Discussion:
[OpenXPKI-users] OpenXPKI up and running
Robert Lisiak
2007-02-03 21:13:31 UTC
Permalink
@Alex
Finally I got the openxpki server up and running (unix socket)
Many thanks for your support
The last but not least is the web front end
Will keep you in touch with :-)
soon
rlis
Hi Robert,
again, please subscribe to the openxpki-users mailing list and post
there so that more people can be of help.
--batch (--force if you already have an existing config file
installation), so that the XML files are changed. The server actually
reads the configuration from the XML files (check what your database.xml
says, for example), the openxpki.conf is just a file that is used in
creating those XML files.
I have used openxpki-configure but without the -?force
Hmmm, I guess the original installation came from the Debian package,
then.
//// with ?force is better but still no server run ////////////////
2007/02/02 16:25:54 openxpki.system.FATAL [OpenXPKI::Server::Init (141)]
I18N_OPENXPKI_SERVER_DBI_SCHEMA_CHECK_PARAMETER_NOT_UPERCASE_ONLY
2007/02/02 16:25:54 openxpki.system.FATAL [OpenXPKI::Server
(/usr/lib/perl5/OpenXPKI/Server.pm:77)] Exception during server
I18N_OPENXPKI_SERVER_DBI_SCHEMA_CHECK_PRAMETER_NOT_UPPERCASE_ONLY;
__PARAMETER__ => openxpki; __PACKAGE__ => OpenXPKI::Server::DBI::DBH;
__CALLER__ => OpenXPKI::Server::DBI::Schema::set_namespace
//////////////////////////////////////////////////
That looks like you have a namespace called 'openxpki' defined in
your database.xml. You could try to have a look for that and throw
the line away if there is one (namespaces are not needed for MySQL).
Also during the ''make i18n'' and ''make deployment'' in
/usr/local/src/trunk/package/debian I have had these error messages
....
/bin/sh: -c: line 2: syntax error near unexpected token `fi'
/bin/sh: -c: line 2: `fi'
make[3]: *** [dist] Error 2
make[3]: Leaving directory `/home/src/trunk/i18n'
Hmmm, weird. I have no idea why this is happening. Maybe Michael, who has
build the Debian scripts has one?
and I should comment #local $INPUT_RECORD_SEPARATOR; in all Makefile.PL
for this error reason !
? No, the local $INPUT_RECORD_SEPARATOR thing is for reading in files,
this does not seem to have anything to do with the error you are
getting. Uncommenting will definitely NOT help.
...
Makefile:64: *** missing separator. Stop.
that seems not related to $INPUT_RECORD_SEPARATOR stuff, but looks like
a Makefile error, not a perl error.
Any sugestions, pls
Have a nice WE
Same to you.
Regards,
Alex
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
- --
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Robert Lisiak
2007-02-03 23:31:06 UTC
Permalink
@Alex
I tried to use the OpenXPKI-Client-HTML-Mason, all compile stuff went
right with several perl module dependencies.

I have put openxpki.cgi to apache cgi-bin folder and copied "htdocs"
found in OpenXPKI-Client-HTML-Mason tree to "mason-data" but have these
errors
/////////////////////
[Sat Feb 03 22:49:27 2007] [error] [client 10.1.0.2] The 'comp'
parameter (undef) to HTML::Mason::Request::CGI->new() was an 'undef',
which is not one of the allowed types: scalar object
[Sat Feb 03 22:49:27 2007] [error] [client 10.1.0.2]
[Sat Feb 03 22:49:27 2007] [error] [client 10.1.0.2] Stack:
[Sat Feb 03 22:49:27 2007] [error] [client 10.1.0.2]
[/usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm:127]
[Sat Feb 03 22:49:27 2007] [error] [client 10.1.0.2]
[/usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm:63]
[Sat Feb 03 22:49:27 2007] [error] [client 10.1.0.2]
[/usr/lib/cgi-bin/openxpki.cgi:24]
[Sat Feb 03 23:42:48 2007] [error] [client 10.1.0.2] Premature end of
script headers: openxpki.cgi
////////////////////
I have no idea what to do now :-(
Any advise I hope will help

Salutations

- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
- --
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-05 10:11:22 UTC
Permalink
Hi Robert,

looks like you're close to your goal ...
Post by Robert Lisiak
I tried to use the OpenXPKI-Client-HTML-Mason, all compile stuff went
right with several perl module dependencies.
I have put openxpki.cgi to apache cgi-bin folder and copied "htdocs"
found in OpenXPKI-Client-HTML-Mason tree to "mason-data" but have these
You don't need to. The mason-data is just the place where Mason puts
its cache file and stuff. Just create an empty one that is writable
by your webserver user. Then either copy htdocs somewhere, or just
leave them where they are and reference them from your openxpki.cgi.
To what did you set the values of 'comp_root' and 'data_dir' in your
openxpki.cgi? They should reference the htdocs directory and the
mason-data directory.
Furthermore, did you use the LocationMatch directives from the
eg/openxpki-mason-cgi.conf directory?

