As covered in Section 10.1.7, “Custom Configuration and Clones”, configuration changes made after a clone is created are not propagated to the clone instances. Likewise, changes made to a clone are not copied back to the master instance.
If a new DRM is installed or cloned after a clone CA is created, then the clone CA does not have the new DRM connector information in its configuration. This means that the clone CA ignores any archival requests from the DRM because it does not recognize it as a legitimate client.
Whenever a new DRM is created or cloned, copy its connector information into all of the cloned CAs in the deployment.
- On the master clone machine, open the master CA's CS.cfg file, and copy all of the ca.connector.KRA.* lines for the new DRM connector.
[root@master ~]# vim /var/lib/pki-ca/conf/CS.cfg
- Stop the clone CA instance. For example:
[root@clone-ca ~]# service pki-ca stop
- Open the clone CA's CS.cfg file.
[root@clone-ca ~]# vim /var/lib/pki-ca/conf/CS.cfg
- Copy in the connector information for the new DRM instance or clone.
ca.connector.KRA.enable=true
ca.connector.KRA.host=server-kra.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-pki-ca
ca.connector.KRA.port=10444
ca.connector.KRA.timeout=30
ca.connector.KRA.transportCert=MIIDbD...ZR0Y2zA==
ca.connector.KRA.uri=/kra/agent/kra/connector
- Start the clone CA.
[root@clone-ca ~]# service pki-ca start
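
The copy step above as a script, for a copy of the master CA's CS.cfg that has already been transferred to the clone host. This is an added example, not part of the original documentation; the function names are hypothetical, and it assumes the clone CA has been stopped before it runs.

```shell
#!/bin/sh
# Added example (not from the product documentation): copy the
# ca.connector.KRA.* lines from a copy of the master CA's CS.cfg into a clone
# CA's CS.cfg. Function names are hypothetical. Run with the clone CA stopped.

# Print the DRM connector lines of a CS.cfg, sorted for comparison.
kra_lines() {
    grep '^ca\.connector\.KRA\.' "$1" | sort
}

# Return 0 when both files carry identical connector settings.
kra_in_sync() {
    [ "$(kra_lines "$1")" = "$(kra_lines "$2")" ]
}

# sync_kra_connector MASTER_CFG CLONE_CFG
sync_kra_connector() {
    master=$1
    clone=$2
    # Refuse to touch the clone if the master has no connector to copy.
    if ! grep -q '^ca\.connector\.KRA\.' "$master"; then
        echo "no ca.connector.KRA.* lines in $master" >&2
        return 1
    fi
    # Nothing to do when the clone already matches the master.
    kra_in_sync "$master" "$clone" && return 0
    # Keep a rollback copy with the original owner, mode and timestamps.
    cp -p "$clone" "$clone.bak" || return 1
    tmp=$(mktemp) || return 1
    # Drop stale connector lines, then append the master's full set
    # (host, port, nickName, transportCert and the rest travel together).
    { sed '/^ca\.connector\.KRA\./d' "$clone"; kra_lines "$master"; } > "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$clone" && rm -f "$tmp"
}

# Stand-alone use: script.sh /path/to/master-CS.cfg /var/lib/pki-ca/conf/CS.cfg
if [ $# -eq 2 ]; then
    sync_kra_connector "$1" "$2"
fi
```

The previous clone configuration is kept beside the file as CS.cfg.bak, and kra_in_sync can be run on its own to check a clone for a stale or missing connector.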