#278 Need mechanism to replicate entitlement ID certificate
Closed: Fixed. Opened 13 years ago by rcritten.

A username/password is provided to an IPA administrator to be used to make the initial connection to an entitlement server. This initial request results in a cert and key in PEM format. All subsequent communication with the entitlement server (get entitlements, return entitlements, query, etc.) will be done using this cert/key for authentication.

We need to share this key/cert with all other replicas. It is possible that one or more replicas could be created by the time this cert/key is created so storing the value in LDAP is the easiest way to share it.

We need a daemon that will:

  • pull the cert/key from LDAP
  • decrypt the key
  • query candlepin for entitlement certs
  • validate the certs and obtain the number of entitlements
  • count the number of hosts
  • compare the values
  • syslog any problems found

We want to store the private key in LDAP but will encrypt it. There are a number of options available to us for the encryption key but I think I'll go with one of the following:

  • Use the Kerberos master key
  • Use the 389-ds NSS database pin

I'm using the Apache certificate database password to encrypt the userpkcs12 attribute.
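As an added illustration (not code from this ticket or from FreeIPA), the two security-relevant steps of the daemon design above in Python with the cryptography package: wrapping the private key under a pin before it is written to the userPKCS12 attribute, unwrapping it on the replica, and the entitlement-versus-host comparison that gets logged. The pin value, the generated key and the exact comparison rule are constructed assumptions.

```python
import logging
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12

log = logging.getLogger("ipa-entitlement")

def wrap_private_key(key, pin: bytes) -> bytes:
    """Bundle the entitlement key into a password-protected PKCS#12 blob.
    Only this encrypted DER goes into LDAP; the pin stays on the IPA servers."""
    return pkcs12.serialize_key_and_certificates(
        name=b"entitlement", key=key, cert=None, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(pin),
    )

def unwrap_private_key(blob: bytes, pin: bytes):
    """Recover the key as the daemon does after pulling the attribute.
    A wrong pin raises ValueError instead of yielding a garbage key."""
    key, _cert, _cas = pkcs12.load_key_and_certificates(blob, pin)
    return key

def check_entitlements(entitlement_count: int, host_count: int) -> list:
    """Compare validated entitlements with enrolled hosts; return the
    problem strings the daemon would syslog (sent through logging here)."""
    problems = []
    if host_count > entitlement_count:
        problems.append(f"{host_count} hosts enrolled but only "
                        f"{entitlement_count} entitlements available")
    for problem in problems:
        log.warning(problem)
    return problems

def demo() -> dict:
    """Round-trip a constructed key with a constructed pin."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pin = b"constructed-cert-db-pin"  # stand-in for the real NSS/Apache pin
    blob = wrap_private_key(key, pin)
    recovered = unwrap_private_key(blob, pin)
    try:
        unwrap_private_key(blob, b"wrong-pin")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "stored_as_der": b"BEGIN" not in blob,  # no PEM/plaintext markers
        "roundtrip_ok": recovered.public_key().public_numbers()
                        == key.public_key().public_numbers(),
        "wrong_pin_rejected": rejected,
    }
```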

Metadata Update from @rcritten (7 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)
