iPlanet Trustbase Payment Services 1.0 Installation and Configuration Guide
Chapter 2 Installation
The following chapter outlines the installation procedures for the various components.
Installation Overview
The diagram below illustrates how the various components are related to each other, and the message paths between each component. In order to have a fully functional system all of these components require installation and configuration.
Figure 2-1    Installation Overview
Although it is not necessary to install the components on individual machines the figure above shows the recommended configuration to avoid unnecessary confusion.
There are a number of main steps that need to be applied appropriately to the four machines labeled Machine A - Machine D in the figure.
Install the pre-requisite third party software
- An Oracle database must be installed and available for use by all of the machines running in the iTPS installation. An Oracle database may be installed on each node in the system, a single node in the system, or an independent node that is accessed by each of the machines.
- Install an Identrus compliant PKI. This must include an appropriate Validation Authority component and be capable of supporting the Identrus Certificate Status Check protocol.
- Install an nCipher HSM on each machine in order to perform cryptographic operations
Install the base components for the Buyer and Seller's banks
- Install the iTTM 2.2.1 on both Machines.
- Install the iMQ and its patch on both Machines.
- Install the iWS 6.0 for the Bank in a Box administration tools on both machines.
Install the components that make up the Payments Services product
- Install the iTPS 1.0
- Install the Bank in a Box (BiaB) back office simulator
- Install the Bank in a Box (BiaB) administrator tool
Install the Buyer and seller web site components
- Install the iWS 6.0 on both machines
- Install the Buyers Bank Website (BFI)
- Install the Sellers Bank Website (Tooledup demonstrator)
Optionally install the CPI library for use in developing applications
Third Party Pre-requisites
Availability
The CD supplied with the product contains all of the required components to install the system EXCEPT:
These will need to be acquired from the appropriate vendor, installed and configured, prior to installing any of the iPlanet Payments Services components.
Oracle requirements
Your Oracle installation must be configured with a user capable of:
When installing Oracle you will need to allocate sufficient space to the user. We would recommend the following:
You will be required to provide the details of the Oracle installation at various points during the installation. The information required will be:
The Oracle instance must be available during the installation of the product, as most components need to log into the database using SQL*Plus and populate tables from information supplied in SQL scripts.
PKI Requirements
Your software must be configured as PKI compliant with Identrus (See Identrus Document IT-PKI http://www.identrus.com ) including all Transaction Coordinator profiles.
It is expected that the RA, CA, and VA components are running during the installation as certain components require certificates to be issued.
nCipher requirements
The nCipher components are generally stand alone and little information is required about the nCipher components. It is however useful to know the port that the nCipher Hardserver is running on (Default is 9000) as this is required at some points during installation.
Buyer and Seller Bank base components
iTTM 2.2.1
Each Bank machine will need to have an iTTM installed and configured.
In order to install these components you will need to follow the instructions in the iTTM 2.2.1 installation guide. See, for instance
http://docs.iplanet.com/docs/manuals/trustbase/221/install/contents.htm
The instructions in chapter 1 Pages 13-62 provide information on how to install the following:
It also provides information on how to configure and check that the components are operational.
NOTE: All of the software for the above installation is included on the iTPS CD.
iPlanet Message Queue for Java 2.0
The iPlanet Message Queue (iMQ) component provides a means for the iTPS and the Bank in a Box components to communicate with each other. This means that an iMQ installation must be performed on both the Buyers and Sellers bank machines.
iPlanet Message Queue for Java is shipped with iTPS and may be found in the iMQ2.0 sub directory on the CD.
Installation
The iMQ installation uses the Solaris package mechanisms to install the software on the machine. Assuming that the supplied CD has been mounted on /cdrom then the following commands will install the software:
cd /cdrom/cdrom0/iTPS/iMQ2.0/imq2_0-pkgs
You will be asked a question during the installation. Unless you have specific installation requirements then by using the defaults provided you will install all of the iMQ packages. These settings will fulfill the iTPS iMQ requirements.
If you require further information then details of how to install iMQ 2.0 can be found in point 7 within the following document, which requires vi or Adobe Acrobat Reader to read:
http://docs.iplanet.com/docs/manuals/javamq/20/install.pdf
Example installation and Configuration
bash-2.03# uncompress imq2_0-dev-solsparc.tar.Z
bash-2.03# tar -xvf imq2_0-dev-solsparc.tar
bash-2.03# pkgadd -d imq2_0-pkgs
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
Once the iMQ is installed, install the SP1 patch. This process is documented in the file:
/cdrom/cdrom0/iTPS/iMQ2.0/SP1/111858-01/install.pdf
NOTE: Although the file has a .pdf extension, it is a text file and may be read using the vi editor. Once the software has been installed on either the buyer or seller machine, perform the second installation before progressing to patch the iAS installation.
Configuring with iAS
The next step is to configure the iAS installed as part of the iTTM 2.2.1 installation to use the appropriate iMQ installation. This operation will need to be performed on both of the Buyer and Seller machines. Before performing this operation it is important to ensure that the iAS has been shut down. This can be performed by executing the following scripts:
<iTTM install directory>/TTM/Scripts/stoptbase
<iTTM install directory>/TTM/Scripts/stoptias
If the iTTM had been installed in `/opt/TTM' the commands would be:
To configure iAS for use with iMQ, execute jmssetup. This must be performed as the root user. You will be asked several questions, now illustrated below:
bash-2.03# cd /opt/iplanet/ias6/ias/jms/bin
iAS install directory is /opt/iplanet/ias6/ias
Are you using IBM MQ v5.1 as message provider [Y] :n
Enter the dynamic library run path (LD_LIBRARY_PATH) for your JMS message provider. When finished, hit return only) :
Will append to LD_LIBRARY_PATH? Is this correct? [Y] :
Enter the elmements (absolute path) for the JMS provider CLASSPATH
When finished, hit return only. :/opt/SUNWjmq/lib/jmq.jar
Enter the elmements (absolute path) for the JMS provider CLASSPATH
When finished, hit return only. :/opt/SUNWjmq/lib/jmqadmin.jar
Enter the elmements (absolute path) for the JMS provider CLASSPATH
When finished, hit return only. :
Will append :/opt/SUNWjmq/lib/jmq.jar:/opt/SUNWjmq/lib/jmqadmin.jar to CLASSPATH?
Once configured on one machine, configure the second machine before progressing to installing the iTPS components.
At this point there is no need to start the iMQ services. Instructions for starting the iMQ service are shown in Chapter 4.
Installing the iWS 6.0 for BiaB administration
In order to be able to install the Bank in a Box administrator component, a web server needs to be available. The iTPS CD contains an iWS 6.0 package that is shipped for this use.
Run the iWS6.0 setup tool located in
Selecting the default values for the installation may cause the iWS 6.0 installation to clash with the iWS 4.1 installed for the iTTM 2.2.1. In order to avoid this ensure that the Administration server port and the Web server port are set to values other than 8888 and 80 respectively.
When installing the iWS 6.0 make sure that you select the option that specifies an external JDK 1.2 i.e. /usr/java as the JDK included does not support the BiaB administration tools.
Ensure that a web server is installed on both the Buyer and Seller bank machines prior to moving on to the installation of the iTPS components.
Installing iTPS Components
The iTPS components reside on both the Buyer and Seller bank machines. The following sections describe the installation of these components.
Payments Services installation
Make sure you have installed and configured iPlanet Trustbase Transaction Manager 2.2.1 and iPlanet Message Queue for Java 2.0
Make a security backup of your Trustbase directory structure:
cp -R <Trustbase_install_directory>/Trustbase \
<Trustbase_install_directory>trustbase.bak
This is required because the iTPS install cannot be un-installed, and installing the iTPS more than once on an iTTM installation will not work. If an installation of the iTPS fails for any reason you are advised to restore the backup and start again.
Remove the configuration database already installed during the iTTM installation:
At this point the iAS and iTTM components should not be running. Unless they have been started since configuring the iAS for use with iMQ, they will not currently be running.
Empty the contents of the configuration table CONFIG from your database. Type the following commands on the machine on which Oracle is installed:
Run the iPlanet Trustbase Payment Services Installation java class
Figure 2-2    iPlanet Trustbase Payment Services Installation Welcome Screen
Figure 2-3    Locale Selection
Figure 2-4    iPlanet Trustbase Transaction Manager Installation Directory
Figure 2-5    Database Settings
The Oracle database being supplied needs to be the database used by the iPlanet Trustbase Transaction Manager software on which iPlanet Trustbase Payment Services plug-in is being installed. The following information is required:
Figure 2-6    iPlanet Message Queue For Java Settings
Notes: The JMS Broker port default is 7676 unless a non-default installation of iMQ was performed.
The Outbound Queue name is the queue going from the iTPS to BiaB and will need to be recorded for later use. SELLER_QUEUE is a suitable name for this.
The Queue pool group id will need to be recorded for later use. seller is a suitable id for this.
The other defaults provided should be suitable for a standard installation.
Figure 2-7    Payments Mail Settings
Next enter the following as illustrated above.
SMTP host. This is the host where customer email acknowledgements are sent.
From field. This is the From field of the customer acknowledgement email
Figure 2-8    iPlanet Trustbase Payment Server Verification Panel
The screen displays the user's choices in order to aid the correct installation. You will need to make a note of the information in this screen as the information is required to install other components later in the process.
Figure 2-9    Component Selection
On entering the screen the size of iPlanet Trustbase Payment Services software application is displayed. In order to install this software the user needs to select the checkbox.
Figure 2-10    Ready to Install
This screen indicates the amount of space that is required to install iPlanet Trustbase Payment Services software. It also indicates the location of the iPlanet Trustbase Transaction Manager system that the iPlanet Trustbase Payment Services plug-in will be installed into.
You should make a note of these locations as they will be required later in the installation process.
Figure 2-11    Updating iPlanet Trustbase Transaction Manager
Figure 2-12    Installation Summary
Pressing the details button will display the software installed on the system and alterations to the existing configurations of iPlanet Trustbase Transaction Manager.
Configuring the iTPS database tables
The iTPS Transaction Recovery Process needs to access the subjectDN field of the cert_data table during certificate chain retrieval. The standard install of iTTM 2.2.1 does not store the subjectDN information. An update script is provided with the iTPS that converts the iTTM cert_data table into the necessary format while retaining all the stored certificate information.
This is implemented in a shell script which, following the installation of the iTPS, is located in:
<iTTM_install_directory>/TTM/Scripts/updateCertDataTable
This script needs to be run once before iTPS is run. It creates a backup of the original cert_data table as cert_data_backup_<timestamp>, adds the subjectDN to the cert_data table and populates it.
Prior to running the script you will need the following information:
Oracle database username and password
Database driver class (usually oracle.jdbc.driver.OracleDriver)
The following command runs the script:
An example of this is shown below:
Enter database connection string (e.g. jdbc:oracle:thin:user/user@host:1521:orcl):
jdbc:oracle:thin:rainstorm/rainstorm@k9:1521:k9utf8
Enter database driver class (e.g. oracle.jdbc.driver.OracleDriver):
oracle.jdbc.driver.OracleDriver
----------------------------------------------------------------
Creating backup of cert_data --> cert_data_backup_997350025767
Cert: C=GB,O=Identrus,OU=Identrus Root,CN=Identrus Root CA, serial: 1, subject: C=GB,O=Identrus,OU=Identrus Root,CN=Identrus Root CA
Note: If this is a new installation and the iTTM has not been used as a Transaction coordinator then there will be a cert count of 0 and the operation will complete almost instantly. The operation will have been successful as the database table columns will have been updated.
This operation needs to be performed on both the Buyer and Seller banks iTTM installation.
You will now need to run oracle scripts. If Oracle is not installed on the same machine as the iTPS installation then you either have to copy the ./TTM/V2.2/Config/sql directory to the database server or install the Oracle client on the machine.
This will need to be executed on the database(s) used by both the Buyer and Seller banks iTPS installations.
Assuming the sql directory has been copied to the DB server, log on to the database server,
su - oracle
<iTTM_install_directory>/TTM/V2.2/Config/sql
Run SQLPlus and enter the username and password
JMS Proxy Installation
The JMS Proxy provides a mechanism for the iTTM to receive inbound messages from an iMQ queue. Messages are taken from the queue and forwarded to iTTM over HTTP. You will need to install a JMS Proxy on both the Buyer and Seller bank machines.
Figure 2-13    Configuring JMS Proxy
Note: This queue is used to send asynchronous response messages from the Bank in a Box to iTPS via the JMS Proxy. The queue name is set as TCQueue/sendName in biabconf.xml and as queue.name in jmsproxy.properties. In order for the JMS Proxy to receive messages on this queue, the queue names used here need to match.
The JMS proxy is supplied as a compressed archive
/cdrom/cdrom0/iTPS/jmsproxy/jmsproxy.tar
Extract this file in a suitable location e.g.
cp /cdrom/cdrom0/iTPS/jmsproxy/jmsproxy.tar /opt/iplanet
JMS Proxy Configuration
To configure the server you will need to modify a number of files using the settings mentioned in the previous section.
If you have iMQ on your system in the standard location (/opt/SUNWjmq) you will not need to modify the JMQ_DRIVER setting. If the iMQ is not located in the standard location then:
- Modify the script jmsproxy/scripts/jmsproxy such that the JMQ_DRIVER environment variable is pointing to the correct location for the JMQ driver, e.g. /apps/SUNWjmq
Modify the following lines in jmsproxy/config/jmsproxy.properties:
destination is the URL to which message content will be forwarded (see Figure 2-13)
destination=http://hostname/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy
You will need to change just the hostname component to an appropriate value e.g.
http://porsche.UK.Sun.COM/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy
Note: Make sure the destination URL is the server host name of the appropriate Buyer or Seller bank iTTM installation. Make a note of this URL as you will need it again when configuring the Bank in a Box components.
queue.host is the hostname of the machine where the JMS broker is listening.
queue.port is the port on which the JMS broker is running. By default this will be 7676 unless it was changed during the iMQ installation.
queue.name is the name of the queue on which to receive messages. This is the asynchronous send queue as specified in the Bank in a Box configuration.
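An added example (not part of iTPS or of the original guide): a shell check of jmsproxy.properties against the settings described above. The expected queue name is passed as an argument because the layout of biabconf.xml is not shown here; the function names, host names and queue names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not shipped with iTPS: check jmsproxy.properties against the
# values recorded during installation. Function names are illustrative.

# prop FILE KEY: print KEY's value (last definition wins, whitespace trimmed).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

_problems=0
fail() {
    echo "jmsproxy.properties: $1"
    _problems=$((_problems + 1))
}

# check_jmsproxy FILE EXPECTED_QUEUE
# EXPECTED_QUEUE is the asynchronous send queue name recorded from the BiaB
# configuration (TCQueue/sendName). Returns the number of problems found.
check_jmsproxy() {
    _problems=0
    dest=$(prop "$1" destination)
    qhost=$(prop "$1" queue.host)
    qport=$(prop "$1" queue.port)
    qname=$(prop "$1" queue.name)

    # A wrapped line copied from a printed manual leaves a space inside the
    # URL, so reject any whitespace before checking the overall shape.
    if printf '%s' "$dest" | grep -q '[[:space:]]'; then
        fail "destination contains whitespace: '$dest'"
    else
        case $dest in
            http://*/NASApp/NASAdapter/TbaseNASAdapter\?Forwarded-by:JMSProxy) ;;
            *) fail "destination is not http://<host>/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy" ;;
        esac
    fi
    host=${dest#http://}
    host=${host%%/*}
    case $host in
        hostname|hostname:*) fail "destination still uses the placeholder host 'hostname'" ;;
    esac

    [ -n "$qhost" ] || fail "queue.host is not set"
    case $qport in
        ''|*[!0-9]*) fail "queue.port '$qport' is not a number (iMQ default is 7676)" ;;
        *) [ "$qport" -ge 1 ] && [ "$qport" -le 65535 ] ||
               fail "queue.port $qport is outside 1-65535" ;;
    esac
    [ "$qname" = "$2" ] ||
        fail "queue.name '$qname' does not match the BiaB send queue '$2'"
    return "$_problems"
}

# Constructed sample: the destination as copied from a line-wrapped page, with
# the placeholder host left in place and a queue name that does not match.
demo=$(mktemp)
cat > "$demo" <<'EOF'
destination=http://hostname/NASApp/NASAdapter/TbaseNASAdapter?Fo rwarded-by:JMSProxy
queue.host=localhost
queue.port=7676
queue.name=SOME_OTHER_QUEUE
EOF
check_jmsproxy "$demo" ASYNC_SEND_QUEUE || echo "$? problem(s) found"
rm -f "$demo"
```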
Installing Bank in a Box back office simulator
The Bank in a Box (BiaB) back office simulator is designed to create responses to messages received by the iTPS from the buyer and seller web sites. The BiaB must be installed on both the Buyer and Seller Banks servers.
It is not imperative that the iTTM and iTPS are running during installation, and if they have been started following the iMQ proxy installation it is preferable that they are shut down.
In order to install the BiaB on each machine follow the instructions below:
Extract a copy of the BiaB files from your cdrom to a suitable location e.g.
cp /cdrom/cdrom0/biab/biab.tar /iplanet
The actual configuration settings and their use are described in the table below:
To configure the server you will need to modify two files to set certain parameters and run the SQL on the appropriate Oracle database. In order to configure the BiaB follow the instructions below.
Run the biab.sql SQL script on the payments database server. This may involve copying the SQL script to the appropriate machine if Oracle is remotely located.
Edit the BiaB script so that the environment variables are correct
Modify the script such that the ORACLE_DRIVER and JMQ_DRIVER environment variables are pointing to the correct locations for the oracle driver and JMQ driver respectively.
If you have iMQ on your system in the standard location (/opt/SUNWjmq) you will not need to modify the JMQ_DRIVER setting.
- Note: You will already have a copy of the ORACLE_DRIVER in the ittm sub-directory e.g. <iTTM_install_directory>/TTM/V2.2/Lib3p/10/classes12_01.zip
- Pointing the ORACLE_DRIVER environment variable to this location is an acceptable solution.
The biabconf.xml file now needs to be modified. The table below identifies the parameters that require modification. The following text is an example illustrating the configuration settings
<BiabConfig responseProcessor="com.iplanet.trustbase.payments.biab.test.TestResponseGenerator" threads="10">
connectionFactory="com.sun.messaging.QueueConnectionFactory"/>
connectionFactory="com.sun.messaging.QueueConnectionFactory"/>
connectURL="jdbc:oracle:thin:jon/jon@k9:1521:k9"
driverClass="oracle.jdbc.driver.OracleDriver"
Having installed the BiaB on either the Buyer or Seller Bank machines, install the BiaB on the other machine before moving on to the BiaB administration tool.
Installing Bank in a Box Admin Tool
The BiaB administration tool is a Web application designed to run on the iWS 6.0 Web server set up earlier. A BiaB administrator tool should be installed on both the Buyer and Seller Bank machines that host the iTPS and BiaB components. The BiaB Admin tool web application is located in the BiaB directory.
In order to deploy the Web application you must perform the following:
Make sure the IWS_SERVER_HOME environment variable is set to your <server_root> directory. A typical example of this might be
IWS_SERVER_HOME=/opt/iws6;export IWS_SERVER_HOME
Make sure that the <server_root>/bin/https/httpadmin/bin directory is in your path.
PATH=$PATH:$IWS_SERVER_HOME/bin/https/httpadmin/bin;export PATH
Deploy Bank in a Box using the iWS 6.0 web application deployment tool wdeploy. The deployment tool takes a number of parameters:
- <uri_path> The URI prefix for the web application. This must be a unique name for the web application for the server it is being deployed to e.g. BiaBAdmin
- <instance> The server instance name e.g. porsche.UK.Sun.COM.
- <vs_id> The virtual server ID e.g. https-porsche.UK.Sun.COM.
- <biab_install_directory> The directory to which the application is deployed. If it doesn't already exist it will be automatically created during deployment. If the directory does exist it needs to be empty.
wdeploy deploy -u <uri_path> -i <instance> -v <vs_id> \
-d <biab_install_directory> biab-servlet.war
- For example,
wdeploy deploy -u /BiaBAdmin -i porsche.UK.Sun.COM -v https-porsche.UK.Sun.COM -d /web/biab biab-servlet.war
- will deploy the servlet on the porsche.UK.Sun.COM server instance, and will unpack the war file under the directory /web/biab.
Once the application is deployed, modify
<biab_install_directory>/WEB-INF/classes/queue.properties
Copy /opt/SUNWjmq/lib/jmq.jar of the JMS provider into the <biab_install_directory>/WEB-INF/lib directory
- in the case of iMQ these files can be found in the host iTPS machine under the following directory
<iMQ_install_path>/SUNWjmq/lib
Once the classpath is correct and the queue properties are set, restart the server instance.
Once deployed successfully, the Web Site can be accessed from the browser with the following url.
http://<hostname>:<port>/<uri_path>/Biab
Figure 2-14    Bank in a Box Admin Tool Welcome Screen
Installing the Buyer and Seller websites
The following sections describe how to install the components required to run the Buyer and Seller web sites. These web sites will be used to interact with the Buyer and Seller iTPS components installed previously.
Installing the iWS 6.0
In order to run the web applications that make up the buyer and sellers web sites, a web server needs to be available on each machine. The iTPS CD contains an iWS 6.0 package that is shipped for this use.
Run the iWS6.0 setup tool located in
Selecting the default values for the installation of the iWS 6.0 should be sufficient for most installations. The only non-standard option you will need to specify is the option that specifies an external JDK 1.2 i.e. /usr/java. This is because the JDK included does not support the buyer and seller web site functionality tools.
Ensure that a web server is installed on both the Buyer and Seller machines prior to moving on to the installation of the Buyer and Seller web applications.
Installing Buyers Bank Website
The bank's web site is archived into a war file. To install the web site, this war file needs to be deployed on the web server. It can be found on your cdrom as illustrated below.
It does not matter whether iTTM and iTPS are running during installation. However they, and all their associated components such as iAS and iWS, should be running if you need to run this component.
Make sure the IWS_SERVER_HOME environment variable is set to your <server_root> directory. A typical example of this might be
IWS_SERVER_HOME=/opt/iws6;export IWS_SERVER_HOME
Before you can deploy a web application manually, make sure that the <server_root>/bin/https/httpadmin/bin directory is in your path.
PATH=$PATH:$IWS_SERVER_HOME/bin/https/httpadmin/bin;export PATH
Deploy the war file using the following wdeploy command, where:
- <uri_path> is the path name specified while deploying the application.
- <uri_path> The URI prefix for the web application.
- <instance> The server instance name.
- <vs_id> The virtual server ID.
- <bfi_install_directory> The directory to which the application is deployed. This directory will be automatically created during deployment, if it doesn't already exist. After deployment, the application will get extracted in this directory. If the directory does exist it needs to be empty.
wdeploy deploy -u /<uri_path> -i <instance> -v <vs_id> \
-d <bfi_install_directory> /cdrom/cdrom0/bfi/bfi.war
An Oracle JDBC driver needs to be installed in the WEB-INF/lib directory. This will be the same Oracle Driver installed in the Buyer and Seller banks iTTM installations in the lib3p/10 directory. The filename used might be oracle-jdbc-815.zip or classes12_01.zip depending on the version of Oracle you are using. Copy this driver into the WEB-INF/lib directory on the Buyers website machine.
<bfi_install_directory>/WEB-INF/classes.
driver=oracle.jdbc.driver.OracleDriver
connection=jdbc:oracle:thin:tbase_dbase_user/ \
tbase_dbase_password@tbase_dbase_host:tbase_dbase_port \
<bfi_install_directory>/WEB-INF/classes/config.properties
- The connection string represents the database, where buyer bank's "Bank In a Box" is writing its log. Change the string <bfi_install_directory> with the actual directory name.
The Buyers Website needs to communicate with the Buyers Bank. Edit the config.properties file to change the URL to the Buyers Bank iTPS installation.
http://<Buyer_Bank_HostName>/NASApp/NASAdapter/TbaseNASAdapter
This Buyers Bank application needs a signing certificate chain. This chain must be issued by the buyer's bank Certificate Authority in IE5 format.
- The easiest way to create these certificates is to use the Certificate Manager utility supplied with the iTTM 2.2.1 product and described in the iTTM 2.2.1 installation guide. You will need to create a PKCS#10 request for an Identrus compliant End Entity Signing Certificate (Relying Customer Certificate), submit this to the CA that acts for the Buyers Bank, and import the resultant Base64 encoded result. Once you have the certificate, follow the instructions in the utility guide to export the certificate chain in IE5 format.
- Now replace <Your_certificate.pfx> with the certificate name.
<bfi_install_directory>/WEB-INF/classes/<Your_certificate.pfx>
dummySellerCertPassword=password
- The signing certificate <Your_certificate.pfx> should also be imported into the browser that will be used to access this website
After you have finished your changes, you will need to re-start the web server for those changes to take effect.
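The config.properties described above carries the database password inside the JDBC connection string and the PFX password as a plain property value. The following added check (not part of the product; function names and sample values are constructed) reports such clear-text secrets without printing them, and whether the file is readable beyond its owner.

```shell
#!/bin/sh
# Added example, not part of iTPS: report clear-text secrets in a config file.

# join_continuations FILE: join Java-properties continuation lines (a trailing
# backslash continues the value; leading blanks on the next line are dropped).
join_continuations() {
    awk '{ if (cont) sub(/^[ \t]+/, "")
           cont = sub(/[ \t]*\\$/, "")
           buf = buf $0
           if (!cont) { print buf; buf = "" } }
         END { if (cont) print buf }' "$1"
}

_findings=0
note() {
    echo "$1"
    _findings=$((_findings + 1))
}

# audit_config FILE: print one line per finding (never the secret itself) and
# return the number of findings.
audit_config() {
    _findings=0
    joined=$(join_continuations "$1")

    # Oracle thin URL with inline credentials:
    #   jdbc:oracle:thin:user/password@host:port:sid
    pairs=$(printf '%s\n' "$joined" |
        sed -n 's|.*jdbc:oracle:thin:\([^/@" ]*\)/\([^/@" ]*\)@.*|\1 \2|p')
    while read -r user pass; do
        [ -n "$user" ] || continue
        note "JDBC URL embeds the password for database user '$user'"
        [ "$user" != "$pass" ] ||
            note "password for '$user' is identical to the user name"
    done <<EOF
$pairs
EOF

    # Properties whose key contains "password" and whose value is not empty.
    keys=$(printf '%s\n' "$joined" |
        sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*[Pp]assword[A-Za-z0-9_.]*\)[[:space:]]*=[[:space:]]*[^[:space:]].*/\1/p')
    for k in $keys; do
        note "property '$k' holds a clear-text value"
    done

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] ||
        note "file mode allows group/other access ($(ls -ld "$1" | cut -c1-10))"
    return "$_findings"
}

# Constructed sample in the layout shown above, including the line continuation.
demo=$(mktemp)
chmod 644 "$demo"
cat > "$demo" <<'EOF'
driver=oracle.jdbc.driver.OracleDriver
connection=jdbc:oracle:thin:bfi_user/ \
    bfi_user@dbhost:1521:ORCL
dummySellerCertPassword=password
EOF
audit_config "$demo" || echo "$? finding(s)"
rm -f "$demo"
```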
Installing the Seller's Website TooledUp
The Sellers Website (Tooledup demonstration) is delivered in the form of a tar file called merchant.tar.
Before you can begin to install TooledUp you will need to create a local Certificate Database inside the Webserver for it to use. This certificate database will contain from 3-5 certificates depending on how many roles you assign the certificates to perform. The roles are as follows:
- Root Certificate or Trust Anchor Certificate (e.g. Identrus Root).
- Level One Certificate Authority Certificate (e.g. RP Bank CA).
- End Entity Signing Certificate (e.g. Signing Certificate, e.g. SC from IP Cert). The AIA field within this certificate is used to determine the destination for the payments message.
- SSL Client Transaction Certificate (e.g. SSL Client Signing Certificate)
- SSL Server Certificate (e.g. Server-Cert)
To create the certificate databases and import the certificate complete the following steps:
Create The Webserver Database
- Access the iWS6 admin server e.g.:
../<iws6_install_directory>/startconsole
- Choose the server to manage and click manage.
- Click on the security tab (it defaults to `Initialise Trust Database' screen)
- Type in a new password for database and click <ok>. This will create a new database that can only be accessed using the password you have just given so ensure that you do not forget the password!
Import The Root Certificate
- Click the <Install Certificate> Tab.
- Select <Trusted Certificate Authority>, select <message text> and paste in the Base 64 cert from your Root CA
Import The CA Certificate - Use the same process as Import The Root Certificate (above)
Create and import an End Entity Signing Certificate
- Click the <request certificate> tab.
- Fill in the address details part of the form and press ok.
- Copy and paste the BASE 64 Request into your Seller Banks CA certificate request form.
- Retrieve reply from CA and copy the Base 64 cert into the webserver form.
- Select <This Server>, input a name for the cert (e.g. EE Signing Certificate), make a note of the name as you will need it later, Select Message Text and paste in the base 64 cert from the CA.
Request, Generate and Import SSL Client Transaction Certificate - Same as for End Entity Signing Cert, but make sure that the name for the certificate is different (e.g. SSL Client Transaction Certificate), and keep a note of the name as you will need it later.
Request, Generate and Import SSL Server Certificate - Same as for End Entity Signing Cert except - do not give this certificate a name as the webserver will assign it `Server-Cert'.
Now you are ready to install tooledup. You will need several pieces of information which the install script will ask you:
- The Webserver's install directory - this is by default /usr/iplanet/servers.
- The instance name of the webserver you want to install tooledup into, e.g. porsche.UK.Sun.Com
- The virtual server name of the virtual server you want to install into, e.g. porsche.UK.Sun.Com
- The certificate database password.
- The directory you want to install to.
- The name of the Signing certificate (the end entity signing certificate - View from the Manage Certificates option in the iws6 Admin Server screen).
- The name of the SSL Client certificate (view as for Signing Cert).
- The name of the trust anchor (view as for Signing Cert).
- The Oracle Database Username (For account where tooledup customer/order details will be stored).
Once you have prepared this information you are ready to perform the installation.
Follow the steps below and answer the questions to install the tooledup Seller's Application.
Unpack the following
<tooledup_install_directory>/merchant/scripts.
Type ./install to run the install script
Answer the questions that are asked by the install script.
If the webserver is not running you will get an error saying "Reconfigure Failed" this can be ignored at this stage.
Copy the oracle drivers into the directory deployment_dir/WEB-INF/lib
Log onto your oracle account and run the script install_merchant_ora.sql
An Oracle JDBC driver needs to be installed in the WEB-INF/lib directory. This will be the same Oracle Driver installed in the Buyer and Seller banks iTTM installations in the lib3p/10 directory. The filename used might be oracle-jdbc-815.zip or classes12_01.zip depending on the version of Oracle you are using. Copy this driver into the WEB-INF/lib directory on the Buyers website machine.
The following is an example console transcript of installing Tooledup
----Truncated text output from the tar command----
Where is your iPlanet WebServer installation located?
What is the name of the instance your WebServer instance ?
What is the instance's virtual server called ? [ default ]
What is the full path to the directory you wish to deploy the application to ? [ /usr/iplanet/servers/iws6/deploy ]
What is your keystore password ?
What is the nick name of the certificate you wish to sign requests with? [ Server-Cert ]
What is the nick name of the certificate you wish to use in SSL Client transactions ? [ Server-Cert ]
What is the nick name of the certificate you wish to verify responses with ?
What is the username of your oracle instance ? [ tooledup ]
What is the password for that user of your oracle instance ? [ tooledup ]
What is the hostname of your oracle instance ? [ goblin ]
What is the network port of your oracle instance ? [ 1521 ]
What is the SID of your oracle instance ? [ ORCL ]
These are the parameters that you input
[1] The server location is [ /usr/iplanet/servers/iws6 ]
[2] The server instance is [ goblin.uk.sun.com ]
[3] The virtual server id is [ https-goblin.uk.sun.com ]
[4] The deployment directory [ /usr/iplanet/servers/iws6/deploy ]
[5] The keystore password is [ password ]
[6] The signing certificate nick name is [ End Entity Signing Cert ]
[7] The SSL signing certificate nick name is [ SSL Client Cert ]
[8] The verification certificate nick name is [ Identrus Root CA - Identrus ]
[9] The oracle user is [ gadgets ]
[10] The oracle password is [ ****** ]
[11] The oracle host is [ windstorm ]
[12] The oracle port is [ 1521 ]
[13] The oracle sid is [ ORCL ]
if these are acceptable hit [0] otherwise hit the number of the parameter you wish to change or hit [e] to leave the installation
----------------------------------------------
The directory /usr/iplanet/servers/iws6/deploy does not exist
----------------------------------------------
-------------------------------
/usr/iplanet/servers/iws6/deploy
-------------------------------
Reconfigure failure: server not running
Web application deploy successful
This installation area now contains several directories and files that are detailed below:
scripts : This directory contains the install scripts and any data they need.
SQLscripts : This directory contains the SQL database creation scripts that will create the tables that tooledup needs to run.
bin : This directory contains the binaries ( shared-objects ) that tooledup needs to run.
merchant.war : This is the WAR file that contains the jarfiles and configuration that represent tooledup as an application. This WAR will automatically be deployed by the install script.
In order to use the Tooled up sellers application you will need a SmartCard, issued to you by a third party vendor, that contains an end entity signing certificate that has been issued by the Sellers Bank CA.
Restart the iws6 server to be able to access the newly installed web application. You are now ready to run tooledup: access the tooledup URL, e.g. http://porsche.UK.Sun.COM/merchant/tooledup
Figure 2-15    Sellers Website Tooled Up Welcome Screen
The CPI API is delivered in the form of a tar file commonly called
This contains several directories and files that are detailed below:
<cpi_install_dir>/bin : contains scripts that will set your classpath and help you run the tools you will need. The scripts are all written for use with the Bourne shell.
<cpi_install_dir>/lib : contains all the binaries that the CPI will need to run - this includes shared objects and jarfiles.
<cpi_install_dir>/store : This directory will be used to store your TokenKeyStore.
<cpi_install_dir>/doc : API documentation and TokenKeyTool detailed documentation.
It does not matter whether iTTM and iTPS are running during installation. However they, and all their associated components such as iAS and iWS, should be running if you need to run this component.
Java 2 Enterprise Edition 1.2 or higher needs to be installed.
You are now required to use TokenKeyTool. A description of this can be found in
<cpi_install_dir>/docs/TokenKeyTool.html
Before you can proceed you will need some trusted certificates. These certificates are in files that you have access to, and each certificate file contains a single PEM format certificate. The certificates that you need are:
C1 : The Identrus Root certificate (in the example below this is called PaymentsRootDevelopment.crt). This is referred to as the verification certificate.
C2 : The Buyer CA Certificate (in the example below this is called StanTheMan.crt).
- Finally you will need to issue a request for a signing certificate and import the appropriate response into your CertStore. In the example provided the Buyer and Seller signing certificates are the same.
- By typing help when running TokenKeyTool you can obtain details of how this should be used. To run this script type:
- <cpi_install_directory>/bin/tok.sh
In order to create your store the following steps need to be performed:
Run the tok.sh script that starts the tokenkeytool.
Type help to obtain details of usage.
Create a Trust Domain using the openstoremanager command, e.g. openstoremanager -domainspace "file:///install_dir/store" -manager local.
Create a TokenKeyStore using the createstore command, e.g. createstore -store identrus ( you will be prompted to give a password - please remember this password ).
Import your trusted CA Certificate file using the command importtrustedcerts, e.g. importtrustedcerts -file "filename" ( Note the quoting ).
Generate a holding key pair for your SellerCertificate using the command genkey, e.g. genkey -dname "CN=CPI Test Cert" ( Note the quoting ).
View the key to acquire the generated alias for it using the command listkeys, e.g. listkeys.
Request a certificate from your Seller CA using the command certreq, e.g. certreq -alias <generated_key_alias> -dname "CN=CPI Test Cert" -file "/tmp/certrequest" ( Note the quoting ).
Paste the generated Certreq into your CA and get the CA generated Base64 Certificate chain. Store it in a file called "certresponse".
Import the certificate into the database using the command importkeychain -file "/tmp/certresponse" ( Note the quoting ).
Quit the TokenKeyTool using the command quit.
We now illustrate this with an example:
Script started on Mon 24 Sep 2001 17:01:34 BST
TokenKeyTool> openstoremanager -domainspace "file:///iplanet/CPITest/store" -manager local
TokenKeyTool> createstore -store identrus
Login to JSS token Internal Key Storage Token: password
TokenKeyTool> importtrustedcerts -file "/iplanet/CPITest/store/PaymentsRootDevelopment.crt"
TokenKeyTool > importtrustedcerts -file "/iplanet/CPITest/store/StanTheManCA.crt"
TokenKeyTool> genkey -dname "CN=CPI Test Cert"
TokenKeyTool> listkeys
subject name: CN=CPI Test Cert
alias: 7733ad362cc3ecce#CN=CPI Test Cert
not before: 24-Sep-01 16:03:20
TokenKeyTool> certreq -alias "7733ad362cc3ecce#CN=CPI Test Cert" -dname "CN=CPI Test Cert" -file "/iplanet/CPITest/store/requestfile"
TokenKeyTool> importkeychain -file "/iplanet/CPITest/store/responsefile"
subject name: CN=CPI Test Cert
issuer name: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
alias: 10a#CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
issuerName: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
not before: 24-Sep-01 16:09:23
subjectName: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
issuerName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
not before: 19-Sep-01 08:23:24
subjectName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
issuerName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
not before: 29-Aug-01 00:00:00
subject name: CN=CPI Test Cert
issuer name: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
alias: 10a#CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
issuerName: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
not before: 24-Sep-01 16:09:23
subjectName: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
issuerName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
not before: 19-Sep-01 08:23:24
subjectName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
issuerName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
not before: 29-Aug-01 00:00:00
alias: 1#CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
subjectName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
issuerName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
not before: 29-Aug-01 00:00:00
alias: 18#CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
subjectName: CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB
issuerName: CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB
not before: 19-Sep-01 08:23:24
script done on Mon 24 Sep 2001 17:12:28 BST
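The store-creation steps above rely on each trusted certificate file holding a single PEM format certificate before importtrustedcerts is run, and whatever is imported becomes a trust anchor. The following Python check is an added example, not part of the original guide or of TokenKeyTool: it confirms the file holds exactly one well-framed certificate block and that its SHA-256 fingerprint matches a value obtained out of band. The function names, the out-of-band fingerprint and the constructed sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def der_is_single_sequence(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, body = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def check_trust_anchor(pem_text: str, expected_sha256: str) -> str:
    """Vet a file before importtrustedcerts; return its SHA-256 fingerprint.

    Raises ValueError unless the text holds exactly one certificate block that
    decodes to a single DER SEQUENCE and whose fingerprint matches the value
    obtained out of band. Framing only: the X.509 fields are not parsed.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected 1 certificate block, found {len(blocks)}")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:               # binascii.Error subclasses ValueError
        raise ValueError("certificate body is not valid base64") from exc
    if not der_is_single_sequence(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    fingerprint = hashlib.sha256(der).hexdigest()
    if fingerprint != expected_sha256.replace(":", "").lower():
        raise ValueError(f"fingerprint mismatch: file has {fingerprint}")
    return fingerprint


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM certificate armour (used to build the sample)."""
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-in (a 5-byte DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(check_trust_anchor(SAMPLE_PEM, hashlib.sha256(SAMPLE_DER).hexdigest()))
```

A file that concatenates the root and CA certificates, or one whose fingerprint differs from the published value, is rejected before it reaches the store.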
Now you are ready to run the test harness - you can alter the script called test.sh in the same directory as tok.sh. These can be found in the directory:
- <cpi_install_directory>/cpi/scripts
- The test.sh script has parameters for what certificates need to be used. The parameters it expects are as follows.
Payment amount.
Keystore domainspace+store, e.g. file:///<cpi_install_dir>/store#identrus
Verification certificate alias (i.e. the Identrus Root)
Seller signing certificate alias (i.e. the signing certificate)
Buyer signing certificate alias (i.e. the signing certificate)
You will need to change the settings for parameters g, h, i and j.
Once you have completed that you need to run the test program and receive a response from your TC. It looks something like the example below.
Script started on Mon 24 Sep 2001 17:30:38 BST
Init Seller [ password ] [ file:///iplanet/CPITest/store#identrus ] [ 10a#CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB ] [ 1#CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB ]
Init Buyer [ password ] [ file:///iplanet/CPITest/store#identrus ] [ 10a#CN=StanTheMan L1CA,OU=Trustbase,O=iPlanet,C=GB ] [ 1#CN=Payments Root,OU=Payments Services,O=iPlanet,C=GB ]
*** Hostname: stantheman.uk.sun.com
----------------------------------------------------------------
----------------------------------------------------------------
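The transcripts in this chapter were captured with script, and they echo the keystore password in clear in the installer summary, the JSS token login line and the Init Seller / Init Buyer lines. The following Python filter is an added example, not part of the original guide or product: it masks those fields before a transcript is stored or shared. Its patterns cover only the line shapes shown on this page, and the function name and sample text are assumptions.

```python
import re

MASK = "******"
# Line shapes copied from the transcripts on this page; other lines pass through.
RULES = [
    # installer summary: "[5] The keystore password is [ password ]"
    re.compile(r"The \w+ password is \[ (?P<secret>[^\]]*?) \]"),
    # TokenKeyTool login line: "Login to JSS token <name>: password"
    re.compile(r"Login to JSS token [^:]+: (?P<secret>\S.*)$"),
    # test.sh output: "Init Seller [ password ] [ file:///... ] ..."
    re.compile(r"Init (?:Seller|Buyer) \[ (?P<secret>[^\]]*?) \]"),
]


def redact_transcript(text: str):
    """Return (redacted_text, count) with each matched secret replaced by MASK."""
    out, count = [], 0
    for line in text.splitlines():
        for rule in RULES:
            m = rule.search(line)
            # Skip values the tool already masked, e.g. "[ ****** ]".
            if m and m.group("secret").strip("*"):
                start, end = m.span("secret")
                line = line[:start] + MASK + line[end:]
                count += 1
                break
        out.append(line)
    return "\n".join(out), count


# Constructed sample assembled from lines shown in the transcripts above.
SAMPLE = """\
[5] The keystore password is [ password ]
[10] The oracle password is [ ****** ]
Login to JSS token Internal Key Storage Token: password
Init Seller [ password ] [ file:///iplanet/CPITest/store#identrus ]
TokenKeyTool> listkeys
"""

if __name__ == "__main__":
    redacted, masked = redact_transcript(SAMPLE)
    print(redacted)
    print(f"masked {masked} field(s)")
```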
iTPS Reinstallation
iWS 4.1 Reinstall
For those versions of software placed on an iWS 4.1
iWS 6.0 Reinstall
iTPS Backup
Make a backup copy of the iTPS installation and all its associated database tables. A list of tables can be found as follows:
select TABLE_NAME from ALL_TABLES;
To see what other tables need to be backed up please refer to "Database Check Points"
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated October 15, 2001