On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users wrote:
> > a customer wants to use the Redhat certificate system instead of
> > the one built into freeipa. AFAIK both use dogtag under the hood.
>
> Can you expand on what "instead of" means here? What type of integration
> are they looking for? You seem to suggest below that both would be running.
I'm really no freeipa expert. All I know is that some certificate system is normally installed with the ipa-server package. The customer wants to use RHCS instead because of some feature that's only present in RHCS. (We've already discussed that with Redhat support.) If possible, we want to disable the certificate system that comes with freeipa and use only RHCS.

The point is that the customer wants some evidence against running RHCS on the freeipa server. (Not just security and availability issues.)

Thank you very much for the additional information below, that really helps a lot.

> > The customer wants to run the certificate system on the same
> > machine as the ipa server, if possible (because otherwise he needs
> > more hardware). Redhat support had some unspecific concerns that
> > RHCS might conflict with the one that is part of freeipa.
> >
> > Is it possible at all? Will it cause trouble? Has anybody some
> > experience with that setup?
>
> We strongly discourage running other services on an IPA server, and if
> they already have limited hardware then double that. Every new service
> expands the attack surface on the machine.
>
> While there are few details here, in worst case it would add another
> LDAP instance and expand an already large java process. Whether it would
> cause issues is largely unknown. If they carefully selected the ports to
> use it *might* work but yeah, not something we'd recommend or easily
> support. And who knows how upgrades would work.
>
> I'm sure RH support wasn't specific b/c AFAIK nobody has ever tried this.
>
> The point I'd make is that IPA is not just some service you run. Its
> purpose is to centralize all AAA operations. Do you really want to cheap
> out on that? What is the cost of downtime/losing everything to a
> hardware fault vs buying more hardware?
>
> If pressed I suppose I'd suggest running RHCS and IPA in separate VMs
> rather than on bare hardware in order to achieve separation.
> But this
> still looks like putting all eggs into one basket.

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
