source : http://ejbcacentos.blogspot.co.id/...
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5 2
More
Next Blog»
[email protected]
Dashboard
Sign Out
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 A thorough, detailed, and impartial guide to installing the EJBCA Certificate Authority 6.1.1 on CentOS 6.5 using Jboss 7.1.1. Included is a review of elliptic curve encryption and openssl certificate generation.
S u n d a y, A p r il 2 7, 2 01 4
How to Install EJBCA 6.1.1 on CentOS 6.5 Introduction Hello, and welcome to this blog. I've needed a CA in my lab for quite some time, and I decided to try ejbca ejbca for for the following reasons: 1. It's linux‐based. 2. It has a native web interface. 3. It's written on a reasonably mature middleware platform. 4. It seems fairly f ull‐featured.
I'm writing this because installing ejbca is harder than it should be. I have never been impressed by "documentation" that destroys time rather than saving it. I believe that software is only as good as a user's ability to use it. So I am documenting each step of my installation for use as a "cookbook" by others. But before I begin: it's a it's a little‐known little‐known fact that all material publ ished on Blogger Blogger is automatically automatically copyrighted. Not a GPL copyl eft, but a full‐blown Unites States of America copyright. This blog and its content are copyrighted in 2014 by VES Group Incorporated and all rights are reserved. reserved. After (too) much thought, I've decided that the best license to provide this document under is: "Creative Commons Attribution‐ NonCommercial‐ShareAlike International 4.0". The license details are included at the end of the document.
Preparation I have tried to write this how‐to in the form of a teaching document. Ideally, even a novice linux user should be able to follow these instructions and have a functional, stable, and secure ejbca installation at the end. And, honestly, even the most knowledgeable sysadmin has days where they feel like a complete beginner. So hopefully both ends of the experience spectrum will get something out of reading this. Installation requires a significant amount of planning . Here are a few things I'd like to point out. The product can be built on distributed platforms for HA and load‐spreading purposes. This guide assumes a single server for test purposes only. Storage and memory: assume that the CA will take 512MB of RAM, as a rule of thumb. The code itself is ~200MB or so, so give yourself at least a few gigs of space for l ogs, etc. Software versions: there are several pieces of software that ejbca depends on. Each has its own version dependencies. This can be challenging. How you will configure your CAs, what encryption packages to use, etc, will be detailed later in this guide. None of those specifics specifics really matter until until you have the product fully inst installed. alled. The reader should have a working knowledge of directory services and their formats. At a minimum, you should thoroughly understand: The difference between a DNS hostname and a FQDN. The basics of PKI, at least to the point of knowing how root chain validation works. validation works. http://ej bcacentos.bl ogspot.co.i d/
1/64
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5
A minimum of X.500 notation: CN = Common Name, usually is the FQDN of your CA DN = Distinguished Name, which is the CN followed by information about the organization that owns the CA O = Organization, usually is your company name, and can include spaces C = Country, in ISO 3166‐1 alpha‐2 format (US, CA, SE, MX, etc) You are not required to have an expert understanding of java and jboss, but some knowledge is helpful. At the least, you should understand: What a .jar file is What an .ear file is The rudiments of XML (about 10 minutes of study is enough) The notion of "deploying" an application to a platform like Jboss
Passwords You will need to create a fairly large (10+) number of unique passwords just to install ejbca. So get the passwordsafe utility from Sourceforge.. Originally co‐written by Bruce Schneier, it is the only password repository I trust. I'll keep a running tally of the Sourceforge passwords we create, and have included a list of them at the end of this document.
I cannot emphasize the importance of using strong passwords enough. All of our other security steps are meaningless without strong passwords. Use passwords of at least 24 characters. Use upper and lower cases, numbers, and punctuation. I suggest using a pseudorandom password generator (such as the one in PasswordSafe) to create them.
Ejbca's Terminology The terminology ejbca uses is very confusing, even to someone experienced. Describing each term fully is more than I can do in this document,, but hopefully a brief description of the basics will document will be helpful:
Authentication Code ‐ Each Crypto Token has an associated Authentication Code that is used to encrypt the contents of that particular Crypto Token.
Certificate ‐ A data structure (usually) (usually) in X.509 format that typically contai contains: ns: A Public Key Information about the owner of the key (in X.500 format) "Certificate Extensions" defining how the certificate is meant to be used The CA certificates that validate the certificate we are examining
Certificate Extension ‐ Data field in a Certificate that "suggests" how a certificate is meant to be used. Certificate Signing Request (CSR) ‐ A file containing a Public Key, as well as optional Certificate Extension information that a CA *may* use when generating a Certificate.
Crypto Token ‐ The logical unit that stores stores all the public/private keypairs owned owned by a particular CA. By default, they are held in ejbca's database.
Enrollment Code ‐ The password (or other "Token") used to validate a certificate request. HSM ‐ Hardware Security Module. A physical device used to generate and/or store Keys. JKS ‐ Java Key Store. An unencrypted, file‐based method of storing encryptions keys. Key ‐ What ejbca refers to as a "Key" is actually a "Keypair": a Public key and its matching matching Private key. Key Algorithm ‐ The asymmetric asymmetric cryptographic alg orith orithm m used to perform p ublic key encryption encryption.. Usually RSA or Elliptic Curve. One must be specified in every certificate.
Key Alias ‐ A "friendly" name for a Key(pair) that is used for a particular purpose. Ejbca uses the following Key Aliases to refer to the Keys every ejbca CA must have for basic functionality:
defaultKey : The key used by default (Required). certSignKey : The key used for certificate signing. It must comply with the Signature Algorithm defined for the CA using the key.
crlSignKey: The key used for CRL signing. The use of this key is deprecated ‐ the certSignKey will always be used for this purpose.
keyEncryptKey: The key used for key recovery when reversible encryption is enabled. It must use the RSA http://ej bcacentos.bl ogspot.co.i d/
2/64
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5
A minimum of X.500 notation: CN = Common Name, usually is the FQDN of your CA DN = Distinguished Name, which is the CN followed by information about the organization that owns the CA O = Organization, usually is your company name, and can include spaces C = Country, in ISO 3166‐1 alpha‐2 format (US, CA, SE, MX, etc) You are not required to have an expert understanding of java and jboss, but some knowledge is helpful. At the least, you should understand: What a .jar file is What an .ear file is The rudiments of XML (about 10 minutes of study is enough) The notion of "deploying" an application to a platform like Jboss
Passwords You will need to create a fairly large (10+) number of unique passwords just to install ejbca. So get the passwordsafe utility from Sourceforge.. Originally co‐written by Bruce Schneier, it is the only password repository I trust. I'll keep a running tally of the Sourceforge passwords we create, and have included a list of them at the end of this document.
I cannot emphasize the importance of using strong passwords enough. All of our other security steps are meaningless without strong passwords. Use passwords of at least 24 characters. Use upper and lower cases, numbers, and punctuation. I suggest using a pseudorandom password generator (such as the one in PasswordSafe) to create them.
Ejbca's Terminology The terminology ejbca uses is very confusing, even to someone experienced. Describing each term fully is more than I can do in this document,, but hopefully a brief description of the basics will document will be helpful:
Authentication Code ‐ Each Crypto Token has an associated Authentication Code that is used to encrypt the contents of that particular Crypto Token.
Certificate ‐ A data structure (usually) (usually) in X.509 format that typically contai contains: ns: A Public Key Information about the owner of the key (in X.500 format) "Certificate Extensions" defining how the certificate is meant to be used The CA certificates that validate the certificate we are examining
Certificate Extension ‐ Data field in a Certificate that "suggests" how a certificate is meant to be used. Certificate Signing Request (CSR) ‐ A file containing a Public Key, as well as optional Certificate Extension information that a CA *may* use when generating a Certificate.
Crypto Token ‐ The logical unit that stores stores all the public/private keypairs owned owned by a particular CA. By default, they are held in ejbca's database.
Enrollment Code ‐ The password (or other "Token") used to validate a certificate request. HSM ‐ Hardware Security Module. A physical device used to generate and/or store Keys. JKS ‐ Java Key Store. An unencrypted, file‐based method of storing encryptions keys. Key ‐ What ejbca refers to as a "Key" is actually a "Keypair": a Public key and its matching matching Private key. Key Algorithm ‐ The asymmetric asymmetric cryptographic alg orith orithm m used to perform p ublic key encryption encryption.. Usually RSA or Elliptic Curve. One must be specified in every certificate.
Key Alias ‐ A "friendly" name for a Key(pair) that is used for a particular purpose. Ejbca uses the following Key Aliases to refer to the Keys every ejbca CA must have for basic functionality:
defaultKey : The key used by default (Required). certSignKey : The key used for certificate signing. It must comply with the Signature Algorithm defined for the CA using the key.
crlSignKey: The key used for CRL signing. The use of this key is deprecated ‐ the certSignKey will always be used for this purpose.
keyEncryptKey: The key used for key recovery when reversible encryption is enabled. It must use the RSA http://ej bcacentos.bl ogspot.co.i d/
2/64
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5
algorithm.
testKey: The key used by the healthcheck process to verify that a Crypto Token is usable. A 1024‐bit RSA key is recommended to reduce computation time.
Key Specification ‐The length of the modulus used by the Key Algorithm. For RSA, it is usually 2048 or 4096 bits long. For Elliptic Curve, it is usually 192, 256, 384, or 512 b its long.
Keystore ‐ A file used to store certificate information outside of the database. Normally only holds the certificates for ejbca's web interface. See: JKS
Private Key ‐ Half of a Keypair generated for use with asymmetric encryption. This is the half that is kept private, and not shared.
Public Key ‐ The other half of a Keypair, which is shared with anyone/anything you wish to establish secure communications with.
Signature Algorithm ‐The cryptographic hash algorithm used by a CA to guarantee a certificate's validity. Soft Token ‐ A Token (Crypto, or otherwise) held in the database, rather than in a different format like a JKS or HSM. Token ‐ A generic term for a secret key. This could be anything from an 8‐character ASCII password to an 8192‐bit RSA modulus. In the context of an "end entity", ejbca specifically uses this word to refer to the key used to encrypt a certificate issued to that "end entity".
Final Advice A final word of advice before we begin: You are building a device that will be the source of all trust in your environment. Details matter. Accuracy matters ‐ even more than usual. And if it isn't right, it's wrong. Go fix it.
CentOS Installation I use CentOS in my lab, generally speaking. This is because the vast majority of actual enterprise linux installations run on Red Hat/Fedora. Debian/Ubuntu is prolific in software development environments, but that's really the only place I find it. I'm performing this installation using 64‐bit CentOS 6.5 on a vm. There is a single root partition for storage, a two‐core CPU, 2 GB of RAM (which is more than it needs), and a single ethernet network interface.
Required Software I am using ejbca version 6.1.1 , community edition. It is written in java, and runs on the jboss platform. It uses ant for jboss management, and requires a database (I use mysql) for storage.
Java: DO NOT waste time trying to get java 1.7 to work with this app at present. It can be done, but the payoff compared to the work involved makes it undesirable. Running 1.6 has ramifications for Elliptic Curve support, but the way that ejbca uses java makes them largely irrelevant. Just use the openjdk version of java 1.6 that is distributed by the standard CentOS online repos. If you install java 1.7, then the " java" command will invoke 1.7 by virtue of alternatives. Theoretically, Theoretically, alternatives should take care of redirecting all java‐related executable paths to the correct executables. However, what I found is that the the 1.7 implementation from openjdk is incomplete, and ejbca will end up needing to use portions of version 1.6. This inevitably ends up with a non‐working ejbca install. If you truly must use 1.7, you'll need to manually compile and inst install all updated versions versions of gcc, gcj, and Oracle Java. This may be necessary in a fully‐certified production environment, but I will stay with 1.6 until everything becomes part of the standard CentOS code stream.
Jboss : I'm using 7.1.1 Final . It actually is the least painful thing to deal with in this setup. Previous versions of jboss are built with the idea of multiple application deployments on a single platform ‐ the current 7.1.1 download installs with a single standalone deployment.
Ant: You'll need to download and install a current version of ant ‐ the one from CentOS is too old. I'm using ant‐1.9.3‐ 2.fc21.noarch.rpm from the Fedora repository. Mysql: I'm using the standard mysql version 5.1.73‐3.el6_5 from the CentOS repos. The version really doesn't matter, other than the various inevitable security problems you have with mysql.
Java Mysql Connector : I'm using the mysql‐connector‐java.noarch from Oracle, version 5.1.30. There is a configuration tweak in jboss that is necessary in order to use this version. Older versions do not have this problem (but may have others). http://ej bcacentos.bl ogspot.co.i d/
3/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
You do not need: tomcat/httpd, phpmyadmin, or any of the CentOS distro PKI apps.
Application Logical Layout Adding more detail to the internals of ejbca itself, the application essentially has seven distinct components: A Database Java and its database connector Jboss The ejbca Certificate Authority The ejbca Registration Authority The ejbca Validation Authority Ejbca's OCSP code No Internet "howto" is complete without at least one goofy ASCII diagram, so here it is. We will install and configure ejbca in essentially left‐to‐right order:
mysql --> java-sql-connector --> jboss --> ejbca CA --> ejbca VA --> OCSP ^ ^ | | ------ java -----
We will ignore the "Registration Authority" for now, and treat it as part of the "Certificate Authority". This build will be on a single server, so all of these functions will be performed on one box. But you can build ejbca as a set of distributed servers if you wish. There are some sensible reasons for this: CAs aren't very loaded when only issuing certs. But when answering CRL/OCSP queries, their load can become significant. You may not issue many certs, and want to take the core CA offline for security reasons. Distributed "validation" and "registration" authorities can handle the validation work and registration work while the core services are offline. But the usefulness of distributing out every little portion of an app can get a little ... hazy. My opinion is that most "distributed" applications are written by insecure devs to show how awesome they are, and needlessly complicate things. As evidence of this: WhatsApp runs over two million connections per server , and it earned those guys $19 Billion. This how‐to only covers a standalone installation. But I'll try to point out the distributed stuff as I go along.
Beginning the Installation To begin: I suggest using a "Minimal Desktop" CentOS installation in order to have gnome and a web browser. This becomes important later, as there are administrative sites and tools in Jboss and ejbca that are only reachable from localhost. If I were building a production server, I would use the "Basic Server" CentOS installation. No need to set up user accounts for now ‐ just use root. Set the timezone, etc. Set your hostname in /etc/hosts ‐ it should look something like:
127.0.0.1
localhost localhost.localdomain localhost4 localhost4.localdomain4
::1
localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.12.34 rootca rootca.yourcompany.com
In this how‐to, I will always use the FQDN of " rootca.yourcompany.com " to represent the server. This seems like a simple decision, but there are several things to keep in mind when choosing your hostname: In a production environment, you could potentially have multiple ejbca instances configured on a single jboss installation. This would have ramifications for hostname resolution, and this level of complexity is beyond the scope of this how‐to. http://ejbcacentos.blogspot.co.id/
4/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
When running ejbca in a lab environment, it is tempting to disregard the full FQDN and only use the hostname when identifying your CAs. You would be able to get away with this by virtue of your lab's isolation from public DNS resolution. Trust me ‐ Don't do this. Define a full FQDN for your server that would be compatible with public DNS, and continue with your build as if this were true.
A Word on CA Naming and Certificates For someone who is not familiar with Certificate Authorities, it can be very confusing to keep track of the various certificates used by a CA for different functions. Here are the basics as they relate to ejbca: First, you must understand that it is possible to host multiple production CA instances on a single ejbca installation. In this example, we will configure only a single "Production CA" in order to try to keep it simple. However, ejbca uses a "Management CA" instance to generate certificates used both internally by the application, as well as to issue certificates used to secure initial access to ejbca's web administration pages. The "Management CA" is automatically created during installation, and cannot be removed. This implies that there will always be at least two CA instances on an ejbca server: The Management CA used to generate certificates for the administration of ejbca The Production CA that will be used to issue certificates for external users and devices Each CA will have unique X.500 CN field information, and will be configured separately. The Management CA is purely an internal CA that will never be resolved via DNS, so I will set the CN of the management CA to be mgmtca " ". The Production CA will use the actual FQDN of your server for its CN.
