iPlanet Trustbase Payment Services 2.0 Beta Developer and Integration Guide
Chapter 3 Installing your CPI
The following chapter illustrates how to install and run an example that shows how to deploy the CPI.
The CPI component contains the directories and files detailed below:
/opt/itps-cpi/bin : contains scripts that set your classpath and help you run the tools you will need. The scripts are all written for the Bourne shell.
/opt/itps-cpi/lib : contains all the binaries the CPI needs to run, including shared objects and jar files.
/opt/itps-cpi/store : the directory used to store your TokenKeyStore.
/opt/itps-cpi/doc : API documentation and detailed TokenKeyTool documentation.
/opt/itps-cpi/example : source code.
It does not matter whether iTTM and iTPS are running during installation. However, they and all their associated components, such as iAS and iWS, must be running when you run this component.
An external JDK 1.3.1 needs to be downloaded, for example from http://www.javasoft.com, into /usr/java1.3.
You are now ready to install the CPI. From the root, run the UNIX install script and answer the questions. For example:
/cdrom/cdrom0/itps-cpi/setup -c
This will automatically install to
/opt/itps-cpi
You are now required to use TokenKeyTool. A description of it can be found either in your iTTM manual or in
/opt/itps-cpi/doc/TokenKeyTool.html
By typing help when running TokenKeyTool you can obtain details of how it should be used. To run this script, type:
Before you can proceed you will need some trusted certificates. These certificates are in files that you have access to, and each file contains a single PEM-format certificate. The certificates required are:
C1 : The IRCA certificate (in the example below this is called IRCA.crt). This is referred to as the verification certificate.
C2 : The L1CA certificate (in the example below this is called L1CA.crt).
Finally, you will need to issue a request for a Seller signing certificate and a Buyer signing certificate, then import the generated certificate chains into your CertStore.
C3 : The Seller's signing certificate, e.g. Seller SC
C4 : The Buyer's signing certificate, e.g. Buyer SC
The following distinguished names should be used:
C1: "IRCA" certificate e.g. "CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US"
C2: "L1CA" certificate e.g. "CN=L1 Bank CA,OU=L1 Bank,O=L1,C=GB"
C3: "SellerSC" certificate e.g. "CN=Seller SC, OU=L1 Bank, O=L1"
C4: "BuyerSC" certificate e.g. "CN=Buyer SC, OU=L1 Bank, O=L1"
In order to create your store, the following steps need to be performed:
Run the tok.sh script, which starts the TokenKeyTool.
Type help to obtain details of usage.
Create a trust domain using the openstoremanager command, e.g. openstoremanager -domainspace "file:///opt/itps-cpi/store" -manager local
Create a TokenKeyStore using the createstore command, e.g. createstore -store identrus (you will be prompted for a password; please record this password).
Import your trusted IRCA (C1) and L1CA (C2) certificate files using the importtrustedcerts command, e.g.:
importtrustedcerts -file "IRCA.crt"
importtrustedcerts -file "L1CA.crt"
Generate a holding key pair for each of your Seller and Buyer signing certificates using the genkey command, e.g.:
genkey -dname "CN=SellerSC,OU=L1 Bank,O=L1"
genkey -dname "CN=BuyerSC,OU=L1 Bank,O=L1"
View the keys to obtain their generated aliases using the listkeys command.
Generate PKCS7 certificate requests to be processed by your L1CA using the certreq command, e.g.:
certreq -alias <generated_key_alias> -dname "CN=SellerSC,OU=L1 Bank,O=L1" -file "sellercertrequest"
certreq -alias <generated_key_alias> -dname "CN=BuyerSC,OU=L1 Bank,O=L1" -file "buyercertrequest"
Paste the generated certificate requests into your L1CA and obtain the CA-generated Base64-encoded certificate chains. Store them in files called "sellercertresponse" and "buyercertresponse".
Import the certificate chains into the certificate store using the importkeychain command, e.g.:
importkeychain -file "sellercertresponse"
importkeychain -file "buyercertresponse"
Quit the TokenKeyTool using the quit command.
We now illustrate this with an example:
Script started on Mon 24 Sep 2001 17:01:34 BST
TokenKeyTool> openstoremanager -domainspace "file:///opt/itps-cpi/store" -manager local
TokenKeyTool> createstore -store identrus
Login to JSS token Internal Key Storage Token: password
TokenKeyTool> importtrustedcerts -file "IRCA.crt"
TokenKeyTool> importtrustedcerts -file "L1CA.crt"
TokenKeyTool> genkey -dname "CN=SellerSC,OU=L1 Bank,O=L1"
TokenKeyTool> genkey -dname "CN=BuyerSC,OU=L1 Bank,O=L1"
subject name: CN=SellerSC,OU=L1 Bank,O=L1
issuer name: CN=SellerSC,OU=L1 Bank,O=L1
alias: 7733ad362cc3ecce#CN=SellerSC,OU=L1 Bank,O=L1
subjectName: CN=SellerSC,OU=L1 Bank,O=L1
issuerName: CN=SellerSC,OU=L1 Bank,O=L1
not before: 24-Sep-01 16:03:20
subject name: CN=BuyerSC,OU=L1 Bank,O=L1
issuer name: CN=BuyerSC,OU=L1 Bank,O=L1
alias: 7733ad362cc3eccf#CN=BuyerSC,OU=L1 Bank,O=L1
subjectName: CN=BuyerSC,OU=L1 Bank,O=L1
issuerName: CN=BuyerSC,OU=L1 Bank,O=L1
not before: 24-Sep-01 16:03:20
TokenKeyTool> certreq -alias "7733ad362cc3ecce#CN=SellerSC,OU=L1 Bank,O=L1" -file "sellercertrequest"
TokenKeyTool> certreq -alias "7733ad362cc3eccf#CN=BuyerSC,OU=L1 Bank,O=L1" -file "buyercertrequest"
TokenKeyTool> importkeychain -file "sellercertresponse"
subject name: CN=SellerSC,OU=L1 Bank,O=L1
issuer name: CN=L1CA,OU=L1 Bank,O=L1,C=GB
alias: 10a#CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=SellerSC,OU=L1 Bank,O=L1
issuerName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
not before: 24-Sep-01 16:09:23
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 19-Sep-01 08:23:24
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 29-Aug-01 00:00:00
TokenKeyTool> importkeychain -file "buyercertresponse"
subject name: CN=BuyerSC,OU=L1 Bank,O=L1
issuer name: CN=L1CA,OU=L1 Bank,O=L1,C=GB
alias: 10b#CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=BuyerSC,OU=L1 Bank,O=L1
issuerName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
not before: 24-Sep-01 16:09:23
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 19-Sep-01 08:23:24
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 29-Aug-01 00:00:00
subject name: CN=SellerSC,OU=L1 Bank,O=L1
issuer name: CN=L1CA,OU=L1 Bank,O=L1,C=GB
alias: 10a#CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=SellerSC,OU=L1 Bank,O=L1
issuerName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
not before: 24-Sep-01 16:09:23
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 19-Sep-01 08:23:24
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 29-Aug-01 00:00:00
subject name: CN=BuyerSC,OU=L1 Bank,O=L1
issuer name: CN=L1CA,OU=L1 Bank,O=L1,C=GB
alias: 10a#CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=BuyerSC,OU=L1 Bank,O=L1
issuerName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
not before: 24-Sep-01 16:09:23
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 19-Sep-01 08:23:24
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 29-Aug-01 00:00:00
alias: 1#CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 29-Aug-01 00:00:00
alias: 18#CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
not before: 19-Sep-01 08:23:24
script done on Mon 24 Sep 2001 17:12:28 BST
Now you are ready to run the test harness. You must alter the script called test.sh, which can be found in the directory:
/opt/itps-cpi/bin
The test.sh script has defaults for all the parameters it needs. The parameters it expects are as follows:
Payment amount.
Keystore domainspace+store, e.g. file:///opt/itps-cpi/store#identrus
Verification certificate alias (i.e. {IRCA serial number}#{issuerDN})
Seller signing certificate alias (i.e. {SellerSC serial number}#{issuerDN})
Buyer signing certificate alias (i.e. {BuyerSC serial number}#{issuerDN})
To see the certificate aliases, type the following preparatory commands:
openstoremanager -domainspace "file:///opt/itps-cpi/store" -manager local
setdefaultstore -manager local -store identrus
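The session above prints, for every imported key chain, an alias of the form {serial}#{issuerDN} followed by the chain from the leaf certificate up to its root, and test.sh then needs exactly those aliases. The following Python is an added example, not part of the guide or the CPI distribution: it parses such a transcript, checks that each chain links issuer to subject all the way to the trusted IRCA (the verification certificate, C1) and that the alias's issuerDN matches the leaf's issuer, and picks out the verification, Seller and Buyer aliases. It assumes only the output format shown in the session; the embedded transcript is constructed from that session, abridged to the lines the parser reads, with one made-up chain (alias 10c) that ends at an unrelated CA so the failure case is visible.

```python
"""Check a TokenKeyTool transcript and derive the aliases test.sh expects.
Added example (not from the guide or the CPI distribution); it assumes only the
output format shown above: an 'alias:' line followed by subjectName/issuerName
pairs listed from the leaf certificate up to the root."""
from dataclasses import dataclass, field

# The IRCA (C1), i.e. the verification certificate, as a distinguished name.
IRCA_DN = "CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US"

# Constructed transcript, abridged from the session above to the lines the
# parser reads, plus one made-up chain (alias 10c) that ends at an unknown CA.
TRANSCRIPT = """\
TokenKeyTool> importkeychain -file "sellercertresponse"
alias: 10a#CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=SellerSC,OU=L1 Bank,O=L1
issuerName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
TokenKeyTool> importkeychain -file "buyercertresponse"
alias: 10b#CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=BuyerSC,OU=L1 Bank,O=L1
issuerName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
subjectName: CN=L1CA,OU=L1 Bank,O=L1,C=GB
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
TokenKeyTool> importkeychain -file "strayresponse"
alias: 10c#CN=Other CA,O=Other,C=GB
subjectName: CN=StraySC,OU=L1 Bank,O=L1
issuerName: CN=Other CA,O=Other,C=GB
subjectName: CN=Other CA,O=Other,C=GB
issuerName: CN=Other CA,O=Other,C=GB
alias: 1#CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
subjectName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
issuerName: CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US
"""


@dataclass
class StoreEntry:
    alias: str
    chain: list = field(default_factory=list)  # (subjectName, issuerName), leaf first


def parse_transcript(text):
    """Collect every alias with the subjectName/issuerName pairs printed after it."""
    entries, current, subject = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("TokenKeyTool>"):
            current = None  # a new command: stop attaching lines to the last alias
        elif line.startswith("alias:"):
            current = StoreEntry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
        elif line.startswith("subjectName:") and current is not None:
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("issuerName:") and current is not None and subject:
            current.chain.append((subject, line.split(":", 1)[1].strip()))
            subject = None
    return entries


def split_alias(alias):
    """Aliases have the form {serial}#{issuerDN}; anything else is rejected."""
    serial, sep, issuer = alias.partition("#")
    if not (sep and serial and issuer):
        raise ValueError("alias is not {serial}#{issuerDN}: %r" % alias)
    return serial, issuer


def chain_trusted(entry, root_dn=IRCA_DN):
    """Each issuer must be the next subject, the last certificate must be the
    self-signed trusted root, and the alias issuerDN must match the leaf issuer."""
    if not entry.chain or split_alias(entry.alias)[1] != entry.chain[0][1]:
        return False
    for (_, issuer), (next_subject, _) in zip(entry.chain, entry.chain[1:]):
        if issuer != next_subject:
            return False
    subject, issuer = entry.chain[-1]
    return subject == issuer == root_dn


def harness_parameters(text, root_dn=IRCA_DN):
    """The three aliases test.sh expects, plus every entry whose chain is untrusted."""
    result = {"rejected": []}
    for entry in parse_transcript(text):
        leaf = entry.chain[0][0] if entry.chain else ""
        if not chain_trusted(entry, root_dn):
            result["rejected"].append(entry.alias)
        elif leaf == root_dn:
            result["verification"] = entry.alias
        elif leaf.startswith("CN=SellerSC,"):
            result["seller"] = entry.alias
        elif leaf.startswith("CN=BuyerSC,"):
            result["buyer"] = entry.alias
    return result
```

On the constructed transcript this yields 1#CN=Identrus Root,... as the verification alias, 10a#... for the Seller and 10b#... for the Buyer, which are the values the Init Seller and Init Buyer lines below show, and rejects 10c because its chain ends at a root you never imported with importtrustedcerts. Catching that here is cheaper than debugging a failed verification after running test.sh.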
Run the test program and receive a response from your TC. Before running the test script, make sure jmqbroker, jmsproxy, slapd, iAS, iWS, iTTM, iTPS and the Biab backend are all running, or a Doctype error will occur. If the status field in the response message is "success", the test is successful. The output looks something like the example below.
Script started on Mon 24 Sep 2001 17:30:38 BST
Init Seller [ password ] [ file:///opt/itps-cpi/store#identrus ] [ 10a#CN=L1CA,OU=L1 Bank,O=L1,C=GB] [ 1#CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US]
Init Buyer [ password ] [ file:///opt/itps-cpi/store#identrus ] [ 10b#CN=L1CA,OU=L1 Bank,O=L1,C=GB] [ 1#CN=Identrus Root,OU=Identrus Root,O=Identrus,C=US]
---------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Acknowledgement PUBLIC "-//IDENTRUS//ELEANOR ACKNOWLEDGEMENT DTD//en" "file:///bankInterface.dtd">
<Acknowledgement>
  <NIB id="NIB_9F6B3D9AFBDEEAA7AB9C8DC84EB532DAB6606008_1">
    <ContextInfo msggrpid="32C2BC35A480C2D8F1FA34AFA4E34979D211504B" msgid="SFI01"/>
    <StartTime><LocalTime id="LocalTime_9F6B3D9AFBDEEAA7AB9C8DC84EB532DAB6606008_1" time="20020522135601Z"/></StartTime>
    <MsgTime><LocalTime id="LocalTime_9F6B3D9AFBDEEAA7AB9C8DC84EB532DAB6606008_2" time="20020522135605Z"/></MsgTime>
  </NIB>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#rsa-sha1"/>
      <Reference URI="#NIB_9F6B3D9AFBDEEAA7AB9C8DC84EB532DAB6606008_1">
        <Transforms><Transform Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/>
        <DigestValue>ja8Ls8YcPn/jNDTxaeMRf0aKUaA=</DigestValue>
      </Reference>
      <Reference URI="#ContentAcknowledgement_623FD0E43DD72CAB72DCC1F79C94A7746A6AF542_1">
        <Transforms><Transform Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/>
        <DigestValue>MJ2Ls4HHn3QeuntpjvEYMUksdzw=</DigestValue>
      </Reference>
      <Reference URI="#Response_623FD0E43DD72CAB72DCC1F79C94A7746A6AF542_1">
        <Transforms><Transform Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/>
        <DigestValue>JhAXLM+2OKrVQCeNoUg23mO/UaM=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AHhfU3zHMEVWl9ZB9hu6xW8UN7Go81j30LOXG+dhDM9CpnDUtjEXPCDufOYHGtLu
zupK1g2k0llFQG9wv1PmIXCasIPaZDFhsxjE16msfH8KjTdqDXWh9YuK5r0A90J2
84fgTGQ0tOKbfklWKIF2kgjsQTL/xm+b09FFVpUl8Dw=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509IssuerSerial>
          <X509IssuerName>CN=Identrus Root Certificate Manager,OU=Identrus Root,O=Identrus,C=US</X509IssuerName>
          <X509SerialNumber>266</X509SerialNumber>
        </X509IssuerSerial>
      </X509Data>
    </KeyInfo>
  </Signature>
  <CertBundle>
    <X509Data>
      <X509IssuerSerial>
        <X509IssuerName>CN=Identrus Root Certificate Manager,OU=Identrus Root,O=Identrus,C=US</X509IssuerName>
        <X509SerialNumber>266</X509SerialNumber>
      </X509IssuerSerial>
      <X509Certificate>MIIDYzCCAkugAwIBAgIBGTANBgkqhkiG9w0BAQQFADBkMQswCQYDVQQGEwJVUzER
...........................................................
GDFDpV46exYYgbclRMs37kyLPn/tARFeknc09aXEbZrYaMRUy0Q5kfCb71F2</X509Certificate>
    </X509Data>
  </CertBundle>
  <ContentAcknowledgement id="ContentAcknowledgement_623FD0E43DD72CAB72DCC1F79C94A7746A6AF542_1">
    <Header xml:lang="EN"><Product>xPx</Product><DocumentType>Acknowledgement</DocumentType><Version>1.1</Version></Header>
    <References><EleanorTransactionReference>73aa07ed-f876-6d18-8000-2120448280a1</EleanorTransactionReference></References>
    <AcknowledgementData>
      <AcknowledgementType>PayInst</AcknowledgementType>
      <Status>SUCCESS</Status>
      <ReasonCode>00SP00</ReasonCode>
      <ReasonText>Message validated</ReasonText>
    </AcknowledgementData>
  </ContentAcknowledgement>
  <Response id="Response_623FD0E43DD72CAB72DCC1F79C94A7746A6AF542_1">
    <ResponseData>MIIIiAoBAKCCCIEwggh9BgkrBgEFBQcwAQEEgghuMIIIajCBpqFAMD4xEDAOBgNV
...........................................................
iz5/7QERXpJ3NPWlxG2a2GjEVMtEOZHwm+9Rdg==</ResponseData>
    <CSCResponse>
      <NIB id="NIB_917C8CEF242EA78F011F593F342981DA537F7673_1">
        <ContextInfo msggrpid="AA6DEEF8DCBA3322287AF42D55C1DC711C91FF72" msgid="1022065168495"/>
        <StartTime><LocalTime id="LocalTime_917C8CEF242EA78F011F593F342981DA537F7673_1" time="20020522105903Z"/></StartTime>
        <MsgTime><LocalTime id="LocalTime_917C8CEF242EA78F011F593F342981DA537F7673_2" time="20020522105928Z"/></MsgTime>
      </NIB>
      <Signature>
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#rsa-sha1"/>
          <Reference URI="#NIB_917C8CEF242EA78F011F593F342981DA537F7673_1">
            <Transforms><Transform Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/>
            <DigestValue>OgeKIIySzLyZuaCfS3bcBsRTiMQ=</DigestValue>
          </Reference>
          <Reference URI="#Response_353017FFA82146F17316CEBFA48B9EC12C974186_1">
            <Transforms><Transform Algorithm="http://search.ietf.org/internet-drafts/draft-ietf-trade-hiroshi-dom-hash-03.txt"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/>
            <DigestValue>i+UtlGeGfWYNAJeM+b3VrEYneRQ=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>J1/h3RfMhG6NYtn6UKvx168DWy1WBQGaM1PSPUMK8Ap94difqX3DzwDk5bibr7wI
WjJt9D/62wOlIX4ZGDQXMdJ1CWW5Wlq/CiotH5VdHjnp7709fbI8CTmMOQEaZ7TI
tBMVYxjLK8HvosJuy4lPesu88hMuY4PbztuKQk0k18k=</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509IssuerSerial>
              <X509IssuerName>CN=Identrus Root Certificate Manager,OU=Identrus Root,O=Identrus,C=US</X509IssuerName>
              <X509SerialNumber>7</X509SerialNumber>
            </X509IssuerSerial>
          </X509Data>
        </KeyInfo>
      </Signature>
      <CertBundle>
        <X509Data>
          <X509IssuerSerial>
            <X509IssuerName>CN=Identrus Root Certificate Manager,OU=Identrus Root,O=Identrus,C=US</X509IssuerName>
            <X509SerialNumber>7</X509SerialNumber>
          </X509IssuerSerial>
          <X509Certificate>MIIDajCCAlKgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBkMQswCQYDVQQGEwJVUzER
...........................................................
GDFDpV46exYYgbclRMs37kyLPn/tARFeknc09aXEbZrYaMRUy0Q5kfCb71F2</X509Certificate>
        </X509Data>
      </CertBundle>
      <Response id="Response_353017FFA82146F17316CEBFA48B9EC12C974186_1">
        <ResponseData>MIIIiAoBAKCCCIEwggh9BgkrBgEFBQcwAQEEgghuMIIIajCBpqFAMD4xEDAOBgNV
...........................................................
cyNUjoMo+uJXI4S4WcaflNUpadLeTat7FKLgtbVpbRgxQ6VeOnsWGIG3JUTLN+5M
iz5/7QERXpJ3NPWlxG2a2GjEVMtEOZHwm+9Rdg==</ResponseData>
      </Response>
    </CSCResponse>
  </Response>
</Acknowledgement>
----------------------------------------------------------------
script done on Mon 24 Sep 2001 17:31:20 BST
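The pass criterion above is the Status field inside the ContentAcknowledgement. The following Python is an added example, not part of the guide or the CPI distribution: it pulls Status, ReasonCode and ReasonText out of an Acknowledgement, strips the DOCTYPE so that no parser tries to resolve the external bankInterface.dtd, treats a non-XML or non-Acknowledgement reply (the "Doctype error" case) as a failure, and additionally checks that every id-bearing top-level element (NIB, ContentAcknowledgement, Response) is covered by a Reference in the SignedInfo, as the response above is. The embedded document is constructed on the structure of that response; the element names are the page's, while the id values and the certificate, signature and ResponseData payloads are placeholders.

```python
"""Check a CPI test-harness Acknowledgement the way an operator reads it.
Added example (not from the guide or the CPI distribution); element names follow
the response above, the id values and payloads below are placeholders."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Acknowledgement above with the certificate,
# signature and ResponseData payloads replaced by placeholders.
SAMPLE_ACK = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE Acknowledgement PUBLIC "-//IDENTRUS//ELEANOR ACKNOWLEDGEMENT DTD//en" '
    '"file:///bankInterface.dtd">'
    '<Acknowledgement>'
    '<NIB id="NIB_EXAMPLE_1"><ContextInfo msggrpid="EXAMPLEGROUP" msgid="SFI01"/></NIB>'
    '<Signature><SignedInfo>'
    '<Reference URI="#NIB_EXAMPLE_1"><DigestValue>AAAA</DigestValue></Reference>'
    '<Reference URI="#ContentAcknowledgement_EXAMPLE_1"><DigestValue>BBBB</DigestValue></Reference>'
    '<Reference URI="#Response_EXAMPLE_1"><DigestValue>CCCC</DigestValue></Reference>'
    '</SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue></Signature>'
    '<ContentAcknowledgement id="ContentAcknowledgement_EXAMPLE_1">'
    '<Header xml:lang="EN"><Product>xPx</Product><DocumentType>Acknowledgement</DocumentType>'
    '<Version>1.1</Version></Header>'
    '<AcknowledgementData><AcknowledgementType>PayInst</AcknowledgementType>'
    '<Status>SUCCESS</Status><ReasonCode>00SP00</ReasonCode>'
    '<ReasonText>Message validated</ReasonText></AcknowledgementData>'
    '</ContentAcknowledgement>'
    '<Response id="Response_EXAMPLE_1"><ResponseData>PLACEHOLDER</ResponseData></Response>'
    '</Acknowledgement>'
)

# The response carries a DOCTYPE pointing at an external DTD; drop it rather
# than let a parser try to fetch it. (A DOCTYPE with an internal subset in
# square brackets is not handled by this simple pattern.)
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^>]*>")


def parse_ack(text):
    """Return the status fields plus any id-bearing top-level element that the
    signature's References do not cover; raise ValueError for anything that is
    not a well-formed Acknowledgement (for example the 'Doctype error' case)."""
    try:
        root = ET.fromstring(DOCTYPE_RE.sub("", text, count=1))
    except ET.ParseError as exc:
        raise ValueError("response is not well-formed XML: %s" % exc)
    if root.tag != "Acknowledgement":
        raise ValueError("unexpected root element %r" % root.tag)
    data = root.find("ContentAcknowledgement/AcknowledgementData")
    if data is None:
        raise ValueError("no AcknowledgementData in response")
    # Every Reference URI in the document, with the leading '#' removed.
    signed = {ref.get("URI", "").lstrip("#") for ref in root.iter("Reference")}
    # The ids of the top-level children (NIB, ContentAcknowledgement, Response).
    ids = {child.get("id") for child in root if child.get("id")}
    return {
        "status": (data.findtext("Status") or "").strip(),
        "reason_code": (data.findtext("ReasonCode") or "").strip(),
        "reason_text": (data.findtext("ReasonText") or "").strip(),
        "unsigned_ids": sorted(ids - signed),
    }


def ack_is_success(text):
    """The page's criterion (Status is success) plus full signature coverage."""
    try:
        ack = parse_ack(text)
    except ValueError:
        return False
    return ack["status"].upper() == "SUCCESS" and not ack["unsigned_ids"]
```

Reading ReasonCode and ReasonText alongside Status is what makes a failed run diagnosable, and the coverage check flags an acknowledgement whose NIB or Response was left outside the signed references; it does not verify the signature itself, which needs the dom-hash canonicalization named in the CanonicalizationMethod.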
Sending Payment Message to host other than AIA in the Certificate
It is possible to override the default destination of the payment message used in the Test.java example. This is done by adding two properties to the ConfigAdapter for the Seller in getConfigSeller(), as follows:
props.put(PropertyCodes.INITIATOR_LOCATION_FORCE_DEFAULT, "true");
props.put(PropertyCodes.INITIATOR_LOCATION_DEFAULT, "http://{target hostname}/NASApp/NASAdapter/TbaseNASAdapter");
Now recompile the example, e.g.:
javac ../example/com/example/example1.Test.java
Then you MUST add the new class file to the classpath by adding the following line to cp.sh (just before the export statements):
CLASSPATH=/opt/itps-cpi/example:$CLASSPATH
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated October 22, 2002