[ic] automating catalog setup

interch interchange-users@icdevgroup.org
Sun Nov 24 16:45:01 2002


We have been using IC as the base for part of our e-commerce system for a
little over a year now.  We are now to the point where in the next 3-4
months we will be adding on probably 20-50 new catalogs per week, and I am
thinking of the best way to automate this process.


First of all, my thought is to make a catalog setup script that is cgi
based, so that we have the option of posting to it via a web form, or
directly from other applications, such as our crm.

We also set up a unix account for each catalog, with the username the same
as the catalog name.  Each user is in the interch group.  No login access
is given to the unix user unless we specifically enable it (most of our
clients don't need it, and often if they do, we are the ones doing the
customization for them anyways).


The two questions that keep coming into my mind are these:

1.  Do I extend/modify makecat, or just write our own cgi script from
scratch to do the catalog setup?


2.  What is the best/most secure way to add a unix account remotely?  It
would need to be something that could be initiated from windows and unix.



I feel comfortable doing the catalog setup via a cgi script running as
user interch under suexec, since we already have a good PKI infrastructure
and it is fairly easy to issue specific purpose certificates, and have the
applications that call the cgi script connect via https to the webserver
using that certificate.  We already have a number of web based admin
areas that only allow connections to users that have certain certificates
(on a per url or per server basis, whatever makes sense at the time).

I'm not so sure I would feel comfortable adding system users in the same
manner.  Given that we would use certificates for authentication, and
probably even another password authentication on top of that built into
the script itself, I'm not so sure that I don't feel comfortable with it
either.


The end goal here is to be able to enter the client information once, into
our crm at the time of sale, and then be able to trigger all other setup
steps from the crm, with the crm sending the data to the different setup
scripts/applications.  I am thinking about having all the setup scripts as
cgi scripts because it is then pretty easy to have a standard internal API
based on an https POST that the crm can use to trigger any event we need
to happen on our servers.  This is also fairly platform independent;
the crm will not need to know if the server side is solaris, freebsd,
windows, etc...

Of course I could also use ssh to trigger events/send data instead of
using an https POST to a cgi script, or even our own custom ssl
client/server, but would that really be that much more secure than
authenticating using client certificates with apache?


Cheers,

Chris Ochs
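
One way to gate the account-creation request described in the message above, shown as an added example (not code from the original post or from Interchange). It assumes Apache mod_ssl exports the SSL_CLIENT_* variables to the CGI (SSLOptions +StdEnvVars); the certificate CN, the reserved-name list, the "catalog" field name and the Linux-style useradd flags are hypothetical.

```python
import re

# Assumptions (not from the original post): the certificate CN below, the
# reserved-name list, and Linux-style useradd flags and nologin path.
ALLOWED_CLIENT_CNS = {"crm-provisioner"}
RESERVED = {"root", "interch", "daemon", "bin", "nobody", "www"}
NAME_RE = re.compile(r"[a-z][a-z0-9]{2,15}")


class Rejected(Exception):
    """Raised when the request must not lead to an account being created."""


def build_useradd_argv(environ, form):
    """Return the useradd argv for a vetted request, or raise Rejected.

    environ: CGI environment (mod_ssl fills SSL_CLIENT_* when
             SSLOptions +StdEnvVars is enabled for the location).
    form:    already-parsed POST fields as a dict of strings.
    """
    if environ.get("REQUEST_METHOD") != "POST":
        raise Rejected("POST only")
    # Apache sets SSL_CLIENT_VERIFY to SUCCESS only for a cert that chained
    # to a trusted CA; NONE or FAILED:... must never reach the account step.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise Rejected("no verified client certificate")
    # A valid cert from the internal PKI is not enough: only the
    # special-purpose provisioning certificate may add system users.
    if environ.get("SSL_CLIENT_S_DN_CN") not in ALLOWED_CLIENT_CNS:
        raise Rejected("certificate not authorised for provisioning")
    name = form.get("catalog", "")
    # fullmatch rejects trailing newlines, option-like names ("-o"),
    # path characters and shell metacharacters in one step.
    if not NAME_RE.fullmatch(name):
        raise Rejected("invalid catalog name")
    if name in RESERVED:
        raise Rejected("reserved account name")
    # List form, never a shell string: the name is passed as one argument.
    # Username equals catalog name, group interch, no login shell.
    return ["useradd", "-m", "-g", "interch", "-s", "/sbin/nologin", name]
```

The returned list is meant to be handed to whatever privileged step actually creates the account, executed without a shell.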