Greetings,
Alex
Robert LISIAK
2007-02-05 11:26:58 UTC
Permalink
Bonjour Alex,

I doubted something like that 
I was not sure but the text from openxpki.cgi tells clearly:
# ... and of course insert the correct paths for comp_root and data_dir
below.
Will setup these and keep you in touch,
THX and soon for the “production” report.
I’ll use this ifra to build the DNSSEC Island of security.
Bonne semaine
@+
rlis
Hi Robert,
looks like you're close to your goal ...
Post by Robert Lisiak
I tried to use the OpenXPKI-Client-HTML-Mason, all compile stuff went
right with several perl module dependencies.
I have put openxpki.cgi to apache cgi-bin folder and copied "htdocs"
found in OpenXPKI-Client-HTML-Mason tree to "mason-data" but have these
You don't need to. The mason-data is just the place where Mason puts
its cache file and stuff. Just create an empty one that is writable
by your webserver user. Then either copy htdocs somewhere, or just
leave them where they are and reference them from your openxpki.cgi.
To what did you set the values of 'comp_root' and 'data_dir' in your
openxpki.cgi? They should reference the htdocs directory and the
mason-data directory.
Furthermore, did you use the LocationMatch directives from the
eg/openxpki-mason-cgi.conf directory?
Greetings,
Alex
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company founder
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Robert LISIAK
2007-02-05 16:24:52 UTC
Permalink
Bonjour Alex,
Still some errors but I feel I'm not far from the solution, hmmm I guess :-)
====================================
my Web CGI environment variable
DOCUMENT_ROOT = /usr/local/apache/htdocs
GATEWAY_INTERFACE = CGI/1.1
HTTPS = on
SCRIPT_FILENAME = /usr/lib/cgi-bin/printenv.cgi
SCRIPT_NAME = /cgi-bin/printenv.cgi
====================================
my openxpki.cgi
......
my $h = HTML::Mason::CGIHandler->new(
comp_root => "$ENV{DOCUMENT_ROOT}/openxpki",
data_dir => "$ENV{DOCUMENT_ROOT}/../mason-data",
allow_globals => [ qw( $context %session_cache ) ],
);
$h->handle_request();
.......
====================================
my error Web screen snapshot (https://my_web/openxpki/index.html)

System error
error: could not find component for initial path '/openxpki/index.html'
(component roots are: '/usr/local/apache/htdocs/openxpki')
context:
...
201: $self->{out_method} = sub { $$bufref .= $_[0] };
202: }
203: $self->{use_internal_component_caches} =
204: $self->{interp}->use_internal_component_caches;
205: $self->_initialize;
206:
207: return $self;
208: }
209:
...
code stack: /usr/local/share/perl/5.8.8/HTML/Mason/Request.pm:205
/usr/local/share/perl/5.8.8/Class/Container.pm:275
/usr/local/share/perl/5.8.8/Class/Container.pm:353
/usr/local/share/perl/5.8.8/HTML/Mason/Interp.pm:348
/usr/local/share/perl/5.8.8/HTML/Mason/Interp.pm:342
/usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm:123
/usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm:63
/usr/lib/cgi-bin/openxpki.cgi:27
raw error


could not find component for initial path '/openxpki/index.html'
(component roots are: '/usr/local/apache/htdocs/openxpki')
Trace begun at /usr/local/share/perl/5.8.8/HTML/Mason/Request.pm line 273
eval {...} at /usr/local/share/perl/5.8.8/HTML/Mason/Request.pm line 224
HTML::Mason::Request::_initialize('HTML::Mason::Request::CGI=HASH(0x86181a0)')
called at /usr/local/share/perl/5.8.8/HTML/Mason/Request.pm line 205
HTML::Mason::Request::new('HTML::Mason::Request::CGI', 'error_mode',
'output', 'error_format', 'html', 'cgi_request',
'HTML::Mason::FakeApache=HASH(0x86185d8)', 'out_method',
'CODE(0x814eb44)', 'interp', 'HTML::Mason::Interp=HASH(0x8613ed0)',
'comp', '/openxpki/index.html', 'args', 'ARRAY(0x845bfd4)', 'container',
'HASH(0x8613ff0)') called at
/usr/local/share/perl/5.8.8/Class/Container.pm line 275
Class::Container::call_method('HTML::Mason::Interp=HASH(0x8613ed0)',
'request', 'new', 'interp', 'HTML::Mason::Interp=HASH(0x8613ed0)', 'comp',
'/openxpki/index.html', 'args', 'ARRAY(0x845bfd4)', 'container',
'HASH(0x8613ff0)') called at
/usr/local/share/perl/5.8.8/Class/Container.pm line 353
Class::Container::create_delayed_object('interp',
'HTML::Mason::Interp=HASH(0x8613ed0)', 'comp', '/openxpki/index.html',
'args', 'ARRAY(0x845bfd4)', 'container', 'HASH(0x8613ff0)') called at
/usr/local/share/perl/5.8.8/HTML/Mason/Interp.pm line 348
HTML::Mason::Interp::make_request('HTML::Mason::Interp=HASH(0x8613ed0)',
'comp', '/openxpki/index.html', 'args', 'ARRAY(0x845bfd4)') called at
/usr/local/share/perl/5.8.8/HTML/Mason/Interp.pm line 342
HTML::Mason::Interp::exec(undef, undef) called at
/usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm line 123
eval {...} at /usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm line 123
HTML::Mason::CGIHandler::_handler('HTML::Mason::CGIHandler=HASH(0x8618128)',
'HASH(0x814ec28)') called at
/usr/local/share/perl/5.8.8/HTML/Mason/CGIHandler.pm line 63
HTML::Mason::CGIHandler::handle_request('HTML::Mason::CGIHandler=HASH(0x8618128)')
called at /usr/lib/cgi-bin/openxpki.cgi line 27

- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-06 08:30:05 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
my $h = HTML::Mason::CGIHandler->new(
comp_root => "$ENV{DOCUMENT_ROOT}/openxpki",
data_dir => "$ENV{DOCUMENT_ROOT}/../mason-data",
allow_globals => [ qw( $context %session_cache ) ],
);
$h->handle_request();
Sounds like you want to be able to reach your OpenXPKI instance
at http://your_web/openxpki/? If so, please uncomment the following
line in openxpki.cgi:

$ENV{PATH_INFO} =~ s{\A /openxpki}{}xms;

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert LISIAK
2007-02-06 10:02:19 UTC
Permalink
Bonjour Alex,
OK! I have uncoment the line and have now this error in my browser
I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED; __SOCKETFILE__ =>

the server (opXpki) is up and running, there are no errors in the logs
neither apache nor opXpki.

