Wednesday, August 30, 2006

LDAP Bingo!!!

Alhamdulillah, after changing the LDAP from DC-style to X.500-style naming, certificates can be exported to and imported from LDAP.

Friday, August 25, 2006

https

Finally, OpenCA's https protocol works too. Although, after looking at the configuration file, the https connection is still not complete: symmetric_keylength still contains 0.

It seems better to use mod_ssl rather than apache-ssl, because the type in access_control defines mod_ssl.

Now it is better to start learning LDAP export & import.

Tuesday, August 22, 2006

Error 6251043

Error 6251043
General Error Aborting connection - you are using a too short symmetric keylength ().

After running over the http protocol, today I tried the https protocol. But the error above still appears.

OpenCA Installation and Configuration.

This manual was done on a single computer that serves at the same time as CA/CA-node/RA-node/RA/LDAP.

1. Download the OpenCA Source
Find the latest version of OpenCA. At the time of writing it was version 0.9.2.5
# tar -xzvf OpenCA-0.9.2.5
# cd OpenCA-0.9.2.5

2. Install Supporting Packages
# apt-get install libxml-perl libxml-regexp-perl libdbi-perl \
perl-modules libssl-dev libldap2 libldap2-dev libnet-ldap-perl \
libdbd-mysql libdbd-mysql-perl libdbd-pg-perl libxml-perl \
libxml-twig-perl apache apache-ssl mysql-client mysql-server openssl

3. Install the RA
# make distclean
# ./configure \
--prefix=/usr/local/openra \
--with-httpd-user=www-data \
--with-httpd-group=www-data \
--with-openca-prefix=/usr/local/openra/openca \
--with-etc-prefix=/usr/local/openra/openca/etc \
--with-httpd-fs-prefix=/usr/local/openra/httpd \
--with-module-prefix=/usr/local/openra/modules \
--with-node-prefix=ra-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ra
# make
# make install-online

4. Install the CA
# make distclean
# ./configure \
--prefix=/usr/local/openca \
--with-httpd-user=www-data \
--with-httpd-group=www-data \
--with-openca-prefix=/usr/local/openca/openca \
--with-etc-prefix=/usr/local/openca/openca/etc \
--with-httpd-fs-prefix=/usr/local/openca/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ca-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ca
# make
# make install-offline

5. Create the CA and RA Databases
# mysql -u root -p
> create database openca;
> create database openra;
> grant all privileges on openca.* to "openca"@"localhost" identified by "openca";
> grant all privileges on openra.* to "openra"@"localhost" identified by "openra";

6. Configure the Web Server
Add the following to the web server configuration file
# vi /etc/apache/httpd.conf

# OpenCA Mods
# CA Aliases
Alias /ca /usr/local/openca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias /ra /usr/local/openra/httpd/htdocs/ra/
Alias /pub /usr/local/openra/httpd/htdocs/pub/
Alias /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# LDAP Mods
Alias /ldap/ /usr/local/openra/httpd/htdocs/ldap/
ScriptAlias /cgi-bin/ldap/ /usr/local/openra/httpd/cgi-bin/ldap/

#OpenCA Mods Directory

AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all


AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all


AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all


AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all


# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.

AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all


AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all


7. Configure config.xml for the RA
# cp /usr/local/openra/openca/etc/config.xml /usr/local/openra/openca/etc/config.xml.default
# vi /usr/local/openra/openca/etc/config.xml
general options
ca_organization PAUME
ca_locality ITB
ca_country ID
service_mail_account (set to za@students.ee.itb.ac.id)
dbmodule -> DBI for the mysql database
db_type-> mysql
db_name -> openra
db_host -> localhost (or whatever)
db_port -> 3306 (the mysql default port)
db_user -> openra
db_passwd -> openra
dataexchange configuration
(2) The node acts as a RA only


dataexchange_device_up
/usr/local/openca/openca/var/tmp/ca-down


dataexchange_device_down
/usr/local/openra/openca/var/tmp/ra-down


dataexchange_device_local
/usr/local/openra/openca/var/tmp/ra-local



8. Configure config.xml for the CA
# cp /usr/local/openca/openca/etc/config.xml /usr/local/openca/openca/etc/config.xml.default
# vi /usr/local/openca/openca/etc/config.xml
general options
ca_organization PAUME
ca_locality ITB
ca_country ID
service_mail_account (set to za@students.ee.itb.ac.id)
dbmodule -> DBI for the mysql database
db_type-> mysql
db_name -> openra
db_host -> localhost (or whatever)
db_port -> 3306 (the mysql default port)
db_user -> openra
db_passwd -> openra
dataexchange configuration
(3) The node acts as a CA only


dataexchange_device_up
/usr/local/openca/openca/var/tmp/ca-up


dataexchange_device_down
/usr/local/openca/openca/var/tmp/ca-down


dataexchange_device_local
/usr/local/openra/openca/var/tmp/ra-local


9. Set the http Protocol for the CA and RA
# vi /usr/local/openra/openca/etc/access_control/*.template
set to .*
keylength 0

# vi /usr/local/openra/openca/etc/access_control/*.template
set to .*
keylength 0

10. Run the Magic Script for the CA and RA
/usr/local/openra/openca/etc# ./configure_etc.sh
/usr/local/openca/openca/etc# ./configure_etc.sh
Make sure no error messages appear.

11. Start the RA
/usr/local/openra/openca/etc# ./openca_rc stop
/usr/local/openra/openca/etc# ./openca_start start

12. Start the CA
/usr/local/openca/openca/etc# ./openca_rc stop
/usr/local/openca/openca/etc# ./openca_start start
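As an added check for step 9 and the "too short symmetric keylength" error above (my own example, not code from this post or from OpenCA): it audits a channel section of an access_control-style file for the settings that disable the transport checks. The element names type and symmetric_keylength come from the post; the rest of the layout, the tags protocol and symmetric_cipher, and the 128-bit threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "set to .*" / "keylength 0" state from step 9.
WEAK_CHANNEL = """<access_control>
  <channel>
    <type>apache</type>
    <protocol>.*</protocol>
    <symmetric_cipher>.*</symmetric_cipher>
    <symmetric_keylength>0</symmetric_keylength>
  </channel>
</access_control>"""

# Constructed sample: the same channel served over https by mod_ssl.
HARDENED_CHANNEL = """<access_control>
  <channel>
    <type>mod_ssl</type>
    <protocol>https</protocol>
    <symmetric_cipher>.*</symmetric_cipher>
    <symmetric_keylength>128</symmetric_keylength>
  </channel>
</access_control>"""


def audit_channel(xml_text, min_keylength=128):
    """Return findings for the first <channel>; an empty list means OK."""
    channel = ET.fromstring(xml_text).find("channel")
    if channel is None:
        return ["no <channel> section found"]

    def value(tag):
        node = channel.find(tag)
        return (node.text or "").strip() if node is not None else ""

    findings = []
    if value("type") != "mod_ssl":
        findings.append("type=%r: TLS cipher and keylength attributes are "
                        "only populated by mod_ssl" % value("type"))
    if value("protocol") != "https":
        findings.append("protocol=%r: plain http is accepted" % value("protocol"))
    # An empty value is what "too short symmetric keylength ()" reports when
    # there is no TLS session at all; treat it like 0.
    raw = value("symmetric_keylength")
    keylength = int(raw) if raw.isdigit() else 0
    if keylength < min_keylength:
        findings.append("symmetric_keylength=%r: below %d bits, so no minimum "
                        "is enforced" % (raw, min_keylength))
    return findings
```

Run audit_channel over each *.template file after step 9 so the keylength 0 / .* relaxation used for http testing is not left in place once https is working.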

... to be continued (soon) with
1. Initializing the RA and CA
2. Steps to Create a Certificate

Sunday, August 13, 2006

Progress

Friday (4/08), another advising session. Not long, admittedly, but the session with Pak Budi brought progress. It started with enlightenment about scoping the problem. Then on the Monday, finally after so long, I managed to install OpenCA on my own machine. Tonight's other progress is that I managed to bring up the LDAP interface.