Thanks Jack,
That did it. I'll add some "Lessons Learned" as well.
1.) You must first disable the profile you want to edit in CA Agent. Then open pkiconsole
to edit the actual Certificate Profile.
-This step is easily missed!
2.) If you don't know what profile you're trying to edit, from CA Agent -> List
Requests -> Show all requests.
-Since I'm working with SCEP, I needed to find out what profile was being used, so
I could modify it with the correct OCSP URI.
For the remaining questions:
Q1. Q2.Q3, and Q6 are not valid. I had incorrectly assumed that the OCSP relayed requests
or pulled the CRL, thus being the initiator. This is not the case. When the OCSP
registers with the CA, the CA creates a OCSPPublisher that is setup to publish the CRL to
the OCSP. ***Note: Each OCSP you register over writes the prior. If all of your OCSPs
are cloned from a single instance, this does not cause an issue. If they are clones of a
single OCSP instance, LDAP handles the replication for the group. If you have multiple
OCSP clusters, this causes an issue though. You will need to manually go into pkiconsole
and create a new OCSPPublisher and Publishing Rule for the previous OCSP.
Example:
OCSP1 registers Master with CA1 -> OCSPPublisher=OCSP1
OCSP2 Clone of OCSP1 registers with CA1 -> OCSPPublisher=OCSP2 (Still works because
OCSP1 and OCSP2 have LDAP replication.)
OCSP3 registers Master with CA1 -> OCSPPublisher=OCSP3 (OCSP1 and 2 no longer get
CRL. OCSP3 gets it.)
OCSP4 Clone of OCSP3 registers with CA1 -> OCSPPublisher=OCSP4 (OCSP1 and 2 no
longer get CRL. OCSP4 gets it and LDAP replicates it to OCSP3.)
Solution:
Register OCSPPublisher1 as a new Publisher and create a Publishing Rule for it.
Ensure you have 1 OCSPPublisher for each cluster of OCSPs.
Solution Enhancement:
Automatically name the OCSPPublisher the name of the OCSP Server, if it's not a Clone
of an existing OCSP instance and create the appropriate Publishing Rule.
Thank you
Paul
----- Original Message -----
From: John Magne <jmagne(a)redhat.com>
To: orrious(a)yahoo.com
Cc: pki-users(a)redhat.com; pki-devel(a)redhat.com
Sent: Wednesday, August 28, 2013 1:37 PM
Subject: Re: [Pki-devel] Enterprise CA Architecture
As for your OCSP query, try this:
Use the console to edit the certificate profile you are using.
I'm assuming it is caUserCert
You can also do this with config files if you want.
Look in /var/lib/pki-ca/profiles/ca/caUserCert.cfg
Anyway, there is an entry of the AIA extension that looks like this in the file:
policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.userCertSet.5.default.name=AIA Extension Default
policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.userCertSet.5.default.params.authInfoAccessCritical=false
policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
Either using editor or the console, put something in there for this setting:
policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=blah-url
Restart the server and try to issue a cert with this profile.
Also, when the agent approves the cert request, it has the chance to change this setting
on that page as well.
For your load balancer issue. Just as a quick test you might venture into your OCSP's
conf/CS.cfg file and observe the entries that are pointing you to the CA.
I haven't not tried this but it might be possible to change one of those settings to
your LB and see what happens. If there is a more elegant way to do this, others can chime
in.
thanks,
jack
----- Original Message -----
From: orrious(a)yahoo.com
To: pki-users(a)redhat.com, pki-devel(a)redhat.com
Sent: Tuesday, August 27, 2013 3:31:59 PM
Subject: [Pki-devel] Enterprise CA Architecture
Hi Everyone,
I am setting up a Dogtag 9.0.3 CA PoC and have a couple deployment questions.
My goal is to have a secure and redundant CA and subsystems. The RA is
external, redundant, and outside the scope of the discussion (for now).
OCSP services will more than likely be distributed in multiple Server/LB
pairs behind a single GTM VIP.
I am documenting each step of the install and will happily provide it so
others don't have to ask the same questions.
Thank you for taking the time to read and provide feedback.
Scenario:
I have successfully deployed CA1 and cloned CA2 from CA1. The VIP: CA.lab
load balances all incoming ports to both servers, during testing.
Q1.) When I configure OCSP1, it will not allow me to configure it to the VIP:
CA.lab. Instead I must select either CA1.lab or CA2.lab. Is there a way to
configure the OCSP to connect to the VIP rather than a specific CA server?
Q2.) If I am unable to configure OCSP against a VIP, should I configure
OCSP1->CA1 and OCSP2->CA2?
Q3.) If Q2 is True and one of the CA's is down will OCSP failover to the
other CA or will it just not answer a request.
Q4.) For the Dogtag Web pages, how do I change the server name in the URI to
the VIP, rather than the actual host name of the server? i.e, I go to
https://ca.lab:9445/ca/services. Depending on the server I am load balanced
to, the URLs for "Dogtag Certificate System", 'SSL End Users
Services", and
"Agent Services" all go to CA1.lab:944x/ca.. rather than
https://ca.lab:944x/ca This also pertains to OCSP pages.
Q5.) Certificates issues by default contain the OCSP service of the CA server
that issued the Certificate. i.e.
http://ca1.lab:9180/ca/ocsp. Can this
URI be changed to the LB VIP:
http://ca.lab:9180/ca/ocsp or can the VIP only
be added to the certificate? If it can only be added, can the priority be
changed so the VIP is queried first, as the CA would be firewalled in
production and inaccessible.
Q6.) Should the OCSP services become unavailable, I would also like to
publish the CRL in the certificates. What is the best performance for large
CRLs, say 100K entries; a web page or LDAP?
Kind Regards,
Paul
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel