
10.3. Updating CA-KRA Connector Information After Cloning


As covered in Section 2.7.9, “Custom Configuration and Clones”, configuration changes made after a clone is created are not propagated to the clone instances. Likewise, changes made to a clone are not copied back to the master instance.
If a new KRA is installed or cloned after a clone CA is created, then the clone CA does not have the new KRA connector information in its configuration. This means that the clone CA is not able to send any archival requests to the KRA.
Whenever a new KRA is created or cloned, copy its connector information into all of the cloned CAs in the deployment. To do this, use the pki ca-kraconnector-add command.
To do this manually, follow these steps:
  1. On the master clone machine, open the master CA's CS.cfg file, and copy all of the ca.connector.KRA.* lines for the new KRA connector.
    [root@master ~]# vim /var/lib/pki/instance_name/ca/conf/CS.cfg
  2. Stop the clone CA instance. For example:
    [root@clone-ca ~]# systemctl stop pki-tomcatd@instance_name.service
  3. Open the clone CA's CS.cfg file.
    [root@clone-ca ~]# vim /var/lib/pki/instance_name/ca/conf/CS.cfg
  4. Copy in the connector information for the new KRA instance or clone.
    ca.connector.KRA.enable=true
    ca.connector.KRA.host=server-kra.example.com
    ca.connector.KRA.local=false
    ca.connector.KRA.nickName=subsystemCert cert-pki-ca
    ca.connector.KRA.port=10444
    ca.connector.KRA.timeout=30
    ca.connector.KRA.transportCert=MIIDbD...ZR0Y2zA==
    ca.connector.KRA.uri=/kra/agent/kra/connector
    
  5. Start the clone CA.
    [root@clone-ca ~]# systemctl start pki-tomcatd@instance_name.service
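The manual steps above, as an added shell example that is not part of the Red Hat documentation: it replaces the ca.connector.KRA.* lines in a clone's CS.cfg with those from a copy of the master's file and checks that the two agree. The function names and the sk_ variable prefix are hypothetical; the script assumes the clone CA is stopped while it runs.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. Run only while the clone CA is stopped (step 2).

# Print a CS.cfg's ca.connector.KRA.* lines, sorted so two files can be compared.
kra_connector_lines() {
    grep -E '^ca\.connector\.KRA\.[^=]+=' "$1" | sort
}

# Succeed only if both files carry identical KRA connector settings.
kra_connector_in_sync() {
    [ "$(kra_connector_lines "$1")" = "$(kra_connector_lines "$2")" ]
}

# Replace the clone's connector lines with the master's (steps 1 and 4).
# Usage: sync_kra_connector MASTER_CS_CFG CLONE_CS_CFG
sync_kra_connector() {
    sk_master=$1 sk_clone=$2
    # Refuse a master file with no usable connector, so a wrong path
    # cannot silently strip the clone's existing settings.
    for sk_key in enable host port transportCert uri; do
        grep -qE "^ca\.connector\.KRA\.${sk_key}=.+" "$sk_master" || {
            echo "missing ca.connector.KRA.${sk_key} in $sk_master" >&2
            return 1
        }
    done
    sk_tmp=$(mktemp) || return 1
    # Keep every non-connector line of the clone; grep exits 1 if none remain.
    grep -vE '^ca\.connector\.KRA\.' "$sk_clone" > "$sk_tmp" || [ $? -eq 1 ] || return 1
    kra_connector_lines "$sk_master" >> "$sk_tmp"
    # Keep the previous file so the change can be rolled back.
    cp -p "$sk_clone" "$sk_clone.bak" || return 1
    # Write in place (not mv) so CS.cfg keeps its owner, mode and SELinux label.
    cat "$sk_tmp" > "$sk_clone"
    sk_rc=$?
    rm -f "$sk_tmp"
    return "$sk_rc"
}
```

Called on its own, kra_connector_in_sync is a read-only drift check that can be run against every clone CA after a KRA is installed or cloned.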