Identity Management (IdM) replica installation fails between Red Hat Enterprise Linux 6 and 7


Environment

  • Red Hat Enterprise Linux 6 IdM master
  • Red Hat Enterprise Linux 7 IdM replica
  • ipa-4.6.4-10.el7_6.2

Issue

  • IdM replica installation fails against Red Hat Enterprise Linux 6 IdM master.

Resolution

  • Please add the following cipher suites to the end of the NSSCipherSuite line in /etc/httpd/conf.d/nss.conf on the Red Hat Enterprise Linux 7 replica system:
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

Then please restart httpd:

# systemctl restart httpd
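As an added example (not a script from the Red Hat article), a POSIX shell helper that appends the two cipher suites from the Resolution to the NSSCipherSuite line only when they are not already exact elements of the list, so it can be re-run safely. It operates on a constructed sample file rather than the real /etc/httpd/conf.d/nss.conf; the file name and cipher list in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Re-enables the two ECDHE-RSA AES CBC SHA
# suites on the RHEL 7 replica so it can negotiate TLS with the RHEL 6 master.
CIPHERS="+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha"

# Write a constructed nss.conf fragment (not a real file) to a temp path and print the path.
make_sample_conf() {
  f=$(mktemp)
  printf '%s\n' \
    '# constructed sample, not a real nss.conf' \
    'NSSEngine on' \
    'NSSCipherSuite +aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256 ' \
    'NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2' > "$f"
  printf '%s\n' "$f"
}

# Print the value of the active NSSCipherSuite directive, trailing whitespace removed.
current_suite() {
  sed -n 's/^[[:space:]]*NSSCipherSuite[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed only if every name in $CIPHERS is an exact comma-separated element.
# Exact matching matters: ecdhe_rsa_aes_128_sha_256 contains ecdhe_rsa_aes_128_sha as a substring.
has_ciphers() {
  suite=$(current_suite "$1")
  for c in $(printf '%s' "$CIPHERS" | tr ',' ' '); do
    printf '%s' "$suite" | tr ',' '\n' | grep -qxF -- "$c" || return 1
  done
  return 0
}

# Append $CIPHERS to the end of the NSSCipherSuite line unless already present (idempotent).
add_ciphers() {
  conf="$1"
  has_ciphers "$conf" && return 0
  grep -q '^[[:space:]]*NSSCipherSuite[[:space:]]' "$conf" || return 1
  sed -i "s/^\([[:space:]]*NSSCipherSuite[[:space:]].*[^[:space:]]\)[[:space:]]*\$/\1,$CIPHERS/" "$conf"
  has_ciphers "$conf"
}
```

Run it against the real file with `add_ciphers /etc/httpd/conf.d/nss.conf` and then restart httpd as shown above.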

Root Cause

With the update of the pki-core package provided in Red Hat Enterprise Linux 7.6, certain ciphers that are not supported by hardware security modules (HSM) are no longer enabled by default in Certificate System. As a consequence, setting up Identity Management (IdM) on RHEL 7.6 as a replica with a master running on RHEL 6 fails with a "CRITICAL Failed to configure CA instance" error.

Diagnostic Steps

IdM replica installation fails with the following error:

...
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpxQv9bc' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR    CA configuration failed.
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
