Installing EJBCA 6.1.1 and Jboss on CentOS 6

4/25/2016Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 2   More    Next Blog» [email protected]   Dashboard   Sign Out Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 A thorough, detailed, and impartial guide to installing the EJBCA Certificate Authority 6.1.1 on CentOS 6.5 using Jboss 7.1.1. Included is a review of elliptic curve encryption and openssl certificate generation. Su n d a y,  A p r i l   2 7 ,   2 0 1 4 How to Install EJBCA 6.1.1 on CentOS 6.5 Introduction Hello, and welcome to this blog. I've needed a CA in my lab for quite some time, and I decided to try ejbca for the following reasons: 1. It's linux‐based. 2. It has a native web interface. 3. It's written on a reasonably mature middleware platform. 4. It seems fairly full‐featured. I'm writing this because installing ejbca is harder than it should be. I have never been impressed by "documentation" that destroys time rather than saving it. I believe that software is only as good as a user's ability to use it. So I am documenting each step of my installation for use as a "cookbook" by others. But before I begin: it's a little‐known fact that all material published on Blogger is automatically copyrighted. Not a GPL copyleft, but a full‐blown Unites States of America copyright. This blog and its content are copyrighted in 2014 by VES Group Incorporated and all rights are reserved. After (too) much thought, I've decided that the best license to provide this document under is: "Creative Commons Attribution‐ NonCommercial‐ShareAlike International 4.0". The license details are included at the end of the document. Preparation I have tried to write this how‐to in the form of a teaching document. Ideally, even a novice linux user should be able to follow these instructions and have a functional, stable, and secure ejbca installation at the end. And, honestly, even the most knowledgeable sysadmin has days where they feel like a complete beginner. So hopefully both ends of the experience spectrum will get something out of reading this. Installation requires a significant amount of planning. Here are a few things I'd like to point out. The product can be built on distributed platforms for HA and load‐spreading purposes. This guide assumes a single server for test purposes only. Storage and memory: assume that the CA will take 512MB of RAM, as a rule of thumb. The code itself is ~200MB or so, so give yourself at least a few gigs of space for logs, etc. Software versions: there are several pieces of software that ejbca depends on. Each has its own version dependencies. This can be challenging. How you will configure your CAs, what encryption packages to use, etc, will be detailed later in this guide. None of those specifics really matter until you have the product fully installed. The reader should have a working knowledge of directory services and their formats. At a minimum, you should thoroughly understand: The difference between a DNS hostname and a FQDN. The basics of PKI, at least to the point of knowing how root chain validation works. http://ejbcacentos.blogspot.co.id/ 1/64 4/25/2016 Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 A minimum of X.500 notation: CN = Common Name, usually is the FQDN of your CA DN = Distinguished Name, which is the CN followed by information about the organization that owns the CA O = Organization, usually is your company name, and can include spaces C = Country, in ISO 3166‐1 alpha‐2 format (US, CA, SE, MX, etc) You are not required to have an expert understanding of java and jboss, but some knowledge is helpful. At the least, you should understand: What a .jar file is What an .ear file is The rudiments of XML (about 10 minutes of study is enough) The notion of "deploying" an application to a platform like Jboss Passwords You will need to create a fairly large (10+) number of unique passwords just to install ejbca. So get the passwordsafe utility from Sourceforge. Originally co‐written by Bruce Schneier, it is the only password repository I trust. I'll keep a running tally of the passwords we create, and have included a list of them at the end of this document. I cannot emphasize the importance of using strong passwords enough. All of our other security steps are meaningless without strong passwords. Use passwords of at least 24 characters. Use upper and lower cases, numbers, and punctuation. I suggest using a pseudorandom password generator (such as the one in PasswordSafe) to create them. Ejbca's Terminology The terminology ejbca uses is very confusing, even to someone experienced. Describing each term fully is more than I can do in this document, but hopefully a brief description of the basics will be helpful: Authentication Code ‐ Each Crypto Token has an associated Authentication Code that is used to encrypt the contents of that particular Crypto Token. Certificate ‐ A data structure (usually) in X.509 format that typically contains: A Public Key Information about the owner of the key (in X.500 format) "Certificate Extensions" defining how the certificate is meant to be used The CA certificates that validate the certificate we are examining Certificate Extension ‐ Data field in a Certificate that "suggests" how a certificate is meant to be used. Certificate Signing Request (CSR) ‐ A file containing a Public Key, as well as optional Certificate Extension information that a CA *may* use when generating a Certificate. Crypto Token ‐ The logical unit that stores all the public/private keypairs owned by a particular CA. By default, they are held in ejbca's database. Enrollment Code ‐ The password (or other "Token") used to validate a certificate request. HSM ‐ Hardware Security Module. A physical device used to generate and/or store Keys. JKS ‐ Java Key Store. An unencrypted, file‐based method of storing encryptions keys. Key ‐ What ejbca refers to as a "Key" is actually a "Keypair": a Public key and its matching Private key. Key Algorithm ‐ The asymmetric cryptographic algorithm used to perform public key encryption. Usually RSA or Elliptic Curve. One must be specified in every certificate. Key Alias ‐ A "friendly" name for a Key(pair) that is used for a particular purpose. Ejbca uses the following Key Aliases to refer to the Keys every ejbca CA must have for basic functionality: defaultKey: The key used by default (Required). certSignKey: The key used for certificate signing. It must comply with the Signature Algorithm defined for the CA using the key. crlSignKey: The key used for CRL signing. The use of this key is deprecated ‐ the certSignKey will always be used for this purpose. keyEncryptKey: The key used for key recovery when reversible encryption is enabled. It must use the RSA http://ejbcacentos.blogspot.co.id/ 2/64 4/25/2016 Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 algorithm. testKey: The key used by the healthcheck process to verify that a Crypto Token is usable. A 1024‐bit RSA key is recommended to reduce computation time. Key Specification ‐The length of the modulus used by the Key Algorithm. For RSA, it is usually 2048 or 4096 bits long. For Elliptic Curve, it is usually 192, 256, 384, or 512 bits long. Keystore ‐ A file used to store certificate information outside of the database. Normally only holds the certificates for ejbca's web interface. See: JKS Private Key ‐ Half of a Keypair generated for use with asymmetric encryption. This is the half that is kept private, and not shared. Public Key ‐ The other half of a Keypair, which is shared with anyone/anything you wish to establish secure communications with. Signature Algorithm ‐The cryptographic hash algorithm used by a CA to guarantee a certificate's validity. Soft Token ‐ A Token (Crypto, or otherwise) held in the database, rather than in a different format like a JKS or HSM. Token ‐ A generic term for a secret key. This could be anything from an 8‐character ASCII password to an 8192‐bit RSA modulus. In the context of an "end entity", ejbca specifically uses this word to refer to the key used to encrypt a certificate issued to that "end entity". Final Advice A final word of advice before we begin: You are building a device that will be the source of all trust in your environment. Details matter. Accuracy matters ‐ even more than usual. And if it isn't right, it's wrong. Go fix it. CentOS Installation I use CentOS in my lab, generally speaking. This is because the vast majority of actual enterprise linux installations run on Red Hat/Fedora. Debian/Ubuntu is prolific in software development environments, but that's really the only place I find it. I'm performing this installation using 64‐bit CentOS 6.5 on a vm. There is a single root partition for storage, a two‐core CPU, 2 GB of RAM (which is more than it needs), and a single ethernet network interface. Required Software I am using ejbca version 6.1.1, community edition. It is written in java, and runs on the jboss platform. It uses ant for jboss management, and requires a database (I use mysql) for storage. Java: DO NOT waste time trying to get java 1.7 to work with this app at present. It can be done, but the payoff compared to the work involved makes it undesirable. Running 1.6 has ramifications for Elliptic Curve support, but the way that ejbca uses java makes them largely irrelevant. Just use the openjdk version of java 1.6 that is distributed by the standard CentOS online repos. If you install java 1.7, then the "java" command will invoke 1.7 by virtue of alternatives. Theoretically, alternatives should take care of redirecting all java‐related executable paths to the correct executables. However, what I found is that the the 1.7 implementation from openjdk is incomplete, and ejbca will end up needing to use portions of version 1.6. This inevitably ends up with a non‐working ejbca install. If you truly must use 1.7, you'll need to manually compile and install updated versions of gcc, gcj, and Oracle Java. This may be necessary in a fully‐certified production environment, but I will stay with 1.6 until everything becomes part of the standard CentOS code stream. Jboss: I'm using 7.1.1 Final. It actually is the least painful thing to deal with in this setup. Previous versions of jboss are built with the idea of multiple application deployments on a single platform ‐ the current 7.1.1 download installs with a single standalone deployment. Ant: You'll need to download and install a current version of ant ‐ the one from CentOS is too old. I'm using ant‐1.9.3‐ 2.fc21.noarch.rpm from the Fedora repository. Mysql: I'm using the standard mysql version 5.1.73‐3.el6_5 from the CentOS repos. The version really doesn't matter, other than the various inevitable security problems you have with mysql. Java Mysql Connector: I'm using the mysql‐connector‐java.noarch from Oracle, version 5.1.30. There is a configuration tweak in jboss that is necessary in order to use this version. Older versions do not have this problem (but may have others). http://ejbcacentos.blogspot.co.id/ 3/64 This how‐to only covers a standalone installation. You may not issue many certs. As evidence of this: WhatsApp runs over two million connections per server. so here it is. This becomes important later. This seems like a simple decision.1 and Jboss on CentOS 6. Set the timezone.  http://ejbcacentos. Distributed "validation" and "registration" authorities can handle the validation work and registration work while the core services are offline.1.com In this how‐to. Set your hostname in /etc/hosts ‐ it should look something like: 127.localdomain4 ::1           localhost localhost. Beginning the Installation To begin: I suggest using a "Minimal Desktop" CentOS installation in order to have gnome and a web browser.co. the application essentially has seven distinct components: A Database Java and its database connector Jboss The ejbca Certificate Authority The ejbca Registration Authority The ejbca Validation Authority Ejbca's OCSP code No Internet "howto" is complete without at least one goofy ASCII diagram.. But you can build ejbca as a set of distributed servers if you wish.. or any of the CentOS distro PKI apps.yourcompany.1     localhost localhost. If I were building a production server. This build will be on a single server. My opinion is that most "distributed" applications are written by insecure devs to show how awesome they are.34 rootca rootca.localdomain localhost6 localhost6.id/ 4/64 .localdomain6 192. But I'll try to point out the distributed stuff as I go along. and treat it as part of the "Certificate Authority".com" to represent the server. We will install and configure ejbca in essentially left‐to‐right order: mysql ­­> java­sql­connector ­­> jboss ­­> ejbca CA ­­> ejbca VA ­­> OCSP                     ^               ^                     |               |                    ­­­­­­ java ­­­­­ We will ignore the "Registration Authority" for now. their load can become significant. but there are several things to keep in mind when choosing your hostname: In a production environment. and this level of complexity is beyond the scope of this how‐to. and want to take the core CA offline for security reasons. But when answering CRL/OCSP queries.blogspot. you could potentially have multiple ejbca instances configured on a single jboss installation.4/25/2016 Installing EJBCA 6. I will always use the FQDN of "rootca. I would use the "Basic Server" CentOS installation.0. as there are administrative sites and tools in Jboss and ejbca that are only reachable from localhost.168.5 You do not need: tomcat/httpd. This would have ramifications for hostname resolution.12. hazy. and it earned those guys $19 Billion. But the usefulness of distributing out every little portion of an app can get a little . phpmyadmin. so all of these functions will be performed on one box. etc. and needlessly complicate things. There are some sensible reasons for this: CAs aren't very loaded when only issuing certs.0.yourcompany. Application Logical Layout Adding more detail to the internals of ejbca itself.localdomain localhost4 localhost4. No need to set up user accounts for now ‐ just use root. there is an additional "very important thing" to understand about how the naming of the server relates to the certificates created by the Management CA for web administration purposes. The Production CA will issue a "Server Certificate" that will replace the one issued by the Management CA. and will also use "rootca. it can be very confusing to keep track of the various certificates used by a CA for different functions. A Word on CA Naming and Certificates For someone who is not familiar with Certificate Authorities.yourcompany. You would be able to get away with this by virtue of your lab's isolation from public DNS resolution. Replacing this initial certificate with one issued by the Production CA creates a situation that can be quite confusing to a beginner. The Management CA is purely an internal CA that will never be resolved via DNS.1 and Jboss on CentOS 6. we will replace this certificate with one issued by a "Production" CA. However. To try and keep this clear. these are two separate certificates used for two distinct purposes. the Management CA cert does not use an FQDN for the CN.. Define a full FQDN for your server that would be compatible with public DNS. it is important to understand that by the end of our install: There will be two certificates They are used for separate purposes (Root Certificate vs. This implies that there will always be at least two CA instances on an ejbca server: The Management CA used to generate certificates for the administration of ejbca The Production CA that will be used to issue certificates for external users and devices Each CA will have unique X. Here are the basics as they relate to ejbca: First. Set up resolv.500 CN field information. I will always use the phrases "Root CA Certificate" and "Server Certificate" to denote these certs. and cannot be removed. etc)‐ correct time is mandatory.net" for the CN. http://ejbcacentos.net) for its CN. When accessing the web interface of your ejbca server.5 When running ejbca in a lab environment. a TLS certificate is used to encrypt the HTTPS connections to the web service hosting the interface. Set up NTP and make sure it works (ntpdate.yourcompany.co. ejbca uses a "Management CA" instance to generate certificates used both internally by the application. so I will set the CN of the management CA to be "mgmtca". PTR records are also a good idea. The "Root Certificate" used by the Production CA to identify itself and sign new certificates will use the FQDN of the server (rootca. The "Management CA" is automatically created during installation. we will configure only a single "Production CA" in order to try to keep it simple. Also. you must understand that it is possible to host multiple production CA instances on a single ejbca installation. All this being said.1. This replacement certificate will permanently secure connections to the web administration pages (at https://rootca. Despite having the same CN.net exists on the configured  DNS servers. and continue with your build as if this were true. We do this to ensure that the server itself participates in the PKI that we establish with our "Production" CA. Trust me ‐ Don't do this. as well as to issue certificates used to secure initial access to ejbca's web administration pages.yourcompany. and will be configured separately. toward the end of this how‐to. To have a healthy and sane experience when building an ejbca server.id/ 5/64 . In this example. it is tempting to disregard the full FQDN and only use the hostname when identifying your CAs.net). Web Administration TLS) They are both issued by the same Production CA They use the same CN Continuing the Installation. The Production CA will use the actual FQDN of your server for its CN. Set up ssh/vnc access as you see fit. The initial version of this certificate will be a "self‐signed" one issued by the Management CA and created during installation.yourcompany..conf and make sure an A record for rootca.4/25/2016 Installing EJBCA 6. However.blogspot. which breaks all kinds of browser functionality. Everything else is internal (3306 for sql. it's a good idea to back up the firewall config: http://ejbcacentos. so you can't set the ports to anything <1024 ‐ don't bother trying to change them in the application itself. protocol tcp Add port forward 442 ‐‐> local 8442.4/25/2016 Installing EJBCA 6. then set up iptables to do port forwarding. 9990 for jboss admin web interface. and 8443 for CA services. protocol tcp Add port forward 443 ‐‐> local 8443.1 and Jboss on CentOS 6. protocol tcp Once finished. *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] ­A PREROUTING ­i eth0 ­p tcp ­­dport 80 ­j MARK ­­set­mark 0x64 ­A PREROUTING ­i eth0 ­p tcp ­­dport 442 ­j MARK ­­set­mark 0x65 ­A PREROUTING ­i eth0 ­p tcp ­­dport 443 ­j MARK ­­set­mark 0x66 COMMIT *nat :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] ­A PREROUTING ­i eth0 ­p tcp ­­dport 80 ­m mark ­­mark 0x64 ­j DNAT ­­to­destination :8080 ­A PREROUTING ­i eth0 ­p tcp ­­dport 442 ­m mark ­­mark 0x65 ­j DNAT ­­to­destination :8442 ­A PREROUTING ­i eth0 ­p tcp ­­dport 443 ­m mark ­­mark 0x66 ­j DNAT ­­to­destination :8443 COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] ­A INPUT ­m state ­­state ESTABLISHED. If you want to use the standard web ports. I'd manually edit /etc/sysconfig/iptables . then reload the firewall: service iptables reload Regardless of how you do it.blogspot. The application doesn't run as root.1.RELATED ­j ACCEPT ­A INPUT ­p icmp ­j ACCEPT ­A INPUT ­i lo ­j ACCEPT ­A INPUT ­i eth0 ­m state ­­state NEW ­m tcp ­p tcp ­­dport 8080 ­m mark ­­mark 0x64 ­j ACCEPT ­A INPUT ­i eth0 ­m state ­­state NEW ­m tcp ­p tcp ­­dport 8442 ­m mark ­­mark 0x65 ­j ACCEPT ­A INPUT ­i eth0 ­m state ­­state NEW ­m tcp ­p tcp ­­dport 8443 ­m mark ­­mark 0x66 ­j ACCEPT ­A INPUT ­m state ­­state NEW ­m tcp ­p tcp ­­dport 443 ­j ACCEPT ­A INPUT ­m state ­­state NEW ­m tcp ­p tcp ­­dport 22 ­j ACCEPT ­A INPUT ­m state ­­state NEW ­m tcp ­p tcp ­­dport 80 ­j ACCEPT ­A INPUT ­m state ­­state NEW ­m tcp ­p tcp ­­dport 442 ­j ACCEPT ­A INPUT ­j REJECT ­­reject­with icmp­host­prohibited ­A FORWARD ­j REJECT ­­reject­with icmp­host­prohibited COMMIT ### End iptables ### If you are only working in the cli. it's a good idea to verify your /etc/sysconfig/iptables file: vi /etc/sysconfig/iptables  ### Start iptables ### # Firewall configuration written by system­config­firewall # Manual customization of this file is not recommended.co. You can do this from the gnome firewall management app: Add port forward 80 ‐‐> local 8080. etc).id/ 6/64 . 