As described in Figure 4-1, OpenCA normally needs three unique servers to be installed. However, this would make the software less accesible. Thus, we shall describe how one can install all the components on a single server.
We shall assume the character of Woody Allen in the movie Bananas, where, while he was on trial in the court, he was assuming both the roles of the defendant and the laywer by switching places quickly.
First, we should see what software components we are going to install and on which server we should install them.
Table 6-1. Software installation matrix
| Software | CAServer | RAServer | RAOperator |
|---|---|---|---|
| Perl Generic modules | ✓ | ✓ | ✓ |
| OpenCA Perl modules | ✓ | ✓ | • |
| WWW Server | ✓ | ✓ | ✓ |
| SSL/TSL module | ✓ | ✓ | ✓ |
| LDAP Server | • | • | ✓ |
| OpenSSL | • | • | • |
Note: We must say that the above table is not final and is subject to change as the project evolves.
Using the above table, you may proceed with the installation, as described in the following chapters. Keep in mind that if you are doing an all–in–one installation, that is, all the servers on a single workstation, then you do not need to install the same software component multiple times or in different directories. If there is a special configuration setting to be made in regard with this issue, it will be noted.
It is recommended that the software components to be installed with the suggested sequence.
Information about how to find the latest version of a Perl module can be found at Appendix A.
Note: These Perl modules have to be installed in the sequence shown because of certain dependencies. However, if you make a mistake with the sequence, you will get an informative error that will indicate which module was skipped.
Convert::BER is a perl object class implementation to encode and decode objects as described by ITU-T standard X.209 (ASN.1) using Basic Encoding Rules (BER). The filename is Convert-BER-1.26.tar.gz
MIME::Base64 and MIME::QuotedPrint provide a base64 encoder/decoder and a quoted-printable encoder/decoder. These encoding methods are specified in RFC 2045 – MIME (Multipurpose Internet Mail Extensions). The filename is MIME-Base64-2.11.tar.gz
The URI perl object class provides functionality regarding the Uniform Resource Identifier, as specified in RFC 2396. The filename is URI-1.04.tar.gz
The Digest::* perl object class provides implementations for the MD5 (RFC 1321), MD2 (RFC 1319) and SHA-1 (FIPS PUB 180-1) hash functions. Also, an implementation of the HMAC (RFC 2104) MAC function is provided. The filename is Digest-MD5-2.09.tar.gz
perl-ldap provides access to LDAP servers. A requirement to install it is to already have Convert::BER installed on your system. The filename is perl-ldap-0.13.tar.gz
I have the idea the this and the above have overlapping functionality. The filename is Net-LDAPapi-1.42.tar.gz
The OpenCA–specific modules can be found at either at CPAN or at the OpenCA WWW site.
The functionality of these perl modules is not entirely OpenCA–specific. In general, they help to parse configuration files.
This perl module is used in order to access the configuration files of OpenCA. Currently, the configuration files are
ca.conf
raserver.conf
secure.cnf
This perl module provides access to configuration variables that can have three states. It is used to ease the access to the OpenCA configuration files. The filename is OpenCA-TRIStateCGI-1.02.tar.gz
This is described in three major sections, the installation of the CAServer, the RAServer and the RAOperator(s).
The installation procedure involves setting up the configuration files, copying the HTML pages to the appropriate directories and finally adding the CGI scripts in the corresponding directories.
This is the installation of the Certification Authority. Please refer to Figure 4-1 for more information.
It is assumed that you have uncompressed and untarred the OpenCA software with the following command.
root# tar xvfz OpenCA-0.2.0.tar.gz
To install the software, enter the directory created (OpenCA-0.2.0) and type
root# make install-ca
Use the following parameters when installing the OpenCA component for the CAServer.
Table 6-2. CAServer installation parameters
| Parameter | Value |
|---|---|
| OpenSSL installation directory | /usr/local/ssl |
| Base directory for CAServer | /usr/local/RAServer |
| Webserver user | nobody.nobody |
| Use found OpenSSL command | Y |
| Continue installation | yes |
| Edit openssl.cnf | Check the section called openssl.cnf configuration for OpenCA in Appendix C |
Subsequently, to install the WWW pages that accompany the CAServer do
root# make install-ca-web
Table 6-3. RAServer WWW Server installation parameters
| Parameter | Value |
|---|---|
| HTML pages directory | /usr/local/apache/htdocs/ca |
| CGI directory | /usr/local/apache/cgi-bin |
| Continue installation | yes |
Finally, follow the instructions from the WWW pages to initialise the CAServer by creating the CA private key and certificate.
This is the installation of the Registration Authority. Please refer to Figure 4-1 for more information.
Note: The RAServer is supposed to be installed on a separate system than the CAServer. Furthermore, it is assumed that the steps that led to the installation of the CAServer will have to be duplicated to create the RAServer. However, for limited testing purposes, all of them could be installed on the same system.
It is assumed that you have uncompressed and untarred the OpenCA software with the following commands.
root# tar xvfz OpenCA-0.2.0.tar.gz
To install the RAServer software, enter the directory created (OpenCA-0.2.0) and type
root# make install-raserver
root# make install-raserver-web
You can use the following parameters when installing the OpenCA component for the RAServer.
Table 6-4. RAServer installation parameters
| Parameter | Value |
|---|---|
| OpenSSL installation directory | /usr/local/ssl |
| Base directory for RAServer | /usr/local/RAServer |
| Webserver user | nobody.nobody |
| Use found OpenSSL command | Y |
| Continue installation | yes |
Table 6-5. RAServer WWW Server installation parameters
| Parameter | Value |
|---|---|
| HTML pages directory | /usr/local/apache/htdocs/ra |
| CGI directory | /usr/local/apache/cgi-bin |
| Continue installation | yes |
This is the installation of the RA Operator. Please refer to Figure 4-1 for more information.
It is assumed that you have uncompressed and untarred the OpenCA software with the following commands.
root# tar xvfz OpenCA-0.2.0.tar.gz
To install the software, enter the directory created (OpenCA-0.2.0) and type
root# make install-secure
Note: Again, the RAOperator is supposed to be installed on a separate system other than the CAServer and the RAServer. Furthermore, it is assumed that the steps that led to the installation of the CAServer and the RAServer will have to be duplicated to create the RAOperator. However, for limited testing purposes, both of them could be installed on the same system. We must say that installing the CAServer, the RAServer and the RAOperators on the same system, will make it rather difficult to use and probably error-prone in the testing.
Table 6-6. RAOperator WWW Server installation parameters
| Parameter | Value |
|---|---|
| HTML pages directory | /usr/local/apache/htdocs/rao |
| CGI directory | /usr/local/apache/cgi-bin |
| Continue installation | yes |
Installation of the WWW server and the SSL/TLS WWW Server component. This will be a rather lengthly procedure, unless you manage to find RPM files. This software can be found at the section called Software packages in Chapter 5. Support information can be found at Chapter 7.
A fairly independant step is the installation of the LDAP software. This is usually installed on a RAOperator. Recommended LDAP software can be found at the section called Software packages in Chapter 5. For support information, please see Chapter 7.