Chapter 1   Installation Worksheet


Installation Worksheet provides the user with a pre-requisite checklist of all the main features to a successful iPlanet Trustbase Transaction Manager installation. It lists software that is included, what isn't included, what must be downloaded and how it should be installed and configured.

Installation Outline

---

The following steps need to be carried out:

• Check and meet software pre-requisites

• Download any software that has not been included with iPlanet Trustbase Transaction Manager

• Install iPlanet Web Server v6.0

• Install iPlanet Application Server v6.0

• Install iPlanet Trustbase Transaction Manager v3.0 with Identrus Extensions by running the following installation wizard scripts:
  • setup

  • EnvWizard

  • CertWIzard

  • runOCSPResponderWizard

• Setup nFast Hardware and configure iPlanet Trustbase Transaction Manager to use it. There are four scripts to do this
  • modutil PKCS11 generic hardware install

  • ncipherP11install ncipher PKCS11 install

  • ncipherupgrade ncipher iTTM2.2.1 to 3.0 upgrade

  • installP11Library software PKCS11 install

• Setup Oracle 8i database schema using the script
  • tbase2.sql

• Setup site specific Identrus settings

• Start iPlanet Trustbase Transaction Manager

• Acquire Identrus Certificates and Keys using TokenKeyTool using the script
  • /opt/TTM/Scripts/TokenKeyTool

SW pre-requisites

---

The following software should be installed prior to running iPlanet Trustbase Transaction Manager.

Figure 1-1    Third Party Library jar files

Pre-requisites

• Microsoft's Browser: Internet Explorer 4.0 or above for Web configuration or Netscape 4.0 and higher.

• Oracle 8i.

• The iPlanet Trustbase Transaction Manager 2.2 requires the Solaris 8 Operating Environment system and the JDK 1.2 environment or the Java^TM Runtime Environment 1.2.

• The iPlanet Trustbase Transaction Manager 2.2 requires the use of JDK 1.2 environment. This can be obtained from the Sun Microsystems Web site
  http://www.javasoft.com

• JDBC^TM for Oracle 8i
  http://www.oracle.com/java/jdbc/html/jdbc.html

• Java^TM Servlet supporting WebServer
  • iPlanet Web Server 6.0
    http://www.iplanet.com/products/infrastructure/web_servers/index.html

• Application Server
  • iPlanet Application Server 6.0
    http://www.iplanet.com/products/infrastructure/app_servers/index.html

• An Identrus Compliant Validation Authority

• An Identrus Compliant Certificate Authority

• Hardware Security Module
  • nCipher KeySafe 1.0
    http://www.ncipher.com

Packages included

The following packages are included with iPlanet Trustbase Transaction Manager:

• iPlanet Application Server 6.0
  http://www.iplanet.com/products/infrastructure/app_servers/index.html

• iPlanet Web Server 6.0
  http://www.iplanet.com/products/infrastructure/web_servers/index.html

• Java^TM API for XML Parsing
  http://java.sun.com/xml

Packages not included

The following software must be downloaded before Installation:

• JDBC^TM -Thin / 100% Java API for JDK^TM 1.1.x
  http://technet.oracle.com/software/download.htm oracle-jdbc-815.zip.

• The Solaris 8 operating system environment incorporating the JDK^TM 1.2 environment

Certificate Prerequisites

Before you install iPlanet Trustbase Transaction Manager, you will need to know the location of your level 1 Certificate Authority PEM encoded CA certificate. This certificate is referred to from this point forward as the L1CA certificate.

---

Note	All third party software should be placed in lib3p/10 as illustrated in Figure 1-1.

---

System Resources

• Determine hostname

  hostname domainname

• Verify disk space to be greater than 1GB.

  df -k

• Verify sufficient memory is not less than 256MB and preferably the recommended 1GB

  prtconf | grep Mem

• Check Solaris version is 8

  uname -a

• Check Java Version is 1.2

  java -version

Solaris Installation

---

Before iPlanet Trustbase Transaction Manager can be installed, a working web server and application server must be available.

IPlanet Web Server v6.0 Installation

• Logon as root, locate the 'setup' script depending on distribution

• Start the installation using the 'setup' script.

• Select a directory <install_directory>. The default is /opt/iplanet/iws6. to install the webserver into, this will need to be the same directory you wish to use for the iPlanet Application Server installation later.

  # cd /cdrom/cdrom0 # cd iWS #./setup

• Install all elements of the web server and select the option that changes their ownership/group to 'nobody'. Select the option that runs the webserver as 'root'. Do not use an existing Directory service. Select the web server document directory to be the 'docs' subdirectory of your chosen installation location. Do not use your own JDK when prompted.

Figure 1-2    Installing iPlanet Web Server

Would you like to continue with installation? [Yes]: Yes Do you agree to the license terms? [Yes]: Yes Choose an installation type [2]: 2 Install location [/usr/iplanet/servers]: /opt/iplanet/iws6 Specify the components you wish to install [A] A Specify the components to install [1, 2, 3, 4, 5, 6, 8]: 1,2,3,4,5,6,8 Computer name [rainstorm.uk.sun.com]: rainstorm.uk.sun.com System User [nobody]: nobody System Group [nobody]: nobody Run iWS Administration Server as [root]: root IWS Admin Server User Name [admin]: admin IWS Admin Server Password: IWS Admin Server Password (again): IWS Admin Server Port [8888]: 8888 Web Server Port [80]: 80 Do you want to register this with an existing Directory Server [No]: No Web Server Content Root [/opt/iplanet/iws6/docs: Do you want to use your own JDK [No]: No

---

Note	You should make a note of these settings. Particularly port numbers since you may need them later.

---

• The following output should appear:

Figure 1-3    iPlanet Web Server Installed

Sun Netscape Alliance iPlanet Web Server Installation/Uninstallation ------------------------------------------------------------------ Extracting Server Core... Extracting Java Runtime Environment... Extracting Java Support... Extracting SSJS Support... Extracting SSJS Database Support... Extracting Web Publishing Support... Extracting SNMP Support... Extracting Upgrade Files... Server Core installed successfully. Java Runtime Environment installed successfully. Java Support installed successfully. SSJS Support installed successfully. SSJS Database Support installed successfully. Web Publishing Support installed successfully. SNMP Support installed successfully. Press Return to continue... Go to /opt/iplanet/iws6 and type startconsole to begin Managing your servers.

---

Note	Please consult your iPlanet Web Server Installation Guide for more information on this. Selecting <return> takes the default.

---

Starting iPlanet Web Server 6.0

Change into the directory that contains your Web Server instance amd run the start script. This directory takes the form of https-<machine-name>.domain.

For instance:

cd /opt/iplanet/iws60/https-rainstorm.uk.sun.com ./start

---

Note	If in doubt you should consult the first chapter of the iPlanet Web Server configuration Guide.

