
16.8. Promoting a Replica to a FreeIPA Server

The only difference between a replica and the master server is that the master owns the master CA in the PKI hierarchy. The replica database is cloned (or copied) from that master database.
This means that it is possible to change a replica server to a master server by changing its CA configuration and promoting the cloned database to be a master database.

16.8.1. Promoting a Replica with a Dogtag Certificate System CA

  1. On the replica server, stop the CA server.
    service pki-ca stop
  2. Open the CA's configuration directory.
    cd /var/lib/pki-ca/conf
  3. Edit the CS.cfg file to configure the replica's CA as a master.
    1. Delete each line which begins with the ca.crl. prefix.
    2. Copy each line beginning with the ca.crl. prefix from the CA CS.cfg file on the master server into the replica server's CA CS.cfg file.
    3. Enable control of the database maintenance thread; the default value for a master CA is 600.
      ca.certStatusUpdateInterval=600
    4. Enable monitoring database replication:
      ca.listenToCloneModifications=true
    5. Enable maintenance of the CRL cache:
      ca.crl.IssuingPointId.enableCRLCache=true
    6. Enable CRL generation:
      ca.crl.IssuingPointId.enableCRLUpdates=true
    7. Disable the redirect settings for CRL generation requests:
      master.ca.agent.host=hostname
      master.ca.agent.port=port number
  4. Start the CA server.
    service pki-ca start
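Before starting the CA again, it is worth verifying that the edited CS.cfg actually carries the master settings from steps 2 to 7. The script below is an added example, not part of the FreeIPA or Dogtag documentation: it compares a replica's CS.cfg with a copy of the master's and reports every setting that still has its clone value. File names, the IssuingPointId name and all key/value lines it creates are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the FreeIPA or Dogtag documentation: check a
# replica's CS.cfg against a copy of the master's before `service pki-ca
# start`. File names, the IssuingPointId and all key/value lines below are
# constructed for the example.
set -e

# value of key $2 in file $1 (last occurrence wins, as in a Java properties file)
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_promoted_cs_cfg REPLICA_CS_CFG MASTER_CS_CFG
# Returns 0 when the replica file carries the master settings of steps 2-6,
# otherwise prints each failed check and returns 1.
check_promoted_cs_cfg() {
    replica=$1; master=$2; rc=0
    # steps 3-4: fixed values a master CA is expected to have
    for kv in ca.certStatusUpdateInterval=600 ca.listenToCloneModifications=true; do
        key=${kv%%=*}; want=${kv#*=}; got=$(cfg_get "$replica" "$key")
        [ "$got" = "$want" ] || { echo "FAIL: $key='$got', expected '$want'"; rc=1; }
    done
    # step 2: the replica's ca.crl.* lines must be exactly the master's
    [ "$(grep -E '^ca\.crl\.' "$master" | sort)" = "$(grep -E '^ca\.crl\.' "$replica" | sort)" ] \
        || { echo "FAIL: ca.crl.* lines differ from the master's CS.cfg"; rc=1; }
    # steps 5-6: CRL cache and CRL generation enabled for an issuing point
    for opt in enableCRLCache enableCRLUpdates; do
        grep -q -E "^ca\.crl\.[^.=]+\.$opt=true\$" "$replica" \
            || { echo "FAIL: no ca.crl.<IssuingPointId>.$opt=true line"; rc=1; }
    done
    # step 7: only report redirect settings that are still present
    grep -E '^master\.ca\.agent\.(host|port)=' "$replica" | sed 's/^/NOTE: still set: /'
    return $rc
}

# constructed sample fragments; real CS.cfg files are far larger
dir=$(mktemp -d)
printf '%s\n' ca.certStatusUpdateInterval=600 ca.listenToCloneModifications=true \
    ca.crl.MasterCRL.enableCRLCache=true ca.crl.MasterCRL.enableCRLUpdates=true \
    ca.crl.MasterCRL.autoUpdateInterval=240 > "$dir/master.CS.cfg"
# replica as cloned: clone values, CRL work disabled, requests redirected to master
printf '%s\n' ca.certStatusUpdateInterval=0 ca.listenToCloneModifications=false \
    ca.crl.MasterCRL.enableCRLCache=false ca.crl.MasterCRL.enableCRLUpdates=false \
    master.ca.agent.host=master.example.com master.ca.agent.port=9443 > "$dir/replica.CS.cfg"

echo '--- replica as cloned'
check_promoted_cs_cfg "$dir/replica.CS.cfg" "$dir/master.CS.cfg" && echo OK || echo 'NOT READY'
echo '--- replica after applying steps 2-7 (ca.crl.* lines taken from the master)'
cp "$dir/master.CS.cfg" "$dir/promoted.CS.cfg"
check_promoted_cs_cfg "$dir/promoted.CS.cfg" "$dir/master.CS.cfg" && echo OK || echo 'NOT READY'
rm -rf "$dir"
```

Run it as `sh check_cs_cfg.sh` after step 3 and only start pki-ca once the promoted file reports OK; the "as cloned" run shows what each unedited setting looks like.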

16.8.2. Promoting a Replica with a Self-Signed CA

  1. Copy the /var/lib/ipa/ca_serialno file from the master server to the replica.
  2. Import the CA certificate into the replica 389 Directory Server NSS database:
    # cd /etc/dirsrv/slapd-REALM
    # pk12util -i /path/to/cacert.p12 -d .
    
    The password on the PKCS#12 file is stored as /etc/dirsrv/slapd-REALM/pwdfile.txt on the original server.
  3. Delete the existing replication agreements between the replica and master server:
    # ipa-replica-manage del master.example.com
    
This leaves two identical FreeIPA servers that are unaware of one another. The old master server can then be shut down and replaced by the promoted server without affecting the domain.