### EJBCA Installation Properties Source: https://docs.keyfactor.com/ejbca-software/latest/install-ejbca-as-a-ca-with-a-management-ca.md Configure the installation parameters by creating an install.properties file. This example shows default values for a new installation. ```properties #install.properties ca.name=ManagementCA ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE ca.tokentype=soft ca.tokenpassword=null ca.keytype=RSA ca.keyspec=2048 ca.signaturealgorithm=SHA256WithRSA ca.validity=3650 ca.policy=null httpsserver.hostname=localhost httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE httpsserver.password=serverpwd httpsserver.tokentype=P12 superadmin.cn=SuperAdmin superadmin.dn=CN=${superadmin.cn} superadmin.password=ejbca superadmin.batch=true java.trustpassword=changeit ``` -------------------------------- ### New Install Deployment File Example Source: https://docs.keyfactor.com/ejbca-cloud/latest/aws-creating-a-deployment-file-for-use-with-automa.md This JSON file configures a new EJBCA installation, including host details, database settings, and management CA information. Ensure all required fields are populated correctly for a successful deployment. ```json {"Host_Name":"ec2-54-173-179-211.compute-1.amazonaws.com","dbhostCheckbox":"on","database-type":"mariadb","DB_Host_Name":"alexgdbtest.c3t2klg5a2ws.us-east-1.rds.amazonaws.com","DB_Port":"3306","DB_User_Name":"admin","DB_Password":"password123!","DB_Password_Confirm":"password123!","DB_Name":"ejbca","managementcaradio":"createmca","Common_Name":"ManagementCA","ManagementCA_OU":"ec2-54-173-179-211.compute-1.amazonaws.com","ManagementCA_O":"ami-0c139d3264af000ac","mcakeyspec-input":"3072","SuperAdmin_Common_Name":"SuperAdmin","SuperAdmin_Password":"password123!","Confirm_SuperAdmin_Password":"password123!","Cert_Common_Name":""} ``` -------------------------------- ### Example Deployment Configuration JSON Source: https://docs.keyfactor.com/ejbca-cloud/latest/azure-creating-a-deployment-file-for-use-with-auto.md This is an example of a JSON configuration file that can be used to automate the deployment of EJBCA on Azure. Place this file in `/home//confwizard/params.json` for the installer to pick it up. ```json {"Host_Name":"node.hostname.com","managementcaradio":"createmca","Common_Name":"ManagementCA","ManagementCA_OU":"IT_DEPARTMENT","ManagementCA_O":"Example Company","mcakeyspec-input":"3072","SuperAdmin_Common_Name":"SuperAdmin","SuperAdmin_Password":"password123!","Confirm_SuperAdmin_Password":"password123!","Cert_Common_Name":"SuperAdmin"} ``` -------------------------------- ### Start p11-kit server and get token URL Source: https://docs.keyfactor.com/ejbca-software/latest/hardware-security-module-hsm-integration.md Lists available token URLs and starts the p11-kit server, making the local HSM accessible. The output provides the socket path for the server. ```bash # On Local (with the USB Token), get tokenURL and start p11-kit server p11tool --provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --list-token-urls (pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0101866;token=UserPIN%20%28SmartCard-HSM%29) p11-kit server --provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0101866;token=UserPIN%20%28SmartCard-HSM%29 (P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11-kit/pkcs11-389; export P11_KIT_SERVER_ADDRESS;P11_KIT_SERVER_PID=390; export P11_KIT_SERVER_PID;) ``` -------------------------------- ### Download Certificate Example Source: https://docs.keyfactor.com/ejbca/latest/ejbca-rest-interface.md Example of downloading a .pem certificate using a GET request. Note the wildcard Content-Type header. ```bash curl -X GET -i 'https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/CN%3DManagementCA%2CO%3DEJBCA%20Sample%2CC%3DSE/4b0b0ceb7a8e5f1f/revocationstatus' ``` -------------------------------- ### Start remaining nodes Source: https://docs.keyfactor.com/ejbca-cloud/latest/restarting-and-verifying-cluster.md After bootstrapping the first node, start the remaining nodes in the cluster using the standard service start command. ```bash [root@node2 mysql]# service mysql start [root@node3 mysql]# service mysql start ``` -------------------------------- ### Install EJBCA Source: