Red Hat: Identity Management Server Setup and HA on RHEL 7

Introduction

Red Hat Identity Management Server is a centralized identity management server for Linux, Mac, and Windows.

In this post we are going to set up and configure an HA deployment of Red Hat IDM on two RHEL 7.x servers.

Red Hat Identity Management Server is based on the upstream project, FreeIPA.

Prerequisites

There are only a couple of prerequisites for a simple lab setup:

  • You need working DNS with forward and reverse entries for both IDM servers
  • NSCD needs to be disabled on each IDM server
  • A proper hostname needs to be set on each IDM node (cannot use localhost)
  • IPv6 needs to be enabled, but you do not need an IPv6 address on external interfaces

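The prerequisites above are easy to get wrong and the installer only tells you after it has partially configured the host. The script below is an added example (not from the original post or from Red Hat) that checks each one before you run ipa-server-install: that the hostname is a real FQDN rather than localhost, that the forward A record and the reverse PTR record agree, that nscd is not running, and that the kernel has not disabled IPv6. It assumes getent, systemctl and /proc/sys/net/ipv6 are available, as they are on RHEL 7.

```shell
#!/bin/sh
# Added pre-flight check for an IdM node (example code, not Red Hat's).
set -u

# is_valid_idm_hostname NAME: 0 if NAME is a fully qualified, non-localhost
# hostname made of valid DNS labels; 1 otherwise.
is_valid_idm_hostname() {
  local h=${1%.}                              # tolerate a trailing dot
  case $h in
    ''|localhost|localhost.localdomain) return 1 ;;
    *.*) ;;                                   # needs at least one dot (FQDN)
    *) return 1 ;;
  esac
  # each label: letters, digits, hyphens; no leading or trailing hyphen
  printf '%s\n' "$h" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# dns_roundtrip_ok NAME: 0 if NAME resolves to an IPv4 address and that
# address reverse-resolves back to NAME (the forward/reverse entries IdM needs).
dns_roundtrip_ok() {
  local host=${1%.} ip rev
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo "no A record for $host" >&2; return 1; }
  rev=$(getent hosts "$ip" | awk '{print $2}')
  [ "${rev%.}" = "$host" ] ||
    { echo "PTR for $ip is '${rev:-none}', expected $host" >&2; return 1; }
}

# nscd_not_running: 0 unless the nscd service is active.
nscd_not_running() {
  ! systemctl is-active --quiet nscd 2>/dev/null
}

# ipv6_enabled: 0 if IPv6 is not globally disabled in the kernel. IdM needs
# the stack enabled even when no external interface has an IPv6 address.
ipv6_enabled() {
  [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null)" = "0" ]
}

# preflight: run every check for this host and print a line per result;
# returns 1 if any check failed.
preflight() {
  local host rc=0
  host=$(hostname -f 2>/dev/null || hostname)
  if is_valid_idm_hostname "$host"; then echo "ok   hostname $host"
  else echo "FAIL hostname '$host' is not a usable FQDN"; rc=1; fi
  if dns_roundtrip_ok "$host"; then echo "ok   forward/reverse DNS for $host"
  else echo "FAIL forward/reverse DNS for $host"; rc=1; fi
  if nscd_not_running; then echo "ok   nscd not running"
  else echo "FAIL nscd is running; stop and disable it"; rc=1; fi
  if ipv6_enabled; then echo "ok   IPv6 enabled"
  else echo "FAIL IPv6 is disabled in the kernel"; rc=1; fi
  return $rc
}

# Usage: sh idm-preflight.sh run   (on each IdM node, before installing)
[ "${1:-}" = "run" ] && preflight
```

Run it on both idm1 and idm2; a non-zero exit means at least one prerequisite is not met, and the FAIL lines say which.
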
Firewall Configuration

Firewalld needs to be running and enabled. Iptables should be disabled and stopped.

The following ports/services need to be allowed on each node.

Service      Ports      Protocol
HTTP/HTTPS   80, 443    TCP
LDAP/LDAPS   389, 636   TCP
Kerberos     88, 464    TCP and UDP
DNS          53         TCP and UDP
NTP          123        UDP

Run the following command to open these ports (the UDP ports for Kerberos, DNS and NTP are included, matching the table above):

# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}

Now reload firewalld.

# firewall-cmd --reload

Now verify that the ports are open.

# iptables -L

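Reading iptables output by eye is error-prone, and it is easy to open the TCP ports and forget the UDP ones the table requires. The following is an added example (not from the original post or from Red Hat) that compares the ports firewalld actually has open against the table above and reports anything missing. It assumes firewalld is running and that firewall-cmd --list-ports prints the open ports as a space-separated list, which is its normal output.

```shell
#!/bin/sh
# Added check that every port IdM needs is open in firewalld (example code).
set -u

# Required ports, taken from the table above: HTTP/HTTPS, LDAP/LDAPS,
# Kerberos (TCP and UDP), DNS (TCP and UDP), NTP (UDP).
IDM_REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# missing_ports OPEN_LIST: print each required port absent from OPEN_LIST,
# where OPEN_LIST is a space-separated string as 'firewall-cmd --list-ports'
# prints it. Prints an empty line when nothing is missing.
missing_ports() {
  local open=" $1 " p missing=""
  for p in $IDM_REQUIRED_PORTS; do
    case $open in
      *" $p "*) ;;                         # present
      *) missing="$missing $p" ;;          # absent
    esac
  done
  printf '%s\n' "${missing# }"
}

# check_firewalld: query the live runtime configuration and report.
# Returns 0 when all required ports are open, 1 when some are missing,
# 2 when firewalld cannot be queried.
check_firewalld() {
  local open missing
  open=$(firewall-cmd --list-ports 2>/dev/null) ||
    { echo "firewalld is not running or firewall-cmd is unavailable" >&2; return 2; }
  missing=$(missing_ports "$open")
  if [ -n "$missing" ]; then
    echo "missing ports: $missing" >&2
    echo "open them with: firewall-cmd --permanent --add-port={$(echo "$missing" | tr ' ' ',')} && firewall-cmd --reload" >&2
    return 1
  fi
  echo "all required IdM ports are open: $open"
}

# Usage: sh idm-ports.sh run   (on each IdM node, after the firewall-cmd steps)
[ "${1:-}" = "run" ] && check_firewalld
```

Because missing_ports works on a plain string, you can also feed it saved output from another host to compare the two nodes' firewall rules before building the replica.
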
Installing Packages

This procedure, as documented, will configure the following:

  • IDM installed without integrated DNS
  • IDM with IDM CA as the root CA (default)

Note that, as stated above, we are not going to integrate our IDM install with DNS; if you are interested in doing so, please refer to the following document.

On the first cluster node run the following command.

# yum install ipa-server

Again, on the same node as above, run the following command.

# ipa-server-install

You will be prompted to configure integrated DNS via BIND; select no.

Next, you will be prompted to enter the host name of your server. In this instance our hostname is idm1.lab.localdomain.

Now we will be prompted to enter a realm name; we will use our domain name here.

We now need to enter a password for the Directory Manager.

Next, you will need to enter a password for the IPA admin user.

Next, enter “Yes” to confirm.

Allow the install time to complete.

Initial Testing

Run the following command and enter the admin password.

# kinit admin
Password for admin@LAB.LOCALDOMAIN:

Now run “ipa user-find admin”. If this command returns the expected output (shown below), you have a functional IDM server.

# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@LAB.LOCALDOMAIN
  UID: 1550800000
  GID: 1550800000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

Accessing the WebUI

In your browser of choice, navigate to the following URL, modifying it to fit your environment.

https://<FQDN_of_idm_server>/ipa/ui

Log in using the admin credentials.

HA: Setting up an IDM Replica Server

Replicas share internal user info, along with servers and certificates. Data is kept in sync between servers by a process called replication (duh). Before we move forward, let's define a few terms in the context of IDM.

  • Server: An IDM server. Manages all IDM services.
  • Replica: Basically a copy of a server; once in sync, replicas are identical to servers.
  • Clients: Belong to the Kerberos domain and consume services.

You can read more about servers and replicas here. There are a number of prerequisites and assumptions that are worth reading about; we are not going to go into them here.

Preparing a Replica

First and foremost, you will need to configure your replica server to have the same firewall ports open (see above), and you will need to ensure that the ipa-server package is installed.

Below we are going to install the ipa-server package and its dependencies. Ensure that you are installing the same package versions between both hosts.

[root@idm2 ~]# yum install ipa-server

Note that you are not going to run the ipa-server-install script on this host.

Adding the Replica as an IDM Client

Before you can add a replica, you must first add it as an IPA (IDM) client. As you can see the command below is run on the replica-to-be. There are other options for the command below, but since we have not integrated with DNS we will keep things simple.

[root@idm2 ~]# ipa-client-install

You will be prompted for your IPA/IDM admin ID and password.

We can validate with the command below.

[root@idm2 ~]# getent passwd admin
admin:*:1550800000:1550800000:Administrator:/home/admin:/bin/bash

In the WebUI you should now see both the original IDM host and the future replica.

Running the Replica Install

Once our replica server has been added as an IDM client, we are free to configure it as a replica.

Run the command below on the replica-to-be.

[root@idm2 ~]# ipa-replica-install

Replicating CA Service

The output of ipa-replica-install notes that the CA service is not automatically replicated, so we must also run “ipa-ca-install” on the replica server [idm2.lab.localdomain].

[root@idm2 ~]# ipa-ca-install

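Once ipa-ca-install finishes, it is worth confirming that both the domain data and the CA are actually replicated to both servers rather than trusting the installer output alone. The script below is an added example (not from the original post or from Red Hat) for the replica: it checks that SSSD can resolve the admin user, as in the getent check earlier, and then parses ipa-replica-manage list and ipa-csreplica-manage list to confirm that idm1.lab.localdomain and idm2.lab.localdomain appear in both. It assumes those two tools print one “hostname: master” line per server, and that the two lab hostnames from this post are the ones you expect to see.

```shell
#!/bin/sh
# Added post-install verification for an IdM replica (example code).
set -u

# The servers that should appear in both domain and CA replication lists
# (the two lab hosts used in this post).
IDM_SERVERS="idm1.lab.localdomain idm2.lab.localdomain"

# hosts_missing_from_list LIST_OUTPUT: print each server from IDM_SERVERS
# that has no "<host>: " line in LIST_OUTPUT; empty line when none is missing.
hosts_missing_from_list() {
  local out=$1 h missing=""
  for h in $IDM_SERVERS; do
    case $out in
      *"$h: "*) ;;                         # listed
      *) missing="$missing $h" ;;          # absent
    esac
  done
  printf '%s\n' "${missing# }"
}

# expect_all_servers LABEL LIST_OUTPUT: report servers missing from
# LIST_OUTPUT under LABEL; returns 0 only when every server is present.
expect_all_servers() {
  local label=$1 missing
  missing=$(hosts_missing_from_list "$2")
  if [ -n "$missing" ]; then
    echo "FAIL $label: not replicated to $missing" >&2
    return 1
  fi
  echo "ok   $label: $IDM_SERVERS"
}

# admin_resolves: 0 if SSSD on this host can look up the IdM admin user.
admin_resolves() {
  getent passwd admin >/dev/null 2>&1
}

# verify_replica: run all checks; returns 1 if any fails. The *-manage tools
# may prompt for the Directory Manager password (or accept -p PASSWORD).
verify_replica() {
  local rc=0
  if admin_resolves; then echo "ok   getent passwd admin"
  else echo "FAIL admin user is not resolvable through SSSD" >&2; rc=1; fi
  expect_all_servers "domain replication" "$(ipa-replica-manage list 2>/dev/null)" || rc=1
  expect_all_servers "CA replication"     "$(ipa-csreplica-manage list 2>/dev/null)" || rc=1
  return $rc
}

# Usage: sh idm-verify-replica.sh run   (on idm2, after ipa-ca-install)
[ "${1:-}" = "run" ] && verify_replica
```

If “CA replication” reports idm2 as missing while “domain replication” does not, ipa-ca-install has not been run (or did not complete) on the replica, which is exactly the situation the section above addresses.
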

Additional Resources

LINUX DOMAIN IDENTITY, AUTHENTICATION, AND POLICY GUIDE

FreeIPA

Red Hat Identity Manager: Part 1 – Overview and Getting started