
Chapter 4. Additional Installation Options

4.5. Configuring Separate RA Instances

When an RA is installed or created, it is automatically added to a default Registration Managers Group on the CA. This means that all RA managers belong to the same group, by default.

However, a particular site might require more than one RA instance, each having its own set of RA agents. If the site policy disallows cross-management between the RA instances, then extra configuration is needed to create separate RA groups.

1. Install and configure the first RA instance.

2. Add the new RA group to the Certificate Manager.

a. Start the Console. For example:

pkiconsole https://server.example.com:9445/ca

b. Click Users and Groups, and then click Groups.

c. Click Add to open the Edit Group Information dialog box.

d. Enter the group name and description, such as Registration Manager2 Agents.

e. Click OK.

3. Add the new RA authentication instance to the CA:

a. Open the CA configuration directory, and edit the CS.cfg file:

cd /etc/pki-ca

vi CS.cfg

b. Search for the string raCertAuth.

c. Copy those lines for the first RA instance, paste them, and edit them for the second RA instance's information. For example:

auths.instance.raCertAuth.agentGroup=Registration Manager Agents
auths.instance.raCertAuth.plug-inName=AgentCertAuth

4. Add the new RA user enrollment profile to the Certificate Manager's certificate profiles list to utilize the new RA authentication instance.

a. Open the CA profiles directory.

cd /var/lib/pki-ca/profiles/ca

b. Copy the current RA profile to create the new profile. For example:

cp caDualRAuserCert.cfg caDualRA2userCert.cfg

c. Edit the new file to contain the second RA instance's information. Change raCertAuth to ra2CertAuth.

5. Open the CA configuration directory, and edit the CS.cfg file:

cd /var/lib/pki-ca/conf

vi CS.cfg

a. Add caDualRA2userCert to the profiles list. For example:

profile.list=...[snip]...caRAserverCert,caRA2userCert

Make sure to use a comma to separate the entries.

b. Search for the lines for the caDualRAuserCert profile configuration, copy them, and edit them for the second RA instance's information.

profile.caDualRAuserCert.class_id=caEnrollImpl
profile.caDualRAuserCert.config=/var/lib/pki-ca/profiles/ca/caDualRAuserCert.cfg
profile.caDualRA2userCert.class_id=caEnrollImpl
profile.caDualRA2userCert.config=/var/lib/pki-ca/profiles/ca/caDualRA2userCert.cfg

6. Add a new URI mapping to allow the new RA agent to be registered in the new RA group.

a. Open the CA web applications directory, and edit the web.xml file:

cd /var/lib/pki-ca/webapps/ca/WEB-INF

vi web.xml

b. At about line 288 in the web.xml file is the servlet setting for the first RA's user. Copy the entire entry, including the opening and closing <servlet> tags, and edit the

<servlet>
    <servlet-name> caRegisterRa2User </servlet-name>
    <servlet-class> com.netscape.cms.servlet.csadmin.RegisterUser </servlet-class>
    <init-param>
        <param-name> GetClientCert </param-name>
        <param-value> false </param-value>
    </init-param>
    <init-param>
        <param-name> authority </param-name>
        <param-value> ca </param-value>
    </init-param>
    <init-param>
        <param-name> ID </param-name>
        <param-value> caRegisterRaUser </param-value>
    </init-param>
    <init-param>
        <param-name> AuthMgr </param-name>
        <param-value> TokenAuth </param-value>
    </init-param>
    <init-param>
        <param-name> GroupName </param-name>
        <param-value> Registration Manager2 Agents </param-value>
    </init-param>
    <init-param>
        <param-name> AuthzMgr </param-name>
        <param-value> BasicAclAuthz </param-value>
    </init-param>
    <init-param>
        <param-name> resourceID </param-name>
        <param-value> certServer.ca.registerUser </param-value>
    </init-param>
</servlet>

c. At about line 2510 in the web.xml file is the servlet-mapping setting for the first RA's user mapping. Copy the entire entry, including the opening and closing <servlet-mapping> tags, and edit the information to match the second RA's user. For example:

<servlet-mapping>
    <servlet-name> caRegisterRa2User </servlet-name>
    <url-pattern> /admin/ca/registerRa2User </url-pattern>
</servlet-mapping>

7. Restart the CA. For example:

service pki-ca restart

8. Create the new RA instance using the pkicreate command:

pkicreate -pki_instance_root=/var/lib -subsystem_type=ra -pki_instance_name=pki-ra2 -secure_port=12899 -unsecure_port=12898 -verbose -user=pkiuser -group=pkiuser

9. Open the configuration file for the new RA instance, and edit its parameters to reflect the second RA instance information:

cd /var/lib/pki-ra2/conf/

vi CS.cfg

11. Change the caDualRAuserCert setting to caDualRA2userCert:

request.renewal.approve_request.0.profileId=caDualRA2userCert
...
request.user.approve_request.0.profileId=caDualRA2userCert

12. Restart the new RA instance. For example:

# service pki-ra2 restart

13. A URL was generated at the end of the pkicreate command; go to that URL to configure the second RA. For example:

http://server.example.com:12898/ra/admin/console/config/login?pin=bFyAk9nWPfgLZXffRBT9

14. When the new RA is completely configured, restart the instance:

# service pki-ra2 restart
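The CS.cfg and profile edits of steps 3 to 5 are easy to get subtly wrong by hand (a missing comma in profile.list, a second copy of an auth instance), so the following added example, which is not part of the Red Hat Certificate System documentation, scripts those edits as a function that takes the root of a CA configuration tree and refuses to run twice. The function name add_ra2_config and the practice of running it on a copy of /var/lib/pki-ca first are assumptions of this example; the file names, keys and group name are the ones the procedure uses.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Certificate System documentation:
# scripts the CS.cfg and profile edits of steps 3 to 5 against a CA
# configuration tree rooted at $1, so the change can be diffed and reviewed
# on a copy before it is applied to the live /var/lib/pki-ca.
# Assumed layout, taken from the procedure:
#   $ROOT/conf/CS.cfg  and  $ROOT/profiles/ca/caDualRAuserCert.cfg
# "Registration Manager2 Agents" is the group created in step 2.

add_ra2_config() {
    root="$1"
    cfg="$root/conf/CS.cfg"
    profdir="$root/profiles/ca"

    # Guard against running twice: a second copy of the auth instance or of
    # the profile entries would leave the CA with an ambiguous configuration.
    if grep -q '^auths\.instance\.ra2CertAuth\.' "$cfg"; then
        echo "ra2CertAuth is already configured in $cfg" >&2
        return 1
    fi

    # Steps 3 and 5b: derive the ra2CertAuth instance and the
    # caDualRA2userCert profile entries from the first RA's lines. Only the
    # instance name, the agent group and the profile name/path change.
    {
        grep '^auths\.instance\.raCertAuth\.' "$cfg" \
            | sed -e 's/^auths\.instance\.raCertAuth\./auths.instance.ra2CertAuth./' \
                  -e 's/^\(auths\.instance\.ra2CertAuth\.agentGroup=\).*/\1Registration Manager2 Agents/'
        grep '^profile\.caDualRAuserCert\.' "$cfg" \
            | sed 's/caDualRAuserCert/caDualRA2userCert/g'
    } > "$cfg.add"

    # Step 5a: register the new profile in the comma-separated profile.list,
    # then append the derived lines. Written through a temporary file rather
    # than sed -i, which is not portable.
    { sed 's/^\(profile\.list=.*\)$/\1,caDualRA2userCert/' "$cfg"; cat "$cfg.add"; } \
        > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" && rm "$cfg.add"

    # Step 4: copy the RA user profile and point it at the new auth instance
    # (the procedure says to change raCertAuth to ra2CertAuth in the file).
    sed 's/raCertAuth/ra2CertAuth/g' "$profdir/caDualRAuserCert.cfg" \
        > "$profdir/caDualRA2userCert.cfg"
}

# Usage: work on a copy first, e.g.
#   cp -a /var/lib/pki-ca /tmp/pki-ca-copy && add_ra2_config /tmp/pki-ca-copy
#   diff -r /var/lib/pki-ca /tmp/pki-ca-copy
```

The web.xml servlet and servlet-mapping entries of step 6 are left to the manual edit the procedure describes, since they are XML rather than key=value lines.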