Dominik Vogt via FreeIPA-users wrote:
> Hi folks,
>
> a customer wants to use the Redhat certificate system instead of
> the one built into freeipa. AFAIK both use dogtag under the hood.
Can you expand on what "instead of" means here? What type of integration are they looking for? You seem to suggest below that both would be running.

> The customer wants to run the certificate system on the same
> machine as the ipa server, if possible (because otherwise he needs
> more hardware). Redhat support had some unspecific concerns that
> RHCS might conflict with the one that is part of freeipa.
>
> Is it possible at all? Will it cause trouble? Has anybody some
> experience with that setup?

We strongly discourage running other services on an IPA server, and if they already have limited hardware then double that. Every new service expands the attack surface on the machine. While there are few details here, in the worst case it would add another LDAP instance and expand an already large Java process.

Whether it would cause issues is largely unknown. If they carefully selected the ports to use it *might* work, but yeah, not something we'd recommend or easily support. And who knows how upgrades would work. I'm sure RH support wasn't specific because AFAIK nobody has ever tried this.

The point I'd make is that IPA is not just some service you run. Its purpose is to centralize all AAA operations. Do you really want to cheap out on that? What is the cost of downtime/losing everything to a hardware fault vs. buying more hardware?

If pressed I suppose I'd suggest running RHCS and IPA in separate VMs rather than on bare hardware in order to achieve separation. But this still looks like putting all eggs into one basket.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
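The "carefully selected the ports" caveat above is the one part of this that can be checked mechanically before anyone tries the install. The script below is an added example, not code from FreeIPA, RHCS or anyone in this thread: it parses `ss -ltn` output and reports which ports a second Dogtag instance plans to use are already bound on the IPA host. The port numbers and `pki_*` names in `RHCS_DEFAULT_PORTS` are my assumption of pkispawn's defaults for a CA plus its own 389-ds instance; the `ss` output is a constructed sample of what an IPA server with an integrated CA typically shows, and the re-planned port set at the end is hypothetical.

```python
"""Check whether the ports a second Dogtag/RHCS instance wants are already bound.

Added example, not code from FreeIPA, RHCS or the mailing-list thread.
Parses `ss -ltn` output (constructed sample below) and reports collisions.
"""
import subprocess

# Assumption: pkispawn defaults for a CA subsystem plus its own 389-ds instance.
# Adjust these to whatever the real pkispawn config file sets.
RHCS_DEFAULT_PORTS = {
    389: "pki_ds_ldap_port (RHCS-internal 389-ds)",
    8080: "pki_http_port",
    8443: "pki_https_port",
    8009: "pki_ajp_port",
    8005: "pki_tomcat_server_port (shutdown)",
}

# Constructed sample of `ss -ltn` on an IPA server with an integrated CA:
# 389-ds, Kerberos, httpd and the IPA pki-tomcat instance are all listening.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:389         0.0.0.0:*
LISTEN 0      128    [::]:389            [::]:*
LISTEN 0      128    0.0.0.0:636         0.0.0.0:*
LISTEN 0      128    0.0.0.0:88          0.0.0.0:*
LISTEN 0      128    0.0.0.0:464         0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      511    *:443               *:*
LISTEN 0      100    *:8080              *:*
LISTEN 0      100    *:8443              *:*
LISTEN 0      1      127.0.0.1:8005      0.0.0.0:*
LISTEN 0      100    127.0.0.1:8009      0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return {port: [local addresses]} from `ss -ltn` text; the header is skipped."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                       # "Local Address:Port" column
        addr, _, port = local.rpartition(":")   # copes with [::]:389 and *:8443
        if not port.isdigit():
            continue
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def port_conflicts(ss_output, planned_ports):
    """Map each planned port that is already bound to the addresses holding it."""
    bound = parse_listeners(ss_output)
    return {p: bound[p] for p in planned_ports if p in bound}


def live_ss_output():
    """Run `ss -ltn` on this host; only for real use, the sample is used offline."""
    return subprocess.run(["ss", "-ltn"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    conflicts = port_conflicts(SAMPLE_SS_OUTPUT, RHCS_DEFAULT_PORTS)
    for port in sorted(conflicts):
        print(f"port {port} ({RHCS_DEFAULT_PORTS[port]}) "
              f"already bound on {conflicts[port]}")
    # Hypothetical re-planned ports for the second instance: none collide here.
    print(port_conflicts(SAMPLE_SS_OUTPUT, {3389, 18080, 18443, 18009, 18005}))
```

On the sample every default port collides, which is exactly why the second instance would have to be re-pointed at unused ports (and its 389-ds told to use something other than 389) before pkispawn is run. A clean result from this check only says the two instances can bind; it does nothing for the attack-surface and upgrade concerns raised above.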