Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 18. Installing an IdM replica

The following sections describe how to install an Identity Management (IdM) replica. The replica installation process copies the configuration of the existing server and installs the replica based on that configuration.

Prerequisites

Note

Install one IdM replica at a time. The installation of multiple replicas at the same time is not supported.

Procedure

For the individual types of replica installation procedures, see:

To troubleshoot the replica installation procedure, see:

After the installation, see:

18.1. Installing an IdM replica with integrated DNS and a CA

This procedure describes installing an Identity Management (IdM) replica:

  • With integrated DNS
  • With a certificate authority (CA)

You can do this to, for example, replicate the CA service for resiliency after installing an IdM server with an integrated CA.

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Procedure

  1. Enter ipa-replica-install with these options:

    • --setup-dns to configure the replica as a DNS server
    • --forwarder to specify a forwarder, or --no-forwarder if you do not want to use any forwarders. To specify multiple forwarders for failover reasons, use --forwarder multiple times.
    • --setup-ca to include a CA on the replica

      For example, to set up a replica with an integrated DNS server and a CA that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:

      # ipa-replica-install --setup-dns --forwarder 192.0.2.1 --setup-ca
      Note

      The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after you installed an IdM DNS server.

18.2. Installing an IdM replica with integrated DNS

This procedure describes installing an Identity Management (IdM) replica:

  • With integrated DNS
  • Without a certificate authority (CA) in an IdM environment in which a CA is already installed. The replica will forward all certificate operations to the IdM server with a CA installed.

Prerequisites

Procedure

  1. Enter ipa-replica-install with these options:

    • --setup-dns to configure the replica as a DNS server
    • --forwarder to specify a forwarder, or --no-forwarder if you do not want to use any forwarders. To specify multiple forwarders for failover reasons, use --forwarder multiple times.

    For example, to set up a replica with an integrated DNS server that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:

    # ipa-replica-install --setup-dns --forwarder 192.0.2.1
    Note

    The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after you installed an IdM DNS server.

18.3. Installing an IdM replica with a CA

This procedure describes installing an Identity Management (IdM) replica:

  • Without integrated DNS
  • With a certificate authority (CA)
Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Procedure

  1. Enter ipa-replica-install with the --setup-ca option.

    # ipa-replica-install --setup-ca
  2. Add the newly created IdM DNS service records to your DNS server:

    1. Export the IdM DNS service records into a file in the nsupdate format:

      $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
    2. Submit a DNS update request to your DNS server using the nsupdate utility and the dns_records_file.nsupdate file. For more information, see Updating External DNS Records Using nsupdate in RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.

18.4. Installing an IdM replica without a CA

This procedure describes installing an Identity Management (IdM) replica:

  • Without integrated DNS
  • Without a certificate authority (CA) by providing the required certificates manually. The assumption here is that the first server was installed without a CA.
Important

You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

Prerequisites

Procedure

  • Enter ipa-replica-install, and provide the required certificate files by adding these options:

    • --dirsrv-cert-file
    • --dirsrv-pin
    • --http-cert-file
    • --http-pin

    For details about the files that are provided using these options, see Section 4.1, “Certificates required to install an IdM server without a CA”.

    For example:

    # ipa-replica-install \
        --dirsrv-cert-file /tmp/server.crt \
        --dirsrv-cert-file /tmp/server.key \
        --dirsrv-pin secret \
        --http-cert-file /tmp/server.crt \
        --http-cert-file /tmp/server.key \
        --http-pin secret
    Note

    Do not add the --ca-cert-file option. The ipa-replica-install utility takes this part of the certificate information automatically from the first server you installed.

18.5. Installing an IdM hidden replica

A hidden (unadvertised) replica is an Identity Management (IdM) server that has all services running and available. However, it has no SRV records in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect these hidden replicas.

For further details about hidden replicas, see The hidden replica mode.

Prerequisites

Procedure

  • To install a hidden replica, use the following command:

    ipa-replica-install --hidden-replica

Note that the command installs a replica without DNS SRV records and with disabled LDAP server roles.

You can also change the mode of existing replica to hidden. For details, see Demotion and promotion of hidden replicas.

18.6. Testing an IdM replica

After creating a replica, check if the replica replicates data as expected. You can use the following procedure.

Procedure

  1. Create a user on the new replica:

    [admin@new_replica ~]$ ipa user-add test_user
  2. Make sure the user is visible on another replica:

    [admin@another_replica ~]$ ipa user-show test_user

18.7. Connections performed during an IdM replica installation

Table 18.1, “Requests performed during an IdM replica installation” lists the operations performed by ipa-replica-install, the Identity Management (IdM) replica installation tool.

Table 18.1. Requests performed during an IdM replica installation

OperationProtocol usedPurpose

DNS resolution against the DNS resolvers configured on the client system

DNS

To discover the IP addresses of IdM servers

Requests to ports 88 (TCP/TCP6 and UDP/UDP6) on the discovered IdM servers

Kerberos

To obtain a Kerberos ticket

JSON-RPC calls to the IdM Apache-based web-service on the discovered or configured IdM servers

HTTPS

IdM client enrollment; replica keys retrieval and certificate issuance if required

Requests over TCP/TCP6 to port 389 on the IdM server, using SASL GSSAPI authentication, plain LDAP, or both

LDAP

IdM client enrollment; CA certificate chain retrieval; LDAP data replication

Requests over TCP/TCP6 to port 22 on IdM server

SSH

To check if the connection is working

(optionally) Access over port 8443 (TCP/TCP6) on the IdM servers

HTTPS

To administer the Certificate Authority on the IdM server (only during IdM server and replica installation)