Hello list,

I am using a debian sarge distribution and I set up the CA on one
offline server and the pub/ra (version 0.9.2.1). I also set up multiple
CAs and RAs to get a per-client-PKI. Still in progress...
I have a few questions and I am going to try to send an email for each
set of questions. This one relates to the public interface.

1.
I encounter the following problem with the pub interface which is quite
annoying because I want this interface to be as neat as possible:
using the General/Logout function, I always get the following message:

        "Erreur 6291049

        General Error Loading command name: There is a problem with the XML
        cache (Client: The answer for the following message signals an error.
        /usr/local/openra921/openca/etc/rbac/cmds/.xml
        command_config/command/name"

It seems like it searches a command whose name is '' (i.e. void). I have
no idea on this one.

2.
I noticed that when OpenCA generated a certificate and the key-pair
going along with it (for a Basic Request for example), on the pub
interface, choosing such a certificate from the Certificates/Valid menu,
the following 2 options are listed:
- Change Passphrase
- Remove Key Phrase from database

To activate these functions for the pub interface, you need to edit the
access rights in the openca/etc/rbac/acl.xml file with the public
interface module # (default value: 32):
        <module>1</module>      to be changed to <module>(1|32)</module>
        <role>.*</role>
        <operation>certificate change passphrase of key</operation>
        <owner>.*</owner>
and
        <module>(0|1)</module>  to be changed to <module>(0|1|32)</module>
        <role>.*</role>
        <operation>certificate remove key</operation>
        <owner>.*</owner>

Now, it is a question of choice:
- Should the user be able to change the key passphrase from the public
interface (he has to know the current passphrase to do so)? (I don't
know)
- I definitely don't think that a user should access the "certificate
remove key" option because there is no access control at all. So, I
don't understand why this option is present on the pub interface.

3.
I also have a more general question about this interface: I would like
to know how much more secure it is to install the Pub interface on one
server and the RA/RA Node on another server?
How to do the data exchange in that case because it is pretty automatic
otherwise? Is it possible to set this up reliably/rapidly?

Thanks in advance.
Pierre
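Since the mail turns on which operations the `<module>` regex in acl.xml grants to the public interface (module 32), here is an added audit script, not part of the mail or of OpenCA, that answers exactly that question for a given acl.xml. It assumes, beyond what the mail shows, that each rule is wrapped in a `<permission>` element under `<access_control_list>` (element names assumed) and that OpenCA matches the module number against the `<module>` pattern as a whole-string regular expression. The sample ACL embedded below is constructed from the two rules quoted above plus one role-restricted rule for contrast.

```python
import re
import xml.etree.ElementTree as ET

# Default module number of the public interface, as stated in the mail.
PUBLIC_MODULE_ID = "32"

# Constructed acl.xml fragment. The <permission>/<access_control_list>
# wrappers are an ASSUMPTION; the four inner fields are as shown in the mail.
SAMPLE_ACL = """<openca>
<acl_config>
<access_control_list>
  <permission>
    <module>(1|32)</module>
    <role>.*</role>
    <operation>certificate change passphrase of key</operation>
    <owner>.*</owner>
  </permission>
  <permission>
    <module>(0|1|32)</module>
    <role>.*</role>
    <operation>certificate remove key</operation>
    <owner>.*</owner>
  </permission>
  <permission>
    <module>1</module>
    <role>RA Operator</role>
    <operation>certificate revoke</operation>
    <owner>.*</owner>
  </permission>
</access_control_list>
</acl_config>
</openca>"""


def _module_matches(pattern, module_id):
    """Whole-string regex match, so '1' does not match '32' or '12'."""
    return re.fullmatch(pattern.strip(), module_id) is not None


def permissions_for_module(acl_xml, module_id):
    """Return every rule (operation/role/owner) whose <module> pattern
    matches the given module number."""
    root = ET.fromstring(acl_xml)
    rules = []
    for perm in root.iter("permission"):
        if _module_matches(perm.findtext("module", ""), module_id):
            rules.append({
                "operation": perm.findtext("operation", "").strip(),
                "role": perm.findtext("role", "").strip(),
                "owner": perm.findtext("owner", "").strip(),
            })
    return rules


def wide_open_operations(acl_xml, module_id):
    """Operations the module may run with any role on any owner's object.
    These are the rules to review before exposing them on the public side."""
    return sorted(
        r["operation"]
        for r in permissions_for_module(acl_xml, module_id)
        if r["role"] == ".*" and r["owner"] == ".*"
    )


if __name__ == "__main__":
    for op in wide_open_operations(SAMPLE_ACL, PUBLIC_MODULE_ID):
        print("module %s, any role, any owner: %s" % (PUBLIC_MODULE_ID, op))
```

Run against the real acl.xml by replacing `SAMPLE_ACL` with the file contents; any operation printed is one that every public-interface user can invoke on every object, which is the situation the mail describes for "certificate remove key".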



Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users