https://docs.keyfactor.com/ejbca-software/latest/deployment-reference.md Performs the initial setup of EJBCA, including the creation of Certificate Authorities (CAs) and TLS keystores. This target also creates the SuperAdmin user and associated keystore. ```bash ant runinstall ``` -------------------------------- ### Start CloudHSM Client Source: https://docs.keyfactor.com/ejbca-cloud/latest/appendix-a-restoring-an-hsm-backup-to-a-new-instan.md Start the CloudHSM client service. Use either the 'start' command or the 'service' command depending on your system configuration. ```bash # sudo start cloudhsm-client ``` ```bash # sudo service cloudhsm-client start ``` -------------------------------- ### Start WildFly as a Service Source: https://docs.keyfactor.com/ejbca-software/latest/wildfly-39.md Starts the WildFly service using systemctl. ```bash systemctl start wildfly-standalone ``` -------------------------------- ### Install p11-kit and dependencies Source: https://docs.keyfactor.com/ejbca-software/latest/hardware-security-module-hsm-integration.md Installs necessary development tools and libraries for building p11-kit. This is a prerequisite for compiling and installing p11-kit from source. ```bash sudo apt install gcc make gtk-doc-tools help2man texinfo texlive-base libffi-dev libtasn1-dev gnutls-bin wget https://github.com/p11-glue/p11-kit/releases/download/0.23.15/p11-kit-0.23.15.tar.gz tar zxvf p11-kit-0.23.15.tar.gz cd p11-kit-0.23.15/ ./configure make make check sudo make install ``` -------------------------------- ### Setup libest Environment Source: https://docs.keyfactor.com/ejbca/latest/est-ra-mode-configuration.md Before running client commands, set up the environment by copying the server certificate and specifying the CA certificate to use for TLS verification. ```bash cd examples/client cp server.pem export EST_OPENSSL_CACERT=server.pem mkdir certs ``` -------------------------------- ### EJBCA REST API - Get CA Status Example Source: https://docs.keyfactor.com/ejbca/latest/ejbca-rest-interface.md An example of a GET request to retrieve the status of a Certificate Authority (CA). This endpoint does not require an identifier or query parameters. ```text GET https://localhost:8443/ejbca/ejbca-rest-api/v1/ca/status ``` -------------------------------- ### Pest Client: Initial Setup for Enrollment Source: https://docs.keyfactor.com/ejbca/latest/est-ra-mode-configuration.md Initial setup command for the pest client, fetching CA certificates for enrollment. ```bash ./pest --url https://localhost:8442/.well-known/est/estnew -C ~/tmp/ManagementCA.cacert.pem -O -o output cacerts ``` -------------------------------- ### Log4jDevice Audit Event Example Source: https://docs.keyfactor.com/ejbca/latest/audit-log-overview.md Shows an example of an audit event logged by the Log4jDevice, indicating the application is starting. ```log ... INFO [Log4jDevice] 2015-03-20 12:47:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;hostname;;msg=Init, EJBCA 6.3.1Alpha (working copy) startup. ``` -------------------------------- ### PKCS #11 Token Initialization Output Example Source: https://docs.keyfactor.com/ejbca-software/latest/ibm-hpcs.md This is an example of the expected output when initializing and testing a PKCS#11 token, showing successful login and key pair generation. ```text Using slot 0 with a present token (0x0) Logging in to "GREP11 Token". Please enter User PIN: Key pair generated: Private Key Object; RSA label: ID: 01 Usage: decrypt, sign, unwrap warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12) Access: sensitive, always sensitive, never extractable, local Public Key Object; RSA 2048 bits label: ID: 01 Usage: encrypt, verify, wrap Access: none ``` -------------------------------- ### Remove ExampleDS Datasource Source: https://docs.keyfactor.com/ejbca-software/latest/jboss-eap-8-0.md Remove the unused ExampleDS datasource. This is a cleanup step and may not be necessary if Galleon was used for installation. ```bash /opt/jboss/bin/jboss-cli.sh --connect '/subsystem=ee/service=default-bindings:remove()' /opt/jboss/bin/jboss-cli.sh --connect 'data-source remove --name=ExampleDS' /opt/jboss/bin/jboss-cli.sh --connect ':reload' ``` -------------------------------- ### Run