---

Verifying iPlanet Web Server 6.0

Check iPlanet Web Server is working by opening a browser window to http://localhost.If its working you'll see the main page as illustrated below:

Figure 1-4    iPlanet Web Server, Enterprise Edition

Or alternatively going straight to the Administration Server console:

Figure 1-5    iPlanet Web Server Administration Server

Information Type

  Example Set-up Value for iWS6.0

  Install directory

  /opt/iplanet/iws6

  Administration logon

  Username: iwsadmin, Password: identrus

  Operational ports

  Server: 80, Admin: 8888

  To start server

  /opt/iplanet/iws6/https-<Host-Name>/start

  To stop server

  /opt/iplanet/iws6/https-<Host-Name>/stop

  To start admin server

  /opt/iplanet/iws6/https-admin/start

  To stop admin server

  /opt/iplanet/iws6/https-admin/stop

  Processes grep

  ps -ef | grep iws

  Process list

  nobody 9876 1 0 12:52:08 0:00 ./uxwdog -d /opt/iplanet/iws6/https-<Host-Name>/config

nobody 9877 9876 0 12:52:08 0:01 ns-httpd -d /opt/iplanet/iws6/https-<Host-Name>/config

also /opt/iplanet/iws6/https-admin/config if the admin is running

  Install logs

  /opt/iplanet/iws6/setup/WebServer/

  Log directory

  /opt/iplanet/iws6/https-<Host-Name>/logs

  Document root

  /opt/iplanet/iws6/docs

  Installation and Configuration Documents

  http://docs.iplanet.com/docs/manuals/enterprise/50/ig/contents.htm

http://docs.iplanet.com/docs/manuals/enterprise/50/ag/esgstart.htm#1003083

 

"> iWS Checklist

Information Type	Example Set-up Value for iWS6.0
Install directory	/opt/iplanet/iws6
Administration logon	Username: iwsadmin, Password: identrus
Operational ports	Server: 80, Admin: 8888
To start server	/opt/iplanet/iws6/https-<Host-Name>/start
To stop server	/opt/iplanet/iws6/https-<Host-Name>/stop
To start admin server	/opt/iplanet/iws6/https-admin/start
To stop admin server	/opt/iplanet/iws6/https-admin/stop
Processes grep	ps -ef | grep iws
Process list	nobody 9876 1 0 12:52:08 0:00 ./uxwdog -d /opt/iplanet/iws6/https-<Host-Name>/config nobody 9877 9876 0 12:52:08 0:01 ns-httpd -d /opt/iplanet/iws6/https-<Host-Name>/config also /opt/iplanet/iws6/https-admin/config if the admin is running
Install logs	/opt/iplanet/iws6/setup/WebServer/
Log directory	/opt/iplanet/iws6/https-<Host-Name>/logs
Document root	/opt/iplanet/iws6/docs
Installation and Configuration Documents	http://docs.iplanet.com/docs/manuals/enterprise/50/ig/contents.htm http://docs.iplanet.com/docs/manuals/enterprise/50/ag/esgstart.htm#1003083

iPlanet Application Server v6.0 Installation

• Ensure that the iPlanet Web Server is running before you follow this procedure.

• Logon as root, locate the 'setup' script depending on distribution (e.g. unzip the tar file and the 'setup' file should be in the top directory)

  # cd /cdrom/cdrom0 # cd iAS # ./setup

• Start the installation using the 'setup' script. The default installation should be set to /opt/iplanet/ias6. Answer the questions as follows:

Figure 1-6    Example iPlanet Application Server Script

Would you like to continue with installation? [Yes]: Yes Do you agree to the license terms? [No]: Yes Select the component you want to install [1]: 1 Choose an installation type [2]: 2 Install location [/usr/iplanet/ias6]: /opt/iplanet/ias6 iPlanet Server Products components: Specify the components to install [All]: All iPlanet Server Family Core: Specify the components to install [1, 2, 3]: 1,2,3 iPlanet Directory Suite components: Specify the components to install [1, 2]: 1,2 Administration Services components: Specify the components to install [1, 2]: 1,2 iPlanet Application Server Suite components: Specify the components you wish to install [1, 2, 3, 4]: 1,2,3,4 Computer name [rainstorm.uk.sun.com]: rainstorm.uk.sun.com System User [nobody]: nobody System Group [nobody]: nobody Netscape configuration directory server? [No]: No Do you want to use another directory to store your data? [No]: No Directory server network port [389]: 389 Directory server identifier [rainstorm]: rainstorm administrator ID [admin]: admin Password: Password (again): Suffix [o=co.uk]: o=iplanet.com Directory Manager DN [cn=Directory Manager]: cn=Directory Manager Password: Password (again): Admin Domain [iplanet.com]: iplanet.com Administration port [12816]: 12816 Run Administration Server as [root]: root Product Key: 1111111111-3333333333 Enter the location of your webserver: /opt/iplanet/iws6/https rainstorm.uk.sun.com Do you want to enable the user to access the registry and plugin libraries? [y] y Do you want to continue with the iAS installation? [y] y Username [admin]: admin Password: Password (again): Do you want to enable I18N support for iAS? [No]: No Username does not match [No]: Yes

---

Note	Please consult your iPlanet Application Server Installation Guide for more information on this. You should also make a note of these settings since you may need them later. Selecting <return> takes the default.

---

Post iPlanet Web Server and iPlanet Application Server Installation Steps

• To check that the Application Server installation has been successful, use a browser to contact the following URL: http://machine_name/GXApp
  Select the 'Java Fortune' application, if the reply indicates that the servlet 'Greets You' then the web server and application server are functioning correctly. You should also consult your iPlanet Application Server Installation Documentation. This is now illustrated below:

Figure 1-7    Verifying iPlanet Application Server

• Having completed the installation, all processes must be shutdown:

• Logon as root

• Application Server Shutdown <install_directory>/ias/bin/KIVAes.sh stop

  # cd /opt/iplanet/ias6/ias/bin # ./KIVAes.sh stop # ps -ef | grep k.s

  
  

  ---

  Note	Immediately after installation, if this script fails to work, use 'ps -ef | grep k.s' to show all iPlanet Application Server processes and then 'kill -9 <pid>' to stop all of them.

  ---

  
  

• Directory Server Shutdown <install_directory>/slapd-<machine_name>/stop-slapd

  # cd /opt/iplanet/ias6/slapd-<hostname> # ./stop-slapd # ps -ef | grep slap

• Web Server Shutdown
  • <install_directory>/https-<machine_name>/stop

  • and: <install_directory>/https-admserv/stop

    # ./opt/iplanet/iws6/https-<machine_name>/stop # ./opt/iplanet/iws6/https-admserv/stop

• Once all the above scripts have been run check that all processes have been terminated using 'ps -ef | grep <install_directory>'. Use 'kill -9 <pid>' on all remaining processes.

Information Type

  Example Set-up Value for iAS6.0

  Install directory

  /opt/iplanet/ias6

  Administration logon

  Username: admin, Password: password

  Operational ports

  Directory Admin: 20000, kas admin:10817, Directory server: 389

  To start server

  /opt/TTM/Scripts/startias

  To stop server

  /opt/TTM/Scripts/stopias

  Installation logs

  /opt/iplanet/ias6/setup/

  Processes grep

  ps -ef | grep ias

To get just the 'kiva' processes (the ones that do the jvm work) do a ps -ef | grep k.s

  Process list

  root 10066 10064 0 14:33:21 0:03 /opt/iplanet/ias6/ias/bin/.kjs -cset CCS0

root 10059 9504 0 14:33:16 pts/6 0:00 /opt/iplanet/ias6/ias/bin/.kas

root 9504 1 0 12:47:38 pts/6 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kas

root 10070 1 0 14:33:25 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kcs -cse t CCS0 -eng 2

root 10064 1 0 14:33:21 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kjs -cset CCS0 -eng 1

root 10061 1 0 14:33:19 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kxs -cset CCS0 -eng 0

root 10072 10070 0 14:33:25 ? 0:00 /opt/iplanet/ias6/ias/bin/.kcs -cset CCS0 -eng 2

root 10062 10061 0 14:33:19 ? 0:01 /opt/iplanet/ias6/ias/bin/.kxs -cset CCS0 -eng 0

nobody 8174 1 0 12:45:04 ? 0:04 ./ns-slapd -f /opt/iplanet/ias6/slapd-unix

d02/config/slapd.conf -i /opt/iplanet/ias6/slapd-<Machine-name>

  Logged processes

  kxs_0_CCS0: Contains information about the incoming message and the plugin start and stop

kjs_0_CCS0: Contains the standard out from any running java process - can contain some debug information.

