Initial State:

We were provided with a virtual machine (RHEL 5.3) ca.virt.sagrid.ac.za with which to repeat the OpenCA installation. The following packages were already installed:
httpd-2.2.3-22.sl5
mod_ssl-2.2.3-22.sl5
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
openldap-clients-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
openldap-2.3.43-3.el5
perl-5.8.8-18.el5
The repositories were set to the FNAL ones, so we changed them to point to the RHEL repos at mirror.ac.za: changed /etc/yum.repos.d/sl.repo and /etc/yum.repos.d/sl-security.repo. Performed an RPM update with yum update. Updated packages attached in text file.

Installation of packages needed by OpenCA

The prerequisites for OpenCA are listed at http://www.openca.org/~madwolf/ch03.html#id2481520. Note: we will be installing all relevant perl modules with CPAN, not with yum (rpms).
  • Authen::SASL : successful
  • CGI::Session : successful
  • Convert::ASN1 : successful
  • Digest::HMAC : already up to date
  • Digest::MD5 : successful
  • Digest::SHA1 : already up to date
  • Encode::Unicode : successful
  • IO::Socket::SSL : successful
  • ALERT! IO::stringy : could not find package
  • MIME::Base64 : already up to date
  • MIME::Lite : successful
  • ALERT! MIME-tools : could not find package
  • ALERT! MailTools : could not find package
  • ALERT! Net-Server : could not find package (not good...)
  • URI : successful
  • X500::DN : successful
  • XML::Twig : successful
  • Parse::RecDescent : successful
  • libintl-perl : could not find package (installed intltool instead, with yum); eventually found /G/GU/GUIDO/libintl-perl-1.16.tar.gz/, which was successful.
  • perl-ldap (installed perl-LDAP with yum)
See the attached file for the dependencies satisfied with the rpm packages.

OpenCA also needs a mysql server, which was successfully installed, along with the dependencies perl-DBD-mysql and perl-DBI.

Configuration and Installation

Configuration

The package was configured with ./configure --prefix=/opt/openca/ --with-dist-user=openca --with-httpd-user=openca --with-httpd-group=openca which ran successfully

Tests

Running make test resulted in errors in 3 tests out of 1555. See attached log file.

Installation

According to http://www.openca.org/~madwolf/ch03s03.html we ran:
  • make install-offline
  • make install-online
Both of these went fine, with only the problem of the install trying to change the permissions on the files to root:root (we want to keep them as openca:openca).

-- BruceBecker - 29 Apr 2009

-- TariraiChani - 12 May 2009

Edited /opt/openca/OpenCA/etc/config.xml (see attached file).

Copied /opt/openca/OpenCA/etc/config.xml to /home/openca/OpenCA-0.9.2.5/src/common/etc:

  • [openca@ca etc]$ cp /opt/openca/OpenCA/etc/config.xml .
    /bin/cp: overwrite `./config.xml'? y
    `/opt/openca/OpenCA/etc/config.xml' -> `./config.xml'

From /home/openca/OpenCA-0.9.2.5/src/common/etc ran ./configure_etc.sh, with the result:

  • [openca@ca etc]$ ./configure_etc.sh

-bash: ./configure_etc.sh: Permission denied

Re-Installation

A re-installation was conducted by TariraiChani and the following are the configurations:

For this instance, installation of OpenCA was done in /opt/Openca/ on ca.virt.sagrid.ac.za.

First install the RA

It was configured as follows:
  • > ./configure --prefix=/opt/Openca/openra --with-httpd-user=openca --with-httpd-group=openca --with-openca-prefix=/opt/Openca/openra/openca --with-etc-prefix=/opt/Openca/openra/openca/etc --with-httpd-fs-prefix=/opt/Openca/openra/httpd --with-module-prefix=/opt/Openca/openra/modules --with-node-prefix=ra-node --with-engine=no --with-web-host=localhost --enable-dbi --enable-rbac --with-hierarchy-level=ra 
  • make ; make install-online
Now for the CA. Configured as follows:
  • > ./configure --prefix=/opt/Openca/openca --with-httpd-user=openca --with-httpd-group=openca --with-openca-prefix=/opt/Openca/openca/openca --with-etc-prefix=/opt/Openca/openca/openca/etc --with-httpd-fs-prefix=/opt/Openca/openca/httpd --with-module-prefix=/opt/Openca/openca/modules --with-node-prefix=ca-node --with-engine=no --with-web-host=localhost --enable-dbi --enable-rbac --with-hierarchy-level=ca
  • make; make install-offline
  • create the DB: mysql -uroot -p mysql, then (the grants need the db.* form, a bare db name is read as a table name):
    create database openca;
    create database openra;
    grant all privileges on openca.* to openca identified by "openca";
    grant all privileges on openra.* to openra identified by "openra";
  • test the DB:
    mysql -uopenca -p
    use openca; show tables; (should return an empty set, as the DB is empty) exit;
    mysql -uopenra -p
    use openra; show tables; (should return an empty set, as the DB is empty) exit;
  • Be sure to start the SQL DB server with:
    service mysqld start
    Otherwise the following error will be encountered when starting mysql:
    [openca@ca OpenCA-0.9.2.5]$ mysql
    ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
  • Next, apache httpd.conf was edited as follows: in the script aliases section, add:
    # OpenCA Mods 
    # CA Aliases 
    Alias       /ca /opt/Openca/openca/httpd/htdocs/ca/ 
    Alias       /ca-node /opt/Openca/openca/httpd/htdocs/ca-node/ 
    ScriptAlias /cgi-bin/ca/ /opt/Openca/openca/httpd/cgi-bin/ca/ 
    ScriptAlias /cgi-bin/ca-node/ /opt/Openca/openca/httpd/cgi-bin/ca-node/ 
    # OpenCA Mods 
    # RA Aliases 
    Alias       /ra /opt/Openca/openra/httpd/htdocs/ra/ 
    Alias       /pub /opt/Openca/openra/httpd/htdocs/pub/ 
    Alias       /ra-node /opt/Openca/openra/httpd/htdocs/ra-node/ 
    ScriptAlias /cgi-bin/ra/ /opt/Openca/openra/httpd/cgi-bin/ra/
    ScriptAlias /cgi-bin/pub/ /opt/Openca/openra/httpd/cgi-bin/pub/
    ScriptAlias /cgi-bin/ra-node/ /opt/Openca/openra/httpd/cgi-bin/ra-node/
    # OpenCA Mods 
    <Directory "/opt/Openca/openca/httpd/cgi-bin/">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
    </Directory>
    
    <Directory "/opt/Openca/openra/httpd/cgi-bin/">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
    </Directory>
    
    <Directory "/opt/Openca/openca/httpd/htdocs/">
    AllowOverride None 
    Options FollowSymLinks Indexes 
    Order allow,deny 
    Allow from all
    </Directory>
    
    <Directory "/opt/Openca/openra/httpd/htdocs/">
    AllowOverride None 
    Options FollowSymLinks Indexes
    Order allow,deny 
    Allow from all
    </Directory>
    
    # OpenCA Mods 
    # adding dir to symlinks following for cert retrieval
    # not totally clear WHY openca puts a symlink here, but it did. 
    <Directory "/opt/Openca/openra/httpd/cgi-bin/pub"> 
    AllowOverride None 
    Options FollowSymLinks Indexes 
    Order allow,deny 
    Allow from all
    </Directory>
    

Be sure to comment out any existing ScriptAlias entries that may conflict with the ones entered. An important configuration here is in the SSL section of httpd.conf: the SSL variables must be exported to Perl by adding:

SSLOptions +StdEnvVars
If this is not done, the following error will be encountered when accessing the ra-node or the ca-node from the web browser:
Error 
Aborting connection - you are using a too short symmetric keylength (). 
General Error. 6251043.
Next, modify the config.xml for the RA (located in /opt/Openca/openra/openca/etc) and for the CA (located in /opt/Openca/openca/openca/etc).
  • for the CA: general options
    • ca_organization = CSIR
    • ca_locality = Pretoria
    • ca_country = South Africa
    • service_mail_account ->
    • dbmodule -> DBI (for the mysql database)
    • db_type -> mysql
    • db_name -> openca
    • db_host -> localhost
    • db_port -> 3306
    • db_user -> openca
    • db_passwd -> openca
  • configuration of absolute paths (usually done automatically by the installation)
  • dataexchange configuration
  • de-activate the default, by adding comment brackets
  • activate the mode, by removing comment brackets:
    • 1: node acts as CA only
    • 2: node acts as RA only
  • configuration of relative paths (used the paths generated by the installation)
<!-- these are the devices for the default dataexchange -->
(these might not be in config.xml; if not, see below)
<option>
<name>dataexchange_device_up</name>
<value>/opt/Openca/openca/openca/var/tmp/ca-up</value>
</option>
<option>
<name>dataexchange_device_down</name>
<value>/opt/Openca/openca/openca/var/tmp/ca-down</value>
</option>
<option>
<name>dataexchange_device_local</name>
<value>/opt/Openca/openra/openca/var/tmp/ra-local</value>
</option>

These are usually inserted during the installation. If the dataexchange device section is not in config.xml, go to /opt/Openca/openca/openca/servers and look at ca-node.conf.template and ca.conf.template (/opt/Openca/openca/openca/etc/servers/ca.conf.template). In these templates change the line
EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to
EXPORT_IMPORT_DOWN_DEVICE "/opt/Openca/openca/openca/var/tmp/ca-down"
and change the line
EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to
EXPORT_IMPORT_LOCAL_DEVICE "/opt/Openca/openra/openca/var/tmp/ra-local"
ra-node.conf.template needs similar updates; the RA IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE. Also important is to update items in /opt/Openca/openca/openca/etc/access_control (do a similar update for the RA):

  1. ca-node.xml.template : set to .* ; keylength 0
  2. ca.xml.template set to .* ; keylength 0
It is also important to insert the database password in /opt/Openca/openca/openca/etc/database/DBI.conf:
<openca>
<database_config>
<debug>0</debug>
<type>mysql</type>
<name>openca</name>
<host>localhost</host>
<port>3306</port>
<user>openca</user>
<passwd>openca</passwd>
<namespace></namespace>
<environment>
If this is not done, the following error will be encountered on openca_start:
Configuration error: Cannot initialize OpenCA::DBI class! The database returns errorcode 10075.
(The database passphrase is missing. There must be a database passphrase. (error 11111: Do not commit if the database or the module itself fails.))

Return to the RA etc dir /opt/Openca/openra/openca/etc and run the "magic script" configure_etc.sh. This script makes configuration files from the template(s). Then run openca_start. For any error relating to a missing .pm, locate the missing Perl module and add its path to the openca_start script with "use lib", e.g.
Error missing PKCS7.pm
Then do:
[openca@ca ~]$ locate PKCS7.pm  
/home/openca/OpenCA-0.9.2.5/src/modules/openca-pkcs7/PKCS7.pm
/home/openca/OpenCA-0.9.2.5/src/modules/openca-pkcs7/blib/lib/OpenCA/PKCS7.pm
/opt/Openca/openra/modules/perl5/OpenCA/PKCS7.pm
then in the openca_start script add:
use lib '/opt/Openca/openra/modules/perl5';
When the openca server is successfully started, use the browser to open a page on ca.virt.sagrid.ac.za/ra. Remember to start the webserver with /etc/init.d/httpd restart.
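Two of the requirements above (the RA up device must be the same file as the CA down device, and DBI.conf must carry a database passphrase) are easy to get wrong silently, so here is a small added check (not part of the original wiki page or of OpenCA) that reads the option entries of a config.xml and the passwd of DBI.conf. The sample fragments are constructed to mirror the paths used on this page.

```python
"""Added consistency check for the OpenCA settings described above (not part of
the original wiki page). It reads the <option><name/><value/></option> entries of
a config.xml and the <passwd> of DBI.conf; all sample fragments are constructed."""
import xml.etree.ElementTree as ET


def read_options(config_xml):
    """Return {name: value} for every <option> in a config.xml fragment."""
    root = ET.fromstring(config_xml)
    return {o.findtext("name", "").strip(): o.findtext("value", "").strip()
            for o in root.iter("option")}


def check_dataexchange(ca_xml, ra_xml):
    """List problems with the CA/RA data-exchange devices (empty list = OK).
    The CA's 'down' device is the file the RA reads as its 'up' device, so the
    two values must be identical, and neither may still be the /dev/fd0 default."""
    ca, ra = read_options(ca_xml), read_options(ra_xml)
    problems = []
    for side, opts, key in (("CA", ca, "dataexchange_device_down"),
                            ("RA", ra, "dataexchange_device_up")):
        dev = opts.get(key, "")
        if not dev:
            problems.append("%s: %s is not set" % (side, key))
        elif dev.startswith("/dev/fd"):
            problems.append("%s: %s still points at the floppy default %s" % (side, key, dev))
    if ca.get("dataexchange_device_down") != ra.get("dataexchange_device_up"):
        problems.append("RA up device %r differs from CA down device %r"
                        % (ra.get("dataexchange_device_up"), ca.get("dataexchange_device_down")))
    return problems


def check_dbi_passphrase(dbi_xml):
    """True when DBI.conf carries a non-empty <passwd> (else openca_start fails)."""
    pw = ET.fromstring(dbi_xml).findtext("database_config/passwd", "")
    return bool(pw.strip())


# Constructed sample fragments, mirroring the paths used on this page.
CA_CONFIG = """<openca><option><name>dataexchange_device_down</name>
<value>/opt/Openca/openca/openca/var/tmp/ca-down</value></option></openca>"""
RA_CONFIG_OK = """<openca><option><name>dataexchange_device_up</name>
<value>/opt/Openca/openca/openca/var/tmp/ca-down</value></option></openca>"""
RA_CONFIG_BAD = """<openca><option><name>dataexchange_device_up</name>
<value>/dev/fd0</value></option></openca>"""
DBI_CONF = """<openca><database_config><type>mysql</type><name>openca</name>
<host>localhost</host><port>3306</port><user>openca</user>
<passwd>openca</passwd></database_config></openca>"""
DBI_CONF_NOPASS = DBI_CONF.replace("<passwd>openca</passwd>", "<passwd></passwd>")
```

Run check_dataexchange against the real CA and RA config.xml contents and check_dbi_passphrase against DBI.conf before starting openca_start; an empty problem list and True mean the two error cases quoted above cannot occur.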

Next, switch dir to /opt/Openca/openca/openca/etc and run the "magic script" configure_etc.sh; that script makes configuration files from the template(s). Errors were encountered where the module OpenCA::OpenSSL could not be executed despite the fact that the latest version of the module was installed. To proceed, a manual re-installation of the module was done. This module was downloaded at: http://search.cpan.org/~madwolf/OpenCA-OpenSSL-0.9.91/OpenSSL.pod. For any other missing .pm errors, do the same as was done above for the RA openca_start. Use the browser to open a page on http://ca.virt.sagrid/ca and you should get a page. Also check http://ca.virt.sagrid/ca-node; if the pages work, openca is installed.

Initialization of OpenCA

To configure an installed/compiled OpenCA installation, connect to the CA: http://ca.virt.sagrid/ca

A series of tabs should be visible. Select General -> Initialization Phase I : Initialize the Certification Authority -> Initialize Database

  • initialization -> initialize DB
    • initialize phase 1 -> generate new secret key: des3 rsa 1024 ( 2048) (pwd set to protect the key)
    • initialize phase 1 -> generate new cert request:
      • Email: tchani@csirNOSPAM.co.za
      • common name: Tarirai Chani
      • Organizational Unit: Meraka
      • Organization: CSIR
      • Country: SA (NOTE: Using RSA may generate errors due to limitations in string characters specified in the config.xml template)
      • Password: Use password generated for CA key above
    • Self Signed CA Certificate (from already generated request): 730 days
    • Rebuild CA Chain
    • Phase II initialize
Topic attachments
  • FirstUpdateOfCa.virt.sagrid.ac.za.txt (19.0 K, 29 Apr 2009 - 10:41, BruceBecker): updated packages after changing repo information.
  • perlRequirementsForOpenCAinstalledWithYum.txt (10.2 K, 29 Apr 2009 - 11:23, BruceBecker): perl packages and requirements installed with yum.
  • resultOfOpenCAConfig.txt (11.8 K, 29 Apr 2009 - 11:28, BruceBecker): OpenCA configuration output and parameters.
Topic revision: r8 - 28 Jan 2010 - 13:21:05 - BruceBecker