About LocationMatch please find below what I use in my apache conf, I
picked up the sample from
http://cpan.uwinnipeg.ca/htdocs/HTML-Mason/HTML/Mason/CGIHandler.pm.html

////// my apache conf for Mason //////////
<LocationMatch "\.(cgi|html)$">
Action html-mason /usr/lib/cgi-bin/openxpki.cgi
AddHandler html-mason .html .cgi
</LocationMatch>

<LocationMatch "/usr/lib/cgi-bin/">
RemoveHandler .html .cgi
</LocationMatch>

<FilesMatch "(autohandler|dhandler)$">
Order allow,deny
Allow from all # for tests
#Deny from all
</FilesMatch>
/////////////////////////////////////////
What do you think about all above ?
Salutations
rlis
Hi Robert,
Post by Robert LISIAK
my $h = HTML::Mason::CGIHandler->new(
comp_root => "$ENV{DOCUMENT_ROOT}/openxpki",
data_dir => "$ENV{DOCUMENT_ROOT}/../mason-data",
allow_globals => [ qw( $context %session_cache ) ],
);
$h->handle_request();
Sounds like you want to be able to reach your OpenXPKI instance
at http://your_web/openxpki/? If so, please uncomment the following
$ENV{PATH_INFO} =~ s{\A /openxpki}{}xms;
Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
------------------------------------------------------------------
Alexander Klink
2007-02-06 17:27:00 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
OK! I have uncoment the line and have now this error in my browser
I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED; __SOCKETFILE__ =>
the server (opXpki) is up and running, there are no errors in the logs
neither apache nor opXpki.
Did you set the OPENXPKI_SOCKET_FILE in your Apache config (see the
example config file for an example) If yes, is the socket file read and
writable by your Apache user (putting both the daemon and the apache
user in the same group seems a good solution for that)?
Post by Robert LISIAK
About LocationMatch please find below what I use in my apache conf, I
picked up the sample from
http://cpan.uwinnipeg.ca/htdocs/HTML-Mason/HTML/Mason/CGIHandler.pm.html
Please have a look at the eg/openxpki-mason-cgi.conf file for an example
Post by Robert LISIAK
////// my apache conf for Mason //////////
<LocationMatch "\.(cgi|html)$">
Action html-mason /usr/lib/cgi-bin/openxpki.cgi
I believe this path should be relative to your server, at least I have
it set to /cgi-bin/openxpki.cgi.
Also, the LocationMatch should not include the .cgi ending. Just use the
example config file and you should be fine.

Good luck,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert Lisiak
2007-02-06 22:10:50 UTC
Permalink
Bonsoir Alex,
I followed all your indications but there are always some errors
especially about perl method "boot".
I use apache 2.2 with libapache2-mod-perl2 and I have read that v2 does
not know method "boot".
My Internet browser shows now a blank page without any indications and
the only error is perl method "boot" (below)

[Tue Feb 06 22:38:25 2007] [error] [client 10.1.0.2] failed to resolve
handler `OpenXPKI::Client::HTML::Mason::ApacheHandler': Can't locate
object method "boot" via package "mod_perl" at
/usr/lib/perl5/Apache/Table.pm line 6.\nCompilation failed in require at
/usr/lib/perl5/Apache/Request.pm line 21.\nBEGIN failed--compilation
aborted at /usr/lib/perl5/Apache/Request.pm line 21.\nCompilation failed
in require at
/usr/local/share/perl/5.8.8/OpenXPKI/Client/HTML/Mason/ApacheHandler.pm
line 11.\nBEGIN failed--compilation aborted at
/usr/local/share/perl/5.8.8/OpenXPKI/Client/HTML/Mason/ApacheHandler.pm
line 11.\nCompilation failed in require at (eval 2) line 3.\n
failed to resolve handler OpenXPKI::Client::HTML::Mason::ApacheHandler
Hi Robert,
Post by Robert LISIAK
OK! I have uncoment the line and have now this error in my browser
I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED; __SOCKETFILE__ =>
the server (opXpki) is up and running, there are no errors in the logs
neither apache nor opXpki.
Did you set the OPENXPKI_SOCKET_FILE in your Apache config (see the
example config file for an example) If yes, is the socket file read and
writable by your Apache user (putting both the daemon and the apache
user in the same group seems a good solution for that)?
Post by Robert LISIAK
About LocationMatch please find below what I use in my apache conf, I
picked up the sample from
http://cpan.uwinnipeg.ca/htdocs/HTML-Mason/HTML/Mason/CGIHandler.pm.html
Please have a look at the eg/openxpki-mason-cgi.conf file for an example
Post by Robert LISIAK
////// my apache conf for Mason //////////
<LocationMatch "\.(cgi|html)$">
Action html-mason /usr/lib/cgi-bin/openxpki.cgi
I believe this path should be relative to your server, at least I have
it set to /cgi-bin/openxpki.cgi.
Also, the LocationMatch should not include the .cgi ending. Just use the
example config file and you should be fine.
Good luck,
Alex
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-07 08:36:18 UTC
Permalink
Bonjour Robert,
Post by Robert Lisiak
I followed all your indications but there are always some errors
especially about perl method "boot".
I use apache 2.2 with libapache2-mod-perl2 and I have read that v2 does
not know method "boot".
Hmmm, I've got to admit that I've never tried it with the Apache 2 /
mod_perl2 combination. Seems there are some caveats there, probably
related to Mason. Do you have the possibility to use Apache 1.3.x and
mod_perl 1?
Post by Robert Lisiak
[Tue Feb 06 22:38:25 2007] [error] [client 10.1.0.2] failed to resolve
handler `OpenXPKI::Client::HTML::Mason::ApacheHandler': Can't locate
object method "boot" via package "mod_perl" at
This class uses the HTML::Mason::ApacheHandler class. Apparently, there
is an experimental MasonX::Apache2Handler class that does the Apache
handling for Apache2, but it would probably require some code rewrite
...

