Abstract
Goal: Install Identity Management servers, replicas, and clients on Red Hat Enterprise Linux 9.
Choose an installation method and the components to integrate, configure the system prerequisites, and install the first IdM server in an Identity Management plan.
Before you install an IdM server you should plan the topology components for the IdM infrastructure. The number of replicas, the configured services, and the installation method depend on the topology requirements and organization needs.
For example, you can choose to install IdM with integrated DNS and CA services or use an external provider. When you install DNS as an integrated service, you can manage DNS zones, reverse zones, and DNS records directly in IdM.
Some organizations might require that the target systems for the installation comply with the Federal Information Processing Standards or FIPS. When FIPS mode is enabled, clients are not required to enable FIPS to interact with IdM, but all replicas must have the same FIPS configuration. You can install the IdM server and configure it with trusts to integrate with Active Directory (AD) or you can choose to do that later in the deployment.
Taking these considerations into account during architecture planning helps you have a successful installation.
Integrating IdM with Active Directory is covered in a later chapter.
You must plan the size and distribution of your IdM topology before installing your first IdM server. Red Hat recommends installing multiple, replicated servers for performance, redundancy, and balanced data distribution.
IdM often stores information in cache, so RAM sizing is important. You can estimate your IdM server's minimum RAM requirements with the following suggestions:
An IdM server with 10,000 users and 100 groups requires a minimum of 4 GB RAM and 4 GB of swap space.
A server with more than 100,000 users and 50,000 groups requires a minimum of 16 GB RAM and 4 GB of swap space.
The size of a user or host entry with a configured certificate for Kerberos authentication is about 10 KB. For large deployments, consider increasing the available memory because much of the data is stored in the cache.
Always install an IdM server on a clean system without any existing Apache, Directory Server, DNS, or Kerberos services.
When you first install a new IdM server, the installer backs up the system files that it is about to overwrite.
This backup is stored in the /var/lib/ipa/sysrestore/ directory.
These files are restored when you uninstall IdM from the host.
The Name Service Cache Daemon (NSCD) used in earlier identity management solutions is replaced by SSSD in IdM. IdM uses SSSD to perform caching, and having both services available simultaneously might cause unforeseen problems. These two daemons are mutually exclusive; ensure that NSCD is disabled before performing the installation.
IdM requires that IPv6 is enabled at the kernel level. You do not have to use IPv6 addresses or have IPv6 enabled on the network. IPv6 is enabled by default on Red Hat Enterprise Linux 9. When IPv6 protocol support is fully disabled at the kernel level, IdM cannot operate certain important plug-ins in its LDAP server. These plug-ins are required for interoperability with Active Directory.
Your IdM host must have a valid DNS client configuration. The DNS server must resolve the IdM server's fully qualified domain name (FQDN) and its reverse resolution, because most IdM domain functions depend on DNS records, including LDAP directory services, Kerberos, and Active Directory integration.
After it is configured, your DNS domain and Kerberos domain name cannot be changed.
Consider also whether you are going to enable Federal Information Processing Standard (FIPS) mode on the IdM server. If FIPS is enabled, the installer configures IdM to use only cipher suites that are compliant with FIPS 140-3. For an IdM ecosystem to be FIPS-compliant, all the IdM replicas must have FIPS mode enabled. When FIPS mode is enabled, clients are not required to enable FIPS to interact with IdM; however, Red Hat recommends that you enable FIPS on the clients, especially if these clients might later be promoted to replicas.
Ensure that the host server name is a fully qualified domain name (FQDN).
To verify your server's hostname, use the hostname command:
[user@idm ~]$ hostname
idm.example.com
The hostname command output must not be localhost or localhost6.
If it is, use the hostnamectl set-hostname NEW_FQDN_NAME command to set the FQDN for the host.
Furthermore, the FQDN must not resolve to the loopback IP address (127.0.0.1), but to the address that other hosts use to reach the server.
Verify the server's IP address by running the ip addr show command.
Verify the forward and reverse DNS configuration:
[user@idm ~]$ dig idm.example.com
...output omitted...
;; ANSWER SECTION:
idm.example.com.        3600    IN      A       172.20.150.8
...output omitted...
[user@idm ~]$ dig -x 172.20.150.8
...output omitted...
;; ANSWER SECTION:
8.150.20.172.in-addr.arpa. 3600 IN      PTR     idm.example.com.
...output omitted...
Be cautious when making manual modifications to the /etc/hosts file.
Verify that the IdM server hostname is not part of the localhost entry (the 127.0.0.1 or ::1 line); if it is, the installer resolves the hostname to the loopback address and fails.
IdM uses a range of ports for communication with its services. Ports marked open must be reachable by clients and replicas through the firewall; ports marked closed are used only locally by the server and must not be exposed.
| Service | Protocol | Port | State |
|---|---|---|---|
| HTTP (web UI, API, CA) | TCP | 80 | open |
| HTTPS (web UI, API, CA) | TCP | 443 | open |
| LDAP | TCP | 389 | open |
| LDAPS | TCP | 636 | open |
| Kerberos | TCP | 88 | open |
| Kerberos password change (kpasswd) | TCP | 464 | open |
| DNS (integrated DNS only) | TCP | 53 | open |
| Kerberos | UDP | 88 | open |
| Kerberos password change (kpasswd) | UDP | 464 | open |
| DNS (integrated DNS only) | UDP | 53 | open |
| NTP (only if the server provides time to clients) | UDP | 123 | open |
| Dogtag CA (pki-tomcat) | TCP | 8080 | closed |
| Dogtag CA (pki-tomcat) | TCP | 8443 | closed |
| Kerberos kadmin | TCP | 749 | closed |
All the ports required by an IdM server are present in the firewalld service definitions.
To open those ports, use the firewall-cmd command with the --add-service option: freeipa-ldap for IdM with LDAP, freeipa-ldaps for IdM with LDAPS, or both. These two definitions do not cover DNS or NTP; if you install the integrated DNS server, also add the dns service.
Changes made with firewall-cmd apply to the runtime configuration only and are lost on the next reload or reboot. The firewall-cmd --runtime-to-permanent command saves the active runtime configuration as the permanent rules, overwriting the previous permanent configuration.
[root@idm ~]# firewall-cmd --add-service=freeipa-ldap
success
[root@idm ~]# firewall-cmd --add-service=freeipa-ldaps
success
[root@idm ~]# firewall-cmd --runtime-to-permanent
success
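A pre-flight script that automates the host checks described above (FQDN hostname, forward and reverse resolution, no loopback address, IPv6 enabled in the kernel, NSCD stopped, no existing listener on the IdM ports) plus the root umask of 0022 that the installation section later in this chapter requires. This is an added example and not part of the course material; the script name, the FAIL/INFO messages and the selection of checks are assumptions. The helper functions take their input as arguments or on stdin so they can be exercised without a live host; the live checks run only when the script is started with --run.

```sh
#!/bin/sh
# idm-preflight.sh: check a host against the IdM server prerequisites
# before running ipa-server-install. Added example, not course material.
# Assumes a RHEL 9 host with hostname, getent, systemctl, ss, dig and
# /proc/sys available. Usage as root: ./idm-preflight.sh --run

# is_fqdn NAME: succeed if NAME has at least one dot, no trailing dot,
# and is not one of the localhost aliases the installer rejects.
is_fqdn() {
    case "$1" in
        ''|*.|localhost|localhost6|localhost.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_loopback ADDR: succeed if ADDR is in 127.0.0.0/8 or is ::1.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# busy_ports: read `ss -Hltn` output on stdin and print every listening
# TCP port that IdM needs for itself; a clean host prints nothing.
busy_ports() {
    awk '{ n = split($4, a, ":"); p = a[n]
           if (p ~ /^(80|443|389|636|88|464|53)$/) print p }' | sort -un
}

# ptr_matches IP NAME: succeed if the reverse lookup of IP yields NAME.
ptr_matches() {
    [ "$(getent hosts "$1" | awk 'NR == 1 { print $2 }')" = "$2" ]
}

# run_preflight: the live checks; prints one FAIL line per problem and
# returns non-zero if any check failed.
run_preflight() {
    rc=0
    host=$(hostname)
    if ! is_fqdn "$host"; then
        echo "FAIL: hostname '$host' is not an FQDN (use hostnamectl set-hostname)"
        rc=1
    fi
    # The name must resolve to a non-loopback address, and that address
    # must resolve back to the same name.
    ip=$(getent ahostsv4 "$host" | awk 'NR == 1 { print $1 }')
    if [ -z "$ip" ] || is_loopback "$ip"; then
        echo "FAIL: '$host' resolves to '${ip:-nothing}'; check DNS and /etc/hosts"
        rc=1
    elif ! ptr_matches "$ip" "$host"; then
        echo "FAIL: reverse lookup of $ip does not return '$host'"
        rc=1
    fi
    # IPv6 must stay enabled in the kernel for the LDAP plug-ins.
    if [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null)" != 0 ]; then
        echo "FAIL: IPv6 is disabled in the kernel"
        rc=1
    fi
    # IdM caches through SSSD; NSCD must not run alongside it.
    if systemctl is-active --quiet nscd 2>/dev/null; then
        echo "FAIL: nscd is running; stop and disable it"
        rc=1
    fi
    # The installer requires root's umask to be 0022.
    if [ "$(umask)" != 0022 ]; then
        echo "FAIL: umask is $(umask); run 'umask 0022' before installing"
        rc=1
    fi
    # No pre-existing web, LDAP, Kerberos or DNS listener on the host.
    busy=$(ss -Hltn | busy_ports | tr '\n' ' ')
    if [ -n "$busy" ]; then
        echo "FAIL: ports already in use: $busy"
        rc=1
    fi
    # The installer looks for this SRV record to configure chronyd.
    domain=${host#*.}
    if [ -z "$(dig +short -t SRV "_ntp._udp.$domain" 2>/dev/null)" ]; then
        echo "INFO: no _ntp._udp.$domain SRV record; chronyd keeps its default config"
    fi
    return $rc
}

# Only run the live checks when asked; sourcing the file just defines helpers.
case "${1:-}" in
    --run) run_preflight ;;
esac
```

The port check deliberately looks only at listeners, so a stopped but still installed httpd or named does not trigger it; remove such packages anyway, because the installer overwrites their configuration.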
The installation of DNS and CA services can be integrated or external. You can have integrated DNS and external CA and vice versa. The NTP service, however, must be provided externally.
A functional DNS configuration is required for nearly all Identity Management domain functions. IdM can manage its own DNS or use an existing DNS server. When using an integrated DNS server, most of the DNS record maintenance is automated. You can configure global forwarders during the installation of the IdM server so that names outside the IdM domain are resolved through a stable external DNS service. Global forwarders are also useful for trusts with Active Directory.
During installation, when you choose an integrated DNS, IdM can either prompt for the required information, or you can pass the DNS information to the installer for automatic or unattended setup.
Some DNS limitations need to be considered before starting the IdM installation. The integrated DNS server provided by IdM is not designed to be used as a general purpose DNS server. Its main function is to support IdM deployment and maintenance. It does not support advanced DNS features.
Red Hat recommends using the integrated DNS for basic usage within the IdM deployment. An IdM deployment with integrated DNS enables the automation of some DNS record management using native IdM tools.
Kerberos, the mechanism for authentication in IdM, relies on time stamps; the client and server clocks must be synchronized within a certain margin. If the system time of an IdM client differs from the system time of the Key Distribution Center (KDC) by more than five minutes, then Kerberos authentication fails. Certificate, ticket, and password expiration, and account lockouts also rely on time and date synchronization to function.
To keep time synchronized centrally between IdM servers and clients, IdM relies on the chronyd Network Time Protocol (NTP) software.
NTP is used to synchronize clocks over the network.
A central server acts as an authoritative clock, and all clients that reference that NTP server synchronize their time to match.
The IdM installer searches for _ntp._udp DNS service (SRV) records that point to the NTP server in your network and configures the chrony service by using that address.
If you do not have an _ntp._udp SRV record configured, then the chronyd service uses its default configuration.
Use the dig command to verify that you have the correct DNS configuration.
[user@idm ~]$ dig +short -t SRV _ntp._udp.example.com
0 100 123 ntpserver.example.com.
If this search does not return a record, then add an _ntp._udp SRV record to your DNS zone that points to your NTP time server and port 123, which is the NTP default.
The integrated IdM certificate authority (CA) can be used to create all required certificates and keytabs used by users or hosts in a domain.
By default, most of the IdM servers are installed with the integrated certificate system governed by the integrated IdM certificate authority (CA). Within the IdM domain the CA uses a signing certificate to create and sign all hosts and user certificates. On the IdM host, server certificates are required for the IdM internal domain services to work properly. For example, the LDAP server and Apache server (for the Identity Management web UI) require server certificates for establishing secure connections with each other.
Before the IdM CA can issue certificates, its own CA certificate must be signed. There are two ways to sign it:
Self-signed: the default Identity Management configuration uses the integrated IdM CA to sign its own CA certificate.
No additional parameters or configuration steps are required when you run the ipa-server-install command.
This type of configuration means that there is no higher CA instance; clients and other systems must trust the IdM CA certificate directly.
Externally signed: the initial domain CA certificate is issued by a different, possibly externally hosted CA. In this type of configuration, the external CA is the root CA for your domain, and the internal IdM CA is subordinate to that external root CA. Using an external CA requires two additional steps: the first ipa-server-install --external-ca run stops after writing a certificate signing request to /root/ipa.csr, which you submit to the external CA; you then run ipa-server-install again with --external-cert-file to load the issued CA certificate together with the external CA's certificate chain, and the installation continues.
You can configure the installation of IdM without a CA. If you do not use a CA, you have to manually create, renew, and upload certificates used in the IdM domain.
Defining the CA requirements is crucial before the beginning of the installation process. IdM does not support changing the CA configuration after creating the domain.
The ipa-server package provides the required utilities for an IdM installation.
Optionally, you can install the ipa-server-dns package to manage domain names in the topology.
The IdM server installation process has some system-level requirements: the installer requires that the umask (file mode creation mask) of the root user running it is 0022, because the files it creates must be readable by the IdM service accounts.
You can set it temporarily with umask 0022 and restore the original value when the installation is complete.
If fapolicyd is enabled, ensure that its rules do not block Java and the Java classes that the certificate system uses.
You can use the ipa-server-install command to install the IdM server.
You can provide the options to customize the installation either with the interactive or unattended installation.
The following is a list of the most common options to customize the installation:
To specify the hostname and IP address of the IdM server, use --hostname and --ip-address options, respectively.
To set the password for the IdM admin user, use the --admin-password option.
To specify an unattended installation, use the --unattended option.
To specify the Kerberos realm, use the --realm option.
Options for internal DNS configuration:
To enable the integrated DNS server, use the --setup-dns option.
To disable reverse zones, use the --no-reverse option.
Options for NTP and CA configuration:
To configure the NTP server, use the --ntp-server option.
To configure external certificates, use the --external-ca, --external-ca-type, --external-ca-profile, and --external-cert-file options.
To configure internal certificates, use the --subject-base, --ca-subject, and --ca-signing-algorithm options.
Before you begin the IdM server installation, install the ipa-server and ipa-server-dns packages.
The ipa-server package installs dependencies such as krb5-server, 389-ds-base, and IdM command-line tools and web console.
[root@host ~]# dnf install ipa-server ipa-server-dns
...output omitted...
Complete!
The ipa-server-install command creates and configures new IdM instances.
By default, it prompts for options but you can also use command-line arguments.
The interactive installation prompts you for IdM configuration information.
[root@host ~]# ipa-server-install
...output omitted...
Server host name [host.lab.example.com]: host.lab.example.com
Warning: skipping DNS resolution of host host.lab.example.com
The domain name has been determined based on the host name.

Please confirm the domain name [lab.example.com]: lab.example.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [LAB.EXAMPLE.COM]: LAB.EXAMPLE.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: RedHat123^
Password (confirm): RedHat123^

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: RedHat123^
Password (confirm): RedHat123^
...output omitted...
The IPA Master Server will be configured with:
Hostname:       host.lab.example.com
IP address(es): 172.25.250.8
Domain name:    lab.example.com
Realm name:     LAB.EXAMPLE.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=LAB.EXAMPLE.COM
Subject base: O=LAB.EXAMPLE.COM
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       172.25.250.254, 8.8.8.8
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]: yes
...output omitted...
The installation process takes a few minutes to complete.
The ipa-server-install command creates the /var/log/ipaserver-install.log file, which you can review if the installation fails.
An unattended installation is suited to scripting and automation.
Use the --unattended option and include the desired options for the IdM instance.
[root@host ~]# ipa-server-install --realm LAB.EXAMPLE.COM \
--ds-password RedHat123^ \
--admin-password RedHat123^ --ntp-server 172.25.254.254 \
--unattended
...output omitted...
Passwords passed on the command line are recorded in the shell history and are visible in the process list while the installer runs; in scripts, read them from a root-only file rather than writing them into the script.
After the installation is complete, validate the Kerberos, DNS, and NTP services, and also verify that you can log in successfully to the Identity Management web UI.
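A scripted version of the unattended installation above with integrated DNS, followed by the post-install checks the text asks for. This is an added example and not part of the course material: the secrets file path, the variable names, the --run and --verify flags and the forwarder address are assumptions. The passwords are read from a root-only file, which keeps them out of the script and the shell history (the installer still receives them as arguments during the run), and the two checks the installer itself would fail on, the password length and the realm derivation, are done before anything is touched.

```sh
#!/bin/sh
# idm-install.sh: unattended ipa-server-install with integrated DNS and
# post-install verification. Added example, not course material.
# Must run as root on the target host: ./idm-install.sh --run
set -eu

DOMAIN=lab.example.com
HOST_FQDN=host.lab.example.com
NTP_SERVER=172.25.254.254
FORWARDER=172.25.250.254          # assumed upstream resolver
# Root-only file with two lines: ds_password=... and admin_password=...
SECRETS=/root/idm-secrets         # assumed path

# realm_from_domain DOMAIN: the Kerberos realm is the DNS domain in upper case.
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# password_ok PW: the installer refuses passwords shorter than 8 characters;
# catching that here avoids a half-configured host.
password_ok() {
    [ "${#1}" -ge 8 ]
}

# secret KEY FILE: print the value of KEY=value from FILE, which must be
# owned by the caller and mode 0600 so nobody else can read the passwords.
secret() {
    [ -O "$2" ] && [ "$(stat -c %a "$2")" = 600 ] || {
        echo "$2 must be owned by the caller with mode 0600" >&2; return 1; }
    sed -n "s/^$1=//p" "$2"
}

install_idm() {
    ds_pw=$(secret ds_password "$SECRETS")
    admin_pw=$(secret admin_password "$SECRETS")
    password_ok "$ds_pw" && password_ok "$admin_pw" || {
        echo "passwords must be at least 8 characters" >&2; return 1; }
    ipa-server-install --unattended \
        --hostname "$HOST_FQDN" --domain "$DOMAIN" \
        --realm "$(realm_from_domain "$DOMAIN")" \
        --ds-password "$ds_pw" --admin-password "$admin_pw" \
        --setup-dns --forwarder "$FORWARDER" --no-reverse \
        --ntp-server "$NTP_SERVER"
}

# verify_install: Kerberos login, CA role, DNS SRV records, time sync, web UI.
verify_install() {
    realm=$(realm_from_domain "$DOMAIN")
    secret admin_password "$SECRETS" | kinit "admin@$realm"
    klist
    ipa server-role-find --role 'CA server'
    for rec in _kerberos._udp _ldap._tcp; do
        dig +short -t SRV "$rec.$DOMAIN"
    done
    chronyc tracking
    curl -fsS -o /dev/null "https://$HOST_FQDN/ipa/ui/" && echo "web UI reachable"
}

case "${1:-}" in
    --run)    install_idm && verify_install ;;
    --verify) verify_install ;;
esac
```

If the installation fails, /var/log/ipaserver-install.log is the place to look; rerun the script with --verify after a successful install on a later login to repeat only the checks.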
Both interactive and unattended installations create an instance of an IdM domain and configure all the required services and policies:
LDAP Directory Server instance
Kerberos Key Distribution Center (KDC)
Active Directory WinSync plug-in
Certificate Authority (CA) - optional
HTTP web server
SELinux targeted policy
Domain Name Service (DNS) - optional
Depending on your needs for the IdM domain, the setup process can be minimal or granular, by providing configuration of the IdM services as command-line arguments to the ipa-server-install command.
Before you uninstall an IdM server, ensure that other servers are running critical services and that the topology continues to be redundant after you remove the server.
Red Hat recommends reviewing the distribution of roles and services to ensure that uninstalling the server does not affect the topology.
To verify which servers are running certain services, use the ipa server-role-find command.
The IdM server roles are covered in a later chapter.
[user@host ~]$ kinit
Password for root@LAB.EXAMPLE.COM: PASSWORD
[user@host ~]$ ipa server-role-find --role 'DNS server'
---------------------
2 server roles matched
---------------------
  Server name: idm.lab.example.com
  Role name: DNS server
  Role status: enabled

  Server name: idm2.lab.example.com
  Role name: DNS server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
Verify that the server is not the only CA server:
[user@host ~]$ ipa server-role-find --role 'CA server'
---------------------
2 server roles matched
---------------------
  Server name: idm.lab.example.com
  Role name: CA server
  Role status: enabled

  Server name: idm2.lab.example.com
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
For vault-enabled IdM environments, verify that the server is not a Key Recovery Authority (KRA) server or that it is not the only KRA server in the topology.
[user@host ~]$ ipa server-role-find --role 'KRA server'
---------------------
2 server roles matched
---------------------
  Server name: idm.lab.example.com
  Role name: KRA server
  Role status: enabled

  Server name: idm2.lab.example.com
  Role name: KRA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
Review the CA renewal servers and the certificate revocation list (CRL) servers.
[user@host ~]$ ipa config-show | grep 'CA renewal'
  IPA CA renewal master: idm.example.com
[user@host ~]$ ipa-crlgen-manage status
CRL generation: disabled
To uninstall the server, use the ipa server-del command from a different client.
[user@host ~]$ ipa server-del idm.example.com
...output omitted...
Then, on the target machine, use the ipa-server-install --uninstall command.
[root@host ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes
Updating DNS system records
Invalid IP address fe80::5054:ff:fe00:fa08 for host.lab.example.com.: cannot use link-local IP address fe80::5054:ff:fe00:fa08
Forcing removal of host.lab.example.com
----------------------------------------
Deleted IPA server "host.lab.example.com"
----------------------------------------
...output omitted...
The ipa-client-install command was successful
The ipa-server-install command was successful
Remove all name server (NS) DNS records that point to the IdM server from all your DNS zones.
Optionally, if a replication topology is present, remove the topology segment that joins the server, and then delete the server.
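A guard script that performs the pre-removal review above automatically: it parses the ipa server-role-find output for the CA, DNS and KRA roles, refuses if the target server is the last enabled holder of any of them, and refuses if the target is still the CA renewal master. This is an added example and not part of the course material; the script name, the role list, the --check flag and the constructed sample output are assumptions. Run it from another enrolled client with a valid admin ticket before ipa server-del; the CRL generation check (ipa-crlgen-manage status) still has to be done on the target itself.

```sh
#!/bin/sh
# idm-server-del-guard.sh: refuse to remove an IdM server that is the last
# enabled holder of a critical role or the CA renewal master. Added
# example, not course material. Usage: ./idm-server-del-guard.sh --check FQDN

# enabled_servers: read `ipa server-role-find` output on stdin and
# print the name of every server whose role status is enabled.
enabled_servers() {
    awk -F': *' '/^ *Server name:/ { s = $2 }
                 /^ *Role status: *enabled/ { print s }'
}

# last_holder TARGET: read role-find output on stdin; succeed when
# TARGET holds the role and no other server does, i.e. removing TARGET
# would leave the topology without that role.
last_holder() {
    _list=$(enabled_servers)
    printf '%s\n' "$_list" | grep -qx "$1" || return 1
    ! printf '%s\n' "$_list" | grep -vqx "$1"
}

# Constructed sample output in the format shown above, for a dry run
# without a live topology (not captured from a real server).
SAMPLE_TWO='  Server name: idm.lab.example.com
  Role name: CA server
  Role status: enabled

  Server name: idm2.lab.example.com
  Role name: CA server
  Role status: enabled'
SAMPLE_ONE='  Server name: idm.lab.example.com
  Role name: KRA server
  Role status: enabled'

# guard TARGET: query the live topology; return non-zero if TARGET
# must not be removed yet, with one reason per line on stderr.
guard() {
    target=$1; rc=0
    for role in 'CA server' 'DNS server' 'KRA server'; do
        if ipa server-role-find --role "$role" | last_holder "$target"; then
            echo "refusing: $target is the only enabled '$role'" >&2
            rc=1
        fi
    done
    renewal=$(ipa config-show | sed -n 's/^ *IPA CA renewal master: *//p')
    if [ "$renewal" = "$target" ]; then
        echo "refusing: $target is the CA renewal master; move it first with" \
             "'ipa config-mod --ca-renewal-master-server OTHER_SERVER'" >&2
        rc=1
    fi
    return $rc
}

case "${1:-}" in
    --check) guard "$2" && echo "ok to run: ipa server-del $2" ;;
    --demo)  printf '%s\n' "$SAMPLE_ONE" | last_holder idm.lab.example.com \
                 && echo "demo: idm.lab.example.com is the last KRA server" ;;
esac
```

Only the enabled status is counted; a hidden replica still serves the role but is not advertised to clients, so decide separately whether a hidden server should count as a valid successor.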
Further information is available in the Installing Identity Management chapter in the Red Hat Enterprise Linux 9 product documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/installing_identity_management/