iPlanet Trustbase Transaction Manager 3.0.1 Beta Configuration and Installation: Chapter 1 Installation Worksheet

Previous Contents DocHome Index Next

iPlanet Trustbase Transaction Manager 3.0.1 Beta Configuration and Installation

Chapter 1 Installation Worksheet

Installation Worksheet provides the user with a pre-requisite checklist of all the main features to a successful iPlanet Trustbase Transaction Manager installation. It lists software that is included, what isn't included, what must be downloaded and how it should be installed and configured.

iTTM Installation Overview

The iTTM installation has been designed with a number of features in mind

iTTM itself is installed in a number of distinct modules:

The iTTM environmental packages:

ittm contains iTTM jar files and other binary files

ittm-tprl templates and routing rules for iTTM

ittm-sql SQL scripts for iTTM tables

ittm-conf iTTM Configuration files that are located in the directory /opt/ittm/myhost

ittm-stor contains the binaries relating to certificate store

The OCSP responder packages

ittm-ocsb contains OCSP Responder binaries

ittm-ocsp contains the OCSP Responder Configuration options.

This is optional. iTTM supports any other RFC2560 compatible OCSP Responder.

The JMS proxy packages

ittm-jmsb binaries for jmsproxy

ittm-jmsp configuration options for jmsproxy

Any other message Queue that supports JMS can be used here.

The runCertificateOCSPResponderWizard and runCertWizard scripts that have no packages and can also be run using the command line interface tool runTokenKeyTool

Reinstallation is possible

Installing a similar installation on other machines is facilitated by editing a file that contains a list of settings.

Seamless upgrades and patches for future distributions are now also possible.

iTTM Installation Procedure

The following steps need to be carried out:

Check/download/install/meet software pre-requisites

Solaris 8

JDK 1.3.1

Oracle 8.1.7

nCipher KeySafe 1.0

Identrus Compliant Certificate Authority

Optionally, a third party Identrus compliant Validation Authority can be used in place of the provided local OCSP Responder.

Create a <username>e.g. tbase <group> e.g. iplanet using the Unix command admintool.

Install from root iPlanet Web Server v6.0 SP2

Install from root iPlanet Application Server v6.5

Gather appropriate information in order to assist a silent iTTM 3.0.1 install

To ask for command line answers and place the answers to questions in the directory /outputdir that can then be edited and used to do installs on other machines.
./cdrom/cdrom0/ittm/setup -k /outputdir

To gather settings from existing packages and place the answers to questions in the directory /outputdir that can then be edited and used to do installs on other machines.
./cdrom/cdrom0/ittm/setup -m /outputdir

Perform the actual iTTM 3.0.1 Installation using one of the following procedures

To perform a complete graphic install on the entire product
./cdrom/cdrom0/ittm/setup -g

To perform a complete command line install on the entire product entering answers to questions at the terminal
./cdrom/cdrom0/ittm/setup -c

To perform a complete command line install from a file created in /outputdir and read from /inputdir. The output will also be sent to a log file
./cdrom/cdrom0/ittm/setup -k /outputdir
./cdrom/cdrom0/ittm/setup -s /inputdir logfilename

To perform a complete command line install from existing package settings in order to perform a new install on a different machine created in /outputdir and read from /inputdir. The output will be sent to a log file.
./cdrom/cdrom0/ittm/setup -m /outputdir
./cdrom/cdrom0/ittm/setup -s /inputdir logfilename

Install Oracle SQL Script
/opt/ittm/current/Config/sql/tbaseNew.sql

Setup nFast Hardware and configure iPlanet Trustbase Transaction Manager to use it. There are four scripts to do this

modutil PKCS11 generic hardware install

ncipherP11install ncipher PKCS11 install

ncipherupgrade ncipher iTTM2.2.1 to 3.0.1 upgrade

installP11Library software PKCS11 install

Configure iWS LDAPS Security patch (Optional)

Configure iWS URL rewrites

Install and Configure certificates from the username you defined using the unix command line tool admintool
./runCertWizard or ./runtokenkeytool
./runOCSPResponderCertWizard or ./runtokenkeytool

Configure secure.properties

Setup site specific Identrus settings from identrus.properties

Start iPlanet Trustbase Transaction Manager

View, if necessary, Identrus Certificates and Keys using TokenKeyTool using the script
/opt/ittm/Scripts/runtokenkeytool

Uninstall/Backup/Restore/Patching

To Uninstall an installed package. From user: root
./cdrom/cdrom0/ittm/setup -u

To backup your install settings. From user: tbase

./cdrom/cdrom0/ittm/setup -m /dir

cp /opt/ittm/myhost/*.properties /temp

From the iTTM configuration screen select <config><export>

cp /opt/ittm/myhost/xmlconfig /temp

Make sure your DBA backs up your Oracle database

To restore a similar installation. From user:tbase

./cdrom/cdrom0/ittm/setup -u

./cdrom/cdrom0/ittm/setup -s /dir

cp /temp/*.properties /opt/ittm/myhost

cp -r /temp/store/* /opt/ittm/store

cp -r /temp/xmlconfig /opt/ittm/myhost

From the iTTM configuration screen select <config><import>

To Add/Patch a package (For future use only). This will patch all packages it finds in the distribution directory. From user: root
./cdrom/cdrom0/ittm/setup -p

SW pre-requisites

The following software should be installed prior to running iPlanet Trustbase Transaction Manager.
Figure 1-1    Third Party Library jar files

Pre-requisites

Microsoft's Browser: Internet Explorer 4.0 or above for Web configuration or Netscape 4.0 and higher.

Oracle 8.1.7.

The iPlanet Trustbase Transaction Manager 3.0.1 requires the Solaris 8 Operating Environment system.

The iPlanet Trustbase Transaction Manager 3.0.1 requires the use of JDK 1.3.1 environment. This can be obtained from the Sun Microsystems Web site
http://java.sun.com/j2se/1.3/

Java^TM Servlet supporting WebServer

iPlanet Web Server 6.0 SP2
http://wwws.sun.com/software/products/web_srvr/home_web_srvr.html

Application Server

iPlanet Application Server 6.5
http://wwws.sun.com/software/products/appsrvr_ee/home_appsrvr_ee6_5.html

Optionally, a third party Identrus compliant Validation Authority can be used in place of the provided local OCSP Responder.

An Identrus Compliant Certificate Authority

Hardware Security Module

nCipher KeySafe 1.0
http://www.ncipher.com

Packages included

The following packages are included with iPlanet Trustbase Transaction Manager:

iPlanet Application Server 6.5
http://wwws.sun.com/software/products/appsrvr_ee/home_appsrvr_ee6_5.html

iPlanet Web Server 6.0 SP2
http://wwws.sun.com/software/products/web_srvr/home_web_srvr.html

Java^TM API for XML Processing
http://java.sun.com/xml

Packages not included

The following software must be downloaded before Installation:

JDBC^TM -Thin / 100% Java API for JDK^TM 1.1.x
http://technet.oracle.com/software/content.html

The Solaris 8 operating system environment incorporating the JDK^TM 1.3.1 environment that can be downloaded from http://java.sun.com/j2se/1.3/

Certificate Prerequisites

Before you install iPlanet Trustbase Transaction Manager, you will need to know the location of your level 1 Certificate Authority PEM encoded CA certificate. This certificate is referred to from this point forward as the L1CA certificate.

System Resources

Determine hostname

hostname
domainname

Verify disk space to be greater than 1GB.

df -k

Verify sufficient memory is not less than 256MB and preferably the recommended 1GB

prtconf | grep Mem

Check Solaris version is 8

uname -a

Check Java Version is 1.3.1

java -version

iTTM prerequisite installations

Before iPlanet Trustbase Transaction Manager can be installed, a working web server and application server must be available.

iPlanet Web Server v6.0 Installation

Before starting the webserver installation you may need to use the Unix tool
Admintool

to create a new user. During the default installation we use
User: tbase
Group ID: iplanet

Logon as root, locate the 'setup' script depending on distribution

Start the installation using the 'setup' script.

Select a directory <install_directory>. The default is /opt/iws6. Make a note of this directory as you will need this for the iPlanet Application Server installation later.

# cd /cdrom/cdrom0
# cd iws6
#./setup

Install all elements of the web server and select the option that changes their ownership/group to 'nobody'. Select the option that runs the webserver as 'root'. Do not use an existing Directory service. Select the web server document directory to be the 'docs' subdirectory of your chosen installation location. Make sure you select Yes when asked about which version of JDK you are using.
Figure 1-2    Installing iPlanet Web Server

Would you like to continue with installation? [Yes]: Yes
Do you agree to the license terms? [Yes]: Yes
Choose an installation type [2]: 2
Install location [/usr/iplanet/servers]: /opt/iws6
Specify the components you wish to install [A] A
Specify the components to install [1, 2, 3, 4]: 1,2,3,4
Computer name [myhost.mycompany.com]: myhost.mycompany.com
System User [tbase]: tbase
System Group [iplanet]: iplanet
Run iWS Administration Server as [root]: root
IWS Admin Server User Name [admin]: admin
IWS Admin Server Password:
IWS Admin Server Password (again):
IWS Admin Server Port [8888]: 8888
Web Server Port [80]: 80
Web Server Content Root [/opt/iws6/docs:
Do you want to use your own JDK [No]: Yes
JDK Directory [/usr/Java]: /usr/java1.3

Note You should make a note of these settings. Particularly port numbers since you may need them later.
If you want to set up an SSL within the Web Server you must apply for a certificate in the Web Server. For instance,
http://docs.iplanet.com/docs/manuals/enterprise/50/ag/esecurty.htm#1005553

The following output should appear:
Figure 1-3    iPlanet Web Server Installed

Sun Netscape Alliance
iPlanet Web Server Installation/Uninstallation
------------------------------------------------------------------

Extracting Server Core...
Extracting Java Runtime Environment...
Extracting Java Support...
Extracting SSJS Support...
Extracting SSJS Database Support...
Extracting Web Publishing Support...
Extracting SNMP Support...
Extracting Upgrade Files...

Server Core installed successfully.
Java Runtime Environment installed successfully.
Java Support installed successfully.
SSJS Support installed successfully.
SSJS Database Support installed successfully.
Web Publishing Support installed successfully.
SNMP Support installed successfully.