Greetings,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Martin Bartosch
2007-02-07 08:43:53 UTC
Permalink
Hi,
Post by Alexander Klink
Hmmm, I've got to admit that I've never tried it with the Apache 2 /
mod_perl2 combination. Seems there are some caveats there, probably
related to Mason. Do you have the possibility to use Apache 1.3.x and
mod_perl 1?
yes, if I remember correctly, Mason and Apache2 currently do not mix
very well. I'd also recommend to use Apache 1.3. As an alternative,
you could also use the CGI implementation which does not depend on
mod_perl.

Of course, if you figure out how to use Apache2/mod_perl2/Mason with
OpenXPKI please let us know...

Cheers

Martin
Robert LISIAK
2007-02-07 10:08:49 UTC
Permalink
Bonjour Martin
Yes you're right, obviously I missed this preconisation.
THX
Salutations
rlisiak
Post by Martin Bartosch
Hi,
Post by Alexander Klink
Hmmm, I've got to admit that I've never tried it with the Apache 2 /
mod_perl2 combination. Seems there are some caveats there, probably
related to Mason. Do you have the possibility to use Apache 1.3.x and
mod_perl 1?
yes, if I remember correctly, Mason and Apache2 currently do not mix
very well. I'd also recommend to use Apache 1.3. As an alternative,
you could also use the CGI implementation which does not depend on
mod_perl.
Of course, if you figure out how to use Apache2/mod_perl2/Mason with
OpenXPKI please let us know...
Cheers
Martin
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Michael Bell
2007-02-09 15:12:50 UTC
Permalink
Post by Martin Bartosch
Of course, if you figure out how to use Apache2/mod_perl2/Mason with
OpenXPKI please let us know...
Today it should work but the mason guys recommend that you have the
following Perl modules installed.

CGI 3.08
libapreq2 2.05
HTML::Mason 1.30

Additionally your Mason version should 1.29-2 or higher.

Please see here: http://www.masonhq.com/?ApacheModPerl2

Best regards

Michael
--
_______________________________________________________________

Michael Bell Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice
Fax: +49 (0)30-2093 2704 Unter den Linden 6
***@cms.hu-berlin.de D-10099 Berlin
_______________________________________________________________

X.509 CA Certificates / Wurzelzertifikate

http://ra.pki.hu-berlin.de
Robert LISIAK
2007-02-12 14:20:34 UTC
Permalink
Bonjour Martin,

Many thanks for this informations, I will test ASAP and I will keep you in
touch.
Post by Michael Bell
Post by Martin Bartosch
Of course, if you figure out how to use Apache2/mod_perl2/Mason with
OpenXPKI please let us know...
Today it should work but the mason guys recommend that you have the
following Perl modules installed.
CGI 3.08
libapreq2 2.05
HTML::Mason 1.30
Additionally your Mason version should 1.29-2 or higher.
Please see here: http://www.masonhq.com/?ApacheModPerl2
Best regards
Michael
--
_______________________________________________________________
Michael Bell Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice
Fax: +49 (0)30-2093 2704 Unter den Linden 6
_______________________________________________________________
X.509 CA Certificates / Wurzelzertifikate
http://ra.pki.hu-berlin.de
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Robert LISIAK
2007-02-07 10:04:26 UTC
Permalink
Bonjour Alex,

I think so, I have an idea, I'll run the first Apache (2.2) instance on
port 443 and the second one (Apache 1.3x with mod_perl1 for OpenXpki) on
port 80 and will do the Rproxy to visit OpenXpki.

Do you mind this idea, especially Rproxy flux ?

Bonne jourée
rlisiak
Post by Alexander Klink
Bonjour Robert,
Post by Robert Lisiak
I followed all your indications but there are always some errors
especially about perl method "boot".
I use apache 2.2 with libapache2-mod-perl2 and I have read that v2 does
not know method "boot".
Hmmm, I've got to admit that I've never tried it with the Apache 2 /
mod_perl2 combination. Seems there are some caveats there, probably
related to Mason. Do you have the possibility to use Apache 1.3.x and
mod_perl 1?
Post by Robert Lisiak
[Tue Feb 06 22:38:25 2007] [error] [client 10.1.0.2] failed to resolve
handler `OpenXPKI::Client::HTML::Mason::ApacheHandler': Can't locate
object method "boot" via package "mod_perl" at
This class uses the HTML::Mason::ApacheHandler class. Apparently, there
is an experimental MasonX::Apache2Handler class that does the Apache
handling for Apache2, but it would probably require some code rewrite
....
Greetings,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-07 12:23:37 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
I think so, I have an idea, I'll run the first Apache (2.2) instance on
port 443 and the second one (Apache 1.3x with mod_perl1 for OpenXpki) on
port 80 and will do the Rproxy to visit OpenXpki.
Do you mind this idea, especially Rproxy flux ?
Sounds reasonable to me, considering you make sure no-one actually uses
the webserver on port 80 directly. But a "Listen 127.0.0.1" should be
enough for that.

