[Pki-users] General Cloning Question

Marc Sauton msauton at redhat.com
Thu May 21 19:02:11 UTC 2009


Mike Mercier wrote:
> Hello,
>
> I am in the process of setting up a Dogtag system with cloning.
>
> I have the following up and running:
>
> CA (on server service-1), KRA, OCSP, RA, TKS, and TPS
>
> I have already cloned the CA (on server service-2) and have a question
> about what security domain to join when cloning the rest of the sub
> systems?
> Should the clone of the other sub systems join the primary domain
> (service-1) or the cloned domain (service-2)?
>
> Thanks,
> Mike
>
That would be the primary domain, as there should be no such cloned domain.
The security domain is a configuration registry for the PKI services
that provides much easier configuration mechanisms to connect the
different subsystems' trusted relations and policies, versus having to
do all those configurations manually as in older versions of the
product. This helps a lot when setting up KRA, OCSP, and TKS with a CA.
The cloned CA must belong to the same "security domain" as the "master"
CA instance.
Although you can create and select any "security domain" you have, the
cloned subsystems must belong to the same "security domain", or at least
to the same "security domain" as their respective "masters" if you have
several "security domains" (and each subsystem can only belong to one
"security domain" at a time).
A root CA should probably have its own "security domain". It is fairly
flexible and settings may depend on your needs.
Some doc:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Installation_and_Configuration.html#Administration_Guide-Installation_and_Configuration-Deployment_Considerations
There will be updated documentation for RHCS 8.0 sometime soon.
M.



