Hello, all, and thanks again for all your work on OpenCA. We are becoming increasingly adventurous as we prepare to release 1.0.2 into production. Our final environment should host multiple client PKIs using separate instances of OpenCA in combined CA/RA mode on the same virtual guest in KVM and several separate instances of OpenCA as the public node on the same virtual guest in VServer. They use a shared database on a separate, dedicated database server (PostgreSQL). All is working very nicely including the scripts we wrote to synchronize the file systems even in a multi-PKI environment.
We've hit what we hope is our final issue in creating this environment. Since the public node is very light duty (no RA, no dataexchange, no database), it is sitting on the shared internal web server along with other light duty web sites. As an https server, it has its own dedicated IP address among many on the web server.

The PostgreSQL database server is set to be highly restrictive. Each OpenCA instance is restricted to its own database based upon IP address. Let's illustrate by saying client1 is on 10.1.1.11 and client2 is on 10.1.1.12. Both of these live on the same web server with a base address of 10.1.1.10. Our pg_hba would look something like this (trying to recall the syntax from memory):

    host client1db client1user 10.1.1.11/32 md5
    host client2db client2user 10.1.1.12/32 md5

The problem is the web server uses the base address (in this illustration 10.1.1.10) when communicating with the database no matter which OpenCA instance is being used. Hence, the PostgreSQL authentication fails. I did not see a way in either DBI.conf or config.xml to specify a source IP address for an OpenCA instance. Is there a way to tell OpenCA which address to use when communicating with the database (or communicating in general)? If not, may we submit this as a feature request for multi-client environments like ours?

Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
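The rule matching described in the message above, as an added example that is not part of the original post or of OpenCA: a simplified first-match evaluator for pg_hba.conf "host" records, run against a constructed fragment using the post's illustrative addresses. The function names are hypothetical, and only "host" records with CIDR addresses are modelled.

```python
import ipaddress

# Constructed pg_hba.conf fragment: one rule per client instance, as in the post.
# Columns: TYPE  DATABASE  USER  ADDRESS  METHOD
PG_HBA = """
host  client1db  client1user  10.1.1.11/32  md5
host  client2db  client2user  10.1.1.12/32  md5
"""

def parse_hba(text):
    """Parse 'host' records into (databases, users, network, method) tuples."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue  # simplification: local/hostssl/hostnossl records are ignored
        _, dbs, users, addr, method = fields[:5]
        rules.append((dbs.split(","), users.split(","),
                      ipaddress.ip_network(addr), method))
    return rules

def first_match(rules, database, user, source_ip):
    """Return the method of the first record matching the connection, else None.

    None corresponds to PostgreSQL refusing the connection because no
    pg_hba.conf record matches; the password is never checked in that case.
    """
    src = ipaddress.ip_address(source_ip)
    for dbs, users, net, method in rules:
        if (database in dbs or "all" in dbs) and \
           (user in users or "all" in users) and src in net:
            return method
    return None

def reachable(rules, source_ip, pairs):
    """List the (database, user) pairs that a given source address may attempt."""
    return [p for p in pairs if first_match(rules, p[0], p[1], source_ip)]

RULES = parse_hba(PG_HBA)
PAIRS = [("client1db", "client1user"), ("client2db", "client2user")]

if __name__ == "__main__":
    # 10.1.1.10 is the web server's base address from the post's illustration.
    for ip in ("10.1.1.11", "10.1.1.12", "10.1.1.10"):
        print(ip, "->", reachable(RULES, ip, PAIRS))
```

Connections sourced from the base address match no record, which is the failure the message reports, while each per-instance address reaches only its own database.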