11.4. Cloning a Subsystem Silently


Only CA and DRM instances can be cloned using pkisilent. The other subsystem clones must be configured using the HTML-based configuration wizard.
When creating a new subsystem, there are options to set the type of keys to generate and to back up the keys to a PKCS #12 file. For cloning a subsystem, there are no key generation options. Instead, the parameters contain information pointing to the PKCS #12 file for the master subsystem and the URL for the subsystem to clone:
  • -clone true, which marks the new instance as a clone
  • -clone_p12_file and -clone_p12_password, which give the name of the master's PKCS #12 key file in the clone's /var/lib/instance_name/alias directory and the password to access it
  • -clone_start_tls, which sets whether to use Start TLS for replication between clones
Additionally, a clone must have some configuration in common with its master:
  • The same security domain, set in the -sd_* parameters
  • The same LDAP base DN and database name, set in the -ldap_* parameters (either the hostname or the port must be different, since the clone requires its own Directory Server instance)
  • The same issuing CA for its certificates, set in the -ca_* parameters (or, for a CA clone, possibly self-signed)
Aside from the differences in creating the subsystem certificates, the configuration for the clone (joining the security domain, creating the admin user, setting up the internal LDAP directories) is the same as with any other subsystem configuration.
For example, this clones a CA instance (shown here with shell line continuations; pkisilent receives all parameters on one line):
pkisilent ConfigureCA -cs_hostname localhost \
          -cs_port 9445 \
          -subsystem_name "clone-ca2" \
          -client_certdb_dir /tmp/ \
          -client_certdb_pwd password \
          -preop_pin sYY8er834FG9793fsef7et5 \
          -domain_name "example\ domain" \
          -sd_hostname "domain.example.com" \
          -sd_admin_port 9445 \
          -sd_agent_port 9443 \
          -sd_ssl_port 9444 \
          -sd_admin_name admin \
          -sd_admin_password secret \
          -admin_user admin \
          -admin_email "admin@example.com" \
          -admin_password secret \
          -agent_name jsmith \
          -agent_key_size 2048 \
          -agent_key_type rsa \
          -key_type rsa \
          -key_size 2048 \
          -agent_cert_subject "'CN=jsmith,ou=clone-ca2,o=Example Domain'" \
          -ldap_host ldap-server.example.com \
          -ldap_port 389 \
          -bind_dn "'cn=Directory Manager'" \
          -bind_password secret \
          -base_dn "dc=ca.example.com-clone-ca2" \
          -db_name "ca.example.com-clone-ca2" \
          -clone true \
          -clone_p12_file backup.p12 \
          -clone_p12_password secret \
          -clone_start_tls false \
          -master_instance_name pki-ca \
          -ca_hostname server.example.com \
          -ca_non_ssl_port 9180 \
          -ca_ssl_port 9443 \
          -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
          -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
          -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
          -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
          -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" \
          -token_name "internal"
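A pre-flight check for two of the prerequisites described above, the master's PKCS #12 file sitting in the clone's alias directory and a Directory Server endpoint that differs from the master's in host or port. This is an added shell example, not part of the Red Hat Certificate System documentation or of pkisilent; the mode check assumes a Linux host with GNU stat, and the alias directory and file names are placeholders for the values you would pass as -clone_p12_file.

```shell
#!/bin/sh
# Pre-flight checks before running pkisilent with -clone true.
# Example code, not part of pkisilent or the product documentation.

# clone_ldap_ok MASTER_HOST MASTER_PORT CLONE_HOST CLONE_PORT
# Returns 0 when the clone's Directory Server endpoint differs from the
# master's in at least host or port (the clone needs its own DS instance),
# 1 when both are identical.
clone_ldap_ok() {
  master_host=$1; master_port=$2; clone_host=$3; clone_port=$4
  [ "$master_host" != "$clone_host" ] || [ "$master_port" != "$clone_port" ]
}

# clone_p12_ok ALIAS_DIR P12_FILE
# Returns 0 when the PKCS #12 backup named by -clone_p12_file exists in the
# clone's alias directory (e.g. /var/lib/instance_name/alias) and is not
# readable by group or others. The file carries the master's private keys,
# so anything looser than owner-only access is treated as a failure.
clone_p12_ok() {
  alias_dir=$1; p12=$2
  f="$alias_dir/$p12"
  [ -f "$f" ] || return 1
  # GNU stat prints the octal mode, e.g. 600 (assumption: Linux host)
  mode=$(stat -c %a "$f") || return 1
  case "$mode" in
    *00) return 0 ;;   # group and other bits are all clear
    *)   return 1 ;;
  esac
}

# Run both checks with constructed sample values; exit non-zero on failure.
preflight() {
  alias_dir=${1:-/var/lib/pki-ca-clone/alias}   # placeholder instance path
  clone_ldap_ok ldap-server.example.com 389 ldap-server.example.com 1389 \
    || { echo "clone LDAP host:port must differ from the master's" >&2; return 1; }
  clone_p12_ok "$alias_dir" backup.p12 \
    || { echo "backup.p12 missing or not owner-only in $alias_dir" >&2; return 1; }
  echo "pre-flight checks passed"
}
```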