8442.5 Run yum update Firewall Configuration Ejbca uses 8080. 3.5 cp /etc/sysconfig/iptables /etc/sysconfig iptables.11.5 gjc installed ‐ It's used for compilation of the java packages.6.1.ipv6. and executes the expected version regardless of path: /usr/lib/jvm/java/bin/java ­version java version "1. and alternatives prevents it from affecting anything.conf .13.org/FAQ/CentOS6 Installing Software Packages Now we install our CentOS software packages.d/ipv6_disabled.conf .initial Disabling IPv6 There really is no point in having IPv6.d/blacklist. change/create these entries:      NETWORKING_IPV6=no      IPV6INIT=no In /etc/modprobe.el6.conf. mixed mode) http://ejbcacentos.UTF­8 rhgb quiet crashkernel=auto ipv6.all.default. you may have noticed that there's a version 1.25­b01.conf To be extra EXTRA awesome.conf.ipv6.6. follow the "extra notes" on disabling IPv6 located at:      http://wiki. change/create these entries:      blacklist net­pf­10      blacklist ipv6 Disable iptables for IPv6:      service ip6tables stop      chkconfig ip6tables off To be extra awesome.disable=1 It will look something like: kernel /vmlinuz­2.conf .rpm  yum install mysql­server yum install mysql­connector­java It's a pretty good idea to verify our java version with java ­version .disable=1 In /etc/sysctl.13.4/25/2016 Installing EJBCA 6.6.conf : /usr/lib/jvm/java/bin/java ­version .co.0_30" OpenJDK Runtime Environment (IcedTea6 1.1. edit the boot kernel line to include:      ipv6. you can be sure that java works.32­431.disable_ipv6 = 1 In /etc/sysconfig/network .el6_5­x86_64) OpenJDK 64­Bit Server VM (build 23.1 and Jboss on CentOS 6.3) (rhel­5.disable_ipv6 = 1      net. so I remove it: In /boot/grub/grub.centos. When reviewing your installation.2.blogspot. yum install java­1. It can't be removed without causing problems. change/create these entries:      net.x86_64 ro root=/dev/mapper/vg_rootca­lv_root rd_NO_LUKS rd_LVM_LV=vg_rootca/lv_root rd_NO_MD SYSFONT=latarcyrheb­sun16 rd_LVM_LV=vg_rootca/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM LANG=en_US. Once this is done. Just ignore it. both with the implicit path and the full path you will define as JAVA_HOME in standalone.0­openjdk yum install /path/to/your/ant­noarch.id/ 7/64 . make sure that IPv6 driver loads will always silently fail:      echo "install ipv6 /bin/true" > /etc/modprobe. 4/25/2016 Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 Configuring Mysql This is a basic mysql setup that isn't particularly tuned for security, but is secure enough for lab purposes. Be sure to create the mysql directories and update /etc/my.cnf before starting the service for the first time, as you can't easily change the binary log location once it has been created. This config also forces utf‐8 encoding, which is a requirement of ejbca. Some of the utf‐8 config can throw errors on startup (depending on your version of mysql), so it is commented out. I enable binary logging in order to make database recovery as bulletproof as I can. But there's no substitute for a regular mysqldump. Ejbca includes a sample backup script for this purpose. mkdir ­p /var/log/mysql/bin chown ­R mysql:mysql /var/log/mysql vi /etc/my.cnf ### Start my.cnf ### datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock user=mysql # Disabling symbolic­links is recommended to prevent assorted security risks symbolic­links=0 #UTF­8 character­set­server=utf8 collation­server=utf8_unicode_ci init­connect='SET NAMES utf8' #character­set­client = utf8 # Logging Config # Binary logging log­bin server­id              = 1 log_bin                = /var/log/mysql/mysql­bin.log expire_logs_days       = 10 max_binlog_size        = 100M #log #log­error #log­slow­queries [mysqld_safe] log­error=/var/log/mysql/mysqld.log pid­file=/var/run/mysqld/mysqld.pid # Custom config #[client] #default­character­set=utf8 ### End my.cnf ### To make a point about the mysql user continuing to own everything mysql‐related: chown mysql:mysql /etc/my.cnf Now, run the "secure installation" script (take the default actions), log in to mysql, and create the database and user account for ejbca: service mysqld start http://ejbcacentos.blogspot.co.id/ 8/64 4/25/2016 Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 mysql_secure_installation mysql ­u root ­p create database ejbcadb; grant all privileges on ejbcadb.* to 'ejbcadbuser'@'localhost' identified by 'password'; flush privileges; exit Verify that you can log in to mysql as ejbcadbuser and test your access: mysql ­u ejbcadbuser ­p  use ejbcadb; show grants for ejbcadbuser@localhost; exit  Later, we will change the permissions on the ejbcadb database to make ejbcadbuser@localhost's access a little more limited. Finalize the mysql installation by performing a service mysqld restart and checking the log at /var/log/mysql/mysqld.log. Creating the Directory Structure Now we're going to set up the directory structure for the app itself. I prefer to put my apps in /opt. By default, all the ejbca documentation assumes that you install it in the service user's homedir. I like to use links to generic paths so that upgrading code is easier. This method also works well with Atlassian products. The /opt/default directory is used to hold vanilla versions of code so you can easily wipe things out and start over. mkdir /opt/default cd /opt/default wget http://download.jboss.org/jbossas/7.1/jboss­as­7.1.1.Final/jboss­as­7.1.1.Final.zip wget http://downloads.sourceforge.net/project/ejbca/ejbca6/ejbca_6_1_1/ejbca_ce_6_1_1.zip unzip *.zip cd .. ln ­s /opt/ejbca_ca_6_1_1 ejbca ln ­s /opt/jboss­as­7.1.1.Final jboss cp ­rp default/jboss­as­7.1.1.Final . cp ­rp default/ejbca_ce_6_1_1 . Creating the OS User Accounts Now we set up our service accounts. I made two ‐ a system account named jboss, and an ejbca account for administrative use after the server is built. It is important that jboss has /bin/bash for a shell and a /opt/jboss as a homedir. useradd ­s /bin/bash ­r ­d /opt/jboss ­M ­U jboss useradd ­m ­U ­G jboss,wheel ejbca Creating the Console Log Directory Now that our service user has been created, we can create the directory that will hold our jboss console logs: mkdir ­p /var/log/ejbca chown jboss:jboss /var/log/ejbca At this point, the server is built, mysql is running, and we're ready to start with installing jboss. It's a good time to take a vm snapshot. http://ejbcacentos.blogspot.co.id/ 9/64 4/25/2016 Installing EJBCA 6.1.1 and Jboss on CentOS 6.5 Installing Jboss It's time to install jboss. We will not configure every detail (no mail, default logging), but we will do enough to get the platform running and tweaked the way ejbca needs for installation. Configuring the Standalone Jboss Instance We begin by configuring the jboss instance that ejbca will use. It's named "standalone", and exists by default in version 7.1.1. The /opt/jboss/bin directory contains a script named standalone.sh that is the primary start point for jboss. This script references a configuration file in the same directory named standalone.conf. We will not need to modify the startup script, but we will need to modify the configuration file. First, we make a backup of the default config: cd /opt/jboss/bin cp standalone.conf standalone.conf.orig The config file also contains a set of jvm options that I tweak a little bit. This is not a mandatory change, but it does allocate more memory to the jvm. I always seem to be increasing this variable for my jvms, so I'm simply doing this ahead of when I actually need to. Important: The bits below are only the parts I modified ‐ don't delete the rest of the files! I've added some commented entries that you might need to use if you're troubleshooting, but really the only things that matter are JAVA_HOME and JAVA_OPTS. Just add the comments to the top of the file and replace the default JAVA_HOME and JAVA_OPTS. ### Start standalone.conf Delta ### #ejbca config # #javaHome=/usr/lib/jvm/java #jbossHome=/opt/jboss #jbossClasspath=/usr/share/java/mysql.jar JAVA_HOME="/usr/lib/jvm/java" JAVA_OPTS="­Xms128m ­Xmx512m ­XX:PermSize=128m ­XX:MaxPermSize=256m ­Djava.net.preferIPv4Stack=true ­ Dorg.jboss.resolver.warning=true ­Dsun.rmi.dgc.client.gcInterval=3600000 ­Dsun.rmi.dgc.server.gcInterval=3600000" ### End standalone.conf Delta ### Creating the Jboss Init Service The /opt/jboss/bin/standalone.sh script can always be used to start and stop jboss manually. However, we need to configure a service instance named "ejbca" to handle the startup and shutdown of jboss (and subsequently, ejbca). Thankfully, the jboss folks give us an example script to use. I know it is confusing to name the jboss service "ejbca", but I am assuming that this jboss instance will only run the ejbca application and not be used for any other purpose. The init script itself contains a very important variable: the path of the jboss home directory. First, we copy the examples to their proper locations: cp /opt/jboss/bin/init.d/jboss­as­standalone.sh /etc/init.d/ejbca mkdir /etc/ejbca cp /opt/jboss/bin/init.d/jboss­as.conf /etc/ejbca/ejbca­init.conf Then, we modify both files to be appropriate for our installation. Below are my examples. Again, these are only the changes that must be made to the default file content. http://ejbcacentos.blogspot.co.id/ 10/64 # The username who should own the process. and have set a start order value in the chkconfig portion of the init http://ejbcacentos. we use chkconfig to add our services to the rc hierarchy and set the runlevels: chkconfig ­­add ejbca chkconfig ­­level 345 mysqld on chkconfig ­­level 345 ejbca on  The init files should remain owned by root:root.co.conf file has two very important variables in it: the jboss process username.blogspot.conf ### # General configuration for the init.id/ 11/64 . and the logfile name. with the default permissions.pid # config: /etc/ejbca/ejbca­init. vi /etc/ejbca/ejbca­init.d Delta ### ### BEGIN INIT INFO # chkconfig ­ 345 97 17 # Provides:          ejbca # Required­Start:    $remote_fs $syslog $network mysqld # Required­Stop:     $remote_fs $syslog $network # Short­Description: ejbca jboss instance # Description:       ejbca jboss instance # Default­Start:     3 4 5 # Default­Stop:      0 1 2 6 ### END INIT INFO # # processname: ejbca # pidfile: /var/run/jboss­standalone.1 and Jboss on CentOS 6.conf JBOSS_CONF="/etc/ejbca/ejbca­init.conf" JBOSS_HOME=/opt/jboss prog='ejbca jboss instance' ### End ejbca init.conf ### Start ejbca­init. # not necessarily for JBoss AS itself.d scripts.conf ### Lastly.4/25/2016 Installing EJBCA 6.d/ejbca ### Start ejbca init. Setting the Service Order Although we have added the ejbca service with chkconfig.5 vi /etc/init.d Delta ### The ejbca­init.1.log ### End ejbca­init. # JBOSS_USER=jboss # The amount of time to wait for startup # # STARTUP_WAIT=10 # The amount of time to wait for shutdown # # SHUTDOWN_WAIT=10 # Location to keep the console log # JBOSS_CONSOLE_LOG=/var/log/ejbca/console. well./init. You can assume all versions of the connector from 5. and then deal with updating it. As mentioned.5 script header./init. In my case. Theoretically. This puts it before the local service.xml Add the following entries to the to system export paths: Do not include the hashed start and end comments.d/mysqld lrwxrwxrwx. as it requires an additional config variable that jboss doesn't expect. 1 root root 15 Apr 25 22:24 S97ejbca ­> . which is version 5.30. Instead of attacking this problem immediately. and a kill of 36.xml Delta ###             <path name="sun/security/x509"/>             <path name="sun/security/pkcs11"/>             <path name="sun/security/pkcs11/wrapper"/>             <path name="sun/security/action"/> ### End module. there was a missing start entry for mysqld.d/ejbca ls ­al|grep mysqld lrwxrwxrwx.1. ### Start module.  In the example below. 1 root root 16 May 1 13:32 S64mysqld ­> . However.d. 1 root root 15 May 1 13:30 K17ejbca ­> .. and the example init script for ejbca will wait for mysqld to start. I am using the latest Oracle version. This version breaks jboss./init.1. rc4.d/mysqld S64mysqld  ls ­al|grep mysqld lrwxrwxrwx.d ls ­al|grep ejbca lrwxrwxrwx.d/ejbca lrwxrwxrwx. 1 root root 16 Apr 25 22:24 K36mysqld ­> . the mysqld service is configured to wait for the the network service to initialize before starting./init. we still need to review the service order during startup and shutdown. and a kill integer of 17. install the CentOS‐distributed version: yum install mysql­connector­java http://ejbcacentos. By default. The mysqld is set with a start of 64./init. ensure that we have a working jboss installation. cd /etc/rc.. I noted that while ejbca was added correctly.1. cd /opt/jboss/modules/sun/jdk/main vi module.d) and create/modify the needed links to manage mysqld and ejbca .xml Delta ### Installing the Mysql Connector Adding the java mysql connector to jboss is a little convoluted.1 and Jboss on CentOS 6.30 onward will have this problem (at least until jboss fixes their side of the code)..d/mysqld ln ­s ../init.. things just don't work out that way.d. 1 root root 16 Apr 25 22:24 K36mysqld ­> . rc5.4/25/2016 Installing EJBCA 6. we will proceed with the CentOS‐distributed version of the connector.d/rc3. First.id/ 12/64 . I have the ejbca service set with a start integer of 97. you still must read the contents of each runlevel init directory (rc3. But sometimes. but after everything else. We'll start by enabling certain security functions that ejbca requires.d/mysqld Adding Jboss Class Exports We are now ready to begin tweaking the jboss configuration in earnest.blogspot. chkconfig and yum are supposed to build these links for us automatically.co.. blogspot.as. It's a good idea to keep a running console session open from now on.http11.0.690 INFO  [org.log You should see something like this at the end of the file: 22:51:40.1 on http­­127.scanner] (MSC service thread 1­3) JBAS015012: Started FileSystemDeploymentService for directory /opt/jboss/standalone/deployments 22:51:40.as.Final Now.api"/>         </dependencies>     </module> ### End module. as XML does not recognize "#" as denoting a comment. Don't run "chown ­R root:root /opt/jboss" ‐ we want root to remain the owner of the symbolic link. we must first make the jboss user the owner of the jboss directory tree.0. so you should install Firefox in your gnome session http://ejbcacentos.xml ### Start module.remoting] (MSC service thread 1­2) JBAS017100: Listening on /127.1:9999 22:51:40.jar .699 INFO  [org.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.jar"/>         </resources>         <dependencies>             <module name="javax.1 and Jboss on CentOS 6.4/25/2016 Installing EJBCA 6.0.0" encoding="UTF­8"?>     <module xmlns="urn:jboss:module:1.688 INFO  [org.api"/>             <module name="javax.482 INFO [org.deployment.xml ### Starting Jboss Our next set of tweaks must be made after jboss has been started. build the module.as] (Controller Boot Thread) JBAS015874: JBoss AS 7.1­8080 22:51:40.5 Now.0.0. do not include the triple‐hashed lines in this file.1. Because our actions until now have been performed as root.jboss.1.Http11Protocol] (MSC service thread 1­2) Starting Coyote HTTP/1. chown ­R jboss:jboss /opt/jboss­as­7.774 INFO [org.jar Now.0" name="com.jar mysql­connector­java.server.0.id/ 13/64 .jboss.jboss. tail ­f /var/log/ejbca/console. vi module. we test how well our init scripting works: service ejbca start Now that we've (hopefully!) started the service.transaction. Again. we can check the console log (as it has just been created).co.1.remoting] (MSC service thread 1­3) JBAS017100: Listening on /127.1.coyote.1.apache. create the directory that will hold jboss' link to mysql­connector­java.0.mysql">         <resources>             <resource­root path="mysql­connector­java.jboss.Final "Brontes" started in 1528ms ­ Started 130 of 204 services (74 services are passive or on­demand) This tells you several important things: The jboss admin webpage is only available to localhost by default.xml file that describes the connector.jboss.xml ### <?xml version="1. and the link itself: mkdir ­p /opt/jboss/modules/com/mysql/main/ cd /opt/jboss/modules/com/mysql/main ln ­s /usr/share/java/mysql­connector­java.0.1:4447 22:51:40.773 INFO [org.1:9990 22:51:40.as. MysqlXADataSource)     :reload     exit This cli action defines our mysql driver in /opt/jboss/standalone/configuration/standalone. and we will be working with it several times during installation.mysql">    <xa­datasource­class>com.jboss. jboss has finished loading: "7.jdbc.mysql.1.datasources] (ServerService Thread Pool ­­ 27) JBAS010404: Deploying non­JDBC­compliant driver class com.1 and Jboss on CentOS 6.co. vi standalone.xml Delta ### Remove the following:               <datasource jndi­name="java:jboss/datasources/ExampleDS" pool­name="ExampleDS" enabled="true" use­ java­context="true">                     <connection­url>jdbc:h2:mem:test;DB_CLOSE_DELAY=­1</connection­url> http://ejbcacentos.jdbc.mysql.5 if you don't already have it.jdbc.1. so we modify standalone. we should see the following message appear in the console log when restarting jboss: 22:46:29.mysql.xml ### Start standalone.MysqlXADataSource</xa­datasource­class> </driver> ### End standalone. However. it does not normally need to be changed once our installation is complete.as.4/25/2016 Installing EJBCA 6.xml Snip ### The standalone.connector.mysql.jdbc.1) Removing the Default h2 Datasource and Driver By default.jdbc2.optional. we can enable our mysql connector.xml to disable it.optional.xml Snip ### <driver name="com.sh     connect     /subsystem=datasources/jdbc­driver=com. The default URL for the admin webpage is something like: http://localhost:9990/console/App.jdbc.xml. But before we make the change.Driver.jdbc.driver­xa­datasource­class­name=com.jdbc.jdbc.xml standalone.html#server­ overview When you see this in the log.subsystems.initial Now.Driver:add(driver­name=com. If left unchanged. the standalone instance is defined with an h2/hsqldb database connector. we run a registration command from the jboss CLI (the small text is a single line):     cd /opt/jboss/bin     sh jboss­cli.mysql. ejbca is preconfigured to use it for example purposes.Driver" module="com.Final "Brontes" started in xxxx ms" Enabling the Mysql Connector Now that the jboss service is running.580 INFO [org. and an example database.blogspot.mysql.Driver (version 5. If we have been successful with our changes. then reloads jboss.1. which will update the configuration of the standalone instance.xml file is the primary configuration file in jboss.xml. The actual definition is: ### Start standalone.id/ 14/64 .jdbc2. we will first back up the configuration: cd /opt/jboss/standalone/configuration cp standalone.mysql. We will not use it.driver­module­ name=com. We will do this using the jboss command line interface. datasources] (ServerService Thread Pool ­­ 27) JBAS010403: Deploying JDBC­compliant driver class org.1. has to do things its own way.xml to update the driver stanza: http://ejbcacentos.msc.JdbcDataSource</xa­datasource­class>                 </driver> ### End standalone.DuplicateServiceException: Service jboss.580 INFO  [org.jboss.30­bin.h2database.30­bin. as shown in the console log: 01:16:31.5                     <driver>h2</driver>                     <security>                         <user­name>sa</user­name>                         <password>sa</password>                     </security>                 </datasource> Also remove:                 <driver name="h2" module="com.jar mysql­connector­java.1.com_mysql_jdbc_Driver is already registered The fix for this is quite simple: add a single line to standalone.jar ­rw­r­­r­­.as.570 INFO  [org.1.1.zip file that you downloaded.datasources] (ServerService Thread Pool ­­ 27) JBAS010404: Deploying non­JDBC­compliant driver class com.Driver (version 5.  jboss will fail to load the connector at startup.jdbc.30­bin.30).jdbc. delete and recreate the link "mysql­connector­java.jboss.connector.   