Hi Dave,
Since PKI is so flexible, your PKI architecture would be
influenced by many factors such as the number of subscribers, the
diversity of your subscribers' PKI needs, real-time access,
initial and operating cost, etc. Also, when you mentioned "HA",
what kind of "HA" is it; e.g. HA for obtaining a new cert, renewing a
cert, obtaining the latest revocation status information? HA
for certificate publication in the repository? HA for CA access
to the repository? What is the requirement in your PKI CP?
Not knowing what these factors are, it would be very difficult to
come up with the "best" "HA" design for your circumstances.
Regards,
Erwin
We are in the planning stages of
deploying a CA using Dogtag. Here is what we know we need
and what resources we have to work with. Any suggestions are
welcome!
A primary CA - only used to create the subordinate CAs.
A subordinate CA - this would actually create the certs.
We have 2 servers with shared fibre channel storage. Each
currently has LDAP (389 project) installed, and they are
replicating between themselves. The LDAP servers run on
their own IPs. Also, these 2 servers are a corosync cluster
with 4 resource groups: puppet, mysql, apache, snmptrapd and
syslog-ng. Each of these has its own IP as well. None of
these services are load-balanced. They are either on one or
the other server; all the files these services need are
supported with fibre channel storage.
Now the CA. Here is what I have considered:
1) CA1 runs on server1; it uses the local LDAP server for
storage
2) CA2 runs on server2; it uses the local LDAP server for
storage
3) A clone of CA1 runs on server2 using server2's LDAP
storage
4) A clone of CA2 runs on server1 using server1's LDAP
storage
Ideally, we would run the service like we do apache. It
would run on either host, but only on one at a time. It would have
its files on shared storage to support this. The problem
with this setup is that the LDAP storage is the single point of
failure, as I cannot refer to 2 LDAP servers at the same
time, afaik.
For HA, it seems that the best I could do would be to have
both LDAP servers and all 4 PKI instances installed on
shared storage.
Any thoughts on this are greatly appreciated.
Thanks,
Dave
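The single point of failure Dave describes is the CA's binding to one LDAP server. The following added example (not from this thread, not Dogtag's own code, and not a claim about what Dogtag supports) illustrates the generic pattern a clustered CA needs around its directory backend: keep an ordered list of replicas, probe them, and bind to the first one that answers. Hostnames and ports are constructed; the probe is injectable so the selection logic can be exercised without a live directory.

```python
import socket
from typing import Callable, List, Optional, Tuple

Server = Tuple[str, int]

# Constructed sample topology matching the thread: two servers, each running
# a 389 DS replica on its own IP. Hostnames and ports are assumptions.
LDAP_REPLICAS: List[Server] = [
    ("ldap1.example.internal", 389),
    ("ldap2.example.internal", 389),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Minimal liveness probe: can we open a TCP connection to the replica?
    A real deployment would also bind and read a known entry, since an open
    port does not prove the directory is serving consistent data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_ldap_server(
    replicas: List[Server],
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Optional[Server]:
    """Return the first replica, in preference order, that passes the probe.

    Returns None when no replica answers, so the caller can refuse to start
    the CA rather than come up against an empty or stale backend.
    """
    for host, port in replicas:
        if probe(host, port):
            return (host, port)
    return None


def ldap_url(server: Server) -> str:
    """Render the chosen replica as the LDAP URL a CA instance would be
    configured with (plain ldap:// here; production would use ldaps://)."""
    host, port = server
    return f"ldap://{host}:{port}"


if __name__ == "__main__":
    chosen = pick_ldap_server(LDAP_REPLICAS)
    if chosen is None:
        raise SystemExit("no LDAP replica reachable; not starting CA")
    print("CA would bind to", ldap_url(chosen))
```

This only removes the single point of failure if replication between the two 389 DS instances is current when the switch happens; a CA that fails over onto a replica that has not yet received the latest issued certificates or revocation entries can issue duplicate serials or serve stale status, which is why the probe in production should verify the directory's content and replication state, not merely that the port is open.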
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users