Press Return to continue...

Go to /opt/iws6 and type startconsole to begin
Managing your servers.

Note Please consult your iPlanet Web Server Installation Guide for more information on this. Selecting <return> takes the default.

Starting iPlanet Web Server 6.0

Change into the directory that contains your Web Server instance and run the start script. This directory takes the form of https-myhost.mycompany.com.
For instance:

cd /opt/iws6/https-myhost.mycompany.com
./start

Note If in doubt you should consult the first chapter of the iPlanet Web Server configuration Guide.

Verifying iPlanet Web Server 6.0

Check iPlanet Web Server is working by opening a browser window to http://localhost. If its working, you'll see the main page as illustrated below:
Figure 1-4    iPlanet Web Server, Enterprise Edition

Or alternatively going straight to the Administration Server console as follows:
cd /opt/iws6
./startconsole
Figure 1-5    iPlanet Web Server Administration Server

iWS Checklist

The following table summarises typical operational commands for the iPlanet Web Server.

Information Type

Example Set-up Value for iWS6.0

Install directory

/opt/iws6

Administration logon

Username: iwsadmin, Password: identrus

Operational ports

Server: 80, Admin: 8888

To start server

/opt/iws6/https-myhost.mycompany.com/start

To stop server

/opt/iws6/https-myhost.mycompany.com/stop

To start admin server

/opt/iws6/https-admin/start

To stop admin server

/opt/iws6/https-admin/stop

Processes grep

ps -ef | grep iws

Process list

nobody 9876 1 0 12:52:08 0:00 ./uxwdog -d /opt/iws6/https-myhost.mycompany.com/config
nobody 9877 9876 0 12:52:08 0:01 ns-httpd -d /opt/iws6/https-myhost.mycompany.com/config
also /opt/iws6/https-admin/config if the admin is running

Install logs

/opt/iws6/setup/WebServer/

Log directory

/opt/iws6/https-myhost.mycompany.com/logs

Document root

/opt/iws6/docs

Installation and Configuration Documents

http://docs.sun.com/db/prod/s1.websrv60
http://docs.iplanet.com/docs/manuals/enterprise/50/ig/contents.htm
http://docs.iplanet.com/docs/manuals/enterprise/50/ag/contents.htm

iPlanet Application Server v6.5 Installation

Ensure that the iPlanet Web Server is running before you follow this procedure.

Logon as root, locate the 'setup' script depending on distribution (e.g. unzip the tar file and the 'setup' file should be in the top directory)

# cd /cdrom/cdrom0
# cd ias6
# ./setup

Warning the iAS 6.5 installation may require patches to your Solaris installation as such you should consult

http://docs.sun.com/source/816-6373-10/index.html

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

Start the installation using the 'setup' script. The default installation should be set to /opt/ias6. Answer the questions as follows:
Figure 1-6    Example iPlanet Application Server Script

Would you like to continue with installation? [Yes]: Yes
Do you agree to the license terms? [No]: Yes
Select the component you want to install [1]: 1
Choose an installation type [2]: 2
Install location [/usr/iplanet/ias6]: /opt/ias6
iPlanet Server Products components: Specify the components to install [All]: All
iPlanet Server Family Core: Specify the components to install [1, 2, 3]: 1,2,3
iPlanet Directory Suite components: Specify the components to install [1, 2]: 1,2
Administration Services components: Specify the components to install [1, 2]: 1,2
iPlanet Application Server Suite components: Specify the components you wish to install [1, 2, 3, 4,5]: 1,2,3,4,5
Computer name [myhost.mycompany.com]: myhost.mycompany.com
System User [tbase]: tbase
System Group [iplanet]: iplanet
Netscape configuration directory server? [No]: No
Do you want to use another directory to store your data? [No]: No
Directory server network port [389]: 389
Directory server identifier [myhost]: myhost
administrator ID [admin]: admin
Password:
Password (again):
Suffix [dc=uk,dc=sun,dc=com]: dc=uk,dc=sun,dc=com
Directory Manager DN [cn=Directory Manager]: cn=Directory Manager
Password:
Password (again):
Admin Domain [iplanet.com]: iplanet.com
Administration port [12816]: 12816
Run Administration Server as [root]: root
Product Key: 1111111111-3333333333
Enter the location of your webserver: /opt/iws6/https myhost.mycompany.com
Do you want to enable the user to access the registry and plugin libraries? [y] y
Do you want to continue with the iAS installation? [y] y
Username [admin]: admin
Password:
Password (again):
Do you want to enable I18N support for iAS? [No]: No
Username does not match [No]: Yes
Do you want to change ownership pf iasfiles to tbase: [tbase]?

Note Please consult your iPlanet Application Server Installation Guide for more information on this. You should also make a note of these settings since you may need them later. Selecting <return> takes the default.

Post iPlanet Web Server and iPlanet Application Server Installation Steps

To check that the Application Server installation has been successful, use a browser to contact the following URL: http://myhost.mycompany.com/GXApp
Select the 'Java Fortune' application, if the reply indicates that the servlet 'Greets You' then the web server and application server are functioning correctly. You should also consult your iPlanet Application Server Installation Documentation. This is now illustrated below:
Figure 1-7    Verifying iPlanet Application Server

Having completed the installation, all processes must be shutdown:

Logon as root

Application Server Shutdown <install_directory>/ias/bin/KIVAes.sh stop

# cd /opt/ias6/ias/bin
# ./KIVAes.sh stop
# ps -ef | grep k.s

Note Immediately after installation, if this script fails to work, use 'ps -ef | grep k.s' to show all iPlanet Application Server processes and then 'kill -9 <pid>' to stop all of them.

Directory Server Shutdown

# cd /opt/ias6/slapd-myhost
# ./stop-slapd
# ps -ef | grep slap

Web Server Shutdown

# ./opt/iws6/https-myhost.mycompany.com/stop
# ./opt/iws6/https-admserv/stop

Once all the above scripts have been run check that all processes have been terminated using 'ps -ef | grep /opt/iws6'. Use 'kill -9 <pid>' on all remaining processes.

iAS Checklist

The following table summarises typical operational commands for the iPlanet Web Server.

Information Type

Example Set-up Value for iAS6.5

Install directory

/opt/ias6

Administration logon

Username: admin, Password: password

Operational ports

Directory Admin: 20000, kas admin:10817, Directory server: 389

To start server

/opt/ittm/Scripts/startias

To stop server

/opt/ittm/Scripts/stopias

Installation logs

/opt/ias6/setup/setup.log

Processes grep

ps -ef | grep ias
To get just the 'kiva' processes (the ones that do the jvm work) do a ps -ef | grep k.s

Process list

root 10066 10064 0 14:33:21 0:03 /opt/ias6/ias/bin/.kjs -cset CCS0
root 10059 9504 0 14:33:16 pts/6 0:00 /opt/ias6/ias/bin/.kas
root 9504 1 0 12:47:38 pts/6 0:00 /bin/sh /opt/ias6/ias/bin/kas
root 10070 1 0 14:33:25 0:00 /bin/sh /opt/ias6/ias/bin/kcs -cse t CCS0 -eng 2
root 10064 1 0 14:33:21 ? 0:00 /bin/sh /opt/ias6/ias/bin/kjs -cset CCS0 -eng 1
root 10061 1 0 14:33:19 ? 0:00 /bin/sh /opt/ias6/ias/bin/kxs -cset CCS0 -eng 0
root 10072 10070 0 14:33:25 ? 0:00 /opt/ias6/ias/bin/.kcs -cset CCS0 -eng 2
root 10062 10061 0 14:33:19 ? 0:01 /opt/ias6/ias/bin/.kxs -cset CCS0 -eng 0
nobody 8174 1 0 12:45:04 ? 0:04 ./ns-slapd -f /opt/ias6/slapd-unix
d02/config/slapd.conf -i /opt/ias6/slapd-myhost.mycompany.com

Logged processes

kxs_0_CCS0: Contains information about the incoming message and the plugin start and stop
kjs_0_CCS0: Contains the standard out from any running java process - can contain some debug information.

Installation Document

http://docs.sun.com/source/816-5788-10/index.html

iTTM Installation Process

Now that iPlanet Web Server and iPlanet Application Server are installed the iPlanet Trustbase Transaction Manager installation can proceed.
The installation is provided on the CDROM. The installation program is designed for Unix Solaris 8. iPlanet Trustbase Transaction Manager currently requires JDK 1.3.1 to be installed on your machine to operate correctly. To ensure iPlanet Trustbase Transaction Manager is installed correctly it is advised that you install JDK 1.3.1 before iPlanet Trustbase Transaction Manager. Allow 100MB of Disc space for JDK 1.3.1 and iPlanet Trustbase Transaction Manager.

Logon as root

Make sure the directory server for iPlanet Application Server is running before you install Trustbase. For example,

cd /opt/ias6/slapd-myhost
./start-slapd

iTTM setup script

The iTTM setup script has the following options:

-g Performs a complete graphic install

-s Operates on Command line answers silently

-c Performs complete command line install interactively

-k Asks for command line answers

-m Gathers settings from installed packages

-p Reinstalls, adds or patches a package

-u Uninstalls an installed package
Before running the setup script in silent mode you will need to:

Make a change to silent installer default setting in
/var/sadm/install/admin/default

Make sure the following setting is set.
"action" ="nocheck"

Make sure any /outputdir is empty otherwise when you use it for an inputdir it will select the previous settings as well.

All Admin settings can be found in the same directory as your setup script by typing the following command:
ls -a /cdrom/cdrom0/ittm/*

Setting retrieval wont function if secure.properties settings have been made as such you should undo the settings you made with secure.properties.

When using silent install and editing your save settings (using the -m option), the following rules apply:

(a) When reinstalling from a previous installation on the same machine you cannot edit and change the settings you saved.

(b) The settings you use within the silent install option -s must also be persistently correct.

(c) You can however edit the settings you saved (with the -m option) when silent installing (with the -s option) on a new machine.

Silent iTTM setup script

Silent installs are possible using combinations of these commands.