All this being said, there is an additional "very important thing" to understand about how the naming of the server relates to the certificates created by the Management CA for web administration purposes. When accessing the web interface of your ejbca server, a TLS certificate is used to encrypt the HTTPS connections to the web service hosting the interface. The initial version of this certificate will be a "self‐signed" one issued by the Management CA and created during installation. However, toward the end of this how‐to, we will replace this certificate with one issued by a "Production" CA. We do this to ensure that the server itself participates in the PKI that we establish with our "Production" CA. Also, the Management CA cert does not use an FQDN for the CN, which breaks all kinds of browser functionality. Replacing this initial certificate with one issued by the Production CA creates a situation that can be quite confusing to a beginner. The "Root Certificate" used by the Production CA to identify itself and sign new certificates will use the FQDN of the server (rootca.yourcompany.net) for its CN. The Production CA will issue a "Server Certificate" that will replace the one issued by the Management CA. This replacement certificate will permanently secure connections to the web administration pages (at https://rootca.yourcompany.net), and will al so use "rootca.yourcompany.net" f or the CN. Despite having the same CN, these are two separate certificates used for two distinct purposes. To try and keep this clear, I will always use the phrases "Root CA Certificate" and "Server Certificate" to denote these certs. To have a healthy and sane experience when building an ejbca server, it is important to understand that by the end of our install: There will be two certificates They are used for separate purposes (Root Certificate vs. Web Administration TLS) They are both issued by the same Production CA They use the same CN
Continuing the Installation... Set up resolv.conf and make sure an A record for rootca.yourcompany.net exists on the configured DNS servers. PTR records are also a g ood idea. Set up NTP and make sure it works ( ntpdate, etc)‐ correct time is mandatory. Set up ssh/vnc access as you see fit. http://ejbcacentos.blogspot.co.id/
5/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Run yum update
Firewall Configuration Ejbca uses 8080, 8442, and 8443 for CA services. Everything else is internal (3306 for sql, 9990 for jboss admin web interface, etc). The application doesn't run as root, so you can't set the ports to anything /etc/modprobe.d/ipv6_disabled.conf To be extra EXTRA awesome, follow the "extra notes" on disabling IPv6 located at:
http://wiki.centos.org/FAQ/CentOS6
Installing Software Packages Now we install our CentOS software packages. When reviewing your installation, you may have noticed that there's a version 1.5 gjc installed ‐ It's used for compilation of the java packages. It can't be removed without causing problems, and alternatives prevents it from affecting anything. Just ignore it.
yum yum yum yum
install install install install
java-1.6.0-openjdk /path/to/your/ant-noarch.rpm mysql-server mysql-connector-java
It's a pretty good idea to verify our java version with java -version , both with the implicit path and the full path you will define as JAVA_HOME in standalone.conf : /usr/lib/jvm/java/bin/java -version . Once this is done, you can be sure that java works, and executes the expected version regardless of path:
/usr/lib/jvm/java/bin/java -version java version "1.6.0_30" OpenJDK Runtime Environment (IcedTea6 1.13.3) (rhel-5.1.13.3.el6_5-x86_64) OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)
http://ejbcacentos.blogspot.co.id/
7/64
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5
Configuring Mysql This is a basic mysql setup that isn't particularly tuned for security, but is secure enough for lab purposes. Be sure to create the mysql directori directories es and update /etc/my.cnf before starting the service for the first time, as you can't easily change the binary log location once it has been created. This config also forces utf‐8 encoding, which is a requirement of ejbca. Some of the utf‐8 config can throw errors on startup (depending on your version of mysql), so it is commented out. I enable binary logging in order to make database recovery as bulletproof as I can. But there's no substitute for a mysqldump. regular mysqldump Ejbca includes a sample backup script for this purpose. purpose.
mkdir -p /var/l /var/log/mys og/mysql/bin ql/bin chown -R mysql:mysql /var/log/mysql vi /etc/my.cnf ### Start my.cnf ### datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock user=mysql # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links=0 #UTF-8 character-set-server=utf8 collation-server=utf8_unicode_ci init-connect='SET NAMES utf8' #character-set-client = utf8 # Logging Config # Binary logging log-bin server-id
= 1
log_bin
= /var/log/mysql/mysql-bin.log
expire_logs_days
= 10
max_binlog_size
= 100M
#log #log-error #log-slow-queries [mysqld_safe] log-error=/var/log/mysql/mysqld.log pid-file=/var/run/mysqld/mysqld.pid # Custom config #[client] #default-character-set=utf8 ### End my.cnf ###
To make a point about the mysql user continuing to own everything mysql‐related:
chown mysql:mysql /etc/my.cnf
Now, run the "secure installation" script (take the default actions), log in to mysql, and create the database and user account for ejbca:
service mysqld start http://ej bcacentos.bl ogspot.co.i d/
8/64
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5
mysql_secure_insta mysql_secure _installatio llation n mysql -u root -p create database ejbcadb; grant all privileges on ejbcadb.* to 'ejbcadbuser'@'localhost' identified by 'password'; flush privileges; exit
Verify that you can log in to mysql as ejbcadbuser and test your access:
mysql -u ejbcad ejbcadbuser buser -p use ejbcadb; show grants for ejbcadbuser@localhost; exit
Later, we will change the permissions on the ejbcadb database to make ejbcadbuser@localhost's access a little more limited. Finalize the mysql installation by performing a service mysqld restart and checking the log at
/var/log/mysql/mysqld.log.
Creating the Directory Structure Now we're going to set up the directory structure for the app itself. I prefer to put my apps in /opt. By default, all the ejbca documentation assumes that you install it in the service user's homedir. I like to use links to generic paths so that upgrading code is easier. This method also works well with Atlassian products. The /opt/default directory is used to hold vanilla versions of code so you can easily wipe things out and start over.
mkdir /opt/d /opt/default efault cd /opt/default wget http:/ http://downl /download.jb oad.jboss.o oss.org/jbo rg/jbossas/7 ssas/7.1/jbo .1/jboss-asss-as-7.1.1. 7.1.1.Final/ Final/jbossjboss-as-7.1 as-7.1.1.Fin .1.Final.zip al.zip wget http:/ http://downl /downloads.s oads.source ourceforge. forge.net/pr net/project/ oject/ejbca/ ejbca/ejbca6 ejbca6/ejbca /ejbca_6_1_1 _6_1_1/ejbca /ejbca_ce_6_ _ce_6_1_1.zi 1_1.zip p unzip *.zip cd .. ln -s /opt/ejbca_ca_6_1_1 ejbca ln -s /opt/jboss-as-7.1.1.Final jboss cp -rp default/jboss-as-7.1.1.Final . cp -rp default/ejbca_ce_6_1_1 .
Creating the OS User Accounts Now we set up our service accounts. I made two ‐ a system account named jboss, and an ejbca account for administrative use after the server is built. It is important that jboss has /bin/bash for a shell and a /opt/jboss as a homedir.
useradd -s /bin/bash -r -d /opt/jboss -M -U jboss useradd -m -U -G jboss,wheel ejbca
Creating the Console Log Directory Now that our service user has been created, we can create the directory that will hold our jboss console logs:
mkdir -p /var/l /var/log/ejb og/ejbca ca chown jboss:jboss /var/log/ejbca At this point, the server is built, mysql is running, and we're ready to start with installing jboss. It's a good time to take a vm snapshot.
http://ej bcacentos.bl ogspot.co.i d/
9/64
4/25/2016
Instal l i ng EJBC A 6.1.1 and Jboss on CentOS 6.5
Installing Jboss It's time to install jboss. We will not configure every detail (no mail, default logging), but we will do enough to get the platform running and tweaked the way ejbca needs for installation.
Configuring the Standalone Jboss Instance We begin by configuring the jboss instance that ejbca will use. It's named " standalone", and exists by default in version 7.1.1. The /opt/jboss/bin directory contains a script named standalone.sh that is the primary start point for jboss. This script references a configuration file in the same directory named standalone.conf. We will not need to modify the startup script, but we will need to modify the configuration file. First, we make a backup of the default config:
cd /opt/jboss/bin cp standalone.conf standalone.conf.orig
The config file also contains a set of jvm options that I tweak a little bit. This is not a mandatory change, but it does allocate more memory to the jvm. I always seem to be increasing this variable for my jvms, so I'm simply doing this ahead of when I actually need to. Important: The bits below are only the parts I modified ‐ don't delete the rest of the files! I've added some commented entries that you might need to use if you're troubleshooting, but really the only things that matter are JAVA_HOME and JAVA_OPTS. Just add the comments to the top of the file and replace the default JAVA_HOME and JAVA_OPTS.
### Start standalone.conf Delta ### #ejbca config # #javaHome=/usr/lib/jvm/java #jbossHome=/opt/jboss #jbossClasspath=/usr/share/java/mysql.jar JAVA_HOME="/usr/lib/jvm/java" JAVA_OPTS="-Xms128m -Xmx512m -XX:PermSize=128m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000" ### End standalone.conf Delta ###
Creating the Jboss Init Service The /opt/jboss/bin/standalone.sh script can always be used to start and stop jboss manually. However, we need to configure a service instance named " ejbca" to handle the startup and shutdown shutdown of jboss (and subsequ subsequently, ently, ejbca). Thankfully, the jboss folks give us an example script to use. I know it is confusing to name the jboss service " ejbca", but I am assuming that this jboss instance will only run the ejbca application and not be used for any other purpose. The init script itself contains a very important variable: the path of the jboss home directory. First, we copy the examples to their proper locations:
cp /opt/jboss/bin/init.d/jboss-as-standalone.sh /etc/init.d/ejbca mkdir /etc/e /etc/ejbca jbca cp /opt/jboss/bin/init.d/jboss-as.conf /etc/ejbca/ejbca-init.conf
Then, we modify both files to be appropriate for our installation. Below are my examples. Again, these are only the changes that must be made to the default file content. http://ej bcacentos.bl ogspot.co.i d/
10/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
vi /etc/init.d/ejbca ### Start ejbca init.d Delta ### ### BEGIN INIT INFO # chkconfig - 345 97 17 # Provides:
ejbca
# Required-Start:
$remote_fs $syslog $network mysqld
# Required-Stop:
$remote_fs $syslog $network
# Short-Description: ejbca jboss instance # Description:
ejbca jboss instance
# Default-Start:
3 4 5
# Default-Stop:
0 1 2 6
### END INIT INFO # # processname: ejbca # pidfile: /var/run/jboss-standalone.pid # config: /etc/ejbca/ejbca-init.conf JBOSS_CONF="/etc/ejbca/ejbca-init.conf" JBOSS_HOME=/opt/jboss prog='ejbca jboss instance' ### End ejbca init.d Delta ###
The ejbca-init.conf file has two very important variables in it: the jboss process username, and the logfile name.
vi /etc/ejbca/ejbca-init.conf ### Start ejbca-init.conf ### # General configuration for the init.d scripts, # not necessarily for JBoss AS itself. # The username who should own the process. # JBOSS_USER=jboss # The amount of time to wait for startup # # STARTUP_WAIT=10 # The amount of time to wait for shutdown # # SHUTDOWN_WAIT=10 # Location to keep the console log # JBOSS_CONSOLE_LOG=/var/log/ejbca/console.log ### End ejbca-init.conf ###
Lastly, we use chkconfig to add our services to the rc hierarchy and set the runlevels:
chkconfig --add ejbca chkconfig --level 345 mysqld on chkconfig --level 345 ejbca on The init files should remain owned by root:root, with the default permissions.
Setting the Service Order Although we have added the ejbca service with chkconfig, and have set a start order value in the chkconfig portion of the init http://ejbcacentos.blogspot.co.id/
11/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
script header, we still need to review the service order during startup and shutdown. In my case, I have the ejbca service set with a start integer of 97, and a kill integer of 17. This puts it before the local service, but after everything else. The mysqld is set with a start of 64, and a kill of 36. By default, the mysqld service is configured to wait for the the network service to initialize before starting, and the example init script for ejbca will wait for mysqld to start. However, you still must read the contents of each runlevel init directory ( rc3.d ,
rc4.d , rc5.d ) and create/modify the needed links to manage mysqld and ejbca . Theoretically, chkconfig and yum are supposed to build these links for us automatically. But sometimes, well, things just don't work out that way. In the example below, I noted that while ejbca was added correctly, there was a missing start entry for mysqld .
cd /etc/rc.d/rc3.d ls -al|grep ejbca lrwxrwxrwx. 1 root root 15 May 1 13:30 K17ejbca -> ../init.d/ejbca lrwxrwxrwx. 1 root root 15 Apr 25 22:24 S97ejbca -> ../init.d/ejbca ls -al|grep mysqld lrwxrwxrwx. 1 root root 16 Apr 25 22:24 K36mysqld -> ../init.d/mysqld ln -s ../init.d/mysqld S64mysqld ls -al|grep mysqld lrwxrwxrwx. 1 root root 16 Apr 25 22:24 K36mysqld -> ../init.d/mysqld lrwxrwxrwx. 1 root root 16 May 1 13:32 S64mysqld -> ../init.d/mysqld
Adding Jboss Class Exports We are now ready to begin tweaking the jboss configuration in earnest. We'll start by enabling certain security functions that ejbca requires.
cd /opt/jboss/modules/sun/jdk/main vi module.xml Add the following entries to the to system export paths: Do not include the hashed start and end comments.
### Start module.xml Delta ### ### End module.xml Delta ###
Installing the Mysql Connector Adding the java mysql connector to jboss is a little convoluted. As mentioned, I am using the latest Oracle version, which is version 5.1.30. This version breaks jboss, as it requires an additional config variable that jboss doesn't expect. You can assume all versions of the connector from 5.1.30 onward will have this problem (at least until jboss fixes their side of the code). Instead of attacking this problem immediately, we will proceed with the CentOS‐distributed version of the connector, ensure that we have a working jboss installation, and then deal with updating it. First, install the CentOS‐distributed version:
yum install mysql-connector-java
http://ejbcacentos.blogspot.co.id/
12/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Now, create the directory that will hold jboss' link to mysql-connector-java.jar , and the link itself:
mkdir -p /opt/jboss/modules/com/mysql/main/ cd /opt/jboss/modules/com/mysql/main ln -s /usr/share/java/mysql-connector-java.jar mysql-connector-java.jar
Now, build the module.xml file that describes the connector. Again, do not include the triple‐hashed lines in this file, as XML does not recognize " #" as denoting a comment.
vi module.xml ### Start module.xml ###
### End module.xml ###
Starting Jboss Our next set of tweaks must be made after jboss has been started. Because our actions until now have been performed as root, we must first make the jboss user the owner of the jboss directory tree. Don't run "chown -R root:root /opt/jboss " ‐ we want root to remain the owner of the symbolic link.
chown -R jboss:jboss /opt/jboss-as-7.1.1.Final Now, we test how well our init scripting works:
service ejbca start Now that we've (hopefully!) started the service, we can check the console log (as it has just been created). It's a good idea to keep a running console session open from now on.
tail -f /var/log/ejbca/console.log
You should see something like this at the end of the file: 22:51:40,482 INFO [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-2) Starting Coyote HTTP/1.1 on http--127.0.0.1-8080 22:51:40,688 INFO
[org.jboss.as.remoting] (MSC service thread 1-3) JBAS017100: Listening on /127.0.0.1:4447
22:51:40,690 INFO
[org.jboss.as.remoting] (MSC service thread 1-2) JBAS017100: Listening on /127.0.0.1:9999
22:51:40,699 INFO
[org.jboss.as.server.deployment.scanner] (MSC service thread 1-3) JBAS015012: Started
FileSystemDeploymentService for directory /opt/jboss/standalone/deployments 22:51:40,773 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990 22:51:40,774 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss AS 7.1.1.Final "Brontes" started in 1528ms - Started 130 of 204 services (74 services are passive or on-demand)
This tells you several important things: The jboss admin webpage is only available to localhost by default, so you should install Firefox in your gnome session http://ejbcacentos.blogspot.co.id/
13/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
if you don't already have it. The default URL for the admin webpage is something like: http://localhost:9990/console/App.html#server-
overview When you see this in the log, jboss has finished loading:
"7.1.1.Final "Brontes" started in xxxx ms"
Enabling the Mysql Connector Now that the jboss service is running, we can enable our mysql connector. We will do this using the jboss command line interface, which will update the configuration of the standalone instance. But before we make the change, we will first back up the configuration:
cd /opt/jboss/standalone/configuration cp standalone.xml standalone.xml.initial Now, we run a registration command from the jboss CLI (the small text is a single line):
cd /opt/jboss/bin sh jboss-cli.sh connect /subsystem=datasources/jdbc-driver=com.mysql.jdbc.Driver:add(driver-name=com.mysql.jdbc.Driver,driver-module-
name=com.mysql,driver-xa-datasource-class-name=com.mysql.jdbc.jdbc.jdbc2.optional.MysqlXADataSource)
:reload exit
This cli action defines our mysql driver in /opt/jboss/standalone/configuration/standalone.xml , then reloads jboss. The actual definition is: ### Start standalone.xml Snip ###
com.mysql.jdbc.jdbc.jdbc2.optional.MysqlXADataSource
### End standalone.xml Snip ###
The standalone.xml file is the primary configuration file in jboss, and we will be working with it several times during installation. However, it does not normally need to be changed once our installation is complete. If we have been successful with our changes, we should see the following message appear in the console log when restarting jboss: 22:46:29,580 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 27) JBAS010404: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
Removing the Default h2 Datasource and Driver By default, the standalone instance is defined with an h2/hsqldb database connector, and an example database. If left unchanged, ejbca is preconfigured to use it for example purposes. We will not use it, so we modify standalone.xml to disable it.
vi standalone.xml
### Start standalone.xml Delta ###
Remove the following:
http://ejbcacentos.blogspot.co.id/
jdbc:h2:mem:test;DB_CLOSE_DELAY=-1
14/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
h2
sa
sa
Also remove: org.h2.jdbcx.JdbcDataSource
### End standalone.xml Delta ###
Now, if you watch the console log when restarting jboss, you should no longer see: 22:46:29,570 INFO
[org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 27) JBAS010403:
Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
But you should continue to see: 22:46:29,580 INFO
[org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 27) JBAS010404:
Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
Updating the Mysql Connector Now that we have a functioning mysql connector, let's break it! First, download the latest platform‐independent version of the connector from Oracle (I assume this will be version 5.1.30). Oracle, of course, has to do things its own way, and refers to the connector as "Connector/J". Now expand the .tar or .zip file that you downloaded, and copy the mysql-connector-java-5.1.30-bin.jar file to
/usr/share/java: cp /your/download/location/mysql-connector-java-5.1.30-bin.jar /usr/share/java Verify its permissions:
ls -al /usr/share/java/mysql-connector-java-5.1.30-bin.jar -rw-r--r--.
