Hi Martin,

> so I hope my tests can help improving the software for the next release.

It already helps because we now start taking care of the redundancies in
the OpenSSL configuration.

> Currently it seems I have to modify the etc/servers/*.conf.template
> directly to modify settings like the location of the OpenSSL executable.
> This should be addressed by the xml configuration too, I suppose.

RC4 checks the environment. The next snapshot only uses token.xml.

> Currently my OpenCA::Token::nCipher is a quick hack, I simply removed
> all references to Passwords and claim that the module is always
> online. Access to the nCipher HSM is done via the wrapper.
> Later I will add code to detect if the module is logged in.

Usually every new module is a quick hack :)

> It fails when creating RSA keys for Admin certificates, though.
> I have not yet figured out what is wrong.

Usually HSMs don't like to create RSA keys and then publish them. The
solution is like always "simple".

1. You have to create a new token in token.xml.
2. Give the token a name "XYZ".
3. Set the default_token to this token name.
4. Configure this token like a normal token without using the HSM.

> Debugging is a bit painful because command line arguments to
> OpenSSL are not logged anywhere. I tried to add my own debugging
> code but there are lots of places where this code must be inserted.

OpenCA::OpenSSL supports debugging via the switch DEBUG. You can activate
it via the following methods (all should work):

1. $cryptoShell->{DEBUG} = 1;
2. Add a DEBUG option to the token in token.xml.

   <option>
       <name>DEBUG</name>
       <value>1</value>
   </option>

3. Go to the source code (OpenSSL.pm) and set $self->{DEBUG} = 1;

> BTW: Any ideas for adding decent debugging/logging? Actually I am thinking
> about removing all the HTML stuff from debugging output and directing it
> to STDERR. What do you think about it (at minimum for OpenSSL.pm)?

Many people asked for such a level-based debugging but we never defined
such levels. If you have some time then propose a first standard.
I add it to our tech docs and new debugging code has to follow these rules.
The variables should be DEBUG and DEBUG_LEVEL but I have no idea for a good
definition of DEBUG_LEVELs. Perhaps we should store the DEBUG_LEVEL in DEBUG
to support old software. Required are level- and module-based debugging.

> While you are at it please remember to remove the check for the
> mandatory opensslEngineArg in lib/functions/initServer.

I removed this yesterday too.

> I understand that the canonical place for engine definition is
> token.xml, then?

YES.

Thanks for the examples. Sometimes I remove some mails too fast.

Michael
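
Added example, not part of the original message and not OpenCA code: one way the level- and module-based debugging discussed above could look, writing plain text to STDERR and treating an old-style DEBUG value as the level. The package name Example::Debug, the level meanings and the MODULES filter are assumptions; because the thread asks for OpenSSL command lines to be logged, the sketch also masks the value after OpenSSL's password options before it is written.

```perl
use strict;
use warnings;

package Example::Debug;    # hypothetical name, not an OpenCA module

# Assumed levels for this sketch: 1 = errors, 2 = commands run, 3 = full trace.
sub new {
    my ($class, %arg) = @_;
    # Old software only sets DEBUG; use it as the level when DEBUG_LEVEL is absent.
    my $level = defined $arg{DEBUG_LEVEL} ? $arg{DEBUG_LEVEL} : ($arg{DEBUG} || 0);
    my %modules = map { $_ => 1 } @{ $arg{MODULES} || [] };
    return bless { LEVEL => $level, MODULES => \%modules }, $class;
}

# Mask the argument that follows an OpenSSL password option.
sub redact {
    my ($self, @argv) = @_;
    my @out;
    while (@argv) {
        my $opt = shift @argv;
        push @out, $opt;
        if ($opt =~ /^-(?:passin|passout|pass|password)$/ && @argv) {
            shift @argv;
            push @out, '***';
        }
    }
    return @out;
}

# Returns the line to log, or nothing when level or module filters it out.
sub format_line {
    my ($self, $module, $level, $msg) = @_;
    return if $level > $self->{LEVEL};
    return if %{ $self->{MODULES} } && !$self->{MODULES}{$module};
    $msg =~ s/<[^>]*>//g;    # no HTML in debugging output
    return sprintf "[%s] %s(%d): %s\n", scalar(localtime), $module, $level, $msg;
}

sub debug {
    my ($self, @rest) = @_;
    my $line = $self->format_line(@rest);
    print STDERR $line if defined $line;
    return defined $line ? 1 : 0;
}

package main;
my $old = Example::Debug->new(DEBUG => 1);    # legacy switch, level 1
my $new = Example::Debug->new(DEBUG_LEVEL => 2, MODULES => ['OpenCA::OpenSSL']);
my @cmd = qw(openssl genrsa -passout pass:constructed-secret -out key.pem 2048);
$new->debug('OpenCA::OpenSSL', 2, join ' ', $new->redact(@cmd));    # logged, masked
$new->debug('OpenCA::Token',   2, 'filtered by module');            # not logged
$old->debug('OpenCA::OpenSSL', 1, '<b>key generation failed</b>');  # logged as text
```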