Previous Contents DocHome Index Next |
iPlanet Trustbase Transaction Manager 3.0 Configuration and Installation |
Chapter 1 Installation Worksheet
Installation Worksheet provides the user with a pre-requisite checklist of all the main features to a successful iPlanet Trustbase Transaction Manager installation. It lists software that is included, what isn't included, what must be downloaded and how it should be installed and configured.
Installation Outline
The following steps need to be carried out:
Check and meet software pre-requisites
Download any software that has not been included with iPlanet Trustbase Transaction Manager
Install iPlanet Web Server v6.0
Install iPlanet Application Server v6.0
Install iPlanet Trustbase Transaction Manager v3.0 with Identrus Extensions by running the following installation wizard scripts:
Setup nFast Hardware and configure iPlanet Trustbase Transaction Manager to use it. There are four scripts to do this
modutil PKCS11 generic hardware install
Setup Oracle 8i database schema using the scriptncipherP11install ncipher PKCS11 install
ncipherupgrade ncipher iTTM2.2.1 to 3.0 upgrade
installP11Library software PKCS11 install
tbase2.sql
Setup site specific Identrus settings
Start iPlanet Trustbase Transaction Manager
Acquire Identrus Certificates and Keys using TokenKeyTool using the script
/opt/TTM/Scripts/TokenKeyTool
SW pre-requisites
The following software should be installed prior to running iPlanet Trustbase Transaction Manager.
Figure 1-1    Third Party Library jar files
![]()
Microsoft's Browser: Internet Explorer 4.0 or above for Web configuration or Netscape 4.0 and higher.
The iPlanet Trustbase Transaction Manager 2.2 requires the Solaris 8 Operating Environment system and the JDK 1.2 environment or the JavaTM Runtime Environment 1.2.
The iPlanet Trustbase Transaction Manager 2.2 requires the use of JDK 1.2 environment. This can be obtained from the Sun Microsystems Web site
http://www.javasoft.comJDBCTM for Oracle 8i
http://www.oracle.com/java/jdbc/html/jdbc.htmlJavaTM Servlet supporting WebServer
iPlanet Web Server 6.0
Application Server
http://www.iplanet.com/products/infrastructure/web_servers/index.html
iPlanet Application Server 6.0
An Identrus Compliant Validation Authority
http://www.iplanet.com/products/infrastructure/app_servers/index.html
An Identrus Compliant Certificate Authority
nCipher KeySafe 1.0
http://www.ncipher.com
Packages included
The following packages are included with iPlanet Trustbase Transaction Manager:
iPlanet Application Server 6.0
http://www.iplanet.com/products/infrastructure/app_servers/index.htmliPlanet Web Server 6.0
http://www.iplanet.com/products/infrastructure/web_servers/index.htmlJavaTM API for XML Parsing
http://java.sun.com/xml
Packages not included
The following software must be downloaded before Installation:
JDBCTM -Thin / 100% Java API for JDKTM 1.1.x
http://technet.oracle.com/software/download.htm oracle-jdbc-815.zip.The Solaris 8 operating system environment incorporating the JDKTM 1.2 environment
Certificate Prerequisites
Before you install iPlanet Trustbase Transaction Manager, you will need to know the location of your level 1 Certificate Authority PEM encoded CA certificate. This certificate is referred to from this point forward as the L1CA certificate.
Note All third party software should be placed in lib3p/10 as illustrated in Figure 1-1.
Determine hostname
hostname
domainnameVerify disk space to be greater than 1GB.
df -k Verify sufficient memory is not less than 256MB and preferably the recommended 1GB
prtconf | grep Mem
Solaris Installation
Before iPlanet Trustbase Transaction Manager can be installed, a working web server and application server must be available.
IPlanet Web Server v6.0 Installation
Logon as root, locate the 'setup' script depending on distribution
Start the installation using the 'setup' script.
Select a directory <install_directory>. The default is /opt/iplanet/iws6. to install the webserver into, this will need to be the same directory you wish to use for the iPlanet Application Server installation later.
# cd /cdrom/cdrom0
# cd iWS
#./setupInstall all elements of the web server and select the option that changes their ownership/group to 'nobody'. Select the option that runs the webserver as 'root'. Do not use an existing Directory service. Select the web server document directory to be the 'docs' subdirectory of your chosen installation location. Do not use your own JDK when prompted.
Figure 1-2    Installing iPlanet Web Server
Note You should make a note of these settings. Particularly port numbers since you may need them later.
Figure 1-3    iPlanet Web Server Installed
Note Please consult your iPlanet Web Server Installation Guide for more information on this. Selecting <return> takes the default.
Starting iPlanet Web Server 6.0
Change into the directory that contains your Web Server instance amd run the start script. This directory takes the form of https-<machine-name>.domain.For instance:
cd /opt/iplanet/iws60/https-rainstorm.uk.sun.com
./start
Note If in doubt you should consult the first chapter of the iPlanet Web Server configuration Guide.