To gather appropriate information in order to assist a silent iTTM 3.0.1 install

To ask for command line answers and place the answers to questions in the directory /outputdir that can then be edited and used to do installs on other machines.
./cdrom/cdrom0/ittm/setup -k /outputdir

If you desire to use non-default values for the install directory and or username and groupname, you must alter the files that are generated from your answers. Files with your answers stored in them are located underneath the directory you nominated when using the setup -k option. There is one directory for each of the components you are installing. You must check the contents of all the files located within these directories, making sure that the values for BASEDIR, Owner and Group are what you wish them to be. Where "BASEDIR" is the value for the install directory, "Owner" is the value of the user you wish to run the component that you are installing, and "Group" is the value of that users group.

To gather settings from existing packages and place the answers to questions in the directory /outputdir that can then be edited and used to do installs on other machines.
./cdrom/cdrom0/ittm/setup -m /outputdir

Perform the actual iTTM 3.0.1 Installation using one of the following procedures

To perform a complete graphic install on the entire product
./cdrom/cdrom0/ittm/setup -g

To perform a complete command line install on the entire product entering answers to questions at the terminal
./cdrom/cdrom0/ittm/setup -c

To perform a complete command line install from a file created in /outputdir and read from /inputdir. The output will also be sent to a log file
./cdrom/cdrom0/ittm/setup -k /outputdir
./cdrom/cdrom0/ittm/setup -s /inputdir logfilename

To perform a complete command line install from existing package settings in order to perform a new install on a different machine created in /outputdir and read from /inputdir. The output will be sent to a log file.
./cdrom/cdrom0/ittm/setup -m /outputdir

./cdrom/cdrom0/ittm/setup -s /inputdir logfilename

Before continuing you will need to create an Oracle user and as such you should follow the instructions on how to create a user described in "Oracle Database Configuration".
We now illustrate a complete graphic install type, logged in under root, the following command

# ./cdrom/cdrom0/ittm/setup -g

The installer will then provide you with a summary of your installation components. Select ittm.

ittm

JMS proxy settings

OCSP Responder settings
First time this will ask you for the TokenKeyStore password. Enter any password to protect your TokenKeyStore.
Figure 1-8    Welcome Screen

Enter data and select <next>
Define a user and group account to run iTTM from. This is the same as System User and System group you entered when installing iWS and iAS.
Figure 1-9    License Agreement

Figure 1-10    User Group and account

Figure 1-11    Install Location

By selecting <next> you may be asked whether the system can create the iTTM install directory.Enter data and select <next>
Figure 1-12    3rd Party Software Location

The Installer will then check to see whether your Application Server is running. Enter data and select <next>

Figure 1-13    TokenKeyStore password

The following parameters must be defined:

Oracle login name (User defined)

Oracle login password (User defined|)

Oracle hostname The machine I.D> of where your Oracle installation is located

Oracle port number This is normally set to 1521

Oracle SID This is normally orcl but can be defined when you configure your own Oracle installation

Oracle Driver Location
Before continuing you will need to create an Oracle user and as such you should follow the instructions on how to create a user described in "Oracle Database Configuration"

Figure 1-14    Database Settings

The <skip settings> option allows advanced users to skip these settings and return to them at a later date. Under normal circumstances this should not be used.
Enter data and Select <next>
Figure 1-15    Database Username and Password

Enter data and select <next>
Figure 1-16    Oracle Driver Location

Enter data and select <next>
This completes your Oracle settings.

Make sure AIAs are set correctly within your PKI software.
Figure 1-17    Identrus Settings

The URL of the OCSP Responder tells you where you can get authoritative responses to CSC checks.When running the environment wizard, the URL location of the OCSP responder is requested. In order for OCSP requests to be delivered to the iTTM responder, enter the following URL
http://myresponder.mycompany.com/NASApp/OCSPResponder/OCSPResponder Servlet

Since the OCSP Responder is local to the iTTM application the protocol HTTP is used instead of HTTPS to maximise performance. If an external OCSP responder is used the following address is typically used:

https://myocspresponder.com

The AIA Access Information Authority is the field within a certificate that is used to determine whether or not the TC (or iTTM installation) has authority over that particular certificate. In the case where a particular certificate's AIA matches the TC's choice of AIA instance we can act on this certificate in an authoritative way. In the case where the certificate's AIA is not the same as your TC's (or iTTM installation) AIA no authoritative action can be performed on this certificate. The default value is the host name that a customer or other TC connects to for information. This is normally the same as the iTTM host name.
https://myhost.mycompany.com

As before, the <skip settings> option allows advanced users to skip these settings and return to them at a later date. Under normal circumstances this should not be used.
Figure 1-18    Installation Summary

The system then concludes this part of the iTTM installation.

OCSP Responder

TTM 3.0.1 provides its own OCSP responder which can be utilised as part of the certificate status check process or any other services that require certificate status checking. The OCSP Responder creates directories for the LDAP CRL list and as such its best to publish your CRL list within your CA after you have run the OCSP Responder installation procedure. If not you must make sure the location of the CRL list is the same for runOCSPResponderWizard as the one you use with CA.
Run the following script, logged in under root and Select Option (2) OCSP Responder
./cdrom/cdrom0/ittm/setup -g
Figure 1-19    OCSP Responder Wizard Welcome Page

Click next to process the wizard.

The database settings screen allows configuration of the LDAP directory database that will contain information about revoked certificates. A CA can publish CRLs (certificate revocation lists) to this directory which the OCSP responder will use to provide its responses.

The iAS provided with Trustbase, includes a directory server which it uses for its own configuration. This directory server can also be used for the OCSP responder. Ensure the directory server is running before continuing this wizard.

To use the iAS directory, enter the details of the directory server chosen when installing iAS. A default iAS install will normally place the directory server on port 389 and the Bind DN as "cn=Directory Manager". The Base DN can be set to any valid distinguished name or left as the wizard defaults. The password is the LDAP password you used in the iAS 6.5 install.

Figure 1-20    OCSP Database Settings

Clicking next to configure the OCSP responder with the entered LDAP directory settings.

JMS Proxy Setup

iTTM supports any JMS Message queue system and requires

A Host Name of the machine where the JMS broker is listening. The default is myhost.mycompany.com

A Port Number on which the JMS broker is running. The default is set to 7676

A Queue Name to indicate where iTTM receives messages. The default is set to backend_to_itps

These settings can be changed, only when you have installed iTTM, in the following properties file:
/opt/ittm/myhost/jmsproxy.properties

iTTM also requires a JMQ driver location. You will be asked for this location while you are installing iTTM.
Details of the JMS specification can be found in
http://docs.sun.com/db/doc/816-5904-10
Select option (3) JMS Proxy, logged in under root, after typing
./cdrom/cdrom0/ittm/setup -g
The following screen should appear:
Figure 1-21    Web Server Host

Figure 1-22    JMQ Driver location

Figure 1-23    Queue Server Name

iTTM Configuration issues

The following needs to be configured before starting iTTM

OCSP Responder with CA

iTTM and OCSP Responses

URL rewrites with iWS

Configuring the Trustbase OCSP Responder with the Certificate Authority

In order for the OCSP responder to give the appropriate certificate status check results, it will be necessary to configure the CA to publish the revocation list to the same directory server configured for this responder.
This procedure will vary with different Certificate Authority software, but the following guidelines should be employed.
Publish the CRL to the same LDAP directory chosen in the OCSP installation wizard.
Publish the CRL under the same Base DN chosen in the installation wizard
The CA certificate that the OCSP responder provides responses for should be Published with the attribute "cacertificate;binary"
The CRL should be published to the OCSP responder with the attribute "certificaterevocationlist;binary"

Configuring Trustbase to validate the OCSP responses

By default Trustbase does not check the signature on the OCSP responses. This can be enabled by editing the "identrus.properties" file as documented in "Identrus Configuration".
When a message is sent to any node a response comes back. That response needs to be verified in such a way that the sender of the response is who they say they are. This is an optional feature in that it can be assumed that responses are trusted. OCSP Responders that are used locally are unlikely to require this signing validation process as their communication can be considered secure. However OCSP Responders on non-local or insecure lines should have this feature configured.
When an RP bank communicates with an IP that does not have an iPlanet Trustbase Transaction Manager Transaction Coordinator and fails it will need an OCSP Responder. This is sometimes referred to as OCSP fallback.
In order to verify an OCSP response we need to input the signing Certificate into the iTTM TokenKeyStore. Normally the OCSP responder certificate is directly descended from the Identrus Root. If this is the case, there is no need to perform any further configuration for response signature checking.
If a specific certificate is required to validate OCSP responses, the token key tool will need to be used to import the certificate. It then needs to have the alias of "L1OCSP" added to this certificate. For details on how to do this, see the appendix at the end of this guide.
Once the OCSP signing Certificate has been successfully imported into the iPlanet Trustbase Transaction Manager token key store, a change needs to be made to the identrus.properties file. This file can be found in /opt/ittm/myhost. Change the entry OCSPResponderSigningCertificateRole as follows:-
OCSPResponderSigningCertificateRole=L1OCSP

Figure 1-24    OCSP Responders

Configuring the AIA for the OCSP responder

Identrus compliant certificates contain two AIAs. One refers to the address of the TC. The second refers to the address of the Responder. This should be set to the following address.
http://myhost.mycompany.com/NASApp/OCSPResponder/OCSPResponderServl et
Since the OCSP Responder is local to the iTTM application the protocol HTTP is used instead of HTTPS to maximise performance. If an external OCSP responder is used the following address is typically used:
https://myocspresponder.com
iPlanet Trustbase Transaction Manager is now installed. Some further configuration is now required to establish the local settings and Identrus setup - see the following sections.

Configuring the iWS for URL rewriting and SSL Decryption

The URL's presented in the Certificate AIA's are typically a human readable form of the URL's required by the Trustbase application server. These must therefore be converted.The Web Server is configured to perform this task.
The following diagram illustrates how URL rewrites that take place between iTTM, iWS and iAS.
Figure 1-25    Configuring URL rewrites within iWS

iTTM AIA's

All deployed TC's will require the following translation to occur:
To map a URL such as http://myhost.mycompany.com, https://myhost.mycompany.com or https://myhost.mycompany.com /TC to
http://myhost.mycompany.com/NASApp/NASAdapter/TbaseNASAdapter.
The short URL is typically issued in the Certificate AIA's of the L1 PKI.
Two steps are required:

If your TC responds to HTTPS then we need to decrypt the SSL session and forward the request to the web server HTTP port.

