Previous     Contents     DocHome     Index     Next     
iPlanet Trustbase Transaction Manager 2.2.1 Installation and Configuration Guide



Chapter 1   Installation Worksheet


Installation Worksheet provides the user with a pre-requisite checklist of all the main features to a successful iPlanet Trustbase Transaction Manager installation. It lists software that is included, what isn't included, what must be downloaded and how it should be installed and configured.


Installation Outline


The following steps need to be carried out:

  • Check and meet software pre-requisites

  • Download any software that has not been included with iPlanet Trustbase Transaction Manager

  • Install iPlanet Web Server v4.1

  • Install iPlanet Application Server v6.0

  • Install iPlanet Trustbase Transaction Manager v2.2 with Identrus Extensions

  • Setup nFast Hardware and configure iPlanet Trustbase Transaction Manager to use it

  • Setup Oracle 8i database schema

  • Setup site specific Identrus settings

  • Start iPlanet Trustbase Transaction Manager

  • Acquire Identrus Certificates and Keys using CertManager


SW pre-requisites

The following software should be installed prior to running iPlanet Trustbase Transaction Manager.

Figure 1-1    Third Party Library jar files


Pre-requisites


Packages included

The following packages are included with iPlanet Trustbase Transaction Manager:


Packages not included

The following software must be downloaded before Installation:


Certificate Prerequisites

Before you install iPlanet Trustbase Transaction Manager, you will need to know the location of your level 1 Certificate Authority PEM encoded CA certificate. This certificate is referred to from this point forward as the L1CA certificate.


Note All third party software should be placed in lib3p/10 as illustrated in Figure 1-1.



System Resources

  • Determine hostname
    hostname
    domainname

  • Verify disk space to be greater than 1GB.
    df -k

  • Verify sufficient memory is not less than 256MB and preferably the recommended 1GB
    prtconf | grep Mem

  • Check Solaris version is 8
    uname -a

  • Check Java Version is 1.2
    java -version


Solaris Installation

Before iPlanet Trustbase Transaction Manager can be installed, a working web server and application server must be available.


IPlanet Web Server v4.1 Installation

  • Logon as root, locate the 'setup' script depending on distribution

  • Start the installation using the 'setup' script.

  • Select a directory <install_directory> to install the webserver into, this will need to be the same directory you wish to use for the iPlanet Application Server installation later.
    # cd /cdrom/cdrom0
    # cd iWS
    #./setup

  • Install all elements of the web server and select the option that changes their ownership/group to 'nobody'. Select the option that runs the webserver as 'root'. Do not use an existing Directory service. Select the web server document directory to be the 'docs' subdirectory of your chosen installation location. Do not use your own JDK when prompted.

Figure 1-2    Installing iPlanet Web Server
Would you like to continue with installation? [Yes]: Yes
Do you agree to the license terms? [Yes]: Yes
Choose an installation type [2]: 2
Install location [/usr/netscape/server4]: /app/iws41
Specify the components you wish to install [A] A
Specify the components to install [1, 2, 3, 4, 5, 6, 8]: 1,2,3,4,5,6,8
Computer name [rainstorm.jcp.co.uk]: rainstorm.jcp.co.uk
System User [nobody]: nobody
System Group [nobody]: nobody
Run iWS Administration Server as [root]: root
IWS Admin Server User Name [admin]: admin
IWS Admin Server Password:
IWS Admin Server Password (again):
IWS Admin Server Port [8888]: 8888
Web Server Port [80]: 80
Do you want to register this with an existing Directory Server [No]: No
Web Server Content Root [/app/iws41/docs]:
Do you want to use your own JDK [No]: No


Note You should make a note of these settings. Particularly port numbers since you may need them later.


  • The following output should appear:

Figure 1-3    iPlanet Web Server Installed
Sun Netscape Alliance
iPlanet Web Server Installation/Uninstallation
------------------------------------------------------------------


Extracting Server Core...
Extracting Java Runtime Environment...
Extracting Java Support...
Extracting SSJS Support...
Extracting SSJS Database Support...
Extracting Web Publishing Support...
Extracting SNMP Support...
Extracting Upgrade Files...


