/* e_ubsec_err.c */ /* ==================================================================== * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* NOTE: this file was auto generated by the mkerr.pl script: any changes * made to it will be overwritten when the script next updates this file, * only reason strings will be preserved. */ #include #include #include "e_ubsec_err.h" /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(0,func,0) #define ERR_REASON(reason) ERR_PACK(0,0,reason) static ERR_STRING_DATA UBSEC_str_functs[]= { {ERR_FUNC(UBSEC_F_UBSEC_CTRL), "UBSEC_CTRL"}, {ERR_FUNC(UBSEC_F_UBSEC_DH_COMPUTE_KEY), "UBSEC_DH_COMPUTE_KEY"}, {ERR_FUNC(UBSEC_F_UBSEC_DH_GENERATE_KEY), "UBSEC_DH_GENERATE_KEY"}, {ERR_FUNC(UBSEC_F_UBSEC_DSA_DO_SIGN), "UBSEC_DSA_DO_SIGN"}, {ERR_FUNC(UBSEC_F_UBSEC_DSA_VERIFY), "UBSEC_DSA_VERIFY"}, {ERR_FUNC(UBSEC_F_UBSEC_FINISH), "UBSEC_FINISH"}, {ERR_FUNC(UBSEC_F_UBSEC_INIT), "UBSEC_INIT"}, {ERR_FUNC(UBSEC_F_UBSEC_MOD_EXP), "UBSEC_MOD_EXP"}, {ERR_FUNC(UBSEC_F_UBSEC_MOD_EXP_CRT), "UBSEC_MOD_EXP_CRT"}, {ERR_FUNC(UBSEC_F_UBSEC_RAND_BYTES), "UBSEC_RAND_BYTES"}, {ERR_FUNC(UBSEC_F_UBSEC_RSA_MOD_EXP), "UBSEC_RSA_MOD_EXP"}, {ERR_FUNC(UBSEC_F_UBSEC_RSA_MOD_EXP_CRT), "UBSEC_RSA_MOD_EXP_CRT"}, {0,NULL} }; static ERR_STRING_DATA UBSEC_str_reasons[]= { {ERR_REASON(UBSEC_R_ALREADY_LOADED) ,"already 
loaded"}, {ERR_REASON(UBSEC_R_BN_EXPAND_FAIL) ,"bn expand fail"}, {ERR_REASON(UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"}, {ERR_REASON(UBSEC_R_DSO_FAILURE) ,"dso failure"}, {ERR_REASON(UBSEC_R_MISSING_KEY_COMPONENTS),"missing key components"}, {ERR_REASON(UBSEC_R_NOT_LOADED) ,"not loaded"}, {ERR_REASON(UBSEC_R_REQUEST_FAILED) ,"request failed"}, {ERR_REASON(UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL),"size too large or too small"}, {ERR_REASON(UBSEC_R_UNIT_FAILURE) ,"unit failure"}, {0,NULL} }; #endif #ifdef UBSEC_LIB_NAME static ERR_STRING_DATA UBSEC_lib_name[]= { {0 ,UBSEC_LIB_NAME}, {0,NULL} }; #endif static int UBSEC_lib_error_code=0; static int UBSEC_error_init=1; static void ERR_load_UBSEC_strings(void) { if (UBSEC_lib_error_code == 0) UBSEC_lib_error_code=ERR_get_next_error_library(); if (UBSEC_error_init) { UBSEC_error_init=0; #ifndef OPENSSL_NO_ERR ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_functs); ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_reasons); #endif #ifdef UBSEC_LIB_NAME UBSEC_lib_name->error = ERR_PACK(UBSEC_lib_error_code,0,0); ERR_load_strings(0,UBSEC_lib_nam
****** Running rpkid or pubd on a different server ******

The default configuration runs rpkid, pubd (if enabled) and the back end code
all on the same server. For many purposes, this is fine, but in some cases you
might want to split these functions up among different servers.

As noted briefly above, there are two separate sets of rpki.conf options which
control the necessary behavior: the run_* options and the start_* options. The
latter are usually tied to the former, but you can set them separately, and
they control slightly different things: the run_* options control whether the
back end code attempts to manage the servers in question, while the start_*
options control whether the startup scripts should start those servers.

Here's a guideline to how to set up the servers on different machines. For
purposes of this description we'll assume that you're running both rpkid and
pubd, and that you want rpkid and pubd each on their own server, separate from
the back end code. We'll call these servers rpkid.example.org,
pubd.example.org, and backend.example.org.

Most of the configuration is the same as in the normal case, but there are a
few extra steps. The following supplements but does not replace the normal
instructions.

WARNING: These setup directions have not (yet) been tested extensively.

* Create rpki.conf as usual on backend.example.org, but pay particular
  attention to the settings of rpkid_server_host, irbe_server_host, and
  pubd_server_host: these should name rpkid.example.org, backend.example.org,
  and pubd.example.org, respectively.

* This example assumes that you're running pubd, so make sure that both
  run_rpkid and run_pubd are enabled in rpki.conf.

* Copy the rpki.conf to the other machines (over an encrypted channel, since
  the file may contain database passwords), and customize each copy to that
  machine's role:

  o start_rpkid should be enabled on rpkid.example.org and disabled on the
    others.
  o start_pubd should be enabled on pubd.example.org and disabled on the
    others.
  o start_irdbd should be enabled on backend.example.org and disabled on the
    others.

* Make sure that you set up SQL databases on all three servers; the
  rpki-sql-setup script should do the right thing in each case based on the
  setting of the start_* options.

* Run "rpkic initialize" on the back end host. This will create the BPKI and
  write out all of the necessary keys and certificates.

* "rpkic initialize" should have created the BPKI files (.cer, .key, and .crl
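  files for the several servers). Copy the .cer and .crl files to the pubd and
  rpkid hosts, along with the appropriate private key: rpkid.example.org should
  get a copy of the rpkid.key file but not the pubd.key file, while
  pubd.example.org should get a copy of the pubd.key file but not the rpkid.key
  file. Giving each host only its own key means that a compromise of one
  server does not expose the other server's private key. The .key files are
  private keys, so copy them over an authenticated, encrypted channel and keep
  them readable only by the account that runs the corresponding server.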

* Run rpki-start-servers on each of the three hosts when it's time to start the
  servers.

* Do the usual setup dance, but keep in mind that the back end controlling
  all of these servers lives on backend.example.org, so that's where you issue
  the rpkic or GUI commands to manage them. rpkic and the GUI both know how to
  talk to rpkid and pubd over the network, so managing them remotely is fine.