To rewrite the URL to /NASApp/NASAdapter/TbaseNASAdapter

OCSP AIA's

If you are using the Trustbase OCSP Responder you will need to map the URL http://myresponder.mycompany.com/ocsp or
https://myresponder.mycompany.com/ocsp to http://myresponder.mycompany.com/NASApp/OCSPResponder/OCSPResponderServlet
The short URL is typically issued in the Certificate AIA's of the L1 PKI.
Two steps are required:

.If your OCSP Responder responds to HTTPS then we need to decrypt the SSL session and forward the request to the web server HTTP port.

To rewrite the URL to /NASApp/OCSPResponder/OCSPresponderServlet.

Configuring the Web Server for SSL

The web server performs SSL decryption
The web server is configured to respond to port 80 by default. In addition to this port we need to add a new port listener on 443 (SSL) or any other desired SSL port.
Port 80, HTTP, must be maintained as it will be used for internal non-SSL login to Trustbase and accessed via the JMSPROXY, which does not support SSL, used for asynchronous messaging.
Note: if required in your installation you will need to install the PKCS#11 hardware security module into this web server. This is documented in the ncipher Security Module's install guide.

Installing the SSL Server Certificate

Go to the Web Server administration port, typically

http://myhost.mycompany.com:8888

Select your <Manage Servers>. Your Server instance will be selected by default. Note: you won't be adding SSL to your administration server, only the instance configured for HTTP port 80.

Select <Security > <Create Database>

Request a Certificate. CA URL should be 'none'. Complete all other fields as appropriate but use a relevant name for the Common Name such as the fully qualified hostname of the iTTM host.

Sign this with your Root CA using the SSL Server profile.

Install Certificate. Certificate is for 'This Server' and Certificate Name should be left blank, which will then default to 'Server-Cert'.

Paste the certificate response and press OK. Don't restart the Server at this time.

Configuring an Additional Listener on Port 443

Go to the Web Server administration port, typically

http://myhost.mycompany.com:8888

Select your <Manage Servers>.

Select <Preferences> <Add Listen Socket>

The following values should be used:

ID: SSL_Proxy

IP: 0.0.0.0

Port: 443

Servername: myhost.mycompany.com

Security: On

Select the default VS

Select <ok>

All other settings should be left untouched.

Just to be sure, select <Edit Listen Sockets>

Ensure Security is ON for SSL_Proxy socket

Select Attributes for SSL_Proxy socket:

Make sure that Server-Cert is selected

Press <ok>
You may now restart the server by selecting <Apply Changes>. Port 80 (HTTP) & 443 (HTTPS) should now be able to access the web server home page.

Configuring NSAPI in the Web Server to rewrite URL's

Sometimes it is necessary to rewrite a URL, using Netscape SSL proxy, such that the URL seen by the outside world differs from that used internally by the application server. To perform such rewrites in iWS, the following steps must be taken.

From the root account, Stop the Web Server Instance that you are making this change to.

Locate the tb_url_rewrite.so in your distribution, typically
/opt/ittm/current/Config/WebserverSetup/JWS/plugins/tb_url_rewri te.so

If you are installing iAS and iWS on separate machines you should also consult "URL Rewrites with iAS and iWS on separate machines"

Edit adding two new lines
/opt/iws6/https-myhost.mycompany.com/config/magnus.conf
Init fn="load-modules" \
shlib="/opt/iws6/plugins/lib/tb_url_rewrite.so" \
funcs="basic_rewrite,basic_rewrite_init"
Init fn="basic_rewrite_init"
iWS maintains an archive of previous modifications to this file in case there is a need to revert back

Configuring the URL Rewrites. These translations must appear immediately after the line beginning <Object name=default> or they will not function. Edit
/opt/iws6/https-myhost.mycompany.com/config/obj.conf

adding the following line for each rewrite
NameTrans fn="basic_rewrite" from ="from_path" to="to_path"

For example to forward: https://myhost.mycompany.com/TC add the line:
NameTrans fn="basic_rewrite" from="/TC" \
to="/NASApp/NASAdapter/TbaseNASAdapter"
iWS maintains an archive of previous modifications to this file in case there is a need to revert back

Installing the NSAPI Library.
cp /opt/ittm/current/Config/WebserverSetup/JWS/plugins/tb_url_rewri te.so /opt/iws6/plugins/lib

Restart the Webserver instance. This asks for iWS 6.0 cert database password.

Other Suggested rewrites

The following rewrites might be required for Identrus compliance. When using rewrites, remember that all URL configuration entries should refer to the external URL. For example the Local OCSP Responder should be directed to
http://myhost.mycompany.com/OCSP
Edit
/opt/iws6/https-myhost.mycompany.com/config/obj.conf
<Object name="default">
adding the following line to each rewrite
NameTrans fn="basic_rewrite" from="/ocsp" \
to="/NASApp/OCSPResponder/OCSPResponderServlet"
This rewrite rule is optional but will allow access to the logon screen with a short URL: https://myhost.mycompany.com/ocsp
To achieve a rewrite of a base URL such as http://mycompany.com, it is necessary to utilise the browsers internal rewrite rules by placing "/index.html" in the from field. For example,
NameTrans fn="basic_rewrite" from="/logon" \
to="/NASAdapter/LogonFrame.html"
NameTrans fn=basic_rewrite from="/index.html" \
to="/NASApp/NASAdapter/TbaseNASAdapter"
It must be noted that this will rewrite all URL's ending in "/"

Installation Structure

Once the installation has completed the following directory structure and support files will exist:

iPlanet Trustbase Transaction Manager
Figure 1-26    iPlanet Trustbase Transaction Manager Directory Overview

ittm
iPlanet Trustbase Transaction Manager contains all configuration and Library files, the SQL directory containing various database setup scripts.
Figure 1-27    iPlanet Trustbase Transaction Manager Overview Directory

Scripts
This directory contains all of the scripts needed to start and stop iPlanet Trustbase Transaction Manager
Figure 1-28    iPlanet Trustbase Transaction Manager Commonly Used Scripts

myhost
This directory contains all of the configuration files for this installation. i.e. /opt/ittm/myhost/tbase.properties, nFast.properties, identrus.properties These files should not be modified directly but can be accessed via the configuration screens in this manual.
Figure 1-29    iPlanet Trustbase Transaction Manager Initialisation Files

current
This directory contains all of the TTM binaries and support files

apidocs
Javadocs

samples
Developer Examples

store
Certificate store

iTTM Checklist

The following operational commands are often used while running iTTM:

Information Type

Example Set-up Value for iTTM 3.0.1

Install directory

/opt/ittm

Administration logon via web

Username: administrator, Password: administrator

TokenKeyTool

/opt/ittm/Scripts/runtokenkeytool

Operational ports

Admin via web: 80 (http://myhost.mycompany.com/NASAdapter/logon.html)

To start server

/opt/ittm/Scripts/startias

To stop server

/opt/ittm/Scripts/stopias

Property file location

/opt/ittm/myhost

Processes grep

ps -ef | grep java

Process list

root 9713 1 0 12:47:53 pts/6 0:08 /usr/bin/../java/bin/../jre/bin/../bin/sparc/native_threads/java uk.co.jcp.tbase

Installation Document

http://docs.sun.com/?p=prod/s1.iptbtranm

Post Installation Steps

Before starting iPlanet Trustbase Transaction Manager for the first time it is necessary to do some further configuration steps, in each of the following configuration steps refer to the Installation Structure section above to locate the necessary files:

nCipher Security setup - see section "Oracle Database Configuration"

Oracle Database setup - see section "Oracle Database Configuration"

Identrus site specific setup - see section "Identrus Configuration"

Oracle Database Configuration

Both TTM and the Identrus Extensions require access to a database with a pre-configured schema. The installation comes with SQL scripts that must be executed in the database user's tablespace that was specified at installation time. The following sections explain how to create the user and generate the correct schema for that user.

Oracle Database Setup pre-requisites

iTTM requires that the Oracle instance have the following minimum configuration values, these are defined in the init file for the Oracle instance:

The generation of users and the tablespaces defined may differ for individual sites - contact the site DBA for advice. There needs to be a minimum of 100MB of free space in the 'default' tablespace for each iTTM database user, this comfortably allows for a basic installation and testing volumes.

Advise DBA that the database block size (db_block_size) for the instance must be at least 8192 to accommodate the indexing requirements of the iTTM schema. It should also be noted that this parameter has no effect until the underlying database files are recreated with the new block size.

Advise DBA that processes should be at least 200, this is sufficient to support 2 concurrent iTTM instances, increase this figure to accommodate additional instances.

Advise DBA that open_cursors should be at least 300
From a running SQL session, logged on as system user the following query will show the current values of the settings:
select name, value from v$parameter where name in
('processes','open_cursors','db_block_size');

Running the iPlanet Trustbase Transaction Manager SQL Scripts

You may need to ask your DBA to create your username and password. The following procedure should be followed.

Switch to the Oracle user and run server manager:

myhost> su - oracle
Password:
myhost> cd ../opt/ittm/current/Config/sql
myhost> svrmgrl

Oracle Server Manager Release 3.1.5.0.0 - Production

(c) Copyright 1997, Oracle Corporation. All Rights Reserved.

Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
With the Partitioning and Java options
PL/SQL Release 8.1.7.0.0 - Production

SVRMGR> connect internal
Connected.

The database must be enabled to support the UTF8 character set. The following script is an example of how to achieve this.

SVRMGR> SHUTDOWN;
SVRMGR> STARTUP MOUNT;
SVRMGR> ALTER SYSTEM ENABLE RESTRICED SESSION;
SVRMGR> ALTER SYSTEM SET JOB_QUEUE_PROCESSES=0;
SVRMGR> ALTER DATABASE OPEN;
SVRMGR> ALTER DATABASE CHARACTER SET UTF8;
SVRMGR> SHUTDOWN;
SVRMGR> STARTUP;

Create a iPlanet Trustbase Transaction Manager user - you may need to change the username, password and default tablespaces depending on site policy:

SVRMGR> CREATE USER tbase IDENTIFIED BY tbase DEFAULT TABLESPACE USERS
TEMPORARY
TABLESPACE TEMP;
SVRMGR> GRANT CONNECT TO tbase;
SVRMGR> GRANT RESOURCE TO tbase;
SVRMGR> ALTER USER tbase QUOTA UNLIMITED ON USERS;
SVRMGR> quit
Server Manager complete.