Server Core installed successfully.
Java Runtime Environment installed successfully.
Java Support installed successfully.
SSJS Support installed successfully.
SSJS Database Support installed successfully.
Web Publishing Support installed successfully.
SNMP Support installed successfully.

Press Return to continue...

Go to /app/iws41 and type startconsole to begin
Managing your servers.


Note Please consult your iPlanet Web Server Installation Guide for more information on this. Selecting <return> takes the default.



Starting iPlanet Web Server 4.1

Change into the directory that contains your Web Server instance amd run the start script. This directory takes the form of https-<machine-name>.domain.

For instance:
cd /app/iws41/https-whelk.jcp.co.uk
./start


Note If in doubt you should consult the first chapter of the iPlanet Web Server configuration Guide.



Verifying iPlanet Web Server 4.1

Check iPlanet Web Server is working by opening a browser window to http://localhost. If its working you'll see the main page as illustrated below:

Figure 1-4    iPlanet Web Server, Enterprise Edition 4.1

Or alternatively going straight to the Administration Server console:

Figure 1-5    iPlanet Web Server Administration Server


iPlanet Application Server v6.0 Installation

  • Ensure that the iPlanet Web Server is running before you follow this procedure.

  • Logon as root, locate the 'setup' script depending on distribution (e.g. unzip the tar file and the 'setup' file should be in the top directory)
    # cd /cdrom/cdrom0
    # cd iAS
    # ./setup

  • Start the installation using the 'setup' script. And answer the questions as follows:

Figure 1-6    Example iPlanet Application Server Script
Would you like to continue with installation? [Yes]: Yes
Do you agree to the license terms? [No]: Yes
Select the component you want to install [1]: 1
Choose an installation type [2]: 2
Install location [/usr/iplanet/ias6]: /app/ias6
iPlanet Server Products components: Specify the components to install [All]: All
iPlanet Server Family Core: Specify the components to install [1, 2, 3]: 1,2,3
iPlanet Directory Suite components: Specify the components to install [1, 2]: 1,2
Administration Services components: Specify the components to install [1, 2]: 1,2
iPlanet Application Server Suite components: Specify the components you wish to install [1, 2, 3, 4]: 1,2,3,4
Computer name [rainstorm.jcp.co.uk]: rainstorm.jcp.co.uk
System User [nobody]: nobody
System Group [nobody]: nobody
Netscape configuration directory server? [No]: No
Do you want to use another directory to store your data? [No]: No
Directory server network port [389]: 389
Directory server identifier [rainstorm]: rainstorm
administrator ID [admin]: admin
Password:
Password (again):
Suffix [o=co.uk]: o=iplanet.com
Directory Manager DN [cn=Directory Manager]: cn=Directory Manager
Password:
Password (again):
Admin Domain [iplanet.com]: iplanet.com
Administration port [12816]: 12816
Run Administration Server as [root]: root
Product Key: 1111111111-3333333333
Enter the location of your webserver: /app/iws41/https rainstorm.jcp.co.uk
Do you want to enable the user to access the registry and plugin libraries? [y] y
Do you want to continue with the iAS installation? [y] y
Username [admin]: admin
Password:
Password (again):
Do you want to enable I18N support for iAS? [No]: No
Username does not match [No]: Yes


Note Please consult your iPlanet Application Server Installation Guide for more information on this. You should also make a note of these settings since you may need them later. Selecting <return> takes the default.



Post iPlanet Web Server and iPlanet Application Server Installation Steps

  • To check that the Application Server installation has been successful, use a browser to contact the following URL: http://machine_name/GXApp
    Select the 'Java Fortune' application, if the reply indicates that the servlet 'Greets You' then the web server and application server are functioning correctly. You should also consult your iPlanet Application Server Installation Documentation. This is now illustrated below:

Figure 1-7    Verifying iPlanet Application Server

  • Having completed the installation, all processes must be shutdown:

  • Logon as root

  • Application Server Shutdown <install_directory>/ias/bin/KIVAes.sh stop
    # cd /app/ias6/ias/bin
    # ./KIVAes.sh stop
    # ps -ef | grep k.s


    Note Immediately after installation, if this script fails to work, use 'ps -ef | grep k.s' to show all iPlanet Application Server processes and then 'kill -9 <pid>' to stop all of them.