Regards,
Alex
Robert LISIAK
2007-02-07 15:31:43 UTC
Permalink
Bonjour Alex,

I got the openxpki web front end working !
Great Success says Borat ;-)

Now I would like to know how to manage the users accounts, new realm / CA
creation etc...

Any administrator guide exist ?

- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-08 08:53:43 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
I got the openxpki web front end working !
Great Success says Borat ;-)
:-)
Post by Robert LISIAK
Now I would like to know how to manage the users accounts, new realm / CA
creation etc...
Any administrator guide exist ?
Unluckily, not yet. As for the user accounts, have a look at auth.xml.
There you can choose, which authentication stacks you want to offer
(those are the ones displayed on the front page) and which users you
have for them or which external programs you call to do the
authentication.
As for PKI realms, have a look at config.xml, this is where the
configuration takes place. Note that for now, if you have more than one
PKI realm, you can not include the same files twice.
I guess the next step would be to generate a CA key using openxpkiadm
key generate (see openxpkiadm man for documentation) and that create a
self-signed (testing) CA certificate (you need to do this youself, for
example using openssl, or it might have already been done by the Debian
package for you?). Then you can try out the certificate requests and
creation for starters.
Let me know if anything is unclear.

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert LISIAK
2007-02-08 15:46:25 UTC
Permalink
Bonjour Alex,

After changing an xml file (eg:auth.xlm) what I have to do?

Simply restart the server (openxpkictl stop|start) ?

I have already a few CA and their materials managed with tinyca.

May I reuse those materials, especially cacert.key and cacert.pem, with
OpenXpki ?
Hi Robert,
Post by Robert LISIAK
I got the openxpki web front end working !
Great Success says Borat ;-)
:-)
Post by Robert LISIAK
Now I would like to know how to manage the users accounts, new realm / CA
creation etc...
Any administrator guide exist ?
Unluckily, not yet. As for the user accounts, have a look at auth.xml.
There you can choose, which authentication stacks you want to offer
(those are the ones displayed on the front page) and which users you
have for them or which external programs you call to do the
authentication.
As for PKI realms, have a look at config.xml, this is where the
configuration takes place. Note that for now, if you have more than one
PKI realm, you can not include the same files twice.
I guess the next step would be to generate a CA key using openxpkiadm
key generate (see openxpkiadm man for documentation) and that create a
self-signed (testing) CA certificate (you need to do this youself, for
example using openssl, or it might have already been done by the Debian
package for you?). Then you can try out the certificate requests and
creation for starters.
Let me know if anything is unclear.
Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
------------------------------------------------------------------
Alexander Klink
2007-02-08 23:24:39 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
After changing an xml file (eg:auth.xlm) what I have to do?
Simply restart the server (openxpkictl stop|start) ?
Yes.
Post by Robert LISIAK
I have already a few CA and their materials managed with tinyca.
May I reuse those materials, especially cacert.key and cacert.pem, with
OpenXpki ?
Of course. If you already have an existing key, you just need to
set the location of it in your token.xml file.
Import the CA certificate using openxpkiadm certificate import and
make an alias for the identifier using openxpkiadm certificate alias
and you should be fine. You can then also import the already issued
certificates using openxpkiadm certificate import (but you need to
specify the issuer for certificate that are not self-signed).

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert LISIAK
2007-02-12 14:13:02 UTC
Permalink
Bonjour Alex,
Accordingly to your advice I have set up
- - token.xml - OK!? (I'm not really sure)
<token id="my_CA.org" super="../token{default}">
<!-- CA key (PEM encoded) -->
<key>/usr/etc/openxpki/ca/my_CA.org/cakey.pem</key>
<!-- CA passphrase fragments -->
<secret>my_CA.org_passphrase</secret>
</token>
- - Imported existing CA keys – OK ! (cmd. openxpkiadm certificate list
- --all –v shows my CA key)
- - Aliased imported keys – OK ! (openxpkiadm certificate alias –realm ….
ends with status “Successfully created alias in realm
I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA )

but when I logon to OpenXpki as “operator” and I'm looking for my CA key
in List issuing CAs of CA Info I can see only the NOT Usable
testdummyca1&2.

I remember that you wrote me about the config.xml also but I do not know
what to do exactly.

It would seem that I have to change or to replace all "testdummyca1" by
"my_CA.org" is exact ???

Salutations
Hi Robert,
As for PKI realms, have a look at config.xml, this is where the
configuration takes place. Note that for now, if you have more than one
PKI realm, you can not include the same files twice.
I guess the next step would be to generate a CA key using openxpkiadm
key generate (see openxpkiadm man for documentation) and that create a
self-signed (testing) CA certificate (you need to do this youself, for
example using openssl, or it might have already been done by the Debian
package for you?). Then you can try out the certificate requests and
creation for starters.
Let me know if anything is unclear.
Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-12 15:11:52 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
Bonjour Alex,
Accordingly to your advice I have set up
- - token.xml - OK!? (I'm not really sure)
<token id="my_CA.org" super="../token{default}">
<!-- CA key (PEM encoded) -->
<key>/usr/etc/openxpki/ca/my_CA.org/cakey.pem</key>
<!-- CA passphrase fragments -->
<secret>my_CA.org_passphrase</secret>
This should not be your passphrase, but a reference to a secret group
identifier configured in config.xml. For example, if you use 'default',
you should be just fine.
Post by Robert LISIAK
- - Imported existing CA keys – OK ! (cmd. openxpkiadm certificate list
- --all –v shows my CA key)
does it show it without --all, though? It should be there if you set the
aliases correctly.
Post by Robert LISIAK
but when I logon to OpenXpki as “operator” and I'm looking for my CA key
in List issuing CAs of CA Info I can see only the NOT Usable
testdummyca1&2.
Try setting the secret as described above and logging in as root
(Operator stack). You should be able to unlock your CA key from within
the webinterface then (after doing the things I mention below).
Post by Robert LISIAK
I remember that you wrote me about the config.xml also but I do not know
what to do exactly.
It would seem that I have to change or to replace all "testdummyca1" by
"my_CA.org" is exact ???
Well, there are four occurences of testdummyca1 in the config.xml file.
The first one is the ca id, which is an internal identifier, which you
can set to whatever you like, the second is the reference to the token,
which should be myCA.org if you defined this as the token name in
token.xml, the next one is the alias, which should match the alias you
used in openxpkiadm certificate alias, and the last one is the CRL
location, which just needs to point to a valid directory.
In summary: Replace those as you see it fit ...

