Promote IdM(FreeIPA) to RHEL 7
Version 1.0
Prepare by
Amjad Yaseen
RHCA II
2015
Promote IdM(FreeIPA) to RHEL 7
Before we start upgrading IdM to rhel 7 we need to ask: what is IdM?
“Identity management (IdM) describes the management of individual principals, their
authentication, authorization, and privileges within or across system and enterprise
boundaries with the goal of increasing security and productivity while decreasing cost,
downtime and repetitive tasks.”
Why IdM, and what kind of problems does it solve?
• Identities
– Where are my users stored? What properties do they have? How is this data made
available to systems and applications?
• Authentication
– What credentials do my users use to authenticate? Passwords? Smart Cards?
Special devices? Is there SSO? How can the same user access file stores and web
applications without requiring re-authentication?
• Access control
– Which users have access to which systems, services, applications? What commands
can they run on those systems? What SELinux context is a user mapped to?
• Policies
– What is the strength of the password? What are the automount rules? What are
Kerberos ticket policies?
When migrating an IdM server from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7 or
CentOS, the process is very similar to promoting a replica to a master:
1. A new server is created on Red Hat Enterprise Linux 7.
2. All data are migrated over to the new server.
3. All services, such as CRL and certificate creation, DNS management, Kerberos KDC
administration, are transitioned over to the new system.
Upgrading IdM into Red Hat 7.x 2
The overview of our lab:
Red Hat 6:
OS : rhel 6.7
IPA version: 3.x
IP: 192.168.100.20
hostname: ipa01.rhlab.dev
DNS: rhlab.dev
Red Hat 7:
OS : rhel 7.1
IPA version: 4.x
IP: 192.168.100.21
hostname: ipa02.rhlab.dev
DNS: rhlab.dev
Client:
OS : rhel 6.7
IPA client version: 3.x
IP: 192.168.100.22
hostname: client.rhlab.dev
DNS: rhlab.dev
Upgrading process:
Assuming IPA is already installed on rhel 6.7, migrating from rhel 6 to 7 goes through
these steps:
1. Update rhel 6 to the latest version, including the ipa packages.
[root@ipa01 ~]# yum update ipa-*
2. Configure firewall if required on rhel 7.
[root@ipa02 ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,88/udp,464/udp,22/tcp}
[root@ipa02 ~]# firewall-cmd --reload
3. Installing IdM packages on rhel 7.
[root@ipa02 ~]# yum install ipa-server ipa-server-dns -y
4. Copy the Python schema update script from rhel 7 to rhel 6.
[root@ipa02 ~]# scp /usr/share/ipa/copy-schema-to-ca.py ipa01:/root/
5. Run the schema update script on rhel 6.
[root@ipa01 ~]# python copy-schema-to-ca.py
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif
ipa : INFO Restarting CA DS
ipa : INFO Schema updated successfully
6. On rhel 6 create replica file for rhel 7.
[root@ipa01 ~]# ipa-replica-prepare ipa02.rhlab.dev --ip-address 192.168.100.21
Directory Manager (existing master) password:
Preparing replica for ipa01.rhlab.dev from ipa01.rhlab.dev
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipa02.rhlab.dev.gpg
Adding DNS records for ipa02.rhlab.dev
Using reverse zone 2.0.192.in-addr.arpa.
The ipa-replica-prepare command was successful
7. Installing replica on rhel 7: use the --setup-ca option to set up a Dogtag Certificate
System instance and the --setup-dns option to configure the DNS server. The replica
server's IP address in this example is 192.168.100.21.
[root@ipa02 ~]# ipa-replica-install --setup-ca --ip-address=192.168.100.21 -p password -w password -N --setup-dns --no-forwarders -U /var/lib/ipa/replica-info-ipa02.rhlab.dev.gpg
Run connection check to master
Check connection from replica to remote master 'ipa01.rhlab.dev':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
...
8. Verifying the configuration on both systems.
◦ Verify that the IdM services are running:
[root@ipa02 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
◦ Verify that both IdM CAs are configured as master servers.
[root@ipa02 ~]# kinit admin
[root@ipa02 ~]# ipa-replica-manage list
ipa01.rhlab.dev: master
ipa02.rhlab.dev: master
[root@ipa02 ~]# ipa-replica-manage list -v ipa02.rhlab.dev
ipa02.rhlab.dev: replica
last init status: None
last init ended: None
last update status: 0 Replica acquired successfully: Incremental
update started
last update ended: None
9. On rhel 6, stop the original master from renewing the CA subsystem certificates and issuing CRLs.
◦ Identify which server instance is the master CA server. Both CRL generation and
renewal operations are handled by the same CA server, so the master CA is the one on
which certmonger tracks the subsystem certificate with renew_ca_cert as its post-save command.
[root@ipa01 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
◦ On the original master CA, disable tracking for all of the original CA certificates.
[root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
Request "20151127184547" removed.
[root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
Request "20151127184548" removed.
[root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Request "20151127184549" removed.
[root@ipa01 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
Request "20151127184550" removed.
◦ Reconfigure the original master CA to retrieve renewed certificates from a new master
CA.
1. Copy the renewal helper into the certmonger service directory, and set the
appropriate permissions.
[root@ipa01 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/ca_renewal
[root@ipa01 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
2. Update the SELinux configuration.
[root@ipa01 ~]# /sbin/restorecon /var/lib/certmonger/cas/ca_renewal
3. Restart certmonger.
[root@ipa01 ~]# service certmonger restart
4. Check that the CA is listed to retrieve certificates. This is printed in the CA
configuration.
[root@ipa01 ~]# getcert list-cas
...
CA 'dogtag-ipa-retrieve-agent-submit':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
5. Get the CA certificate database PIN.
[root@ipa01 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
6. Configure certmonger to track the certificates for external renewal. This
requires the database PIN.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"' -T "auditSigningCert cert-pki-ca" -P database_pin
New tracking request "20151127184743" added.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"' -T "ocspSigningCert cert-pki-ca" -P database_pin
New tracking request "20151127184744" added.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"' -T "subsystemCert cert-pki-ca" -P database_pin
New tracking request "20151127184745" added.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /etc/httpd/alias -n ipaCert -C /usr/lib64/ipa/certmonger/restart_httpd -T ipaCert -p /etc/httpd/alias/pwdfile.txt
New tracking request "20151127184746" added.
◦ Stop CRL generation on the original master CA.
1. Stop CA service.
[root@ipa01 ~]# service pki-cad stop
2. Open the CA configuration file.
[root@ipa01 ~]# vim /var/lib/pki-ca/conf/CS.cfg
3. Change the values of the ca.crl.MasterCRL.enableCRLCache and
ca.crl.MasterCRL.enableCRLUpdates parameters to false to disable CRL
generation.
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
4. Start the CA service.
[root@ipa01 ~]# service pki-cad start
◦ Configure Apache to redirect CRL requests to the new master.
1. Open the CA proxy configuration.
[root@ipa01 ~]# vim /etc/httpd/conf.d/ipa-pki-proxy.conf
2. Uncomment the RewriteRule on the last line and replace the ipa01 server
URL with the new Red Hat Enterprise Linux 7 server URL.
RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
3. Restart Apache.
[root@ipa01 ~]# service httpd restart
10. Configure rhel 7 IdM instance as master.
◦ Configure CA renewal using the ipa-csreplica-manage utility.
[root@ipa02 ~]# ipa-csreplica-manage set-renewal-master
◦ Configure the new master CA to generate CRLs.
1. Stop CA service.
[root@ipa02 ~]# systemctl stop pki-tomcatd@pki-tomcat.service
2. Open the CA configuration file.
[root@ipa02 ~]# vim /etc/pki/pki-tomcat/ca/CS.cfg
3. Change the values of the ca.crl.MasterCRL.enableCRLCache and
ca.crl.MasterCRL.enableCRLUpdates parameters to true to enable CRL
generation.
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
4. Start CA service.
[root@ipa02 ~]# systemctl start pki-tomcatd@pki-tomcat.service
◦ Configure Apache to stop redirecting CRL requests. As a clone, this instance routed all CRL
requests to the original master; as the new master, it answers CRL requests itself.
1. Open the CA proxy configuration.
[root@ipa02 ~]# vim /etc/httpd/conf.d/ipa-pki-proxy.conf
2. Comment out the RewriteRule argument on the last line.
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
3. Restart Apache.
[root@ipa02 ~]# systemctl restart httpd.service
4. Check that the server is the certificate renewal master.
# ldapsearch -H ldap://127.0.0.1 -D 'cn=Directory Manager' -W -b cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev '(ipaConfigString=caRenewalMaster)' -LLL
Enter LDAP Password:
dn: cn=CA,cn=ipa02.rhlab.dev,cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA
Note: In the above output "caRenewalMaster" should be present.
5. Check that the server is the CRL generation master.
# grep -i ca.crl.MasterCRL.enableCRL /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
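The checks in steps 8, 9 and 10 are easy to get half right: the CRL flags flipped on one side but not the other, or the redirect left active on the new master. The script below is an added example (it is not part of the deck and not FreeIPA's own tooling) that turns those checks into functions. Each function reads a file or captured command output passed as an argument, so on the live hosts you would point it at /var/lib/pki-ca/conf/CS.cfg or /etc/pki/pki-tomcat/ca/CS.cfg, /etc/httpd/conf.d/ipa-pki-proxy.conf, and the output of getcert list, ldapsearch and ipactl status; here it runs on constructed samples that mirror the deck's lab values.

```shell
#!/bin/sh
# Added example; not part of the original deck or of the FreeIPA project.
# Verifies that the CA roles really moved from the demoted rhel 6 master
# (ipa01) to the rhel 7 master (ipa02). Every check reads a file or captured
# command output given as an argument; the samples at the bottom are constructed.

# CRL generation flags: both MasterCRL keys must equal $2
# ("false" on the demoted CA, "true" on the new master).
check_crl_flags() {   # $1 = CS.cfg path, $2 = expected value
  for key in ca.crl.MasterCRL.enableCRLCache ca.crl.MasterCRL.enableCRLUpdates; do
    grep -qx "$key=$2" "$1" || return 1
  done
}

# Renewal master: the single entry under cn=masters carrying
# "ipaConfigString: caRenewalMaster" must be the CA entry of host $2 (base DN $3).
check_renewal_master() {  # $1 = LDIF from ldapsearch, $2 = host, $3 = base DN
  found=$(awk '/^dn: /{dn=$2} /^ipaConfigString: caRenewalMaster/{print dn}' "$1")
  [ "$found" = "cn=CA,cn=$2,cn=masters,cn=ipa,cn=etc,$3" ]
}

# Uncommented MasterCRL RewriteRule lines in ipa-pki-proxy.conf.
active_crl_rules() { grep -F 'RewriteRule ^/ipa/crl/MasterCRL.bin' "$1" | grep -v '^[[:space:]]*#'; }

# CRL redirect: "active" on the demoted master (pointing at host $3),
# "commented" on the new master, which answers CRL requests itself.
check_crl_redirect() {  # $1 = ipa-pki-proxy.conf, $2 = active|commented, $3 = new master
  case $2 in
    active)    active_crl_rules "$1" | grep -qF "https://$3/" ;;
    commented) [ -z "$(active_crl_rules "$1")" ] ;;
    *)         return 2 ;;
  esac
}

# Certmonger: every request in "getcert list" output must use CA $2
# (dogtag-ipa-retrieve-agent-submit on the demoted master), not the local renewer.
check_tracking_ca() {  # $1 = getcert list output, $2 = expected CA name
  awk -v want="$2" '
    /^Request ID/        { n++ }
    /^[[:space:]]*CA: /  { if ($2 == want) ok++ }
    END                  { exit !(n > 0 && n == ok) }' "$1"
}

# Step 8: every "<name> Service:" line of ipactl status must say RUNNING.
check_services_running() {  # $1 = ipactl status output
  total=$(grep -c ' Service: ' "$1"); up=$(grep -c ' Service: RUNNING$' "$1")
  [ "$total" -gt 0 ] && [ "$total" -eq "$up" ]
}

# --- constructed samples (lab values from the deck, not captured output) ---
T=$(mktemp -d)
printf '%s\n' ca.crl.MasterCRL.enableCRLCache=false ca.crl.MasterCRL.enableCRLUpdates=false > "$T/old.cfg"
printf '%s\n' ca.crl.MasterCRL.enableCRLCache=true  ca.crl.MasterCRL.enableCRLUpdates=true  > "$T/new.cfg"
cat > "$T/masters.ldif" <<'EOF'
dn: cn=CA,cn=ipa02.rhlab.dev,cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA
EOF
cat > "$T/old-proxy.conf" <<'EOF'
RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
EOF
cat > "$T/new-proxy.conf" <<'EOF'
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
EOF
cat > "$T/getcert.txt" <<'EOF'
Request ID '20151127184743':
  status: MONITORING
  CA: dogtag-ipa-retrieve-agent-submit
Request ID '20151127184746':
  status: MONITORING
  CA: dogtag-ipa-retrieve-agent-submit
EOF
printf '%s\n' 'Directory Service: RUNNING' 'krb5kdc Service: RUNNING' 'httpd Service: RUNNING' > "$T/ipactl.txt"

# Run the checks once, stand-alone, and report each result.
for c in "check_crl_flags $T/old.cfg false" "check_crl_flags $T/new.cfg true" \
         "check_renewal_master $T/masters.ldif ipa02.rhlab.dev dc=rhlab,dc=dev" \
         "check_crl_redirect $T/old-proxy.conf active ipa02.rhlab.dev" \
         "check_crl_redirect $T/new-proxy.conf commented ipa02.rhlab.dev" \
         "check_tracking_ca $T/getcert.txt dogtag-ipa-retrieve-agent-submit" \
         "check_services_running $T/ipactl.txt"; do
  if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
```

Run it on the old master with the rhel 6 paths and expected values "false"/"active", and on the new master with the rhel 7 paths and "true"/"commented"; a FAIL on either side means one of steps 9 or 10 was only half applied.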
11. Remove rhel 6 replica from rhel 7.
◦ Stop all services on the rhel 6 system; this forces domain discovery to the rhel 7 server.
[root@ipa01 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
RHLAB-DEV... [ OK ]
PKI-IPA... [ OK ]
◦ Decommission the rhel 6 host (ipa01.rhlab.dev) from the rhel 7 server.
[root@ipa02 ~]# ipa-replica-manage del ipa01.rhlab.dev
Connection to 'ipa01.rhlab.dev' failed:
Forcing removal of ipa01.rhlab.dev
Skipping calculation to determine if one or more masters would be
orphaned.
Deleting replication agreements between ipa01.rhlab.dev and ipa02.rhlab.dev
Failed to get list of agreements from 'ipa01.rhlab.dev ':
Forcing removal on 'ipa02.rhlab.dev'
Any DNA range on 'ipa01.rhlab.dev' will be lost
Deleted replication agreement from 'ipa02.rhlab.dev' to
'ipa01.rhlab.dev'
Background task created to clean replication data. This may take a
while.
This may be safely interrupted with Ctrl+C
◦ Remove the local IdM configuration on ipa01.rhlab.dev.
[root@ipa01 ~]# ipa-server-install --uninstall -U
12. Configure the client to use the new server.
◦ Open the sssd.conf file
[root@client ~]# vim /etc/sssd/sssd.conf
◦ Replace ipa_server = _srv_, ipa01.rhlab.dev with
ipa_server = _srv_, ipa02.rhlab.dev
dns_discovery_domain = rhlab.dev
◦ Make sure that the IP address of the RHEL 7.1 IPA server is the first nameserver in /etc/resolv.conf
search rhlab.dev
nameserver 192.168.100.21
◦ Restart the sssd service
[root@client ~]# service sssd stop; rm -Rf /var/lib/sss/db/*; service sssd start
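For a fleet of clients the edit in step 12 is better scripted than done by hand in vim. The following is an added example, not from the deck: it rewrites the ipa_server line (keeping _srv_ first so DNS SRV discovery is tried before the static fallback), sets dns_discovery_domain right next to it, refuses to finish if the old server is still referenced, and confirms the resolver points at the rhel 7 server. The file paths are parameters so it runs here on constructed copies; on a real client you would pass /etc/sssd/sssd.conf and /etc/resolv.conf, then run the deck's sssd restart.

```shell
#!/bin/sh
# Added example; not part of the original deck. Repoints an IPA client from
# the decommissioned rhel 6 server to the rhel 7 server and verifies the result.
# Hostnames, domain and IP below are the deck's lab values.

# Rewrite ipa_server, place dns_discovery_domain next to it (dropping any
# existing copy so it is not duplicated), and fail if the old host remains.
repoint_sssd() {   # $1 = sssd.conf, $2 = old server, $3 = new server, $4 = domain
  cp "$1" "$1.bak" || return 1          # keep the known-good config
  awk -v new="$3" -v dom="$4" '
    /^ipa_server[[:space:]]*=/ { print "ipa_server = _srv_, " new
                                 print "dns_discovery_domain = " dom; n++; next }
    /^dns_discovery_domain[[:space:]]*=/ { next }
    { print }
    END { exit !n }' "$1" > "$1.tmp" || return 1   # no ipa_server line: refuse
  mv "$1.tmp" "$1" || return 1
  ! grep -q "$2" "$1"                   # old server must be gone entirely
}

# The first nameserver must be the IdM server that now serves the zone.
first_nameserver_is() {  # $1 = resolv.conf, $2 = expected IP
  first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
  [ "$first" = "$2" ]
}

# Constructed sample client files (not copied from a real host) in directory $1.
make_sample_client_files() {
  cat > "$1/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = rhlab.dev

[domain/rhlab.dev]
id_provider = ipa
ipa_server = _srv_, ipa01.rhlab.dev
ipa_domain = rhlab.dev
EOF
  printf 'search rhlab.dev\nnameserver 192.168.100.21\n' > "$1/resolv.conf"
}

# Stand-alone run on the samples.
T=$(mktemp -d)
make_sample_client_files "$T"
repoint_sssd "$T/sssd.conf" ipa01.rhlab.dev ipa02.rhlab.dev rhlab.dev && echo "sssd.conf repointed"
first_nameserver_is "$T/resolv.conf" 192.168.100.21 && echo "resolver points at ipa02"
```

Only after both functions succeed does it make sense to stop sssd, clear /var/lib/sss/db and start it again as in the deck; restarting first would just re-cache the old server list.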
13. Create additional replicas from the rhel 7 server if required.
[root@ipa02 ~]# ipa-replica-prepare ipa03.rhlab.dev --ip-address 192.168.100.23
Upgrading IdM into Red Hat 7.x 11

More Related Content

What's hot

图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
maclean liu
 

What's hot (20)

Oracle applications r12.2.0 installation on linux
Oracle applications r12.2.0 installation on linuxOracle applications r12.2.0 installation on linux
Oracle applications r12.2.0 installation on linux
 
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
图文详解安装Net backup 6.5备份恢复oracle 10g rac 数据库
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
 
Consul and Complex Networks
Consul and Complex NetworksConsul and Complex Networks
Consul and Complex Networks
 
Nagios Conference 2012 - Scott Wilkerson - Passive Monitoring Solutions For R...
Nagios Conference 2012 - Scott Wilkerson - Passive Monitoring Solutions For R...Nagios Conference 2012 - Scott Wilkerson - Passive Monitoring Solutions For R...
Nagios Conference 2012 - Scott Wilkerson - Passive Monitoring Solutions For R...
 
Production Readiness Strategies in an Automated World
Production Readiness Strategies in an Automated WorldProduction Readiness Strategies in an Automated World
Production Readiness Strategies in an Automated World
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
Modern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSDModern tooling to assist with developing applications on FreeBSD
Modern tooling to assist with developing applications on FreeBSD
 
Guide to alfresco monitoring
Guide to alfresco monitoringGuide to alfresco monitoring
Guide to alfresco monitoring
 
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian RobinsonGraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
GraphConnect Europe 2016 - Moving Graphs to Production at Scale - Ian Robinson
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyNginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ng
 

Viewers also liked

Viewers also liked (20)

How To Install and Configure SUDO on RHEL 7
How To Install and Configure SUDO on RHEL 7How To Install and Configure SUDO on RHEL 7
How To Install and Configure SUDO on RHEL 7
 
How to Change Hostname in CentOS 7 or RHEL 7
How to Change Hostname in CentOS 7 or RHEL 7How to Change Hostname in CentOS 7 or RHEL 7
How to Change Hostname in CentOS 7 or RHEL 7
 
SystemD Usage Guide
SystemD Usage GuideSystemD Usage Guide
SystemD Usage Guide
 
Configure Run Levels RHEL 7 or CentOS 7
Configure Run Levels RHEL 7 or CentOS 7Configure Run Levels RHEL 7 or CentOS 7
Configure Run Levels RHEL 7 or CentOS 7
 
How To Reset root Password on CentOS 7
How To Reset root Password on CentOS 7How To Reset root Password on CentOS 7
How To Reset root Password on CentOS 7
 
Rhel6 vs rhel7
Rhel6 vs rhel7Rhel6 vs rhel7
Rhel6 vs rhel7
 
Kvm virtualization in_rhel_7
Kvm virtualization in_rhel_7Kvm virtualization in_rhel_7
Kvm virtualization in_rhel_7
 
Kickstart, Puppet, Docker
Kickstart, Puppet, DockerKickstart, Puppet, Docker
Kickstart, Puppet, Docker
 
マイコンボード色々
マイコンボード色々マイコンボード色々
マイコンボード色々
 
How To Create RDS Database for WordPress in AWS on RHEL 7 or CentOS 7
How To Create RDS Database for WordPress in AWS on RHEL 7 or CentOS 7How To Create RDS Database for WordPress in AWS on RHEL 7 or CentOS 7
How To Create RDS Database for WordPress in AWS on RHEL 7 or CentOS 7
 
LSOF Command Usage on RHEL 7
LSOF Command Usage on RHEL 7LSOF Command Usage on RHEL 7
LSOF Command Usage on RHEL 7
 
How To Install and Generate Audit Reports in CentOS 7 or RHEL 7
How To Install and Generate Audit Reports in CentOS 7 or RHEL 7How To Install and Generate Audit Reports in CentOS 7 or RHEL 7
How To Install and Generate Audit Reports in CentOS 7 or RHEL 7
 
How To Install and Configure AWS CLI on RHEL 7
How To Install and Configure AWS CLI on RHEL 7How To Install and Configure AWS CLI on RHEL 7
How To Install and Configure AWS CLI on RHEL 7
 
How To Install and Configure Splunk on RHEL 7 in AWS
How To Install and Configure Splunk on RHEL 7 in AWSHow To Install and Configure Splunk on RHEL 7 in AWS
How To Install and Configure Splunk on RHEL 7 in AWS
 
How To Manage Services on RHEL 7 or CentOS 7
How To Manage Services on RHEL 7 or CentOS 7How To Manage Services on RHEL 7 or CentOS 7
How To Manage Services on RHEL 7 or CentOS 7
 
How to Manage journalctl Logging System on RHEL 7
How to Manage journalctl Logging System on RHEL 7How to Manage journalctl Logging System on RHEL 7
How to Manage journalctl Logging System on RHEL 7
 
How To Install and Configure Log Rotation on RHEL 7 or CentOS 7
How To Install and Configure Log Rotation on RHEL 7 or CentOS 7How To Install and Configure Log Rotation on RHEL 7 or CentOS 7
How To Install and Configure Log Rotation on RHEL 7 or CentOS 7
 
How To Configure Apache VirtualHost on RHEL 7 on AWS
How To Configure Apache VirtualHost on RHEL 7 on AWSHow To Configure Apache VirtualHost on RHEL 7 on AWS
How To Configure Apache VirtualHost on RHEL 7 on AWS
 
How To Install and Configure Chrony on RHEL 7
How To Install and Configure Chrony on RHEL 7How To Install and Configure Chrony on RHEL 7
How To Install and Configure Chrony on RHEL 7
 
Install and Configure WordPress in AWS on RHEL 7 or CentOS 7
Install and Configure WordPress in AWS on RHEL 7 or CentOS 7Install and Configure WordPress in AWS on RHEL 7 or CentOS 7
Install and Configure WordPress in AWS on RHEL 7 or CentOS 7
 

Similar to Upgrade ipa to rhel 7

Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Chanaka Lasantha
 
在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5
maclean liu
 
Ranger admin dev overview
Ranger admin dev overviewRanger admin dev overview
Ranger admin dev overview
Tushar Dudhatra
 

Similar to Upgrade ipa to rhel 7 (20)

Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Nagios Conference 2014 - Leland Lammert - Distributed Heirarchical Nagios
Nagios Conference 2014 - Leland Lammert - Distributed Heirarchical NagiosNagios Conference 2014 - Leland Lammert - Distributed Heirarchical Nagios
Nagios Conference 2014 - Leland Lammert - Distributed Heirarchical Nagios
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017
 
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5
 
Ranger admin dev overview
Ranger admin dev overviewRanger admin dev overview
Ranger admin dev overview
 
RAVPN EAP-IKEv2 VPN.pptx
RAVPN EAP-IKEv2 VPN.pptxRAVPN EAP-IKEv2 VPN.pptx
RAVPN EAP-IKEv2 VPN.pptx
 
Control your deployments with Capistrano
Control your deployments with CapistranoControl your deployments with Capistrano
Control your deployments with Capistrano
 
Monitoring CloudStack and components
Monitoring CloudStack and componentsMonitoring CloudStack and components
Monitoring CloudStack and components
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
OSMC 2021 | Monitoring @ G&D
OSMC 2021 | Monitoring @ G&DOSMC 2021 | Monitoring @ G&D
OSMC 2021 | Monitoring @ G&D
 
Introduction to Chef
Introduction to ChefIntroduction to Chef
Introduction to Chef
 
Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0Powervc upgrade from_1.3.0.2_to_1.3.2.0
Powervc upgrade from_1.3.0.2_to_1.3.2.0
 
F5 Meetup presentation automation 2017
F5 Meetup presentation automation 2017F5 Meetup presentation automation 2017
F5 Meetup presentation automation 2017
 
Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...
Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...
Nagios Conference 2014 - Rob Hassing - How To Maintain Over 20 Monitoring App...
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
 
Presentation Progress TA
Presentation Progress TA Presentation Progress TA
Presentation Progress TA
 
Free ipa installation and cluster configuration, freeipa client connection
Free ipa installation and cluster configuration, freeipa client connectionFree ipa installation and cluster configuration, freeipa client connection
Free ipa installation and cluster configuration, freeipa client connection
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Upgrade ipa to rhel 7

  • 4. Upgrading process: assuming you already have IPA installed on rhel 6.7, migrating from rhel 6 to 7 goes through these steps:
    1. Update rhel 6 to the latest version, and likewise the ipa packages.
       [root@ipa01 ~]# yum update ipa-*
    2. Configure the firewall on rhel 7, if required.
       [root@ipa02 ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,88/udp,464/udp,22/tcp}
       [root@ipa02 ~]# firewall-cmd --reload
    3. Install the IdM packages on rhel 7.
       [root@ipa02 ~]# yum install ipa-server ipa-server-dns -y
    4. Copy the Python schema update script from rhel 7 to rhel 6.
       [root@ipa02 ~]# scp /usr/share/ipa/copy-schema-to-ca.py ipa01:/root/
    5. Run the schema update script on rhel 6.
       [root@ipa01 ~]# python copy-schema-to-ca.py
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif
       ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif
       ipa : INFO Restarting CA DS
       ipa : INFO Schema updated successfully
  • 5. 6. On rhel 6, create the replica file for rhel 7.
       [root@ipa01 ~]# ipa-replica-prepare ipa02.rhlab.dev --ip-address 192.168.100.21
       Directory Manager (existing master) password:
       Preparing replica for ipa02.rhlab.dev from ipa01.rhlab.dev
       Creating SSL certificate for the Directory Server
       Creating SSL certificate for the dogtag Directory Server
       Saving dogtag Directory Server port
       Creating SSL certificate for the Web Server
       Exporting RA certificate
       Copying additional files
       Finalizing configuration
       Packaging replica information into /var/lib/ipa/replica-info-ipa02.rhlab.dev.gpg
       Adding DNS records for ipa02.rhlab.dev
       Using reverse zone 2.0.192.in-addr.arpa.
       The ipa-replica-prepare command was successful
    7. Install the replica on rhel 7: use the --setup-ca option to set up a Dogtag Certificate System instance and the --setup-dns option to configure the DNS server. The replica server's IP address in this example is 192.168.100.21.
       [root@ipa02 ~]# ipa-replica-install --setup-ca --ip-address=192.168.100.21 -p password -w password -N --setup-dns --no-forwarders -U /var/lib/ipa/replica-info-ipa02.rhlab.dev.gpg
       Run connection check to master
       Check connection from replica to remote master 'ipa01.rhlab.dev':
          Directory Service: Unsecure port (389): OK
          Directory Service: Secure port (636): OK
          Kerberos KDC: TCP (88): OK
          Kerberos Kpasswd: TCP (464): OK
          HTTP Server: Unsecure port (80): OK
          HTTP Server: Secure port (443): OK
          PKI-CA: Directory Service port (7389): OK
       ...
    8. Verify the configuration on both systems.
  • 6. ◦ Verify that the IdM services are running:
       [root@ipa02 ~]# ipactl status
       Directory Service: RUNNING
       krb5kdc Service: RUNNING
       kadmin Service: RUNNING
       named Service: RUNNING
       ipa_memcached Service: RUNNING
       httpd Service: RUNNING
       pki-tomcatd Service: RUNNING
       ipa-otpd Service: RUNNING
       ipa: INFO: The ipactl command was successful
     ◦ Verify that both IdM CAs are configured as master servers.
       [root@ipa02 ~]# kinit admin
       [root@ipa02 ~]# ipa-replica-manage list
       ipa01.rhlab.dev: master
       ipa02.rhlab.dev: master
       [root@ipa02 ~]# ipa-replica-manage list -v ipa02.rhlab.dev
       ipa02.rhlab.dev: replica
         last init status: None
         last init ended: None
         last update status: 0 Replica acquired successfully: Incremental update started
         last update ended: None
    9. On rhel 6, disable renewal of the CA subsystem certificates and CRL issuance.
     ◦ Identify which server instance is the master CA server. Both CRL generation and renewal operations are handled by the same CA server, so the master CA can be identified by the renew_ca_cert helper being configured as the post-save command of the certificates tracked by certmonger.
       [root@ipa01 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
       post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
     ◦ On the original master CA, disable tracking for all of the original CA certificates.
       [root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
       Request "20151127184547" removed.
       [root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
       Request "20151127184548" removed.
       [root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
       Request "20151127184549" removed.
       [root@ipa01 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
       Request "20151127184550" removed.
  • 7. ◦ Reconfigure the original master CA to retrieve renewed certificates from the new master CA.
       1. Copy the renewal helper into the certmonger service directory and set the appropriate permissions.
          [root@ipa01 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/ca_renewal
          [root@ipa01 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
       2. Update the SELinux context.
          [root@ipa01 ~]# /sbin/restorecon /var/lib/certmonger/cas/ca_renewal
       3. Restart certmonger.
          [root@ipa01 ~]# service certmonger restart
       4. Check that the CA is listed to retrieve certificates. This is printed in the CA configuration.
          [root@ipa01 ~]# getcert list-cas
          ...
          CA 'dogtag-ipa-retrieve-agent-submit':
            is-default: no
            ca-type: EXTERNAL
            helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
       5. Get the CA certificate database PIN.
          [root@ipa01 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
       6. Configure certmonger to track the certificates for external renewal. This requires the database PIN.
          [root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"' -T "auditSigningCert cert-pki-ca" -P database_pin
          New tracking request "20151127184743" added.
          [root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"' -T "ocspSigningCert cert-pki-ca" -P database_pin
          New tracking request "20151127184744" added.
          [root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"' -T "subsystemCert cert-pki-ca" -P database_pin
          New tracking request "20151127184745" added.
          [root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /etc/httpd/alias -n ipaCert -C /usr/lib64/ipa/certmonger/restart_httpd -T ipaCert -p /etc/httpd/alias/pwdfile.txt
          New tracking request "20151127184746" added.
  • 8. ◦ Stop CRL generation on the original master CA.
       1. Stop the CA service.
          [root@ipa01 ~]# service pki-cad stop
       2. Open the CA configuration file.
          [root@ipa01 ~]# vim /var/lib/pki-ca/conf/CS.cfg
       3. Change the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false to disable CRL generation.
          ca.crl.MasterCRL.enableCRLCache=false
          ca.crl.MasterCRL.enableCRLUpdates=false
       4. Start the CA service.
          [root@ipa01 ~]# service pki-cad start
     ◦ Configure Apache to redirect CRL requests to the new master.
       1. Open the CA proxy configuration.
          [root@ipa01 ~]# vim /etc/httpd/conf.d/ipa-pki-proxy.conf
       2. Uncomment the RewriteRule on the last line and replace the ipa01 server URL with the new Red Hat Enterprise Linux 7 server URL.
          RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
       3. Restart Apache.
          [root@ipa01 ~]# service httpd restart
  • 9. 10. Configure the rhel 7 IdM instance as master.
     ◦ Configure CA renewal using the ipa-csreplica-manage utility.
       [root@ipa02 ~]# ipa-csreplica-manage set-renewal-master
     ◦ Configure the new master CA to generate CRLs.
       1. Stop the CA service.
          [root@ipa02 ~]# systemctl stop pki-tomcatd@pki-tomcat.service
       2. Open the CA configuration file.
          [root@ipa02 ~]# vim /etc/pki/pki-tomcat/ca/CS.cfg
       3. Change the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to true to enable CRL generation.
          ca.crl.MasterCRL.enableCRLCache=true
          ca.crl.MasterCRL.enableCRLUpdates=true
       4. Start the CA service.
          [root@ipa02 ~]# systemctl start pki-tomcatd@pki-tomcat.service
     ◦ Configure Apache so that it no longer redirects CRL requests. As a clone, this instance routed all CRL requests to the original master; as the new master, it answers CRL requests itself.
       1. Open the CA proxy configuration.
          [root@ipa02 ~]# vim /etc/httpd/conf.d/ipa-pki-proxy.conf
       2. Comment out the RewriteRule on the last line.
          #RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
       3. Restart Apache.
          [root@ipa02 ~]# systemctl restart httpd.service
       4. Check whether the server is the certificate renewal master.
          # ldapsearch -H ldap://127.0.0.1 -D 'cn=Directory Manager' -W -b cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev '(ipaConfigString=caRenewalMaster)' -LLL
          Enter LDAP Password:
          dn: cn=CA,cn=ipa02.rhlab.dev,cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev
          objectClass: nsContainer
          objectClass: ipaConfigObject
          objectClass: top
          ipaConfigString: enabledService
          ipaConfigString: startOrder 50
          ipaConfigString: caRenewalMaster
          cn: CA
          Note: "caRenewalMaster" should be present in the output above.
  • 10.  5. Check whether the server is the CRL generation master.
          # grep -i ca.crl.MasterCRL.enableCRL /etc/pki/pki-tomcat/ca/CS.cfg
          ca.crl.MasterCRL.enableCRLCache=true
          ca.crl.MasterCRL.enableCRLUpdates=true
    11. Remove the rhel 6 replica from rhel 7.
     ◦ Stop all services on the rhel 6 system; this forces domain discovery to the rhel 7 server.
       [root@ipa01 ~]# ipactl stop
       Stopping CA Service
       Stopping pki-ca: [ OK ]
       Stopping HTTP Service
       Stopping httpd: [ OK ]
       Stopping MEMCACHE Service
       Stopping ipa_memcached: [ OK ]
       Stopping DNS Service
       Stopping named: . [ OK ]
       Stopping KPASSWD Service
       Stopping Kerberos 5 Admin Server: [ OK ]
       Stopping KDC Service
       Stopping Kerberos 5 KDC: [ OK ]
       Stopping Directory Service
       Shutting down dirsrv:
           RHLAB-DEV... [ OK ]
           PKI-IPA... [ OK ]
     ◦ Decommission the rhel 6 host [ipa01.rhlab.dev].
       [root@ipa02 ~]# ipa-replica-manage del ipa01.rhlab.dev
       Connection to 'ipa01.rhlab.dev' failed:
       Forcing removal of ipa01.rhlab.dev
       Skipping calculation to determine if one or more masters would be orphaned.
       Deleting replication agreements between ipa01.rhlab.dev and ipa02.rhlab.dev
       Failed to get list of agreements from 'ipa01.rhlab.dev':
       Forcing removal on 'ipa02.rhlab.dev'
       Any DNA range on 'ipa01.rhlab.dev' will be lost
       Deleted replication agreement from 'ipa02.rhlab.dev' to 'ipa01.rhlab.dev'
       Background task created to clean replication data. This may take a while.
       This may be safely interrupted with Ctrl+C
     ◦ Remove the local IdM configuration on [ipa01.rhlab.dev].
       [root@ipa01 ~]# ipa-server-install --uninstall -U
  • 11. 12. Configure the client to pick up the new configuration.
     ◦ Open the sssd.conf file.
       [root@client ~]# vim /etc/sssd/sssd.conf
     ◦ Replace
       ipa_server = _srv_, ipa01.rhlab.dev
       with
       ipa_server = _srv_, ipa02.rhlab.dev
       dns_discovery_domain = rhlab.dev
     ◦ Make sure the RHEL 7.1 IPA server's IP address is the first nameserver in /etc/resolv.conf.
       search rhlab.dev
       nameserver 192.168.100.21
     ◦ Restart the sssd service, clearing its cache.
       service sssd stop; rm -Rf /var/lib/sss/db/*; service sssd start
    13. Create an additional replica for rhel 7 if required.
       [root@ipa02 ~]# ipa-replica-prepare ipa03.rhlab.dev --ip-address 192.168.100.23
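Steps 9 and 10 move two separate CA roles (CRL generation in CS.cfg, certificate renewal in the cn=masters LDAP entry), and the migration is only complete when both point at the same server. The following is an added example, not part of the original slides: a small POSIX shell check that reads a saved copy of CS.cfg and the ldapsearch -LLL output from step 10 and reports whether a given host holds both master roles. File paths are assumed and the sample inputs are constructed to match the expected end state.

```shell
# Added example, not from the original slides: verify from captured files
# that one host holds both CA master roles (CRL generation + renewal).
# Inputs are assumed copies of CS.cfg and of the step-10 ldapsearch output.

# Print "master", "clone" or "inconsistent" from the two CRL keys in CS.cfg.
crl_role() {
    cache=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLCache=//p' "$1")
    updates=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p' "$1")
    if [ "$cache" = true ] && [ "$updates" = true ]; then echo master
    elif [ "$cache" = false ] && [ "$updates" = false ]; then echo clone
    else echo inconsistent
    fi
}

# Print the hostname of the CA entry carrying caRenewalMaster (ldapsearch -LLL).
renewal_master() {
    awk 'BEGIN { RS = "" } /ipaConfigString: caRenewalMaster/ {
        if (match($0, /cn=CA,cn=[^,]*/)) print substr($0, RSTART + 9, RLENGTH - 9)
    }' "$1"
}

# Return 0 only when HOST is CRL master in CS.cfg and renewal master in LDAP.
check_ca_master() {   # usage: check_ca_master CS.cfg masters.ldif HOST
    [ "$(crl_role "$1")" = master ] && [ "$(renewal_master "$2")" = "$3" ]
}

# Constructed sample inputs mirroring the expected end state of the guide.
tmp=$(mktemp -d)
cat > "$tmp/new-CS.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
EOF
cat > "$tmp/old-CS.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
EOF
cat > "$tmp/masters.ldif" <<'EOF'
dn: cn=CA,cn=ipa02.rhlab.dev,cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev
objectClass: nsContainer
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA
EOF

if check_ca_master "$tmp/new-CS.cfg" "$tmp/masters.ldif" ipa02.rhlab.dev; then
    echo "ipa02.rhlab.dev holds both CA master roles"
fi
```

Run it against the real files on each server after step 10: the old rhel 6 master should report "clone" and the rhel 7 server should pass the combined check.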