  Installation Document

  http://www.iplanet.com/products/infrastructure/app_servers/index.html

 

"> iAS Checklist

Information Type	Example Set-up Value for iAS6.0
Install directory	/opt/iplanet/ias6
Administration logon	Username: admin, Password: password
Operational ports	Directory Admin: 20000, kas admin:10817, Directory server: 389
To start server	/opt/TTM/Scripts/startias
To stop server	/opt/TTM/Scripts/stopias
Installation logs	/opt/iplanet/ias6/setup/
Processes grep	ps -ef | grep ias To get just the 'kiva' processes (the ones that do the jvm work) do a ps -ef | grep k.s
Process list	root 10066 10064 0 14:33:21 0:03 /opt/iplanet/ias6/ias/bin/.kjs -cset CCS0 root 10059 9504 0 14:33:16 pts/6 0:00 /opt/iplanet/ias6/ias/bin/.kas root 9504 1 0 12:47:38 pts/6 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kas root 10070 1 0 14:33:25 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kcs -cse t CCS0 -eng 2 root 10064 1 0 14:33:21 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kjs -cset CCS0 -eng 1 root 10061 1 0 14:33:19 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kxs -cset CCS0 -eng 0 root 10072 10070 0 14:33:25 ? 0:00 /opt/iplanet/ias6/ias/bin/.kcs -cset CCS0 -eng 2 root 10062 10061 0 14:33:19 ? 0:01 /opt/iplanet/ias6/ias/bin/.kxs -cset CCS0 -eng 0 nobody 8174 1 0 12:45:04 ? 0:04 ./ns-slapd -f /opt/iplanet/ias6/slapd-unix d02/config/slapd.conf -i /opt/iplanet/ias6/slapd-<Machine-name>
Logged processes	kxs_0_CCS0: Contains information about the incoming message and the plugin start and stop kjs_0_CCS0: Contains the standard out from any running java process - can contain some debug information.
Installation Document	http://www.iplanet.com/products/infrastructure/app_servers/index.html

iPlanet Trustbase Transaction Manager Installation Process

Now that iPlanet Web Server and iPlanet Application Server are installed the iPlanet Trustbase Transaction Manager installation can proceed.

The installation is provided as a "compress"-ed tar file. The installation program is designed for Unix Solaris 8. iPlanet Trustbase Transaction Manager currently requires JDK 1.2 to be installed on your machine to operate correctly. To ensure iPlanet Trustbase Transaction Manager is installed correctly it is advised that you install JDK 1.2 before iPlanet Trustbase Transaction Manager. Allow 100MB of Disc space for JDK 1.2 and iPlanet Trustbase Transaction Manager.

• Logon as root

• Make sure the directory server for iPlanet Application Server is running before you install Trustbase. For example,

  cd /opt/iplanet/ias6/slapd-<machine-name> ./start-slapd

• Create a temporary directory /temp to run the iTTM install wizard and type

  # cd temp # cp /cdrom/cdrom0/iTTM/* . # ./setup

The following screens define the installation locations for

• iTTM (default /opt/TTM)

• iAS (default /opt/iplanet/ias6)

• iWS (defalt /opt/iplanet/iws6

Figure 1-8    Welcome Screen

Figure 1-9    License Agreement

Figure 1-10    Install Location

Figure 1-11    3rd Party Software Location

Figure 1-12    Installation Summary

2. Before you run the Environmental Wizard make sure an Oracle driver is available in the file system.

   cd /opt/TTM/Scripts

   ./runEnvWizard

Figure 1-13    iTTM Environment Settings

The following parameters must be defined:

• Oracle login name (User defined)

• Oracle login password (User defined|)

• Oracle hostname The machine I.D> of where your Oracle installation is located

• Oracle port number This is normally set to 1521

• Oracle SID This is normally orcl but can be defined when you configure your own Oracle installation

Figure 1-14    Database Settings

Eneter data and Select <next>

Figure 1-15    Database Username and Password

Figure 1-16    Oracle Driver Location

Enter data and select <next>

Figure 1-17    Restart Wizard

This completes your Oracle settings.

• Exit and restart wizard by typing

  ./runEnvWizard

Figure 1-18    Identrus Settings

• The URL of the OCSP Responder tells you where you can get authoritative responses to CSC checks.When running the environment wizard, the URL location of the OCSP responder is requested. In order for OCSP requests to be delivered to the iTTM responder, enter the following URL. (You can re-run the environment wizard if you entered it incorrectly previously).

  http://<yourappserver>/NASApp/OCSPResponder/OCSPResponderServlet

• The AIA Access Information Authority is the field within a certificate that is used to determine whether or not the TC (or iTTM installation ) has authority over that particular certificate. In the case where a particular certificate's AIA matches the TC's choice of AIA instance we can act on this certificate in an authoritative way. In the case where the certificate's AIA is not the same as your TC's (or iTTM installation) AIA no authoritative action can be performed on this certificate. The default value is the host name that a customer or other TC connects to for information. This is normally the same as the iTTM host name.

  https://<machine_name>

Figure 1-19    iTTM Environmental Settings

This now completes the Environmental settings.

3. To run Certificate Wizard type

   ./runCertWizard

Figure 1-20    iTTM Certificate Wizard Welcome screen

You will need to collect your Identrus root certificate.

Figure 1-21    Import Identrus Root Certificate

Next you will need to supply the certificate of your L1 CA.

Figure 1-22    Import iTTM CA Certificate

Next you will need to make three requests for signing certificates. This is a two stage process involving pasting data that you have generated from the wizard into the website of the certificate authority that generates a response. The Three certicates you need are:

• The End Entity Signing Certificate allows you to sign messages to your customer.

• The Participant Signing Certificate allows you to sign messages that will be sent from one TC to another

• The SSL Signing Certificate allows you to negotiate an SSL connection at the transport level.

Figure 1-23    Request End Entity

Signing certificate

Figure 1-24    End Entity Location

Figure 1-25    Request SSL Signing Certificate

• This can be any valid distinguished name. Normally this is comprised of:
  • Common Name. Name to give the certificate

  • Organisation Unit. Represents the department or subsidiary of the organisation to which the user/entity belongs.

  • Organisation. Represents the organisation to which the entity/user creating the certificate belongs.

Figure 1-26    SSL Location

Figure 1-27    Request Participant

Signing certificate

Figure 1-28    Participant Location

• Go to your CA and submit your PKCS10 request. Collect the response. Save the corresponding response in a file madeavailable to the install wizard.

Figure 1-29    Import End Entity

Signing Certificate

Figure 1-30    Import SSL

Signing Certificate

Figure 1-31    Import Participant

Signing Certificate

Figure 1-32    Certificate Summary

4. ITTM 3.0 provides its own OCSP responder which can be utilised as part of the certificate status check process or any other services that require certificate status checking.

   ./runOCSPResponderWizard

Figure 1-33    OCSP Responder Wizard Welcome Page

• Click next to process with the wizard.

  The database settings screen allows configuration of the LDAP directory database that will contain information about revoked certificates. A CA can publish CRLs (certificate revocation lists) to this directory which the OCSP responder will use to provide its responses.

  The iAS provided with Trustbase, includes a directory server which it uses for its own configuration. This directory server can also be used for the OCSP responder. Ensure the directory server is running before continuing this wizard.

  To use the iAS directory, enter the details of the directory server chosen when installing iAS. A default iAS install will normally place the directory server on port 389 and the Bind DN as "cn=Directory Manager". The Base DN can be set to any valid distinguished name or left as the wizard defaults.

Figure 1-34    OCSP Database Settings

Clicking next to configure the OCSP responder with the entered LDAP directory settings.

Figure 1-35    OCSP Certificate request

The OCSP responder signs all of its responses with a private key associated with a certificate. This provides additional security when the OCSP responder is separated from the Trustbase installation.

To generate a certificate with private key for OCSP responses, a certificate request needs to be generated. Enter the distinguished name desired for this certificate and select "Next"

Figure 1-36    Save the Request as a file

Select a location to store the certificate request file and select "Next"

It will now be necessary to provide this request to the CA. Typically this will be the Identrus Root CA.

Once a certificate has been generated by the CA in response to the request, the certificate should be placed into a file available to the OCSP responder wizard.

Figure 1-37    OCSP Certificate Response

Enter the file location of the certificate response and select "Next

Figure 1-38    OCSP Install Complete

If the certificate is successfully imported, the wizard will complete successfully. If there are any problems then using the "back" button will step through previous screens so they can be re-attempted.

Configuring the Trustbase OCSP Responder with the Certificate Authority

In order for the OCSP responder to give the appropriate certificate status check results, it will be necessary to configure the CA to publish the revocation list to the same directory server configured for this responder.

This procedure will vary with different Certificate Authority software, but the following guidelines should be employed.

Publish the CRL to the same LDAP directory chosen in the OCSP installation wizard.

Publish the CRL under the same Base DN chosen in the installation wizard

The CA certificate that the OCSP responder provides responses for should be Published with the attribute "cacertificate;binary"

The CRL should be published to the OCSP responder with the attribute "certificaterevocationlist;binary"

Configuring Trustbase to validate the OCSP responses

By default Trustbase does not check the signature on the OCSP responses. This can be enabled by editing the "identrus.properties" file as documented in "Identrus Configuration".

When a message is sent to any node a response comes back. That response needs to be verified in such a way that the sender of the response is who they say they are. This is an optional feature in that it can be assumed that responses are trusted. OCSP Responders that are used locally are unlikely to require this signing validation process as their communication can be considered secure. However OCSP Responders on non-local or insecure lines should have this feature configured.

When an RP bank communicates with an IP that does not have an iPlanet Trustbase Transaction Manager Transaction Coordinator and fails it will need an OCSP Responder. This is sometimes referred to as OCSP fallback.

In order to verify an OCSP response we need to input the signing Certificate into the iTTM TokenKeyStore. Normally the OCSP responder certificate is directly descended from the Identrus Root. If this is the case, there is no need to perform any further configuration for response signature checking.

If a specific certificate is required to validate OCSP responses, the token key tool will need to be used to import the certificate. It then needs to have the alias of "L1OCSP" added to this certificate. For details on how to do this, see the appendix at the end of this guide.

Once the OCSP signing Certificate has been successfully imported into the iPlanet Trustbase Transaction Manager token key store, a change needs to be made to the identrus.properties file. This file can be found in /opt/TTM/<machine_name>. Change the entry OCSPResponderSigningCertificateRole as follows:-

OCSPResponderSigningCertificateRole=L1OCSP

Figure 1-39    OCSP Responders

Configuring the AIA for the OCSP responder

Identrus compliant certificates contain two AIAs. One refers to the address of the TC. The second refers to the address of the Responder. This should be set to the following address.

http://<yourappserver>/NASApp/OCSPResponder/OCSPResponderServlet

iPlanet Trustbase Transaction Manager is now installed. Some further configuration is now required to establish the local settings and Identrus setup - see the following sections.

Installation Structure

Once the installation has completed the following directory structure and support files will exist:

• iPlanet Trustbase Transaction Manager

Figure 1-40    iPlanet Trustbase Transaction Manager Directory Overview

• TTM
  iPlanet Trustbase Transaction Manager contains all configuration and Library files, the SQL directory containing various database setup scripts.

Figure 1-41    iPlanet Trustbase Transaction Manager Overview Directory

• Scripts
  This directory contains all of the scripts needed to start and stop iPlanet Trustbase Transaction Manager

Figure 1-42    iPlanet Trustbase Transaction Manager Commonly Used Scripts

• <machine_name>
  This directory contains all of the configuration files for this installation. i.e. tbase.properties, nFast.properties, identrus.properties and proxy.ini These files should not be modified directly but can be accessed via the configuration screens in this manual.

Figure 1-43    iPlanet Trustbase Transaction Manager Initialisation Files

• V3.0
  This directory contains all of the TTM binaries and support files

All other directories are not needed.

Information Type

  Example Set-up Value for iTTM 3.0

  Install directory

  /opt/TTM

  Administration logon via web

  Username: administrator, Password: administrator

  TokenKeyTool

  /opt/TTM/Scripts/runtokenkeytool

  Operational ports

  Admin via web: 80 (http://<myhost>.<domain>/NASAdapter/logon.html)

  To start server

  /opt/TTM/Scripts/startias ; /opt/TTM/Scripts/starttbase

  To stop server

  /opt/TTM/Scripts/stopias ; /opt/TTM/Scripts/stoptbase

  Property file location

  /opt/TTM/<Host-Name>/

  Processes grep

  ps -ef | grep java

  Process list

  root 9713 1 0 12:47:53 pts/6 0:08 /usr/bin/../java/bin/../jre/bin/../bin/sparc/native_threads/java uk.co.jcp.tbas

  Installation Document

  http://docs.iplanet.com/docs/manuals/trustbase.html

 

"> iTTM Checklist

Information Type	Example Set-up Value for iTTM 3.0
Install directory	/opt/TTM
Administration logon via web	Username: administrator, Password: administrator
TokenKeyTool	/opt/TTM/Scripts/runtokenkeytool
Operational ports	Admin via web: 80 (http://<myhost>.<domain>/NASAdapter/logon.html)
To start server	/opt/TTM/Scripts/startias ; /opt/TTM/Scripts/starttbase
To stop server	/opt/TTM/Scripts/stopias ; /opt/TTM/Scripts/stoptbase
Property file location	/opt/TTM/<Host-Name>/
Processes grep	ps -ef | grep java
Process list	root 9713 1 0 12:47:53 pts/6 0:08 /usr/bin/../java/bin/../jre/bin/../bin/sparc/native_threads/java uk.co.jcp.tbas
Installation Document	http://docs.iplanet.com/docs/manuals/trustbase.html

Post Installation Steps

Before starting iPlanet Trustbase Transaction Manager for the first time it is necessary to do some further configuration steps, in each of the following configuration steps refer to the Installation Structure section above to locate the necessary files:

• nCipher Security setup - see section "Cryptographic Services Configuration"

• Oracle Database setup - see section "Oracle Database Configuration"

• Identrus site specific setup - see section "Identrus Configuration"

Cryptographic Services Configuration

---

Cryptographic operations are an integral part of iTTM function. iTTM can make use of several different cryptographic service providers. A cryptographic service provider offers key and certificate management, digital signature, encryption and ssl functions. The choice of which service provider to use is dependent on the nature of the iTTM installation. Two service providers are supplied in an iTTM installation, the PKCS#11 cryptographic service provider and the nCipher native cryptographic service provider.

