Previous Contents DocHome Index Next |
iPlanet Trustbase Transaction Manager 2.2.1 Installation and Configuration Guide |
Chapter 1 Installation Worksheet
Installation Worksheet provides the user with a pre-requisite checklist of all the main features to a successful iPlanet Trustbase Transaction Manager installation. It lists software that is included, what isn't included, what must be downloaded and how it should be installed and configured.
Installation Outline
The following steps need to be carried out:
Check and meet software pre-requisites
Download any software that has not been included with iPlanet Trustbase Transaction Manager
Install iPlanet Web Server v4.1
Install iPlanet Application Server v6.0
Install iPlanet Trustbase Transaction Manager v2.2 with Identrus Extensions
Setup nFast Hardware and configure iPlanet Trustbase Transaction Manager to use it
Setup Oracle 8i database schema
Setup site specific Identrus settings
SW pre-requisites
The following software should be installed prior to running iPlanet Trustbase Transaction Manager.
Figure 1-1    Third Party Library jar files
![]()
Microsoft's Browser: Internet Explorer 4.0 or above for Web configuration or Netscape 4.0 and higher.
The iPlanet Trustbase Transaction Manager 2.2 requires the Solaris 8 Operating Environment system and the JDK 1.2 environment or the JavaTM Runtime Environment 1.2.
The iPlanet Trustbase Transaction Manager 2.2 requires the use of JDK 1.2 environment. This can be obtained from the Sun Microsystems Web site
http://www.javasoft.comJDBCTM for Oracle 8i
http://www.oracle.com/java/jdbc/html/jdbc.htmlJavaTM Servlet supporting WebServer
iPlanet Web Server 4.1
Application Server
http://www.iplanet.com/products/infrastructure/web_servers/index.html
iPlanet Application Server 6.0
An Identrus Compliant Validation Authority
http://www.iplanet.com/products/infrastructure/app_servers/index.html
An Identrus Compliant Certificate Authority
nCipher KeySafe 1.0
http://www.ncipher.com
Packages included
The following packages are included with iPlanet Trustbase Transaction Manager:
iPlanet Application Server 6.0
http://www.iplanet.com/products/infrastructure/app_servers/index.htmliPlanet Web Server 4.1
http://www.iplanet.com/products/infrastructure/web_servers/index.htmlJavaTM API for XML Parsing
http://java.sun.com/xml
Packages not included
The following software must be downloaded before Installation:
JDBCTM -Thin / 100% Java API for JDKTM 1.1.x
http://technet.oracle.com/software/download.htm oracle-jdbc-815.zip.The Solaris 8 operating system environment incorporating the JDKTM 1.2 environment
Certificate Prerequisites
Before you install iPlanet Trustbase Transaction Manager, you will need to know the location of your level 1 Certificate Authority PEM encoded CA certificate. This certificate is referred to from this point forward as the L1CA certificate.
Note All third party software should be placed in lib3p/10 as illustrated in Figure 1-1.
Determine hostname
hostname
domainnameVerify disk space to be greater than 1GB.
df -k Verify sufficient memory is not less than 256MB and preferably the recommended 1GB
prtconf | grep Mem
Solaris Installation
Before iPlanet Trustbase Transaction Manager can be installed, a working web server and application server must be available.
IPlanet Web Server v4.1 Installation
Logon as root, locate the 'setup' script depending on distribution
Start the installation using the 'setup' script.
Select a directory <install_directory> to install the webserver into, this will need to be the same directory you wish to use for the iPlanet Application Server installation later.
# cd /cdrom/cdrom0
# cd iWS
#./setupInstall all elements of the web server and select the option that changes their ownership/group to 'nobody'. Select the option that runs the webserver as 'root'. Do not use an existing Directory service. Select the web server document directory to be the 'docs' subdirectory of your chosen installation location. Do not use your own JDK when prompted.
Figure 1-2    Installing iPlanet Web Server
Note You should make a note of these settings. Particularly port numbers since you may need them later.