1 root root
954041 May
1 01:22 mysql-connector-java-5.1.30-bin.jar
Next, delete and recreate the link mysql-connector-java.jar " " such that it points to the new file:
cd /usr/share/java rm mysql-connector-java.jar ln -s mysql-connector-java-5.1.30-bin.jar mysql-connector-java.jar
Once this is done, jboss will fail to load the connector at startup, as shown in the console log: 01:16:31,500 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 17) JBAS014612: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("jdbc-driver" => "com.mysql.jdbc.Driver") ]): org.jboss.msc.service.DuplicateServiceException: Service jboss.jdbc-driver.com_mysql_jdbc_Driver is already registered
The fix for this is quite simple: add a single line to standalone.xml to update the driver stanza:
http://ejbcacentos.blogspot.co.id/
15/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
### Start standalone.xml Delta ###
com.mysql.jdbc.Driver
com.mysql.jdbc.jdbc.jdbc2.optional.MysqlXADataSource
### End standalone.xml Delta ###
Restart the service, and the updated connector now loads properly.
Configuring the Jboss Web Admin User Our last jboss installation step is to create the account used to access the jboss admin webpage. We use a specific script for this:
sh /opt/jboss/bin/add-user.sh What type of user do you wish to add? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a): a Enter the details of the new user to add. Realm (ManagementRealm) : Username : jadmin Password : Re-enter Password : About to add user 'jadmin' for realm 'ManagementRealm' Is this correct yes/no? yes Added user 'jadmin' to file '/opt/jboss-as-7.1.1.Final/standalone/configuration/mgmt-users.properties' Added user 'jadmin' to file '/opt/jboss-as-7.1.1.Final/domain/configuration/mgmt-users.properties'
You should now be able to reach the jboss web console interface and view/change various config items. At this time, you do not need to change anything. This is a jboss‐specific user account not used anywhere else in our build. This is a good time to take a vm snapshot.
Installing Ejbca Before we proceed, you should know that ejbca's initial configuration can be divided into a few specific parts: The .properties files in the /opt/ejbca/conf directory The initial keystore files in /opt/ejbca/p12 The jboss config in standalone.xml You should also know these general rules for working with ejbca's configuration: First, assume that nothing in the configuration will be changed during deployment, and that only the ejbca.ear file is touched by this action. The mysql database will be auto‐populated when we first deploy ejbca, but will not otherwise be touched by any of the ant scripts. The database does not store any configuration data, but it can be affected by every configuration change you make. The ant install command tries to create the keystore files each time it is run, even if the files exist. Portions of standalone.xml can be changed by b oth ant build and ant install, but only in response to changes made to our .properties files. http://ejbcacentos.blogspot.co.id/
16/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Once our initial installation is complete, ant will not change standalone.xml unless we have changed a
.properties file.
Ejbca Properties Files
Ejbca uses flat text " .properties" files for its primary configuration. These files are referenced when compiling ejbca.ear with
ant, and generally are not referenced by the running application. The install.properties file is only referenced when running ant install, and is not referenced by ant deploy. Some files actually contain parameters to allow runtime parsing of variables in the properties files, but this functionality is disabled b y default. Initially, ejbca has sample versions of all properties files in the /opt/ejbca/conf directory. The ones that are required by our build are:
certstore.properties
‐ Defines the certificate store variabl es
cesecore.properties
‐ Defines the core security engine variables
crlstore.properties
‐ Defines the CRL store variabl es
database.properties
‐ Defines how ejbca will access the db
ejbca.properties
‐ Defines the basic variables for ejbca itself
install.properties
‐ Used by "ant install" during installation
mail.properties
‐ Defines how the ejbca SMTP connector will function
ocsp.properties
‐ Defines how OCSP itself will function
va.properties
‐ Defines how the validation authority will function
va-publisher.properties ‐ Defines how the validation authority will access the db web.properties
‐ Defines variabl es for ejbca's web interface
There are multiple jndi.* files, and a file called extendedkeyusage.properties in the conf directory as well. They are required, but will not be configured further, and can be ignored. There are also two directories, logdevices and plugins, that can also be ignored. First, we create a new directory called: /opt/ejbca/conf/sample, and move all .sample files to it for cl arity and backup purposes:
cd /opt/ejbca/conf mkdir sample mv *.sample sample Now we copy a specific subset of files back to the main directory:
cp cp cp cp cp cp cp cp
sample/certstore.properties.sample certstore.properties sample/cesecore.properties.sample cesecore.properties sample/crlstore.properties.sample crlstore.properties sample/database.properties.sample database.properties sample/ejbca.properties.sample ejbca.properties sample/install.properties.sample install.properties sample/mail.properties.sample mail.properties sample/web.properties.sample web.properties
We will configure these files, then test our installation before proceeding. With only these files defined, ejbca will be operate without validation functionality. There are a great number of variables to set, and I will not go into detail on each one. However, here are simplified configurations that I am using for each file. Each file is a complete working config. I have stripped out most of the default comments and added some of my own. It's a very good idea to take the configs I give here and use them as a reference for your own configuration rather than cutting and pasting. It's the best way to learn all of the variables. You must enter your own email addresses, passwords, FQDNs, and X.500 CN / DN values. The Start and End comments are not needed in each config. http://ejbcacentos.blogspot.co.id/
17/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
certstore.properties ### Start certstore.properties ### # ------------ RFC 4387 Certificate store configuration --------------------certstore.enabled=true # This is the web directory that the web interface for the cert store will use. # It is not the full path! certstore.contextroot=/certificates # This is an unused alternate location #certstore.contextroot=/ejbca/publicweb/certificates ### End certstore.properties ###
cesecore.properties ### Start cesecore.properties ### #allow.external-dynamic.configuration=false # You do not need to configure this password! #ca.keystorepass=!secret! #ca.rngalgorithm=SHA1PRNG #ca.serialnumberoctetsize=8 ca.toolateexpiredate=80000000 #ca.toolateexpiredate=2038-01-19 03:14:08+00:00 #ca.doPermitExtractablePrivateKeys=true #forbidden.characters = \n\r;!\u0000%`?$~ #intresources.preferredlanguage=EN #intresources.secondarylanguage=SE #These variables will enable explicit logging. You can turn them off later securityeventsaudit.implementation.X=org.cesecore.audit.impl.log4j.Log4jDevice securityeventsaudit.implementation.X=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice #securityeventsaudit.implementation.0=null #securityeventsaudit.implementation.1=null #securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExporterDummy (default) #securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExportCsv #securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExporterXml #securityeventsaudit.deviceproperty.X.key.subkey=value # More log config below securityeventsaudit.implementation.0=org.cesecore.audit.impl.log4j.Log4jDevice securityeventsaudit.implementation.1=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml #securityeventsaudit.deviceproperty.1.export.dir=/tmp/ #securityeventsaudit.deviceproperty.1.export.fetchsize=1000 #securityeventsaudit.deviceproperty.1.validate.fetchsize=1000 #ecdsa.implicitlyca.q=883423532389192164791648750360308885314476597252960362792450860609699839 #ecdsa.implicitlyca.a=7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc #ecdsa.implicitlyca.b=6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a #ecdsa.implicitlyca.g=020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf #ecdsa.implicitlyca.n=883423532389192164791648750360308884807550341691627752275345424702807307
http://ejbcacentos.blogspot.co.id/
18/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
### End cesecore.properties ###
crlstore.properties ### Start crlstore.properties ### # This is all very similar to certstore.properties # ------------ RFC 4387 CRL store configuration --------------------crlstore.enabled=true crlstore.contextroot=/crls #crlstore.contextroot=/ejbca/publicweb/crls ### End crlstore.properties ###
database.properties ### Start database.properties ### # ------------- Database configuration -----------------------#This variable is used in our standalone.xml stanza datasource.jndi-name=EjbcaDS # This is the TYPE of db, not the NAME OF the db database.name=mysql # Be sure to use utf-8 database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb?characterEncoding=UTF-8 database.driver=com.mysql.jdbc.Driver database.username=ejbcadbuser # Change this to your mysql user password: database.password=pumpkin ### End database.properties ###
ejbca.properties ### Start ejbca.properties ### # The next two variables are very important... appserver.home=/opt/jboss appserver.type=jboss # Initially, we will set this to false. Once the install is complete, we change # this to true. # But DO NOT set it to "ca"! #ejbca.productionmode=true ejbca.productionmode=false #allow.external-dynamic.configuration=false # Don't set these! #ca.xkmskeystorepass= #ca.cmskeystorepass= approval.defaultrequestvalidity=28800 approval.defaultapprovalvalidity=28800 #approval.excludedClasses=org.ejbca.extra.caservice.ExtRACAServiceWorker #approval.excludedClasses=org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean #approval.excludedClasses=org.ejbca.core.protocol.cmp.RevocationMessageHandler #approval.excludedClasses=
http://ejbcacentos.blogspot.co.id/
19/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
healthcheck.amountfreemem=32 healthcheck.dbquery=Select 1 From CertificateData where fingerprint='XX' healthcheck.authorizedips=127.0.0.1 healthcheck.catokensigntest=true healthcheck.publisherconnections=true #healthcheck.maintenancefile=~/maintenance.properties #healthcheck.maintenancepropertyname=DOWN_FOR_MAINTENANCE healthcheck.okmessage=ALLOK healthcheck.sendservererror=true #healthcheck.customerrormessage=EJBCANOTOK # It's important to change this to 8: ejbca.passwordlogrounds=8 ### End ejbca.properties ###
install.properties ### Start install.properties ### # In every case that "CA" is mentioned in this file, it refers to the "management" CA ONLY. # This will be the initial name of the management CA instance # ejbca will use this for administration purpose, not your production CAs # Note that the CN given here is NOT the FQDN of your CA! # Why does this matter? This certificate will be temporarily installed # on your browser as a trusted root CA, but will not be communicated # with. ca.name=mgmtca ca.dn=CN=mgmtca,O=Your Company,C=US ca.tokentype=soft ca.tokenpassword=null # This is the path to a "catoken.properties" file that will be created when 'ant # install' is run. It will contain encryption parameters used by the mgmt CA. # You will not edit this properties file yourself. ca.tokenproperties=/opt/ejbca/conf/catoken.properties # THIS IS IMPORTANT # You can assume that ejbca cannot use EC algorithms for the management CA. # This does not mean that ejbca cannot issue certificates that use EC. # It just means that the management CA will use RSA for internal purposes. # The reason for this limitation is that the various EC algorithms are # not equally supported by the various java flavors that could be used. # More importantly, ejbca does not include any sort of logic to identify # the version of java you are using to limit or correct your options. # Choosing an unsupported algorithm here leads to a corrupt installation. # This can waste a great amount of time, so just avoid EC. # You can use EC later with the actual production CAs you define. # Keyspec for RSA keys is size of RSA keys (1024, 2048, 4096, 8192). ca.keyspec=4096 # The keytype for the administrative CA, can be RSA, ECDSA or DSA ca.keytype=RSA # Even though SHA1 is still largely in use as a certificate hashing # algorithm, I strongly suggest that you go with SHA256WithRSA. # Also, please note that the "with/With" in the hash names is indeed # case-sensitive. Stay classy, Oracle. # SHA1WithRSA, SHA1withECDSA, SHA256WithRSA, SHA256withECDSA. ca.signaturealgorithm=SHA256WithRSA # I set a CA validity of 10 years (including the leap years, rain man)
http://ejbcacentos.blogspot.co.id/
20/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
ca.validity=3652 ca.policy=null ca.certificateprofile=ROOTCA ### End install.properties ###
mail.properties ### Start mail.properties ### # This config is for the ejbca application mailer, not the jboss mailer. We will # set that up later. For now, we just point to the local mail server in order to # prevent errors in the console log. mail.jndi-name=java:/EjbcaMail mail.user=ejbca mail.password=honeybunny mail.smtp.host=localhost mail.smtp.port=25 #mail.smtp.auth=false #mail.smtp.starttls.enable=false
[email protected] #mail.debug=false mail.contentencoding=UTF-8 ### End mail.properties ###
web.properties ### Start web.properties ### # The key to this portion of the config is understanding that this file affects # the certificate used by the ejbca admin webpage. In install.properties, we # defined variables for the management CA root certificate. But that certificate # is not used for session TLS. The management CA issues a separate "server # certificate" for that purpose that is defined here. # # ------------ Web GUI configuration --------------------# Can not be set to false, commented away means that web will be configured. #web.noconfigure=true # Can not be set to false, commented away means that web will be configured. # web.nosslconfigure=true # You do not need to set this password! #java.trustpassword=changeit superadmin.cn=superadmin superadmin.dn=CN=${superadmin.cn},O=Your Company,C=US # You do not need to set this password! #superadmin.password=ejbca superadmin.batch=true # You do not need to set this password! #httpsserver.password=serverpwd httpsserver.hostname=rootca.yourdomain.net httpsserver.dn=CN=${httpsserver.hostname},O=Your Company,C=US # This is the port that will host the unencrypted Ejbca Public Web page. httpserver.pubhttp=8080 # This is the port that will host the encrypted Ejbca Public Web page,
http://ejbcacentos.blogspot.co.id/
21/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
# without client certificate authentication. httpserver.pubhttps=8442 # This is the port that will host the encrypted Ejbca Public Web page, # as well as the Administration page. Accessing content hosted on # this port requires client certificate authentication. # Note that the Ejbca Public Web page link to the administration # page will try to include this port in the URL, regardless of any # port redirection you may be using. This will fixed at the end of # the how-to. httpserver.privhttps=8443 #httpserver.external.privhttps=443 #Don't set these up unless you use an apache proxy for port translation #httpserver.external.fqdn= #httpserver.external.fqdn=${httpsserver.hostname} #httpsserver.bindaddress.pubhttp=0.0.0.0 #httpsserver.bindaddress.pubhttps=0.0.0.0 #httpsserver.bindaddress.privhttps=0.0.0.0 web.availablelanguages=EN,DE,ES,FR,IT,JA,PT,SE,UA,ZH,BS web.contentencoding=UTF-8 #hardtoken.diplaysensitiveinfo=true #web.docbaseuri=disabled #web.docbaseuri=internal #web.docbaseuri=http://www.ejbca.org #web.reqcertindb=true web.selfreg.enabled=false web.selfreg.defaultcerttype=1 web.selfreg.certtypes.1.description=User certificate web.selfreg.certtypes.1.eeprofile=SOMEPROFILE web.selfreg.certtypes.1.certprofile=ENDUSER #web.selfreg.certtypes.1.usernamemapping=CN web.renewalenabled=false #web.manualclasspathsenabled=true web.errorpage.notification=An exception has occurred. web.errorpage.stacktrace=true #web.enableproxiedauth=true web.log.adminremoteip=true #web.log.adminforwardedip=true ### End web.properties ###
Initial Deployment Now that we have a basic set of properties files, we can do our initial deployment of ejbca to jboss. Open a terminal session to solely monitor the jboss console file:
tail -f /var/log/ejbca/console.log The jboss user must be the owner of both the jboss directory tree and the ejbca directory tree. Before running our initial deployment, it's a requirement to ensure that this is the true.
service ejbca stop chown -R jboss:jboss /opt/jboss-as-7.1.1.Final chown -R jboss:jboss /opt/ejbca_ce_6_1_1 service ejbca start http://ejbcacentos.blogspot.co.id/
22/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
cd /opt/ejbca sudo -u jboss ant deploy Always execute ant as the jboss user. Otherwise, the files it creates will be owned by root, and you'll have 99 problems. Also, you must always execute ant from the /opt/ejbca directory, as that is where build.xml is located. You could use a path variable when executing ant , but I find that just changing directory to /opt/ejbca is easier. Lastly, jboss must be running when you run ant. The deployment process itself pulls information from our config data, uses that information to compile an ejbca.ear file, then prompts jboss to deploy it. Because this is our first deployment, ant also does the following: Adds our ejbca mail configuration to standalone.xml Adds our ejbca datasource information to standalone.xml Populates the database with the initial schema While all this is happening, you'll see new messages quickly arrive in the console log, but you can usually spot a nice summary section that is given before the actual compilation of ejbca.ear begins: display-properties:
[echo] [echo] ---------- EJBCA 6.1.1 (working copy) CONFIGURATION PROPERTIES ----------
[echo] appserver.type
= jboss
[echo] appserver.subtype
= jboss7
[echo] appserver.home
= /opt/jboss
[echo] java.version
= 1.6.0_30
[echo] ocsp.defaultresponder
= CN=rootca.yourcompany.net,O=Your Company,C=US
[echo] ocsp.signaturealgorithm
= SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA
[echo] datasource.jndi-name
= EjbcaDS
[echo] datasource.jndi-name-prefix = java:/
[echo] database.name
= mysql
[echo] database.url
= jdbc:mysql://127.0.0.1:3306/ejbcadb?characterEncoding=UTF-8
[echo] database.driver
= com.mysql.jdbc.Driver
[echo] database.username
= ejbcadbuser
[echo] database.password
= ***
[echo] database.useSeparateCertificateTable = false [echo] database.valid.connection.sql = select 1 [echo] mail.jndi-name
= java:/EjbcaMail
[echo] mail.from
=
[email protected]
[echo] mail.user
= ejbca
[echo] mail.password
= ***
[echo] mail.smtp.host
= localhost
[echo] mail.smtp.port
= 25
[echo] mail.smtp.auth
= false
[echo] mail.debug
= false
[echo] httpserver.pubhttp
= 8080
[echo] httpserver.pubhttps [echo] httpserver.privhttps
= 8442 = 8443
[echo] httpserver.external.privhttps = 8443 [echo] httpsserver.hostname
= rootca.yourcompany.net
[echo] httpsserver.password
= ***
[echo] httpserver.external.fqdn = [echo] web.contentencoding
= UTF-8
[echo] web.renewalenabled
= false
[echo] ejbcaws.enabled
= true
[echo] cmp.tcp.enabled
= false
[echo] cmp.tcp.portno
= 829
[echo] cmp.tcp.logdir
= ./log
[echo] cmp.tcp.conffile
=
[echo] xkms.enabled [echo] xkms.serviceport
= false = 8080
Deployment Error Messages You'll also see various log messages showing errors on compilation. The following errors can be ignored ‐ they're bugs in jboss: http://ejbcacentos.blogspot.co.id/
23/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
06:05:16,848 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014612: Operation ("composite") failed - address: ([]): java.lang.IllegalArgumentException 06:05:39,477 ERROR [org.hibernate.internal.util.xml.ErrorLogger] (MSC service thread 1-4) HHH000196: Error parsing XML (21) : cvc-complex-type.3.1: Value '1.0' of attribute 'version' of element 'entity-mappings' is not valid with respect to the corresponding attribute use. Attribute 'version' has a fixed value of '2.0'. 15:29:58,915 SEVERE [javax.enterprise.resource.webcontainer.jsf.application] (MSC service thread 1-2) JSF1051: Service entry 'org.jboss.as.web.deployment.jsf.JsfInjectionProvider' does not extend DiscoverableInjectionProvider.
