Chapter 4. Installing an IdM server: With integrated DNS, without a CA

Installing a new Identity Management (IdM) server with integrated DNS has the following advantages:

  • You can automate much of the maintenance and DNS record management using native IdM tools. For example, DNS SRV records are automatically created during the setup, and later on are automatically updated.
  • You can have a stable connection with the rest of the Internet by setting up global forwarders during the installation of the IdM server. Global forwarders are also useful for trusts with Active Directory.
  • You can set up a DNS reverse zone to prevent emails from your domain to be considered spam by email servers outside of the IdM domain.

Installing IdM with integrated DNS has certain limitations:

  • IdM DNS is not meant to be used as a general-purpose DNS server. Some of the advanced DNS functions are not supported.

This chapter describes how you can install a new IdM server without a certificate authority (CA).

4.1. Certificates required to install an IdM server without a CA

This section lists:

  • the certificates required to install an Identity Management (IdM) server without a certificate authority (CA)
  • the command-line options used to provide these certificates to the ipa-server-install utility
Important

You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

The LDAP server certificate and private key
  • --dirsrv-cert-file for the certificate and private key files for the LDAP server certificate
  • --dirsrv-pin for the password to access the private key in the files specified in --dirsrv-cert-file
The Apache server certificate and private key
  • --http-cert-file for the certificate and private key files for the Apache server certificate
  • --http-pin for the password to access the private key in the files specified in --http-cert-file
The full CA certificate chain of the CA that issued the LDAP and Apache server certificates
  • --dirsrv-cert-file and --http-cert-file for the certificate files with the full CA certificate chain or a part of it

You can provide the files specified in the --dirsrv-cert-file and --http-cert-file options in the following formats:

  • Privacy-Enhanced Mail (PEM) encoded certificate (RFC 7468). Note that the Identity Management installer accepts concatenated PEM-encoded objects.
  • Distinguished Encoding Rules (DER)
  • PKCS #7 certificate chain objects
  • PKCS #8 private key objects
  • PKCS #12 archives

You can specify the --dirsrv-cert-file and --http-cert-file options multiple times to specify multiple files.

The certificate files to complete the full CA certificate chain (not needed in some environments)
  • --ca-cert-file for the file or files containing the CA certificate of the CA that issued the LDAP, Apache Server, and Kerberos KDC certificates. Use this option if the CA certificate is not present in the certificate files provided by the other options.

The files provided using --dirsrv-cert-file and --http-cert-file combined with the file provided using --ca-cert-file must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

The Kerberos key distribution center (KDC) PKINIT certificate and private key (optional)
  • --pkinit-cert-file for the Kerberos KDC SSL certificate and private key
  • --pkinit-pin for the password to access the Kerberos KDC private key in the files specified in --pkinit-cert-file
  • --no-pkinit for disabling pkinit setup steps

If you do not provide the PKINIT certificate, ipa-server-install configures the IdM server with a local KDC with a self-signed certificate.

Additional resources

  • For details on what the certificate file formats these options accept, see the ipa-server-install(1) man page.

4.2. Interactive installation

During the interactive installation using the ipa-server-install utility, you are asked to supply basic configuration of the system, for example the realm, the administrator’s password and the Directory Manager’s password.

The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.

Procedure

  1. Run the ipa-server-install utility and provide all the required certificates. For example:

    [root@server ~]# ipa-server-install \
        --http-cert-file /tmp/server.crt \
        --http-cert-file /tmp/server.key \
        --http-pin secret \
        --dirsrv-cert-file /tmp/server.crt \
        --dirsrv-cert-file /tmp/server.key \
        --dirsrv-pin secret \
        --ca-cert-file ca.crt

    See Section 4.1, “Certificates required to install an IdM server without a CA” for details on the provided certificates.

  2. The script prompts to configure an integrated DNS service. Enter yes or no. In this procedure, we are installing a server with integrated DNS.

    Do you want to configure integrated DNS (BIND)? [no]: yes
    Note

    If you want to install a server without integrated DNS, the installation script will not prompt you for DNS configuration as described in the steps below. See Chapter 5, Installing an IdM server: Without integrated DNS, with an integrated CA as the root CA for details on the steps for installing a server without DNS.

  3. The script prompts for several required settings and offers recommended default values in brackets.

    • To accept a default value, press Enter.
    • To provide a custom value, enter the required value.

      Server host name [server.example.com]:
      Please confirm the domain name [example.com]:
      Please provide a realm name [EXAMPLE.COM]:
      Warning

      Plan these names carefully. You will not be able to change them after the installation is complete.

  4. Enter the passwords for the Directory Server superuser (cn=Directory Manager) and for the Identity Management (IdM) administration system user account (admin).

    Directory Manager password:
    IPA admin password:
  5. The script prompts for DNS forwarders.

    Do you want to configure DNS forwarders? [yes]:
    • To configure DNS forwarders, enter yes, and then follow the instructions on the command line. The installation process will add the forwarder IP addresses to the /etc/named.conf file on the installed IdM server.

      • For the forwarding policy default settings, see the --forward-policy description in the ipa-dns-install(1) man page.
    • If you do not want to use DNS forwarding, enter no.

      With no DNS forwarders, your environment will be isolated, and names from other DNS domains in your infrastructure will not be resolved.

  6. The script prompts to check if any DNS reverse (PTR) records for the IP addresses associated with the server need to be configured.

    Do you want to search for missing reverse zones? [yes]:

    If you run the search and missing reverse zones are discovered, the script asks you whether to create the reverse zones along with the PTR records.

    Do you want to create reverse zone for IP 192.0.2.1 [yes]:
    Please specify the reverse zone name [2.0.192.in-addr.arpa.]:
    Using reverse zone(s) 2.0.192.in-addr.arpa.
    Note

    Using IdM to manage reverse zones is optional. You can use an external DNS service for this purpose instead.

  7. Enter yes to confirm the server configuration.

    Continue to configure the system with these values? [no]: yes
  8. The installation script now configures the server. Wait for the operation to complete.
  9. After the installation script completes, add DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is ipa.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after an IdM DNS server is installed.