Figure 1-3    iPlanet Web Server Installed
Note Please consult your iPlanet Web Server Installation Guide for more information on this. Selecting <return> takes the default.
Starting iPlanet Web Server 4.1
Change into the directory that contains your Web Server instance amd run the start script. This directory takes the form of https-<machine-name>.domain.For instance:
cd /app/iws41/https-whelk.jcp.co.uk
./start
Note If in doubt you should consult the first chapter of the iPlanet Web Server configuration Guide.
Verifying iPlanet Web Server 4.1
Check iPlanet Web Server is working by opening a browser window to http://localhost. If its working you'll see the main page as illustrated below:
Figure 1-4    iPlanet Web Server, Enterprise Edition 4.1
![]()
Or alternatively going straight to the Administration Server console:
Figure 1-5    iPlanet Web Server Administration Server
![]()
iPlanet Application Server v6.0 Installation
Ensure that the iPlanet Web Server is running before you follow this procedure.
Logon as root, locate the 'setup' script depending on distribution (e.g. unzip the tar file and the 'setup' file should be in the top directory)
# cd /cdrom/cdrom0
# cd iAS
# ./setupStart the installation using the 'setup' script. And answer the questions as follows:
Figure 1-6    Example iPlanet Application Server Script
Post iPlanet Web Server and iPlanet Application Server Installation Steps
To check that the Application Server installation has been successful, use a browser to contact the following URL: http://machine_name/GXApp
Select the 'Java Fortune' application, if the reply indicates that the servlet 'Greets You' then the web server and application server are functioning correctly. You should also consult your iPlanet Application Server Installation Documentation. This is now illustrated below:Figure 1-7    Verifying iPlanet Application Server
![]()
Having completed the installation, all processes must be shutdown:
Application Server Shutdown <install_directory>/ias/bin/KIVAes.sh stop
# cd /app/ias6/ias/bin
# ./KIVAes.sh stop
# ps -ef | grep k.s
Note Immediately after installation, if this script fails to work, use 'ps -ef | grep k.s' to show all iPlanet Application Server processes and then 'kill -9 <pid>' to stop all of them.
Directory Server Shutdown <install_directory>/slapd-<machine_name>/stop-slapd
# cd /app/ias6/slapd-<hostname>
# ./stop-slapd
# ps -ef | grep slap
<install_directory>/https-<machine_name>/stop
Once all the above scripts have been run check that all processes have been terminated using 'ps -ef | grep <install_directory>'. Use 'kill -9 <pid>' on all remaining processes.and: <install_directory>/https-admserv/stop
# ./app/iws41/https-<machine_name>/stop
# ./app/iws41/https-admserv/stop
Enabling SSL Connection logging
In order for iPlanet Trustbase Transaction Manager to fully log an SSL Connection, the following procedure needs to be adopted:
Start kregedit
..../ias6/ias/bin/kregedit Select the following node:
SOFTWARE\iPlanet\Application Server\6.0\CCS0\HTTPAPI\INPUTNSAPI Use the Edit menu to "Add Value" with the following attributes (Case Sensitive):
Name=HTTP_PROXYCONNECTIONIDENTIFIER
Value=1
Type=StringFigure 1-8    Kregedit and ConnectionId
![]()
Exit kregedit.
This will not take effect until iPlanet Web Server and the iPlanet Application Server have been restarted. If you are following through these installation procedures this will be done in the "Restart procedure"
iPlanet Trustbase Transaction Manager Installation Process
Now that iPlanet Web Server and iPlanet Application Server are installed the iPlanet Trustbase Transaction Manager installation can proceed.The installation is provided as a "compress"-ed tar file. The installation program is designed for Unix Solaris 8. iPlanet Trustbase Transaction Manager currently requires JDK 1.2 to be installed on your machine to operate correctly. To ensure iPlanet Trustbase Transaction Manager is installed correctly it is advised that you install JDK 1.2 before iPlanet Trustbase Transaction Manager. Allow 100MB of Disc space for JDK 1.2 and iPlanet Trustbase Transaction Manager.