  • Directory Server Shutdown <install_directory>/slapd-<machine_name>/stop-slapd
    # cd /app/ias6/slapd-<hostname>
    # ./stop-slapd
    # ps -ef | grep slap

  • Web Server Shutdown

    • <install_directory>/https-<machine_name>/stop

    • and: <install_directory>/https-admserv/stop
      # ./app/iws41/https-<machine_name>/stop
      # ./app/iws41/https-admserv/stop

  • Once all the above scripts have been run check that all processes have been terminated using 'ps -ef | grep <install_directory>'. Use 'kill -9 <pid>' on all remaining processes.


Enabling SSL Connection logging

In order for iPlanet Trustbase Transaction Manager to fully log an SSL Connection, the following procedure needs to be adopted:

  • Start kregedit
    ..../ias6/ias/bin/kregedit

  • Select the following node:
    SOFTWARE\iPlanet\Application Server\6.0\CCS0\HTTPAPI\INPUTNSAPI

  • Use the Edit menu to "Add Value" with the following attributes (Case Sensitive):
    Name=HTTP_PROXYCONNECTIONIDENTIFIER
    Value=1
    Type=String

Figure 1-8    Kregedit and ConnectionId

  • Exit kregedit.

  • This will not take effect until iPlanet Web Server and the iPlanet Application Server have been restarted. If you are following through these installation procedures this will be done in the "Restart procedure"


iPlanet Trustbase Transaction Manager Installation Process

Now that iPlanet Web Server and iPlanet Application Server are installed the iPlanet Trustbase Transaction Manager installation can proceed.

The installation is provided as a "compress"-ed tar file. The installation program is designed for Unix Solaris 8. iPlanet Trustbase Transaction Manager currently requires JDK 1.2 to be installed on your machine to operate correctly. To ensure iPlanet Trustbase Transaction Manager is installed correctly it is advised that you install JDK 1.2 before iPlanet Trustbase Transaction Manager. Allow 100MB of Disc space for JDK 1.2 and iPlanet Trustbase Transaction Manager.

  • Logon as root

  • Change directory to a location where the iPlanet Trustbase Transaction Manager hierarchy is to be created

  • Extract the compressed tar file to the current directory.
    zcat iTTM-2.2.tar.Z | tar -xvpf -
    cd Trustbase/scripts

Figure 1-9    Finding the install script

  • Make sure the directory server for iPlanet Application Server is running before you install Trustbase. For example,
    cd /app/ias6/slapd-<machine-name>
    ./start-slapd

  • run 'install' and follow the instructions - when prompted for the iPlanet Application Server location - enter the directory used above <install_directory> In the example above this is /app/Trustbase/scriptszcat iTTM-2.2.tar.Z | tar -xvpf -
    ./install

Figure 1-10 illustrates how to install iPlanet Trustbase Transaction Manager:

Figure 1-10    Installing iPlanet Trustbase Transaction Manager
zcat iTTM-2.2.tar.Z | tar -xvpf -'
cd Trustbase/scripts
./install

Copyright (C) 2000 Sun Microsystems, Inc. All rights reserved. Use of this product is subject to license terms. Federal Acquisitions: Commercial Software
--- Goverment Users Subject to Standard License Terms and Conditions.

Sun Microsystems, The Sun Logo, iPlanet Trustbase and Java are trademarks or registered trademarks of Sun Microsystems, Inc. In The United States and other countries.