Cryptographic Installation Scenarios

You must select one of the following scenarios that come packaged with a provider:

1. Software PKCS11 for iTTM 3.0
   • PKCS11 provider with software token

2. Generic Hardware PKCS11 for iTTM 3.0
   • PKCS11 provider with hardware token

3. nCipher Hardware PKCS11 for iTTM 3.0
   • PKCS11 provider with hardware token

4. nCipher Upgrade from iTTM 2.2.1 to iTTM 3.0
   • nCipher native provider

We now describe each of the providers that are associated with each installation Scenario

Cryptographic Providers

1. PKCS#11 cryptographic service provider [ also known as the "JSS" service provider ]. PKCS#11 is an industry standard interface to cryptographic services devices, known as Tokens. iTTM supports several different PKCS#11 Tokens
   1. Software PKCS#11 Token

   The software Token is not suitable for a production environment: it is only appropriate for test and development installations. While private keys are protected by password based encryption, the password is freely available, so private key material is not secure.

   1. Hardware PKCS#11 Token

   This is the normal service provider to use in a production environment. Private key material is stored securely, either on a hardware token, or wraped with a symmetric key stored on a hardware token.The iTTM PKCS#11interface is tested with nCipher hardware Token.

2. nCipher native cryptographic service provider [ also known as the "TTM-NCIPHER" service provider ]. The nCipher native provider communicates directly with nCipher hardware security modules, using an nCipher proprietary protocol. In previous versions of iTTM, the only support for hardware security modules was provided in this manner.

   If keys created under an iTTM 2.2.1 installation are to be used with an iTTM 3.0 installation, this service provider must be used. Private key material is stored on disk or in a directory, securely wrapped with a secret key persistently stored on an nCipher HSM. This provider is suitable for use in a production environment

We now discuss the four Installation Scenarios possible

PKCs11 provider with software token

The PKCS#11 cryptographic service provider always has an active software Token, which is selected as the default Token in a standard iTTM installation. No action is required beyond the normal iTTM installation if the soft PKCS#11 Token is the only Token to be used

PKCs11 provider with generic hardware token

The vendor of the hardware Token supplies a PKCS#11 library, through which iTTM interacts with the module.Before the PKCS#11 service provider can use a hardware Token, the hardware must be correctly configured and initialised [ consult vendor documentation. For nCipher hardware see also the section entitled "nCipher Module Installation" below ]. If you are configuring an nCipher hardware security module for use with iTTM, then scripts are available to install the vendor PKCS#11 library for you. See the section "nCipher PKCS#11 Token configuration" which follows on from nCipher Module Installaton. Otherwise, follow the instructions presented here.

There are two steps to be taken in configuring the PKCS#11 cryptographic service provider for use with a hardware Token.

1.    Identifying the HSM vendor's PKCS#11 library to the Plug-in PKCS#11 cryptographic services

1. You will need

• the location of the hardware security module vendor's PKCS#11 library

• a module name [ can be anything, so long as it's not already in use ]

1. Scripts are included in the iTTTM distribution to assist the installation of PKCS#11 libraries

2.    Change directory to the iTTM Scripts directory

   cd <iTTM_install_directory>/Scripts

3.    run the installPllLibrary script

   ./installP11Library -module <moduleName> -libfile <vendorLibrary>

   For example

   ./installP11Library -module ncipher -libfile

4.    Check the installation using the modutil script

   ./modutil -nocertdb -list

   For example

   ./modutil -nocertdb -list

5.    The output should look something like this

   Using database directory ....

   Listing of PKCS #11 Modules

   Listing of PKCS #11 Modules

   -----------------------------------------------------------

   1.<moduleName>

   library name: <vendorPKCS#11Library>

   slots: # slots attached

   status: loaded

   slot: ####-####-####-#

   token: <tokenName>

   slot: ####-####-####-#

   token: <anotherTokenName>

   ...

   2. Netscape Internal PKCS #11 Module

   slots: 2 slots attached

   status: loaded

   slot: Communicator Internal Cryptographic Services Version 4.0

   token: Communicator Generic Crypto Svcs

   slot: Communicator User Private Key and Certificate Services

   token: Communicator Certificate DB

   ----------------------------------------------------------

1.    Configuring the default Token
   1.    Once a vendor PKCS#11 library has been installed, iTTM can use keys and certificates stored on Tokens provided by that library. New cryptographic Objects will, however, still be created on the default Token, which is the software Token in a standard install

   2.    Change directory to the iTTM host specific configuration directory

      cd <iTTM_install_directory>/<host_name>

   3.    edit the JssConfig.xml file

      vi JssConfig.xml

   4.    Change the defaultToken attribute of the JssConfig element to be the desired default token name [ as reported by modutil in the previous section ]. An empty string defaultToken attribute value refers to the software PKCS#11 Token

      <JssConfig

      defaultToken="tokenName">

      <!-- pathnames are processed in the following ways

      pattern ~ at the start of the path is replaced with the System property "user.home"

      pattern $JSSCONFIGDIR at the start of the path is replaced with the directory this

      file is loaded from, if it was loaded from a file, rather than a jarred resource

      or directory

      pattern $HOSTNAME : the first occurence is replaced with the hostname -->

      <JssDbConfig

      configDir="$JSSCONFIGDIR"

      moduleDb="secmod.db"

      keyDbPrefix=""

      certDbPrefix=""

      readOnly="false"/>

      <JssSslConfig

      cacheMaxEntries="10000"

      cacheSsl2Timeout="100"

      cacheSsl3Timeout="100"

      cacheDirectory=".">

      SSL3_RSA_WITH_RC4_128_SHA

      SSL3_RSA_WITH_RC4_128_MD5

      SSL3_RSA_WITH_3DES_EDE_CBC_SHA

      </JssSslConfig>

      </JssConfig>

   5.    Save the file, leaving other lines untouched

Restart the iTTM, which is now configured to use the PKCS#11 Token with the given name for key generation and storage operations

Example Generic PKCS11 Checklist

Information Type	Example Set-up Value generic PKCS11
Adding PKCS11 Library	cd /opt/TTM/Scripts ./installP11Library -module ncipher -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
Verifying addition of PKCS11 Library	cd /opt/TTM/Scripts ./modutil -nocertdb -list
Configuring default token	cd /opt/TTM/<machine_name> vi JssConfig.xml

PKCs11 provider with nCipher token

There are two steps

1. nCipher module installation

For each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.

1.    Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).

2.    The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same host computer used to run the TC.

3.    Create a "Security World" on one module, using the nCipher KeySafe tool.

4.    Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.

5.    The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanet^TM Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanet^TM Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.

6.    Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:

   /opt/nfast/sbin/init.d-nfast stop

   /opt/nfast/sbin/init.d-nfast start

Tip

Once the nCipher modules have been initialised into a security world follow one of the two procedures outlined below "Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0" or "nCipher PKCS#11 Token configuration"

2. nCipher PKCS#11 Token configuration

If the nCipher hardware security module is to be used with the PKCS#11 cryptographic services provider, rather than the nCipher native cryptographic services provider follow this procedure, which installs the nCipher PKCS#11 library and marks the nCipher Token as the default for iTTM.

Once the nCipher modules have been initialised into a security world, some operator cards must be created for use with the nCipher PKCS#11 interface. An operator card must be inserted into the nCipher module while it is being used through the PKCS#11 interface.

