Description of problem:
At the moment the security domain info is supposed to be updated automatically during installation & uninstallation. This leads to problems when CA systems are removed from IdM topology using ipa tools. There is a difference between the output from 'pki' and 'ipa' tools.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
One additional point: LWCA entries may also contain references to
decommissioned servers. This will, at worst, cause a delay in
lightweight CA key replication as the client attempts to contact
possibly nonexistent servers, until it hits a live one. So we
should probably include that along with the security domain work.
Christian and Fraser, does this have higher importance for cloud-based deployments?
We have a few CLIs for managing security domains under PKI:
[ascheel@ascheel-p50 ~]$ pki securitydomain-host
securitydomain-host-find Find security domain hosts
securitydomain-host-show Show security domain host
securitydomain-host-add Add security domain host
securitydomain-host-del Remove security domain host
We could potentially use these as a workaround so customers see the same information in both places.
Would RHEL 8.5/RHEL 9 be viable for fixing this?
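The workaround above amounts to a reconciliation step: list what the PKI security domain still believes are CA hosts, list what IdM currently considers CA servers, and remove the entries IdM no longer has. The script below is an added example, not code from this bug report or from the pki/ipa projects. It runs offline on constructed sample outputs; the field labels it parses ("Host ID:", "Hostname:" from `pki securitydomain-host-find`, "Server name:" from `ipa server-role-find --role "CA server"`) and the "<subsystem> <hostname> <port>" shape of the Host ID are assumptions about those tools' output and should be checked against the installed version. It only reports and prints the matching `pki securitydomain-host-del` command for an administrator to review; it does not delete anything.

```shell
#!/bin/sh
# Added example (not from the bug report or the pki/ipa projects):
# find security domain host entries that IdM no longer lists as CA servers.

# Constructed sample of `pki securitydomain-host-find` output after a CA
# server (old-ca) was removed with ipa tools but left in the security domain.
# The field labels and Host ID format are assumptions about the real output.
PKI_OUTPUT='-----------------
3 entries matched
-----------------
  Host ID: CA ipa1.example.test 443
  Hostname: ipa1.example.test
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: FALSE

  Host ID: CA ipa2.example.test 443
  Hostname: ipa2.example.test
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: TRUE

  Host ID: CA old-ca.example.test 443
  Hostname: old-ca.example.test
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: TRUE
'

# Constructed sample of `ipa server-role-find --role "CA server"` output;
# the "Server name:" label is likewise an assumption.
IPA_OUTPUT='----------------------
2 server roles matched
----------------------
  Server name: ipa1.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa2.example.test
  Role name: CA server
  Role status: enabled
'

# Extract the Host ID values (e.g. "CA ipa1.example.test 443") from pki output.
pki_host_ids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Host ID:[[:space:]]*//p'
}

# Extract the CA server hostnames IdM knows about from ipa output.
ipa_hosts() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Server name:[[:space:]]*//p' | sort -u
}

# Print the Host IDs whose hostname does not appear in IdM's CA server list.
stale_host_ids() {
    ipa_list=$(ipa_hosts "$2")
    pki_host_ids "$1" | while IFS= read -r id; do
        # Assumed Host ID layout: "<subsystem> <hostname> <port>"; field 2 is the host.
        host=$(printf '%s\n' "$id" | awk '{print $2}')
        printf '%s\n' "$ipa_list" | grep -qFx -- "$host" || printf '%s\n' "$id"
    done
}

# Report stale entries and the command an administrator would review before running.
report_stale() {
    stale_host_ids "$PKI_OUTPUT" "$IPA_OUTPUT" | while IFS= read -r id; do
        printf 'stale security domain entry: %s\n' "$id"
        printf '  remove with (after review): pki securitydomain-host-del "%s"\n' "$id"
    done
}

report_stale
```

On a live system the two variables would be filled from the actual commands (`PKI_OUTPUT=$(pki ... securitydomain-host-find)` with the appropriate authentication options, and the ipa call after `kinit`); the comparison logic stays the same. Keeping deletion as a printed suggestion rather than an automatic action matters here because a host that is temporarily unreachable or mid-installation would otherwise be removed from the domain by mistake.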
Good question. Yes, I think it does have higher importance in a context where installations
will be managed with more automation via operators. But I don't think it is critical.
We could code the behaviour into the operator.
That makes sense now, thanks :-)
The difference in output is due to bz#1481949 (see comment 15 there). I'm closing this because we already have the tools to correct this difference in PKI (see comment #3 in this BZ). As per comment 18 in bz#1481949 and the email thread on the subject, this is safe to correct manually. I'm not sure if IPA will automatically correct output when fixing that BZ.
Marking comment 3 as non-private since these tools already exist and should be sufficient.