Logon as root
Change directory to a location where the iPlanet Trustbase Transaction Manager hierarchy is to be created
Extract the compressed tar file to the current directory.
zcat iTTM-2.2.tar.Z | tar -xvpf -
cd Trustbase/scriptsFigure 1-9    Finding the install script
![]()
Make sure the directory server for iPlanet Application Server is running before you install Trustbase. For example,
Figure 1-10 illustrates how to install iPlanet Trustbase Transaction Manager:
cd /app/ias6/slapd-<machine-name>
./start-slapdrun 'install' and follow the instructions - when prompted for the iPlanet Application Server location - enter the directory used above <install_directory> In the example above this is /app/Trustbase/scriptszcat iTTM-2.2.tar.Z | tar -xvpf -
./install
Figure 1-10    Installing iPlanet Trustbase Transaction Manager
Note If you are installing the Proxy on a separate machine the AIA of this TC should point to the hostname of the Proxy and not the TC. See also the Section about "Configuring the SSLproxy Separately".
iPlanet Trustbase Transaction Manager is now installed. Some further configuration is now required to establish the local settings and Identrus setup - see the following sections.
Note Select <Enter> to include the default. You should make a note of these settings you have selected since you may need them later.
Installation Structure
Once the installation has completed the following directory structure and support files will exist:
Figure 1-11    iPlanet Trustbase Transaction Manager Directory Overview
![]()
TTM
iPlanet Trustbase Transaction Manager contains all configuration and Library files, the SQL directory containing various database setup scripts.Figure 1-12    iPlanet Trustbase Transaction Manager Overview Directory
![]()
Scripts
This directory contains all of the scripts needed to start and stop iPlanet Trustbase Transaction ManagerFigure 1-13    iPlanet Trustbase Transaction Manager Commonly Used Scripts
![]()
<machine_name>
This directory contains all of the configuration files for this installation. i.e. tbase.properties, nFast.properties, identrus.properties and proxy.ini These files should not be modified directly but can be accessed via the configuration screens in this manual.Figure 1-14    iPlanet Trustbase Transaction Manager Initialisation Files
![]()
All other directories are not needed.
Post Installation Steps
Before starting iPlanet Trustbase Transaction Manager for the first time it is necessary to do some further configuration steps, in each of the following configuration steps refer to the Installation Structure section above to locate the necessary files:
nCipher Security setup - see section "HSM Configuration"
Oracle Database setup - see section "Oracle Database Configuration"
Identrus site specific setup - see section "Identrus Configuration"
HSM Configuration
This is an optional feature since alternative cryptographic mechanisms are in place if you wish to configure iPlanet Trustbase Transaction Manager without a Hardware Security Module. This is mandatory for Identrus compliant sites.
Pre-requisite
Make sure, when installing iPlanet Trustbase Transaction Manager, you answer the following question:
What Cryptographic provider do you want to use: NCIPHER or JCP? NCIPHER When the iPlanet Trustbase Transaction Manager installation is complete check that nfast.properties is located in the directory <install_directory>/Trustbase/TTM/<machine_name> as illustrated below:
Figure 1-15    Locating nfast.properties
![]()
nCipher Initialisation
For each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.
Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).
The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same hardware drive used to run the TC.
Create a "Security World" on one module, using the nCipher KeySafe tool.
Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.
The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanet Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanet Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.
Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:
/app/nfast/sbin/init.d-nfast stop
/app/nfast/sbin/init.d-nfast start
nCipher module setup and usage
Once the Security world is installed, the following points should be noted:
The nFast stub and the NCIPHER JCE provider both read certain settings from a properties file "nFast.properties". This should contain the following values:
AServerAddress. The ServerAddress property should be set to the local host. If set to other values the server may refuse connection attempts on unix systems. On NT systems, the server will accept connections from clients elsewhere than "localhost". The default value is 127.0.0.1
StandardPort. The StandardPort property contains the number of the port on which the server is listening for standard connections. By default this value is 9000.