Running Installation on sunstorm should I install Trustbase TTM [y/n] y
Trustbase Transaction Manager V2.2 installation script.
Where is your iPlanet Application Server 6.0 installation located?
/app/ias6
Where is your iPlanet Web Server 4.1 documents directory?
/app/iws41/docs
What is the Database User Name which will be used by Trustbase?
tbase
What is the Database Password which will be used by Trustbase?
tbase
On what host is your database stored? sunstorm.jcp.co.uk
On what port is your database running? 1521
On what SID is your database? orcl
What Cryptographic provider do you want to use: NCIPHER or JCP? JCP
On what URL is your local OCSP responder? http://windstorm.jcp.co.uk:8080
What is the AIA of this TC? https://windstorm.jcp.co.uk


Note If you are installing the Proxy on a separate machine the AIA of this TC should point to the hostname of the Proxy and not the TC. See also the Section about "Configuring the SSLproxy Separately".


  • iPlanet Trustbase Transaction Manager is now installed. Some further configuration is now required to establish the local settings and Identrus setup - see the following sections.


    Note Select <Enter> to include the default. You should make a note of these settings you have selected since you may need them later.



Installation Structure

Once the installation has completed the following directory structure and support files will exist:

  • iPlanet Trustbase Transaction Manager

Figure 1-11    iPlanet Trustbase Transaction Manager Directory Overview

  • TTM
    iPlanet Trustbase Transaction Manager contains all configuration and Library files, the SQL directory containing various database setup scripts.

Figure 1-12    iPlanet Trustbase Transaction Manager Overview Directory

  • Scripts
    This directory contains all of the scripts needed to start and stop iPlanet Trustbase Transaction Manager

Figure 1-13    iPlanet Trustbase Transaction Manager Commonly Used Scripts

  • <machine_name>
    This directory contains all of the configuration files for this installation. i.e. tbase.properties, nFast.properties, identrus.properties and proxy.ini These files should not be modified directly but can be accessed via the configuration screens in this manual.

Figure 1-14    iPlanet Trustbase Transaction Manager Initialisation Files

  • V2.2
    This directory contains all of the TTM binaries and support files

All other directories are not needed.


Post Installation Steps

Before starting iPlanet Trustbase Transaction Manager for the first time it is necessary to do some further configuration steps, in each of the following configuration steps refer to the Installation Structure section above to locate the necessary files:


HSM Configuration

This is an optional feature since alternative cryptographic mechanisms are in place if you wish to configure iPlanet Trustbase Transaction Manager without a Hardware Security Module. This is mandatory for Identrus compliant sites.


Pre-requisite

Make sure, when installing iPlanet Trustbase Transaction Manager, you answer the following question:
What Cryptographic provider do you want to use: NCIPHER or JCP? NCIPHER

When the iPlanet Trustbase Transaction Manager installation is complete check that nfast.properties is located in the directory <install_directory>/Trustbase/TTM/<machine_name> as illustrated below:

Figure 1-15    Locating nfast.properties


nCipher Initialisation

For each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.

  • Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).

  • The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same hardware drive used to run the TC.

  • Create a "Security World" on one module, using the nCipher KeySafe tool.

  • Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.

  • The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanet Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanet Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.

  • Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:
    /app/nfast/sbin/init.d-nfast stop
    /app/nfast/sbin/init.d-nfast start


    Note If the NFAST_SERVER_PORT value is anything other than 9000, the nFast.properties file in the iPlanet Trustbase Transaction Manager install directory (/app/Trustbase/TTM/<machine name>) must be modified such that the StandardPort property is consistent.



nCipher module setup and usage

Once the Security world is installed, the following points should be noted:

  • The nFast stub and the NCIPHER JCE provider both read certain settings from a properties file "nFast.properties". This should contain the following values:

    • AServerAddress. The ServerAddress property should be set to the local host. If set to other values the server may refuse connection attempts on unix systems. On NT systems, the server will accept connections from clients elsewhere than "localhost". The default value is 127.0.0.1

    • StandardPort. The StandardPort property contains the number of the port on which the server is listening for standard connections. By default this value is 9000.

    • StandardConnections. The StandardConnections property contains the number of standard connections that will be maintained with the nFast module. Low values for this property will not allow the module to make best use of its parallel processing capabilities. By default, this value is obtained from the module itself.

