INSTALLATION AND CONFIGURATION DOCUMENT · 2017-10-03 · - Verify TL signature. The Download TL...
Commission européenne, B-1049 Bruxelles / Europese Commissie, B-1049 Brussel - Belgium. Telephone: (32-2) 299 11 11. Office: 05/45. Telephone: direct line (32-2) 2999659. Commission Européenne, L-2920 Luxembourg. Telephone: (352) 43 01-1.
DIGIT Unit A3
INSTALLATION AND CONFIGURATION DOCUMENT
TLMANAGER 5.0
Date: 14/06/2016 Doc. Version: v1.00
PM² Template v2.1.0 (Oct.2013)
Document Control Information
Settings Value
Document Title: INSTALLATION AND CONFIGURATION DOCUMENT
Project Title: TLMANAGER 5.0
Document Author: Mr. Nicolas Pirard
Project Owners: Mr. Andrea Servida, DG CNECT
Project Manager: Mr. Philippe Schneider, DIGIT
Doc. Version: v1.00
Sensitivity: High
Date: 14/06/2016
Document Approver(s) and Reviewer(s):
NOTE: All Approvers are required. Records of each approver must be maintained. All
Reviewers in the list are considered required unless explicitly listed as Optional.
Name DG Role Action Date
Mr. Philippe Schneider DIGIT.B.1 Information Systems Architect
Mr. Pierre Damas DIGIT.B.1 Head of Sector
Mr. Tom Vekemans DIGIT.B.1 Head of Unit DIGIT.B.1
Mr. Andrea Servida CNECT Head of eIDAS Task Force
Document history:
The Document Author is authorized to make the following types of changes to the document
without requiring that the document be re-approved:
Editorial, formatting, and spelling
Clarification
To request a change to this document, contact the Document Author or Owner.
Changes to this document are summarized in the following table in reverse chronological order
(latest version first).
Revision Date Created by Short Description of Changes
V0.6 14/06/2016 Nicolas Pirard Add “How to sign a TL” part
Configuration Management: Document Location
The latest version of this controlled document is stored in:
Abbreviations and Acronyms:
Code Description
BB Building Block (CEF)
CAdES CMS Advanced Electronic Signature
CD Commission Decision
CEF Connecting Europe Facility
CSP Core Service Platform (CEF)
DSI Digital Service Infrastructure (CEF)
EC European Commission
EUGO European network of the national Points of Single Contact
FAT Factory Acceptance Testing
GS Generic Service (CEF)
HR Human Readable
IA Implementing Act
LOTL European Commission List of pointers to Member States’ Trusted Lists
LSP Large Scale Pilot
MP Machine Processable
MS / EUMS Member State
OJ Official Journal
PAO Project and Architecture Office (CEF)
PAdES PDF Advanced Electronic Signature
PoSC / PSC Point of Single Contact
SCA Signature Creation Application
SCD Signature Creation Device
SD Services Directive
SME Subject Matter Expert
SMO Stakeholder Management Office (CEF)
STF Specialist Task Force
SVA Signature Validation Application
TL Trusted List
UAT User Acceptance Testing
WP Work Package
XAdES XML Advanced Electronic Signature
Reference documents:
Reference Document Date Version
TABLE OF CONTENTS
1 INTRODUCTION ................................................................................................................... 6
2 TLMANAGER INSTALLATION AND CONFIGURATION ............................................................ 7
2.1 PREREQUISITE .................................................................................................................. 7
2.2 DEPLOYMENT ................................................................................................................... 7
2.3 MYSQL DATABASE CONFIGURATION ............................................................................... 7
2.4 TOMCAT CONFIGURATION .............................................................................................. 8
2.5 TLMANAGER INSTALLATION ............................................................................................ 9
3 HOW TO ............................................................................................................................ 10
3.1 HOW TO START AND STOP THE APPLICATION ............................................................... 10
3.2 HOW TO CONFIGURE MONITORING JOBS ..................................................................... 10
3.3 HOW TO USE YOUR OWN CAS SERVER AND USER LOGIN ............................................. 11
3.4 HOW TO MANAGE USERS .............................................................................................. 11
3.5 HOW TO MANAGE LOTL SIGNING CERTIFICATES .......................................................... 11
3.6 HOW TO SIGN A TL......................................................................................................... 12
TABLE OF FIGURES
Figure 1: MySQL Administration ................................................................................................... 8
Figure 2: MySQL Script Execution ................................................................................................. 8
Figure 3: Tomcat folder ................................................................................................................. 8
Figure 4: LOTL Signing Certificates menu .................................................................................... 11
Figure 5: Annex of Official Journal on 25/04/2016 ..................................................................... 12
Figure 6: Add Base 64 Encoded Certificate ................................................................................. 12
Figure 7: Copy paste of Base 64 Encoded Certificate ................................................................. 12
Figure 8: Signature popup when NexU is not running on the computer .................................... 12
Figure 9: NexU icon in the system tray ....................................................................................... 13
1 INTRODUCTION
The aim of this document is to provide information on the installation and the configuration of
the TLManager application in version 5.
2 TLMANAGER INSTALLATION AND CONFIGURATION
TLManager 5.0 is a web application for browsing, editing and monitoring Trusted Lists. Below
are presented the prerequisites for the installation of the application and information on how
to configure the web environment.
2.1 PREREQUISITE
As a web application, TL Manager needs the following software as a prerequisite:
- A Web Server (preferably Tomcat), for deploying TLManager;
- A SQL Database (preferably MySQL), for storing data of the application;
- A Central Authentication Service (CAS), for managing registered access.
- Java 8 as minimum JDK.
An existing Tomcat-MySQL-CAS environment can be reused, or a new one can be installed. As
this application is a standard JEE application, please note that, with minor adjustments, other
Web Servers, SQL Databases or CAS-based identity providers might be used as well.
TLManager has been tested successfully with the following configuration:
                  Environment 1                Environment 2                    Environment 3
Operating System  Windows 7 x64 Professional   Linux 3.13.0-57-generic x86_64   Linux (unknown) 2.6.32-573.7.1.el6.x86_64
Java              Oracle JDK 8u66              Oracle JRE 1.8.0_92-b14          Oracle JRE 1.8.0_66-b17
Apache Tomcat     8.0.32                       8.0.33                           8.0.28
MySQL             5.6                          5.5.49                           5.6.24
2.2 DEPLOYMENT
When the environment is available, the installation starts by downloading the latest release from
joinup: https://joinup.ec.europa.eu/software/tlmanager/release/all
The zip file contains 3 folders, which will be used in the remainder of the document:
- TLMInstallation\warFiles
- TLMInstallation\dbScript
- TLMInstallation\properties
The following sections detail the deployment in 3 main steps:
- The Database is first created;
- The Web Server is configured;
- TLManager is installed on the Web Server.
2.3 MYSQL DATABASE CONFIGURATION
Connect to the MySQL administration and create a new database named “tsl” with the collation
“utf8_general_ci”, by using the following SQL statement:
CREATE DATABASE tsl DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
or by using the phpMyAdmin interface as shown below:
Figure 1: MySQL Administration
Then execute the SQL script “dbInit.sql” found in the folder “TLMInstallation\dbScript” of the
release.
Please note that the script is for a MySQL instance and should be adapted for other databases.
Figure 2: MySQL Script Execution
2.4 TOMCAT CONFIGURATION
Create a folder “tsl” in the tomcat folder at the same level as the “webapps” folder.
Figure 3: Tomcat folder
Copy the “keystore.jks” file found in the “TLMInstallation” folder into the tomcat folder (at
the same level as the “tsl” folder).
Copy the 2 properties files found in the folder “TLMInstallation\properties” into the “lib” folder
(“\tomcat\lib”) of the Web Server:
- “TLMInstallation/properties/application-tlmanager-custom.properties”
- “TLMInstallation/properties/proxy.properties”
Adapt the 2 files to match the targeted environment (if appropriate):
- proxy.properties
proxy.http.host=127.0.0.1
proxy.http.port=8008
proxy.http.user=
proxy.http.password=
proxy.http.enabled=false
proxy.http.exclude=
proxy.https.host=127.0.0.1
proxy.https.port=8008
proxy.https.user=
proxy.https.password=
proxy.https.enabled=false
proxy.https.exclude=
- application-tlmanager-custom.properties (xxx.xxx.xxx.xxx should be the server IP address)
tsl.folder = ${catalina.base}/tsl
lotl.keystore.file = ${catalina.base}/keystore.jks
casServerUrl=http://xxx.xxx.xxx.xxx:8080/cas-server-webapp-4.0.0/
casServiceUrl=http://xxx.xxx.xxx.xxx:8080/tl-manager
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/tsl?UseUnicode=true&characterEncoding=utf8
jdbc.username=root
jdbc.password=passw
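As an added example (not part of the TLManager release): a small loader for the properties file above that expands the ${catalina.base} placeholder against a supplied mapping and flags template values that were left in place. The review rules and the constructed sample are the example's own, built from the document's values.

```python
import re

# Keys the document's application-tlmanager-custom.properties sample defines.
REQUIRED_KEYS = ("tsl.folder", "lotl.keystore.file", "casServerUrl", "casServiceUrl",
                 "jdbc.driverClassName", "jdbc.url", "jdbc.username", "jdbc.password")

def load_properties(text, env):
    """Parse simple Java .properties text (key=value or key: value, # and ! comments)
    and expand ${name} placeholders such as ${catalina.base} from the env mapping."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        value = re.sub(r"\$\{([\w.]+)\}", lambda p: env.get(p.group(1), p.group(0)), m.group(2))
        props[m.group(1)] = value
    return props

def review_tlmanager_config(props):
    """Return findings an administrator should resolve before exposing the instance."""
    findings = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in props]
    cas_server, cas_service = props.get("casServerUrl", ""), props.get("casServiceUrl", "")
    if cas_server.startswith("http://"):
        findings.append("casServerUrl uses plain http; CAS logins and tickets are sent unencrypted")
    if "xxx.xxx.xxx.xxx" in cas_server + cas_service:
        findings.append("CAS URLs still contain the xxx.xxx.xxx.xxx placeholder")
    if props.get("jdbc.username") == "root":
        findings.append("jdbc.username is root; use an account limited to the tsl database")
    if props.get("jdbc.password", "") in ("", "passw"):
        findings.append("jdbc.password is empty or the sample value from the documentation")
    return findings

# Constructed sample: the document's template values, unchanged, as an operator might
# deploy them by mistake.
SAMPLE_PROPERTIES = """\
tsl.folder = ${catalina.base}/tsl
lotl.keystore.file = ${catalina.base}/keystore.jks
casServerUrl=http://xxx.xxx.xxx.xxx:8080/cas-server-webapp-4.0.0/
casServiceUrl=http://xxx.xxx.xxx.xxx:8080/tl-manager
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/tsl?UseUnicode=true&characterEncoding=utf8
jdbc.username=root
jdbc.password=passw
"""

if __name__ == "__main__":
    cfg = load_properties(SAMPLE_PROPERTIES, {"catalina.base": "/opt/tomcat"})
    print(cfg["tsl.folder"])
    for finding in review_tlmanager_config(cfg):
        print("-", finding)
```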
2.5 TLMANAGER INSTALLATION
Copy the 3 war files found in the folder “TLMInstallation\warFiles” in the “webapps” Tomcat
folder (“\tomcat\webapps”) of the Web Server.
- “TLMInstallation/warFiles/tlmanager.war”
- “TLMInstallation/warFiles/digit-tsl-pretty-print-web.war”
- “TLMInstallation/warFiles/cas-server-webapp-4.0.0.war”. This last war file is the CAS
server, delivered for convenience together with the application. Another CAS server can
be used as an alternative.
Start the Web Server. (See 3.1 HOW TO START AND STOP THE APPLICATION).
The first time the application is started, the monitoring system will download all available
production EU TLs, run conformity checks on them and store data in the database. This can take
around 30 minutes, depending on the availability of the TLs and the server infrastructure.
Once started, the application can be accessed via: http://xxx.xxx.xxx.xxx:8080/tl-manager where
xxx.xxx.xxx.xxx is the IP address of the server.
3 HOW TO
3.1 HOW TO START AND STOP THE APPLICATION
To start your tomcat webserver,
- Go to the “bin” folder of your tomcat installation (“\tomcat\bin”).
- Execute the startup script.
- Verify in the log file that the server is starting. You should wait for the following line to
appear in log before accessing the TLManager web application.
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in ….. ms
For example, here are the 3 command lines we used to start the server on a Linux environment
(Environment 2) and verify the log file:
cd /opt/tomcat/bin
./startup.sh
tail -200f ../logs/catalina.out
To stop your tomcat webserver,
- Go to the “bin” folder of your tomcat installation (“\tomcat\bin”).
- Execute the shutdown script.
- Verify in the log file that the server is stopping. As there are automatic monitoring jobs
executed for TLManager on your server, it is possible that the shutdown script does not kill
all the processes. You need to kill them manually before restarting your server.
For example, on a Linux environment (Environment 2), we used the “ps -ef” command to
verify that there is no tomcat process running. If there was one, we used the “kill” command to
kill it.
3.2 HOW TO CONFIGURE MONITORING JOBS
More than a TL editing application, TLManager includes browsing and monitoring features. When
TLManager is deployed on the web server, 3 scheduled jobs are installed for scheduled execution:
- Download TL.
- Check TL conformity.
- Verify TL signature.
The Download TL job verifies that TLManager is up to date with all the EU published TLs. If a
new TL is published, this job will download the new TL and update your system. By default, this
job runs every 10 minutes.
The Check TL conformity job checks the TL content against specific rules included in the system.
By default, this job runs once a day, at 2 am, and can take time (around 30 minutes).
The Verify TL signature job checks the signature validity by using SD-DSS. By default, this job
runs once a day, at 01.00 am.
If you want to change the default timing, you can add the following lines to your application-tlmanager-
custom.properties file (See 2.4 TOMCAT CONFIGURATION). Here are the 3 lines you need
and the 3 CRON values you have to update:
# Download TL - every 10 minutes
cron.loading.job = 0 0/10 * * * ?
# Verify TL signature - every day @ 1AM
cron.signature.validation.job = 0 0 1 * * ?
# Check TL conformity - every day @ 2AM
cron.rules.validation.job = 0 0 2 * * ?
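Added example, not TLManager code: a matcher for the Quartz-style six-field cron expressions used by the three job properties above, so a changed schedule can be checked before Tomcat is restarted. The property names are the document's; the sample date and the check logic are the example's own.

```python
from datetime import datetime

# The three expressions from the document's sample configuration (copied here as data).
TLMANAGER_CRON = {
    "cron.loading.job": "0 0/10 * * * ?",            # Download TL, every 10 minutes
    "cron.signature.validation.job": "0 0 1 * * ?",  # Verify TL signature, daily 01:00
    "cron.rules.validation.job": "0 0 2 * * ?",      # Check TL conformity, daily 02:00
}
# Quartz field order and ranges: sec, min, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (1, 7)]

def _field_values(spec, lo, hi):
    """Expand one field ('*', '?', 'n', 'a-b', 'a/b', comma lists) into a set of ints.
    Unsupported Quartz tokens (L, W, #) raise ValueError via int()."""
    values = set()
    for part in spec.split(","):
        step, ranged = 1, "/" in part
        if ranged:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part in ("*", "?"):
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if ranged else start  # '0/10' means 0, 10, 20 ... up to the maximum
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"value out of range in field {spec!r}")
        values.update(range(start, end + 1, step))
    return values

def parse_quartz_cron(expr):
    """Return six value sets, one per field; raises ValueError for malformed input."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {expr!r}")
    return [_field_values(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def cron_matches(expr, when):
    """True if the expression fires at `when` (a datetime or an ISO 8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    sec, minute, hour, dom, month, dow = parse_quartz_cron(expr)
    quartz_dow = when.isoweekday() % 7 + 1  # Quartz numbers days 1=Sunday .. 7=Saturday
    return (when.second in sec and when.minute in minute and when.hour in hour
            and when.day in dom and when.month in month and quartz_dow in dow)

def firings_per_day(expr, day=datetime(2016, 6, 1)):
    """How many times the expression fires on one calendar day (default date is constructed)."""
    sec, minute, hour, dom, month, dow = parse_quartz_cron(expr)
    if day.day not in dom or day.month not in month or (day.isoweekday() % 7 + 1) not in dow:
        return 0
    return len(sec) * len(minute) * len(hour)
```

Running firings_per_day over TLMANAGER_CRON shows the shipped defaults as 144 downloads and one run of each validation job per day, which is the baseline to compare a modified file against.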
3.3 HOW TO USE YOUR OWN CAS SERVER AND USER LOGIN
In the application-tlmanager-custom.properties file (See 2.4 TOMCAT CONFIGURATION),
modify the 2 following properties with your value and restart your webserver.
casServerUrl=https://xxxxxxxxxxxxxxx
casServiceUrl=http://xxxxxxxxxxx:8080/tl-manager
3.4 HOW TO MANAGE USERS
- You have a super administrator set in the application:
Log in to the application as super administrator (take a look at the Note below), choose
“Users” in the management menu and manage your users.
- You don’t have a super administrator set in the application:
Create a super administrator directly in the “tsl” database by adding a user in the
“TL_USERS” table and give him the super administrator role by using the
“TL_USER_ROLE” table. After this, you will be able to log in as super administrator
and manage users directly in TL-Manager.
Note: All the users created with TL-Manager roles need to have a valid and authorized CAS
account to access the application. (Update the deployerConfigContext.xml file in the WEB-INF folder of
the CAS project deployed on your tomcat, if you use it. The “test” user is already configured with
“password” as password.)
3.5 HOW TO MANAGE LOTL SIGNING CERTIFICATES
Log in to the application as a user with the “Administrator” role (See 3.4 HOW TO MANAGE
USERS) and choose the “LOTL Signing Certificates” menu.
Figure 4: LOTL Signing Certificates menu
Add the authorized signing certificate (e.g. the one found in the Annex of the Official Journal
publication) to the TL-Manager system, by copying the PEM value without the -----BEGIN
CERTIFICATE----- and -----END CERTIFICATE----- lines.
The signing certificate list is used by the check system to validate the LOTL signature and
the TL pointers, especially the certificate provided in.
i.e. on 14/05/2016, the URI of the Official Journal was:
http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1451901264509&uri=OJ:JOC_2015_435_R_0001
Figure 5: Annex of Official Journal on 25/04/2016
Figure 6: Add Base 64 Encoded Certificate
Figure 7: Copy paste of Base 64 Encoded Certificate
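An added example (not TLManager's own code) for the copy step above: it strips the BEGIN/END lines from a PEM certificate, checks that the remaining base64 decodes to one complete DER SEQUENCE (the outer structure of every X.509 certificate), and returns a SHA-256 fingerprint of the DER bytes for comparison with a second copy of the certificate. The sample input is a constructed DER object, not a real certificate.

```python
import base64
import binascii
import hashlib

def pem_body(pem):
    """Strip PEM armor lines and whitespace, returning one continuous base64 string.
    Tolerates the '-----BEGIN CERTIFICATE -----' spacing seen in pasted text."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def der_length(der):
    """Total length (tag + length bytes + content) of the outer DER element."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = SEQUENCE; a Certificate always starts with it
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                    # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                    # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_certificate_b64(b64):
    """Validate the base64 body and return the SHA-256 fingerprint (hex) of the DER bytes."""
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if der_length(der) != len(der):
        raise ValueError("DER length does not match decoded size (truncated or extra data)")
    return hashlib.sha256(der).hexdigest()

# Constructed sample: a DER SEQUENCE wrapping one INTEGER, armored as PEM. It is NOT a
# real certificate; it only exercises the armor stripping and the length check.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    body = pem_body(SAMPLE_PEM)
    print(body, check_certificate_b64(body))
```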
3.6 HOW TO SIGN A TL
Prerequisite: NexU is running on the local PC used for signing. If NexU is not running, the
following information popup will be displayed.
Figure 8: Signature popup when NexU is not running on the computer
If NexU is not present on your PC, please download it (version 1.6.1) at:
http://lab.nowina.solutions/nexu-releases/nexu-bundle-1.6.1.zip (the same link is provided in the
information popup presented above).
NexU provided here above is currently not the same as NexU-EC used to sign on the central TL
Manager hosted at the Commission. Please note that unlike NexU-EC, NexU is currently provided
without a Windows installer. If you plan to sign both locally and centrally, you will need both
NexU and NexU-EC.
Once downloaded, unzip nexu-bundle-1.6.1.zip and double-click on the NexU-Startup.bat file.
This action will start NexU on your computer (it can take a few seconds). When NexU is started,
you should see a new icon in your Windows system tray (in the lower right corner of the screen,
next to the clock).
Note: The first time NexU is started, a certificate is installed in the Windows certificate store.
This is for signing in an HTTPS environment.
Figure 9: NexU icon in the system tray
Connect to your local TL Manager and sign your TL.
Note: Restarting your computer will stop NexU. When you later need to sign again with your
local TL-Manager, you have to make sure that NexU is running. You can either:
- Restart it manually by double-clicking on the NexU-Startup.bat file before signing a TL.
You may create a shortcut to NexU-Startup.bat on your desktop for convenience.
- Add it as a service so that NexU starts automatically at the startup of your PC.