1 root root   954041 May  1 01:22 mysql­connector­java­5.500 ERROR [org. and refers to the connector as "Connector/J". Oracle.connector.30­bin.jar" such that it points to the new file: cd /usr/share/java rm mysql­connector­java.jar file to /usr/share/java: cp /your/download/location/mysql­connector­java­5.1.management­operation] (management­handler­thread ­ 17) JBAS014612: Operation ("add") failed ­ address: ([     ("subsystem" => "datasources").     ("jdbc­driver" => "com. and copy the mysql­connector­java­5.mysql.jdbc­driver.controller.blogspot.subsystems.3) But you should continue to see: 22:46:29.Driver") ]): org.mysql.jar ln ­s mysql­connector­java­5.jar /usr/share/java Verify its permissions: ls ­al /usr/share/java/mysql­connector­java­5.h2.   Now expand the .30­bin.h2">                      <xa­datasource­class>org. of course.jboss.tar or . you should no longer see: 22:46:29.co.as. let's break it! First. if you watch the console log when restarting jboss.as.jboss.jar Once this is done.subsystems.xml Delta ### Now.jdbcx. download the latest platform‐independent version of the connector from Oracle (I assume this will be version 5.1 and Jboss on CentOS 6.jar Next.h2.1.4/25/2016 Installing EJBCA 6.1) Updating the Mysql Connector Now that we have a functioning mysql connector.1.Driver (version 1.service.id/ 15/64 . At this time.5 ### Start standalone. you should know that ejbca's initial configuration can be divided into a few specific parts: The . The mysql database will be auto‐populated when we first deploy ejbca. Configuring the Jboss Web Admin User Our last jboss installation step is to create the account used to access the jboss admin webpage.jdbc.properties' Added user 'jadmin' to file '/opt/jboss­as­7.sh  What type of user do you wish to add?   a) Management User (mgmt­users. This is a jboss‐specific user account not used anywhere else in our build. but only in response to changes made to our .properties' You should now be able to reach the jboss web console interface and view/change various config items.properties files.mysql. you do not need to change anything.xml Delta ### Restart the service.mysql">                         <driver­class>com.MysqlXADataSource</xa­datasource­ class>                    </driver>                 </drivers>             </datasources> ### End standalone. Installing Ejbca Before we proceed. and the updated connector now loads properly.Final/standalone/configuration/mgmt­users.jdbc2. Portions of standalone.1.mysql.Driver" module="com. and that only the ejbca.blogspot.mysql.1.jdbc. assume that nothing in the configuration will be changed during deployment.1. Realm (ManagementRealm) :  Username : jadmin Password :  Re­enter Password :  About to add user 'jadmin' for realm 'ManagementRealm' Is this correct yes/no? yes Added user 'jadmin' to file '/opt/jboss­as­7. The database does not store any configuration data. even if the files exist.xml Delta ###             <datasources>                 <drivers>                    <driver name="com.1 and Jboss on CentOS 6.jdbc.Driver</driver­class>                         <xa­datasource­class>com.optional.4/25/2016 Installing EJBCA 6.  This is a good time to take a vm snapshot. but will not otherwise be touched by any of the ant scripts. We use a specific script for this: sh /opt/jboss/bin/add­user.co.id/ 16/64 .Final/domain/configuration/mgmt­users.properties files in the /opt/ejbca/conf directory The initial keystore files in /opt/ejbca/p12 The jboss config in standalone.1. but it can be affected by every configuration change you make.xml You should also know these general rules for working with ejbca's configuration: First. http://ejbcacentos.jdbc.properties)   b) Application User (application­users.properties) (a): a Enter the details of the new user to add. The ant install command tries to create the keystore files each time it is run.1.xml can be changed by both ant build and ant install.ear file is touched by this action. properties     ‐  Defines the CRL store variables database.properties     ‐  Defines the core security engine variables crlstore. However.properties.properties cp sample/database. Initially.properties         ‐  Defines how OCSP itself will function va. and generally are not referenced by the running application. It's the best way to learn all of the variables. and X. http://ejbcacentos.properties file is only referenced when running ant install. we create a new directory called: /opt/ejbca/conf/sample. then test our installation before proceeding. and can be ignored.properties" files for its primary configuration. and a file called extendedkeyusage.properties      ‐  Used by "ant install" during installation mail.properties         ‐  Defines how the ejbca SMTP connector will function ocsp.4/25/2016 Installing EJBCA 6. With only these files defined. logdevices and plugins.properties cp sample/web.properties cp sample/cesecore.id/ 17/64 .properties.sample files to it for clarity and backup purposes: cd /opt/ejbca/conf mkdir sample mv *.1 and Jboss on CentOS 6. There are also two directories.properties.properties cp sample/mail. These files are referenced when compiling ejbca.sample database.sample ejbca.sample certstore. here are simplified configurations that I am using for each file. There are a great number of variables to set.properties cp sample/ejbca.properties. ant will not change standalone. ejbca will be operate without validation functionality.properties file.* files.1.blogspot.properties    ‐  Defines the certificate store variables cesecore.properties          ‐  Defines variables for ejbca's web interface There are multiple jndi.properties        ‐  Defines the basic variables for ejbca itself install. They are required.5 Once our initial installation is complete.properties. The ones that are required by our build are: certstore.properties cp sample/crlstore.sample cesecore. First.ear with ant.properties     ‐  Defines how ejbca will access the db ejbca. Each file is a complete working config. The Start and End comments are not needed in each config. but will not be configured further.properties We will configure these files.properties           ‐  Defines how the validation authority will function va­publisher. It's a very good idea to take the configs I give here and use them as a reference for your own configuration rather than cutting and pasting. but this functionality is disabled by default.properties cp sample/install. I have stripped out most of the default comments and added some of my own. FQDNs. and is not referenced by ant deploy. Some files actually contain parameters to allow runtime parsing of variables in the properties files. that can also be ignored. You must enter your own email addresses.sample mail. passwords.sample install. Ejbca Properties Files Ejbca uses flat text ".sample web.properties in the conf directory as well. ejbca has sample versions of all properties files in the /opt/ejbca/conf directory.500 CN / DN values.properties.properties.sample crlstore.co.sample sample Now we copy a specific subset of files back to the main directory: cp sample/certstore. and I will not go into detail on each one.properties ‐  Defines how the validation authority will access the db web. and move all . The install.xml unless we have changed a .properties. 1.impl.AuditExporterDummy (default) #securityeventsaudit.doPermitExtractablePrivateKeys=true #forbidden.audit.implementation.X=org.cesecore.5 certstore.audit.exporter.Log4jDevice securityeventsaudit.implementation.log4j.export.X=org.n=883423532389192164791648750360308884807550341691627752275345424702807307 http://ejbcacentos.exporter.audit.4/25/2016 Installing EJBCA 6.audit.properties ### cesecore.1=null #securityeventsaudit.log4j.b=6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a #ecdsa.implicitlyca.integrityprotected.configuration=false # You do not need to configure this password! #ca.implementation.key.1.audit.contextroot=/ejbca/publicweb/certificates ### End certstore.implementation.audit.enabled=true  # This is the web directory that the web interface for the cert store will use.impl.implementation.cesecore.subkey=value # More log config below  securityeventsaudit.1=org.1.0=null #securityeventsaudit.secondarylanguage=SE #These variables will enable explicit logging.implicitlyca.implicitlyca.implementation.deviceproperty.impl.implicitlyca.exporter.impl.impl.integrityprotected.cesecore.AuditExportCsv #securityeventsaudit.dir=/tmp/ #securityeventsaudit.rngalgorithm=SHA1PRNG #ca.keystorepass=!secret! #ca.properties ### #allow.cesecore.characters = \n\r;!\u0000%`?$~ #intresources.impl.toolateexpiredate=2038­01­19 03:14:08+00:00 #ca.a=7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc #ecdsa.properties ### Start certstore.export.cesecore.deviceproperty.preferredlanguage=EN #intresources.validate.co.1 and Jboss on CentOS 6.0=org.X.impl.audit.g=020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf #ecdsa.cesecore.implicitlyca.contextroot=/certificates # This is an unused alternate location #certstore.  # It is not the full path! certstore.1.id/ 18/64 .1=org.cesecore.X=org.fetchsize=1000 #securityeventsaudit.AuditExporterXml #securityeventsaudit.deviceproperty.Log4jDevice securityeventsaudit. You can turn them off later securityeventsaudit.q=883423532389192164791648750360308885314476597252960362792450860609699839 #ecdsa.deviceproperty.audit.cesecore.toolateexpiredate=80000000 #ca.impl.X=org.AuditExporterXml #securityeventsaudit.IntegrityProtectedDevice securityeventsaudit.blogspot.fetchsize=1000 #ecdsa.exporter.external­dynamic.X=org.serialnumberoctetsize=8 ca.properties ### Start cesecore.IntegrityProtectedDevice #securityeventsaudit.properties ### # ­­­­­­­­­­­­ RFC 4387 Certificate store configuration ­­­­­­­­­­­­­­­­­­­­­ certstore. id/ 19/64 .defaultapprovalvalidity=28800 #approval.4/25/2016 Installing EJBCA 6.properties ### Start database.ejbca.ejbca.cmskeystorepass= approval. we change # this to true.properties ### database..enabled=true crlstore.ejbca.password=pumpkin ### End database.extra..defaultrequestvalidity=28800 approval.blogspot.home=/opt/jboss appserver.Driver database.0.1.type=jboss # Initially.properties ### # ­­­­­­­­­­­­­ Database configuration ­­­­­­­­­­­­­­­­­­­­­­­­ #This variable is used in our standalone.properties ### Start ejbca.productionmode=false        #allow.properties ### ejbca. appserver.contextroot=/ejbca/publicweb/crls ### End crlstore.core.cmp.jndi­name=EjbcaDS # This is the TYPE of db.5 ### End cesecore.jdbc.core.protocol.excludedClasses= http://ejbcacentos.excludedClasses=org.RevocationMessageHandler #approval.caservice.name=mysql    # Be sure to use utf­8  database.external­dynamic.url=jdbc:mysql://127.excludedClasses=org.1 and Jboss on CentOS 6.properties # ­­­­­­­­­­­­ RFC 4387 CRL store configuration ­­­­­­­­­­­­­­­­­­­­­ crlstore. Once the install is complete.mysql.0.configuration=false # Don't set these! #ca.driver=com. not the NAME OF the db  database.properties ### Start crlstore.properties ### # The next two variables are very important.xkmskeystorepass= #ca.username=ejbcadbuser # Change this to your mysql user password:  database.1:3306/ejbcadb?characterEncoding=UTF­8   database. # But DO NOT set it to "ca"! #ejbca.CmpMessageDispatcherSessionBean #approval.ExtRACAServiceWorker #approval.co. we will set this to false.cmp.excludedClasses=org.properties ### crlstore.productionmode=true ejbca.contextroot=/crls #crlstore.xml <datasource> stanza datasource.protocol.properties ### # This is all very similar to certstore. customerrormessage=EJBCANOTOK # It's important to change this to 8: ejbca. Oracle. ca.tokentype=soft ca. # Also.properties ### Start install.  # SHA1WithRSA.properties ### install.5 healthcheck.1.properties # THIS IS IMPORTANT # You can assume that ejbca cannot use EC algorithms for the management CA. rain man) http://ejbcacentos. 2048.  # You can use EC later with the actual production CAs you define. but will not be communicated  # with. 8192). 4096.properties ### # In every case that "CA" is mentioned in this file. # This will be the initial name of the management CA instance # ejbca will use this for administration purpose.1 healthcheck.  ca.signaturealgorithm=SHA256WithRSA # I set a CA validity of 10 years (including the leap years. # The reason for this limitation is that the various EC algorithms are # not equally supported by the various java flavors that could be used.catokensigntest=true healthcheck.0.authorizedips=127. not your production CAs  # Note that the CN given here is NOT the FQDN of your CA! # Why does this matter? This certificate will be temporarily installed  # on your browser as a trusted root CA.tokenpassword=null # This is the path to a "catoken.keytype=RSA # Even though SHA1 is still largely in use as a certificate hashing # algorithm.maintenancefile=~/maintenance. # More importantly.C=US ca.amountfreemem=32 healthcheck.1 and Jboss on CentOS 6.sendservererror=true #healthcheck.dbquery=Select 1 From CertificateData where fingerprint='XX' healthcheck.publisherconnections=true #healthcheck.properties" file that will be created when 'ant # install' is run.  # You will not edit this properties file yourself. SHA1withECDSA.blogspot.dn=CN=mgmtca. It will contain encryption parameters used by the mgmt CA. I strongly suggest that you go with SHA256WithRSA.tokenproperties=/opt/ejbca/conf/catoken.name=mgmtca ca. please note that the "with/With" in the hash names is indeed # case­sensitive. so just avoid EC.4/25/2016 Installing EJBCA 6.id/ 20/64 . # Choosing an unsupported algorithm here leads to a corrupt installation.co. # This does not mean that ejbca cannot issue certificates that use EC. Stay classy.properties #healthcheck. SHA256WithRSA.passwordlogrounds=8 ### End ejbca.O=Your Company.okmessage=ALLOK healthcheck. ECDSA or DSA ca. # This can waste a great amount of time. # Keyspec for RSA keys is size of RSA keys (1024. ejbca does not include any sort of logic to identify # the version of java you are using to limit or correct your options. ca. SHA256withECDSA. can be RSA.maintenancepropertyname=DOWN_FOR_MAINTENANCE healthcheck. ca. it refers to the "management" CA ONLY. # It just means that the management CA will use RSA for internal purposes.keyspec=4096 # The keytype for the administrative CA.0.  not the jboss mailer.4/25/2016 Installing EJBCA 6.properties ### Start mail.jndi­name=java:/EjbcaMail mail.validity=3652 ca.policy=null ca.  http://ejbcacentos. But that certificate # is not used for session TLS.trustpassword=changeit superadmin.properties ### # The key to this portion of the config is understanding that this file affects # the certificate used by the ejbca admin webpage. For now. we just point to the local mail server in order to # prevent errors in the console log.auth=false #mail.O=Your Company.password=ejbca superadmin.port=25 #mail. httpserver.certificateprofile=ROOTCA ### End install.blogspot.dn=CN=${httpsserver.smtp.yourdomain. # web.properties.1 and Jboss on CentOS 6.password=serverpwd httpsserver.1. we # defined variables for the management CA root certificate.contentencoding=UTF­8 ### End mail.cn}[email protected]=honeybunny mail.properties ### Start web. The management CA issues a separate "server # certificate" for that purpose that is defined here.nosslconfigure=true # You do not need to set this password! #java.batch=true # You do not need to set this password! #httpsserver.noconfigure=true # Can not be set to false.dn=CN=${superadmin.properties ### # This config is for the ejbca application mailer.smtp.cn=superadmin superadmin. #web. # # ­­­­­­­­­­­­ Web GUI configuration ­­­­­­­­­­­­­­­­­­­­­ # Can not be set to false.5 ca. In install. We will # set that up later.id/ 21/64 .pubhttp=8080 # This is the port that will host the encrypted Ejbca Public Web page.smtp.user=ejbca mail.smtp. commented away means that web will be configured.net httpsserver.hostname}.starttls.properties ### mail.enable=false mail.properties ### web.O=Your Company.net #mail.host=localhost mail. mail.debug=false mail. commented away means that web will be configured.hostname=rootca.co.C=US # This is the port that will host the unencrypted Ejbca Public Web page.C=US # You do not need to set this password! #superadmin. 1.availablelanguages=EN.0.description=User certificate web.privhttps=8443 #httpserver.enableproxiedauth=true web.ejbca.properties ### Initial Deployment Now that we have a basic set of properties files. Accessing content hosted on # this port requires client certificate authentication.log.certtypes.0 #httpsserver. httpserver.docbaseuri=internal #web.adminforwardedip=true ### End web. Before running our initial deployment.bindaddress.docbaseuri=http://www. it's a requirement to ensure that this is the true.JA.blogspot.selfreg.1.pubhttps=8442 # This is the port that will host the encrypted Ejbca Public Web page.BS web.co.1.external.selfreg. regardless of any # port redirection you may be using.id/ 22/64 .errorpage.bindaddress.org #web.FR.reqcertindb=true web.errorpage.PT.hostname} #httpsserver.stacktrace=true #web.1 and Jboss on CentOS 6.1.0 #httpsserver.fqdn= #httpserver.certtypes.certprofile=ENDUSER #web.SE.bindaddress.fqdn=${httpsserver.log  The jboss user must be the owner of both the jboss directory tree and the ejbca directory tree. httpserver.defaultcerttype=1 web.selfreg.privhttps=443 #Don't set these up unless you use an apache proxy for port translation #httpserver.0.usernamemapping=CN web.privhttps=0.diplaysensitiveinfo=true #web. web.DE.selfreg.certtypes.1.selfreg.Final chown ­R jboss:jboss /opt/ejbca_ce_6_1_1 service ejbca start http://ejbcacentos.1. we can do our initial deployment of ejbca to jboss.notification=An exception has occurred.0.0. service ejbca stop chown ­R jboss:jboss /opt/jboss­as­7.ES.log. # Note that the Ejbca Public Web page link to the administration # page will try to include this port in the URL.enabled=false web. Open a terminal session to solely monitor the jboss console file: tail ­f /var/log/ejbca/console.pubhttp=0.1.0 web.docbaseuri=disabled #web.ZH.manualclasspathsenabled=true web.0.0.pubhttps=0. This will fixed at the end of # the how­to.selfreg.external.5 # without client certificate authentication.IT.contentencoding=UTF­8 #hardtoken.eeprofile=SOMEPROFILE web.4/25/2016 Installing EJBCA 6.external. # as well as the Administration page.certtypes.renewalenabled=false #web.adminremoteip=true #web.UA. blogspot.version             = 1.password            = ***      [echo] mail.name            = mysql      [echo] database.from                = [email protected] =       [echo] web.xml Adds our ejbca datasource information to standalone.jdbc.host           = localhost      [echo] mail.url             = jdbc:mysql://127. you'll see new messages quickly arrive in the console log.yourcompany.external.debug               = false      [echo] httpserver. The following errors can be ignored ‐ they're bugs in jboss: http://ejbcacentos.type           = jboss      [echo] appserver. You could use a path variable when executing ant .sql = select 1      [echo] mail.enabled                    = false      [echo] xkms.jndi­name     = EjbcaDS      [echo] datasource.C=US      [echo] ocsp.co.1 (working copy) CONFIGURATION PROPERTIES ­­­­­­­­­­      [echo] appserver. Lastly.external.username        = ejbcadbuser      [echo] database. Because this is our first deployment.port           = 25      [echo] mail.5 cd /opt/ejbca sudo ­u jboss ant deploy Always execute ant as the jboss user.id/ 23/64 .password     = ***      [echo] httpserver.smtp.user                = ejbca      [echo] mail.1 and Jboss on CentOS 6.auth           = false      [echo] mail.6.net      [echo] httpsserver. the files it creates will be owned by root.portno                  = 829      [echo] cmp.ear file.signaturealgorithm  = SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA      [echo] datasource. but you can usually spot a nice summary section that is given before the actual compilation of ejbca. then prompts jboss to deploy it./log      [echo] cmp.useSeparateCertificateTable = false      [echo] database.tcp.enabled                 = false      [echo] cmp.net      [echo] mail.conffile                =       [echo] xkms.xml Populates the database with the initial schema While all this is happening. uses that information to compile an ejbca.jndi­name           = java:/EjbcaMail      [echo] mail.4/25/2016 Installing EJBCA 6.privhttps = 8443      [echo] httpsserver.tcp. and you'll have 99 problems.connection.0.pubhttp         = 8080      [echo] httpserver.net.enabled          = true      [echo] cmp.valid.tcp.driver          = com.1.home           = /opt/jboss      [echo] java.defaultresponder    = CN=rootca.Driver      [echo] database.yourcompany.jndi­name­prefix = java:/      [echo] database. jboss must be running when you run ant.smtp. you must always execute ant from the /opt/ejbca directory.subtype        = jboss7      [echo] appserver. but I find that just changing directory to /opt/ejbca is easier.O=Your Company.renewalenabled       = false      [echo] ejbcaws.privhttps     = 8443      [echo] httpserver.1. Also.mysql.0_30      [echo] ocsp. The deployment process itself pulls information from our config data.logdir                  = . as that is where build.hostname     = rootca. ant also does the following: Adds our ejbca mail configuration to standalone.1:3306/ejbcadb?characterEncoding=UTF­8      [echo] database.xml is located.smtp.ear begins: display­properties:      [echo]       [echo] ­­­­­­­­­­ EJBCA 6.password        = ***      [echo] database.pubhttps         = 8442      [echo] httpserver. Otherwise.0.serviceport                = 8080 Deployment Error Messages You'll also see various log messages showing errors on compilation.tcp.contentencoding      = UTF­8      [echo] web. server] (DeploymentScanner­threads ­ 2) JBAS018559: Deployed "ejbca.cesecore. It is worth taking the time to describe what the various ant command scripts do in slightly greater detail. compiles the ejbca.1.0'.ErrorLogger] (MSC service thread 1­4) HHH000196: Error parsing XML (21) : cvc­complex­type. They are very useful when fixing with troublesome installations. The ant install script takes your configuration files. The build process can be called directly using ant build.util. and a full deployment must be performed manually once installation is complete.jboss. As you know. you may need to use a deprecated command: ant bootstrap. note that you will see tons of the following messages returned directly by ant during every operation: appserver.jboss.jsf. Then ant uses the jboss jee.1 and Jboss on CentOS 6.id/ 24/64 .as. Various changes to jboss are also made by this script.error.ear file must exist before the install script can execute.4/25/2016 Installing EJBCA 6.resource.5 06:05:16.jsf.  