[Freeipa-users] Confused/lost at promoting a replica into a master

David Copperfield cao2dan at yahoo.com
Mon Apr 30 21:28:32 UTC 2012


Hi Deon, Dmitri, and all,
>
> >> Hi follks,
> >
> >>  I'm completely lost at reading the IPA document on how to promote an IPA replica into a master IPA. When I try to follow the steps listed in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at the link http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, the last step 'g' says:
> >>
> >>    g. Disable the redirect settings for CRL generation requests:
> >>         master.ca.agent.host=hostname
> >>         master.ca.agent.port=port number
> >>
> >> The above instructions don't give any hints of 'hostname' or 'port number'. Users don't have any clues about them: should they be this replica's name, or the original master's name? And what is the port number? Is it a TCP port, or a UDP port?
> >
> >The replica is configured to check for information from the master CA -- in this case, asking the master CA to generate a CRL. Those parameters tell the replica where to look. Part of promoting the replica is telling it *not* to look for a master CA. So, those parameters should be blanked or removed.
> >
> >I can definitely make that more clear.
>
> Have you used a --selfsign option when you installed the first server?
> If you did, you installed the server without CA. This is an advanced option for those who know why they do not want the CA at all.
> The standard, default way is to not provide --selfsign flag.
> This will install CA on the first replica. On the other replicas you can have a CA at your discretion. Or add it later if you did not install it at the beginning.
> HTH.
>
>

It's my pleasure to clarify here: no '--selfsign' option was used to create the IPA master, the first replica, or the other replica siblings. But the Dogtag installation results are:

 IPA master: has the Dogtag system installed, and the '/var/lib/pki-ca/conf/CS.conf' file created. Inside, there was no 'master.ca.agent.{host,port}' statement.
 IPA replica (first replica and its siblings): NO Dogtag certificate system was automatically installed. Not even a /var/lib/pki-ca/ directory.
 
By the way, on the document page, the commands 'service pki-ca stop' and 'service pki-ca start' were wrong too, as there was only a 'pki-cad' service, not 'pki-ca'. :)

So, please have the migration page updated and submit it here so that users can follow the updated version and give you more feedback immediately. It looks like a win-win solution.

--David
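The thread leaves open what step 'g' actually means in practice: the redirect keys on the promoted replica must end up unset so it stops deferring CRL generation to the old master. The script below is an added example, not code from the thread or from FreeIPA/Dogtag; it audits a CS.cfg-style key=value file for the two keys named above and produces the cleaned text. The file content is a constructed sample, and the real config path (under the pki-ca instance's conf directory) is an assumption to verify on your own install.

```python
# Added example, not from the original thread or the FreeIPA project.
# Checks a Dogtag CS.cfg-style key=value file for the master CA redirect
# settings the guide says to disable when promoting a replica, and returns
# a cleaned copy with those keys blanked. Everything else is left untouched.

REDIRECT_KEYS = ("master.ca.agent.host", "master.ca.agent.port")

def parse_cs_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def find_redirect_settings(text):
    """Return the redirect keys that are still set to a non-empty value."""
    cfg = parse_cs_cfg(text)
    return {k: cfg[k] for k in REDIRECT_KEYS if cfg.get(k)}

def disable_redirect_settings(text):
    """Return the config text with the redirect keys blanked (key= with no value)."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in REDIRECT_KEYS and not line.lstrip().startswith("#"):
            out.append(key + "=")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

# Constructed sample; a real CS.cfg is much longer. Hostname/port are made up.
SAMPLE_CS_CFG = """\
# constructed sample, not a real CS.cfg
ca.crl.MasterCRL.enableCRLUpdates=true
master.ca.agent.host=ipa-master.example.test
master.ca.agent.port=9443
ca.listenToCloneModifications=false
"""

if __name__ == "__main__":
    print("still redirecting to:", find_redirect_settings(SAMPLE_CS_CFG))
    print(disable_redirect_settings(SAMPLE_CS_CFG), end="")
```

Run the audit again after the pki-cad restart to confirm the keys stayed blank; a non-empty result means the replica is still deferring CRL generation to another host.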