RE: [Openca-Users] Chinese vs international

2006-01-19 Thread Kevin Dong
Hi Sergei,

Thanks. Yes. I translate the file using UTF-8 encoding. We have tested in
OpenCA 0.9.2.5 using part of the file I have translated, and it works well.
:)

Warmest Regards,

-Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sergei
Vyshenski
Sent: Thursday, January 19, 2006 6:54 PM
To: openca-users@lists.sourceforge.net
Subject: Re: [Openca-Users] Chinese vs international

Kevin,

1. Menu.xml is not intended for translation. It contains 
(English) keys that are used as pointers to translated 
interfaces, when selected.
If you remove or miss keys, you end up with a mess.

2. Once you specify "encoding=UTF-8" in your file, 
it might not be an extremely bright idea to use GB2312 encoding
in the  field. 

3. Here in particular, and in your translation in general, 
you had better use one of the following Chinese offerings
available in UTF-8 tables:

1) Bopomofo
2) Bopomofo extended
3) one of the CJK 

Otherwise Michael will be having a hard time decoding 
your translation into one of the 3 options himself.

Since release 0.9.2.4, OpenCA supports 
only UTF-8 encoded translations of user interface.

Regards, Sergei


Kevin Dong wrote:
> Hi,
> 
> Thank you for your answer. I just want to confirm if the menu.xml supports
> the other characters. 
> 
> For Chinese GB translation, I have sent an email to Michael. We will finish
> the translation before 29 Feb. 
> 
> 
> -Kevin Dong
>>>  
>>> ДT-Фv+
>>> cmd=setLanguage;lang=zh_CN;charset=UTF-8
>>> top
>>> 





___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
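
Sergei's point 2 above (a file that declares UTF-8 must not carry GB2312 bytes) can be checked mechanically before a translation is submitted. The script below is an added example, not part of the original thread or of OpenCA; the element names and file names in the sample files are constructed, and `iconv` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not OpenCA code. Checks that the bytes of an XML file
# really are in the encoding its XML declaration names.

# Print the encoding from the XML declaration on line 1 (XML default: UTF-8).
declared_encoding() {
    enc=$(head -n 1 "$1" | sed -n 's/.*encoding="\([^"]*\)".*/\1/p')
    printf '%s\n' "${enc:-UTF-8}"
}

# Succeed only if the whole file decodes cleanly as encoding $2.
decodes_as() {
    iconv -f "$2" -t UTF-8 "$1" >/dev/null 2>&1
}

# Print "ok" if the file matches its declaration, otherwise
# "mismatch:<encoding that does decode>" or "mismatch:unknown".
# Only multi-byte candidates are tried: a single-byte charset such as
# ISO-8859-1 accepts any byte string and would prove nothing.
check_xml_encoding() {
    if decodes_as "$1" "$(declared_encoding "$1")"; then
        echo ok
        return 0
    fi
    for guess in UTF-8 GB2312; do
        if decodes_as "$1" "$guess"; then
            echo "mismatch:$guess"
            return 0
        fi
    done
    echo "mismatch:unknown"
}

# Constructed sample input: the same two-character label written once as
# UTF-8 bytes and once as GB2312 bytes, both under a UTF-8 declaration.
# Octal escapes keep this script itself pure ASCII.
make_samples() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<item><name>\344\270\255\346\226\207</name></item>\n' \
        > "$1/menu_utf8.xml"
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<item><name>\326\320\316\304</name></item>\n' \
        > "$1/menu_gb2312.xml"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.xml; do
    printf '%s: %s\n' "${f##*/}" "$(check_xml_encoding "$f")"
done
rm -rf "$demo_dir"
```
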





RE: [Openca-Users] Chinese vs international

2006-01-19 Thread Kevin Dong
Hi,

Thank you for your answer. I just want to confirm if the menu.xml supports
the other characters. 

For Chinese GB translation, I have sent an email to Michael. We will finish
the translation before 29 Feb. 


-Kevin Dong

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sergei
Vyshenski
Sent: Monday, January 16, 2006 7:34 PM
To: openca-users@lists.sourceforge.net
Subject: [Openca-Users] Chinese vs international

1. If you want to see Chinese among languages supported by OpenCA,
then you have to submit your translation to Michael as "i18n" suggests.
In this case you have to obey general design approach of the system.

In particular, you have to understand, that if a non-chinese user
accidentally hits some menu and finds himself around Chinese, then he 
SHOULD have possibility to navigate away from Chinese. And this possibility
implies purely English names of languages in some menus.

2. If you want to hack OpenCA to your personal needs neglecting general 
design guidelines, then why do you bother OpenCA mailing list at all?

Sergei

Kejun Dong wrote:
> Hi,
> 
> I am so sorry for having not described the problem clearly.
> Now according to i18n file, we can deploy the Chinese in to OpenCA
> correctly. But in the language tab, all the characters is in English and now
> we want to modify the character "Chinese" into the Chinese character "中文".
> When we add the "中文" (The Chinese character of "Chinese") in the
> menu.xml file, it isn't coded right. Do you think about the problem
> before? Thanks a lot.
> 
> - Kevin Dong & Yihua Zheng
> **
> * Kevin Dong (T-©ф+Э)
> * Tel:+86-10-58812310  Fax:+86-10-58812306
> * Network Technology and Applications Research Laboratory
> * Computer Network Information Center
> * Chinese Academy of Sciences
> **
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sergei
> Vyshenski
> Sent: Sunday, January 15, 2006 5:18 AM
> To: openca-users@lists.sourceforge.net
> Subject: Re: [Openca-Users] help: A question about use chinese in menu.xml file
> 
> Have you read the file "i18n" from the root of the source distribution?
> 
> 
> жёрю│L wrote:
>> Hi,all
>> Yesterday we set up the openca system use openca-0.9.2.5 ,For our
>> need,We add the language chinese into this system.we translate the
>> openca.po to chinese and add the language chinese item just like below
>> shows:
>> 
>>  
>> 中文
>> cmd=setLanguage;lang=zh_CN;charset=UTF-8
>> top
>> 
>> 
>> restart the openca daemon,when I want to see the language item 中文,it
>> don't encoding right.
>> can you give me some advise for this problem.
>> thank you very much!
> 
> 
> 





[Openca-Users] Confusion over web form fields and associated cert fields (sorry for length)

2004-09-30 Thread Kevin
Hi List-

I'm finding myself getting confused about which OpenCA web form fields
are associated with which certificate fields as I request a certificate
using OpenCA.

For example, I just finished requesting a new certificate using the
Basic Certificate Request web form (/pub-->User-->Request a
Certificate-->Basic Certificate Request).  Then I approved it, moved it
up to the CA, issued the cert, moved it back down to the RA, then picked
up the new cert and examined the web form fields in the request and
compared them to the cert fields.

Here's what I saw:

When requesting pki-last.crt, the following fields were as follows:
==(initial web form with empty fields)=
Basic Certificate Request
Please enter your data in the following form.
Certificate Data
E-Mail  
Name
Certificate Request Group   
alternative email   
IP address  
DNS name
DNS name
User Data
Name (first and Last name)  
Email   
Department  
Telephone   
Level Of Assurance chose the LOA you would like to be authenticated against.
Role
Registration Authority chose the RA where you will be authenticated.
PIN [used to verify the certification request, min 10 chars (please write
it down for later usage)]
Re-type your PIN for confirmation
Choose a keysize

==form filled out and submitted gives


Confirm Certificate Request
Following are listed data received. Please check carefully information here
reported with the ones in your possession.
Certificate Data
E-Mail                      [EMAIL PROTECTED]
Name                        Two Two
Certificate Request Group   Partners
alternative email           [EMAIL PROTECTED]
IP address                  001.002.003.004
DNS name                    five.five.com
DNS name                    six.six.com
User Data
Name (first and Last name)  Seven Seven
Email                       [EMAIL PROTECTED]
Department                  Nine
Telephone                   101.101-1010
Level Of Assurance (LOA)    basic
Role                        Mail Server
Registration Authority      Help Desk 1
Keysize                     1024


finalizing request, I get==


Thank you for requesting your certificate from our organization, your
request with the serial 3360 it's been successfully archived and it is now
waiting for approval by any of our Registration Authorities (if you are
unsure about the receiving of your request by this server, you can check
the list of new requests).
To complete the certification process you have to go to one of our
Registration Authority office with one of the following documents: o ID
card or passport. o Documnetation asserting your role and authorization for
requesting a certificate for your organization. If you still have doubts
about the issuing process, just use the links provided in the Information
section to learn how to complete all the needed steps.

ADDITIONAL_ATTRIBUTE_DEPARTMENT   Nine
ADDITIONAL_ATTRIBUTE_EMAIL        [EMAIL PROTECTED]
ADDITIONAL_ATTRIBUTE_REQUESTERCN  Seven Seven
ADDITIONAL_ATTRIBUTE_TELEPHONE    101.101-1010
LOA                               30
NOTBEFORE                         Thu Sep 30 17:38:43 2004 UTC
PIN                               ef5ceda7b90da75595bb5ec156084140a39d80ef
RA                                Help Desk 1
ROLE                              Mail Server
SERIAL                            3360
SUBJECT_ALT_NAME                  email: [EMAIL PROTECTED],IP: 001.002.003.004,DNS: five.five.com,DNS: six.six.com
TYPE                              PKCS#10



==


And the certificate itself looks like this:


==

bash-2.05b$ openssl x509 -noout -text -in pki-last.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Folkvang Certification Services,
OU=Certification Services, CN=Kevin Ford/[EMAIL PROTECTED]
        Validity
            Not Before: Sep 30 17:48:17 2004 GMT
            Not After : Sep 30 17:48:17 2005 GMT
        Subject: C=US, O=Folkvang Certification Services, OU=Partners,
CN=Two Two/serialNumber=10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:9f:72:24:73:5a:a2:64:05:01:dc:ab:14:b9:1c:
                    7a:1b:e9:35:7d:0b:d5:b9:ed:4f:5c:22:ab:bd:31:
                    04:6c:c0:f9:78:02:9b:96:fa:c5:01:09:5b:f5:a7:
                    fd:1b:5a:d2:8e:38:8a:b4:f2:c9:0d:a5:be:23:08:
                    72:ba:96:f8:39:f5:2c:06:c5:70:9c:a8:4a:f1:8c:
                    e6:4d:fd:bf:89:62:3f:60:9f:28:c5:57:5d:d8:d1:
                    24:b5:7d:c6:15:7f:64:fd:b9:6c:59:75:ad:87:16:
                    23:cc:3c:14:52:d8:da:7a:72:99:68:ad:ec:f3:47:
                    ac:8b:40:c4:0b:23:0f:18:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.2.3.3.4
                Policy: 1.2.3.3.5
                Policy: 1.2.3.3.6
  

RE: [Openca-Users] STILL... OpenCA not sending email messages forCSRs

2004-09-28 Thread Kevin
On Tue, 2004-09-28 at 14:24, Til Obes wrote:
> > At what point in the process are your mails getting sent, 
> > Til?  Is it as
> > a part of the dataexchange process?
> > 
> 
> When i import the data on the ra.

Huh... Wonder why I'm not seeing that...

> After changing the config.xml value, have you run configure_etc.sh?

Yes.

> And restarted the daemon?

Yes.

I even revised config.xml again subsequently (to remove the "-n" option
on sendmail) and then reran configure_etc.sh and then restarted the
daemons, and I saw the impact of that change (/var/log/messages recorded
fatal errors when running sendmail -n before, and after revising
config.xml and running configure_etc.sh and restarting daemons, sendmail
runs with no -n and no errors).  But still (even after this second
revision of config.xml), I only get mails when I ask for them; not
automatically upon import of the data on the RA.  And then they come
from the CA---not the RA.  This seems backwards.  The CA would normally
be off-line and unable to send mail.

Thanks, Til.

Anyone else have any ideas?

-Kevin





RE: [Openca-Users] STILL... OpenCA not sending email messages for CSRs

2004-09-28 Thread Kevin
On Mon, 2004-09-27 at 13:52, Til Obes wrote:

> Didn't find new mails. Hmm, I don't know what that means.
> Hmm list, what was changed at the email sending thing?
> How do you know what num of email to send now?
> 
> Regards til
> 
> Ps: my emails are getting sent. So it's obviously a config fault

At what point in the process are your mails getting sent, Til?  Is it as
a part of the dataexchange process?

With additional troubleshooting, I also see the following noteworthy
output.

When I follow the link in /ra-node:
Utilities-->E-Mail new users
I get:
Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Sending the Certificate-Information-Mails ...
Didn't find new mails. No mails send!
 Sending the PIN-Mails ...
Didn't find new mails. No mails send!


When I follow the link in /ra-node:
Utilities-->Send a CRIN-mail
You need to enter some additional parameters for the requested
functionality. 

Please enter the number of a mail to send a special mail or enter
nothing to send all new mails.

(I enter nothing to send all)
I get:
Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Sending the Certificate-Information-Mails ...
Didn't find new mails. No mails send!
 Sending the PIN-Mails ...
Didn't find new mails. No mails send!


When I follow the link in /ra-node:
Utilities-->Send a CRIN-mail
You need to enter some additional parameters for the requested
functionality. 

Please enter the number of a mail to send a special mail or enter
nothing to send all new mails.

(I enter 8 because I see a message 8.msg in the directory
/usr/local/openca/OpenCA/var/mail/crins/)
I get:
Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Try to send CRIN-mail 8 ...FAILED.
 
Unkown error.



When I look in /usr/local/open[cr]a/OpenCA/var/mail/crins/
I see:


ls /usr/local/openca/OpenCA/var/mail/crins/
1.msg  2.msg  3.msg  4.msg  5.msg  6.msg  7.msg  8.msg  mailcounter

cat /usr/local/openca/OpenCA/var/mail/crins/mailcounter
1

ls /usr/local/openra/OpenCA/var/mail/crins/
mailcounter  serials.dmb

cat /usr/local/openra/OpenCA/var/mail/crins/mailcounter
1

Should the *.msg files in /usr/local/openca/OpenCA/var/mail/crins be
showing up in /usr/local/openra/OpenCA/var/mail/crins  ???

When I use the first link above (Utilities-->E-Mail new users) but doing
so from the /ca-node URL (vice the ra-node URL), I get the following:

Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Sending the Certificate-Information-Mails ...
send mail /usr/local/openca/OpenCA/var/mail/default/1.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/2.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/3.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/4.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/5.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/6.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/7.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/8.msg successful 
 Sending the PIN-Mails ...
send mail /usr/local/openca/OpenCA/var/mail/crins/1.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/2.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/3.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/4.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/5.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/6.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/7.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/8.msg successful 

and I also see postfix/sendmail getting invoked in the /var/log/messages
file, and I see the messages properly delivered to the users' inboxes...

However...

Shouldn't the RA be sending these emails (not the CA)?  After all, the
CA is supposedly off-line, right?  And the RA would typically be
on-line?  Is this the way OpenCA is designed to work (CA sending mail
vice RA) or have I mixed up my configuration somehow?  And am I missing
the meaning of the config.xml option:

send_mail_automatic
yes


With this set as above, should the mails be sent automatically (without
having to follow the Utilities-->E-Mail new users link)?

BTW, this send command initially failed for me because the default
sendmail command in config.xml is:

sendmail
/usr/lib/sendmail -n -t 


and postfix has no -n option.  According to the man page, it is ignored,
but when I tried it, there were many failed attempts to invoke it with
-n and fatal errors logged in /var/log/message so I removed the -n and
then got the above behavior.

-Kevin





RE: [Openca-Users] OpenCA not sending email messages for CSRs

2004-09-27 Thread Kevin
BTW, how do I read the email message that would (apparently) be sent?

I see from examining the dataexchange import/export messages the
filename of the email message that (apparently) would be sent, and I can
read it with cat or less, but when I decode the mime with munpack, I get
a binary smime.p7m file.  It looks like this must be decoded with the
certificate itself.  Is that true?  I presume the CRIN is encoded in
this message then?  So I have to figure out why the message is not being
mailed, and also must use an S/MIME aware email client once I resolve
the first problem.  True?  Just want to make sure.

-Kevin






RE: [Openca-Users] OpenCA not sending email messages for CSRs

2004-09-26 Thread Kevin
On Sat, 2004-09-25 at 04:55, Til Obes wrote:
>  > I have the
> > default settings in config.xml for:
> > 
> > sendmail
> > /usr/lib/sendmail -n -t 
> > 
> > 
> > I've tested mailing messages from the command line with:
> > "mail -s testSubject [EMAIL PROTECTED] < 
> > filename.txt" on the
> > computer running openca and it works.
> > 
> > Any ideas?
> 
> Some lines later in the config.xml, there are 2 config options.
> Ca mail account and sendmail automatic
> regards til

I changed these settings from the default to what you see below and
still no email gets sent.  Just to make sure I wasn't missing something,
I also mailed something using this machine's sendmail binary (with the
command-line /bin/mail client) and then I grepped my mail log.  I found
only those messages that were sent from the command-line; none that were
sent in association with OpenCA certificate generation.  I requested a
new cert, approved it, issued it, and picked it up.  No email messages
were sent.

The settings now read:

sendmail
/usr/lib/sendmail -n -t 


send_mail_automatic
yes


service_mail_account
[EMAIL PROTECTED]


I made the changes to config.xml, stopped the openca servers in each
directory, then reran configure_etc.sh in OpenCA/open[cr]a/etc after
making these changes to config.xml (in each directory), and then
restarted the openca servers in each directory before requesting the new
certificate.

What am I missing?

-Kevin






RE: [Openca-Users] OpenCA not sending email messages for CSRs

2004-09-26 Thread Kevin
On Sat, 2004-09-25 at 04:55, Til Obes wrote:
>  > I have the
> > default settings in config.xml for:
> > 
> > sendmail
> > /usr/lib/sendmail -n -t 
> > 
> > 
> > I've tested mailing messages from the command line with:
> > "mail -s testSubject [EMAIL PROTECTED] < 
> > filename.txt" on the
> > computer running openca and it works.
> > 
> > Any ideas?
> 
> Some lines later in the config.xml, there are 2 config options.
> Ca mail account and sendmail automatic
> regards til
> 

Thanks, Til.

You mean these, right?


send_mail_automatic
no


service_mail_account
[EMAIL PROTECTED]



Thanks for mentioning these, Til.  I wasn't sure exactly what the guide
was referring to in Chapter 1, Section 4.1.1 when it said, "The option
send_mail_automatic configures the node interface. If the value is YES
then OpenCA sends all incoming mails during an import automatically.
This can be nice but it is dangerous too if you make a mistake."  Since
the guide mentioned that it can be dangerous, I left it off until I was
sure I understood it.  I didn't realize it was referring to the email
messages that I asked about in this thread.

Thanks.

-Kevin






[Openca-Users] OpenCA not sending email messages for CSRs

2004-09-24 Thread Kevin
Hi List-

Chapter 3 of the OpenCA Guide, Section 1.2.1 reads in part:

"Once the user has requested their certificate the Certificate Authority
will process the certificate request. This may involve a face to face
identification of the user at the Trust Center. When the certificate has
been created the user will be informed by email. This email will also
include a Certificate Revocation Number (CRIN), this number should be
kept in a safe place as it will be required if the user to needs to
revoke their own certificate in the future."

Using RC6 on Gentoo Linux, I've requested 6 certificates thus far with
my test OpenCA installation and issued them all.  Now I'd like to revoke
one of them.

But the problem is, I never received any emails from the OpenCA server
at any of the (all valid) email addresses that I used in requesting the
certs.

Questions:

1) Is there another way to get this CRIN so I can revoke the cert?

2) Why didn't the OpenCA server send out any email messages to the
addresses given in my CSRs?  How do I fix this?  I have postfix
installed, and /usr/lib/sendmail does exist (from postfix).  I have the
default settings in config.xml for:

sendmail
/usr/lib/sendmail -n -t 


I've tested mailing messages from the command line with:
"mail -s testSubject [EMAIL PROTECTED] < filename.txt" on the
computer running openca and it works.

Any ideas?

-Kevin






Re: [Openca-Users] Root CA certificate is not a signing certificate?

2004-09-24 Thread Kevin
On Fri, 2004-09-24 at 03:22, Michael Bell wrote:
> > Shouldn't my first cert have basicConstraints CA:true instead of
> > CA:FALSE?
> 
> I think you are a little bit confused.

You're right.  I was.  Thanks for clearing that up.  :-)

> 
> 1. A root CA certificate is the self-signed certificate of the CA. This 
> certificate only signs other certificates and CRLs. CA:FALSE shows me 
> that you try to download a normal certificate. You must import the CA 
> certificate as signer (CA) certificate.
> 
> 2. The first certificate is the first certificate signed by the CA. this 
> certificate must have CA::FALSE because it is usually not the 
> certificate of sub CA.

Yesterday, I used the /pub page, chose Certificates, and then chose
Valid and downloaded all 6 certificates that I've generated with this
installation of OpenCA going by certificate serial numbers.

After reading your reply, I looked for other methods to get the root CA
certificate as a signer and this time used the CA Infos and Get CA
Certificate links and when I examine this certificate, it does have
CA:TRUE, and I see that the serial number for this root CA certificate
is serial number 0 (which was not present in the list of certificates
that I generated with the previous method---probably by design, I
guess).

I was thinking that the certificate with serial number 1 was the signer,
but now I see that it is serial number 0.

Thanks for clearing that up, Michael.

-Kevin
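
As an added example (not from the thread or from OpenCA), the script below builds a throwaway test PKI with `openssl` and shows the distinction Michael describes: the self-signed root carries CA:TRUE, the first issued certificate carries CA:FALSE, and a chain that runs through the CA:FALSE certificate does not verify. File names, subject names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenCA code. Everything generated here is throwaway
# test material; subject names and file names are constructed.

# new_csr DIR NAME SUBJECT: fresh RSA key plus certificate request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "$3" -config "$1/ext.cnf" 2>/dev/null
}

# sign_csr DIR NAME ISSUER_CERT ISSUER_KEY SERIAL: issue NAME.crt, CA:FALSE.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$3" -CAkey "$4" -set_serial "$5" \
        -days 2 -extfile "$1/ext.cnf" -extensions v3_ee \
        -out "$1/$2.crt" 2>/dev/null
}

# Build a tiny test PKI in directory $1:
#   0.crt  self-signed root, CA:TRUE (serial 0)
#   1.crt  first certificate issued by the root, CA:FALSE (serial 1)
#   2.crt  signed with 1.crt's key, to show what CA:FALSE prevents
make_test_pki() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:true
[v3_ee]
basicConstraints = CA:false
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/0.key" \
        -out "$d/0.crt" -subj "/CN=Constructed Test Root CA" -days 2 \
        -set_serial 0 -config "$d/ext.cnf" -extensions v3_ca \
        2>/dev/null || return 1
    new_csr "$d" 1 "/CN=Constructed Test User" || return 1
    sign_csr "$d" 1 "$d/0.crt" "$d/0.key" 1 || return 1
    new_csr "$d" 2 "/CN=Issued By Non-CA" || return 1
    sign_csr "$d" 2 "$d/1.crt" "$d/1.key" 2 || return 1
}

# Classify a PEM certificate as root-ca, sub-ca or end-entity.
# "root-ca" here means CA:TRUE and self-issued (subject name = issuer name).
cert_role() {
    if openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
             "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
            echo root-ca
        else
            echo sub-ca
        fi
    else
        echo end-entity
    fi
}

# verifies ROOT LEAF [INTERMEDIATE]: succeed only if the chain validates.
verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
    fi
}

# Demo run.
demo_dir=$(mktemp -d)
if make_test_pki "$demo_dir"; then
    for n in 0 1; do
        printf '%s.crt: %s\n' "$n" "$(cert_role "$demo_dir/$n.crt")"
    done
    verifies "$demo_dir/0.crt" "$demo_dir/1.crt" &&
        echo "1.crt verifies under root 0.crt"
    verifies "$demo_dir/0.crt" "$demo_dir/2.crt" "$demo_dir/1.crt" ||
        echo "2.crt rejected: its issuer 1.crt is not a CA"
fi
rm -rf "$demo_dir"
```
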






[Openca-Users] Root CA certificate is not a signing certificate?

2004-09-23 Thread Kevin
Hi List-

I recently set up RC6 more or less according to Kevin Mitcham's cookbook
as a two-interface (RA and CA) system on one computer.

I've been generating client certificates and learning more about the
software, but I've tried importing the root CA certificate (the first
cert generated in the cookbook) into a web browser as a signing
certificate and it was refused with the error, "...not a signer..."

When I look at the cert with:
openssl x509 -noout -text -in 1.crt

I see:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE

However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2.
Configuration:

"You must care about three configurationfiles and -directories
etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles.
The first file contains the configuration for the CA. This means the
file is used for the generation of the initial CA-CSR, the selfsigned
certificate (if you setup a Root CA) and the CRLs."

and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc
directories), I see this:

===
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
default_md              = sha1
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca   # The extentions to
                                  # add to the self signed
...
[ v3_ca]

# Extensions for a typical CA

# It's a CA certificate
basicConstraints = critical, CA:true
===

Shouldn't my first cert have basicConstraints CA:true instead of
CA:FALSE?

TIA.

-Kevin






Re: [Openca-Users] Building from CVS sources: no config.xml?

2004-09-22 Thread Kevin
On Tue, 2004-09-21 at 13:52, Rosa Suárez wrote:
> Hi list,
>I've been trying to install openca-0.9.1-10.tar.gz but it happens
> to me the same.
> I dont get config files at etc. I removed etc and re-installed, but it
> didnt work at all. Any suggestions?
> 
> Thanks

I'd suggest that you upgrade to RC6.  I just installed it yesterday
according to the guidance in
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html and although I had a 
couple of problems based on those instructions, I did manage to get it working and RC6 
definitely does not suffer from the problem you describe here.

-Kevin






Re: [Openca-Users] rc6 install. Errors immediately in xml_cache.log

2004-09-21 Thread Kevin
On Tue, 2004-09-21 at 12:29, Ed Eden wrote:
> 
> 
> >I don't get it? Fresh install of RC6 and I get the following in the 
> >xml_cache.log

Ed, I just installed RC6 on Gentoo Linux following the guidance at
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html (which I found to be almost 
completely workable), and seem to have everything working.  I just generated my first 
client certificate a couple of hours ago.

Perhaps you could provide more information about exactly what you have
done and about what the problem is.  What exactly is it that you are
trying to do that generates the error?  If you do, then I may be able to
help.

-Kevin






[Openca-Users] Success! (was: Two-interface setup: problem with Import Configuration step)

2004-09-21 Thread Kevin
Hi Til and Damon-

Many thanks for your replies!

I finally made it all the way through Kevin Mitcham's OpenCA Cookbook at
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html

In doing so, I think I discovered a few mistakes, and in the near
future, I'll be documenting those in some form or another.

What would be the best way to do this?  Should I generate my own
cookbook modeled after his but including the steps that I found to be
necessary which were not included in his cookbook?  Then post this
document to the list?  Would that be best or something different?

It turns out that my original problem as reported in this thread came
about because Kevin apparently left out the step to export the
configuration, and Damon explained how to do this.  Once I did that,
following the rest of Kevin's cookbook worked fine.

With an operational two-interface setup with both CA and RA running in
different directories on one Gentoo Linux box, I think I'll be much
better able to learn all the concepts involved with operating a CA.

It is now my intent to read through the entire guide again with extra
special attention this time to the concepts part and to actually use the
software simultaneously and thus hopefully improve my understanding of
everything in the process.

Ultimately, I plan to set myself up similarly to what Damon described
for himself (two computers, one running the RA functions and connected,
the other running CA functions and disconnected) with OpenBSD as the OS
for both computers.  I tried a two-interface setup on one OpenBSD box
already and was stymied by a couple of things but perhaps with a better
understanding from experimenting with a working OpenCA installation,
I'll have better success next time.

To Michael Bell: many thanks to you for your frequent assistance to me
and for making the changes in the code that were apparently necessary
for proper installation and operation on OpenBSD.

Thank you List!

-Kevin






RE: [Openca-Users] Two-interface setup: problem with Import Configuration step

2004-09-20 Thread Kevin
On Mon, 2004-09-20 at 00:32, Til Obes wrote:
> > I suppose that some of the initialization steps may have depended upon
> > those values being set correctly.  What are the implications if they
> > were not set correctly during those first init steps?  Must I redo
> > everything?
> > 
> > It looks from the error message in the browser that there should
> > already be a /usr/local/openra/OpenCA/var/tmp/ca-down file (or perhaps
> > one in /usr/local/openca/OpenCA/var/tmp), but I find no ca-* or ra-*
> > files in either /usr/local/open[rc]a/OpenCA/var/tmp.  At what 
> > step is this archive
> > created during the initialization?
> > 
> > The OpenCA guide doesn't go into very much detail on these issues.
> > 
> > Can anyone offer a bit of configuration help?
> > 
> 
> Normally the backup device is a floppy disc or zip disc.

Thanks for your reply, Til, but I'm not sure that I understand.  Please
pardon my questions (that are probably dumb questions due to my lack of
experience with OpenCA):

What do you mean by "backup device"?  I was talking about these devices:
  dataexchange_device_up
  dataexchange_device_down
  dataexchange_device_local

Is one of these the "backup device"?

For a two-interface setup, Kevin Mitcham writes to change the default
settings as follows (in
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html):

=
modify the config.xml for the ra (located in
/usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:  < he's apparently writing about changes to the
   /usr/local/openca/openca/etc/config.xml file
   as opposed to openra/openca/etc/config.xml.
...
 
(these might not be in config.xml; if not, see below)
  dataexchange_device_up
  /usr/local/openca/openca/var/tmp/ca-up


  dataexchange_device_down
  /usr/local/openca/openca/var/tmp/ca-down


  dataexchange_device_local
  /usr/local/openra/openca/var/tmp/ra-local


if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"


line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
...
=

Is that incorrect?

> So the entry looks like /floppy or /dev/hda4/openca/export

Again, not sure I follow.  Should it be /dev/fd0?  Or the mount point
for /dev/fd0?  Or the mount point of some HDD partition (say,
/mnt/testing mounted at /dev/hda4 in linux) followed by a path on that
partition?

Should the entries be identical for the config.xml files in both
/usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc?  Or
should they be different?

Kevin seems to be writing about changing
/usr/local/openca/OpenCA/etc/config.xml
   *^
when he says to change the dataexchange_device_local to
/usr/local/openra/openca/var/tmp/ra-local so I figured that this device
should be set identically in both openca and openra config.xml files. 
Is that incorrect?


> For testing you should enter at all entries at your side

I'm sorry.  Again, I'm not sure which entries you're referring to here. 
The three devices above?  Or what you mean by, "at your side."

> /tmp/openca/export (must be writeable by web server)

So, for both config.xml files, set all three (total of 6 devices: 2
files each with three devices?) to the same file (in say the /tmp
directory---or wherever the web server user can write to)?

> for example. Then you export the conf of the ca and the import on ra.
> That should work then ;)
> 

Kevin's cookbook never says to export the configuration of the ca
(unless I missed it?).  How do I do that?

In the guide, I see this:

1.1.5. Final setup


 The last steps can also be done on the interface for the nodemanagement
but it is a good idea to do it during the initialization to get a
consistent state. The rebuild of the CA chain is necessary to verify
digital signatures correctly. If you want to setup a sub CA then you
must add all CA certificates of the CA chain in PEM format to the
directory OPENCADIR/var/crypto/chain/ before you rebuild the chain. 


The really last step is the export of the configuration to the online
server(s). The most OpenCA users ignore this step and hand

[Openca-Users] Two-interface setup: problem with Import Configuration step

2004-09-19 Thread Kevin
Hi List-

I'm very happy to report that I am farther along in Kevin Mitcham's
cookbook than I've ever been before.  My real goal is to get a
two-interface setup going on an OpenBSD 3.5 box, but I was running into
so many problems (with chroot and accessing syslog device et al.) that
I decided to try with a Linux box first (RC6).  This is a newly built
Gentoo system, and I've worked my way through all of Kevin Mitcham's
cookbook with successful results at each step except for when I get to
here:

==
...initialize the RA database
http://myhost.wherever.edu/ra-node
Admin->Server Init, initialize DB
Admin->Server Init, Import Configuration
==

When I was modifying config.xml in the open[rc]a/OpenCA/etc directories
I wasn't quite sure how to handle this part of the instructions from
Kevin's cookbook:

==
 
(these might not be in config.xml; if not, see below)
  dataexchange_device_up
  /usr/local/openca/openca/var/tmp/ca-up


  dataexchange_device_down
  /usr/local/openca/openca/var/tmp/ca-down


  dataexchange_device_local
  /usr/local/openra/openca/var/tmp/ra-local


if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"


line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
==

In particular, Kevin goes into detail with modifying only the
openca/OpenCA/etc/config.xml file; not so for
openra/OpenCA/etc/config.xml.

I assumed that this last note that he writes, "ra IMPORT UP DEVICE
should be the exact same file as the CA IMPORT_DOWN_DEVICE" should apply
equally to the config.xml files (although he is writing in particular
about the template files when he says this).

Could someone tell me how these lines should look in my
open[rc]a/OpenCA/etc/config.xml files?  Or perhaps even better, share
with me a complete copy of working config.xml files for a two-interface
system (ideally based on Kevin's cookbook, but if not that's ok too)?

  dataexchange_device_up
  /usr/local/openca/openca/var/tmp/ca-up


  dataexchange_device_down
  /usr/local/openca/openca/var/tmp/ca-down


  dataexchange_device_local
  /usr/local/openra/openca/var/tmp/ra-local

The problem that I have encountered at the Import Configuration
step of initializing the RA database seems very likely to be related
to my improper settings for these lines because the error message in
the browser window is:

===
  Importing the configuration from a higher level of the hierarchy ...
(Please wait until operation completes)


Test the archive ...
/bin/tar -tvf /usr/local/openra/OpenCA/var/tmp/ca-down
FAILED


Testing archive failed!

512
===

My initial configuration for these up and down devices was this:

ares etc # cat /usr/local/openca/OpenCA/etc/config.xml|grep -C 2 dataexchange_device


  dataexchange_device_up
  /usr/local/openca/OpenCA/var/tmp/ca-up


  dataexchange_device_down
  /usr/local/openca/OpenCA/var/tmp/ca-down


  dataexchange_device_local
  /usr/local/openra/OpenCA/var/tmp/ra-local

ares etc # cat /usr/local/openra/OpenCA/etc/config.xml|grep -C 2 dataexchange_device


  dataexchange_device_up
  /usr/local/openra/OpenCA/var/tmp/ca-up


  dataexchange_device_down
  /usr/local/openra/OpenCA/var/tmp/ca-down


  dataexchange_device_local
  /usr/local/openra/OpenCA/var/tmp/ra-local



Then based on Kevin's comment, I changed it to this (and naturally reran the
magic configure_etc.sh scripts and ran the openca_stop/start scripts):
ares etc # cat /usr/local/openra/OpenCA/etc/config.xml|grep -C 2 dataexchange_device


  dataexchange_device_up
  /usr/local/openra/OpenCA/var/tmp/ca-down


  dataexchange_device_down
  /usr/local/openra/OpenCA/var/tmp/ca-up


  dataexchange_device_local
  /usr/local/openra/OpenCA/var/tmp/ra-local

ares etc # cat /usr/local/openca/OpenCA/etc/config.xml|gr
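
A pre-flight check for the Import Configuration failure described in this message, as an added example that is not part of the original post or of OpenCA. It assumes config.xml stores each option as a `<name>` line followed by a `<value>` line (the archive stripped the tags); the function names and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for the "Import Configuration" step in a
# two-interface OpenCA setup.
# Assumption: config.xml stores each setting as a <name>...</name> line
# followed by a <value>...</value> line; the list archive stripped the tags.

# Print the value configured for option $2 in config file $1.
get_device() {
    awk -v want="$2" '
        /<name>/ {
            n = $0
            sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n)
            found = (n == want)
        }
        found && /<value>/ {
            v = $0
            sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v)
            print v
            exit
        }
    ' "$1"
}

# check_exchange CA_CONFIG RA_CONFIG
# Returns 0 = ready to import, 1 = the RA does not read the file the CA
# writes, 2 = nothing exported yet, 3 = file is not a readable tar archive.
check_exchange() {
    ca_down=$(get_device "$1" dataexchange_device_down)
    ra_up=$(get_device "$2" dataexchange_device_up)
    echo "CA dataexchange_device_down: $ca_down"
    echo "RA dataexchange_device_up:   $ra_up"
    if [ -z "$ca_down" ] || [ "$ca_down" != "$ra_up" ]; then
        echo "MISMATCH: the RA import would not read what the CA exports"
        return 1
    fi
    if [ ! -e "$ra_up" ]; then
        echo "MISSING: $ra_up does not exist; export the configuration on the CA first"
        return 2
    fi
    # Same test the import page runs (tar -tvf), without the listing.
    if ! tar -tf "$ra_up" >/dev/null 2>&1; then
        echo "INVALID: $ra_up is not a readable tar archive"
        return 3
    fi
    echo "OK: $ra_up can be imported"
}

# Write a constructed config file: $1 = file, $2 = up, $3 = down, $4 = local.
write_cfg() {
    cat > "$1" <<EOF
<openca>
  <option>
    <name>dataexchange_device_up</name>
    <value>$2</value>
  </option>
  <option>
    <name>dataexchange_device_down</name>
    <value>$3</value>
  </option>
  <option>
    <name>dataexchange_device_local</name>
    <value>$4</value>
  </option>
</openca>
EOF
}

# Constructed walk-through in a scratch directory. Echoes the four return
# codes: mismatched paths, no export yet, corrupt file, valid archive.
demo_exchange() {
    d=$(mktemp -d) || return 1
    write_cfg "$d/ca.xml" "$d/ca-up" "$d/ca-down" "$d/ra-local"
    # RA pointing into its own tree, as in the post: paths differ.
    write_cfg "$d/ra-bad.xml" "$d/ra/ca-down" "$d/ra/ca-up" "$d/ra-local"
    # RA following the cookbook: its up device is the CA's down device.
    write_cfg "$d/ra.xml" "$d/ca-down" "$d/ca-up" "$d/ra-local"
    r1=0; check_exchange "$d/ca.xml" "$d/ra-bad.xml" >/dev/null || r1=$?
    r2=0; check_exchange "$d/ca.xml" "$d/ra.xml" >/dev/null || r2=$?
    awk 'BEGIN { for (i = 0; i < 200; i++) print "not a tar archive" }' > "$d/ca-down"
    r3=0; check_exchange "$d/ca.xml" "$d/ra.xml" >/dev/null || r3=$?
    echo "exported configuration (constructed)" > "$d/payload.txt"
    (cd "$d" && tar -cf ca-down payload.txt)
    r4=0; check_exchange "$d/ca.xml" "$d/ra.xml" >/dev/null || r4=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

demo_exchange
```

Against a real installation, pass the CA and RA config.xml paths to `check_exchange` and run it as the web server user, since that is the account that must be able to read the exchange file.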

Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-17 Thread Kevin
On Fri, 2004-09-17 at 09:59, Michael Bell wrote:
> Kevin wrote:
> > I just installed RC6 on openbsd again, being very careful about
> > configure commands, using egcc (gcc 3.3.2), Makefile.global-vars, and
> > using gmake vice make.
> 
> Ok, good luck :)

I'd rather use CVS sources, but I'm not getting a config.xml file when I
do that (nor many others).  Should I just leave my installed RC6
directory structure in place and install CVS sources over that (thus,
hopefully preserving my config.xml file from RC6)?

> "man install" is your friend.
> 

:-) I did man install... How do you think I learned that OpenBSD install
has no -D option (or an analogue to it).  Just didn't completely
understand the -d option until I saw it in action... :-)

> > I'm at a loss here on how to proceed.  Reinstalling with the "-d" option
> > removed from the INSTALL options in Makefile.global-vars doesn't help
> > either.
> 
> If you look at the fresh CVS HEAD files then you will see that I removed 
> -D -c from Makefile.global-vars(.in).
> 

Right, and I'd like to use your changes, but as I said, something's
amiss in the config.xml area.  Apparently some others are seeing it
too.  Did you try installing with no pre-existing directory structure? 
If so, I don't understand why make install-online and make
install-offline are working for you (creating the config.xml file et
al.) and not for me...

Thanks again, Michael.

-Kevin






[Openca-Users] OpenBSD: Cannot write to syslogdevice; Chroot httpd issue?

2004-09-17 Thread Kevin
Hi List-

I'm still working my way through Kevin's cookbook and have succeeded at
these two steps (yeah!):

-use the browser to open a page on http://myhost.wherever.edu/openra
and you should get a page.
-Also check http://myhost.wherever.edu/ra-node


But when I visit this page:

Also check http://myhost.wherever.edu/pub

I get only:

Error addMessage failed for log slot sys_syslog (6511070). Cannot write
to syslogdevice.

General Error. 64510030.

In these tests, I tried running httpd both inside and outside of its
chroot environment (in the normal root environment) so I don't think
that's the problem.  Disk space is not a problem.

Any ideas?

Initially, when I tried running apache in its chroot environment, I got
other problems (after copying over files needed in chroot environment):

OpenCA Error: Server is not online or does not accept requests
(/usr/local/openra/OpenCA/var/tmp/openca_socket -
/usr/local/openra/OpenCA/var/tmp/openca_socket ).

This arises because the socket "openca_socket" was not copied over to
the chroot environment when I copied over the /usr/local/open[rc]a
directories.  To solve that problem, I modified the openca_start/stop
script in /var/www/usr/local/openra/OpenCA/etc to use directories in the
chroot environment, and that gets me the openca_socket socket, and it
solves the problem with this socket error above, but how do I get the
openca_xml_cache socket in /usr/local/openra/OpenCA/var/tmp?  Has anyone
else done this?



-Kevin






Re: [Openca-Users] OpenBSD: Unknown host new.host.name

2004-09-17 Thread Kevin
Hi List-

Please ignore this silly question.  I was up late and not thinking
clearly.  I never changed my httpd.conf file's default ServerName
setting in the SSL config section (new.host.name).

Sorry for the wasted bandwidth.

-Kevin






[Openca-Users] OpenBSD: Unknown host new.host.name

2004-09-16 Thread Kevin
Hi List-

I think I do have RC6 installed on OpenBSD now and think that I
configured it properly, but am having problems with https access.

In following Kevin Mitcham's cookbook, I've gone through these steps
(using gmake and egcc):

configure ra
make
make install-online
make distclean
configure ca
make
make install-offline
create and test mysql DB
edit apache httpd.conf (in OpenBSD this runs chrooted by default and I
copied over everything installed by OpenCA into the chroot environment)

edit ra and ca config.xml files (no changes necessary to
ca-node.xml.template or ca.xml.template or ra-node.xml.template or
ra.xml.template).

run the "magic script" configure_etc.sh
that script makes configuration files from the template(s)
then openca_start

But when I use the browser to open a page on
https://myhost.example.com/ra, I just get the following (exact copy of
what I'm seeing):

Unknown host new.host.name

No idea where this is coming from.  It's not in the index.html file
that the alias /ra points to, nor is it in the cgi script.
I do have correct SSL access to
the apache server (I can see the root document via https://...).

If I try http access I get:
Error Aborting connection - you are using a wrong security protocol (http).

General Error. 6251026.

I realize that this is due to the settings in ca-node.xml.template,
ca.xml.template, ra-node.xml.template, and ra.xml.template, and I'd
like to keep connections encrypted, so I've left those as is.

Any ideas where this is coming from and how to fix?

I get the same error whether I run apache chrooted or not.

Many thanks.

-Kevin






Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-16 Thread Kevin
Apparent temporary solution:

Remove the "-D" option from the INSTALL line of Makefile.global-vars
(don't replace it with -d), then you must mkdir the directory prefix to
the one file that install fails on in each of make install-online and
make install-offline and then run those make install-online and make
install-offline commands again, after creating the directory by hand.




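The workaround above, written out as a portable helper together with a check for the directories-instead-of-files symptom reported in this thread. This is an added example, not part of the original post or of OpenCA's Makefiles; the function names and the suffix list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. GNU "install -D SRC DEST" creates DEST's parent directories
# and then copies SRC to DEST. BSD install has no -D, and "-d" means "create
# the named directories", which is how config.xml ended up as a directory.

# Portable stand-in for "install -D -m MODE SRC DEST", using only mkdir -p
# and the -c/-m options that both GNU and BSD install accept.
install_D() {
    mode=$1 src=$2 dest=$3
    [ -f "$src" ] || { echo "install_D: $src is not a regular file" >&2; return 1; }
    if [ -d "$dest" ]; then
        # Refuse to copy *into* a directory left behind by "install -d".
        echo "install_D: $dest is a directory, remove it first" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")" || return 1
    install -c -m "$mode" "$src" "$dest"
}

# List entries under DIR that are directories although their names look like
# files. The suffix list is an assumption taken from the file names visible
# in the thread's listing; names without a suffix (openca_rc) are not caught.
find_misinstalled() {
    find "$1" -type d \( -name '*.xml' -o -name '*.sh' -o -name '*.template' \) -print | sort
}

# Constructed demo in a scratch directory: reproduce the symptom, detect it,
# repair it. Echoes "<bogus dirs before> <bogus dirs after> <file|dir>".
demo_install() {
    d=$(mktemp -d) || return 1
    echo '<openca/>' > "$d/config.xml.src"   # constructed sample file
    # With -d every operand is treated as a directory to create.
    install -d "$d/etc/config.xml" "$d/etc/log.xml"
    before=$(find_misinstalled "$d/etc" | wc -l)
    # Repair: remove the empty bogus directories, then install properly.
    find_misinstalled "$d/etc" | while read -r p; do rmdir "$p"; done
    install_D 644 "$d/config.xml.src" "$d/etc/config.xml" || return 1
    after=$(find_misinstalled "$d/etc" | wc -l)
    kind=dir; [ -f "$d/etc/config.xml" ] && kind=file
    rm -rf "$d"
    echo "$((before)) $((after)) $kind"
}

demo_install
```

On a PKI host, follow the repair with a review of the resulting modes and owners, since files such as token.xml and config.xml should not be writable by the web server user.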


[Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-16 Thread Kevin
I just installed RC6 on openbsd again, being very careful about
configure commands, using egcc (gcc 3.3.2), Makefile.global-vars, and
using gmake vice make.

This time, after the install-online and install-offline commands, I see
the following in the etc files:

/usr/local/openra/OpenCA/etc # ls -al /usr/local/openra/OpenCA/etc
total 84
drwxr-xr-x  21 www  www  512 Sep 16 20:10 .
drwxr-xr-x   5 root wheel  512 Sep 16 20:11 ..
drwxr-xr-x   7 www  www  512 Sep 16 20:13 access_control
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 backup.xml.template
drwxr-xr-x   6 www  www  512 Sep 16 20:10 bp
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 config.xml
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 configure_etc.sh
drwxr-xr-x   4 www  www  512 Sep 16 20:10 database
drwxr-xr-x   2 www  www  512 Sep 16 20:10 init.d
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 ldap.xml.template
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 loa.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 log.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 menu.xml.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 openca_rc
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 openca_start.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 openca_stop.template
drwxr-xr-x   7 www  www  512 Sep 16 20:10 openssl
drwxr-xr-x   6 www  www  512 Sep 16 20:10 rbac
drwxr-xr-x   2 www  www  512 Sep 16 20:10 scep
drwxr-xr-x   7 www  www  512 Sep 16 20:13 servers
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 token.xml
/usr/local/openra/OpenCA/etc # ls -al /usr/local/openca/OpenCA/etc
total 84
drwxr-xr-x  21 www  www  512 Sep 16 20:41 .
drwxr-xr-x   5 root wheel  512 Sep 16 20:42 ..
drwxr-xr-x   5 www  www  512 Sep 16 20:43 access_control
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 backup.xml.template
drwxr-xr-x   6 www  www  512 Sep 16 20:41 bp
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 config.xml
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 configure_etc.sh
drwxr-xr-x   4 www  www  512 Sep 16 20:41 database
drwxr-xr-x   2 www  www  512 Sep 16 20:41 init.d
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 ldap.xml.template
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 loa.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 log.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 menu.xml.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 openca_rc
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 openca_start.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 openca_stop.template
drwxr-xr-x   7 www  www  512 Sep 16 20:41 openssl
drwxr-xr-x   6 www  www  512 Sep 16 20:41 rbac
drwxr-xr-x   2 www  www  512 Sep 16 20:41 scep
drwxr-xr-x   5 www  www  512 Sep 16 20:43 servers
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 token.xml

Notice that config.xml and configure_etc.sh are directories!  Not
regular files!

In fact, every file in each of those directories is a subdirectory, not
a regular file.

I guess this must have happened because I replaced the "-D" option to
install in the Makefile.global-vars file with "-d".  I did this because
OpenBSD /usr/bin/install has no "-D" option.  And there is apparently no
analogue of that option at all in OpenBSD install.

Michael, you said that you got OpenCA to install on OpenBSD (apparently
using OpenBSD gcc (2.95) vice egcc (3.3?)), but did you manage to create
the node directory structures from scratch with these installs or did
the install steps just copy files into a directory structure that was
pre-existing?  If the former, how did you do it?  When I try it (without
the -d option to install), I get make install-online and make
install-offline failing with many errors about not being able to copy
files into non-existing directories (this is what -D does for you on
Linux, but as I said, there is no such option for OpenBSD install and -d
apparently just causes all files to be made into directories---also not
what I want).

I'm at a loss here on how to proceed.  Reinstalling with the "-d" option
removed from the INSTALL options in Makefile.global-vars doesn't help
either.

Anyone?

-Kevin






[Openca-Users] Building from CVS sources: no config.xml?

2004-09-16 Thread Kevin
Hi List-

Since Michael was kind enough to make some changes to improve
installation on OpenBSD systems, I'd like to use the most current
sources in building my test system.

So I rm -rf'd my /usr/local/open[rc]a directories and started over using
the CVS module openca-0.9.

The thing is, after ./configure and make and make install-online, I have
no config.xml file in /usr/local/openra/openca/etc.  Just to make sure
this wasn't an OpenBSD install problem, I tried the same thing with CVS
sources on a Gentoo Linux box and got the same result.  On Linux:

cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/openca login 
cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/openca co openca-0.9

./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=apache  \
 --with-httpd-group=apache  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=ares.folkvang.org  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --enable-ocspd  \
 --with-openldap-prefix=/usr/local/lib
make
make install-online

ares openca-0.9 # ls -al /usr/local/openra/openca/etc/
total 20
drwxr-xr-x  5 apache  apache  4096 Sep 16 18:40 .
drwxr-xr-x  5 apache  apache  4096 Sep 16 18:38 ..
drwxr-xr-x  2 _openca _openca 4096 Sep 16 18:40 access_control
drwxr-xr-x  3 apache  apache  4096 Sep 16 12:42 openssl
drwxr-xr-x  2 _openca apache  4096 Sep 16 18:40 servers

On OpenBSD:

./configure \
--with-engine=no \
--with-httpd-user=www \
--with-httpd-group=www \
--with-openca-user=_openca \
--with-openca-group=_openca \
--with-httpd-fs-prefix=/usr/local/openra/httpd \
--with-web-host=mandible.example.com \
--with-ca-organization="Certification Services" \
--with-ca-country=US \
--with-ca-locality="Rhode Island" \
--with-ldap-port=389 \
--with-ldap-root="cn=Manager,dc=example,dc=com" \
--with-ldap-root-pwd="secret" \
--with-module-prefix=/usr/local/openra/modules \
--with-openssl-prefix=/usr/local/ssl \
--with-openldap-prefix=/usr/local \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--prefix=/usr/local/openra \
--with-service-mail-account="[EMAIL PROTECTED]" \
--with-node-prefix=ra-node \
--with-hierarchy-level=ra
make
make install-online
/usr/local/src/OpenCA/openca-0.9 # ls -al /usr/local/openra/OpenCA/etc/
total 28
drwxr-xr-x  7 root  wheel  512 Sep 16 11:52 .
drwxr-xr-x  5 root  wheel  512 Sep 16 11:46 ..
drwxr-xr-x  7 root  wheel  512 Sep 16 11:48 access_control
drwxr-xr-x  2 www   www    512 Sep 16 11:52 bp
drwxr-xr-x  2 www   www    512 Sep 16 11:52 database
drwxr-xr-x  3 www   www    512 Sep 16 11:43 openssl
drwxr-xr-x  6 root  wheel  512 Sep 16 11:48 servers

When I did an RC6 install on Linux (same configure command), the content
of that directory was:

ares openca-0.9.2-RC6 # ls -al /usr/local/openra/openca/etc
total 180
drwxr-xr-x  10 apache  apache   4096 Sep 16 08:54 .
drwxr-xr-x   5 apache  apache   4096 Sep 16 08:54 ..
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:56 access_control
-rw-r--r--   1 _openca _openca  2665 Sep 16 08:54 backup.xml.template
drwxr-xr-x   3 apache  apache   4096 Sep 16 08:54 bp
-rw-r--r--   1 _openca _openca 29819 Sep 16 08:54 config.xml
-rwxr-xr-x   1 _openca _openca  1224 Sep 16 08:54 configure_etc.sh
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:54 database
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:54 init.d
-rw-r--r--   1 _openca _openca 24459 Sep 16 08:54 ldap.xml.template
-rw-r--r--   1 _openca _openca 10874 Sep 16 08:54 loa.xml
-rw-r--r--   1 _openca _openca   842 Sep 16 08:54 log.xml
-rw-r--r--   1 _openca _openca 31239 Sep 16 08:54 menu.xml.template
-rwxr-xr-x   1 _openca _openca   383 Sep 16 08:54 openca_rc
-rwxr-xr-x   1 _openca _openca  1893 Sep 16 08:54 openca_start.template
-rwxr-xr-x   1 _openca _openca   206 Sep 16 08:54 openca_stop.template
drwxr-xr-x   4 apache  apache   4096 Sep 16 08:54 openssl
drwxr-xr-x   3 apache  apache   4096 Sep 16 08:54 rbac
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:54 scep
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:56 servers
-rw-r--r--   1 _openca _openca 12399 Sep 16 08:54 token.xml

Shouldn't I have a config.xml and a configure_etc.sh (and others) as I
do here?  I do get these when I install RC6 in Linux, but not OpenBSD. 
I am working towards a single computer installation for both the online
and offline components as Kevin Mitcham writes about in his Cookbook.

Do I need to check out another module from CVS in addition to
openca-0.9?  Or has the configuration of OpenCA changed recently so as
not to use a config.xml file?

Thanks for any suggestions.

-Kevin





Re: [Openca-Users] 0.9.2-RC6 won't install on OpenBSD 3.5

2004-09-14 Thread Kevin
On Mon, 2004-09-13 at 07:12, Michael Bell wrote:
> Hi Kevin,
> 
> I don't use ocsp too but I checked the ocspd.
> 

Thank you Michael and Ives.  I decided that I don't really need ocsp
either.

However, I'm still having difficulties with installation on OBSD3.5.

The ./configure and make steps worked:

CPP=/usr/local/bin/ecpp CC=/usr/local/bin/egcc ./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=www  \
 --with-httpd-group=www  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=mandible  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --with-openldap-prefix=/usr/local/lib

make

But...

The first problem is that the "-D" option to install is not supported in
OpenBSD 3.5 /usr/bin/install.  After reading man install on a linux box,
I decided that it probably was not necessary since the "-d" option was
being called.  So I removed it from the definition of $INSTALL in
Makefile.global-vars (make install-online was failing with a complaint
about -D being unrecognized).

Unfortunately, I still cannot make install-online.

Now the problem is this:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # make install-online
installing common components because it is not a package build
make docssrc SUBTARGET=install-common
cd docs && make install-common
cd src && make install-common
make common SUBTARGET=install
cd common && make install
make etc lib var SUBTARGET=install
cd etc && make install
/usr/local/openra/openca/etc already exists, skipping configuration
cd lib && make install
make: don't know how to make /usr/local/openra/openca/lib/bp. Stop in
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/common/lib.
*** Error code 2

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common (line 22 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common (line 25 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 38 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 75 of Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 84 of Makefile).
=

It looks like these Makefiles have not been ported to OpenBSD, but I
thought the manual said that OpenCA had been successfully installed on
OBSD.

Has anyone on the list installed OpenCA on OpenBSD?  If so, have you
done so on release 3.5 of OBSD?  I would greatly appreciate any tips on
tweaking the Makefiles (and if any other tweaks are needed).

Thanks!

-Kevin






Re: [Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5

2004-09-12 Thread Kevin
On Sat, 2004-09-11 at 19:02, dalini wrote:
> Kevin wrote:
> > Hi All-
> > 
> > I'm not sure if I've found a bug in the code or if there is an
> > incompatibility, but can anyone comment on this?
> > 
> > i386/OpenBSD3.5 (most current)
> > /usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
> > Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
> > gcc version 2.95.3 20010125 (prerelease, propolice)
>^^
> 
> that's 'the problem' - it should compile with a newer gcc
> i haven't checked out what is the exact problem with 2.95 and
> apps.c but a newer gcc works with the code
> 

Thanks, dalini.  I installed lang/egcs from OBSD ports which gives me
gcc 3.3.2 and tried again.

This time I get a failure with a different message:


...
`openca-xml-cache/Makefile' is up to date.
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = "de_AT",
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
cd openca-sv && make
Making all in src
Making all in docs
cd scripts && make
cd web-interfaces && make
make batch ca ldap node pub ra scep
cd batch && make
cd ca && make
cd ldap && make
cd node && make
cd pub && make
cd ra && make
cd scep && make
cd ocspd && make
Making all in src
if /usr/local/bin/egcc -DPACKAGE_VERSION=\"0.5.1\\x0\"
-D_USE_SEMAPHORES=1 -I. -I. -I../include   -g -O2 -MT ocspd.o -MD
-MP -MF ".deps/ocspd.Tpo"  -c -o ocspd.o `test -f 'ocspd.c' || echo
'./'`ocspd.c;  then mv ".deps/ocspd.Tpo" ".deps/ocspd.Po";  else rm -f
".deps/ocspd.Tpo"; exit 1;  fi
In file included from ocspd.c:25:
general.h:38: error: redefinition of `union semun'
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd/src.
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd (line 301 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).


My configure command was:
CPP=/usr/local/bin/ecpp CC=/usr/local/bin/egcc ./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=www  \
 --with-httpd-group=www  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=mandible  \
 --enable-ocspd  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --with-openldap-prefix=/usr/local/lib

and then just a plain 'make'

The newly installed gcc is egcc with version:
/usr/local/src/OpenCA/openca-0.9.2-RC6 # /usr/local/bin/egcc -v
Reading specs from
/usr/local/lib/gcc-lib/i386-unknown-openbsd3.5/3.3.2/specs
Configured with:
/usr/ports/lang/egcs/stable/w-gcc-3.3.2/gcc-3.3.2/configure --verbose
--program-transform-name=s,^,e, --disable-nls --with-system-zlib
--enable-cpp --enable-languages=c,c++,f77,objc,java
--enable-sjlj-exceptions --with-gnu-as --with-gnu-ld --enable-shared
--prefix=/usr/local --sysconfdir=/etc
Thread model: single
gcc version 3.3.2

A newly built updatedb database shows only the following general.h files
on my system:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # locate general.h
/usr/include/dev/raidframe/rf_general.h
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd/src/general.h
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv/include/openca/general.h
/usr/src/sys/dev/raidframe/rf_general.h
/usr/src/usr.bin/tn3270/general/general.h

I see only one definition of union semun in that.  Is it defined
elsewhere in the OpenCA code?

Has anyone else built RC6 on an OBSD3.5 box?

TIA!

-Kevin
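
Added example, not part of the thread or of OpenCA's build system: `redefinition of 'union semun'` means a header included before line 38 of general.h already declares the type, which searching for files named general.h cannot reveal. The probe below asks the compiler whether `<sys/sem.h>` supplies the type (assumed here to be the header involved); `HAVE_UNION_SEMUN` is a hypothetical macro name that a guarded definition in general.h would test.

```shell
#!/bin/sh
# Added example: configure-style probe for "union semun".
# HAVE_UNION_SEMUN is a hypothetical macro name, not one taken from OpenCA.

# has_union_semun CC
#   0  <sys/sem.h> already defines union semun (a second definition is an error)
#   1  the type is incomplete, so the program has to define it itself
#   2  the probe could not run (no such compiler, no temp directory)
has_union_semun() {
    probe_cc=$1
    command -v "$probe_cc" >/dev/null 2>&1 || return 2
    probe_dir=$(mktemp -d) || return 2
    cat > "$probe_dir/conftest.c" <<'EOF'
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
int main(void) { union semun u; u.val = 0; return u.val; }
EOF
    probe_rc=1
    if "$probe_cc" -c "$probe_dir/conftest.c" -o "$probe_dir/conftest.o" 2>/dev/null; then
        probe_rc=0
    fi
    rm -rf "$probe_dir"
    return "$probe_rc"
}

# semun_cppflag CC: print the flag to add to CPPFLAGS (empty line if none is needed)
semun_cppflag() {
    flag_rc=0
    has_union_semun "$1" || flag_rc=$?
    case $flag_rc in
        0) echo "-DHAVE_UNION_SEMUN" ;;
        1) echo "" ;;
        *) echo "probe could not run with compiler '$1'" >&2; return 2 ;;
    esac
}

# The header would then guard its own copy:
#   #ifndef HAVE_UNION_SEMUN
#   union semun { int val; struct semid_ds *buf; unsigned short *array; };
#   #endif

semun_cppflag "${CC:-cc}" || true
```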






[Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5

2004-09-11 Thread Kevin
Hi All-

I'm not sure if I've found a bug in the code or if there is an
incompatibility, but can anyone comment on this?

i386/OpenBSD3.5 (most current)
/usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
gcc version 2.95.3 20010125 (prerelease, propolice)

Configure line from the Cookbook with a couple of additions:

./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=www  \
 --with-httpd-group=www  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=mandible  \
 --enable-ocspd  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --with-openssl-prefix=/usr/sbin/openssl\
 --with-openldap-prefix=/usr/local/lib

make fails with:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = "de_AT",
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = "de_AT",
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Manifying blib/man3/OpenCA::XML::Cache.3p
Use of uninitialized value in string eq at /usr/libdata/perl5/Pod/Man.pm
line 418.
Use of uninitialized value in string eq at /usr/libdata/perl5/Pod/Man.pm
line 419.
cd openca-sv && make
Making all in src
source='apps.c' object='apps.o' libtool=no  depfile='.deps/apps.Po'
tmpdepfile='.deps/apps.TPo'  depmode=gcc /bin/sh ../build/depcomp  gcc
-DPACKAGE_VERSION=\"1.0.1\\x0\" -I. -I. -I../include 
-I/usr/sbin/openssl/include -g -O2 -c `test -f 'apps.c' || echo
'./'`apps.c
apps.c: In function `load_engine':
apps.c:1036: syntax error before `*'
apps.c:1037: `e' undeclared (first use in this function)
apps.c:1037: (Each undeclared identifier is reported only once
apps.c:1037: for each function it appears in.)
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv/src.
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv (line 293
of Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).
/usr/local/src/OpenCA/openca-0.9.2-RC6 #

TIA.

-Kevin

PS. My perl is:
/usr/local/src/OpenCA/openca-0.9.2-RC6 # perl -v

This is perl, v5.8.2 built for i386-openbsd

Copyright 1987-2003, Larry Wall

Perl may be copied only under the terms of either the Artistic License
or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to
the
Internet, point your browser at http://www.perl.com/, the Perl Home
Page.








RE: [Openca-Users] Error 700 in attempting to initialize database

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 19:02, Tiller, Robert wrote:
> here is the config file for ca
> 
> 

Thanks, Robert.  I see a binary attachment named winmail.dat and when I
less through it, I see what looks like a ./configure line for openca
hidden in amongst a lot of binary stuff.  Should I take that to mean that
you think I should start over with this as a set of configure options to
use?  Thanks for your reply.

-Kevin






Re: [Openca-Users] Error 700 in attempting to initialize database

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 16:37, Ives Steglich wrote:
> Tiller, Robert wrote:
> > I don't know if this is the same error I had, but some earlier versions of
> > openca had a permission error on the db files.  Mainly DBM files not
> > SQL.  You might check the file permissions.
> >
> but this would not be good - I thought we solved those problems before 
> rc6... could be it was afterwards... but actually it shouldn't happen 
> anymore - at least with cvs ,o)
> 
> yes - check file permissions in var/db/ if it's not your 
> apacheuser:apachegroup just delete the files (there should be none 
> before initialization) or change the ownership to the apache stuff
> 

I have no files in /usr/local/open[cr]a/openca/var/db, and the ownership
of each directory itself is apacheuser:apachegroup.

Based on the error message, I was thinking that this error would be a
code problem, no?  Perhaps related to configuration?  But I'm really
without a clue.

I had to make some adjustments to the aliases that I used in httpd.conf
because I configured with --with-node-prefix=online-ra-node and
--with-node-prefix=offline-ca-node instead of the cookbook recommended
--with-node-prefix=[cr]a-node.  I just did it to help me keep straight
in my mind which was online and which was offline, but I found that it
threw a couple of small wrenches into my configuration.  I think I
ferreted them all out, but perhaps this problem is another result of
that minor change I made.

Thanks dalani and Robert for your replies though.  Any other thoughts? 
Should I simply start over from scratch?  Perhaps with a new SuSE 9.0 or
9.1 box?  I'm trying to compile OpenCA on Gentoo, but seem to have a
problem with my perl setup (see thread, Problem compiling:
XML::Parser-2.23 important vice 2.34?) so I can't make a comparison
there either---I can't even complete the make step.

Again, thanks for being so patient with an OpenCA newbie.

-Kevin






Re: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 12:03, Kevin Mitcham wrote:
> I'm sorry if the cookbook misled you, or was incomplete.  I wrote it to 
> make the install procedure overall a little easier, providing a worked 
> example.  By the time I wrote it down, I had installed OpenCA several 
> times, and some of the items were already committed to memory, and 
> didn't get written down.  I did try to write out several of the problems 
> that came up in my experience, and the solutions to them.
> 
> Kevin

Hi Kevin-

Please don't apologize.  I meant what I said when I said that this was
my _lame_ excuse.  The cookbook was a big help to me; of that I'm quite
certain.  But I should not have relied on it exclusively.  That's a
lesson for me.  Your cookbook was very helpful to me.  Thanks very much
for writing it.  Once I have completed my installation and configuration
of OpenCA, I hope to be able to add my experience to what you've written
and perhaps improve upon it somewhat, but there's certainly no cause to
apologize.  Thanks very kindly for helping me out a great deal by
writing it.

-Kevin






[Openca-Users] Error 700 in attempting to initialize database

2004-08-18 Thread Kevin
At the risk of getting yelled at, I have another question... (sorry...)

This time I've read both the cookbook and the relevant portions of the
guide.  As usual, I've also searched the list archives, searched through
the entire guide for this particular error, and double-checked the steps
I performed in the cookbook.  I'm not finding anything to help me solve
this.  That said, however, it's true that I have not read the guide from
cover to cover.  If I'm wrong for asking a question here in such
circumstances, someone please feel free to correct me.  I promise I
won't take offense.

I'm following the steps exactly in the cookbook:
Series of tabs should be visible.  Select General->Initialization
 Phase I
Initialize the Certification Authority
Initialize Database
 
initialize-> initialize DB. (reports success, but a slurry of error messages 
about table not found may appear on the console)

Anyway, when I attempt to initialize the database, I get this error:
Error 700
General Error. The compilation of the command cmdGenDB failed. Can't
call method "prepare" on an undefined value at
/usr/local/openca/modules/perl5/OpenCA/DBI.pm line 2518.

When I look at line 2518 of said file, I see:
   2515   ## prepare
   2516   $self->debug ("doQuery: prepare statement");
   2517   $self->debug ("doQuery: statement nr.: ".(scalar (@{$self->{STH}}) +1));
   2518   $self->{STH}[scalar (@{$self->{STH}})] = $self->{DBH}->prepare ($query);
   2519   if ( (my $h = $self->{STH}[scalar (@{$self->{STH}}) -1]->state) != 0) {
   2520     $self->debug ("doQuery: prepare failed");
   2521     $self->debug ("doQuery: query: $query");
   2522     $self->debug ("doQuery: returned errorcode: $h");
   2523     $self->errno ( $OpenCA::DBI::ERROR->{PREPARE_FAILED} );
   2524     return undef;
   2525   }

Not being very clueful on perl in general, I'm definitely out of my
league trying to interpret perl code.

Can anyone offer suggestions on how to resolve this?  I suppose I must
have screwed up something in my config files.  Should I post those?  If
so, just say so and I will.

Sorry to be such a pain, guys.

Thanks for any help.

-Kevin






Re: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Kevin Mitcham
I'm sorry if the cookbook misled you, or was incomplete.  I wrote it to 
make the install procedure overall a little easier, providing a worked 
example.  By the time I wrote it down, I had installed OpenCA several 
times, and some of the items were already committed to memory, and 
didn't get written down.  I did try to write out several of the problems 
that came up in my experience, and the solutions to them.

Kevin
Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out.
Guess I should've read all of the docs in their entirety before posting
but my lame excuse is that I was misled by the cookbook.  I had the
impression from reading it that it was self-contained and that I could
use it as a shortcut for installation and then read the full docs
afterwards as I experimented with OpenCA.
Sorry for the unnecessary question/time/bandwidth.
-Kevin





Re: [Openca-Users] problems initializing openca (Error Login failed: 6273120.)

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 10:48, Martin Bartosch wrote:
> Hi Kevin,
> 
> just some quick notes:
> 
> The initial user/password is root/root. Of course you do not need
> to open the database from the outside.
> The initialization steps can be performed using the /ca/ frontend
> after logging in.
> Public frontend is for issuing requests and picking up certs only.
> 
> Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out.

Guess I should've read all of the docs in their entirety before posting
but my lame excuse is that I was misled by the cookbook.  I had the
impression from reading it that it was self-contained and that I could
use it as a shortcut for installation and then read the full docs
afterwards as I experimented with OpenCA.

Sorry for the unnecessary question/time/bandwidth.

-Kevin







[Openca-Users] problems initializing openca (Error Login failed: 6273120.)

2004-08-18 Thread Kevin
Hi List-

Many thanks to Oliver Welter for helping me resolve my problem with
SSLOptions +StdEnvVars that was causing my "too short symmetric
keylength" error.

Now that I have that solved, I've encountered another problem in trying
to follow the guidelines in the OpenCA cookbook from Kevin Mitcham.

I do get pages when visiting all of the following:
https://myhost.wherever.edu/ra
https://myhost.wherever.edu/ra-node
https://myhost.wherever.edu/pub
https://myhost.wherever.edu/ca
https://myhost.wherever.edu/ca-node

What I get is as follows:
https://myhost.wherever.edu/ra
A purple login screen

https://myhost.wherever.edu/ra-node
A white login screen

https://myhost.wherever.edu/pub
A series of tabs labeled:
General (Logout)
CA Infos (Policy  Get CA certificate  Certificate Revocation Lists)
User (Request a Certificate  Get Requested Certificate  Test Certificate
Revoke Certificate)
Certificates (Valid  Expired  Suspended  Revoked  Search)
Requests (Certificate Requests  Certificate Revocation Requests)
Language (English  German  Spanish  French  Italian  Japanese  Polish)

https://myhost.wherever.edu/ca
A purple login screen

https://myhost.wherever.edu/ca-node
A white login screen

In the cookbook, Kevin Mitcham says:

connect to the ca: 
http://myhost.wherever.edu/openca

Series of tabs should be visible.  Select General->Initialization
 Phase I
Initialize the Certification Authority
Initialize Database
initialize-> initialize DB. (reports success, but a slurry of error messages 
about table not found may appear on the console)

Based upon the changes he recommends for httpd.conf, I assume he
means to connect to http://myhost.wherever.edu/ca because that's what
he makes an Alias for.

With what username/password credentials should I login?

The ones that I set up in my config.xml files?  I assumed
that these were the username/password of the mysql openca database
administrator that I created when creating the databases themselves,
but these aren't working.  When I try it I get a login failed message.
Must I permit access to port 3306 over the network?  I can connect
to the mysql server using the mysql command-line client program
running on the server machine when using these credentials,
but cannot do so through the web interface of OpenCA.

The only place I see a series of tabs is at /pub and while there
is a General tab, there is no Initialization item in it.

Am I missing something?

Any suggestions?  I checked the list archives but didn't see anything
that helped me out.  Someone reported a problem with the cookie
directory being created, but I'm not seeing the same symptoms he was.

The exact error message is:
Error Login failed.
General Error. 6273120.

Thanks again.

-Kevin






Re: [Openca-Users] OpenCA cookbook

2004-08-18 Thread Kevin
I know this won't show up in the thread of the same subject because I
don't have the original or any of the follow-ups to that message in my
own email archive, but I just thought I'd try to get this point somehow
associated with the OpenCA Cookbook, thus this message.

Other changes to make to httpd.conf (aside from those already listed in
the OpenCA Cookbook):


SSLOptions +StdEnvVars


Thanks to Oliver Welter for pointing this out to me.

-Kevin






Re: [Openca-Users] too short symmetric keylength: General Error. 6251043.

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 02:49, Oliver Welter wrote:
> Hi Kevin,
> 
> I had the same problem :)
> It's likely that you have not exported your SSL-Vars to Perl...
> Add
> SSLOptions +StdEnvVars
> to your SSL-Config in apache and it should work
> 
> Oliver

Hi Oliver-

Yes, you were right.  This solved my problem.  Thanks very much.  I
think I'll add it to the OpenCA Cookbook thread on the list for other
changes to make to httpd.conf as a part of a first installation.

-Kevin
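
Added example, not part of the thread and not OpenCA's code: the empty `()` in the error is what a key-length gate prints when the variable it reads is unset, which is the situation until `SSLOptions +StdEnvVars` exports mod_ssl's variables to CGI programs. The sketch assumes the gate reads `SSL_CIPHER_USEKEYSIZE` (a real mod_ssl variable; that OpenCA reads this one is an assumption) and compares it with the 128 from ra.xml.

```shell
#!/bin/sh
# Added example: a fail-closed minimum key-length gate.
#
# classify_keysize MIN VALUE
#   VALUE is what the CGI process finds in SSL_CIPHER_USEKEYSIZE ("" when unset).
#   Prints a verdict; returns 0 ok, 1 too short, 2 unset, 3 malformed.
#   Anything other than "ok" must deny access: a missing value is treated as a
#   failure, never as "no restriction".
classify_keysize() {
    min=$1
    bits=$2
    case $bits in
        '')       echo "unset: keylength () - SSL variables not exported to CGI"; return 2 ;;
        *[!0-9]*) echo "malformed: keylength ($bits)"; return 3 ;;
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "too-short: keylength ($bits) < $min"
        return 1
    fi
    echo "ok: keylength ($bits) >= $min"
}

# Constructed cases: no StdEnvVars, the AES-256 session from the post,
# and a 40-bit cipher.
keysize_demo() {
    for value in "" 256 40; do
        verdict=$(classify_keysize 128 "$value") || true
        echo "${verdict%%:*}"
    done
}

# As a CGI diagnostic on the server:
#   classify_keysize 128 "${SSL_CIPHER_USEKEYSIZE-}"
keysize_demo
```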






[Openca-Users] too short symmetric keylength: General Error. 6251043.

2004-08-17 Thread Kevin
Hi List-

Many thanks for suggestions relating to my other posts here (some of
which I'm still trying to resolve), but I did get a successful
configure/make/make install of OpenCA according to the OpenCA Cookbook
that Johnny Gonzalez referred me to on a SuSE 9.0 box.  I'm still
struggling with this part on a Gentoo system, but with the SuSE system,
I may be suffering from a configuration problem, and that's what I'm
trying to resolve with this message.

I have the following error upon accessing https://localhost/ra

Error Aborting connection - you are using a too short symmetric
keylength ().
General Error. 6251043.

I saw in the archives in May where someone else had this problem and
Michael pointed out the solution by explaining that the keylength in
etc/access_control/ra.xml file was apparently the problem.

In my etc/access_control/ra.xml, I have the following:




mod_ssl
ssl
.*
.*
0
.*
128

...

And when I use Mozilla Firefox to view https://localhost/ra and click
the lock, it reports that the connection is encrypted with High-grade
Encryption (AES-256 256 bit).

Perhaps OpenCA doesn't know about the AES cipher?

Or is it this other thing that Michael mentioned in his reply to that
poster: "The empty () at the end of the errormessage looks like a 
general problem with your SSL"

I have no problems viewing other content over the https protocol.  Only
OpenCA stuff.

Any help here?

-Kevin






Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-17 Thread Kevin
On Tue, 2004-08-17 at 10:37, Michael Bell wrote:
> Hi Kevin,
> 
> you are missing some files from Expat:
> 
> /usr/lib/perl5> find . -name "*xpat*"
> ./site_perl/5.8.0/i586-linux-thread-multi/XML/Parser/Expat.pm
> ./site_perl/5.8.0/i586-linux-thread-multi/auto/XML/Parser/Expat
> ./site_perl/5.8.0/i586-linux-thread-multi/auto/XML/Parser/Expat/Expat.bs
> ./site_perl/5.8.0/i586-linux-thread-multi/auto/XML/Parser/Expat/Expat.so
> 
> The important thing is the auto area which must be linked too.
> 
> Michael

Hi Michael-

Here's what I have when doing the same thing:

tombstone openca-0.9.2-RC6 # find /usr/lib/perl5/vendor_perl/5.8.4/
-name "*xpat*"
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/Expat
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/Expat/Expat.so
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/Expat/Expat.bs
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML/Parser/Expat.pm
tombstone openca-0.9.2-RC6 #

Looks pretty much the same as yours, but...

When I run the perl program "inside" (as mentioned earlier in this
thread), I get the following (abbreviated):

i686-linux::XML::GDOME (version 0.85) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::GDOME::SAX::Builder (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::GDOME::SAX::Generator (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::GDOME::SAX::Parser (version 1.00) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML (version 1.58) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Boolean (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Common (version 0.13) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Literal (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::NodeList (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Number (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX (version 1.00) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX::Builder (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX::Generator (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX::Parser (version 1.50) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::XPathContext (version 0.05) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXSLT (version 1.57) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser (version 2.34) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Expat (version 2.34) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Debug (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Objects (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Stream (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Subs (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Tree (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron (version 0.98) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::DOM (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::DOM::DOMHandler (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::Processor (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::SAXBuilder (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::SXP (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::Situation (version unknown) found in
/usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::Situation::DOMHandlerDispatcher (version
unknown) found in /usr/lib/perl5/vendor_
perl/5.8.4

Is the i686-linux:: prefix in front of the Expat module somehow
preventing openca/perl from seeing that module as XML::Parser::Expat? 
What output do you get on your system from Inside?  I see that your
Expat modules are located in a directory prefixed with
...i586-linux-thread-multi...
Is this directory prefix on my system (i686-linux) causing the module to
be prefixed with the i686-linux:: string (and thus, perhaps preventing
it from being seen as XML::Parser::Expat by perl/OpenCA)?

The head of my
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML/Parser/Expat.pm
file reads as follows:
=
package XML::Parser::Expat;

require 5.004;

use strict;
...
=

Seems to me that inside should be detecting this module as written here:
XML::Parser::Expat;

but instead it seems to be finding it as i686-linux::XML::Parser::Expat;
I'm thinking that's the 

Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-17 Thread Kevin
I think I've found the problem now, but not sure about the best way to
fix it.

I used Tom Phoenix's perl module Inside to discover that, for some
reason, XML::Parser::Expat is installed on my system as:

i686-linux::XML::Parser::Expat (version 2.34) found in
/usr/lib/perl5/vendor_perl/5.8.4

I suppose one very difficult way to resolve the problem would be to
change all instances of XML::Parser::Expat in the OpenCA code to
i686-linux::XML::Parser::Expat, but that seems awfully silly.

Anyone have a suggestion on the best way to resolve this one?

Thanks.

-Kevin
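
Added example, not part of the thread: the two errors reported in this thread, `Can't locate XML/Parser.pm in @INC` and `Can't locate loadable object for module XML::Parser::Expat`, come from two separate lookups, one for the .pm file and one for `auto/.../Expat.so`. The script classifies which lookup fails for a given list of directories; the demo tree is constructed to mirror the paths quoted in the thread (files under `i686-linux`, `@INC` naming `i686-linux-thread-multi`), and `DLEXT` is a variable name introduced here.

```shell
#!/bin/sh
# Added example: classify how Perl would fail to load an XS module, given the
# directories on @INC.
#
#   not-found           no DIR holds the .pm file
#   no-loadable-object  the .pm is reachable, but no DIR holds
#                       auto/<path>/<name>.<dlext>
#   ok                  both are reachable
#
# Real use (paths without spaces):
#   check_xs_module XML::Parser::Expat $(perl -e 'print "@INC"')
# DLEXT defaults to "so"; perl -MConfig -e 'print $Config{dlext}' prints the
# value for the local perl.

check_xs_module() {
    module=$1
    shift
    rel=$(printf '%s\n' "$module" | sed 's|::|/|g')   # XML::Parser::Expat -> XML/Parser/Expat
    name=${rel##*/}                                    # Expat
    have_pm=no
    have_so=no
    for dir in "$@"; do
        if [ -f "$dir/$rel.pm" ]; then have_pm=yes; fi
        if [ -f "$dir/auto/$rel/$name.${DLEXT:-so}" ]; then have_so=yes; fi
    done
    if [ "$have_pm" = no ]; then
        echo not-found; return 1
    elif [ "$have_so" = no ]; then
        echo no-loadable-object; return 2
    fi
    echo ok
}

# Constructed tree: module files live under .../i686-linux, which is not on the
# search path; site_perl is.
inc_demo() {
    root=$(mktemp -d)
    arch="$root/vendor_perl/5.8.4/i686-linux"
    mkdir -p "$arch/XML/Parser" "$arch/auto/XML/Parser/Expat" "$root/site_perl"
    : > "$arch/XML/Parser/Expat.pm"
    : > "$arch/auto/XML/Parser/Expat/Expat.so"
    set -- "$root/vendor_perl/5.8.4/i686-linux-thread-multi" \
           "$root/vendor_perl/5.8.4" "$root/site_perl"

    before=$(check_xs_module XML::Parser::Expat "$@") || true
    ln -s "$arch/XML" "$root/site_perl/XML"            # the link made in the thread
    pm_linked=$(check_xs_module XML::Parser::Expat "$@") || true
    ln -s "$arch/auto" "$root/site_perl/auto"          # the "auto area" linked as well
    both_linked=$(check_xs_module XML::Parser::Expat "$@") || true
    rm -rf "$root"
    echo "$before $pm_linked $both_linked"
}

inc_demo
```

A link only makes the files reachable; an `Expat.so` built for a non-threaded perl is not guaranteed to load in a `-thread-multi` perl, so rebuilding XML::Parser with the perl that runs OpenCA is the cleaner fix.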






Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-17 Thread Kevin
On Fri, 2004-08-13 at 03:11, Michael Bell wrote:
> Kevin wrote:
> 
> > Or is this the problem?
> > "Can't locate XML/Parser.pm in @INC (@INC contains:
> > ..."
> > 
> > I don't see XML/Parser.pm in @INC either.  How do I get it there given
> > that I do have this module installed on my system?
> 
> You can link it to a directory in your @INC array. Simply run find and 
> then create an appropriate link from one of your directories in @INC to 
> the file or a directory in the path of this file. The path must look 
> exactly like for the original file.
> 

Hi again Michael and thanks for your suggestion here.  I tried it with
the following steps:

tombstone root # cat test.perl
#!/usr/bin/perl
print "\@INC is @INC\n";

tombstone root # ./test.perl
@INC is /etc/perl /usr/lib/perl5/site_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4
/usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .
tombstone root # cd /usr/local/lib/site_perl
tombstone site_perl # ln -s \
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML XML
tombstone site_perl # ls -l
total 0
lrwxrwxrwx1 root root   47 Aug 17 08:50 XML ->
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML
tombstone site_perl # cd XML
tombstone XML # ls -l
total 156
drwxr-xr-x4 root root 4096 Aug 10 13:41 GDOME
-r--r--r--1 root root12554 Aug 10 13:41 GDOME.pm
-r--r--r--1 root root 2862 Aug 10 13:41 GDOME.pod
drwxr-xr-x3 root root 4096 Aug 10 13:54 LibXML
-r--r--r--1 root root31844 Aug 10 09:29 LibXML.pm
-r--r--r--1 root root 5338 Aug 10 09:29 LibXML.pod
-r--r--r--1 root root11061 Aug 10 09:29 LibXSLT.pm
drwxr-xr-x4 root root 4096 Aug 10 08:25 Parser
-r--r--r--1 root root27103 Aug 10 08:25 Parser.pm
drwxr-xr-x4 root root 4096 Aug 10 09:28 Sablotron
-r--r--r--1 root root29538 Aug 10 09:28 Sablotron.pm
-r--r--r--1 root root 7889 Aug 10 09:29 benchmark.pl
tombstone XML # ls -l Parser
total 48
drwxr-xr-x2 root root 4096 Aug 10 08:25 Encodings
-r--r--r--1 root root33917 Aug 10 08:25 Expat.pm
-r--r--r--1 root root 1571 Aug 10 08:25 LWPExternEnt.pl
drwxr-xr-x2 root root 4096 Aug 10 08:25 Style

So I'm thinking I've successfully linked the perl modules in
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML to a directory that is
in @INC.

However, when I run the ./configure and make commands now, I get a
slightly different error:

XML-Twig-3.09/MANIFEST
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
Checking if your kit is complete...
Looks good
Warning: prerequisite XML::Parser 2.23 not found.
Writing Makefile for XML::Twig
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
/usr/bin/perl5.8.4 speedup Twig.pm.slow > Twig.pm
Can't locate loadable object for module XML::Parser::Expat in @INC (@INC
contains: ../Digest-SHA1-2.02/blib/lib ../IO-Socket-SSL-0.92/blib/lib 

/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4
/usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .) at
/usr/local/lib/site_perl/XML/Parser.pm line 14
Compilation failed in require at /usr/local/lib/site_perl/XML/Parser.pm
line 14.
BEGIN failed--compilation aborted at
/usr/local/lib/site_perl/XML/Parser.pm line 18.
Compilation failed in require at speedup line 5.
BEGIN failed--compilation aborted at speedup line 5.
make[4]: *** [Twig.pm] Fehler 255
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
make[3]: *** [XML-Twig-3.09] Error 2
make[3]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[2]: *** [modules] Error 2
make[2]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src'
make: *** [src] Error 2

Strangely, when I run make a second time, immediately after getting this
error, it does complete successfully.  I'm not sure if it's skipping
over the portions that caused the failure initially or if it's including
them and getting it right the second time or what, but I'd still like to
resolve the problem with XML::Parser just on general principle---perha

[Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-12 Thread Kevin
Hi List-

Thanks very kindly to Johnny Gonzalez for pointing it out to me, and to
Kevin Mitcham for writing it, I've been using the OpenCA Cookbook to get
myself started.

Unfortunately, I'm having problems already.  Perhaps I need a different
perl module installed.  make gives me the following error message:

==
...
XML-Twig-3.09/MANIFEST
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
Checking if your kit is complete...
Looks good
Warning: prerequisite XML::Parser 2.23 not found.
Writing Makefile for XML::Twig
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
/usr/bin/perl5.8.4 speedup Twig.pm.slow > Twig.pm
Can't locate XML/Parser.pm in @INC (@INC contains:
../Digest-SHA1-2.02/blib/lib ../IO-Socket-SSL-0.92/blib/lib
../IO-stringy-2.108/blib/lib ../MIME-tools-5.411/blib/lib
../MailTools-1.58/blib/lib ../Net-Server-0.86/blib/lib
../XML-Twig-3.09/blib/lib ../libintl-perl-1.10/blib/lib
../openca-ac/blib/lib ../openca-configuration/blib/lib
../openca-crl/blib/lib ../openca-crypto/blib/lib ../openca-db/blib/lib
../openca-dbi/blib/lib ../openca-ldap/blib/lib ../openca-log/blib/lib
../openca-openssl/blib/lib ../openca-pkcs7/blib/lib
../openca-req/blib/lib ../openca-session/blib/lib
../openca-statemachine/blib/lib ../openca-tools/blib/lib
../openca-tristatecgi/blib/lib ../openca-ui-html/blib/lib
../openca-x509/blib/lib ../openca-xml-cache/blib/lib
../perl-ldap-0.28/blib/lib ../Digest-SHA1-2.02/blib/arch
../IO-Socket-SSL-0.92/blib/arch ../IO-stringy-2.108/blib/arch
../MIME-tools-5.411/blib/arch ../MailTools-1.58/blib/arch
../Net-Server-0.86/blib/arch ../XML-Twig-3.09/blib/arch
../libintl-perl-1.10/blib/arch ../openca-ac/blib/arch
../openca-configuration/blib/arch ../openca-crl/blib/arch
../openca-crypto/blib/arch ../openca-db/blib/arch
../openca-dbi/blib/arch ../openca-ldap/blib/arch ../openca-log/blib/arch
../openca-openssl/blib/arch ../openca-pkcs7/blib/arch
../openca-req/blib/arch ../openca-session/blib/arch
../openca-statemachine/blib/arch ../openca-tools/blib/arch
../openca-tristatecgi/blib/arch ../openca-ui-html/blib/arch
../openca-x509/blib/arch ../openca-xml-cache/blib/arch
../perl-ldap-0.28/blib/arch /etc/perl
/usr/lib/perl5/site_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4
/usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .) at speedup
line 5.
BEGIN failed--compilation aborted at speedup line 5.
make[4]: *** [Twig.pm] Fehler 2
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
make[3]: *** [XML-Twig-3.09] Error 2
make[3]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[2]: *** [modules] Error 2
make[2]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src'
make: *** [src] Error 2
tombstone openca-0.9.2-RC6 # epm -q XML-Parser
XML-Parser-2.34
==

It looks like make wants XML::Parser 2.23 and I have XML::Parser-2.34. 
Is this an important dependency?  I mean, does 2.34 lose something that
2.23 has?  If not, can someone offer any hints as to how to get around
this?  I configured with Kevin's configure line (or very near to it):

tombstone openca-0.9.2-RC6 # ./configure   --prefix=/usr/local/openra  
--with-httpd-user=apache   --with-httpd-group=apache  
--with-openca-prefix=/usr/local/openra/openca  
--with-etc-prefix=/usr/local/openra/openca/etc  
--with-httpd-fs-prefix=/usr/local/openra/httpd  
--with-module-prefix=/usr/local/openra/modules  
--with-node-prefix=ra-node   --with-engine=no  
--with-web-host=gnosys.gnosys.us   --enable-ocspd   --enable-dbi  
--enable-rbac   --with-hierarchy-level=ra

Or is this the problem?
"Can't locate XML/Parser.pm in @INC (@INC contains:
..."

I don't see XML/Parser.pm in @INC either.  How do I get it there given
that I do have this module installed on my system?

Any thoughts?

Thanks!

-Kevin






Re: [Openca-Users] Re: images in openca-guide.pdf (was Re: Typo in openca-guide?)

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 11:32, Michael Bell wrote:
> Hi Kevin,
> 
> I finally found a solution. I installed JAI into my Apache FOP and now I 
> can compile working PDF files by using JPEG and PNG. Actually I'm 
> committing new versions of the openca guide.
> 
> Michael

Cool!  Thanks for letting me know.

-Kevin






[Openca-Users] Re: images in openca-guide.pdf

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 10:18, Kevin wrote:
> On Thu, 2004-08-12 at 09:29, Michael Bell wrote:
> > BTW if I look at openca-guide.pdf with gv then I see the images. If 
> > somebody can explain this then this would help a lot to fix the problems 
> > with acrobat reader.
> > 
...
> I'm gonna upgrade to the latest available in Gentoo portage right now to
> see if that helps:
> [ebuild U ] app-text/gv-3.5.8-r4 [3.5.8-r2]  0 kB
> [ebuild U ] app-text/xpdf-3.00-r1 [2.03] -cjk +motif  522 kB
> [ebuild U ] app-text/acroread-5.09 [5.08] -cjk  9,066 kB
> 
> I'll post my results.
> 

After the upgrades, I get the same results as before.

Not sure what else it could be...

-Kevin






[Openca-Users] Re: images in openca-guide.pdf (was Re: Typo in openca-guide?)

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 09:29, Michael Bell wrote:
> Kevin wrote:
> 
> > "The data exchange between such isolated databases can be handled
> > automatically if you use a distributed database system but in the sense
> > of OpenCA such a distributed database system is only on database in our
> > tree."   ^^
> > 
> > Is this word, "on" supposed to be "one"?
> 
> You are right. "one" is correct.
> 

Thanks.

> BTW if I look at openca-guide.pdf with gv then I see the images. If 
> somebody can explain this then this would help a lot to fix the problems 
> with acrobat reader.
> 

I used xpdf and acrobat reader and saw no images (using the guide from
openca-0.9.2-RC6).  When I used gv, I saw the black-and-white line
drawings, but not the color drawing of the life-cycle of objects that I
see in the .html file with a web browser.  Actually, when I turned to
the page for the life-cycle of objects in gv, I saw a very brief (<1
second) flash of the color drawing but then it disappeared and the page
was blank.

I'm using the following versions of the pdf viewers:
acroread-5.08
xpdf-2.03
gv-3.5.8-r2

I'm gonna upgrade to the latest available in Gentoo portage right now to
see if that helps:
[ebuild U ] app-text/gv-3.5.8-r4 [3.5.8-r2]  0 kB
[ebuild U ] app-text/xpdf-3.00-r1 [2.03] -cjk +motif  522 kB
[ebuild U ] app-text/acroread-5.09 [5.08] -cjk  9,066 kB

I'll post my results.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin Mitcham
At the Dartmouth PKI lab, we spent a good bit of time working on a very 
easy initial setup for single-server OpenCA.
We eventually generated a CD image with a script to help set up the 
initial versions.  It generates a minimal (and not secure) CA that 
should be enough to get people started.

You can learn more at
http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html
Hope this helps.  I've been mostly moved on to other projects, and so 
haven't been following the list as closely as I'd like to.

Kevin




Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 08:01, Johnny Gonzalez wrote:
> Hello Kevin,
>  
> I suggest you to read a document made by another Kevin, "Kevin
> Mitcham", He wrote a document called OpenCA Cookbook, this document
> covers all the steps to configure and install OpenCA versions 0.9.2.X,
> read it and all of your questions, related to the installation
> process, will be solved.
>  
> The link to Kevin Mitcham's Posting to the mail archive is:
>  
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html
>  
> Hope this will help you,
>  
>  
> Johnny Gonzalez L.

Hi Johnny-

This looks very helpful!  Thanks, I'll study it in detail before posting
again.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin
On Wed, 2004-08-11 at 19:34, Kevin wrote:
> On Wed, 2004-08-11 at 18:52, Ives Steglich wrote:
> > Kevin wrote:
> > > Hi List-
> > > 
> > > I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
> > > tarball (Is this the latest non-CVS source?  If not, where's the best
...
> > > of complexity.  Is there some way to get the full functionality of
> > > OpenCA in a test environment by installing everything on one computer?
> > > 
> > yes you can simply install everything on one system
> > just use different directories for ca and pub stuff
> > 
> 
> Sorry if I'm being dense here, but how does this translate into
> ./configure options and/or make targets?
> 
> By "use different directories" do you mean while setting the configure
> options? (ie. --with-ca-prefix=DIR, --with-node-prefix=NODEPREFIX,
> --with-ra-prefix=DIR, etc.) or something else.  It looks like these all
> default to different values anyway...  Am I missing something?
> 

I'm reading the guide again with the benefit of the images, and it
occurs to me that my question here may not be clear so I'll try to
clarify.

Section 4.2.1 (How to setup two management interfaces on one
server?---Online Components) of the guide reads as follows:

"The first installation uses only the normal steps - ./configure
--with-node-prefix=online_node --with-your-options, make, make test,
make install-online, edit OPENCADIR/etc/config.xml and
OPENCADIR/etc/configure_etc.sh. Please use your options to configure the
software and use the hierarchy level ra."

I have a better understanding of the word "node" in this context, but
I'm still not sure I have a complete understanding of it.  Michael
explained that "management interface" and "node interface" are the same,
and it is used for data exchange, and I see the images depicting the
node in the design part of the guide, but I'd like to ask some questions
to confirm my understanding (or correct it).

The configure options above use the literal string, "online_node", and
below in section 4.2.2 (Offline Components) the literal string
"offline_node".  If a node is a management interface, can the string be
any arbitrary string in this "--with-node-prefix" configure option?  Or
must it match the hostname of the computer or some other parameter?  How
are these node-prefixes used later by the software?  If I install
everything on one server computer, is the node-prefix "online_node" (as
used in the configure step above) associated with a TCP port or a unix
domain socket that is open on the computer (and perhaps another TCP port
or socket for the string "offline_node") (this is what I think of when I
read, "interface") or is it just a hyperlink by the name of
"online_node" in a web page generated by the software for doing
management/data exchange tasks with a browser or what?  If the
node-prefix can be any arbitrary string, is there a typical value that
is used for it?  Are the strings "online_node" and "offline-node" ok for
that?  Do these strings become part of the certificates issued by
OpenCA?

> > you will then have full functionality as if both parts were on separate 
> > systems - the only thing that's different - the dataexchange between them 
> > would happen at the local filesystem (you have to change the path at 
> > config.xml usually set to /dev/fd0)
> > 
> > you can even install ca and pub components to the same directory, then 
> > you don't have to do dataexchange for the first testing steps... (so no 
> > node interfaces is actually used)
> > 
> 
> Again, how does this translate into ./configure options and/or make
> targets?  Would I just run:
> ./configure (but what options... or are there any special options for a
> single-computer installation?... I realize of course that there are many
> options that relate to my httpd and so forth, but I mean those that are
> specifically for OpenCA related to a single-computer installation... or
> are there any?)
> make
> make test
> make install-ca
> make install-ext
> any others?
> 
> What about:
> install-ldap
> install-node
> etc.
> 
> And exactly what is meant by "node" here (a computer?)?
> 
> > i will send some scripts tomorrow - which can be used
> > to setup a simple testing system and also generates the necessary 
> > apache.conf entries - which can be simply included then
> > 
> 
> Thank you, dalani!
> 
> -Kevin
> 

I guess my other questions still stand.  Please pardon me if I'm being
dense here.  At first blush, installing OpenCA looks a bit more
complicated than the typical server s

[Openca-Users] Typo in openca-guide?

2004-08-12 Thread Kevin
Hi List-

Really quick question:

Section 1 of the guide "Basic Hierarchy" reads in part...

"The data exchange between such isolated databases can be handled
automatically if you use a distributed database system but in the sense
of OpenCA such a distributed database system is only on database in our
tree."   ^^

Is this word, "on" supposed to be "one"?  I can make sense of either
sentence but in my first read of this, I assumed it was supposed to be a
"one" and also assumed that the images in openca-guide.pdf were missing
because they had yet to be added.  Michael Bell pointed me to the
openca-guide.html and now I see the images, but just thought I would
double-check this typo, if that's what it is.

Thanks.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 02:47, Oliver Welter wrote: 
> Hi Kevin,

Hi Oliver.

> have a look at the "openca-guide.pdf" in the docs directory. There is a 
> chapter about installation and a brief description how to install both 
> interfaces onto one directory

Yes, I studied that pretty thoroughly, and my questions actually
arose from doing so.  Thanks for your reply, Oliver.

> Oliver
> 


> 
> On Thu, 2004-08-12 at 03:24, Michael Bell wrote:
> Kevin wrote:
> > ... and it's becoming clear that a typical test
> > installation of the OpenCA software involves two separate server
> > computers: one connected to a network (CA?) and the other NOT connected
> > to a network (RA?).
> 
> Small security warning - the CA is OFFLINE and the RA stuff is online.
> 

Ah!  Ok.  Thanks for pointing that out.

> > 4.2 How to setup two management interfaces on one server?
> > 
> > Exactly what is meant by "management interface" here?  Probably not
> > "Network Interface" (as in Network Interface Card)... perhaps "Web
> > Interface"? (as in, a different TCP port for each management function)? 
> > I'm guessing that if I can learn this part, my first question will be
> > moot.
> 
> The management interface is the node interface. It is used for 
> dataexchange. Please take a look at the pictures in the Design part of 
> the OpenCA guide. BTW if the images in openca-guide.pdf are still broken 
> then please use the HTML version of the guide. It looks like I have a 
> problem with Apache FOP.
> 

Yes, the images are still broken in openca-guide.pdf.  I saw the
references to them, but assumed that they were meant to be added later. 
Thanks for explaining this.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-11 Thread Kevin
On Wed, 2004-08-11 at 18:52, Ives Steglich wrote:
> Kevin wrote:
> > Hi List-
> > 
> > I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
> > tarball (Is this the latest non-CVS source?  If not, where's the best
> > place to get the tarballs with openca.org down?) and looking at the
> > README and INSTALL files, and it's becoming clear that a typical test
> > installation of the OpenCA software involves two separate server
> > computers: one connected to a network (CA?) and the other NOT connected
> > to a network (RA?).  Since this will be my first installation and
> > strictly for my own testing purposes, I don't need (or want) that degree
> > of complexity.  Is there some way to get the full functionality of
> > OpenCA in a test environment by installing everything on one computer?
> > 
> yes you can simply install everything on one system
> just use different directories for ca and pub stuff
> 

Sorry if I'm being dense here, but how does this translate into
./configure options and/or make targets?

By "use different directories" do you mean while setting the configure
options? (ie. --with-ca-prefix=DIR, --with-node-prefix=NODEPREFIX,
--with-ra-prefix=DIR, etc.) or something else.  It looks like these all
default to different values anyway...  Am I missing something?

> you will then have full functionality as if both parts were on separate 
> systems - the only thing that's different - the dataexchange between them 
> would happen at the local filesystem (you have to change the path at 
> config.xml usually set to /dev/fd0)
> 
> you can even install ca and pub components to the same directory, then 
> you don't have to do dataexchange for the first testing steps... (so no 
> node interfaces is actually used)
> 

Again, how does this translate into ./configure options and/or make
targets?  Would I just run:
./configure (but what options... or are there any special options for a
single-computer installation?... I realize of course that there are many
options that relate to my httpd and so forth, but I mean those that are
specifically for OpenCA related to a single-computer installation... or
are there any?)
make
make test
make install-ca
make install-ext
any others?

What about:
install-ldap
install-node
etc.

And exactly what is meant by "node" here (a computer?)?

> i will send some scripts tomorrow - which can be used
> to setup a simple testing system and also generates the necessary 
> apache.conf entries - which can be simply included then
> 

Thank you, dalani!

-Kevin





[Openca-Users] Single computer installation of OpenCA

2004-08-11 Thread Kevin
Hi List-

I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
tarball (Is this the latest non-CVS source?  If not, where's the best
place to get the tarballs with openca.org down?) and looking at the
README and INSTALL files, and it's becoming clear that a typical test
installation of the OpenCA software involves two separate server
computers: one connected to a network (CA?) and the other NOT connected
to a network (RA?).  Since this will be my first installation and
strictly for my own testing purposes, I don't need (or want) that degree
of complexity.  Is there some way to get the full functionality of
OpenCA in a test environment by installing everything on one computer?

A possibly-related question is about the guide itself.  It reads as
follows:

4.2 How to setup two management interfaces on one server?

Exactly what is meant by "management interface" here?  Probably not
"Network Interface" (as in Network Interface Card)... perhaps "Web
Interface"? (as in, a different TCP port for each management function)? 
I'm guessing that if I can learn this part, my first question will be
moot.

I browsed the list archives for this question but didn't see it. 
Apologies if it's been asked before.

Thanks.

-Kevin






[Openca-Users] How to reach Massimiliano Pala

2004-08-11 Thread Kevin
Hi All-

I've been trying to send a non-list-type (ie. personal) email to
Massimiliano Pala (at [EMAIL PROTECTED]), but my MTA is reporting that
the destination MTA is refusing the message.  Here's the error:

Hi. This is the qmail-send program at
smtpout01-04.mesa1.secureserver.net.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
217.133.34.6 does not like recipient.
Remote host said: 550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Giving up on 217.133.34.6.

Does anyone here know how I can reach him via email?

TIA.

-Kevin





[Openca-Users] OpenCA cookbook

2004-06-24 Thread Kevin Mitcham
I've been working on getting some documents and files together to make 
an easy installation of OpenCA.  Here is what I've got so far.  I 
realize it isn't setting things up in the most secure fashion, but I'm 
hoping to help folks get past the initial steps before getting more 
complicated.

I'd appreciate any comments or pointers about what might be wrong or 
unclear in this document.

Thanks
to install from source
(actual commands marked with a "*")
(We ran on Debian "unstable")
(assumes an apache install using default options)


download new tarball from 
http://prdownloads.sourceforge.net/openca/openca-0.9.2-RC4.tar.gz?use_mirror=unc
into a source directory
Alternately, get the latest snapshot
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me 
some problems.

* gunzip openca-0.9.2-RC4.tar.gz 
* tar xvf openca-0.9.2-RC4.tar 

* make distclean 

first install the ra
(may want to update the web-host value)

* ./configure \
  --prefix=/usr/local/openra \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openra/openca \
  --with-etc-prefix=/usr/local/openra/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openra/httpd \
  --with-module-prefix=/usr/local/openra/modules \
  --with-node-prefix=ra-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ra

* make
* make install-online  


Now for the CA
(may want to update the web-host value)

* make distclean
* ./configure \
  --prefix=/usr/local/openca \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openca/openca \
  --with-etc-prefix=/usr/local/openca/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openca/httpd \
  --with-module-prefix=/usr/local/openca/modules \
  --with-node-prefix=ca-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ca 
  
* make
* make install-offline

create the DB:
* mysql -uroot -p mysql

create database openca;
create database openra;
grant all privileges on openca.* to [EMAIL PROTECTED] identified by "openca";
grant all privileges on openra.* to [EMAIL PROTECTED] identified by "openra";

test the DB
* mysql -uopenca -p
use openca
show tables;
(should return empty set, as DB is empty)
exit;
* mysql -uopenra -p
use openra
show tables;
(should return empty set, as DB is empty)
exit;

edit the apache httpd.conf (location varies, but this is the apache config file)
in the script aliases section, add:
# OpenCA Mods
# CA Aliases
Alias   /ca /usr/local/openca/httpd/htdocs/ca/
Alias   /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/ 
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias   /ra /usr/local/openra/httpd/htdocs/ra/
Alias   /pub /usr/local/openra/httpd/htdocs/pub/
Alias   /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# OpenCA Mods

 AllowOverride None
 Options ExecCGI
 Order allow,deny
 Allow from all


 AllowOverride None
 Options ExecCGI
 Order allow,deny
 Allow from all


 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all


 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all

# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.

 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all


modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:
general options 
ca_organization
ca_locality
ca_country
service_mail_account (set to [EMAIL PROTECTED])
dbmodule -> DBI for the mysql database
db_type-> mysql
db_name -> openca
db_host -> localhost  (or whatever)
db_port -> 3306  (the mysql default port)
db_user -> openca
db_passwd -> XXX
configuration of absolute paths
(as needed.  once again, looks like some of the work is already done)
dataexchange configuration
de-activate default, by adding comment brackets
activate mode 1, node acts as CA only by removing comment brackets
configuration of relative paths
(as needed.  Not done first time through due to error)  

 
(these might not be in config.xml; if not, see below)
  dataexchange_device_up
  /usr/local/openca/openca/var/tmp/ca-up


  dataexchange_device_down
  /usr/loc

[Openca-Users] problem starting openca

2004-05-10 Thread Kevin Mitcham
Using RC4, I'm having the following problem starting up the server:
[EMAIL PROTECTED]:/usr/local/openra/openca/etc# ./openca_start
Content-Type: text/html


PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
http://www.w3.org/1999/xhtml"; lang="C" 
xml:lang="C">Configuration Error
Error 
690 Configuration Error. Cannot initialize 
OpenCA::DBI class! The database returns errorcode 0. (Success (error 
10070: __OLD__ERRVAL__)).





OpenCA: Error Trapped: Cannot initialize OpenCA::DBI class! The database 
returns errorcode 0. (Success (error 10070: __OLD__ERRVAL__)) at 
/usr/local/openra/modules/perl5/OpenCA/UI/HTML.pm line 147,  line 88.
Compilation failed in require at 
/usr/local/openra/openca/lib/servers/ra-node/functions/initServer line 
207,  line 88.
Compilation failed in require at ./openca_start line 62,  line 88.

I've checked and re-checked the Database part of the config.xml, and it 
all seems good to me.  Any hints from the more experienced parts of the 
world?

Kevin



[Openca-Users] Problem sending CRIN-Mail

2004-05-04 Thread Kevin Mitcham
To fix this bug, I replaced line 2576 in OpenSSL.pm
$smime->encrypt(CERTIFICATE  => $sign_x509)
with
$smime->encrypt(CERTIFICATE  => $enc_x509)
I was having the same problem with unreadable CRIN-mail, and so I 
updated the file with this fix and re-installed OpenCA.  Unfortunately, 
now the RA won't send email at all.

I have confirmed that send_mail_automatic is set to yes, and that 
sendmail is configured correctly.  I can send the generated crin mails 
(from var/temp/mail/crins) by hand, but they are still unreadable.

The problem is mostly just an annoyance at this point, as we have 
another (later) version of OpenCA running, and generating CRIN-mail 
correctly.

Are the CRIN-mail messages the only way to revoke certificates?  Is 
there a way for the admin to revoke a certificate without having the 
CRIN code: [ revocation pin ]?  Or to find out the CRIN code?

For example, to revoke the certificate of a user who is no longer 
affiliated with the CA organization.

Kevin



[Openca-Users] Certificate Renewal

2004-04-29 Thread Kevin Mitcham
I'm unclear on how OpenCA handles renewing User certificates.

Is it even possible?  Where is it handled in the GUI?

Thanks

Kevin






Re: [Openca-Users] RA CSR upload problems

2004-04-23 Thread Kevin Mitcham
The best part about stupid problems is that the solutions are often easy 
and quick.  Fixing the config.xml file solved the problem immediately, 
thank you very much.

Kevin

Michael Bell wrote:
Kevin Mitcham wrote:

I'm having trouble uploading CSRs from my RA to the CA.

I submit the request, and approve it without signing, and everything 
seems to work.  However, when I go to the RA-Node/dataexchange to 
"upload data to a higher level" the export file is empty (except for 
the directory structure and module.id file)- no certificate requests 
are exported.
I'm trying to run it down in the source code myself, and failing.  Any 
suggestions?

I am running a snapshot from CVS as of April 18th-essentially RC4.


Did you correctly choose the appropriate configuration template for the 
dataexchange in config.xml before you are running configure_etc.sh on 
the RA and on the CA? OpenCA's dataexchange does not export or import 
anything if you don't change the used template in config.xml. We must do 
this for security reasons to avoid impacts into the infrastructure of 
the CA.

Best regards

Michael




[Openca-Users] RA CSR upload problems

2004-04-22 Thread Kevin Mitcham
I'm having trouble uploading CSRs from my RA to the CA.

I submit the request, and approve it without signing, and everything 
seems to work.  However, when I go to the RA-Node/dataexchange to 
"upload data to a higher level" the export file is empty (except for the 
directory structure and module.id file)- no certificate requests are 
exported.
I'm trying to run it down in the source code myself, and failing.  Any 
suggestions?

I am running a snapshot from CVS as of April 18th-essentially RC4.

Kevin




Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate

2004-04-19 Thread Kevin Mitcham
Kevin Mitcham wrote:

I've got a complete new CVS snapshot, and I'm still getting the same 
error message.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting (11). )..


Michael Bell wrote:

This looks definitely like an OpenSSL crash. Errorcode 11 means crypto 
lib failed. This is a direct errorcode from OpenSSL. Can you downgrade 
to 0.9.7c please and try it with this version?

We reinstalled with 0.9.7c, and seem to have moved past this problem. 
Hopefully we will get a little more along before we need more help. 
Thanks for the advice.

Kevin Mitcham




Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate

2004-04-16 Thread Kevin Mitcham
It is necessary to install at minimum the whole stuff from 
src/modules/openca-openssl again. The better way is to replace the two 
files in the source and then to make and install again. Usually such an 
update does not overwrite any existing data or configuration. BTW we 
moved our deadline to 13 o'clock CEST but then I tag RC4 on CVS. So I 
think there will be a new RC available via CVS and SourceForge at 15 
o'clock CEST. This is GMT/UTC+2.

I've got a complete new CVS snapshot, and I'm still getting the same 
error message.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting (11). )..




Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate

2004-04-15 Thread Kevin Mitcham
I am getting this same error when I try to generate the initial
administrator certificate.  The Certificate is being generated, but
the error shows up.
   Error 6794
 General Error. Cannot encrypt PIN-mail! Aborting!
OpenCA::OpenSSL returns errorcode 8012006
(OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: )..


Michael Bell wrote:
Can you try CVS versions from OpenSSL.pm and SMIME.pm please? OpenSSL.pm
v1.108 and SMIME.pm v1.7 have a better errordetection. They can detect
installation problems so that we can reduce the number of possible errors.
I think this is the only way to solve your problem.

Is that a simple file replace, or is there more to updating the files 
than that?  Should I get an entirely new snapshot?

I tried the simple file replace, and generated errors when I tried to 
restart openca (output slightly modified to hide path info):

# ./openca_start
OpenCA::OpenSSL object version 0.9.103 does not match bootstrap 
parameter 0.9.108 at /usr/lib/perl/5.8/XSLoader.pm line 91.
Compilation failed in require at /modules/perl5/OpenCA/AC.pm line 557.
BEGIN failed--compilation aborted at /modules/perl5/OpenCA/AC.pm line 557.
Compilation failed in require at 
/openca/lib/servers/node/functions/initServer line 23.
BEGIN failed--compilation aborted at 
/openca/lib/servers/node/functions/initServer line 23.
Compilation failed in require at ./openca_start line 49.






Re: [Openca-Users] Re: Re: Phase II - Error "Cannot encrypt PIN-mail" - Issue the certificate

2004-04-13 Thread Kevin Mitcham
Kevin Mitcham wrote:

I am getting this same error when I try to generate the initial 
administrator certificate.  The Certificate is being generated, but 
the error shows up.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: )..

I can't seem to find the correct place to add the suggested debug lines.


Michael Bell wrote:

Perhaps you have this problem too because of an installation bug. The 
tool openca-sv was installed to exec_prefix but the path in token.xml 
was set to prefix. Please check that the path to openca-sv is correct in 
token.xml. We updated OpenSSL.pm and SMIME.pm to return better 
errormessages. RC4 will report a wrong path correctly.

Michael

We have updated/patched the local OpenSSL (0.9.7d 17 Mar 2004) as per 
the earlier note, and I checked the token.xml path to openca-sv.  So far 
as I can tell, it is correct.  The values point to the actual location 
of openca-sv.

-rwxr-xr-x1 root root   321762 Apr  8 14:30 
/usr/local/openca.0.9.2/bin/openca-sv

Restarting the server, apache and the entire machine after the patch 
didn't resolve the issue either.

Kevin




Re: [Openca-Users] Re: Re: Phase II - Error "Cannot encrypt PIN-mail" - Issue the certificate

2004-04-12 Thread Kevin Mitcham
I am getting this same error when I try to generate the initial 
administrator certificate.  The Certificate is being generated, but the 
error shows up.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: )..

I can't seem to find the correct place to add the suggested debug lines.

I am running openca-0.9.2-RC3:
Module          Version
OpenSSL         0.9.103
Tools           0.4.3
DB              0.9.99
Configuration   1.5.3
TRIStateCGI     1.5.5
REQ             0.9.54
X509            0.9.52
CRL             0.9.22
PKCS7           0.9.17
and the config is as follows:
./configure \
  --prefix=${PREFIX} \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=${PREFIX}/openca \
  --with-etc-prefix=${PREFIX}/openca/etc \
  --with-httpd-fs-prefix=${PREFIX}/httpd \
  --with-module-prefix=${PREFIX}/modules \
  --with-engine=no \
  --with-web-host=openca.dartmouth.edu \
  --with-ca-organization="Dartmouth" \
  --with-ca-country=US \
  --with-ca-locality=Hanover \
  --enable-ocspd \
  --enable-dbi \
  --with-db-host=openca.dartmouth.edu \
  --with-db-port=3306 \
  --with-db-user=openca \
  --with-db-passwd=Wah7Eegh \
  --disable-rbac \
  --with-hierarchy-level=ra \
  --with-service-mail-account="[EMAIL PROTECTED]" \
  --enable-update-ldap-automatic
Any hints/clues?

Thanks.

Kevin Mitcham
Dartmouth PKI Lab




[Openca-Users] online.conf file

2004-02-18 Thread Kevin Mitcham
I'm having trouble finding the online.conf file, which is referenced in 
several of the documents as part of the configuration of the ldap.

I'm looking in the servers/ directory, and the online.conf file is not 
present.  Do I need to create it manually, or should it have been 
generated by the install?

Kevin Mitcham
Dartmouth PKI Lab


Re: [Openca-Users] HSM with OpenCA

2003-10-20 Thread Kevin Blanchard
Has anyone used the ncipher devices with openca?


--- Adam Tresch <[EMAIL PROTECTED]> wrote:
> Hi Chris,
> 
> i have tested the OpenCA with Luna SA on Solaris and
> received success.
> This version of HSM can be used with all of the
> OpenCA components as a
> WEB Server accelerator/key store and of course as a
> Root key stroe.
> This devices are fast enough to handle a lot of
> transactions per second
> and possible to use in HA environment also if
> needed.
> 
> i have planned to test the luna 2 device also, but
> it is not a root key
> store token, because is secure enough for a
> production system, but for
> testing and some small medium level security is good
> enough.
> 
> The Luna SA installation is almost the same as the
> luna CA3
> installation, only some commands are different.
> 
> If you have additional questions do not hesitate...
> :-)
> 
> Adam
> 
> 
> 
> On Mon, 2003-10-20 at 17:45, Chris Covell wrote:
> > Hello there,
> > 
> > we are keen to use an HSM with OpenCA, looking
> back through the archives it 
> > seems that some people say they have the Chrisalis
> Luna CA3 working and also 
> > ChrysalisITS LunaSA. There has been mention of the
> Luna 2 token also.
> > 
> > I am keen to learn more about these devices before
> we go and buy one !!! So am 
> > keen to talk with someone with some real world
> experience of using these 
> > devices. My questions are ...
> > 
> > * Which devices have people really got working ?
> > 
> > * What platforms are they using (SUN/Solaris,
> Linux etc) ?
> > 
> > * Are there any gotchas or undocumented problems ?
> > 
> > * OpenCA version. I am running 0.9.1-1 in
> production do these devices only 
> > work with v0.9.2 ?
> > 
> > Chris...


Re: [Openca-Users] Smartcard Logon to Windows 2000 domain using OpenCA certification authority

2003-10-20 Thread Kevin Blanchard

I ran into this problem with one client. Unfortunately, AD made it so difficult, even using something as broad as a standard-issue DoD certificate some work had to be done by hand. If you are hoping for an automated approach check out a product named simplesync ( http://www.cps-systems.com/products/default.asp ). It works great for syncing up data between ldap and AD and I know at one point had worked with them to do Windows Single Sign on with smartcard and CAC cards, so it may do the trick for you.  I think the product is about $10k or so but well worth the money.
 
kb
ps- if you mention I sent you that way they may get you a better price, but feel free to email me privately if you have any further questions.
 
Gambin Dejan <[EMAIL PROTECTED]> wrote:
Hello,

I would like to explain and share with you my problems regarding
Smartcard logon to Windows 2000 domain using OpenCA.

There is a document in Microsoft knowledge base defining the
requirements a Domain Controller (DC) has to have to be able to accept
smartcard users logon to domain. The problem is that DC certificate must
have some specific extensions and/or their values, the most important
are:

1. A DC certificate must have the subject alternative name extension
with other name=GUID of DC and DNS name=DNS name of DC.
2. It must have a specific "Certificate template" extension with bmp
value "DomainController"

Now, the problem is that I didn't know how to incorporate it in OpenCA
ext file, so I had to use ASN.1 OIDS for this. I have exported a DC
certificate issued by Microsoft CA, parsed it with asn1parse utility and
exported the required extension into DER file. Then I did a hex dump of
the DER file and copied the result in the OpenCA ext file after the:
subjectAltName=DER: and 1.3.6.1.4.1.311.20.2=DER: (the last is the
OID of certificate template extension)

The second and bigger problem is in issuing the certificate for the
smartcard user. This certificate is also specific:

1. It must have the subject alternative name extension with other name =
principal name = principal_name_of_the_user (for example
[EMAIL PROTECTED]).
2. It must have a specific "Certificate template" extension with bmp
value "SmartcardUser" (or "SmartcardLogon").

I have solved this problem in a similar way to the one described above,
but the problem remains: How can I automate this for issuing
certificates to many different users? Obviously, something has to be done
on OpenCA side to simplify this such that administrator can choose the
Domain user and generate a certificate from him. Since OpenCA uses LDAP,
there must be some kind of integration between LDAP and Active
Directory, and subjectAltName parameter in OpenCA ext file has to be
filled automatically with the principal name of the chosen user.

I would like to know is there anyone who has been playing with this and
maybe solved the problem in some practical manner? Are there any plans or
activities for doing it in the future?

I would appreciate any suggestion I can get

Best regards
Dejan Gambin
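The hand procedure described in the quoted message (asn1parse, hex dump, paste after `DER:`) can be scripted per user. The following is an added example, not part of either post and not OpenCA code: it builds both `DER:` lines for a smartcard user certificate from a principal name. The UPN otherName OID 1.3.6.1.4.1.311.20.2.3, the sample principals and all function names are assumptions of the example.

```python
"""Build the two DER: lines for a smartcard-logon user certificate.

Added example; the UPN OID, sample names and helper names are assumptions.
"""

TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"   # certificate template extension (OID from the post)
UPN_OID = "1.3.6.1.4.1.311.20.2.3"      # Microsoft userPrincipalName otherName (not on the page)


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError("invalid OID: %r" % dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on leading bytes
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def template_ext(name):
    """Extension value: BMPString (tag 0x1E), UTF-16BE without surrogates."""
    if not name or any(ord(c) > 0xFFFF or 0xD800 <= ord(c) <= 0xDFFF for c in name):
        raise ValueError("template name must be non-empty BMP text")
    return tlv(0x1E, name.encode("utf-16-be"))


def upn_san(upn):
    """subjectAltName value: GeneralNames holding one otherName with the UPN."""
    user, at, realm = upn.partition("@")
    if (not (user and at and realm) or "@" in realm
            or " " in upn or not upn.isprintable()):
        raise ValueError("not a user@realm principal name: %r" % upn)
    value = tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))   # [0] EXPLICIT UTF8String
    other_name = tlv(0xA0, der_oid(UPN_OID) + value)    # [0] IMPLICIT OtherName
    return tlv(0x30, other_name)                        # SEQUENCE OF GeneralName


def ext_lines(upn, template="SmartcardUser"):
    """The two lines to place in the extension file for one user."""
    def hexify(der):
        return ":".join("%02X" % b for b in der)
    return [
        "subjectAltName=DER:" + hexify(upn_san(upn)),
        TEMPLATE_OID + "=DER:" + hexify(template_ext(template)),
    ]


if __name__ == "__main__":
    # Constructed sample principals, not taken from the thread.
    for principal in ("alice@corp.example", "bob@corp.example"):
        print("# " + principal)
        print("\n".join(ext_lines(principal)))
```

Each generated value can be checked the way the post did it: convert the hex back to binary and read it with the asn1parse utility.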

Re: [Openca-Users] RedHat Installation Issue

2003-10-10 Thread Kevin Blanchard
out of curiosity... what is the output of your "perl -V" ?
Christopher Harrington <[EMAIL PROTECTED]> wrote:
On Fri, 2003-10-10 at 10:43, Kevin Blanchard wrote:
> I have been doing some work with openca on RH9, my first
> recommendation is to download a version of apache from their site and
> recompile it before going any further. My exp. with RH is that many of
> the compiled binaries are incomplete. Try downloading it, recompile
> and then try it again, and let me know if you still get the same
> error, and make sure you install apache in a NEW directory, not the
> same :)

I removed the RH9 Apache install and compiled from source. I get the
same error in the logs:

[Fri Oct 10 15:55:08 2003] [error] [client 127.0.0.1] Undefined subroutine &main::configError called at /usr/local/apache2/cgi-bin/ca/ca line 86., referer: http://localhost/ca/index.html

configError is not defined somewhere. My guess is it is defined in a
package or module that I don't have or have the wrong version of.

Is there a way to find out where this file is defined?

--Chris

Re: [Openca-Users] RedHat Installation Issue

2003-10-10 Thread Kevin Blanchard

I have been doing some work with openca on RH9, my first recommendation is to download a version of apache from their site and recompile it before going any further. My exp. with RH is that many of the compiled binaries are incomplete. Try downloading it, recompile and then try it again, and let me know if you still get the same error, and make sure you install apache in a NEW directory, not the same :)

Kevin Blanchard
President / CEO
Nykon Systems
http://www.nykon-systems.net
"Making Linux a little less scary since 2001"

[Openca-Users] OpenCA-0.9.1, Windows XP, IE 6, svc pack 1

2003-02-23 Thread Kevin Metz








I looked in the archives and found something close but not
my exact problem.

When I go and try to request a certificate and click on the
‘auto-detect’ I go through the first step of putting in
all the information. And then I get the confirmation page, and I get the ‘Default’
cryptographic device (I’ve selected 1024 as the
key size). When I click on the ‘Continue’ button at the bottom of
the page, I get nothing. I can’t find anything in the error logs either.
Now, I’m able to request a certificate using Netscape and it works. But I’m
really hoping to get it working with Internet Explorer as well.

Any information or suggestions would be greatly appreciated!


Kevin








[Openca-Users] Web mail with certificates?

2002-12-16 Thread Kevin Metz
Ok...this might be a little off topic. But I'm hoping since everyone
here is running certificate servers maybe someone knows.

I'd like to get a web based e-mail system running, but it needs to be
able to sign and encrypt e-mails and vice versa just like outlook and
Netscape can do. Does anyone know if this is possible in a Web based
e-mail system? I've found one or two that say they can do PGP, but
that's about as far as I've gotten.

Since I don't know how to program myself obviously it would need to be
something that's pretty much already put together.

Thanks!

Kevin








[Openca-Users] Invalid expiry date

2002-09-08 Thread Kevin Metz

I'm getting closer!! I was finally able to reverse engineer the backup 
process and import all my old certs, along with my old cacert. And they 
all list now in the database. So I'm VERY happy. How-ever it seems I 
keep running into stops, and this is my latest. I'm trying to sign a 
certificate, and at the very last step, where I'm trying to issue the 
certificate, I get this error

Using configuration from /usr/local/OpenCA/etc/openssl/openssl/User.conf
entry 2: invalid expiry date
unable to write 'random state'
General Error Trapped 6757: Error while storing the request's serial in 
cert-object at /usr/local/OpenCA/lib/functions/misc-utils.lib line 38.
Compilation failed in require at /usr/local/OpenCA/apache/cgi-bin/ca/ca 
line 194.


My cacert is valid until 2007 (I think I picked like 5 years or 
something). Is it possible thats getting picked up as being invalid? And 
so therefore it won't issue any other certs?

Thanks again for your help and patience.

Kevin





RE: [Openca-Users] Upgrading

2002-09-06 Thread Kevin Metz

Let me first just say thanks for the feedback! My problem was a little 
less complicated than that. I was using a much earlier version, like 
0.2.0 I think. All I really needed was to import the old certs, not the 
old database or anything like that.

The fix was, to go to the Registration Authority server, then the 
Registration Authority Admin page. Next click on Input and Output. From 
there I clicked on Export All. I then found the tar file in 
/tmp/openca-outca.tar. I untarred it, went to the CERTIFICATE directory, 
then the VALID directory. I copied all of my valid certificates into 
there. Once that was done, went to the Import all screen. Once I did 
that, it then loaded up all my old certificates into the current 
database. Kinda kludgy, but I think it works.

Again, THANKS! Just thought I'd post my follow-up in case anyone else 
has the same kind of problem.

Kevin






[Openca-Users] Upgrading

2002-09-06 Thread Kevin Metz

I ran a old version of OpenCA and am now forced to upgrade. I downloaded 
the RC2 candidate, and after much puzzling and tweaking I've got the 
basics working. Now, what I REALLY need is to be able to import all my 
old certificates. I never backed them up to disk, so I don't have a tar 
file or anything. How-ever I've got the old OpenCA directory with all 
the files. I already got the certificate keys over and all, and can sign 
new certificates with no problem. How-ever I've tried copying over the 
old certificates, with no success. I've tried the openca-importcerts 
several times with no success. Since this version uses a database, I 
really need to get these imported since there seems to be no other 
alternative. Any assistance would be GREATLY appreciated

Thanks

Kevin





[Openca-Users] Approving a Requested Certificate

2001-08-02 Thread Kevin Elliott

I am unable to approve certificates in IE, since the crypto signing
functionality has not been built out. I may attempt to build that
soon... But first, I am unable to approve in Netscape either. Nothing
happens, and occasionally I can see a small box pop up and then disappear
quickly. I have tried with Netscape 4.72 and 4.78. Also, I am unable
to import the CA cert from IE or Netscape. IE can SAVE the file as a .cer
DER x.509, but it is unable to import it. Netscape pops up a box saying
No Data, or something to that effect. Anyone know how to solve either of
these situations?

Much Regards,

Kevin Elliott




RE: [Openca-Users] Newer Versions

2001-08-02 Thread Kevin Elliott

Robert,

Thanks for the clarification, that helped very much.

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Robert
Hannemann
Sent: Wednesday, August 01, 2001 9:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Newer Versions


Kevin Elliott wrote:
>
Good Morning,

you have to use the openssl-SNAP-20010307.tar.gz e.g. from

ftp://ftp.dti.ad.jp/pub/net/OpenCA/tools/

please take a look at the openssl user mailing list, there is
information about the used libraries.

Regards,
Robert


> In response to my own message, I did some more research, and looked in my
> web server's error log, and found:
>
> unknown option -subj
> req [options] outfile
> where options  are
>  -inform arg    input format - DER or PEM
>  -outform arg   output format - DER or PEM
>  -in arg        input file
>  -out arg       output file
>  -text          text form of request
>  -noout         do not output REQ
>  -verify        verify signature on REQ
>  -modulus       RSA modulus
>  -nodes         don't encrypt the output key
>  -key file      use the private key contained in file
>  -keyform arg   key file format
>  -keyout arg    file to send the key to
>  -rand file:file:...
>                 load the file (or the files in the directory) into
>                 the random number generator
>  -newkey rsa:bits generate a new RSA key of 'bits' in size
>  -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
>  -[digest]      Digest to sign with (md5, sha1, md2, mdc2)
>  -config file   request template file.
>  -new           new request.
>  -x509          output a x509 structure instead of a cert. req.
>  -days          number of days a x509 generated by -x509 is valid for.
>  -newhdr        output "NEW" in the header lines
>  -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
>                 have been reported as requiring
>  -extensions .. specify certificate extension section (override value in config file)
>  -reqexts ..    specify request extension section (override value in config file)
> Can't call method "getTXT" on an undefined value at cmds/genCAReq line 70,
>  line 32.
> Compilation failed in require at /home/apache/cgi-bin/ca/ca line 160, 
> line 32.
>
> This tells me that I'm probably using the wrong OpenSSL version since a flag
> does not exist for the current one installed. I have OpenSSL 0.9.6 24 Sep
> 2000 installed, but I updated it to a 2001Jul30 snapshot, and I still get
> the same error.
> -Kevin Elliott
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin
> Elliott
> Sent: Wednesday, August 01, 2001 4:57 PM
> To: Openca-Users
> Subject: [Openca-Users] Newer Versions
>
> Greetings,
>
> Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_
> better for me. Congrats! Much cleaner install using configure too. I'm
> having problems generating the CA request though. I have no problem using
> the interface to create the Key, which i confirmed is at
> /usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I
> get a blank screen, and view source shows that the html was completed, just
> no content in the middle of the source. The file careq.pem is not created.
>
> Any ideas?
>
> Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro
> pages so people don't get confused, like I did ;]
>
> -Kevin Elliott
>



RE: [Openca-Users] Newer Versions

2001-08-01 Thread Kevin Elliott

In response to my own message, I did some more research, and looked in my
web server's error log, and found:

unknown option -subj
req [options] outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file:file:...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2)
 -config file   request template file.
 -new           new request.
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a x509 generated by -x509 is valid for.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)
Can't call method "getTXT" on an undefined value at cmds/genCAReq line 70,
 line 32.
Compilation failed in require at /home/apache/cgi-bin/ca/ca line 160, 
line 32.

This tells me that I'm probably using the wrong OpenSSL version since a flag
does not exist for the current one installed. I have OpenSSL 0.9.6 24 Sep
2000 installed, but I updated it to a 2001Jul30 snapshot, and I still get
the same error.

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Kevin
Elliott
Sent: Wednesday, August 01, 2001 4:57 PM
To: Openca-Users
Subject: [Openca-Users] Newer Versions


Greetings,

Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_
better for me. Congrats! Much cleaner install using configure too. I'm
having problems generating the CA request though. I have no problem using
the interface to create the Key, which i confirmed is at
/usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I
get a blank screen, and view source shows that the html was completed, just
no content in the middle of the source. The file careq.pem is not created.

Any ideas?

Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro
pages so people don't get confused, like I did ;]

-Kevin Elliott






[Openca-Users] Newer Versions

2001-08-01 Thread Kevin Elliott

Greetings,

Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_
better for me. Congrats! Much cleaner install using configure too. I'm
having problems generating the CA request though. I have no problem using
the interface to create the Key, which i confirmed is at
/usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I
get a blank screen, and view source shows that the html was completed, just
no content in the middle of the source. The file careq.pem is not created.

Any ideas?

Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro
pages so people don't get confused, like I did ;]

-Kevin Elliott






RE: [Openca-Users] No Net::LDAPapi necessary

2001-07-31 Thread Kevin Elliott

I downloaded OpenCA-0.2.0-5.tar.gz 26 Jan 2001 0.2.0 patch 5 (Unstable -
Release Info) .

Whatever versions come in that package, is the one I've been using. They are
the "stable" distributions. I believe a new package should be released under
the stable from pre 0.8.0 then, because it's clear those releases are much
more stable than the existing ones which have had numerous problems.

Is there CVS access?

-Kevin Elliott


> Kevin Elliott wrote:
> >
> > Michael,
> >
> > Thanks for the clarification. Although, the cgi still requires
> > Net::LDAPapi so I'm assuming you have sub/includes still?
>
> I can't find Net::LDAPapi on my machine (I search via find / -name
> "*LDAP*" -print). What do you mean with "the cgi"?

it looks like you two are speaking about very different openca versions,
the very old 0.2.0 and the bleeding edge, resp.
when i grep in the versions i've got installed here, i get:

/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:#use Net::LDAPapi;
/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
/usr/local/apache-1.3.20/cgi-bin/openca-0.8.0-20010610/ra/RAServer:use Net::LDAP;
/usr/local/apache-1.3.20/cgi-bin/openca-20010309/ra/RAServer:use Net::LDAP;
/usr/local/apache-1.3.20/cgi-bin/openca-20010326/ra/RAServer:use Net::LDAP;
/usr/local/apache-1.3.20/cgi-bin/openca-20010427/ra/RAServer:use Net::LDAP;

rj








RE: [Openca-Users] ie_enroll.scp

2001-07-31 Thread Kevin Elliott

Robert,

Sorry for my confusion, but are you developing an IE interface to
the CAPI with Javascript or VBScript in order to successfully
generate a certificate request and install the cert using CryptoAPI
in Windows?

Best Regards,

Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Robert
Hannemann
Sent: Tuesday, July 31, 2001 6:30 AM
To: [EMAIL PROTECTED]
Subject: [Openca-Users] ie_enroll.scp


Hello, 

in the ie_enroll.scp there are the following lines

  if( checkField( myForm.locality, "Organization" )) {
  szName += ", L=" + myForm.locality.value; 

and 

  if( checkField( myForm.state, "Organization" )) {
  szName += ", S=" + myForm.organization.value; 

is it o.k. to check against "Organization" and in the second part to
append the organization value ?

Also i get an error (in the browser bottom-line ) when i confirm the
ie-cert request with an IE - nothing happens when i press "continue" .
How can i watch those errors ( any log files ) ?

Thanks for your help,

Robert
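
The two snippets quoted above pair each form field with its label and its appended value by hand. As an added example (not code from OpenCA or ie_enroll.scp), the same subject-name assembly driven from one table, so the checked field, the label and the appended value always come from the same row; it also rejects DN metacharacters and returns its errors instead of failing silently. The `O` prefix, the field order and all helper names are assumptions.

```javascript
// Added example, not OpenCA code. Field names follow the quoted snippets;
// the "O" prefix, the field order and all helper names are assumptions.

// One row per RDN. The field that is checked, the label used in the error
// message and the value that is appended all come from the same row, so
// they cannot drift apart the way hand-copied if-blocks can.
const SUBJECT_FIELDS = [
  { field: "organization", label: "Organization", attr: "O", required: true },
  { field: "locality",     label: "Locality",     attr: "L", required: true },
  { field: "state",        label: "State",        attr: "S", required: true },
];

// Characters with structural meaning inside a distinguished name. A value
// containing one of them could add or alter RDNs in the request subject,
// so it is rejected instead of being concatenated.
const DN_SPECIALS = /[,+="<>#;\\\r\n\0]/;

// Returns { subject, errors }. The caller submits the request only when
// errors is empty, and shows the messages to the user otherwise.
function buildSubject(form) {
  const parts = [];
  const errors = [];
  for (const { field, label, attr, required } of SUBJECT_FIELDS) {
    const input = form[field];
    const value =
      input && typeof input.value === "string" ? input.value.trim() : "";
    if (value === "") {
      if (required) errors.push(label + " is required");
      continue;
    }
    if (DN_SPECIALS.test(value)) {
      errors.push(label + " contains a character that is not allowed in a subject name");
      continue;
    }
    parts.push(attr + "=" + value);
  }
  return { subject: parts.join(", "), errors };
}

// Constructed sample input standing in for the HTML form object.
const sampleForm = {
  organization: { value: "Example Org" },
  locality: { value: "  Berlin " },
  state: { value: "Brandenburg, O=Other Org" }, // tries to smuggle in an RDN
};

function demo() {
  return buildSubject(sampleForm);
}

console.log(demo());
```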




RE: [Openca-Users] Net::LDAPapi Module compile fails

2001-07-31 Thread Kevin Elliott

I'm still not able to APPROVE certificates. It just redraws the screen with
no editable fields, and the same buttons. I'm guessing it is supposed to ask
the browser to sign the request? Any ideas?

Thanks in advance...

Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Kevin
Elliott
Sent: Monday, July 30, 2001 10:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Openca-Users] Net::LDAPapi Module compile fails


To all regarding this issue, that perl problem was solved 20 minutes after
I faced the problem by simply relinking /usr/local/bin/perl to a 5.003
version as I stated before. The "na" problem went away. There were still
pointer dereferencing issues that showed up everywhere. It was finally
solved by using OpenLDAP 1.2.2 instead of 2.0.1. I'm guessing there are some
changes in 2.0.1 from 1.2.2, more specifically, things like void pointers
in front of integer definitions, and the like, instead of raw integers.

So, I thankfully got that part working. Only thing now, is I can't get a
certificate approved now. I click the approve, and then it shows me the
same page with no fields, and just text for the cert details, and has
the approve button. Very odd.

-Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of root
Sent: Monday, July 30, 2001 3:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails


Kevin Elliott wrote:
>
> Robert,
>
> Thanks for the assistance. Unfortunately, that post did not help and was
> slightly unrelated. In that post, a variable "na" was not defined. In my
> particular case, it's very different. I've tried 1.42 and 1.43 of
> Net::LDAPapi as well. Both with the same results. I have also tried using
> just Perl 5.003, and 5.6.
>
> Anyone else know what's wrong?
>
> -Kevin Elliott
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Robert
> Hannemann
> Sent: Friday, July 27, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails
>
> Hi Kevin,
>
> i´ve found a mail in the openssl mailinglist - hope this will help ...
>
>
> http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/28/msg00377.html
>
> Regards,
>
> Robert
>
> Kevin Elliott wrote:
> >
> > Greetings,
> >
> > I've been attempting to install the Net::LDAPapi perl module, but there
> > are some conflicts and problems with the libs and includes for OpenLDAP
> > 2.0.1. Any ideas? I'm including the compile log.
> >
> > Thanks,
> >
> > Kevin
> >
> > Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>
> >
> > Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
> >  (default: /usr/local/bin/perl)?
> >
> > Select your Development Kit:
> >   1.  Netscape (default)
> >   2.  University of Michigan
> >   3.  ISODE (compiled with LDAP)
> > Choose: 2
> > Location of LDAP Include Files (default: /usr/include):
> > Location of LDAP Library Files (default: /usr/lib):
> > Using Kerberos for Authentication (default: n)?
> > Checking if your kit is complete...
> > Looks good
> > Writing Makefile for Net::LDAPapi
> > mkdir blib
> > mkdir blib/lib
> > mkdir blib/lib/Net
> > mkdir blib/arch
> > mkdir blib/arch/auto
> > mkdir blib/arch/auto/Net
> > mkdir blib/arch/auto/Net/LDAPapi
> > mkdir blib/lib/auto
> > mkdir blib/lib/auto/Net
> > mkdir blib/lib/auto/Net/LDAPapi
> > mkdir blib/man3
> > cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
> > AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
> > /usr/local/bin/perl constant.gen >constant.h
> >
>
/usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5
> > /5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp  -typemap
> > /usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs
>
> > LDAPapi.xsc && mv LDAPapi.xsc LDAPapi.c
> >
cc -c  -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2
>
>-DVERSION=\"1.42\" -DXS_VERSION=\"1.42\" -fpic -I/usr/local/lib/perl5/5
> .6
> > .0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
> > In file included from LDAPapi.xs:21:
> > ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
> > /usr/include/ldap.h:88: warning: this is the location of the previous
> > definition
> > ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
> > /usr/include/ldap.h:89: warning: this is the location of

RE: [Openca-Users] No Net::LDAPapi necessary

2001-07-31 Thread Kevin Elliott

The perl that gets executed from Apache is CGI. It sits in a cgi directory,
and gets executed like a cgi would. Hence, it's a cgi. So, with that in
mind, without Net::LDAPapi installed, you will not be able to execute these
cgis. Perl will exit saying it can't find the module you are trying to include.

Puzzles me how you don't have a file with that name.

[root@web1 cgi-bin]# grep Net *
RAServer:use Net::LDAPapi;
RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael
Bell
Sent: Tuesday, July 31, 2001 4:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] No Net::LDAPapi necessary


Kevin Elliott wrote:
>
> Michael,
>
> Thanks for the clarification. Although, the cgi still requires
> Net::LDAPapi so I'm assuming you have sub/includes still?

I can't find Net::LDAPapi on my machine (I search via find / -name
"*LDAP*" -print). What do you mean with "the cgi"?

Cheers,

Michael
--

Michael Bell                    Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter      Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin   Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6              Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                         [OpenCA Core Developer]

http://openca.sourceforge.net





RE: [Openca-Users] No Net::LDAPapi necessary

2001-07-30 Thread Kevin Elliott

Michael,

Thanks for the clarification. Although, the cgi still requires Net::LDAPapi
so I'm assuming you have sub/includes still?

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael
Bell
Sent: Monday, July 30, 2001 5:31 AM
To: [EMAIL PROTECTED]
Subject: [Openca-Users] No Net::LDAPapi necessary


Hi,

I have to apologize to all the people who asked for Net::LDAPapi for the
completely wrong answers.

There is a big difference between Net::LDAP and Net::LDAPapi. OpenCA uses
Net::LDAP and NOT Net::LDAPapi. So please install Net::LDAP (>=v0.22)
and all should work fine. (I realized my mistake only when I saw the
version numbers of Net::LDAPapi.)

Sorry for wasting your time :-(

Cheers,

Michael
--

Michael Bell                    Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter      Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin   Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6              Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                         [OpenCA Core Developer]

http://openca.sourceforge.net





RE: [Openca-Users] Net::LDAPapi Module compile fails

2001-07-30 Thread Kevin Elliott

To all regarding this issue, that perl problem was solved 20 minutes after
I faced the problem by simply relinking /usr/local/bin/perl to a 5.003
version as I stated before. The "na" problem went away. There were still
pointer dereferencing issues that showed up everywhere. It was finally
solved by using OpenLDAP 1.2.2 instead of 2.0.1. I'm guessing there are some
changes in 2.0.1 from 1.2.2, more specifically, things like void pointers
in front of integer definitions, and the like, instead of raw integers.

So, I thankfully got that part working. Only thing now, is I can't get a
certificate approved now. I click the approve, and then it shows me the
same page with no fields, and just text for the cert details, and has
the approve button. Very odd.

-Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of root
Sent: Monday, July 30, 2001 3:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails


Kevin Elliott wrote:
>
> Robert,
>
> Thanks for the assistance. Unfortunately, that post did not help and was
> slightly unrelated. In that post, a variable "na" was not defined. In my
> particular case, it's very different. I've tried 1.42 and 1.43 of
> Net::LDAPapi as well. Both with the same results. I have also tried using
> just Perl 5.003, and 5.6.
>
> Anyone else know what's wrong?
>
> -Kevin Elliott
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Robert
> Hannemann
> Sent: Friday, July 27, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails
>
> Hi Kevin,
>
> i´ve found a mail in the openssl mailinglist - hope this will help ...
>
>
> http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/28/msg00377.html
>
> Regards,
>
> Robert
>
> Kevin Elliott wrote:
> >
> > Greetings,
> >
> > I've been attempting to install the Net::LDAPapi perl module, but there
> > are some conflicts and problems with the libs and includes for OpenLDAP
> > 2.0.1. Any ideas? I'm including the compile log.
> >
> > Thanks,
> >
> > Kevin
> >
> > Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>
> >
> > Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
> >  (default: /usr/local/bin/perl)?
> >
> > Select your Development Kit:
> >   1.  Netscape (default)
> >   2.  University of Michigan
> >   3.  ISODE (compiled with LDAP)
> > Choose: 2
> > Location of LDAP Include Files (default: /usr/include):
> > Location of LDAP Library Files (default: /usr/lib):
> > Using Kerberos for Authentication (default: n)?
> > Checking if your kit is complete...
> > Looks good
> > Writing Makefile for Net::LDAPapi
> > mkdir blib
> > mkdir blib/lib
> > mkdir blib/lib/Net
> > mkdir blib/arch
> > mkdir blib/arch/auto
> > mkdir blib/arch/auto/Net
> > mkdir blib/arch/auto/Net/LDAPapi
> > mkdir blib/lib/auto
> > mkdir blib/lib/auto/Net
> > mkdir blib/lib/auto/Net/LDAPapi
> > mkdir blib/man3
> > cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
> > AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
> > /usr/local/bin/perl constant.gen >constant.h
> >
>
/usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5
> > /5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp  -typemap
> > /usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs
>
> > LDAPapi.xsc && mv LDAPapi.xsc LDAPapi.c
> >
cc -c  -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2
>
>-DVERSION=\"1.42\" -DXS_VERSION=\"1.42\" -fpic -I/usr/local/lib/perl5/5
> .6
> > .0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
> > In file included from LDAPapi.xs:21:
> > ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
> > /usr/include/ldap.h:88: warning: this is the location of the previous
> > definition
> > ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
> > /usr/include/ldap.h:89: warning: this is the location of the previous
> > definition
> > ldap_compat.h:16: warning: `LDAP_OPT_TIMELIMIT' redefined
> > /usr/include/ldap.h:90: warning: this is the location of the previous
> > definition
> > ldap_compat.h:17: warning: `LDAP_OPT_REFERRALS' redefined
> > /usr/include/ldap.h:92: warning: this is the location of the previous
> > definition
> > ldap_compat.h:19: warning: `LDAP_OPT_ON' redefined
> > /usr/inc

RE: [Openca-Users] Net::LDAPapi Module compile fails

2001-07-27 Thread Kevin Elliott

Robert,

Thanks for the assistance. Unfortunately, that post did not help and was
slightly unrelated. In that post, a variable "na" was not defined. In my
particular case, it's very different. I've tried 1.42 and 1.43 of
Net::LDAPapi as well. Both with the same results. I have also tried using
just Perl 5.003, and 5.6.

Anyone else know what's wrong?

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Robert
Hannemann
Sent: Friday, July 27, 2001 3:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails


Hi Kevin,

i´ve found a mail in the openssl mailinglist - hope this will help ...

http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/28/msg00377.html

Regards,

Robert


Kevin Elliott wrote:
>
> Greetings,
>
> I've been attempting to install the Net::LDAPapi perl module, but there
> are some conflicts and problems with the libs and includes for OpenLDAP
> 2.0.1. Any ideas? I'm including the compile log.
>
> Thanks,
>
> Kevin
>
> Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>
>
> Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
>  (default: /usr/local/bin/perl)?
>
> Select your Development Kit:
>   1.  Netscape (default)
>   2.  University of Michigan
>   3.  ISODE (compiled with LDAP)
> Choose: 2
> Location of LDAP Include Files (default: /usr/include):
> Location of LDAP Library Files (default: /usr/lib):
> Using Kerberos for Authentication (default: n)?
> Checking if your kit is complete...
> Looks good
> Writing Makefile for Net::LDAPapi
> mkdir blib
> mkdir blib/lib
> mkdir blib/lib/Net
> mkdir blib/arch
> mkdir blib/arch/auto
> mkdir blib/arch/auto/Net
> mkdir blib/arch/auto/Net/LDAPapi
> mkdir blib/lib/auto
> mkdir blib/lib/auto/Net
> mkdir blib/lib/auto/Net/LDAPapi
> mkdir blib/man3
> cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
> AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
> /usr/local/bin/perl constant.gen >constant.h
>
/usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5
> /5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp  -typemap
> /usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs >
> LDAPapi.xsc && mv LDAPapi.xsc LDAPapi.c
> cc -c  -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2
>-DVERSION=\"1.42\" -DXS_VERSION=\"1.42\" -fpic -I/usr/local/lib/perl5/5
.6
> .0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
> In file included from LDAPapi.xs:21:
> ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
> /usr/include/ldap.h:88: warning: this is the location of the previous
> definition
> ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
> /usr/include/ldap.h:89: warning: this is the location of the previous
> definition
> ldap_compat.h:16: warning: `LDAP_OPT_TIMELIMIT' redefined
> /usr/include/ldap.h:90: warning: this is the location of the previous
> definition
> ldap_compat.h:17: warning: `LDAP_OPT_REFERRALS' redefined
> /usr/include/ldap.h:92: warning: this is the location of the previous
> definition
> ldap_compat.h:19: warning: `LDAP_OPT_ON' redefined
> /usr/include/ldap.h:151: warning: this is the location of the previous
> definition
> ldap_compat.h:20: warning: `LDAP_OPT_OFF' redefined
> /usr/include/ldap.h:152: warning: this is the location of the previous
> definition
> LDAPapi.xs: In function `av2modvals':
> LDAPapi.xs:95: `na' undeclared (first use in this function)
> LDAPapi.xs:95: (Each undeclared identifier is reported only once
> LDAPapi.xs:95: for each function it appears in.)
> LDAPapi.xs: In function `parse1mod':
> LDAPapi.xs:197: `na' undeclared (first use in this function)
> LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_option':
> LDAPapi.xs:385: dereferencing pointer to incomplete type
> LDAPapi.xs:386: dereferencing pointer to incomplete type
> LDAPapi.xs:387: dereferencing pointer to incomplete type
> LDAPapi.xs:389: dereferencing pointer to incomplete type
> LDAPapi.xs:390: dereferencing pointer to incomplete type
> LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_get_option':
> LDAPapi.xs:407: dereferencing pointer to incomplete type
> LDAPapi.xs:408: dereferencing pointer to incomplete type
> LDAPapi.xs:409: dereferencing pointer to incomplete type
> LDAPapi.xs:410: dereferencing pointer to incomplete type
> LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search':
> LDAPapi.xs:578: `na' undeclared (first use in this function)
> LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search_s':
> LDAPapi.xs:614: `na'

[Openca-Users] Net::LDAPapi Module compile fails

2001-07-26 Thread Kevin Elliott

Greetings,

I've been attempting to install the Net::LDAPapi perl module, but there are
some conflicts and problems with the libs and includes for OpenLDAP 2.0.1.
Any ideas? I'm including the compile log.

Thanks,

Kevin



Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>

Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
 (default: /usr/local/bin/perl)?

Select your Development Kit:
  1.  Netscape (default)
  2.  University of Michigan
  3.  ISODE (compiled with LDAP)
Choose: 2
Location of LDAP Include Files (default: /usr/include):
Location of LDAP Library Files (default: /usr/lib):
Using Kerberos for Authentication (default: n)?
Checking if your kit is complete...
Looks good
Writing Makefile for Net::LDAPapi
mkdir blib
mkdir blib/lib
mkdir blib/lib/Net
mkdir blib/arch
mkdir blib/arch/auto
mkdir blib/arch/auto/Net
mkdir blib/arch/auto/Net/LDAPapi
mkdir blib/lib/auto
mkdir blib/lib/auto/Net
mkdir blib/lib/auto/Net/LDAPapi
mkdir blib/man3
cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
/usr/local/bin/perl constant.gen >constant.h
/usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5
/5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp  -typemap
/usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs >
LDAPapi.xsc && mv LDAPapi.xsc LDAPapi.c
cc -c  -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2  
   -DVERSION=\"1.42\" -DXS_VERSION=\"1.42\" -fpic -I/usr/local/lib/perl5/5.6
.0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
In file included from LDAPapi.xs:21:
ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
/usr/include/ldap.h:88: warning: this is the location of the previous
definition
ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
/usr/include/ldap.h:89: warning: this is the location of the previous
definition
ldap_compat.h:16: warning: `LDAP_OPT_TIMELIMIT' redefined
/usr/include/ldap.h:90: warning: this is the location of the previous
definition
ldap_compat.h:17: warning: `LDAP_OPT_REFERRALS' redefined
/usr/include/ldap.h:92: warning: this is the location of the previous
definition
ldap_compat.h:19: warning: `LDAP_OPT_ON' redefined
/usr/include/ldap.h:151: warning: this is the location of the previous
definition
ldap_compat.h:20: warning: `LDAP_OPT_OFF' redefined
/usr/include/ldap.h:152: warning: this is the location of the previous
definition
LDAPapi.xs: In function `av2modvals':
LDAPapi.xs:95: `na' undeclared (first use in this function)
LDAPapi.xs:95: (Each undeclared identifier is reported only once
LDAPapi.xs:95: for each function it appears in.)
LDAPapi.xs: In function `parse1mod':
LDAPapi.xs:197: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_option':
LDAPapi.xs:385: dereferencing pointer to incomplete type
LDAPapi.xs:386: dereferencing pointer to incomplete type
LDAPapi.xs:387: dereferencing pointer to incomplete type
LDAPapi.xs:389: dereferencing pointer to incomplete type
LDAPapi.xs:390: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_get_option':
LDAPapi.xs:407: dereferencing pointer to incomplete type
LDAPapi.xs:408: dereferencing pointer to incomplete type
LDAPapi.xs:409: dereferencing pointer to incomplete type
LDAPapi.xs:410: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search':
LDAPapi.xs:578: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search_s':
LDAPapi.xs:614: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search_st':
LDAPapi.xs:660: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_msgid':
LDAPapi.xs:747: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_msgtype':
LDAPapi.xs:757: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_get_lderrno':
LDAPapi.xs:769: dereferencing pointer to incomplete type
LDAPapi.xs:770: dereferencing pointer to incomplete type
LDAPapi.xs:771: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_lderrno':
LDAPapi.xs:787: dereferencing pointer to incomplete type
LDAPapi.xs:788: dereferencing pointer to incomplete type
LDAPapi.xs:789: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_rebind_proc':
LDAPapi.xs:1016: warning: passing arg 2 of `ldap_set_rebind_proc' from
incompatible pointer type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_url_parse':
LDAPapi.xs:1137: `sv_undef' undeclared (first use in this function)
make: *** [LDAPapi.o] Error 1