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert LISIAK
2007-02-14 15:55:55 UTC
Permalink
Post by Alexander Klink
Well, there are four occurences of testdummyca1 in the config.xml file.
The first one is the ca id, which is an internal identifier, which you
can set to whatever you like,
This is not "whatever I like"!!!
If I change the “ca_id” to my_CA.org the server won't start I have to
leave the "testdummyca1".
Post by Alexander Klink
the second is the reference to the token,
which should be myCA.org if you defined this as the token name in
token.xml,
OK! done
Post by Alexander Klink
the next one is the alias, which should match the alias you
used in openxpkiadm certificate alias, and the last one is the CRL
location, which just needs to point to a valid directory.
OK! done
Now I can see my_CA.org certificate with name "testdummyca1" and his
status is USABLE so I would try the CSR request, for do that I used John
Doe (user) account for login to test then choose the New Request (CSR)
Choose the workflow type: CSR + OK!
Choose the role: User + OK!
I18N_OPENXPKI_CLIENT_HTML_MASON_CREATE_CSR_GET_PROFILE_TITLE
I18N_OPENXPKI_CLIENT_HTML_MASON_CREATE_CSR_GET_PROFILE_DESCRIPTION
User profile + OK!
Choose a naming style: CSR with DC style + OK!
Select the way of the key generation: Automatic Browser detection + OK!
Creating the name of the certificate:
uid : testuser
CN = default
OU = default
remainder as defaults

Errors
* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR => File
does not exist: /usr/etc/openxpki/workflow_activity_null.xml at
/usr/local/share/perl/5.8.8/Workflow/Config/XML.pm line 85

Tried with others parameters and have still same error.

What is the next step ?

- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-15 15:10:11 UTC
Permalink
Hi Robert,
Post by Robert LISIAK
Post by Alexander Klink
Well, there are four occurences of testdummyca1 in the config.xml file.
The first one is the ca id, which is an internal identifier, which you
can set to whatever you like,
This is not "whatever I like"!!!
If I change the “ca_id” to my_CA.org the server won't start I have to
leave the "testdummyca1".
Sorry, I missed that you have to change the corresponding occurence of
testdummyca1 in profile.xml then, too.
Post by Robert LISIAK
Select the way of the key generation: Automatic Browser detection + OK!
uid : testuser
CN = default
OU = default
remainder as defaults
Errors
* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR => File
does not exist: /usr/etc/openxpki/workflow_activity_null.xml at
/usr/local/share/perl/5.8.8/Workflow/Config/XML.pm line 85
Hmmm, weird. Works here. Do you have the workflow_activity_null.xml
at the location? It is available in my deployment directory ...
Can you please post a listing of /usr/etc/openxpki?

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Julia Dubenskaya
2007-02-15 15:27:54 UTC
Permalink
Hi,

Sorry, I didn't notice this question earlier.
Post by Alexander Klink
Post by Robert LISIAK
Errors
* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR => File
does not exist: /usr/etc/openxpki/workflow_activity_null.xml at
/usr/local/share/perl/5.8.8/Workflow/Config/XML.pm line 85
Hmmm, weird. Works here. Do you have the workflow_activity_null.xml
at the location? It is available in my deployment directory ...
Can you please post a listing of /usr/etc/openxpki?
If OpenXPKI was installed and deployed by root, the directory /usr/etc/openxpki is owned by root
with permissions 750 and apache user cannot access any workflow*.xml files.

Something like
chown -R www:www /usr/etc/openxpki
should help.

Best regards,
Julia.
Alexander Klink
2007-02-15 15:35:03 UTC
Permalink
Hi Julia,
Robert,
Post by Julia Dubenskaya
Post by Alexander Klink
Post by Robert LISIAK
Errors
* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR => File
does not exist: /usr/etc/openxpki/workflow_activity_null.xml at
/usr/local/share/perl/5.8.8/Workflow/Config/XML.pm line 85
Hmmm, weird. Works here. Do you have the workflow_activity_null.xml
at the location? It is available in my deployment directory ...
Can you please post a listing of /usr/etc/openxpki?
If OpenXPKI was installed and deployed by root, the directory /usr/etc/openxpki is owned by root
with permissions 750 and apache user cannot access any workflow*.xml files.
Correct, but from the error message it does not look like the Apache
user is trying to access the file (why should he, anyways?), but the
OpenXPKI daemon (SERVICE_DEFAULT_...) is trying to access it.
Post by Julia Dubenskaya
Something like
chown -R www:www /usr/etc/openxpki
should help.
I doubt it. Looks to me like the file might be missing ...