    • module.key. The module.key property contains the identifying number of the module key to be used for encrypting keys for storage outside the box. If the standard install procedure has been followed, and the Security World has been correctly set up, the module keys installed on the box are:

      KM0 - the randomly generated module key that is never exported in any form. If this key is used as the default, archived keys may only ever be used on that specific module. If the module is replaced for any reason, all the keys must be regenerated.

      KM1 - a well known module key used for bootstrapping of the recovery keys. This module key should NOT be used.

      KM2 - the security world key. This is the module key that should be used.

      By default, KM0 is used, i.e. a value of 0, as this is the only module Key guaranteed to be present on the module. In any running system this should always be set to '2'.
      ServerAddress = localhost
      ServerPort = 9000
      StandardConnections = 10
      PrivilegedConnections = 0
      module.key = 2


Oracle Database Configuration

Both TTM and the Identrus Extensions require access to a database with a pre-configured schema. The installation comes with SQL scripts that must be executed in the database user's tablespace that was specified at installation time. The following sections explain how to create the user and generate the correct schema for that user.

  • The generation of users and the tablespaces defined may differ for individual sites - contact the site DBA for advice. Only one Certstore is utilised for each Trustbase Installation. The following parameters must be defined: Oracle login name, Oracle login password, PBEPassword set the same as Oracle login password, Oracle hostname, Oracle port number and Oracle SID.


Installation Pre-requisite

cd /app
cp oracle-jdbc-815.zip /app/Trustbase/TTM/current/lib3p/10


Running the iPlanet Trustbase Transaction Manager SQL Scripts

  • You may need to ask your DBA to create your username and password. The following procedure should be followed.

  • Switch to the Oracle user and run server manager:
    myhost> su - oracle
    Password:
    myhost> cd ../Trustbase/TTM/V2.2/Config/sql
    myhost> svrmgrl

    Oracle Server Manager Release 3.1.5.0.0 - Production

    (c) Copyright 1997, Oracle Corporation. All Rights Reserved.

    Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
    With the Partitioning and Java options
    PL/SQL Release 8.1.5.0.0 - Production

    SVRMGR> connect internal
    Connected.

  • The database must be enabled to support the UTF8 character set. The following script is an example of how to achieve this.
    SVRMGR> SHUTDOWN;
    SVRMGR> STARTUP MOUNT;
    SVRMGR> ALTER SYSTEM ENABLE RESTRICED SESSION;
    SVRMGR> ALTER SYSTEM SET JOB_QUEUE_PROCESSES=0;
    SVRMGR> ALTER DATABASE OPEN;
    SVRMGR> ALTER DATABASE CHARACTER SET UTF8;
    SVRMGR> SHUTDOWN;
    SVRMGR> STARTUP;

  • Create a iPlanet Trustbase Transaction Manager user - you may need to change the username, password and default tablespaces depending on site policy:
    SVRMGR> CREATE USER tbase IDENTIFIED BY tbase DEFAULT TABLESPACE USERS
    TEMPORARY
    TABLESPACE TEMP;
    Statement processed.
    SVRMGR> GRANT CONNECT TO tbase;
    Statement processed.
    SVRMGR> GRANT RESOURCE TO tbase;
    Statement processed.
    SVRMGR> ALTER USER tbase QUOTA UNLIMITED ON USERS;
    Statement processed.
    SVRMGR> quit
    Server Manager complete.

  • Connect as the iPlanet Trustbase Transaction Manager user and run the scripts:
    sunstorm% su - oracle
    sunstorm% cd /app/Trustbase/TTM/current/Config/sql
    sunstorm% sqlplus
    SQL*Plus: Release 8.1.5.0.0 - Production on Fri Sep 22 12:07:11 2000
    (c) Copyright 1999 Oracle Corporation. All rights reserved.
    Enter user-name: tbase
    Enter password:
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM

    Connected to:
    Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production
    With the Partitioning and Java options
    PL/SQL Release 8.1.5.0.0 - Production

    SQL> @tbase2.sql


Identrus Configuration

A Transaction Coordinator (TC) comprises of all Identrus Services that have been deployed within the iPlanet Trustbase Transaction Manager. The file identrus.properties needs to be edited to change settings appropriately. It can be found in <install_directory>/Trustbase/TTM/<machine_name>as illustrated below:

Figure 1-16    identrus.properties file location

  • Normally, only the locations of OurAIA and LocalOCSPResponderLocation need to change. For instance:
    OurAIA = https://rp
    LocalOCSPResponderLocation = http://rp:8080

  • The following illustrates an example identrus.properties file.

