PKI Server Subsystem CLI - dogtagpki/pki GitHub Wiki
The following commands can be used to manage PKI subsystems in an instance. If not specified, the default instance is pki-tomcat.
Each subsystem has a corresponding web application. The web application files are stored in /usr/share/pki/ca/webapps/<subsystem> unless it’s customized.
Each subsystem can be enabled or disabled. When a subsystem is enabled, a deployment descriptor is created in /var/lib/pki/<instance>/conf/Catalina/localhost/<subsystem>.xml, for example:
<Context docBase="/usr/share/pki/ca/webapps/ca" crossContext="true">
    <Manager secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
    <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
           alwaysUseSession="true"
           secureRandomProvider="Mozilla-JSS"
           secureRandomAlgorithm="pkcs11prng"/>
    <Realm className="com.netscape.cms.tomcat.ProxyRealm"/>
    <Resources allowLinking="true"/>
</Context>
When Tomcat detects the new deployment descriptor, it will deploy the web application.
When a subsystem is disabled, the above deployment descriptor is removed. When Tomcat detects that the deployment descriptor is removed, it will undeploy the web application.
All subsystems are enabled by default. However, if a subsystem fails to start due to a selftest failure, it will automatically be disabled to prevent it from running in an inconsistent state.
To list all available subsystems in an instance and to show their statuses, execute the following command:
$ pki-server subsystem-find
-----------------
2 entries matched
-----------------
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: False

  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True
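The following is an added example, not part of the original wiki page or the Dogtag project's code: because a subsystem that fails its selftest is disabled automatically, a monitoring job can parse `pki-server subsystem-find` output and flag every entry that is not enabled. The function names, the sample output (constructed in the format shown above) and the configurable root directory are assumptions.

```shell
#!/bin/sh
# Added example: report subsystems that are not enabled, reading
# `pki-server subsystem-find` output on stdin.

# Print "<instance>/<subsystem>" for every entry whose Enabled field is False.
disabled_subsystems() {
    awk '
        /Subsystem ID:/ { id = $NF }
        /Instance ID:/  { inst = $NF }
        /Enabled:/      { if ($NF == "False") print inst "/" id }
    '
}

# Return 0 if the deployment descriptor for a subsystem exists.
# $1 = root of the instance directories (/var/lib/pki on a real host),
# $2 = instance ID, $3 = subsystem ID.
descriptor_present() {
    [ -f "$1/$2/conf/Catalina/localhost/$3.xml" ]
}

# Constructed sample output, in the format shown on this page.
sample_output() {
    cat <<'EOF'
-----------------
2 entries matched
-----------------
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: False

  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True
EOF
}

# Return 1 and list the affected entries when anything is disabled,
# so the function can drive a cron job or monitoring probe.
check_subsystems() {
    found=$(disabled_subsystems)
    [ -z "$found" ] && return 0
    echo "$found" | while read -r entry; do echo "DISABLED: $entry"; done
    return 1
}

# On a live host: pki-server subsystem-find | check_subsystems
sample_output | check_subsystems || echo "at least one subsystem is disabled"
```

A disabled entry whose descriptor is also missing (checked with `descriptor_present /var/lib/pki <instance> <subsystem>`) matches the disabled state described above; the logs of that subsystem then show whether a selftest failure caused it.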
To display the status of a particular subsystem, execute the following command:
$ pki-server subsystem-show ca
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True
To enable a subsystem, execute the following command:
$ pki-server subsystem-enable kra
-----------------------
Subsystem "kra" enabled
-----------------------
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
It may take a few seconds for Tomcat to notice this change and deploy the subsystem. It’s not necessary to restart the instance.
To disable a subsystem, execute the following command:
$ pki-server subsystem-disable kra
------------------------
Subsystem "kra" disabled
------------------------
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: False
It may take a few seconds for Tomcat to notice this change and undeploy the subsystem. It’s not necessary to restart the instance.