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Julia Dubenskaya
2007-02-15 15:48:43 UTC
Permalink
Hi Alex,
Robert
Post by Alexander Klink
Post by Julia Dubenskaya
If OpenXPKI was installed and deployed by root, the directory /usr/etc/openxpki is owned by root
with permissions 750 and apache user cannot access any workflow*.xml files.
Correct, but from the error message it does not look like the Apache
user is trying to access the file (why should he, anyways?), but the
OpenXPKI daemon (SERVICE_DEFAULT_...) is trying to access it.
Post by Julia Dubenskaya
Something like
chown -R www:www /usr/etc/openxpki
should help.
I doubt it. Looks to me like the file might be missing ...
On my test machine openxpki user is the same as Apache user (www).
Thats why I wrote 'Something like'. I just meant that permission problem
was the reason because I've already had the same error on my intallation.

But maybe on Robert's machine file is really missing ?
That would be interesting why ...
;)

Best regards,
Julia.
Alexander Klink
2007-02-15 15:52:50 UTC
Permalink
Hi,
Post by Julia Dubenskaya
Post by Alexander Klink
Post by Julia Dubenskaya
Something like
chown -R www:www /usr/etc/openxpki
should help.
I doubt it. Looks to me like the file might be missing ...
On my test machine openxpki user is the same as Apache user (www).
Thats why I wrote 'Something like'. I just meant that permission problem
was the reason
OK, you're right there, this might actually be the reason. Robert, could
you send an output of ls -l /usr/etc/openxpki, please, so that we can
hopefully rule this out as the root of the problem?
Post by Julia Dubenskaya
because I've already had the same error on my intallation.
OK, interesting to know. Apparently we all have different deployment
scenarios so that we run into different problems - Martin and I are
deploying and running below ~ as our primary user, Michael always
uses Debian packages, ...
Post by Julia Dubenskaya
But maybe on Robert's machine file is really missing ?
That would be interesting why ...
;)
Definitely, sounds strange to me ...

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert Lisiak
2007-02-15 20:42:02 UTC
Permalink
Bonjour Julia & Alex

Definitely I pose many problems to you ;-)

Perhaps it would be better if I follow the "debian packages" deploy ???

Anyway after changing the files/folder (/usr/etc/openxpki) rights to
apache owner and chmod those to 755 I have a new error:

Errors

* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR =>
Cannot include action class
'OpenXPKI::Server::Workflow::Activity::Tools::ChangeSessionRole': Can't
locate OpenXPKI/Server/Workflow/Activity/Tools/ChangeSessionRole.pm in
@INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.8
/usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5
/usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .) at
(eval 1099) line 3.

In fact I discovered that I have no the ChangeSessionRole.pm.

I have found this post
www.mail-archive.com/openxpki-***@lists.sourceforge.net/msg00016.html
but I do not know what these all would means.

Salutations
rlis
Post by Alexander Klink
Hi,
Post by Julia Dubenskaya
Post by Alexander Klink
Post by Julia Dubenskaya
Something like
chown -R www:www /usr/etc/openxpki
should help.
I doubt it. Looks to me like the file might be missing ...
On my test machine openxpki user is the same as Apache user (www).
Thats why I wrote 'Something like'. I just meant that permission problem
was the reason
OK, you're right there, this might actually be the reason. Robert, could
you send an output of ls -l /usr/etc/openxpki, please, so that we can
hopefully rule this out as the root of the problem?
Post by Julia Dubenskaya
because I've already had the same error on my intallation.
OK, interesting to know. Apparently we all have different deployment
scenarios so that we run into different problems - Martin and I are
deploying and running below ~ as our primary user, Michael always
uses Debian packages, ...
Post by Julia Dubenskaya
But maybe on Robert's machine file is really missing ?
That would be interesting why ...
;)
Definitely, sounds strange to me ...
Regards,
Alex
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-16 09:35:50 UTC
Permalink
Hi Robert,
Post by Robert Lisiak
Definitely I pose many problems to you ;-)
That's fine, as our first "non-development user", you are supposed to,
it helps us with finding deployment bugs and problems, too.
Thanks for your patience with us.
Post by Robert Lisiak
Perhaps it would be better if I follow the "debian packages" deploy ???
Hmmm, it looks like you're pretty close to having a running
installation. I'm not sure the Debian deployment would help with the
problems you are currently encountering.
Post by Robert Lisiak
Anyway after changing the files/folder (/usr/etc/openxpki) rights to
Hmmm, weird that you have to do that. Do you still remember which
permissions it had before you changed it?
Post by Robert Lisiak
* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR =>
Cannot include action class
'OpenXPKI::Server::Workflow::Activity::Tools::ChangeSessionRole': Can't
locate OpenXPKI/Server/Workflow/Activity/Tools/ChangeSessionRole.pm in
@INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.8
/usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5
/usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .) at
(eval 1099) line 3.
In fact I discovered that I have no the ChangeSessionRole.pm.
That is correct, it was deleted a few weeks ago. Unfortunately, it seems
like it was still referenced in a configuration file
(workflow_activity_scep_request.xml). Could you try deleting the
following three lines from the file (or just downloading the latest
version from SVN):
<action name="change_session_role_to_ca_operator"
class="OpenXPKI::Server::Workflow::Activity::Tools::ChangeSessionRole"
role="CA Operator">
</action>

I'm still wondering why you run into this problem, though, as it works
fine here even after deleting my stale copy of ChangeSessionRole.pm -
anybody got an idea?