Entry will be ignored.
This message refers to the fact that the community version of ejbca does not support database integrity protection: 06:06:13,175 INFO
[org.cesecore.dbprotection.ProtectedData] (MSC service thread 1-4) No database integrity
protection available in this version of EJBCA.
You'll always see these errors no matter what you do. Any other errors and failures should be dealt with before trying to proceed to an installation. But eventually you'll see something like these messages if the deployment is successful: 01:38:38,724 INFO
[org.jboss.as] (MSC service thread 1-1) JBAS015874: JBoss AS 7.1.1.Final "Brontes" started in
7761ms - Started 2855 of 2968 services (111 services are passive or on-demand) 01:38:38,769 INFO
[org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018559: Deployed "ejbca.ear"
Finally, note that you will see tons of the following messages returned directly by ant during every operation: appserver.error.message: [echo] jndi.properties.file: /opt/ejbca_ce_6_1_1/conf/jndi.properties.jboss7
These messages can be safely ignored.
More Detail on Ant Why did we do an ant deploy before an ant install? There are two reasons: To test that the ejbca.ear file is successfully compiled from what we have built so far. Running ant deploy while reading the logs gives us a chance to fix mistakes before proceeding. Once installation is complete, it becomes much more difficult to fix configuration mistakes. More importantly, the ejbca.ear file must exist before the install script can execute. It is worth taking the time to describe what the various ant command scripts do in slightly greater detail, and to learn a few new ones. They are very useful when fixing with troublesome installations. As you know, the ant deploy script creates temporary files used to compile ejbca.ear, compiles the ejbca.ear file, and then prompts jboss to deploy it. It is worth mentioning that there are two distinct functions ("targets") being called: First, ant runs the build target that performs the preparation and compilation. Then ant uses the jboss jee.deploy target to perform the actual transfer to jboss. The build process can be called directly using ant build . But ant deploy always runs both targets. The ant install script takes your configuration files, uses their information to create further configuration (such as the keystore files), and copies these new files to their proper locations. Various changes to jboss are also made by this script, and a f ull d eployment must be performed manually once installation is complete. A separate script for installation is required to segregate one‐time actions (like generating the keystores) from the repetitive actions of deployment. You do not need to rebuild everything each time you deploy! The ant clean command will clear temporary files created by prior deployments that may accidentally persist. Deleting them can help resolve deployment errors that may arise. If you continue to receive errors during deployment after trying ant clean, you may need to use a deprecated command: ant bootstrap. Theoretically, all of its functions are now performed by ant deploy.
http://ejbcacentos.blogspot.co.id/
24/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
As you might expect, all of these commands must be executed as the jboss user. If this is not done, you'll likely see these errors upon service start or deployment: 06:31:45,480 SEVERE [javax.enterprise.resource.webcontainer.jsf.application] (MSC service thread 1-4) JSF1051: Service entry 'org.jboss.as.web.deployment.jsf.JsfInjectionProvider' does not extend DiscoverableInjectionProvider. Entry will be ignored. 06:31:43,811 INFO [org.jboss.as.controller] (Controller Boot Thread) JBAS014774: Service status report JBAS014777:
Services which failed to start: service jboss.web.connector.httpspub:
org.jboss.msc.service.StartException in service jboss.web.connector.httpspub: JBAS018007: Error starting web connector service jboss.web.connector.httpspriv: org.jboss.msc.service.StartException in service jboss.web.connector.httpspriv: JBAS018007: Error starting web connector
Assuming that we are not seeing these (or any other) errors, we can proceed with our installation. It is a good idea to restart jboss, then perform the install. This avoids out‐of‐memory errors that jboss can occasionally throw. If you do happen to lock up jboss with an out‐of‐memory condition, just " kill -9" the jboss process and do a service
ejbca restart. You should then be able to perform your ant command successfully. If this does not resolve the errors, try the new ant commands given above.
service ejbca restart cd /opt/ejbca sudo -u jboss ant install
The Initial Keystores I've mentioned the keystore files several times, but haven't fully described what they are. The keystores hold the certificates used by ejbca to secure its web portal, nothing more. Their prominence during installation makes them seem very important, but they have little relevance to the actual "Certificate Authority" functions of ejbca. They are not used to store keys and certificates generated by ejbca once the application is in production ‐ that information is (usually) held in the database. In a distributed installation, they have an important role in cross‐server authentication. When the install script runs, it will perform various operations until it must prompt you for the passwords to be used for your keystore files. Again, the keystore files are located in /opt/ejbca/p12, and are:
tomcat.jks ‐ Holds the actual certificate (and its signing chain) used by jboss to secure the ejbca web portals with TLS. truststore.jks ‐ Stores a copy of the root CA key that issued the TLS certificate (initially this is the management CA). After creation, these files are copied by the install script to /opt/jboss/standalone/configuration/keystore , and
tomcat.jks is renamed keystore.jks in the new directory. It is critical to understand that while ant creates the keystores in /opt/ejbca/p12, jboss uses the keystores in the
/opt/jboss/standalone/configuration/keystore directory for TLS. The superadmin.p12 file that contains the client certificate used to authenticate the default administrator account is also located in /opt/ejbca/p12. It is not copied to the jboss directory with the other keystores. The java tool used to manage the keystores is called keytool, and (in our installation) is called by a link in /usr/bin/. Through
alternatives, this link points to /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/keytool . This tool seems to be the primary source of my problems with Elliptic Curve support ‐ the 1.6 version isn't fully‐functioned for EC algorithms, and ejbca isn't smart enough to parse EC keystore requests and prevent unsupported ones from being passed to the tool. The easiest way to deal with this problem is to simply use RSA encryption for our keystores, as I have done in the examples. Note that keytool is only used to manage keystore files. The targets used by ejbca to respond to certificate requests will be able to generate EC certificates just fine. Also note that the ejbca configuration files for the keystores refer to EC support in various places. You are welcome to play with your setup to try and find a working EC config, but I will not discuss this further.
http://ejbcacentos.blogspot.co.id/
25/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
As mentioned, ant install generates the initial copies of the keystores based on the configuration in install.properties and
web.properties. Depending on how thoroughly you configured these files, ant install may prompt you for a good deal of information required to create the initial certificates. But if you have stayed close to the examples, you should only be prompted for the three passwords that will be used to authenticate the keystores:
Please enter the password of the truststore with the CA certificate for https? [changeit] Please enter the password of the keystore with the TLS key for https [serverpwd]
(and later) Please enter the superadmin password (default: ejbca) ? [ejbca]
To clarify what each password is for: The "truststore with the CA certificate for https " is the truststore.jks file. The "keystore with the TLS key for https " is the tomcat.jks file. The "superadmin password " is the password for the superadmin.p12 file. You can include these passwords in the .properties files, and not be prompted for them. However, my personal feeling is that you should never have passwords stored in clear text.
Unfortunately, ejbca keeps clear copies of the keystore passwords in standalone.xml. Ideally, ejbca would only store these passwords in hashed form, but there is nothing we can do about this at the moment, short of rewriting the install script.
While keystore creation is taking place, ant install will return messages like these: [echo] Initializing CA with 'mgmtCA' 'CN=mgmtca,O=Your Company,C=US' 'soft' '4096' 'RSA' '3650' 'null' 'SHA384withRSA' /home/ejbca/conf/catoken.properties
-superadmincn 'SuperAdmin'...
After this, you will see another summary stanza describing the management CA being created:
[echo] [echo] ------------------- CA Properties ---------------[echo] ca.name
: mgmtca
[echo] ca.dn
: CN=mgmtca,O=Your Company,C=US
[echo] ca.tokentype
: soft
[echo] ca.keytype
: RSA
[echo] ca.keyspec
: 4096
[echo] ca.signaturealgorithm
: SHA256WithRSA
[echo] ca.validity
: 3650
[echo] ca.policy
: null
[echo] ca.tokenproperties
: /opt/ejbca/conf/catoken.properties
[echo] httpsserver.hostname
: rootca.yourcompany.net
[echo] httpsserver.dn
: CN=rootca.yourcompany.net,O=Your Company,C=US
[echo] superadmin.cn
: superadmin
[echo] superadmin.dn
: CN=superadmin,O=Your Company,C=US
[echo] superadmin.batch
: true
[echo] appserver.home
: /opt/jboss
[echo]
If the keystore creation fails due to an invalid encryption configuration (like trying to use EC), ant install will return a message like: [java] org.ejbca.ui.cli.ErrorAdminCommandException: org.cesecore.certificates.ca.InvalidAlgorithmException: Signature algorithm SHA384withRSA is not one of the allowed signature algorithms. Available algorithms: {SHA1WithRSA,SHA256WithRSA,SHA384WithRSA,SHA512WithRSA,SHA256WithRSAAndMGF1, SHA1withECDSA,SHA224withECDSA,SHA256withECDSA,SHA384withECDSA,SHA1WithDSA, GOST3411withECGOST3410,GOST3411withDSTU4145}.
http://ejbcacentos.blogspot.co.id/
26/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
and the console log will include messages like: 06:21:15,184 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-2) Failed to load keystore type JKS with path /opt/jboss/standalone/configuration/keystore/keystore.jks due to /opt/jboss/standalone/configuration/keystore/keystore.jks (No such file or directory): java.io.FileNotFoundException: /opt/jboss/standalone/configuration/keystore/keystore.jks (No such file or directory) 06:21:15,188 ERROR [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-2) Error initializing endpoint: java.io.FileNotFoundException: /opt/jboss/standalone/configuration/keystore/keystore.jks (No such file or directory)
Troubleshooting keystore creation boils down to interpreting the errors in both ant output and the console log. But p roblems usually stem from the keytool command syntax that ant install puts together. You can infer this syntax from the messages given in the ant console output.
Finalizing the Installation Aside from keystore creation, the install script also does the following: Builds the actual management CA instance in the database Updates standalone.xml with keystore, web session, and security information. In the log file, you will see many new messages, primarily relating to encryption functions for the keystore files. But the best way to get a feeling for how your installation is proceeding is to look for the following messages spread through the output: 06:20:59,482 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context:
/${app.name}/publicweb/status 06:20:59,484 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context:
/ejbca/publicweb/apply 06:20:59,491 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context:
/ejbca/publicweb/webdist 06:20:59,506 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context: /ejbca/publicweb
06:20:59,516 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context:
/ejbca/publicweb/healthcheck 06:20:59,521 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context: /ejbca/clearcache
06:20:59,521 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context: /ejbca/ejbcaws
06:20:59,571 INFO
[org.jboss.web] (MSC service thread 1-4) JBAS018210: Registering web context: /ejbca
06:20:59,727 INFO
[org.jboss.web] (MSC service thread 1-1) JBAS018210: Registering web context: /crls
06:20:59,728 INFO
[org.jboss.web] (MSC service thread 1-2) JBAS018210: Registering web context: /certificates
06:21:00,141 INFO
[org.jboss.web] (MSC service thread 1-3) JBAS018210: Registering web context: /ejbca/adminweb
06:21:16,576 INFO
[org.jboss.web] (MSC service thread 1-1) JBAS018210: Registering web context: /ejbca/doc
WSDL published to: file:/opt/jboss-as-7.1.1.Final/standalone/data/wsdl/ejbca.ear/ejbca-wsejb.jar/EjbcaWSService.wsdl
If you see these contexts being successfully registered, you can feel assured that the various functions of ejbca are being successfully built. But note that most of these contexts are dynamic in nature, and usually cannot be browsed to check their function ‐ you must create your own CAs first. Also, some services, like the healthcheck, are only available from localhost (as shown in the properties files). The installation will likely end with an error message that will go away once we manually perform a deployment (although ant will report the installation as " BUILD SUCCESSFUL"): 06:31:43,812 ERROR [org.jboss.as] (Controller Boot Thread) JBAS015875: JBoss AS 7.1.1.Final "Brontes" started (with errors) in 162ms - Started 135 of 218 services (2 services failed or missing dependencies, 80 services are passive or on-demand)
Recovering from a Failed Install Chances are that you will discover mistakes after your first installation attempt. If you did not (or could not) make a vm snapshot immediately prior to running ant install, all hope is not lost! Perform these steps, and verify that you no longer receive unexpected errors in your console log before proceeding. If you just can't shake weird errors in the log, you really have no other choice than to completely start over. http://ejbcacentos.blogspot.co.id/
27/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
service ejbca stop mysql -u root -p drop database ejbcadb; create database ejbcadb; exit rm rm rm rm rm vi
/opt/ejbca/p12/tomcat.jks /opt/ejbca/p12/truststore.jks /opt/ejbca/p12/superadmin.p12 /opt/jboss/standalone/configuration/keystore/keystore.jks /opt/jboss/standalone/configuration/keystore/truststore.jks /opt/jboss/standalone/configuration/standalone.xml
### Start standalone.xml Delta ###
Remove:
### End standalone.xml Delta ###
service sudo -u sudo -u sudo -u
ejbca jboss jboss jboss
start ant clean ant deploy ant install
Checking the Keystores Regardless of whether or not we had problems with their creation, it is quite important to check the contents of the keystore files prior to continuing with the build. This ensures not only that the contents are correct, but also that the passwords associated with the files are the ones we expect. We will check both the ejbca and the jboss copies:
cd /opt/ejbca/p12 keytool -list -v -keystore tomcat.jks keytool -list -v -keystore truststore.jks cd /opt/jboss/standalone/configuration/keystore keytool -list -v -keystore keystore.jks keytool -list -v -keystore truststore.jks
Again, the contents of tomcat.jks/keystore.jks should initially be: The root CA certificate used to identify your management CA. The TLS certificate for your server, which will be issued to the FQDN of your server. An additional copy of the management CA certificate chained to the TLS certificate as the signing authority. http://ejbcacentos.blogspot.co.id/
28/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
A "key" thing to note regarding keytool: when running the list commands above, you may notice that the keys will be successfully listed regardless of the password (or lack of one) that you enter. However, you will see the following stanza at the top of the list output:
***************** WARNING WARNING WARNING ***************** * The integrity of the information stored in your keystore * * has NOT been verified! In order to verify its integrity, * * you must provide your keystore password. * ***************** WARNING WARNING WARNING *****************
This functionality is by design. Ejbca, for its part, takes the passwords that are entered during installation and uses them as the authentication codes for the keystores, storing them in the standalone.xml stanzas mentioned in the previous section. If jboss cannot validate the keystores with the passwords stored in standalone.xml at start time, the service will eventually start, but will fail to start ejbca.ear, and will report the following message in the console log: 20:45:43,566 ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-4) Failed to load keystore type JKS with path /opt/jboss/standalone/configuration/keystore/keystore.jks due to Keystore was tampered with, or password was incorrect: java.io.IOException: Keystore was tampered with, or password was incorrect
Returning to our own tests of the keystores, the output of a list operation (with the proper password) will look something like this (some of the extensions are omitted for brevity):
### Start keystore.jks ### Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entriesAlias name: cacert Creation date: Apr 26, 2014 Entry type: trustedCertEntry Owner: C=US, O=Your Company, CN=mgmtca Issuer: C=US, O=Your Company, CN=mgmtca Serial number: 1e1369e62435a307 Valid from: Sat Apr 26 06:20:16 GMT-08:00 2014 until: Tue Apr 23 06:20:16 GMT-08:00 2024 Certificate fingerprints: MD5:
CB:04:B3:2A:5A:AA:AA:AA:54:BB:C1:3E:72:A2:F1:62
SHA1: 07:89:0F:48:97:35:FF:AA:B5:69:35:97:69:8B:B1:40:D8:2A:02:2A Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ] ... ] ******************************************* ******************************************* Alias name: rootca.yourcompany.net Creation date: Apr 26, 2014 Entry type: PrivateKeyEntry Certificate chain length: 2
http://ejbcacentos.blogspot.co.id/
29/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Certificate[1]: Owner: C=US, O=Your Company, CN=rootca.yourcompany.net Issuer: C=US, O=Your Company, CN=mgmtca Serial number: 5a797a3381345da2 Valid from: Sat Apr 26 06:10:21 GMT-08:00 2014 until: Mon Apr 25 06:10:21 GMT-08:00 2016 Certificate fingerprints: MD5:
AF:C1:26:10:24:9D:FE:08:45:F0:45:CA:57:33:BB:FE
SHA1: 11:5F:8F:A2:AC:E6:D2:3C:1E:CC:6A:A8:3B:9F:57:8D:4E:D6:59:3C Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_Encipherment ] ... ] Certificate[2]: Owner: C=US, O=Your Company, CN=MgmtCA Issuer: C=US, O=Your Company, CN=MgmtCA Serial number: 1e1369ef834ea307 Valid from: Sat Apr 26 06:20:16 GMT-08:00 2014 until: Tue Apr 23 06:20:16 GMT-08:00 2024 Certificate fingerprints: MD5:
CB:04:B3:2A:5A:7B:40:72:54:BB:C1:3E:72:A2:F1:62
SHA1: 07:89:0F:48:97:35:FF:AA:B5:69:35:97:69:8B:B1:40:D8:2A:02:2A Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ] ... ] ******************************************* ******************************************* ### End keystore.jks ###
The truststore.jks file contains the keys of all authorities trusted by jboss, which initially is only the management CA:
### Start truststore.jks ### Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: mgmtca Creation date: Apr 26, 2014 Entry type: trustedCertEntry
http://ejbcacentos.blogspot.co.id/
30/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Owner: C=US, O=Your Company, CN=mgmtca Issuer: C=US, O=Your Company, CN=mgmtca Serial number: 1e1369ef834ea307 Valid from: Sat Apr 26 06:20:16 GMT-08:00 2014 until: Tue Apr 23 06:20:16 GMT-08:00 2024 Certificate fingerprints: MD5:
CB:04:B3:2A:5A:7B:40:72:54:BB:C1:3E:72:A2:F1:62
SHA1: 07:89:0F:48:97:35:FF:AA:B5:69:35:97:69:8B:B1:40:D8:2A:02:2A Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ] ... ] ******************************************* ******************************************* ### End truststore.jks ###
If your outputs vary wildly from what is shown above, you will need to go back and revalidate your properties files, then reinstall your server. This is where vm snapshots become very handy.
