CALinux wrote:

> thank you for the new release, now make is right, but there is an error on
> the hierarchy level:
Ok, let's take a look at it.

> make[10]: Entering directory
> `/usr/local/src/openca-0.9.1/src/web-interfaces/node/i18n/C'
> + /usr/bin/install -c -c -o apache -g apache -m 644 node.conf
> /usr/local/CA/OpenCA/etc/servers//usr/local/CA/hierarchy_node.conf
> /usr/bin/install: cannot create regular file
> `/usr/local/CA/OpenCA/etc/servers//usr/local/CA/hierarchy_node.conf': No
> such file or directory
> make[10]: *** [node.conf] Error 1
> make[10]: Leaving directory
> `/usr/local/src/openca-0.9.1/src/web-interfaces/node/i18n/C'
It looks like a mistake during the configuration of the code. I think you entered the wrong value for --with-hierarchy-level. The hierarchy level describes the level of the export/import. I know that it is not really intuitive, but it's necessary.

Examples: <--> is the roadrunner with the floppy or disc :)

CA <--> RA/pub
configure CA: --with-hierarchy-level=ca
configure RA/pub: --with-hierarchy-level=ra

CA/RA <--> pub
configure CA/RA: --with-hierarchy-level=ra
configure pub: --with-hierarchy-level=pub

You can set up three databases too if you expect denial of service attacks against the public interface. In this case you would set up the following:

CA <--> RA <--> pub
CA (offline perhaps with a HSM): --with-hierarchy-level=ca
RA (behind a firewall): --with-hierarchy-level=ra
pub (in the internet): --with-hierarchy-level=pub

If pub crashes because of a denial of service attack or any other attack, your RA and CA databases are not affected. It is also not possible to inject an APPROVED_REQUEST from the pub database into the RA database, because the export/import system will only import PENDING_REQUESTs from the pub database.

The option --with-hierarchy-level describes the interface of the data exchange. If you look into the *node.conf, then you will find some options like DOWNLOAD_CRR_STATES. These states define which states will be exchanged.

DOWNLOAD - import data from a higher level
ENROLL - export data to lower level
UPLOAD - export data to a higher level
RECEIVE - import data from a lower level

--with-hierarchy-level only performs an initial preconfiguration, but after that it is possible to build a very finely tuned hierarchy.

> P.S. During the make install-ca there was another error on the file
> verify.c in the path /usr/local/src/openca-0.9.1/src/openca-sv/src/ at
> line 322, where X509_STORE_set_flags(cert_store, vflags); isn't recognized.
This normally happens if you don't set the correct path to OpenSSL 0.9.7. This is usually --with-openssl-prefix=/usr/local/ssl if you use a default installation of OpenSSL.

Best regards

Michael
--
-------------------------------------------------------------------
Michael Bell
Rechenzentrum - Datacenter
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email (private): [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2959
http://www.openca.org
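The reply above makes two points that are easier to see in code: the configure error comes from passing a path instead of a level name, and the three-tier layout is safe against a compromised public node only because the RA's import filter is keyed on state. The following is an added illustration written for this page, not OpenCA's own code. The level names ca/ra/pub, the four direction names, the states PENDING_REQUEST and APPROVED_REQUEST and the install path layout are taken from the thread; the policy table, the CERT object type, the VALID_CERT state and the record layout are constructed assumptions.

```python
"""Toy model of the hierarchy-level export/import filtering described in the reply.

Added example, not OpenCA code. Level names, direction names, the two request
states and the install path layout come from the thread; the policy table, the
CERT/VALID_CERT names and the record tuple layout are constructed here.
"""
from typing import Dict, FrozenSet, List, Tuple

# Smaller number = higher in the hierarchy (the offline CA sits on top).
LEVELS: Dict[str, int] = {"ca": 0, "ra": 1, "pub": 2}


def hierarchy_level_valid(value: str) -> bool:
    """--with-hierarchy-level takes a level name (ca/ra/pub), not a filesystem path."""
    return value in LEVELS


def node_conf_path(prefix: str, level: str) -> str:
    """Install location of a level's node.conf (layout taken from the install
    line in the quoted log). Passing a path as the level reproduces the
    double-slash target that made `make` fail."""
    return f"{prefix}/etc/servers/{level}_node.conf"


def direction(local: str, remote: str, importing: bool) -> str:
    """Map an exchange between two levels onto the reply's four direction names."""
    if LEVELS[remote] < LEVELS[local]:      # remote is the higher level
        return "DOWNLOAD" if importing else "UPLOAD"
    if LEVELS[remote] > LEVELS[local]:      # remote is the lower level
        return "RECEIVE" if importing else "ENROLL"
    raise ValueError("no exchange between nodes of the same level")


# (level, direction, object type) -> states allowed to cross that boundary.
# Constructed policy in the spirit of the *_STATES options in node.conf; the
# RA RECEIVE entry encodes the reply's point that only PENDING_REQUESTs are
# taken from the public interface.
Policy = Dict[Tuple[str, str, str], FrozenSet[str]]
DEFAULT_POLICY: Policy = {
    ("pub", "UPLOAD", "REQUEST"): frozenset({"PENDING_REQUEST"}),
    ("ra", "RECEIVE", "REQUEST"): frozenset({"PENDING_REQUEST"}),
    ("ra", "UPLOAD", "REQUEST"): frozenset({"APPROVED_REQUEST"}),
    ("ca", "RECEIVE", "REQUEST"): frozenset({"APPROVED_REQUEST"}),
    ("ca", "ENROLL", "CERT"): frozenset({"VALID_CERT"}),      # constructed state name
    ("ra", "DOWNLOAD", "CERT"): frozenset({"VALID_CERT"}),
    ("ra", "ENROLL", "CERT"): frozenset({"VALID_CERT"}),
    ("pub", "DOWNLOAD", "CERT"): frozenset({"VALID_CERT"}),
}

Record = Tuple[str, str, str]   # (object type, state, identifier)


def filter_records(local: str, remote: str, records: List[Record],
                   importing: bool, policy: Policy = DEFAULT_POLICY):
    """Apply the local node's filter to a batch exchanged with `remote`.
    Returns (passed, dropped). The decision is made on the local side and
    keyed on state, so a record that merely claims a privileged state is
    dropped regardless of what the remote node did."""
    dirn = direction(local, remote, importing)
    passed: List[Record] = []
    dropped: List[Record] = []
    for rec in records:
        obj, state, _ident = rec
        allowed = policy.get((local, dirn, obj), frozenset())
        (passed if state in allowed else dropped).append(rec)
    return passed, dropped


def import_records(local: str, remote: str, records: List[Record],
                   policy: Policy = DEFAULT_POLICY):
    return filter_records(local, remote, records, True, policy)


if __name__ == "__main__":
    # Constructed batch from a compromised pub node: one genuine pending
    # request and one the attacker has already marked approved.
    batch = [("REQUEST", "PENDING_REQUEST", "req-1"),
             ("REQUEST", "APPROVED_REQUEST", "req-2")]
    ok, bad = import_records("ra", "pub", batch)
    print("RA accepted:", ok)
    print("RA dropped :", bad)
    print(node_conf_path("/usr/local/CA/OpenCA", "/usr/local/CA/hierarchy"))
```

The pub node's own UPLOAD filter would also drop the APPROVED_REQUEST, but an attacker who owns pub controls that side; the property the reply relies on is that the RA evaluates its RECEIVE filter locally and trusts nothing about the state the lower node asserts.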



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users