Verifying iPlanet Web Server 6.0
Check iPlanet Web Server is working by opening a browser window to http://localhost.If its working you'll see the main page as illustrated below:
Figure 1-4    iPlanet Web Server, Enterprise Edition
![]()
Or alternatively going straight to the Administration Server console:
Figure 1-5    iPlanet Web Server Administration Server
![]()
Information Type
Example Set-up Value for iWS6.0
Install directory
/opt/iplanet/iws6
Administration logon
Username: iwsadmin, Password: identrus
Operational ports
Server: 80, Admin: 8888
To start server
/opt/iplanet/iws6/https-<Host-Name>/start
To stop server
/opt/iplanet/iws6/https-<Host-Name>/stop
To start admin server
/opt/iplanet/iws6/https-admin/start
To stop admin server
/opt/iplanet/iws6/https-admin/stop
Processes grep
ps -ef | grep iws
Process list
nobody 9876 1 0 12:52:08 0:00 ./uxwdog -d /opt/iplanet/iws6/https-<Host-Name>/config nobody 9877 9876 0 12:52:08 0:01 ns-httpd -d /opt/iplanet/iws6/https-<Host-Name>/config
also /opt/iplanet/iws6/https-admin/config if the admin is running
Install logs
/opt/iplanet/iws6/setup/WebServer/
Log directory
/opt/iplanet/iws6/https-<Host-Name>/logs
Document root
/opt/iplanet/iws6/docs
Installation and Configuration Documents
http://docs.iplanet.com/docs/manuals/enterprise/50/ig/contents.htm http://docs.iplanet.com/docs/manuals/enterprise/50/ag/esgstart.htm#1003083
">
iWS Checklist
Information Type
Example Set-up Value for iWS6.0
Install directory
/opt/iplanet/iws6
Administration logon
Username: iwsadmin, Password: identrus
Operational ports
Server: 80, Admin: 8888
To start server
/opt/iplanet/iws6/https-<Host-Name>/start
To stop server
/opt/iplanet/iws6/https-<Host-Name>/stop
To start admin server
/opt/iplanet/iws6/https-admin/start
To stop admin server
/opt/iplanet/iws6/https-admin/stop
Processes grep
ps -ef | grep iws
Process list
nobody 9876 1 0 12:52:08 0:00 ./uxwdog -d /opt/iplanet/iws6/https-<Host-Name>/config nobody 9877 9876 0 12:52:08 0:01 ns-httpd -d /opt/iplanet/iws6/https-<Host-Name>/config
also /opt/iplanet/iws6/https-admin/config if the admin is running
Install logs
/opt/iplanet/iws6/setup/WebServer/
Log directory
/opt/iplanet/iws6/https-<Host-Name>/logs
Document root
/opt/iplanet/iws6/docs
Installation and Configuration Documents
http://docs.iplanet.com/docs/manuals/enterprise/50/ig/contents.htm http://docs.iplanet.com/docs/manuals/enterprise/50/ag/esgstart.htm#1003083
iPlanet Application Server v6.0 Installation
Ensure that the iPlanet Web Server is running before you follow this procedure.
Logon as root, locate the 'setup' script depending on distribution (e.g. unzip the tar file and the 'setup' file should be in the top directory)
# cd /cdrom/cdrom0
# cd iAS
# ./setupStart the installation using the 'setup' script. The default installation should be set to /opt/iplanet/ias6. Answer the questions as follows:
Figure 1-6    Example iPlanet Application Server Script
Post iPlanet Web Server and iPlanet Application Server Installation Steps
To check that the Application Server installation has been successful, use a browser to contact the following URL: http://machine_name/GXApp
Select the 'Java Fortune' application, if the reply indicates that the servlet 'Greets You' then the web server and application server are functioning correctly. You should also consult your iPlanet Application Server Installation Documentation. This is now illustrated below:Figure 1-7    Verifying iPlanet Application Server
![]()
Having completed the installation, all processes must be shutdown:
Application Server Shutdown <install_directory>/ias/bin/KIVAes.sh stop
# cd /opt/iplanet/ias6/ias/bin
# ./KIVAes.sh stop
# ps -ef | grep k.s
Note Immediately after installation, if this script fails to work, use 'ps -ef | grep k.s' to show all iPlanet Application Server processes and then 'kill -9 <pid>' to stop all of them.
Directory Server Shutdown <install_directory>/slapd-<machine_name>/stop-slapd
# cd /opt/iplanet/ias6/slapd-<hostname>
# ./stop-slapd
# ps -ef | grep slap
<install_directory>/https-<machine_name>/stop
Once all the above scripts have been run check that all processes have been terminated using 'ps -ef | grep <install_directory>'. Use 'kill -9 <pid>' on all remaining processes.and: <install_directory>/https-admserv/stop
# ./opt/iplanet/iws6/https-<machine_name>/stop
# ./opt/iplanet/iws6/https-admserv/stop
Information Type
Example Set-up Value for iAS6.0
Install directory
/opt/iplanet/ias6
Administration logon
Username: admin, Password: password
Operational ports
Directory Admin: 20000, kas admin:10817, Directory server: 389
To start server
/opt/TTM/Scripts/startias
To stop server
/opt/TTM/Scripts/stopias
Installation logs
/opt/iplanet/ias6/setup/
Processes grep
ps -ef | grep ias To get just the 'kiva' processes (the ones that do the jvm work) do a ps -ef | grep k.s
Process list
root 10066 10064 0 14:33:21 0:03 /opt/iplanet/ias6/ias/bin/.kjs -cset CCS0 root 10059 9504 0 14:33:16 pts/6 0:00 /opt/iplanet/ias6/ias/bin/.kas
root 9504 1 0 12:47:38 pts/6 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kas
root 10070 1 0 14:33:25 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kcs -cse t CCS0 -eng 2
root 10064 1 0 14:33:21 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kjs -cset CCS0 -eng 1
root 10061 1 0 14:33:19 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kxs -cset CCS0 -eng 0
root 10072 10070 0 14:33:25 ? 0:00 /opt/iplanet/ias6/ias/bin/.kcs -cset CCS0 -eng 2
root 10062 10061 0 14:33:19 ? 0:01 /opt/iplanet/ias6/ias/bin/.kxs -cset CCS0 -eng 0
nobody 8174 1 0 12:45:04 ? 0:04 ./ns-slapd -f /opt/iplanet/ias6/slapd-unix
d02/config/slapd.conf -i /opt/iplanet/ias6/slapd-<Machine-name>
Logged processes
kxs_0_CCS0: Contains information about the incoming message and the plugin start and stop kjs_0_CCS0: Contains the standard out from any running java process - can contain some debug information.