Production Deployment and Test Now we can perform our first true deployment that should give us a functional ejbca server:
sudo -u jboss ant deploy It's a good idea to restart jboss a few times following this step, to make sure that ejbca restarts successfully:
service ejbca restart service ejbca restart service ejbca restart Assuming there are no errors, the ejbca web portals are now active. There are a few of them:
http://rootca.yourcompany.net ‐ This is the unencrypted default webpage for Jboss. It refers to an "Administration Console", which is only available to localhost and uses the jadmin account we created earlier. Otherwise, it doesn't interact with ejbca. http://rootca.yourcompany.net/ejbca ‐ This is the public ejbca webpage. The primary functions of ejbca are accessed from here. https://rootca.yourcompany.net/ejbca ‐ This is the encrypted version of the page above. At present, you must have the superadmin.p12 certificate installed in your browser to reach this page, but we will change this once ejbca is fully functional. http://rootca.yourcompany.net/ejbca/adminweb ‐ This is the primary administration webpage for ejbca. Nearly all of our production configuration is performed from this page. It requires the superadmin.p12 certificate as well. It is a good idea to test access to each of these pages individually, using a fresh browser session each time. But we need to open an scp session to our server and retrieve the superadmin.p12 certificate before we can access the ejbca administration webpage. The superadmin certificate only grants our browser the ability to log in to the administration interface of the ejbca application‐ not the jboss web console. In Firefox, the superadmin certificate is installed by opening:
Tools ==> Options ==> Advanced ==> Certificates ==> View Certificates
http://ejbcacentos.blogspot.co.id/
31/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
and selecting "Import" from the "Your Certificates " tab. You will need to enter the superadmin password you entered during ant
install to decrypt the file. Once we have installed superadmin.p12, we can browse to:
https://rootca.yourcompany.net/ejbca/adminweb and arrive at the administration webpage after being prompted for the certificate.
Adding the Validation Authority Now that we are reasonably sure that the management CA is functional, we can add validation functions to our server. Primekey refers to the processes that perform certificate validation (CMP, OCSP, CRL distribution) as being the "Validation Authority". It is important to note that you can legitimately have a CA without validation ability, and skip this entire section of the how‐to. But certificate validation is a core function of PKI, so I suggest you add it now. Referring back to our ASCII logical layout diagram:
mysql --> java-sql-connector --> jboss --> ejbca CA --> ejbca VA --> OCSP ^ ^ | | ------ java -----
What this diagram does not show is that the Validation Authority has its own Jboss datasource that is discrete from the one used by the Certificate Authority. However, in our standalone environment, this connection is to the same database ( ejbcadb) that the Certificate Authority uses. Defining the VA's datasource is the purpose of the va-publisher.properties file. Like the CA datasource, the VA datasource configuration will be added to standalone.xml during deployment (once the VA‐specific .properties files are created). It is worth noting how Primekey uses the term "publisher". It describes the notion of a particular ejbca component "publishing" information (from a datasource) to a separate server in a distributed ejbca installation. In our case, our standalone server is only "publishing" to its own Validation Authority service, but we still need the "publisher" to be defined in va-publisher.properties. The va.properties file defines general operation of the Validation Authority, such as its healthcheck function. The ocsp.properties file defines OCSP protocol functionality. The first step towards enabling the Validation Authority is to create the validation‐related properties files in the /opt/ejbca/conf directory:
cp sample/ocsp.properties.sample ocsp.properties cp sample/va.properties.sample va.properties cp sample/va-publisher.properties.sample va-publisher.properties
Like the examples above, here are files I am using:
ocsp.properties ### Start ocsp.properties ### # ------------ OCSP responder configuration --------------------ocsp.enabled=true #ocsp.enabled=false # This is the path for the OCSP URL ocsp.contextroot=/ejbca/publicweb/status #ocsp.contextroot=/status # This is the DN of the CA that will respond to requests for unknown certs
http://ejbcacentos.blogspot.co.id/
32/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
ocsp.defaultresponder=CN=defaultca,O=Your Company,C=US ocsp.includecertchain=true ocsp.includesignercert=true ocsp.responderidtype=keyhash ocsp.signaturealgorithm=SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA ocsp.signingCertsValidTime=300 ocsp.warningBeforeExpirationTime=10000 ocsp.nonexistingisgood=false #ocsp.nonexistingisgood.uri.1=.*/thisEndingIsGood$ #ocsp.nonexistingisgood.uri.2=^http://good.myhost.nu:8080/.* #ocsp.nonexistingisbad.uri.1=.*/thisEndingIsBad$ #ocsp.nonexistingisbad.uri.2=^http://bad.myhost.nu:8080/.* ocsp.nonexistingisrevoked=false #ocsp.nonexistingisrevoked.uri.1=.*/thisEndingIsRevoked$ #ocsp.nonexistingisrevoked.uri.2=^http://revoked.myhost.nu:8080/.* ocsp.expiredcert.retentionperiod = 31536000 #ocsp.expiredcert.retentionperiod = -1 ocsp.untilNextUpdate = 0 #ocsp.999.untilNextUpdate = 50 ocsp.revoked.untilNextUpdate = 0 #ocsp.999.revoked.untilNextUpdate = 50 ocsp.maxAge = 30 #ocsp.999.maxAge = 100 ocsp.revoked.maxAge = 30 #ocsp.999.revoked.maxAge = 100 #ocsp.extensionoid= #ocsp.extensionclass= #ocsp.uniddatsource= #ocsp.unidtrustdir= #ocsp.unidcacert= #ocsp.signaturerequired=false #ocsp.rekeying.trigging.password= #ocsp.rekeying.wsurl = https://milton:8443/ejbca/ejbcaws/ejbcaws #ocsp.rekeying.update.time.in.seconds= #ocsp.rekeying.safety.margin.in.seconds= #ocsp.rekeying.trigging.hosts= # Default: false ocsp.trx-log = true ocsp.log-date = yyyy-MM-dd:HH:mm:ss:z #ocsp.log-timezone = GMT #ocsp.trx-log-pattern = \\$\\{(.+?)\\} #ocsp.trx-log-order = ${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN _SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${PROCESS_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_ NAME_HASH};${ISSUER_KEY};${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS} ocsp.audit-log = true #ocsp.audit-log-pattern = \\$\\{(.+?)\\} #ocsp.audit-log-order = SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";REPLY TIME:${REPLY_TIME};\nTIME TO PROCESS:${PROCESS_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS} #ocsp.log-safer = true ### End ocsp.properties ###
va.properties ### Start va.properties ###
http://ejbcacentos.blogspot.co.id/
33/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
#------------------- Validation Authority (VA) Healthcheck settings ------------ocsphealthcheck.signtest=true ocsphealthcheck.checkSigningCertificateValidity=true # The example below defines the alias 'root' for 'O4RdnGNf3WPioslAQsX71aR1/MI' and then: # http://myhost.com:8080/certificates/search.cgi?sKIDHash=O4RdnGNf3WPioslAQsX71aR1/MI is the same as http://myhost.com:8080/certificates/search.cgi?alias=root # http://myhost.com:8080/crls/search.cgi?sKIDHash=O4RdnGNf3WPioslAQsX71aR1/MI is the same as http://myhost.com:8080/crls/search.cgi?alias=root # http://myhost.com:8080/crls/search.cgi?sKIDHash=O4RdnGNf3WPioslAQsX71aR1/MI&delta= is the same as http://myhost.com:8080/crls/search.cgi?alias=root&delta= # Copy the sKIDHash from http://myhost.com:8080/crls/search.cgi or http://myhost.com:8080/certificates/search.cgi and paste it in the config file and restart the application server. # The downloaded file will use the alias for the name. # Here is the example: #va.sKIDHash.alias.root=O4RdnGNf3WPioslAQsX71aR1/MI ### End va.properties ###
va‐publisher.properties ### Start va-publisher.properties ### #-------------- Validation Authority(VA) publisher db configuration------------------------# All the "ocsp-database.*" properties are used to configure the VA connection to the database. # # In "PrimeKeyese": Configure these options if you are configuring EJBCA that will publish # certificates to a VA.
ocsp-datasource.jndi-name=OcspDS ocsp-database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb?characterEncoding=UTF-8 ocsp-database.driver=com.mysql.jdbc.Driver ocsp-database.username=ejbcadbuser
# Set your database user password here ocsp-database.password=pumpkin ### End va-publisher.properties ###
To enable the VA, we perform the same set of commands we ran before our initial deployment:
service ejbca stop chown -R jboss:jboss /opt/jboss-as-7.1.1.Final chown -R jboss:jboss /opt/ejbca_ce_6_1_1 service ejbca start cd /opt/ejbca sudo -u jboss ant deploy
Note that in ocsp.properties, we define the " ocsp.defaultresponder". This is the DN of the CA that will answer OCSP requests for unknown CAs. Primekey recommends that you use the management CA for this, but I think that's a poor idea. I use an empty "default" CA solely for this purpose. This brings the total number of certificate authorities in our initial installation to three: mgmtca rootca.yourcompany.net defaultca We will create the defaultca near the end of the how‐to. For now, just remember this entry in ocsp.properties. Until the defaultca is created, you will repetitively see the following message in the console log: http://ejbcacentos.blogspot.co.id/
34/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
06:06:13,379 INFO
[org.cesecore.certificates.ocsp.cache.OcspSigningCache] (MSC service thread 1-4) Default OCSP
responder with subject 'CN=defaultca' was not found. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error).
Lastly, if for whatever reason you have problems with your va-publisher.properties file, you may see the following warning: 06:31:45,632 WARN
[org.ejbca.core.protocol.certificatestore.CertificateCache] (MSC service thread 1-2)
org.bouncycastle.ocsp.OCSPException: problem creating ID: java.security.NoSuchProviderException: no such provider: BC
"BC" is the default bouncycastle (the OCSP java module) instance name. This is another good point to take a vm snapshot. I really like the name "bouncycastle".
Building the Initial Production CA Administration Overview We are now at the point where we create our first CA. This is accomplished via the web admin interface:
Administration Homepage
Before we start configuring, here is a brief description of the interface: CA Functions ‐ This section is to configure the Certificate Authority functions of ejbca. RA Functions ‐ This section is to configure the Registration Authority functions of ejbca. Supervisor Functions ‐ This section is to view ejbca logs and approve requests. System Functions ‐ This section has some validation functions, some administration functions, and general preferences/configuration. Here, we revisit the idea of the "Registration Authority". In ejbca, the RA is functionality that manages requests for new certificates. It regulates the user accounts associated with each CA and the types of certificates a user is allowed to request. It also answers queries about certificates that have already been issued, although this function is distinct from the Validation Authority. In terms of our build, it was installed with the core CA functions, and is not configured separately. However, the RA can be distributed to a separate ejbca installation used only for registration.
CA Creation Workflow We will assume that most of the certificates to be issued by our CA will be for standard HTTPS connections using TLS, so the http://ejbcacentos.blogspot.co.id/
35/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
example configuration will be geared towards this purpose. By the time we finish, we should have a certificate that we can install on any standard Apache server. It is useful to have a written workflow for creating CAs in ejbca, as you can have different CAs for different purposes, each configured differently. Here is the flow we will follow: 1. Create a Certificate Profile ‐ Defines set of certificate values to be used as a template 2. Create an End Entity Profile ‐ Essentially the same as a user template 3. Create the Certificate Authority ‐ Creating the actual Certificate Authority
Once these steps are complete, we will create an End Entity and issue it a certificate. We could create the Certificate Authority first, but I specifically use this order to illustrate a few concepts: You should know the algorithms and key lengths you will use before creating your CA. Most applications of PKI only support a limited number of possible algorithm/signature combinations. You should know the certificate details (extensions) you will use, as well. Defining the Certificate Profile and End Entity Profile first forces you to have these details defined before committing to CA creation.
Deciding on an Algorithm Choosing a public key encryption algorithm is a "touchy subject" for people lately, with opinions usually boiling down to either: "The NSA is an essential tool of the forces of good to gather realtime intelligence on the actions of evildoers." or: "The NSA is an essential tool of the forces of evil to steal secrets and destroy the privacy of the good people of the world." Regardless of where you fall on the political spectrum, our choice of public key encryption algorithm is limited to either RSA or Elliptic Curve DSA. With RSA, the only variable is the length of your key modulus, with current options being 2048, 4096, and 8192 bits. With ECDSA, you have a dizzying number of variants to choose from. I summarize a few of them here, with thanks to the SECG and Fabio Pietrosanti. Focusing first on the SECG convention on ECDSA curve naming: "sec" simply denotes the specification name: "Standards for Efficient Cryptography".
p " " or "t" refer to two variants of the elliptic curve algorithm. The " p" stands for "prime". The next three numbers refer to the length (in bits) of the modulus of the curve. "r" or "k" refers to the family of curves used by the equation ‐ "Random" or "Koblitz". The last number refers to a "sequence number", referring to yet another mathematical variant. The table column titles stand for:
SECG NAME ‐ SECG "nickname" of the elliptic curve variant SIZE ‐ length in bits of the field order RSA EQ ‐ approximate size of an RSA modulus at comparable strength. CURVE ‐ indicates whether the curve is Koblitz or random NIST ‐ name of the equivalent NIST standard for the curve
+-----------+------+--------+---------+-------+ | SECG NAME | SIZE | RSA EQ | CURVE | NIST | +-----------+------+--------+---------+-------+ | sect163k1 | 163 | | Koblitz | K-163 | | sect163r1 | 163 | | Random | | | sect163r2 | 163 | | Random | B-163 | | sect193r1 | 193 | | Random | | | sect193r2 | 193 | | Random | | | sect233k1 | 233 | | Koblitz | K-233 | | sect233r1 | 233 | | Random | B-233 | http://ejbcacentos.blogspot.co.id/
36/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
| sect239k1 | 239 | | Koblitz | | | sect283k1 | 283 | | Koblitz | K-283 | | sect283r1 | 283 | | Random | B-283 | | sect409k1 | 409 | | Koblitz | K-409 | | sect409r1 | 409 | | Random | B-409 | | sect571k1 | 571 | | Koblitz | K-571 | | sect571r1 | 571 | | Random | B-571 | | secp160k1 | 160 | 1024 | Koblitz | | | secp160r1 | 160 | 1024 | Random | | | secp160r2 | 160 | 1024 | Random | | | secp192k1 | 192 | 1536 | Koblitz | | | secp192r1 | 192 | 1536 | Random | P-192 | | secp224k1 | 224 | 2048 | Koblitz | | | secp224r1 | 224 | 2048 | Random | P-224 | | secp256k1 | 256 | 3072 | Koblitz | | | secp256r1 | 256 | 3072 | Random | P-256 | | secp384r1 | 384 | 7680 | Random | P-384 | | secp521r1 | 521 | 15360 | Random | P-521 | +-----------+------+--------+---------+-------+
It is worthwhile to compare the equivalent strength of Koblitz and Random (ECC) curves when tested more rigorously: (in bits)
+---------+-------+--------------+ | Koblitz | ECC | DH/DSA/RSA | +---------+-------+--------------+ | 163 | 192 | 1024 | | 283 | 256 | 3072 | | 409 | 384 | 7680 | | 571 | 521 | 15360 | +---------+-------+--------------+
My takeaway from the information in these tables is: Elliptic Curve equations are far more efficient than the RSA equations. Elliptic Curve equations using Koblitz curves are slightly (10% or so) less efficient than those using "random" curves. When choosing an EC equation, it is a good idea to choose a variant that is supported by multiple organizations (SECG, NIST, etc) f or compatibility purposes. Currently, the best supported variant is prime256v1 (aka secp256r1 , NIST P‐256) Extremely briefly, most worries about Elliptic Curve center on the nature of the "random" curves, and whether or not they are truly "random". If you are worried about the NSA having a "backdoor" in EC, my suggestion is to use a Koblitz curve variant, like Bitcoin does. However, this will cost you about 10% of your efficiency, and Koblitz‐based algorithms are not as widely accepted as those based on the "random" curves. Ultimately, there is no guarantee that the NSA won't be able to break your encryption regardless of the algorithm you choose. As of now, the world is moving towards Elliptic Curve cryptography. Once ejbca gets its implementation straight, it will be the best algorithm to use for your CAs and certificates. My opinion is that for interoperability reasons, you're best off using the de facto standard for TLS on the Internet: 2048‐ bit RSA, but with a SHA‐256 key. When creating a Certificate Authority in ejbca, 2048‐bit RSA is the default algorithm.
