9.5. Configuring Separate RA Instances

When an RA is installed or created, it is automatically added to a default Registration Managers Group on the CA. This means that all RA managers belong to the same group, by default.
However, a particular site might require more than one RA instance, each having its own set of RA agents. If the site policy disallows cross-management between the RA instances, then extra configuration is needed to create separate RA groups.
  1. Install and configure the first RA instance.
  2. Add the new RA group to the Certificate Manager.
    1. Start the Console. For example:
      pkiconsole https://server.example.com:9445/ca
    2. Click Users and Groups, and then click Groups.
    3. Click Add to open the Edit Group Information dialog box.
    4. Enter the group name and description, such as Registration Manager2 Agents.
    5. Click OK.
  3. Add the new RA authentication instance to the CA:
    1. Open the CA configuration directory, and edit the CS.cfg file:
      cd /etc/pki-ca
      
      vi CS.cfg
    2. Search for the string raCertAuth.
    3. Copy those lines for the first RA instance, paste them, and edit them for the second RA instance's information. For example:
      auths.instance.raCertAuth.agentGroup=Registration Manager Agents
      auths.instance.raCertAuth.plug-inName=AgentCertAuth
      auths.instance.ra2CertAuth.agentGroup=Registration Manager2 Agents
      auths.instance.ra2CertAuth.plug-inName=AgentCertAuth
  4. Add the new RA user enrollment profile to the Certificate Manager's certificate profiles list to utilize the new RA authentication instance.
    1. Open the CA profiles directory.
      cd /var/lib/pki-ca/profiles/ca
    2. Copy the current RA profile to create the new profile. For example:
      cp caDualRAuserCert.cfg caDualRA2userCert.cfg
    3. Edit the new file to contain the second RA instance's information. Change raCertAuth to ra2CertAuth.
  5. Open the CA configuration directory, and edit the CS.cfg file.
    cd /var/lib/pki-ca/conf
    
    vi CS.cfg
    1. Add caDualRA2userCert to the profiles list. The entry must match the profile ID used in the profile.caDualRA2userCert.* lines. For example:
      profile.list=...[snip]...caRAserverCert,caDualRA2userCert
      Make sure to use a comma to separate the entries.
    2. Search for the lines for the caDualRAuserCert profile configuration, copy them, and edit them for the second RA instance's information.
      profile.caDualRAuserCert.class_id=caEnrollImpl
      profile.caDualRAuserCert.config=/var/lib/pki-ca/profiles/ca/caDualRAuserCert.cfg
      profile.caDualRA2userCert.class_id=caEnrollImpl
      profile.caDualRA2userCert.config=/var/lib/pki-ca/profiles/ca/caDualRA2userCert.cfg
  6. Add a new URI mapping to allow the new RA agent to be registered in the new RA group.
    1. Open the CA web applications directory, and edit the web.xml file:
      cd /var/lib/pki-ca/webapps/ca/WEB-INF
      
      vi web.xml
    2. At about line 288 in the web.xml file is the servlet setting for the first RA's user. Copy the entire entry, including the opening and closing <servlet> tags, and edit the information to match the second RA's user. For example:
      <servlet>
        <servlet-name>  caRegisterRa2User  </servlet-name>
        <servlet-class> com.netscape.cms.servlet.csadmin.RegisterUser  </servlet-class>
        <init-param><param-name>  GetClientCert  </param-name>
                    <param-value> false       </param-value> </init-param>
        <init-param><param-name>  authority   </param-name>
                    <param-value> ca          </param-value> </init-param>
        <init-param><param-name>  ID          </param-name>
                    <param-value> caRegisterRaUser </param-value> </init-param>
        <init-param><param-name>  AuthMgr     </param-name>
                    <param-value> TokenAuth </param-value> </init-param>
        <init-param><param-name>  GroupName    </param-name>
                    <param-value> Registration Manager2 Agents </param-value> </init-param>
        <init-param><param-name>  AuthzMgr    </param-name>
                    <param-value> BasicAclAuthz </param-value> </init-param>
        <init-param><param-name>  resourceID  </param-name>
                    <param-value> certServer.ca.registerUser </param-value> </init-param>
      </servlet>
    3. At about line 2510 in the web.xml file is the servlet-mapping setting for the first RA's user mapping. Copy the entire entry, including the opening and closing <servlet-mapping> tags, and edit the information to match the second RA's user. For example:
      <servlet-mapping>
        <servlet-name>  caRegisterRa2User </servlet-name>
        <url-pattern>   /admin/ca/registerRa2User  </url-pattern>
      </servlet-mapping>
  7. Restart the CA. For example:
    # service pki-ca restart
  8. Create the new RA instance using the pkicreate command. For example:
    pkicreate -pki_instance_root=/var/lib -subsystem_type=ra -pki_instance_name=pki-ra2 -secure_port=12899 -unsecure_port=12898 -verbose -user=pkiuser -group=pkiuser
  9. Open the configuration file for the new RA instance, and edit its parameters to reflect the second RA instance information.
    cd /var/lib/pki-ra2/conf/
    
    vi CS.cfg
  10. Change the registerRaUser setting to registerRa2User.
    conn.ca1.servlet.addagent=/ca/admin/ca/registerRa2User
  11. Change the caDualRAuserCert setting to caDualRA2userCert.
    request.renewal.approve_request.0.profileId=caDualRA2userCert
    ...
    request.user.approve_request.0.profileId=caDualRA2userCert
  12. Restart the new RA instance. For example:
    # service pki-ra2 restart
  13. A URL was generated at the end of the pkicreate command; go to that URL to configure the second RA. For example:
    http://server.example.com:12898/ra/admin/console/config/login?pin=bFyAk9nWPfgLZXffRBT9
  14. When the new RA is completely configured, restart the instance.
    # service pki-ra2 restart
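The procedure above edits three places that must agree: the auths instance in the CA's CS.cfg, the profile list and profile entries in the same file, and the RegisterUser servlet in web.xml. A mismatched name in any one of them (for example a profile ID that differs from its profile.list entry) silently breaks registration of agents into the new group. The following check is an added example, not part of the original procedure or of the product; it parses constructed CS.cfg and web.xml fragments modelled on the values in this section and reports where they disagree. The fragments are constructed samples, and the check assumes the key and element names shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed CS.cfg and web.xml fragments modelled on this procedure's values
# (not from a live instance); profile.list deliberately carries the wrong name.
CS_CFG = """\
auths.instance.ra2CertAuth.agentGroup=Registration Manager2 Agents
auths.instance.ra2CertAuth.plug-inName=AgentCertAuth
profile.list=caUserCert,caRAserverCert,caRA2userCert
profile.caDualRA2userCert.config=/var/lib/pki-ca/profiles/ca/caDualRA2userCert.cfg
"""
WEB_XML = """<web-app>
 <servlet><servlet-name> caRegisterRa2User </servlet-name>
  <init-param><param-name>GroupName</param-name>
   <param-value> Registration Manager2 Agents </param-value></init-param></servlet>
 <servlet-mapping><servlet-name>caRegisterRa2User</servlet-name>
  <url-pattern>/admin/ca/registerRa2User</url-pattern></servlet-mapping>
</web-app>"""

def parse_cs_cfg(text):
    # CS.cfg is a flat key=value file; lines starting with '#' are comments
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_ra_wiring(cs_cfg_text, web_xml_text, auth_id, profile_id, servlet_name):
    # Returns the mismatches between the pieces the procedure edits; [] means they agree
    cfg, problems = parse_cs_cfg(cs_cfg_text), []
    group = cfg.get(f"auths.instance.{auth_id}.agentGroup")
    if profile_id not in [p.strip() for p in cfg.get("profile.list", "").split(",")]:
        problems.append(f"{profile_id} is not in profile.list")
    if f"profile.{profile_id}.config" not in cfg:
        problems.append(f"profile.{profile_id}.config is missing")
    root = ET.fromstring(web_xml_text)
    servlets = [s for s in root.iter("servlet")
                if s.findtext("servlet-name", "").strip() == servlet_name]
    if not servlets:
        problems.append(f"servlet {servlet_name} is not defined")
    else:
        params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                  for p in servlets[0].iter("init-param")}
        if params.get("GroupName") != group:
            problems.append(f"GroupName {params.get('GroupName')!r} != {group!r}")
    if not [m for m in root.iter("servlet-mapping")
            if m.findtext("servlet-name", "").strip() == servlet_name]:
        problems.append(f"no servlet-mapping for {servlet_name}")
    return problems
```

Run it against the real files by reading /var/lib/pki-ca/conf/CS.cfg and /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml in place of the sample strings, before the CA restart in step 7.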