EJBCA Installation Command Source: https://docs.keyfactor.com/ejbca-software/latest/install-ejbca-as-a-ca-with-a-management-ca.md Execute the Gradle wrapper to initialize the EJBCA environment and perform the initial installation steps. ```bash $ ./gradlew runinstall ``` -------------------------------- ### Example Kerberos Configuration (krb5.conf) Source: https://docs.keyfactor.com/ejbca/latest/part-3b-ejbca-policy-server-configuration.md This is an example krb5.conf file that can be tailored to match your domain configuration. Ensure the 'enctypes' parameters align with your Key Tab file's supported ciphers. ```ini [libdefaults] default_realm = YOURCOMPANY.COM default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc permitted_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc [realms] YOURCOMPANY.COM = { kdc = yourcompany.com default_domain = yourcompany.com } [domain_realm] .yourcompany.com = YOURCOMPANY.COM ``` -------------------------------- ### Certificate Revocation Status Example Source: https://docs.keyfactor.com/ejbca/latest/ejbca-rest-interface.md Example of a successful GET request to retrieve the revocation status of a certificate, including the JSON response body. ```APIDOC ## GET /ca/{issuer_dn}/certificate/{serial_number}/revocationstatus ### Description Retrieves the revocation status of a specific certificate. ### Method GET ### Endpoint `/ca/{issuer_dn}/certificate/{serial_number}/revocationstatus` ### Parameters #### Path Parameters - **issuer_dn** (string) - Required - The distinguished name of the issuer CA. - **serial_number** (string) - Required - The serial number of the certificate. ### Request Example ```bash curl -X GET -i 'https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/CN%3DManagementCA%2CO%3DEJBCA%20Sample%2CC%3DSE/4b0b0ceb7a8e5f1f/revocationstatus' ``` ### Response #### Success Response (200) - **issuer_dn** (string) - The distinguished name of the issuer CA. - **serial_number** (string) - The serial number of the certificate. - **revocation_reason** (string) - The reason for revocation (e.g., KEY_COMPROMISE). - **revocation_date** (string) - The date and time of revocation in ISO 8601 format. - **revoked** (boolean) - Indicates if the certificate is revoked. #### Response Example ```json { "issuer_dn": "CN=ManagementCA,O=EJBCA Sample,C=SE", "serial_number": "4b0b0ceb7a8e5f1f", "revocation_reason": "KEY_COMPROMISE", "revocation_date": "2018-06-27T08:07:52Z", "revoked": true } ``` ``` -------------------------------- ### Remove ExampleDS Datasource in WildFly Source: https://docs.keyfactor.com/ejbca-software/latest/wildfly-32.md Use this command to remove the ExampleDS datasource if it's not in use. This step is unnecessary if Galleon was used for setup. ```bash /opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=ee/service=default-bindings:remove()' /opt/wildfly/bin/jboss-cli.sh --connect 'data-source remove --name=ExampleDS' /opt/wildfly/bin/jboss-cli.sh --connect ':reload' ``` -------------------------------- ### Example External Scripts Allow List Source: https://docs.keyfactor.com/ejbca/latest/external-command-certificate-validator.md This is an example of a syntactically valid allow list for external scripts. Lines starting with '#' are comments. An empty list blocks all scripts. ```plaintext # ----------------------------------------------------------------------- # This is an example, this configuration does not necessarily make sense # ----------------------------------------------------------------------- /bin/echo # X.509 Certificate Linter by Amazon # https://github.com/awslabs/certlint /opt/certlint/certlint /opt/certlint/cablint # X.509 Certificate Linter based on CA/B Forum Baseline Requirements and RFC 5280 # https://github.com/zmap/zlint /opt/scripts/zlint.sh #/opt/scripts/IAmDisabled.sh ``` -------------------------------- ### Register Server and Add Client Certificates Source: https://docs.keyfactor.com/ejbca-software/latest/thales-luna-hsm Examples of using sudo to register the server and add client certificates, as these operations involve updating root-owned files and directories. ```bash $ sudo /usr/lunasa/bin/vtl addServer -n lunasa.int.primekey.com -c server.pem $ sudo /usr/lunasa/bin/vtl createCert -n milton ``` -------------------------------- ### Basic GET Request to EJBCA REST API Source: https://docs.keyfactor.com/ejbca/latest/ejbca-rest-interface.md This is an example of a basic GET request to check the status of a certificate. The REST API requires client certificate authentication. ```http GET https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/status ``` -------------------------------- ### Build and Deploy Sample Plugin Source: https://docs.keyfactor.com/ejbca/latest/creating-plugins.md Commands to build and deploy a sample plugin from the EJBCA source directory. This involves specifying the plugin configuration path. ```bash ant build -Dejbca.plugin.conf.path=/home/user/Dev/workspace/ejbca-trunk/src/samples/plugins ant deployear ``` -------------------------------- ### Get Certificate Status Source: https://docs.keyfactor.com/ejbca/latest/ejbca-rest-interface.md Retrieves the status of the EJBCA certificate management service. This is a basic GET request example that can be invoked using tools like cURL or a web browser. ```APIDOC ## GET /certificate/status ### Description Retrieves the status of the EJBCA certificate management service. ### Method GET ### Endpoint https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/status ### Request Example (No request body for GET request) ### Response #### Success Response (200) - **status** (string) - The status of the service (e.g., "OK"). - **version** (string) - The version of the service. - **revision** (string) - The revision of the service. #### Response Example { "status": "OK", "version": "1.0", "revision": "ALPHA" } ``` -------------------------------- ### Example: Importing a Single Certificate Source: https://docs.keyfactor.com/ejbca/latest/importing-certificates.md This example demonstrates importing a certificate for a user named 'myuser' with specific profiles and email. The end entity and certificate will be created or updated based on the provided details. ```bash bin/ejbca.sh ca importcert myuser mypassword SomeCAName ACTIVE --email mymail@example.com mycertificate.pem --eeprofile EMPTY --certprofile ENDUSER ``` -------------------------------- ### Start JBoss/WildFly with nShield HSM Source: https://docs.keyfactor.com/ejbca/latest/ncipher-nshield-nethsm Starts JBoss/WildFly using the `preload` command to ensure the required key stores are loaded from the nShield HSM. This command assumes EJBCA and nShield are installed in their default locations. ```bash $ ~nfast/bin/preload -c ejbca $APPSRV_HOME/bin/standalone.sh ``` -------------------------------- ### EJBCA Starting Event Log (Log4jDevice) Source: https://docs.keyfactor.com/ejbca/latest/security-audit-events.md Example of an EJBCA startup event as logged by Log4jDevice in the server log. ```log ... INFO [Log4jDevice] 2015-03-20 12:47:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup. ``` -------------------------------- ### META-INF/services File Example Source: https://docs.keyfactor.com/ejbca/latest/services.md This file lists the implementing classes for a given interface. It should be named META-INF/services/ followed by the fully qualified interface name. ```text # Example file. Should be named META-INF/services/org.ejbca.core.model.services.IWorker com.example.ejbca.MyWorker com.example.ejbca.MyOtherWorker ``` -------------------------------- ### Enroll Keystore Request Example Source: https://docs.keyfactor.com/ejbca/latest/ejbca-rest-interface.md Provides an example of a POST request to enroll a keystore, including the required headers, endpoint, and JSON request body with snake_case field names. ```APIDOC ## POST /certificate/enrollkeystore ### Description Enrolls a keystore with the EJBCA instance. ### Method POST ### Endpoint https://[DOMAIN_NAME]:[PORT]/ejbca/ejbca-rest-api/v1/certificate/enrollkeystore ### Request Body - **username** (string) - Required - The username for enrollment. - **password** (string) - Required - The password for enrollment. - **key_alg** (string) - Required - The key algorithm (e.g., RSA). - **key_spec** (string) - Required - The key specification (e.g., 2048). ### Request Example ```bash curl -X POST -H 'Content-Type: application/json' -i 'https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/enrollkeystore' --data '{ "username":"testUser", "password":"foo123", "key_alg":"RSA", "key_spec":"2048" }' ``` ``` -------------------------------- ### EJBCA Starting Event Data (IntegrityProtectedDevice) Source: https://docs.keyfactor.com/ejbca/latest/security-audit-events.md Example of an EJBCA startup event stored in the database using IntegrityProtectedDevice, showing the structure of the AuditRecordData table. ```sql mysql> select * from AuditRecordData where eventType='EJBCA_STARTING' ... \G pk: 24861ebf7f00010106e5a024d82c694d additionalDetails: ... Init, EJBCA 6.7.0 Enterprise (r25420) startup. ... authToken: StartServicesServlet.init customId: NULL eventStatus: SUCCESS eventType: EJBCA_STARTING module: SERVICE nodeId: hostname rowProtection: 1:2:123:4d2f6... rowVersion: 0 searchDetail1: hostname searchDetail2: NULL sequenceNumber: 17640195 service: EJBCA timeStamp: 1426205614754 ``` -------------------------------- ### Start CloudHSM Client Source: https://docs.keyfactor.com/ejbca-cloud/latest/5-configure-the-cloudhsm-client.md Use this command to start the cloudhsm-client service. Ensure you have root permissions. ```bash # sudo start cloudhsm-client or # sudo service cloudhsm-client start ``` -------------------------------- ### Example output of system_restore.sh Source: https://docs.keyfactor.com/ejbca-cloud/latest/restoring-with-the-restore-script-in-azure.md This is an example of the output you can expect when running the system_restore.sh script. It shows the progress of the restore process, including database operations, decryption, and service restarts. ```bash [root@localhost azure-user]# /opt/PrimeKey/support/system_restore.sh -b ejbca_db-localhost.localdomain-1765903077.tar.gz Current working directory: /home/azure-user 2025-12-16 16:42:19,301 INFO: Making sure MySQL Galera is running with default password... 2025-12-16 16:42:19,309 INFO: Database is available...Restoring system. 2025-12-16 16:42:19,310 INFO: Checking for Galera cluster... 2025-12-16 16:42:19,318 INFO: Not a clustered node. Continuing... 2025-12-16 16:42:19,319 INFO: Backing up and dropping old database... 2025-12-16 16:42:19,321 INFO: Old database file will be located at: 2025-12-16 16:42:19,322 INFO: /opt/PrimeKey/support/backup_files/ejbca_backup_before_restore-localhost.localdomain-1765903339.sql 2025-12-16 16:42:19,473 INFO: Encrypting backup with OpenSSL... 2025-12-16 16:42:19,537 INFO: Attempting to decrypt backup file... 2025-12-16 16:42:19,538 INFO: This will try multiple decryption methods automatically... 2025-12-16 16:42:19,540 INFO: No method file found or unknown method. Trying all decryption methods... 2025-12-16 16:42:19,541 INFO: Trying age decryption... 2025-12-16 16:42:19,641 INFO: Age decryption failed, trying OpenSSL methods... 2025-12-16 16:42:19,643 INFO: Trying modern OpenSSL AES-256-CBC decryption... enter AES-256-CBC decryption password: 2025-12-16 16:42:35,388 INFO: Successfully decrypted with modern OpenSSL method! 2025-12-16 16:42:35,389 INFO: Successfully decrypted backup file. 2025-12-16 16:42:35,391 INFO: Extracting backup archive... 2025-12-16 16:42:35,457 INFO: Successfully extracted backup archive. 2025-12-16 16:42:35,468 INFO: Stopping WildFly and Apache 2025-12-16 16:42:38,619 INFO: This does not appear to be a backup of external database data, restoring local data. 2025-12-16 16:42:42,444 INFO: Restoring database from backup. 2025-12-16 16:42:45,705 INFO: Creating backups of TLS/SSL files and moving new files into place. 2025-12-16 16:42:45,706 INFO: Existing TLS/SSL files will be backed up to /etc/httpd/ssl_backup_1765903339. 2025-12-16 16:42:45,711 INFO: Backing up existing wizard configuration and restoring config file from backup... 2025-12-16 16:42:45,715 INFO: Restoring start.sh file from backup. NOT rotating into place since it contains an old database password. 2025-12-16 16:42:45,716 INFO: It will be restored to /opt/wildfly/bin/start_DATE.sh. 2025-12-16 16:42:45,758 INFO: Creating WildFly credential store... 2025-12-16 16:42:45,761 INFO: Backup created: /opt/PrimeKey/wildfly_config/ejbca-credstore.cs.bak-1765903339 2025-12-16 16:42:45,763 INFO: Creating new credential store Credential Store has been successfully created 2025-12-16 16:42:46,673 INFO: Updating wildfly credential store password in WildFly configuration. 