1.    Change directory to the nFast binarys directory                  

   cd /opt/nfast/bin

2.    Use the createocs or createoc-simple commands to create an operator card or cardset [ see nCipher documentation ] . The name of the card of cardset is required but the installPllLibrary script used below. The simplest configuration creates a single operator card

   ./createoc-simple [ --fips <AUTHSLOT> ] [ --overwrite ]

   <MODULE> <SLOT> <NAME> 1 0

   For example

   ./createoc-simple 1 0 operator 1 0

3.    Change directory to the iTTM Scripts directory

   cd <iTTM_install)directory>/Scripts

4.    run the installPllLibrary script

   ./ncipherP11Install [ -libfile <ncipherLibrary> ]

   <NAME>

   For example

   ./ncipherP11Install operator

The nCipher PKCS#11 Token is now installed as the default provider for iTTM cryptographic services

nCipher Example PKCS11 Checklist

Information Type	Example Set-up Value nCipher
Install directory	/opt/nfast
Operational ports	9000
To start server	/etc/init.d/nfast start
To stop server	/etc/init.d/nfast stop
Processes grep	ps -ef | grep hard
Process list	nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile
Creating nCipher operator card	cd /opt/nfast/bin ./createoc-simple 1 0 operator 1 0
Installing nCipher PKCS11 module	cd /opt/TTM/Scripts ./ncipherP11Install operator
Documentation	nCipher KeySafe 1.0 http://www.ncipher.com

nCipher native provider upgrade: ittm2.2.1 to 3.0

There are two steps

1. nCipher module installation

For each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.

1.    Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).

2.    The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same host computer used to run the TC.

3.    Create a "Security World" on one module, using the nCipher KeySafe tool.

4.    Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.

5.    The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanet^TM Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanet^TM Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.

6.    Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:

   /opt/nfast/sbin/init.d-nfast stop

   /opt/nfast/sbin/init.d-nfast start

Tip

Once the nCipher modules have been initialised into a security world follow one of the two procedures outlined below "Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0" or "nCipher PKCS#11 Token configuration"

2. Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0

If you have cryptographic keys that were created using an iTTM 2.2.1 installation, these keys can be used by iTTM 3.0 through the nCipher native cryptographic services provider. This upgrade procedure must be followed to migrate the keys from the Oracle database [ where they were stored for iTTM 2.2.1 ] to the XML based storage used by iTTM 3.0

The upgrade procedure changes the cryptographic service provider used by TTM, from the JSS provider [ supporting PKCS#11 interaction with HSMs ] to the native nCipher provider. It is not possible to use both providers simultaneously, so if private keys generated with a TTM 2.2.1 installation are to be used with a TTM 3.0 installation, the TTM 3.0 installation must use the nCipher cryptographic services provider

There are two steps to this upgrade step

1. nCipher module setup for the nCipher native provider.

Once the Security world is installed, the following points should be noted:

•    The nFast cryptographic services provider read certain settings from a properties file "nFast.properties". This file is read from the iTTM installation directory, and is only required if any of the nCipher configuration parameters differ from the default values described below. An installation which uses only the default values requires no nFast.properties file

•    If created, nFast.properties should be located in the iTTM host specific installation directory

  <iTTM_install_directory>/<host_name>/nFast.properties

•    nFast.properties should contain the following values:

     AServerAddress. The ServerAddress property should be set to the local host. If set to other values the server may refuse connection attempts on unix systems. On NT systems, the server will accept connections from clients elsewhere than "localhost". The default value is 127.0.0.1

     StandardPort. The StandardPort property contains the number of the port on which the server is listening for standard connections. By default this value is 9000.

•    StandardConnections. The StandardConnections property contains the number of standard connections that will be maintained with the nFast module. Low values for this property will not allow the module to make best use of its parallel processing capabilities. By default, this value is obtained from the module itself.

•    module.key. The module.key property contains the identifying number of the module key to be used for encrypting keys for storage outside the box. If the standard install procedure has been followed, and the Security World has been correctly set up, the module keys installed on the box are:

      KM0 - the randomly generated module key that is never exported in any form. If this key is used as the default, archived keys may only ever be used on that specific module. If the module is replaced for any reason, all the keys must be regenerated.

      KM1 - a well known module key used for bootstrapping of the recovery keys. This module key should NOT be used.

      KM2 - the security world key. This is the module key that should be used, and is the default value assumed if no nFast.properties file is present

ServerAddress = localhost ServerPort = 9000 StandardConnections = 10 PrivilegedConnections = 0 module.key = 2

1. Importing iTTM 2.2.1 keys and certificates to iTTM 3.0
   1. During this procedure you will need: Details of the oracle database containing the cryptographic keys used with TTM 2.2.1at a minimum, the hostname, username and password are required. additional information will be required in the following cases

2. -      the Oracle listener port, if it is not 1521

3. -      the database SID, if it is not ORCL

4. -      the PBE password for the KeyStore, if it is not the same as the database password
   1. You will also need the name of the TrustDomain into which the nCipher keys are to be imported [ if it is not identrus ]. If this TrustDomain already exists, it must be associated with Token type TTM-NCIPHER [ if not, then the import will fail ]

   2.    Change directory to the iTTM Scripts directory

      cd <iTTM_install_directory>/Scripts

   3.    Run the ncipherupgrade script

      ./ncipherupgrade [ -pbe <pbdepassword:<password>> ]

      [ -port <oracle_port:1521> ]

      [ -sid <oracle_sid:ORCL> ]

      [ -domain <trustdomain:identrus> ]

      <oracle_host> <oracle_user>

      <oracle_password>

1. This script extracts keys and certificates from the TTM 2.2.1 key store in the oracle database, and imports them into the given TrustDomain. Purpose identifiers in the TTM 2.2.1 key store are converted into aliases in the TrustDomain. A TTM 2.2.1 Identrus key store imported in this manner will function as a TTm 3.0 Identrus key store

The import procedure is now complete, and iTTM 3.0 is configured to used the iTTM 2.2.1 keys and certificates.

Note: The import procedure works only for nCipher keys in a TTM 2.2.1 KeyStore. The import of soft keys is not supported [ since soft keys are not to be used in a production environment ]

nCipher Example Upgrade Checklist

Information Type	Example Set-up Value nCipher
Install directory	/opt/nfast
Operational ports	9000
To start server	/etc/init.d/nfast start
To stop server	/etc/init.d/nfast stop
Processes grep	ps -ef | grep hard
Process list	nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile
Importing iTTM2.2.1 keys	cd /opt/TTM/Scripts ./ncipherupgrade k9 tbase tbase36
Documentation	nCipher KeySafe 1.0 http://www.ncipher.com

Oracle Database Configuration

---

Both TTM and the Identrus Extensions require access to a database with a pre-configured schema. The installation comes with SQL scripts that must be executed in the database user's tablespace that was specified at installation time. The following sections explain how to create the user and generate the correct schema for that user.

• The generation of users and the tablespaces defined may differ for individual sites - contact the site DBA for advice. Only one Certstore is utilised for each Trustbase Installation. The following parameters must be defined: Oracle login name, Oracle login password, PBEPassword set the same as Oracle login password, Oracle hostname, Oracle port number and Oracle SID.

Running the iPlanet Trustbase Transaction Manager SQL Scripts

• You may need to ask your DBA to create your username and password. The following procedure should be followed.

• Switch to the Oracle user and run server manager:

  myhost> su - oracle Password: myhost> cd ../opt/TTM/current/Config/sql myhost> svrmgrl Oracle Server Manager Release 3.1.5.0.0 - Production (c) Copyright 1997, Oracle Corporation. All Rights Reserved. Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production With the Partitioning and Java options PL/SQL Release 8.1.5.0.0 - Production SVRMGR> connect internal Connected.

• The database must be enabled to support the UTF8 character set. The following script is an example of how to achieve this.