StandardConnections. The StandardConnections property contains the number of standard connections that will be maintained with the nFast module. Low values for this property will not allow the module to make best use of its parallel processing capabilities. By default, this value is obtained from the module itself.
module.key. The module.key property contains the identifying number of the module key to be used for encrypting keys for storage outside the box. If the standard install procedure has been followed, and the Security World has been correctly set up, the module keys installed on the box are:
- KM0 - the randomly generated module key that is never exported in any form. If this key is used as the default, archived keys may only ever be used on that specific module. If the module is replaced for any reason, all the keys must be regenerated.
- KM1 - a well known module key used for bootstrapping of the recovery keys. This module key should NOT be used.
- KM2 - the security world key. This is the module key that should be used.
- By default, KM0 is used, i.e. a value of 0, as this is the only module Key guaranteed to be present on the module. In any running system this should always be set to '2'.
ServerAddress = localhost
ServerPort = 9000
StandardConnections = 10
PrivilegedConnections = 0
module.key = 2
Oracle Database Configuration
Both TTM and the Identrus Extensions require access to a database with a pre-configured schema. The installation comes with SQL scripts that must be executed in the database user's tablespace that was specified at installation time. The following sections explain how to create the user and generate the correct schema for that user.
The generation of users and the tablespaces defined may differ for individual sites - contact the site DBA for advice. Only one Certstore is utilised for each Trustbase Installation. The following parameters must be defined: Oracle login name, Oracle login password, PBEPassword set the same as Oracle login password, Oracle hostname, Oracle port number and Oracle SID.
cd /app
cp oracle-jdbc-815.zip /app/Trustbase/TTM/current/lib3p/10
Running the iPlanet Trustbase Transaction Manager SQL Scripts
You may need to ask your DBA to create your username and password. The following procedure should be followed.
Switch to the Oracle user and run server manager:
The database must be enabled to support the UTF8 character set. The following script is an example of how to achieve this.
Create a iPlanet Trustbase Transaction Manager user - you may need to change the username, password and default tablespaces depending on site policy:
Connect as the iPlanet Trustbase Transaction Manager user and run the scripts:
Identrus Configuration
A Transaction Coordinator (TC) comprises of all Identrus Services that have been deployed within the iPlanet Trustbase Transaction Manager. The file identrus.properties needs to be edited to change settings appropriately. It can be found in <install_directory>/Trustbase/TTM/<machine_name>as illustrated below:
Figure 1-16    identrus.properties file location
![]()
Normally, only the locations of OurAIA and LocalOCSPResponderLocation need to change. For instance:
OurAIA = https://rp
LocalOCSPResponderLocation = http://rp:8080The following illustrates an example identrus.properties file.
Figure 1-17    Example Identrus.properties
Other settings can be modified:
OID's
TCOID: This is ASN object ID for the "authority info access" attribute for Identrus Transaction Coordinator 's (default acceptable). All Identrus Certificates will have this and are supplied by Identrus with the ID of 1.2.840.114021.4.1.
Certificate Role'sOCSPOID: This is ASN object ID for the "authority info access" attribute for OCSP responder's (default acceptable).
CaCertificateRole: This is the certificate attribute used for the Transaction Coordinator CA certificate. (Default is acceptable).
Local OCSP Responder CommunicationEndEntityCertificateRole: This is the certificate attribute used for the Transaction Coordinator end entity signing certificate (default acceptable).
SigningCertificateRole: This is the certificate attribute used for the Transaction Coordinator inter participant signing certificate (default acceptable).
RootCertificateRole: This is the certificate attribute used as by the Identrus Transaction Coordinator to identify the Identrus root (default acceptable).
SignLocalOCSPRequests: boolean - unsigned Local OCSP requests have a parameter set to "no" and signed Local OCSP requests have this parameter set to "yes".
