<See below for the components in an Active-Active architecture for disaster recovery.
Load balancer
Distributes OCSP requests across all active data centers. The client-facing hostname or IP address must match the OCSP responder URL in the AIA (Authority Information Access) field of the certificates issued by the issuing Certificate Authority. The customer must provide and configure this load balancer following the vendor's instructions
CSP PKI Hub clusters
Each data center must host a dedicated Cryptographic Security Platform PKI Hub cluster.
Certificate status information source
The source of certificate status information is the same for all data centers. This source is either
- A CRL server hosting a CRL published by a third-party CA.
- An Entrust Certificate Authority instance accessed from CA Gateway.
CSP PKI Hub solutions
Each CSP PKI Hub cluster must have the following solutions deployed.
- Validation Authority
- CA Gateway, if the certificate status is provided by Entrust Certificate Authority
The OCSP service in an Active-Active architecture does not support the deployment of other solutions.
Database cluster
Each data center must have a dedicated database.
Hardware Security Module cluster
The following Hardware Security Module (HSM) cluster deployments are supported.
- A dedicated cluster per data center.
- A single cluster across all data centers, if the latency between data centers is low.