Installation Document
http://www.iplanet.com/products/infrastructure/app_servers/index.html
">
iAS Checklist
Information Type
Example Set-up Value for iAS6.0
Install directory
/opt/iplanet/ias6
Administration logon
Username: admin, Password: password
Operational ports
Directory Admin: 20000, kas admin:10817, Directory server: 389
To start server
/opt/TTM/Scripts/startias
To stop server
/opt/TTM/Scripts/stopias
Installation logs
/opt/iplanet/ias6/setup/
Processes grep
ps -ef | grep ias To get just the 'kiva' processes (the ones that do the jvm work) do a ps -ef | grep k.s
Process list
root 10066 10064 0 14:33:21 0:03 /opt/iplanet/ias6/ias/bin/.kjs -cset CCS0 root 10059 9504 0 14:33:16 pts/6 0:00 /opt/iplanet/ias6/ias/bin/.kas
root 9504 1 0 12:47:38 pts/6 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kas
root 10070 1 0 14:33:25 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kcs -cse t CCS0 -eng 2
root 10064 1 0 14:33:21 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kjs -cset CCS0 -eng 1
root 10061 1 0 14:33:19 ? 0:00 /bin/sh /opt/iplanet/ias6/ias/bin/kxs -cset CCS0 -eng 0
root 10072 10070 0 14:33:25 ? 0:00 /opt/iplanet/ias6/ias/bin/.kcs -cset CCS0 -eng 2
root 10062 10061 0 14:33:19 ? 0:01 /opt/iplanet/ias6/ias/bin/.kxs -cset CCS0 -eng 0
nobody 8174 1 0 12:45:04 ? 0:04 ./ns-slapd -f /opt/iplanet/ias6/slapd-unix
d02/config/slapd.conf -i /opt/iplanet/ias6/slapd-<Machine-name>
Logged processes
kxs_0_CCS0: Contains information about the incoming message and the plugin start and stop kjs_0_CCS0: Contains the standard out from any running java process - can contain some debug information.
Installation Document
http://www.iplanet.com/products/infrastructure/app_servers/index.html
iPlanet Trustbase Transaction Manager Installation Process
Now that iPlanet Web Server and iPlanet Application Server are installed the iPlanet Trustbase Transaction Manager installation can proceed.The installation is provided as a "compress"-ed tar file. The installation program is designed for Unix Solaris 8. iPlanet Trustbase Transaction Manager currently requires JDK 1.2 to be installed on your machine to operate correctly. To ensure iPlanet Trustbase Transaction Manager is installed correctly it is advised that you install JDK 1.2 before iPlanet Trustbase Transaction Manager. Allow 100MB of Disc space for JDK 1.2 and iPlanet Trustbase Transaction Manager.
Logon as root
The following screens define the installation locations forMake sure the directory server for iPlanet Application Server is running before you install Trustbase. For example,
cd /opt/iplanet/ias6/slapd-<machine-name>
./start-slapdCreate a temporary directory /temp to run the iTTM install wizard and type
Figure 1-8    Welcome Screen
![]()
Figure 1-9    License Agreement
![]()
Figure 1-10    Install Location
![]()
Figure 1-11    3rd Party Software Location
![]()
Figure 1-12    Installation Summary
![]()
Figure 1-13    iTTM Environment Settings
![]()
The following parameters must be defined:
Oracle login name (User defined)
Oracle login password (User defined|)
Oracle hostname The machine I.D> of where your Oracle installation is located
Oracle port number This is normally set to 1521
Oracle SID This is normally orcl but can be defined when you configure your own Oracle installation
Figure 1-14    Database Settings
![]()
Figure 1-15    Database Username and Password
![]()
Figure 1-16    Oracle Driver Location
![]()
Figure 1-17    Restart Wizard
![]()
This completes your Oracle settings.
Figure 1-18    Identrus Settings
![]()
The URL of the OCSP Responder tells you where you can get authoritative responses to CSC checks.When running the environment wizard, the URL location of the OCSP responder is requested. In order for OCSP requests to be delivered to the iTTM responder, enter the following URL. (You can re-run the environment wizard if you entered it incorrectly previously).
http://<yourappserver>/NASApp/OCSPResponder/OCSPResponderServlet
The AIA Access Information Authority is the field within a certificate that is used to determine whether or not the TC (or iTTM installation ) has authority over that particular certificate. In the case where a particular certificate's AIA matches the TC's choice of AIA instance we can act on this certificate in an authoritative way. In the case where the certificate's AIA is not the same as your TC's (or iTTM installation) AIA no authoritative action can be performed on this certificate. The default value is the host name that a customer or other TC connects to for information. This is normally the same as the iTTM host name.
Figure 1-19    iTTM Environmental Settings
![]()
This now completes the Environmental settings.
Figure 1-20    iTTM Certificate Wizard Welcome screen
![]()
You will need to collect your Identrus root certificate.
Figure 1-21    Import Identrus Root Certificate
![]()
Next you will need to supply the certificate of your L1 CA.
Figure 1-22    Import iTTM CA Certificate
![]()
Next you will need to make three requests for signing certificates. This is a two stage process involving pasting data that you have generated from the wizard into the website of the certificate authority that generates a response. The Three certicates you need are:
The End Entity Signing Certificate allows you to sign messages to your customer.
The Participant Signing Certificate allows you to sign messages that will be sent from one TC to another
The SSL Signing Certificate allows you to negotiate an SSL connection at the transport level.
Figure 1-23    Request End Entity
![]()
Signing certificate
Figure 1-24    End Entity Location
![]()
Figure 1-25    Request SSL Signing Certificate
![]()
Figure 1-26    SSL Location
![]()
Figure 1-27    Request Participant
![]()
Signing certificate
Figure 1-28    Participant Location
![]()
Go to your CA and submit your PKCS10 request. Collect the response. Save the corresponding response in a file madeavailable to the install wizard.
Figure 1-29    Import End Entity
![]()
Signing Certificate
Figure 1-30    Import SSL
![]()
Signing Certificate
Figure 1-31    Import Participant
![]()
Signing Certificate
Figure 1-32    Certificate Summary
![]()
ITTM 3.0 provides its own OCSP responder which can be utilised as part of the certificate status check process or any other services that require certificate status checking.
Figure 1-33    OCSP Responder Wizard Welcome Page
![]()
Click next to process with the wizard.
- The database settings screen allows configuration of the LDAP directory database that will contain information about revoked certificates. A CA can publish CRLs (certificate revocation lists) to this directory which the OCSP responder will use to provide its responses.