Misc settingsOCSPResponderSigningCertificateRole: This is the certificate used to verify OCSP responses (only used if signLocalOCSPrequests is true).
LocalOCSPResponderLocation: The URL for the local OCSP responder.
OurAIA: The Access Information Authority (AIA) of this Identrus Transaction Coordinator.
Response Cache ParametersDNOfAuthority: This is the Distinguished Name (DN) of the Identrus root signing certificate. This is for internal use only.
- To avoid repeated calls to the Identrus root, an institution can contact the root about the status of its own certificates and store them for a cached period. Whenever a message is sent to another party, it will include this cached response. It is then up to the other institution to decide whether this cached response is acceptable or if it wants to contact the root itself. If a relying customer wants to ensure that cached responses are not used anywhere in an Identrus transaction then that customer can supply a nonce in the outgoing OCSP requests. This nonce is then used as a signal to the institutions not to use the cached response.
- Caching prevents the need for repeated access to the Identrus Root. Each institution holds a value for how long its own cached certificate statuses are kept for. It also holds a maximum acceptable age of received certificate statuses. The following parameters must be defined:
ApprovedResponseMaxAge: number of seconds to allow a cache entry to persist for.
ApprovedResponseMaxKeep: number of seconds that a response provided to use can be acceptable.
DebugMode: internal debug on/off
OCSPRequestorName: name to use when talking to an OCSP responder. It should be noted that this must be set to the Distinguised name (DN) of the certificate used to sign OCSP if signing is set to true (i.e. SignLocalOCSPRequests=true). In the example provided, the common name (CN) is used as the distinguished name since the distinguished name is made up of the common name and the organisation unit (OU).
Start iPlanet Trustbase Transaction Manager
Having completed the installation and configuration iPlanet Trustbase Transaction Manager can be controlled using the scripts available in:
Figure 1-18    iPlanet Trustbase Transaction Manager Commonly Used Scripts
![]()
The main scripts used to stop and start iPlanet Application Server and TTM components, that need to be executed as 'root' inside the Scripts directory:
./startias
Other useful scripts in this directory are:
Starts the iPlanet Application Server./starttbase
This script starts the iPlanet Trustbase Configuration Manager, SSL Proxy and SMTP Proxy
./setcp
If this script is executed as follows, then the CLASSPATH environment variable is set to be that required for TTM execution. Execute it using '. ./setcp' as 'root' in the Scripts directory../runcertmanager
to configure your certificates./runcheckintegrit
used for verifying the integrity of the log (see "Archiving for Raw Data and Init Table")
Note bourne shell (/bin/sh) uses '. ./setcp' and c shell (/bin/csh) uses './setup'
ShutDown procedure
The following procedure stops the system.
Logon as root
Restart procedure
The following procedure restarts the system:
logon as root and run the following shell:
Reinstallation
If the responses given during the execution of the Trustbase installation script were incorrect you can rerun the install script without damaging any other changes you have made. When re-executing the install scripts the installer will remember the responses you entered previously and offer them as defaults.
sunstorm% cd /app/Trustbase/scripts
sunstorm% ./installPlease consult the iPlanet Application Server Installation, iplanet Web Server, Oracle and nCipher documentation for procedures on how to reinstall.
Certificate Management
Before installing certificates, you must have a CA set up with its CA certificate created and signed by the appropriate Identrus Certificate Authority. You then need to place your CA Certificate into the appropriate positions within the iPlanet Trustbase Transaction Manager CertStore using the Certmanager utility.
Figure 1-19    Setting CA certificates
![]()
Figure 1-20    Open Certificate Store
![]()
Figure 1-21    Identrus PKI hierarchy
![]()
This is a two stage process involving pasting data that you have generated from CertManager into the website of the certificate authority that generates a response:
Figure 1-22    Generating PKCS10 requests
![]()
Note More details about how to use CertManager can be found in the Utility Guide.
