hi,
We need to deploy an IdM environment in a firewalled network with different layers (untrusted/semi-trusted/trusted).
In the untrusted network there will be no IdM servers. In the trusted zone, we will have replicas with the base services (ldap/kerberos/dns). Hosts in the untrusted zone will talk to these replicas.
In the trusted zone we will have replicas with the CA functionality as well, and obviously the IdM servers will communicate between the semi-trusted and trusted zone.
According to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
"If you set up a replica without a CA, it will forward all requests for certificate operations to the CA server in your topology."
The question is: will certmonger on hosts in the untrusted zone be able to request and renew certificates and have the requests proxied to the trusted zone servers with the CA service? I know mod_rewrite can do this using the [P] flag (https://httpd.apache.org/docs/2.4/rewrite/proxy.html), but is this something we can use for our goal?
Thanks!
-- Groeten, natxo
Natxo Asenjo via FreeIPA-users wrote:
> hi,
> We need to deploy an IdM environment in a firewalled network with different layers (untrusted/semi-trusted/trusted).
> In the untrusted network there will be no IdM servers. In the trusted zone, we will have replicas with the base services (ldap/kerberos/dns). Hosts in the untrusted zone will talk to these replicas.
> In the trusted zone we will have replicas with the CA functionality as well, and obviously the IdM servers will communicate between the semi-trusted and trusted zone.
> According to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> "If you set up a replica without a CA, it will forward all requests for certificate operations to the CA server in your topology."
> The question is: will certmonger on hosts in the untrusted zone be able to request and renew certificates and have the requests proxied to the trusted zone servers with the CA service? I know mod_rewrite can do this using the [P] flag (https://httpd.apache.org/docs/2.4/rewrite/proxy.html), but is this something we can use for our goal?
It depends on the certmonger "ca" used to request the cert on those hosts.
If the request uses the "IPA" CA then certmonger will use the IPA API to make cert requests. As long as it can contact an IPA master, the request will be handled properly, e.g. if you used ipa-getcert to obtain the cert. This is shorthand for getcert -c IPA ...
If you used another CA, like the one used to renew the CA certificates (dogtag-*) then yes, it would need to talk directly to the CA.
I'm guessing it is the former as that is the typical use case.
rob
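A small added script (not from either poster or from the FreeIPA project) that applies Rob's distinction before opening firewall rules: it reads `getcert list` output and separates tracking requests that use the "IPA" CA (served by the IPA API on any reachable master, including a CA-less replica that forwards the operation) from those using any other CA helper such as the dogtag-* ones, which need a path to a CA master. The `getcert list` sample below is constructed for the demo, the hostnames are hypothetical, and the reachability helper assumes the IPA master's HTTPS endpoint at `/ipa/ui/`.

```shell
#!/bin/sh
# Added example: classify certmonger tracking requests by CA helper so the
# firewall rules for the untrusted zone can be scoped accordingly.

# Constructed sample of `getcert list` output (two tracked certs). On a real
# host replace this with:  getcert list | certmonger_ca_report
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20240101120000':
	status: MONITORING
	stuck: no
	certificate: type=FILE,location='/etc/pki/tls/certs/web1.crt'
	CA: IPA
	subject: CN=web1.untrusted.example.test,O=EXAMPLE.TEST
Request ID '20240101120001':
	status: MONITORING
	stuck: no
	certificate: type=FILE,location='/etc/pki/tls/certs/app.crt'
	CA: dogtag-ipa-ca-renew-agent
	subject: CN=app.untrusted.example.test,O=EXAMPLE.TEST
EOF
}

# Print one "request-id<TAB>ca-name" line per tracked request read on stdin.
# The request id is the quoted token on the "Request ID" line; the CA is the
# value of the indented "CA:" field that follows it.
certmonger_ca_report() {
    awk -v q="'" '
        /^Request ID/ { split($0, parts, q); id = parts[2] }
        /^[[:space:]]*CA:/ {
            ca = $0
            sub(/^[[:space:]]*CA:[[:space:]]*/, "", ca)
            print id "\t" ca
        }
    '
}

# Keep only the requests that do NOT go through the IPA API, i.e. the ones
# that would have to reach a CA master directly across the zone boundary.
needs_direct_ca_access() {
    certmonger_ca_report | awk -F '\t' '$2 != "IPA" { print $1 "\t" $2 }'
}

# TCP/TLS reachability check for an IPA master's HTTPS endpoint (port 443),
# which is what the "IPA" certmonger helper needs. Takes an assumed hostname
# as $1; needs network access, so it is not run as part of the demo below.
ipa_master_reachable() {
    curl --silent --head --connect-timeout 5 "https://$1/ipa/ui/" >/dev/null 2>&1
}

# Demo over the constructed sample: lists the requests needing a CA master.
sample_getcert_list | needs_direct_ca_access
```

Requests reported by `needs_direct_ca_access` are the ones where a CA-less replica in the semi-trusted zone will not help; everything else only needs HTTPS to an IPA master, which `ipa_master_reachable host` can confirm from the untrusted side.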
freeipa-users@lists.fedorahosted.org