- The iAS provided with Trustbase, includes a directory server which it uses for its own configuration. This directory server can also be used for the OCSP responder. Ensure the directory server is running before continuing this wizard.
- To use the iAS directory, enter the details of the directory server chosen when installing iAS. A default iAS install will normally place the directory server on port 389 and the Bind DN as "cn=Directory Manager". The Base DN can be set to any valid distinguished name or left as the wizard defaults.
Figure 1-34    OCSP Database Settings
![]()
Clicking next to configure the OCSP responder with the entered LDAP directory settings.
Figure 1-35    OCSP Certificate request
![]()
- The OCSP responder signs all of its responses with a private key associated with a certificate. This provides additional security when the OCSP responder is separated from the Trustbase installation.
- To generate a certificate with private key for OCSP responses, a certificate request needs to be generated. Enter the distinguished name desired for this certificate and select "Next"
Figure 1-36    Save the Request as a file
![]()
- Select a location to store the certificate request file and select "Next"
- It will now be necessary to provide this request to the CA. Typically this will be the Identrus Root CA.
- Once a certificate has been generated by the CA in response to the request, the certificate should be placed into a file available to the OCSP responder wizard.
Figure 1-37    OCSP Certificate Response
![]()
Enter the file location of the certificate response and select "Next
Figure 1-38    OCSP Install Complete
![]()
If the certificate is successfully imported, the wizard will complete successfully. If there are any problems then using the "back" button will step through previous screens so they can be re-attempted.
Configuring the Trustbase OCSP Responder with the Certificate Authority
In order for the OCSP responder to give the appropriate certificate status check results, it will be necessary to configure the CA to publish the revocation list to the same directory server configured for this responder.This procedure will vary with different Certificate Authority software, but the following guidelines should be employed.
Publish the CRL to the same LDAP directory chosen in the OCSP installation wizard.
Publish the CRL under the same Base DN chosen in the installation wizard
The CA certificate that the OCSP responder provides responses for should be Published with the attribute "cacertificate;binary"
The CRL should be published to the OCSP responder with the attribute "certificaterevocationlist;binary"
Configuring Trustbase to validate the OCSP responses
By default Trustbase does not check the signature on the OCSP responses. This can be enabled by editing the "identrus.properties" file as documented in "Identrus Configuration".When a message is sent to any node a response comes back. That response needs to be verified in such a way that the sender of the response is who they say they are. This is an optional feature in that it can be assumed that responses are trusted. OCSP Responders that are used locally are unlikely to require this signing validation process as their communication can be considered secure. However OCSP Responders on non-local or insecure lines should have this feature configured.
When an RP bank communicates with an IP that does not have an iPlanet Trustbase Transaction Manager Transaction Coordinator and fails it will need an OCSP Responder. This is sometimes referred to as OCSP fallback.
In order to verify an OCSP response we need to input the signing Certificate into the iTTM TokenKeyStore. Normally the OCSP responder certificate is directly descended from the Identrus Root. If this is the case, there is no need to perform any further configuration for response signature checking.
If a specific certificate is required to validate OCSP responses, the token key tool will need to be used to import the certificate. It then needs to have the alias of "L1OCSP" added to this certificate. For details on how to do this, see the appendix at the end of this guide.
Once the OCSP signing Certificate has been successfully imported into the iPlanet Trustbase Transaction Manager token key store, a change needs to be made to the identrus.properties file. This file can be found in /opt/TTM/<machine_name>. Change the entry OCSPResponderSigningCertificateRole as follows:-
OCSPResponderSigningCertificateRole=L1OCSP
Figure 1-39    OCSP Responders
![]()
Configuring the AIA for the OCSP responder
Identrus compliant certificates contain two AIAs. One refers to the address of the TC. The second refers to the address of the Responder. This should be set to the following address.http://<yourappserver>/NASApp/OCSPResponder/OCSPResponderServlet
iPlanet Trustbase Transaction Manager is now installed. Some further configuration is now required to establish the local settings and Identrus setup - see the following sections.
Installation Structure
Once the installation has completed the following directory structure and support files will exist:
Figure 1-40    iPlanet Trustbase Transaction Manager Directory Overview
![]()
TTM
iPlanet Trustbase Transaction Manager contains all configuration and Library files, the SQL directory containing various database setup scripts.Figure 1-41    iPlanet Trustbase Transaction Manager Overview Directory
![]()
Scripts
This directory contains all of the scripts needed to start and stop iPlanet Trustbase Transaction ManagerFigure 1-42    iPlanet Trustbase Transaction Manager Commonly Used Scripts
![]()
<machine_name>
This directory contains all of the configuration files for this installation. i.e. tbase.properties, nFast.properties, identrus.properties and proxy.ini These files should not be modified directly but can be accessed via the configuration screens in this manual.Figure 1-43    iPlanet Trustbase Transaction Manager Initialisation Files
![]()
All other directories are not needed.
