1pki-ca-kraconnector(P1K)I CA-KRA Connector Management Commanpdksi-ca-kraconnector(1)
2
3
4
6 pki-ca-kraconnector - Command-line interface for managing CA-KRA con‐
7 nectors.
8
9
11 pki [CLI-options] ca-kraconnector
12 pki [CLI-options] ca-kraconnector-show
13 pki [CLI-options] ca-kraconnector-add --input-file input-file
14 pki [CLI-options] ca-kraconnector-add --host KRA-host --port KRA-port
15 pki [CLI-options] ca-kraconnector-del --host KRA-host --port KRA-port
16
17
19 The pki-ca-kraconnector commands provide command-line interfaces to
20 manage CA-KRA connectors. This command should be applied against CAs
21 only.
22
23
24 When keys are archived, the CA communicates with the KRA through
25 authenticated persistent connections called Connectors. Because the CA
26 initiates the communication, the connector configuration is performed
27 on the CA only. A Connector is automatically configured on the issuing
28 CA whenever a KRA is set up by pkispawn.
29
30
31 A CA may have only one KRA connector. This connector can be configured
32 to talk to multiple KRAs (for high availability) only if the KRAs are
33 clones.
34
35
36 pki [CLI-options] ca-kraconnector
37 This command is to list available KRA connector commands.
38
39
40 pki [CLI-options] ca-kraconnector-show
41 This command is to view the configuration settings for the CA-KRA
42 connector configured on the CA.
43 These details can be redirected to a file, modified as needed, and
44 used as the input file for the ca-kraconnector-add command.
45
46
47 pki [CLI-options] ca-kraconnector-add --input-file input-file
48 This command is to configure the CA-KRA connector on the CA subsys‐
49 tem.
50 The input file is an XML document as provided by the pki ca-kracon‐
51 nector-show command.
52 A CA-KRA connector can only be created from an input file only if a
53 connector does not already exist.
54 If one already exists, it should be removed first.
55
56
57 pki [CLI-options] ca-kraconnector-add --host KRA-host --port KRA-port
58 This command is to add a host to an existing CA-KRA connector.
59
60
61 pki [CLI-options] ca-kraconnector-del --host KRA-host --port KRA-port
62 This command is to delete a host from the CA-KRA connector on a CA.
63 If the last KRA host is removed, the connector configuration is
64 removed from the CA.
65
66
68 The CLI options are described in pki(1).
69
70
72 To view available CA-KRA connector commands, type pki ca-kraconnector.
73 To view each command's usage, type pki ca-kraconnector-lt;commandgt;
74 --help.
75
76
77 All CA-KRA connector commands must be executed as the CA administrator.
78
79
80 To retrieve the CA-KRA connector configuration from the CA:
81
82
83 $ pki <CA admin authentication> ca-kraconnector-show
84
85
86
87 One of the most common use cases for these commands is to add a KRA
88 clone to an existing CA-KRA connector for high availability. This can
89 be done using the pki ca-kraconnector-add command as shown:
90
91
92 $ pki <CA admin authentication> ca-kraconnector-add --host kra2.example.com --port 8443
93
94
95
96 To delete a KRA clone from the connector:
97
98
99 $ pki <CA admin authentication> ca-kraconnector-del --host kra2.example.com --port 8443
100
101
102
104 Ade Lee lt;alee@redhat.comgt;.
105
106
108 Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU Gen‐
109 eral Public License, version 2 (GPLv2). A copy of this license is
110 available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
111
112
113
114PKI June 10, 2016 pki-ca-kraconnector(1)