Figure 1-17    Example Identrus.properties
[CSC]
; OID's for OCSP and TC
TCOID=1.2.840.114021.4.1
OCSPResponderOID=1.3.6.1.5.5.7.48.1

;CaCertificateRole=
;EndEntityCertificateRole=
;SigningCertificateRole=
;RootCertificateRole=

; Local OCSP Responder Communication
SignLocalOCSPRequests=false
OCSPResponderSigningCertificateRole=L1_OCSP_SC
LocalOCSPResponderLocation = identrus_local_resp_url

OurAIA = identrus_our_aia
DNOfAuthority=

; Response Cache Parameters
ApprovedResponseMaxAge=60
ApprovedResponseMaxKeep=60
DebugMode=true
;OCSPRequestorName=CN=KENCO

Other settings can be modified:

  • OID's

    • TCOID: This is ASN object ID for the "authority info access" attribute for Identrus Transaction Coordinator 's (default acceptable). All Identrus Certificates will have this and are supplied by Identrus with the ID of 1.2.840.114021.4.1.

    • OCSPOID: This is ASN object ID for the "authority info access" attribute for OCSP responder's (default acceptable).

  • Certificate Role's

    • CaCertificateRole: This is the certificate attribute used for the Transaction Coordinator CA certificate. (Default is acceptable).

    • EndEntityCertificateRole: This is the certificate attribute used for the Transaction Coordinator end entity signing certificate (default acceptable).

    • SigningCertificateRole: This is the certificate attribute used for the Transaction Coordinator inter participant signing certificate (default acceptable).

    • RootCertificateRole: This is the certificate attribute used as by the Identrus Transaction Coordinator to identify the Identrus root (default acceptable).

  • Local OCSP Responder Communication

    • SignLocalOCSPRequests: boolean - unsigned Local OCSP requests have a parameter set to "no" and signed Local OCSP requests have this parameter set to "yes".

    • OCSPResponderSigningCertificateRole: This is the certificate used to verify OCSP responses (only used if signLocalOCSPrequests is true).

    • LocalOCSPResponderLocation: The URL for the local OCSP responder.

  • Misc settings

    • OurAIA: The Access Information Authority (AIA) of this Identrus Transaction Coordinator.

    • DNOfAuthority: This is the Distinguished Name (DN) of the Identrus root signing certificate. This is for internal use only.

  • Response Cache Parameters

    To avoid repeated calls to the Identrus root, an institution can contact the root about the status of its own certificates and store them for a cached period. Whenever a message is sent to another party, it will include this cached response. It is then up to the other institution to decide whether this cached response is acceptable or if it wants to contact the root itself. If a relying customer wants to ensure that cached responses are not used anywhere in an Identrus transaction then that customer can supply a nonce in the outgoing OCSP requests. This nonce is then used as a signal to the institutions not to use the cached response.

    Caching prevents the need for repeated access to the Identrus Root. Each institution holds a value for how long its own cached certificate statuses are kept for. It also holds a maximum acceptable age of received certificate statuses. The following parameters must be defined:

    • ApprovedResponseMaxAge: number of seconds to allow a cache entry to persist for.

    • ApprovedResponseMaxKeep: number of seconds that a response provided to use can be acceptable.

    • DebugMode: internal debug on/off

    • OCSPRequestorName: name to use when talking to an OCSP responder. It should be noted that this must be set to the Distinguised name (DN) of the certificate used to sign OCSP if signing is set to true (i.e. SignLocalOCSPRequests=true). In the example provided, the common name (CN) is used as the distinguished name since the distinguished name is made up of the common name and the organisation unit (OU).


