Chapter 6. Installing an IdM server: Without integrated DNS, with an external CA as the root CA

This chapter describes how you can install a new Identity Management (IdM) server, without integrated DNS, that uses an external certificate authority (CA) as the root CA.

6.1. Interactive installation

During the interactive installation using the ipa-server-install utility, you are asked to supply basic configuration of the system, for example the realm, the administrator’s password and the Directory Manager’s password.

The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.

This procedure describes how to install a server:

Without integrated DNS
With an external certificate authority (CA) as the root CA

Prerequisites

Decide on the type of the external CA you use (the --external-ca-type option). See the ipa-server-install(1) man page for details.
Alternatively, decide on the --external-ca-profile option allowing an alternative Active Directory Certificate Services (AD CS) template to be specified. For example, to specify an AD CS installation-specific object identifier:
```
[root@server ~]# ipa-server-install --external-ca --external-ca-type=ms-cs --external-ca-profile=1.3.6.1.4.1.311.21.8.8950086.10656446.2706058.12775672.480128.147.7130143.4405632:1
```

Procedure

Run the ipa-server-install utility with the --external-ca option.
```
# ipa-server-install --external-ca
```
If you are using the Microsoft Certificate Services CA, use also the --external-ca-type option. For details, see the ipa-server-install(1) man page.
The script prompts to configure an integrated DNS service. Press Enter to select the default no option.
```
Do you want to configure integrated DNS (BIND)? [no]:
```
The script prompts for several required settings and offers recommended default values in brackets.
- To accept a default value, press Enter.
- To provide a custom value, enter the required value.
```
Server host name [server.example.com]:
Please confirm the domain name [example.com]:
Please provide a realm name [EXAMPLE.COM]:
```
  Warning
  Plan these names carefully. You will not be able to change them after the installation is complete.
Enter the passwords for the Directory Server superuser (cn=Directory Manager) and for the IdM administration system user account (admin).
```
Directory Manager password:
IPA admin password:
```

Enter yes to confirm the server configuration.

Continue to configure the system with these values? [no]: yes

During the configuration of the Certificate System instance, the utility prints the location of the certificate signing request (CSR): /root/ipa.csr:
```
...

Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as:
/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
```
When this happens:
1. Submit the CSR located in /root/ipa.csr to the external CA. The process differs depending on the service to be used as the external CA.
2. Retrieve the issued certificate and the CA certificate chain for the issuing CA in a base 64-encoded blob (either a PEM file or a Base_64 certificate from a Windows CA). Again, the process differs for every certificate service. Usually, a download link on a web page or in the notification email allows the administrator to download all the required certificates.
  Important
  Be sure to get the full certificate chain for the CA, not just the CA certificate.
3. Run ipa-server-install again, this time specifying the locations and names of the newly-issued CA certificate and the CA chain files. For example:
```
# ipa-server-install --external-cert-file=/tmp/servercert20170601.pem --external-cert-file=/tmp/cacert.pem
```
The installation script now configures the server. Wait for the operation to complete.
The installation script produces a file with DNS resource records: the /tmp/ipa.system.records.UFRPto.db file in the example output below. Add these records to the existing external DNS servers. The process of updating the DNS records varies depending on the particular DNS solution.
```
...
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.UFRBto.db
Restarting the web server
...
```
Important
The server installation is not complete until you add the DNS records to the existing DNS servers.

Additional resources

The ipa-server-install --external-ca command can sometimes fail with the following error:
```
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/pass:quotes[configuration_file]' returned non-zero exit status 1
Configuration of CA failed
```
This failure occurs when the *_proxy environmental variables are set. For a solution of the problem, see Section 3.2, “Troubleshooting: External CA installation fails”.

6.2. Non-interactive installation

This procedure installs a server:

Without integrated DNS
with an external certificate authority (CA) as the root CA

Note

The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.

Prerequisites

Decide on the type of the external CA you use (the --external-ca-type option). See the ipa-server-install(1) man page for details.
Alternatively, decide on the --external-ca-profile option allowing an alternative Active Directory Certificate Services (AD CS) template to be specified. For example, to specify an AD CS installation-specific object identifier:
```
[root@server ~]# ipa-server-install --external-ca --external-ca-type=ms-cs --external-ca-profile=1.3.6.1.4.1.311.21.8.8950086.10656446.2706058.12775672.480128.147.7130143.4405632:1
```

Procedure

Run the ipa-server-install utility with the options to supply all the required information. The minimum required options for non-interactive installation of an IdM server with an external CA as the root CA are:
- --external-ca to specify an external CA is the root CA
- --realm to provide the Kerberos realm name
- --ds-password to provide the password for the Directory Manager (DM), the Directory Server super user
- --admin-password to provide the password for admin, the IdM administrator
- --unattended to let the installation process select default options for the host name and domain name
  For example:
```
# ipa-server-install --external-ca --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended
```
If you are using the Microsoft Certificate Services CA, use also the --external-ca-type option. For details, see the ipa-server-install(1) man page.
During the configuration of the Certificate System instance, the utility prints the location of the certificate signing request (CSR): /root/ipa.csr:
```
...

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/11]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-server-install command was successful
```
When this happens:
1. Submit the CSR located in /root/ipa.csr to the external CA. The process differs depending on the service to be used as the external CA.
2. Retrieve the issued certificate and the CA certificate chain for the issuing CA in a base 64-encoded blob (either a PEM file or a Base_64 certificate from a Windows CA). Again, the process differs for every certificate service. Usually, a download link on a web page or in the notification email allows the administrator to download all the required certificates.
  Important
  Be sure to get the full certificate chain for the CA, not just the CA certificate.
3. Run ipa-server-install again, this time specifying the locations and names of the newly-issued CA certificate and the CA chain files. For example:
```
# ipa-server-install --external-cert-file=/tmp/servercert20170601.pem --external-cert-file=/tmp/cacert.pem --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended
```
The installation script now configures the server. Wait for the operation to complete.
The installation script produces a file with DNS resource records: the /tmp/ipa.system.records.UFRPto.db file in the example output below. Add these records to the existing external DNS servers. The process of updating the DNS records varies depending on the particular DNS solution.
```
...
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.UFRBto.db
Restarting the web server
...
```

Important

The server installation is not complete until you add the DNS records to the existing DNS servers.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Chapter 6. Installing an IdM server: Without integrated DNS, with an external CA as the root CA

6.1. Interactive installation

6.2. Non-interactive installation