Chapter 18. Installing an IdM replica

The following sections describe how to install an Identity Management (IdM) replica. The replica installation process copies the configuration of the existing server and installs the replica based on that configuration.

Prerequisites

Ensure your system is prepared for IdM replica installation.
Important
If this preparation is not performed, installing an IdM replica will fail.

Note

Install one IdM replica at a time. The installation of multiple replicas at the same time is not supported.

Procedure

For the individual types of replica installation procedures, see:

To troubleshoot the replica installation procedure, see:

Chapter 19, Troubleshooting IdM replica installation

After the installation, see:

Section 18.6, “Testing an IdM replica”

18.1. Installing an IdM replica with integrated DNS and a CA

This procedure describes installing an Identity Management (IdM) replica:

With integrated DNS
With a certificate authority (CA)

You can do this to, for example, replicate the CA service for resiliency after installing an IdM server with an integrated CA.

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Ensure your system is prepared for an IdM replica installation.

Procedure

Enter ipa-replica-install with these options:
- --setup-dns to configure the replica as a DNS server
- --forwarder to specify a forwarder, or --no-forwarder if you do not want to use any forwarders. To specify multiple forwarders for failover reasons, use --forwarder multiple times.
- --setup-ca to include a CA on the replica
  For example, to set up a replica with an integrated DNS server and a CA that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:
```
# ipa-replica-install --setup-dns --forwarder 192.0.2.1 --setup-ca
```
  Note
  The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.
After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.
Important
Repeat this step each time after you installed an IdM DNS server.

18.2. Installing an IdM replica with integrated DNS

This procedure describes installing an Identity Management (IdM) replica:

With integrated DNS
Without a certificate authority (CA) in an IdM environment in which a CA is already installed. The replica will forward all certificate operations to the IdM server with a CA installed.

Prerequisites

Ensure your system is prepared for an IdM replica installation.

Procedure

Enter ipa-replica-install with these options:
- --setup-dns to configure the replica as a DNS server
- --forwarder to specify a forwarder, or --no-forwarder if you do not want to use any forwarders. To specify multiple forwarders for failover reasons, use --forwarder multiple times.
For example, to set up a replica with an integrated DNS server that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:
```
# ipa-replica-install --setup-dns --forwarder 192.0.2.1
```
Note
The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.
After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.
Important
Repeat this step each time after you installed an IdM DNS server.

18.3. Installing an IdM replica with a CA

This procedure describes installing an Identity Management (IdM) replica:

Without integrated DNS
With a certificate authority (CA)

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Ensure your system is prepared for an IdM replica installation.

Procedure

Enter ipa-replica-install with the --setup-ca option.
```
# ipa-replica-install --setup-ca
```
Add the newly created IdM DNS service records to your DNS server:
1. Export the IdM DNS service records into a file in the nsupdate format:
```
$ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
```
2. Submit a DNS update request to your DNS server using the nsupdate utility and the dns_records_file.nsupdate file. For more information, see Updating External DNS Records Using nsupdate in RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.

18.4. Installing an IdM replica without a CA

This procedure describes installing an Identity Management (IdM) replica:

Without integrated DNS
Without a certificate authority (CA) by providing the required certificates manually. The assumption here is that the first server was installed without a CA.

Important

You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

Prerequisites

Ensure your system is prepared for an IdM replica installation.

Procedure

Enter ipa-replica-install, and provide the required certificate files by adding these options:
- --dirsrv-cert-file
- --dirsrv-pin
- --http-cert-file
- --http-pin
For details about the files that are provided using these options, see Section 4.1, “Certificates required to install an IdM server without a CA”.
For example:
```
# ipa-replica-install \
    --dirsrv-cert-file /tmp/server.crt \
    --dirsrv-cert-file /tmp/server.key \
    --dirsrv-pin secret \
    --http-cert-file /tmp/server.crt \
    --http-cert-file /tmp/server.key \
    --http-pin secret
```
Note
Do not add the --ca-cert-file option. The ipa-replica-install utility takes this part of the certificate information automatically from the first server you installed.

18.5. Installing an IdM hidden replica

A hidden (unadvertised) replica is an Identity Management (IdM) server that has all services running and available. However, it has no SRV records in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect these hidden replicas.

For further details about hidden replicas, see The hidden replica mode.

Prerequisites

Ensure your system is prepared for an IdM replica installation.

Procedure

To install a hidden replica, use the following command:
```
ipa-replica-install --hidden-replica
```

Note that the command installs a replica without DNS SRV records and with disabled LDAP server roles.

You can also change the mode of existing replica to hidden. For details, see Demotion and promotion of hidden replicas.

18.6. Testing an IdM replica

After creating a replica, check if the replica replicates data as expected. You can use the following procedure.

Procedure

Create a user on the new replica:

[admin@new_replica ~]$ ipa user-add test_user

Make sure the user is visible on another replica:

[admin@another_replica ~]$ ipa user-show test_user

18.7. Connections performed during an IdM replica installation

Table 18.1, “Requests performed during an IdM replica installation” lists the operations performed by ipa-replica-install, the Identity Management (IdM) replica installation tool.

Table 18.1. Requests performed during an IdM replica installation

Operation	Protocol used	Purpose
DNS resolution against the DNS resolvers configured on the client system	DNS	To discover the IP addresses of IdM servers
Requests to ports 88 (TCP/TCP6 and UDP/UDP6) on the discovered IdM servers	Kerberos	To obtain a Kerberos ticket
JSON-RPC calls to the IdM Apache-based web-service on the discovered or configured IdM servers	HTTPS	IdM client enrollment; replica keys retrieval and certificate issuance if required
Requests over TCP/TCP6 to port 389 on the IdM server, using SASL GSSAPI authentication, plain LDAP, or both	LDAP	IdM client enrollment; CA certificate chain retrieval; LDAP data replication
Requests over TCP/TCP6 to port 22 on IdM server	SSH	To check if the connection is working
(optionally) Access over port 8443 (TCP/TCP6) on the IdM servers	HTTPS	To administer the Certificate Authority on the IdM server (only during IdM server and replica installation)

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Red Hat Training

Chapter 18. Installing an IdM replica

18.1. Installing an IdM replica with integrated DNS and a CA

18.2. Installing an IdM replica with integrated DNS

18.3. Installing an IdM replica with a CA

18.4. Installing an IdM replica without a CA

18.5. Installing an IdM hidden replica

18.6. Testing an IdM replica

18.7. Connections performed during an IdM replica installation