  SVRMGR> SHUTDOWN; SVRMGR> STARTUP MOUNT; SVRMGR> ALTER SYSTEM ENABLE RESTRICED SESSION; SVRMGR> ALTER SYSTEM SET JOB_QUEUE_PROCESSES=0; SVRMGR> ALTER DATABASE OPEN; SVRMGR> ALTER DATABASE CHARACTER SET UTF8; SVRMGR> SHUTDOWN; SVRMGR> STARTUP;

• Create a iPlanet Trustbase Transaction Manager user - you may need to change the username, password and default tablespaces depending on site policy:

  SVRMGR> CREATE USER tbase IDENTIFIED BY tbase DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE TEMP; Statement processed. SVRMGR> GRANT CONNECT TO tbase; Statement processed. SVRMGR> GRANT RESOURCE TO tbase; Statement processed. SVRMGR> ALTER USER tbase QUOTA UNLIMITED ON USERS; Statement processed. SVRMGR> quit Server Manager complete.

• Connect as the iPlanet Trustbase Transaction Manager user and run the scripts:

  sunstorm% su - oracle sunstorm% cd /opt/TTM/current/Config/sql sunstorm% sqlplus SQL*Plus: Release 8.1.5.0.0 - Production on Fri Sep 22 12:07:11 2000 (c) Copyright 1999 Oracle Corporation. All rights reserved. Enter user-name: tbase Enter password: Error accessing PRODUCT_USER_PROFILE Warning: Product user profile information not loaded! You may need to run PUPBLD.SQL as SYSTEM Connected to: Oracle8i Enterprise Edition Release 8.1.5.0.0 - Production With the Partitioning and Java options PL/SQL Release 8.1.5.0.0 - Production SQL> @tbase2.sql

Information Type

  Example Set-up Value for Oracle 8i

  Install directory

  Oracle program files: /opt/oracle/app/product/8.1.7/bin Oracle data files: /identrusdb/orcl

  Oracle user login

  Username: oracle, Password: oracle

  Sqlplus - dba admin

  Username: sys, Password: change_on_install

  Sqlplus - tbase user

  Username: tbase, Password: tbase

  Operational ports

  Oracle ports: 1521

  SID

  orcl

  To start server

  As oracle user: svrmgrl; Connect internal; startup; exit

lsnrctl; start; exit

  To stop server

  As oracle user: lsnrctl; stop; exit

svrmgrl; connect internal; shutdown; exit

  Processes grep

  ps -ef | grep oracle

  Process list - there will be an oracle orcl for each application connection.

  oracle 9862 1 0 12:48:10 ? 0:00 orcl (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))

oracle 764 1 0 Mar 07 ? 0:01 /opt/oracle/bin/tnslsnr LISTENER -inherit

oracle 751 1 0 Mar 07 ? 0:00 ora_pmon_orcl

oracle 753 1 0 Mar 07 ? 0:00 ora_dbw0_orcl

oracle 755 1 0 Mar 07 ? 0:00 ora_lgwr_orcl

oracle 757 1 0 Mar 07 ? 0:22 ora_ckpt_orcl

oracle 759 1 0 Mar 07 ? 0:02 ora_smon_orcl

oracle 761 1 0 Mar 07 ? 0:00 ora_reco_orcl

oracle 9771 1 0 12:47:58 ? 0:00 oracleorcl (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))

  Logs of interest

  Auditdata: Contains internal audit information and indicates what the TC has processed.

Error: Shows unexpected errors e.g. cannot communicate with Certificate Authority

Error_support: Shows any java stack trace associated with the error table.

 

"> Oracle Example Checklist

Information Type	Example Set-up Value for Oracle 8i
Install directory	Oracle program files: /opt/oracle/app/product/8.1.7/bin Oracle data files: /identrusdb/orcl
Oracle user login	Username: oracle, Password: oracle
Sqlplus - dba admin	Username: sys, Password: change_on_install
Sqlplus - tbase user	Username: tbase, Password: tbase
Operational ports	Oracle ports: 1521
SID	orcl
To start server	As oracle user: svrmgrl; Connect internal; startup; exit lsnrctl; start; exit
To stop server	As oracle user: lsnrctl; stop; exit svrmgrl; connect internal; shutdown; exit
Processes grep	ps -ef | grep oracle
Process list - there will be an oracle orcl for each application connection.	oracle 9862 1 0 12:48:10 ? 0:00 orcl (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ))) oracle 764 1 0 Mar 07 ? 0:01 /opt/oracle/bin/tnslsnr LISTENER -inherit oracle 751 1 0 Mar 07 ? 0:00 ora_pmon_orcl oracle 753 1 0 Mar 07 ? 0:00 ora_dbw0_orcl oracle 755 1 0 Mar 07 ? 0:00 ora_lgwr_orcl oracle 757 1 0 Mar 07 ? 0:22 ora_ckpt_orcl oracle 759 1 0 Mar 07 ? 0:02 ora_smon_orcl oracle 761 1 0 Mar 07 ? 0:00 ora_reco_orcl oracle 9771 1 0 12:47:58 ? 0:00 oracleorcl (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))
Logs of interest	Auditdata: Contains internal audit information and indicates what the TC has processed. Error: Shows unexpected errors e.g. cannot communicate with Certificate Authority Error_support: Shows any java stack trace associated with the error table.

Identrus Configuration

---

A Transaction Coordinator (TC) comprises of all Identrus Services that have been deployed within the iPlanet Trustbase Transaction Manager. The file identrus.properties needs to be edited to change settings appropriately. It can be found in <install_directory>/TTM/<machine_name>as illustrated below:

Figure 1-44    identrus.properties file location

• Normally, only the locations of OurAIA and LocalOCSPResponderLocation need to change. For instance:

  OurAIA = https://rp LocalOCSPResponderLocation = http://rp:8080

• The following illustrates an example identrus.properties file.

Figure 1-45    Example Identrus.properties

[CSC] ; OID's for OCSP and TC TCOID=1.2.840.114021.4.1 OCSPResponderOID=1.3.6.1.5.5.7.48.1 ;CaCertificateRole= ;EndEntityCertificateRole= ;SigningCertificateRole= ;RootCertificateRole= ; Local OCSP Responder Communication SignLocalOCSPRequests=false OCSPResponderSigningCertificateRole=L1OCSP LocalOCSPResponderLocation = identrus_local_resp_url OurAIA = identrus_our_aia DNOfAuthority= ; Response Cache Parameters ApprovedResponseMaxAge=60 ApprovedResponseMaxKeep=60 DebugMode=true ;OCSPRequestorName=CN=KENCO

Other settings can be modified:

• OID's
  • TCOID: This is ASN object ID for the "authority info access" attribute for Identrus Transaction Coordinator 's (default acceptable). All Identrus Certificates will have this and are supplied by Identrus with the ID of 1.2.840.114021.4.1.

  • OCSPOID: This is ASN object ID for the "authority info access" attribute for OCSP responder's (default acceptable).

• Certificate Role's
  • CaCertificateRole: This is the certificate attribute used for the Transaction Coordinator CA certificate. (Default is acceptable).

  • EndEntityCertificateRole: This is the certificate attribute used for the Transaction Coordinator end entity signing certificate (default acceptable).

  • SigningCertificateRole: This is the certificate attribute used for the Transaction Coordinator inter participant signing certificate (default acceptable).

  • RootCertificateRole: This is the certificate attribute used as by the Identrus Transaction Coordinator to identify the Identrus root (default acceptable).

• Local OCSP Responder Communication
  • SignLocalOCSPRequests: boolean - unsigned Local OCSP requests have a parameter set to "no" and signed Local OCSP requests have this parameter set to "yes".