Start iPlanet Trustbase Transaction Manager

Having completed the installation and configuration iPlanet Trustbase Transaction Manager can be controlled using the scripts available in:

  • /app/Trustbase/TTM/Scripts

Figure 1-18    iPlanet Trustbase Transaction Manager Commonly Used Scripts

The main scripts used to stop and start iPlanet Application Server and TTM components, that need to be executed as 'root' inside the Scripts directory:

  • ./startias
    Starts the iPlanet Application Server

  • ./starttbase
    This script starts the iPlanet Trustbase Configuration Manager, SSL Proxy and SMTP Proxy

  • ./stopias

  • ./stoptbase

Other useful scripts in this directory are:

  • ./setcp
    If this script is executed as follows, then the CLASSPATH environment variable is set to be that required for TTM execution. Execute it using '. ./setcp' as 'root' in the Scripts directory.

  • ./runcertmanager
    to configure your certificates

  • ./runcheckintegrit
    used for verifying the integrity of the log (see "Archiving for Raw Data and Init Table")


    Note bourne shell (/bin/sh) uses '. ./setcp' and c shell (/bin/csh) uses './setup'



ShutDown procedure

The following procedure stops the system.

  • Logon as root
    #!/bin/sh
    cd /app/Trustbase/TTM/Scripts
    /app/Trustbase/TTM/Scripts/stopias
    /app/Trustbase/TTM/Scripts/stoptbase
    /app/ias6/slapd-hailstorm/stop-slapd
    /app/iws41/https-hailstorm.uk.sun.com/stop
    /app/iws41/https-admserv/stop


Restart procedure

The following procedure restarts the system:

  • logon as root and run the following shell:
    #!/bin/sh
    /app/ias6/slapd-hailstorm/start-slapd
    /app/iws41/https-hailstorm.uk.sun.com/start
    /app/iws41/https-admserv/start

    cd /app/Trustbase/TTM/Scripts
    /app/Trustbase/TTM/Scripts/startias
    /app/Trustbase/TTM/Scripts/starttbase


Reinstallation

If the responses given during the execution of the Trustbase installation script were incorrect you can rerun the install script without damaging any other changes you have made. When re-executing the install scripts the installer will remember the responses you entered previously and offer them as defaults.
sunstorm% cd /app/Trustbase/scripts
sunstorm% ./install

Please consult the iPlanet Application Server Installation, iplanet Web Server, Oracle and nCipher documentation for procedures on how to reinstall.


Certificate Management


Before installing certificates, you must have a CA set up with its CA certificate created and signed by the appropriate Identrus Certificate Authority. You then need to place your CA Certificate into the appropriate positions within the iPlanet Trustbase Transaction Manager CertStore using the Certmanager utility.

Figure 1-19    Setting CA certificates


Running Certmanager

  • Run CertManager
    # cd /app/Trustbase/TTM/Scripts
    # ./runcertmanager

  • Open the Store, as illustrated below

Figure 1-20    Open Certificate Store


Generating PKCS10 requests

  • Create The Identrus PKI hierarchy as illustrated below

Figure 1-21    Identrus PKI hierarchy

  • This is a two stage process involving pasting data that you have generated from CertManager into the website of the certificate authority that generates a response:

    • "Generate PKCS10 certificate Request (CSR)" for generating PKCS-10 certificate requests

    • "Add Requested Certificate Response" collects the corresponding response from the certificate Authority (sometimes referred to as a PEM Response).

Figure 1-22    Generating PKCS10 requests


Note More details about how to use CertManager can be found in the Utility Guide.



Assigning Attributes to Certificates

In order that iPlanet Trustbase Transaction Manager can recognise these certificates, they must be assigned an attribute view from within CertManager. The following Attribute view/ purpose ID/ purpose attributes must be defined:

Figure 1-23    Purpose Attribute views and the Identrus PKI hierarchy

  • the purpose attribute L1CA should be assigned to the certificate RPCA-CMS since in this case the relying particpant is the Level 1 CA. L1CA is the purpose ID for CA certificates.

