Changing The Internal Database Configuration - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Chapter 3. Administrative Basics
To fulfill these functions, the Certificate System is incorporated with a Red Hat Directory Server,
referred to as the internal database or local database. The Directory Server is referenced as part of
the Certificate System configuration; when the Certificate System subsystem is configured, a new
database is created within the Directory Server. This database is used as an embedded database
exclusively by the Certificate System instance and can be managed using directory management tools
that come with the Directory Server.
The Certificate System instance database is listed with the other Directory Server databases in the
serverRoot/slapd-DS_name/db/ directory. These databases are named by default in the format
hostname-CS_instance_ID, which is the default format given during the instance configuration. For
example, for a Certificate Manager named ca1, the database name would be host.example.com-ca1.
The database name can be anything, depending on the name given during the configuration.
The subsystems use the database for storing different objects. A Certificate Manager stores all the
data, certificate requests, certificates, CRLs, and related information, while a DRM only stores key
records and related data.
WARNING
The internal database schema is configured to store only Certificate System data. Do
not make any changes to it or configure the Certificate System to use any other LDAP
directory. Doing so can result in data loss.
Additionally, do not use the internal LDAP database for any other purpose.

3.12.1. Changing the Internal Database Configuration

To change the Directory Server instance that a subsystem instance uses as its internal database:
1. Log in to the subsystem administrative console.
   pkiconsole https://hostname:SSLport/subsystemType
2. In the Configuration tab, select the Internal Database tab.
3. Change the Directory Server instance by changing the hostname, port, and bind DN fields.
The hostname is the fully qualified hostname of the machine on which the Directory Server is
installed, such as certificates.example.com. The Certificate System uses this name to
access the directory.
By default, the hostname of the Directory Server instance used as the internal database is shown
as localhost instead of the actual hostname. This is done to insulate the internal database from
being visible outside the system since a server on localhost can only be accessed from the
local machine. Thus, the default configuration minimizes the risk of someone connecting to this
Directory Server instance from outside the local machine.
The hostname can be changed to something other than localhost if the visibility of the internal
database can be limited to a local subnet. For example, if the Certificate System and Directory
Server are installed on separate machines for load balancing, specify the hostname of the
machine on which the Directory Server is installed.
The port number is the TCP/IP port used for non-SSL communications with the Directory Server.
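To confirm that the internal database is as invisible from the network as the localhost setting intends, check which local addresses the Directory Server port is actually bound to. The following is an added example, not part of the Red Hat manual: it assumes `ss` (iproute2) is available and uses port 389 and constructed sample listener lines for illustration; substitute the port shown in the Internal Database tab.

```shell
#!/bin/sh
# Added example (not from the manual): classify the listeners on a TCP port
# as loopback-only or reachable from the network.
# Input on stdin is `ss -ltn` output (column 4 is "Local Address:Port").

# classify_listeners PORT -> prints "<address> loopback|exposed" per listener
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            # Split at the last colon; IPv6 addresses contain several.
            n = match(la, /:[0-9]+$/)
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            if (substr(la, n + 1) != port) next
            gsub(/^\[|\]$/, "", addr)    # strip IPv6 brackets
            sub(/%.*$/, "", addr)        # strip interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
                print addr, "loopback"
            else
                print addr, "exposed"    # wildcard or routable address
        }'
}

# exposed_count PORT -> number of non-loopback listeners on PORT
exposed_count() {
    classify_listeners "$1" | awk '$2 == "exposed" { c++ } END { print c + 0 }'
}

# Constructed sample input (assumed ports: 389 plain LDAP, 636 LDAPS).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:389      0.0.0.0:*
LISTEN 0      128    [::1]:389          [::]:*
LISTEN 0      128    0.0.0.0:636        0.0.0.0:*
LISTEN 0      128    *:9080             *:*
EOF
}

# Demo on the constructed sample; on a real host run:
#   ss -ltn | classify_listeners 389
sample_ss_output | classify_listeners 389
```

An "exposed" result means the directory accepts connections on that port from other machines regardless of the hostname the subsystem uses to reach it, so access then depends on network filtering and the Directory Server's own access controls.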