13.6. Viewing Security Domain Configuration
A security domain is a registry of PKI services. PKI services, such as CAs, register information about themselves in these domains so users of PKI services can find other services by inspecting the registry. The security domain service in Certificate System manages both the registration of PKI services for Certificate System subsystems and a set of shared trust policies.
The security domain manages the trust relationships between subsystems automatically, so if a TPS, TKS, and KRA are within the same security domain, they can communicate securely.
Note
The security domain is used during subsystem configuration. When a subsystem is being set up, it can check the security domain registry to see available instances. If it needs to create a trusted relationship with another instance — like a TPS which uses a TKS and KRA for its operations — then the security domain is used to create a TPS agent user on the selected TKS and KRA instances.
The registry provides a complete view of all PKI services provided by the subsystems within that domain. Each Certificate System subsystem must be either a host or a member of a security domain.
Only a CA can host and manage a security domain. Each CA has its own LDAP entry, and the security domain is an organizational group underneath that CA entry:
ou=Security Domain,dc=example,dc=com
Then there is a list of each subsystem type beneath the security domain organizational group, with a special object class (pkiSecurityGroup) to identify the group type:
dn: cn=KRAList,ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: pkiSecurityGroup
cn: KRAList
Each subsystem instance is then stored as a member of that group, with a special pkiSubsystem object class to identify the entry type:
dn: cn=server.example.com:8443,cn=KRAList,ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: pkiSubsystem
cn: kra.example.com:8443
host: server.example.com
SecurePort: 8443
SecureAgentPort: 8443
SecureAdminPort: 8443
UnSecurePort: 8080
DomainManager: false
Clone: false
SubsystemName: KRA server.example.com 8443
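To turn the registry layout above into something an operator can review, the following added example (not code from Certificate System or its documentation) reads an LDIF dump of the ou=Security Domain subtree, groups the pkiSubsystem entries by their parent pkiSecurityGroup, and lists which hosts are flagged as the domain manager. The LDIF text is constructed from the entry layout shown above; a CA entry with DomainManager: true is assumed to mark the CA that hosts the domain, and the hostnames and ports are sample values.

```python
"""List the PKI subsystems registered in a Certificate System security domain.

Input is LDIF text such as the output of an ldapsearch over the
ou=Security Domain subtree. The sample below is constructed for this
example and mirrors the group/subsystem entry layout of the registry.
"""
from collections import defaultdict

# Constructed sample dump: one CA (assumed to host the domain, DomainManager: true)
# and one KRA registered in their respective pkiSecurityGroup lists.
SAMPLE_LDIF = """\
dn: ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Security Domain

dn: cn=CAList,ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: pkiSecurityGroup
cn: CAList

dn: cn=ca.example.com:8443,cn=CAList,ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: pkiSubsystem
cn: ca.example.com:8443
host: ca.example.com
SecurePort: 8443
SecureAgentPort: 8443
SecureAdminPort: 8443
UnSecurePort: 8080
DomainManager: true
Clone: false
SubsystemName: CA ca.example.com 8443

dn: cn=KRAList,ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: pkiSecurityGroup
cn: KRAList

dn: cn=server.example.com:8443,cn=KRAList,ou=Security Domain,dc=example,dc=com
objectClass: top
objectClass: pkiSubsystem
cn: server.example.com:8443
host: server.example.com
SecurePort: 8443
SecureAgentPort: 8443
SecureAdminPort: 8443
UnSecurePort: 8080
DomainManager: false
Clone: false
SubsystemName: KRA server.example.com 8443
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, one
    'attr: value' per line; repeated attributes (objectClass) are collected
    in a list. Base64 values and line folding are not handled, since the
    registry dump does not use them."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def subsystems_by_group(entries):
    """Map each pkiSecurityGroup name (CAList, KRAList, ...) to its members."""
    groups = defaultdict(list)
    for e in entries:
        if "pkiSubsystem" not in e.get("objectClass", []):
            continue
        # The parent RDN of a subsystem entry is its group, e.g. cn=KRAList.
        rdns = e["dn"][0].split(",")
        group = rdns[1].split("=", 1)[1] if len(rdns) > 1 else "?"
        groups[group].append({
            "host": e.get("host", [""])[0],
            "secure_port": int(e.get("SecurePort", ["0"])[0]),
            "domain_manager": e.get("DomainManager", ["false"])[0].lower() == "true",
            "clone": e.get("Clone", ["false"])[0].lower() == "true",
            "name": e.get("SubsystemName", [""])[0],
        })
    return dict(groups)


def domain_managers(groups):
    """Hosts flagged DomainManager: true, i.e. the CA(s) hosting the domain."""
    return sorted(s["host"] for members in groups.values()
                  for s in members if s["domain_manager"])


if __name__ == "__main__":
    groups = subsystems_by_group(parse_ldif(SAMPLE_LDIF))
    for group, members in sorted(groups.items()):
        print(group)
        for s in members:
            flags = (" [domain manager]" if s["domain_manager"] else "") + \
                    (" [clone]" if s["clone"] else "")
            print(f"  {s['name']}  https://{s['host']}:{s['secure_port']}{flags}")
    print("Domain managers:", ", ".join(domain_managers(groups)))
```

Against a live directory, the same functions can be fed the output of an ordinary OpenLDAP query over the subtree, for example ldapsearch -x with -b "ou=Security Domain,dc=example,dc=com" and the filter (objectClass=pkiSubsystem). Comparing the listed hosts and the domain-manager set against the expected inventory is a quick way to spot a subsystem registration that should not be there.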