Thanks Alex and Sergei!

I did as you suggested, updating to OpenXPKI-0.9.1206.
I had originally avoided this release as it seems the version of openssl-devel 
that comes standard with Redhat EL5 doesn't work with this build (missing 
ec.h).
After installing the new version of OpenXPKI it still didn't work, but I have 
included a patch which seems to solve the problem with issuing certificates.  
What follows are my notes on installing, and at the end is the patch.  I hope 
this helps some people, and perhaps you guys in finishing that documentation 
:)  One thing I noticed is you seem to have missed Apache::Request and 
Config::Std in your perl module dependency checks.  
All of these commands are run as root, then I had to set ownership back to 
openxpki for a few things.

So here it is...

Howto Install OpenXPKI on a fresh Redhat EL5 x86_64 Xen instance with only a 
few perl modules installed at the start.

tar vzxf openssl-0.9.8g.tar.gz
 cd openssl-0.9.8g
yum -y install gcc
./config shared; make; make install
ln -s /usr/local/ssl/lib/libcrypto.so.0.9.8 /lib64/

tar vzxf OpenXPKI-0.9.1206.tar.gz
cd OpenXPKI-0.9.1206
yum -y install expat-devel gettext

perl -MCPAN -e shell, setup perl

perl -MCPAN -e shell, 'install CGI::Session Class::Std DBI Data::Password 
Date::Parse DateTime Digest::SHA1 Exception::Class IO::Prompt IPC::ShareLite 
Locale::TextDomain Log::Log4perl Mail::RFC822::Address Net::IP Net::LDAP 
Net::Server Params::Validate Proc::ProcessTable Regexp::Common Sys::SigAction 
Template Test::Pod Test::Pod::Coverage  Text::CSV_XS Workflow 
XML::Filter::XInclude XML::Parser XML::SAX XML::SAX::PurePerl XML::SAX::Writer 
XML::Simple XML::Validator::Schema'

cd ..
tar vzxf OpenXPKI-Client-0.9.985.tar.gz 
cd OpenXPKI-Client-0.9.985
perl Makefile.PL; make; make install
cd ..
tar vzxf OpenXPKI-Client-HTML-Mason-0.9.1204.tar.gz 
cd OpenXPKI-Client-HTML-Mason-0.9.1204

perl -MCPAN -e shell, install Data::SpreadPagination HTML::Mason 
HTTP::Server::Simple::Mason Test::HTTP::Server::Simple WWW::Mechanize
perl Makefile.PL; make; make install
cd ..
tar vzxf apache_1.3.37.tar.gz
tar vzxf mod_perl-1.0-current.tar.gz 
 cd mod_perl-1.30
ln -s /usr/lib64/libgdbm.so.2 /usr/lib64/libgdbm.so
perl Makefile.PL APACHE_SRC=../apache_1.3.37/src DO_HTTPD=1 USE_APACI=1 EVERYTHING=1
make; make install
cd ..
cd apache_1.3.37
make; make install
enable mod_perl, mason by adding this to httpd.conf
PerlAddVar MasonDataDir  "/usr/var/openxpki"
PerlAddVar MasonCompRoot "/usr/local/apache/htdocs"
PerlAddVar MasonAllowGlobals "$context"
PerlAddVar MasonAllowGlobals "%session_cache"

# Serve these requests through Mason.
<LocationMatch "\.html$">
  SetHandler perl-script
  PerlHandler OpenXPKI::Client::HTML::Mason::ApacheHandler
</LocationMatch>
# this is necessary to make internet explorer happy because it does not understand content types
<LocationMatch "\.crt$">
  SetHandler perl-script
  PerlHandler OpenXPKI::Client::HTML::Mason::ApacheHandler
</LocationMatch>

# Hide private components from users.
<LocationMatch "(handler|mhtml)$">
  Order allow,deny
  Deny from all
</LocationMatch>

# you have to set the locale prefix, the location of the socket file and
# the session directory using environment variables
SetEnv OPENXPKI_SOCKET_FILE /usr/var/openxpki/openxpki.socket
SetEnv OPENXPKI_LOCALE_PREFIX /usr/share/locale
SetEnv OPENXPKI_MASON_SESSION_DIR /usr/var/openxpki/session

 /usr/local/apache/bin/apachectl start
verify that mod_perl shows up in httpd version line, then continue...

tar vzxf openxpki-deployment-0.9.1207.tar.gz
cd openxpki-deployment
perl -MCPAN -e shell, install Config::Std
make; adduser openxpki; make install
openxpkiadm deploy
cd ..
yum -y install mysql-server mysql
/etc/init.d/mysqld start
set mysqld password
create database openxpki
openxpki-configure --createdirs
database setup to point to  MySQL, openxpki database
add apache user nobody to openxpki group
chmod -R g+w /usr/var/openxpki/

openxpkiadm initdb
openxpkiadm key generate --realm I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA --group default
openssl req -new -x509 -extensions v3_ca -key /usr/etc/openxpki/ca/testdummyca1/cakey.pem -out cacert.pem -days 720
openxpkiadm certificate import --file cacert.pem
openxpkiadm certificate alias --config /usr/etc/openxpki/config.xml --realm I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA --alias testdummyca1 --identifier 4LK01bn3X-udfOontW5Afddhjvw

perl -MCPAN -e shell, install Apache::Request
make httpd.conf setting to run apache as group openxpki (could have just added 
nobody to the web server group..)
tar vzxf openxpki-i18n-0.9.1204.tar.gz
cd openxpki-i18n-0.9.1204; make; make install

openxpkictl start

login as CA, unlock CA key using password set during key generation
login as aUser, create a CSR
login as RA sign CSR, get this error:
2008/02/07 08:40:57 Workflow.ERROR Caught exception from action: 
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => 
OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert; __ERRVAL__ => 
I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_ISSUE_CERT_KEYFILE_DOES_NOT_EXIST; reset 
workflow to old state 'PREPARED'
2008/02/07 08:40:57 Workflow.ERROR Caught exception from action: 
I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_FORKING;
 __EVAL_ERROR__ => 
I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_TOOLS_FORKWORKFLOWINSTANCE_ERROR_EXECUTING_ACTIVITY;
 __STATE__ => ; __EVAL_ERROR__ => I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; 
__COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_cert; 
__ERRVAL__ => 
I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_ISSUE_CERT_KEYFILE_DOES_NOT_EXIST; reset 
workflow to old state 'SPAWNING_CERT_ISSUANCE'

change ENGINE to OPENXPKI in 
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/OpenXPKI/Crypto/Backend/OpenSSL/Command/issue_cert.pm
aka patch like this:
[EMAIL PROTECTED] openxpki]# diff -u /tmp/issue_cert.pm 
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/OpenXPKI/Crypto/Backend/OpenSSL/Command/issue_cert.pm
--- /tmp/issue_cert.pm  2008-02-07 08:42:45.000000000 -0600
+++ 
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/OpenXPKI/Crypto/Backend/OpenSSL/Command/issue_cert.pm
    2008-02-07 08:43:49.000000000 -0600
@@ -51,7 +51,7 @@
             message => 
"I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_ISSUE_CERT_MISSING_KEYFILE");
     }
     my $key_store = $self->{ENGINE}->get_key_store();
-    if ( (uc($self->{TOKEN_TYPE}) ne 'CA') or ($key_store ne 'ENGINE'))
+    if ( (uc($self->{TOKEN_TYPE}) ne 'CA') or ($key_store ne 'OPENXPKI'))
     {
         if (not -e $self->{KEYFILE})
         {
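Review bot: the changed comparison on `$key_store` decides whether the `-e $self->{KEYFILE}` check in the block below runs at all; with `ne 'OPENXPKI'`, a CA token whose key store is OPENXPKI now skips that check, while a CA token whose key store is ENGINE now has to pass it. Is that the intent, or does it only silence the KEYFILE_DOES_NOT_EXIST error? `-e` is also false when the file cannot be stat'ed, and the notes right after this patch report a permission-denied on cakey.pem that was fixed with chown, so the error may have come from ownership rather than from this condition. Suggest retesting with the original `'ENGINE'` comparison once the chown is in place before keeping this change.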

Trying again will give permission denied on cakey.pem's location, since it was 
created as root; change the permissions to actually make the key usable by 
openxpki:
chown -R openxpki:openxpki /usr/etc/openxpki

Again login as aUser, create a second CSR, login as RA.

Then signing CSRs worked!  Altogether a fascinating project, I hope this 
patch helps you guys.

-Nate
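
A check for the key file after the `chown` and group changes in the notes above, as an added example that is not part of the original post or of OpenXPKI. Because the notes run Apache with the openxpki group, group bits on the CA key and on its directory matter; the function name `check_key_perms` is hypothetical and GNU `stat -c` is assumed.

```shell
# Added example (not from the original post): audit a CA private key file.
# Assumes GNU stat (stat -c), as shipped with Linux coreutils.
# Usage: check_key_perms /path/to/cakey.pem expected_owner
# Returns 0 when clean, 1 when a finding was printed, 2 when the path
# is missing or cannot be reached by the calling user.
check_key_perms() {
    key=$1
    want_owner=$2
    rc=0

    # -e is false both for a missing file and for one whose parent
    # directory the caller may not search, so report the two together.
    if [ ! -e "$key" ]; then
        echo "UNREACHABLE: $key (missing, or no permission to stat it)"
        return 2
    fi

    owner=$(stat -c '%U' "$key")
    mode=$(stat -c '%a' "$key")
    dir=$(dirname "$key")
    dir_mode=$(stat -c '%a' "$dir")

    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $key owned by $owner, expected $want_owner"
        rc=1
    fi
    # Any group/other bit on the key exposes it beyond the owner.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE: $key is $mode, group/other bits set"
        rc=1
    fi
    # A group- or world-writable directory lets others replace the key.
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "DIRMODE: $dir is $dir_mode, writable by group/other"
        rc=1
    fi
    return $rc
}
```

Run it as the user the daemon runs as, for example `check_key_perms /usr/etc/openxpki/ca/testdummyca1/cakey.pem openxpki`, so that an UNREACHABLE result reflects what the server itself would see.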



----- Original Message -----
From: "Alexander Klink" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Wednesday, February 6, 2008 2:19:22 AM (GMT-0600) America/Chicago
Subject: Re: [OpenXPKI-users] openxpki stuck at APPROVAL state when signing a 
CSR

Hi Nathan,

On Tue, Feb 05, 2008 at 09:32:16AM -0600, Nathan Yehle wrote:
> I have it installed, and everything looks great 
Glad to hear that ...

> but when I login as external dynamic "someUser", password "User", issue a 
> CSR, and then login as "someRA" password "RA Operator" and try signing the 
> certificate, the web gui seems to just loop, flipping between "Certificate 
> Signing Request #2559 (APPROVAL)" and Certificate Signing Request: Approval 
> screens, when I click "Approve CSR with Signature" it just goes back to the 
> Certificate signing request (APPROVAL) screen, clicking "Approve CSR"  just 
> takes me back to the Signing request screen.  This seems to continue forever 
> no matter what I try...

As Sergei noted, your installation is a bit old. Contrary to the
behaviour on the live CD, the "old" usage was to approve the CSR and
then hit the "persist CSR" button, which would trigger the certificate
issuance. As this is (obviously :-) confusing, I combined the approval
and persisting in SVN revision 1129.
I'd suggest updating to the latest SVN revision to make sure you're up
to date.

HTH,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer
        [EMAIL PROTECTED] | working @ urn:oid:1.3.6.1.4.1.11417

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--- /tmp/issue_cert.pm	2008-02-07 08:42:45.000000000 -0600
+++ /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/OpenXPKI/Crypto/Backend/OpenSSL/Command/issue_cert.pm	2008-02-07 08:43:49.000000000 -0600
@@ -51,7 +51,7 @@
             message => "I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_ISSUE_CERT_MISSING_KEYFILE");
     }
     my $key_store = $self->{ENGINE}->get_key_store();
-    if ( (uc($self->{TOKEN_TYPE}) ne 'CA') or ($key_store ne 'ENGINE'))
+    if ( (uc($self->{TOKEN_TYPE}) ne 'CA') or ($key_store ne 'OPENXPKI'))
     {
         if (not -e $self->{KEYFILE})
         {
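Review bot: on the changed line `$key_store` is compared to a string literal as returned, while `TOKEN_TYPE` in the same condition goes through `uc()`, so a differently cased value from `get_key_store()` would silently fall into the key file check. Suggest normalising both sides the same way, and adding a short comment above the `if` naming the key store values `get_key_store()` can return and which of them are meant to bypass the `-e $self->{KEYFILE}` test.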