pki-ca-kraconnector(1)    PKI CA-KRA Connector Management Commands    pki-ca-kraconnector(1)

pki-ca-kraconnector - Command-Line Interface for managing CA-KRA connectors.

pki [CLI options] ca-kraconnector
pki [CLI options] ca-kraconnector-show
pki [CLI options] ca-kraconnector-add --input-file <input file> | --host <KRA host> --port <KRA port>
pki [CLI options] ca-kraconnector-del --host <KRA host> --port <KRA port>

The pki-ca-kraconnector commands provide command-line interfaces to
manage CA-KRA connectors. This command should be applied against CAs
only.

When keys are archived, the CA communicates with the KRA through
authenticated persistent connections called Connectors. Because the CA
initiates the communication, the connector configuration is performed
on the CA only. A Connector is automatically configured on the issuing
CA whenever a KRA is set up by pkispawn.

A CA may have only one KRA connector. This connector can be configured
to talk to multiple KRAs (for high availability) only if the KRAs are
clones.

pki [CLI options] ca-kraconnector
    This command is to list available KRA connector commands.

pki [CLI options] ca-kraconnector-show
    This command is to view the configuration settings for the CA-KRA
    connector configured on the CA. These details can be redirected to
    a file, modified as needed, and used as the input file for the
    ca-kraconnector-add command.

pki [CLI options] ca-kraconnector-add --input-file <input_file>
    This command is to configure the CA-KRA connector on the CA
    subsystem. The input file is an XML document as provided by the
    ca-kraconnector-show command.

    A CA-KRA connector can be created from an input file only if a
    connector does not already exist. If one already exists, it should
    be removed first.

pki [CLI options] ca-kraconnector-add --host <KRA host> --port <KRA Port>
    This command is to add a host to an existing CA-KRA connector.

pki [CLI options] ca-kraconnector-del --host <KRA Host> --port <KRA Port>
    This command is to delete a host from the CA-KRA connector on a CA.
    If the last KRA host is removed, the connector configuration is
    removed from the CA.

The CLI options are described in pki(1).

To view available CA-KRA connector commands, type pki ca-kraconnector.
To view each command's usage, type pki ca-kraconnector-<command> --help.

All CA-KRA connector commands must be executed as the CA administrator.

To retrieve the CA-KRA connector configuration from the CA:

    pki <CA admin authentication> ca-kraconnector-show

One of the most common use cases for these commands is to add a KRA
clone to an existing CA-KRA connector for high availability. This can
be done using the pki ca-kraconnector-add command as shown:

    pki <CA admin authentication> ca-kraconnector-add --host kra2.example.com --port 8443

To delete a KRA clone from the connector:

    pki <CA admin authentication> ca-kraconnector-del --host kra2.example.com --port 8443

Ade Lee <alee@redhat.com>.

Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General
Public License, version 2 (GPLv2). A copy of this license is available
at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

version 10.3    June 10, 2016    pki-ca-kraconnector(1)