bcfg2-doc-1.3.0-1.fc17.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>SSLCA &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../../../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../../../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../index.html" />
    <link rel="up" title="Plugins" href="../index.html" />
    <link rel="next" title="TCheetah" href="tcheetah.html" />
    <link rel="prev" title="SSHbase" href="sshbase.html" />
 
<link rel="stylesheet" href="../../../_static/bcfg2.css" type=""/>

  </head>
  <body>

  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="sslca">
<span id="server-plugins-generators-sslca"></span><h1>SSLCA<a class="headerlink" href="#sslca" title="Permalink to this headline">¶</a></h1>
<p>SSLCA is a generator plugin designed to handle creation of SSL private
keys and certificates on request.</p>
<p>Borrowing ideas from <a class="reference internal" href="cfg.html#server-plugins-generators-cfg-genshi"><em>Genshi Templates</em></a> and
the <a class="reference internal" href="sshbase.html#server-plugins-generators-sshbase"><em>SSHbase</em></a> plugin, SSLCA automates
the generation of SSL certificates by allowing you to specify key and
certificate definitions.  Then, when a client requests a Path that
contains such a definition within the SSLCA repository, the matching
key/cert is generated, and stored in a hostfile in the repo so that
subsequent requests do not result in repeated key/cert recreation.  In
the event that a new key or cert is needed, the offending hostfile can
simply be removed from the repository, and the next time that host
checks in, a new file will be created.  If that file happens to be the
key, any dependent certificates will also be regenerated.</p>
<div class="section" id="getting-started">
<span id="id1"></span><h2>Getting started<a class="headerlink" href="#getting-started" title="Permalink to this headline">¶</a></h2>
<p>In order to use SSLCA, you must first have at least one CA configured
on your system.  For the suggested directory layout and configuration
directives of an OpenSSL-based CA, see
<a class="reference external" href="http://www.openssl.org/docs/apps/ca.html">http://www.openssl.org/docs/apps/ca.html</a>.</p>
<p>For SSLCA to work, the openssl.cnf (or other configuration file) for
that CA must contain full (not relative) paths.</p>
<ol class="arabic">
<li><p class="first">Add SSLCA to the <strong>plugins</strong> line in <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> and
restart the server &#8211; this enables the SSLCA plugin on the Bcfg2
server.</p>
</li>
<li><p class="first">Add a section to your <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> called <tt class="docutils literal"><span class="pre">sslca_foo</span></tt>,
replacing foo with the name you wish to give your CA so you can
reference it in certificate definitions.</p>
</li>
<li><p class="first">Under that section, add an entry for <tt class="docutils literal"><span class="pre">config</span></tt> that gives the
location of the openssl configuration file for your CA.</p>
</li>
<li><p class="first">If necessary, add an entry for <tt class="docutils literal"><span class="pre">passphrase</span></tt> containing the
passphrase for the CA&#8217;s private key.  We store this in
<tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> because the permissions on that file should make it
readable only by the bcfg2 user.  If no passphrase entry exists,
it is assumed that the private key is stored unencrypted.</p>
</li>
<li><p class="first">Optionally, add an entry <tt class="docutils literal"><span class="pre">chaincert</span></tt> that points to the location
of your SSL chaining certificate.  This is used when preexisting
certificate hostfiles are found, so that they can be validated and
only regenerated if they no longer meet the specification.  If
you&#8217;re using a self-signing CA this would be the CA cert that you
generated.  If the chain cert is a root CA cert (e.g., if it is a
self-signing CA), also add an entry <tt class="docutils literal"><span class="pre">root_ca</span> <span class="pre">=</span> <span class="pre">true</span></tt>.  If
<tt class="docutils literal"><span class="pre">chaincert</span></tt> is omitted, certificate verification will not be
performed.</p>
</li>
<li><p class="first">Once all this is done, you should have a section in your
<tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> that looks similar to the following:</p>
<div class="highlight-python"><pre>[sslca_default]
config = /etc/pki/CA/openssl.cnf
passphrase = youReallyThinkIdShareThis?
chaincert = /etc/pki/CA/chaincert.crt
root_ca = true</pre>
</div>
</li>
<li><p class="first">You are now ready to create key and certificate definitions.  For
this example we&#8217;ll assume you&#8217;ve added Path entries for the key,
<tt class="docutils literal"><span class="pre">/etc/pki/tls/private/localhost.key</span></tt>, and the certificate,
<tt class="docutils literal"><span class="pre">/etc/pki/tls/certs/localhost.crt</span></tt> to a bundle or base.</p>
</li>
<li><p class="first">Defining a key or certificate is similar to defining a Cfg file.
Under the <tt class="docutils literal"><span class="pre">SSLCA/</span></tt> directory of your Bcfg2 repository, create the directory
structure to match the path to your key. In this case this would be
something like
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/SSLCA/etc/pki/tls/private/localhost.key</span></tt>.</p>
</li>
<li><p class="first">Within that directory, create a <a class="reference internal" href="#key-xml">key.xml</a> file containing the
following:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;KeyInfo&gt;</span>
  <span class="nt">&lt;Key</span> <span class="na">type=</span><span class="s">&quot;rsa&quot;</span> <span class="na">bits=</span><span class="s">&quot;2048&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/KeyInfo&gt;</span>
</pre></div>
</div>
</li>
<li><p class="first">This will cause the generation of a 2048-bit RSA key when a client
requests that Path.  Alternatively you can specify <tt class="docutils literal"><span class="pre">dsa</span></tt> as the
key type, or a different number of bits.</p>
</li>
<li><p class="first">Similarly, create the matching directory structure for the
certificate path, and a <a class="reference internal" href="#cert-xml">cert.xml</a> containing the following:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;CertInfo&gt;</span>
  <span class="nt">&lt;Cert</span> <span class="na">format=</span><span class="s">&quot;pem&quot;</span> <span class="na">key=</span><span class="s">&quot;/etc/pki/tls/private/localhost.key&quot;</span>
        <span class="na">ca=</span><span class="s">&quot;default&quot;</span> <span class="na">days=</span><span class="s">&quot;365&quot;</span> <span class="na">c=</span><span class="s">&quot;US&quot;</span> <span class="na">l=</span><span class="s">&quot;New York&quot;</span> <span class="na">st=</span><span class="s">&quot;New York&quot;</span>
        <span class="na">o=</span><span class="s">&quot;Your Company Name&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/CertInfo&gt;</span>
</pre></div>
</div>
</li>
<li><p class="first">When a client requests the cert path, a certificate will be
generated using the key hostfile at the specified key location,
using the CA matching the <tt class="docutils literal"><span class="pre">ca</span></tt> attribute, i.e. <tt class="docutils literal"><span class="pre">ca=&quot;default&quot;</span></tt> will match
<tt class="docutils literal"><span class="pre">[sslca_default]</span></tt> in your <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt>.</p>
</li>
</ol>
</div>
<div class="section" id="configuration">
<span id="sslca-configuration"></span><h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h2>
<div class="section" id="bcfg2-conf">
<h3>bcfg2.conf<a class="headerlink" href="#bcfg2-conf" title="Permalink to this headline">¶</a></h3>
<p><tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> contains miscellaneous configuration options for the
SSLCA plugin. These are described in some detail above in
<cite>getting-started</cite>, but are also enumerated here as a reference.  Any
booleans in the config file accept the values &#8220;1&#8221;, &#8220;yes&#8221;, &#8220;true&#8221;, and
&#8220;on&#8221; for True, and &#8220;0&#8221;, &#8220;no&#8221;, &#8220;false&#8221;, and &#8220;off&#8221; for False.</p>
<p>Each directive below should appear at most once in each
<tt class="docutils literal"><span class="pre">[sslca_&lt;name&gt;]</span></tt> section.  The following directives are understood:</p>
<table border="1" class="docutils">
<colgroup>
<col width="19%" />
<col width="57%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>config</td>
<td>Path to the openssl config for the CA</td>
<td>String</td>
<td>None</td>
</tr>
<tr class="row-odd"><td>passphrase</td>
<td>Passphrase for the CA private key</td>
<td>String</td>
<td>None</td>
</tr>
<tr class="row-even"><td>chaincert</td>
<td>Path to the SSL chaining certificate for
verification</td>
<td>String</td>
<td>None</td>
</tr>
<tr class="row-odd"><td>root_ca</td>
<td>Whether or not <tt class="docutils literal"><span class="pre">&lt;chaincert&gt;</span></tt> is a root
CA (as opposed to an intermediate cert)</td>
<td>Boolean</td>
<td>false</td>
</tr>
</tbody>
</table>
<p>Only <tt class="docutils literal"><span class="pre">config</span></tt> is required.</p>
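<p>As an added example (not part of the Bcfg2 documentation or code base), the following Python checker applies the rules above to each <tt class="docutils literal"><span class="pre">[sslca_&lt;name&gt;]</span></tt> section of a <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>: <tt class="docutils literal"><span class="pre">config</span></tt> is required, paths must be full rather than relative, <tt class="docutils literal"><span class="pre">root_ca</span></tt> must use one of the documented boolean spellings, and SSLCA must be on the <strong>plugins</strong> line. The sample configuration text, its paths and passphrase are constructed for the example.</p>

```python
"""Validate the [sslca_<name>] sections of a bcfg2.conf as the SSLCA
documentation describes them.  Added example, not Bcfg2's own code."""
import configparser
import os

# Boolean spellings the documentation says the config file accepts.
TRUE_VALUES = {"1", "yes", "true", "on"}
FALSE_VALUES = {"0", "no", "false", "off"}
# The four directives documented for an [sslca_<name>] section.
KNOWN_KEYS = {"config", "passphrase", "chaincert", "root_ca"}

# Constructed sample bcfg2.conf: one good CA section, one deliberately
# broken one (relative path, invalid boolean).  Paths are placeholders.
SAMPLE_CONF = """
[server]
plugins = Cfg,SSLCA

[sslca_default]
config = /etc/pki/CA/openssl.cnf
passphrase = youReallyThinkIdShareThis?
chaincert = /etc/pki/CA/chaincert.crt
root_ca = true

[sslca_broken]
config = pki/CA/openssl.cnf
chaincert = /etc/pki/CA/intermediate.crt
root_ca = maybe
"""


def parse_bool(value):
    """Map the documented spellings to True/False; anything else is an error."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError("not a boolean: %r" % value)


def check_sslca_section(parser, section):
    """Return a list of problems found in one [sslca_<name>] section.

    An empty list means the section satisfies the documented rules:
    'config' is present, 'config' and 'chaincert' are absolute paths
    (SSLCA requires full, not relative, paths), 'root_ca' is a recognised
    boolean, and no undocumented directives are present.
    """
    problems = []
    items = dict(parser.items(section))
    for key in items:
        if key not in KNOWN_KEYS:
            problems.append("unknown directive %r" % key)
    if "config" not in items:
        problems.append("'config' is required")
    for key in ("config", "chaincert"):
        if key in items and not os.path.isabs(items[key]):
            problems.append("%r must be an absolute path" % key)
    if "root_ca" in items:
        try:
            parse_bool(items["root_ca"])
        except ValueError as err:
            problems.append("root_ca: %s" % err)
        if "chaincert" not in items:
            # Verification is skipped without chaincert, so root_ca is inert.
            problems.append("'root_ca' has no effect without 'chaincert'")
    return problems


def check_all(conf_text):
    """Return {ca_name: [problems]} for every sslca_* section, plus a
    '_plugin_enabled' flag telling whether SSLCA is on the plugins line."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    plugins = [p.strip() for p in
               parser.get("server", "plugins", fallback="").split(",")]
    result = {"_plugin_enabled": "SSLCA" in plugins}
    for section in parser.sections():
        if section.startswith("sslca_"):
            ca_name = section[len("sslca_"):]
            result[ca_name] = check_sslca_section(parser, section)
    return result


if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_CONF).items():
        print(name, problems)
```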
</div>
<div class="section" id="cert-xml">
<h3>cert.xml<a class="headerlink" href="#cert-xml" title="Permalink to this headline">¶</a></h3>
<dl class="schema" id="schema:sslca-cert.xsd">
<dt id="schema:sslca-cert.xsd">
<!--[schema:sslca-cert.xsd]--><em>schema</em> <strong>sslca-cert.xsd</strong><a class="headerlink" href="#schema:sslca-cert.xsd" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Schema for <a class="reference internal" href="#server-plugins-generators-sslca"><em>SSLCA</em></a> <tt class="docutils literal"><span class="pre">cert.xml</span></tt></div></blockquote>
<dl class="last element" id="element:CertInfo">
<dt id="element:CertInfo">
<!--[element:CertInfo]--><em>element</em> <strong>CertInfo</strong><a class="headerlink" href="#element:CertInfo" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Top-level tag for describing an SSLCA generated certificate.</div></blockquote>
<dl class="last docutils" id="complexType:CertInfo">
<dt>Child elements:</dt>
<dd><ul class="first last">
<li><dl class="element" id="element:Cert">
<dt id="element:Cert">
<!--[element:Cert]--><em>element</em> <strong>Cert</strong><a class="headerlink" href="#element:Cert" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<dl class="last docutils" id="complexType:CertType">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head"><p class="first last">Name</p>
</th>
<th class="head"><p class="first last">Description</p>
</th>
<th class="head"><p class="first last">Values</p>
</th>
<th class="head"><p class="first last">Required</p>
</th>
<th class="head"><p class="first last">Default</p>
</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:key"></span><tt class="docutils literal"><span class="pre">key</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>The full path to the key entry to use for this certificate.
This is the <em>client</em> path; e.g., for a key defined at
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/SSLCA/etc/pki/tls/private/foo.key/key.xml</span></tt>,
<strong>key</strong> should be <tt class="docutils literal"><span class="pre">/etc/pki/tls/private/foo.key</span></tt>.</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">Yes</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
<tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:append_chain"></span><tt class="docutils literal"><span class="pre">append_chain</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Append the CA chain certificate to the generated certificate
(e.g., to produce a certificate in the format required by Nginx.)</p>
</div></blockquote>
</td>
<td><p class="first last"><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></p>
</td>
<td><p class="first last">No</p>
</td>
<td><tt class="first last docutils literal"><span class="pre">false</span></tt></td>
</tr>
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:c"></span><tt class="docutils literal"><span class="pre">c</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Override the country set in the CA config</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
<tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:ca"></span><tt class="docutils literal"><span class="pre">ca</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>The name of the CA (from <a class="reference internal" href="#sslca-configuration"><em>bcfg2.conf</em></a>) to use to generate this
certificate.</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><tt class="first last docutils literal"><span class="pre">default</span></tt></td>
</tr>
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:days"></span><tt class="docutils literal"><span class="pre">days</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Time (in days) the certificate will be valid for.</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#integer"><tt class="docutils literal"><span class="pre">integer</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><tt class="first last docutils literal"><span class="pre">365</span></tt></td>
</tr>
<tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:emailaddress"></span><tt class="docutils literal"><span class="pre">emailaddress</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Override the email address set in the CA config</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:format"></span><tt class="docutils literal"><span class="pre">format</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>The certificate format to produce.</p>
</div></blockquote>
</td>
<td><p class="first last"><tt class="docutils literal"><span class="pre">pem</span></tt></p>
</td>
<td><p class="first last">No</p>
</td>
<td><tt class="first last docutils literal"><span class="pre">pem</span></tt></td>
</tr>
<tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:l"></span><tt class="docutils literal"><span class="pre">l</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Override the location set in the CA config</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:o"></span><tt class="docutils literal"><span class="pre">o</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Override the organization set in the CA config</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
<tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:CertType:ou"></span><tt class="docutils literal"><span class="pre">ou</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Override the organizational unit set in the CA config</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:CertType:st"></span><tt class="docutils literal"><span class="pre">st</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>Override the state set in the CA config</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><p class="first last">None</p>
</td>
</tr>
</tbody>
</table>
</dd>
</dl>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Group">
<dt id="element:Group">
<!--[element:Group]--><em>element</em> <strong>Group</strong><a class="headerlink" href="#element:Group" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:SSLCACertGroupType"><tt class="docutils literal"><span class="pre">SSLCACertGroupType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Client">
<dt id="element:Client">
<!--[element:Client]--><em>element</em> <strong>Client</strong><a class="headerlink" href="#element:Client" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:SSLCACertGroupType"><tt class="docutils literal"><span class="pre">SSLCACertGroupType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:subjectAltName">
<dt id="element:subjectAltName">
<!--[element:subjectAltName]--><em>element</em> <strong>subjectAltName</strong><a class="headerlink" href="#element:subjectAltName" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last"><strong>subjectAltName</strong> takes only text content, which may be the following values: <a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</dd>
</dl>

</li>
</ul>
</dd>
</dl>
</dd>
</dl>

</dd>
</dl>

<dl class="complexType" id="complexType:SSLCACertGroupType">
<dt id="complexType:SSLCACertGroupType">
<!--[complexType:SSLCACertGroupType]--><em>complexType</em> <strong>SSLCACertGroupType</strong><a class="headerlink" href="#complexType:SSLCACertGroupType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>An <strong>SSLCACertGroupType</strong> is a tag used to provide logic.
Child entries of an SSLCACertGroupType tag only apply to
machines that match the condition specified &#8211; either
membership in a group, or a matching client name.
<a class="reference internal" href="#attribute:SSLCACertGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> can be set to negate
the sense of the match.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:SSLCACertGroupType:name"></span><tt class="docutils literal"><span class="pre">name</span></tt></td>
<td><blockquote class="first last">
<div>The name of the client or group to match on.  Child entries
will only apply to this client or group (unless
<a class="reference internal" href="#attribute:SSLCACertGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> is set).</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:SSLCACertGroupType:negate"></span><tt class="docutils literal"><span class="pre">negate</span></tt></td>
<td><blockquote class="first last">
<div>Negate the sense of the match, so that child entries only
apply to a client if it is not a member of the given group
or does not have the given name.</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
<dt>Child elements:</dt>
<dd><ul class="first last simple">
<li><a class="reference internal" href="#element:Cert"><tt class="docutils literal"><span class="pre">Cert</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Group"><tt class="docutils literal"><span class="pre">Group</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Client"><tt class="docutils literal"><span class="pre">Client</span></tt></a></li>
<li><a class="reference internal" href="#element:subjectAltName"><tt class="docutils literal"><span class="pre">subjectAltName</span></tt></a></li>
</ul>
</dd>
</dl>
</dd>
</dl>

<div class="section" id="example">
<h4>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h4>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;CertInfo&gt;</span>
  <span class="nt">&lt;SubjectAltName&gt;</span>test.example.com<span class="nt">&lt;/SubjectAltName&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&quot;apache&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Cert</span> <span class="na">key=</span><span class="s">&quot;/etc/pki/tls/private/foo.key&quot;</span> <span class="na">days=</span><span class="s">&quot;730&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&quot;nginx&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Cert</span> <span class="na">key=</span><span class="s">&quot;/etc/pki/tls/private/foo.key&quot;</span> <span class="na">days=</span><span class="s">&quot;730&quot;</span>
          <span class="na">append_chain=</span><span class="s">&quot;true&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
<span class="nt">&lt;/CertInfo&gt;</span>
</pre></div>
</div>
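<p>As an added example (not Bcfg2's own code), the following Python resolver applies the <strong>SSLCACertGroupType</strong> logic described above to the example <tt class="docutils literal"><span class="pre">cert.xml</span></tt> for one client: <tt class="docutils literal"><span class="pre">Group</span></tt> and <tt class="docutils literal"><span class="pre">Client</span></tt> conditions are evaluated with <tt class="docutils literal"><span class="pre">negate</span></tt> honoured, and the schema defaults from the attribute table are filled in. The client's group list is assumed to be known (on a real server it comes from the metadata), and the rule that the last applicable <tt class="docutils literal"><span class="pre">Cert</span></tt> wins is an assumption of this example, not something the page defines.</p>

```python
"""Resolve which Cert specification in a cert.xml applies to a client.
Added example, not Bcfg2's own code."""
import xml.etree.ElementTree as ET

# The example cert.xml from the documentation, embedded so this runs offline.
CERT_XML = """<CertInfo>
  <SubjectAltName>test.example.com</SubjectAltName>
  <Group name="apache">
    <Cert key="/etc/pki/tls/private/foo.key" days="730"/>
  </Group>
  <Group name="nginx">
    <Cert key="/etc/pki/tls/private/foo.key" days="730"
          append_chain="true"/>
  </Group>
</CertInfo>"""

# Defaults from the Cert attribute table in the schema documentation.
CERT_DEFAULTS = {"ca": "default", "days": "365", "format": "pem",
                 "append_chain": "false"}


def _matches(elem, hostname, groups):
    """Does a <Group>/<Client> condition apply to this client?
    'negate' flips the sense of the match, as the schema describes."""
    negate = elem.get("negate", "false").lower() == "true"
    if elem.tag == "Group":
        hit = elem.get("name") in groups
    elif elem.tag == "Client":
        hit = elem.get("name") == hostname
    else:
        return True
    return hit != negate


def _walk(elem, hostname, groups, certs, altnames):
    """Depth-first: collect Cert elements and subjectAltName text that apply
    to this client, descending only into Group/Client tags that match."""
    for child in elem:
        if child.tag == "Cert":
            certs.append(child)
        elif child.tag.lower() == "subjectaltname":
            # The page spells this element both subjectAltName and
            # SubjectAltName; accept either spelling here.
            altnames.append((child.text or "").strip())
        elif child.tag in ("Group", "Client"):
            if _matches(child, hostname, groups):
                _walk(child, hostname, groups, certs, altnames)


def resolve_cert(xml_text, hostname, groups):
    """Return (spec, altnames) for this client, or None when no Cert applies.

    spec is the effective Cert attribute dict with schema defaults filled
    in, 'days' as an int and 'append_chain' as a bool.  When several Cert
    elements apply, the last one wins (an assumption of this example).
    """
    root = ET.fromstring(xml_text)
    certs, altnames = [], []
    _walk(root, hostname, set(groups), certs, altnames)
    if not certs:
        return None
    spec = dict(CERT_DEFAULTS)
    spec.update(certs[-1].attrib)
    if "key" not in spec:
        raise ValueError("Cert is missing the required 'key' attribute")
    spec["days"] = int(spec["days"])
    spec["append_chain"] = spec["append_chain"].lower() == "true"
    return spec, altnames


if __name__ == "__main__":
    # Constructed client: in the nginx group, so the append_chain Cert applies.
    print(resolve_cert(CERT_XML, "web1.example.com", ["nginx", "linux"]))
```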
</div>
</div>
<div class="section" id="key-xml">
<h3>key.xml<a class="headerlink" href="#key-xml" title="Permalink to this headline">¶</a></h3>
<dl class="schema" id="schema:sslca-key.xsd">
<dt id="schema:sslca-key.xsd">
<!--[schema:sslca-key.xsd]--><em>schema</em> <strong>sslca-key.xsd</strong><a class="headerlink" href="#schema:sslca-key.xsd" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Schema for <a class="reference internal" href="#server-plugins-generators-sslca"><em>SSLCA</em></a> <tt class="docutils literal"><span class="pre">key.xml</span></tt></div></blockquote>
<dl class="last element" id="element:KeyInfo">
<dt id="element:KeyInfo">
<!--[element:KeyInfo]--><em>element</em> <strong>KeyInfo</strong><a class="headerlink" href="#element:KeyInfo" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Top-level tag for describing an SSLCA generated key.</div></blockquote>
<dl class="last docutils" id="complexType:KeyInfo">
<dt>Child elements:</dt>
<dd><ul class="first last">
<li><dl class="element" id="element:Key">
<dt id="element:Key">
<!--[element:Key]--><em>element</em> <strong>Key</strong><a class="headerlink" href="#element:Key" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<dl class="last docutils" id="complexType:KeyType">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head"><p class="first last">Name</p>
</th>
<th class="head"><p class="first last">Description</p>
</th>
<th class="head"><p class="first last">Values</p>
</th>
<th class="head"><p class="first last">Required</p>
</th>
<th class="head"><p class="first last">Default</p>
</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><p class="first last"><span class="target" id="attribute:KeyType:bits"></span><tt class="docutils literal"><span class="pre">bits</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>The key length</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#nonNegativeInteger"><tt class="docutils literal"><span class="pre">nonNegativeInteger</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><tt class="first last docutils literal"><span class="pre">2048</span></tt></td>
</tr>
<tr class="row-odd"><td><p class="first last"><span class="target" id="attribute:KeyType:type"></span><tt class="docutils literal"><span class="pre">type</span></tt></p>
</td>
<td><blockquote class="first last">
<div><p>The key type</p>
</div></blockquote>
</td>
<td><p class="first last"><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></p>
</td>
<td><p class="first last">No</p>
</td>
<td><tt class="first last docutils literal"><span class="pre">rsa</span></tt></td>
</tr>
</tbody>
</table>
</dd>
</dl>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Group">
<dt id="element:Group">
<!--[element:Group]--><em>element</em> <strong>Group</strong><a class="headerlink" href="#element:Group" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:SSLCAKeyGroupType"><tt class="docutils literal"><span class="pre">SSLCAKeyGroupType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Client">
<dt id="element:Client">
<!--[element:Client]--><em>element</em> <strong>Client</strong><a class="headerlink" href="#element:Client" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:SSLCAKeyGroupType"><tt class="docutils literal"><span class="pre">SSLCAKeyGroupType</span></tt></a></p>
</dd>
</dl>

</li>
</ul>
</dd>
</dl>
</dd>
</dl>

</dd>
</dl>

<dl class="complexType" id="complexType:SSLCAKeyGroupType">
<dt id="complexType:SSLCAKeyGroupType">
<!--[complexType:SSLCAKeyGroupType]--><em>complexType</em> <strong>SSLCAKeyGroupType</strong><a class="headerlink" href="#complexType:SSLCAKeyGroupType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>An <strong>SSLCAKeyGroupType</strong> is a tag used to provide logic.
Child entries of an SSLCAKeyGroupType tag only apply to
machines that match the condition specified &#8211; either
membership in a group, or a matching client name.
<a class="reference internal" href="#attribute:SSLCAKeyGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> can be set to negate
the sense of the match.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:SSLCAKeyGroupType:name"></span><tt class="docutils literal"><span class="pre">name</span></tt></td>
<td><blockquote class="first last">
<div>The name of the client or group to match on.  Child entries
will only apply to this client or group (unless
<a class="reference internal" href="#attribute:SSLCAKeyGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> is set).</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:SSLCAKeyGroupType:negate"></span><tt class="docutils literal"><span class="pre">negate</span></tt></td>
<td><blockquote class="first last">
<div>Negate the sense of the match, so that child entries only
apply to a client if it is not a member of the given group
or does not have the given name.</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
<dt>Child elements:</dt>
<dd><ul class="first last simple">
<li><a class="reference internal" href="#element:Key"><tt class="docutils literal"><span class="pre">Key</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Group"><tt class="docutils literal"><span class="pre">Group</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Client"><tt class="docutils literal"><span class="pre">Client</span></tt></a></li>
</ul>
</dd>
</dl>
</dd>
</dl>

<div class="section" id="id2">
<h4>Example<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h4>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;KeyInfo&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&quot;fast&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Key</span> <span class="na">type=</span><span class="s">&quot;rsa&quot;</span> <span class="na">bits=</span><span class="s">&quot;1024&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&quot;secure&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Key</span> <span class="na">type=</span><span class="s">&quot;rsa&quot;</span> <span class="na">bits=</span><span class="s">&quot;4096&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
<span class="nt">&lt;/KeyInfo&gt;</span>
</pre></div>
</div>
</div>
</div>
</div>
<div class="section" id="automated-bcfg2-ssl-authentication">
<h2>Automated Bcfg2 SSL Authentication<a class="headerlink" href="#automated-bcfg2-ssl-authentication" title="Permalink to this headline">¶</a></h2>
<p>This section describes one possible scenario for automating SSL
certificate generation and distribution for bcfg2 client/server
communication using SSLCA. The process involves configuring a
certificate authority (CA), generating the CA cert and key pair, and
configuring the bcfg2 SSLCA plugin and a Bundle so that the
SSLCA-generated certs authenticate the bcfg2 client to the server.</p>
<div class="section" id="openssl-ca">
<h3>OpenSSL CA<a class="headerlink" href="#openssl-ca" title="Permalink to this headline">¶</a></h3>
<p>If you already have an SSL CA available you can skip this section;
otherwise you can easily build one on the server using openssl. Adjust
the paths to suit your preferences, and keep the CA key readable by root
only: anyone who can read it can issue certificates that your bcfg2
server will accept.</p>
<ol class="arabic">
<li><p class="first">Prepare the directories and files. The <tt class="docutils literal"><span class="pre">private</span></tt>
directory must not be readable by other users, and <tt class="docutils literal"><span class="pre">crlnumber</span></tt>
must contain a number, not be empty, or openssl will fail when you later
issue a CRL:</p>
<div class="highlight-python"><pre>mkdir -p /etc/pki/CA/certs /etc/pki/CA/crl /etc/pki/CA/newcerts
mkdir -p -m 0700 /etc/pki/CA/private
echo '01' &gt; /etc/pki/CA/serial
echo '01' &gt; /etc/pki/CA/crlnumber
touch /etc/pki/CA/index.txt</pre>
</div>
</li>
<li><p class="first">Edit the <tt class="docutils literal"><span class="pre">openssl.cnf</span></tt> config file, and in the <strong>[ CA_default ]</strong>
section adjust the following parameters:</p>
<div class="highlight-python"><pre>dir           = /etc/pki                        # Where everything is kept
certs         = /etc/pki/CA/certs               # Where the issued certs are kept
database      = /etc/pki/CA/index.txt           # database index file.
new_certs_dir = /etc/pki/CA/newcerts            # default place for new certs.
certificate   = /etc/pki/CA/certs/bcfg2ca.crt   # The CA certificate
serial        = /etc/pki/CA/serial              # The current serial number
crl_dir       = /etc/pki/CA/crl                 # Where the issued crl are kept
crlnumber     = /etc/pki/CA/crlnumber           # the current crl number
crl           = /etc/pki/CA/crl.pem             # The current CRL
private_key   = /etc/pki/CA/private/bcfg2ca.key # The private key</pre>
</div>
</li>
<li><p class="first">Create the CA root certificate and key pair. You&#8217;ll be asked to
supply a passphrase, which protects the CA key and will be needed every
time the CA signs a request, and some organizational info. The most
important field is <strong>Common Name</strong>, which you should set to the
hostname of your bcfg2 server as your clients will see it when doing a
reverse DNS query on its IP address. The key size and signature digest
are given explicitly here rather than left to the defaults in
<tt class="docutils literal"><span class="pre">openssl.cnf</span></tt>:</p>
<div class="highlight-python"><pre>openssl req -new -x509 -newkey rsa:4096 -sha256 -extensions v3_ca \
    -keyout bcfg2ca.key -out bcfg2ca.crt -days 3650</pre>
</div>
</li>
<li><p class="first">Move the generated cert and key to the locations specified in
<tt class="docutils literal"><span class="pre">openssl.cnf</span></tt>, and make sure the key is readable only by root:</p>
<div class="highlight-python"><pre>mv bcfg2ca.key /etc/pki/CA/private/
mv bcfg2ca.crt /etc/pki/CA/certs/
chmod 600 /etc/pki/CA/private/bcfg2ca.key</pre>
</div>
</li>
</ol>
<p>Your self-signed CA is now ready to use.</p>
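<p>The four steps above as a single script, added here as an example and not part of the Bcfg2 documentation or code base: it builds the same CA layout unattended in a scratch directory, issues one client certificate with <tt class="docutils literal"><span class="pre">openssl</span> <span class="pre">ca</span></tt> (the command the SSLCA plugin invokes on the server for each client), and then runs the checks a client should run on the key and certificate it receives. The variable names, the function names, the CA and client names, the passphrase and the key sizes are placeholders chosen for the example; set <tt class="docutils literal"><span class="pre">CA_ROOT</span></tt> to <tt class="docutils literal"><span class="pre">/etc/pki</span></tt> and run it as root to reproduce the paths used on this page.</p>

```shell
#!/bin/sh
# Added example, not Bcfg2 project code: steps 1-4 above run unattended in a
# scratch root (CA_ROOT stands in for /etc/pki), then a client certificate is
# issued with "openssl ca", as the SSLCA plugin does on the server, and checked
# as a client should check what it receives. CA_CN, CA_PASS, the client name
# and the key sizes are placeholders, not values from the page.
set -eu

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"
CA_DIR="$CA_ROOT/CA"
CA_CNF="$CA_DIR/openssl.cnf"
CA_CN="${CA_CN:-bcfg2.example.com}"            # the bcfg2 server's hostname
CA_PASS="${CA_PASS:-replace-this-passphrase}"  # placeholder passphrase

# Step 1: directories and bookkeeping files. private/ is 0700 so only root
# reads the CA key; crlnumber must hold a number or "openssl ca -gencrl" fails.
prepare_ca_dirs() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts"
    mkdir -p -m 0700 "$CA_DIR/private"
    echo '01' > "$CA_DIR/serial"
    echo '01' > "$CA_DIR/crlnumber"
    : > "$CA_DIR/index.txt"
}

# Step 2: the [ CA_default ] values from the page under $CA_DIR, plus the
# policy and extension sections "openssl ca" needs to sign unattended. v3_ca
# sets no keyUsage (as stock) since the page gives the CA cert the server's CN.
write_ca_config() {
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
certs           = $CA_DIR/certs
database        = $CA_DIR/index.txt
new_certs_dir   = $CA_DIR/newcerts
certificate     = $CA_DIR/certs/bcfg2ca.crt
serial          = $CA_DIR/serial
crl_dir         = $CA_DIR/crl
crlnumber       = $CA_DIR/crlnumber
crl             = $CA_DIR/crl.pem
private_key     = $CA_DIR/private/bcfg2ca.key
default_md      = sha256
policy          = policy_any

[ policy_any ]
commonName      = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Steps 3 and 4: a 4096-bit, SHA-256 self-signed CA certificate and its
# passphrase-protected key, written straight to the paths the config names.
create_ca_root() {
    openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
        -config "$CA_CNF" -extensions v3_ca -subj "/CN=$CA_CN" \
        -passout "pass:$CA_PASS" \
        -keyout "$CA_DIR/private/bcfg2ca.key" -out "$CA_DIR/certs/bcfg2ca.crt"
    chmod 600 "$CA_DIR/private/bcfg2ca.key"
}

# What SSLCA does per client: a key, a CSR carrying the client name ($1),
# and a CA-signed certificate; $2 is the output path without extension.
issue_client_cert() {
    openssl genrsa -out "$2.key" 2048 2>/dev/null
    chmod 600 "$2.key"
    openssl req -new -key "$2.key" -config "$CA_CNF" -subj "/CN=$1" -out "$2.csr"
    openssl ca -batch -notext -config "$CA_CNF" -extensions v3_client -days 365 \
        -passin "pass:$CA_PASS" -in "$2.csr" -out "$2.crt"
}

# Client-side check for cert $1, key $2, CA cert $3: the cert chains to the CA
# and is valid for TLS client auth, and the key's public half matches the cert.
verify_client_cert() {
    openssl verify -CAfile "$3" -purpose sslclient "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

prepare_ca_dirs
write_ca_config
create_ca_root
issue_client_cert "client1.example.com" "$CA_DIR/certs/client1"
verify_client_cert "$CA_DIR/certs/client1.crt" "$CA_DIR/certs/client1.key" "$CA_DIR/certs/bcfg2ca.crt"
echo "CA ready in $CA_DIR; $(grep -c '^V' "$CA_DIR/index.txt") certificate(s) issued"
```

<p>The <tt class="docutils literal"><span class="pre">verify_client_cert</span></tt> function is the same check worth running on a client after it has been bootstrapped: a certificate that was not issued by this CA, or a key that does not belong to the certificate, makes it return non-zero. The CA key is encrypted with the passphrase, so whatever signs requests later (the SSLCA plugin in this scenario) must be given that passphrase.</p>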
</div>
<div class="section" id="bcfg2">
<h3>Bcfg2<a class="headerlink" href="#bcfg2" title="Permalink to this headline">¶</a></h3>
<div class="section" id="id3">
<h4>SSLCA<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4>
<p>The SSLCA plugin was not designed specifically to manage bcfg2
client/server communication, though it is certainly able to provide
certificate generation and management for that purpose. You&#8217;ll
need to configure the <strong>SSLCA</strong> plugin to serve the key and
certificate paths that we will define later in our client&#8217;s
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> file.</p>
<p>The rest of these instructions will assume that you&#8217;ve configured the
<strong>SSLCA</strong> plugin as described above and that the files
<tt class="docutils literal"><span class="pre">SSLCA/etc/pki/tls/certs/bcfg2client.crt/cert.xml</span></tt> and
<tt class="docutils literal"><span class="pre">SSLCA/etc/pki/tls/private/bcfg2client.key/key.xml</span></tt> represent the
cert and key paths you want generated for SSL auth.</p>
</div>
<div class="section" id="client-bundle">
<h4>Client Bundle<a class="headerlink" href="#client-bundle" title="Permalink to this headline">¶</a></h4>
<p>To automate the process of generating and distributing certs to the
clients we need to define, in a Bundle, at least the cert and key paths
served by the SSLCA plugin, as well as the CA certificate path. The cert
and key paths must match the entries under the SSLCA directory exactly.
For example:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/pki/tls/certs/bcfg2ca.crt&#39;</span><span class="nt">/&gt;</span>
<span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/pki/tls/certs/bcfg2client.crt&#39;</span><span class="nt">/&gt;</span>
<span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/pki/tls/private/bcfg2client.key&#39;</span><span class="nt">/&gt;</span>
</pre></div>
</div>
<p>Here&#8217;s a more complete example bcfg2-client bundle:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;Bundle</span> <span class="na">name=</span><span class="s">&#39;bcfg2-client&#39;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/bcfg2.conf&#39;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/cron.d/bcfg2-client&#39;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;Package</span> <span class="na">name=</span><span class="s">&#39;bcfg2&#39;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;Service</span> <span class="na">name=</span><span class="s">&#39;bcfg2&#39;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&#39;rpm&#39;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/sysconfig/bcfg2&#39;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/pki/tls/certs/bcfg2ca.crt&#39;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/pki/tls/certs/bcfg2client.crt&#39;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/pki/tls/private/bcfg2client.key&#39;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&#39;deb&#39;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/default/bcfg2&#39;</span> <span class="na">altsrc=</span><span class="s">&#39;/etc/sysconfig/bcfg2&#39;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/ssl/certs/bcfg2ca.crt&#39;</span> <span class="na">altsrc=</span><span class="s">&#39;/etc/pki/tls/certs/bcfg2ca.crt&#39;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/ssl/certs/bcfg2client.crt&#39;</span> <span class="na">altsrc=</span><span class="s">&#39;/etc/pki/tls/certs/bcfg2client.crt&#39;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Path</span> <span class="na">name=</span><span class="s">&#39;/etc/ssl/private/bcfg2client.key&#39;</span> <span class="na">altsrc=</span><span class="s">&#39;/etc/pki/tls/private/bcfg2client.key&#39;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
<span class="nt">&lt;/Bundle&gt;</span>
</pre></div>
</div>
<p>In the above example we told Bcfg2 that it also needs to serve
<tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt>. This is optional but convenient.</p>
<p>The <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> client config needs at least 5 parameters set for
SSL auth.</p>
<ol class="arabic simple">
<li><tt class="docutils literal"><span class="pre">key</span></tt> : This is the host specific key that SSLCA will generate.</li>
<li><tt class="docutils literal"><span class="pre">certificate</span></tt> : This is the host specific cert that SSLCA will
generate.</li>
<li><tt class="docutils literal"><span class="pre">ca</span></tt> : This is a copy of your CA certificate. Not generated by
SSLCA.</li>
<li><tt class="docutils literal"><span class="pre">user</span></tt> : Usually set to fqdn of client. This <em>shouldn&#8217;t</em> be
required but is as of 1.3.0. See:
<a class="reference external" href="http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019">http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019</a></li>
<li><tt class="docutils literal"><span class="pre">password</span></tt> : Set to arbitrary string when using certificate
auth. This also <em>shouldn&#8217;t</em> be required. See:
<a class="reference external" href="http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019">http://trac.mcs.anl.gov/projects/bcfg2/ticket/1019</a></li>
</ol>
<p>Here&#8217;s what a functional <strong>[communication]</strong> section in a
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> genshi template for clients might look like:</p>
<div class="highlight-python"><pre>[communication]
protocol = xmlrpc/ssl
{% if metadata.uuid != None %}\
user = ${metadata.uuid}
{% end %}\
password = DUMMYPASSWORDFORCERTAUTH
{% choose %}\
{% when 'rpm' in metadata.groups %}\
certificate = /etc/pki/tls/certs/bcfg2client.crt
key = /etc/pki/tls/private/bcfg2client.key
ca = /etc/pki/tls/certs/bcfg2ca.crt
{% end %}\
{% when 'deb' in metadata.groups %}\
certificate = /etc/ssl/certs/bcfg2client.crt
key = /etc/ssl/private/bcfg2client.key
ca = /etc/ssl/certs/bcfg2ca.crt
{% end %}\
{% end %}\</pre>
</div>
<p>As a client cannot authenticate with certificates it does not yet
possess, we need to overcome the chicken-and-egg scenario the first time
such a client connects to the server. We can do so by bootstrapping with
password authentication, manually specifying all the relevant auth
parameters (the password is the one configured in the server&#8217;s
<strong>[communication]</strong> section). Note that at this point the client has
no CA certificate to verify the server against, so do the bootstrap over
a network you trust, or place the CA certificate on the client first and
point <tt class="docutils literal"><span class="pre">ca</span></tt> in its
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> at it:</p>
<div class="highlight-python"><pre>bcfg2 -qv -S https://fqdn.of.bcfg2-server:6789 -u fqdn.of.client \
    -x SUPER_SECRET_PASSWORD</pre>
</div>
<p>If all goes well the client should receive a freshly generated key and
cert, and you should be able to run <tt class="docutils literal"><span class="pre">bcfg2</span></tt> again without specifying
the connection parameters. Before relying on the new credentials, check on
the client that the certificate verifies against the CA certificate and
matches the private key, and that the key is readable only by root.</p>
<p>If you do run into problems you may want to review
<a class="reference internal" href="../../../appendix/guides/authentication.html#appendix-guides-authentication"><em>Authentication</em></a>.</p>
</div>
</div>
</div>
<div class="section" id="todo">
<h2>TODO<a class="headerlink" href="#todo" title="Permalink to this headline">¶</a></h2>
<ol class="arabic simple">
<li>Add generation of pkcs12 format certs</li>
</ol>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../../../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">SSLCA</a><ul>
<li><a class="reference internal" href="#getting-started">Getting started</a></li>
<li><a class="reference internal" href="#configuration">Configuration</a><ul>
<li><a class="reference internal" href="#bcfg2-conf">bcfg2.conf</a></li>
<li><a class="reference internal" href="#cert-xml">cert.xml</a><ul>
<li><a class="reference internal" href="#example">Example</a></li>
</ul>
</li>
<li><a class="reference internal" href="#key-xml">key.xml</a><ul>
<li><a class="reference internal" href="#id2">Example</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#automated-bcfg2-ssl-authentication">Automated Bcfg2 SSL Authentication</a><ul>
<li><a class="reference internal" href="#openssl-ca">OpenSSL CA</a></li>
<li><a class="reference internal" href="#bcfg2">Bcfg2</a><ul>
<li><a class="reference internal" href="#id3">SSLCA</a></li>
<li><a class="reference internal" href="#client-bundle">Client Bundle</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#todo">TODO</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="sshbase.html"
                        title="previous chapter">SSHbase</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="tcheetah.html"
                        title="next chapter">TCheetah</a></p>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>