Chapter 4. Installing and Uninstalling Identity Management Replicas
Replicas are created by cloning the configuration of existing Identity Management servers. Therefore, servers and their replicas share identical core configuration. The replica installation process copies the existing server configuration and installs the replica based on that configuration.
Maintaining several server replicas is a recommended backup solution to avoid data loss, as described in the "Backup and Restore in IdM/IPA" Knowledgebase solution.
Another backup solution, recommended primarily for situations when rebuilding the IdM deployment from replicas is not possible, is the
ipa-backuputility, as described in Chapter 9, Backing Up and Restoring Identity Management.
4.1. Explaining IdM Replicas
To provide service availability and redundancy for large numbers of clients, you can deploy multiple IdM servers, called replicas, in a single domain. Replicas are clones of the initial IdM server that are functionally identical to each other: they share the same internal information about users, machines, certificates, and configured policies.
There are, however, two unique server roles that only one server in the environment can fulfill at a time:
- CA Renewal Server: this server manages renewal of Certificate Authority (CA) subsystem certificates
- CRL Generation Server: this server generates certificate revocation lists (CRLs).
By default, the first CA server installed fulfills both CA Renewal Server and CRL Generation Server roles. You can transition these roles to any other CA server in the topology, for example if you need to decommission the initially installed server. Both roles do not have to be fulfilled by the same server.
For more information on the types of machines in the IdM topology, see Section 1.2, “The Identity Management Domain”.
Replication is the process of copying data between replicas. The information between replicas is shared using multi-master replication: all replicas joined through a replication agreement receive updates and are therefore considered data masters.
Figure 4.1. Server and Replica Agreements