3.3. Updating CA-KRA Connector Information After Cloning
Configuration changes made after a clone is created are not propagated to the clone instance. Likewise, changes made to a clone are not copied back to the master instance.
If a new KRA is installed or cloned after a clone CA is created, then the clone CA does not have the new KRA connector information in its configuration. This means that the clone CA ignores any archival requests from the KRA because the clone CA does not recognize the KRA as a legitimate client.
Whenever a new KRA is created or cloned, copy its connector information into all of the cloned CAs in the deployment.
- On the master clone machine, open the master CA's CS.cfg file, and copy all of the ca.connector.KRA.* lines for the new KRA connector.
    [root@master ~]# vim /var/lib/pki/instance_name/conf/ca/CS.cfg
- Stop the clone CA instance. For example:
    [root@clone-ca ~]# systemctl stop pki-tomcatd@instance_name.service
- Open the clone CA's CS.cfg file.
    [root@clone-ca ~]# vim /var/lib/pki/instance_name/conf/ca/CS.cfg
- Copy in the connector information for the new KRA instance or clone.
    ca.connector.KRA.enable=true
    ca.connector.KRA.host=server-kra.example.com
    ca.connector.KRA.local=false
    ca.connector.KRA.nickName=subsystemCert cert-pki-ca
    ca.connector.KRA.port=8443
    ca.connector.KRA.timeout=30
    ca.connector.KRA.transportCert=MIIDbD...ZR0Y2zA==
    ca.connector.KRA.uri=/kra/agent/kra/connector
- Start the clone CA.
    [root@clone-ca ~]# systemctl start pki-tomcatd@instance_name.service
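The copy step in the procedure above can be scripted and checked rather than done by hand in an editor. The following is an added example, not part of the original documentation or of the PKI tooling; the function names are hypothetical, and it assumes a copy of the master CA's CS.cfg has been placed on the clone host.

```bash
#!/bin/bash
# Added example; function names are hypothetical, not part of the PKI tooling.
# Assumes a copy of the master CA's CS.cfg is readable on the clone host.

# Print the ca.connector.KRA.* lines of a CS.cfg, sorted for comparison.
kra_connector_lines() {
    grep -E '^ca\.connector\.KRA\.' "$1" | sort
}

# Succeed only if both files carry identical connector settings.
kra_connector_in_sync() {
    [ "$(kra_connector_lines "$1")" = "$(kra_connector_lines "$2")" ]
}

# Replace the clone's connector lines with the master's.
# Run this only while the clone CA instance is stopped.
sync_kra_connector() {
    master_cfg=$1
    clone_cfg=$2
    # Refuse to touch the clone if the master has nothing to copy.
    if ! grep -qE '^ca\.connector\.KRA\.' "$master_cfg"; then
        echo "no ca.connector.KRA.* lines in $master_cfg" >&2
        return 1
    fi
    # Keep a backup so the previous configuration can be restored.
    cp -p "$clone_cfg" "$clone_cfg.bak" || return 1
    tmp=$(mktemp) || return 1
    # All non-connector lines of the clone, then the master's connector lines.
    { grep -vE '^ca\.connector\.KRA\.' "$clone_cfg" || true
      grep -E '^ca\.connector\.KRA\.' "$master_cfg"; } > "$tmp"
    # Overwrite in place so CS.cfg keeps its owner, mode and SELinux context.
    cat "$tmp" > "$clone_cfg"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Command-line use: script.sh MASTER_CS.cfg CLONE_CS.cfg
if [ "$#" -eq 2 ]; then
    sync_kra_connector "$1" "$2" && kra_connector_in_sync "$1" "$2"
fi
```

Running `kra_connector_in_sync` on its own against each clone CA after a new KRA is added shows which clones still carry stale connector settings.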