This message refers to the fact that the community version of ejbca does not support database integrity protection: 06:06:13.properties.co.as. and copies these new files to their proper locations.477 ERROR [org. Attribute 'version' has a fixed value of '2.769 INFO  [org. If you continue to receive errors during deployment after trying ant clean.ear file.   http://ejbcacentos.ProtectedData] (MSC service thread 1­4) No database integrity protection available in this version of EJBCA. But ant deploy always runs both targets. and then prompts jboss to deploy it.xml.dbprotection.915 SEVERE [javax. A separate script for installation is required to segregate one‐time actions (like generating the keystores) from the repetitive actions of deployment. You'll always see these errors no matter what you do.management­operation] (management­handler­thread ­ 1) JBAS014612: Operation ("composite") failed ­ address: ([]): java.JsfInjectionProvider' does not extend DiscoverableInjectionProvider. uses their information to create further configuration (such as the keystore files).1: Value '1.application] (MSC service thread 1­2) JSF1051: Service entry 'org.ear" Finally. Theoretically.file: /opt/ejbca_ce_6_1_1/conf/jndi.1.hibernate.IllegalArgumentException 06:05:39. all of its functions are now performed by ant deploy.3.848 ERROR [org. and to learn a few new ones. ant runs the build target that performs the preparation and compilation.web. it becomes much more difficult to fix configuration mistakes.175 INFO  [org.enterprise. Once installation is complete.1.as. Running ant deploy while reading the logs gives us a chance to fix mistakes before proceeding.  Entry will be ignored.as] (MSC service thread 1­1) JBAS015874: JBoss AS 7.Final "Brontes" started in 7761ms ­ Started 2855 of 2968 services (111 services are passive or on­demand) 01:38:38.controller. Any other errors and failures should be dealt with before trying to proceed to an installation. the ejbca.deployment.jboss.jboss7 These messages can be safely ignored.0' of attribute 'version' of element 'entity­mappings' is not valid with respect to the corresponding attribute use. 15:29:58.ear file is successfully compiled from what we have built so far.deploy target to perform the actual transfer to jboss.724 INFO  [org.internal. Deleting them can help resolve deployment errors that may arise.lang. More Detail on Ant Why did we do an ant deploy before an ant install? There are two reasons: To test that the ejbca. But eventually you'll see something like these messages if the deployment is successful: 01:38:38.ear.blogspot.jboss. More importantly. You do not need to rebuild everything each time you deploy! The ant clean command will clear temporary files created by prior deployments that may accidentally persist. the ant deploy script creates temporary files used to compile ejbca.webcontainer.properties.message:      [echo] jndi. It is worth mentioning that there are two distinct functions ("targets") being called: First. webcontainer. 06:31:43. they have an important role in cross‐server authentication. The targets used by ejbca to respond to certificate requests will be able to generate EC certificates just fine. try the new ant commands given above.jks ‐ Holds the actual certificate (and its signing chain) used by jboss to secure the ejbca web portals with TLS. The java tool used to manage the keystores is called keytool. and tomcat. It is a good idea to restart jboss. This avoids out‐of‐memory errors that jboss can occasionally throw.1.jboss.web. as I have done in the examples. Note that keytool is only used to manage keystore files. http://ejbcacentos.connector. If this does not resolve the errors.jsf.web. but they have little relevance to the actual "Certificate Authority" functions of ejbca. just "kill ­9" the jboss process and do a service ejbca restart.connector. service ejbca restart cd /opt/ejbca sudo ­u jboss ant install The Initial Keystores I've mentioned the keystore files several times. Entry will be ignored. It is not copied to the jboss directory with the other keystores.jks ‐ Stores a copy of the root CA key that issued the TLS certificate (initially this is the management CA).httpspriv: org. but I will not discuss this further.msc.6.deployment.0­openjdk.id/ 25/64 . Through alternatives. In a distributed installation.jboss.connector.811 INFO [org.jks in the new directory.web.jks is renamed keystore. it will perform various operations until it must prompt you for the passwords to be used for your keystore files. This tool seems to be the primary source of my problems with Elliptic Curve support ‐ the 1.jboss. You are welcome to play with your setup to try and find a working EC config. all of these commands must be executed as the jboss user.jboss. If you do happen to lock up jboss with an out‐of‐memory condition. we can proceed with our installation. The superadmin.6 version isn't fully‐functioned for EC algorithms.co.5 As you might expect. this link points to /usr/lib/jvm/jre­1.blogspot. They are not used to store keys and certificates generated by ejbca once the application is in production ‐ that information is (usually) held in the database. and ejbca isn't smart enough to parse EC keystore requests and prevent unsupported ones from being passed to the tool.httpspub: org. but haven't fully described what they are. Again. and are: tomcat.httpspub:  JBAS018007: Error starting web connector service jboss.StartException in service jboss. jboss uses the keystores in the /opt/jboss/standalone/configuration/keystore directory for TLS.480 SEVERE [javax. Also note that the ejbca configuration files for the keystores refer to EC support in various places.enterprise. Their prominence during installation makes them seem very important.x86_64/bin/keytool. then perform the install.jsf.web.service.controller] (Controller Boot Thread) JBAS014774: Service status report JBAS014777:   Services which failed to start: service jboss.httpspriv:  JBAS018007: Error starting web connector Assuming that we are not seeing these (or any other) errors.p12 file that contains the client certificate used to authenticate the default administrator account is also located in /opt/ejbca/p12.StartException in service jboss. You should then be able to perform your ant command successfully.service.msc. The easiest way to deal with this problem is to simply use RSA encryption for our keystores.resource. It is critical to understand that while ant creates the keystores in /opt/ejbca/p12.as.connector. After creation. the keystore files are located in /opt/ejbca/p12. The keystores hold the certificates used by ejbca to secure its web portal. and (in our installation) is called by a link in /usr/bin/. If this is not done.1 and Jboss on CentOS 6.web. you'll likely see these errors upon service start or deployment: 06:31:45.4/25/2016 Installing EJBCA 6. truststore. these files are copied by the install script to /opt/jboss/standalone/configuration/keystore. When the install script runs.application] (MSC service thread 1­4) JSF1051: Service entry 'org.JsfInjectionProvider' does not extend DiscoverableInjectionProvider. nothing more.as. dn                  : CN=mgmtca.O=Your Company.validity            : 3650      [echo] ca..ejbca.1.dn         : CN=rootca. ejbca would only store these passwords in hashed form.home         : /opt/jboss      [echo]          If the keystore creation fails due to an invalid encryption configuration (like trying to use EC).SHA256WithRSAAndMGF1.tokenproperties     : /opt/ejbca/conf/catoken. While keystore creation is taking place.SHA256withECDSA.jks file.SHA1WithDSA.C=US      [echo] ca.dn          : CN=superadmin. Ideally.C=US      [echo] superadmin.SHA512WithRSA. You can include these passwords in the . SHA1withECDSA.certificates.O=Your Company. ant install generates the initial copies of the keystores based on the configuration in install.C=US      [echo] superadmin.batch       : true      [echo] appserver. Unfortunately. However. but there is nothing we can do about this at the moment. ant install will return messages like these:  [echo] Initializing CA with 'mgmtCA' 'CN=mgmtca.tokentype           : soft      [echo] ca. Depending on how thoroughly you configured these files.keyspec             : 4096      [echo] ca.1 and Jboss on CentOS 6.signaturealgorithm  : SHA256WithRSA      [echo] ca. ejbca keeps clear copies of the keystore passwords in standalone.SHA384WithRSA.yourcompany. ant install may prompt you for a good deal of information required to create the initial certificates.properties.ca.C=US' 'soft' <ca. you will see another summary stanza describing the management CA being created:      [echo]       [echo] ­­­­­­­­­­­­­­­­­­­ CA Properties ­­­­­­­­­­­­­­­­      [echo] ca. GOST3411withECGOST3410.InvalidAlgorithmException: Signature algorithm SHA384withRSA is not one of the allowed signature algorithms.co.properties  ­superadmincn 'SuperAdmin'.cli.properties      [echo] httpsserver. you should only be prompted for the three passwords that will be used to authenticate the keystores: Please enter the password of the truststore with the CA certificate for https? [changeit]     Please enter the password of the keystore with the TLS key for https [serverpwd] (and later) Please enter the superadmin password (default: ejbca) ? [ejbca] To clarify what each password is for: The "truststore with the CA certificate for https" is the truststore. http://ejbcacentos..ui. and not be prompted for them.tokenpassword hidden> '4096' 'RSA' '3650' 'null' 'SHA384withRSA' /home/ejbca/conf/catoken.ErrorAdminCommandException: org.SHA224withECDSA.5 As mentioned. But if you have stayed close to the examples. The "keystore with the TLS key for https" is the tomcat.O=Your Company.xml.net      [echo] httpsserver.4/25/2016 Installing EJBCA 6.SHA384withECDSA.SHA256WithRSA. my personal feeling is that you should never have passwords stored in clear text.hostname   : rootca.properties and web. ant install will return a message like:  [java] org.GOST3411withDSTU4145}.O=Your Company. short of rewriting the install script.yourcompany.net.properties files. Available algorithms: {SHA1WithRSA.name                : mgmtca      [echo] ca.cesecore.keytype             : RSA      [echo] ca.cn          : superadmin      [echo] superadmin.p12 file.id/ 26/64 .policy              : null      [echo] ca. After this.blogspot.jks file. The "superadmin password" is the password for the superadmin. and verify that you no longer receive unexpected errors in your console log before proceeding.wsdl If you see these contexts being successfully registered.web] (MSC service thread 1­1) JBAS018210: Registering web context: /ejbca/doc WSDL published to: file:/opt/jboss­as­7.1. But the best way to get a feeling for how your installation is proceeding is to look for the following messages spread through the output: 06:20:59. In the log file.521 INFO  [org.tomcat.484 INFO  [org. But note that most of these contexts are dynamic in nature. Finalizing the Installation Aside from keystore creation.jboss.jboss. and security information.1.141 INFO  [org.521 INFO  [org.jboss.http11.Final/standalone/data/wsdl/ejbca.util.jboss.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/clearcache 06:20:59.576 INFO  [org.jar/EjbcaWSService.Http11Protocol] (MSC service thread 1­2) Error initializing endpoint: java.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/publicweb/apply 06:20:59.as] (Controller Boot Thread) JBAS015875: JBoss AS 7.web] (MSC service thread 1­4) JBAS018210: Registering web context: /ejbca 06:20:59.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/publicweb/healthcheck 06:20:59.jks (No such file or directory) 06:21:15.jboss.blogspot. Also.JSSESocketFactory] (MSC service thread 1­2) Failed to load keystore type JKS with path /opt/jboss/standalone/configuration/keystore/keystore.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/publicweb/webdist 06:20:59. and usually cannot be browsed to check their function ‐ you must create your own CAs first.io.jks (No such file or directory) Troubleshooting keystore creation boils down to interpreting the errors in both ant output and the console log. some services. If you did not (or could not) make a vm snapshot immediately prior to running ant install.web] (MSC service thread 1­3) JBAS018210: Registering web context: /${app. you can feel assured that the various functions of ejbca are being successfully built.571 INFO  [org. the install script also does the following: Builds the actual management CA instance in the database Updates standalone.FileNotFoundException: /opt/jboss/standalone/configuration/keystore/keystore.728 INFO  [org.net. like the healthcheck. all hope is not lost! Perform these steps.184 ERROR [org.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/ejbcaws 06:20:59.jboss.web] (MSC service thread 1­1) JBAS018210: Registering web context: /crls 06:20:59.482 INFO  [org.516 INFO  [org.co. http://ejbcacentos.1.491 INFO  [org.jks (No such file or directory): java.FileNotFoundException: /opt/jboss/standalone/configuration/keystore/keystore.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/adminweb 06:21:16.web] (MSC service thread 1­2) JBAS018210: Registering web context: /certificates 06:21:00.name}/publicweb/status 06:20:59.jboss.727 INFO  [org.io.jboss.Final "Brontes" started (with errors) in 162ms ­ Started 135 of 218 services (2 services failed or missing dependencies.jboss. primarily relating to encryption functions for the keystore files.xml with keystore.jboss.188 ERROR [org.5 and the console log will include messages like: 06:21:15.jboss.506 INFO  [org.1 and Jboss on CentOS 6. 80 services are passive or on­demand) Recovering from a Failed Install Chances are that you will discover mistakes after your first installation attempt. The installation will likely end with an error message that will go away once we manually perform a deployment (although ant will report the installation as "BUILD SUCCESSFUL"): 06:31:43.apache.1.jboss.812 ERROR [org.4/25/2016 Installing EJBCA 6.1. You can infer this syntax from the messages given in the ant console output. If you just can't shake weird errors in the log.apache.ear/ejbca­ws­ ejb.jboss. you really have no other choice than to completely start over. you will see many new messages.coyote.jsse.jks due to /opt/jboss/standalone/configuration/keystore/keystore.id/ 27/64 . But problems usually stem from the keytool command syntax that ant install puts together.web] (MSC service thread 1­3) JBAS018210: Registering web context: /ejbca/publicweb 06:20:59. web session. are only available from localhost (as shown in the properties files). 1 and Jboss on CentOS 6.xml Delta ### Remove:  <subsystem xmlns="urn:jboss:domain:web:1. We will check both the ejbca and the jboss copies: cd /opt/ejbca/p12 keytool ­list ­v ­keystore tomcat.jks/keystore. but also that the passwords associated with the files are the ones we expect. it is quite important to check the contents of the keystore files prior to continuing with the build.id/ 28/64 .xml Delta ### service ejbca start sudo ­u jboss ant clean  sudo ­u jboss ant deploy sudo ­u jboss ant install Checking the Keystores Regardless of whether or not we had problems with their creation. This ensures not only that the contents are correct.jks should initially be: The root CA certificate used to identify your management CA.jks keytool ­list ­v ­keystore truststore.jks" verify­client="true" ca­certificate­ file="/opt/jboss/standalone/configuration/keystore/truststore.jks cd /opt/jboss/standalone/configuration/keystore keytool ­list ­v ­keystore keystore. The TLS certificate for your server. the contents of tomcat.net" password="blah blah blah" certificate­key­ file="/opt/jboss/standalone/configuration/keystore/keystore.net" password="blah blah blah" certificate­key­ file="/opt/jboss/standalone/configuration/keystore/keystore.1" scheme="https" socket­binding="httpspriv" secure="true">                 <ssl key­alias="rootca.1" default­virtual­server="default­host" native="false">             <connector name="http" protocol="HTTP/1.com"/>             </virtual­server>         </subsystem> ### End standalone. An additional copy of the management CA certificate chained to the TLS certificate as the signing authority.xml ### Start standalone.yourcompany. http://ejbcacentos.jks rm /opt/jboss/standalone/configuration/keystore/truststore.5 service ejbca stop mysql ­u root ­p drop database ejbcadb; create database ejbcadb; exit rm /opt/ejbca/p12/tomcat.jks rm /opt/ejbca/p12/superadmin.jks"/>             </connector>             <virtual­server name="default­host" enable­welcome­root="true">                 <alias name="localhost"/>                 <alias name="example.co.jks vi /opt/jboss/standalone/configuration/standalone.jks" ca­certificate­password="blah blah blah"/>             </connector>             <connector name="httpspub" protocol="HTTP/1.4/25/2016 Installing EJBCA 6.jks rm /opt/ejbca/p12/truststore.yourcompany.jks keytool ­list ­v ­keystore truststore.1" scheme="http" socket­binding="http" redirect­port="8443"/>             <connector name="httpspriv" protocol="HTTP/1.p12  rm /opt/jboss/standalone/configuration/keystore/keystore.1" scheme="https" socket­binding="httpspub" secure="true">                 <ssl key­alias="rootca.blogspot. which will be issued to the FQDN of your server.1.jks Again. ear. CN=mgmtca Serial number: 1e1369e62435a307 Valid from: Sat Apr 26 06:20:16 GMT­08:00 2014 until: Tue Apr 23 06:20:16 GMT­08:00 2024 Certificate fingerprints:      MD5:  CB:04:B3:2A:5A:AA:AA:AA:54:BB:C1:3E:72:A2:F1:62      SHA1: 07:89:0F:48:97:35:FF:AA:B5:69:35:97:69:8B:B1:40:D8:2A:02:2A      Signature algorithm name: SHA256withRSA      Version: 3 Extensions:  #1: ObjectId: 2. O=Your Company.5.15 Criticality=true KeyUsage [   DigitalSignature   Key_CertSign   Crl_Sign ] .apache.1 and Jboss on CentOS 6.1.net Creation date: Apr 26. or password was incorrect Returning to our own tests of the keystores. 