10.7. Converting Masters and Clones
Only one active CA generating CRLs can exist within the same topology, and likewise only one OCSP responder receiving CRLs; a second CRL generator would leave the clones without a single, agreed revocation state. There can be any number of clones, but only a single configured master each for the CA and the OCSP.
For KRAs and TKSs there is no configuration difference between masters and clones, but CAs and OCSPs do have configuration differences. This means that when a master is taken offline (because of a failure, for maintenance, or to change the function of the subsystem in the PKI), the existing master must be reconfigured as a clone and one of the clones promoted to master.
10.7.1. Converting CA Clones and Masters
- Stop the master CA if it is still running.
- Open the existing master CA configuration directory:
  # cd /var/lib/pki/instance_name/ca/conf
- Edit the CS.cfg file of the master, and change the CRL and maintenance thread settings so that it is configured as a clone:
  - Disable control of the database maintenance thread:
    ca.certStatusUpdateInterval=0
  - Disable monitoring of database replication changes:
    ca.listenToCloneModifications=false
  - Disable maintenance of the CRL cache (IssuingPointId is the ID of the CRL issuing point):
    ca.crl.IssuingPointId.enableCRLCache=false
  - Disable CRL generation:
    ca.crl.IssuingPointId.enableCRLUpdates=false
  - Set the CA to redirect CRL requests to the new master:
    master.ca.agent.host=new_master_hostname
    master.ca.agent.port=new_master_port
- Stop the cloned CA server:
  # systemctl stop pki-tomcatd@instance_name.service
- Open the cloned CA's configuration directory:
  # cd /var/lib/pki/instance_name/ca/conf
- Edit the CS.cfg file to configure the clone as the new master:
  - Delete each line which begins with the ca.crl. prefix.
  - Copy each line beginning with the ca.crl. prefix from the former master CA's CS.cfg file into the cloned CA's CS.cfg file.
  - Enable control of the database maintenance thread; the default value for a master CA is 600:
    ca.certStatusUpdateInterval=600
  - Enable monitoring of database replication:
    ca.listenToCloneModifications=true
  - Enable maintenance of the CRL cache:
    ca.crl.IssuingPointId.enableCRLCache=true
  - Enable CRL generation:
    ca.crl.IssuingPointId.enableCRLUpdates=true
  - Disable the redirect settings for CRL generation requests; these values must no longer point at the former master:
    master.ca.agent.host=hostname
    master.ca.agent.port=port_number
- Start the new master CA server:
  # systemctl start pki-tomcatd@instance_name.service
10.7.2. Converting OCSP Clones
- Stop the OCSP master if it is still running.
- Open the existing master OCSP configuration directory:
  # cd /var/lib/pki/instance_name/ocsp/conf
- Edit the CS.cfg file, and reset the OCSP.Responder.store.defStore.refreshInSec parameter to 21600:
  OCSP.Responder.store.defStore.refreshInSec=21600
- Stop the online cloned OCSP server:
  # systemctl stop pki-tomcatd@instance_name.service
- Open the cloned OCSP responder's configuration directory:
  # cd /var/lib/pki/instance_name/ocsp/conf
- Open the CS.cfg file, and delete the OCSP.Responder.store.defStore.refreshInSec parameter or change its value to any non-zero number:
  OCSP.Responder.store.defStore.refreshInSec=15000
- Start the new master OCSP responder server:
  # systemctl start pki-tomcatd@instance_name.service
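The two procedures above (the CA master/clone swap in 10.7.1 and the OCSP conversion in 10.7.2) are a series of key=value edits to CS.cfg. The following script is an added example and not part of the Red Hat Certificate System documentation or code base: it applies those edits to constructed CS.cfg fragments in a temporary directory and then checks the invariant from the start of this section, that exactly one CA still generates CRLs. The issuing point ID MasterCRL, the hostnames and the ports are assumptions for the demo; the script does not stop or start any server, so wrap the edits in the systemctl steps shown above when using it on a real instance.

```shell
#!/bin/sh
# Added example (not from the RHCS documentation or code): CS.cfg edits for
# the CA master/clone swap (10.7.1) and the OCSP conversion (10.7.2), run on
# constructed fragments. "MasterCRL", the hosts and the ports are assumptions.
set -eu

# set_cfg_key FILE KEY VALUE: rewrite KEY=... in place, appending it if absent.
set_cfg_key() {
    awk -v k="$2" -v v="$3" '
        BEGIN { FS = OFS = "="; seen = 0 }
        $1 == k { print k OFS v; seen = 1; next }
        { print }
        END { if (!seen) print k OFS v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_cfg_key FILE KEY: print the value of KEY (empty if the key is absent).
get_cfg_key() {
    awk -v k="$2" 'BEGIN { FS = "=" } $1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# demote_ca_master FILE NEW_MASTER_HOST NEW_MASTER_PORT [ISSUING_POINT]
# 10.7.1, first part: turn the former master's CS.cfg into a clone's.
demote_ca_master() {
    f=$1 ip=${4:-MasterCRL}
    set_cfg_key "$f" ca.certStatusUpdateInterval 0
    set_cfg_key "$f" ca.listenToCloneModifications false
    set_cfg_key "$f" "ca.crl.$ip.enableCRLCache" false
    set_cfg_key "$f" "ca.crl.$ip.enableCRLUpdates" false
    set_cfg_key "$f" master.ca.agent.host "$2"   # redirect CRL requests
    set_cfg_key "$f" master.ca.agent.port "$3"   # to the new master
}

# promote_ca_clone CLONE_FILE FORMER_MASTER_FILE OWN_HOST OWN_PORT [ISSUING_POINT]
# 10.7.1, second part: take over the ca.crl.* block of the former master,
# then enable CRL generation and the maintenance thread on the clone.
promote_ca_clone() {
    c=$1 old=$2 ip=${5:-MasterCRL}
    grep -v '^ca\.crl\.' "$c" > "$c.tmp" || true    # drop the clone's ca.crl.* lines
    grep '^ca\.crl\.' "$old" >> "$c.tmp" || true    # copy the former master's
    mv "$c.tmp" "$c"
    set_cfg_key "$c" ca.certStatusUpdateInterval 600
    set_cfg_key "$c" ca.listenToCloneModifications true
    set_cfg_key "$c" "ca.crl.$ip.enableCRLCache" true
    set_cfg_key "$c" "ca.crl.$ip.enableCRLUpdates" true
    set_cfg_key "$c" master.ca.agent.host "$3"   # no longer redirect to
    set_cfg_key "$c" master.ca.agent.port "$4"   # the former master
}

# convert_ocsp FORMER_MASTER_FILE CLONE_FILE: the refreshInSec edits of 10.7.2.
convert_ocsp() {
    set_cfg_key "$1" OCSP.Responder.store.defStore.refreshInSec 21600
    set_cfg_key "$2" OCSP.Responder.store.defStore.refreshInSec 15000
}

# count_crl_masters FILE...: number of CA configs that still generate CRLs.
# After a swap exactly one is expected; anything else violates the invariant.
count_crl_masters() {
    n=0
    for f in "$@"; do
        if grep -q '^ca\.crl\.[^.]*\.enableCRLUpdates=true$' "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# run_demo: write constructed CS.cfg fragments, run both conversions for a
# failed ca1 whose clone ca2 takes over, and print the result directory.
run_demo() {
    d=$(mktemp -d)
    cat > "$d/master.cfg" <<'EOF'
ca.certStatusUpdateInterval=600
ca.listenToCloneModifications=true
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.autoUpdateInterval=240
master.ca.agent.host=ca1.example.com
master.ca.agent.port=8443
EOF
    cat > "$d/clone.cfg" <<'EOF'
ca.certStatusUpdateInterval=0
ca.listenToCloneModifications=false
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
master.ca.agent.host=ca1.example.com
master.ca.agent.port=8443
EOF
    printf 'OCSP.Responder.store.defStore.refreshInSec=15000\n' > "$d/ocsp-master.cfg"
    printf 'OCSP.Responder.store.defStore.refreshInSec=21600\n' > "$d/ocsp-clone.cfg"
    # Demote first, so the ca.crl.* lines copied over are the master's current ones.
    demote_ca_master "$d/master.cfg" ca2.example.com 8443
    promote_ca_clone "$d/clone.cfg" "$d/master.cfg" ca2.example.com 8443
    convert_ocsp "$d/ocsp-master.cfg" "$d/ocsp-clone.cfg"
    echo "$d"
}

d=$(run_demo)
grep . "$d/master.cfg" "$d/clone.cfg" "$d/ocsp-master.cfg" "$d/ocsp-clone.cfg"
echo "CRL-generating CAs: $(count_crl_masters "$d/master.cfg" "$d/clone.cfg")"
```

The demote step runs before the promote step on purpose: the procedure copies the former master's ca.crl.* lines as they are at that moment, which carries the CRL issuing configuration (here the constructed autoUpdateInterval) over to the new master while the enable flags are then set back to true explicitly. Running count_crl_masters over every CA CS.cfg in the topology after the swap is the cheap check that no second CRL generator was left enabled.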