The data exchange of OpenCA is highly configurable, so first we have to describe some general concepts.
If you look at OpenCA from a database viewpoint, OpenCA is a tree of hierarchically organized databases. Every database is used by some web interfaces, so one node of the hierarchy consists of a database and some web interfaces. When we describe the data exchange, we describe the data exchange between nodes. This is the reason why we called the management interface "node".
A node can exchange data with one node on a higher level of the hierarchy or with several nodes on a lower level of the hierarchy. If we export data to a higher level of the hierarchy we UPLOAD data, and if we import data from such a node we DOWNLOAD data. If we import data from a lower level we RECEIVE data, and if we export data to such a node we ENROLL data.
If you exchange objects in a security-relevant area, you must define which objects in which state you want to exchange. Therefore you can define in OpenCA which objects in which state you accept from which direction. OpenCA also allows existing objects to be overwritten only if you DOWNLOAD CA certificates, CRLs, CSRs and CRRs; status or object injections are not accepted in any other situation. OpenCA includes some default configurations to help you on the way to a secure configuration.
Example 2.16. Download configuration
DOWNLOAD_CA_CERTIFICATE_STATES VALID
DOWNLOAD_CERTIFICATE_STATES VALID
DOWNLOAD_CRL_STATES VALID
DOWNLOAD_CRR_STATES ARCHIVED DELETED APPROVED
DOWNLOAD_CSR_STATES ARCHIVED DELETED
DOWNLOAD_MAIL_STATES CRINS DEFAULT
Example 2.17. Export configuration
EXPORT_IMPORT_UP_DEVICE "/dev/fd0"
EXPORT_IMPORT_UP_START ""
EXPORT_IMPORT_UP_STOP ""
EXPORT_IMPORT_UP_EXPORT "/bin/tar -cvfp @__DEVICE__@ -C @__SRC__@"
EXPORT_IMPORT_UP_IMPORT "/bin/tar -xvf @__DEVICE__@ -C @__DEST__@"
EXPORT_IMPORT_UP_TEST "/bin/tar -tvf @__DEVICE__@"
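As an added illustration, not OpenCA's own code, here is a small Python model of the rules described above: it parses key/value lines like those in Examples 2.16 and 2.17, applies the default-deny state filter per direction and datatype, enforces the overwrite restriction, and expands the @__DEVICE__@ and @__SRC__@ placeholders of the export commands. The sample configuration, the shlex-style quoting and all function names are assumptions made for this example.

```python
import shlex

# Constructed sample in the style of Examples 2.16 and 2.17 (not a complete OpenCA config).
SAMPLE_CONFIG = """
DOWNLOAD_CA_CERTIFICATE_STATES VALID
DOWNLOAD_CERTIFICATE_STATES VALID
DOWNLOAD_CRL_STATES VALID
DOWNLOAD_CRR_STATES ARCHIVED DELETED APPROVED
DOWNLOAD_CSR_STATES ARCHIVED DELETED
EXPORT_IMPORT_UP_DEVICE "/dev/fd0"
EXPORT_IMPORT_UP_EXPORT "/bin/tar -cvfp @__DEVICE__@ -C @__SRC__@"
EXPORT_IMPORT_UP_TEST "/bin/tar -tvf @__DEVICE__@"
"""

# Only these (direction, datatype) pairs may overwrite an existing object, as the text states.
OVERWRITE_ALLOWED = {("DOWNLOAD", "CA_CERTIFICATE"), ("DOWNLOAD", "CRL"),
                     ("DOWNLOAD", "CSR"), ("DOWNLOAD", "CRR")}

def parse_config(text):
    """Parse 'KEY value ...' lines into {KEY: [values]}; shlex quoting groups one value (assumed)."""
    cfg = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            cfg[parts[0]] = parts[1:]
    return cfg

def accepted(cfg, direction, datatype, state):
    """Default deny: a state is accepted only if listed under <DIRECTION>_<DATATYPE>_STATES."""
    return state in cfg.get(f"{direction}_{datatype}_STATES", [])

def import_decision(cfg, direction, datatype, state, exists):
    """Return 'accept', 'overwrite' or 'reject' for an incoming object."""
    if not accepted(cfg, direction, datatype, state):
        return "reject"  # state or object injection: not an accepted state for this direction
    if exists and (direction, datatype) not in OVERWRITE_ALLOWED:
        return "reject"  # never overwrite outside the DOWNLOAD cases listed above
    return "overwrite" if exists else "accept"

def expand_commands(cfg, key, **placeholders):
    """Substitute @__NAME__@ placeholders in every command configured under key."""
    commands = []
    for cmd in cfg.get(key, []):
        for name, value in placeholders.items():
            cmd = cmd.replace(f"@__{name}__@", value)
        if "@__" in cmd:  # refuse to hand a half-expanded command line to the shell
            raise ValueError(f"unresolved placeholder in {key}: {cmd}")
        commands.append(cmd)
    return commands
```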
Example 2.18. Local export configuration
EXPORT_IMPORT_DOWN_DEVICE "openca.tar"
EXPORT_IMPORT_DOWN_START "/sbin/ifconfig eth0 up"
EXPORT_IMPORT_DOWN_STOP "/sbin/ifconfig eth0 down"
EXPORT_IMPORT_DOWN_EXPORT "/bin/tar -cvfp /usr/local/openca/var/tmp/@__DEVICE__@ -C @__SRC__@" "/usr/bin/scp /usr/local/openca/var/tmp/@__DEVICE__@ openca@ra.openca.org:/usr/local/OpenCA/var/tmp/" "rm /usr/local/openca/var/tmp/@__DEVICE__@"
EXPORT_IMPORT_DOWN_IMPORT "/usr/bin/scp openca@ra.openca.org:/usr/local/OpenCA/var/tmp/@__DEVICE__@ /usr/local/openca/var/tmp/@__DEVICE__@" "/bin/tar -xvf /usr/local/openca/var/tmp/@__DEVICE__@ -C @__DEST__@" "rm /usr/local/openca/var/tmp/@__DEVICE__@"
EXPORT_IMPORT_DOWN_TEST ""
If you create a new node, e.g. a second RA, you have to support this node with the data exchange mechanism. Every interface of OpenCA must have a unique module ID. OpenCA manages the complete data exchange with the ID of the node interface. The node interface knows which object of which datatype was already received by another node.
If you want to create a new node, you must create the corresponding files in OPENCADIR/var/log. You simply create some files in the directories OPENCADIR/var/log/enroll and OPENCADIR/var/log/download, depending on the direction you use for export. These directories contain files named $number_$datatype, where $number is the module ID of the node to which you want to export the data and $datatype is the datatype of the exported objects.
If you created a new module ID (e.g. you set up another RA), you simply have to touch the file $number_$datatype. The new file is empty, so all objects will be exported.