Information Type
Example Set-up Value for iTTM 3.0
Install directory
/opt/TTM
Administration logon via web
Username: administrator, Password: administrator
TokenKeyTool
/opt/TTM/Scripts/runtokenkeytool
Operational ports
Admin via web: 80 (http://<myhost>.<domain>/NASAdapter/logon.html)
To start server
/opt/TTM/Scripts/startias ; /opt/TTM/Scripts/starttbase
To stop server
/opt/TTM/Scripts/stopias ; /opt/TTM/Scripts/stoptbase
Property file location
/opt/TTM/<Host-Name>/
Processes grep
ps -ef | grep java
Process list
root 9713 1 0 12:47:53 pts/6 0:08 /usr/bin/../java/bin/../jre/bin/../bin/sparc/native_threads/java uk.co.jcp.tbas
Installation Document
http://docs.iplanet.com/docs/manuals/trustbase.html
">
iTTM Checklist
Information Type
Example Set-up Value for iTTM 3.0
Install directory
/opt/TTM
Administration logon via web
Username: administrator, Password: administrator
TokenKeyTool
/opt/TTM/Scripts/runtokenkeytool
Operational ports
Admin via web: 80 (http://<myhost>.<domain>/NASAdapter/logon.html)
To start server
/opt/TTM/Scripts/startias ; /opt/TTM/Scripts/starttbase
To stop server
/opt/TTM/Scripts/stopias ; /opt/TTM/Scripts/stoptbase
Property file location
/opt/TTM/<Host-Name>/
Processes grep
ps -ef | grep java
Process list
root 9713 1 0 12:47:53 pts/6 0:08 /usr/bin/../java/bin/../jre/bin/../bin/sparc/native_threads/java uk.co.jcp.tbas
Installation Document
http://docs.iplanet.com/docs/manuals/trustbase.html
Post Installation Steps
Before starting iPlanet Trustbase Transaction Manager for the first time it is necessary to do some further configuration steps, in each of the following configuration steps refer to the Installation Structure section above to locate the necessary files:
nCipher Security setup - see section "Cryptographic Services Configuration"
Oracle Database setup - see section "Oracle Database Configuration"
Identrus site specific setup - see section "Identrus Configuration"
Cryptographic Services Configuration
Cryptographic operations are an integral part of iTTM function. iTTM can make use of several different cryptographic service providers. A cryptographic service provider offers key and certificate management, digital signature, encryption and ssl functions. The choice of which service provider to use is dependent on the nature of the iTTM installation. Two service providers are supplied in an iTTM installation, the PKCS#11 cryptographic service provider and the nCipher native cryptographic service provider.
Cryptographic Installation Scenarios
You must select one of the following scenarios that come packaged with a provider:
Software PKCS11 for iTTM 3.0
We now describe each of the providers that are associated with each installation ScenarioGeneric Hardware PKCS11 for iTTM 3.0
nCipher Hardware PKCS11 for iTTM 3.0
nCipher Upgrade from iTTM 2.2.1 to iTTM 3.0
PKCS#11 cryptographic service provider [ also known as the "JSS" service provider ]. PKCS#11 is an industry standard interface to cryptographic services devices, known as Tokens. iTTM supports several different PKCS#11 Tokens
We now discuss the four Installation Scenarios possible
- The software Token is not suitable for a production environment: it is only appropriate for test and development installations. While private keys are protected by password based encryption, the password is freely available, so private key material is not secure.
nCipher native cryptographic service provider [ also known as the "TTM-NCIPHER" service provider ]. The nCipher native provider communicates directly with nCipher hardware security modules, using an nCipher proprietary protocol. In previous versions of iTTM, the only support for hardware security modules was provided in this manner.
- This is the normal service provider to use in a production environment. Private key material is stored securely, either on a hardware token, or wraped with a symmetric key stored on a hardware token.The iTTM PKCS#11interface is tested with nCipher hardware Token.
- If keys created under an iTTM 2.2.1 installation are to be used with an iTTM 3.0 installation, this service provider must be used. Private key material is stored on disk or in a directory, securely wrapped with a secret key persistently stored on an nCipher HSM. This provider is suitable for use in a production environment
PKCs11 provider with software token
The PKCS#11 cryptographic service provider always has an active software Token, which is selected as the default Token in a standard iTTM installation. No action is required beyond the normal iTTM installation if the soft PKCS#11 Token is the only Token to be used
PKCs11 provider with generic hardware token
- The vendor of the hardware Token supplies a PKCS#11 library, through which iTTM interacts with the module.Before the PKCS#11 service provider can use a hardware Token, the hardware must be correctly configured and initialised [ consult vendor documentation. For nCipher hardware see also the section entitled "nCipher Module Installation" below ]. If you are configuring an nCipher hardware security module for use with iTTM, then scripts are available to install the vendor PKCS#11 library for you. See the section "nCipher PKCS#11 Token configuration" which follows on from nCipher Module Installaton. Otherwise, follow the instructions presented here.
- There are two steps to be taken in configuring the PKCS#11 cryptographic service provider for use with a hardware Token.
Scripts are included in the iTTTM distribution to assist the installation of PKCS#11 libraries
Change directory to the iTTM Scripts directory
cd <iTTM_install_directory>/Scripts
run the installPllLibrary script
./installP11Library -module <moduleName> -libfile <vendorLibrary>
Check the installation using the modutil script
The output should look something like this
-----------------------------------------------------------
library name: <vendorPKCS#11Library>
2. Netscape Internal PKCS #11 Module
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
----------------------------------------------------------
Configuring the default Token
Once a vendor PKCS#11 library has been installed, iTTM can use keys and certificates stored on Tokens provided by that library. New cryptographic Objects will, however, still be created on the default Token, which is the software Token in a standard install
Change directory to the iTTM host specific configuration directory
cd <iTTM_install_directory>/<host_name>
Change the defaultToken attribute of the JssConfig element to be the desired default token name [ as reported by modutil in the previous section ]. An empty string defaultToken attribute value refers to the software PKCS#11 Token
<!-- pathnames are processed in the following ways
pattern ~ at the start of the path is replaced with the System property "user.home"
pattern $JSSCONFIGDIR at the start of the path is replaced with the directory this
file is loaded from, if it was loaded from a file, rather than a jarred resource
pattern $HOSTNAME : the first occurence is replaced with the hostname -->
SSL3_RSA_WITH_3DES_EDE_CBC_SHA
Save the file, leaving other lines untouched
Example Generic PKCS11 Checklist
PKCs11 provider with nCipher token
There are two stepsFor each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.
Tip
Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).
The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same host computer used to run the TC.
Create a "Security World" on one module, using the nCipher KeySafe tool.
Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.
The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanetTM Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanetTM Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.
Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:
/opt/nfast/sbin/init.d-nfast stop
/opt/nfast/sbin/init.d-nfast start
Once the nCipher modules have been initialised into a security world follow one of the two procedures outlined below "Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0" or "nCipher PKCS#11 Token configuration"
If the nCipher hardware security module is to be used with the PKCS#11 cryptographic services provider, rather than the nCipher native cryptographic services provider follow this procedure, which installs the nCipher PKCS#11 library and marks the nCipher Token as the default for iTTM.
