OpenCA was designed for very fast and radical interface customization. Customization here means changing the functionality of the interface, not its design; the design should be changed via CSS. It was a design goal to allow users to create an interface for their own special requirements. OpenCA comes with predefined interfaces like ca, ra, public, ldap and node management, but the user can merge, split or completely mix the functions. This chapter describes the ideas behind an interface.
There are three main parts of the customization: static web pages which show the user all the available functions, the functions themselves, and links which are only available for some commands.
OpenCA also includes some support for hiding functionality. The commands viewCSR, viewCert and viewCRR can be configured to show only some selected links. This is not a security issue because it only provides link hiding, but it shows the user a consistent interface.
The first section describes the design, to give you a chance to understand what is going on and why, before we describe the possibilities of customization in detail.
Former versions of OpenCA like 0.9.0 and 0.9.1 used several sheets to support the different commands with templates for the displayed data. This was a nice effort for the first releases but it created a lot of trouble in some important areas. If you have hundreds of templates then you must translate hundreds of templates. It is really difficult to extract all the text from templates, and you extract a great many HTML tags along with it, which means that you have style information in your language database. The next problem is customization. If you have hundreds of pages and you want to change something for better CSS stylesheets then you have to change hundreds of templates - really stupid work. So the CCC camp 2003 was the right place to do away with this solution.
libSendReply
libSendMenu
libSendStatic
several logging functions
Let us start with the easiest thing - point four. Nothing changed in this interface except for some classes for the stylesheet. All output pages of OpenCA support stylesheets now. This results in some problems with old Netscape browsers. All current browsers like Mozilla, Microsoft Internet Explorer, Konqueror etc. have no problems. The old Netscape ones cannot interpret stylesheets correctly. They only output the plain links and not the nice tabbing style that the other browsers show, but it was time to make a cut and to take up the cudgels for the future (who will use Netscape 4.7 in one or two years?).
libSendReply is more dynamic than libSendStatic. Please check the source code until I check in the docs tomorrow. It supports command panels and lists, item lists, info lists and siginfo. If you need to build static pages then please use getStaticPage (see listCSRtype in this file for an example).
OpenCA still includes some static web pages, which are created by the command getStaticPage. If you want to change the content of a static page then please change this file.
There are two possibilities for additional functions - you can write a new one or you can use an already existing one.
If you write a new command then there are two important things. First, every command includes a function cmdsFilename. This is the function which is called by the main script if the function filename is requested. Second, if you implement a script which has to handle different states then please write a function checkFilename which includes all the status checks, so that nobody can perform status injections.
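The cmdsFilename/checkFilename split described above, as an added example that is not OpenCA source code. The command name approveDemo, the in-memory request store and the `state` request parameter are constructed for illustration, and the example reads a status injection as a request that claims or targets a state the server-side record is not in.

```perl
#!/usr/bin/perl
# Added example, not OpenCA source. Command name, request store and the
# "state" parameter are hypothetical.
use strict;
use warnings;

# Constructed stand-in for the request database: serial => stored state.
my %requests = (1001 => 'PENDING', 1002 => 'APPROVED', 1003 => 'DELETED');

# Stored states from which this command is allowed to act.
my %allowed_from = (PENDING => 1, SIGNED => 1);

# checkApproveDemo: every status check in one place. It decides on the state
# stored on the server, never on a state sent by the browser.
# Returns undef when all checks pass, otherwise an error text.
sub checkApproveDemo {
    my ($params) = @_;
    my $key = $params->{key};
    return "missing or malformed key"
        unless defined $key && $key =~ /\A[0-9]+\z/;
    my $stored = $requests{$key};
    return "unknown request $key" unless defined $stored;
    if (defined $params->{state} && $params->{state} ne $stored) {
        return "claimed state $params->{state} does not match stored state $stored";
    }
    return "request $key is $stored, approve not permitted"
        unless $allowed_from{$stored};
    return;
}

# cmdsApproveDemo: the entry point the main script would call when the
# function "approveDemo" is requested. It changes nothing until the check passes.
sub cmdsApproveDemo {
    my ($params) = @_;
    if (defined(my $err = checkApproveDemo($params))) {
        return "ERROR: $err";
    }
    $requests{ $params->{key} } = 'APPROVED';
    return "OK: request $params->{key} approved";
}

# Constructed requests: one valid, one claiming a false state for a deleted
# request, one replaying the command on an already approved request.
print cmdsApproveDemo({ key => 1001, state => 'PENDING' }), "\n";
print cmdsApproveDemo({ key => 1003, state => 'PENDING' }), "\n";
print cmdsApproveDemo({ key => 1002 }), "\n";
```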
If you want to establish the new command in the source code then you must add the filename to src/common/lib/cmds/Makefile, which installs the file. Additionally you have to create a file src/common/etc/rbac/cmds/filename.xml. This file has to contain the configuration for the access control. After this step, please add a default entry to the access control list in src/common/etc/rbac/acl.xml.
If you want to add the new command directly in an existing installation then install the file in lib/cmds and create the access control file in etc/rbac/cmds/. Please don't forget to set a correct entry in the ACL at etc/rbac/acl.xml.
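A consistency check for the installation steps above, as an added example that is not part of OpenCA: it lists every file in lib/cmds that has no matching etc/rbac/cmds/filename.xml or whose name does not appear in etc/rbac/acl.xml. The function name audit_cmds is hypothetical, and the ACL test assumes that an entry names the command literally, so a finding there means "review by hand", not "proven missing".

```perl
#!/usr/bin/perl
# Added example, not part of OpenCA. audit_cmds is a hypothetical helper.
use strict;
use warnings;

# audit_cmds($prefix): $prefix is the installation directory of one
# interface, containing lib/cmds and etc/rbac as described in the text.
sub audit_cmds {
    my ($prefix) = @_;
    my $cmd_dir  = "$prefix/lib/cmds";
    my $rbac_dir = "$prefix/etc/rbac/cmds";
    my $acl_file = "$prefix/etc/rbac/acl.xml";

    # Read the ACL once. Assumption: a command that has an ACL entry is
    # named somewhere in acl.xml as a whole word.
    my $acl = '';
    if (open my $fh, '<', $acl_file) {
        local $/;                 # slurp the whole file
        $acl = <$fh> // '';
        close $fh;
    }

    opendir my $dh, $cmd_dir or die "cannot read $cmd_dir: $!\n";
    my @findings;
    for my $cmd (sort grep { -f "$cmd_dir/$_" } readdir $dh) {
        # Installed command without its access-control configuration file.
        push @findings, "$cmd: no $rbac_dir/$cmd.xml"
            unless -f "$rbac_dir/$cmd.xml";
        # Installed command that the ACL never names.
        push @findings, "$cmd: not mentioned in $acl_file"
            unless $acl =~ /\b\Q$cmd\E\b/;
    }
    closedir $dh;
    return @findings;
}

my $prefix = shift @ARGV or die "usage: $0 /path/to/interface\n";
my @findings = audit_cmds($prefix);
print "$_\n" for @findings;
exit(@findings ? 1 : 0);
```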
EDIT, APPROVE, APPROVE_WITHOUT_SIGNING, ISSUE_CERT, ISSUE_CERT_NEW, ISSUE_CERT_RENEW, ISSUE_CERT_PENDING, ISSUE_CERT_SIGNED, ISSUE_CERT_APPROVED, DELETE, DELETE_NEW, DELETE_RENEW, DELETE_PENDING, DELETE_SIGNED, DELETE_APPROVED, RENEW, RENEW_ARCHIVED, RENEW_DELETED, GENERATE_KEY
EDIT, APPROVE, APPROVE_WITHOUT_SIGNING, REVOKE_CERT, REVOKE_CERT_NEW, REVOKE_CERT_PENDING, REVOKE_CERT_SIGNED, REVOKE_CERT_APPROVED, DELETE, DELETE_NEW, DELETE_PENDING, DELETE_SIGNED, DELETE_APPROVED
INSTALL_CERT, LDAP, REVOCATION, SENDCERT, SEND_CERT_KEY, VIEW_CSR, TOKENHANDLING, MAIL, SET_PUBLIC_PASSWD, DELETE_PUBLIC_PASSWD
Perhaps a small hint - if you set up more than one public (or any other) interface then please check that configure_etc.sh only configures this interface. If you don't check this then configure_etc.sh will reconfigure the other public interfaces too and this will break their paths.