Currently, if you are on a subsystem that is not a security domain master, pkiremove/ pkidestroy will call updateDomainXML to remove the subsystem from the security domain. This servlet does a few things:

1. removes the entry from the list of subsystems in the security domain.
2. removes a user corresponing to uid= <subsystem_type>-<host>-<port>
3. removes that user from the subsystem group.

There are some problems with this.

1. CA's which are clones of security domain CA's automatically become masters themselves. This means that when the clone is removed, updateDomainXML is not updated and the clone entry remains in the security domain. This is also true for a security domain master.

2. the user that uses the subsystem cert is created in the SubsystemGroupUpdater when the subsystem certificate is issued on the security domain. This means that there is only one such user for all clones. In general then, when clones (of a KRA for instance) are removed, they will try to remove a non-existent user. And if you remove the master instead, then there will be no subsystem user left for the clones to use!

Proposed solution A (keeping only one user in security domain):
1. Change the current setting of "Clone" in the security domain to be the name of the master, rather than "True" -- or more specifically the prototypical master. That is, if A->B and B-> C , then the prototypical master is A.
2. All subsystems will call updateDomainXML to remove themselves from the domain.
3. updateDomainXML will only remove the user and remove user from group if no clones exist with the same prototypical master.
4. In the case that the prototypical master is removed, clones will be updated to make another clone the prototypical master.

Proposed Change B:
1. When a clone is created, also create a user for this system in the security domain master, and populate with subsystem cert.
2. All subsystems will call updateDomainXML to remove their user and entry.