Best Practices

From OpenXPKI Wiki

Contents 1 Overview 2 Databases 2.1 Choosing a database 2.2 MySQL 2.3 Oracle 3 Operating systems and distributions 3.1 Debian GNU/Linux 4 Housekeeping 4.1 Automating core PKI tasks 4.2 Cleaning up system resources

Overview

This page contains specific information gained from running OpenXPKI in production environments. It describes installation and configuration details which we found work well in our environment. They may serve as a good starting point for your own installation. However, please do not adopt them blindly, as they may contain assumptions on particular production environment which may not be appropriate for your situation.

Databases

Choosing a database

Although technically supported by OpenXPKI, SQLite should not be used for production systems. Erratic behaviour can happen if OpenXPKI is used with SQLite in a multiuser environment where multiple connections are simultaneously opened to the database.

MySQL

Oracle

• Database schema for Oracle installations (including privilege separation)

Operating systems and distributions

Debian GNU/Linux

• Debian Package Installation (Install on Debian using pre-built packages)
• Debian Etch Installation (old)
• Configuring OpenXPKI to use MySQL on Debian (old - package installation uses MySQL by default)
• Setting up an SCEP server on Debian

Housekeeping

This section describes proven ways to periodically clean up system resources and automate routine PKI jobs in an OpenXPKI installation. The jobs described are designed to run without user interaction, making it possible to invoke them regularly by the system scheduler (e. g. cron).

Automating core PKI tasks

• Automatically issue and publish CRLs (e. g. via cron)

Cleaning up system resources

• Clean up shared memory
• Clean up left-over temporary files
• Delete superfluous workflow instances and related data