  • the purpose attribute L1EESC should be assigned to the certificate RPTC_L1EESC. L1EESC is the purpose ID of Certificate used for bank/RC or bank/SC message signing.

  • the purpose attribute L1EESSL should be assigned to the certificate RPTC_L1EESSL. L1EESSL is the purpose ID of Certificate used for bank/RC or bank/SC SSL connections - as server.

  • the purpose attribute L1IPSC should be assigned to the certificate RPTC_L1IPSC. L1IPSC is the purpose ID of Certificate used for interbank message signing.

  • the purpose attribute IRCA should be assigned to the certificate IRCA_CMS. IRCA is the certificate for the Identrus root.

This is illustrated within iPlanet Trustbase Transaction Manager's CertManager Utility in Figure 1-24 below.

Figure 1-24    Purpose Attributes


Note Consult your Utility guide on how to create Attribute views for certificates. When viewed on the screen through CertManager this is referred to as an attribute view. When deployed within iPlanet Trustbase Transaction Manager as a transaction processing requirement, this is referred to as a purpose attribute or purpose ID. See, for instance, the Utility Guide section headed "Certificate View," on page 25.



Identrus Authorisation

In order to send Identrus Messages to iPlanet Trustbase Transaction Manager you will need to create an Authorisation for your own customers that allows the sending of Identrus Enabled Messages. These are illustrated in the next three figures:

Figure 1-25    A Certificate that enables you to send Identrus Messages

  • Select <Authorisation> <Add Certificate>

  • For this example enter the issuer Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 4. Set the Max Depth to 1 and the Role to Identrus (see "Adding a Certificate" for more information on this). This is illustrated below:

Figure 1-26    Installing a Certificate so as to send Identrus Messages within Trustbase

You will also need to create an additional Authorisation for other banks to send Identrus Enabled messages to you. These are illustrated in the next three figures:

Figure 1-27    A certificate that enables you to send Identrus Messages to other banks

  • Select <Authorisation> <Add Certificate>

  • Enter the Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 1. Set the Max Depth to 1 and the Role to Identrus (see "Adding a Certificate" for more information on this). This is illustrated below:

Figure 1-28    Installing a Certificate within Trustbase for sending Identrus Enabled Messages

Finally you should restart iPlanet Trustbase Transaction Manager for the setting to take effect and you should make sure both certificates are installed within iPlanet Trustbase Transaction Manager as illustrated below:

Figure 1-29    Identrus Enabled Messages installed within Trustbase


OCSP Responders and Validating signed OCSP Responses

When a message is sent to any node a response comes back. That response needs to be verified in such a way that the sender of the response is who they say they are. This is an optional feature in that it can be assumed that responses are trusted. OCSP Responders that are used locally are unlikely to require this signing validation process as their communication can be considered secure. However OCSP Responders on non-local or insecure lines should have this feature configured.

When an RP bank communicates with an IP that does not have an iPlanet Trustbase Transaction Manager Transaction Coordinator and fails it will need an OCSP Responder. This is sometimes referred to as OCSP fallback.

In order to verify an OCSP response we need to input the signing Certificate into the iPlanet Trustbase Transaction Manager certificate store. Once the OCSP signing Certificate has been successfully imported into the iPlanet Trustbase Transaction Manager Oracle Certificate Store, a purpose attribute needs to be defined as follows:

  • L1OCSP

iPlanet Trustbase Transaction Manager will use the Certificate with this attribute value to verify the digital signature when it receives a signed OCSP response.

There are a number of ways to obtain this certificate:

  • Use the certificate with IRCA purpose attribute. However this can only be used if the Validating Authority certificate was issued by the IRCA certificate.

  • Get it from your OCSP Responder e.g. Valicert or any other Validation Authority that is Identrus compliant.

Figure 1-30    OCSP Responders


Previous     Contents     DocHome     Index     Next     
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 18, 2001