distinction that the initial CA installation has is that it is 
the one that generates the CRL.

> 2, What's the effect on other sibling IPA replicas? -- do we need to
> break the original replication agreement with the old IPA master and
> create a new agreement with the new server? If so, how to do it?

No, nothing changes, this is all MMR.

> 3, How to check/verify that new IPA replica is really promoted into new
> IPA master?

You would verify that the CRL is being generated on the master you 
choose (/var/log/pki-ca/debug).

> 4, how to check/verify that the old IPA master has stopped its original
> master function? Disowning the master CA in the PKI hierarchy as claimed?

Verify that it is no longer generating a CRL (/var/log/pki-ca/debug).
>
> 4, what's the operations on the original IPA master?
> 4.1 case #1, what are the 'official' steps to remove/decommission the
> original IPA master? -- what are the steps besides the final
> 'ipa-master-install --uninstall'?

If you are decommissioning an instance then you'll want to break all 
replication agreements it has.

> 4.2 case #2, if the original IPA server is broken completely and all IPA
> replicas could not reach it -- then what are the steps to promote an
> IPA replica? Do we need the original /root/cacert.p12?

No, use the documented steps. The only thing to do is to generate the 
CRL on a different host.

> 4.3 case #2, if the original IPA server is only temporarily unreachable?
> -- then after an IPA replica is promoted into the new IPA master, how to
> demote the original IPA master to a replica after it is up?

You would just reverse the CRL generation. Note that if the server is 
down for longer than the changelog then you'll want to re-initialize both 
the CA and IPA LDAP databases from one of the other masters.

rob
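An added example, not part of this thread or of FreeIPA's own tooling, for the step-g redirect settings and the CRL-role question discussed above: a non-empty master.ca.agent.host in the CA's key=value config means the instance forwards CRL generation to that host, a blank or absent value means it generates the CRL itself. File paths, key values and sample config contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect and clear the CRL redirect settings of a Dogtag CA
# instance in its key=value config file. Sample files are constructed here.

cfg_value() {            # $1=file $2=key -> prints the value (empty if absent)
    sed -n "s/^$2=//p" "$1" | head -n 1
}

crl_role() {             # $1=file -> "generator" or "forwards-to:<host>:<port>"
    host=$(cfg_value "$1" master.ca.agent.host)
    port=$(cfg_value "$1" master.ca.agent.port)
    if [ -z "$host" ]; then
        echo generator
    else
        echo "forwards-to:${host}:${port}"
    fi
}

blank_redirect() {       # $1=file -> blank both redirect keys in place (step g)
    sed -i.bak -e 's/^\(master\.ca\.agent\.host\)=.*/\1=/' \
               -e 's/^\(master\.ca\.agent\.port\)=.*/\1=/' "$1"
}

# Constructed sample configs: a replica that still defers to the old master,
# and the original master which has no redirect keys at all.
tmp=$(mktemp -d)
cat > "$tmp/replica.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
master.ca.agent.host=ipa1.example.test
master.ca.agent.port=443
EOF
printf 'ca.crl.MasterCRL.enableCRLCache=true\n' > "$tmp/master.cfg"

crl_role "$tmp/master.cfg"     # generator
crl_role "$tmp/replica.cfg"    # forwards-to:ipa1.example.test:443
blank_redirect "$tmp/replica.cfg"
crl_role "$tmp/replica.cfg"    # generator
```

After blanking, the thread's own verification step still applies: confirm in /var/log/pki-ca/debug that exactly one host is now producing the CRL.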
