Installing an Identity Management Replica

Objectives

  • Choose an installation method, configure the system prerequisites, and install an IdM replica server.

Planning a Replica Installation

After installing the first IdM server, you can install replicas to increase the size of the IdM infrastructure. These replicas clone the configuration of the existing IdM servers and provide IdM services to clients.

Replica Installation Considerations

You can install a replica on a machine that is not part of the IdM domain. The replica installation process configures the machine as an IdM client first and then configures it as a replica server.

You can also configure an existing IdM client to be a replica. You must first grant privileges to the client before it can be configured as a replica. You can grant privileges to the client by providing the credentials of a privileged user or by adding the client to the ipaservers group.

Whichever method you choose, replica installation or configuring an existing client, the replica machine is always configured as a client first and then as a replica.

In an IdM infrastructure that has FIPS mode enabled, clients are not required to enable FIPS mode to interact with the IdM services. To configure a client as a replica in a FIPS-enabled infrastructure, however, you must ensure that the client has FIPS mode enabled. In this scenario, Red Hat recommends enabling FIPS mode right after the client OS installation. This avoids a situation where non-FIPS-compliant cryptography is already in use on the system.

Similarly, a FIPS-enabled client cannot be configured as a replica in a non-FIPS IdM infrastructure.

You can use server roles to configure a replica to host specific services. Depending on the service, the replica might only run the service by taking it over from another server. For this reason, you must ensure that during installation the replica mirrors the configuration of existing services. For example, if you configure a replica to host the CA service, then the CA configuration of the replica must mirror the CA configuration of the IdM server. The replica cannot have an external CA configured if the IdM server has an integrated CA service, and vice versa.

You can view the enabled roles in a replica server by using the ipa server-show command.

Prerequisites for a Replica Installation

The installation requirements for replicas are the same as for IdM servers. For more information about IdM server installation requirements, refer to the “Installing an Identity Management Server” section.

A replica system must use the same or a later IdM package version as the original server, to enable the replica to communicate and replicate with it.

Interactive Installation of a Replica

You can choose between interactive, non-interactive, and Ansible role methods to install a replica. Red Hat recommends using Ansible roles to install replicas. By using Ansible roles, you can consistently install and customize multiple replicas. This section discusses the interactive and non-interactive methods.

These methods are useful in topologies where, for example, the replica preparation is delegated to a user or third party. You can also use these methods in geographically distributed topologies where the Ansible controller node might not have access to the replica machine.

The services and method you choose for the replica installation depend on the replica requirements, infrastructure environment, and the defined IdM topology.

Preparing a Replica Machine for Installation

You can install CA or DNS services on the replica, just as you can for IdM servers. If you have an integrated DNS in your topology, then you might want to configure DNS on at least one replica in each geographical location. This configuration is not a requirement but it ensures that the service is redundant. On the other hand, if you configure all replicas to provide DNS, the DNS zone replication might use unnecessary network bandwidth.

In this scenario, you choose to install the DNS service on the replica to have a redundant, load-balanced DNS.

The ipa-server package ensures that the dependencies for the replica installation are installed. However, you use the ipa-replica-install command to install the replica because it provides replica-specific installation options. Also, the ipa-replica-install command requires an existing IdM domain.

[root@replica ~]# dnf install ipa-server ipa-server-dns
...output omitted...

The freeipa-ldap and freeipa-ldaps firewalld services define the ports needed to enable communication to and from the replica machine. You must open these firewall ports and ensure that the ports remain open after a system reboot. You can review the ports related to a service by using the firewall-cmd --permanent --service service-name --get-ports command.

[root@replica ~]# firewall-cmd --permanent --service freeipa-ldaps --get-ports
80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp 636/tcp
[root@replica ~]# firewall-cmd --add-service=freeipa-ldap --permanent
success
[root@replica ~]# firewall-cmd --add-service=freeipa-ldaps --permanent
success
[root@replica ~]# firewall-cmd --reload
success

You must also create the DNS record for the replica machine.

Similarly to many ipa commands, the ipa dnsrecord-add command without options or arguments can interactively prompt for the information of the DNS record to create. Some options, however, are not available in interactive mode. For example, the --a-create-reverse option, not available in interactive mode, creates the reverse DNS record for the given IP address.

[user@idm ~]$ kinit admin
Password for admin@LAB.EXAMPLE.COM: redhat123
[user@idm ~]$ ipa dnsrecord-add lab.example.com replica --a-rec=172.25.250.10 \
  --a-create-reverse
  Record name: replica
  A record: 172.25.250.10
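The preparation steps above (firewall services that survive a reboot, matching forward and reverse DNS records, and the FIPS-mode requirement from the considerations section) are the usual causes of a failed ipa-replica-install. The following pre-flight script is an added example, not part of the RH362 course material: the check functions take their input as arguments so they run on constructed data, and run_preflight wires them to the real firewall-cmd, dig (bind-utils) and /proc/sys/crypto/fips_enabled on a live replica machine. The server's FIPS state must be supplied by the operator (SERVER_FIPS), because it cannot be read remotely.

```shell
#!/bin/bash
# Added example (not from the RH362 course): pre-flight checks for a replica machine
# before running ipa-replica-install. Check functions are pure; run_preflight collects live data.

# Both freeipa-ldap and freeipa-ldaps must be in the *permanent* service list; otherwise
# the ports close again after the next reboot. $1 = `firewall-cmd --permanent --list-services`
check_firewall_services() {
    local services=" $1 " svc
    for svc in freeipa-ldap freeipa-ldaps; do
        case "$services" in
            *" $svc "*) ;;
            *) echo "firewall: permanent service $svc is missing" >&2; return 1 ;;
        esac
    done
}

# The replica's A record and the PTR record for its IP must agree with each other.
# $1 = fqdn, $2 = expected IP, $3 = forward lookup result, $4 = reverse lookup result
check_dns_pair() {
    local fqdn="$1" ip="$2" fwd="$3" rev="$4"
    [ "$fwd" = "$ip" ] || { echo "dns: $fqdn resolves to '$fwd', expected $ip" >&2; return 1; }
    # dig prints PTR targets with a trailing dot; strip it before comparing
    [ "${rev%.}" = "$fqdn" ] || { echo "dns: $ip reverse-resolves to '$rev', expected $fqdn" >&2; return 1; }
}

# A replica must be in the same FIPS mode as the server it enrolls with (1 = enabled, 0 = disabled).
check_fips_match() {
    [ "$1" = "$2" ] || { echo "fips: replica=$1 server=$2 (modes must match)" >&2; return 1; }
}

# Live collection: runs every check so all findings are reported, then returns non-zero if any failed.
run_preflight() {
    local fqdn="$1" ip="$2" server_fips="$3" rc=0
    check_firewall_services "$(firewall-cmd --permanent --list-services)" || rc=1
    check_dns_pair "$fqdn" "$ip" "$(dig +short A "$fqdn" | head -n 1)" \
                   "$(dig +short -x "$ip" | head -n 1)" || rc=1
    check_fips_match "$(cat /proc/sys/crypto/fips_enabled)" "$server_fips" || rc=1
    return $rc
}

# Usage (assumed variable names): REPLICA_FQDN=replica.lab.example.com REPLICA_IP=172.25.250.10 \
#   SERVER_FIPS=0 ./preflight.sh
if [ -n "${REPLICA_FQDN-}" ]; then
    run_preflight "$REPLICA_FQDN" "$REPLICA_IP" "${SERVER_FIPS:-0}" && echo "preflight OK"
fi
```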

Installing a Replica on a Non-domain Machine

The ipa-replica-install command requires access to the IdM server for the installation process. If the machine is not a member of the IdM domain, then you must provide a way to authenticate the machine.

You can install a replica on a non-domain machine by using a one-time password or by using a principal's credential.

One-time Password

This installation method is useful when many teams are involved in the installation process. For example, you might not have privileged access to the replica machine to run the ipa-replica-install command. In this scenario, you execute some tasks on the IdM server and another person completes the installation on the replica. You can provide a one-time password instead of the admin principal password.

First, you must enroll the host by using the ipa host-add --random command. The --random option requests a one-time password to authenticate to the domain. This one-time password does not allow the installation; you must allow the machine installation by adding the host to the ipaservers host group. The initial IdM server is automatically added to this host group, but replicas must be added manually by using the ipa hostgroup-add-member command.

[user@idm ~]$ ipa host-add replica.lab.example.com --random
Host name: replica.lab.example.com
-------------------------------------
Added host "replica.lab.example.com"
-------------------------------------
  Host name: replica.lab.example.com
  Random password: 3Wv4g5rc2wftUzfGyB7TjsW
  Password: True
  Keytab: False
  Managed by: replica.lab.example.com
[user@idm ~]$ ipa hostgroup-add-member ipaservers --hosts replica.lab.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: idm.lab.example.com, replica.lab.example.com
-------------------------
Number of members added 1
-------------------------
[user@idm ~]$ ipa hostgroup-show ipaservers
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: idm.lab.example.com, replica.lab.example.com

Note

The ipa host-add command verifies that the host has the corresponding DNS records in the zone. To override the verification, you can use the --force option.

This might be useful when you do not have the IP address for the DNS machine record yet and you want to prepare for the installation.

On the replica machine, run the ipa-replica-install command and provide the one-time password with the -p option. Red Hat recommends enclosing the password string in quotes to avoid special characters being interpreted by the shell. You can add the --setup-dns option if you want the replica to host a DNS service, but you must also provide the --forwarder, --no-forwarders, or the --auto-forwarders option.

[root@replica ~]# ipa-replica-install -p '4Ee>@R^V3.>!nMt6X?h5E|' \
  --setup-dns --forwarder=172.25.250.254
...output omitted...
Done.

The ipa-replica-install command was successful
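The server-side half of the one-time-password workflow (host-add with --random, adding the host to ipaservers, verifying the membership, and handing a safely quoted command to whoever runs the installation on the replica) lends itself to a small helper. This is an added example, not course or project code: it assumes a Kerberos ticket for a privileged principal already exists (kinit admin), the ipa CLI is on the path, and the variable names REPLICA_HOST and DNS_FORWARDER are invented for the usage line. The two SAMPLE_* constants are constructed in the format of the transcript above so the parsers can be exercised without an IdM server.

```shell
#!/bin/bash
# Added example (not from the RH362 course): server-side helper for the one-time-password
# replica enrollment. Assumes `kinit admin` has been done and the ipa CLI is installed.

# Pull the "Random password:" value out of `ipa host-add --random` / `ipa host-mod --random` output.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Succeed only if $1 is on the "Member hosts:" line of `ipa hostgroup-show ipaservers`.
# The OTP alone authenticates the host; without this membership ipa-replica-install is refused.
is_ipaserver_member() {
    sed -n 's/^[[:space:]]*Member hosts:[[:space:]]*//p' | tr ',' '\n' | tr -d ' ' | grep -qx "$1"
}

# Single-quote the OTP for the hand-off command so characters such as > ! | ^ are not
# interpreted by the shell on the replica; an embedded single quote becomes '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# $1 = OTP, $2 = DNS forwarder (the course scenario installs DNS with a forwarder).
replica_install_command() {
    printf 'ipa-replica-install -p %s --setup-dns --forwarder=%s\n' "$(shell_quote "$1")" "$2"
}

# Live path: enroll the host, grant the ipaservers role, verify it, print the hand-off command.
enroll_replica_host() {
    local host="$1" forwarder="$2" otp
    otp=$(ipa host-add "$host" --random | extract_otp)
    [ -n "$otp" ] || { echo "no one-time password returned for $host" >&2; return 1; }
    ipa hostgroup-add-member ipaservers --hosts "$host" >/dev/null || return 1
    ipa hostgroup-show ipaservers | is_ipaserver_member "$host" \
        || { echo "$host is not in ipaservers; ipa-replica-install would fail" >&2; return 1; }
    replica_install_command "$otp" "$forwarder"
}

# Constructed samples in the transcript's format (values mirror the course output above).
SAMPLE_HOST_ADD='  Host name: replica.lab.example.com
  Random password: 3Wv4g5rc2wftUzfGyB7TjsW
  Password: True'
SAMPLE_HOSTGROUP_SHOW='  Host-group: ipaservers
  Member hosts: idm.lab.example.com, replica.lab.example.com'

# Usage (assumed names): REPLICA_HOST=replica.lab.example.com DNS_FORWARDER=172.25.250.254 ./enroll.sh
if [ -n "${REPLICA_HOST-}" ]; then
    enroll_replica_host "$REPLICA_HOST" "${DNS_FORWARDER:-172.25.250.254}"
fi
```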

After the machine authenticates, the password expires whether the installation succeeds or fails. You can create another one-time password by running the ipa host-mod command with the --random option.

[root@idm ~]# ipa host-mod replica.lab.example.com --random
----------------------------------------
Modified host "replica.lab.example.com"
----------------------------------------
  Host name: replica.lab.example.com
  Random password: 4Cj,5&|UF3GdB$(ovhNp?Z
...output omitted...
  Member of host-groups: ipaservers
  Keytab: False
  Managed by: replica.lab.example.com

Principal Authentication

When you use a principal account to install a replica, you do not need to enroll the machine. This installation method is useful when you have privileged access to the replica machine. You can also complete the replica installation by running one command.

You can use the ipa-replica-install command with the -w option to provide a password for the authentication. By itself, the -w option assumes that the password passed as an argument is the admin user password. To authenticate as a principal other than admin, use the --principal option together with the -w option.

This example uses the admin user password and installs a CA on the replica.

[root@replica ~]# ipa-replica-install -w redhat123 --setup-ca
...output omitted...
Done.

The ipa-replica-install command was successful

Installing a Replica on an IdM Client

You can configure an existing IdM client as a replica by using the ipa-replica-install command. Because this method uses a privileged principal authentication, you do not need to add the host to the ipaservers host group.

[root@client ~]# ipa-replica-install -w RedHat123^

By default, this command expects the admin user password. To use another user, you can use the --principal option or authenticate before running the ipa-replica-install command by using the kinit command.

Installing a Hidden Replica

You can configure the replica as a hidden replica during installation by adding the --hidden-replica option to the ipa-replica-install command.

The SRV record creation is omitted when installing a hidden replica, which makes the replica unusable by clients. You can use a hidden replica to make backups, or to perform bulk loads or extensive API queries.

You can enable a hidden replica to make it visible to clients by using the ipa server-state --state=enabled command. To hide a replica again, set the replica state to hidden. Some roles might be removed when you hide a replica.

[root@idm ~]# ipa server-state client.lab.example.com --state=enabled
-------------------------------------------------
Changed server state of "client.lab.example.com".
-------------------------------------------------
[root@idm ~]# ipa server-state client.lab.example.com --state=hidden
-------------------------------------------------
Changed server state of "client.lab.example.com".
-------------------------------------------------

Uninstalling a Replica

You might want to uninstall a replica as part of the lifecycle process of the machine. Before you uninstall, review the services running on the replica. Ensure that the services are running on other replicas or move them to avoid service interruption. Also, review the replication agreements of the replica; uninstalling the replica might leave other replicas isolated.

Replication agreements are discussed in a later chapter.

You can also review the IdM web UI before removing a replica. The web UI shows a warning when a service is not redundant. Navigate to IPA Server → Topology to see an overview of the assigned host roles and running services in the topology.

Another use case for the uninstallation is when the replica installation fails. It is possible that some components were not installed correctly or completely. In this scenario, Red Hat recommends uninstalling the replica to avoid unexpected behavior when you retry the installation process.

Removing the Replica Server

On the replica machine, use the ipa-server-install --uninstall command to remove the components and configuration. Back up any information that you might need, and ensure that DNS and CA services in the IdM topology are not affected by the replica removal.

[root@replica ~]# ipa-server-install --uninstall

On an IdM server, use the ipa server-del command to delete the replica from the topology. To avoid the undesired reuse of the machine as a replica, delete the DNS records related to the replica.

[user@idm ~]$ ipa server-del replica.lab.example.com
[user@idm ~]$ ipa dnsrecord-del lab.example.com replica
No option to delete specific record provided.
Delete all? Yes/No (default No): yes
-------------------------
Deleted record "replica"
-------------------------

You can also remove existing replication agreements by using the ipa-replica-manage del command.

[user@idm ~]$ ipa-replica-manage del replica.lab.example.com --force
Updating DNS system records
ipa: WARNING: Ignoring topology connectivity errors.
ipa: WARNING: Failed to cleanup replica.lab.example.com DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
---------------------------------------------
Deleted IPA server "replica.lab.example.com"
---------------------------------------------

Note

Management of replication agreements is covered in a later chapter.

References

For more information about planning the replica topology, refer to the Planning the Replica Topology chapter in the Planning Identity Management guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/planning_identity_management/index

For more information about replica installation, refer to the Installing an IdM Replica chapter in the Installing Identity Management guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/installing_identity_management/index

For more information about replicas, refer to the Managing replication in Identity Management guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_replication_in_identity_management/index

Revision: rh362-9.1-4c6fdb8