Chapter 51. Authentication and Interoperability

Installing an IdM replica on RHEL 7.6 fails if the IdM master runs on RHEL 6

With a recent update of the pki-core package, certain ciphers are no longer enabled by default in the Identity Management (IdM) Certificate Authority (CA). As a consequence, setting up an IdM server with an integrated CA on RHEL 7.6 as a replica of a master running on RHEL 6 fails with a "CRITICAL Failed to configure CA instance" error. To work around the problem, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file:
As a result, the IdM installation on RHEL 7.6 no longer fails. Note that installing a CA-less IdM replica on RHEL 7.6 works as expected even without this workaround. (BZ#1667434)
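The workaround above amounts to editing one directive in nss.conf and then retrying the replica install. The following helper is an added example written for this note, not Red Hat or IdM code: it appends a cipher entry to the first active NSSCipherSuite directive, leaves the file alone if the entry is already present (so the step can be repeated safely), and refuses to write a file that has no such directive. The cipher entry is passed in as an argument because the release note supplies it; the sample nss.conf text and the "+placeholder_cipher" value are constructed for illustration.

```python
# Added example, not part of RHEL or IdM: idempotently append a cipher entry
# to the NSSCipherSuite directive in mod_nss's nss.conf.
import re
import shutil
import sys
from pathlib import Path

NSS_CONF = Path("/etc/httpd/conf.d/nss.conf")   # path from the release note

# Constructed sample of an nss.conf fragment; cipher names are mod_nss-style.
SAMPLE_NSS_CONF = (
    "LoadModule nss_module modules/libmodnss.so\n"
    "# NSSCipherSuite +rsa_rc4_128_md5\n"          # commented-out directive: must be ignored
    "NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha\n"
    "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2\n"
)

_DIRECTIVE = re.compile(r"^([ \t]*NSSCipherSuite[ \t]+)(\S+)(.*)$", re.MULTILINE)


def append_cipher(conf_text: str, entry: str) -> str:
    """Return conf_text with `entry` appended to the NSSCipherSuite value.

    Only the first uncommented directive is changed. If `entry` is already in
    the comma-separated list the text is returned unchanged. A missing directive
    raises ValueError instead of silently producing an unchanged file.
    """
    match = _DIRECTIVE.search(conf_text)
    if match is None:
        raise ValueError("no active NSSCipherSuite directive found")
    prefix, value, rest = match.groups()
    ciphers = value.split(",")
    if entry in ciphers:
        return conf_text
    new_value = ",".join(ciphers + [entry])
    return conf_text[:match.start()] + prefix + new_value + rest + conf_text[match.end():]


def apply_workaround(path: Path, entry: str) -> bool:
    """Rewrite `path` in place after saving a .bak copy. Returns True if the
    file was modified, False if the entry was already present."""
    original = path.read_text()
    updated = append_cipher(original, entry)
    if updated == original:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(updated)
    return True


def demo() -> str:
    """Apply the edit to the constructed sample and return the result."""
    return append_cipher(SAMPLE_NSS_CONF, "+placeholder_cipher")


if __name__ == "__main__":
    # Usage: python3 append_cipher.py '+<entry from the release note>'
    if len(sys.argv) != 2:
        sys.exit("usage: append_cipher.py '+cipher_entry'")
    changed = apply_workaround(NSS_CONF, sys.argv[1])
    print("nss.conf updated" if changed else "entry already present, nothing changed")
```

After the edit, restart httpd (or simply rerun ipa-replica-install, which restarts it) and retry the replica installation; the .bak copy makes it easy to revert once the underlying package fix is in place.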

RADIUS proxy functionality is now also available in IdM running in FIPS mode

In FIPS mode, OpenSSL disables the use of the MD5 digest algorithm by default. Consequently, because the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail.
If the RADIUS server is running on the same host as the IdM master, you can work around the problem and enable MD5 within the secure perimeter.
To do that, create a file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content:
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
To apply the change, reload the systemd configuration:
# systemctl daemon-reload
and start the radiusd service:
# systemctl start radiusd
The configuration of the RADIUS proxy requires a shared secret between the client and the server to wrap credentials. Specify this secret in the RADIUS proxy configuration in RHEL IdM using either the command line interface (CLI) or the web UI. To do so on the CLI:
# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
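The reason the proxy stops working without MD5, and what the shared secret from ipa radiusproxy-add is used for, is visible in the RADIUS User-Password hiding scheme of RFC 2865 section 5.2: the password is XORed with a keystream built from MD5(secret + Request Authenticator), chained block by block. The following is an added example written for this note, not FreeRADIUS, IdM or Red Hat code; the secret, authenticator and password are constructed sample values. It also shows the failure mode the note describes: in a Python build backed by OpenSSL in FIPS mode, hashlib.md5 raises ValueError, which md5_available() reports.

```python
# Added example (not from the RHEL release notes, FreeRADIUS or IdM):
# RFC 2865 section 5.2 User-Password hiding, which is why RADIUS needs MD5.
import hashlib
import os

SAMPLE_SECRET = b"example-shared-secret"   # constructed; the --secret value in practice
SAMPLE_AUTHENTICATOR = bytes(range(16))    # constructed; a real client uses 16 random bytes
SAMPLE_PASSWORD = b"correct horse battery staple"   # constructed


def new_authenticator() -> bytes:
    """Fresh 16-byte Request Authenticator, as a real RADIUS client would send."""
    return os.urandom(16)


def _md5(data: bytes) -> bytes:
    """MD5 as mandated by RFC 2865. OpenSSL-backed builds in FIPS mode raise
    ValueError here; that is the failure the release note describes."""
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_(i-1)), on 16-byte blocks."""
    if not password or len(password) > 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16-byte multiple
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = _md5(secret + prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk          # chaining: next block keyed on previous ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding the sender added."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = _md5(secret + prev)
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def md5_available() -> bool:
    """False when the crypto backend refuses MD5 (e.g. OpenSSL in FIPS mode)."""
    try:
        _md5(b"")
    except ValueError:
        return False
    return True


def demo() -> bytes:
    """Hide the constructed password with the constructed secret and authenticator."""
    return hide_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)


if __name__ == "__main__":
    if not md5_available():
        print("MD5 is blocked by the crypto backend; RADIUS password hiding cannot work here")
    else:
        hidden = demo()
        print("hidden:", hidden.hex())
        print("recovered:", reveal_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
```

Two things follow from the construction. First, a mismatched secret on either side yields garbage rather than an error, so a wrong --secret shows up as authentication failures, not as a configuration error. Second, MD5 is used here as a keystream generator, not as a password hash, which is why the secure-perimeter caveat in the note matters: the scheme's strength rests on the secret and on the channel between proxy and server, not on MD5's collision resistance.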