iPlanet Trustbase Payment Services 2.0 Beta Installation Guide



Chapter 2   Installation


This chapter outlines the installation procedures for the various components.


Installation Overview

The diagram below illustrates how the various components are related to each other, and the message paths between each component. In order to have a fully functional system all of these components require installation and configuration.

Figure 2-1    Installation Overview



Installation Script



| Product Components | Possible? | Considerations |
| --- | --- | --- |
| iTTM separated from iAS | Not Possible | If iAS and iWS are installed on separate machines make sure iTTM is installed with iAS |
| iWS separated from iAS | Yes | See the section on Configurator Plug-in (http://docs.iplanet.com/docs/manuals/ias.html) and also the section on webless installs (http://docs.sun.com/source/816-5788-10/app1.htm#13421). The webserver's documents directory must be made accessible by the iTTM installer. This accessibility only needs to be present when the installer is functioning (i.e. it will need to be re-instated during upgrade or silent installs). |
| Oracle separated from iTTM | Yes | See iTTM Installation manual http://docs.sun.com/source/816-6283-10/index.html |
| HSM separate from iTTM | No | We do not support HSM's with iTPS components on separate machines |
| SSL Proxy separated from iTTM | Yes | See iTTM Installation manual http://docs.sun.com/source/816-6283-10/index.html |
| SMTP Proxy separated from iTTM | Yes | See iTTM Installation manual http://docs.sun.com/source/816-6283-10/index.html |
| iAS with other Web Servers | No | Not supported |
| iTPS components separate from iTTM | Yes | |
| iTTM separate from iTPS | No | Not possible |
| iTPS components using different Oracle Users | Yes | Different Usernames are allowed for each component. However, you may need to copy all SQL scripts to the local machine and install to each new username. |
| iTPS components using the same iWS Web Server Instance | No | New Web Server instances must be created for each iTPS component that is installed on the same machine. |

The table above summarises the kinds of installation that are possible. Although it is not necessary to install the components on individual machines, the layout shown in "Installation Overview" can be used for testing purposes. Other configurations may be possible, for instance each machine acting as both a buyer's and a seller's bank.

There are a number of main steps that need to be applied appropriately to the four machines labeled Machine A - Machine D in the figure "Installation Overview". It is recommended that you copy or detach this page to help you install and cross-reference the install sections.

  1. Install Sun Software

    1. The Solaris 8 Operating System, which should already have been supplied to you on a separate CD-ROM

    2. The JDK 1.3.1 Java programming language, which should be downloaded from http://www.javasoft.com

    3. The iPlanet Certificate Management System or any other third-party Identrus-compliant PKI software. For instance,

      http://www.iplanet.com/products/iplanet_certificate/home_certificate.html

    4. The iPlanet Messaging Server or any other Corporate Mail Server. For instance,

      http://www.iplanet.com/products/iplanet_messaging/home_iplanet_messaging.html

  2. Install the pre-requisite third party software

    1. An Oracle 8.1.7 database must be installed and available for use by all of the machines running in the iTPS installation. An Oracle database may be installed on each node in the system, a single node in the system, or an independent node that is accessed by each of the machines.

    2. Install an Identrus compliant PKI. This must include an appropriate Validation Authority component and be capable of supporting the Identrus Certificate Status Check protocol.

    3. Install an nCipher HSM on each machine in order to perform cryptographic operations

  3. Install the base components for the Buyer and Seller's banks

    1. Install the iTTM 3.0.1 on all Machines.

    2. Install, if you have not already installed with iTTM, the iMQ for Java 2.0 and its patch on all Machines.

    3. Install the iWS 6.0 SP2 for the Bank in a Box administration tools on all machines.

    4. Mail Server availability

  4. Install the components that make up the Payments Services product

    1. Install the iTPS 2.0

    2. Configure JMSProxy that was installed with iTTM

    3. Install the Bank in a Box (BiaB) back office simulator

    4. Install the Bank in a Box (BiaB) administrator tool

    5. Condition Management Website

    6. Obligation Management Website

  5. Install the Buyer and seller web site components

    1. Install the iWS 6.0 SP2 on both machines

    2. Install the Buyers Bank Website (BFI)

    3. Install the Sellers Bank Website (Tooledup demonstrator)

  6. Optionally install the CPI library for use in developing applications (See the iPlanet Trustbase Payment Services Developer Guide for details on how to install this).


Assumptions

  1. The `\' is used to indicate a line continuation

  2. The following default installation locations will be used

    1. iws6: /opt/iws6

    2. ias6: /opt/ias6

  3. Before using the install scripts, ensure your terminal type is set to vt100 or vt220. For example:

    TERM=vt100;export TERM

  4. The documentation assumes four machines for the install. You may however use fewer. Typically sellers' and buyers' banks appear on the same machine. In the examples illustrated in the next sections it is assumed that all sellers, buyers, sellers bank and buyers bank operate from one machine and the Oracle host is on another, as indicated below:

    1. Oracle host name mydatabase.mycompany.com

    2. iTPS machine name myhost.mycompany.com

  5. You should be logged in as root to perform these installs

  6. GemSAFE IS 1.1 for Identrus System 16000 Smartcards are configured on Buyer PC for use with Tooledup Seller Website.

  7. When installing the iWS 6.0 SP2 make sure that you select the option that specifies an external JDK 1.3.1, which needs to be downloaded from http://www.javasoft.com to /usr/java1.3


Third Party Pre-requisites




Availability

The CD supplied with the product contains all of the required components to install the system EXCEPT:

  1. Oracle 8.1.7

  2. An appropriate Certificate Authority

  3. An appropriate OCSP responder

  4. nCipher software

These will need to be acquired from the appropriate vendor, installed and configured, prior to installing any of the iPlanet Payments Services components.


Oracle 8.1.7 requirements (step 1a)

Your Oracle 8.1.7 installation must be configured with a user capable of:

  1. Creating tables

  2. Updating tables

  3. Dropping tables

  4. Running SQL scripts to populate the database

When installing Oracle you will need to allocate sufficient space to the user. We would recommend the following:

  • For every 1000 expected messages you will need a minimum of 20Mb of table space.

  • The default block size should be set to a minimum of 8k

You will be required to provide the details of the Oracle installation at various points during the installation. The information required will be:

  1. Hostname - As appropriate

  2. Port number - Default 1521

  3. SID - Default ORCL

The Oracle instance must be available during the installation of the product, as most components need to log into the database using SQL*Plus and populate tables from information supplied in SQL scripts.

The User should also be familiar with the chapter on Configuration Recovery in the iTTM Installation and Configuration manual

http://docs.sun.com/source/816-6283-10/index.html

or in

/cdrom/cdrom0

and also the datamodel described in the Systems Administration Guide


PKI Requirements (step 1b)

Your software must be configured as PKI compliant with Identrus (See Identrus Document IT-PKI http://www.identrus.com ) including all Transaction Coordinator profiles.

It is expected that the RA, CA, and VA components are available during the installation as certain components require certificates to be issued.

You must have Identrus Compliant Certificates with the appropriate email extensions for email acknowledgements to work.


nCipher requirements (step 1c)

The nCipher components are generally stand alone and little information is required about the nCipher components. It is however useful to know the port that the nCipher Hardserver is running on (Default is 9000) as this is required at some points during installation.

If you are using a native provider you do not need an Operator card; if you are using a PKCS11 provider you do. It also requires the admin card to be present for the first Crypto operation, after which the card can be removed. A three corner test would provide this first Crypto operation.

You should consult the iTTM Installation and Configuration Guide for details on this.


Smart Cards and Browsers (step 1d)

  • A SmartCard, such as a credit card, which will be issued to you by a third party vendor. An Identrus compatible SmartCard is a mandatory requirement. iPlanet Trustbase Payment Services is currently compatible with the GemPlus SmartCards GemSAFE IS 16000. See http://www.gemplus.com/app/banking/gemsafe_is_mkt.htm

  • A SmartCard Reader with browser plug-in, which will be issued to you by a third party vendor. An Identrus compatible SmartCard Reader is a mandatory requirement. iPlanet Trustbase Payment Services is currently compatible with the GemPlus Card Readers GemPC430 and GemPC410 see http://www.gemplus.com/products/hardware/index.htm

  • GEMSafe Enterprise Workstation 1.0 software is compatible with iPlanet Trustbase Payment Services see http://www.gemplus.com/products/software/gemsafe/index.html

  • The Netscape Navigator v4.75 and Internet Explorer 5.0. These should be configured automatically with the software that comes with your SmartCard and SmartCard Reader.

  • The supported email client for asynchronous support for SMIME acknowledgements is Netscape Messenger 4.7 for Solaris.

  • The Client browser is compatible with GemPlus SmartCard and iPlanet Trustbase Payment Services; as such the following operating systems are supported: Windows NT 4.0 Service Pack 5 (see http://www.microsoft.com/ntserver/nts/downloads/recommended/sp5/allsp5.asp), or alternatively Windows 98 (see http://www.microsoft.com/Windows98/), or Solaris 8


Buyer and Seller Bank base components


iTTM 3.0.1 (step 2a)

Each Bank machine will need to have an iTTM installed and configured.

In order to install these components you will need to follow the instructions in the iTTM 3.0 SP1 installation guide found in

/cdrom/cdrom0

or

http://docs.sun.com/source/816-6283-10/index.html

The instructions in chapter 1 Pages 13-62 provide information on how to install the following:

  1. iWS 6.0 SP2

  2. iAS 6.5

  3. iTTM 3.0.1

Chapter 4 provides information on how to configure and check that the components are operational.

We assume that this is installed on

/opt/ittm

NOTE: All of the software for the above installation is included on the iTPS CD.


iPlanet Message Queue for Java 2.0 (step 2b)

If you did not already do so when you installed iTTM, you will need to install iMQ for Java 2.0.

The iPlanet Message Queue (iMQ) component provides a means for the iTPS and the Bank in a Box components to communicate with each other. This means that an iMQ installation must be performed on both the Buyers and Sellers bank machines.

iPlanet Message Queue for Java is shipped with iTPS and may be found in the iMQ2.0 sub directory on the CD.

/cdrom/cdrom0/imq2.0


Installation

The iMQ installation uses the Solaris package mechanisms to install the software on the machine. Assuming that the supplied CD has been mounted on /cdrom then the following commands will install the software:

pkgadd -d /cdrom/cdrom0/imq2.0/imq2_0-pkgs

This will automatically install to

/opt/SUNWjmq

You will be asked a question during the installation. Unless you have specific installation requirements then by using the defaults provided you will install all of the iMQ packages.

These settings will fulfill all the iTPS iMQ requirements.

If you require further information then details of how to install iMQ 2.0 can be found in point 7 within the following document, which requires vi or a text editor to read:

http://docs.sun.com/db/prod/s1.ipmsgquj

http://docs.iplanet.com/docs/manuals/javamq/20/install.pdf


Example installation and Configuration

bash-2.03# pkgadd -d /cdrom/cdrom0/imq2.0/imq2_0-pkgs

Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:

do you wish to run the jmqbroker so that jmqbroker will start automatically at boot time? ? [y,n] y


Installing iMQ for Java SP1 Patch

Once the iMQ is installed, install the SP1 patch. This process is documented in a file that can be read using a text editor, e.g.:

vi /cdrom/cdrom0/imq2.0/SP1/111858-01/install.pdf

NOTE: The file has a .pdf extension but is a text file and may be read using the vi editor. Once the software has been installed on either the buyer or seller machine, perform the second installation before progressing to patch the iAS installation.

The command to install the patch is:

cd /cdrom/cdrom0/imq2.0/SP1/111858-01

./installpatch .


Running iMQ for Java

After installation, start jmq manually for the first time; subsequent reboots will start the application automatically:

/etc/init.d/jmq start

or if already running, it will tell you:

Starting /opt/SUNWjmq/bin/jmqbroker -bgnd -silent ... jmqbroker is already running.

and to stop:

/etc/init.d/jmq stop

If it becomes necessary to clear out the contents of the queue then start the broker in the following way

/etc/init.d/jmq stop

/opt/SUNWjmq/bin/jmqbroker -reset store


Configuring with iAS

The next step is to configure the iTTM/iAS instance to use the appropriate iMQ installation. This operation will need to be performed on both of the Buyer and Seller machines. Before performing this operation it is important to ensure that the iAS has been shut down, but slapd should still be running.

If the iTTM had been installed in `/opt/ittm' the commands would be:

/opt/ittm/Scripts/stoptbase

/opt/ittm/Scripts/stopias

/opt/ias6/slapd-myhost/stop-slapd

/opt/ias6/slapd-myhost/start-slapd

To configure iAS for use with iMQ, execute jmssetup. This must be performed as the root user. You will be asked several questions, as illustrated below:

bash-2.03# cd /opt/ias6/ias/jms/bin

bash-2.03# ./jmssetup

iAS install directory is /opt/ias6/ias

Are you using IBM MQ v5.1 as message provider [Y] :n

Enter the dynamic library run path (LD_LIBRARY_PATH) for your JMS message provider. When finished, hit return only) :

Will append to LD_LIBRARY_PATH? Is this correct? [Y] :

Enter the elements (absolute path) for the JMS provider CLASSPATH

When finished, hit return only. :/opt/SUNWjmq/lib/jmq.jar

Enter the elmements (absolute path) for the JMS provider CLASSPATH

When finished, hit return only. :/opt/SUNWjmq/lib/jmqadmin.jar

Enter the elmements (absolute path) for the JMS provider CLASSPATH

When finished, hit return only. :

Will append :/opt/SUNWjmq/lib/jmq.jar:/opt/SUNWjmq/lib/jmqadmin.jar to CLASSPATH?

Is this correct? [Y] :y

Connected to LDAP server on myhost.mycompany.com port 388

Once configured on one machine, configure the second machine before progressing to installing the iTPS components.

At this point there is no need to start the iMQ services. Instructions for starting the iMQ service are shown in Chapter 4.


Installing iWS 6.0 for iTPS components(step 2c)

In order to be able to install the Bank in a Box administrator component, a web Server needs to be available. The iTPS CD contains an iWS 6.0 package that is shipped for this use. Run the iWS6.0 setup tool located in

/cdrom/cdrom0/iws6

Selecting the default values for the installation may cause the iWS 6.0 installation to clash with the iWS 6.0 SP2 installed for the iTTM 3.0.1. In order to avoid this, ensure that the Administration server port and the Web server port are set to values other than 8888 and 80 respectively. We recommend using 8890 and 90 respectively. If in doubt about which ports the webserver for iTTM was using, restart the webserver and the admin server:

./opt/iws6/https-myhost.mycompany.com/stop

./opt/iws6/https-admserv/stop

./opt/iws6/https-myhost.mycompany.com/start

./opt/iws6/https-admserv/start

When installing the iWS 6.0 make sure that you select the option that specifies an external JDK 1.3.1 downloaded from http://www.javasoft.com into /usr/java1.3

Ensure that a web server is installed on both the Buyer and Seller bank machines prior to moving on to the installation of the iTPS components.

If you make a mistake while installing your webserver, remove the web server either in its entirety as illustrated below

cd /opt/iws6

./uninstall

rm -rf /opt/iws6

or remove an individual instance from the console using the <remove server> option. You should also stop the webserver first.

If you are installing an iTPS component on the same machine you will need to create a new web server instance for each component.

  1. Go to the Web Server Admin, for instance http://myhost.mycompany.com:8888

  2. Select <Add Server>

  3. The following naming convention should be used for each Web Server Instance:

    • Web server host: https-myhost.mycompany.com

    • iTPS instance: https-itps.mycompany.com

    • BFI instance: https-itps-bfi.mycompany.com

    • Biab instance: https-itps-biab.mycompany.com

    • TooledUp instance: https-itps-tdup.mycompany.com

    • Conditional Management instance: https-itps-cond.mycompany.com

    • Obligation Management instance: https-itps-om.mycompany.com

However for the purpose of this document we are assuming that the webserver instance is always set to https-myhost.mycompany.com


Mail Server (step 2d)

The mail server is used for asynchronous payment messages and can be provided by your corporate mail server or an installation of a new mail server such as iPlanet Messaging Server installed on an available machine. To check you have a mail Server type

telnet mymailhost 25

A mail user will be required by the iTPS install script in step 3a. You should make a note of this. For example if the mail server is on the same machine as the iTPS installation then this would be

myhost.mycompany.com:25


Installing iTPS Components



The iTPS components reside on both the Buyer and Seller bank machines. The following sections describe the installation of these components.


Payments Services installation (step 3a)

Make sure you have installed and configured iPlanet Trustbase Transaction Manager 3.0.1 and iPlanet Message Queue for Java 2.0

  1. Make a security back up of your Trustbase directory structure:

    cp -r /opt/ittm /opt/trustbase.bak

This is required because the iTPS install cannot be un-installed, and installing the iTPS more than once on an iTTM installation will not work. If an installation of the iTPS fails for any reason you are advised to restore the backup and start again.

  1. Make sure your slapd is running. From the root account, run the UNIX install script and answer the questions. Select the appropriate menu option for itps from

    ./cdrom/cdrom0/itps/setup -g

The following options are available for Silent Install:

    1. -g Performs a complete graphic install

    2. -s Operates on Command line answers silently

    3. -c Performs complete command line install interactively

    4. -k Asks for command line answers

    5. -m Gathers settings from installed packages

    6. -p Reinstalls, adds or patches a package

    7. -u Uninstalls an installed package

You should consult the iTTM Installation and Configuration Guide for more information on this

Figure 2-2    iPlanet Trustbase Payment Services Installation Welcome Screen


Figure 2-3    Locale Selection

Database Settings

Figure 2-4    iPlanet Message Queue For Java Settings


Notes: This Outbound Queue name is the queue going from the iTPS to BiaB and will need to be recorded for later use. itps_to_backend is a suitable name for this.

  1. Please reference your company mail server

Figure 2-5    Payments Mail Settings



Next enter the following as illustrated above.

  • SMTP host. This is the host where customer email acknowledgements are sent.

  • From field. This is the From field of the customer acknowledgement email

Figure 2-6    iPlanet Trustbase Payment Server Verification Panel


The screen displays the user's choices in order to aid the correct installation. You will need to make a note of the information in this screen as the information is required to install other components later in the process.

Figure 2-7    Component Selection


On entering the screen the size of iPlanet Trustbase Payment Services software application is displayed. In order to install this software the user needs to select the checkbox.

Figure 2-8    Ready to Install


This screen indicates the amount of space that is required to install iPlanet Trustbase Payment Services software. It also indicates the location of the iPlanet Trustbase Transaction Manager system that the iPlanet Trustbase Payment Services plug-in will be installed into.

You should make a note of these locations as they will be required later in the installation process. There are then two screens that update settings within iTTM and iAS.

Figure 2-9    Updating iPlanet Trustbase Transaction Manager


Figure 2-10    Installation Summary


Pressing the details button will display the software installed on the system and alterations to the existing configurations of iPlanet Trustbase Transaction Manager.


Set up iTPS database tables

You will now need to run oracle scripts. If Oracle is not installed on the same machine as the iTPS installation then you either have to copy the /opt/ittm/current/Config/sql directory to the database server or install the Oracle client on the machine. There are two alternative situations here.

  1. Oracle on same machine as iTPS. Alternatively this can be an Oracle client.

    mydatabase% su - oracle
    mydatabase% cd /opt/ittm/current/Config/sql
    mydatabase% sqlplus tbase/tbase
    SQL*Plus: Release 8.1.7.0.0 - Production on Fri Feb 15 12:07:11 2002
    (c) Copyright 1999 Oracle Corporation. All rights reserved.
    Enter user-name: tbase
    Enter password:
    Connected to:
    Oracle 8i Enterprise Edition Release 8.1.7.0.0 - Production
    PL/SQL Release 8.1.7.0.0 - Production
    SQL>spool myoutput.txt
    SQL>set echo on
    SQL>@PaymentsNew.sql

    You should check the output file to ensure that all SQL tables were created successfully.

    /opt/ittm/current/Config/sql/myoutput.txt

  2. Oracle on a different machine from iTPS. For example:

    1. cd /opt/ittm/current/Config/sql

    2. ftp myhost.mycompany.com <username><password>

      ftp> hash

      ftp> prompt

      ftp> mput *

      ftp> quit

    3. telnet myhost.mycompany.com <username><password>

    4. Follow the instructions in step 1

This will need to be executed on the database(s) used by both the Buyer and Seller banks iTPS installations.


JMS Proxy Configuration (step 3b)

The JMS Proxy provides a mechanism for the iTTM to receive inbound messages from an iMQ queue. Messages are taken from the queue and forwarded to iTTM over HTTP. You will need to configure a JMS Proxy on both the Buyer and Seller bank machines.

Figure 2-11    Configuring JMS Proxy


Normally this section is already done for you. However in some situations you may wish to change some settings.

  1. Check the following lines in the JMS Proxy properties file /opt/ittm/myhost/jmsproxy.properties:

  2. destination is the URL to which message content will be forwarded (see Figure 2-11)

    destination=http://myhost.mycompany.com/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy

    You will need to change just the hostname component to an appropriate value, e.g.

    http://myhost.mycompany.com/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy

  3. queue.host is the hostname of the machine where the JMS broker is listening. Since this is part of iTTM this should not normally change.

    queue.host=queue_hostname

    e.g. queue.host=myhost.mycompany.com

  4. queue.port is the port on which the JMS broker is running. By default this will be 7676 unless it was changed during the iMQ installation.

    queue.port=queue_port

    e.g. queue.port=7676

  5. queue.name is the name of the queue on which to receive messages. This is the asynchronous send queue as specified in the Bank in a Box configuration.

    queue.name=backend_to_itps

Note: Make sure the destination URL is the server host name of the appropriate Buyer or Seller bank iTTM installation. Make a note of this URL as you will need this again when configuring the Bank in a Box components. If you make any changes you should also stop and start iTTM in order for these changes to take effect:

/opt/ittm/Scripts/stoptbase

/opt/ittm/Scripts/starttbase
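
The four JMS Proxy settings above can be checked mechanically before iTTM is restarted. The script below is an added example, not part of the iTPS distribution; the function names and the sample files are constructed from the example values used in this section, and a POSIX shell with sed and tr is assumed.

```bash
#!/bin/bash
# Added example (not shipped with iTPS): sanity-check jmsproxy.properties.
# Usage: check-jmsproxy.sh /opt/ittm/myhost/jmsproxy.properties <iTTM hostname>
# Run without arguments to see it applied to two constructed sample files.

# prop FILE KEY: print the last value assigned to KEY (dots in KEY are literal).
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '\r' | tail -n 1
}

# check_jmsproxy FILE ITTM_HOST: print one line per problem, return 0 if none.
check_jmsproxy() {
    file=$1 want=$2 problems=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    dest=$(prop "$file" destination)
    qhost=$(prop "$file" queue.host)
    qport=$(prop "$file" queue.port)
    qname=$(prop "$file" queue.name)

    # Message content is forwarded to this URL over HTTP, so it must name this
    # bank's own iTTM host and must not have been broken when it was copied.
    case $dest in
        *" "*)
            echo "destination contains a space: '$dest'"; problems=$((problems + 1)) ;;
        http://*/NASApp/NASAdapter/TbaseNASAdapter*)
            host=${dest#http://}; host=${host%%/*}; host=${host%%:*}
            if [ "$host" != "$want" ]; then
                echo "destination host '$host' is not the iTTM host '$want'"
                problems=$((problems + 1))
            fi ;;
        *)
            echo "destination is not a TbaseNASAdapter URL: '$dest'"; problems=$((problems + 1)) ;;
    esac

    # queue_hostname and queue_port are the template placeholders shown above.
    case $qhost in
        ''|queue_hostname)
            echo "queue.host is unset or still the placeholder: '$qhost'"; problems=$((problems + 1)) ;;
    esac
    [ -n "$qname" ] || { echo "queue.name is not set"; problems=$((problems + 1)); }
    case $qport in
        ''|*[!0-9]*)
            echo "queue.port is not a number: '$qport'"; problems=$((problems + 1)) ;;
        *)
            if [ "$qport" -lt 1 ] || [ "$qport" -gt 65535 ]; then
                echo "queue.port is out of range: $qport"; problems=$((problems + 1))
            fi ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample files built from the example values in this section.
write_samples() {
    cat > "$1/good.properties" <<'EOF'
destination=http://myhost.mycompany.com/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy
queue.host=myhost.mycompany.com
queue.port=7676
queue.name=backend_to_itps
EOF
    cat > "$1/bad.properties" <<'EOF'
destination=http://otherhost.mycompany.com/NASApp/NASAdapter/TbaseNASAdapter?Forwarded-by:JMSProxy
queue.host=queue_hostname
queue.port=queue_port
EOF
}

if [ $# -eq 2 ]; then
    check_jmsproxy "$1" "$2"
else
    demo=${TMPDIR:-/tmp}/jmsproxy-demo.$$
    mkdir -p "$demo" && write_samples "$demo"
    for f in good bad; do
        if check_jmsproxy "$demo/$f.properties" myhost.mycompany.com; then
            echo "$f.properties: ok"
        else
            echo "$f.properties: rejected"
        fi
    done
    rm -rf "$demo"
fi
```
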


BiaB Back End office simulator (step 3c)

The Bank in a Box (BiaB) back office simulator is designed to create responses to messages received by the iTPS from the buyer and seller web sites. The BiaB must be installed on both the Buyer and Seller Banks servers.

It is not imperative that the iTTM and iTPS are running during installation, however they should be running before starting BiaB.

In order to install the BiaB on each machine follow the instructions below:

  1. If you are installing an iTPS component on the same machine make sure you install it to a unique Web Server instance.

Figure 2-12    Adding a New iWS Web Server instance


    1. Go to the Web Server Admin: http://myhost.mycompany.com:8888

    2. Select <Add Server>

    3. Select for instance a unique port ID of 82

    4. Use the same user, e.g. tbase, as you entered when you installed iWS

    5. Define a unique Server id

    6. Select <Add>

  1. From the root account, run the UNIX install script and answer the questions. Select the appropriate menu option for itps-biab from

    ./cdrom/cdrom0/itps-biab/setup -c

    Note: a graphic version is not available for itps components, and as such you must select the command line interactive setup option. This will automatically install to

    /opt/itps-biab

  2. The following defaults are recommended:

[1] The user that will run BIAB? tbase

[2] The group that this user belongs to? iplanet

[3] The Web Server location is [ /opt/iws6 ]

[4] The Web Server instance is [ myhost.mycompany.com ]

[5] The virtual server id is [ https-myhost.mycompany.com ]

[6] The deployment location [ /opt/iws6/itps-biab-deploy ]

[7] The queue driver location is [ /opt/SUNWjmq/lib/jmq.jar ]

[8] The from itps queue name [ itps_to_backend ]

[9] The to itps queue name [ backend_to_itps ]

[10] The queue server host [ myqueue.mycompany.com ]

[11] The queue server port [ 7676 ]

[12] The database user is [ tbase ]

[13] The database password is [ tbase ]

[14] The database host is [ mydatabase.mycompany.com ]

[15] The database port is [ 1521 ]

[16] The database sid is [ orcl ]

  1. Run the biabNew.sql SQL script on the payments database server. This can be found in:

    /opt/itps-biab/config/sql/biabNew.sql

    This may involve copying the SQL script to the appropriate machine if Oracle is remotely located, and logging on to Oracle, as in the example in the previous section headed "Set up iTPS database tables":


    mydatabase% su - oracle
    mydatabase% cd /opt/itps-biab/config/sql/
    mydatabase% sqlplus tbase/tbase
    SQL*Plus: Release 8.1.7.0.0 - Production on Fri Feb 15 12:07:11 2002
    (c) Copyright 1999 Oracle Corporation. All rights reserved.
    Enter user-name: tbase
    Enter password:
    Connected to:
    Oracle 8i Enterprise Edition Release 8.1.7.0.0 - Production
    PL/SQL Release 8.1.7.0.0 - Production
    SQL>spool myoutput.txt
    SQL>set echo on
    SQL>@biabNew.sql

    You should check the output file to ensure that all SQL tables were created successfully.

    /opt/itps-biab/config/sql/myoutput.txt

  2. Having installed the BiaB on either the Buyer or Seller Bank machines, install the BiaB on the other machine before moving on to the BiaB administration tool.
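
One way to carry out the spool-file check requested after PaymentsNew.sql in "Set up iTPS database tables" and after biabNew.sql above. This is an added example, not part of the iTPS distribution; the table names in the sample spool are constructed, and a POSIX shell with grep -E is assumed.

```bash
#!/bin/bash
# Added example (not shipped with iTPS): check a SQL*Plus spool file such as
# /opt/ittm/current/Config/sql/myoutput.txt for failed statements.
# Usage: check-spool.sh myoutput.txt   (no argument: run on a constructed sample)

# spool_errors FILE: print the numbered lines that carry an error code.
#   ORA-nnnnn = database errors, SP2-nnnn = SQL*Plus errors, PLS-nnnnn = PL/SQL errors.
spool_errors() {
    grep -n -E '(ORA|SP2|PLS)-[0-9]+' "$1" || true
}

# check_spool FILE: print "created=<n> errors=<n>" and return 0 only when at
# least one table was created and no error code appears in the spool.
# A spool with neither (for example, the script was never found) also fails.
check_spool() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # "Table created." is the feedback SQL*Plus prints after a successful CREATE TABLE.
    created=$(grep -c '^Table created\.' "$1" || true)
    errors=$(grep -c -E '(ORA|SP2|PLS)-[0-9]+' "$1" || true)
    echo "created=$created errors=$errors"
    [ "$created" -gt 0 ] && [ "$errors" -eq 0 ]
}

# Constructed sample spool: example_a and example_b are made-up table names,
# not tables from PaymentsNew.sql or biabNew.sql.
write_sample_spool() {
    cat > "$1" <<'EOF'
SQL> set echo on
SQL> @PaymentsNew.sql
SQL> CREATE TABLE example_a (id NUMBER);

Table created.

SQL> CREATE TABLE example_b (id NUMBER);
CREATE TABLE example_b (id NUMBER)
             *
ERROR at line 1:
ORA-00955: name is already used by an existing object

SQL> spool off
EOF
}

if [ $# -eq 1 ]; then
    spool_errors "$1"
    check_spool "$1"
else
    demo=${TMPDIR:-/tmp}/spool-demo.$$
    write_sample_spool "$demo"
    spool_errors "$demo"
    check_spool "$demo" || echo "spool needs attention"
    rm -f "$demo"
fi
```
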


BiaB Admin Tool (step 3d)

The BiaB Admin tool is automatically installed with the BiaB back end (step 3c). The BiaB administration tool is a Web application designed to run on the iWS 6.0 Web server set up earlier. A BiaB administrator tool should be installed on both the Buyer and Seller Bank machines that host the iTPS and BiaB components. The BiaB Admin tool web application is located in the BiaB directory.

In order to start the Web application you must perform the following:

  1. From the root account

  2. You now need to remember the correct Web Server Instance that you created in "Installing iWS 6.0 for iTPS components(step 2c)" for both itps and biab

  3. Once installed, restart the Web server and Admin Server instance. For instance:

    ./opt/iws6/https-admserv/start

    ./opt/iws6/https-myhost.mycompany.com/start

  4. From the tbase account, start the Bank in a Box back end in a separate window:

    ./opt/itps-biab/scripts/biab

  5. Once deployed successfully, the Web Site can be accessed from the browser with the following url.

    http://<hostname>:<port>/<uri_path>/biab.

    The BiaB admin tool deployed using the deploy directory would be accessed using:

    http://myhost.mycompany.com:82/itps-biab/logon.html

    If the server is running and the Web application has deployed successfully the following page will be displayed:

Figure 2-13    Bank in a Box Admin Tool Welcome Screen


Before logging in you need to add a username and password. To do this, consult chapter 3 "Running the System" in the iTPS Systems Administration Guide.


Condition Management Website (step 3e)

Before you can begin to install the Condition Management Website, you will need to create a local Certificate Database inside the Webserver for it to use. This certificate database will contain from 3-5 certificates, depending on how many roles you assign the certificates to perform. The roles are as follows:

    1. Root Certificate or Trust Anchor Certificate (e.g. IRCA)

    2. Level One Certificate Authority Certificate (e.g. L1CA)

    3. End Entity Signing Certificate (e.g. ClientSC). The AIA field within this certificate is used to determine the destination for the payments message.

    4. SSL Client Transaction Certificate (e.g. ClientSSL)

    5. SSL Server Certificate (the Web Server forces the name Server-Cert upon you)

If installing itps components on the same machine, the same certificates may be used, depending on your security requirement.

To create the certificate databases and import the certificate complete the following steps:   

  1. You now need to remember the correct Web Server Instance that you created in "Installing iWS 6.0 for iTPS components(step 2c)"

  2. If you are installing an iTPS component on the same machine make sure you install it to a unique Web Server instance.

    1. Go to the Web Server Admin: http://myhost.mycompany.com:8888

    2. Select <Add Server>

    3. Select for instance a unique port ID of 83

    4. Use the same user, e.g. tbase, as you entered when you installed iWS

    5. Define a unique Server id

    6. Select <Add>

  3. Create The Webserver Database

    • Access the iWS6 admin server e.g.:

      ./opt/iws6/startconsole

      This will start a browser and allow you to log into the admin server.

    • Choose the server to manage and click manage.

    • Click on the security tab (it defaults to `Initialise Trust Database' screen)

    • Type in a new password for database and click <ok>. This will create a new database that can only be accessed using the password you have just given so ensure that you do not forget the password!

  4. Install The Root Certificate (e.g. IRCA).

    •       Click the <Install Certificate> Tab.

    •       Select <Trusted Certificate Authority>, select <message text> and paste in the Base 64 cert from your Identrus Root CA

    •       Click <ok>

    • Click <Add Server Certificate>

  5. Install The CA Certificate (e.g. L1CA)- Use the same process as Import The Root Certificate (above)

  6.    Create and import an End Entity Signing Certificate (e.g. ClientSC)

    •       Click the <request certificate> tab.

    • Select <CA URL>

    • In the <CA URL> field enter "None"

    • Enter "password"

    •       Fill in the address details part of the form and press <ok>.

    •       Copy and paste the BASE 64 Request into your Seller Banks CA certificate request form.

    •       Retrieve reply from CA and copy the Base 64 cert into the webserver form.

    •       Click <Install Certificate.>

    •       Select <This Server>, input a name for the cert (e.g. ClientSC), make a note of the name as you will need it later, Select Message Text and paste in the base 64 cert from the CA.

    •       Click <ok>

    •       Click <Add Cert>

  7.    Request, Generate and Import SSL Client Transaction Certificate - Same as for End Entity Signing Cert, but make sure that the name for the certificate is different (e.g. ClientSSL), and keep a note of the name as you will need it later.

  8. Request, Generate and Import SSL Server Certificate - Same as for End Entity Signing Cert except - do not give this certificate a certificate name as the webserver will assign it `Server-Cert'; use an appropriate type "SSL Server certificate" profile at the CA.

  9. You are now ready to install the Condition management Component. From the root, run the UNIX install script and answer the questions. Select the appropriate menu option for itps-cond from

    ./cdrom/cdrom0/itps-cond/setup -c

    Note: a graphical version is not available for iTPS components, so you must select the command line interactive setup option. This will automatically install to

    /opt/itps-cond

  10. The following default settings should be used:

[1] The user that will run Condition Website? tbase

[2] The group that this user belongs to? iplanet

[3] The Web server location is [ /opt/iws6 ]

[4] The Web server instance is [ myhost.mycompany.com ]

[5] The virtual server id is [ https-myhost.mycompany.com ]

[6] The deployment location [ /opt/iws6/itps-cond-deploy ]

[7] The keystore password is [ password ]

[8] The signing certificate alias [ ClientSC ]

[9] The SSL client certificate alias [ ClientSSL ]

[10] The trusted verification certificate alias [ IRCA ]

[11] The absolute path of the temporary directory for file downloads [/temp]

  11. Restart the Webserver

/opt/iws6/https-myhost.mycompany.com/stop

/opt/iws6/https-myhost.mycompany.com/start

  12. Go to the Condition Management website

http://myhost.mycompany.com:83/itps-cond/logon.html

Before accessing the website or sending Conditional Payment requests, the Condition Registry needs to be configured to accept the Buyer of the payment, the Seller of the payment and the Conditional Discharge Party. You should consult your System's Administration Guide for details on how to configure the Condition Registry.


Obligation Management Website (step 3f)

Before you can begin to install BFI you will need to create a local Certificate Database inside the Webserver for it to use. This certificate database will contain from 3-5 certificates, depending on how many roles you assign the certificates to perform. The roles are as follows:

    1.    Root Certificate or Trust Anchor Certificate (e.g. IRCA).

    2.    Level One Certificate Authority Certificate (e.g. L1CA).

    3.    End Entity Signing Certificate (e.g. ClientSC). The AIA field within this certificate is used to determine the destination for the payments message.

    4.    SSL Client Transaction Certificate (e.g. ClientSSL).

    5.    SSL Server Certificate (the Web Server forces the name Server-Cert upon you).

If installing iTPS components on the same machine, the same certificates may be used, depending on your security requirement.

To create the certificate databases and import the certificate, complete the following steps:

  1. You now need to remember the correct Web Server Instance that you created in "Installing iWS 6.0 for iTPS components (step 2c)".

  2. If you are installing an iTPS component on the same machine make sure you install it to a unique Web Server instance.

    1. Go to the Web Server Admin:

    2. http://myhost.mycompany.com:8888

    3. Select <Add Server>

    4. Select a unique port ID, for instance 84

    5. Use the same user, e.g. tbase, as you entered when you installed iWS

    6. Define a unique Server id

    7. Select <Add>

  3. Create The Webserver Database

    •       Access the iWS6 admin server e.g.:

      ./opt/iws6/startconsole

      This will start a browser and allow you to log into the admin server.

    •       Choose the server to manage and click manage.

    •       Click on the security tab (it defaults to `Initialise Trust Database' screen)

    • Type in a new password for database and click <ok>. This will create a new database that can only be accessed using the password you have just given so ensure that you do not forget the password!

  4. Install The Root Certificate (e.g. IRCA).

    •       Click the <Install Certificate> Tab.

    •       Select <Trusted Certificate Authority>, select <message text> and paste in the Base 64 cert from your Identrus Root CA

    •       Click <ok>

    • Click <Add Certificate>

  5. Install The CA Certificate (e.g. L1CA)- Use the same process as install The Root Certificate (above)

  6.    Create and import an End Entity Signing Certificate (e.g. ClientSC)

    •       Click the <request certificate> tab.

    • Select <CA URL>

    • In the <CA URL> field enter "None"

    • Enter "password"

    •       Fill in the address details part of the form and press <ok>.

    •       Copy and paste the BASE 64 Request into your Seller Banks CA certificate request form.

    •       Retrieve reply from CA and copy the Base 64 cert into the webserver form.

    •       Click <Install Certificate.>

    •       Select <This Server>, input a name for the cert (e.g. ClientSC), make a note of the name as you will need it later, Select Message Text and paste in the base 64 cert from the CA.

    •       Click <ok>

    •       Click <Add Cert>

  7.    Request, Generate and Import SSL Client Transaction Certificate - Same as for End Entity Signing Cert, but make sure that the name for the certificate is different (e.g. ClientSSL), and keep a note of the name as you will need it later.

  8. Request, Generate and Import SSL Server Certificate - Same as for End Entity Signing Cert except - do not give this certificate a <certificate name> as the webserver will assign it `Server-Cert'.

  9. From the root, run the UNIX install script and answer the questions. Select the appropriate menu option for itps-om from

    ./cdrom/cdrom0/itps-om/setup -c

    Note: a graphical version is not available for iTPS components, so you must select the command line interactive setup option. This will automatically install to

    /opt/itps-om

  10. The following default settings should be used:

[1] The user that will run Obligation Website? tbase

[2] The group that this user belongs to? iplanet

[3] The Web server location is [ /opt/iws6 ]

[4] The Web server instance is [ myhost.mycompany.com ]

[5] The virtual server id is [ https-myhost.mycompany.com ]

[6] The deployment location [ /opt/iws6/itps-om-deploy ]

[7] The keystore password is [ password ]

[8] The signing certificate alias [ ClientSC ]

[9] The SSL client certificate alias [ ClientSSL ]

[10] The trusted verification certificate alias [ IRCA ]

  11. Restart the Webserver

/opt/iws6/https-myhost.mycompany.com/stop

/opt/iws6/https-myhost.mycompany.com/start

  12. Go to the Obligation Management website

http://myhost.mycompany.com:84/itps-om/logon.html

Before accessing the website or sending Obligation Payment requests, the relevant users need to be configured, for example to allow the seller of the payment to transfer an obligation. You should consult your System's Administration Guide for details on how to add a user using userdbtool.


Installing the Buyer and Seller websites



The following sections describe how to install the components required to run the Buyer and Seller web sites. These web sites will be used to interact with the Buyer and Seller iTPS components installed previously.


Installing the iWS 6.0 (step 4a)

In order to run the web applications that make up the buyer and sellers web sites, a web Server needs to be available on each machine. The iTPS CD contains an iWS 6.0 package that is shipped for this use.

Run the iWS6.0 setup tool located in

/cdrom/cdrom0/iws6

Selecting the default values for the installation of the iWS 6.0 should be sufficient for most installations. The only non-standard option you will need to specify is the option that specifies an external JDK 1.3.1 either downloaded from http://www.javasoft.com to /usr/java1.3

This is because the JDK included does not support the buyer and seller web site functionality tools.

Ensure that a web server is installed on both the Buyer and Seller machines prior to moving on to the installation of the Buyer and Seller web applications.


Installing Buyers Bank Website (step 4b)

It does not matter whether iTTM and iTPS are running during installation. However, they and all their associated components, such as iAS and iWS, should be running if you need to run this component.

Before you can begin to install the Buyers Bank Website (BFI) you will need to create a local Certificate Database inside the Webserver for it to use. This certificate database will contain from 3-5 certificates, depending on how many roles you assign the certificates to perform. The roles are as follows:

    1.    Root Certificate or Trust Anchor Certificate (e.g. IRCA).

    2.    Level One Certificate Authority Certificate (e.g. L1CA).

    3.    End Entity Signing Certificate (e.g. ClientSC). The AIA field within this certificate is used to determine the destination for the payments message.

    4.    SSL Client Transaction Certificate (e.g. ClientSSL).

    5.    SSL Server Certificate (the Web Server forces the name Server-Cert upon you).

If installing iTPS components on the same machine, the same certificates may be used, depending on your security requirement.

To create the certificate databases and import the certificate, complete the following steps:

  1. If you are installing an iTPS component on the same machine make sure you install it to a unique Web Server instance.

    1. Go to the Web Server Admin:

    2. http://myhost.mycompany.com:8888

    3. Select <Add Server>

    4. Select a unique port ID, for instance 85

    5. Use the same user, e.g. tbase, as you entered when you installed iWS

    6. Define a unique Server id

  2. Create The Webserver Database

    •       Access the iWS6 admin server e.g.:

      ./opt/iws6/startconsole

      This will start a browser and allow you to log into the admin server.

    •       Choose the server to manage and click manage.

    •       Click on the security tab (it defaults to `Initialise Trust Database' screen)

    • Type in a new password for database and click <ok>. This will create a new database that can only be accessed using the password you have just given so ensure that you do not forget the password!

  3. Install The Root Certificate (e.g. IRCA).

    •       Click the <Install Certificate> Tab.

    •       Select <Trusted Certificate Authority>, select <message text> and paste in the Base 64 cert from your Identrus Root CA

    •       Click <ok>

    • Click <Add Certificate>

  4. Install The CA Certificate (e.g. L1CA)- Use the same process as Import The Root Certificate (above)

  5.    Create and import an End Entity Signing Certificate (e.g. ClientSC)

    •       Click the <request certificate> tab.

    • Select <CA URL>

    • In the <CA URL> field enter "None"

    • Enter "password"

    •       Fill in the address details part of the form and press <ok>.

    •       Copy and paste the BASE 64 Request into your Seller Banks CA certificate request form.

    •       Retrieve reply from CA and copy the Base 64 cert into the webserver form.

    •       Click <Install Certificate.>

    •       Select <This Server>, input a name for the cert (e.g. ClientSC), make a note of the name as you will need it later, Select Message Text and paste in the base 64 cert from the CA.

    •       Click <ok>

    •       Click <Add Cert>

  6.    Request, Generate and Import SSL Client Transaction Certificate - Same as for End Entity Signing Cert, but make sure that the name for the certificate is different (e.g. ClientSSL), and keep a note of the name as you will need it later.

  7. Request, Generate and Import SSL Server Certificate - Same as for End Entity Signing Cert except - do not give this certificate a certificate name as the webserver will assign it `Server-Cert'.

  8. You are now ready to install the BFI Website. From the root, run the UNIX install script and answer the questions. Select the appropriate menu option for itps-bfi from

    ./cdrom/cdrom0/itps-bfi/setup -c

    Note: a graphical version is not available for iTPS components, so you must select the command line interactive setup option. This will automatically install to

    /opt/itps-bfi

  9. The following default settings are recommended:

[1] The user that will run BFI? tbase

[2] The group that this user belongs to? iplanet

[3] The Web server location is [ /opt/iws6 ]

[4] The Web server instance is [ myhost.mycompany.com ]

[5] The virtual server id is [ https-myhost.mycompany.com ]

[6] The deployment location [ /opt/iws6/itps-bfi-deploy ]

[7] The keystore password is [ password ]

[8] The signing certificate alias [ ClientSC ]

[9] The SSL client certificate alias [ ClientSSL ]

[10] The trusted verification certificate alias [ IRCA ]

[11] The database user is [ tbase ]

[12] The database password is [ tbase ]

[13] The database host is [ mydatabase.mycompany.com ]

[14] The database port is [ 1521 ]

[15] The database sid is [ orcl ]

  10. After you have finished your changes, you will need to re-start the web server for those changes to take effect. To verify the installation:

    1. Remove all existing Web Server processes using

      ps -ef| grep iws

      kill -9 <process_number>

    2. Alternatively use the script supplied with iWS to do this for you:

      ./opt/iws6/https-myhost.mycompany.com/stop

    3. ./opt/iws6/https-admserv/start

      ./opt/iws6/https-myhost.mycompany.com/start

    4. If you are using a Netscape browser, you'll need to apply for a certificate from your L1CA. Finally, you'll need to enable your browser as follows: select <netscape Security><certificate signers>, locate the level 1 CA certificate and make sure the settings are made as illustrated in the diagram below:

Figure 2-14    Netscape browser certificate settings


    5. From your browser

      http://<hostname>:<webserver Port ID>/itps-bfi/logon.html

      For instance

      http://myhost.mycompany.com:85/itps-bfi/logon.html

      The BFI login screen should now appear


Seller's Website TooledUp (step 4c)

The Sellers Website (Tooledup demonstration) is delivered in the form of a tar file called merchant.tar.

Before you can begin to install the Sellers Website (Tooled Up) you will need to create a local Certificate Database inside the Webserver for it to use. This certificate database will contain from 3-5 certificates, depending on how many roles you assign the certificates to perform. The roles are as follows:

    1.    Root Certificate or Trust Anchor Certificate (e.g. IRCA).

    2.    Level One Certificate Authority Certificate (e.g. L1CA).

    3.    End Entity Signing Certificate (e.g. ClientSC). The AIA field within this certificate is used to determine the destination for the payments message.

    4.    SSL Client Transaction Certificate (e.g. ClientSSL).

    5.    SSL Server Certificate (the Web Server forces the name Server-Cert upon you).

If installing iTPS components on the same machine, the same certificates may be used, depending on your security requirement.

To create the certificate databases and import the certificate, complete the following steps:

  1. If you are installing an iTPS component on the same machine make sure you install it to a unique Web Server instance.

    1. Go to the Web Server Admin:

    2. http://myhost.mycompany.com:8888

    3. Select <Add Server>

    4. Select a unique port ID, for instance 86

    5. Use the same user, e.g. tbase, as you entered when you installed iWS

    6. Define a unique Server id

  2. Create the Webserver Database

    •       Access the iWS6 admin server e.g.:

      ./opt/iws6/startconsole

      This will start a browser and allow you to log into the admin server.

    •       Choose the server to manage and click manage.

    •       Click on the security tab (it defaults to `Initialise Trust Database' screen)

    • Type in a new password for database and click <ok>. This will create a new database that can only be accessed using the password you have just given so ensure that you do not forget the password!

  3. Install The Root Certificate (e.g. IRCA).

    •       Click the <Install Certificate> Tab.

    •       Select <Trusted Certificate Authority>, select <message text> and paste in the Base 64 cert from your Identrus Root CA

    •       Click <ok>

    • Click <Add Certificate>

  4. Install The CA Certificate (e.g. L1CA)- Use the same process as Import The Root Certificate (above)

  5.    Create and import an End Entity Signing Certificate (e.g. ClientSC)

    •       Click the <request certificate> tab.

    • Select <CA URL>

    • In the <CA URL> field enter "None"

    • Enter "password"

    •       Fill in the address details part of the form and press <ok>.

    •       Copy and paste the BASE 64 Request into your Seller Banks CA certificate request form.

    •       Retrieve reply from CA and copy the Base 64 cert into the webserver form.

    •       Click <Install Certificate.>

    •       Select <This Server>, input a name for the cert (e.g. ClientSC), make a note of the name as you will need it later, Select Message Text and paste in the base 64 cert from the CA.

    •       Click <ok>

    •       Click <Add Cert>

  6.    Request, Generate and Import SSL Client Transaction Certificate - Same as for End Entity Signing Cert, but make sure that the name for the certificate is different (e.g. ClientSSL), and keep a note of the name as you will need it later.

  7. Request, Generate and Import SSL Server Certificate - Same as for End Entity Signing Cert except - do not give this certificate a certificate name as the webserver will assign it `Server-Cert'.

  8. You are now ready to install the Tooled Up Website. From the root, run the UNIX install script and answer the questions. Select the appropriate menu option for itps-tdup from

    ./cdrom/cdrom0/itps-tdup/setup -c

    Note: a graphical version is not available for iTPS components, so you must select the command line interactive setup option. This will automatically install to

    /opt/itps-tdup

  9.    If the webserver is not running you will get an error saying "Reconfigure Failed"; this can be ignored at this stage. The following defaults are recommended:

[0] Installation Location /opt/itps-tdup

[1] The user that will run TooledUp? tbase

[2] The group that this user belongs to? iplanet

[3] The Web server location is [ /opt/iws6 ]

[4] The Web server instance is [ myhost.mycompany.com ]

[5] The virtual server id is [ https-myhost.mycompany.com ]

[6] The deployment location [ /opt/iws6/itps-tdup-deploy ]

[7] The keystore password is [ password ]

[8] The signing certificate alias [ ClientSC ]

[9] The SSL client certificate alias [ ClientSSL ]

[10] The trusted verification certificate alias [ IRCA ]

[11] The database user is [ tbase ]

[12] The database password is [ tbase ]

[13] The database host is [ mydatabase.mycompany.com ]

[14] The database port is [ 1521 ]

[15] The database sid is [ orcl ]

  10.    Log on to your Oracle account and run the script /opt/itps-tdup/SQLscripts/install_merchant_oraUpgradeNew.sql

  11. Oracle on the same machine as iTPS. Alternatively this can be an Oracle client.

    1. Assuming the sql directory has been copied to the DB server, log on to the database server, su - oracle

    2. Change to directory e.g.

      cd /opt/itps-tdup/SQLscripts

    3. Run SQLPlus and enter the username and password

    4. Execute the script e.g. sqlplus>@install_merchant_oraUpgradeNew.sql;

    5. Exit SQLPlus & the Oracle user.

  12. Oracle on a different machine from iTPS. For example:

    1. cd /opt/itps-tdup/SQLscripts

    2. ftp mydatabase.mycompany.com <username><password>

      ftp> hash

      ftp> prompt

      ftp> mput *

      ftp> quit

    3. telnet mydatabase.mycompany.com <username><password>

    4. sqlplus tbase/tbase

    5. @install_merchant_oraUpgradeNew.sql;

This installation area now contains several directories and files that are detailed below:

    • /opt/itps-tdup/scripts : This directory contains the install scripts and any data they need.

    • /opt/itps-tdup/SQLscripts : This directory contains the SQL database creation scripts that will create the tables that tooledup needs to run.

    • /opt/itps-tdup/bin : This directory contains the binaries ( shared-objects ) that tooledup needs to run.

In order to use the Tooled up sellers application you will need a SmartCard that will be issued to you by a third party vendor that contains an end entity signing certificate that has been issued by the Sellers Bank CA.

  13. Restart iws6 to be able to access the newly installed web application. You are now ready to run tooledup; access the tooledup URL, e.g. http://myhost.mycompany.com:86/itps-tdup/logon.html

    The following screen appears:

Figure 2-15    Sellers Website Tooled Up Welcome Screen


Make sure the server publishes the pages in the same language as the browser. For example:

cp /opt/itps-tdup/jsp/en /opt/itps-tdup/<locale>

where <locale> is the language you are using.
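
Each of the four website installs above ends with certificate aliases and passwords typed into the installer (prompts [7] to [10], plus the database prompts for BFI and TooledUp). The script below is an added example, not part of the iTPS distribution: it checks that those aliases name certificates actually present in the web server's certificate database and that the guide's sample passwords were not left in place. The answer-file keys, both file formats and the finding labels are assumptions of this example; the nickname list is assumed to be copied by hand from the admin server, one nickname per line.

```shell
#!/bin/sh
# Added example (not shipped with iTPS): compare the answers you plan to give
# the installer with the nicknames in the web server's certificate database.
# File formats and answer-file key names are assumptions made for this example.

# get_answer FILE KEY: print the value of the first "KEY=value" line.
get_answer() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# has_nickname FILE NAME: succeed only if NAME is listed as a whole line.
has_nickname() {
    if [ -z "$2" ]; then return 1; fi
    grep -Fxq -- "$2" "$1"
}

# check_install ANSWERS NICKNAMES: print one finding per line and return the
# number of findings (0 means the answers are consistent with the database).
check_install() {
    findings=0
    signing=$(get_answer "$1" signing_alias)
    sslclient=$(get_answer "$1" ssl_client_alias)
    trust=$(get_answer "$1" trust_alias)
    dbuser=$(get_answer "$1" db_user)
    dbpass=$(get_answer "$1" db_password)

    # Prompts [8]-[10]: every alias must name a certificate that was imported,
    # and the web server must hold the certificate it names Server-Cert.
    for pair in "signing_alias:$signing" "ssl_client_alias:$sslclient" \
                "trust_alias:$trust" "server certificate:Server-Cert"; do
        if ! has_nickname "$2" "${pair#*:}"; then
            echo "MISSING ${pair%%:*}: '${pair#*:}' is not in the certificate database"
            findings=$((findings + 1))
        fi
    done

    # The guide requires different names for the signing and SSL client certs.
    if [ -n "$signing" ] && [ "$signing" = "$sslclient" ]; then
        echo "SAME signing_alias and ssl_client_alias are both '$signing'"
        findings=$((findings + 1))
    fi

    # Prompt [7]: the guide's sample keystore password left in place.
    if [ "$(get_answer "$1" keystore_password)" = "password" ]; then
        echo "SAMPLE keystore_password is the guide's sample value"
        findings=$((findings + 1))
    fi

    # Database prompts (BFI and TooledUp only): password equal to the user name.
    if [ -n "$dbpass" ] && [ "$dbpass" = "$dbuser" ]; then
        echo "WEAK db_password is the same as db_user"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: the guide's sample answers, and a nickname list in
# which the SSL client certificate was never imported.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/answers" <<'EOF'
keystore_password=password
signing_alias=ClientSC
ssl_client_alias=ClientSSL
trust_alias=IRCA
db_user=tbase
db_password=tbase
EOF
    cat > "$dir/nicknames" <<'EOF'
IRCA
L1CA
ClientSC
Server-Cert
EOF
    rc=0
    check_install "$dir/answers" "$dir/nicknames" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "$? finding(s) to resolve before running setup -c"
```
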


Error checking

If there was a problem you should check the following error logs:

/opt/ittm/Scripts/*.log

/opt/iws6/https-myhost/logs/errors

/opt/ias6/ias/logs

/var/sadm/install/logs

/opt/ittm/Scripts/regservlet.output

In order to test that a complete iTPS, and all its associated components, are installed and configured successfully you should attempt to make a payment through tooledup. Consult the Administrators guide for more details on this.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 22, 2002