Red Hat Summit6.2. Interactive installation of an IdM server without integrated DNS and with an external CA as the root CA
During the interactive installation using the ipa-server-install utility, you are asked to supply basic configuration of the system, for example the realm, the administrator’s password and the Directory Manager’s password.
The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.
Follow this procedure to install a server:
- Without integrated DNS
- With an external certificate authority (CA) as the root CA
Prerequisites
-
You have determined the type of the external CA to specify with the
--external-ca-typeoption. See theipa-server-install(1) man page for details. If you are using a Microsoft Certificate Services certificate authority (MS CS CA) as your external CA: you have determined the certificate profile or template to specify with the
--external-ca-profileoption. By default, theSubCAtemplate is used.For more information about the
--external-ca-typeand--external-ca-profileoptions, see Options used when installing an IdM CA with an external CA as the root CA.
Procedure
Run the ipa-server-install utility with the
--external-caoption.If you are using the Microsoft Certificate Services (MS CS) CA, also use the
--external-ca-typeoption and, optionally, the--external-ca-profileoption:[root@server ~]# ipa-server-install --external-ca --external-ca-type=ms-cs --external-ca-profile=<oid>/<name>/defaultIf you are not using MS CS to generate the signing certificate for your IdM CA, no other option may be necessary:
# ipa-server-install --external-ca
The script prompts to configure an integrated DNS service. Press Enter to select the default
nooption.Do you want to configure integrated DNS (BIND)? [no]:The script prompts for several required settings and offers recommended default values in brackets.
- To accept a default value, press Enter.
To provide a custom value, enter the required value.
Server host name [server.idm.example.com]: Please confirm the domain name [idm.example.com]: Please provide a realm name [IDM.EXAMPLE.COM]:警告Plan these names carefully. You will not be able to change them after the installation is complete.
Enter the passwords for the Directory Server superuser (
cn=Directory Manager) and for the IdM administration system user account (admin).Directory Manager password: IPA admin password:Enter
yesto confirm the server configuration.Continue to configure the system with these values? [no]: yesDuring the configuration of the Certificate System instance, the utility prints the location of the certificate signing request (CSR):
/root/ipa.csr:... Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/8]: creating certificate server user [2/8]: configuring certificate server instance The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as: /sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificateWhen this happens:
-
Submit the CSR located in
/root/ipa.csrto the external CA. The process differs depending on the service to be used as the external CA. Retrieve the issued certificate and the CA certificate chain for the issuing CA in a base 64-encoded blob (either a PEM file or a Base_64 certificate from a Windows CA). Again, the process differs for every certificate service. Usually, a download link on a web page or in the notification email allows the administrator to download all the required certificates.
重要Be sure to get the full certificate chain for the CA, not just the CA certificate.
Run
ipa-server-installagain, this time specifying the locations and names of the newly-issued CA certificate and the CA chain files. For example:# ipa-server-install --external-cert-file=/tmp/servercert20170601.pem --external-cert-file=/tmp/cacert.pem
-
Submit the CSR located in
- The installation script now configures the server. Wait for the operation to complete.
The installation script produces a file with DNS resource records:
the /tmp/ipa.system.records.UFRPto.dbfile in the example output below. Add these records to the existing external DNS servers. The process of updating the DNS records varies depending on the particular DNS solution.... Restarting the KDC Please add records in this file to your DNS system: /tmp/ipa.system.records.UFRBto.db Restarting the web server ...重要The server installation is not complete until you add the DNS records to the existing DNS servers.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}