2014 Entry type: trustedCertEntry Owner: C=US.JSSESocketFactory] (MSC service thread 1­4) Failed to load keystore type JKS with path /opt/jboss/standalone/configuration/keystore/keystore.io. storing them in the standalone.. or password was incorrect: java.yourcompany.xml stanzas mentioned in the previous section.IOException: Keystore was tampered with.tomcat. you will see the following stanza at the top of the list output: *****************  WARNING WARNING WARNING  ***************** * The integrity of the information stored in your keystore  * * has NOT been verified!  In order to verify its integrity. Ejbca. the output of a list operation (with the proper password) will look something like this (some of the extensions are omitted for brevity): ### Start keystore. However. takes the passwords that are entered during installation and uses them as the authentication codes for the keystores. for its part.blogspot. the service will eventually start.29.                  * *****************  WARNING WARNING WARNING  ***************** This functionality is by design. and will report the following message in the console log: 20:45:43.5 A "key" thing to note regarding keytool: when running the list commands above.util. 2014 Entry type: PrivateKeyEntry Certificate chain length: 2 http://ejbcacentos.xml at start time.jks ### Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entriesAlias name: cacert Creation date: Apr 26. CN=mgmtca Issuer: C=US.. O=Your Company.566 ERROR [org.co.net. you may notice that the keys will be successfully listed regardless of the password (or lack of one) that you enter.jks due to Keystore was tampered with.id/ 29/64 . but will fail to start ejbca.jsse. If jboss cannot validate the keystores with the passwords stored in standalone. ] ******************************************* ******************************************* Alias name: rootca. * * you must provide your keystore password.4/25/2016 Installing EJBCA 6.  O=Your Company. ] ******************************************* ******************************************* ### End keystore.jks ### The truststore.net Issuer: C=US. 2014 Entry type: trustedCertEntry http://ejbcacentos. CN=mgmtca Serial number: 5a797a3381345da2 Valid from: Sat Apr 26 06:10:21 GMT­08:00 2014 until: Mon Apr 25 06:10:21 GMT­08:00 2016 Certificate fingerprints:      MD5:  AF:C1:26:10:24:9D:FE:08:45:F0:45:CA:57:33:BB:FE      SHA1: 11:5F:8F:A2:AC:E6:D2:3C:1E:CC:6A:A8:3B:9F:57:8D:4E:D6:59:3C      Signature algorithm name: SHA256withRSA      Version: 3 Extensions:  #1: ObjectId: 2.jks ### Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: mgmtca Creation date: Apr 26. CN=MgmtCA Serial number: 1e1369ef834ea307 Valid from: Sat Apr 26 06:20:16 GMT­08:00 2014 until: Tue Apr 23 06:20:16 GMT­08:00 2024 Certificate fingerprints:      MD5:  CB:04:B3:2A:5A:7B:40:72:54:BB:C1:3E:72:A2:F1:62      SHA1: 07:89:0F:48:97:35:FF:AA:B5:69:35:97:69:8B:B1:40:D8:2A:02:2A      Signature algorithm name: SHA256withRSA      Version: 3 Extensions:  #1: ObjectId: 2. ] Certificate[2]: Owner: C=US.id/ 30/64 ..1.. O=Your Company..co. O=Your Company. which initially is only the management CA: ### Start truststore.5.blogspot.5 Certificate[1]: Owner: C=US.yourcompany. CN=rootca..5.29. O=Your Company.jks file contains the keys of all authorities trusted by jboss.15 Criticality=true KeyUsage [   DigitalSignature   Key_CertSign   Crl_Sign ] .15 Criticality=true KeyUsage [   DigitalSignature   Key_Encipherment ] . CN=MgmtCA Issuer: C=US.1 and Jboss on CentOS 6.4/25/2016 Installing EJBCA 6.29. which is only available to localhost and uses the jadmin account we created earlier. Nearly all of our production configuration is performed from this page. to make sure that ejbca restarts successfully: service ejbca restart service ejbca restart service ejbca restart  Assuming there are no errors. It refers to an "Administration Console". but we will change this once ejbca is fully functional.net/ejbca ‐ This is the encrypted version of the page above. CN=mgmtca Issuer: C=US.15 Criticality=true KeyUsage [   DigitalSignature   Key_CertSign   Crl_Sign ] .4/25/2016 Installing EJBCA 6. It requires the superadmin.p12 certificate as well. it doesn't interact with ejbca.29. http://rootca.net ‐ This is the unencrypted default webpage for Jboss.yourcompany. This is where vm snapshots become very handy.5. https://rootca. the superadmin certificate is installed by opening: Tools ==> Options ==> Advanced ==> Certificates ==> View Certificates http://ejbcacentos.yourcompany.1. The superadmin certificate only grants our browser the ability to log in to the administration interface of the ejbca application‐ not the jboss web console.co. you must have the superadmin.net/ejbca ‐ This is the public ejbca webpage. In Firefox. O=Your Company. Production Deployment and Test Now we can perform our first true deployment that should give us a functional ejbca server: sudo ­u jboss ant deploy It's a good idea to restart jboss a few times following this step. There are a few of them: http://rootca.id/ 31/64 .. At present.5 Owner: C=US. ] ******************************************* ******************************************* ### End truststore. CN=mgmtca Serial number: 1e1369ef834ea307 Valid from: Sat Apr 26 06:20:16 GMT­08:00 2014 until: Tue Apr 23 06:20:16 GMT­08:00 2024 Certificate fingerprints:      MD5:  CB:04:B3:2A:5A:7B:40:72:54:BB:C1:3E:72:A2:F1:62      SHA1: 07:89:0F:48:97:35:FF:AA:B5:69:35:97:69:8B:B1:40:D8:2A:02:2A      Signature algorithm name: SHA256withRSA      Version: 3 Extensions:  #1: ObjectId: 2. It is a good idea to test access to each of these pages individually.yourcompany. The primary functions of ejbca are accessed from here. O=Your Company. But we need to open an scp session to our server and retrieve the superadmin.1 and Jboss on CentOS 6.p12 certificate before we can access the ejbca administration webpage.jks ### If your outputs vary wildly from what is shown above.p12 certificate installed in your browser to reach this page. Otherwise. you will need to go back and revalidate your properties files.net/ejbca/adminweb ‐ This is the primary administration webpage for ejbca. then reinstall your server..blogspot. http://rootca. using a fresh browser session each time.yourcompany. the ejbca web portals are now active. It is worth noting how Primekey uses the term "publisher". this connection is to the same database (ejbcadb) that the Certificate Authority uses.properties file defines OCSP protocol functionality.properties ### Start ocsp. but we still need the "publisher" to be defined in va­publisher. However. But certificate validation is a core function of PKI.properties.properties ### # ­­­­­­­­­­­­ OCSP responder configuration ­­­­­­­­­­­­­­­­­­­­­ ocsp. such as its healthcheck function. Like the CA datasource. the VA datasource configuration will be added to standalone.contextroot=/ejbca/publicweb/status #ocsp. The first step towards enabling the Validation Authority is to create the validation‐related properties files in the /opt/ejbca/conf directory: cp sample/ocsp.properties cp sample/va. CRL distribution) as being the "Validation Authority".4/25/2016 Installing EJBCA 6. It is important to note that you can legitimately have a CA without validation ability. in our standalone environment. Adding the Validation Authority Now that we are reasonably sure that the management CA is functional. The ocsp.properties file defines general operation of the Validation Authority.sample va. and skip this entire section of the how‐to. we can add validation functions to our server. our standalone server is only "publishing" to its own Validation Authority service.properties cp sample/va­publisher.properties.p12.id/ 32/64 .properties files are created). OCSP.properties Like the examples above. here are files I am using: ocsp. so I suggest you add it now.net/ejbca/adminweb and arrive at the administration webpage after being prompted for the certificate. Once we have installed superadmin.co.sample va­publisher.properties. Defining the VA's datasource is the purpose of the va­publisher. In our case.contextroot=/status # This is the DN of the CA that will respond to requests for unknown certs http://ejbcacentos.enabled=true #ocsp.properties.xml during deployment (once the VA‐specific .properties file.sample ocsp.1.enabled=false # This is the path for the OCSP URL ocsp. Primekey refers to the processes that perform certificate validation (CMP.yourcompany.blogspot. It describes the notion of a particular ejbca component "publishing" information (from a datasource) to a separate server in a distributed ejbca installation. You will need to enter the superadmin password you entered during ant install to decrypt the file. The va.5 and selecting "Import" from the "Your Certificates" tab.1 and Jboss on CentOS 6. we can browse to: https://rootca. Referring back to our ASCII logical layout diagram: mysql ­­> java­sql­connector ­­> jboss ­­> ejbca CA ­­> ejbca VA ­­> OCSP                    ^               ^                     |               |                    ­­­­­­ java ­­­­­ What this diagram does not show is that the Validation Authority has its own Jboss datasource that is discrete from the one used by the Certificate Authority. extensionclass= #ocsp.trx­log­order = ${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN _SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${PROCESS_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_ NAME_HASH};${ISSUER_KEY};${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS} ocsp.nonexistingisgood=false #ocsp.margin.maxAge = 100 #ocsp.extensionoid= #ocsp.update.nonexistingisgood.uri.4/25/2016 Installing EJBCA 6.blogspot.unidtrustdir= #ocsp.1.wsurl = https://milton:8443/ejbca/ejbcaws/ejbcaws #ocsp.seconds= #ocsp.maxAge = 30 #ocsp.time.includecertchain=true ocsp.retentionperiod = ­1 ocsp.*/thisEndingIsGood$ #ocsp.properties ### Start va.+?)\\} #ocsp.trigging.nonexistingisrevoked.signaturealgorithm=SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA ocsp.hosts= # Default: false ocsp.expiredcert.nonexistingisgood.rekeying.1=.safety.id/ 33/64 .*/thisEndingIsBad$ #ocsp.nonexistingisrevoked=false #ocsp.seconds= #ocsp.log­timezone = GMT #ocsp.nonexistingisrevoked.2=^http://revoked.myhost.revoked.audit­log = true #ocsp.* #ocsp.in.maxAge = 100 ocsp.expiredcert.retentionperiod = 31536000 #ocsp.C=US   ocsp.in.uri.rekeying.O=Your Company.5 ocsp.password= #ocsp.1=.rekeying.responderidtype=keyhash ocsp.co.revoked.maxAge = 30 #ocsp.999.rekeying.revoked.warningBeforeExpirationTime=10000 ocsp.* ocsp.unidcacert= #ocsp.uri.includesignercert=true ocsp.* ocsp.1=.nu:8080/.trigging.uri.999.nonexistingisbad.trx­log­pattern = \\$\\{(.nu:8080/.audit­log­pattern = \\$\\{(.untilNextUpdate = 0 #ocsp.audit­log­order = SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";REPLY TIME:${REPLY_TIME};\nTIME TO PROCESS:${PROCESS_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS} #ocsp.untilNextUpdate = 50 ocsp.properties ### http://ejbcacentos.untilNextUpdate = 0 #ocsp.signingCertsValidTime=300 ocsp.2=^http://bad.revoked.nu:8080/.log­safer = true ### End ocsp.rekeying.properties ### va.2=^http://good.uri.untilNextUpdate = 50 ocsp.defaultresponder=CN=defaultca.999.log­date = yyyy­MM­dd:HH:mm:ss:z #ocsp.999.uniddatsource= #ocsp.*/thisEndingIsRevoked$ #ocsp.trx­log = true ocsp.myhost.signaturerequired=false #ocsp.myhost.uri.1 and Jboss on CentOS 6.nonexistingisbad.+?)\\} #ocsp. # # In "PrimeKeyese": Configure these options if you are configuring EJBCA that will publish  # certificates to a VA. but I think that's a poor idea. # The downloaded file will use the alias for the name.cgi?sKIDHash=O4RdnGNf3WPioslAQsX71aR1/MI&delta= is the same as http://myhost.cgi and paste it in the config file and restart the application server.Final chown ­R jboss:jboss /opt/ejbca_ce_6_1_1 service ejbca start cd /opt/ejbca sudo ­u jboss ant deploy Note that in ocsp.username=ejbcadbuser # Set your database user password here ocsp­database.yourcompany.com:8080/crls/search.signtest=true ocsphealthcheck.1.properties.1.com:8080/certificates/search.checkSigningCertificateValidity=true # The example below defines the alias 'root' for 'O4RdnGNf3WPioslAQsX71aR1/MI' and then: # http://myhost.cgi?alias=root&delta= # Copy the sKIDHash from http://myhost. we perform the same set of commands we ran before our initial deployment: service ejbca stop chown ­R jboss:jboss /opt/jboss­as­7.1:3306/ejbcadb?characterEncoding=UTF­8 ocsp­database.cgi?sKIDHash=O4RdnGNf3WPioslAQsX71aR1/MI is the same as http://myhost.0. # Here is the example: #va.defaultresponder".root=O4RdnGNf3WPioslAQsX71aR1/MI ### End va.co. I use an empty "default" CA solely for this purpose.mysql.com:8080/certificates/search.1 and Jboss on CentOS 6. ocsp­datasource. This is the DN of the CA that will answer OCSP requests for unknown CAs.blogspot.com:8080/crls/search.cgi?alias=root # http://myhost. For now.password=pumpkin ### End va­publisher. we define the "ocsp.url=jdbc:mysql://127.Driver ocsp­database.sKIDHash.com:8080/crls/search.*" properties are used to configure the VA connection to the database.properties.4/25/2016 Installing EJBCA 6.properties ### Start va­publisher.jdbc.alias.5 #­­­­­­­­­­­­­­­­­­­ Validation Authority (VA) Healthcheck settings ­­­­­­­­­­­­­ ocsphealthcheck.com:8080/crls/search.net defaultca We will create the defaultca near the end of the how‐to.properties ### va‐publisher.cgi?alias=root # http://myhost.com:8080/certificates/search.properties ### To enable the VA.0.driver=com.cgi or http://myhost.cgi?sKIDHash=O4RdnGNf3WPioslAQsX71aR1/MI is the same as http://myhost.com:8080/crls/search. This brings the total number of certificate authorities in our initial installation to three: mgmtca rootca.jndi­name=OcspDS ocsp­database. Primekey recommends that you use the management CA for this. Until the defaultca is created.properties ### #­­­­­­­­­­­­­­ Validation Authority(VA) publisher db configuration­­­­­­­­­­­­­­­­­­­­­­­­­ # All the "ocsp­database.1.id/ 34/64 . just remember this entry in ocsp. you will repetitively see the following message in the console log: http://ejbcacentos. Supervisor Functions ‐ This section is to view ejbca logs and approve requests.NoSuchProviderException: no such provider: BC "BC" is the default bouncycastle (the OCSP java module) instance name. so the http://ejbcacentos.blogspot. the RA can be distributed to a separate ejbca installation used only for registration.5 06:06:13.core. here is a brief description of the interface: CA Functions ‐ This section is to configure the Certificate Authority functions of ejbca.cache. Here. it was installed with the core CA functions. if for whatever reason you have problems with your va­publisher. It also answers queries about certificates that have already been issued. Building the Initial Production CA Administration Overview We are now at the point where we create our first CA.cesecore.379 INFO  [org. In ejbca.1. although this function is distinct from the Validation Authority.  Lastly.security.id/ 35/64 . and general preferences/configuration. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error). some administration functions.OCSPException: problem creating ID: java. the RA is functionality that manages requests for new certificates. This is accomplished via the web admin interface: Administration Homepage Before we start configuring.bouncycastle.protocol.ocsp. It regulates the user accounts associated with each CA and the types of certificates a user is allowed to request. System Functions ‐ This section has some validation functions. In terms of our build.certificatestore. This is another good point to take a vm snapshot. I really like the name "bouncycastle". CA Creation Workflow We will assume that most of the certificates to be issued by our CA will be for standard HTTPS connections using TLS.OcspSigningCache] (MSC service thread 1­4) Default OCSP responder with subject 'CN=defaultca' was not found.1 and Jboss on CentOS 6.632 WARN  [org.CertificateCache] (MSC service thread 1­2) org. RA Functions ‐ This section is to configure the Registration Authority functions of ejbca. However.ocsp.co. you may see the following warning: 06:31:45. we revisit the idea of the "Registration Authority".ejbca.properties file.4/25/2016 Installing EJBCA 6. and is not configured separately.certificates. 4/25/2016 Installing EJBCA 6. Deciding on an Algorithm Choosing a public key encryption algorithm is a "touchy subject" for people lately. "p" or "t" refer to two variants of the elliptic curve algorithm. Focusing first on the SECG convention on ECDSA curve naming: "sec" simply denotes the specification name: "Standards for Efficient Cryptography". as well. Most applications of PKI only support a limited number of possible algorithm/signature combinations. With RSA.id/ 36/64 . Defining the Certificate Profile and End Entity Profile first forces you to have these details defined before committing to CA creation. with opinions usually boiling down to either: "The NSA is an essential tool of the forces of good to gather realtime intelligence on the actions of evildoers. It is useful to have a written workflow for creating CAs in ejbca.co. I summarize a few of them here. The "p" stands for "prime". "r" or "k" refers to the family of curves used by the equation ‐ "Random" or "Koblitz". we should have a certificate that we can install on any standard Apache server.5 example configuration will be geared towards this purpose. and 8192 bits.1." or: "The NSA is an essential tool of the forces of evil to steal secrets and destroy the privacy of the good people of the world. 