On Mon, 2004-09-20 at 00:32, Til Obes wrote:
> > I suppose that some of the initialization steps may have depended upon
> > those values being set correctly.  What are the implications if they
> > were not set correctly during those first init steps?  Must I redo
> > everything?
> > 
> > It looks from the error message in the browser that there should
> > already be a /usr/local/openra/OpenCA/var/tmp/ca-down file (or perhaps
> > one in /usr/local/openca/OpenCA/var/tmp), but I find no ca-* or ra-*
> > files in either /usr/local/open[rc]a/OpenCA/var/tmp.  At what step is
> > this archive created during the initialization?
> > 
> > The OpenCA guide doesn't go into very much detail on these issues.
> > 
> > Can anyone offer a bit of configuration help?
> > 
> 
> Normally the backup device is a floppy disc or zip disc.

Thanks for your reply, Til, but I'm not sure that I understand.  Please
pardon my questions (that are probably dumb questions due to my lack of
experience with OpenCA):

What do you mean by "backup device"?  I was talking about these devices:
          <name>dataexchange_device_up</name>
          <name>dataexchange_device_down</name>
          <name>dataexchange_device_local</name>

Is one of these the "backup device"?

For a two-interface setup, Kevin Mitcham writes to change the default
settings as follows (in
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html):

=========================
modify the config.xml for the ra (located in
/usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:  <==== he's apparently writing about changes to the
                   /usr/local/openca/openca/etc/config.xml file
                   as opposed to openra/openca/etc/config.xml.
...
<!-- these are the devices for the default dataexchange --> 
(these might not be in config.xml; if not, see below)
          <name>dataexchange_device_up</name>
          <value>/usr/local/openca/openca/var/tmp/ca-up</value>
        </option>
        <option>
          <name>dataexchange_device_down</name>
          <value>/usr/local/openca/openca/var/tmp/ca-down</value>
        </option>
        <option>
          <name>dataexchange_device_local</name>
          <value>/usr/local/openra/openca/var/tmp/ra-local</value>
        
        
if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"


line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
...
=========================

Is that incorrect?

> So the entry looks like /floppy or /dev/hda4/openca/export

Again, not sure I follow.  Should it be /dev/fd0?  Or the mount point
for /dev/fd0?  Or the mount point of some HDD partition (say,
/mnt/testing mounted at /dev/hda4 in linux) followed by a path on that
partition?

Should the entries be identical for the config.xml files in both
/usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc?  Or
should they be different?

Kevin seems to be writing about changing
/usr/local/openca/OpenCA/etc/config.xml
           ^^^^*^
when he says to change the dataexchange_device_local to
/usr/local/openra/openca/var/tmp/ra-local so I figured that this device
should be set identically in both openca and openra config.xml files. 
Is that incorrect?


> For testing you should enter at all entries at your side

I'm sorry.  Again, I'm not sure which entries you're referring to here.
The three devices above?  And what do you mean by "at your side"?

> /tmp/openca/export (must be writeable by web server)

So, for both config.xml files, set all three (total of 6 devices: 2
files each with three devices?) to the same file (in say the /tmp
directory---or wherever the web server user can write to)?

> for example. Then you export the conf of the ca and the import on ra.
> That should work then ;)
> 

Kevin's cookbook never says to export the configuration of the ca
(unless I missed it?).  How do I do that?

In the guide, I see this:
====================
1.1.5. Final setup


The last steps can also be done on the interface for the node management,
but it is a good idea to do it during the initialization to get a
consistent state. The rebuild of the CA chain is necessary to verify
digital signatures correctly. If you want to set up a sub CA then you
must add all CA certificates of the CA chain in PEM format to the
directory OPENCADIR/var/crypto/chain/ before you rebuild the chain.


The really last step is the export of the configuration to the online
server(s). Most OpenCA users ignore this step and handle all the
communication between the different nodes of the PKI hierarchy via the
interface for the node management. If this is your first OpenCA usage
then you should export the configuration and import it into the online
server.         ^^^^^^^^^^^^^^^^^^^^^^^^
===============
But I don't see exactly how to do so in the guide (perhaps because it
should be intuitively obvious to me; sorry if I'm slow on the uptake
here...).

In the CA Node Management page
(https://mybox.example.com/cgi-bin/ca-node/node?cmd=getStaticPage;name=dataexchange), 
I see the following actions.  Is one of these the one I use to export the 
configuration?
=====================
General  Administration  Utilities  Logs  Language 
         ^^^^Bold^^^^^^
Stop Daemons of Crypto Tokens  Server Init  Dataexchange  Backup and
Recovery  Database 


Dataexchange
Please choose what do you want to export from or import into the CA.

  Enroll data to a lower level of the hierarchy
    All
    Certificates
    CRLs
    Configuration
    Batchprocessors
  Receive data from a lower level of the hierarchy
    All
    Requests
    CRRs
  Download data from a higher level of the hierarchy
    All
    Certificates
    CRLs
    Configuration
    Batchprocessors
  Upload data to a higher level of the hierarchy
    All
    Requests
    CRRs
=====================

I'm not even certain of the language here as relates to the "lower
level" of the hierarchy or the "higher level."  Is the offline CA a
higher level in the hierarchy than the online RA when both services are
being handled by the same computer?  Or perhaps the language is meant to
be interpreted generally (as though both CA and RA functions are being
handled by different computers)?  And what exactly is meant by "Enroll",
"Receive", "Download", and "Upload"?  I'm sure those words have a very
specific meaning with OpenCA, and if they are defined in the Guide I just
have not found them.

I searched with Google for these words and OpenCA and found what seems
to be the most relevant page
(http://www.openca.org/openca/docs/online/ch03s03.html), but it doesn't
really seem to define these words.  I'd also like to know exactly what
is meant by export and import.  I think I understand, but perhaps I'm
assuming something about the meaning of these words based on my use of
them with other applications.  Perhaps such incorrect assumptions are at
the root of my problems here.

If I had to guess, I'd say that exporting the CA configuration would be
done by the:
Download data from a higher level of the hierarchy
Configuration

...action.  True?  Or do I do "All"?

I'm terribly sorry if these are dumb questions.  I really have read
through the entire Guide (including the conceptual parts), although I
admit that in some cases I scanned because the section clearly did not
relate directly to this issue, but it seems that there are many parts
that are still unwritten.

I offer my most sincere apologies if the answers to some of these
questions are in the guide and I'm just not finding them.  I'm sure once
I get this running and do some experimentation with it, it will all
become much more clear.  Once I do, I'll be sure to write some
supplemental guidelines on doing this whole thing to supplement Kevin's
cookbook for other newbies like me since I'm too dumb to figure it out
from his cookbook alone.  Perhaps I could spare the list suffering
though these sorts of questions again by doing so.

Thanks again.

-Kevin
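One way to check the pairing rule quoted from Kevin Mitcham's cookbook above (the RA's up device must be the exact same file as the CA's down device) and Til's "must be writeable by web server" requirement against both config.xml files. This is an added example, not code from the thread or from OpenCA; the `<openca>` wrapper element and the sample paths are constructed assumptions, only the `<option><name/><value/></option>` layout comes from the quoted snippet.

```python
import os
import xml.etree.ElementTree as ET

# Constructed config.xml fragments in the <option><name/><value/></option> layout
# quoted above; the wrapping <openca> element is an assumption, not OpenCA's schema.
CA_XML = """<openca>
  <option><name>dataexchange_device_up</name><value>/usr/local/openca/openca/var/tmp/ca-up</value></option>
  <option><name>dataexchange_device_down</name><value>/usr/local/openca/openca/var/tmp/ca-down</value></option>
  <option><name>dataexchange_device_local</name><value>/usr/local/openra/openca/var/tmp/ra-local</value></option>
</openca>"""
RA_XML = """<openca>
  <option><name>dataexchange_device_up</name><value>/usr/local/openca/openca/var/tmp/ca-down</value></option>
  <option><name>dataexchange_device_down</name><value>/usr/local/openra/openca/var/tmp/ra-down</value></option>
  <option><name>dataexchange_device_local</name><value>/usr/local/openra/openca/var/tmp/ra-local</value></option>
</openca>"""

DEVICE_KEYS = ("dataexchange_device_up", "dataexchange_device_down",
               "dataexchange_device_local")

def dataexchange_devices(xml_text):
    """Map each dataexchange_device_* option to its normalised path."""
    devices = {}
    for opt in ET.fromstring(xml_text).iter("option"):
        name = (opt.findtext("name") or "").strip()
        if name in DEVICE_KEYS:
            devices[name] = os.path.normpath((opt.findtext("value") or "").strip())
    return devices

def check_pairing(ca, ra):
    """Return a list of problems (empty means consistent). Rule from the
    cookbook quoted above: the RA 'up' device must be the exact same file as
    the CA 'down' device, and all three devices must be set on both sides."""
    problems = [f"{side}: {key} not set"
                for side, devs in (("ca", ca), ("ra", ra))
                for key in DEVICE_KEYS if key not in devs]
    if ca.get("dataexchange_device_down") != ra.get("dataexchange_device_up"):
        problems.append("ra up device is not the same file as ca down device")
    return problems

def device_dir_writable(path):
    """True if the directory meant to hold the exchange file exists and the
    current account can write there; run this as the web server user."""
    directory = os.path.dirname(path) or "."
    return os.path.isdir(directory) and os.access(directory, os.W_OK)

if __name__ == "__main__":
    ca, ra = dataexchange_devices(CA_XML), dataexchange_devices(RA_XML)
    print(check_pairing(ca, ra) or "ca and ra dataexchange devices agree")
```

Point the two strings at the real `/usr/local/openca/openca/etc/config.xml` and `/usr/local/openra/openca/etc/config.xml` contents and run it as the web server account so `device_dir_writable` answers for the right user.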