Bug 1200728
| Summary: | [RFE] Replicate PKI Profile information | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 7.0 | CC: | ftweedal, jcholast, rcritten, spoore | |
| Target Milestone: | rc | Keywords: | FutureFeature | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.2.0-1.el7 | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1200729 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 12:01:58 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1200729 | |||
| Bug Blocks: | 1181710, 1200694 | |||
|
Description
Martin Kosek
2015-03-11 09:52:48 UTC
master: https://fedorahosted.org/freeipa/changeset/ba071e757dc3b38b524af0212ec1a6a1b0208d83 https://fedorahosted.org/freeipa/changeset/ba075b195c5c6a78416f15fb06c765858a0b2069 The functionality is there. From now on, the upstream feature is in bugfixing mode. *** Bug 1200729 has been marked as a duplicate of this bug. *** Is there something in cn=config on a Replica with CA installed I can query that would indicate this is indeed configured? Fraser, Can I just verify this by confirming that the data for the profile is visible from an IPA Replica's DS? So, would this be enough to verify? ldapsearch -h replica.testrelm.testrelm.test \ -b cn=certprofiles,cn=ca,dc=testrelm,dc=test \ cn=caIPAserviceCert Or is there something else I should check? Thanks, Scott This ticket concerns replication of *Dogtag's* profile data between CA replicas.
To test:
1. There must be >0 CA replica.
2. Create a new profile via `certprofile-import'
3. Ensure that that profile is replicated to the CA replicas' directories.
The DN will be cn={profileId},ou=certificateProfiles,ou=ca,ou=ipaca
Similarly, changes resulting from updating the profile via
`certprofile-mod {profileId} --file={newconfig}' or removing via
`certprofile-del' should be replicated.
Hope that makes sense - let me know if any clarification needed.
[root@replica ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -p Secret123 -w Secret123 -U replica-info-replica.testrelm.test.gpg Checking DNS forwarders, please wait ... Using reverse zone(s) 122.168.192.in-addr.arpa. Run connection check to master Check connection from replica to remote master 'master.testrelm.test': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'replica.testrelm.test': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring ssl for ds instance [18/38]: configuring certmap.conf [19/38]: configure autobind for root [20/38]: configure new location for managed entries [21/38]: configure dirsrv ccache [22/38]: enable SASL mapping fallback [23/38]: restarting directory server [24/38]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 4 seconds elapsed Update succeeded [25/38]: updating schema [26/38]: setting Auto Member configuration [27/38]: enabling S4U2Proxy delegation [28/38]: importing CA certificates from LDAP [29/38]: initializing group membership [30/38]: adding master entry [31/38]: initializing domain level [32/38]: configuring Posix uid/gid generation [33/38]: adding replication acis [34/38]: enabling compatibility plugin [35/38]: activating sidgen plugin [36/38]: activating extdom plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [1/17]: creating certificate server user [2/17]: configuring certificate server instance [3/17]: stopping certificate server instance to update CS.cfg [4/17]: backing up CS.cfg [5/17]: disabling nonces [6/17]: set up CRL publishing [7/17]: enable PKIX certificate path discovery and validation [8/17]: starting certificate server instance [9/17]: creating RA agent certificate database [10/17]: importing CA chain to RA certificate database [11/17]: fixing RA database permissions [12/17]: setting up signing cert profile [13/17]: setting audit signing renewal to 2 years [14/17]: configure certmonger for renewals [15/17]: configure certificate renewals [16/17]: configure Server-Cert certificate renewal [17/17]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Restarting the directory and certificate servers Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [1/8]: adding sasl mappings to the directory [2/8]: configuring KDC [3/8]: creating a keytab for the directory [4/8]: creating a keytab for the machine [5/8]: adding the password extension to the directory [6/8]: enable GSSAPI for replication [7/8]: starting the KDC [8/8]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd). Estimated time: 1 minute [1/17]: setting mod_nss port to 443 [2/17]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [3/17]: setting mod_nss password file [4/17]: enabling mod_nss renegotiate [5/17]: adding URL rewriting rules [6/17]: configuring httpd [7/17]: configure certmonger for renewals [8/17]: setting up ssl [9/17]: importing CA certificates from LDAP [10/17]: publish CA cert [11/17]: creating a keytab for httpd [12/17]: clean up any existing httpd ccache [13/17]: configuring SELinux for httpd [14/17]: create KDC proxy config [15/17]: enable KDC proxy [16/17]: restarting httpd [17/17]: configuring httpd to start on boot Done configuring the web interface (httpd). Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Applying LDAP updates Upgrading IPA: [1/9]: stopping directory server [2/9]: saving configuration [3/9]: disabling listeners [4/9]: enabling DS global lock [5/9]: starting directory server [6/9]: upgrading server [7/9]: stopping directory server [8/9]: restoring configuration [9/9]: starting directory server Done. Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: generating rndc key file [2/9]: setting up reverse zone [3/9]: setting up our own record [4/9]: adding NS record to the zones [5/9]: setting up CA record [6/9]: setting up kerberos principal [7/9]: setting up named.conf [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Configuring DNS key synchronization service (ipa-dnskeysyncd) [1/7]: checking status [2/7]: setting up bind-dyndb-ldap working directory [3/7]: setting up kerberos principal [4/7]: setting up SoftHSM [5/7]: adding DNSSEC containers [6/7]: creating replica keys [7/7]: configuring ipa-dnskeysyncd to start on boot Done configuring DNS key synchronization service (ipa-dnskeysyncd). Restarting ipa-dnskeysyncd Restarting named Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server [root@replica ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -h $(hostname) -b ou=certificateProfiles,ou=ca,o=ipaca cn=new_cert_profile dn: cn=new_cert_profile,ou=certificateProfiles,ou=ca,o=ipaca certProfileConfig:: YXV0aC5pbnN0YW5jZV9pZD1yYUNlcnRBdXRoCmRlc2M9TmV3IFByb2ZpbG ...truncated to simplify output... PWZhbHNlCg== classId: caEnrollImpl cn: new_cert_profile objectClass: top objectClass: certProfile ^^^ This was a profile created on master.testrelm.test before replica.testrelm.test was setup. ######## Now we'll delete it to make sure if deleted on replica, it's removed from master ########## [root@master ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -h $(hostname) -b ou=certificateProfiles,ou=ca,o=ipaca cn=new_cert_profile dn: cn=new_cert_profile,ou=certificateProfiles,ou=ca,o=ipaca objectClass: top objectClass: certProfile cn: new_cert_profile classId: caEnrollImpl certProfileConfig:: YXV0aC5pbnN0YW5jZV9pZD1yYUNlcnRBdXRoCmRlc2M9TmV3IFByb2ZpbG ...truncated to simplify output... PWZhbHNlCg== [root@replica ~]# kinit admin Password for admin: [root@replica ~]# ipa certprofile-del new_cert_profile ---------------------------------- Deleted profile "new_cert_profile" ---------------------------------- [root@master ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -h $(hostname) -b ou=certificateProfiles,ou=ca,o=ipaca cn=new_cert_profile [root@master ~]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2362.html |