Multi Group Publisher

The Multi Group Publisher allows certificates or certificate status to be published to several groups of publishers. The purpose is both to ease maintenance and to allow for large-scale publishing to EJBCA clusters.

A group is a set of one or more other publishers, which may not themselves be Multi Group Publishers. The Multi Group Publisher ensures that publishing is done according to the following rules:

  1. All groups are published to.

  2. For each group, a randomly selected publisher is published to.

Use Cases

  • Publish to a large number of publishers: Many groups with one publisher each.

  • Publish to one random publisher: One group with many publishers.

  • Publish to multiple clusters: One group per cluster, with the publishers for all of that cluster's nodes in it.

Settings

The following Multi Group Publisher settings are available.

[Screenshot: Multi Group Publisher settings]

Setting

Description

Available Publishers

Lists available publishers that can be placed in groups in the Multi Group Publisher.

To prevent misspelled publisher names, it is recommended to copy-paste from this list.

Publisher groups

Free text field used to configure the groups.

A group is constructed of one or more publishers. Add one publisher name per line and separate groups by adding a blank line.

The example screenshot displays three groups. This type of configuration is useful if there are three clusters in different locations, and you want to publish to one node in each cluster.

First group

Aachen Publisher 1
Aachen Publisher 2
Aachen Publisher 3

Second group

San Mateo Publisher 1
San Mateo Publisher 2

Third group

Solna Publisher 1
Solna Publisher 2
Solna Publisher 3

The order of the groups determines the order in which they are queued (non-direct publishing) or published (direct publishing).
The order of publishers inside a group is of no importance, and publishers are always shown in alphabetical order.

Publisher Queues

It is recommended that the Multi Group Publisher itself does not use the publisher queue and that the publishers in the groups do use the queue. This allows for efficient publishing, asynchronously after a certificate issuance or certificate status change.

The following displays how to configure the Publisher Queue settings for the Multi Group Publisher:

[Screenshot: Publisher Queue settings for the Multi Group Publisher]

The following displays how to configure the Publisher Queue settings for the publishers included in the groups, enabling asynchronous publishing as described above:

[Screenshot: Publisher Queue settings for the publishers in the groups]

Publishing of Revoked Certificates Only

In high-volume environments, it can be useful to publish only revoked certificates. This is configured for all the publishers included in each group, by enabling the Publish only revoked certificates setting. Note that either all or none of the publishers in a group should have the setting Publish only revoked certificates enabled, since EJBCA checks the publisher with the lowest ID in the group to determine the value.

If all of the groups have the setting Publish only revoked certificates enabled for their publishers, the Multi Group Publisher will ignore any non-revoked certificates.
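
As an added example (not part of EJBCA or its documentation), the following Python script lints a Publisher groups text before it is pasted into the field: it parses the one-name-per-line, blank-line-separated format described under Publisher groups, flags names that are not in the list of available publishers, and flags groups whose Publish only revoked certificates setting is mixed, reporting the value of the lowest-ID publisher. The publisher IDs, the flag values, the function names and the treatment of whitespace-only lines as blank are assumptions made for illustration.

```python
import random

# Constructed sample: name -> (hypothetical publisher ID, "Publish only revoked certificates")
PUBLISHERS = {
    "Aachen Publisher 1": (101, True), "Aachen Publisher 2": (102, True),
    "Aachen Publisher 3": (103, True), "San Mateo Publisher 1": (201, True),
    "San Mateo Publisher 2": (202, False), "Solna Publisher 1": (301, False),
    "Solna Publisher 2": (302, False), "Solna Publisher 3": (303, False),
}

# Constructed "Publisher groups" text; the last name is deliberately misspelled.
GROUPS_TEXT = """Aachen Publisher 1
Aachen Publisher 2
Aachen Publisher 3

San Mateo Publisher 1
San Mateo Publisher 2

Solna Publisher 1
Solna Publisher 2
Solna Pubisher 3
"""

def parse_groups(text):
    """One publisher name per line; blank lines separate groups."""
    groups, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" closes the last group
        name = line.strip()
        if name:
            current.append(name)
        elif current:
            groups.append(current)
            current = []
    return groups

def audit(groups, publishers):
    """Flag unknown names and groups whose revoked-only setting is mixed."""
    findings = []
    for idx, group in enumerate(groups, start=1):
        known = [n for n in group if n in publishers]
        findings += [f"group {idx}: unknown publisher {n!r}" for n in group if n not in publishers]
        if len({publishers[n][1] for n in known}) > 1:
            low = min(known, key=lambda n: publishers[n][0])  # lowest ID decides
            findings.append(f"group {idx}: mixed revoked-only; {low!r} decides: {publishers[low][1]}")
    return findings

def select_targets(groups, rng=random):
    """Every group is published to; one randomly selected publisher per group."""
    return [rng.choice(group) for group in groups]
```

Calling audit(parse_groups(GROUPS_TEXT), PUBLISHERS) on the constructed data returns two findings: the mixed setting in the second group and the misspelled name in the third.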