Chapter 19. Preparing the system for an IdM replica installation

The following links list the requirements to install an Identity Management (IdM) replica. Before the installation, make sure your system meets these requirements.

  1. Ensure the target system meets the general requirements for IdM server installation.
  2. Ensure the target system meets the additional, version requirements for IdM replica installation.
  3. [Optional] If you are adding a RHEL 9 Identity Management (IdM) replica on which FIPS mode is enabled to a RHEL 8 IdM deployment in FIPS mode, ensure that the replica has the correct encryption types enabled.

  4. Authorize the target system for enrollment into the IdM domain. For more information, see one of the following sections that best fits your needs:

Additional resources

19.1. Replica version requirements

An IdM replica must be running the same or later version of IdM as other servers. For example:

  • You have an IdM server installed on Red Hat Enterprise Linux 9 and it uses IdM 4.x packages.
  • You must install the replica also on Red Hat Enterprise Linux 9 and use IdM version 4.x or later.

This ensures that configuration can be properly copied from the server to the replica.

For details on how to display the IdM software version, see Methods for displaying IdM software version.

19.2. Methods for displaying IdM software version

You can display the IdM version number with:

  • the IdM WebUI
  • ipa commands
  • rpm commands

 

Displaying version through the WebUI

In the IdM WebUI, the software version can be displayed by choosing About from the username menu at the upper-right.

Checking IdM Software Version
Displaying version with ipa commands

From the command line, use the ipa --version command. 

[root@server ~]# ipa --version
VERSION: 4.8.0, API_VERSION: 2.233
Displaying version with rpm commands

If IdM services are not operating properly, you can use the rpm utility to determine the version number of the ipa-server package that is currently installed. 

[root@server ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64

19.3. Ensuring FIPS compliance for a RHEL 9 replica joining a RHEL 8 IdM environment

If RHEL Identity Management (IdM) was originally installed on a RHEL 8.6 or earlier system, then the AES HMAC-SHA1 encryption types it uses are not supported by RHEL 9 in FIPS mode by default. To add a RHEL 9 replica in FIPS mode to the deployment, you must enable these encryption keys on the RHEL 9 system by setting the cryptographic policy to FIPS:AD-SUPPORT.

By setting the cryptographic policy to FIPS:AD-SUPPORT, you add support for the following encryption types:

  • aes256-cts:normal
  • aes256-cts:special
  • aes128-cts:normal
  • aes128-cts:special

Prerequisites

  • You have enabled FIPS mode on your RHEL 9 system.
  • You want to configure the RHEL 9 system as an IdM replica for your RHEL 8 IdM environment in FIPS mode.

  • The encryption type of your IdM master key is not aes256-cts-hmac-sha384-192. For more information, view the encryption type of your IdM master key.

    Note

    Microsoft’s Active Directory implementation does not yet support any of the RFC8009 Kerberos encryption types that use SHA-2 HMAC. If you have an IdM-AD trust configured, FIPS:AD-SUPPORT crypto subpolicy use is therefore required even if the encryption type of your IdM master key is aes256-cts-hmac-sha384-192.

Procedure

  • On the RHEL 9 system, enable the use of the AES HMAC-SHA1 encryption types: 

    # update-crypto-policies --set FIPS:AD-SUPPORT

19.4. Authorizing the installation of a replica on an IdM client

When installing a replica on an existing Identity Management (IdM) client by running the ipa-replica-install utility, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:

  • You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
  • You want to automate your replica installation.
Method 1: the ipaservers host group

  1. Log in to any IdM host as IdM admin: 

    $ kinit admin

  2. Add the client machine to the ipaservers host group: 

    $ ipa hostgroup-add-member ipaservers --hosts client.idm.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.idm.example.com, client.idm.example.com
-------------------------
Number of members added 1
-------------------------
Note

Membership in the ipaservers group grants the machine elevated privileges similar to the administrator’s credentials. Therefore, in the next step, the ipa-replica-install utility can be run on the host successfully by a junior system administrator.

Method 2: a privileged user’s credentials

Choose one of the following methods to authorize the replica installation by providing a privileged user’s credentials:

  • Let Identity Management (IdM) prompt you for the credentials interactively after you start the ipa-replica-install utility. This is the default behavior.

  • Log in to the client as a privileged user immediately before running the ipa-replica-install utility. The default privileged user is admin: 

    $ kinit admin

Additional resources

19.5. Authorizing the installation of a replica on a system that is not enrolled into IdM

When installing a replica on a system that is not enrolled in the Identity Management (IdM) domain, the ipa-replica-install utility first enrolls the system as a client and then installs the replica components. For this scenario, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:

  • You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
  • You want to automate your replica installation.
Method 1: a random password generated on an IdM server

Enter the following commands on any server in the domain:

  1. Log in as the administrator. 

    $ kinit admin

  2. Add the external system as an IdM host. Use the --random option with the ipa host-add command to generate a random one-time password to be used for the subsequent replica installation. 

    $ ipa host-add replica.example.com --random
--------------------------------------------------
Added host "replica.example.com"
--------------------------------------------------
  Host name: replica.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.example.com

    The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.

  3. Add the system to the ipaservers host group. 

    $ ipa hostgroup-add-member ipaservers --hosts replica.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, replica.example.com
-------------------------
Number of members added 1
-------------------------
Note

Membership in the ipaservers group grants the machine elevated privileges similar to the administrator’s credentials. Therefore, in the next step, the ipa-replica-install utility can be run on the host successfully by a junior system administrator that provides the generated random password.

Method 2: a privileged user’s credentials

Using this method, you authorize the replica installation by providing a privileged user’s credentials. The default privileged user is admin.

No action is required prior to running the IdM replica installation utility. Add the principal name and password options (--principal admin --admin-password password) to the ipa-replica-install command directly during the installation.

Additional resources