Once the nCipher modules have been initialised into a security world, some operator cards must be created for use with the nCipher PKCS#11 interface. An operator card must be inserted into the nCipher module while it is being used through the PKCS#11 interface.
The nCipher PKCS#11 Token is now installed as the default provider for iTTM cryptographic services
Change directory to the nFast binarys directory
Use the createocs or createoc-simple commands to create an operator card or cardset [ see nCipher documentation ] . The name of the card of cardset is required but the installPllLibrary script used below. The simplest configuration creates a single operator card
./createoc-simple [ --fips <AUTHSLOT> ] [ --overwrite ]
Change directory to the iTTM Scripts directory
cd <iTTM_install)directory>/Scripts
run the installPllLibrary script
./ncipherP11Install [ -libfile <ncipherLibrary> ]
nCipher Example PKCS11 Checklist
Information Type
Example Set-up Value nCipher
Install directory
/opt/nfast
Operational ports
9000
To start server
/etc/init.d/nfast start
To stop server
/etc/init.d/nfast stop
Processes grep
ps -ef | grep hard
Process list
nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile
Creating nCipher operator card
cd /opt/nfast/bin ./createoc-simple 1 0 operator 1 0
Installing nCipher PKCS11 module
cd /opt/TTM/Scripts
Documentation
nCipher KeySafe 1.0
http://www.ncipher.com
nCipher native provider upgrade: ittm2.2.1 to 3.0
There are two stepsFor each group of nCipher modules that will be sharing a common key database, the following setup procedure must be adopted.
Install the nCipher hardware as described in the supplied documentation, making sure that each unit is set to be in pre-initialisation mode. The nCipher documentation describes the process of installing and setting up the "Security World" on a module (See nCiphers: KeySafe user guide).
The nFast module will only accept connections from the local host. Therefore the nFast module must be located on the same host computer used to run the TC.
Create a "Security World" on one module, using the nCipher KeySafe tool.
Copy this "Security World" to the other modules, and install this world using the "restore" function in KeySafe.
The nfast startup script must be modified to ensure the nFast server can communicate with the iPlanetTM Trustbase Transaction Manager nFast stub via TCP. To do this, the environment variable NFAST_SERVER_PORT must be defined and exported in /etc/init.d/nfast. The iPlanetTM Trustbase Transaction Manager stub has a default value for this port of 9000, but it can be set to any available port.
Once these settings have been made, the server should be restarted. If the nCipher software has been installed in the default location the commands to do this are:
/opt/nfast/sbin/init.d-nfast stop
/opt/nfast/sbin/init.d-nfast start
Once the nCipher modules have been initialised into a security world follow one of the two procedures outlined below "Upgrading an iTTM 2.2.1 nCipher key store to iTTM 3.0" or "nCipher PKCS#11 Token configuration"
If you have cryptographic keys that were created using an iTTM 2.2.1 installation, these keys can be used by iTTM 3.0 through the nCipher native cryptographic services provider. This upgrade procedure must be followed to migrate the keys from the Oracle database [ where they were stored for iTTM 2.2.1 ] to the XML based storage used by iTTM 3.0
The upgrade procedure changes the cryptographic service provider used by TTM, from the JSS provider [ supporting PKCS#11 interaction with HSMs ] to the native nCipher provider. It is not possible to use both providers simultaneously, so if private keys generated with a TTM 2.2.1 installation are to be used with a TTM 3.0 installation, the TTM 3.0 installation must use the nCipher cryptographic services provider
There are two steps to this upgrade step
Once the Security world is installed, the following points should be noted:
The nFast cryptographic services provider read certain settings from a properties file "nFast.properties". This file is read from the iTTM installation directory, and is only required if any of the nCipher configuration parameters differ from the default values described below. An installation which uses only the default values requires no nFast.properties file
If created, nFast.properties should be located in the iTTM host specific installation directory
<iTTM_install_directory>/<host_name>/nFast.properties
nFast.properties should contain the following values:
StandardConnections. The StandardConnections property contains the number of standard connections that will be maintained with the nFast module. Low values for this property will not allow the module to make best use of its parallel processing capabilities. By default, this value is obtained from the module itself.
- AServerAddress. The ServerAddress property should be set to the local host. If set to other values the server may refuse connection attempts on unix systems. On NT systems, the server will accept connections from clients elsewhere than "localhost". The default value is 127.0.0.1
- StandardPort. The StandardPort property contains the number of the port on which the server is listening for standard connections. By default this value is 9000.
module.key. The module.key property contains the identifying number of the module key to be used for encrypting keys for storage outside the box. If the standard install procedure has been followed, and the Security World has been correctly set up, the module keys installed on the box are:
- KM0 - the randomly generated module key that is never exported in any form. If this key is used as the default, archived keys may only ever be used on that specific module. If the module is replaced for any reason, all the keys must be regenerated.
- KM1 - a well known module key used for bootstrapping of the recovery keys. This module key should NOT be used.
- KM2 - the security world key. This is the module key that should be used, and is the default value assumed if no nFast.properties file is present
ServerAddress = localhost
Importing iTTM 2.2.1 keys and certificates to iTTM 3.0
During this procedure you will need: Details of the oracle database containing the cryptographic keys used with TTM 2.2.1at a minimum, the hostname, username and password are required. additional information will be required in the following cases
- the Oracle listener port, if it is not 1521
- the database SID, if it is not ORCL
- the PBE password for the KeyStore, if it is not the same as the database password
You will also need the name of the TrustDomain into which the nCipher keys are to be imported [ if it is not identrus ]. If this TrustDomain already exists, it must be associated with Token type TTM-NCIPHER [ if not, then the import will fail ]
Change directory to the iTTM Scripts directory
cd <iTTM_install_directory>/Scripts
./ncipherupgrade [ -pbe <pbdepassword:<password>> ]
[ -domain <trustdomain:identrus> ]
This script extracts keys and certificates from the TTM 2.2.1 key store in the oracle database, and imports them into the given TrustDomain. Purpose identifiers in the TTM 2.2.1 key store are converted into aliases in the TrustDomain. A TTM 2.2.1 Identrus key store imported in this manner will function as a TTm 3.0 Identrus key store
The import procedure is now complete, and iTTM 3.0 is configured to used the iTTM 2.2.1 keys and certificates.