4096. each configured differently. With ECDSA. CURVE ‐ indicates whether the curve is Koblitz or random NIST ‐ name of the equivalent NIST standard for the curve +­­­­­­­­­­­+­­­­­­+­­­­­­­­+­­­­­­­­­+­­­­­­­+ | SECG NAME | SIZE | RSA EQ |  CURVE  | NIST  | +­­­­­­­­­­­+­­­­­­+­­­­­­­­+­­­­­­­­­+­­­­­­­+ | sect163k1 | 163  |        | Koblitz | K­163 | | sect163r1 | 163  |        | Random  |       | | sect163r2 | 163  |        | Random  | B­163 | | sect193r1 | 193  |        | Random  |       | | sect193r2 | 193  |        | Random  |       | | sect233k1 | 233  |        | Koblitz | K­233 | | sect233r1 | 233  |        | Random  | B­233 | http://ejbcacentos. our choice of public key encryption algorithm is limited to either RSA or Elliptic Curve DSA. The table column titles stand for: SECG NAME ‐ SECG "nickname" of the elliptic curve variant SIZE ‐ length in bits of the field order RSA EQ ‐ approximate size of an RSA modulus at comparable strength. By the time we finish." Regardless of where you fall on the political spectrum. You should know the certificate details (extensions) you will use. The next three numbers refer to the length (in bits) of the modulus of the curve. referring to yet another mathematical variant. with current options being 2048. as you can have different CAs for different purposes. the only variable is the length of your key modulus. but I specifically use this order to illustrate a few concepts: You should know the algorithms and key lengths you will use before creating your CA. Here is the flow we will follow: 1. with thanks to the SECG and Fabio Pietrosanti.blogspot. you have a dizzying number of variants to choose from. we will create an End Entity and issue it a certificate. We could create the Certificate Authority first. Create a Certificate Profile ‐ Defines set of certificate values to be used as a template 2.1 and Jboss on CentOS 6. Create an End Entity Profile ‐ Essentially the same as a user template 3. Create the Certificate Authority ‐ Creating the actual Certificate Authority Once these steps are complete. The last number refers to a "sequence number". NIST P‐256) Extremely briefly. As of now.509 specification allows a dizzying number of potential information fields to be included in a certificate. most of these fields are ignored by the average PKI implementation. it will be the best algorithm to use for your CAs and certificates. If you are worried about the NSA having a "backdoor" in EC. My opinion is that for interoperability reasons. most worries about Elliptic Curve center on the nature of the "random" curves. like Bitcoin does.co.blogspot. However. but with a SHA‐256 key.4/25/2016 Installing EJBCA 6. and Koblitz‐based algorithms are not as widely accepted as those based on the "random" curves. To illustrate this. Once ejbca gets its implementation straight.5 | sect239k1 | 239  |        | Koblitz |       | | sect283k1 | 283  |        | Koblitz | K­283 | | sect283r1 | 283  |        | Random  | B­283 | | sect409k1 | 409  |        | Koblitz | K­409 | | sect409r1 | 409  |        | Random  | B­409 | | sect571k1 | 571  |        | Koblitz | K­571 | | sect571r1 | 571  |        | Random  | B­571 | | secp160k1 | 160  |  1024  | Koblitz |       | | secp160r1 | 160  |  1024  | Random  |       | | secp160r2 | 160  |  1024  | Random  |       | | secp192k1 | 192  |  1536  | Koblitz |       | | secp192r1 | 192  |  1536  | Random  | P­192 | | secp224k1 | 224  |  2048  | Koblitz |       | | secp224r1 | 224  |  2048  | Random  | P­224 | | secp256k1 | 256  |  3072  | Koblitz |       | | secp256r1 | 256  |  3072  | Random  | P­256 | | secp384r1 | 384  |  7680  | Random  | P­384 | | secp521r1 | 521  | 15360  | Random  | P­521 | +­­­­­­­­­­­+­­­­­­+­­­­­­­­+­­­­­­­­­+­­­­­­­+ It is worthwhile to compare the equivalent strength of Koblitz and Random (ECC) curves when tested more rigorously: (in bits) +­­­­­­­­­+­­­­­­­+­­­­­­­­­­­­­­+ | Koblitz |  ECC  |  DH/DSA/RSA  | +­­­­­­­­­+­­­­­­­+­­­­­­­­­­­­­­+ |   163   |  192  |     1024     | |   283   |  256  |     3072     | |   409   |  384  |     7680     | |   571   |  521  |    15360     | +­­­­­­­­­+­­­­­­­+­­­­­­­­­­­­­­+ My takeaway from the information in these tables is: Elliptic Curve equations are far more efficient than the RSA equations.1. it is a good idea to choose a variant that is supported by multiple organizations (SECG. 2048‐bit RSA is the default algorithm. Defining the Certificate Fields The X.id/ 37/64 . there is no guarantee that the NSA won't be able to break your encryption regardless of the algorithm you choose. Currently. my suggestion is to use a Koblitz curve variant. Elliptic Curve equations using Koblitz curves are slightly (10% or so) less efficient than those using "random" curves. Ultimately. this will cost you about 10% of your efficiency. Thankfully. etc) for compatibility purposes. and viewed its properties using the Firefox certificate http://ejbcacentos. NIST. When creating a Certificate Authority in ejbca. I downloaded a certificate used by Google to secure Gmail. the world is moving towards Elliptic Curve cryptography.1 and Jboss on CentOS 6. and whether or not they are truly "random". the best supported variant is prime256v1 (aka secp256r1. you're best off using the de facto standard for TLS on the Internet: 2048‐ bit RSA. When choosing an EC equation. co. TLS Web Client Authentication Certificate Subject Alt Name: DNS Name=mail.O=Google Inc.com/ocsp Certificate Subject Key ID: (160 bit number) http://ejbcacentos.com.com Certificate Key Usage: Signing Authority Information Access:  CA Issuers: URI: http://pki.blogspot.com/GIAG2.1 and Jboss on CentOS 6. ST=California. the full set of included fields can be viewed in the "Details" tab: Gmail Certificate Details Google uses the following fields in this certificate: Version: 3 Serial Number: 07:29:38:9A:3E:F9:9C:B1 Certificate Signature Algorithm: SHA‐1 with RSA Issuer: CN=Google Internet Authority G2.google.1.id/ 38/64 . NIST P‐256) Extended Key Usage: TLS Web Server Authentication.google.62 elliptic curve prime256v1 (aka secp256r1.5 viewer: Gmail TLS Certificate In the Firefox viewer.C=US Algorithm Identifier: Elliptic Curve Public Key Algorithm Parameters: ANSI X9. L=Mountain View. O=Google Inc.google.google.4/25/2016 Installing EJBCA 6. C=US Validity: Not After 7‐21‐2014 Subject: (the DN) CN=mail.crt OCSP: URI http://clients1. com/GIAG2.5 Certificate Basic Constraints: Is not a Certificate Authority Certificate Authority Identifier: (160 bit number) Certificate Policies: 1. By way of comparison.id/ 39/64 .C=US Validity: Not After 5/20/2022 Subject: CN=GeoTrust Global CA.1 and Jboss on CentOS 6.1.4. O=GeoTrust. here is the certificate for the Root CA that validates Gmail's certificate: Geotrust Root CA Certificate The Root CA uses fewer fields than the Gmail certificate.co.google.3.5. and certificates.1 CRL Distribution Points: URI: http://pki. ejbca has five predefined Profiles that contain minimal information. CAs. and cannot be altered or deleted. Creating A Certificate Profile Ejbca uses Certificate Profiles to store commonly used sets of certificate extension field data.11129. http://ejbcacentos. and uses 2048‐bit RSA encryption: Version: 3 Serial Number: 02:34:56 (this is not a typo) Certificate Signature Algorithm: SHA‐1 with RSA Issuer: CN=GeoTrust Global CA.blogspot.2. Inc.6.4/25/2016 Installing EJBCA 6.1.. It is mandatory to use a Certificate Profile when creating a certificate.1..C=US Subject Public Key Algorithm: RSA Encryption Subject's Public Key: (2048‐bit number) Certificate Basic Constraints: Is a Certificate Authority. Inc.crl Certificate Signature Value: (2048‐bit number) This set of fields is a good starting point when defining what your own certificates will contain. Unlimited Intermediate CAs Certificate Subject Key ID: (160‐bit number) Certificate Authority Key ID: (the same 160‐bit number) Certificate Signature Value: (2048‐bit number) These certificates will be used as templates for defining the fields in our initial Profiles. By default.O=GeoTrust. the SERVER Profile is intended to issue certificates to servers supporting TLS. but enforcement is up to the application using the certificate. This value corresponds to 10 years. Note that choosing RSA or ECDSA in this field does not affect the primary public key algorithm used in in the issued certificates. The word "allowed" is misleading in this context. HTTP is the standard for Internet use. and maintain an up‐to‐ date CRL. Validity: 3652d This is the length of time that the certificate will be valid. Client Auth Much like Key Usage. While SHA‐1 is still the de‐facto Internet standard for signing. Key encipherment These values specify the uses that are "allowed" by the certificate. this field is specified in the certificate. Extended Key Usage: Server Auth. If this option is not selected. This could be a "http://" address. or an email address if the owner is a human being. 8192 When a certificate is requested using this Profile.500 standard.5 Certificate Profiles Page In this example. Subject Alt Name: Enabled The default naming convention for identifying a certificate owner is the X. only requests using algorithms with these key lengths will be fulfilled. so it is a good idea to allow both 192‐512 bit lengths to support EC requests.1 and Jboss on CentOS 6. 256.1. while Microsoft active directory certificates use both HTTP and LDAP.blogspot. Use CRL Distribution Point: Enabled This option enables a field in the Certificate Profile that will hold a URL/URI to define the network location of a CRL. However. Below are the field data I used in the Profile.id/ 40/64 . basing it on the default "SERVER" Profile. Note that some fields were pre‐populated with data from the SERVER Profile: Available Bit Lengths: 192. 384. Overrides: Do not allow overrides You have the option of allowing values specified in a Certificate Signing Request (CSR) to "override" values specified in the Profile. you should use the appropriate value for the algorithm you will be using. 512. Signature Algorithm: "Inherit" or "SHA256 with RSA" All certificates are "signed" by the issuing CA using a particular hash algorithm. While there may be good reasons to do this. or an "ldap://" address. which will be http://ejbcacentos. which we will discuss again later. and 2048‐8192 lengths for RSA requests. 4096. Enabling this field means that the CA that will use this Certificate Profile must support Validation Authority functionality.co. 2048. Ejbca does not differentiate between algorithm types in this field.4/25/2016 Installing EJBCA 6. The "d" stands for "days". Use CA defined Distribution Point: Enabled We will inherit the URL defining the location of the CRL from the issuing CA. This is an important option with significant ramifications. As you might guess. I am creating a new Profile named "Default TLS Certificate Profile". This field will typically contain the FQDN of the certificate owner if it is a device. as the Key Use field cannot prevent the certificate owner from using the certificate for whatever purpose it wishes. a URL for the CRL must be defined manually. most certificates are used by devices that use DNS for identification. Key Usage: Digital Signature. However. we will not allow this when using this Profile. Choosing "Inherit" in this field causes all certificates issued using this Profile to inherit the signature algorithm of the issuing CA. it is a good idea to migrate to SHA256 or SHA512. There is an exception to this addressing rule. co. you always have the option of choosing the "EMPTY" Profile. Here are the fields I defined in the Profile: http://ejbcacentos. The only predefined End Entity Profile is "EMPTY". If this option is enabled. An "End Entity" can be considered equivalent to a "user account". While you are forced to choose an End Entity Profile when creating an End Entity.net". CRLs can become quite long. Use CA defined OCSP locator This Profile will include information regarding the URI target to use to reach the OCSP service of the issuing CA. End Entity Profiles Page In this example. "End Entity Profiles" can be used as templates. but will inherit the details of this from the issuing CA. Authority Information Access: Enabled. Creating the End Entity Profile Ejbca requires "End Entities" to be defined before any certificates can be issued.blogspot. To simplify the process of creating similar End Entities.1. the more generic term. "End Entity" accounts are identified using a username. However.id/ 41/64 .5 discussed later. Certificate Policies: Disabled Certificate Policies are RFC‐defined options used for administrative purposes. it is important to understand that while certificates are often issued to human beings. which contains no information. Therefore. FreshestCRL Extension: Disabled This option enables the use of differential (or "delta") CRLs.4/25/2016 Installing EJBCA 6. Subset of Subject Alt Name: Restrict to "DNS Name" only As we will only use the Certificates generated with this demonstration Profile for device‐based TLS.yourcompany. This Profile will contain information that is tuned for use by TLS‐capable devices. regardless of whether that name is "Jose Manolo Enrique Hernandez‐Gonzales" or "yourserver. but each certificate must be requested by the Entity via the Public Ejbca Webpage before it is issued. Each End Entity can be issued 1‐5 certificates. We will not be using this function. we will only use DNS‐based Alternative Names.1 and Jboss on CentOS 6. is used. the same type of address values used for the primary CRL must be defined as well. "End Entity". and the use of "delta" CRLs allows subsets of the full CRL to be distributed. Available CAs: Any CA We will allow this Profile to be used by any CA on our ejbca server. We will not use them. most certificates are issued to devices. I am creating a Profile called "Default TLS Device Entity Profile". Available CAs: Set to Any CA Default Token: User Generated Available Tokens: All Number of Allowed Requests: 2 Usually.1 and Jboss on CentOS 6. in case we make a mistake in our first certificate request. If the entity will be a person. On the "Create Certificate from CSR" webpage.net  (Use. Once a CA certificate is issued. this fact makes the security of our database a greater concern than it might otherwise be.co. Modifiable.net Notification Recipient: [email protected]. no modify): Your Company L (Required. As you might expect. Creating the Certificate Authority As descibed in the beginning of the how‐to. you should manually create your Crypto Token. Here we allow two.net") once it is created. then save the Profile.yourcompany. no modify): Your Country Subject Alternative Name: DNS Name: . Default Certifiate Profile: Default TLS Certificate Profile Default CA: Use "mgmtca" (for now) Choose the name of your new root CA (in this how‐to: "rootca. As we are only using "soft" Crypto Tokens. just assume for now that it can't be done. stronger key. We have two options for defining the Crypto Token used by any CA we create: Make the Crypto Token first.blogspot. Send Notification: Use default and required Sender: ejbca@yourcompany. and does not give us an option to choose otherwise. no modify):Your State C (Required.id/ 42/64 . Required and Modifiable) This entry is intended to contain the email domain name only. then associate the new CA with it Or: Allow ejbca to create the Crypto Token automatically There is a consequence to allowing ejbca to generate the Crypto Token: it uses a 2048‐bit RSA key in the CA certificate. you can set it here. without the "@" sign. a Crypto Token is the logical structure that a CA's keys are held in. First enter the Crypto Token interface: http://ejbcacentos. you will complete this entry with the entity's hostname. End Entity Email: yourcompany.4/25/2016 Installing EJBCA 6. You will be allowed to enter the user‐specific portion of the address when creating the Entity. no modify):Your City ST (Required. you will use the "RFC 822 Name (email address)" for the Subject Alternatve Name instead of the DNS Name.1. this password is called the "Enrollment Code". ejbca did something! Now add the notification.net When using this Profile to create an entity. it cannot easily be updated with a new. Subject DN Attributes: CN (Required.net Notification Events: All Subject and message: Hey. it is desirable to ensure that only a single Certificate is issued to an End Entity.  Creating a Crypto Token is simple enough. In fact. Minimum password strength: 48 (in bits) This ensures that passwords are at least eight characters long. you can think of them as being tables in our database. but blank) O (Required.5 Username: (Leave Blank) Password: (Leave Blank) If you want to use the same password for multiple End Entities. So if you wish to use a stronger key for your CA. which will take you to the New Token page: New Crypto Token Page The "Authentication Code" is a password used to encrypt the Crypto Token itself. You will need this code when renewing the CA that uses this Crypto Token. The Crypto Token must be populated with a basic set of keys before we can use it: Basic CA Keys http://ejbcacentos.1 and Jboss on CentOS 6.blogspot.co. select "Create New". "Auto‐activation" should also be enabled.id/ 43/64 .5 Crypto Token Page Then.1.4/25/2016 Installing EJBCA 6. but not "Used". Certification Authorities Page Note that on this page. Here are the settings I used for "rootca. Subject DN: CN=rootca.  Now that we have keys defined with the desired strength.4/25/2016 Installing EJBCA 6.C=US This is the DN that you wish to be included in the CA's own certificate.net. I have also added a key called "ec256p1Key" for testing purposes.its state will change to "Used". we do not have the option of using an existing CA as a template.yourcompany. Use Certificate Request History: Enabled This is essentially "detailed auditing" for requests. Validity: 3652d This value is the length of time that the CA's own certificate will be valid. to show that EC keys can be generated and used by a CA with a RSA defaultKey.O=Your Company. you will see a key named "crlSignKey".5  In this example.co.yourcompany. we can create the new CA.1 and Jboss on CentOS 6. Signing Algorithm: Sha256WithRSA I chose this algorithm because it is the next step up in complexity from the current standard of SHA‐1.1.net": Type of CA: X509 This is the standard for Internet communications. This key is deprecated. we assume that we will not run out of valid serial numbers. Crypto Token: YourTokenName Select the name of the Crypto Token that you created in the previous step. I have added the essentials: certSignKey ‐ Used for Certificate signing defaultKey ‐ Used for everything else testKey ‐ Used for internal health checks only In the example. but it is common to add O http://ejbcacentos.id/ 44/64 . and is no longer needed.blogspot. Once we associate the Token with a CA. we will see that our Crypto Token is labeled as "Active". When finished. Below are the names of the keys (from our Crypto Token) to be used for standard purposes: defaultKey: defaultKey certSignKey: certSignkey keyEncryptKey: ‐ Use default key hardTokenEncrypt: ‐ Use default key testKey: testKey Extended Services Key Specification: RSA 2048 Enforce Unique Serial Number: Enabled As we will (probably) not be generating a huge number of certificates in a lab environment. It includes the CN by default. we can create our first End Entity. Creating an End Entity Now that our CA and Profiles are defined. The URLs for OCSP are also health‐checked. "dNSName" is defined in the RFC4985 specification for X. this is the only area in ejbca where you must specify this prefix. CA Issuer URI: Empty This is an optional field that can be ignored.yourcompany. and try again.5 and C values. and by default.509 Subject Alternative Names. but remove ":8080" from the URL.properties. it will sign its own initial certificate. We must activate the internal health check on the CA Activation page: CA Activation Page This is simple enough to do: just check the "HealthCheck" box next to your CA and hit "Apply". so this field is not included. just "go back" in your browser. and change the protocol from "http://" to "https://" We do this because of our firewall port translation rules. which force all requests to use HTTPS. After entering the "Add Entity" page. we have one final step to take before it is fully functional. Default OCSP Service Locator: Generated. However. Use Issuing Distribution Point on CRLs: Enabled This enables a field to hold the URL for retrieval of this CA's CRL in the CA's own certificate. Now. If for whatever reason creation fails. note that in this field. select the name of the End Entity Profile you created earlier. Remove ":8080". The Health Check process is an automatic check of CA status whereby a HTTPS session is periodically established and dropped to each CA. CA Defined FreshestCRL Extension: Not Generated We are not using "Delta CRLs" with our CA.net As discussed.id/ 45/64 . this is the FQDN of the CA. and change "http://" to "https://". Generate Default CRL Distribution Point: Generated. As far as I can tell. create the CA. the FQDN must be prefixed by "dNSName=".1. Generate Default CRL Issuer: Generated Do not edit this string.4/25/2016 Installing EJBCA 6. Signed by: Self Signed Because this will be a new Root CA.co. Access to the healthcheck URL is limited to localhost.properties file). It should be your DN.blogspot. Subject Alternative Name: dNSName=rootca.1 and Jboss on CentOS 6. as defined in va. This will populate the fields with information from that Profile: http://ejbcacentos. the URL always returns the string "ALLOK" (as defined in the ejbca. Once our CA is made. Correct what was wrong. and all of your settings will be preserved. We do this because of our firewall port translation rules. the Entity is a device. and found that it was: openssl version http://ejbcacentos. You can also have the Token pulled from other sources (like a JKS file).yourcompany. OpenSSL is and shall remain the once and future king of open source encryption. I think it's a good idea to include a short review of OpenSSL's use. so any administrative email can be entered CN: yourdevice. only the following information will be needed before creating the Entity: End Entity Profile: Default TLS Device Entity Profile Username: yourdevice.1 and Jboss on CentOS 6. When starting to write this review.net In this example.yourcompany. you will see the new Entity listed at the bottom of the webpage. It is a complicated tool. I checked the version of OpenSSL on my ejbca server to determine if it was affected by "HeartBleed". Token: User Generated In this example.net The FQDN of the device Certificate Profile: Default TLS Certificate Profile The name of the Device‐specific Certificate Profile created earler CA: rootca.net The name of the CA you created in the previous step. Despite the recent "HeartBleed" bug. which has the ability to generate CSRs using the RSA or EC algorithms. OpenSSL Review ‐ Introduction Ejbca requires us to submit a Certificate Signing Request before issuing a Certificate. Select "Add" to create the Entity.4/25/2016 Installing EJBCA 6.id/ 46/64 . Once the Entity is added. I will focus solely on OpenSSL's CSR‐ related functions.net The FQDN of the device DNS Name: yourdevice. The simplest way to generate a CSR is using the OpenSSL utility. or enter it manually on this page.blogspot.yourcompany. we assume that our Entity will use a password passed to it by the End Entity Profile. and the majority of its functionality is beyond the scope of this how‐to.net The FQDN of the device that will request a certificate Email Address: [email protected] Add End Entity Page Assuming you are using the "Default TLS Device Entity Profile" we created earlier. but it does not include an interface to create one.co. 5 OpenSSL 1.0.1e­fips 11 Feb 2013 Versions of OpenSSL from 1.id/ 47/64 . really need to manually update OpenSSL instead of waiting for the CentOS patch to arrive via yum. so our first CSR will be for a certificate that uses 2048‐bit RSA encryption and a SHA‐256 signing algorithm.0.key ­out server. TrevorH from CentOS states that they are waiting for RedHat to "backport a fix" to version 1.co.key ‐ The new Private Key will be saved in the file: server.blogspot. As of May 7th.key ­­­­­BEGIN RSA PRIVATE KEY­­­­­ MIIEpAIBAAKCAQEA3RFeM/052S+Nf7yVipoLwpvA7uidm/bQ0Qm2DIBz0zjngJG7 mqchOzodugkY0jZQ+8zFkHm+iJd9pjDGNFDoPE3r270GtrholbsNVpspI+VvTVQ+ UiBvccZGB6VGeNJ6Ts5qHbsFWjiU9smhaUd6fnAP6vBWmmYiBz79iLhXRPwUljSb dLUao1RZqTXq57ttL7xM6a1n4HkyYmXSQ/k26tsqoff1DYFVe6SWljL/2WL3zoLp uqDtt5XhVGHu3sk3UYEpC85bZXf6NPGR2b1Ha+IvixMmzTd2eVo1W1tzlYVqRJG+ DQ4kSew6oag8XfvCQ+6x9XCEjWCW2y04TNx8twIDAQABAoIBAQCubG60fH8xMsjl WWlwM31F7lh66ES68zHtTUk7cfpxVPurwNCSBH4+2ershxLzgXHCSt4y0SwZX9X+ 04r/ajrioeSPuwRaFQRH549tnv0F2phIHkkRyY/E6FkG3UvONtvT5B9sF8zwU6aN VaeqhoBK1KZqi3j5V85Pg07Nmg0ZWohgzRnfu4URcQ6kOYk03nrgzo4E5Wt1pE7f dtfWQExjAKiCwVo7C7RyP6xwX8BMeM62mNsZB6Q5+wTeexS9pHi6Mf4aFqspVbhl 4faTiqbuck5zGlx2j+mvIIv55HEfU7omknbmMQrJENr3UDGMMzTxeNJRhdK81PoR BD0667m5AoGBAPTQLal6CgSoRkNq6bwOK5ptru/+vk33QDHwWfvf3+6GDZyly1gq g+6Snr1R3Pul1Kvs5ESlr3vAFZtYoHcJlzMCTeTR3ilzACm8AOp3po6o2ciSRrPM AERO5N3MQIkk5CysX0wMuI/fsx12F4+QV77E5o/FCc6W8FbyrxWU4DvtAoGBAOcr arH4qUoqxSG6TxEylpyvJJzZkcWyqoueOTW7ks51nts3GB3eEGujcuvCA/+Yl0Qt CDtQWU+zCRWDRhQio7CeOJjW+Sef7yJsuECT4fGs8PX2mfabWLEVexMT3kI7u0Jx 3rhl7z4DarxIVBF3MPtFBQkP6JVX+an/nwrQxi6zAoGAVZ8NqU12fYSA9olI8C2g kGU2HtfgpRIJkK24OwBkqF6YGiZeRRqxg9ohzKL5/8VS6UJz35J3Gnfm1qsbjCZ9 jCiNJ69C3QpMj0wiod5xEUn6yUxnj/CUU0+oee46z/xoFTvAJK/6SM97LJ2lxd88 4QqqfLP0Jx3hNvevxoOIHU0CgYByaXahJuUCpDB1BPTlGhiY68Y/Kx+OrWLjPygp g/Cg5m39KUNyZNnTrE3QiXHZKviS8YbFdHr/iyjP0Oz6Qjqpy2VPn/Youmtsqkp3 C7okFugblDWXbEN1QaBsTMUQGugPdrQ4p5rFIoPNNC8HhepkMkDPv2PppmUW0kEw 5StxKQKBgQDO0d5n1hVLvwaU8R5UAr2SD0J2P9lqjv080g8qdx39cR+ObN9h2XYk DYGbVu+Ck8yW25SkpoiLYsrD3Wmvf4yMsXLq2IuQ6Lgi8VTmly5Q8KJDxjUrdc6y wU8GmrUsbCpYHv6VI7K27UW4vnvQrlk+X9eSppH/5M/2jG+f1cfR2Q== ­­­­­END RSA PRIVATE KEY­­­­­ cat server.1 through 1. 