Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual page 166

Chapter 5. Registration Authority
A particular site might require more than one RA instance, each having its own set of RA agents. If
the site policy is to disallow cross-management between the RA instances, then extra configuration is
needed to ensure that the policy is not violated.
The following procedure describes how to add a new RA instance to an existing security domain. You
need administrator privileges to the system and also to the CA to perform this procedure.
Procedure 5.2. Adding a new RA instance to an existing security domain
1. On the CA, use the following procedure to add the new RA group:
a. Use the following command to start the pkiconsole. Replace "example.com" with your CA
server name.
# /usr/bin/pkiconsole https://<example.com>:9443/ca/&
Click Users and Groups, and then click Groups.
b.
Click Add to display the Edit Group Information dialog box.
c.
d. Enter the group name and description: for example, "Registration Manager2 Agents".
Click OK.
e.
2. Add the new RA authentication instance in the CA:
a. Change to the CA configuration directory, and edit the CS.cfg file
cd /var/lib/rhpki-ca/conf
vi CS.cfg
b. Search for the lines containing the string "raCertAuth".
c. Copy both lines and paste them immediately below the existing lines.
d. Make the following changes:
i. Change auths.instance.raCertAuth.agentGroup=Registration Manager
Agents to auths.instance.ra2CertAuth.agentGroup=Registration
Manager2 Agents
ii. Change auths.instance.raCertAuth.pluginName=AgentCertAuth to
auths.instance.ra2CertAuth.pluginName=AgentCertAuth
3. Add the new RA user enrollment profile to utilize the new RA authentication instance
a. Change to the CA profiles directory
cd /var/lib/rhpki-ca/profiles/ca
b. Create the new configuration file as follows:
144