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert Lisiak
2007-02-16 23:10:19 UTC
Permalink
Post by Alexander Klink
That's fine, as our first "non-development user", you are supposed to,
it helps us with finding deployment bugs and problems, too.
Thanks for your patience with us.
As well as you :-)
Post by Alexander Klink
Post by Robert Lisiak
Anyway after changing the files/folder (/usr/etc/openxpki) rights to
Hmmm, weird that you have to do that. Do you still remember which
permissions it had before you changed it?
It was, as you presumed
owner was : root:root
and rights were, I guess, 744
Post by Alexander Klink
Post by Robert Lisiak
* I18N_OPENXPKI_SERVICE_DEFAULT_COMMAND_EXECUTION_ERROR; ERROR =>
Cannot include action class
'OpenXPKI::Server::Workflow::Activity::Tools::ChangeSessionRole': Can't
locate OpenXPKI/Server/Workflow/Activity/Tools/ChangeSessionRole.pm in
@INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.8
/usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5
/usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .) at
(eval 1099) line 3.
In fact I discovered that I have no the ChangeSessionRole.pm.
That is correct, it was deleted a few weeks ago. Unfortunately, it seems
like it was still referenced in a configuration file
(workflow_activity_scep_request.xml). Could you try deleting the
following three lines from the file (or just downloading the latest
<action name="change_session_role_to_ca_operator"
class="OpenXPKI::Server::Workflow::Activity::Tools::ChangeSessionRole"
role="CA Operator">
</action>
I deleted the lines above and could process CSR request (pending), then
I could approve the CRS which changed the status from pending to approval.
What's next ? I want to provide the couple of self signed keys (X.509)
as asked by CSR ?
BTW, as you advise, (or just downloading the latest
version from SVN) and when I do
svn up https://openxpki.svn.sourceforge.net/svnroot/openxpki/trunk trunk
have I to follow the process from start ???
I mean :
- - make/install the OpenXPKI core modules (trunk/perl-modules/core/trunk)
- - make/install the Client base module (trunk/clients/perl/OpenXPKI-Client)
- - make/install the web frontend module
(trunk/clients/perl/OpenXPKI-Client-
HTML-Mason)
- - make/install the deployment module (trunk/deployment)
and
openxpkiadm deploy
and so ?

For now I use the 727 revision
Have a nice WE
Post by Alexander Klink
I'm still wondering why you run into this problem, though, as it works
fine here even after deleting my stale copy of ChangeSessionRole.pm -
anybody got an idea?
Regards,
Alex
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Alexander Klink
2007-02-26 10:42:30 UTC
Permalink
Hi Robert,

sorry for the late reply, I was away on a workshop last week.
Post by Robert Lisiak
Post by Alexander Klink
(workflow_activity_scep_request.xml). Could you try deleting the
following three lines from the file (or just downloading the latest
<action name="change_session_role_to_ca_operator"
class="OpenXPKI::Server::Workflow::Activity::Tools::ChangeSessionRole"
role="CA Operator">
</action>
I deleted the lines above and could process CSR request (pending), then
I could approve the CRS which changed the status from pending to approval.
Good.
Post by Robert Lisiak
What's next ?
If your CA key is usable, you can try 'Persist CSR', which saves the
CSR in the database and triggers the certificate issuance (I guess the
button should have a better name).
Post by Robert Lisiak
I want to provide the couple of self signed keys (X.509)
as asked by CSR ?
What do you mean by that?
Post by Robert Lisiak
BTW, as you advise, (or just downloading the latest
version from SVN) and when I do
svn up https://openxpki.svn.sourceforge.net/svnroot/openxpki/trunk trunk
have I to follow the process from start ???
- - make/install the OpenXPKI core modules (trunk/perl-modules/core/trunk)
- - make/install the Client base module (trunk/clients/perl/OpenXPKI-Client)
- - make/install the web frontend module
(trunk/clients/perl/OpenXPKI-Client-
HTML-Mason)
- - make/install the deployment module (trunk/deployment)
and
openxpkiadm deploy
and so ?
That depends a bit on what changed. You need to make, install the core
modules if something changed there (which is what happens most often),
and then restart the server.
If something in the client base module changes, you need to reinstall
it (should happen very seldom). If something in the web frontend module
changes, you have to reinstall it and restart your apache server
(happens once in a while, but normally only things in htdocs/ change,
for which you don't need to do anything at all).
You need to reinstall the deployment module only if something changed
there (which is quite rare, too). You only need to redo the deployment
if the config file structure changes (which still happens once in a
while), but you might be able to change it manually (for example as
above), too.

Regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
ak-***@cynops.de | working @ urn:oid:1.3.6.1.4.1.11417
Robert Lisiak
2007-02-16 21:45:17 UTC
Permalink
I have replace testdummyca1 by my_CA.org within profile.xml but the
server does not run ;-(
Anyway I tried to replace all testdummyca1 entry to my_CA.org within all
below
config.xml
openxpki.conf
profile.xml
without results, the openxpki server does not run ;-(
will find the way round
Hi Robert,
Post by Robert LISIAK
Post by Alexander Klink
Well, there are four occurences of testdummyca1 in the config.xml file.
The first one is the ca id, which is an internal identifier, which you
can set to whatever you like,
This is not "whatever I like"!!!
If I change the ?ca_id? to my_CA.org the server won't start I have to
leave the "testdummyca1".
Sorry, I missed that you have to change the corresponding occurence of
testdummyca1 in profile.xml then, too.
- --
***@k
+33 687.77.65.73
ICQ UIN : 179675117
<><
system and network security advise
not another RFID company member
- ------------------------------------------------------------------
* Internet access sharing DSL/Cable/Others (base : GNU/Linux)
* Internet access protect by Firewall
* Virtual Private Network over Internet
* Remote administration via crypto channel (VPN)
- ------------------------------------------------------------------
Loading...