29.2. Installing an IdM server configured to use eDNS
You can install an IdM server with DoT enabled by performing a non-interactive installation using the ipa-server-install utility. This procedure describes how to configure DoT with the enforced policy using the integrated DNS service. If you require the relaxed policy instead, you can skip the steps for pre-configuring clients and replicas for DoT exclusively, as the IdM server automatically discovers them.
You can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.
Prerequisites
- Review the steps outlined in Preparing the system for IdM server installation.
- For the enforced DoT policy, complete the steps in Configuring client and replica systems to use DoT exclusively.
- Ensure the following packages are installed:
  - ipa-server
  - ipa-server-dns
  - ipa-server-encrypted-dns
  - ipa-client-encrypted-dns
Procedure
1. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:
   # firewall-cmd --add-service=dns-over-tls
2. Optional: To use a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, create the files:
   $ openssl req \
       -newkey rsa:2048 \
       -nodes \
       -keyout /etc/pki/tls/certs/privkey.pem \
       -x509 \
       -days 36500 \
       -out /etc/pki/tls/certs/certificate.pem \
       -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
     chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem
3. Install the IdM server with integrated DNS:
   Note: If you do not strictly require DoT, you can omit the --dns-policy option. The installer then uses the default relaxed policy.
   - To install the IdM server with externally issued keys and certificates, specify the certificate and key paths:
     # ipa-server-install --setup-dns --dns-over-tls \
         --dot-forwarder "<server_ip>#<dns_server_hostname>" \
         --dns-policy enforced \
         --dns-over-tls-cert /etc/pki/tls/certs/certificate.pem \
         --dns-over-tls-key /etc/pki/tls/certs/privkey.pem \
         --no-dnssec-validation --auto-reverse \
         --domain <domain_name> --realm <realm_name> --hostname <idm_server_fqdn> \
         -p <admin_password> -a <admin_password> -U
   - To install the IdM server with the integrated IdM CA, run the following command:
     # ipa-server-install --setup-dns --dns-over-tls \
         --dot-forwarder "<server_ip>#<dns_server_hostname>" \
         --dns-policy enforced \
         --no-dnssec-validation --auto-reverse \
         --domain <domain_name> --realm <realm_name> --hostname <idm_server_fqdn> \
         -p <admin_password> -a <admin_password> -U
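Before handing a custom certificate and key to ipa-server-install, it is worth confirming that the two belong together, that the certificate has not expired, and that it names the IdM server's FQDN, since a mismatch only surfaces later as failed DoT handshakes on port 853. The POSIX shell function below is an added example, not part of the Red Hat documentation or the ipa tooling; it assumes openssl is installed and takes the certificate path, key path and FQDN as arguments.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): sanity-check a custom
# DoT certificate/key pair before passing it to ipa-server-install.
# Usage: check_dot_cert <certificate.pem> <privkey.pem> <idm_server_fqdn>
# Returns 0 when the key matches the certificate, the certificate is still
# valid, and the subject CN or a SAN DNS entry equals the server's FQDN.
check_dot_cert() {
    cert="$1"; key="$2"; fqdn="$3"

    # 1. Key and certificate must belong together: compare the public keys
    #    derived from each file instead of trusting file names.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }

    # 2. The certificate must be valid right now (-checkend 0 fails if expired).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }

    # 3. Clients validate the name they connect to, so the IdM FQDN must appear
    #    as the subject CN or as a DNS SAN entry (the -ext option needs
    #    OpenSSL 1.1.1 or later; older versions simply yield no SAN text).
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
    case "$subject" in
        *"CN=$fqdn"|*"CN=$fqdn,"*) return 0 ;;
    esac
    case "$sans" in
        *"DNS:$fqdn"|*"DNS:$fqdn,"*) return 0 ;;
    esac
    echo "certificate is not issued for $fqdn" >&2
    return 1
}
```

Run it against the files created in step 2 (for example `check_dot_cert /etc/pki/tls/certs/certificate.pem /etc/pki/tls/certs/privkey.pem idm.example.com`) and only proceed to step 3 when it exits 0.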
Troubleshooting
- Enable detailed logging for the unbound service:
  # unbound-control verbosity 3
- Restart the unbound service to apply the updated configuration:
  # systemctl restart unbound
- Monitor real-time logs of the unbound service:
  $ journalctl -u unbound -f