Synchronizing the VA Database

Now that you have an EJBCA instance up and running that you've decided to dedicate to a simple but noble existence as a VA, the next thing you're going to want to do is synchronize its database. In doing so, you'll also be setting up publishing operations between the CA and the VA.

The VA database is the master database for the standalone VA installations, and it is where the master CA publishes certificates when they are issued or revoked.

Using the EJBCA Peer Publisher (recommended)

This is an EJBCA Enterprise Edition (EE) feature.

For information on setting up an outgoing peer connector, see Peer Systems.

Note that when setting up a new Peer System, all previously issued certificates need to be pushed to the VA. To do this, perform the following steps:

  1. In the Admin GUI, go to Peer Systems.

  2. Click Manage for the peer connector representing the VA and select the Certificate Data Synchronization tab.

  3. Configure the relevant subset of information to synchronize and click Start to initiate the synchronization as a background task. The progress can be followed either in this view or in the Peer Systems overview.

To be able to check synchronization data and push missing or outdated certificate entries, the connecting system needs to be authorized to the following access rules: /peerincoming, /peerpublish/readcert, /peerpublish/writecert, and /ca/[CAName].

Using the Legacy VA Publisher

This is an EJBCA Enterprise Edition (EE) feature.

If the VA is an OCSP responder, the data source java:/OcspDS should be set in JBoss. The VA data source should not be involved in transactions (a no-tx-datasource in JBoss), and it should have auto-commit enabled (which should be the default in JBoss).
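
A sketch of the data source described above, added here as an example and not taken from the EJBCA documentation. The first fragment uses the legacy JBoss *-ds.xml format, the second the WildFly / JBoss EAP datasources subsystem, where jta="false" is the non-transactional setting. The connection URL, driver, user name and password are placeholders (assumptions), to be replaced with the values for your VA database.

```xml
<!-- Fragment 1: legacy JBoss deploy/ocsp-ds.xml (file name is an assumption).
     <no-tx-datasource> keeps the pool out of JTA transactions. -->
<datasources>
  <no-tx-datasource>
    <!-- Bound under java:/ by default, giving java:/OcspDS -->
    <jndi-name>OcspDS</jndi-name>
    <!-- Placeholder URL and driver: substitute your VA database -->
    <connection-url>jdbc:DB_TYPE://VA_DB_HOST:PORT/VA_DB_NAME</connection-url>
    <driver-class>JDBC_DRIVER_CLASS</driver-class>
    <user-name>VA_DB_USER</user-name>
    <password>VA_DB_PASSWORD</password>
    <!-- No auto-commit setting is needed: JDBC connections start in
         auto-commit mode unless something switches it off. -->
  </no-tx-datasource>
</datasources>

<!-- Fragment 2: the same data source inside the datasources subsystem of
     WildFly / JBoss EAP standalone.xml. jta="false" replaces the legacy
     no-tx-datasource element. -->
<datasource jta="false" jndi-name="java:/OcspDS" pool-name="OcspDS" enabled="true">
  <connection-url>jdbc:DB_TYPE://VA_DB_HOST:PORT/VA_DB_NAME</connection-url>
  <!-- Name of a JDBC driver already registered in the server (placeholder) -->
  <driver>JDBC_DRIVER_NAME</driver>
  <security>
    <user-name>VA_DB_USER</user-name>
    <password>VA_DB_PASSWORD</password>
  </security>
</datasource>
```

Use only the fragment that matches your application server version. Give the database account only the rights the VA needs on its own schema.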