2014.0. and include it in a new Certificate Signing Request: openssl req ­newkey rsa:2048 ­nodes ­sha256 ­keyout server. the version of OpenSSL on our server remains vulnerable.csr ‐The new CSR will be saved in the file: server. In the meantime. you really. OpenSSL Review ‐ Creating a RSA CSR We are assuming that EC encryption may not be implemented by some or all the devices in your network.1e (whatever that means).csr cat server.1. The command below will create a new Private Key. along with a new CSR ­nodes ‐ The Private Key created by this command will be unencrypted ­sha256 ‐ The Certificate requested in the CSR will use the SHA‐256 signing algorithm ­keyout server.1f are vulnerable.csr ­­­­­BEGIN CERTIFICATE REQUEST­­­­­ MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAN0RXjP9OdkvjX+8lYqaC8KbwO7onZv20NEJtgyA c9M454CRu5qnITs6HboJGNI2UPvMxZB5voiXfaYwxjRQ6DxN69u9Bra4aJW7DVab http://ejbcacentos. If you intend to use OpenSSL to protect anything on a CentOS‐based server.4/25/2016 Installing EJBCA 6.csr The syntax is composed of these elements: req ‐ Defines that this command will relate to a certificate request ­newkey rsa:2048 ‐ A new Private Key will be created using the 2048‐bit RSA algorithm.key ­out server.0.1 and Jboss on CentOS 6. you should still complete these fields with the correct information. a FreeBSD box running an older branch of OpenSSL supports a greater number of curves: [root@bsdbox] ~# openssl version OpenSSL 0.62 curve over a 239 bit prime field   prime239v3: X9.9. You can list the available curves in your implementation with this command: openssl ecparam ­list­curves secp384r1 : NIST/SECG curve over a 384 bit prime field prime256v1: X9.62 curve over a 192 bit prime field   prime239v1: X9. although the supported variants can.62/SECG curve over a 256 bit prime field The above output was retrieved using the OpenSSL version (1.  vary with the version of OpenSSL you are using. Most of these fields will be disregarded by ejbca during certificate creation as we have disabled "Overrides" in our Certificate Profile.62/SECG curve over a 192 bit prime field   prime192v2: X9.5 KSPlb01UPlIgb3HGRgelRnjSek7Oah27BVo4lPbJoWlHen5wD+rwVppmIgc+/Yi4 V0T8FJY0m3S1GqNUWak16ue7bS+8TOmtZ+B5MmJl0kP5NurbKqH39Q2BVXuklpYy /9li986C6bqg7beV4VRh7t7JN1GBKQvOW2V3+jTxkdm9R2viL4sTJs03dnlaNVtb c5WFakSRvg0OJEnsOqGoPF37wkPusfVwhI1gltstOEzcfLcCAwEAAaAAMA0GCSqG SIb3DQEBCwUAA4IBAQACLnWAJ4z9RPl/24+ChshX6rEoqX4hDPvfdCGs2e1ez5Y/ J1OVBm7V1rYQh4X763NPa2hhh83y5oe9h4YFn3W07yBWuY0adGCAe0Ci7X0yoNs2 w6AoJ171nzBbiFEkH5mgDqqOBQAo6I+rUzQJKHsZpBYoWsfdnGDHyBE2sClw7kuW bqFHHZ116b+eQickR6bydYfo6H56vUx1LQHMCv0kOaxG8cFMNvrr1IY6EFbP15Lh UpwXn02nAzkoYgnLAxfjoLPEPK/RSDKkBNvefTu1mJHPTPcIzqDg9BK7V6HQvqh4 LEUVLVvE3kE2/f8oXPVq63xNg5pFR7W+/9/NcLle ­­­­­END CERTIFICATE REQUEST­­­­­ I have not shown the prompts where OpenSSL asks for the field data to be included in the CSR.e) currently distributed by CentOS. um.62 curve over a 239 bit prime field   prime239v2: X9. Interestingly.62 curve over a 239 bit prime field   prime256v1: X9.62 curve over a 192 bit prime field   prime192v3: X9.1 and Jboss on CentOS 6.blogspot.0.co. OpenSSL Review ‐ Creating an EC CSR OpenSSL now supports Elliptic Curve key algorithms.id/ 48/64 .62/SECG curve over a 256 bit prime field   sect113r1 : SECG curve over a 113 bit binary field   sect113r2 : SECG curve over a 113 bit binary field   sect131r1 : SECG/WTLS curve over a 131 bit binary field   sect131r2 : SECG curve over a 131 bit binary field   sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field   sect163r1 : SECG curve over a 163 bit binary field   sect163r2 : NIST/SECG curve over a 163 bit binary field   sect193r1 : SECG curve over a 193 bit binary field   sect193r2 : SECG curve over a 193 bit binary field   sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field   sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field http://ejbcacentos.4/25/2016 Installing EJBCA 6. However.1.8y 5 Feb 2013 [root@bsdbox] ~# openssl ecparam ­list_curves   secp112r1 : SECG/WTLS curve over a 112 bit prime field   secp112r2 : SECG curve over a 112 bit prime field   secp128r1 : SECG curve over a 128 bit prime field   secp128r2 : SECG curve over a 128 bit prime field   secp160k1 : SECG curve over a 160 bit prime field   secp160r1 : SECG curve over a 160 bit prime field   secp160r2 : SECG/WTLS curve over a 160 bit prime field   secp192k1 : SECG curve over a 192 bit prime field   secp224k1 : SECG curve over a 224 bit prime field   secp224r1 : NIST/SECG curve over a 224 bit prime field   secp256k1 : SECG curve over a 256 bit prime field   secp384r1 : NIST/SECG curve over a 384 bit prime field   secp521r1 : NIST/SECG curve over a 521 bit prime field   prime192v1: NIST/X9.1. 62 curve over a 239 bit binary field   c2pnb272w1: X9.62 curve over a 163 bit binary field   c2pnb163v3: X9.         Questionable extension field! This supports the old adage that "newer is not always better". especially when considering that the 0.62 curve over a 191 bit binary field   c2pnb208w1: X9.1.62 curve over a 239 bit binary field   c2tnb239v2: X9. Note that the syntax differs from RSA version of the command in that "newkey" is split into two different options: openssl req ­new ­key eckey.62 curve over a 239 bit binary field   c2tnb239v3: X9.62 curve over a 359 bit binary field   c2pnb368w1: X9. the process to create an EC CSR requires two separate OpenSSL commands.4/25/2016 Installing EJBCA 6.9. as it is the most commonly‐implemented in EC cryptography.id/ 49/64 .62 curve over a 272 bit binary field   c2pnb304w1: X9. Unlike a RSA CSR.         Not suitable for ECDSA.         Questionable extension field!   Oakley­EC2N­4:         IPSec/IKE/Oakley curve #4 over a 185 bit binary field.co.1 and Jboss on CentOS 6.key ‐ The new CSR will be derived from the Private Key in eckey.key ­outform pem ‐ The new CSR will be written in PEM format Examining the output.62 curve over a 191 bit binary field   c2tnb191v3: X9.62 curve over a 431 bit binary field   wap­wsg­idm­ecid­wtls1: WTLS curve over a 113 bit binary field   wap­wsg­idm­ecid­wtls3: NIST/SECG/WTLS curve over a 163 bit binary field   wap­wsg­idm­ecid­wtls4: SECG curve over a 113 bit binary field   wap­wsg­idm­ecid­wtls5: X9.62 curve over a 368 bit binary field   c2tnb431r1: X9.key ­nodes ­sha256 ­outform pem ­out ecreq.5   sect239k1 : SECG curve over a 239 bit binary field   sect283k1 : NIST/SECG curve over a 283 bit binary field   sect283r1 : NIST/SECG curve over a 283 bit binary field   sect409k1 : NIST/SECG curve over a 409 bit binary field   sect409r1 : NIST/SECG curve over a 409 bit binary field   sect571k1 : NIST/SECG curve over a 571 bit binary field   sect571r1 : NIST/SECG curve over a 571 bit binary field   c2pnb163v1: X9.62 curve over a 208 bit binary field   c2tnb239v1: X9.62 curve over a 163 bit binary field   c2pnb176v1: X9.62 curve over a 304 bit binary field   c2tnb359v1: X9. we see that both the EC key and CSR are much smaller in size than their RSA equivalents: http://ejbcacentos.62 curve over a 163 bit binary field   wap­wsg­idm­ecid­wtls6: SECG/WTLS curve over a 112 bit prime field   wap­wsg­idm­ecid­wtls7: SECG/WTLS curve over a 160 bit prime field   wap­wsg­idm­ecid­wtls8: WTLS curve over a 112 bit prime field   wap­wsg­idm­ecid­wtls9: WTLS curve over a 160 bit prime field   wap­wsg­idm­ecid­wtls10: NIST/SECG/WTLS curve over a 233 bit binary field   wap­wsg­idm­ecid­wtls11: NIST/SECG/WTLS curve over a 233 bit binary field   wap­wsg­idm­ecid­wtls12: WTLS curvs over a 224 bit prime field   Oakley­EC2N­3:         IPSec/IKE/Oakley curve #3 over a 155 bit binary field. We will make our request using the prime256v1 curve.8 branch is not affected by HeartBleed.         Not suitable for ECDSA.blogspot.csr The new command options are: ­new ‐ A new CSR will be created  ­key eckey.62 curve over a 191 bit binary field   c2tnb191v2: X9. The first command creates the Private Key: openssl ecparam ­out eckey.62 curve over a 163 bit binary field   c2pnb163v2: X9.key ­name prime256v1 ­genkey The second command reads the Private Key and creates the CSR.62 curve over a 176 bit binary field   c2tnb191v1: X9. 1 and Jboss on CentOS 6. we can navigate to the "Inspect Certificate/CSR" page to verify the CSR's contents: http://ejbcacentos. First.key ­­­­­BEGIN EC PARAMETERS­­­­­ BggqhkjOPQMBBw== ­­­­­END EC PARAMETERS­­­­­ ­­­­­BEGIN EC PRIVATE KEY­­­­­ MHcCAQEEIDtrKu6BbwPabNV0SkbYqdLiRImoyzQ94VR8KdzqgfoGoAoGCCqGSM49 AwEHoUQDQgAECGwMJiYQA15H2zuM9Xfdxsmyi72vMVHV6+rzWyLYqsH4IyvHGKqh ik1BPEQlwd280mmIFtE3ZkCHSRirP+O9eQ== ­­­­­END EC PRIVATE KEY­­­­­ cat ecreq.co.blogspot.5 cat eckey.id/ 50/64 .1.4/25/2016 Installing EJBCA 6. we navigate to the public ejbca webpage: Public Ejbca Page From here.csr ­­­­­BEGIN CERTIFICATE REQUEST­­­­­ MIH+MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEw HwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq hkjOPQMBBwNCAAQIbAwmJhADXkfbO4z1d93GybKLva8xUdXr6vNbItiqwfgjK8cY qqGKTUE8RCXB3bzSaYgW0TdmQIdJGKs/4715oAAwCQYHKoZIzj0EAQNHADBEAiAN s+Hm0+XEfKB6kTPbYFSjenSm/0CV2acUfVBm7LCPDgIgCzFr6KSFZM/VR4SIFkWU NHSDfhzPXgjv+VC3HJTF1KE= ­­­­­END CERTIFICATE REQUEST­­­­­ Issuing our First Certificate We can now take one of our newly‐generated CSRs and generate a Certificate with it. blogspot.1 and Jboss on CentOS 6.1. navigate to the "Create Certificate from CSR" page and enter the CSR.5 CSR Inspection Page If you are satisfied with what you see.id/ 51/64 . Once the CA has validated the request and generated the Certificate. Be sure to select "PEM ‐ Full Certificate Chain" to have the CA certificate included in the output: Certificate Enrollment Page Note that I am requesting an Elliptic Curve Certificate in this example. you will be prompted to download it: http://ejbcacentos.4/25/2016 Installing EJBCA 6.co. . Certificate Expiration Checker ‐ Alerts you to expired certificates User Password Expire Service ‐ Alerts you to expiring user passwords Renew CA Service ‐ Alerts you to expiring CA certificates Publish Queue Process Service ‐ Used by distributed installations of ejbca HSM Keepalive Service ‐ prevents you from being locked out of a HSM http://ejbcacentos.5 Certificate Download Congratulations! You've issued your first certificate from ejbca! Finalizing the Installation We are now down to the nitty‐gritty administrative details of our installation.4/25/2016 Installing EJBCA 6.1.co. Take a deep breath..id/ 52/64 . but they are not enabled by default.1 and Jboss on CentOS 6. Defining Services Ejbca includes a set of services that assist in the maintenance of your CAs. The predefined service types are: CRL Updater ‐ Updates the published CRLs at a particular frequency. as well as any custom services you might need. and get ready for the final push. A framework is in place to support these services. but not all of them are typically needed.blogspot. Navigate to the Services section of the administration webpage: Services Page It is a good idea to enable a few of these services. We do this because of our firewall port translation rules. so this field is not included. I am using: CRL Updater  Certificate Expiration Checker  Renew CA Service  User Password Expire Service Mysql Backup Service ‐ this service runs the script located in /opt/ejbca/bin/backup Note that the services will fill your logs you define them to run too frequently. we can ensure that certificate serial numbers are not re‐used. CA Defined FreshestCRL Extension: Not Generated We are not using "Delta CRLs" with our CA. but remove ":8080" from the URL. Default OCSP Service Locator: Generated. For example. Enforce Unique Serial Number: Enabled As we will (probably) not be generating a huge number of certificates in a lab environment. Use Certificate Request History: Enabled This is essentially "detailed auditing" for requests.O=Your Company.net. Type of CA: X509 This is the standard for Internet communications. CA Issuer URI: Empty This is an optional field that can be ignored. the manual suggests that the CRL Updater be run every 5 minutes. First. http://ejbcacentos. skip the process of creating a new Crypto Token ‐ we will let ejbca automatically generate it and its keys. with the appropriate prefix.co. Signing Algorithm: Sha1WithRSA I chose this to minimize compute time. Subject DN: CN=defaultca. Subject Alternative Name: dNSName=defaultca. this is the FQDN of the CA.blogspot.C=US Signed by: Self Signed Because this will be a Root CA (but not one we will actively use). The procedure is very similar to the one described for creating rootca. and then associate that instance with the type of task you wish it to perform.yourcompany.1. Remove ":8080" We do this because of our firewall port translation rules. you must first create a service instance with a unique name. we will now define the "Default CA" for this purpose. Generate Default CRL Issuer: Generated Do not edit this string. It should be your DN. but with a few simplifications. Creating the Default Certificate Authority Recalling that the Validation Authority needs a CA to respond to unknown OCSP requests. On my server.yourcompany. Use Issuing Distribution Point on CRLs: Enabled This includes a URL for retrieval of this CA's CRL in the CA's own certificate. it will still sign its own initial certificate.4/25/2016 Installing EJBCA 6.net As discussed. I find that once an hour (or day) is more than enough for a lab environment. Validity: 3652d This value is the length of time that the CA's own certificate will be valid.yourcompany. Crypto Token: "‐ Create a new soft Crypto Token with recommended key pairs ‐" This will autogenerate the Crypto Token and keys using the default 2048‐bit RSA algorithm.1 and Jboss on CentOS 6. Generate Default CRL Distribution Point: Generated.5 To enable a service.net.id/ 53/64 . One is the CA certificate.net). There are a few things to be reminded of before we perform this step: When building our Production CA. Again. if creation fails. and enter the following options: End Entity Profile: Default TLS Entity Profile Username: rootca. we must activate the internal health check on the CA Activation page. including the PKI server itself. The process for updating this certificate is a little complicated. and enter the Entity information. but will be used for different purposes. as it requires that multiple items be replaced simultaneously: The keystore. Lastly.yourcompany. Navigate to the "Create Keystore" area of the Public Ejbca Webpage.yourcompany.yourcompany.5 Now.4/25/2016 Installing EJBCA 6. Because we chose "JKS" for the token format. we do not need to submit a CSR.1 and Jboss on CentOS 6. We created the CA certificate when defining the CA. as before. create the CA. we can replace the generic TLS certificate created during ejbca installation with one from our own PKI.jks/keystore.net Token: JKS file Now that the Entity exists. Adding the Server to Production PKI ‐ Creating the New Server Cert Now that we have our own CA running on a fully functional server. the other is for TLS enciphering and authentication. to ensure that every element of our network participates in our PKI. I will refer to our own CA (rootca. You must use the same password for this End Entity that we used for the keystore when installing ejbca. Navigate to the "Add End Entity" page.  We do this.yourcompany.co. for we have the potential to lock ourselves out of the administration interface of the server. Begin by defining the End Entity for the server.yourcompany. The server will provide the completed certificate to us in JKS format.net Certificate Profile: Default TLS Certificate Profile CA: rootca.1. just "go back" in your browser.net Password: (Enter the password you specified for your tomcat. Both of these certificates will have the same CN value (rootca. and we are about to create the TLS certificate.xml.yourcompany.net DNS Name: rootca.blogspot.net CN: rootca.net) as being the "Production" CA.id/ 54/64 .jks/tomcat.jks file that (and the CA certificate in it) The certificate used for administrator access (currently: superadmin. From now on. we created the first of the two identically‐named certificates we discussed at the beginning of this how‐to. we can request the certificate from the server.jks file) E‐mail address: [email protected]) The need to replace all of these items at the same time means the process requires great care. This avoids the need to update the (cleartext!) passwords held in standalone. You will be taken to this page: http://ejbcacentos. of course.jks file (and the certificates in it) The truststore. 