Configuring Failover Support - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
The support subsystems (CA, TKS, and DRM) can handle requests from several TPS subsystems, so
there does not have to be a one-to-one ratio, with one CA for every TPS.
Figure 5.2. Scaling the TPS and Its Dependent Subsystems
For multiple TPSs to use the same CA, TKS, or DRM, simply configure each TPS to use the same
support subsystem or add the subsystems to the conn.subsystem# parameter for the TPS.
Likewise, a single TPS can handle requests from multiple Enterprise Security Clients, simply by
configuring the Phone Home URLs in the Enterprise Security Clients' esc-prefs.js files to point
to the same TPS. (This is described more in the Managing Smart Cards with the Enterprise Security
Client guide.)
The token management system as a whole, then, has very flexible scalability. Additional subsystems
and clients can be added to improve performance without affecting the configuration of other
subsystem instances.

5.8.1. Configuring Failover Support

The subsystem instance to which the TPS connects is set in the conn.subsystem#.hostport
parameter of the CS.cfg configuration file. For example, the CA instance is set in the following
parameter:
conn.ca1.hostport=aCA.example.com:9443
To configure failover support, list multiple instances in the conn.subsystem#.hostport parameter,
separated by spaces. For example:
conn.ca1.hostport=aCA.example.com:9443 bCA.example.com:9443 cCA.example.com:9443
For failover support to be properly configured, all of the subsystem instances must have the same
policies and configuration; this means all of the subsystems must be clones. For example, if the TPS
is configured to communicate with three CAs, the three CAs must be clones of each other. This means
that the values of the other configuration parameters are the same between the instances.
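
The following check is an added example, not part of the Red Hat manual or the Certificate System code: it reads the conn.subsystem#.hostport lines from a TPS CS.cfg and reports entries that would not give working failover (comma-separated instead of space-separated lists, a missing port, duplicates, or a single instance). The function name check_failover, the host:port pattern, and all hostnames other than the CA names shown above are assumptions made for the illustration.

```python
import re

# Constructed sample of a TPS CS.cfg fragment; the tks1 and drm1 lines are
# deliberately malformed and their hostnames are invented for this example.
SAMPLE_CS_CFG = """\
conn.ca1.hostport=aCA.example.com:9443 bCA.example.com:9443 cCA.example.com:9443
conn.tks1.hostport=aTKS.example.com:9443,bTKS.example.com:9443
conn.drm1.hostport=aDRM.example.com:9443 aDRM.example.com:9443 bDRM.example.com
conn.ca2.hostport=dCA.example.com:9443
"""

HOSTPORT_KEY = re.compile(r"^conn\.([A-Za-z]+\d+)\.hostport$")
ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")  # assumed host:port shape

def check_failover(cfg_text):
    """Return {subsystem: {"targets": [...], "problems": [...]}}."""
    report = {}
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        m = HOSTPORT_KEY.match(key.strip())
        if not sep or not m:
            continue  # not a conn.<subsystem#>.hostport line
        targets, problems = [], []
        for entry in value.split():  # instances are separated by spaces
            e = ENTRY.match(entry)
            if not e or not 0 < int(e.group(2)) <= 65535:
                problems.append(f"malformed entry {entry!r} (expected host:port)")
            elif entry.lower() in (t.lower() for t in targets):
                problems.append(f"duplicate entry {entry!r}")
            else:
                targets.append(entry)
        if len(targets) < 2:
            problems.append("fewer than two valid instances: no failover")
        report[m.group(1)] = {"targets": targets, "problems": problems}
    return report

if __name__ == "__main__":
    for name, result in check_failover(SAMPLE_CS_CFG).items():
        print(name, result["targets"])
        for problem in result["problems"]:
            print("  !", problem)
```

The check covers only the syntax of the list; whether the listed instances are actually clones with the same policies still has to be verified on the subsystems themselves.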