Tuesday, August 22, 2006

Installing and Configuring OpenCA.

This guide was carried out on a single machine that serves at the same time as CA/CA-node/RA-node/RA/LDAP.

1. Download the OpenCA source
Find the latest OpenCA release. At the time of writing it is version 0.9.2.5.
# tar -xzvf OpenCA-0.9.2.5
# cd OpenCA-0.9.2.5

2. Install the supporting packages
# apt-get install libxml-perl libxml-regexp-perl libdbi-perl \
    perl-modules libssl-dev libldap2 libldap2-dev libnet-ldap-perl \
    libdbd-mysql libdbd-mysql-perl libdbd-pg-perl \
    libxml-twig-perl apache apache-ssl mysql-client mysql-server openssl

3. Install the RA
# make distclean
# ./configure \
--prefix=/usr/local/openra \
--with-httpd-user=www-data \
--with-httpd-group=www-data \
--with-openca-prefix=/usr/local/openra/openca \
--with-etc-prefix=/usr/local/openra/openca/etc \
--with-httpd-fs-prefix=/usr/local/openra/httpd \
--with-module-prefix=/usr/local/openra/modules \
--with-node-prefix=ra-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ra
# make
# make install-online

4. Install the CA
# make distclean
# ./configure \
--prefix=/usr/local/openca \
--with-httpd-user=www-data \
--with-httpd-group=www-data \
--with-openca-prefix=/usr/local/openca/openca \
--with-etc-prefix=/usr/local/openca/openca/etc \
--with-httpd-fs-prefix=/usr/local/openca/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ca-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ca
# make
# make install-offline

5. Create the CA and RA databases
# mysql -u root -p
> create database openca;
> create database openra;
> grant all privileges on openca.* to "openca"@"localhost" identified by "openca";
> grant all privileges on openra.* to "openra"@"localhost" identified by "openra";

6. Configure the web server
Add the following to the web server configuration file
# vi /etc/apache/httpd.conf

# OpenCA Mods
# CA Aliases
Alias /ca /usr/local/openca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias /ra /usr/local/openra/httpd/htdocs/ra/
Alias /pub /usr/local/openra/httpd/htdocs/pub/
Alias /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# LDAP Mods
Alias /ldap/ /usr/local/openra/httpd/htdocs/ldap/
ScriptAlias /cgi-bin/ldap/ /usr/local/openra/httpd/cgi-bin/ldap/

# OpenCA Mods Directory
# (the <Directory> lines were lost when this page was captured; the four
#  below are reconstructed from the cgi-bin and htdocs trees aliased above)
<Directory /usr/local/openca/httpd/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

<Directory /usr/local/openra/httpd/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

<Directory /usr/local/openca/httpd/htdocs/>
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>

<Directory /usr/local/openra/httpd/htdocs/>
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>

# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
# (the directory names of these two blocks are missing from the page)
<Directory /PLACEHOLDER-directory-missing-on-the-page/>
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>

<Directory /PLACEHOLDER-directory-missing-on-the-page/>
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
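
An added example (not part of the original post): a small POSIX sh check that reads Alias/ScriptAlias lines like the ones in step 6 and flags a ScriptAlias that does not point into a cgi-bin tree (the only trees that get Options ExecCGI) or an Alias that exposes a cgi-bin tree as static content (which would hand out the Perl sources instead of running them). The sample configuration it reads is constructed from the step 6 lines plus one deliberately wrong entry; the function name check_aliases is chosen here, not taken from OpenCA.

```shell
#!/bin/sh
# Added example: sanity-check Alias/ScriptAlias targets of an Apache
# configuration like the one in step 6. The sample file is constructed from
# the step 6 lines plus one deliberately wrong entry.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# OpenCA Mods
Alias /ca /usr/local/openca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/
Alias /ra /usr/local/openra/httpd/htdocs/ra/
Alias /pub /usr/local/openra/httpd/htdocs/pub/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
Alias /ldap/ /usr/local/openra/httpd/htdocs/ldap/
ScriptAlias /cgi-bin/ldap/ /usr/local/openra/httpd/cgi-bin/ldap/
# constructed mistake: a plain Alias onto a cgi-bin directory would let
# Apache serve the Perl sources as files instead of executing them
Alias /scripts /usr/local/openra/httpd/cgi-bin/
EOF

# check_aliases FILE
# Prints one line per problem and returns the number of problems found:
#   - a ScriptAlias target must lie inside a .../httpd/cgi-bin/ tree
#     (only those trees carry Options ExecCGI)
#   - an Alias target must lie inside a .../httpd/htdocs/ tree
#     (an Alias into cgi-bin serves script text as static content)
check_aliases() {
    problems=0
    while read -r directive url target; do
        case "$directive" in
            ScriptAlias)
                case "$target" in
                    */httpd/cgi-bin/*) ;;
                    *) echo "ScriptAlias $url -> $target is outside a cgi-bin tree"
                       problems=$((problems + 1)) ;;
                esac ;;
            Alias)
                case "$target" in
                    */httpd/htdocs/*) ;;
                    *) echo "Alias $url -> $target is outside an htdocs tree"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$1"
    return "$problems"
}

# Run it against the constructed sample; the wrong entry is reported.
check_aliases "$SAMPLE_CONF" || echo "check_aliases: $? problem(s) in $SAMPLE_CONF"
```

Run it against the real httpd.conf after step 6 is finished; a clean file yields no output and exit status 0, so it fits into any post-install check.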


7. Configure config.xml for the RA
# cp /usr/local/openra/openca/etc/config.xml /usr/local/openra/openca/etc/config.xml.default
# vi /usr/local/openra/openca/etc/config.xml
general options
ca_organization -> PAUME
ca_locality -> ITB
ca_country -> ID
service_mail_account -> za@students.ee.itb.ac.id
dbmodule -> DBI (for the MySQL database)
db_type -> mysql
db_name -> openra
db_host -> localhost (or whichever host runs MySQL)
db_port -> 3306 (the MySQL default port)
db_user -> openra
db_passwd -> openra
dataexchange configuration -> (2) The node acts as an RA only
dataexchange_device_up -> /usr/local/openca/openca/var/tmp/ca-down
dataexchange_device_down -> /usr/local/openra/openca/var/tmp/ra-down
dataexchange_device_local -> /usr/local/openra/openca/var/tmp/ra-local

8. Configure config.xml for the CA
# cp /usr/local/openca/openca/etc/config.xml /usr/local/openca/openca/etc/config.xml.default
# vi /usr/local/openca/openca/etc/config.xml
general options
ca_organization -> PAUME
ca_locality -> ITB
ca_country -> ID
service_mail_account -> za@students.ee.itb.ac.id
dbmodule -> DBI (for the MySQL database)
db_type -> mysql
db_name -> openca
db_host -> localhost (or whichever host runs MySQL)
db_port -> 3306 (the MySQL default port)
db_user -> openca
db_passwd -> openca
dataexchange configuration -> (3) The node acts as a CA only
dataexchange_device_up -> /usr/local/openca/openca/var/tmp/ca-up
dataexchange_device_down -> /usr/local/openca/openca/var/tmp/ca-down
dataexchange_device_local -> /usr/local/openra/openca/var/tmp/ra-local

9. Set the http protocol for the CA and RA
# vi /usr/local/openra/openca/etc/access_control/*.template
set protocol to .*
keylength 0

# vi /usr/local/openca/openca/etc/access_control/*.template
set protocol to .*
keylength 0
With protocol set to .* the access-control check accepts requests over plain http as well as https, and keylength 0 removes the minimum SSL session key length, so these two settings suit only a closed single-host setup like the one described here.
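
An added example (not part of the original post) covering steps 7 to 9: a POSIX sh audit that reads OpenCA-style config.xml entries of the form <option><name>…</name><value>…</value></option> (a layout assumed here) to confirm that the CA and RA point at different databases, and scans access_control/*.template files for a protocol of .* or a keylength of 0 so that the relaxed setting from step 9 is recorded rather than forgotten. Every file it reads is constructed in a scratch directory, and the function names option_value, xml_value, audit_databases and audit_access_control are chosen here, not taken from OpenCA.

```shell
#!/bin/sh
# Added example: audit the OpenCA/OpenRA configuration written in steps 7-9.
# All files below are constructed in a scratch directory; the
# <option>/<name>/<value> layout of config.xml and the
# <channel>/<protocol>/<keylength> layout of the access_control templates
# are assumptions about the OpenCA 0.9.2 file formats.
WORK="$(mktemp -d)"
mkdir -p "$WORK/openra/etc/access_control" "$WORK/openca/etc/access_control"

# Constructed RA config.xml with the database settings of step 7.
cat > "$WORK/openra/etc/config.xml" <<'EOF'
<openca_config>
  <option><name>db_type</name><value>mysql</value></option>
  <option>
    <name>db_name</name>
    <value>openra</value>
  </option>
  <option><name>db_user</name><value>openra</value></option>
</openca_config>
EOF

# Constructed CA config.xml with the database settings of step 8.
cat > "$WORK/openca/etc/config.xml" <<'EOF'
<openca_config>
  <option><name>db_type</name><value>mysql</value></option>
  <option><name>db_name</name><value>openca</value></option>
  <option><name>db_user</name><value>openca</value></option>
</openca_config>
EOF

# Constructed RA access-control template with the relaxed values of step 9.
cat > "$WORK/openra/etc/access_control/ra.xml.template" <<'EOF'
<access_control>
  <channel>
    <type>apache</type>
    <protocol>.*</protocol>
    <keylength>0</keylength>
  </channel>
</access_control>
EOF

# Constructed CA template left at https with a minimum key length, for contrast.
cat > "$WORK/openca/etc/access_control/ca.xml.template" <<'EOF'
<access_control>
  <channel>
    <type>apache</type>
    <protocol>https</protocol>
    <keylength>128</keylength>
  </channel>
</access_control>
EOF

# option_value FILE NAME: print the <value> that follows <name>NAME</name>,
# whether the two tags share a line or sit on consecutive lines.
option_value() {
    awk -v want="$2" '
        /<name>/ { n = $0; sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n)
                   found = (n == want) }
        found && /<value>/ { v = $0; sub(/.*<value>[ \t]*/, "", v)
                             sub(/[ \t]*<\/value>.*/, "", v); print v; exit }
    ' "$1"
}

# xml_value FILE TAG: text of the first single-line <TAG>...</TAG> element.
xml_value() {
    sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1
}

# audit_databases CA_CONFIG RA_CONFIG: the two nodes must not share a database.
# Returns 0 when distinct, 1 when shared, 2 when a db_name is missing.
audit_databases() {
    ca_db="$(option_value "$1" db_name)"
    ra_db="$(option_value "$2" db_name)"
    if [ -z "$ca_db" ] || [ -z "$ra_db" ]; then
        echo "db_name missing in $1 or $2"; return 2
    fi
    if [ "$ca_db" = "$ra_db" ]; then
        echo "CA and RA both point at database '$ca_db'"; return 1
    fi
    return 0
}

# audit_access_control DIR: report each *.template that accepts any protocol
# or sets no minimum key length; returns the number of findings.
audit_access_control() {
    findings=0
    for t in "$1"/*.template; do
        [ -f "$t" ] || continue
        if [ "$(xml_value "$t" protocol)" = ".*" ]; then
            echo "$t: protocol '.*' also accepts plain http"
            findings=$((findings + 1))
        fi
        if [ "$(xml_value "$t" keylength)" = "0" ]; then
            echo "$t: keylength 0 sets no minimum SSL session key length"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

audit_databases "$WORK/openca/etc/config.xml" "$WORK/openra/etc/config.xml" && echo "databases: distinct"
audit_access_control "$WORK/openra/etc/access_control" || echo "RA access control: $? finding(s)"
```

Point the two functions at /usr/local/openca/openca/etc and /usr/local/openra/openca/etc on the real host; the database check catches a config.xml copied from the RA to the CA without editing, and the access-control scan lists exactly which templates still carry the relaxed protocol and key-length values.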

10. Run the CA and RA magic scripts
/usr/local/openra/openca/etc# ./configure_etc.sh
/usr/local/openca/openca/etc# ./configure_etc.sh
Make sure no error messages appear.

11. Start the RA
/usr/local/openra/openca/etc# ./openca_rc stop
/usr/local/openra/openca/etc# ./openca_start start

12. Start the CA
/usr/local/openca/openca/etc# ./openca_rc stop
/usr/local/openca/openca/etc# ./openca_start start

.... to be continued (soon) with:
1. Initialising the RA and CA
2. Steps for issuing a certificate
