Installing KRA Clone with Replicated DS - dogtagpki/pki GitHub Wiki
This page describes the process to install KRA clone with existing DS instance which has been set up as a replica of the DS instance used by the primary KRA.
Availability: Since PKI 11.5
Create the secondary KRA with the following commands:
$ pki-server kra-create
Export the system certificates and keys from primary KRA with the following commands:
$ pki-server kra-clone-prepare \ --pkcs12-file kra-certs.p12 \ --pkcs12-password Secret.123
Optionally, the CSRs for the above certificates can be exported as well with the following commands:
$ pki-server cert-export kra_storage \ --csr-file kra_storage.csr $ pki-server cert-export kra_transport \ --csr-file kra_transport.csr $ pki-server cert-export kra_audit_signing \ --csr-file kra_audit_signing.csr $ pki-server cert-export subsystem \ --csr-file subsystem.csr
Import the system certificates and keys into the secondary KRA with the following command:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ pkcs12-import \ --pkcs12 kra-certs.p12 \ --password Secret.123
First, configure DS connection in the KRA CA with the following commands:
$ pki-server kra-db-config-mod \ --hostname secondaryds.example.com \ --port 3389 \ --secure false \ --auth BasicAuth \ --bindDN "cn=Directory Manager" \ --bindPWPrompt internaldb \ --database kra \ --baseDN dc=kra,dc=pki,dc=example,dc=com \ --multiSuffix false \ --maxConns 15 \ --minConns 3
Create a DS backend with the following command:
$ pki-server kra-db-create
Configure replication between the primary DS and the secondary DS.
Once the schema and entries are replicated, create search indexes with the following commands:
$ pki-server kra-db-index-add $ pki-server kra-db-index-rebuild
Create VLV indexes with the following commands:
$ pki-server kra-db-vlv-add $ pki-server kra-db-vlv-reindex
Prepare a deployment configuration (e.g. kra-clone.cfg
) to deploy KRA subsystem clone.
A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra-clone.cfg. It assumes that the primary KRA subsystem is running at https://primary.example.com:8443.
To finalize the secondary KRA installation execute the following command:
$ pkispawn \ -f /usr/share/pki/server/examples/installation/kra-clone.cfg \ -s KRA \ -D pki_cert_chain_path=ca_signing.crt \ -D pki_clone_pkcs12_path=kra-certs.p12 \ -D pki_clone_pkcs12_password=Secret.123 \ -D pki_ds_url=ldap://secondaryds.example.com:389 \ -D pki_ds_setup=False \ -v
If the CSRs are available, they can be specified with the following parameters:
-D pki_kra_storage_csr_path=kra_storage.csr \ -D pki_kra_transport_csr_path=kra_transport.csr \ -D pki_audit_signing_csr_path=kra_audit_signing.csr \ -D pki_subsystem_csr_path=subsystem.csr \