In this short guide I demonstrate how to upgrade Red Hat IdM (FreeIPA) from rhel 6 to 7.x.
Promote IdM (FreeIPA) to RHEL 7
Before we start upgrading IdM to rhel 7 we need to ask: what is IdM?
“Identity management (IdM) describes the management of individual principals, their
authentication, authorization, and privileges within or across system and enterprise
boundaries with the goal of increasing security and productivity while decreasing cost,
downtime and repetitive tasks.”
Why IdM? What kinds of problems does it solve?
• Identities
– Where are my users stored? What properties do they have? How is this data made available to systems and applications?
• Authentication
– What credentials do my users use to authenticate? Passwords? Smart cards? Special devices? Is there SSO? How can the same user access file stores and web applications without requiring re-authentication?
• Access control
– Which users have access to which systems, services and applications? What commands can they run on those systems? What SELinux context is a user mapped to?
• Policies
– What is the required password strength? What are the automount rules? What are the Kerberos ticket policies?
When migrating an IdM server from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7 or CentOS, the process is very similar to promoting a replica to a master:
1. A new server is created on Red Hat Enterprise Linux 7.
2. All data are migrated over to the new server.
3. All services, such as CRL and certificate creation, DNS management and Kerberos KDC administration, are transitioned over to the new system.
Upgrading IdM into Red Hat 7.x 2
The overview of our lab:
Red Hat 6:
OS: rhel 6.7
IPA version: 3.x
IP: 192.168.100.20
hostname: ipa01.rhlab.dev
DNS: rhlab.dev
Red Hat 7:
OS: rhel 7.1
IPA version: 4.x
IP: 192.168.100.21
hostname: ipa02.rhlab.dev
DNS: rhlab.dev
Client:
OS: rhel 6.7
IPA client version: 3.x
IP: 192.168.100.22
hostname: client.rhlab.dev
DNS: rhlab.dev
Upgrading process:
Assuming you already have IPA installed on rhel 6.7, migrating from rhel 6 to 7 requires going through these steps:
1. Update rhel 6 to the latest version, including the ipa packages.
[root@ipa01 ~]# yum update ipa-*
2. Configure the firewall on rhel 7 if required.
[root@ipa02 ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,88/udp,464/udp,22/tcp}
[root@ipa02 ~]# firewall-cmd --reload
3. Install the IdM packages on rhel 7.
[root@ipa02 ~]# yum install ipa-server ipa-server-dns -y
4. Copy the Python schema update script from rhel 7 to rhel 6.
[root@ipa02 ~]# scp /usr/share/ipa/copy-schema-to-ca.py ipa01:/root/
5. Run the schema update script on rhel 6.
[root@ipa01 ~]# python copy-schema-to-ca.py
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif
ipa : INFO Restarting CA DS
ipa : INFO Schema updated successfully
6. On rhel 6, create the replica file for rhel 7.
[root@ipa01 ~]# ipa-replica-prepare ipa02.rhlab.dev --ip-address 192.168.100.21
Directory Manager (existing master) password:
Preparing replica for ipa02.rhlab.dev from ipa01.rhlab.dev
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipa02.rhlab.dev.gpg
Adding DNS records for ipa02.rhlab.dev
Using reverse zone 2.0.192.in-addr.arpa.
The ipa-replica-prepare command was successful
7. Install the replica on rhel 7: use the --setup-ca option to set up a Dogtag Certificate System instance and the --setup-dns option to configure the DNS server. The replica server's IP address in this example is 192.168.100.21.
[root@ipa02 ~]# ipa-replica-install --setup-ca --ip-address=192.168.100.21 -p password -w password -N --setup-dns --no-forwarders -U /var/lib/ipa/replica-info-ipa02.rhlab.dev.gpg
Run connection check to master
Check connection from replica to remote master 'ipa01.rhlab.dev':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
...
8. Verify the configuration on both systems.
◦ Verify that the IdM services are running:
[root@ipa02 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
◦ Verify that both IdM CAs are configured as master servers.
[root@ipa02 ~]# kinit admin
[root@ipa02 ~]# ipa-replica-manage list
ipa01.rhlab.dev: master
ipa02.rhlab.dev: master
[root@ipa02 ~]# ipa-replica-manage list -v ipa02.rhlab.dev
ipa02.rhlab.dev: replica
last init status: None
last init ended: None
last update status: 0 Replica acquired successfully: Incremental update started
last update ended: None
9. On rhel 6, disable renewal of the CA subsystem certificates and stop issuing CRLs.
◦ Identify which server instance is the master CA server. Both CRL generation and renewal operations are handled by the same CA server, so the master CA can be identified as the one where certmonger tracks the CA certificates with the renew_ca_cert post-save command.
[root@ipa01 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
◦ On the original master CA, disable tracking for all of the original CA certificates.
[root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
Request "20151127184547" removed.
[root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
Request "20151127184548" removed.
[root@ipa01 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Request "20151127184549" removed.
[root@ipa01 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
Request "20151127184550" removed.
◦ Reconfigure the original master CA to retrieve renewed certificates from the new master CA.
1. Copy the renewal helper into the certmonger service directory, and set the
appropriate permissions.
[root@ipa01 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/ca_renewal
[root@ipa01 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
2. Update the SELinux configuration.
[root@ipa01 ~]# /sbin/restorecon /var/lib/certmonger/cas/ca_renewal
3. Restart certmonger.
[root@ipa01 ~]# service certmonger restart
4. Check that the CA is listed to retrieve certificates. This is printed in the CA configuration.
[root@ipa01 ~]# getcert list-cas
...
CA 'dogtag-ipa-retrieve-agent-submit':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
5. Get the CA certificate database PIN.
[root@ipa01 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
6. Configure certmonger to track the certificates for external renewal. This requires the database PIN from the previous step (shown as database_pin below).
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"' -T "auditSigningCert cert-pki-ca" -P database_pin
New tracking request "20151127184743" added.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"' -T "ocspSigningCert cert-pki-ca" -P database_pin
New tracking request "20151127184744" added.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"' -T "subsystemCert cert-pki-ca" -P database_pin
New tracking request "20151127184745" added.
[root@ipa01 ~]# getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /etc/httpd/alias -n ipaCert -C /usr/lib64/ipa/certmonger/restart_httpd -T ipaCert -p /etc/httpd/alias/pwdfile.txt
New tracking request "20151127184746" added.
◦ Stop CRL generation on the original master CA.
1. Stop CA service.
[root@ipa01 ~]# service pki-cad stop
2. Open the CA configuration file.
[root@ipa01 ~]# vim /var/lib/pki-ca/conf/CS.cfg
3. Change the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false to disable CRL generation.
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
4. Start the CA service.
[root@ipa01 ~]# service pki-cad start
◦ Configure Apache to redirect CRL requests to the new master.
1. Open the CA proxy configuration.
[root@ipa01 ~]# vim /etc/httpd/conf.d/ipa-pki-proxy.conf
2. Uncomment the RewriteRule on the last line and replace the ipa01 server URL with the new Red Hat Enterprise Linux 7 server URL.
RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
3. Restart Apache.
[root@ipa01 ~]# service httpd restart
10. Configure the rhel 7 IdM instance as the master.
◦ Configure CA renewal using the ipa-csreplica-manage utility.
[root@ipa02 ~]# ipa-csreplica-manage set-renewal-master
◦ Configure the new master CA to generate CRLs.
1. Stop CA service.
[root@ipa02 ~]# systemctl stop pki-tomcatd@pki-tomcat.service
2. Open the CA configuration file.
[root@ipa02 ~]# vim /etc/pki/pki-tomcat/ca/CS.cfg
3. Change the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to true to enable CRL generation.
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
4. Start CA service.
[root@ipa02 ~]# systemctl start pki-tomcatd@pki-tomcat.service
◦ Configure Apache to stop redirecting CRL requests. As a clone, this instance routed all CRL requests to the original master; as the new master, it answers CRL requests itself.
1. Open the CA proxy configuration.
[root@ipa02 ~]# vim /etc/httpd/conf.d/ipa-pki-proxy.conf
2. Comment out the RewriteRule argument on the last line.
#RewriteRule ^/ipa/crl/MasterCRL.bin https://ipa02.rhlab.dev/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
3. Restart Apache.
[root@ipa02 ~]# systemctl restart httpd.service
4. Check that the server is the certificate renewal master.
# ldapsearch -H ldap://127.0.0.1 -D 'cn=Directory Manager' -W -b cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev '(ipaConfigString=caRenewalMaster)' -LLL
Enter LDAP Password:
dn: cn=CA,cn=ipa02.rhlab.dev,cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA
Note: in the above output "caRenewalMaster" should be present.
5. Check that the server is the CRL generation master.
# grep -i ca.crl.MasterCRL.enableCRL /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
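As an added example that is not part of this guide, the following shell script combines the two checks from step 10 into one offline test: it parses the ldapsearch output for caRenewalMaster entries and the CS.cfg flags, and fails if more than one server claims the renewal role or if CRL generation is not enabled on the expected host. The LDIF and CS.cfg contents are constructed samples; on a live server substitute the real command output and file.

```shell
#!/bin/sh
# Added post-migration check (not from the guide): confirm that exactly one
# CA claims caRenewalMaster, that it is the RHEL 7 host, and that its CS.cfg
# has CRL generation enabled. Inputs below are constructed samples; on a
# live server feed it the ldapsearch output from step 10 and
# /etc/pki/pki-tomcat/ca/CS.cfg instead.

SAMPLE_LDIF='dn: cn=CA,cn=ipa02.rhlab.dev,cn=masters,cn=ipa,cn=etc,dc=rhlab,dc=dev
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA'

SAMPLE_CSCFG='ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.autoUpdateInterval=240'

# Print the host name of every CA entry in the LDIF (one per line).
renewal_masters() {
    printf '%s\n' "$1" | sed -n 's/^dn: cn=CA,cn=\([^,]*\),.*/\1/p'
}

# Succeed only if exactly one renewal master exists and it is the expected host;
# two entries would mean both masters still try to renew the shared certificates.
check_renewal_master() {
    masters=$(renewal_masters "$1")
    [ "$(printf '%s\n' "$masters" | grep -c .)" -eq 1 ] && [ "$masters" = "$2" ]
}

# Succeed only if both CRL flags from step 10 are set to true (exact-line match).
check_crl_flags() {
    printf '%s\n' "$1" | grep -qx 'ca.crl.MasterCRL.enableCRLCache=true' &&
    printf '%s\n' "$1" | grep -qx 'ca.crl.MasterCRL.enableCRLUpdates=true'
}

# Combined verdict: returns 0 when the host holds both CA master roles.
verify_ca_master() {
    check_renewal_master "$1" "$3" && check_crl_flags "$2"
}

if verify_ca_master "$SAMPLE_LDIF" "$SAMPLE_CSCFG" ipa02.rhlab.dev; then
    echo "ipa02.rhlab.dev is the sole renewal master and generates CRLs"
else
    echo "CA master roles are inconsistent; re-check steps 9 and 10" >&2
fi
```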
11. Remove the rhel 6 replica from rhel 7.
◦ Stop all services on the rhel 6 system; this forces domain discovery to the rhel 7 server.
[root@ipa01 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
RHLAB-DEV... [ OK ]
PKI-IPA... [ OK ]
◦ Decommission the rhel 6 host (ipa01.rhlab.dev) from the rhel 7 server.
[root@ipa02 ~]# ipa-replica-manage del ipa01.rhlab.dev
Connection to 'ipa01.rhlab.dev' failed:
Forcing removal of ipa01.rhlab.dev
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between ipa01.rhlab.dev and ipa02.rhlab.dev
Failed to get list of agreements from 'ipa01.rhlab.dev':
Forcing removal on 'ipa02.rhlab.dev'
Any DNA range on 'ipa01.rhlab.dev' will be lost
Deleted replication agreement from 'ipa02.rhlab.dev' to 'ipa01.rhlab.dev'
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
◦ Remove the local IdM configuration on ipa01.rhlab.dev.
[root@ipa01 ~]# ipa-server-install --uninstall -U
12. Configure the client to use the new server.
◦ Open the sssd.conf file.
[root@client ~]# vim /etc/sssd/sssd.conf
◦ Replace ipa_server = _srv_, ipa01.rhlab.dev with:
ipa_server = _srv_, ipa02.rhlab.dev
dns_discovery_domain = rhlab.dev
◦ Make sure the RHEL 7.1 IPA server's IP address is the first nameserver in /etc/resolv.conf:
search rhlab.dev
nameserver 192.168.100.21
◦ Restart the sssd service and clear its cache.
[root@client ~]# service sssd stop; rm -rf /var/lib/sss/db/*; service sssd start
13. Create an additional replica for rhel 7 if required.
[root@ipa02 ~]# ipa-replica-prepare ipa03.rhlab.dev --ip-address 192.168.100.23