Defining the Certificate Fields The X.509 specification allows a dizzying number of potential information fields to be included in a certificate. Thankfully, most of these fields are ignored by the average PKI implementation. To illustrate this, I downloaded a certificate used by Google to secure Gmail, and viewed its properties using the Firefox certificate http://ejbcacentos.blogspot.co.id/
37/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
viewer:
Gmail TLS Certificate
In the Firefox viewer, the full set of included fields can be viewed in the "Details" tab:
Gmail Certificate Details
Google uses the following fields in this certificate:
Version: 3 Serial Number : 07:29:38:9A:3E:F9:9C:B1 Certificate Signature Algorithm : SHA‐1 with RSA Issuer : CN=Google Internet Authority G2,O=Google Inc, C=US Validity : Not After 7‐21‐2014 Subject: (the DN) CN=mail.google.com, O=Google Inc, L=Mountain View, ST=California,C=US Algorithm Identifier : Elliptic Curve Public Key Algorithm Parameters : ANSI X9.62 ell iptic curve prime256v1 (aka secp256r1, NIST P‐256) Extended Key Usage : TLS Web Server Authentication, TLS Web Client Authentication Certificate Subject Alt Name: DNS Name=mail.google.com Certificate Key Usage : Signing Authority Information Access : CA Issuers: URI: http://pki.google.com/GIAG2.crt OCSP: URI http://clients1.google.com/ocsp
Certificate Subject Key ID : (160 bit number) http://ejbcacentos.blogspot.co.id/
38/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Certificate Basic Constraints : Is not a Certificate Authority Certificate Authority Identifier : (160 bit number) Certificate Policies : 1.3.6.1.4.1.11129.2.5.1 CRL Distribution Points : URI: http://pki.google.com/GIAG2.crl Certificate Signature Value : ( 2048‐bit number) This set of fields is a good starting point when defining what your own certificates will contain. By way of comparison, here is the certificate for the Root CA that validates Gmail's certificate:
Geotrust Root CA Certificate
The Root CA uses fewer fields than the Gmail certificate, and uses 2048‐bit RSA encryption:
Version: 3 Serial Number : 02:34:56 (this is not a typo) Certificate Signature Algorithm : SHA‐1 with RSA Issuer : CN=GeoTrust Global CA, O=GeoTrust, Inc.,C=US Validity : Not After 5/20/2022 Subject: CN=GeoTrust Global CA,O=GeoTrust, Inc.,C=US Subject Public Key Algorithm : RSA Encryption Subject's Public Key : (2048‐bit number) Certificate Basic Constraints : Is a Certificate Authority, Unlimited Intermediate CAs Certificate Subject Key ID : (160‐bit number) Certificate Authority Key ID : (the same 160‐bit number) Certificate Signature Value : ( 2048‐bit number) These certificates will be used as templates for defining the fields in our initial Profiles, CAs, and certificates.
Creating A Certificate Profile Ejbca uses Certificate Profiles to store commonly used sets of certificate extension field data. It is mandatory to use a Certificate Profile when creating a certificate. By default, ejbca has five predefined Profiles that contain minimal information, and cannot be altered or deleted.
http://ejbcacentos.blogspot.co.id/
39/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Certificate Profiles Page
In this example, I am creating a new Profile named " Default TLS Certificate Profile ", basing it on the default " SERVER " Profile. As you might guess, the SERVER Profile is intended to issue certificates to servers supporting TLS. Below are the field data I used in the Profile. Note that some fields were pre‐populated with data from the SERVER Profile:
Available Bit Lengths : 192, 256, 384, 512, 2048, 4096, 8192 When a certificate is requested using this Profile, only requests using algorithms with these key lengths will be fulfilled. Ejbca does not differentiate between algorithm types in this field, so it is a good idea to allow both 192‐512 bit lengths to support EC requests, and 2048‐8192 lengths for RSA requests.
Signature Algorithm : "Inherit" or "SHA256 with RSA" All certificates are "signed" by the issuing CA using a particular hash algorithm. While SHA‐1 is still the de‐facto Internet standard for signing, it is a good idea to migrate to SHA256 or SHA512. Note that choosing RSA or ECDSA in this field does not affect the primary public key algorithm used in in the issued certificates. However, you should use the appropriate value for the algorithm you will be using. Choosing "Inherit" in this field causes all certificates issued using this Profile to inherit the signature algorithm of the issuing CA.
Validity : 3652d This is the length of time that the certificate will be valid. The "d" stands for "days". This value corresponds to 10 years.
Overrides : Do not allow overrides You have the option of allowing values specified in a Certificate Signing Request (CSR) to "override" values specified in the Profile. While there may be good reasons to do this, we will not allow this when using this Profile. This is an important option with significant ramifications, which we will discuss again later.
Key Usage: Digital Signature, Key encipherment These values specify the uses that are "allowed" by the certificate. The word "allowed" is misleading in this context, as the Key Use field cannot prevent the certificate owner from using the certificate for whatever purpose it wishes.
Extended Key Usage : Server Auth, Client Auth Much like Key Usage, this field is specified in the certificate, but enforcement is up to the application using the certificate.
Subject Alt Name : Enabled The default naming convention for identifying a certificate owner is the X.500 standard. However, most certificates are used by devices that use DNS for identification. This field will typically contain the FQDN of the certificate owner if it is a device, or an email address if the owner is a human being.
Use CRL Distribution Point : Enabled This option enables a field in the Certificate Profile that will hold a URL/URI to define the network location of a CRL. Enabling this field means that the CA that will use this Certificate Profile must support Validation Authority functionality, and maintain an up‐to‐ date CRL.
Use CA defined Distribution Point : Enabled We will inherit the URL defining the location of the CRL from the issuing CA. If this option is not selected, a URL for the CRL must be defined manually. This could be a "http://" address, or an "ldap://" address. HTTP is the standard for Internet use, while Microsoft active directory certificates use both HTTP and LDAP. There is an exception to this addressing rule, which will be http://ejbcacentos.blogspot.co.id/
40/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
discussed later. FreshestCRL Extension : Disabled This option enables the use of differential (or "delta") CRLs. CRLs can become quite long, and the use of "delta" CRLs allows subsets of the full CRL to be distributed. We will not be using this function. If this option is enabled, the same type of address values used for the primary CRL must be defined as well.
Certificate Policies : Disabled Certificate Policies are RFC‐defined options used for administrative purposes. We will not use them.
Authority Information Access : Enabled, Use CA defined OCSP locator This Profile will include information regarding the URI target to use to reach the OCSP service of the issuing CA, but will inherit the details of this from the issuing CA.
Subset of Subject Alt Name : Restrict to "DNS Name" only As we will only use the Certificates generated with this demonstration Profile for device‐based TLS, we will only use DNS‐based Alternative Names.
Available CAs: Any CA We will allow this Profile to be used by any CA on our ejbca server.
Creating the End Entity Profile Ejbca requires "End Entities" to be defined before any certificates can be issued. An "End Entity" can be considered equivalent to a "user account". However, it is important to understand that while certificates are often issued to human beings, most certificates are issued to devices. Therefore, the more generic term, "End Entity", is used. "End Entity" accounts are identified using a username, regardless of whether that name is "Jose Manolo Enrique Hernandez‐Gonzales" or "yourserver.yourcompany.net". Each End Entity can be issued 1‐5 certificates , but each certificate must be requested by the Entity via the Public Ejbca Webpage before it is issued. To simplify the process of creating similar End Entities, "End Entity Profiles" can be used as templates.
End Entity Profiles Page
In this example, I am c reating a Profile call ed " Default TLS Device Entity Profile ". This Profile will contain information that is tuned for use by TLS‐capable devices. The only predefined End Entity Profile is " EMPTY", which contains no information. While you are forced to choose an End Entity Profile when creating an End Entity, you always have the option of choosing the " EMPTY" Profile. Here are the fields I defined in the Profile:
http://ejbcacentos.blogspot.co.id/
41/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Username: (Leave Blank) Password : (Leave Blank) If you want to use the same password for multiple End Entities, you can set it here. On the "Create Certificate from CSR" webpage, this password is called the "Enrollment Code".
Minimum password strength : 48 (in bits) This ensures that passwords are at least eight characters long.
End Entity Email : yourcompany.net (Use, Required and Modifiable) This entry is intended to contain the email domain name only, without the "@" sign. You will be allowed to enter the user‐specific portion of the address when creating the Entity.
Subject DN Attributes : CN (Required, Modifiable, but blank) O (Required, no modify): Your Company L (Required, no modify):Your City ST (Required, no modify):Your State C (Required, no modify): Your Country
Subject Alternative Name : DNS Name: .yourcompany.net When using this Profile to create an entity, you will complete this entry with the entity's hostname. If the entity will be a person, you will use the "RFC 822 Name (email address)" for the Subject Alternatve Name instead of the DNS Name.
Default Certifiate Profile : Default TLS Certificate Profile Default CA : Use "mgmtca" (f or now) Choose the name of your new root CA (in this how‐to: "rootca.yourcompany.net") once it is created.
Available CAs: Set to Any CA Default Token: User Generated Available Tokens : All Number of Allowed Requests : 2 Usually, it is desirable to ensure that only a single Certificate is issued to an End Entity. Here we allow two, in case we make a mistake in our first certificate request.
Send Notification : Use default and required Sender:
[email protected] Notification Recipient:
[email protected] Notification Events: All Subject and message: Hey, ejbca did something!
Now add the notification, then save the Profile.
Creating the Certificate Authority As descibed in the beginning of the how‐to, a Crypto Token is the logical structure that a CA's keys are held in. As we are only using "soft" Crypto Tokens, you can think of them as being tables in our database. As you might expect, this fact makes the security of our database a greater concern than it might otherwise be. We have two options for defining the Crypto Token used by any CA we create: Make the Crypto Token first, then associate the new CA with it Or: Allow ejbca to create the Crypto Token automatically There is a consequence to allowing ejbca to generate the Crypto Token: it uses a 2048‐bit RSA key in the CA certificate, and does not give us an option to choose otherwise. Once a CA certificate is issued, it cannot easily be updated with a new, stronger key. In fact, just assume for now that it can't be done. So if you wish to use a stronger key for your CA, you should manually create your Crypto Token. Creating a Crypto Token is simple enough. First enter the Crypto Token interface:
http://ejbcacentos.blogspot.co.id/
42/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Crypto Token Page
Then, select "Create New", which will take you to the New Token page:
New Crypto Token Page
The "Authentication Code" is a password used to encrypt the Crypto Token itself. You will need this code when renewing the CA that uses this Crypto Token. "Auto‐activation" should also be enabled. The Crypto Token must be populated with a basic set of keys before we can use it:
Basic CA Keys
http://ejbcacentos.blogspot.co.id/
43/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
In this example, I have added the essentials:
certSignKey ‐ Used for Certificate signing defaultKey ‐ Used f or everything else testKey ‐ Used for internal health checks only In the example, you will see a key named "crlSignKey". This key is deprecated, and is no longer needed. I have also added a key called "ec256p1Key" for testing purposes, to show that EC keys can be generated and used by a CA with a RSA defaultKey. When finished, we will see that our Crypto Token is labeled as "Active", but not "Used". Once we associate the Token with a CA,its state will change to "Used". Now that we have keys defined with the desired strength, we can create the new CA.
Certification Authorities Page
Note that on this page, we do not have the option of using an existing CA as a template. Here are the settings I used for " rootca.yourcompany.net":
Type of CA : X509 This is the standard for Internet communications.
Signing Algorithm : Sha256WithRSA I chose this algorithm because it is the next step up in complexity from the current standard of SHA‐1.
Crypto Token: YourTokenName Select the name of the Crypto Token that you created in the previous step. Below are the names of the keys (from our Crypto Token) to be used for standard purposes: defaultKey : defaultKey certSignKey : certSignkey keyEncryptKey: ‐ Use default key hardTokenEncrypt: ‐ Use default key testKey: testKey Extended Services Key Specification : RSA 2048
Enforce Unique Serial Number : Enabled As we will (probably) not be generating a huge number of certificates in a lab environment, we assume that we will not run out of valid serial numbers.
Use Certificate Request History : Enabled This is essentially "detailed auditing" for requests.
Validity : 3652d This value is the length of time that the CA's own certificate will be valid.
Subject DN: CN=rootca.yourcompany.net,O=Your Company,C=US This is the DN that you wish to be included in the CA's own certificate . It includes the CN by default, but it is common to add O http://ejbcacentos.blogspot.co.id/
44/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
and C val ues.
Signed by: Self Signed Because this will be a new Root CA, it will sign its own initial certificate.
Subject Alternative Name : dNSName=rootca.yourcompany.net As discussed, this is the FQDN of the CA. However, note that in this field, the FQDN must be prefixed by " dNSName= ". As far as I can tell, this is the only area in ejbca where you must specify this prefix. " dNSName" is defined in the RFC4985 specification for X.509 Subject Alternative Names.
Use Issuing Distribution Point on CRLs : Enabled This enables a field to hold the URL for retrieval of this CA's CRL in the CA's own certificate .
Generate Default CRL Distribution Point : Generated, but remove ":8080" from the URL, and change the protocol from "http://" to "https://" We do this because of our firewall port translation rules, which force all requests to use HTTPS.
Generate Default CRL Issuer : Generated Do not edit this string. It should be your DN.
CA Defined FreshestCRL Extension : Not Generated We are not using "Delta CRLs" with our CA, so this field is not included.
CA Issuer URI: Empty This is an optional field that can be ignored.
Default OCSP Service Locator : Generated, Remove ":8080", and change "http://" to "https://". We do this because of our firewall port translation rules. Now, create the CA. If for whatever reason creation fails, just "go back" in your browser, and all of your settings will be preserved. Correct what was wrong, and try again. Once our CA is made, we have one final step to take before it is fully functional. We must activate the internal health check on the CA Activation page:
CA Activation Page
This is simple enough to do: just check the "HealthCheck" box next to your CA and hit "Apply". The Health Check process is an automatic check of CA status whereby a HTTPS session is periodically established and dropped to each CA. Access to the healthcheck URL is limited to localhost, and by default, the URL always returns the string "ALLOK" (as defined in the ejbca.properties file). The URLs for OCSP are also health‐checked, as defined in va.properties.
Creating an End Entity Now that our CA and Profiles are defined, we can create our first End Entity. After entering the "Add Entity" page, select the name of the End Entity Profile you created earlier. This will populate the fields with information from that Profile: http://ejbcacentos.blogspot.co.id/
45/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Add End Entity Page
Assuming you are using the " Default TLS Device Entity Profile " we created earlier, only the following information will be needed before creating the Entity:
End Entity Profile : Default TLS Device Entity Profile Username: yourdevice.yourcompany.net The FQDN of the device that will request a certificate
Email Address :
[email protected] In this example, the Entity is a device, so any administrative email can be entered
CN: yourdevice.yourcompany.net The FQDN of the device
DNS Name: yourdevice.yourcompany.net The FQDN of the device
Certificate Profile : Default TLS Certificate Profile The name of the Device‐specific Certificate Profile created earler
CA: rootca.yourcompany.net The name of the CA you created in the previous step.
Token: User Generated In this example, we assume that our Entity will use a password passed to it by the End Entity Profile. You can also have the Token pulled from other sources (like a JKS file), or enter it manually on this page.
Select "Add" to create the Entity . Once the Entity is added, you will see the new Entity listed at the bottom of the webpage.