Assigning Attributes to Certificates
In order that iPlanet Trustbase Transaction Manager can recognise these certificates, they must be assigned an attribute view from within CertManager. The following Attribute view/ purpose ID/ purpose attributes must be defined:
Figure 1-23    Purpose Attribute views and the Identrus PKI hierarchy
![]()
the purpose attribute L1CA should be assigned to the certificate RPCA-CMS since in this case the relying particpant is the Level 1 CA. L1CA is the purpose ID for CA certificates.
This is illustrated within iPlanet Trustbase Transaction Manager's CertManager Utility in Figure 1-24 below.the purpose attribute L1EESC should be assigned to the certificate RPTC_L1EESC. L1EESC is the purpose ID of Certificate used for bank/RC or bank/SC message signing.
the purpose attribute L1EESSL should be assigned to the certificate RPTC_L1EESSL. L1EESSL is the purpose ID of Certificate used for bank/RC or bank/SC SSL connections - as server.
the purpose attribute L1IPSC should be assigned to the certificate RPTC_L1IPSC. L1IPSC is the purpose ID of Certificate used for interbank message signing.
the purpose attribute IRCA should be assigned to the certificate IRCA_CMS. IRCA is the certificate for the Identrus root.
Figure 1-24    Purpose Attributes
![]()
Identrus Authorisation
In order to send Identrus Messages to iPlanet Trustbase Transaction Manager you will need to create an Authorisation for your own customers that allows the sending of Identrus Enabled Messages. These are illustrated in the next three figures:
Figure 1-25    A Certificate that enables you to send Identrus Messages
![]()
Select <Authorisation> <Add Certificate>
![]()
For this example enter the issuer Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 4. Set the Max Depth to 1 and the Role to Identrus (see "Adding a Certificate" for more information on this). This is illustrated below:
Figure 1-26    Installing a Certificate so as to send Identrus Messages within Trustbase
![]()
Figure 1-27    A certificate that enables you to send Identrus Messages to other banks
![]()
Select <Authorisation> <Add Certificate>
![]()
Enter the Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 1. Set the Max Depth to 1 and the Role to Identrus (see "Adding a Certificate" for more information on this). This is illustrated below:
Figure 1-28    Installing a Certificate within Trustbase for sending Identrus Enabled Messages
![]()
Finally you should restart iPlanet Trustbase Transaction Manager for the setting to take effect and you should make sure both certificates are installed within iPlanet Trustbase Transaction Manager as illustrated below:
Figure 1-29    Identrus Enabled Messages installed within Trustbase
![]()
OCSP Responders and Validating signed OCSP Responses
When a message is sent to any node a response comes back. That response needs to be verified in such a way that the sender of the response is who they say they are. This is an optional feature in that it can be assumed that responses are trusted. OCSP Responders that are used locally are unlikely to require this signing validation process as their communication can be considered secure. However OCSP Responders on non-local or insecure lines should have this feature configured.When an RP bank communicates with an IP that does not have an iPlanet Trustbase Transaction Manager Transaction Coordinator and fails it will need an OCSP Responder. This is sometimes referred to as OCSP fallback.
In order to verify an OCSP response we need to input the signing Certificate into the iPlanet Trustbase Transaction Manager certificate store. Once the OCSP signing Certificate has been successfully imported into the iPlanet Trustbase Transaction Manager Oracle Certificate Store, a purpose attribute needs to be defined as follows:
iPlanet Trustbase Transaction Manager will use the Certificate with this attribute value to verify the digital signature when it receives a signed OCSP response.
There are a number of ways to obtain this certificate:
Use the certificate with IRCA purpose attribute. However this can only be used if the Validating Authority certificate was issued by the IRCA certificate.
Get it from your OCSP Responder e.g. Valicert or any other Validation Authority that is Identrus compliant.
Figure 1-30    OCSP Responders
![]()
Previous Contents DocHome Index Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated April 18, 2001