  • OCSPResponderSigningCertificateRole: This is the certificate used to verify OCSP responses (only used if signLocalOCSPrequests is true).

  • LocalOCSPResponderLocation: The URL for the local OCSP responder.

• Misc settings
  • OurAIA: The Access Information Authority (AIA) of this Identrus Transaction Coordinator.

  • DNOfAuthority: This is the Distinguished Name (DN) of the Identrus root signing certificate. This is for internal use only.

• Response Cache Parameters

  To avoid repeated calls to the Identrus root, an institution can contact the root about the status of its own certificates and store them for a cached period. Whenever a message is sent to another party, it will include this cached response. It is then up to the other institution to decide whether this cached response is acceptable or if it wants to contact the root itself. If a relying customer wants to ensure that cached responses are not used anywhere in an Identrus transaction then that customer can supply a nonce in the outgoing OCSP requests. This nonce is then used as a signal to the institutions not to use the cached response.

  Caching prevents the need for repeated access to the Identrus Root. Each institution holds a value for how long its own cached certificate statuses are kept for. It also holds a maximum acceptable age of received certificate statuses. The following parameters must be defined:

  • ApprovedResponseMaxAge: number of seconds to allow a cache entry to persist for.

  • ApprovedResponseMaxKeep: number of seconds that a response provided to use can be acceptable.

  • DebugMode: internal debug on/off

  • OCSPRequestorName: name to use when talking to an OCSP responder. It should be noted that this must be set to the Distinguised name (DN) of the certificate used to sign OCSP if signing is set to true (i.e. SignLocalOCSPRequests=true). In the example provided, the common name (CN) is used as the distinguished name since the distinguished name is made up of the common name and the organisation unit (OU).

Start iPlanet Trustbase Transaction Manager

---

Having completed the installation and configuration iPlanet Trustbase Transaction Manager can be controlled using the scripts available in:

• /opt/TTM/Scripts

Figure 1-46    iPlanet Trustbase Transaction Manager Commonly Used Scripts

iTTM Scripts

The main scripts used to stop and start iPlanet Application Server and TTM components, that need to be executed as 'root' inside the Scripts directory:

• ./startias
  Starts the iPlanet Application Server with iTTM

• ./starttbase
  This script starts the iPlanet Trustbase Configuration Manager, SSL Proxy and SMTP Proxy

• ./stopias

• ./stoptbase

Other useful scripts in this directory are:

• jaxhit Generates java source code from a DTD

• ncipherupgrade Upgrades iTTM2.2.1 PKI to iTTM 3.0

• ncipherP11Install installs PKCS11 provider with nCipher token

• installP11Library installs PKCS11 provider with software token

• modutil installs PKCS11 provider with generic hardware token

• runAddLoggerWizard Allows for multiple logging

• runCertWizard Configures your Identrus four corner model with the correct PKI infrastructure

• runcheckintegrity checks the integrity of the log file

• runDeleteLoggerWizard deletes raw log entry

• runEnvWizard Sets Environmental variables during installation

• runOCSPResponderWizard Configures and Installs your oCSP Responder

• runtokenkeytool Tool to set up your own PKI

• stopjmsproxy Stops the JMS Proxy

• stopsmtpproxy stops SMTP Proxy

  
  

  ---

  Note	bourne shell (/bin/sh) uses '. ./setcp' and c shell (/bin/csh) uses './setup'

  ---

  
  

ShutDown procedure

The following procedure stops the system.

• Logon as root

  #!/bin/sh cd /opt/TTM/Scripts /opt/TTM/Scripts/stopias /opt/TTM/Scripts/stoptbase /opt/iplanet/ias6/slapd-hailstorm/stop-slapd /opt/iplanet/iws6/https-hailstorm.uk.sun.com/stop /opt/iplanet/iws6/https-admserv/stop

Restart procedure

The following procedure restarts the system:

• logon as root and run the following shell:

  #!/bin/sh /opt/iplanet/ias6/slapd-hailstorm/start-slapd /opt/iplanet/iws6/https-hailstorm.uk.sun.com/start /opt/iplanet/iws6/https-admserv/start cd /opt/TTM/Scripts /startias /starttbase

Upgrades

The following provides an outline of how to migrate from iTTM 2.2.1 to iTTM 3.0

1. Upgrading from iTTM 2.2.1 to iTTM 3.0 requires a reinstallation of all iTTM components and configuration with the exception of the PKI See "nCipher native provider upgrade: ittm2.2.1 to 3.0" using the script

   /opt/TTM/ncipherupgrade

2. Archive all database tables. See "What data needs backup?". Note these are not compatible with iTTM 3.0

3. You should remove 2.2.1

4. You should remove iWS 6.0 and iAS 6.0

5. Follow the iTTM install procedure for how to install
   1. iWS6.0 see "IPlanet Web Server v6.0 Installation"

   2. iAS 6.0 see "iPlanet Application Server v6.0 Installation"

   3. iTTM 3.0 see "iPlanet Trustbase Transaction Manager Installation Process"

Reinstallation

If the responses given during the execution of the Trustbase installation script were incorrect you can rerun the install script without damaging any other changes you have made. When re-executing the install scripts the installer will remember the responses you entered previously and offer them as defaults.

sunstorm% cd /opt/TTM/scripts sunstorm% ./setup sunstorm% ./runEnvWizard sunstorm% ./runCertWizard sunstorm% ./runOCSPResponderWizard

Please consult the iPlanet Application Server Installation, iPlanet Web Server, Oracle and nCipher documentation for procedures on how to reinstall.Note under normal circumstances when reinstalling iTTM you should not need to reinstall iWS 6.0 and iAS 6.0.

Identrus Authorisation

---

In order to send Identrus Messages to iPlanet Trustbase Transaction Manager you will need to create an Authorisation for your own customers that allows the sending of Identrus Enabled Messages. These are illustrated in the next three figures.

• The following TokenKeyTool (see appendix at the end of this guide) command will list you your Identrus root certificate

  cd <install_directory>/Scripts

  ./runtokenkeytool

  listcerts -alias IRCA

• You will need the serial number and the Issuer DN

• Select <Authorisation> <Add Certificate>
  
  

• For this example enter the issuer Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 4. Set the Max Depth to 1 and the Role to Identrus. This is illustrated below:

Figure 1-47    Installing a Certificate so as to send Identrus Messages within Trustbase

You will also need to create an additional Authorisation for other banks to send Identrus Enabled messages to you. These are illustrated in the next three figures:

• Select <Authorisation> <Add Certificate>
  
  

• Enter the Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 1. Set the Max Depth to 1 and the Role to Identrus. This is illustrated below:

Figure 1-48    Installing a Certificate within Trustbase for sending Identrus Enabled Messages

Finally you should restart iPlanet Trustbase Transaction Manager for the setting to take effect and you should make sure both certificates are installed within iPlanet Trustbase Transaction Manager as illustrated below:

Figure 1-49    Identrus Enabled Messages installed within Trustbase

TokenKeyTool Checklist

The following checklist provides you with a summary of the kinds of commands available withion TokenKeyTool that is used to help you set up your Identrus Authorisation.

Information Type	Example Set-up Value for TokenKeyTool
To run TokenKeyTool	cd /opt/TTM/Scripts ./runTokenKeyTool
To list Trusted Certificates with an Alias	listcerts -alias IRCA
To list all trusted Certificates	listcerts
To list private keys and their associated Certificate chains	listkeys
To delete private keys and its associated Certificate chains	deletekey -issuer "CN=End Entity" -serial 0x1000
To obtain help	help
Documentation	See the appendix at the end of this guide