OpenSSL Review ‐ Introduction Ejbca requires us to submit a Certificate Signing Request before issuing a Certificate, but it does not include an interface to create one. The simplest way to generate a CSR is using the OpenSSL utility, which has the ability to generate CSRs using the RSA or EC algorithms. I think it's a good idea to include a short review of OpenSSL's use. Despite the recent "HeartBleed" bug, OpenSSL is and shall remain the once and future king of open source encryption. It is a complicated tool, and the majority of its functionality is beyond the scope of this how‐to. I will focus solely on OpenSSL's CSR‐ related functions. When starting to write this review, I checked the version of OpenSSL on my ejbca server to determine if it was affected by "HeartBleed", and found that it was:
openssl version http://ejbcacentos.blogspot.co.id/
46/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
OpenSSL 1.0.1e-fips 11 Feb 2013 Versions of OpenSSL from 1.0.1 through 1.0.1f are vulnerable. As of May 7th, 2014, TrevorH from CentOS states that they are waiting for RedHat to "backport a fix" to version 1.0.1e (whatever that means). In the meantime, the version of OpenSSL on our server remains vulnerable. If you intend to use OpenSSL to protect anything on a CentOS‐based server, you really, really need to manually update OpenSSL instead of waiting for the CentOS patch to arrive via yum .
OpenSSL Review ‐ Creating a RSA CSR We are assuming that EC encryption may not be implemented by some or all the devices in your network, so our first CSR will be for a certificate that uses 2048‐bit RSA encryption and a SHA‐256 signing algorithm. The command below will create a new Private Key, and include it in a new Certificate Signing Request:
openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr The syntax is composed of these elements:
req ‐ Defines that this command will relate to a certificate request -newkey rsa:2048 ‐ A new Private Key will be created using the 2048‐bit RSA algorithm, along with a new CSR -nodes ‐ The Private Key created by this command will be unencrypted -sha256 ‐ The Certificate requested in the CSR will use the SHA‐256 signing algorithm -keyout server.key ‐ The new Private Key will be saved in the file: server.key -out server.csr ‐The new CSR will be saved in the file: server.csr cat server.key -----BEGIN RSA PRIVATE KEY---- MIIEpAIBAAKCAQEA3RFeM/052S+Nf7yVipoLwpvA7uidm/bQ0Qm2DIBz0zjngJG7 mqchOzodugkY0jZQ+8zFkHm+iJd9pjDGNFDoPE3r270GtrholbsNVpspI+VvTVQ+ UiBvccZGB6VGeNJ6Ts5qHbsFWjiU9smhaUd6fnAP6vBWmmYiBz79iLhXRPwUljSb dLUao1RZqTXq57ttL7xM6a1n4HkyYmXSQ/k26tsqoff1DYFVe6SWljL/2WL3zoLp uqDtt5XhVGHu3sk3UYEpC85bZXf6NPGR2b1Ha+IvixMmzTd2eVo1W1tzlYVqRJG+ DQ4kSew6oag8XfvCQ+6x9XCEjWCW2y04TNx8twIDAQABAoIBAQCubG60fH8xMsjl WWlwM31F7lh66ES68zHtTUk7cfpxVPurwNCSBH4+2ershxLzgXHCSt4y0SwZX9X+ 04r/ajrioeSPuwRaFQRH549tnv0F2phIHkkRyY/E6FkG3UvONtvT5B9sF8zwU6aN VaeqhoBK1KZqi3j5V85Pg07Nmg0ZWohgzRnfu4URcQ6kOYk03nrgzo4E5Wt1pE7f dtfWQExjAKiCwVo7C7RyP6xwX8BMeM62mNsZB6Q5+wTeexS9pHi6Mf4aFqspVbhl 4faTiqbuck5zGlx2j+mvIIv55HEfU7omknbmMQrJENr3UDGMMzTxeNJRhdK81PoR BD0667m5AoGBAPTQLal6CgSoRkNq6bwOK5ptru/+vk33QDHwWfvf3+6GDZyly1gq g+6Snr1R3Pul1Kvs5ESlr3vAFZtYoHcJlzMCTeTR3ilzACm8AOp3po6o2ciSRrPM AERO5N3MQIkk5CysX0wMuI/fsx12F4+QV77E5o/FCc6W8FbyrxWU4DvtAoGBAOcr arH4qUoqxSG6TxEylpyvJJzZkcWyqoueOTW7ks51nts3GB3eEGujcuvCA/+Yl0Qt CDtQWU+zCRWDRhQio7CeOJjW+Sef7yJsuECT4fGs8PX2mfabWLEVexMT3kI7u0Jx 3rhl7z4DarxIVBF3MPtFBQkP6JVX+an/nwrQxi6zAoGAVZ8NqU12fYSA9olI8C2g kGU2HtfgpRIJkK24OwBkqF6YGiZeRRqxg9ohzKL5/8VS6UJz35J3Gnfm1qsbjCZ9 jCiNJ69C3QpMj0wiod5xEUn6yUxnj/CUU0+oee46z/xoFTvAJK/6SM97LJ2lxd88 4QqqfLP0Jx3hNvevxoOIHU0CgYByaXahJuUCpDB1BPTlGhiY68Y/Kx+OrWLjPygp g/Cg5m39KUNyZNnTrE3QiXHZKviS8YbFdHr/iyjP0Oz6Qjqpy2VPn/Youmtsqkp3 C7okFugblDWXbEN1QaBsTMUQGugPdrQ4p5rFIoPNNC8HhepkMkDPv2PppmUW0kEw 5StxKQKBgQDO0d5n1hVLvwaU8R5UAr2SD0J2P9lqjv080g8qdx39cR+ObN9h2XYk DYGbVu+Ck8yW25SkpoiLYsrD3Wmvf4yMsXLq2IuQ6Lgi8VTmly5Q8KJDxjUrdc6y wU8GmrUsbCpYHv6VI7K27UW4vnvQrlk+X9eSppH/5M/2jG+f1cfR2Q== -----END RSA PRIVATE KEY-----
cat server.csr -----BEGIN CERTIFICATE REQUEST---- MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAN0RXjP9OdkvjX+8lYqaC8KbwO7onZv20NEJtgyA c9M454CRu5qnITs6HboJGNI2UPvMxZB5voiXfaYwxjRQ6DxN69u9Bra4aJW7DVab
http://ejbcacentos.blogspot.co.id/
47/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
KSPlb01UPlIgb3HGRgelRnjSek7Oah27BVo4lPbJoWlHen5wD+rwVppmIgc+/Yi4 V0T8FJY0m3S1GqNUWak16ue7bS+8TOmtZ+B5MmJl0kP5NurbKqH39Q2BVXuklpYy /9li986C6bqg7beV4VRh7t7JN1GBKQvOW2V3+jTxkdm9R2viL4sTJs03dnlaNVtb c5WFakSRvg0OJEnsOqGoPF37wkPusfVwhI1gltstOEzcfLcCAwEAAaAAMA0GCSqG SIb3DQEBCwUAA4IBAQACLnWAJ4z9RPl/24+ChshX6rEoqX4hDPvfdCGs2e1ez5Y/ J1OVBm7V1rYQh4X763NPa2hhh83y5oe9h4YFn3W07yBWuY0adGCAe0Ci7X0yoNs2 w6AoJ171nzBbiFEkH5mgDqqOBQAo6I+rUzQJKHsZpBYoWsfdnGDHyBE2sClw7kuW bqFHHZ116b+eQickR6bydYfo6H56vUx1LQHMCv0kOaxG8cFMNvrr1IY6EFbP15Lh UpwXn02nAzkoYgnLAxfjoLPEPK/RSDKkBNvefTu1mJHPTPcIzqDg9BK7V6HQvqh4 LEUVLVvE3kE2/f8oXPVq63xNg5pFR7W+/9/NcLle -----END CERTIFICATE REQUEST-----
I have not shown the prompts where OpenSSL asks for the field data to be included in the CSR. Most of these fields will be disregarded by ejbca during certificate creation as we have disabled "Overrides" in our Certificate Profile. However, you should still complete these fields with the correct information.
OpenSSL Review ‐ Creating an EC CSR OpenSSL now supports Ell iptic Curve key algorithms, although the supported v ariants can, um, vary with the version of OpenSSL you are using. You can list the available curves in your implementation with this command:
openssl ecparam -list-curves secp384r1 : NIST/SECG curve over a 384 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field
The above output was retrieved using the OpenSSL version (1.0.1.e) currently distributed by CentOS. Interestingly, a FreeBSD box running an older branch of OpenSSL supports a greater number of curves:
[root@bsdbox] ~# openssl version OpenSSL 0.9.8y 5 Feb 2013
[root@bsdbox] ~# openssl ecparam -list_curves secp112r1 : SECG/WTLS curve over a 112 bit prime field secp112r2 : SECG curve over a 112 bit prime field secp128r1 : SECG curve over a 128 bit prime field secp128r2 : SECG curve over a 128 bit prime field secp160k1 : SECG curve over a 160 bit prime field secp160r1 : SECG curve over a 160 bit prime field secp160r2 : SECG/WTLS curve over a 160 bit prime field secp192k1 : SECG curve over a 192 bit prime field secp224k1 : SECG curve over a 224 bit prime field secp224r1 : NIST/SECG curve over a 224 bit prime field secp256k1 : SECG curve over a 256 bit prime field secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field prime192v2: X9.62 curve over a 192 bit prime field prime192v3: X9.62 curve over a 192 bit prime field prime239v1: X9.62 curve over a 239 bit prime field prime239v2: X9.62 curve over a 239 bit prime field prime239v3: X9.62 curve over a 239 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field sect113r1 : SECG curve over a 113 bit binary field sect113r2 : SECG curve over a 113 bit binary field sect131r1 : SECG/WTLS curve over a 131 bit binary field sect131r2 : SECG curve over a 131 bit binary field sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field sect163r1 : SECG curve over a 163 bit binary field sect163r2 : NIST/SECG curve over a 163 bit binary field sect193r1 : SECG curve over a 193 bit binary field sect193r2 : SECG curve over a 193 bit binary field sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
http://ejbcacentos.blogspot.co.id/
48/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 sect239k1 : SECG curve over a 239 bit binary field sect283k1 : NIST/SECG curve over a 283 bit binary field sect283r1 : NIST/SECG curve over a 283 bit binary field sect409k1 : NIST/SECG curve over a 409 bit binary field sect409r1 : NIST/SECG curve over a 409 bit binary field sect571k1 : NIST/SECG curve over a 571 bit binary field sect571r1 : NIST/SECG curve over a 571 bit binary field c2pnb163v1: X9.62 curve over a 163 bit binary field c2pnb163v2: X9.62 curve over a 163 bit binary field c2pnb163v3: X9.62 curve over a 163 bit binary field c2pnb176v1: X9.62 curve over a 176 bit binary field c2tnb191v1: X9.62 curve over a 191 bit binary field c2tnb191v2: X9.62 curve over a 191 bit binary field c2tnb191v3: X9.62 curve over a 191 bit binary field c2pnb208w1: X9.62 curve over a 208 bit binary field c2tnb239v1: X9.62 curve over a 239 bit binary field c2tnb239v2: X9.62 curve over a 239 bit binary field c2tnb239v3: X9.62 curve over a 239 bit binary field c2pnb272w1: X9.62 curve over a 272 bit binary field c2pnb304w1: X9.62 curve over a 304 bit binary field c2tnb359v1: X9.62 curve over a 359 bit binary field c2pnb368w1: X9.62 curve over a 368 bit binary field c2tnb431r1: X9.62 curve over a 431 bit binary field wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field wap-wsg-idm-ecid-wtls12: WTLS curvs over a 224 bit prime field
Oakley-EC2N-3: IPSec/IKE/Oakley curve #3 over a 155 bit binary field. Not suitable for ECDSA. Questionable extension field! Oakley-EC2N-4: IPSec/IKE/Oakley curve #4 over a 185 bit binary field. Not suitable for ECDSA. Questionable extension field!
This supports the old adage that "newer is not always better", especially when considering that the 0.9.8 branch is not affected by HeartBleed. Unlike a RSA CSR, the process to create an EC CSR requires two separate OpenSSL commands. We will make our request using the prime256v1 curve, as it is the most commonly‐implemented in EC cryptography. The first command creates the Private Key:
openssl ecparam -out eckey.key -name prime256v1 -genkey The second command reads the Private Key and creates the CSR. Note that the syntax differs from RSA version of the command in that "newkey" is split into two different options:
openssl req -new -key eckey.key -nodes -sha256 -outform pem -out ecreq.csr The new command options are:
-new ‐ A new CSR will be created -key eckey.key ‐ The new CSR will be derived from the Private Key in eckey.key -outform pem ‐ The new CSR will be written in PEM format Examining the output, we see that both the EC key and CSR are much smaller in size than their RSA equivalents: http://ejbcacentos.blogspot.co.id/
49/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
cat eckey.key -----BEGIN EC PARAMETERS----BggqhkjOPQMBBw== -----END EC PARAMETERS---------BEGIN EC PRIVATE KEY---- MHcCAQEEIDtrKu6BbwPabNV0SkbYqdLiRImoyzQ94VR8KdzqgfoGoAoGCCqGSM49 AwEHoUQDQgAECGwMJiYQA15H2zuM9Xfdxsmyi72vMVHV6+rzWyLYqsH4IyvHGKqh ik1BPEQlwd280mmIFtE3ZkCHSRirP+O9eQ== -----END EC PRIVATE KEY-----
cat ecreq.csr -----BEGIN CERTIFICATE REQUEST---- MIH+MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEw HwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq hkjOPQMBBwNCAAQIbAwmJhADXkfbO4z1d93GybKLva8xUdXr6vNbItiqwfgjK8cY qqGKTUE8RCXB3bzSaYgW0TdmQIdJGKs/4715oAAwCQYHKoZIzj0EAQNHADBEAiAN s+Hm0+XEfKB6kTPbYFSjenSm/0CV2acUfVBm7LCPDgIgCzFr6KSFZM/VR4SIFkWU NHSDfhzPXgjv+VC3HJTF1KE= -----END CERTIFICATE REQUEST-----
Issuing our First Certificate We can now take one of our newly‐generated CSRs and generate a Certificate with it. First, we navigate to the public ejbca webpage:
Public Ejbca Page
From here, we can navigate to the "Inspect Certificate/CSR" page to verify the CSR's contents:
http://ejbcacentos.blogspot.co.id/
50/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
CSR Inspection Page
If you are satisfied with what you see, navigate to the "Create Certificate from CSR" page and enter the CSR. Be sure to select "PEM ‐ Full Certificate Chain" to have the CA certificate included in the output:
Certificate Enrollment Page
Note that I am requesting an Elliptic Curve Certificate in this example. Once the CA has validated the request and generated the Certificate, you will be prompted to download it:
http://ejbcacentos.blogspot.co.id/
51/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Certificate Download
Congratulations! You've issued your first certificate from ejbca!
Finalizing the Installation We are now down to the nitty‐gritty administrative details of our installation. Take a deep breath, and get ready for the final push...
Defining Services Ejbca includes a set of services that assist in the maintenance of your CAs, but they are not enabled by default. A framework is in place to support these services, as well as any custom services you might need. Navigate to the Services section of the administration webpage:
Services Page
It is a good idea to enable a few of these services, but not all of them are typically needed. The predefined service types are:
CRL Updater ‐ Updates the published CRLs at a particular frequency. Certificate Expir ation Checker ‐ Alerts you to expired certificates User Password Expire Service ‐ Alerts you to expiring user passwords Renew CA Service ‐ Alerts you to expiring CA certificates Publish Queue Process Service ‐ Used by distributed installations of ejbca HSM Keepalive Service ‐ p revents you from being locked out of a HSM http://ejbcacentos.blogspot.co.id/
52/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
To enable a service, you must first create a service instance with a unique name, and then associate that instance with the type of task you wish it to perform. On my server, I am using:
CRL Updater Certificate Expiration Checker Renew CA Service User Password Expire Service Mysql Backup Service ‐ this service runs the script located in /opt/ejbca/bin/backup Note that the services will fill your logs you define them to run too frequently. For example, the manual suggests that the CRL Updater be run every 5 minutes. I find that once an hour (or day) is more than enough for a lab environment.
Creating the Default Certificate Authority Recalling that the Validation Authority needs a CA to respond to unknown OCSP requests, we will now define the "Default CA" for this purpose. The procedure is very similar to the one described for creating rootca.yourcompany.net, but with a few simplifications. First, skip the process of creating a new Crypto Token ‐ we will let ejbca automatically generate it and its keys.
Type of CA : X509 This is the standard for Internet communications.
Signing Algorithm : Sha1WithRSA I chose this to minimize compute time.
Crypto Token: "‐ Create a new soft Crypto Token with recommended key pairs ‐" This will autogenerate the Crypto Token and keys using the default 2048‐bit RSA algorithm.
Enforce Unique Serial Number : Enabled As we will (probably) not be generating a huge number of certificates in a lab environment, we can ensure that certificate serial numbers are not re‐used.
Use Certificate Request History : Enabled This is essentially "detailed auditing" for requests.
Validity : 3652d This value is the length of time that the CA's own certificate will be valid.
Subject DN: CN=defaultca.yourcompany.net,O=Your Company,C=US Signed by: Self Signed Because this will be a Root CA (but not one we will actively use), it will still sign its own initial certificate.
