Hi, I think I'll have a go at these. You're only confused because (I think) you're trying to set it up as two separate installs on the same machine. Read on:
On Tue, 2004-09-21 at 04:09, Kevin wrote:
> What do you mean by "backup device"? I was talking about these devices:
> <name>dataexchange_device_up</name>
> <name>dataexchange_device_down</name>
> <name>dataexchange_device_local</name>
>
> Is one of these the "backup device"?

dataexchange_device_local is a backup device. It writes out all your data to a local file, so you can restore everything *on that node* from it later.

> Is that incorrect?
>
> > So the entry looks like /floppy or /dev/hda4/openca/export
>
> Again, not sure I follow. Should it be /dev/fd0? Or the mount point
> for /dev/fd0? Or the mount point of some HDD partition (say,
> /mnt/testing mounted at /dev/hda4 in linux) followed by a path on that
> partition?

The dataexchange files are in a tar file, and tar can write to a file, or it can write directly to a device. It's nice using the floppy device directly (/dev/fd0 or similar), but if you have to move the tarfile around manually to import/export, you probably want to use a file instead (/var/dataexchange/data-up.tar or similar). Also, there's the pre and post dataexchange, if you want to do cool stuff like bring up a network interface, scp the data, then take it down again.

> Should the entries be identical for the config.xml files in both
> /usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc? Or
> should they be different?

If you're running an ra and a ca on the same machine in different directories, they'll need different settings in config.xml (mainly in uncommenting the correct dataexchange sections for each).

> Kevin seems to be writing about changing
> /usr/local/openca/OpenCA/etc/config.xml
>            ^^^^*^
> when he says to change the dataexchange_device_local to
> /usr/local/openra/openca/var/tmp/ra-local so I figured that this device
> should be set identically in both openca and openra config.xml files.
> Is that incorrect?
Naah, I'd say you wanna backup the ca and ra to different files, so you can restore them separately if one or the other fails. Again, this is confusing because you seem to have two separate installs on the same machine.

>
> > For testing you should enter at all entries at your side
>
> I'm sorry. Again, I'm not sure which entries you're referring to here.
> The three devices above? Or what you mean by, "at your side."

You need to be able to get data to and from the CA, for your particular config. If you have two machines, like me, the CA needs to send data "down" and "local", and the RA needs to send data "up" and "local". There's no need to configure the others. Anyway, you should have a go at configuring a tar file export from the RA, doing an export, and seeing if you can move the resulting tar file to the CA import file location, and importing some requests.

>
> > /tmp/openca/export (must be writeable by web server)

There's a point: if you move the files around manually as root, then try to overwrite them with openca (running as apache or httpd) it might crap out (it'll say at the bottom of the dataexchange results html page), so you have to delete the old dataexchange file.

> So, for both config.xml files, set all three (total of 6 devices: 2
> files each with three devices?) to the same file (in say the /tmp
> directory---or wherever the web server user can write to)?
>
> > for example. Then you export the conf of the ca and the import on ra.
> > That should work then ;)
>
> Kevin's cookbook never says to export the configuration of the ca
> (unless I missed it?). How do I do that?

You can export the configuration of the CA to the RA, once you have dataexchange all working. What this does (as far as I know) is export things like access control lists, role based authentication... basically which roles and users are allowed to do what.
> But I don't see exactly how to do so in the guide (perhaps because it
> should be intuitively obvious to me (sorry if I'm slow on the uptake
> here...)

No, this took me a while (and some dumb emails) to get my head around too. It's like I said above. The CA *setup* menu has a link for doing a one-off data exchange to a lower level, to make it simple. It's nice, but you don't have to use it; you can just use the node menu and "enroll" all data to a lower level. When you import that on your RA, the RA will get the CA cert, the RBAC, the initial admin user cert and key (which you need for _funky_ x509 logins).

> I'm not even certain of the language here as relates to the "lower
> level" of the hierarchy or the "higher level." Is the offline CA a
> higher level in the hierarchy than the online RA when both services are
> being handled by the same computer?

Now here's that old problem again. If you run the CA and the RA on the same machine, they should be the same server, all configured and run from one directory, and therefore no dataexchange is necessary, because it's all in the same database. If you try to run two separate nodes on the same machine you need two separate directories, two servers running, two different databases, etc. Pain in the arse.

> Or perhaps the language is meant to
> be interpreted generally (as though both CA and RA functions are being
> handled by different computers)? And what exactly is meant by "Enroll",
> "Receive", "Download", and "Upload". I'm sure those words have a very
> specific meaning with OpenCA and if they are defined in the Guide I just
> have not found them.

There's some funny English (sorry guys), but yeah, you got the gist of it. Each node basically sends data up or down. If everything was on a separate node, it would be CA at the top, RA(s) in the middle, and Public(s) at the bottom. (I still reckon "public" needs a cool two letter acronym. PI anyone??)
No dataexchange is required between separate components if they are on the same node.

> is meant by export and import. I think I understand, but perhaps I'm
> assuming something about the meaning of these words based on my use of
> them with other applications. Perhaps such incorrect assumptions are at
> the root of my problems here.
>
> If I had to guess, I'd say that exporting the CA configuration would be
> done by the:
> Download data from a higher level of the hierarchy
> Configuration
>
> ...action. True? Or do I do "All"?

Yeah, like it says, if you just want to do the config, and not requests or other stuff, you can do configuration, otherwise you can do all at once.

> I offer my most sincere apologies if the answers to some of these
> questions are in the guide and I'm just not finding them.
...
> from his cookbook alone. Perhaps I could spare the list suffering
> through these sorts of questions again by doing so.

Blah blah humble pie yeah, whatever :) Seriously, I had all the same issues. It's the type of thing that really needs ten minutes and a whiteboard to explain properly. OpenCA works much better conceptually if you actually do use separate "nodes" (completely separate machines) for the CA and the RA. I haven't read the openca cookbook, but this is how I run it: I have two separate machines, both have an install of openca in /usr/local/openca, one is the CA, the other is the RA/public, each is a "node", and I use dataexchange-up to send data from the RA/public node up to the CA machine, and vice-versa.

> Thanks again.
>
> -Kevin

(hope I helped)
Damon
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users