The Multi Group Publisher allows certificates or certificate status to be published to several groups of publishers. The purpose is both to ease maintenance and to allow for large-scale publishing to EJBCA clusters.
A group is a set of one or more other publishers (may not be other Multi Group Publishers). The Multi Group Publisher ensures that publishing is done according to the following rules:
- All groups are published to.
- For each group, a randomly selected publisher is published to.
- Publish to a large number of publishers: Many groups with one publisher each.
- Publish to one random publisher: One group with many publishers.
- Publish to multiple clusters: One group per cluster, with all of the cluster nodes publishers in it.
The following Multi Group Publisher settings are available.
Lists available publishers that can be placed in groups in the Multi Group Publisher.
To prevent misspelled publisher names, it is recommended to copy-paste from this list.
Free text field used to configure the groups.
A group is constructed of one or more publishers. Add one publisher name per line and separate groups by adding a blank line.
The example screenshot displays three groups. This type of configuration is useful if there are three clusters in different locations, and you want to publish to one node in each cluster.
The order of groups decide the order they are queued (non-direct publishing) or published (direct publishing).
It is recommended that the Multi Group Publisher itself does not use the publisher queue and that the publishers in the groups do use the queue. This allows for efficient publishing, asynchronously after a certificate issuance or certificate status change.
The following displays how to configure the Publisher Queue settings for the Multi Group Publisher:
The following displays how to configure the Publisher Queue settings for the publishers included in the groups, enabling asynchronous publishing as described above:
Publishing of Revoked Certificates Only
In high-volume environments, it can be useful to publish only revoked certificates. This is configured for all the publishers included in each group, by enabling the Publish only revoked certificates setting. Note that either all or none of the publishers in a group should have the setting Publish only revoked certificates enabled, since EJBCA checks the publisher with the lowest ID in the group to determine the value.
If all of the groups have the setting Publish only revoked certificates set for its publishers, the Multi Group Publisher will ignore any non-revoked certificates.