Connect as the iPlanet Trustbase Transaction Manager user and run the scripts:

mydatabase% su - oracle
mydatabase% cd /opt/ittm/current/Config/sql
mydatabase% sqlplus
SQL*Plus: Release 8.1.7.0.0 - Production on Fri Feb 15 12:07:11 2002
(c) Copyright 1999 Oracle Corporation. All rights reserved.
Enter user-name: tbase
Enter password:
Connected to:
Oracle 8i Enterprise Edition Release 8.1.7.0.0 - Production
With the Partitioning and Java options
PL/SQL Release 8.1.7.0.0 - Production

SQL>spool myoutput.txt
SQL>set echo on
SQL>@tbaseNew.sql

Existing users may upgrade from iTTM.2.2.1 to iTTM3.0.1 using the script
/opt/ittm/current/Config/sql/tbaseUpgrade3_0.sql

Uninstalling may be achieved by deleting all user scheme objects using
/opt/ittm/current/Config/sql/Drop_tbaseAll.sql

You should check the output file to ensure that all SQL tables were created successfully.
/opt/ittm/current/Config/sql/myoutput.txt

Oracle Example Checklist

The following provides typical operational commands available within Oracle.

Information Type

Example Set-up Value for Oracle 8.1.7

Install directory

Oracle program files: /opt/oracle/app/product/8.1.7/bin Oracle data files: /identrusdb/orcl

Oracle user login

Username: oracle, Password: oracle

Sqlplus - dba admin

Username: sys, Password: change_on_install

Sqlplus - tbase user

Username: tbase, Password: tbase

Operational ports

Oracle ports: 1521

SID

orcl

To start server

As oracle user: svrmgrl; Connect internal; startup; exit
lsnrctl; start; exit

To stop server

As oracle user: lsnrctl; stop; exit
svrmgrl; connect internal; shutdown; exit

Processes grep

ps -ef | grep oracle

Logs of interest

Auditdata: Contains internal audit information & indicates what the TC processed.
Error: Shows unexpected errors e.g. cannot communicate with Certificate Authority
Error_support: Shows any java stack trace associated with the error table.

Cryptographic Services Configuration

Cryptographic operations are an integral part of iTTM function. iTTM can make use of several different cryptographic service providers. A cryptographic service provider offers key and certificate management, digital signature, encryption and ssl functions. The choice of which service provider to use is dependent on the nature of the iTTM installation. Two service providers are supplied in an iTTM installation, the PKCS#11 cryptographic service provider and the nCipher native cryptographic service provider.

Cryptographic Installation Scenarios

You must select one of the following scenarios that come packaged with a provider:

Software PKCS11 for iTTM 3.0.1

PKCS11 provider with software token

Generic Hardware PKCS11 for iTTM 3.0.1

PKCS11 provider with hardware token

nCipher Hardware PKCS11 for iTTM 3.0.1

PKCS11 provider with hardware token

nCipher Upgrade from iTTM 2.2.1 to iTTM 3.0.1

nCipher native provider

We now describe each of the providers that are associated with each installation Scenario

Cryptographic Providers

PKCS#11 cryptographic service provider [ also known as the "JSS" service provider ]. PKCS#11 is an industry standard interface to cryptographic services devices, known as Tokens. iTTM supports several different PKCS#11 Tokens

Software PKCS#11 Token

The software Token is not suitable for a production environment: it is only appropriate for test and development installations. While private keys are protected by password based encryption, the password is freely available, so private key material is not secure.

Hardware PKCS#11 Token

This is the normal service provider to use in a production environment. Private key material is stored securely, either on a hardware token, or wrapped with a symmetric key stored on a hardware token.The iTTM PKCS#11interface is tested with nCipher hardware Token.

nCipher native cryptographic service provider [ also known as the "TTM-NCIPHER" service provider ]. The nCipher native provider communicates directly with nCipher hardware security modules, using an nCipher proprietary protocol. In previous versions of iTTM, the only support for hardware security modules was provided in this manner.

If keys created under an iTTM 2.2.1 installation are to be used with an iTTM 3.0.1 installation, this service provider must be used. Private key material is stored on disk or in a directory, securely wrapped with a secret key persistently stored on an nCipher HSM. This provider is suitable for use in a production environment

In order to run the scripts from iTTM, log in under your username e.g. tbase. We now discuss the four Installation Scenarios possible.

PKCs11 provider with software token

The PKCS#11 cryptographic service provider always has an active software Token, which is selected as the default Token in a standard iTTM installation. No action is required beyond the normal iTTM installation if the soft PKCS#11 Token is the only Token to be used

PKCs11 provider with generic hardware token

The vendor of the hardware Token supplies a PKCS#11 library, through which iTTM interacts with the module.Before the PKCS#11 service provider can use a hardware Token, the hardware must be correctly configured and initialised [ consult vendor documentation. For nCipher hardware see also the section entitled "nCipher Module Installation" below ]. If you are configuring an nCipher hardware security module for use with iTTM, then scripts are available to install the vendor PKCS#11 library for you. See the section "nCipher PKCS#11 Token configuration" which follows on from nCipher Module Installaton. Otherwise, follow the instructions presented here.

There are two steps to be taken in configuring the PKCS#11 cryptographic service provider for use with a hardware Token.

   Identifying the HSM vendor's PKCS#11 library to the Plug-in PKCS#11 cryptographic services

You will need

the location of the hardware security module vendor's PKCS#11 library

a module name [ can be anything, so long as it's not already in use ]

Scripts are included in the iTTM distribution to assist the installation of PKCS#11 libraries

   Change directory to the iTTM Scripts directory
cd /opt/ittm/Scripts

   run the installPllLibrary script
./installP11Library -module <moduleName> -libfile <vendorLibrary>

For example
./installP11Library -module ncipher -libfile

   Check the installation using the modutil script
./modutil -nocertdb -list

For example
./modutil -nocertdb -list

   The output should look something like this
Using database directory ....
Listing of PKCS #11 Modules
Listing of PKCS #11 Modules
-----------------------------------------------------------
1.<moduleName>
library name: <vendorPKCS#11Library>
slots: # slots attached
status: loaded
slot: ####-####-####-#
token: <tokenName>
slot: ####-####-####-#
token: <anotherTokenName>
...
2. Netscape Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
----------------------------------------------------------

   Configuring the default Token

   Once a vendor PKCS#11 library has been installed, iTTM can use keys and certificates stored on Tokens provided by that library. New cryptographic Objects will, however, still be created on the default Token, which is the software Token in a standard install

   Change directory to the iTTM host specific configuration directory
cd /opt/ittm/myhost

   edit the JssConfig.xml file
vi JssConfig.xml

   Change the defaultToken attribute of the JssConfig element to be the desired default token name [ as reported by modutil in the previous section ]. An empty string defaultToken attribute value refers to the software PKCS#11 Token
<JssConfig
defaultToken="tokenName">

<JssDbConfig
configDir="$JSSCONFIGDIR"
moduleDb="secmod.db"
keyDbPrefix=""
certDbPrefix=""
readOnly="false"/>
<JssSslConfig
cacheMaxEntries="10000"
cacheSsl2Timeout="100"
cacheSsl3Timeout="100"
cacheDirectory=".">
SSL3_RSA_WITH_RC4_128_SHA
SSL3_RSA_WITH_RC4_128_MD5
SSL3_RSA_WITH_3DES_EDE_CBC_SHA
</JssSslConfig>
</JssConfig>

   Save the file, leaving other lines untouched

Example Generic PKCS11 Checklist

Information Type

Example Set-up Value generic PKCS11

Adding PKCS11 Library

cd /opt/ittm/Scripts
./installP11Library -module ncipher -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so

Verifying addition of PKCS11 Library

cd /opt/ittm/Scripts
./modutil -nocertdb -list

Configuring default token

cd /opt/ittm/myhost
vi JssConfig.xml

PKCs11 provider with nCipher token

There are two steps

nCipher module installation
For each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.

   Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).

   The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same host computer used to run the TC.

   Create a "Security World" on one module, using the nCipher KeySafe tool.

   Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.

   The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanet^TM Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanet^TM Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.

   Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:
/opt/nfast/sbin/init.d-nfast stop
/opt/nfast/sbin/init.d-nfast start

Tip
Once the nCipher modules have been initialised into a security world follow one of the two procedures outlined below "Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0.1" or "nCipher PKCS#11 Token configuration"

nCipher PKCS#11 Token configuration
If the nCipher hardware security module is to be used with the PKCS#11 cryptographic services provider, rather than the nCipher native cryptographic services provider follow this procedure, which installs the nCipher PKCS#11 library and marks the nCipher Token as the default for iTTM.
Once the nCipher modules have been initialised into a security world, some operator cards must be created for use with the nCipher PKCS#11 interface. An operator card must be inserted into the nCipher module while it is being used through the PKCS#11 interface.

   Change directory to the nFast binary's directory
cd /opt/nfast/bin

   Use the createocs or createoc-simple commands to create an operator card or cardset [ see nCipher documentation ] . The name of the card of cardset is required but the installPllLibrary script used below. The simplest configuration creates a single operator card
./createoc-simple [ --fips <AUTHSLOT> ] [ --overwrite ]
<MODULE> <SLOT> <NAME> 1 0

For example
./createoc-simple 1 0 operator 1 0

   Change directory to the iTTM Scripts directory
cd /opt/ittm/Scripts

   run the installPllLibrary script
./ncipherP11Install [ -libfile <ncipherLibrary> ]
<NAME>

For example
./ncipherP11Install operator

The nCipher PKCS#11 Token is now installed as the default provider for iTTM cryptographic services

nCipher Example PKCS11 Checklist

Information Type

Example Set-up Value nCipher

Install directory

/opt/nfast

Operational ports

9000

To start server

/etc/init.d/nfast start

To stop server

/etc/init.d/nfast stop

Processes grep

ps -ef | grep hard

Process list

nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile
nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile

Creating nCipher operator card

cd /opt/nfast/bin
./createoc-simple 1 0 operator 1 0

Installing nCipher PKCS11 module

cd /opt/ittm/Scripts
./ncipherP11Install operator

Documentation

nCipher KeySafe 1.0
http://www.ncipher.com

nCipher native provider upgrade: ittm 2.2.1 to 3.0.1

There are two steps

nCipher module installation
For each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.

   Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).

   The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same host computer used to run the TC.

   Create a "Security World" on one module, using the nCipher KeySafe tool.

   Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.

   The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanet^TM Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanet^TM Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.

   Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:
/opt/nfast/sbin/init.d-nfast stop
/opt/nfast/sbin/init.d-nfast start

Tip
Once the nCipher modules have been initialised into a security world follow one of the two procedures outlined below "Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0.1" or "nCipher PKCS#11 Token configuration"

Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0.1
If you have cryptographic keys that were created using an iTTM 2.2.1 installation, these keys can be used by iTTM 3.0.1 through the nCipher native cryptographic services provider. This upgrade procedure must be followed to migrate the keys from the Oracle database [ where they were stored for iTTM 2.2.1 ] to the XML based storage used by iTTM 3.0.1
The upgrade procedure changes the cryptographic service provider used by TTM, from the JSS provider [ supporting PKCS#11 interaction with HSMs ] to the native nCipher provider. It is not possible to use both providers simultaneously, so if private keys generated with a TTM 2.2.1 installation are to be used with a iTTM 3.0.1 installation, the iTTM 3.0.1 installation must use the nCipher cryptographic services provider
There are two steps to this upgrade step

nCipher module setup for the nCipher native provider.

Once the Security world is installed, the following points should be noted:

   The nFast cryptographic services provider read certain settings from a properties file "nFast.properties". This file is read from the iTTM installation directory, and is only required if any of the nCipher configuration parameters differ from the default values described below. An installation which uses only the default values requires no nFast.properties file

   If created, nFast.properties should be located in the iTTM host specific installation directory
/opt/ittm/myhost/nFast.properties

   nFast.properties should contain the following values:

   ServerAddress. The ServerAddress property should be set to the local host. If set to other values the server may refuse connection attempts on unix systems. On NT systems, the server will accept connections from clients elsewhere than "localhost". The default value is 127.0.0.1

   StandardPort. The StandardPort property contains the number of the port on which the server is listening for standard connections. By default this value is 9000.

   StandardConnections. The StandardConnections property contains the number of standard connections that will be maintained with the nFast module. Low values for this property will not allow the module to make best use of its parallel processing capabilities. By default, this value is obtained from the module itself.

   module.key. The module.key property contains the identifying number of the module key to be used for encrypting keys for storage outside the box. If the standard install procedure has been followed, and the Security World has been correctly set up, the module keys installed on the box are:

    KM0 - the randomly generated module key that is never exported in any form. If this key is used as the default, archived keys may only ever be used on that specific module. If the module is replaced for any reason, all the keys must be regenerated.

    KM1 - a well known module key used for bootstrapping of the recovery keys. This module key should NOT be used.

    KM2 - the security world key. This is the module key that should be used, and is the default value assumed if no nFast.properties file is present
ServerAddress = localhost
ServerPort = 9000
StandardConnections = 10
PrivilegedConnections = 0
module.key = 2

Importing iTTM 2.2.1 keys and certificates to iTTM 3.0.1

During this procedure you will need: Details of the oracle database containing the cryptographic keys used with TTM 2.2.1at a minimum, the hostname, username and password are required. additional information will be required in the following cases

-      the Oracle listener port, if it is not 1521

-      the database SID, if it is not ORCL

-      the PBE password for the KeyStore, if it is not the same as the database password

You will also need the name of the TrustDomain into which the nCipher keys are to be imported [ if it is not identrus ]. If this TrustDomain already exists, it must be associated with Token type TTM-NCIPHER [ if not, then the import will fail ]

   Change directory to the iTTM Scripts directory
cd /opt/ittm/Scripts

   Run the ncipherupgrade script
./ncipherupgrade [ -pbe <pbdepassword:<password>> ]
[ -port <oracle_port:1521> ]
[ -sid <oracle_sid:ORCL> ]
[ -domain <trustdomain:identrus> ]
<oracle_host> <oracle_user>
<oracle_password>

This script extracts keys and certificates from the TTM 2.2.1 key store in the oracle database, and imports them into the given TrustDomain. Purpose identifiers in the TTM 2.2.1 key store are converted into aliases in the TrustDomain. A TTM 2.2.1 Identrus key store imported in this manner will function as a iTTM 3.0.1 Identrus key store

The import procedure is now complete, and iTTM 3.0.1 is configured to used the iTTM 2.2.1 keys and certificates.
Note: The import procedure works only for nCipher keys in a TTM 2.2.1 KeyStore. The import of soft keys is not supported [ since soft keys are not to be used in a production environment ]

nCipher Example Upgrade Checklist

Information Type

Example Set-up Value nCipher

Install directory

/opt/nfast

Operational ports

9000

To start server

/etc/init.d/nfast start

To stop server

/etc/init.d/nfast stop

Processes grep

ps -ef | grep hard

Process list

nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile
nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile

Importing iTTM2.2.1 keys

cd /opt/ittm/Scripts
./ncipherupgrade k9 tbase tbase36

Documentation

nCipher KeySafe 1.0
http://www.ncipher.com

LDAPS (Optional)

Please consult the next chapter "iAS and iWS on separate machines" and "LDAPS"

Identrus Configuration

A Transaction Coordinator (TC) comprises of all Identrus Services that have been deployed within the iPlanet Trustbase Transaction Manager. The file identrus.properties needs to be edited to change settings appropriately. Log in under your username e.g. tbase. It can be found in /opt/ittm/myhost as illustrated below:
Figure 1-30    identrus.properties file location

Normally, no changes to Identrus.properties need to be made. However the locations of OurAIA and LocalOCSPResponderLocation can change. For instance:

OurAIA = https://rp
LocalOCSPResponderLocation = http://rp:8080

The following illustrates an example identrus.properties file.
Figure 1-31    Example Identrus.properties

[CSC]
; OID's for OCSP and TC
TCOID=1.2.840.114021.4.1
OCSPResponderOID=1.3.6.1.5.5.7.48.1

;CaCertificateRole=
;EndEntityCertificateRole=
;SigningCertificateRole=
;RootCertificateRole=

; Local OCSP Responder Communication
SignLocalOCSPRequests=false
OCSPResponderSigningCertificateRole=L1OCSP
LocalOCSPResponderLocation = identrus_local_resp_url

OurAIA = identrus_our_aia
DNOfAuthority=

; Response Cache Parameters
ApprovedResponseMaxAge=60
ApprovedResponseMaxKeep=60
DebugMode=true
;OCSPRequestorName=CN=KENCO

Other settings can be modified:

OID's

TCOID: This is ASN object ID for the "authority info access" attribute for Identrus Transaction Coordinator 's (default acceptable). All Identrus Certificates will have this and are supplied by Identrus with the ID of 1.2.840.114021.4.1.

OCSPOID: This is ASN object ID for the "authority info access" attribute for OCSP responder's (default acceptable).

Certificate Roles

CaCertificateRole: This is the certificate attribute used for the Transaction Coordinator CA certificate. (Default is acceptable).

EndEntityCertificateRole: This is the certificate attribute used for the Transaction Coordinator end entity signing certificate (default acceptable).

SigningCertificateRole: This is the certificate attribute used for the Transaction Coordinator inter participant signing certificate (default acceptable).

RootCertificateRole: This is the certificate attribute used as by the Identrus Transaction Coordinator to identify the Identrus root (default acceptable).

Local OCSP Responder Communication

SignLocalOCSPRequests: boolean - unsigned Local OCSP requests have a parameter set to false and signed Local OCSP requests have this parameter set to true.

OCSPResponderSigningCertificateRole: This is the certificate used to verify OCSP responses (only used if signLocalOCSPrequests is true).

LocalOCSPResponderLocation: The URL for the local OCSP responder.

Misc settings

OurAIA: The Access Information Authority (AIA) of this Identrus Transaction Coordinator.

DNOfAuthority: This is the Distinguished Name (DN) of the Identrus root signing certificate. This is for internal use only.

Response Cache Parameters

To avoid repeated calls to the Identrus root, an institution can contact the root about the status of its own certificates and store them for a cached period. Whenever a message is sent to another party, it will include this cached response. It is then up to the other institution to decide whether this cached response is acceptable or if it wants to contact the root itself. If a relying customer wants to ensure that cached responses are not used anywhere in an Identrus transaction then that customer can supply a nonce in the outgoing OCSP requests. This nonce is then used as a signal to the institutions not to use the cached response.

Caching prevents the need for repeated access to the Identrus Root. Each institution holds a value for how long its own cached certificate statuses are kept for. It also holds a maximum acceptable age of received certificate statuses. The following parameters must be defined:

ApprovedResponseMaxAge: number of seconds to allow a cache entry to persist for.

ApprovedResponseMaxKeep: number of seconds that a response provided to use can be acceptable.

DebugMode: internal debug on/off

OCSPRequestorName: name to use when talking to an OCSP responder. It should be noted that this must be set to the Distinguished name (DN) of the certificate used to sign OCSP if signing is set to true (i.e. SignLocalOCSPRequests=true). In the example provided, the common name (CN) is used as the distinguished name since the distinguished name is made up of the common name and the organisation unit (OU).

iTTM Certificate Configuration

Log in under your username e.g. tbase
The following certificate scripts must be run
/opt/ittm/Scripts/runCertWizard
/opt/ittm/Scripts/runOCSPResponderCertWizard

runCertWizard

Before continuing with runCertWizard, you will need to install your ncipher and as such you should follow the instructions described in "Cryptographic Installation Scenarios" This will ensure your keys are generated using hardware Cryptography instead of software Cryptography.
To run Certificate Wizard type
cd /opt/ittm/Scripts
./runCertWizard

If you make a mistake while importing certificates you can start again by deleting the following files
/opt/ittm/store/*

Figure 1-32    iTTM Certificate Wizard Welcome screen

You will need to collect your Identrus root certificate by specifying its location.
Figure 1-33    Import Identrus Root Certificate

Next you will need to supply the certificate of your L1 CA by specifying its location.
Figure 1-34    Import iTTM CA Certificate

Once the certificate is in the database and you have exited from CertWizard you can delete this filename
Next you will need to make three requests for signing certificates. This is a two stage process involving pasting data that you have generated from the wizard into the website of the certificate authority that generates a response. The three certificates you need are:

The End Entity Signing Certificate allows you to sign messages to your customer.

