Chris Covell wrote:
Guys,

I have finally got round to installing OpenCA 0.9.2 on my test machine. I shall be running a set of volume tests, but in the mean time I have a question...

0.9.2 uses a server process to manage connections, what defines that name of the server process that the scripts connect to ? What I am getting at here is "can I run more than one instance of OpenCA on a single machine". At the

yes you can - if you install them in different directories you can run more than one at the same time - no problem - every installation uses its own server processes and so on...

for all the others too - i use the following stuff:

i have several instances running on one system
they are organized something like:

/usr/pki/operating/001/pub  includes node, ra, pub, ldap and scep
/usr/pki/operating/001/ca   includes node, ca
/usr/pki/operating/001/modules includes perl stuff which is the same for
                               pub and ca

webaccess looks like:
http://pki.testing.tld/operating/004/pub and then /pub /ra /node for the
                                         interfaces
http://pki.testing.tld/operating/004/ca  for ca and ca-node


so i can 'simulate' the whole structure with as needed complexity and number of pkis and levels... all on one system and they behave like the ca and pub stuff were on separated machines and the other levels too

the data exchange is handled through an exchange directory like:
/usr/pki/operating/001/exchange

where for ca-ra one then has to set up the correct path in the
config.xml instead of the /dev/df0 for example:
/usr/pki/operating/001/exchange/data.001 or something

this has to be the same filename at ca and ra of course
and for pub and ca the right exchange schema has to be
activated in the config.xml file... that's all

and then i start in every installation
/usr/pki/operating/001/pub/OpenCA/etc/openca_ra start
/usr/pki/operating/001/ca/OpenCA/etc/openca_ra start

and so on for every installation 001 - 002 - 003 ...

before that you have (like always) to modify config.xml and run
configure_etc.sh for every pub and ca

all special tools like a separate openssl or an extra apache for the pki
are installed at /usr/pki/tools instead of /usr/bin or something for
systemwide stuff... so the pki testing environment is 'perfectly'
separated from the rest of the system

httpd conf looks like this, for a new pki you just have to include
an identical part with changed numbers - so 001 would be 002 for example
this can be automated with a script too, very simple i think... since only
one parameter changes

this is held in a separate file and included into the main apache config at
an appropriate place... so this include file can be used for http and https
configurations and you just have to modify at one place to keep things running

------- httpd include file -------

    #######################
    ## test pki 001

    #######################
    ## ca component
    ScriptAlias /operating/001/ca/cgi-bin/ "/usr/pki/operating/001/ca/apache/cgi-bin/"
    <Directory "/usr/pki/operating/001/ca/apache/cgi-bin/">
        AllowOverride None
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>

    Alias /operating/001/ca/ "/usr/pki/operating/001/ca/apache/htdocs/"
    <Directory "/usr/pki/operating/001/ca/apache/htdocs/">
        Options Indexes MultiViews FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>


    #######################
    ## pub components

    ScriptAlias /operating/001/pub/cgi-bin/ "/usr/pki/operating/001/pub/apache/cgi-bin/"
    <Directory "/usr/pki/operating/001/pub/apache/cgi-bin/">
        AllowOverride None
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>

    Alias /operating/001/pub/ "/usr/pki/operating/001/pub/apache/htdocs/"
    <Directory "/usr/pki/operating/001/pub/apache/htdocs/">
        Options Indexes MultiViews FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

-------------------------------

for installation i use those scripts:
you just call: ./make 001 for example and everything gets prepared
till the modification of config.xml and so on... quite simple and
some special setup and modifications of the formulars and so on...
which can be put into scripts too of course

these three 'scripts' are outside the cvs download dir of openca-source

-------- make ---------------
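#!/bin/bash
# usage: ./make <ident>   (for example ./make 001)
ident=$1
# stop without an ident, otherwise the prefix would be /usr/pki/operating//...
[ -n "$ident" ] || { echo "usage: $0 <ident>" >&2; exit 1; }
openca_user="pki"
openca_group="pki"
apache_user="apache"
apache_group="apache"

host="pki.fem.tu-ilmenau.de"
openssl="/usr/pki/tools"
modules="/usr/pki/operating/$ident/modules"

#pref=$9

# do not run make in the wrong directory if the source dir is missing
cd openca-0.9 || exit 1
# offline part (ca), the last argument is the prefix ($9 in make.offline)
make clean;
../make.offline "$ident" "$openca_user" "$openca_group" "$apache_user" "$apache_group" \
"$host" "$openssl" "$modules" ca; make; make install-offline;
# online part (pub), the last argument is the prefix ($9 in make.online)
make clean;
../make.online "$ident" "$openca_user" "$openca_group" "$apache_user" "$apache_group" \
"$host" "$openssl" "$modules" pub; make; make install-online;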
---------------------------------

-------- make.offline -----------
#!/bin/bash
#setup params
ident=$1
openca_user=$2
openca_group=$3
apache_user=$4
apache_group=$5

host=$6
openssl=$7
modules=$8

pref=$9

# offline (ca) build, scep disabled
./configure \
 --prefix="/usr/pki/operating/$ident/$pref" \
 --disable-scep \
 --with-openca-user="$openca_user" \
 --with-openca-group="$openca_group" \
 --with-web-host="$host" \
 --with-httpd-url-prefix="/operating/$ident/$pref" \
 --with-openssl-prefix="$openssl" \
 --with-httpd-user="$apache_user" \
 --with-httpd-group="$apache_group" \
 --with-module-prefix="$modules"
---------------------------------

-------- make.online ------------
#!/bin/bash
#setup params
ident=$1
openca_user=$2
openca_group=$3
apache_user=$4
apache_group=$5

host=$6
openssl=$7
modules=$8

pref=$9

# online (pub) build, scep enabled
./configure \
 --prefix="/usr/pki/operating/$ident/$pref" \
 --enable-scep \
 --with-openca-user="$openca_user" \
 --with-openca-group="$openca_group" \
 --with-web-host="$host" \
 --with-httpd-url-prefix="/operating/$ident/$pref" \
 --with-openssl-prefix="$openssl" \
 --with-httpd-user="$apache_user" \
 --with-httpd-group="$apache_group" \
 --with-module-prefix="$modules"
---------------------------------


greetings dalini



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
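
The post notes that the httpd include block can be generated by a script because only the pki number changes. The following is an added example, not code from the original post: the function names `gen_pki_include` and `emit_dir` are hypothetical, and the three-digit check is an assumption based on the 001 / 002 / 003 numbering used above. Because the number ends up in filesystem paths and URL prefixes, anything that is not exactly three digits is rejected before a line of config is written.

```sh
#!/bin/sh
# Added example (not from the original post): print the httpd include
# fragment for one test pki. Function names are hypothetical.

# Directory block as in the post: $1 = directory, $2 = Options value.
emit_dir() {
    printf '    <Directory "%s">\n' "$1"
    printf '        Options %s\n' "$2"
    printf '        AllowOverride None\n'
    printf '        Order allow,deny\n'
    printf '        Allow from all\n'
    printf '    </Directory>\n\n'
}

gen_pki_include() {
    ident=$1
    # Assumption: ids are exactly three digits (001, 002, ...). The id is
    # pasted into paths and URL prefixes, so values such as "../x" or an
    # empty string must never reach the generated config.
    case $ident in
        [0-9][0-9][0-9]) ;;
        *) echo "ident must be three digits, got '$ident'" >&2; return 1 ;;
    esac
    printf '    #######################\n    ## test pki %s\n\n' "$ident"
    for comp in ca pub; do
        base="/usr/pki/operating/$ident/$comp/apache"
        url="/operating/$ident/$comp"
        printf '    #######################\n    ## %s component\n' "$comp"
        printf '    ScriptAlias %s/cgi-bin/ "%s/cgi-bin/"\n' "$url" "$base"
        emit_dir "$base/cgi-bin/" "FollowSymLinks"
        printf '    Alias %s/ "%s/htdocs/"\n' "$url" "$base"
        emit_dir "$base/htdocs/" "Indexes MultiViews FollowSymlinks"
    done
}

# Run as a script: ./gen_include.sh 002 > pki-002.conf
[ "$#" -eq 0 ] || gen_pki_include "$1"
```

Checking the generated file with `apachectl configtest` before reloading catches a broken include early.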
