OpenCA认证管理中心的构建

OpenCA认证管理中心的构建需要：–Perl5.6.1以上–MySQL–OpenSSL0.9.7以上–LDAPlibrary–Perlmodule：XML-Parser–Apache+mod_ssl打开VMware，选择：打开，指向目录到Fedora底下，打开虚拟机。启动虚拟机，进入Linux,使用root帐户，密码为：123456为防止IP地址冲突，我们最好修改虚拟机的IP地址ifconfigeth0本机IPifconfig/*查看本机IP启动mysql服务servicemysqldstart以root身份进入mysqlmysql–uroot–p输入密码openca创建openca数据库createdatabaseopenca;添加使用者的管理权限grantallprivilegesonopenca.*toopenca@127.0.0.1identifiedby“openca”;使用数据库opencauseopenca；显示数据库中的表，应该是：emptysetshowtables;退出mysqlexit;编辑/etc/httpd/conf下的httpd.conf文件在其头部加入下面的内容；#OpenCAMods#CAAliasesAlias/ca//usr/local/openca/httpd/htdocs/ca/Alias/ca-node//usr/local/openca/httpd/htdocs/ca-node/ScriptAlias/cgi-bin/ca//usr/local/openca/httpd/cgi-bin/ca/ScriptAlias/cgi-bin/ca-node//usr/local/openca/httpd/cgi-bin/ca-node/#OpenCAMods#RAAliasesAlias/ra//usr/local/openra/httpd/htdocs/ra/Alias/pub//usr/local/openra/httpd/htdocs/pub/Alias/ra-node//usr/local/openra/httpd/htdocs/ra-node/ScriptAlias/cgi-bin/ra//usr/local/openra/httpd/cgi-bin/ra/ScriptAlias/cgi-bin/pub//usr/local/openra/httpd/cgi-bin/pub/ScriptAlias/cgi-bin/ra-node//usr/local/openra/httpd/cgi-bin/ra-node/#OpenCAModsDirectory/usr/local/openca/httpd/cgi-bin/AllowOverrideNoneOptionsExecCGIOrderallow,denyAllowfromall/DirectoryDirectory/usr/local/openra/httpd/cgi-bin/AllowOverrideNoneOptionsExecCGIOrderallow,denyAllowfromall/DirectoryDirectory/usr/local/openca/httpd/htdocs/AllowOverrideNoneOptionsFollowSymLinksIndexesOrderallow,denyAllowfromall/DirectoryDirectory/usr/local/openra/httpd/htdocs/AllowOverrideNoneOptionsFollowSymLinksIndexesOrderallow,denyAllowfromall/Directory#OpenCAMods#addingdirtosymlinksfollowingforcertretrieval#nottotallyclearWHYopencaputsasymlinkhere,butitdid.Directory/usr/local/openra/httpd/cgi-bin/pubAllowOverrideNoneOptionsFollowSymLinksIndexesOrderallow,denyAllowfromall/Directory安装OpenCA进入文件夹/home/student/openca/打开openca-tool，编译安装./configure–enable-enginemakemakeinstall退回上一级，进入openca先安装RA服务，RA服务包括ra,pub,ra-node等--prefix=(指定RA目录）--with-openssl-prefix=(指定openssl位置)--with-module-prefix=(指定perl模块位置)--with-node-prefix=(指定RA服务器节点管理)--with-web-host=(指定服务器名称可使用IP或domainname)--with-httpd-user=(指定web资料夹用户)--with-httpd-group=(指定web资料夹组)--with-httpd-fs-prefix=(指定web资料夹位置)--with-engine=no--enable-ocspd(启动线上回应)--enable-dbi(启动数据库)--enable-rbac--with-hierarchy-level=ra(安装阶层)安装命令如下：./configure--prefix=/usr/local/openra--with-openssl-prefix=/usr/include/openssl--with-module-prefix=/usr/local/openra/modules--with-node-prefix=ra-node--with-httpd-user=apache--with-httpd-group=apache--with-httpd-fs-prefix=/usr/local/openra/httpd--with-engine=no--enable-ocspd--enable-dbi--enable-rbac--with-hierarchy-level=ra--with-web-host=本机IP命令选项之间由空格隔开makemakeinstall-onlineonline模式用于RA的安装CA包括ca,ca-node,CA服务的安装和RA相似，将上述配制命令中的ra均改为ca即可，而后使用offline模式安装，即：./configure--prefix=/usr/local/openca--with-openssl-prefix=/usr/include/openssl--with-module-prefix=/usr/local/openca/modules--with-node-prefix=ca-node--with-httpd-user=apache--with-httpd-group=apache--with-httpd-fs-prefix=/usr/local/openca/httpd--with-engine=no--enable-ocspd--enable-dbi--enable-rbac--with-hierarchy-level=ca--with-web-host=本机IPmakemakeinstall-offline安装完CA后检查一下perlmodules是否已经复制到该文件夹下，正常在/usr/local/openca/下即可看到modules文件夹，如果没有，从RA中复制过来：cd/usr/local/openracp–Rmodules/usr/local/openca/接下来进行组态设定，修改/usr/local/openra/OpenCA/etc/底下的config.xml文件!--generaloptions---ca_organization---CA/*设定组织名称ca_locality---LF/*设定地区名称ca_country---CN/*设定国家代码service_mail_account---yourname@domain.net/*管理者email!—databaseconfiguration---dbmodule---DBIdb_type---mysql/*设定数据库类别db_name---openca/*设定mysql数据库的名称db_host---127.0.0.1db_port---3306db_user---openca/*进入openca的帐户db_passwd---openca/*该帐户的密码!—dataexchangeconfiguration---/*设定RA和CA的数据交换1.thenodeactsasCAonly/*若是CA就启动(就是拿掉!----注解)2.thenodeactsasRAonly/*若是RA就启动(就是拿掉!----注解)!--thesearethedevicesforthedefaultdataexchange---/*设定数据交换方向optionnamedataexchange_device_up/namevalue/usr/local/openra/OpenCA/var/tmp/ra-up/value/*RA的config.xml設定/option若是CA则将ra改为caoptionnamedataexchange_device_down/namevalue/usr/local/openra/OpenCA/var/tmp/ra-down/value/optionoptionnamedataexchange_device_local/namevalue/usr/local/openra/OpenCA/var/tmp/ra-local/value/option修改/usr/local/openra/OpenCA/etc/access_control下的pub.xml.template文件为可使用任何协议，并取消密码长度限制，取消登入密码限制protocol.*/protocol/*这里如果为ssl，代表只能以https进入，设成.*则代表http或https均能进入。symmetrickeylength128/symmetrickeylength/*这里代表密码长度，一般是修改成symmetrickeylength0/symmetrickeylengthlogintypepasswd，取消登入密码限制，均改为nonemap_roleyes均改为no(配合上述logintype使用)其他ra-node.xml.template、ra.xml.template也照以上设置，同样在/usr/local/openca/OpenCA/etc/access_control底下的ca-node.xml.template、ca.xml.template也按以上设置启动前先到/usr/local/openca/OpenCA/及/usr/local/openra/OpenCA/下将var目录下面的文件夹权限设成777。并将会读取到的conf文件权限改成644，即：修改var文件夹权限cd/usr/local/openca;chmod–R777varcd/usr/local/openra;chmod–R777var将conf文件权限改成644cd/usr/local/openca/etc/servers;chmod–R644*cd/usr/local/openra/etc/servers;chmod–R644*进入/usr/local/openra/Open