Note: The import procedure works only for nCipher keys in a TTM 2.2.1 KeyStore. The import of soft keys is not supported [ since soft keys are not to be used in a production environment ]
nCipher Example Upgrade Checklist
Information Type
Example Set-up Value nCipher
Install directory
/opt/nfast
Operational ports
9000
To start server
/etc/init.d/nfast start
To stop server
/etc/init.d/nfast stop
Processes grep
ps -ef | grep hard
Process list
nfast 4241 1 0 Mar 05 ? 0:22 ../sbin/hardserver -llogfile nfast 4246 4241 0 Mar 05 ? 0:10 ../sbin/hardserver -llogfile
Importing iTTM2.2.1 keys
cd /opt/TTM/Scripts ./ncipherupgrade k9 tbase tbase36
Documentation
nCipher KeySafe 1.0
http://www.ncipher.com
Oracle Database Configuration
Both TTM and the Identrus Extensions require access to a database with a pre-configured schema. The installation comes with SQL scripts that must be executed in the database user's tablespace that was specified at installation time. The following sections explain how to create the user and generate the correct schema for that user.
The generation of users and the tablespaces defined may differ for individual sites - contact the site DBA for advice. Only one Certstore is utilised for each Trustbase Installation. The following parameters must be defined: Oracle login name, Oracle login password, PBEPassword set the same as Oracle login password, Oracle hostname, Oracle port number and Oracle SID.
Running the iPlanet Trustbase Transaction Manager SQL Scripts
You may need to ask your DBA to create your username and password. The following procedure should be followed.
Switch to the Oracle user and run server manager:
The database must be enabled to support the UTF8 character set. The following script is an example of how to achieve this.
Create a iPlanet Trustbase Transaction Manager user - you may need to change the username, password and default tablespaces depending on site policy:
Connect as the iPlanet Trustbase Transaction Manager user and run the scripts:
Information Type
Example Set-up Value for Oracle 8i
Install directory
Oracle program files: /opt/oracle/app/product/8.1.7/bin Oracle data files: /identrusdb/orcl
Oracle user login
Username: oracle, Password: oracle
Sqlplus - dba admin
Username: sys, Password: change_on_install
Sqlplus - tbase user
Username: tbase, Password: tbase
Operational ports
Oracle ports: 1521
SID
orcl
To start server
As oracle user: svrmgrl; Connect internal; startup; exit
To stop server
As oracle user: lsnrctl; stop; exit svrmgrl; connect internal; shutdown; exit
Processes grep
ps -ef | grep oracle
Process list - there will be an oracle orcl for each application connection.
oracle 9862 1 0 12:48:10 ? 0:00 orcl (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ))) oracle 764 1 0 Mar 07 ? 0:01 /opt/oracle/bin/tnslsnr LISTENER -inherit
oracle 751 1 0 Mar 07 ? 0:00 ora_pmon_orcl
oracle 753 1 0 Mar 07 ? 0:00 ora_dbw0_orcl
oracle 755 1 0 Mar 07 ? 0:00 ora_lgwr_orcl
oracle 757 1 0 Mar 07 ? 0:22 ora_ckpt_orcl
oracle 759 1 0 Mar 07 ? 0:02 ora_smon_orcl
oracle 761 1 0 Mar 07 ? 0:00 ora_reco_orcl
oracle 9771 1 0 12:47:58 ? 0:00 oracleorcl (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))
Logs of interest
Auditdata: Contains internal audit information and indicates what the TC has processed. Error: Shows unexpected errors e.g. cannot communicate with Certificate Authority
Error_support: Shows any java stack trace associated with the error table.
">
Oracle Example Checklist
Identrus Configuration
A Transaction Coordinator (TC) comprises of all Identrus Services that have been deployed within the iPlanet Trustbase Transaction Manager. The file identrus.properties needs to be edited to change settings appropriately. It can be found in <install_directory>/TTM/<machine_name>as illustrated below:
Figure 1-44    identrus.properties file location
![]()
Normally, only the locations of OurAIA and LocalOCSPResponderLocation need to change. For instance:
OurAIA = https://rp
LocalOCSPResponderLocation = http://rp:8080The following illustrates an example identrus.properties file.
Figure 1-45    Example Identrus.properties
Other settings can be modified:
OID's
TCOID: This is ASN object ID for the "authority info access" attribute for Identrus Transaction Coordinator 's (default acceptable). All Identrus Certificates will have this and are supplied by Identrus with the ID of 1.2.840.114021.4.1.
Certificate Role'sOCSPOID: This is ASN object ID for the "authority info access" attribute for OCSP responder's (default acceptable).
CaCertificateRole: This is the certificate attribute used for the Transaction Coordinator CA certificate. (Default is acceptable).
Local OCSP Responder CommunicationEndEntityCertificateRole: This is the certificate attribute used for the Transaction Coordinator end entity signing certificate (default acceptable).
SigningCertificateRole: This is the certificate attribute used for the Transaction Coordinator inter participant signing certificate (default acceptable).
RootCertificateRole: This is the certificate attribute used as by the Identrus Transaction Coordinator to identify the Identrus root (default acceptable).
SignLocalOCSPRequests: boolean - unsigned Local OCSP requests have a parameter set to "no" and signed Local OCSP requests have this parameter set to "yes".
Misc settingsOCSPResponderSigningCertificateRole: This is the certificate used to verify OCSP responses (only used if signLocalOCSPrequests is true).
LocalOCSPResponderLocation: The URL for the local OCSP responder.
OurAIA: The Access Information Authority (AIA) of this Identrus Transaction Coordinator.
Response Cache ParametersDNOfAuthority: This is the Distinguished Name (DN) of the Identrus root signing certificate. This is for internal use only.