1. Email Protection Subset of Subject Alt Name: RFC 822 Name (e‐mail address) Next. it will not be recognized by the server until the Production TLS certificate has been installed on the server. While a new administrator Entity/certificate will be created in this step. In this new Profile. "super". You can verify the contents and password of the file using the keytool command provided earlier in the how‐to: keytool ­v ­list ­keystore tomcat. Set to "Use entity email field" and "Required" Default and Available Certificate Profile: "Default User Certificate Profile" http://ejbcacentos.4/25/2016 Installing EJBCA 6.id/ 55/64 . Firefox returns with "SSL Peer Cannot Verify Your Certificate".jks Adding the Server to PKI ‐ Creating a New User We continue by replacing the "superadmin" account with something a little less. Non‐repudiation. create a new End Entity Profile named "Default User Entity Profile". There is an important caveat to be understood here. using "Default TLS Entity Profile" as a template. E‐mail address in DN". This is due to the nature of TLS. the server is still using the initial certificate issued by "mgmtca".net". Firefox takes this DN information and examines its store of personal certificates to see if any of them were created by the DN specified in the request.1 and Jboss on CentOS 6. using the "Default TLS Certificate Profile" as a template. select "2048" or "4096" for the "Key length".5 Token Enrollment Webpage Once here. and how Firefox handles the certificate request from ejbca during session establishment.yourcompany. Update the inherited options in the new Profile with the following: Key Usage: Digital Signature. Proceed by creating a new Certificate Profile named "Default User Certificate Profile". Set as Required Other subject attributes: Remove the "DNS Name" entry Other subject attributes: Add "RFC 822 Name (e‐mail address)".co. If there are no matches.blogspot. uh. and so will not recognize new administrator certificates issued by "rootca. If the exchange is examined in a packet capture: Client Certificate Request We see that the server (ejbca) provides its own DN when requesting the client's certificate. add/change these options: Subject DN Attributes: Leave the CN field blank Subject DN Attributes: Add "emailAddress. Key encipherment Extended Key Usage: Client Authentication. In the example above. and download the JKS file when prompted. http://ejbcacentos.blogspot. install the new . so extract it from Firefox's "Authorities" store: Tools ==> Options ==> Advanced ==> Certificates ==> View Certificates and selecting "Export" from the "Authorities" tab. Adding the Server to PKI ‐ Installing the User Certificate Now. Do not delete the superadmin certificate at this time! Again. When the certificate is added to your browser. add an End Entity with the following details: End Entity Profile: Default User Entity Profile Username: (as desired) Password: (as desired) E‐mail address: [email protected] file in the same way that "superadmin.p12" was installed earlier in the how‐to.p12 file when prompted.id/ 56/64 . You will be prompted for the password you chose during the creation of the End Entity.5 Default and Available CA: "rootca.1 and Jboss on CentOS 6. Once validated. you will be given the "EJBCA Token Certificate Enrollment" page: Token Enrollment Page Because we are staying with RSA keys in this how‐to.net CN: <First Name> <Last Name> Certificate Profile: Default User Certificate Profile CA: rootca. Click on "Enroll". select "2048 bits" from in the "Key length" menu.yourcompany.yourcompany. You will be prompted for the username and "Enrollment Code" you chose in the previous step.4/25/2016 Installing EJBCA 6.1. then save the .yourcompany.co.net" Default and Available token: "P12 file" Now. two actions are actually taken (using Firefox as an example): The "personal" certificate of the End Entity is added to the "Your Certificates" store The CA certificate for the issuing CA (rootca.net Token: P12 file Now navigate to the Public Ejbca Webpage and select "Create Browser Certificate". using Firefox as an example: Tools ==> Options ==> Advanced ==> Certificates ==> View Certificates and selecting "Import" from the "Your Certificates" tab.net) is added to the "Authorities" store We will need a copy of the CA certificate in a future step of the how‐to. blogspot.1. we must grant it administrative privileges in ejbca.net" Match with: X. *. as "rootca. Now is a good time to make a backup of your "superadmin" certificate. but ejbca does not allow them.509 Certificate PEM (*. C.id/ 57/64 . http://ejbcacentos.net".yourcompany.5 The certificate should be listed under the heading of "Your Company".crt.pem)".E. Adding the Server to PKI ‐ Granting Admin Rights Before we can use our new user certificate for administration. case sens.  In the "Save File" display.R. Once on the "Edit Administrators" page. stay with the default format of "X.yourcompany.M. if you don't have one.509 Certificate Serial Number (recommended) Match type: Equal. Navigate to the "Administrator Roles" page on the ejbca administration site: Administrator Roles Now select "Administrators". Remove them before committing the change.4/25/2016 Installing EJBCA 6. select the following and add a new entry: CA: "rootca. Match value: (enter the serial number of your new administrator certificate)  Note that Firefox will insert colons (:) in the serial number of the certificate.A.co. next to the "Super Administrator Role" heading.1 and Jboss on CentOS 6. co.orig Copy the new keystore file containing our server certificate to /opt/ejbca/P12. back up the existing keystore files: cd /opt/ejbca/P12  mv tomcat.jks truststore.crt".id/ 58/64 . It is required that the new truststore use the same password as the existing one. stop ejbca: service ejbca stop Next.net".jks keytool ­v ­list ­keystore truststore.crt ­keystore truststore.jks /opt/jboss/standalone/configuration/keystore/keystore. First. cd /opt/ejbca/P12 keytool ­importcert ­alias rootca.jks tomcat. Copy the CA certificate for "rootca. start ejbca: service ejbca start http://ejbcacentos. downright misleading. and name it "truststore.blogspot.orig mv truststore. and name it "tomcat.net ­file truststore.yourcompany.5 Adding the Server to PKI ‐ Installing the Keystores Primekey's instructions for updating the Jboss keystores are convoluted at best.jks cp truststore. and avoid this command line silliness altogether.4/25/2016 Installing EJBCA 6.jks".1.jks keystore.orig cd /opt/jboss/standalone/configuration/keystore mv keystore. They should be very similar to the examples provided earlier in the how‐to: keytool ­v ­list ­keystore tomcat.yourcompany.1 and Jboss on CentOS 6.jks Now copy the new keystores to the jboss directory: cp tomcat. Now we will create a new truststore file that will include the CA certificate for "rootca. They assume two things: That you will use the "batch certificate creation" tool to make your keystores That you will use the ejbca "command line" to execute the batch tool My problem with both the "ejbca command line" and the batch creation tools (there are both command line and gui versions) is that they have achieved the trifecta of non‐usability: Obscure Undocumented Unreliable We will use keytool to manage our keystore files. and at worst.jks Be sure to validate the contents and passwords of the new keystores.jks truststore.  This is the truststore password you entered during installation.1­Final chown ­R jboss:jboss /opt/ejbca_ce_6_1_1 And finally.yourcompany.net" to /opt/ejbca/P12 as well.1.orig mv truststore.jks /opt/jboss/standalone/configuration/keystore Reset the ownership on the directories: chown ­R jboss:jboss /opt/jboss­as­7. which was issued by the CA "rootca.4/25/2016 Installing EJBCA 6. Adding the Server to PKI ‐ Finalizing the Move To test the new certificate.co. Be sure to add the proper "Revocation Reason" in the menu at the bottom of the screen. then forwarded to the administration site.5 You should not see any unexpected messages in the console log.net". You should now be prompted for the new administrator certificate (instead of the superadmin certificate).net" Revoking a certificate is quite easy to do in ejbca.id/ 59/64 . When viewing the TLS values for the browser. then start it and browse to the administration website.1. then "Revoke and Delete" it. use "Search End Entities" to find the Entity you wish to revoke: Search End Entities Select the entity to be revoked. Assuming that you are not running a Service that will automatically update the CRL for the CA that issued the revoked certificate.1 and Jboss on CentOS 6. shut down your browser completely.blogspot. Navigate to the "CA Structure & CRLs" page: http://ejbcacentos.net". you should now see that the administration page is protected by a certificate belonging to "rootca.yourcompany.yourcompany.yourcompany. Our final steps are to clean up the items relating to installation admin access: Delete the superadmin certificate from your browser's "Your Certificates" store Delete the "mgmtca" entry from your browser's "Authorities" store Delete "superadmin" from the "Super Administrator Role" in the administration console Revoke the certificate issued by "mgmtca" for "rootca. you will need to update it manually. First. 1 and Jboss on CentOS 6.properties files and on the "Super Administrator Role" page relating to command line (CLI) access. The problem it addresses may not be something you care about. and you are finished. Select "JPA".1. You can add this variable manually to the configuration and temporarily fix the problem.4/25/2016 Installing EJBCA 6.xml Delta ### Update the following lines: <datasource jndi­name="java:/EjbcaDS" pool­name="ejbcads" use­ccm="true"> <datasource jta="false" jndi­name="java:/OcspDS" pool­name="ocspds" use­ccm="true"> to: <datasource jndi­name="java:/EjbcaDS" enabled="false" pool­name="ejbcads" use­ccm="true"> <datasource jta="false" jndi­name="java:/OcspDS" enabled="false" pool­name="ocspds" use­ccm="true"> ### End standalone. The bug itself relates to a missing "enabled" variable in the datasource definitions held in standalone.xml and change the added variables to "true" service ejbca restart (be patient) The datasources will now be shown as "enabled" in the  "Profile" section of Jboss web console. which makes this a cosmetic bug with minor ramifications.5 Update CRLs Select "Create CRL" on the CA you wish to update. Fixing the Jboss Web Console Datasource Stats There is an optional fix to Jboss that can be made once ejbca has been fully installed and deployed. you may notice that the datasource entries for ejbca are shown as "disabled". vi /opt/jboss/standalone/configuration/standalone. there is a good chance that future deployments will "re‐break" this fix. Unfortunately. I am deliberately ignoring permissions relating to the command line.xml. A very final note on permissions: you may have noticed entries in the .xml ### Start standalone. This change subsequently allows you to enable Jboss statistics monitoring: Select the "Runtime" section at the top of the web console. which is why I include it as an afterthought at the end of this how‐to.id/ 60/64 . as I assume that you are using strong ssh and console login controls.co. This is due to a bug in ejbca's ant target responsible for datasource creation. http://ejbcacentos. but are reported as being "enabled" when you attempt to "enable" them. The datasources themselves are working.blogspot.xml Delta ### service ejbca restart (be patient) Reenter standalone. When using the Jboss web console. 5 After selecting "ejbca". just as it does for the datasource configuration. If you wish to have ejbca make connections directly to an outside server. Jboss subsystem metrics are now fully enabled. we finish configuring mail. Ejbca translates the configuration in mail.properties.com" password="your_password"/>             </smtp­server> http://ejbcacentos. You will be asked if you wish to enable OSGI.0">       <mail­session jndi­name="java:jboss/mail/Default" from="ejbcamail@gmail. Finishing the Mail Configuration First.com">             <smtp­server ssl="true" outbound­socket­binding­ref="mail­smtp­gmail">                   <login name="ejbcamail@gmail. Both the ejbca and the default jboss mail relays are defined in the same locations: ### Start standalone. The certificate can then be used (instead of the self‐signed certificate your server is probably using) to protect your mail connections with TLS.0">      <mail­session jndi­name="java:jboss/mail/Default">            <smtp­server outbound­socket­binding­ref="mail­smtp"/>      </mail­session>      <mail­session jndi­name="java:/EjbcaMail" from="ejbca@yourcompany. a good initial step is to issue a unique certificate to your mail server. Below is an example configuration that does the following for both relays: Sets Gmail as the mail recipient Uses encrypted SMTP Uses the encrypted SMTP port number: 465 ### Start standalone.com" password="your_password"/>             </smtp­server>       </mail­session>       <mail­session jndi­name="java:/EjbcaMail" from="[email protected] file.4/25/2016 Installing EJBCA 6. this is sufficient.1.properties to stanzas in standalone.1 and Jboss on CentOS 6.net">            <smtp­server outbound­socket­binding­ref="ejbca­mail­smtp"/>      </mail­session> </subsystem> and: <outbound­socket­binding name="mail­smtp">      <remote­destination host="localhost" port="25"/> </outbound­socket­binding> <outbound­socket­binding name="ejbca­mail­smtp">      <remote­destination host="localhost" port="25"/> </outbound­socket­binding> ### End standalone. Now that we have the ability to generate our own certificates.co. use the "edit" button to open its properties. This "dual setup" can be seen in the Jboss web console. this will not affect the Jboss default mail instance. and one for ejbca. and check the box next to "Metrics Enabled?" Select the "OSGI" section. We have already configured the ejbca mail relay to forward traffic to the local mail daemon in the mail.xml. this configuration will need to be updated. and may not provide all the options you desire.xml Snip ###  While you can update the ejbca mail variables by editing mail. Answer "Yes".xml Snip ### <subsystem xmlns="urn:jboss:domain:mail:1.xml Delta ### <subsystem xmlns="urn:jboss:domain:mail:1.com">             <smtp­server ssl="true" outbound­socket­binding­ref="mail­smtp­gmail">                   <login name="ejbcamail@gmail. If your local mail service is configured to forward to an outside server. and can be checked from the web console.id/ 61/64 .blogspot. Our server actually has two java mail relays: one for jboss. considering that we are cutting and pasting information relating our certificates to the tools on the page.5       </mail­session> </subsystem> <outbound­socket­binding name="mail­smtp­gmail">       <remote­destination host="smtp.properties for something called "Production Mode". we will set this to false.sh sh mysql­privileges. you may wish to force users to perform client certificate authentication before accessing the Public Webpage. vi /opt/ejbca/conf/ejbca.sql You can verify the privilege changes by doing the following: mysql ­u ejbcadbuser ­p  use ejbcadb; show grants for ejbcadbuser@localhost; exit  Securing the Public Web Interface You may not wish to allow unencrypted access to the Ejbca Public Webpage.productionmode=true #ejbca.4/25/2016 Installing EJBCA 6. I know I don't. Additionally. Primekey provides a script to perform these modifications in /opt/ejbca/doc/howto/mysql­privileges.sh.properties ### Start ejbca. we can set this value to "true".properties Delta ### Tightening Mysql Permissions Mysql is fairly notorious for being vulnerable to various attacks.com" port="465"/> </outbound­socket­binding>   ### End standalone.id/ 62/64 . # But DO NOT set it to "ca"! ejbca.blogspot.gmail. The easiest way to disable this access is to simply remove the port forwarding rule for port 80==>8080 that we created at the beginning of the how‐to. export SQLUSER=ejbcadbuser export SQLDATABASE=ejbcadb cd /opt/ejbca/doc/howto/mysql­privileges. we change # this to true. Some risk can be mitigated by tightening the database permissions for the ejbcadbuser account. Once the install is complete. http://ejbcacentos.productionmode=false        ### End ejbca. as disabling both 80 and 442 access has the effect of preventing everyone other than ejbca administrators (with Client Certificates) from accessing the server.properties Delta ### # Initially.xml Delta ### Setting Production Mode You might recall a setting in ejbca.sh <enter mysql root password when prompted> mysql ­u root ­p ejbcadb < mysql­database­privileges. You will need to run the script as shown below.co.1 and Jboss on CentOS 6. but it's probably important enough that we should set it. I'm not entirely sure what this does. You can accomplish this by disabling the forwarder from port 442==>8442.1. But I suggest that you leave the encrypted access on port 442. but taking these steps is certainly better than nothing. Now that we are more‐or‐less finished with our installation. This is by no means a comprehensive guide to securing mysql. then execute the sql commands created by it. Frankly. getServerName(). http://ejbcacentos.getAppNameLower()      +"/adminweb/"); %> To: <% java.getAppNameLower()      +"/adminweb/"); %> ### End header. We can't change the entry in web.net. Now. The URL for this link uses the private HTTPS port that was defined in  web.jsp inspect/header.getServerName().jsp templates/header.URL adminURL = new java.jsp Delta ### Substituting "‐1" has the effect of telling jboss to use the default port number for HTTPS when building the URL (essentially.config. Unfortunately.net.properties.jsp In each case.net. ejbca is doing what it should be doing during deployment.5 A clean way to configure this is to have a forwarding page that redirects HTTP requests on port 80 to HTTPS on port 442. <Insert inspiring port redirect code here.1. but I include it to clarify that from its own point of view.jsp header. we have changed this port to externally be 443.ejbca. On the Ejbca public web page. The links on the Ejbca Public Page and the Administration Page are the only things I have found that would care about the external web ports.co.jsp enrol/header. make the following edit: ### Start header. there is a link to the "Administration" page.URL("https".getExternalPrivateHttpsPort(). redeploy ejbca.URL adminURL = new java.config.      "/"      +org.InternalConfiguration. but it is equally clear that it still has quite a ways to go.blogspot.      "/"      +org.InternalConfiguration. all in the /opt/ejbca/modules/publicweb­gui/resources directory: retrieve/header.4/25/2016 Installing EJBCA 6.URL("https". via the firewall port redirect we configured at the beginning of the how‐to. or the server will fail to start.id/ 63/64 . Edit the following five files.      org.jsp Delta ### Change: <% java. so updating this link is probably the easiest way to fix this.config.      request.      ­1.1 and Jboss on CentOS 6.> Fixing the Administration Page Link There is an additional annoyance that requires a slightly more in‐depth set of changes.net.WebConfiguration. and the link will be correct. by omitting a port number completely). This change is completely optional.ejbca.properties to be 443. which will then be forwarded by the firewall to the goal of port 8442.      request.ejbca. In Closing It's clear that a great amount of work has gone into the creation of ejbca. 5 While I personally like this product. and wish it success in the future.1.1 and Jboss on CentOS 6. Active Directory password for integrated certificate publishing "How to Install EJBCA 6. Based on a work at http://ejbcacentos.net) 10.1 on CentOS 6. and I hope that this guide helps you through a decidedly rough installation process.jks/keystore. Good luck! Password Tally At the beginning of this how‐to. That being said. Ejbca OS password  (ejbca) 5. 1. Publisher passwords for distributed installation 4. but are optional: 1. I would have a hard time presenting it as a viable long‐term solution to one of my own clients. Passwords for OS‐level integrated AAA 5.jks) 7.1.4/25/2016 Installing EJBCA 6.id/ 64/64 . Production administrator certificate password (youradmin. Superadmin certificate password (superadmin. I am amused to note that a minimum of 10 unique passwords are required for a basic ejbca installation. Jboss web console password (jadmin) 6. Powered by Blogger. Mysql ejbca password  (ejbcadbuser@localhost) 4.5" by VES Group.jks) 8. Here it is. Root OS password (root) 2. http://ejbcacentos.com. Posted by Warren V at 4:53 PM 35 comments: +4   Recommend this on Google Home Subscribe to: Posts (Atom) Simple template. Email server password (for SMTP/TLS) 3.p12) 2.p12) 9.yourcompany.blogspot. Incorporated is licensed under a Creative Commons Attribution‐NonCommercial‐ShareAlike 4. Soft token authentication key (rootca.co. Initial truststore password (truststore.blogspot.yourcompany.0 International License. Mysql root password  (root@localhost) 3. I believe that ejbca is perfect for a lab environment.net) This list does not include passwords that are likely to be needed. Initial keystore password (tomcat. End entity password/enrollment codes (yourdevice. I mentioned that I would keep a running tally of the passwords required by the installation.