Hi Javier,
> Common Information on both installations. Computers A & B
Two boxes, OK. :)
>
> ------------------------------------------------
>
> OpenCA Version : 0.9.2.4
Why not 0.9.2.5?
> Perl Version : perl-5.8.5-16.RHEL4
> OpenSSL Version : openssl-0.9.7a-43.4
> Operating System: CentOS 4
I used SuSE 9.3 Pro.
> DB Type: MySQL : 4.1.12-3
>
> ------------------------------------------------
>
> Problem Description:
>
> FIRST PHASE:
> In a first installation in computer 'A', AKA 'CA'
> ./configure --with-openssl-prefix=/usr/share/ssl --with-language=es_ES
> --with-openca-user=xxx --with-openca-group=xxx
> --with-module-prefix=/var/ca/modules --with-openca-prefix=/var/ca/data
> --with-etc-prefix=/var/ca/etc --with-lib-prefix=/var/ca/lib
> --with-var-prefix=/var/ca/var --with-web-host=xxx.xxx.es
> --with-httpd-user=xxxx --with-httpd-group=xxx
> --with-httpd-fs-prefix=/var/www --with-cgi-fs-prefix=/var/www/cgi-bin
> --with-htdocs-fs-prefix=/var/www/html
my configure for ca (box A):
PREFIX=/usr/share
./configure \
--prefix=${PREFIX} \
--bindir=/usr/bin \
--with-hierarchy-level=ca \
--with-node-prefix=ca-node \
--with-httpd-fs-prefix=/srv/www/OpenCA \
--with-module-prefix=${PREFIX}/OpenCA/modules \
--with-engine=no \
--with-web-host=ca.domain \
--with-ca-organisation="CAorg" \
--with-ca-locality=Deidesheim \
--with-ca-country=DE \
--with-ldap-port=389 \
--with-ldap-root="cn=Manager,dc=net" \
--with-ldap-root-pwd="secret" \
--enable-ocspd \
--disable-rbac \
[EMAIL PROTECTED] \
--with-httpd-user=${HTTPD_USER} \
--with-httpd-group=${HTTPD_GROUP} \
--with-openca-user=openca \
--with-openca-group=openca \
--with-dist-user=admin \
--disable-db \
--enable-dbi \
--with-db-type=mysql \
--with-db-name=opencadbname \
--with-db-host=localhost \
--with-db-port=3306 \
--with-db-user=opencauser \
--with-db-passwd=xxxxx \
--disable-external-modules
make; make install-offline
!! --with-hierarchy-level= !!!
my configure for ra (box B):
PREFIX=/usr/share
./configure \
--prefix=${PREFIX} \
--bindir=/usr/bin \
--with-hierarchy-level=ra \
--with-node-prefix=ra-node \
--with-httpd-fs-prefix=/srv/www/OpenCA \
--with-module-prefix=${PREFIX}/OpenCA/modules \
--with-engine=no \
--with-web-host=pki.caorg.domain \
--with-ca-organisation="CAorg" \
--with-ca-locality=Deidesheim \
--with-ca-country=DE \
--with-ldap-port=389 \
--with-ldap-root="cn=Manager,dc=net" \
--with-ldap-root-pwd="secret" \
--enable-ocspd \
--disable-rbac \
[EMAIL PROTECTED] \
--with-httpd-user=${HTTPD_USER} \
--with-httpd-group=${HTTPD_GROUP} \
--with-openca-user=openca \
--with-openca-group=openca \
--with-dist-user=admin \
--disable-db \
--enable-dbi \
--with-db-type=mysql \
--with-db-name=opencadbname \
--with-db-host=localhost \
--with-db-port=3306 \
--with-db-user=opencadbuser \
--with-db-passwd=xxxxx \
--disable-external-modules
make; make install-online
Try again !
> So I did edit the file openca/etc/config.xml for both the CA and RA
> servers and have de-commented respectively the configuration parts
> "1. the node acts as CA only" and "2. the node acts as RA only".
OK
Check dataexchange on CA (end of config.xml)
I created an extra DIR for copying files via `scp` after establishing a
network connection.
<!-- these are the devices for the default dataexchange -->
<option>
<name>dataexchange_device_up</name>
<value>/usr/share/OpenCA/datex/ca-up</value>
</option>
<option>
<name>dataexchange_device_down</name>
<value>/usr/share/OpenCA/datex/ca-down</value>
</option>
<option>
<name>dataexchange_device_local</name>
<value>/usr/share/OpenCA/datex/ra-local</value>
</option>
and here for RA:
<!-- these are the devices for the default dataexchange -->
<option>
<name>dataexchange_device_up</name>
<value>/usr/share/OpenCA/datex/ca-down</value>
</option>
<option>
<name>dataexchange_device_down</name>
<value>/usr/share/OpenCA/datex/ra-down</value>
</option>
<option>
<name>dataexchange_device_local</name>
<value>/usr/share/OpenCA/datex/ra-local</value>
</option>
>
> I had taken a look at this file in my installations and this is what I had
> in both machines:
on CA:
<!-- 1. the node acts as CA only
-->
<option>
<name>enroll_ca_certificate_states</name>
<value>VALID</value>
</option>
<option>
<name>enroll_certificate_states</name>
<value>VALID</value>
</option>
<option>
<name>enroll_crl_states</name>
<value>VALID</value>
</option>
<option>
<name>enroll_crr_states</name>
<value>ARCHIVED DELETED APPROVED</value>
</option>
<option>
<name>enroll_csr_states</name>
<value>ARCHIVED DELETED</value>
</option>
<option>
<name>enroll_mail_states</name>
<value>CRINS DEFAULT</value>
</option>
<option>
<name>receive_crr_states</name>
<value>APPROVED</value>
</option>
<option>
<name>receive_csr_states</name>
<value>APPROVED</value>
</option>
<option>
<name>download_ca_certificate_states</name>
<value></value>
</option>
<option>
<name>download_certificate_states</name>
<value></value>
</option>
<option>
<name>download_crl_states</name>
<value></value>
</option>
<option>
<name>download_crr_states</name>
<value></value>
</option>
<option>
<name>download_csr_states</name>
<value></value>
</option>
<option>
<name>download_mail_states</name>
<value></value>
</option>
<option>
<name>upload_crr_states</name>
<value></value>
</option>
<option>
<name>upload_csr_states</name>
<value></value>
</option>
and on RA:
<!-- 2. the node acts as RA only
-->
<option>
<name>enroll_ca_certificate_states</name>
<value>VALID</value>
</option>
<option>
<name>enroll_certificate_states</name>
<value>VALID</value>
</option>
<option>
<name>enroll_crl_states</name>
<value>VALID</value>
</option>
<option>
<name>enroll_crr_states</name>
<value>ARCHIVED DELETED APPROVED SIGNED PENDING NEW</value>
</option>
<option>
<name>enroll_csr_states</name>
<value>ARCHIVED DELETED</value>
</option>
<option>
<name>enroll_mail_states</name>
<value></value>
</option>
<option>
<name>receive_crr_states</name>
<value>PENDING NEW</value>
</option>
<option>
<name>receive_csr_states</name>
<value>PENDING RENEW NEW</value>
</option>
<option>
<name>download_ca_certificate_states</name>
<value>VALID</value>
</option>
<option>
<name>download_certificate_states</name>
<value>VALID</value>
</option>
<option>
<name>download_crl_states</name>
<value>VALID</value>
</option>
<option>
<name>download_crr_states</name>
<value>ARCHIVED DELETED APPROVED</value>
</option>
<option>
<name>download_csr_states</name>
<value>ARCHIVED DELETED</value>
</option>
<option>
<name>download_mail_states</name>
<value>CRINS DEFAULT</value>
</option>
<option>
<name>upload_crr_states</name>
<value>APPROVED</value>
</option>
<option>
<name>upload_csr_states</name>
<value>APPROVED</value>
</option>
> The questions then are:
>
> 1.- What is the way to assign ModuleIDs to the new RA?
I didn't need to modify. :)
> 2.- How must the config.xml lines be uncommented, deleting <!...>?
Start comment <!-- comments all inside till -->
> 3.- What is the whole procedure list to set up correctly the new RA?
> (I meant initialize DB, rebuild chain, etc.)
Start with CA, initialize DB, CA-Cert, Admin cert, RA-SSL-cert (RA will
only allow connections via https by default),
then setup RA, initialize DB.
Bear in mind that the CA is on a higher level than the RA!
> 4.- Is it necessary to touch something in the CA (roles, etc.) so it could
> know about the existence of a new RA, if I assign the RA a new ModuleID
> where it is declared in the CA?
AFAIK: Nope.
> 5.- What is the procedure with this scene to make the data exchange work
> in both directions?
See above.
>
> Any comment would be very appreciated. Thanks in advance.
Just more than a comment ;)
Regards Christian
-----------------------------------------
This e-mail was sent via SquirrelMail
"Webmail for nuts!"
-----------------------------------------
Provided for customers of Scorpio IT
http://www.scorpio-it.net
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
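Added example (not from this thread or the OpenCA project): a small Python checker that parses the <option> blocks quoted above from both config.xml files, drops anything still inside a <!-- --> comment (which is why a block that is still commented out is not loaded), lists the CA-down/RA-up directory pair the scp copy has to mirror, and shows where the CA-only and RA-only state lists differ. The pairing of the CA's down device with the RA's up device is an assumption drawn from the remark that the CA sits on a higher level than the RA.

```python
import re
from xml.etree import ElementTree as ET

# Constructed input: the dataexchange and state <option> blocks quoted in the
# thread for the two nodes, trimmed to what the checks below need.
CA_XML = """
<option><name>dataexchange_device_up</name><value>/usr/share/OpenCA/datex/ca-up</value></option>
<option><name>dataexchange_device_down</name><value>/usr/share/OpenCA/datex/ca-down</value></option>
<option><name>dataexchange_device_local</name><value>/usr/share/OpenCA/datex/ra-local</value></option>
<option><name>download_certificate_states</name><value></value></option>
<option><name>download_crl_states</name><value></value></option>
"""
RA_XML = """
<option><name>dataexchange_device_up</name><value>/usr/share/OpenCA/datex/ca-down</value></option>
<option><name>dataexchange_device_down</name><value>/usr/share/OpenCA/datex/ra-down</value></option>
<option><name>dataexchange_device_local</name><value>/usr/share/OpenCA/datex/ra-local</value></option>
<option><name>download_certificate_states</name><value>VALID</value></option>
<option><name>download_crl_states</name><value>VALID</value></option>
"""

def parse_options(fragment):
    """Parse <option><name/><value/></option> blocks into a dict. Comments are
    stripped first, so a block still wrapped in <!-- --> is simply absent."""
    fragment = re.sub(r"<!--.*?-->", "", fragment, flags=re.S)
    root = ET.fromstring("<openca>%s</openca>" % fragment)
    opts = {}
    for opt in root.findall("option"):
        name = opt.findtext("name", "").strip()
        value = opt.findtext("value") or ""   # empty <value></value> -> ""
        opts[name] = value.strip()
    return opts

def states(opts, key):
    """State lists are whitespace-separated words; an empty value is no states."""
    return set(opts.get(key, "").split())

def transport_pairs(ca, ra):
    """Directories the scp copy must keep in sync between box A and box B.
    Assumption: the CA talks to the lower-level RA through its *down* device
    and the RA talks to the CA through its *up* device."""
    return [(ca["dataexchange_device_down"], ra["dataexchange_device_up"])]

def state_diff(ca, ra):
    """Keys whose state lists differ between the CA-only and RA-only profiles."""
    keys = sorted(set(ca) | set(ra))
    return {k: (states(ca, k), states(ra, k)) for k in keys
            if k.endswith("_states") and states(ca, k) != states(ra, k)}
```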