RE: [Openca-Users] Two-interface setup: problem with Import Configuration step

2004-09-20 Thread Damon Smith
Hi, I think I'll have a go at these.  You're only confused because (I
think) you're trying to set it up as two separate installs on the same
machine.  Read on:

On Tue, 2004-09-21 at 04:09, Kevin wrote:

> What do you mean by "backup device"?  I was talking about these devices:
>   dataexchange_device_up
>   dataexchange_device_down
>   dataexchange_device_local
> 
> Is one of these the "backup device"?
dataexchange_device_local is a backup device.  It writes out all your
data to a local file, so you can restore everything *on that node* from
it later.

> Is that incorrect?
> 
> > So the entry looks like /floppy or /dev/hda4/openca/export
> 
> Again, not sure I follow.  Should it be /dev/fd0?  Or the mount point
> for /dev/fd0?  Or the mount point of some HDD partition (say,
> /mnt/testing mounted at /dev/hda4 in linux) followed by a path on that
> partition?
The dataexchange files are in a tar file, and tar can write to a file,
or it can write directly to a device.  It's nice using the floppy device
directly (/dev/fd0 or similar), but if you have to move the tarfile
around manually to import/export, you probably want to use a file
instead. (/var/dataexchange/data-up.tar or similar)
Also, there's the pre and post dataexchange, if you want to do cool
stuff like bring up a network interface, scp the data, then take it down
again.

> 
> Should the entries be identical for the config.xml files in both
> /usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc?  Or
> should they be different?
If you're running an ra and a ca on the same machine in different
directories, they'll need different settings in config.xml (mainly in
uncommenting the correct dataexchange sections for each)

> 
> Kevin seems to be writing about changing
> /usr/local/openca/OpenCA/etc/config.xml
>*^
> when he says to change the dataexchange_device_local to
> /usr/local/openra/openca/var/tmp/ra-local so I figured that this device
> should be set identically in both openca and openra config.xml files. 
> Is that incorrect?
Naah, I'd say you wanna backup the ca and ra to different files, so you
can restore them separately if one or the other fails.  Again, this is
confusing because you seem to have two separate installs on the same
machine.
> 
> 
> > For testing you should enter at all entrys at your side
> 
> I'm sorry.  Again, I'm not sure which entries you're referring to here. 
> The three devices above?  Or what you mean by, "at your side."
You need to be able to get data to and from the CA, for your particular
config.  If you have two machines, like me, the CA needs to send data
"down" and "local", and the RA needs to send data "up" and "local". 
There's no need to configure the others.  Anyway, you should have a go
at configuring a tar file export from the RA, doing an export, and
seeing if you can move the resulting tar file to the CA import file
location, and importing some requests.

> 
> > /tmp/openca/export (must be writeable by web server)
There's a point, if you move the files around manually as root, then try
to overwrite them with openca (running as apache or httpd) it might crap
out, (it'll say at the bottom of the dataexchange results html page) so
you have to delete the old dataexchange file.
> 
> So, for both config.xml files, set all three (total of 6 devices: 2
> files each with three devices?) to the same file (in say the /tmp
> directory---or wherever the web server user can write to)?
> 
> > for example. Then you export the conf of the ca and the import on ra.
> > That should work then ;)
> > 
> 
> Kevin's cookbook never says to export the configuration of the ca
> (unless I missed it?).  How do I do that?
You can export the configuration of the CA to the RA, once you have
dataexchange all working.  What this does (as far as I know) is export
things like access control lists, role based authentication.. basically
which roles and users are allowed to do what.

> But I don't see exactly how to do so in the guide (perhaps because it
> should be intuitively obvious to me (sorry if I'm slow on the uptake
> here...)
No this took me a while (and some dumb emails) to get my head around
too.  It's like I said above.  The CA *setup* menu has a link for doing
a one off data exchange to a lower level, to make it simple. 
It's nice, but you don't have to use it, you can just use the node menu
and "enroll" all data to a lower level.  When you import that on your
RA, the RA will get the CA cert, the RBAC, the initial admin user cert
and key, (which you need for _funky_ x509 logins)

> I'm not even certain of the language here as relates to the "lower
> level" of the hierarchy or the "higher level."  Is the offline CA a
> higher level in the hierarchy than the online RA when both services are
> being handled by the same computer?
Now here's that old problem again.  If you run the CA and the RA on the
same machine, they should be the same server, all configured and run
from one dire

[Openca-Users] OT - Good Reserach Centers for PKI in Europe

2004-09-20 Thread Jean Everson Martina
Hi all,
	Sorry for the OT, but I was researching all day long over the web about
places in Europe that do research in PKI stuff. I'm currently
working on the development of an HSM for CA integration. And I want to
share some ideas with people in Europe about this.


Jean





RE: [Openca-Users] Two-interface setup: problem with ImportConfiguration step

2004-09-20 Thread Til Obes
A very long email ;)
I did not read it all, so this is just a first small answer.
The dataexchange devices were introduced at rc5 (?) in the config.xml.
They were before in the server conf files.

Insert for all values of the various dataexchange devices, for example,
/tmp/openca/export.
Then do a touch /tmp/openca/export.
Make it chmod 777.
REMEMBER it is only for testing, for a live system you have to think about
security.

When you have initialized your ca and made your various certificates, you
normally do "export configuration to lower level".

Then a tar archive is made at /tmp/openca/export.
Then you import this tar file on the lower level (ra).

When you have different machines (offline ca) you have to move that file
to the location of the lower level.

That's why I posted a floppy drive or a zip drive.

But when you have all on one machine, do it like I said and you will see it
will work.

Regards til
Ps: gn8 ;)


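Til's "chmod 777" for testing, the "(must be writeable by web server)" note, and Damon's point that a tar file moved around by hand as root can no longer be overwritten by OpenCA running as apache or httpd all come down to one permission question. The block below is an added example, not OpenCA's own code: a pre-flight check for a configured dataexchange device path that, given the uid/gid the web server runs as, reports whether tar will be able to create or overwrite the file, and flags world-writable entries as acceptable only on a test box. The demo() scenario (the file name ra-up.tar, a file created with mode 0644 by the current user, and "some other uid" standing in for the web server account) is constructed for the example.

```python
"""Pre-flight check for an OpenCA dataexchange device path (added example)."""
import os
import stat
import tempfile


def _may_write(st, uid, gid, groups=()):
    """Classic POSIX permission check: would a process running as uid/gid
    (plus the supplementary groups given) get write access to the inode
    described by the stat result `st`?"""
    if uid == 0:                      # root bypasses the mode bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_device(path, uid, gid, groups=()):
    """Inspect the dataexchange device `path` as seen by the web server
    account uid/gid.  An existing file (or a /dev/fd0-style device node)
    must itself be writable so tar can overwrite it; a file that does not
    exist yet needs a writable parent directory.  Returns a dict with
    "ok" (bool), "problems" (fatal) and "warnings" (testing-only setups)."""
    problems, warnings = [], []
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    if os.path.lexists(path):
        st = os.stat(path)
        if not _may_write(st, uid, gid, groups):
            problems.append(
                f"{path} exists, is owned by uid {st.st_uid} with mode "
                f"{oct(stat.S_IMODE(st.st_mode))} and is not writable by uid {uid}; "
                "delete it or chown it to the web server user before the next export")
        if st.st_mode & stat.S_IWOTH:
            warnings.append(f"{path} is world-writable: fine for a test box, not for a live system")
    else:
        try:
            pst = os.stat(parent)
        except FileNotFoundError:
            return {"ok": False, "problems": [f"{parent} does not exist"], "warnings": warnings}
        if not stat.S_ISDIR(pst.st_mode):
            problems.append(f"{parent} is not a directory")
        elif not _may_write(pst, uid, gid, groups):
            problems.append(f"{path} does not exist and uid {uid} cannot create it in {parent}")
        elif pst.st_mode & stat.S_IWOTH:
            warnings.append(f"{parent} is world-writable: fine for a test box, not for a live system")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


def demo():
    """Constructed scenario: the admin (current uid) drops ra-up.tar into
    place with mode 0644, then the same path is checked as a different
    uid/gid that stands in for apache/httpd.  Returns the results keyed
    by scenario name."""
    with tempfile.TemporaryDirectory() as d:      # created with mode 0700
        dev = os.path.join(d, "ra-up.tar")
        with open(dev, "wb") as f:
            f.write(b"constructed placeholder, not a real tar archive")
        os.chmod(dev, 0o644)
        st = os.stat(dev)
        me, my_gid = os.getuid(), os.getgid()
        other_uid, other_gid = st.st_uid + 1, st.st_gid + 1   # guaranteed not the owner
        missing = os.path.join(d, "missing.tar")
        results = {
            "admin_existing": check_device(dev, me, my_gid),
            "web_existing_0644": check_device(dev, other_uid, other_gid),
        }
        os.chmod(dev, 0o666)                      # the "chmod 777 for testing" state
        results["web_existing_0666"] = check_device(dev, other_uid, other_gid)
        results["web_missing"] = check_device(missing, other_uid, other_gid)
        results["admin_missing"] = check_device(missing, me, my_gid)
        return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against the real path from config.xml with the uid/gid of the web server user (for example the values `id -u apache` and `id -g apache` return, if the account is called apache) to see the same report OpenCA's dataexchange page would otherwise only hint at in its results footer.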


RE: [Openca-Users] Two-interface setup: problem with Import Configuration step

2004-09-20 Thread Kevin
On Mon, 2004-09-20 at 00:32, Til Obes wrote:
> > I suppose that some of the initialization steps may have depended upon
> > those values being set correctly.  What are the implications if they
> > were not set correctly during those first init steps?  Must I redo
> > everything?
> > 
> > It looks from the error message in the browser that there should
> > already be a /usr/local/openra/OpenCA/var/tmp/ca-down file (or perhaps
> > one in /usr/local/openca/OpenCA/var/tmp), but I find no ca-* or ra-*
> > files in either /usr/local/open[rc]a/OpenCA/var/tmp.  At what 
> > step is this archive
> > created during the initialization?
> > 
> > The OpenCA guide doesn't go into very much detail on these issues.
> > 
> > Can anyone offer a bit of configuration help?
> > 
> 
> Normally the backup device is a floppy disc or zip disc.

Thanks for your reply, Til, but I'm not sure that I understand.  Please
pardon my questions (that are probably dumb questions due to my lack of
experience with OpenCA):

What do you mean by "backup device"?  I was talking about these devices:
  dataexchange_device_up
  dataexchange_device_down
  dataexchange_device_local

Is one of these the "backup device"?

For a two-interface setup, Kevin Mitcham writes to change the default
settings as follows (in
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html):

=
modify the config.xml for the ra (located in
/usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:  < he's apparently writing about changes to the
   /usr/local/openca/openca/etc/config.xml file
   as opposed to openra/openca/etc/config.xml.
...
 
(these might not be in config.xml; if not, see below)
  dataexchange_device_up
  /usr/local/openca/openca/var/tmp/ca-up


  dataexchange_device_down
  /usr/local/openca/openca/var/tmp/ca-down


  dataexchange_device_local
  /usr/local/openra/openca/var/tmp/ra-local


if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"


line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
...
=

Is that incorrect?

> So the entry looks like /floppy or /dev/hda4/openca/export

Again, not sure I follow.  Should it be /dev/fd0?  Or the mount point
for /dev/fd0?  Or the mount point of some HDD partition (say,
/mnt/testing mounted at /dev/hda4 in linux) followed by a path on that
partition?

Should the entries be identical for the config.xml files in both
/usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc?  Or
should they be different?

Kevin seems to be writing about changing
/usr/local/openca/OpenCA/etc/config.xml
   *^
when he says to change the dataexchange_device_local to
/usr/local/openra/openca/var/tmp/ra-local so I figured that this device
should be set identically in both openca and openra config.xml files. 
Is that incorrect?


> For testing you should enter at all entrys at your side

I'm sorry.  Again, I'm not sure which entries you're referring to here. 
The three devices above?  Or what you mean by, "at your side."

> /tmp/openca/export (must be writeable by web server)

So, for both config.xml files, set all three (total of 6 devices: 2
files each with three devices?) to the same file (in say the /tmp
directory---or wherever the web server user can write to)?

> for example. Then you export the conf of the ca and the import on ra.
> That should work then ;)
> 

Kevin's cookbook never says to export the configuration of the ca
(unless I missed it?).  How do I do that?

In the guide, I see this:

1.1.5. Final setup


The last steps can also be done on the interface for the nodemanagement
but it is a good idea to do it during the initialization to get a
consistent state. The rebuild of the CA chain is necessary to verify
digital signatures correctly. If you want to setup a sub CA then you
must add all CA certificates of the CA chain in PEM format to the
directory OPENCADIR/var/crypto/chain/ before you rebuild the chain.


The really last step is the export of the configuration to the online
server(s). Most OpenCA users ignore this step and handle all the
communication between the different nodes of the PKI hierarchy via the
interface for the node management. If this is your first OpenCA usage
then you should export the configuration and import it into the online
server. ^^^

Re: [Openca-Users] rbac & generate a new rol

2004-09-20 Thread Michael Bell
Pedro Jossi wrote:
> I have openca 0.9.1.8
>
> Error 690
> Error de Configuración. Falta la Siguiente Clave de
> Configuración : OPENSSL_SAMPLE_EXT.

ca.conf should contain something like this:
OPENSSL_SAMPLE_EXT  "@etc_prefix@/openssl/sample-openssl.ext"
Michael
--
___
Michael Bell                Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482   ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704   Unter den Linden 6
[EMAIL PROTECTED]           D-10099 Berlin
___
---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


[Openca-Users] rbac & generate a new rol

2004-09-20 Thread Pedro Jossi



Hi all!
I have openca 0.9.1.8.

I have this error generating a new role...
How should I proceed?
Thanks,
PJ

Error 690

Error de Configuración. Falta la Siguiente Clave de Configuración : OPENSSL_SAMPLE_EXT.


Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-20 Thread Michael Bell
Kevin wrote:
>>> I'm at a loss here on how to proceed.  Reinstalling with the "-d" option
>>> removed from the INSTALL options in Makefile.global-vars doesn't help
>>> either.
>>
>> If you look at the fresh CVS HEAD files then you will see that I removed
>> -D -c from Makefile.global-vars(.in).
>
> Right, and I'd like to use your changes, but as I said, something's
> amiss in the config.xml area.  Apparently some others are seeing it
> too.  Did you try installing with no pre-existing directory structure?
> If so, I don't understand why make install-online and make
> install-offline are working for you (creating the config.xml file et
> al.) and not for me...

You must remove the complete etc-area before you start the installation.
If OpenCA detects a directory etc/ before the installation then nothing
will be installed. I tested the installation some minutes before again
and it works. Should I send you my complete test environment for
OpenBSD? It has a size of 154 kBytes plus a small description.

Michael


Re: [Openca-Users] OpenBSD: Cannot write to syslogdevice; Chroot httpd issue?

2004-09-20 Thread Michael Bell
Kevin wrote:
> But when I visit this page:
> Also check http://myhost.wherever.edu/pub
> I get only:
> Error addMessage failed for log slot sys_syslog (6511070). Cannot write
> to syslogdevice.
> General Error. 64510030.

I think you are missing a perl module. You can deactivate the syslog
logging by removing the relevant slot area in etc/log.xml (syslog is the
first slot).

> Initially, when I tried running apache in its chroot environment, I got
> other problems (after copying over files needed in chroot environment):
> OpenCA Error: Server is not online or does not accept requests
> (/usr/local/openra/OpenCA/var/tmp/openca_socket -
> /usr/local/openra/OpenCA/var/tmp/openca_socket ).
> This arises because the socket "openca_socket" was not copied over to
> the chroot environment when I copied over the /usr/local/open[rc]a
> directories.  To solve that problem, I modified the openca_start/stop
> script in /var/www/usr/local/openra/OpenCA/etc to use directories in the
> chroot environment, and that gets me the openca_socket socket, and it
> solves the problem with this socket error above, but how do I get the
> openca_xml_cache socket in /usr/local/openra/OpenCA/var/tmp?  Has anyone
> else done this?

The socket of the XML cache is defined in the file
src/common/lib/functions/initServer but this socket should not be
relevant for the chroot environment because the OpenCA server runs
outside of the chroot environment.

Michael