VM0017: current enterprise, next gen ejbca
ejbca.minoss.nl/vm0017.pdf

Note: This next gen ejbca is capable of running under jboss-7 and java-7. However, during transition it is advisable to change just one parameter at a time.

Application            Used at training             More recent
-----------            ----------------             -----------
Ejbca                  Ejbca-3.10.1                 Ejbca-3.11.5, Ejbca-4.0.12, Ejbca-4.0.16, Ejbca-6.0.3
Application-server     jboss-4.2.3.GA-jdk6          jboss-5.1.0.GA-jdk6, jboss-as-distribution-6.0.0.Final,
                                                    jboss-as-distribution-6.1.0.Final, jboss-as-7.0.2.Final,
                                                    jboss-as-7.1.1.Final
Java development kit   jdk-6u20-linux-i586          jdk-6u38-ea-bin-b04-linux-amd64-31_oct_2012.bin,
                                                    jdk-6u38-ea-bin-b04-linux-i586-31_oct_2012.bin,
                                                    java-1_6_0-ibm-1.6.0_sr12.0-0.5.1,
                                                    java-1_6_0-openjdk-1.6.0.0_b24.1.11.5-2.1,
                                                    java-1_7_0-openjdk, java-1_7_0-openjdk-devel
Java crypto env        jce_policy-6
Mysql connector        mysql-connector-java-5.1.13  mysql-connector-java-5.1.22
Java-dev-tool          apache-ant-1.8.1-bin         apache-ant-1.8.4-bin, ant-1.8.2-11.1.1.noarch

Fedora or openSUSE are great for developing and testing, but production should be either on Red Hat Enterprise Linux (RedHat-ES) or SUSE Linux Enterprise Server (SLES11sp3).

First, build the virtual machine. Allocate a logical volume for it:
→ lvcreate -L 5GB -n vm0017 main
orion:/etc/xen/vm # lvcreate -L 5GB -n vm0017 main
  Logical volume "vm0017" created

Clone the template disk onto it:
→ time dd if=/dev/main/sles11sp3 of=/dev/mapper/main-vm0017 bs=1M
orion:/etc/xen/vm # time dd if=/dev/main/sles11sp3 of=/dev/mapper/main-vm0017 bs=1M
5120+0 records in
5120+0 records out
5368709120 bytes (5.4 GB) copied, 151.741 s, 35.4 MB/s

real    2m31.760s
user    0m0.004s
sys     0m9.573s

Create the vm startup file:
→ cp -v sles11sp3 vm0017
orion:/etc/xen/vm # cp -v sles11sp3 vm0017
‘sles11sp3’ -> ‘vm0017’

Change: name, description, disk-ID, disk and MAC address:
→ vi vm0017

Check the differences:
→ diff sles11sp3 vm0017
orion:/etc/xen/vm # diff sles11sp3 vm0017
1,3c1,2
< name="sles11sp3"
< description="template"
< uuid="a552dd33-b0c2-b07f-d9a6-753f7a232c71"
---
> name="vm0017"
> description="vm0017-ejbca-4.0.16"
8c7
< on_reboot="destroy"
---
> on_reboot="restart"
13,18c12,16
< #kernel="/tmp/kernel.nGFrL9"
< #ramdisk="/tmp/install-initrd.SIREem"
< extra="xencons=tty install=hd:/dev/xvdb "
< disk=[ 'phy:/dev/mapper/main-sles11sp3,xvda,w', 'file:/root/DEPOT/SLES-11-SP3-DVD-x86_64-GM-DVD1.iso,xvdb:cdrom,r', ]
< vif=[ 'mac=00:16:3e:51:b4:8a,bridge=br0', ]
<
---
> bootloader="/usr/bin/pygrub"
> bootargs=""
> extra=" "
> disk=[ 'phy:/dev/mapper/main-vm0017,xvda,w' ]
> vif=[ 'mac=00:16:3e:00:16:00,bridge=br0', ]

Show the result:
orion:/etc/xen/vm # cat vm0017
name="vm0017"
description="vm0017-ejbca-6.0.3"
memory=1024
maxmem=2048
vcpus=1
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"
builder="linux"
bootloader="/usr/bin/pygrub"
bootargs=""
extra=" "
disk=[ 'phy:/dev/mapper/main-vm0017,xvda,w' ]
vif=[ 'mac=00:16:3e:00:17:00,bridge=br0', ]
nographic=1
vfb=['type=vnc,vncunused=1']

(The diff above was taken against an earlier build of this machine, with description "vm0017-ejbca-4.0.16" and MAC 00:16:3e:00:16:00; the file shown here, with the ejbca-6.0.3 description and MAC 00:16:3e:00:17:00, is the current one. The MAC must be unique on br0, since it is what the DHCP server hands the fixed address out on.)
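The template-to-guest edit above is a handful of mechanical substitutions. The following script is an added example (not from the original page and not part of the Xen tools): it renders a guest config from the template with sed, applying exactly the changes the diff shows, and refuses MAC addresses that are malformed or outside the Xen OUI 00:16:3e. The template body it writes is a constructed stand-in for /etc/xen/vm/sles11sp3 and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): derive a Xen guest config from
# the sles11sp3 template, applying the edits shown in the diff above.

# Constructed stand-in for /etc/xen/vm/sles11sp3 (same keys as the real one).
write_sample_template() {
    cat > "$1" <<'EOF'
name="sles11sp3"
description="template"
uuid="a552dd33-b0c2-b07f-d9a6-753f7a232c71"
memory=1024
on_reboot="destroy"
#kernel="/tmp/kernel.nGFrL9"
#ramdisk="/tmp/install-initrd.SIREem"
extra="xencons=tty install=hd:/dev/xvdb "
disk=[ 'phy:/dev/mapper/main-sles11sp3,xvda,w', 'file:/root/DEPOT/SLES-11-SP3-DVD-x86_64-GM-DVD1.iso,xvdb:cdrom,r', ]
vif=[ 'mac=00:16:3e:51:b4:8a,bridge=br0', ]
EOF
}

# xen_mac_ok MAC: 0 if MAC is lower-case, colon-separated and in the Xen OUI 00:16:3e.
xen_mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^00:16:3e(:[0-9a-f]{2}){3}$'
}

# render_vm_config TEMPLATE NAME DESCRIPTION LV MAC: write the guest config to stdout.
#  - name/description replaced, uuid dropped (xm assigns a fresh one)
#  - on_reboot destroy -> restart (the template halts after the installer run)
#  - installer kernel/ramdisk/extra/ISO removed, pygrub boots the installed system
#  - disk points at the cloned LV, vif at the new MAC
render_vm_config() {
    tmpl=$1 name=$2 desc=$3 lv=$4 mac=$5
    xen_mac_ok "$mac" || { echo "render_vm_config: bad MAC '$mac'" >&2; return 1; }
    sed \
        -e "s|^name=.*|name=\"$name\"|" \
        -e "s|^description=.*|description=\"$desc\"|" \
        -e '/^uuid=/d' \
        -e 's|^on_reboot=.*|on_reboot="restart"|' \
        -e '/^#kernel=/d' \
        -e '/^#ramdisk=/d' \
        -e 's|^extra=.*|extra=" "|' \
        -e "s|^disk=.*|disk=[ 'phy:/dev/mapper/main-$lv,xvda,w' ]|" \
        -e "s|^vif=.*|vif=[ 'mac=$mac,bridge=br0', ]|" \
        "$tmpl"
    # the template has no bootloader line; the clone must boot via pygrub
    grep -q '^bootloader=' "$tmpl" || printf 'bootloader="/usr/bin/pygrub"\nbootargs=""\n'
}

# vm_config_field FILE KEY: print the value of KEY (right-hand side, quotes kept).
vm_config_field() {
    sed -n "s/^$2=//p" "$1"
}

# Demo on the constructed template.
demo_dir=$(mktemp -d)
write_sample_template "$demo_dir/sles11sp3"
render_vm_config "$demo_dir/sles11sp3" vm0017 vm0017-ejbca-6.0.3 vm0017 00:16:3e:00:17:00 \
    > "$demo_dir/vm0017"
cat "$demo_dir/vm0017"
```

On the real dom0 the call would be `render_vm_config /etc/xen/vm/sles11sp3 vm0017 vm0017-ejbca-6.0.3 vm0017 00:16:3e:00:17:00 > /etc/xen/vm/vm0017`, followed by the same `diff` as above to eyeball the result; the MAC check is there because a duplicate or non-Xen MAC on br0 is what silently breaks the DHCP/DNS step that follows.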

Add the new MAC address and name to the DHCP and DNS server configuration, so the machine gets a unique name and address. Don't forget to restart (or reload) the DHCP and DNS server processes afterwards...

Start the new machine:
→ xm create -c vm0017
pyGRUB  version 0.6
  Xen -- SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11
Use the ↑ and ↓ keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting, 'a' to modify the kernel arguments before booting, or 'c' for a command line.
Will boot selected entry in 1 seconds

Started domain vm0017 (id=8)
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.0.76-0.11-xen (geeko@buildhost) (gcc version 4.3.4 [gcc-4_3-branch revision 152973] (SUSE Linux) ) #1 SMP Fri Jun 14 08:21:43 UTC 2013 (ccab990)
[    0.000000] Command line: root=/dev/xvda3 xencons=tty resume=/dev/xvda2 splash=silent crashkernel=256M-:128M showopts
[    0.000000] Xen-provided physical RAM map:
[    0.000000]  Xen: 0000000000000000 - 0000000080800000 (usable)
…
Starting smartd                                                       unused
Master Resource Control: runlevel 3 has been reached
Skipped services in runlevel 3:  microcode.ctl nfs irq_balancer smartd

Welcome to SUSE Linux Enterprise Server 11 SP3 (x86_64) - Kernel 3.0.76-0.11-xen (tty1).

vm0017 login:

Networking: check own addresses (ifconfig is deprecated):
→ ip addr show dev eth0
vm0017 login: root
Password:
Last login: Wed Nov 27 23:21:30 CET 2013 from orion on pts/0
vm0017:~ # ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:16:3e:00:17:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.137/24 brd 192.168.0.255 scope global eth0
    inet6 2001:470:1f01:3785:216:3eff:fe00:1700/64 scope global dynamic
       valid_lft 2591992sec preferred_lft 604792sec
    inet6 fe80::216:3eff:fe00:1700/64 scope link
       valid_lft forever preferred_lft forever
vm0017:~ #

Besides the DHCP-assigned IPv4 address the machine also has a global IPv6 address (2001:470:...), autoconfigured from the MAC. Everything that listens on the wildcard address is therefore reachable over IPv6 as well, which is why the firewall check further down looks at ip6tables too.

Test whether sshd is working properly, and the address:
→ ssh vm0017
orion:~ # ssh vm0017
The authenticity of host 'vm0017 (192.168.0.137)' can't be established.
ECDSA key fingerprint is df:b6:3c:d9:c5:d6:f8:37:e7:70:b1:bb:ed:a8:eb:df.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm0017,192.168.0.137' (ECDSA) to the list of known hosts.
Password:
Last login: Sun Jan 5 13:16:34 2014
vm0017:~ #

Seems OK. Before answering "yes", compare the fingerprint with the one printed on the virtual console (ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub on vm0017). Since the disk was cloned from the template with dd, also make sure the host keys are not the template's: if the template already had /etc/ssh/ssh_host_*_key, every clone shares the same SSH identity, so regenerate them on the clone.

Check the repositories (mount point versus online):
→ zypper lr -u
vm0017:~ # zypper lr -u
# | Alias  | Name | Enabled | Refresh | URI
--+--------+------+---------+---------+---------------------------------------------
1 | oss    | oss  | Yes     | No      | http://suse.minoss.nl/sles11sp3/install/oss/
2 | update | oss  | Yes     | Yes     | http://suse.minoss.nl/sles11sp3/update/
vm0017:~ #

→ echo "192.168.0.2 storage" >> /etc/hosts
vm0017:~ # echo "192.168.0.2 storage" >> /etc/hosts
vm0017:~ #


→ mkdir -p /data/software/distro/suse/sles11sp3
vm0017:~ # mkdir -p /data/software/distro/suse/sles11sp3
vm0017:~ #

→ mount -o nolock storage:/data/software/distro/suse/sles11sp3 /data/software/distro/suse/sles11sp3
Not done: using the local online repository.

→ zypper addrepo --refresh --check -n "update" dir:/data/software/distro/suse/sles11sp3 update
Not needed, done in the template.

→ zypper lr -u
vm0017:~ # zypper lr -u
# | Alias                                            | Name                                             | Enabled | Refresh | URI
--+--------------------------------------------------+--------------------------------------------------+---------+---------+-------------------------------------------
1 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | Yes     | Yes     | hd:///?device=/dev/xvdb&filesystem=auto
2 | update                                           | update                                           | Yes     | Yes     | dir:///data/software/distro/suse/sles11sp2

(This listing still shows the SP2 installation DVD and directory repositories of an earlier build; on this SP3 machine the two online repositories listed above are the ones in use.)

Refresh the repositories:
→ zypper ref
vm0017:~ # zypper ref
Repository 'oss' is up to date.
Retrieving repository 'oss' metadata [\]
File 'repomd.xml' from repository 'oss' is unsigned, continue? [yes/no] (no): yes
Retrieving repository 'oss' metadata [done]
Building repository 'oss' cache [done]
All repositories have been refreshed.

Note the unsigned repomd.xml: without a signed repomd.xml (repomd.xml.asc plus repomd.xml.key next to it) zypper cannot verify that the mirror's metadata, and so the package list it offers, is what SUSE published. Answering "yes" is acceptable on a mirror you control; a production mirror should carry the signature files so that this prompt never appears.

→ zypper up
vm0017:~ # zypper up
Loading repository data...
Reading installed packages...

The following NEW package is going to be installed:
  libtevent0

The following packages are going to be upgraded:
  apache2 apache2-doc apache2-example-pages apache2-prefork apache2-utils apparmor-docs apparmor-parser apparmor-utils bash bash-doc bind-libs bind-libs-32bit bind-utils binutils coreutils coreutils-lang cups-client cups-libs cups-libs-32bit curl elilo ethtool facter fastjar glib2 glib2-lang gpg2 gpg2-lang grub gvfs gvfs-backends gvfs-fuse gvfs-lang hal hal-32bit ipmitool iproute2 irqbalance kdump kernel-firmware kernel-xen kernel-xen-base kpartx krb5 krb5-32bit ksh lcms libapparmor1 libcurl4 libcurl4-32bit libfprint0 libgcrypt11 libgcrypt11-32bit libgio-2_0-0 libgio-2_0-0-32bit libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgmodule-2_0-0-32bit libgnutls26 libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libgvfscommon0 liblcms1 liblcms1-32bit libpixman-1-0 libpixman-1-0-32bit libpython2_6-1_0 libreadline5 libsmbclient0 libsnmp15 libtalloc2 libtdb1 libtiff3 libtiff3-32bit libudev0 libudev0-32bit libwbclient0 libxslt libxslt-32bit libzypp mcelog microcode_ctl mkinitrd multipath-tools mysql mysql-client perl-Bootloader perl-apparmor postfix puppet python python-base python-xml readline-doc release-notes-sles rsh ruby sblim-sfcb snmp-mibs supportutils suseRegister timezone udev xen-libs xen-tools-domU xorg-x11-libX11 xorg-x11-libX11-32bit xorg-x11-libXext xorg-x11-libXext-32bit xorg-x11-libXfixes xorg-x11-libXfixes-32bit xorg-x11-libXp xorg-x11-libXp-32bit xorg-x11-libXrender xorg-x11-libXrender-32bit xorg-x11-libXt xorg-x11-libXt-32bit xorg-x11-libXv xorg-x11-libXv-32bit xorg-x11-libs xorg-x11-libs-32bit yast2 yast2-ldap-client zypper zypper-log

The following packages are not supported by their vendor:
  apache2 apache2-doc apache2-example-pages apache2-prefork apache2-utils apparmor-docs apparmor-parser apparmor-utils bash bash-doc bind-libs bind-libs-32bit bind-utils binutils coreutils coreutils-lang cups-client cups-libs cups-libs-32bit curl elilo ethtool facter fastjar glib2 glib2-lang gpg2 gpg2-lang grub gvfs gvfs-backends gvfs-fuse gvfs-lang hal hal-32bit ipmitool iproute2 irqbalance kdump kernel-firmware kernel-xen kernel-xen-base kpartx krb5 krb5-32bit ksh lcms libapparmor1 libcurl4 libcurl4-32bit libfprint0 libgcrypt11 libgcrypt11-32bit libgio-2_0-0 libgio-2_0-0-32bit libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgmodule-2_0-0-32bit libgnutls26 libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libgvfscommon0 liblcms1 liblcms1-32bit libpixman-1-0 libpixman-1-0-32bit libpython2_6-1_0 libreadline5 libsmbclient0 libsnmp15 libtalloc2 libtdb1 libtevent0 libtiff3 libtiff3-32bit libudev0 libudev0-32bit libwbclient0 libxslt libxslt-32bit libzypp mcelog microcode_ctl mkinitrd multipath-tools mysql mysql-client perl-Bootloader perl-apparmor postfix puppet python python-base python-xml readline-doc release-notes-sles rsh ruby sblim-sfcb snmp-mibs supportutils suseRegister timezone udev xen-libs xen-tools-domU xorg-x11-libX11 xorg-x11-libX11-32bit xorg-x11-libXext xorg-x11-libXext-32bit xorg-x11-libXfixes xorg-x11-libXfixes-32bit xorg-x11-libXp xorg-x11-libXp-32bit xorg-x11-libXrender xorg-x11-libXrender-32bit xorg-x11-libXt xorg-x11-libXt-32bit xorg-x11-libXv xorg-x11-libXv-32bit xorg-x11-libs xorg-x11-libs-32bit yast2 yast2-ldap-client zypper zypper-log

127 packages to upgrade, 1 new.
Overall download size: 114.6 MiB. After the operation, additional 891.0 KiB will be used.
Continue? [y/n/?] (y): y
Retrieving package apache2-doc-2.2.12-1.40.1.x86_64 (1/128), 1.7 MiB (10.3 MiB unpacked)
Retrieving: apache2-doc-2.2.12-1.40.1.x86_64.rpm [done]
Retrieving package apache2-example-pages-2.2.12-1.40.1.x86_64 (2/128), 64.0 KiB (11.0 KiB unpacked)
Retrieving: apache2-example-pages-2.2.12-1.40.1.x86_64.rpm [done]
Retrieving package apparmor-docs-2.5.1.r1445-55.64.1.x86_64 (3/128), 183.0 KiB (318.0 KiB unpacked)
Retrieving: apparmor-docs-2.5.1.r1445-55.64.1.x86_64.rpm [done]
…
Installing: gpg2-lang-2.0.9-25.33.37.1 [error]
Installation of gpg2-lang-2.0.9-25.33.37.1 failed:
(with --nodeps --force) Error: Subprocess failed. Error: RPM failed: error: unpacking of archive failed on file /usr/share/locale/zh_TW/LC_MESSAGES/gnupg2.mo;52c94ed0: cpio: read failed - Bad file descriptor
Abort, retry, ignore? [a/r/i] (a): i
…
Installing: gvfs-fuse-1.4.3-0.17.19.1 [done]
Installing: gvfs-backends-1.4.3-0.17.19.1 [done]
Update notifications were received from the following packages:
puppet-2.6.18-0.8.1.x86_64 (/var/adm/update-messages/puppet-2.6.18-0.8.1-CVE-2011-3872.msg.txt)
View the notifications now? [y/n] (n): n
There are some running programs that use files deleted by recent upgrade. You may wish to restart some of them. Run 'zypper ps' to list these programs.
vm0017:~ #

The gpg2-lang unpack failure was ignored here. It only concerns locale files, but a cpio read error usually means a corrupt package in the download cache, so clear it (zypper clean) and re-run zypper up so that the package really gets installed, then check with rpm -V gpg2-lang. Also read the puppet notification (the file name refers to CVE-2011-3872) before putting the machine into service.

A kernel patch (kernel-xen is in the list above) requires a reboot.

Check whether critical parts were updated, requiring a reboot:
→ zypper ps
vm0017:~ # zypper ps
The following running processes use deleted files:

PID  | PPID | UID | Login | Command            | Service | Files
-----+------+-----+-------+--------------------+---------+-----------------------------------------------
1132 | 1    | 0   | root  | console-kit-daemon |         | /usr/lib64/libgobject-2.0.so.0.2200.5;52c94f95
     |      |     |       |                    |         | /usr/lib64/libgthread-2.0.so.0.2200.5;52c94f95
     |      |     |       |                    |         | /usr/lib64/libglib-2.0.so.0.2200.5;52c94f70
3067 | 1    | 0   | root  | sshd               | sshd    | /usr/lib64/libkrb5support.so.0.1
     |      |     |       |                    |         | /usr/lib64/libkrb5.so.3.3
     |      |     |       |                    |         | /usr/lib64/libk5crypto.so.3.1
     |      |     |       |                    |         | /usr/lib64/libgssapi_krb5.so.2.2
3334 | 3210 | 0   | root  | bash               |         | /lib64/libreadline.so.5.2
     |      |     |       |                    |         | /bin/bash (deleted)
3366 | 3067 | 0   | root  | sshd               | sshd    | /usr/lib64/libkrb5support.so.0.1
     |      |     |       |                    |         | /usr/lib64/libkrb5.so.3.3
     |      |     |       |                    |         | /usr/lib64/libk5crypto.so.3.1
     |      |     |       |                    |         | /usr/lib64/libgssapi_krb5.so.2.2
3369 | 3366 | 0   | root  | bash               |         | /lib64/libreadline.so.5.2
     |      |     |       |                    |         | /bin/bash (deleted)

You may wish to restart these processes.
See 'man zypper' for information about the meaning of values in the above table.

Nothing critical here, although the sshd daemon and both login shells are still running on the replaced krb5 and readline libraries and on the old /bin/bash. A fresh reboot (found out previously) avoids "funny" situations, and it is needed for the new kernel anyway...

(on the console)
→ init 0
vm0017:~ # init 0
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
INIT: Sending processes the KILL signal
blogd: can not set console device to /dev/pts/1: Device or resource busy
Master Resource Control: previous runlevel: 3, switching to runlevel: 0
Shutting down CRON daemon                                             done
Shutting down irqbalance                                              done
Shutting down java.binfmt_misc                                        done
Shutting down Name Service Cache Daemon                               done
Shutting down smartd                                                  done
Shutting down SSH daemon *with all active connections*                done
Shutting down auditd                                                  done
Shutting down haveged daemon                                          done
Shutting down service MySQL                                           done
Shutting down (remotefs) network interfaces:
Shutting down service (remotefs) network . . . . . . . . .            done
Shutting down mail service (Postfix)                                  done
Shutting down HAL daemon                                              done
Saving random seed                                                    done
Shutting down NFS client services:                                    done
Shutting down rpcbind                                                 done
Shutting down syslog services                                         done
Shutting down (localfs) network interfaces:
    eth0      name: Virtual Ethernet Card 0                           done
Shutting down service (localfs) network . . . . . . . . .             done
Shutting down D-Bus daemon                                            done
Running /etc/init.d/halt.local                                        done
Unmounting fuse control filesystem                                    done
Not unloading kdump during runlevel changes                           skipped
Turning off quota                                                     done
Turning off swap files                                                done
Unloading AppArmor profiles                                           done
Unmounting file systems
/dev/xvda1 has been unmounted                                         done
Stopping udevd:                                                       done
Sending all processes the TERM signal...                              done
Sending all processes the KILL signal...                              done
The system will be halted immediately.
[ 7738.880427] System halted.

If needed, restart with the new kernel:
→ xm create -c vm0017
orion:/etc/xen/vm # xm create -c vm0017
Starting CRON daemon                                                  done
Starting smartd                                                       unused
Master Resource Control: runlevel 3 has been reached
Skipped services in runlevel 3:  microcode.ctl nfs irq_balancer smartd

Welcome to SUSE Linux Enterprise Server 11 SP3 (x86_64) - Kernel 3.0.101-0.8-xen (tty1).

vm0017 login:

If restarted, check that the kernel is different (3.0.101-0.8-xen now, 3.0.76-0.11-xen before the update).

Log in again (through ssh) instead of the virtual console:
orion:~ # ssh vm0017

Check the FQDN:
→ hostname -f
vm0017:~ # hostname -f
vm0017.minoss.nl

If needed, just for documentation purposes, adjust the prompt:
→ hostname vm0017.minoss.nl
# not needed

Pre-installation tests / actions

Architecture test:
→ uname -a
vm0017:~ # uname -a
Linux vm0017 3.0.101-0.8-xen #1 SMP Fri Nov 1 12:51:09 UTC 2013 (2417eb9) x86_64 x86_64 x86_64 GNU/Linux

OS:
→ lsb_release -d; echo; cat /etc/SuSE-release
vm0017:~ # lsb_release -d; echo; cat /etc/SuSE-release
Description:    SUSE Linux Enterprise Server 11 (x86_64)

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3

Available disk space:
→ df -h
vm0017:~ # df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda3      3.5G  1.5G  1.8G  46% /
udev            521M   76K  520M   1% /dev
tmpfs           521M     0  521M   0% /dev/shm
/dev/xvda1      493M   29M  439M   7% /boot

Check memory:
→ free
vm0017:~ # free
             total       used       free     shared    buffers     cached
Mem:       1065100     220772     844328          0       5308      65024
-/+ buffers/cache:     150440     914660
Swap:      1051644          0    1051644

Slightly more memory available, compared to openSUSE.

Networking: FQDN. Permanent change:
→ echo "vm0017.minoss.nl" > /etc/HOSTNAME
# not needed anymore

(proving it would require a reboot)

Make the FQDN locally known:
→ vi /etc/hosts
not needed; would add:
#192.168.0.137 vm0017.minoss.nl vm0017 #

(Note: do not add the name to 127.0.0.1 !!!!!!)

Check:
→ hostname --fqdn
vm0017:~ # hostname --fqdn
vm0017.minoss.nl

Networking: local ping to self (needed for the db connection):
→ ping -c2 `hostname --fqdn`
vm0017:~ # ping -c2 `hostname --fqdn`
PING vm0017.minoss.nl (192.168.0.137) 56(84) bytes of data.
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=2 ttl=64 time=0.033 ms

--- vm0017.minoss.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.020/0.026/0.033/0.008 ms

Note the correct IP address (not 127.0.0.1). If the name resolved to loopback, anything that binds or connects by FQDN would end up on 127.0.0.1, unreachable from the hosts that run the browser.
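The "not 127.0.0.1" rule above is easy to get wrong by hand and easy to check by script. The following is an added example (not from the original page): it parses an /etc/hosts-style file, reports whether a name sits on a loopback line, and verifies that the FQDN maps to the expected interface address. The sample files it writes are constructed (the "bad" one reproduces the mistake the note warns about, the "commented" one is the commented-out line shown above, which is inactive), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): checks that an /etc/hosts file
# maps the FQDN to the real interface address and not to a loopback address.

# hosts_address_for FILE NAME: print the first address that NAME is listed under.
hosts_address_for() {
    awk -v n="$2" '
        { sub(/#.*/, "") }          # strip comments, so "#192.168.0.137 ..." is ignored
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$1"
}

# hosts_name_on_loopback FILE NAME: 0 if NAME appears on a 127.x.x.x or ::1 line.
hosts_name_on_loopback() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 ~ /^127\./ || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_fqdn_mapping FILE FQDN EXPECTED_IP: 0 only if FQDN is not on a loopback
# line and, when present in FILE, maps to EXPECTED_IP. A missing entry passes
# (DNS then has to provide the address, as on vm0017) and is reported as INFO.
check_fqdn_mapping() {
    file=$1 fqdn=$2 want=$3
    if hosts_name_on_loopback "$file" "$fqdn"; then
        echo "FAIL: $fqdn is mapped to a loopback address in $file" >&2
        return 1
    fi
    got=$(hosts_address_for "$file" "$fqdn")
    case $got in
        "")      echo "INFO: $fqdn not in $file, relying on DNS" >&2; return 0 ;;
        "$want") return 0 ;;
        *)       echo "FAIL: $fqdn maps to $got, expected $want" >&2; return 1 ;;
    esac
}

# Constructed sample files (not the real /etc/hosts of vm0017).
write_sample_hosts() {
    case $2 in
        good)      printf '127.0.0.1 localhost\n192.168.0.2 storage\n192.168.0.137 vm0017.minoss.nl vm0017\n' ;;
        bad)       printf '127.0.0.1 localhost vm0017.minoss.nl vm0017\n192.168.0.137 vm0017.minoss.nl vm0017\n' ;;
        commented) printf '127.0.0.1 localhost\n#192.168.0.137 vm0017.minoss.nl vm0017 #\n' ;;
    esac > "$1"
}

d=$(mktemp -d)
write_sample_hosts "$d/good" good
write_sample_hosts "$d/bad" bad
write_sample_hosts "$d/commented" commented
check_fqdn_mapping "$d/good" vm0017.minoss.nl 192.168.0.137 && echo "good: OK"
check_fqdn_mapping "$d/commented" vm0017.minoss.nl 192.168.0.137 && echo "commented: OK (DNS)"
check_fqdn_mapping "$d/bad" vm0017.minoss.nl 192.168.0.137 || echo "bad: rejected"
```

On the real machine the call is `check_fqdn_mapping /etc/hosts "$(hostname --fqdn)" 192.168.0.137`; run it on the browser host as well, where the page says the name may have to be added to /etc/hosts, since the same loopback mistake there breaks the browser connection instead of the database one.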

Networking: remote ping to self (needed for the browser connection):
→ ping -c2 vm0017.minoss.nl
orion:~ # ping -c2 vm0017.minoss.nl
PING vm0017.minoss.nl (192.168.0.137) 56(84) bytes of data.
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=1 ttl=64 time=0.125 ms
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=2 ttl=64 time=0.097 ms

--- vm0017.minoss.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.097/0.111/0.125/0.014 ms

If the name does not resolve on the host that will launch the browser, add the corresponding lines to its /etc/hosts.

Networking: firewall (if the firewall is too restrictive, the db connection or the browser connection might fail):
→ iptables -L -n -v ; echo; ip6tables -L -n -v
vm0017:~ # iptables -L -n -v ; echo; ip6tables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

If this reports a "fatal error", a reboot is required.

If some rules exist, adjust them manually. Note that both tables are empty with policy ACCEPT: nothing on this machine is filtered, for IPv4 or for IPv6, so every listening service (see the lsof output further down) is reachable from the whole network.

Additional users (needed for unprivileged ownership of files and daemons):
→ egrep "ejbca|jboss" /etc/passwd
vm0017:~ # egrep "ejbca|jboss" /etc/passwd
ejbca:x:1002:100:ejbca:/home/ejbca:/bin/bash
jboss:x:1001:100:jboss:/home/jboss:/bin/bash
Done in the template; if not, create them now...

Expected software (mysql server and client are needed, and the product relies on openssl):
→ rpm -qa | egrep "ssh|ssl|mysql" | sort
vm0017:~ # rpm -qa | egrep "ssh|ssl|mysql" | sort
libopenssl0_9_8-0.9.8j-0.50.1
libopenssl0_9_8-32bit-0.9.8j-0.50.1
libssh2-1-1.2.9-4.2.2.1
mysql-5.5.33-0.11.1
mysql-client-5.5.33-0.11.1
openssh-6.2p2-0.9.1
openssl-0.9.8j-0.50.1
openssl-certs-1.85-0.6.1
yast2-sshd-2.17.2-1.21

Slightly older libopenssl, mysql-server, mysql-client and openssh than on the openSUSE development box. SLES backports fixes into these versions, so the release tag (-0.50.1 and so on) rather than the upstream version number tells you the patch state.

Gathering of unbundled software, on the depot host:
→ cd ejbca
→ sftp ejbca@vm0017
→ mkdir log
→ mkdir DEPOT
→ cd DEPOT
→ pwd
orion:~/ejbca # sftp ejbca@vm0017
Password:
Connected to vm0017.
sftp> mkdir log
sftp> mkdir DEPOT
sftp> cd DEPOT
sftp> pwd
Remote working directory: /home/ejbca/DEPOT
sftp>

→ put ejbca_ce_6_0_3.zip
sftp> put ejbca_ce_6_0_3.zip
Uploading ejbca_ce_6_0_3.zip to /home/ejbca/DEPOT/ejbca_ce_6_0_3.zip
ejbca_ce_6_0_3.zip                            100%   35MB  35.0MB/s   00:01
sftp>

→ put jboss-as-distribution-6.1.0.Final.zip
sftp> put jboss-as-distribution-6.1.0.Final.zip
Uploading jboss-as-distribution-6.1.0.Final.zip to /home/ejbca/DEPOT/jboss-as-distribution-6.1.0.Final.zip
jboss-as-distribution-6.1.0.Final.zip         100%  174MB  34.9MB/s   00:05
sftp>

The SLES11sp3 version of ANT is way too old!!

→ put apache-ant-1.8.4-bin.zip
sftp> put apache-ant-1.8.4-bin.zip
Uploading apache-ant-1.8.4-bin.zip to /home/ejbca/DEPOT/apache-ant-1.8.4-bin.zip
apache-ant-1.8.4-bin.zip                      100% 7855KB   7.7MB/s   00:01
sftp>

→ put mysql-connector-java-5.1.22.zip
sftp> put mysql-connector-java-5.1.22.zip
Uploading mysql-connector-java-5.1.22.zip to /home/ejbca/DEPOT/mysql-connector-java-5.1.22.zip
mysql-connector-java-5.1.22.zip               100% 4170KB   4.1MB/s   00:00
sftp> quit

Java options:
→ zypper search java-
vm0017:~ # zypper search java-
Loading repository data...
Reading installed packages...

S | Name                  | Summary                                    | Type
--+-----------------------+--------------------------------------------+-----------
  | java-1_6_0-ibm        | Java(TM) 6 Runtime Environment             | package
  | java-1_6_0-ibm        | Java(TM) 6 Runtime Environment             | srcpackage
  | java-1_6_0-ibm-fonts  | Java(TM) 2 Runtime Environment             | package
  | java-1_6_0-ibm-jdbc   | JDBC/ODBC bridge driver for java-1.6.0-ibm | package
  | java-1_6_0-ibm-plugin | Browser plugin files for java-1.6.0-ibm    | package
  | java-1_7_0-ibm        | Java(TM) 7 Runtime Environment             | package
  | java-1_7_0-ibm        | Java(TM) 6 Runtime Environment             | srcpackage
  | java-1_7_0-ibm-alsa   | ALSA support for java-1_7_0-ibm            | package
  | java-1_7_0-ibm-jdbc   | JDBC/ODBC bridge driver for java-1_7_0-ibm | package
  | java-1_7_0-ibm-plugin | Browser plugin files for java-1_7_0-ibm    | package

It __MIGHT__ be possible / advisable to use "IBM" Java instead of openjdk: YMMV.

OR:
→ mkdir -p /data/software/obs/Java:/
# not done, using the online OBS repo

→ mount -o nolock storage:/data/software/obs/Java:/ /data/software/obs/Java:/
# not done, using the online repo

→ zypper addrepo --refresh --check -n "java hack" http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2 java
vm0017:~ # zypper addrepo --refresh --check -n "java hack" http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2 java
Adding repository 'java hack' [done]
Repository 'java hack' successfully added
Enabled: Yes
Autorefresh: Yes
GPG check: Yes
URI: http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2


vm0017:~ # zypper lr -u
# | Alias  | Name      | Enabled | Refresh | URI
--+--------+-----------+---------+---------+--------------------------------------------------------
1 | java   | java hack | Yes     | Yes     | http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2
2 | oss    | oss       | Yes     | No      | http://suse.minoss.nl/sles11sp3/install/oss/
3 | update | oss       | Yes     | Yes     | http://suse.minoss.nl/sles11sp3/update/

NOTE: I'm using the SLES11 SP2 repo; the SLES11 SP3 repo does not contain openjdk6. The repository is plain http, so the GPG check on its packages (GPG check: Yes above) is what protects against a tampered mirror or a tampered download; leave it enabled.

→ zypper search java-
vm0017:~ # zypper search java-
Retrieving repository 'java hack' metadata [\]

New repository or package signing key received:
Key ID: E38C29BC4276E0B9
Key Name: Java OBS Project <[email protected]>
Key Fingerprint: 9711921972E27C87BBC1BA89E38C29BC4276E0B9
Key Created: Wed Dec 7 09:43:54 2011
Key Expires: Fri Feb 14 09:43:54 2014 (expires in 39 days)
Repository: java hack

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): a
Retrieving repository 'java hack' metadata [done]
Building repository 'java hack' cache [done]
Loading repository data...
Reading installed packages...

S | Name                           | Summary                                                   | Type
--+--------------------------------+-----------------------------------------------------------+-----------
  | java-1_6_0-ibm                 | Java(TM) 6 Runtime Environment                            | package
  | java-1_6_0-ibm                 | Java(TM) 6 Runtime Environment                            | srcpackage
  | java-1_6_0-ibm-fonts           | Java(TM) 2 Runtime Environment                            | package
  | java-1_6_0-ibm-jdbc            | JDBC/ODBC bridge driver for java-1.6.0-ibm                | package
  | java-1_6_0-ibm-plugin          | Browser plugin files for java-1.6.0-ibm                   | package
  | java-1_6_0-openjdk             | Java runtime environment based on OpenJDK 6 and IcedTea 6 | srcpackage
  | java-1_6_0-openjdk             | Java runtime environment based on OpenJDK 6 and IcedTea 6 | package
  | java-1_6_0-openjdk-debuginfo   | Debug information for package java-1_6_0-openjdk          | package
  | java-1_6_0-openjdk-debugsource | Debug sources for package java-1_6_0-openjdk              | package
  | java-1_6_0-openjdk-demo        | Sources for building demo applications with OpenJDK 6     | package
  | java-1_6_0-openjdk-devel       | Java SDK based on OpenJDK 6 and IcedTea 6                 | package
  | java-1_6_0-openjdk-javadoc     | Documentation of the Java API of OpenJDK 6                | package
  | java-1_6_0-openjdk-src         | OpenJDK 6 Java class sources for developers               | package
  | java-1_7_0-ibm                 | Java(TM) 7 Runtime Environment                            | package
  | java-1_7_0-ibm                 | Java(TM) 6 Runtime Environment                            | srcpackage
  | java-1_7_0-ibm-alsa            | ALSA support for java-1_7_0-ibm                           | package
  | java-1_7_0-ibm-jdbc            | JDBC/ODBC bridge driver for java-1_7_0-ibm                | package
  | java-1_7_0-ibm-plugin          | Browser plugin files for java-1_7_0-ibm                   | package

Before answering "a", compare the fingerprint with the one published by the OBS project out of band (obs.minoss.nl is the author's own OBS instance here); trusting the key always means every package signed with it installs without further prompts. Note also that the key expires in 39 days, after which the repository need a new key before it can be used again.

Either:
→ zypper install java-1_6_0-openjdk java-1_6_0-openjdk-devel
Or:
→ zypper install java-1_6_0-ibm
vm0017:~ # zypper install java-1_6_0-openjdk java-1_6_0-openjdk-devel
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW packages are going to be installed:
  giflib java-1_6_0-openjdk java-1_6_0-openjdk-devel libasound2 timezone-java

The following packages are not supported by their vendor:
  java-1_6_0-openjdk java-1_6_0-openjdk-devel timezone-java

5 new packages to install.
Overall download size: 39.0 MiB. After the operation, additional 142.7 MiB will be used.
Continue? [y/n/?] (y): y
Retrieving package giflib-4.1.6-11.10.x86_64 (1/5), 22.0 KiB (41.0 KiB unpacked)
Retrieving: giflib-4.1.6-11.10.x86_64.rpm [done]
Retrieving package libasound2-1.0.18-16.24.1.x86_64 (2/5), 311.0 KiB (995.0 KiB unpacked)
Retrieving: libasound2-1.0.18-16.24.1.x86_64.rpm [done]
Retrieving package timezone-java-2013h-0.7.1.noarch (3/5), 125.0 KiB (272.0 KiB unpacked)
Retrieving: timezone-java-2013h-0.7.1.noarch.rpm [done]
Retrieving package java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-1.1.x86_64 (4/5), 30.0 MiB (107.3 MiB unpacked)
Retrieving: java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-1.1.x86_64.rpm [done (7.4 MiB/s)]
Retrieving package java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.7-1.1.x86_64 (5/5), 8.5 MiB (34.2 MiB unpacked)
Retrieving: java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.7-1.1.x86_64.rpm [done]
Installing: giflib-4.1.6-11.10 [done]
Installing: libasound2-1.0.18-16.24.1 [done]
Installing: timezone-java-2013h-0.7.1 [done]
Installing: java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-1.1 [done]
Installing: java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.7-1.1 [done]

Environment: create an empty /etc/profile.local (this truncates any existing one):
→ > /etc/profile.local
vm0017:~ # > /etc/profile.local

→ echo export DEPOT=/home/ejbca/DEPOT/ >> /etc/profile.local
vm0017:~ # echo export DEPOT=/home/ejbca/DEPOT/ >> /etc/profile.local

→ echo export EIL=/home/ejbca/log/ >> /etc/profile.local
vm0017:~ # echo export EIL=/home/ejbca/log/ >> /etc/profile.local

Re-read the environment and use it:
→ source /etc/profile ; ll $DEPOT
vm0017:~ # source /etc/profile ; ll $DEPOT
total 226552
-rw-r--r-- 1 ejbca users   8043520 Jan  5 15:36 apache-ant-1.8.4-bin.zip
-rw-r--r-- 1 ejbca users  36658854 Jan  5 15:36 ejbca_ce_6_0_3.zip
-rw-r--r-- 1 ejbca users 182762510 Jan  5 15:36 jboss-as-distribution-6.1.0.Final.zip
-rw-r--r-- 1 ejbca users   4270471 Jan  5 15:38 mysql-connector-java-5.1.22.zip
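The archives now sit in $DEPOT owned by the unprivileged ejbca user, and the following steps unpack them as root into /usr/local. Before root does that, it should know that what it unpacks is what was downloaded from the vendor. The script below is an added example (not from the original page and not part of EJBCA, JBoss or Apache Ant): it records a SHA-256 manifest of the archives on the depot host before the sftp upload, and verifies that manifest on vm0017 before any unzip. The sample "archives" it creates are constructed stand-ins, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): SHA-256 manifest for the DEPOT
# archives, written on the depot host and verified on vm0017 before unzip.

# sha256 FILE...: GNU sha256sum, or shasum where coreutils is absent.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# abspath PATH: absolute form of PATH (its directory must exist).
abspath() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# write_manifest DIR MANIFEST: record the digest of every *.zip in DIR.
# Run this on the depot host on the archives as downloaded from the vendor,
# and move MANIFEST over a channel other than the archives themselves.
write_manifest() {
    m=$(abspath "$2")
    ( cd "$1" && sha256 ./*.zip ) > "$m"
}

# verify_manifest DIR MANIFEST: 0 only if every listed file is present in DIR
# and matches its digest; a mismatch or a missing file fails the whole check.
verify_manifest() {
    m=$(abspath "$2")
    ( cd "$1" && sha256 -c "$m" >/dev/null 2>&1 )
}

# unpack_verified DIR MANIFEST ARCHIVE DEST: what root should run instead of a
# bare unzip; refuses to extract anything unless the manifest verifies.
unpack_verified() {
    verify_manifest "$1" "$2" || { echo "manifest check failed, not unpacking $3" >&2; return 1; }
    archive=$(abspath "$1/$3")
    ( cd "$4" && unzip -q "$archive" )
}

# Constructed stand-ins for the four archives (text files, not real zips).
make_sample_depot() {
    for f in ejbca_ce_6_0_3.zip jboss-as-distribution-6.1.0.Final.zip \
             apache-ant-1.8.4-bin.zip mysql-connector-java-5.1.22.zip; do
        printf 'constructed stand-in for %s\n' "$f" > "$1/$f"
    done
}

depot=$(mktemp -d)
make_sample_depot "$depot"
write_manifest "$depot" "$depot/SHA256SUMS"
verify_manifest "$depot" "$depot/SHA256SUMS" && echo "manifest OK"
printf 'x' >> "$depot/ejbca_ce_6_0_3.zip"          # simulate a tampered upload
verify_manifest "$depot" "$depot/SHA256SUMS" || echo "tampering detected"
```

On the depot host: `write_manifest ~/ejbca SHA256SUMS` before the sftp session, then carry SHA256SUMS to vm0017 as root (scp to /root, not into the ejbca-writable DEPOT). On vm0017 the unzip steps that follow become `unpack_verified $DEPOT /root/SHA256SUMS jboss-as-distribution-6.1.0.Final.zip /usr/local`, so a file that the ejbca account (or anyone who obtained its password) replaced in DEPOT is never unpacked by root.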

Database status: default status after reboot:
→ chkconfig mysql
vm0017:~ # chkconfig mysql
mysql  on

This should have been set in the template; if not, do:
vm0017:~ # chkconfig mysql on
vm0017:~ # chkconfig mysql
mysql  on

Database status: current status, using the System V method:
→ /etc/rc.d/mysql status
vm0017:~ # /etc/rc.d/mysql status
Checking for service MySQL:                                           running
vm0017:~ #

If not running, start it:
→ /etc/rc.d/mysql start
# done in the template now

Database IP port (used in the config files):
→ lsof -i -P
vm0017:~ # lsof -i -P
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388  root    6u  IPv4   5655      0t0  UDP *:111
rpcbind 2388  root    7u  IPv4   5659      0t0  UDP *:867
rpcbind 2388  root    8u  IPv4   5660      0t0  TCP *:111 (LISTEN)
rpcbind 2388  root    9u  IPv6   5662      0t0  UDP *:111
rpcbind 2388  root   10u  IPv6   5664      0t0  UDP *:867
rpcbind 2388  root   11u  IPv6   5665      0t0  TCP *:111 (LISTEN)
mysqld  2877 mysql   10u  IPv4   6037      0t0  TCP *:3306 (LISTEN)
sshd    3199  root    3u  IPv4   6337      0t0  TCP *:22 (LISTEN)
sshd    3199  root    4u  IPv6   6339      0t0  TCP *:22 (LISTEN)
master  3304  root   12u  IPv4   7054      0t0  TCP localhost:25 (LISTEN)
master  3304  root   13u  IPv6   7056      0t0  TCP localhost:25 (LISTEN)
sshd    3475  root    3r  IPv4   7733      0t0  TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)

Check whether it can be restarted:
→ /etc/rc.d/mysql restart; lsof -i -P
vm0017:~ # /etc/rc.d/mysql restart; lsof -i -P
Restarting service MySQL
Shutting down service MySQL                                           done
Starting service MySQL                                                done
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388  root    6u  IPv4   5655      0t0  UDP *:111
rpcbind 2388  root    7u  IPv4   5659      0t0  UDP *:867
rpcbind 2388  root    8u  IPv4   5660      0t0  TCP *:111 (LISTEN)
rpcbind 2388  root    9u  IPv6   5662      0t0  UDP *:111
rpcbind 2388  root   10u  IPv6   5664      0t0  UDP *:867
rpcbind 2388  root   11u  IPv6   5665      0t0  TCP *:111 (LISTEN)
sshd    3199  root    3u  IPv4   6337      0t0  TCP *:22 (LISTEN)
sshd    3199  root    4u  IPv6   6339      0t0  TCP *:22 (LISTEN)
master  3304  root   12u  IPv4   7054      0t0  TCP localhost:25 (LISTEN)
master  3304  root   13u  IPv6   7056      0t0  TCP localhost:25 (LISTEN)
sshd    3475  root    3r  IPv4   7733      0t0  TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)
mysqld  4292 mysql   10u  IPv4   9133      0t0  TCP *:3306 (LISTEN)
vm0017:~ #

It can be restarted properly (it comes up with a different PID) and still listens on the proper TCP port. Note that mysqld, like rpcbind, listens on the wildcard address: with the empty firewall shown above, port 3306 is reachable from every host on the network, not only from the local JBoss. Either set bind-address in my.cnf to the host's own address (the application reaches the database by FQDN, so 127.0.0.1 would break it) or add an iptables rule that limits 3306 to this host. rpcbind is only needed if the NFS mount of the depot is actually used, which it is not here.
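Reading an lsof listing by eye works once; checking it after every restart does not. The following is an added example (not from the original page): it reads `lsof -i -P` output, lists the TCP listeners bound to the wildcard address (those that the empty firewall exposes to the whole network), and compares them against an allow-list of what this machine is supposed to offer. The sample listing is constructed from the output shown above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): find wildcard TCP listeners in
# `lsof -i -P` output and compare them with an allow-list.

# wildcard_listeners < lsof_output: print "COMMAND PORT" (unique, sorted) for
# every TCP socket in LISTEN state bound to *:PORT; localhost:PORT is skipped.
wildcard_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-2) == "TCP" && $(NF-1) ~ /^\*:[0-9]+$/ {
            split($(NF-1), a, ":"); print $1, a[2]
        }' | sort -u
}

# unexpected_listeners ALLOWLIST < lsof_output: print the wildcard listeners
# not in ALLOWLIST ("cmd:port cmd:port ..."); exit 0 if none, 1 otherwise.
unexpected_listeners() {
    allow=" $1 "
    wildcard_listeners | (
        rc=0
        while read -r cmd port; do
            case $allow in
                *" $cmd:$port "*) ;;
                *) echo "unexpected: $cmd on *:$port"; rc=1 ;;
            esac
        done
        exit $rc
    )
}

# Constructed sample: the listing from the page, trimmed to the relevant rows.
LSOF_SAMPLE='COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388  root    6u  IPv4   5655      0t0  UDP *:111
rpcbind 2388  root    8u  IPv4   5660      0t0  TCP *:111 (LISTEN)
rpcbind 2388  root   11u  IPv6   5665      0t0  TCP *:111 (LISTEN)
mysqld  2877 mysql   10u  IPv4   6037      0t0  TCP *:3306 (LISTEN)
sshd    3199  root    3u  IPv4   6337      0t0  TCP *:22 (LISTEN)
sshd    3199  root    4u  IPv6   6339      0t0  TCP *:22 (LISTEN)
master  3304  root   12u  IPv4   7054      0t0  TCP localhost:25 (LISTEN)
master  3304  root   13u  IPv6   7056      0t0  TCP localhost:25 (LISTEN)
sshd    3475  root    3r  IPv4   7733      0t0  TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)'

# Wrappers that run the checks on the sample, so results can be tested by name.
sample_wildcard_count() {
    printf '%s\n' "$LSOF_SAMPLE" | wildcard_listeners | wc -l | tr -d ' '
}
sample_unexpected() {
    printf '%s\n' "$LSOF_SAMPLE" | unexpected_listeners "$1"
}

printf '%s\n' "$LSOF_SAMPLE" | wildcard_listeners
sample_unexpected "sshd:22 mysqld:3306" || echo "rpcbind is exposed: stop it unless the NFS depot mount is used"
```

On vm0017 the live form is `lsof -i -P | unexpected_listeners "sshd:22 mysqld:3306"`; once JBoss is deployed its ports are added to the allow-list, and anything else that shows up (rpcbind here, or a debugging port left open) gets either stopped or bound to the address it is meant for.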

Java:
→ java -version
vm0017:~ # java -version
java version "1.6.0_27"
OpenJDK Runtime Environment (IcedTea6 1.12.7) (suse-1.1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

Jboss application server

→ cd /usr/local/ ; unzip $DEPOT/jboss-as-distribution-6.1.0.Final.zipvm0017:~ # cd /usr/local/ ; unzip $DEPOT/jboss-as-distribution-6.1.0.Final.zip….(extracting from archive not shown...)

Symbolic link for version independence:

→ ln -s -v jboss-6.1.0.Final/ jboss
vm0017:/usr/local # ln -s -v jboss-6.1.0.Final/ jboss
`jboss' -> `jboss-6.1.0.Final/'

Check:
→ ll jboss* -d
vm0017:/usr/local # ll jboss* -d
lrwxrwxrwx 1 root root   18 Jan  5 15:51 jboss -> jboss-6.1.0.Final/
drwxrwxr-x 8 root root 4096 Aug 16  2011 jboss-6.1.0.Final

MySQL connector

→ cd /usr/local/ ; unzip $DEPOT/mysql-connector-java-5.1.22.zip
vm0017:/usr/local # cd /usr/local/ ; unzip $DEPOT/mysql-connector-java-5.1.22.zip
(extracting from archive not shown...)

Copy it to the lib directory:
→ cp -v mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar jboss/server/default/lib/
vm0017:/usr/local # cp -v mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar jboss/server/default/lib/
`mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar' -> `jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar'

Check:
→ ls -l /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar
vm0017:/usr/local # ls -l /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar
-rw-r--r-- 1 root root 832960 Jan  5 15:53 /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar

Note the proper place, date and time.

ANT


→ rpm -qa |grep ant
vm0017:/usr/local # rpm -qa |grep ant
ant-1.7.1-20.9.53

Installed in the template. This is definitely a problem, as the installation pages declare that you need at least ant-1.7.1. However, for sles11_sp2 there is no newer version available in the distro, so you need the version from Apache...

Remove the ancient version:
→ rpm -e ant
vm0017:/usr/local # rpm -e ant
vm0017:/usr/local # rpm -qa |grep ant
vm0017:/usr/local #

→ cd /usr/local ; unzip $DEPOT/apache-ant-1.8.4-bin.zip
vm0017:/usr/local # cd /usr/local ; unzip $DEPOT/apache-ant-1.8.4-bin.zip
(extracting from archive not shown...)

→ ln -v -s apache-ant-1.8.4/ ant
vm0017:/usr/local # ln -v -s apache-ant-1.8.4/ ant
`ant' -> `apache-ant-1.8.4/'

Check:
→ ll *ant* -d
vm0017:/usr/local # ll *ant* -d
lrwxrwxrwx 1 root root   17 Jan  5 16:19 ant -> apache-ant-1.8.4/
drwxr-xr-x 6 root root 4096 May 22  2012 apache-ant-1.8.4

Environment variables (these used to be in /etc/profile, but that file might be overwritten during an upgrade)

→ vi /etc/profile.local
vm0017:/usr/local # vi /etc/profile.local

add:

##############################
# env settings for ejbca
##############################
APPSRV_HOME=/usr/local/jboss
EJBCA_HOME=/usr/local/ejbca
#JAVA_OPTS="-Xmx512M -Xms512M -XX:MaxPermSize=512m"
ANT_HOME=/usr/local/ant
PATH=${APPSRV_HOME}/bin:${JAVA_HOME}/bin:${EJBCA_HOME}/bin:${ANT_HOME}/bin:$PATH

export PATH APPSRV_HOME JAVA_HOME JAVA_OPTS EJBCA_HOME ANT_HOME ANT_OPTS

##############################
# EOF env settings for ejbca
##############################

Note the omission of JAVA_HOME.

Reread the environment:
→ source /etc/profile
vm0017:/usr/local # source /etc/profile

Check:
→ env |egrep "JAVA_HOME|JAVA_OPTS|EJBCA_HOME|ANT_HOME|ANT_OPTS|APPSRV_HOME" |sort
vm0017:/usr/local # env |egrep "JAVA_HOME|JAVA_OPTS|EJBCA_HOME|ANT_HOME|ANT_OPTS|APPSRV_HOME" |sort
ANT_HOME=/usr/local/ant
APPSRV_HOME=/usr/local/jboss
EJBCA_HOME=/usr/local/ejbca

Note the omission of JAVA_HOME (java is /usr/bin/java)!

Create database

→ mysqladmin create -u root -p ejbcadb
vm0017:/usr/local # mysqladmin create -u root -p ejbcadb
Enter password:

Just press the ENTER key: empty password.

Create user, set privileges:
→ mysql -u root -p
vm0017:/usr/local # mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

→ grant all privileges on ejbcadb.* to 'ejbca-user'@'localhost' identified by 'mysql123';
mysql> grant all privileges on ejbcadb.* to 'ejbca-user'@'localhost' identified by 'mysql123';
Query OK, 0 rows affected (0.00 sec)

mysql>

→ flush privileges;
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql>

(note: no disclaimers..)
Check actions:

→ use mysql;
mysql> use mysql;
Database changed
mysql>

→ select Host,user from user where user='ejbca-user';
mysql> select Host,user from user where user='ejbca-user';
+-----------+------------+
| Host      | user       |
+-----------+------------+
| localhost | ejbca-user |
+-----------+------------+
1 row in set (0.00 sec)

mysql> quit
Bye
vm0017:/usr/local #


Login as DB user (password check):

→ mysql ejbcadb -u ejbca-user -p
vm0017:/usr/local # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Note: user and password are correct (they are used later on in the config files); also note the minor mysql update.

Check DB content:
→ show tables;
mysql> show tables;
Empty set (0.00 sec)

mysql> quit;
Bye
vm0017:/usr/local #

Note: no leftovers (in this case hardly possible).

Installing ejbca software

→ cd /usr/local/ ; unzip $DEPOT/ejbca_ce_6_0_3.zip
vm0017:/usr/local # cd /usr/local/ ; unzip $DEPOT/ejbca_ce_6_0_3.zip
(extracting from archive not shown...)

Symbolic link for version independence:

→ ln -v -s ejbca_ce_6_0_3/ ejbca
vm0017:/usr/local # ln -v -s ejbca_ce_6_0_3/ ejbca
`ejbca' -> `ejbca_ce_6_0_3/'

Check:
→ ll ejbca* -d
vm0017:/usr/local # ll ejbca* -d
lrwxrwxrwx 1 root root   15 Jan  5 16:30 ejbca -> ejbca_ce_6_0_3/
drwx------ 9 root root 4096 Dec 19 16:26 ejbca_ce_6_0_3

Set file permissions:

→ chown -R ejbca ejbca/
vm0017:/usr/local # ll ejbca* -d
lrwxrwxrwx 1 root root   15 Jan  5 16:30 ejbca -> ejbca_ce_6_0_3/
drwx------ 9 root root 4096 Dec 19 16:26 ejbca_ce_6_0_3
(wonder why here, later on done again..)

(show that the directories are filled)

→ du -sk * |sort -n
vm0017:/usr/local # du -sk * |sort -n
0       ant
0       ejbca
0       jboss
4       bin
4       games
4       include
4       lib
4       lib64
4       sbin
4       share
4       src
44      man
10224   mysql-connector-java-5.1.22
38380   apache-ant-1.8.4
63872   ejbca_ce_6_0_3
213940  jboss-6.1.0.Final
Note: links have size 0k, empty dirs are 4k

Configuring ejbca
→ cd /usr/local/ejbca/conf ; ll
vm0017:/usr/local # cd /usr/local/ejbca/conf ; ll
total 188
-rw------- 1 ejbca root   587 Dec 19 16:26 batchtool.properties.sample
-rw------- 1 ejbca root  8267 Dec 19 16:26 cache.properties.sample
-rw------- 1 ejbca root  1366 Dec 19 16:26 catoken.properties.sample
-rw------- 1 ejbca root   396 Dec 19 16:26 certstore.properties.sample
-rw------- 1 ejbca root  8920 Dec 19 16:26 cesecore.properties.sample
-rw------- 1 ejbca root  1389 Dec 19 16:26 cmptcp.properties.sample
-rw------- 1 ejbca root   362 Dec 19 16:26 crlstore.properties.sample
-rw------- 1 ejbca root   100 Dec 19 16:26 custom.properties.sample
-rw------- 1 ejbca root  3378 Dec 19 16:26 database.properties.sample
-rw------- 1 ejbca root  7408 Dec 19 16:26 ejbca.properties.sample
-rw------- 1 ejbca root  6088 Dec 19 16:26 extendedkeyusage.properties
-rw------- 1 ejbca root  3555 Dec 19 16:26 externalra-gui.properties.sample
-rw------- 1 ejbca root  1725 Dec 19 16:26 externalra.properties.sample
-rw------- 1 ejbca root  3094 Dec 19 16:26 install.properties.sample
-rw------- 1 ejbca root  2724 Dec 19 16:26 jaxws.properties.sample
-rw------- 1 ejbca root    50 Dec 19 16:26 jndi.properties.glassfish
-rw------- 1 ejbca root   258 Dec 19 16:26 jndi.properties.jboss
-rw------- 1 ejbca root   146 Dec 19 16:26 jndi.properties.jboss7
-rw------- 1 ejbca root   146 Dec 19 16:26 jndi.properties.jbosseap6
-rw------- 1 ejbca root   217 Dec 19 16:26 jndi.properties.weblogic
-rw------- 1 ejbca root   259 Dec 19 16:26 jndi.properties.websphere
-rw------- 1 ejbca root  3067 Dec 19 16:26 log4j-glassfish.xml.sample
-rw------- 1 ejbca root  3727 Dec 19 16:26 log4j-jboss6.xml.sample
-rw------- 1 ejbca root  3158 Dec 19 16:26 log4j-jbosseap6.xml.sample
-rw------- 1 ejbca root  3157 Dec 19 16:26 log4j-weblogic.xml.sample
-rw------- 1 ejbca root  3538 Dec 19 16:26 log4j-websphere.xml.sample
drwx------ 2 ejbca root  4096 Dec 19 16:26 logdevices
-rw------- 1 ejbca root  1724 Dec 19 16:26 mail.properties.sample
-rw------- 1 ejbca root 14389 Dec 19 16:26 ocsp.properties.sample
drwx------ 2 ejbca root  4096 Dec 19 16:26 plugins
-rw------- 1 ejbca root  6456 Dec 19 16:26 scep.properties.sample
-rw------- 1 ejbca root  1832 Dec 19 16:26 va-publisher.properties.sample
-rw------- 1 ejbca root  2360 Dec 19 16:26 va.properties.sample
-rw------- 1 ejbca root 10995 Dec 19 16:26 web.properties.sample
-rw------- 1 ejbca root  2358 Dec 19 16:26 xkms.properties.sample

Basic (installation) settings:
→ cp -v install.properties.sample install.properties
vm0017:/usr/local/ejbca/conf # cp -v install.properties.sample install.properties
`install.properties.sample' -> `install.properties'

Check unchanged fields:

→ egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
ca.name=ManagementCA
ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
ca.keyspec=2048
ca.keytype=RSA
ca.signaturealgorithm=SHA1WithRSA
ca.validity=3650
ca.policy=null

Change it very carefully:

→ vi install.properties
vm0017:/usr/local/ejbca/conf # vi install.properties
Check the important fields:

line 17: ca.name=AdminCAv1
line 23: ca.dn=CN=AdminCAv1,O=minoss,C=NL
line 53: ca.keyspec=4096
line 57: ca.keytype=RSA
line 62: ca.signaturealgorithm=SHA256WithRSA
line 65: ca.validity=3650
line 69: ca.policy=null

Note: line numbers apply only to this release of ejbca!!!

→ egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
ca.name=AdminCAv1
ca.dn=CN=AdminCAv1,O=minoss,C=NL
ca.keyspec=4096
ca.keytype=RSA
ca.signaturealgorithm=SHA256WithRSA
ca.validity=3650
ca.policy=null

→ diff install.properties.sample install.properties
vm0017:/usr/local/ejbca/conf # diff install.properties.sample install.properties
17c17
< ca.name=ManagementCA
---
> ca.name=AdminCAv1
23c23
< ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
---
> ca.dn=CN=AdminCAv1,O=minoss,C=NL
53c53
< ca.keyspec=2048
---
> ca.keyspec=4096
62c62
< ca.signaturealgorithm=SHA1WithRSA
---
> ca.signaturealgorithm=SHA256WithRSA

Note:

→ cp -v ejbca.properties.sample ejbca.properties
vm0017:/usr/local/ejbca/conf # cp -v ejbca.properties.sample ejbca.properties
`ejbca.properties.sample' -> `ejbca.properties'

Check unchanged fields:

→ egrep "ca.keystorepass=" ejbca.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" ejbca.properties
vm0017:/usr/local/ejbca/conf #

Note: seems something is changed/moved here, find it...

vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" *
cesecore.properties.sample:#ca.keystorepass=foo123
cesecore.properties.sample:#ca.keystorepass=!secret!
vm0017:/usr/local/ejbca/conf #

→ cp -v cesecore.properties.sample cesecore.properties
vm0017:/usr/local/ejbca/conf # cp -v cesecore.properties.sample cesecore.properties
`cesecore.properties.sample' -> `cesecore.properties'

vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" cesecore.properties
#ca.keystorepass=foo123
#ca.keystorepass=!secret!

Change what is needed:
→ vi cesecore.properties
vm0017:/usr/local/ejbca/conf # vi ejbca.properties

line 17: ca.keystorepass=ca123
Note: line numbers apply only to this release of ejbca!!!

Quick check, grep on the file:

→ egrep "ca.keystorepass=" cesecore.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" cesecore.properties
ca.keystorepass=ca123
#ca.keystorepass=!secret!

Differences:

→ diff cesecore.properties.sample cesecore.properties
vm0017:/usr/local/ejbca/conf # diff cesecore.properties.sample cesecore.properties
17c17
< #ca.keystorepass=foo123
---
> ca.keystorepass=ca123

Note: either way, check what you need to change and what you actually did.

Database definitions / settings

→ cp -v database.properties.sample database.properties
vm0017:/usr/local/ejbca/conf # cp -v database.properties.sample database.properties
`database.properties.sample' -> `database.properties'

Check unchanged fields:
→ egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0017:/usr/local/ejbca/conf # egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0017:/usr/local/ejbca/conf #

Note that the last grep did not produce any results: in this file all these settings are commented out by default.

You must change some fields:
→ vi database.properties
vm0017:/usr/local/ejbca/conf # vi database.properties

line 18: database.name=mysql
line 32: database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
line 50: database.driver=com.mysql.jdbc.Driver
line 64: database.username=ejbca-user
line 69: database.password=mysql123

Note: line numbers are ejbca-release specific; here there are NO defaults.
Note2: note the deviation from the default db-name and passwords!
Note3: in version 4.X “datasource.mapping=mySQL” is not needed anymore.

Quick check:
→ egrep "^database.name=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0017:/usr/local/ejbca/conf # egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
database.name=mysql
database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
database.driver=com.mysql.jdbc.Driver
database.username=ejbca-user
database.password=mysql123

→ diff database.properties.sample database.properties
vm0017:/usr/local/ejbca/conf # diff database.properties.sample database.properties
18c18
< #database.name=mysql
---
> database.name=mysql
32c32
< #database.url=jdbc:mysql://127.0.0.1:3306/ejbca
---
> database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
50c50
< #database.driver=com.mysql.jdbc.Driver
---
> database.driver=com.mysql.jdbc.Driver
64c64
< #database.username=ejbca
---
> database.username=ejbca-user
69c69
< #database.password=ejbca
---
> database.password=mysql123

Web-page settings:

→ cp -v web.properties.sample web.properties
vm0017:/usr/local/ejbca/conf # cp -v web.properties.sample web.properties
`web.properties.sample' -> `web.properties'

Original settings:

→ egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
vm0017:/usr/local/ejbca/conf # egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
java.trustpassword=changeit
superadmin.password=ejbca
httpsserver.password=serverpwd
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE

Change it carefully:
→ vi web.properties
vm0017:/usr/local/ejbca/conf # vi web.properties

line 25: java.trustpassword=java123
line 36: superadmin.password=superadmin123
line 47: httpsserver.password=serverpwd123
line 50: httpsserver.hostname=vm0017.minoss.nl
line 54: httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Note: again, the line numbers are ejbca release specific!
New settings:
→ egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
vm0017:/usr/local/ejbca/conf # egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
java.trustpassword=java123
superadmin.password=superadmin123
httpsserver.password=serverpwd123
httpsserver.hostname=vm0017.minoss.nl
httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Quick check:

→ diff web.properties.sample web.properties
vm0017:/usr/local/ejbca/conf # diff web.properties.sample web.properties
25c25
< java.trustpassword=changeit
---
> java.trustpassword=java123
36c36
< superadmin.password=ejbca
---
> superadmin.password=superadmin123
47c47
< httpsserver.password=serverpwd
---
> httpsserver.password=serverpwd123
50c50
< httpsserver.hostname=localhost
---
> httpsserver.hostname=v,0017.minoss.nl
54c54
< httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
---
> httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Note: jot down the superadmin password, you need it later on.
Note2: here it is important that the hostname is properly set and resolvable!
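The four properties files above (install, cesecore, database, web) are all changed the same way: copy the .sample, edit it with vi at a release-specific line number, then egrep and diff to confirm what actually ended up in the file. The shell script below is an added example, not part of the original document or of EJBCA itself: it locates each key by name instead of by line number (so the release-specific line numbers the notes warn about no longer matter), rewrites exactly the one commented-out or active line that the diffs above show changing, and verifies the result against the intended values so that a mistyped hostname or password is caught before ant bootstrap bakes it into the deployment. The function names are chosen here; the database.properties.sample in the demo is a constructed stand-in that carries only the five keys, with the values taken from this page.

```shell
#!/bin/sh
# Added example, not part of the original document. Scriptable version of the
# "cp X.properties.sample X.properties -> vi -> egrep -> diff" cycle used for
# install.properties, cesecore.properties, database.properties and
# web.properties. Keys are located by name, never by line number. Function
# names are chosen here; the sample file in the demo is constructed, only its
# keys and values are the document's.

# get_prop FILE KEY: print the active (uncommented) value of KEY; the last
# active line wins, as in java.util.Properties. Prints nothing when only a
# commented-out "#KEY=" line exists.
get_prop() {
    awk -v key="$2" 'index($0, key "=") == 1 { print substr($0, length(key) + 2) }' "$1" |
        tail -n 1
}

# set_prop FILE KEY VALUE: rewrite the first active or "#"-commented KEY= line
# as KEY=VALUE (the diffs on this page show exactly one such line per key
# changing), or append the setting when the sample has no such line at all.
set_prop() {
    awk -v key="$2" -v value="$3" '
        { line = $0; sub(/^#+/, "", line) }
        !done && index(line, key "=") == 1 { print key "=" value; done = 1; next }
        { print }
        END { if (!done) print key "=" value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_props FILE KEY=VALUE...: report every key whose active value is not
# the intended one; non-zero exit when anything differs. Values may contain
# "=" themselves (httpsserver.dn does).
check_props() {
    file=$1; shift
    rc=0
    for kv in "$@"; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(get_prop "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have "%s", want "%s"\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Demo: apply the document's database.properties changes to a constructed
# stand-in for database.properties.sample in a temp dir and verify them.
demo_database_properties() {
    dir=$(mktemp -d) || return 1
    sample=$dir/database.properties.sample
    cat > "$sample" <<'EOF'
# constructed sample; the shipped file carries many more comment lines
#database.name=mysql
#database.url=jdbc:mysql://127.0.0.1:3306/ejbca
#database.driver=com.mysql.jdbc.Driver
#database.username=ejbca
#database.password=ejbca
EOF
    target=$dir/database.properties
    cp "$sample" "$target"
    set_prop "$target" database.name     mysql
    set_prop "$target" database.url      jdbc:mysql://127.0.0.1:3306/ejbcadb
    set_prop "$target" database.driver   com.mysql.jdbc.Driver
    set_prop "$target" database.username ejbca-user
    set_prop "$target" database.password mysql123
    # the check the document performs by hand with egrep, then the diff
    if check_props "$target" database.name=mysql \
            database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb \
            database.username=ejbca-user database.password=mysql123; then
        rc=0
    else
        rc=1
    fi
    diff "$sample" "$target" || true
    rm -rf "$dir"
    return $rc
}
```

Source the file and call, for example, `set_prop /usr/local/ejbca/conf/web.properties httpsserver.hostname vm0017.minoss.nl` followed by `check_props /usr/local/ejbca/conf/web.properties httpsserver.hostname=vm0017.minoss.nl`; the diff against the .sample stays the final eyeball check, but the check_props call is what turns a typo into a non-zero exit code.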

Stopping JBoss
Check if it is running:

→ ps -ef |grep -v grep | grep -c jboss
vm0017:/usr/local/ejbca/conf # ps -ef |grep -v grep | grep -c jboss
0
Zero instances, so not running!

Change ownership of the files, again:

→ cd /usr/local ; chown -R ejbca ejbca/ ; chown -R ejbca jboss/
vm0017:/usr/local/ejbca/conf # cd /usr/local ; chown -R ejbca ejbca/ ; chown -R ejbca jboss/
vm0017:/usr/local #

Note: don't omit the trailing slash (ejbca and jboss are symbolic links; the slash makes chown follow them into the directories).

==> return to this point if something goes wrong <==

(if needed, drop any remaining tables)

Cleaning

→ cd /usr/local/ejbca ; time ant clean > $EIL/ant_clean.log
vm0017:/usr/local/jboss # cd /usr/local/ejbca ; time ant clean > $EIL/ant_clean.log

real    0m8.410s
user    0m7.384s
sys     0m0.392s

Note the redirection of all default output, so you can read it later on.

Check result:

→ tail -3 $EIL/ant_clean.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_clean.log

BUILD SUCCESSFUL
Total time: 8 seconds

→ grep -ic warning $EIL/ant_clean.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_clean.log
0

Bootstrap
→ cd /usr/local/ejbca ; time ant bootstrap > $EIL/ant_bootstrap.log
vm0017:/usr/local/ejbca # cd /usr/local/ejbca ; time ant bootstrap > $EIL/ant_bootstrap.log

real    1m34.922s
user    1m3.460s
sys     0m5.120s

Check result:

→ tail -3 $EIL/ant_bootstrap.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_bootstrap.log

BUILD SUCCESSFUL
Total time: 1 minute 34 seconds

→ grep -ic warning $EIL/ant_bootstrap.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_bootstrap.log
0

Check results: some files should have been created:

→ ll /usr/local/jboss/server/default/deploy/ejbca*
vm0017:/usr/local/ejbca # ll /usr/local/jboss/server/default/deploy/ejbca*
-rw------- 1 root  root     3347 Jan  5 18:13 /usr/local/jboss/server/default/deploy/ejbca-ds.xml
-rw------- 1 root  root     2333 Jan  5 18:13 /usr/local/jboss/server/default/deploy/ejbca-mail-service.xml
-rw-r--r-- 1 ejbca root 15169524 Jan  5 18:13 /usr/local/jboss/server/default/deploy/ejbca.ear

Seems ok...

Jboss starting for the first time

→ cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_first_run.log
vm0017:/usr/local/ejbca # cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_first_run.log

From another console, the first couple of lines (showing the proper opts):

→ head -22 $EIL/JBoss_first_run.log
vm0017:/usr/local/ejbca/conf # head -22 $EIL/JBoss_first_run.log
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /usr/local/jboss

  JAVA: java

  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:./bin/logging.properties -Djava.library.path=/usr/local/jboss/bin/native/lib64

  CLASSPATH: /usr/local/jboss/bin/run.jar

=========================================================================

17:56:21,411 INFO  [AbstractJBossASServerBase] Server Configuration:

	JBOSS_HOME URL: file:/usr/local/jboss-6.1.0.Final/
	Bootstrap: $JBOSS_HOME/server/default/conf/bootstrap.xml
	Common Base: $JBOSS_HOME/common/
	Common Library: $JBOSS_HOME/common/lib/
	Server Name: default
	Server Base: $JBOSS_HOME/server/

Note the use of different environment variables! Note the different position of “JAVA”.

Last couple of lines:

→ tail -5 $EIL/JBoss_first_run.log
18:16:36,245 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.ExpiryQueue
18:16:36,318 INFO  [service] Removing bootstrap log handlers
18:16:36,510 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-127.0.0.1-8080
18:16:36,517 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
18:16:36,517 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 1m:24s:142ms

The first run should have created the DB tables. Check whether the DB has been initialized:

→ mysql ejbcadb -u ejbca-user -p
vm0017:~ # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

→ show tables;
mysql> show tables;
+-----------------------------+
| Tables_in_ejbcadb           |
+-----------------------------+
| AccessRulesData             |
| AdminEntityData             |
| AdminGroupData              |
| AdminPreferencesData        |
| ApprovalData                |
| AuditRecordData             |
| AuthorizationTreeUpdateData |
| Base64CertData              |
| CAData                      |
| CRLData                     |
| CertReqHistoryData          |
| CertificateData             |
| CertificateProfileData      |
| CryptoTokenData             |
| EndEntityProfileData        |
| GlobalConfigurationData     |
| HardTokenCertificateMap     |
| HardTokenData               |
| HardTokenIssuerData         |
| HardTokenProfileData        |
| HardTokenPropertyData       |
| InternalKeyBindingData      |
| KeyRecoveryData             |
| PublisherData               |
| PublisherQueueData          |
| ServiceData                 |
| UserData                    |
| UserDataSourceData          |
+-----------------------------+
28 rows in set (0.00 sec)

mysql> exit;
Bye

So the database can be reached and filled!

EJBCA ant install

→ cd /usr/local/ejbca ; time ant install > $EIL/ant_install.log
vm0017:/usr/local/ejbca # cd /usr/local/ejbca ; time ant install > $EIL/ant_install.log

real    1m15.114s
user    0m35.490s
sys     0m3.056s

Check the log file:

→ tail -3 $EIL/ant_install.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_install.log

BUILD SUCCESSFUL
Total time: 1 minute 14 seconds

→ grep -ic warning $EIL/ant_install.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_install.log
0

Stopping JBoss
Check if it is running:

→ ps -ef |grep -v grep | grep -c jboss
vm0017:/usr/local/ejbca # ps -ef |grep -v grep | grep -c jboss
1

Stop it nicely:
→ cd /usr/local/jboss ; ./bin/shutdown.sh -S
vm0017:/usr/local/ejbca # cd /usr/local/jboss ; ./bin/shutdown.sh -S
Shutdown message has been posted to the server.
Server shutdown may take a while - check logfiles for completion

Last lines from the logfile:
→ tail -5 $EIL/JBoss_first_run.log
vm0017:/usr/local/jboss # tail -5 $EIL/JBoss_first_run.log
19:57:42,487 INFO  [HornetQServerImpl] HornetQ Server version 2.2.5.Final (HQ_2_2_5_FINAL_AS7, 121) [c38462cb-7624-11e3-a307-00163e001700] stopped
19:57:42,652 INFO  [MailService] Mail service 'java:/Mail' removed from JNDI
19:57:42,667 INFO  [JMXConnector] JMXConnector stopped
19:57:42,879 INFO  [MailService] Mail service 'java:/EjbcaMail' removed from JNDI
19:57:45,424 INFO  [AbstractServer] Stopped: JBossAS [6.1.0.Final "Neo"] in 5s:856ms

Ejbca deploy

→ cd /usr/local/ejbca ; time ant deploy > $EIL/ant_deploy.log
vm0017:/usr/local/jboss # cd /usr/local/ejbca ; time ant deploy > $EIL/ant_deploy.log

real    1m8.726s
user    0m55.559s
sys     0m4.744s

Last lines from the log file:
→ tail -3 $EIL/ant_deploy.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_deploy.log

BUILD SUCCESSFUL
Total time: 1 minute 8 seconds

→ grep -ic warning $EIL/ant_deploy.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_deploy.log
0
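Every ant target on this page (clean, bootstrap, install, deploy) is checked the same way: tail -3 of the log must end in "BUILD SUCCESSFUL" and grep -ic warning must print 0. The script below is an added example, not part of the original document or of EJBCA: check_ant_log does both checks and returns a distinct exit status for a failed build and for a successful build with warnings, and run_ant_target wraps the "cd /usr/local/ejbca ; ant TARGET > $EIL/ant_TARGET.log" step so the log is checked immediately instead of by hand. Function names are chosen here; EJBCA_HOME and EIL are the document's variables (EIL is never defined in the profile.local shown, so the example assumes it is exported elsewhere), and the log snippets in the demo are constructed to match the shape of the tail -3 output above.

```shell
#!/bin/sh
# Added example, not part of the original document. Wraps the repeated
# "tail -3 LOG" / "grep -ic warning LOG" check into one function with a
# distinct status per failure mode. Function names are chosen here;
# EJBCA_HOME and EIL are the document's variables, assumed to be exported.

# check_ant_log LOGFILE
#   0: build successful and no line mentions "warning"
#   1: no "BUILD SUCCESSFUL" line (build failed, or killed before the summary)
#   2: successful, but warnings were logged (read them before deploying)
check_ant_log() {
    log=$1
    if [ ! -r "$log" ]; then
        printf '%s: log not readable\n' "$log"
        return 1
    fi
    if ! grep -q '^BUILD SUCCESSFUL' "$log"; then
        printf '%s: build not successful, last lines:\n' "$log"
        tail -n 3 "$log"
        return 1
    fi
    warnings=$(grep -ic warning "$log")   # the same count the document inspects
    if [ "$warnings" -ne 0 ]; then
        printf '%s: %s line(s) mention warning\n' "$log" "$warnings"
        return 2
    fi
    return 0
}

# run_ant_target TARGET: like the document's "cd /usr/local/ejbca ; ant TARGET
# > $EIL/ant_TARGET.log", but stderr is captured in the log too and the log
# is checked straight away. Exit status is that of check_ant_log.
run_ant_target() {
    target=$1
    log=${EIL:?EIL must name the log directory}/ant_$target.log
    ( cd "${EJBCA_HOME:-/usr/local/ejbca}" && ant "$target" > "$log" 2>&1 )
    check_ant_log "$log"
}

# Demo on constructed logs shaped like the tail -3 output in the transcript;
# prints one status line per log and returns 0 itself.
demo_check_ant_log() {
    dir=$(mktemp -d) || return 1
    printf 'clean:\n   [delete] Deleting directory /usr/local/ejbca/tmp\n\nBUILD SUCCESSFUL\nTotal time: 8 seconds\n' > "$dir/ok.log"
    printf 'compile:\n    [javac] warning: [options] bootstrap class path not set\n\nBUILD SUCCESSFUL\nTotal time: 1 minute 14 seconds\n' > "$dir/warn.log"
    printf 'BUILD FAILED\n/usr/local/ejbca/build.xml:1: constructed failure\n\nTotal time: 2 seconds\n' > "$dir/failed.log"
    for f in ok warn failed; do
        if check_ant_log "$dir/$f.log" >/dev/null; then status=0; else status=$?; fi
        printf '%s.log -> status %s\n' "$f" "$status"
    done
    rm -rf "$dir"
}
```

With the functions sourced, `run_ant_target bootstrap && run_ant_target install` stops at the first target whose log does not show a clean BUILD SUCCESSFUL, which is exactly the point at which the transcript says to return to the checkpoint above and drop any remaining tables.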

Further checks:

→ ls -l /usr/local/jboss/server/default/conf/keystore/
vm0017:/usr/local/ejbca # ls -l /usr/local/jboss/server/default/conf/keystore/
total 12
-rw------- 1 root root 5243 Jan  5 18:18 keystore.jks
-rw------- 1 root root 1423 Jan  5 18:18 truststore.jks

Observe date & time of the files...

Restart Jboss.

→ cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_second_run.log
vm0017:/usr/local/jboss # cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_second_run.log

Again, first lines:

→ head -22 $EIL/JBoss_second_run.log
vm0017:/usr/local/ejbca # head -22 $EIL/JBoss_second_run.log
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /usr/local/jboss

  JAVA: java

  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:./bin/logging.properties -Djava.library.path=/usr/local/jboss/bin/native/lib64

  CLASSPATH: /usr/local/jboss/bin/run.jar

=========================================================================

20:03:06,137 INFO  [AbstractJBossASServerBase] Server Configuration:

	JBOSS_HOME URL: file:/usr/local/jboss-6.1.0.Final/
	Bootstrap: $JBOSS_HOME/server/default/conf/bootstrap.xml
	Common Base: $JBOSS_HOME/common/
	Common Library: $JBOSS_HOME/common/lib/
	Server Name: default
	Server Base: $JBOSS_HOME/server/

Equally important: the last lines
→ tail -22 $EIL/JBoss_second_run.log
vm0017:/usr/local/ejbca # tail -22 $EIL/JBoss_second_run.log
20:04:29,932 INFO  [STDOUT] Roles or CAs exist, not intializing Super Administrator Role
20:04:30,061 INFO  [STDOUT] Custom certificate serial number not allowed since there is no unique index on (issuerDN,serialNumber) on the 'CertificateData' table.
20:04:30,081 INFO  [STDOUT] No OcspKeyBindings found. Processing ocsp.properties to see if we need to perform conversion.
20:04:30,136 INFO  [STDOUT] Activated Crypto Token with id -606009209.
20:04:30,145 INFO  [STDOUT] Default OCSP responder with subject 'CN=ManagementCA,O=EJBCA Sample,C=SE' was not found. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error).
20:04:30,145 INFO  [STDOUT] No default OCSP responder has been configured. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error).
20:04:30,184 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/clearcache
20:04:30,206 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb
20:04:30,226 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/doc
20:04:30,242 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/healthcheck
20:04:30,257 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca
20:04:30,276 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/apply
20:04:30,292 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/status
20:04:30,341 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/webdist
20:04:30,362 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.DLQ
20:04:30,520 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.ExpiryQueue
20:04:30,558 INFO  [service] Removing bootstrap log handlers
20:04:30,650 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
20:04:30,651 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8442
20:04:30,652 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
20:04:30,655 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
20:04:30,656 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 1m:24s:513ms

Check the TCP ports:

→ lsof -i -P |egrep "8080|844"
vm0017:/usr/local/ejbca # lsof -i -P |egrep "8080|844"
java    7264 root  501u  IPv4 18137      0t0  TCP *:8080 (LISTEN)
java    7264 root  503u  IPv4 18140      0t0  TCP *:8442 (LISTEN)
java    7264 root  504u  IPv4 18143      0t0  TCP *:8443 (LISTEN)
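The egrep above only shows lines that happen to contain 8080 or 844; it does not fail when one of the three connectors is missing (the first run, for instance, only brought up 8080 bound to 127.0.0.1). The script below is an added example, not part of the original document or of EJBCA: it parses `lsof -i -P` output into the TCP ports actually in LISTEN state and returns non-zero when an expected port has no listener, so the check can sit in a start script rather than be eyeballed. Function names are chosen here; the sample lsof output is constructed from the lines shown on this page (the MySQL check earlier and the JBoss ports just above).

```shell
#!/bin/sh
# Added example, not part of the original document. Turns the
# 'lsof -i -P |egrep "8080|844"' eyeball check into one that fails when an
# expected TCP port has no LISTEN socket. Function names are chosen here; the
# sample output below is constructed from lsof lines shown in the transcript.

# listening_ports < lsof-output: print "PID COMMAND PORT" for every TCP
# socket in LISTEN state, using the `lsof -i -P` column layout
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]); NAME is
# host:port, so the port is the last ":"-separated field.
listening_ports() {
    awk '$NF == "(LISTEN)" && $8 == "TCP" {
        n = split($9, a, ":"); print $2, $1, a[n]
    }'
}

# expect_listen FILE PORT...: FILE holds `lsof -i -P` output (on the live
# system: lsof -i -P > file). Names every PORT that nothing listens on and
# returns non-zero if there is at least one.
expect_listen() {
    file=$1; shift
    rc=0
    for port in "$@"; do
        if ! listening_ports < "$file" | awk -v p="$port" '$3 == p { found = 1 } END { exit !found }'; then
            printf 'no TCP listener on port %s\n' "$port"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: lsof lines from the MySQL check and from the second
# JBoss start on this page, with the UDP and ESTABLISHED lines kept in so the
# filter has something to reject.
sample_lsof_output() {
    cat <<'EOF'
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388  root    8u  IPv4   5660      0t0  TCP *:111 (LISTEN)
rpcbind 2388  root    9u  IPv6   5662      0t0  UDP *:111
mysqld  2877 mysql   10u  IPv4   6037      0t0  TCP *:3306 (LISTEN)
sshd    3199  root    3u  IPv4   6337      0t0  TCP *:22 (LISTEN)
master  3304  root   12u  IPv4   7054      0t0  TCP localhost:25 (LISTEN)
sshd    3475  root    3r  IPv4   7733      0t0  TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)
java    7264  root  501u  IPv4  18137      0t0  TCP *:8080 (LISTEN)
java    7264  root  503u  IPv4  18140      0t0  TCP *:8442 (LISTEN)
java    7264  root  504u  IPv4  18143      0t0  TCP *:8443 (LISTEN)
EOF
}

# Demo: the check the document does by hand, on the constructed sample.
demo_expect_listen() {
    f=$(mktemp) || return 1
    sample_lsof_output > "$f"
    listening_ports < "$f"
    expect_listen "$f" 8080 8442 8443 3306
    rc=$?
    rm -f "$f"
    return $rc
}
```

On the real machine `lsof -i -P > /tmp/ports.txt; expect_listen /tmp/ports.txt 8080 8442 8443` gives a pass/fail answer for the three EJBCA connectors; the constructed sample only stands in for that output so the example runs offline.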

Check the results in the DB:

→ mysql ejbcadb -u ejbca-user -p
→ select * from AdminEntityData;
vm0017:/usr/local/ejbca # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 113
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select * from AdminEntityData;
+-----------+-----------+-----------+------------+-----------+---------------+------------+--------------------------------+------------------------------+
| pK        | cAId      | matchType | matchValue | matchWith | rowProtection | rowVersion | tokenType                      | AdminGroupData_adminEntities |
+-----------+-----------+-----------+------------+-----------+---------------+------------+--------------------------------+------------------------------+
|  88089314 |         0 |      1000 | ejbca      |         0 | NULL          |          0 | CliAuthenticationToken         |                            1 |
| 715646759 | 749716675 |      1000 | SuperAdmin |         8 | NULL          |          0 | CertificateAuthenticationToken |                            1 |
+-----------+-----------+-----------+------------+-----------+---------------+------------+--------------------------------+------------------------------+
2 rows in set (0.02 sec)

mysql> exit;
Bye
vm0017:/usr/local/ejbca #

Test: transfer the super end entity user

→ ll /usr/local/ejbca/p12
vm0017:/usr/local/ejbca # ll /usr/local/ejbca/p12
total 20
-rw-r--r-- 1 root root 4254 Jan  5 18:18 superadmin.p12
-rw-r--r-- 1 root root 5243 Jan  5 18:18 tomcat.jks
-rw-r--r-- 1 root root 1423 Jan  5 18:18 truststore.jks

Store them on the local machine with the browser:
=> mkdir -p /root/ejbca/vm0017
=> cd /root/ejbca/vm0017
=> sftp vm0017
=> cd /usr/local/ejbca/p12
=> get superadmin.p12
=> cd /usr/local/ejbca/conf
=> get *.properties
=> quit
orion:~/ejbca/vm0017 # sftp vm0017
Password:
Connected to vm0017.
sftp> cd /usr/local/ejbca/p12
sftp> get superadmin.p12
Fetching /usr/local/ejbca_ce_6_0_3/p12/superadmin.p12 to superadmin.p12
/usr/local/ejbca_ce_6_0_3/p12/superadmin.p12                        100% 4254     4.2KB/s   00:00
sftp> cd /usr/local/ejbca/conf
sftp> get *.properties
Fetching /usr/local/ejbca_ce_6_0_3/conf/cesecore.properties to cesecore.properties
/usr/local/ejbca_ce_6_0_3/conf/cesecore.properties                  100% 8918     8.7KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/database.properties to database.properties
/usr/local/ejbca_ce_6_0_3/conf/database.properties                  100% 3383     3.3KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/ejbca.properties to ejbca.properties
/usr/local/ejbca_ce_6_0_3/conf/ejbca.properties                     100% 7408     7.2KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/extendedkeyusage.properties to extendedkeyusage.properties
/usr/local/ejbca_ce_6_0_3/conf/extendedkeyusage.properties          100% 6088     6.0KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/install.properties to install.properties
/usr/local/ejbca_ce_6_0_3/conf/install.properties                   100% 3084     3.0KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/web.properties to web.properties
/usr/local/ejbca_ce_6_0_3/conf/web.properties                       100%   11KB  10.8KB/s   00:00
sftp> quit
orion:~/ejbca/vm0017 #

Start firefox:
Tab “Edit” → tab “Preferences” → tab “Advanced” → tab “Certificates” → tab “View Certificates” → tab “Delete” if any previous certificates are still around
Tab “Import” → tab “Your Certificates” → tab “Import” → tab “root” → folder “root” → folder “ejbca” → folder “vm0017” → file “superadmin.p12”


browse to: https://vm0017.minoss.nl:8443/ejbca/

The CA has a self-signed certificate and is hence untrusted. Confirm the exception and accept.


browse to: https://vm0017.minoss.nl:8442/ejbca/