The Participant Signing Certificate allows you to sign messages that will be sent from one TC to another

The SSL Signing Certificate allows you to negotiate an SSL connection at the transport level.
Figure 1-35    Request End Entity Signing Certificate

Figure 1-36    End Entity Location

Figure 1-37    Request SSL Signing Certificate

This can be any valid distinguished name. Normally this is comprised of:

Common Name. Name to give the certificate

Organisation Unit. Represents the department or subsidiary of the organisation to which the user/entity belongs.

Organisation. Represents the organisation to which the entity/user creating the certificate belongs.

Figure 1-38    SSL Location

Figure 1-39    Request Participant Signing Certificate

Figure 1-40    Participant Location

Go to your CA and submit your PKCS10 request. Collect the response. Save the corresponding response in a file made available to the install wizard.
Figure 1-41    Import End Entity Signing Certificate

Figure 1-42    Import SSL Signing Certificate

Figure 1-43    Import Participant Signing Certificate

Figure 1-44    Certificate Summary

runOCSPResponderCertWizard

To run OCSP Certificate Wizard type
cd /opt/ittm/Scripts
./runOCSPResponderCertWizard
Figure 1-45    OCSP Certificate request

The OCSP responder signs all of its responses with a private key associated with a certificate. This provides additional security when the OCSP responder is separated from the Trustbase installation.

To generate a certificate with private key for OCSP responses, a certificate request needs to be generated. Enter the distinguished name desired for this certificate and select "Next"

Figure 1-46    Save the Request as a file

Select a location to store the certificate request file and select "Next"

It will now be necessary to provide this request to the CA. Typically this will be the Identrus Root CA.

Once a certificate has been generated by the CA in response to the request, the certificate should be placed into a file available to the OCSP responder wizard.

Figure 1-47    OCSP Certificate Response

Enter the file location of the certificate response and select "Next
Figure 1-48    OCSP Install Complete

If the certificate is successfully imported, the wizard will complete successfully. If there are any problems then using the "back" button will step through previous screens so they can be re-attempted.

Secure properties (Optional)

Users installing iTPS should not attempt to do this until they have completed installing iTPS.
Log in under your username e.g. tbase
Property data is held within one of the following properties files:
/opt/ittm/myhost/tbase.properties
/opt/ittm/myhost/identrus.properties
The information is divided into property sections, and sub-divided into entries (key/value pairs). In order to access the data the system uses a set of utility classes that only provide read only access. The installation script or the systems administrators are the only entities that make modifications to the properties files. Given that the properties files are also used by the systems administrator it is useful (certainly in installation and set up) that the information is human readable.
This allows certain properties to be re-directed to a sub-file. This sub-file
/opt/ittm/myhost/secure.properties
is in a known system location and is encrypted.
The properties utility layer will automatically redirect to the encrypted file when the value of a property in either tbase.properties or identrus.properties starts with a known re-direction string e.g. PROTECTED_. The value of a redirected property will start with the known string and everything after this known string will be taken to be the lookup key in the encrypted file.
All properties files will share a single secure.properties file, this file will be located in the same place as all other properties - which is the machine name specific directory of the iTTM installation. secure.properties is encrypted and decrypted using the same password.
Determining which properties to secure will normally depend on a security audit in your organisation.

Installation Procedure

Go to machine name directory. Mark the properties you want to secure in the properties file as
= PROTECTED_name

as illustrated below:

Figure 1-49    Securing property files

(e.g. tbase.properties)

Create secure.properties and put in name = property, along with the heading in which the property appears in the original file as illustrated below:
Figure 1-50    secure.properties

To facilitate decryption of protected properties in iAS, the KJS script in iAS needs to be modified.
/opt/ias6/ias/bin/kjs

This takes effect when you run ./startias.

The change requires that the opts variable in the kjs script be added to include the '-DSecurePropertyPassword=$SECURE_PASSWORD' as illustrated below:

Figure 1-51    iAS kjs script

Once the redirection to the secure.properties file is complete, the administrator will run the provided utility (protectProperties) to secure the secure.properties file with password based encryption. A similar tool (unprotectProperties) will be run to return the secure.properties file to its plaintext state to allow further changes to the property values. The scripts are as follows:
/opt/ittm/Scripts/protectProperties
/opt/ittm/Scripts/unprotectProperties

The tool will use PKCS#5 to generate an Triple DES key of 168 bits in length from the supplied password. The password can include space characters, to allow a long pass phrase to be selected. Null passwords are not acceptable.

Run the protected property script:
cd /opt/ittm/Scripts
./protectProperties

To unprotect using the same password:
cd/opt/ittm/scripts
./unprotectProperties

If you forget your password or you type in a different password then decryption will fail and the secure properties become unrecoverable.

You might also consider keeping a backup of the text version of secure.properties in case you forget your password.

The startias script
/opt/ittm/Scripts/startias

will be changed to check for the existence of the secure.properties file. If this file exists, then the password will be elicited from the user - null passwords are not acceptable. Start iAS and enter <password>
cd /opt/ittm/Scripts
./startias

Start iTTM and enter <password>
cd /opt/ittm/Scripts
./starttbase

Must delete all copies of silent install answers
rm -r /outputdir

Passwords in package setting directory must be obscured
/var/sadm/pkg

Finally, secure.properties prevents -m and -s setup install options from working.

Start iPlanet Trustbase Transaction Manager

Having completed the installation and configuration iPlanet Trustbase Transaction Manager can be controlled using the scripts available in:

/opt/ittm/Scripts
Figure 1-52    iPlanet Trustbase Transaction Manager Commonly Used Scripts

First Time Start Procedure

The following procedure stops the system.

Log in under your username e.g. tbase

cd /opt/ittm/Scripts
LOGNAME=tbase;export LOGNAME
/opt/ittm/Scripts/stopias
LOGNAME=root;export LOGNAME
/opt/ittm/Scripts/stopias
/opt/ias6/slapd-myhost/start-slapd
/opt/iws6/https-myhost.mycompany.com/start
/opt/iws6/https-admserv/start
./startias
./starttbase

, under a separate window

Restart procedure

Log in under your username e.g. tbase and run the following shell:

/opt/ias6/slapd-myhost/start-slapd
/opt/iws6/https-myhost.mycompany.com/start
/opt/iws6/https-admserv/start
cd /opt/ittm/Scripts
./startias
./starttbase

Logon onto iTTM as follows:
http://myhost.mycompany.com/NASAdapter/logon.html

Error checking

During Installation

If there was a problem during your installation you should check the following error logs

Your iTTM install logs
/opt/ittm/Scripts/*.log

Your iWS error logs
/opt/iws6/https-myhost/logs/errors

The Java iAS log file
/opt/ias6/ias/logs/kjs_1_CCS0

Your Oracle iTTM Error tables
ERRORVIEW

Other logs to look for
/var/sadm/install/logs
/tmp/reg*.output

During Operation

In the first instance you should go to the Trustbase configuration screens and select from the main menu <Logs> <Error Log Query>

Your Oracle iTTM Error tables
ERROR_SUPPORT

Normal Shutdown procedure

iAS, iTTM, Directory Server,Web Admin Server and the Web Server itself, under normal operations can be stopped as follows.
/opt/ittm/Scripts/stopias
/opt/ittm/Scripts/stoptbase
/opt/ias6/slapd-myhost/stop-slapd
/opt/iws6/https-admserv/stop
/opt/iws6/https-myhost.mycompany.com/stop

Note bourne shell (/bin/sh) uses '. ./setcp' and c shell (/bin/csh) uses './setup'

Uninstallation

A complete Uninstall

Stop the system
./opt/ittm/Scripts/stopias
./opt/ias6/slapd-myhost/stop-slapd
./opt/iws6/https-admserv/stop
./opt/iws6/https-myhost.mycompany.com/stop

Uninstalling your Oracle database may be achieved by deleting all user scheme objects using Drop_tbaseAll.sql as illustrated below

mydatabase% su - oracle
mydatabase% cd /opt/ittm/current/Config/sql
mydatabase% sqlplus
SQL*Plus: Release 8.1.7.0.0 - Production on Fri Feb 15 12:07:11 2002
(c) Copyright 1999 Oracle Corporation. All rights reserved.
Enter user-name: tbase
Enter password:
Connected to:
Oracle 8i Enterprise Edition Release 8.1.7.0.0 - Production
With the Partitioning and Java options
PL/SQL Release 8.1.7.0.0 - Production
SQL>spool myoutput.txt
SQL>set echo on
SQL>@Drop_tbaseAll.sql

From User:root Uninstall iTTM as follows
./cdrom/cdrom0/ittm/setup -u

Uninstalling iAS and iWS can be achieved by following the instructions in the iAS and iWS install guides. For instance,
cd /opt/iws6
./uninstall
rm -rf /opt/iws6
cd /opt/ias6
./uninstall
rm -rf /opt/iws6

A partial Uninstall

In some instances you prefer to Uninstall but save your certificates, configurations and property files. Static configuration can easily be backed up, from user: tbase account, by copying the

/opt/ittm/myhost/*.properties files

/opt/ittm/store certificate database
to a storage directory. Typically this would involve
mkdir /opt/temp
cd /opt/ittm/store
cp -r * /opt/temp

As mentioned in an earlier section, to export dynamic configuration items for backup use the Config | Export setting in the iTTM admin screens.

This will return a file for download. Some browsers may display this file rather than saving - in this case use View Source to generate a text document containing the exported configuration and save to the desired location.