- To avoid repeated calls to the Identrus root, an institution can contact the root about the status of its own certificates and store them for a cached period. Whenever a message is sent to another party, it will include this cached response. It is then up to the other institution to decide whether this cached response is acceptable or if it wants to contact the root itself. If a relying customer wants to ensure that cached responses are not used anywhere in an Identrus transaction then that customer can supply a nonce in the outgoing OCSP requests. This nonce is then used as a signal to the institutions not to use the cached response.
- Caching prevents the need for repeated access to the Identrus Root. Each institution holds a value for how long its own cached certificate statuses are kept for. It also holds a maximum acceptable age of received certificate statuses. The following parameters must be defined:
ApprovedResponseMaxAge: number of seconds to allow a cache entry to persist for.
ApprovedResponseMaxKeep: number of seconds that a response provided to use can be acceptable.
DebugMode: internal debug on/off
OCSPRequestorName: name to use when talking to an OCSP responder. It should be noted that this must be set to the Distinguised name (DN) of the certificate used to sign OCSP if signing is set to true (i.e. SignLocalOCSPRequests=true). In the example provided, the common name (CN) is used as the distinguished name since the distinguished name is made up of the common name and the organisation unit (OU).
Start iPlanet Trustbase Transaction Manager
Having completed the installation and configuration iPlanet Trustbase Transaction Manager can be controlled using the scripts available in:
Figure 1-46    iPlanet Trustbase Transaction Manager Commonly Used Scripts
![]()
iTTM Scripts
The main scripts used to stop and start iPlanet Application Server and TTM components, that need to be executed as 'root' inside the Scripts directory:
./startias
Other useful scripts in this directory are:
Starts the iPlanet Application Server with iTTM./starttbase
This script starts the iPlanet Trustbase Configuration Manager, SSL Proxy and SMTP Proxy
jaxhit Generates java source code from a DTD
ncipherupgrade Upgrades iTTM2.2.1 PKI to iTTM 3.0
ncipherP11Install installs PKCS11 provider with nCipher token
installP11Library installs PKCS11 provider with software token
modutil installs PKCS11 provider with generic hardware token
runAddLoggerWizard Allows for multiple logging
runCertWizard Configures your Identrus four corner model with the correct PKI infrastructure
runcheckintegrity checks the integrity of the log file
runDeleteLoggerWizard deletes raw log entry
runEnvWizard Sets Environmental variables during installation
runOCSPResponderWizard Configures and Installs your oCSP Responder
runtokenkeytool Tool to set up your own PKI
stopjmsproxy Stops the JMS Proxy
stopsmtpproxy stops SMTP Proxy
Note bourne shell (/bin/sh) uses '. ./setcp' and c shell (/bin/csh) uses './setup'
ShutDown procedure
The following procedure stops the system.
Logon as root
Restart procedure
The following procedure restarts the system:
logon as root and run the following shell:
#!/bin/sh
/opt/iplanet/ias6/slapd-hailstorm/start-slapd
/opt/iplanet/iws6/https-hailstorm.uk.sun.com/start
/opt/iplanet/iws6/https-admserv/start
cd /opt/TTM/Scripts
/startias
/starttbase
Upgrades
The following provides an outline of how to migrate from iTTM 2.2.1 to iTTM 3.0
Upgrading from iTTM 2.2.1 to iTTM 3.0 requires a reinstallation of all iTTM components and configuration with the exception of the PKI See "nCipher native provider upgrade: ittm2.2.1 to 3.0" using the script
Archive all database tables. See "What data needs backup?". Note these are not compatible with iTTM 3.0
You should remove iWS 6.0 and iAS 6.0
Follow the iTTM install procedure for how to install
iWS6.0 see "IPlanet Web Server v6.0 Installation"
iAS 6.0 see "iPlanet Application Server v6.0 Installation"
iTTM 3.0 see "iPlanet Trustbase Transaction Manager Installation Process"
Reinstallation
If the responses given during the execution of the Trustbase installation script were incorrect you can rerun the install script without damaging any other changes you have made. When re-executing the install scripts the installer will remember the responses you entered previously and offer them as defaults.
sunstorm% cd /opt/TTM/scripts
sunstorm% ./setup
sunstorm% ./runEnvWizard
sunstorm% ./runCertWizard
sunstorm% ./runOCSPResponderWizardPlease consult the iPlanet Application Server Installation, iPlanet Web Server, Oracle and nCipher documentation for procedures on how to reinstall.Note under normal circumstances when reinstalling iTTM you should not need to reinstall iWS 6.0 and iAS 6.0.
Identrus Authorisation
In order to send Identrus Messages to iPlanet Trustbase Transaction Manager you will need to create an Authorisation for your own customers that allows the sending of Identrus Enabled Messages. These are illustrated in the next three figures.
The following TokenKeyTool (see appendix at the end of this guide) command will list you your Identrus root certificate
cd <install_directory>/Scripts
You will need the serial number and the Issuer DN
Select <Authorisation> <Add Certificate>
![]()
For this example enter the issuer Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 4. Set the Max Depth to 1 and the Role to Identrus. This is illustrated below:
Figure 1-47    Installing a Certificate so as to send Identrus Messages within Trustbase
![]()
Select <Authorisation> <Add Certificate>
![]()
Enter the Distinguised Name "CN=Identrus Root CA;OU=Identrus Root;O=Identrus;C=GB" and the serial number of the RP Bank CA which is 1. Set the Max Depth to 1 and the Role to Identrus. This is illustrated below:
Figure 1-48    Installing a Certificate within Trustbase for sending Identrus Enabled Messages
![]()
Finally you should restart iPlanet Trustbase Transaction Manager for the setting to take effect and you should make sure both certificates are installed within iPlanet Trustbase Transaction Manager as illustrated below:
Figure 1-49    Identrus Enabled Messages installed within Trustbase
TokenKeyTool Checklist
The following checklist provides you with a summary of the kinds of commands available withion TokenKeyTool that is used to help you set up your Identrus Authorisation.
Previous Contents DocHome Index Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated November 21, 2001