Synchronizing the VA Database

Now that you have an up and running EJBCA instance dedicated as a VA, the next thing to do is synchronize its database. In doing so, you'll also be setting up publishing operations between the CA and VA.

The VA database is the master database for the standalone VA installations and where the master CA will publish certificates when they are issued or revoked.

Using EJBCA Peer Publisher (recommended) 

ENTERPRISE  This is an EJBCA Enterprise feature.

For information on setting up an outgoing peer connector, see Peer Systems.

Note that when setting up a new Peer System, all previously issued certificates need to be pushed to the VA. To do this, perform the following steps:

  1. In the Admin GUI, go to Peer Systems.
  2. Click Manage for the peer connector representing the VA and select the Certificate Data Synchronization tab.
  3. Configure the relevant subset of information to synchronize and click Start to initiate the synchronization as a background task. The progress can be followed either in this view or in the Peer Systems overview.

The connecting system needs to be authorized to the /peerincoming /peerpublish/readcert /peerpublish/writecert /ca/[CAName] access rules to be able to check synchronization data and push missing or outdated certificate entries.

Using Legacy VA Publisher 

ENTERPRISE  This is an EJBCA Enterprise feature.

In the case of the VA being an OCSP responder, set the data source java:/OcspDS in JBoss. The VA data source should not be involved in transactions (a no-tx-datasource in JBoss), and it should have auto-commit (should be default in JBoss).

Related Content