CS was not designed to retrieve its singing key reliably in a HSM failover environment. Adding such support will be beneficial to sites with intent to support high availability.
Checked into DOGTAG_10_2_RHEL_BRANCH:
Cherry-picked to the following branches:
master
DOGTAG_10_2
DOGTAG_10_2_6
Information about this fix:
pushed to DOGTAG_10_2_RHEL_BRANCH
commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1 Author: Christina Fu cfu@redhat.com Date: Wed Sep 30 13:55:05 2015 +0200
Ticket #1593 auto-shutdown - for HSM failover support This is an interim solution for supporting HSM failover by automatically shutting down the server when signing key becomes inaccessible. At auto-shutdown, a crumb fiile will be left in the instance directory for an external daemon to detect and restart, if necessary. Due to limitation of the watch dog (nuxwdog) at present time, the restart option currently only works if started with watch dog (nuxwdog), and it will prompt for passwords on the terminals. The restart counter is to prevent the server from going into an infinite restart loop. Administrator will have to reset autoShutdown.restart.count to 0 when max is reached.
Metadata Update from @cfu: - Issue assigned to cfu - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2152
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.