[Pki-users] Best High Availability Design

Dave Augustus davea at ingraftedsoftware.com
Thu Feb 17 04:15:58 UTC 2011


We are in the planning stages of deploying a CA using Dogtag. Here is 
what we know we need and what resources we have to work with. Any 
suggestions are welcome!

A primary CA - only used to create the subordinate CAs.
A subordinate CA - this would actually create the certs.

We have 2 servers with shared fibre channel storage. Each currently has 
LDAP (389 project) installed, and they are replicating between themselves. The 
LDAP servers run on their own IPs. Also, these 2 servers are a corosync 
cluster with 4 resource groups: puppet, mysql, apache, snmptrapd and 
syslog-ng. Each of these has its own IP as well. None of these 
services are load-balanced. They are on either one server or the other; 
all the files these services need are on fibre channel storage.

Now the CA. Here is what I have considered:
1) CA1 runs on server1- it uses the local LDAP server for storage
2) CA2 runs on server2- it uses the local LDAP server for storage
3) A clone of CA1 runs on server2 using server2's LDAP storage
4) A clone of CA2 runs on server1 using server1's LDAP storage

Ideally, we would run the service like we do apache. It would run on 
either host, but only one at a time. It would have its files on shared 
storage to support this. The problem with this setup is the LDAP storage 
is the single point of failure as I cannot refer to 2 LDAP servers at 
the same time, afaik.

For HA, it seems that the best I could do would be to have both LDAP 
servers and all 4 PKI instances installed on shared storage.

Any thoughts on this are greatly appreciated.

Thanks,
Dave





