On Mon, 2004-09-20 at 00:32, Til Obes wrote:
> > I suppose that some of the initialization steps may have depended upon
> > those values being set correctly. What are the implications if they
> > were not set correctly during those first init steps? Must I redo
> > everything?
> >
> > It looks from the error message in the browser that there should
> > already be a /usr/local/openra/OpenCA/var/tmp/ca-down file (or perhaps
> > one in /usr/local/openca/OpenCA/var/tmp), but I find no ca-* or ra-*
> > files in either /usr/local/open[rc]a/OpenCA/var/tmp. At what step is
> > this archive created during the initialization?
> >
> > The OpenCA guide doesn't go into very much detail on these issues.
> >
> > Can anyone offer a bit of configuration help?
>
> Normally the backup device is a floppy disc or zip disc.
Thanks for your reply, Til, but I'm not sure that I understand. Please pardon my
questions (they are probably dumb questions due to my lack of experience with
OpenCA):

What do you mean by "backup device"? I was talking about these devices:

    <name>dataexchange_device_up</name>
    <name>dataexchange_device_down</name>
    <name>dataexchange_device_local</name>

Is one of these the "backup device"?

For a two-interface setup, Kevin Mitcham writes to change the default settings
as follows (in http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html):

=========================
modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.

for the CA:    <==== he's apparently writing about changes to the
                     /usr/local/openca/openca/etc/config.xml file as opposed
                     to openra/openca/etc/config.xml.
...
<!-- these are the devices for the default dataexchange -->
(these might not be in config.xml; if not, see below)

    <name>dataexchange_device_up</name>
    <value>/usr/local/openca/openca/var/tmp/ca-up</value>
  </option>
  <option>
    <name>dataexchange_device_down</name>
    <value>/usr/local/openca/openca/var/tmp/ca-down</value>
  </option>
  <option>
    <name>dataexchange_device_local</name>
    <value>/usr/local/openra/openca/var/tmp/ra-local</value>

if the dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers and look at ca-node.conf.template and
ca.conf.template (/usr/local/openca/openca/etc/servers/ca.conf.template)

line  EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to    EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"

line  EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to    EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
...
=========================

Is that incorrect?

> So the entry looks like /floppy or /dev/hda4/openca/export

Again, not sure I follow.
Should it be /dev/fd0? Or the mount point for /dev/fd0? Or the mount point of
some HDD partition (say, /mnt/testing mounted at /dev/hda4 in Linux) followed by
a path on that partition?

Should the entries be identical for the config.xml files in both
/usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc? Or should they be
different? Kevin seems to be writing about changing

    /usr/local/openca/OpenCA/etc/config.xml
               ^^^^*^

when he says to change the dataexchange_device_local to
/usr/local/openra/openca/var/tmp/ra-local, so I figured that this device should
be set identically in both openca and openra config.xml files. Is that
incorrect?

> For testing you should enter at all entries at your side

I'm sorry. Again, I'm not sure which entries you're referring to here. The three
devices above? Or what you mean by "at your side"?

> /tmp/openca/export (must be writeable by web server)

So, for both config.xml files, set all three (total of 6 devices: 2 files each
with three devices?) to the same file (in, say, the /tmp directory---or wherever
the web server user can write to)?

> for example. Then you export the conf of the ca and the import on ra.
> That should work then ;)

Kevin's cookbook never says to export the configuration of the ca (unless I
missed it?). How do I do that? In the guide, I see this:

====================
1.1.5. Final setup

The last steps can also be done on the interface for the node management but it
is a good idea to do it during the initialization to get a consistent state.

The rebuild of the CA chain is necessary to verify digital signatures
correctly. If you want to set up a sub CA then you must add all CA certificates
of the CA chain in PEM format to the directory OPENCADIR/var/crypto/chain/
before you rebuild the chain.

The really last step is the export of the configuration to the online
server(s).
Most OpenCA users ignore this step and handle all the communication between the
different nodes of the PKI hierarchy via the interface for the node management.
If this is your first OpenCA usage then you should
export the configuration and import it into the online server.
^^^^^^^^^^^^^^^^^^^^^^^^
===============

But I don't see exactly how to do so in the guide (perhaps because it should be
intuitively obvious to me; sorry if I'm slow on the uptake here...). In the CA
Node Management page
(https://mybox.example.com/cgi-bin/ca-node/node?cmd=getStaticPage;name=dataexchange),
I see the following actions. Is one of these the one I use to export the
configuration?

=====================
General  Administration  Utilities  Logs  Language
                         ^^^^Bold^^^^^^

  Stop Daemons of Crypto Tokens
  Server Init
  Dataexchange
  Backup and Recovery
  Database

Dataexchange

Please choose what do you want to export from or import into the CA.

Enroll data to a lower level of the hierarchy
  All
  Certificates
  CRLs
  Configuration
  Batchprocessors

Receive data from a lower level of the hierarchy
  All
  Requests
  CRRs

Download data from a higher level of the hierarchy
  All
  Certificates
  CRLs
  Configuration
  Batchprocessors

Upload data to a higher level of the hierarchy
  All
  Requests
  CRRs
=====================

I'm not even certain of the language here as relates to the "lower level" of
the hierarchy or the "higher level." Is the offline CA a higher level in the
hierarchy than the online RA when both services are being handled by the same
computer? Or perhaps the language is meant to be interpreted generally (as
though both CA and RA functions are being handled by different computers)?

And what exactly is meant by "Enroll", "Receive", "Download", and "Upload"? I'm
sure those words have a very specific meaning with OpenCA and if they are
defined in the Guide I just have not found them.
I searched with Google for these words and OpenCA and found what seems to be
the most relevant page (http://www.openca.org/openca/docs/online/ch03s03.html),
but it doesn't really seem to define these words.

I'd also like to know exactly what is meant by export and import. I think I
understand, but perhaps I'm assuming something about the meaning of these words
based on my use of them with other applications. Perhaps such incorrect
assumptions are at the root of my problems here.

If I had to guess, I'd say that exporting the CA configuration would be done by
the:

    Download data from a higher level of the hierarchy
      Configuration

...action. True? Or do I do "All"?

I'm terribly sorry if these are dumb questions. I really have read through the
entire Guide (including the conceptual parts, although I admit that in some
cases I scanned because the section clearly did not relate directly to this
issue), but it seems that there are many parts that are still unwritten. I
offer my most sincere apologies if the answers to some of these questions are
in the guide and I'm just not finding them.

I'm sure once I get this running and do some experimentation with it, it will
all become much more clear. Once I do, I'll be sure to write some supplemental
guidelines on doing this whole thing to supplement Kevin's cookbook for other
newbies like me, since I'm too dumb to figure it out from his cookbook alone.
Perhaps I could spare the list suffering through these sorts of questions again
by doing so.

Thanks again.

-Kevin

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
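As an added example (not from this thread and not OpenCA's own code), a small Python check that parses the `<option><name/><value/></option>` form of config.xml quoted above for both the CA and the RA side and reports the two mistakes the cookbook warns about: a device left at the shipped /dev/fd0 floppy default, and an RA up device that is not the very same file as the CA down device. The wrapper element, the sample paths and the `_cfg` helper are constructed assumptions; the optional filesystem check tests that the device's directory is writable by the user running the script.

```python
import os
import xml.etree.ElementTree as ET

# Constructed config.xml fragments in the thread's <option> form; wrapper element and paths are assumptions.
def _cfg(up, down, local):
    return ("<openca_config>"
            f"<option><name>dataexchange_device_up</name><value>{up}</value></option>"
            f"<option><name>dataexchange_device_down</name><value>{down}</value></option>"
            f"<option><name>dataexchange_device_local</name><value>{local}</value></option>"
            "</openca_config>")

CA_CONFIG = _cfg("/usr/local/openca/openca/var/tmp/ca-up",
                 "/usr/local/openca/openca/var/tmp/ca-down",
                 "/usr/local/openra/openca/var/tmp/ra-local")
# RA config with every device still at the shipped floppy default.
RA_CONFIG_DEFAULT = _cfg("/dev/fd0", "/dev/fd0", "/dev/fd0")
# RA config whose up device is the CA's down device, as the cookbook requires.
RA_CONFIG_OK = _cfg("/usr/local/openca/openca/var/tmp/ca-down",
                    "/usr/local/openra/openca/var/tmp/ra-down",
                    "/usr/local/openra/openca/var/tmp/ra-local")
DEVICE_KEYS = ("dataexchange_device_up", "dataexchange_device_down", "dataexchange_device_local")

def dataexchange_devices(xml_text):
    """Map option name -> value for every dataexchange_device_* option."""
    devices = {}
    for opt in ET.fromstring(xml_text).iter("option"):
        name = (opt.findtext("name") or "").strip()
        if name.startswith("dataexchange_device_"):
            devices[name] = (opt.findtext("value") or "").strip()
    return devices

def check_pairing(ca_xml, ra_xml, check_fs=False):
    """Return a list of problems; an empty list means the two sides line up."""
    ca, ra = dataexchange_devices(ca_xml), dataexchange_devices(ra_xml)
    problems = []
    for side, devs in (("CA", ca), ("RA", ra)):
        for key in DEVICE_KEYS:
            if key not in devs:
                problems.append(f"{side}: {key} is not set")
            elif devs[key].startswith("/dev/fd"):
                problems.append(f"{side}: {key} still points at a floppy ({devs[key]})")
    # The RA imports what the CA exported: RA up must be the very same file as CA down.
    if ca.get("dataexchange_device_down") != ra.get("dataexchange_device_up"):
        problems.append("RA up device must be the same file as the CA down device")
    if check_fs:  # optional: the device's directory must exist and be writable
        for path in set(ca.values()) | set(ra.values()):
            parent = os.path.dirname(path)
            if not os.access(parent, os.W_OK):
                problems.append(f"{parent} is missing or not writable by this user")
    return problems
```

Run it with `check_fs=True` as the web server user on a real installation to catch the "no ca-down file" situation from the first message before the browser does.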