2025-12-16 16:42:46,676 INFO: Adding alias to credential store... Alias "wildfly" has been successfully stored 2025-12-16 16:42:47,872 INFO: Starting WildFly... 2025-12-16 16:42:48,889 INFO: Starting Apache... 2025-12-16 16:42:50,053 INFO: Done. ``` -------------------------------- ### Sample server.cnf Configuration Source: https://docs.keyfactor.com/ejbca-cloud/latest/example-configuration.md This is a comprehensive example of a server.cnf configuration file used for MariaDB and Galera Cluster setups. It covers basic settings, Galera Cluster specifics, synchronization, and performance tuning parameters. ```ini # # These groups are read by MariaDB server. # Use it for options that only the server (but not clients) should see # # See the examples of server my.cnf files in /usr/share/mysql/ # # this is read by the standalone daemon and embedded servers # # For explanations see # http://dev.mysql.com/doc/mysql/en/server-system-variables.html # This will be passed to all mysql clients # It has been reported that passwords should be enclosed with ticks/quotes # escpecially if they contain "#" chars... # Remember to edit /etc/mysql/debian.cnf when changing the socket location. [client] port = 3306 socket = /var/run/mysqld/mysqld.sock # Here is entries for some specific programs # The following values assume you have at least 32M ram # This was formally known as [safe_mysqld]. Both versions are currently parsed. [mysqld_safe] socket = /var/run/mysqld/mysqld.sock nice = 0 syslog [mysqld] # # * Basic Settings # user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql # Configure the tmp directory to reside on the data partion where we have enough space for SSTs. # (Xtrabackup will use this variable.) tmpdir = /var/lib/mysql/tmp character_set_server=utf8 collation_server=utf8_unicode_ci lc_messages_dir = /usr/share/mysql lc_messages = en_US skip-external-locking wsrep_on=ON # gcache.size is how much data we will cache and use for IST. # If more data has been produced since the node was disconnected an SST will be triggered. # By setting it to 16G a customer can issue about 0.5M certs before connecting a second node without SST. # (Nothing wrong with SSTs, but during IST it easer to follow the sync progress and it looks more user friendly.) # pc.npvo=true: Recent primary component overrides older ones in case of conflicting prims. # ## Can only be set in URL due to a bug: pc.wait_prim=false: The node waits for primary component forever # pc.weight=2: Default weight for the node that can be overridden by parameters in the gcomm URL #Uncomment this and you are setting up Galera recommendations with the default paths in the EJBCA Cloud Galera Clustering Guide otherwise add your own #wsrep_provider_options="socket.ssl_key=/etc/mysql/localhost-Key.pem;socket.ssl_cert=/etc/mysql/localhost.pem;socket.ssl_ca=/etc/mysql/localhost-CA.pem;gcache.size=6G;gcache.page_size=512M; pc.npvo=true;" # Galera Cluster Configuration wsrep_cluster_name=ejbca_cluster #wsrep_cluster_address="gcomm://" wsrep_cluster_address="gcomm://172.16.0.103" wsrep_node_name=EJBCANode1 wsrep_node_address="172.16.0.36" # Galera Synchronization Configuration wsrep_sst_auth=repl_user:i-04811bfcfa454383e wsrep_sst_method=mariabackup # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 bind-address = 0.0.0.0 # # * Fine Tuning # max_connections = 200 connect_timeout = 5 # The number of seconds the server waits for activity on a noninteractive connection before closing it. (Default 28800s) wait_timeout = 3600 max_allowed_packet = 256M thread_cache_size = 128 sort_buffer_size = 4M bulk_insert_buffer_size = 16M tmp_table_size = 32M max_heap_table_size = 32M # Turn off reverse DNS lookup of clients skip-name-resolve # # * MyISAM # # This replaces the startup script and checks MyISAM tables if needed # the first time they are touched. On error, make copy and try a repair. myisam_recover = BACKUP key_buffer_size = 32M #open-files-limit = 2000 table_open_cache = 400 myisam_sort_buffer_size = 128M concurrent_insert = 2 read_buffer_size = 2M read_rnd_buffer_size = 1M # # * Query Cache Configuration # # Disable to query cache to avoid locking query_cache_limit=0 query_cache_type=0 query_cache_size=0 ```