Save your previous install settings ./cdrom/cdrom0/ittm/setup -m /dir

repeat previous section on Clean Uninstall

Reinstallation

A complete Reinstall

From user: root

Follow the instructions for a complete Uninstall

Follow the instructions for a standard install

A Partial reinstall

Follow the procedure for a partial uninstall in previous section

From user: tbase

./cdrom/cdrom0/ittm/setup -m /dir

./cdrom/cdrom0/ittm/setup -u

./cdrom/cdrom0/ittm/setup -s /dir

cp /temp/*.properties /opt/ittm/myhost

cp -r /temp/store/* /opt/ittm/store

cp -r /temp/xmlconfig

From the iTTM configuration screen select <config><import>

Note Please consult the iPlanet Application Server Installation, iPlanet Web Server, Oracle and nCipher documentation for procedures on how to reinstall.Note under normal circumstances when reinstalling iTTM you should not need to reinstall iWS 6.0 and iAS 6.5.

Identrus Authorisation

In order to send Identrus Messages to iPlanet Trustbase Transaction Manager you will need to create an Authorisation for your own customers that allows the sending of Identrus Enabled Messages. These are illustrated in the next three figures.

The following TokenKeyTool (see appendix at the end of this guide) command will list you your Identrus root certificate
cd /opt/ittm/Scripts
./runtokenkeytool
listcerts -alias IRCA

You will need the serial number and the Issuer DN for two certificates that need to be added to iTTM

A IRCA certificate

A L1CA certificate

Login to iTTM as Administrator

Select <Authorisation> <Add Certificate>

Note Remember that the serial number shown in tokenkeytool is in Hexidecimal. For example, to convert 0x1000, copy and paste the entire hexidecimal into the iTTM screen and iTTM will convert it automatically for you.
If you just use IRCA certificate with depth 2, any customer from any bank can send messages to the Trustbase. If you use IRCA with depth 1, and L1CA with depth 1, only customers of your bank and other bank TC's can communicate with the Trustbase. This is a normal and correct deployment.

For this example enter the issuer Distinguished Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 4. Set the Max Depth to 1 and the Role to Identrus. Note, see also "Adding a Certificate" on how to set the MAx depth and what the checkbox access is for. This is illustrated below:
Figure 1-53    Installing a Certificate so as to send Identrus Messages within Trustbase

If the Access checkbox is not ticked then this user would not be allowed to access iTTM.

You will also need to create an additional Authorisation for other banks to send Identrus Enabled messages to you. These are illustrated in the next three figures:

Select <Authorisation> <Add Certificate>

Enter the Distinguished Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 1. Set the Max Depth to 1 and the Role to Identrus. Note, see also "Adding a Certificate" on how to set the MAx depth and what the checkbox access is for. This is illustrated below:
Figure 1-54    Installing a Certificate within Trustbase for sending Identrus Enabled Messages

Note the DN used is the Issuer DN and therefore it is the same for both L1CA and IRCA (L1CA issued by IRCA, IRCA issued by itself). Only the serial number is different.
Finally you should restart iPlanet Trustbase Transaction Manager for the setting to take effect and you should make sure both certificates are installed within iPlanet Trustbase Transaction Manager as illustrated below:
Figure 1-55    Identrus Enabled Messages installed within Trustbase

TokenKeyTool Checklist

The following checklist provides you with a summary of the kinds of commands available within TokenKeyTool that is used to help you set up your Identrus Authorisation.

Information Type

Example Set-up Value for TokenKeyTool

To run TokenKeyTool

cd /opt/ittm/Scripts
./runTokenKeyTool

To list Trusted Certificates with an Alias

listcerts -alias IRCA

To list all trusted Certificates

listcerts

To list private keys and their associated Certificate chains

listkeys

To delete private keys and its associated Certificate chains

deletekey -issuer "CN=End Entity" -serial 0x1000

To obtain help

help

Documentation

See the appendix at the end of this guide

Information Type	Example Set-up Value for iWS6.0
Install directory	/opt/iws6
Administration logon	Username: iwsadmin, Password: identrus
Operational ports	Server: 80, Admin: 8888
To start server	/opt/iws6/https-myhost.mycompany.com/start
To stop server	/opt/iws6/https-myhost.mycompany.com/stop
To start admin server	/opt/iws6/https-admin/start
To stop admin server	/opt/iws6/https-admin/stop
Processes grep	ps -ef \| grep iws
Process list	nobody 9876 1 0 12:52:08 0:00 ./uxwdog -d /opt/iws6/https-myhost.mycompany.com/config nobody 9877 9876 0 12:52:08 0:01 ns-httpd -d /opt/iws6/https-myhost.mycompany.com/config also /opt/iws6/https-admin/config if the admin is running
Install logs	/opt/iws6/setup/WebServer/
Log directory	/opt/iws6/https-myhost.mycompany.com/logs
Document root	/opt/iws6/docs
Installation and Configuration Documents	http://docs.sun.com/db/prod/s1.websrv60 http://docs.iplanet.com/docs/manuals/enterprise/50/ig/contents.htm http://docs.iplanet.com/docs/manuals/enterprise/50/ag/contents.htm

Information Type	Example Set-up Value for iAS6.5
Install directory	/opt/ias6
Administration logon	Username: admin, Password: password
Operational ports	Directory Admin: 20000, kas admin:10817, Directory server: 389
To start server	/opt/ittm/Scripts/startias
To stop server	/opt/ittm/Scripts/stopias
Installation logs	/opt/ias6/setup/setup.log
Processes grep	ps -ef \| grep ias To get just the 'kiva' processes (the ones that do the jvm work) do a ps -ef \| grep k.s
Process list	root 10066 10064 0 14:33:21 0:03 /opt/ias6/ias/bin/.kjs -cset CCS0 root 10059 9504 0 14:33:16 pts/6 0:00 /opt/ias6/ias/bin/.kas root 9504 1 0 12:47:38 pts/6 0:00 /bin/sh /opt/ias6/ias/bin/kas root 10070 1 0 14:33:25 0:00 /bin/sh /opt/ias6/ias/bin/kcs -cse t CCS0 -eng 2 root 10064 1 0 14:33:21 ? 0:00 /bin/sh /opt/ias6/ias/bin/kjs -cset CCS0 -eng 1 root 10061 1 0 14:33:19 ? 0:00 /bin/sh /opt/ias6/ias/bin/kxs -cset CCS0 -eng 0 root 10072 10070 0 14:33:25 ? 0:00 /opt/ias6/ias/bin/.kcs -cset CCS0 -eng 2 root 10062 10061 0 14:33:19 ? 0:01 /opt/ias6/ias/bin/.kxs -cset CCS0 -eng 0 nobody 8174 1 0 12:45:04 ? 0:04 ./ns-slapd -f /opt/ias6/slapd-unix d02/config/slapd.conf -i /opt/ias6/slapd-myhost.mycompany.com
Logged processes	kxs_0_CCS0: Contains information about the incoming message and the plugin start and stop kjs_0_CCS0: Contains the standard out from any running java process - can contain some debug information.
Installation Document	http://docs.sun.com/source/816-5788-10/index.html

Information Type	Example Set-up Value for iTTM 3.0.1
Install directory	/opt/ittm
Administration logon via web	Username: administrator, Password: administrator
TokenKeyTool	/opt/ittm/Scripts/runtokenkeytool
Operational ports	Admin via web: 80 (http://myhost.mycompany.com/NASAdapter/logon.html)
To start server	/opt/ittm/Scripts/startias
To stop server	/opt/ittm/Scripts/stopias
Property file location	/opt/ittm/myhost
Processes grep	ps -ef \| grep java
Process list	root 9713 1 0 12:47:53 pts/6 0:08 /usr/bin/../java/bin/../jre/bin/../bin/sparc/native_threads/java uk.co.jcp.tbase
Installation Document	http://docs.sun.com/?p=prod/s1.iptbtranm

Information Type	Example Set-up Value for Oracle 8.1.7
Install directory	Oracle program files: /opt/oracle/app/product/8.1.7/bin Oracle data files: /identrusdb/orcl
Oracle user login	Username: oracle, Password: oracle
Sqlplus - dba admin	Username: sys, Password: change_on_install
Sqlplus - tbase user	Username: tbase, Password: tbase
Operational ports	Oracle ports: 1521
SID	orcl
To start server	As oracle user: svrmgrl; Connect internal; startup; exit lsnrctl; start; exit
To stop server	As oracle user: lsnrctl; stop; exit svrmgrl; connect internal; shutdown; exit
Processes grep	ps -ef \| grep oracle
Logs of interest	Auditdata: Contains internal audit information & indicates what the TC processed. Error: Shows unexpected errors e.g. cannot communicate with Certificate Authority Error_support: Shows any java stack trace associated with the error table.

Information Type	Example Set-up Value generic PKCS11
Adding PKCS11 Library	cd /opt/ittm/Scripts ./installP11Library -module ncipher -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
Verifying addition of PKCS11 Library	cd /opt/ittm/Scripts ./modutil -nocertdb -list
Configuring default token	cd /opt/ittm/myhost vi JssConfig.xml

Information Type	Example Set-up Value nCipher
Install directory	/opt/nfast
Operational ports	9000
To start server	/etc/init.d/nfast start
To stop server	/etc/init.d/nfast stop
Processes grep	ps -ef \| grep hard
Process list	nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile
Creating nCipher operator card	cd /opt/nfast/bin ./createoc-simple 1 0 operator 1 0
Installing nCipher PKCS11 module	cd /opt/ittm/Scripts ./ncipherP11Install operator
Documentation	nCipher KeySafe 1.0 http://www.ncipher.com

Information Type	Example Set-up Value nCipher
Install directory	/opt/nfast
Operational ports	9000
To start server	/etc/init.d/nfast start
To stop server	/etc/init.d/nfast stop
Processes grep	ps -ef \| grep hard
Process list	nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile
Importing iTTM2.2.1 keys	cd /opt/ittm/Scripts ./ncipherupgrade k9 tbase tbase36
Documentation	nCipher KeySafe 1.0 http://www.ncipher.com

Information Type	Example Set-up Value for TokenKeyTool
To run TokenKeyTool	cd /opt/ittm/Scripts ./runTokenKeyTool
To list Trusted Certificates with an Alias	listcerts -alias IRCA
To list all trusted Certificates	listcerts
To list private keys and their associated Certificate chains	listkeys
To delete private keys and its associated Certificate chains	deletekey -issuer "CN=End Entity" -serial 0x1000
To obtain help	help
Documentation	See the appendix at the end of this guide

Previous Contents DocHome Index Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 31, 2002