Subject Alternative Name : dNSName=defaultca.yourcompany.net As discussed, this is the FQDN of the CA, with the appropriate prefix.
Use Issuing Distribution Point on CRLs : Enabled This includes a URL for retrieval of this CA's CRL in the CA's own certificate .
Generate Default CRL Distribution Point : Generated, but remove ":8080" from the URL. We do this because of our firewall port translation rules.
Generate Default CRL Issuer : Generated Do not edit this string. It should be your DN.
CA Defined FreshestCRL Extension : Not Generated We are not using "Delta CRLs" with our CA, so this field is not included.
CA Issuer URI: Empty This is an optional field that can be ignored.
Default OCSP Service Locator : Generated, Remove ":8080" We do this because of our firewall port translation rules.
http://ejbcacentos.blogspot.co.id/
53/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Now, create the CA. Again, if creation fails, just "go back" in your browser. Lastly, as before, we must activate the internal health check on the CA Activation page.
Adding the Server to Production PKI ‐ Creating the New Server Cert Now that we have our own CA running on a fully functional server, we can replace the generic TLS certificate created during ejbca installation with one from our own PKI. From now on, I will refer to our own CA (rootca.yourcompany.net) as being the "Production" CA. We do this, of course, to ensure that every element of our network participates in our PKI, including the PKI server itself. There are a few things to be reminded of before we perform this step: When building our Production CA, we created the first of the two identically‐named certificates we discussed at the beginning of this how‐to. Both of these certificates will have the same CN value (rootca.yourcompany.net), but will be used for different purposes. One is the CA certificate, the other is for TLS enciphering and authentication. We created the CA certificate when defining the CA, and we are about to create the TLS certificate. The process for updating this certificate is a little complicated, as it requires that multiple items be replaced simultaneously: The keystore.jks/tomcat.jks file (and the certificates in it) The truststore.jks file that (and the CA certificate in it) The certificate used for administrator access (currently: superadmin.p12)
The need to replace all of these items at the same time means the process requires great care, for we have the potential to lock ourselves out of the administration interface of the server. Begin by defining the End Entity for the server. You must use the same password for this End Entity that we used for the keystore when installing ejbca. This avoids the need to update the (cleartext!) passwords held in standalone.xml. Navigate to the "Add End Entity" page, and enter the following options:
End Entity Profile : Default TLS Entity Profile Username: rootca.yourcompany.net Password : (Enter the password you specified for your tomcat.jks/keystore.jks file) E‐mail address :
[email protected] CN: rootca.yourcompany.net DNS Name: rootca.yourcompany.net Certificate Profile : Default TLS Certificate Profile CA: rootca.yourcompany.net Token: JKS file Now that the Entity exists, we can request the certificate from the server. Because we chose "JKS" for the token format, we do not need to submit a CSR. The server will provide the completed certificate to us in JKS format. Navigate to the " Create Keystore " area of the Public Ejbca Webpage, and enter the Entity information. You will be taken to this page:
http://ejbcacentos.blogspot.co.id/
54/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 Token Enrollment Webpage
Once here, select "2048" or "4096" for the "Key length", and download the JKS file when prompted. You can verify the contents and password of the file using the keytool command provided earlier in the how‐to:
keytool -v -list -keystore tomcat.jks
Adding the Server to PKI ‐ Creating a New User We continue by replacing the "superadmin" account with something a little less, uh, "super". There is an important caveat to be understood here. While a new administrator Entity/certificate will be created in this step, it will not be recognized by the server until the Production TLS certificate has been installed on the server. This is due to the nature of TLS, and how Firefox handles the certificate request from ejbca during session establishment. If the exchange is examined in a packet capture:
Client Certificate Request
We see that the server (ejbca) provides its own DN when requesting the client's certificate. Firefox takes this DN information and examines its store of personal certificates to see if any of them were created by the DN specified in the request. If there are no matches, Firefox returns with "SSL Peer Cannot Verify Your Certificate". In the example above, the server is still using the initial certificate issued by "mgmtca", and so will not recognize new administrator certificates issued by "rootca.yourcompany.net". Proceed by creating a new Certificate Profile named " Default User Certificate Profile ", using the "Default TLS Certificate Profile" as a template. Update the inherited options in the new Profile with the following:
Key Usage: Digital Signature, Non‐repudiation, Key encipherment Extended Key Usage : Client Authentication, Email Protection Subset of Subject Alt Name : RFC 822 Name (e‐mail address)
Next, create a new End Entity Profile named " Default User Entity Profile ", using "Default TLS Entity Profile " as a template. In this new Profile, add/change these options:
Subject DN Attributes: Leave the CN field blank Subject DN Attributes : Add "emailAddress, E‐mail address in DN", Set as Required Other subject attributes : Remove the "DNS Name" entry Other subject attributes : Add "RFC 822 Name (e‐mail address)", Set to "Use entity email field" and "Required" Default and Available Certificate Profile : "Default User Certificate Profile" http://ejbcacentos.blogspot.co.id/
55/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Default and Available CA : "rootca.yourcompany.net" Default and Available token : "P12 file"
Now, add an End Entity with the following details:
End Entity Profile : Default User Entity Profile Username: (as desired) Password : (as desired) E‐mail address :
[email protected] CN: Certificate Profile : Default User Certificate Profile CA: rootca.yourcompany.net Token: P12 file Now navigate to the Public Ejbca Webpage and select " Create Browser Certificate ". You will be prompted for the username and "Enrollment Code" you chose in the previous step. Once validated, you will be given the "EJBCA Token Certificate Enrollment" page:
Token Enrollment Page
Because we are staying with RSA keys in this how‐to, select "2048 bits" from in the "Key length" menu. Click on "Enroll", then save the .p12 file when prompted.
Adding the Server to PKI ‐ Installing the User Certificate Now, install the new .p12 file in the same way that " superadmin.p12" was installed earlier in the how‐to. You will be prompted for the password you chose during the creation of the End Entity.
Do not delete the superadmin certificate at this time! Again, using Firefox as an example:
Tools ==> Options ==> Advanced ==> Certificates ==> View Certificates and selecting "Import" from the "Your Certificates " tab. When the certificate is added to your browser, two actions are actually taken (using Firefox as an example): The "personal" certificate of the End Entity is added to the "Your Certificates" store The CA certificate for the issuing CA (rootca.yourcompany.net) is added to the "Authorities" store We will need a copy of the CA certificate in a future step of the how‐to, so extract it from Firefox's "Authorities" store:
Tools ==> Options ==> Advanced ==> Certificates ==> View Certificates and selecting "Export" from the "Authorities " tab. http://ejbcacentos.blogspot.co.id/
56/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
The certificate should be listed under the heading of "Your Company", as "rootca.yourcompany.net". In the "Save File" display, stay with the default format of "X.509 Certificate PEM (* .crt, * .pem)". Now is a good time to make a backup of your "superadmin" certificate, if you don't have one.
Adding the Server to PKI ‐ Granting Admin Rights Before we can use our new user certificate for administration, we must grant it administrative privileges in ejbca. Navigate to the "Administrator Roles" page on the ejbca administration site:
Administrator Roles
Now select "Administrators", next to the "Super Administrator Role" heading.
C.R.E.A.M.
Once on the "Edit Administrators" page, select the following and add a new entry:
CA: "rootca.yourcompany.net" Match with: X.509 Certificate Serial Number (recommended) Match type: Equal, case sens. Match value : (enter the serial number of your new administrator certificate) Note that Firefox will insert colons (:) in the serial number of the certificate, but ejbca does not allow them. Remove them before committing the change.
http://ejbcacentos.blogspot.co.id/
57/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Adding the Server to PKI ‐ Installing the Keystores Primekey's instructions for updating the Jboss keystores are convoluted at best, and at worst, downright misleading. They assume two things: That you will use the "batch certificate creation" tool to make your keystores That you will use the ejbca "command line" to execute the batch tool My problem with both the "ejbca command line" and the batch creation tools (there are both command line and gui versions) is that they have achieved the trifecta of non‐usability: Obscure Undocumented Unreliable We will use keytool to manage our keystore files, and avoid this command line silliness altogether. First, stop ejbca:
service ejbca stop
Next, back up the existing keystore files:
cd /opt/ejbca/P12 mv tomcat.jks tomcat.orig mv truststore.jks truststore.orig cd /opt/jboss/standalone/configuration/keystore mv keystore.jks keystore.orig mv truststore.jks truststore.orig
Copy the new keystore file containing our server certificate to /opt/ejbca/P12, and name it " tomcat.jks". Copy the CA certificate f or "rootca.yourcompany.net" to /opt/ejbca/P12 as well, and name it " truststore.crt". Now we will create a new truststore file that will include the CA certificate for "rootca.yourcompany.net". It is required that the new truststore use the same password as the existing one. This is the truststore password you entered during installation.
cd /opt/ejbca/P12 keytool -importcert -alias rootca.yourcompany.net -file truststore.crt -keystore truststore.jks
Be sure to validate the contents and passwords of the new keystores. They should be very similar to the examples provided earlier in the how‐to:
keytool -v -list -keystore tomcat.jks keytool -v -list -keystore truststore.jks
Now copy the new keystores to the jboss directory:
cp tomcat.jks /opt/jboss/standalone/configuration/keystore/keystore.jks cp truststore.jks /opt/jboss/standalone/configuration/keystore
Reset the ownership on the directories:
chown -R jboss:jboss /opt/jboss-as-7.1.1-Final chown -R jboss:jboss /opt/ejbca_ce_6_1_1
And finally, start ejbca:
service ejbca start http://ejbcacentos.blogspot.co.id/
58/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
You should not see any unexpected messages in the console log.
Adding the Server to PKI ‐ Finalizing the Move To test the new certificate, shut down your browser completely, then start it and browse to the administration website. You should now be prompted for the new administrator certificate (instead of the superadmin certificate), then forwarded to the administration site. When viewing the TLS values for the browser, you should now see that the administration page is protected by a certificate belonging to "rootca.yourcompany.net", which was issued by the CA "rootca.yourcompany.net". Our final steps are to clean up the items relating to installation admin access: Delete the superadmin certificate from your browser's "Your Certificates" store Delete the "mgmtca" entry from your browser's "Authorities" store Delete "superadmin" from the "Super Administrator Role" in the administration console Revoke the certificate issued by "mgmtca" f or "rootca.yourcompany.net"
Revoking a certificate is quite easy to do in ejbca. First, use " Search End Entities " to find the Entity you wish to revoke:
Search End Entities
Select the entity to be revoked, then "Revoke and Delete" it. Be sure to add the proper "Revocation Reason" in the menu at the bottom of the screen. Assuming that you are not running a Service that will automatically update the CRL for the CA that issued the revoked certificate, you will need to update it manually. Navigate to the " CA Structure & CRLs " page:
http://ejbcacentos.blogspot.co.id/
59/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
Update CRLs
Select "Create CRL" on the CA you wish to update, and you are finished. A very final note on permissions: you may have noticed entries in the .properties files and on the " Super
Administrator Role " page relating to command line (CLI) access. I am deliberately ignoring permissions relating to the command line, as I assume that you are using strong ssh and console login controls.
Fixing the Jboss Web Console Datasource Stats There is an optional fix to Jboss that can be made once ejbca has been fully installed and deployed. The problem it addresses may not be something you care about, which is why I include it as an afterthought at the end of this how‐to. When using the Jboss web console, you may notice that the datasource entries for ejbca are shown as "disabled", but are reported as being "enabled" when you attempt to "enable" them. This is due to a bug in ejbca's ant target responsible for datasource creation. The datasources themselves are working, which makes this a cosmetic bug with minor ramifications. The bug itself relates to a missing "enabled" variable in the datasource definitions held in standalone.xml. You can add this variable manually to the configuration and temporarily fix the problem. Unfortunately, there is a good chance that future deployments will "re‐break" this fix.
vi /opt/jboss/standalone/configuration/standalone.xml ### Start standalone.xml Delta ###
Update the following lines:
to: ### End standalone.xml Delta ###
service ejbca restart (be patient) Reenter standalone.xml and change the added variables to " true" service ejbca restart (be patient) The datasources will now be shown as "enabled" in the "Profile" section of Jboss web console. This change subsequently allows you to enable Jboss statistics monitoring: Select the "Runtime" section at the top of the web console. Select "JPA". http://ejbcacentos.blogspot.co.id/
60/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
After selecting "ejbca", use the "edit" button to open its properties, and check the box next to "Metrics Enabled?" Select the "OSGI" section. You will be asked if you wish to enable OSGI. Answer "Yes". Jboss subsystem metrics are now fully enabled, and can be checked from the web console.
Finishing the Mail Configuration First, we finish configuring mail. Our server actually has two java mail relays: one for jboss, and one for ejbca. This "dual setup" can be seen in the Jboss web console. Now that we have the ability to generate our own certificates, a good initial step is to issue a unique certificate to your mail server. The certificate can then be used (instead of the self‐signed certificate your server is probably using) to protect your mail connections with TLS. We have already configured the ejbca mail relay to forward traffic to the local mail daemon in the mail.properties file. If your local mail service is configured to forward to an outside server, this is sufficient. If you wish to have ejbca make connections directly to an outside server, this configuration will need to be updated. Ejbca translates the configuration in mail.properties to stanzas in standalone.xml, just as it does for the datasource configuration. Both the ejbca and the default jboss mail relays are defined in the same locations: ### Start standalone.xml Snip ###
and: ### End standalone.xml Snip ###
While you can update the ejbca mail variables by editing mail.properties, this will not affect the Jboss default mail instance, and may not provide all the options you desire. Below is an example configuration that does the following for both relays: Sets Gmail as the mail recipient Uses encrypted SMTP Uses the encrypted SMTP port number: 465 ### Start standalone.xml Delta ###
http://ejbcacentos.blogspot.co.id/
61/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
### End standalone.xml Delta ###
Setting Production Mode You might recall a setting in ejbca.properties for something called "Production Mode". Now that we are more‐or‐less finished with our installation, we can set this value to " true". Frankly, I'm not entirely sure what this does, but it's probably important enough that we should set it.
vi /opt/ejbca/conf/ejbca.properties ### Start ejbca.properties Delta ### # Initially, we will set this to false. Once the install is complete, we change # this to true. # But DO NOT set it to "ca"! ejbca.productionmode=true #ejbca.productionmode=false ### End ejbca.properties Delta ###
Tightening Mysql Permissions Mysql is fairly notorious for being vulnerable to various attacks. Some risk can be mitigated by tightening the database permissions for the ejbcadbuser account. Primekey provides a script to perform these modifications in /opt/ejbca/doc/howto/mysql-privileges.sh . You will need to run the script as shown below, then execute the sql commands created by it. This is by no means a comprehensive guide to securing mysql, but taking these steps is certainly better than nothing. export SQLUSER=ejbcadbuser export SQLDATABASE=ejbcadb cd /opt/ejbca/doc/howto/mysql-privileges.sh sh mysql-privileges.sh
mysql -u root -p ejbcadb < mysql-database-privileges.sql You can verify the privilege changes by doing the following:
mysql -u ejbcadbuser -p use ejbcadb; show grants for ejbcadbuser@localhost; exit
Securing the Public Web Interface You may not wish to allow unencrypted access to the Ejbca Public Webpage. I know I don't, considering that we are cutting and pasting information relating our certificates to the tools on the page. The easiest way to disable this access is to simply remove the port forwarding rule for port 80==>8080 that we created at the beginning of the how‐to. Additionally, you may wish to force users to perform client certificate authentication before accessing the Public Webpage. You can accomplish this by disabling the forwarder from port 442==>8442. But I suggest that you leave the encrypted access on port 442, as disabling both 80 and 442 access has the effect of preventing everyone other than ejbca administrators (with Client Certificates) from accessing the server. http://ejbcacentos.blogspot.co.id/
62/64
4/25/2016
Installing EJBCA 6.1.1 and Jboss on CentOS 6.5
A clean way to configure this is to have a forwarding page that redirects HTTP requests on port 80 to HTTPS on port 442, which will then be forwarded by the firewall to the goal of port 8442.
Fixing the Administration Page Link There is an additional annoyance that requires a slightly more in‐depth set of changes. This change is completely optional, but I include it to clarify that from its own point of view, ejbca is doing what it should be doing during deployment. On the Ejbca public web page, there is a link to the "Administration" page. The URL for this link uses the private HTTPS port that was defined in web.properties. Unfortunately, we have changed this port to externally be 443, via the firewall port redirect we configured at the beginning of the how‐to. We can't change the entry in web.properties to be 443, or the server will fail to start. The links on the Ejbca Public Page and the Administration Page are the only things I have found that would care about the external web ports, so updating this link is probably the easiest way to fix this. Edit the following five files, all in the /opt/ejbca/modules/publicweb-gui/resources directory:
retrieve/header.jsp templates/header.jsp inspect/header.jsp enrol/header.jsp header.jsp In each case, make the following edit:
### Start header.jsp Delta ###
Change:
To:
### End header.jsp Delta ###
Substituting "‐1" has the effect of telling jboss to use the default port number for HTTPS when building the URL (essentially, by omitting a port number completely). Now, redeploy ejbca, and the link will be c orrect.
In Closing It's clear that a great amount of work has gone into the creation of ejbca, but it is equally clear that it still has quite a ways to go. http://ejbcacentos.blogspot.co.id/
63/64