Transcript of ejbca.minoss.nl/vm0017.pdf
VM0017: current enterprise, next gen ejbca

Note: this next gen ejbca is capable of running under jboss-7 and java-7. However, during the transition it is advisable to change just one parameter at a time.

Application          | Used at training            | More recent
---------------------+-----------------------------+---------------------------------------------------------------
Ejbca                | Ejbca-3.10.1                | Ejbca-3.11.5, Ejbca-4.0.12, Ejbca-4.0.16, Ejbca-6.0.3
Application-server   | jboss-4.2.3.GA-jdk6         | jboss-5.1.0.GA-jdk6, jboss-as-distribution-6.0.0.Final, jboss-as-distribution-6.1.0.Final, jboss-as-7.0.2.Final, jboss-as-7.1.1.Final
Java development kit | jdk-6u20-linux-i586         | jdk-6u38-ea-bin-b04-linux-amd64-31_oct_2012.bin, jdk-6u38-ea-bin-b04-linux-i586-31_oct_2012.bin, java-1_6_0-ibm-1.6.0_sr12.0-0.5.1, java-1_6_0-openjdk-1.6.0.0_b24.1.11.5-2.1, java-1_7_0-openjdk, java-1_7_0-openjdk-devel
Java crypto env      | jce_policy-6                |
Mysql connector      | mysql-connector-java-5.1.13 | mysql-connector-java-5.1.22
Java-dev-tool        | apache-ant-1.8.1-bin        | apache-ant-1.8.4-bin, ant-1.8.2-11.1.1.noarch
Fedora or OpenSUSE are great for developing and testing, but production should be either on RedHat-ES or SUSE Linux Enterprise Server (SLES11sp3).
First, building of the virtual machine.
→ lvcreate -L 5GB -n vm0017 main
orion:/etc/xen/vm # lvcreate -L 5GB -n vm0017 main
  Logical volume "vm0017" created

→ time dd if=/dev/main/sles11sp3 of=/dev/mapper/main-vm0017 bs=1M
orion:/etc/xen/vm # time dd if=/dev/main/sles11sp3 of=/dev/mapper/main-vm0017 bs=1M
5120+0 records in
5120+0 records out
5368709120 bytes (5.4 GB) copied, 151.741 s, 35.4 MB/s

real    2m31.760s
user    0m0.004s
sys     0m9.573s
Create vm startup file:
→ cp -v sles11sp3 vm0017
orion:/etc/xen/vm # cp -v sles11sp3 vm0017
‘sles11sp3’ -> ‘vm0017’

Change: name, description, disk-ID, disk and MAC-address
→ vi vm0017

Check differences
→ diff sles11sp3 vm0017
orion:/etc/xen/vm # diff sles11sp3 vm0017
1,3c1,2
< name="sles11sp3"
< description="template"
< uuid="a552dd33-b0c2-b07f-d9a6-753f7a232c71"
---
> name="vm0017"
> description="vm0017-ejbca-4.0.16"
8c7
< on_reboot="destroy"
---
> on_reboot="restart"
13,18c12,16
< #kernel="/tmp/kernel.nGFrL9"
< #ramdisk="/tmp/install-initrd.SIREem"
< extra="xencons=tty install=hd:/dev/xvdb "
< disk=[ 'phy:/dev/mapper/main-sles11sp3,xvda,w', 'file:/root/DEPOT/SLES-11-SP3-DVD-x86_64-GM-DVD1.iso,xvdb:cdrom,r', ]
< vif=[ 'mac=00:16:3e:51:b4:8a,bridge=br0', ]
<
---
> bootloader="/usr/bin/pygrub"
> bootargs=""
> extra=" "
> disk=[ 'phy:/dev/mapper/main-vm0017,xvda,w' ]
> vif=[ 'mac=00:16:3e:00:16:00,bridge=br0', ]

Show result
orion:/etc/xen/vm # cat vm0017
name="vm0017"
description="vm0017-ejbca-6.0.3"
memory=1024
maxmem=2048
vcpus=1
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"
builder="linux"
bootloader="/usr/bin/pygrub"
bootargs=""
extra=" "
disk=[ 'phy:/dev/mapper/main-vm0017,xvda,w' ]
vif=[ 'mac=00:16:3e:00:17:00,bridge=br0', ]
nographic=1
vfb=['type=vnc,vncunused=1']
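Added example, not part of these notes: the "change name, description, disk and MAC-address" step done by script instead of by hand in vi, with a check that the new MAC address is not already used by another config in the same directory (a duplicate MAC on the bridge is the kind of "funny situation" that is hard to debug later). The template text, the second guest vm0016 and all paths are constructed under a temporary directory; the field values mirror the notes but are placeholders here.

```shell
#!/bin/sh
# Added example, not part of the original notes: clone the sles11sp3 Xen config
# into a new domU config, changing name, description, on_reboot, disk and MAC,
# and refuse a MAC address that another config in the directory already uses.
# Everything below lives in a temporary directory; the template text is
# constructed after the shape of the notes' vm0017 file.
VMDIR=$(mktemp -d)
trap 'rm -rf "$VMDIR"' EXIT

cat > "$VMDIR/sles11sp3" <<'EOF'
name="sles11sp3"
description="template"
memory=1024
maxmem=2048
vcpus=1
on_poweroff="destroy"
on_reboot="destroy"
on_crash="destroy"
bootloader="/usr/bin/pygrub"
disk=[ 'phy:/dev/mapper/main-sles11sp3,xvda,w' ]
vif=[ 'mac=00:16:3e:51:b4:8a,bridge=br0', ]
nographic=1
EOF

# A second, already existing guest (constructed) so the uniqueness check has
# something to collide with.
sed -e 's/^name=.*/name="vm0016"/' -e 's/mac=[^,]*/mac=00:16:3e:00:16:00/' \
    "$VMDIR/sles11sp3" > "$VMDIR/vm0016"

# mac_in_use DIR MAC -> 0 when some config file in DIR already carries MAC
mac_in_use() {
    grep -q -i -F -- "mac=$2" "$1"/*
}

# clone_config DIR TEMPLATE NAME MAC DESCRIPTION
# Writes DIR/NAME from DIR/TEMPLATE with the fields the notes change by hand:
# name, description, on_reboot (the template destroys, a guest restarts), the
# phy: disk mapped to the new logical volume, and the vif MAC address.
clone_config() {
    dir=$1; tmpl=$2; name=$3; mac=$4; desc=$5
    if mac_in_use "$dir" "$mac"; then
        echo "refusing: MAC $mac is already used by a config in $dir" >&2
        return 1
    fi
    sed -e "s|^name=.*|name=\"$name\"|" \
        -e "s|^description=.*|description=\"$desc\"|" \
        -e "s|^on_reboot=.*|on_reboot=\"restart\"|" \
        -e "s|/dev/mapper/main-[^,]*|/dev/mapper/main-$name|" \
        -e "s|mac=[^,]*|mac=$mac|" \
        "$dir/$tmpl" > "$dir/$name"
}

# field FILE KEY -> value of the KEY= line with surrounding double quotes removed
field() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"
}

# Stand-alone run: create vm0017 with the values from the notes and show the diff.
clone_config "$VMDIR" sles11sp3 vm0017 00:16:3e:00:17:00 "vm0017-ejbca-6.0.3"
diff "$VMDIR/sles11sp3" "$VMDIR/vm0017" || true   # diff exits 1 when the files differ
```

Running it prints the same kind of diff as the notes show; a second call with the MAC of vm0016 is refused and leaves no half-written config behind.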
Modify the config on the dhcp and dns server, so the machine gets a unique name and address. Don't forget to kick (restart) the dhcp and dns server processes...
Start new machine
→ xm create -c vm0017
pyGRUB version 0.6
    Xen -- SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11
Use the ↑ and ↓ keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting, 'a' to modify the kernel arguments before booting, or 'c' for a command line.
Will boot selected entry in 1 seconds
Started domain vm0017 (id=8)
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.0.76-0.11-xen (geeko@buildhost) (gcc version 4.3.4 [gcc-4_3-branch revision 152973] (SUSE Linux) ) #1 SMP Fri Jun 14 08:21:43 UTC 2013 (ccab990)
[ 0.000000] Command line: root=/dev/xvda3 xencons=tty resume=/dev/xvda2 splash=silent crashkernel=256M-:128M showopts
[ 0.000000] Xen-provided physical RAM map:
[ 0.000000] Xen: 0000000000000000 - 0000000080800000 (usable)
…
Starting smartd                                       unused
Master Resource Control: runlevel 3 has been reached
Skipped services in runlevel 3: microcode.ctl nfs irq_balancer smartd

Welcome to SUSE Linux Enterprise Server 11 SP3 (x86_64) - Kernel 3.0.76-0.11-xen (tty1).

vm0017 login:
Networking: check own addresses (ifconfig is deprecated)
→ ip addr show dev eth0
vm0017 login: root
Password:
Last login: Wed Nov 27 23:21:30 CET 2013 from orion on pts/0
vm0017:~ # ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:16:3e:00:17:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.137/24 brd 192.168.0.255 scope global eth0
    inet6 2001:470:1f01:3785:216:3eff:fe00:1700/64 scope global dynamic
       valid_lft 2591992sec preferred_lft 604792sec
    inet6 fe80::216:3eff:fe00:1700/64 scope link
       valid_lft forever preferred_lft forever
vm0017:~ #
Test if sshd is properly working, and the address
→ ssh vm0017
orion:~ # ssh vm0017
The authenticity of host 'vm0017 (192.168.0.137)' can't be established.
ECDSA key fingerprint is df:b6:3c:d9:c5:d6:f8:37:e7:70:b1:bb:ed:a8:eb:df.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm0017,192.168.0.137' (ECDSA) to the list of known hosts.
Password:
Last login: Sun Jan 5 13:16:34 2014
vm0017:~ #

Seems OK.

Check mount point repositories
→ zypper lr -u
vm0017:~ # zypper lr -u
# | Alias  | Name | Enabled | Refresh | URI
--+--------+------+---------+---------+---------------------------------------------
1 | oss    | oss  | Yes     | No      | http://suse.minoss.nl/sles11sp3/install/oss/
2 | update | oss  | Yes     | Yes     | http://suse.minoss.nl/sles11sp3/update/
vm0017:~ #
→ echo "192.168.0.2 storage" >> /etc/hosts
vm0017:~ # echo "192.168.0.2 storage" >> /etc/hosts
vm0017:~ #

→ mkdir -p /data/software/distro/suse/sles11sp3
vm0017:~ # mkdir -p /data/software/distro/suse/sles11sp3
vm0017:~ #

→ mount -o nolock storage:/data/software/distro/suse/sles11sp3 /data/software/distro/suse/sles11sp3
Not done: using local online repository

→ zypper addrepo --refresh --check -n "update" dir:/data/software/distro/suse/sles11sp3 update
Not needed, done in template

→ zypper lr -u
vm0017:~ # zypper lr -u
# | Alias                                            | Name                                             | Enabled | Refresh | URI
--+--------------------------------------------------+--------------------------------------------------+---------+---------+-------------------------------------------
1 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | Yes     | Yes     | hd:///?device=/dev/xvdb&filesystem=auto
2 | update                                           | update                                           | Yes     | Yes     | dir:///data/software/distro/suse/sles11sp2
Refresh repositories
→ zypper ref
vm0017:~ # zypper ref
Repository 'oss' is up to date.
Retrieving repository 'oss' metadata [\]
File 'repomd.xml' from repository 'oss' is unsigned, continue? [yes/no] (no): yes
Retrieving repository 'oss' metadata [done]
Building repository 'oss' cache [done]
All repositories have been refreshed.

→ zypper up
vm0017:~ # zypper up
Loading repository data...
Reading installed packages...

The following NEW package is going to be installed:
  libtevent0

The following packages are going to be upgraded:
  apache2 apache2-doc apache2-example-pages apache2-prefork apache2-utils apparmor-docs apparmor-parser apparmor-utils bash bash-doc bind-libs bind-libs-32bit bind-utils binutils coreutils coreutils-lang cups-client cups-libs cups-libs-32bit curl elilo ethtool facter fastjar glib2 glib2-lang gpg2 gpg2-lang grub gvfs gvfs-backends gvfs-fuse gvfs-lang hal hal-32bit ipmitool iproute2 irqbalance kdump kernel-firmware kernel-xen kernel-xen-base kpartx krb5 krb5-32bit ksh lcms libapparmor1 libcurl4 libcurl4-32bit libfprint0 libgcrypt11 libgcrypt11-32bit libgio-2_0-0 libgio-2_0-0-32bit libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgmodule-2_0-0-32bit libgnutls26 libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libgvfscommon0 liblcms1 liblcms1-32bit libpixman-1-0 libpixman-1-0-32bit libpython2_6-1_0 libreadline5 libsmbclient0 libsnmp15 libtalloc2 libtdb1 libtiff3 libtiff3-32bit libudev0 libudev0-32bit libwbclient0 libxslt libxslt-32bit libzypp mcelog microcode_ctl mkinitrd multipath-tools mysql mysql-client perl-Bootloader perl-apparmor postfix puppet python python-base python-xml readline-doc release-notes-sles rsh ruby sblim-sfcb snmp-mibs supportutils suseRegister timezone udev xen-libs xen-tools-domU xorg-x11-libX11 xorg-x11-libX11-32bit xorg-x11-libXext xorg-x11-libXext-32bit xorg-x11-libXfixes xorg-x11-libXfixes-32bit xorg-x11-libXp xorg-x11-libXp-32bit xorg-x11-libXrender xorg-x11-libXrender-32bit xorg-x11-libXt xorg-x11-libXt-32bit xorg-x11-libXv xorg-x11-libXv-32bit xorg-x11-libs xorg-x11-libs-32bit yast2 yast2-ldap-client zypper zypper-log

The following packages are not supported by their vendor:
  apache2 apache2-doc apache2-example-pages apache2-prefork apache2-utils apparmor-docs apparmor-parser apparmor-utils bash bash-doc bind-libs bind-libs-32bit bind-utils binutils coreutils coreutils-lang cups-client cups-libs cups-libs-32bit curl elilo ethtool facter fastjar glib2 glib2-lang gpg2 gpg2-lang grub gvfs gvfs-backends gvfs-fuse gvfs-lang hal hal-32bit ipmitool iproute2 irqbalance kdump kernel-firmware kernel-xen kernel-xen-base kpartx krb5 krb5-32bit ksh lcms libapparmor1 libcurl4 libcurl4-32bit libfprint0 libgcrypt11 libgcrypt11-32bit libgio-2_0-0 libgio-2_0-0-32bit libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgmodule-2_0-0-32bit libgnutls26 libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libgvfscommon0 liblcms1 liblcms1-32bit libpixman-1-0 libpixman-1-0-32bit libpython2_6-1_0 libreadline5 libsmbclient0 libsnmp15 libtalloc2 libtdb1 libtevent0 libtiff3 libtiff3-32bit libudev0 libudev0-32bit libwbclient0 libxslt libxslt-32bit libzypp mcelog microcode_ctl mkinitrd multipath-tools mysql mysql-client perl-Bootloader perl-apparmor postfix puppet python python-base python-xml readline-doc release-notes-sles rsh ruby sblim-sfcb snmp-mibs supportutils suseRegister timezone udev xen-libs xen-tools-domU xorg-x11-libX11 xorg-x11-libX11-32bit xorg-x11-libXext xorg-x11-libXext-32bit xorg-x11-libXfixes xorg-x11-libXfixes-32bit xorg-x11-libXp xorg-x11-libXp-32bit xorg-x11-libXrender xorg-x11-libXrender-32bit xorg-x11-libXt xorg-x11-libXt-32bit xorg-x11-libXv xorg-x11-libXv-32bit xorg-x11-libs xorg-x11-libs-32bit yast2 yast2-ldap-client zypper zypper-log

127 packages to upgrade, 1 new.
Overall download size: 114.6 MiB. After the operation, additional 891.0 KiB will be used.
Continue? [y/n/?] (y):
Retrieving package apache2-doc-2.2.12-1.40.1.x86_64 (1/128), 1.7 MiB (10.3 MiB unpacked)
Retrieving: apache2-doc-2.2.12-1.40.1.x86_64.rpm [done]
Retrieving package apache2-example-pages-2.2.12-1.40.1.x86_64 (2/128), 64.0 KiB (11.0 KiB unpacked)
Retrieving: apache2-example-pages-2.2.12-1.40.1.x86_64.rpm [done]
Retrieving package apparmor-docs-2.5.1.r1445-55.64.1.x86_64 (3/128), 183.0 KiB (318.0 KiB unpacked)
Retrieving: apparmor-docs-2.5.1.r1445-55.64.1.x86_64.rpm [done]
…
Installing: gpg2-lang-2.0.9-25.33.37.1 [error]
Installation of gpg2-lang-2.0.9-25.33.37.1 failed:
(with --nodeps --force) Error: Subprocess failed. Error: RPM failed: error: unpacking of archive failed on file /usr/share/locale/zh_TW/LC_MESSAGES/gnupg2.mo;52c94ed0: cpio: read failed - Bad file descriptor
Abort, retry, ignore? [a/r/i] (a): i
…
Installing: gvfs-fuse-1.4.3-0.17.19.1 [done]
Installing: gvfs-backends-1.4.3-0.17.19.1 [done]
Update notifications were received from the following packages:
puppet-2.6.18-0.8.1.x86_64 (/var/adm/update-messages/puppet-2.6.18-0.8.1-CVE-2011-3872.msg.txt)
View the notifications now? [y/n] (n): n
There are some running programs that use files deleted by recent upgrade. You may wish to restart some of them. Run 'zypper ps' to list these programs.
vm0017:~ #
Sometimes a reboot is required because of a kernel patch.
Check if critical parts were updated, requiring a reboot:
vm0017:~ # zypper ps
The following running processes use deleted files:

PID  | PPID | UID | Login | Command            | Service | Files
-----+------+-----+-------+--------------------+---------+-----------------------------------------------
1132 | 1    | 0   | root  | console-kit-daemon |         | /usr/lib64/libgobject-2.0.so.0.2200.5;52c94f95
     |      |     |       |                    |         | /usr/lib64/libgthread-2.0.so.0.2200.5;52c94f95
     |      |     |       |                    |         | /usr/lib64/libglib-2.0.so.0.2200.5;52c94f70
3067 | 1    | 0   | root  | sshd               | sshd    | /usr/lib64/libkrb5support.so.0.1
     |      |     |       |                    |         | /usr/lib64/libkrb5.so.3.3
     |      |     |       |                    |         | /usr/lib64/libk5crypto.so.3.1
     |      |     |       |                    |         | /usr/lib64/libgssapi_krb5.so.2.2
3334 | 3210 | 0   | root  | bash               |         | /lib64/libreadline.so.5.2
     |      |     |       |                    |         | /bin/bash (deleted)
3366 | 3067 | 0   | root  | sshd               | sshd    | /usr/lib64/libkrb5support.so.0.1
     |      |     |       |                    |         | /usr/lib64/libkrb5.so.3.3
     |      |     |       |                    |         | /usr/lib64/libk5crypto.so.3.1
     |      |     |       |                    |         | /usr/lib64/libgssapi_krb5.so.2.2
3369 | 3366 | 0   | root  | bash               |         | /lib64/libreadline.so.5.2
     |      |     |       |                    |         | /bin/bash (deleted)

You may wish to restart these processes.
See 'man zypper' for information about the meaning of values in the above table.
Although nothing critical here, I found out previously that a fresh reboot avoids “funny” situations...
(on console)
→ init 0
vm0017:~ # init 0
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
INIT: Sending processes the KILL signal
blogd: can not set console device to /dev/pts/1: Device or resource busy
Master Resource Control: previous runlevel: 3, switching to runlevel: 0
Shutting down CRON daemon                                            done
Shutting down irqbalance                                             done
Shutting down java.binfmt_misc                                       done
Shutting down Name Service Cache Daemon                              done
Shutting down smartd                                                 done
Shutting down SSH daemon *with all active connections*               done
Shutting down auditd                                                 done
Shutting down haveged daemon                                         done
Shutting down service MySQL                                          done
Shutting down (remotefs) network interfaces:
Shutting down service (remotefs) network . . . . . . . . .           done
Shutting down mail service (Postfix)                                 done
Shutting down HAL daemon                                             done
Saving random seed                                                   done
Shutting down NFS client services:                                   done
Shutting down rpcbind                                                done
Shutting down syslog services                                        done
Shutting down (localfs) network interfaces:
    eth0      name: Virtual Ethernet Card 0                          done
Shutting down service (localfs) network . . . . . . . . .            done
Shutting down D-Bus daemon                                           done
Running /etc/init.d/halt.local                                       done
Unmounting fuse control filesystem                                   done
Not unloading kdump during runlevel changes                  skipped done
Turning off quota                                                    done
Turning off swap files                                               done
Unloading AppArmor profiles                                          done
Unmounting file systems
/dev/xvda1 has been unmounted                                        done
Stopping udevd:                                                      done
Sending all processes the TERM signal...                             done
Sending all processes the KILL signal...                             done
The system will be halted immediately.
[ 7738.880427] System halted.
If needed, restart with the new kernel
→ xm create -c vm0017
orion:/etc/xen/vm # xm create -c vm0017
Starting CRON daemon                                                 done
Starting smartd                                                    unused
Master Resource Control: runlevel 3 has been reached
Skipped services in runlevel 3: microcode.ctl nfs irq_balancer smartd

Welcome to SUSE Linux Enterprise Server 11 SP3 (x86_64) - Kernel 3.0.101-0.8-xen (tty1).

vm0017 login:

If restarted, check if the kernel is different.
Login again (through ssh) instead of the virtual console
orion:~ # ssh vm0017

Check FQDN:
→ hostname -f
vm0017:~ # hostname -f
vm0017.minoss.nl
If needed, just for documentation purposes, adjust the prompt:
→ hostname vm0017.minoss.nl
# not needed
Pre-installation tests / actions

Architecture test:
→ uname -a
vm0017:~ # uname -a
Linux vm0017 3.0.101-0.8-xen #1 SMP Fri Nov 1 12:51:09 UTC 2013 (2417eb9) x86_64 x86_64 x86_64 GNU/Linux

OS:
→ lsb_release -d; echo; cat /etc/SuSE-release
vm0017:~ # lsb_release -d; echo; cat /etc/SuSE-release
Description:    SUSE Linux Enterprise Server 11 (x86_64)

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3

Available diskspace:
→ df -h
vm0017:~ # df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda3      3.5G  1.5G  1.8G  46% /
udev            521M   76K  520M   1% /dev
tmpfs           521M     0  521M   0% /dev/shm
/dev/xvda1      493M   29M  439M   7% /boot

Check memory
→ free
vm0017:~ # free
             total       used       free     shared    buffers     cached
Mem:       1065100     220772     844328          0       5308      65024
-/+ buffers/cache:     150440     914660
Swap:      1051644          0    1051644
Slightly more mem available, compared to openSUSE.
Networking: fqdn
Permanent change:
→ echo "vm0017.minoss.nl" > /etc/HOSTNAME
# not needed anymore
(proof would require a reboot)

Make fqdn locally known:
→ vi /etc/hosts
not needed
add:
#192.168.0.137 vm0017.minoss.nl vm0017 #
(Note: do not add the name to 127.0.0.1 !!!!!!)

Check:
→ hostname --fqdn
vm0017:~ # hostname --fqdn
vm0017.minoss.nl
Networking: local ping to self (needed for db connection)
→ ping -c2 `hostname --fqdn`
vm0017:~ # ping -c2 `hostname --fqdn`
PING vm0017.minoss.nl (192.168.0.137) 56(84) bytes of data.
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=2 ttl=64 time=0.033 ms

--- vm0017.minoss.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.020/0.026/0.033/0.008 ms

Note the correct IP address (not 127.0.0.1)
Networking: remote ping to self (needed for browser connection)
→ ping -c2 vm0017.minoss.nl
orion:~ # ping -c2 vm0017.minoss.nl
PING vm0017.minoss.nl (192.168.0.137) 56(84) bytes of data.
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=1 ttl=64 time=0.125 ms
64 bytes from vm0017.minoss.nl (192.168.0.137): icmp_seq=2 ttl=64 time=0.097 ms

--- vm0017.minoss.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.097/0.111/0.125/0.014 ms

If not present, add the lines to /etc/hosts on the host that will launch the browser.
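Added example, not part of these notes: the /etc/hosts check that the notes do by eye (the fqdn must map to the machine's real address and not to 127.0.0.1, otherwise the db connection and the browser connection tests fail) written as a function that can be run on the VM and on the browser host alike. The hosts file it reads is constructed in a temporary file, including the commented-out line from the notes and one deliberately wrong entry; it is not the VM's real /etc/hosts.

```shell
#!/bin/sh
# Added example, not part of the original notes: the /etc/hosts check the notes
# do by eye, as a function. The FQDN must map to the machine's real address and
# not (only) to 127.0.0.1, otherwise the db and browser connection tests fail.
# The hosts file below is constructed in a temp file; it is not the VM's real one.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1       localhost
# 192.168.0.137 vm0017.minoss.nl vm0017       commented out, must be ignored
192.168.0.2     storage
127.0.0.1       badhost.example.test badhost  # constructed: the mistake the notes warn about
192.168.0.137   vm0017.minoss.nl vm0017
EOF

# hosts_lookup FILE NAME -> prints every address NAME is mapped to, one per line,
# ignoring whole-line comments and trailing comments.
hosts_lookup() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                       # whole-line comment
        { sub(/#.*/, "") }                        # strip trailing comment
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1"
}

# check_fqdn_mapping FILE NAME
#   exit 0: NAME maps to at least one non-loopback address (what the notes want)
#   exit 1: NAME maps only to loopback (127.x / ::1), the case the notes forbid
#   exit 2: NAME is not in FILE at all
check_fqdn_mapping() {
    addrs=$(hosts_lookup "$1" "$2")
    [ -n "$addrs" ] || return 2
    for a in $addrs; do
        case "$a" in
            127.*|::1) ;;        # loopback: does not count
            *) return 0 ;;
        esac
    done
    return 1
}

# Stand-alone run against the constructed file.
for n in vm0017.minoss.nl badhost.example.test nosuch.example.test; do
    rc=0
    check_fqdn_mapping "$SAMPLE_HOSTS" "$n" || rc=$?
    echo "$n -> exit $rc"
done
```

On a real machine, call it as `check_fqdn_mapping /etc/hosts "$(hostname --fqdn)"` and treat anything but exit 0 as "fix /etc/hosts before going on".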
Networking: firewall (if the firewall is too active, the db connection or the browser connection might fail)
→ iptables -L -n -v ; echo; ip6tables -L -n -v
vm0017:~ # iptables -L -n -v ; echo; ip6tables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
In case of a “fatal error”, a reboot is required.
If some rules exist, adjust them manually.
Additional users (needed for unprivileged ownership of files and daemon)
→ egrep "ejbca|jboss" /etc/passwd
vm0017:~ # egrep "ejbca|jboss" /etc/passwd
ejbca:x:1002:100:ejbca:/home/ejbca:/bin/bash
jboss:x:1001:100:jboss:/home/jboss:/bin/bash
Done in template; if not, create them now...
Expected software (mysql server and client are needed, and the product relies on openssl)
→ rpm -qa | egrep "ssh|ssl|mysql" | sort
vm0017:~ # rpm -qa | egrep "ssh|ssl|mysql" | sort
libopenssl0_9_8-0.9.8j-0.50.1
libopenssl0_9_8-32bit-0.9.8j-0.50.1
libssh2-1-1.2.9-4.2.2.1
mysql-5.5.33-0.11.1
mysql-client-5.5.33-0.11.1
openssh-6.2p2-0.9.1
openssl-0.9.8j-0.50.1
openssl-certs-1.85-0.6.1
yast2-sshd-2.17.2-1.21

Slightly older libopenssl, mysql-server, mysql-client and openssh.
Gathering of unbundled software, on the depot-host:
→ cd ejbca
→ sftp ejbca@vm0017
→ mkdir log
→ mkdir DEPOT
→ cd DEPOT
→ pwd
orion:~/ejbca # sftp ejbca@vm0017
Password:
Connected to vm0017.
sftp> mkdir log
sftp> mkdir DEPOT
sftp> cd DEPOT
sftp> pwd
Remote working directory: /home/ejbca/DEPOT
sftp>

→ put ejbca_ce_6_0_3.zip
sftp> put ejbca_ce_6_0_3.zip
Uploading ejbca_ce_6_0_3.zip to /home/ejbca/DEPOT/ejbca_ce_6_0_3.zip
ejbca_ce_6_0_3.zip                            100%   35MB  35.0MB/s   00:01
sftp>

→ put jboss-as-distribution-6.1.0.Final.zip
sftp> put jboss-as-distribution-6.1.0.Final.zip
Uploading jboss-as-distribution-6.1.0.Final.zip to /home/ejbca/DEPOT/jboss-as-distribution-6.1.0.Final.zip
jboss-as-distribution-6.1.0.Final.zip         100%  174MB  34.9MB/s   00:05
sftp>

The SLES11sp3 version of ANT is way too old!!
→ put apache-ant-1.8.4-bin.zip
sftp> put apache-ant-1.8.4-bin.zip
Uploading apache-ant-1.8.4-bin.zip to /home/ejbca/DEPOT/apache-ant-1.8.4-bin.zip
apache-ant-1.8.4-bin.zip                      100% 7855KB   7.7MB/s   00:01
sftp>

→ put mysql-connector-java-5.1.22.zip
sftp> put mysql-connector-java-5.1.22.zip
Uploading mysql-connector-java-5.1.22.zip to /home/ejbca/DEPOT/mysql-connector-java-5.1.22.zip
mysql-connector-java-5.1.22.zip               100% 4170KB   4.1MB/s   00:00
sftp>
sftp> quit
Java options:
→ zypper search java-
vm0017:~ # zypper search java-
Loading repository data...
Reading installed packages...

S | Name                  | Summary                                    | Type
--+-----------------------+--------------------------------------------+-----------
  | java-1_6_0-ibm        | Java(TM) 6 Runtime Environment             | package
  | java-1_6_0-ibm        | Java(TM) 6 Runtime Environment             | srcpackage
  | java-1_6_0-ibm-fonts  | Java(TM) 2 Runtime Environment             | package
  | java-1_6_0-ibm-jdbc   | JDBC/ODBC bridge driver for java-1.6.0-ibm | package
  | java-1_6_0-ibm-plugin | Browser plugin files for java-1.6.0-ibm    | package
  | java-1_7_0-ibm        | Java(TM) 7 Runtime Environment             | package
  | java-1_7_0-ibm        | Java(TM) 6 Runtime Environment             | srcpackage
  | java-1_7_0-ibm-alsa   | ALSA support for java-1_7_0-ibm            | package
  | java-1_7_0-ibm-jdbc   | JDBC/ODBC bridge driver for java-1_7_0-ibm | package
  | java-1_7_0-ibm-plugin | Browser plugin files for java-1_7_0-ibm    | package
It __MIGHT__ be possible / advisable to use “IBM” Java instead of openjdk: YMMV.

Or:
→ mkdir -p /data/software/obs/Java:/
# not done, using online OBS-repo

→ mount -o nolock storage:/data/software/obs/Java:/ /data/software/obs/Java:/
# not done, using online repo

→ zypper addrepo --refresh --check -n "java hack" http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2 java
vm0017:~ # zypper addrepo --refresh --check -n "java hack" http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2 java
Adding repository 'java hack' [done]
Repository 'java hack' successfully added
Enabled: Yes
Autorefresh: Yes
GPG check: Yes
URI: http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2

vm0017:~ # zypper lr -u
# | Alias  | Name      | Enabled | Refresh | URI
--+--------+-----------+---------+---------+--------------------------------------------------------
1 | java   | java hack | Yes     | Yes     | http://obs.minoss.nl/Java:/openjdk6:/Factory/SLE_11_SP2
2 | oss    | oss       | Yes     | No      | http://suse.minoss.nl/sles11sp3/install/oss/
3 | update | oss       | Yes     | Yes     | http://suse.minoss.nl/sles11sp3/update/

NOTE: I'm using the SLES11 SP2 repo; the SLES11 SP3 repo does not contain openjdk6.
→ zypper search java-
vm0017:~ # zypper search java-
Retrieving repository 'java hack' metadata [\]

New repository or package signing key received:
Key ID: E38C29BC4276E0B9
Key Name: Java OBS Project <[email protected]>
Key Fingerprint: 9711921972E27C87BBC1BA89E38C29BC4276E0B9
Key Created: Wed Dec 7 09:43:54 2011
Key Expires: Fri Feb 14 09:43:54 2014 (expires in 39 days)
Repository: java hack

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): a
Retrieving repository 'java hack' metadata [done]
Building repository 'java hack' cache [done]
Loading repository data...
Reading installed packages...

S | Name                           | Summary                                                   | Type
--+--------------------------------+-----------------------------------------------------------+-----------
  | java-1_6_0-ibm                 | Java(TM) 6 Runtime Environment                            | package
  | java-1_6_0-ibm                 | Java(TM) 6 Runtime Environment                            | srcpackage
  | java-1_6_0-ibm-fonts           | Java(TM) 2 Runtime Environment                            | package
  | java-1_6_0-ibm-jdbc            | JDBC/ODBC bridge driver for java-1.6.0-ibm                | package
  | java-1_6_0-ibm-plugin          | Browser plugin files for java-1.6.0-ibm                   | package
  | java-1_6_0-openjdk             | Java runtime environment based on OpenJDK 6 and IcedTea 6 | srcpackage
  | java-1_6_0-openjdk             | Java runtime environment based on OpenJDK 6 and IcedTea 6 | package
  | java-1_6_0-openjdk-debuginfo   | Debug information for package java-1_6_0-openjdk          | package
  | java-1_6_0-openjdk-debugsource | Debug sources for package java-1_6_0-openjdk              | package
  | java-1_6_0-openjdk-demo        | Sources for building demo applications with OpenJDK 6     | package
  | java-1_6_0-openjdk-devel       | Java SDK based on OpenJDK 6 and IcedTea 6                 | package
  | java-1_6_0-openjdk-javadoc     | Documentation of the Java API of OpenJDK 6                | package
  | java-1_6_0-openjdk-src         | OpenJDK 6 Java class sources for developers               | package
  | java-1_7_0-ibm                 | Java(TM) 7 Runtime Environment                            | package
  | java-1_7_0-ibm                 | Java(TM) 6 Runtime Environment                            | srcpackage
  | java-1_7_0-ibm-alsa            | ALSA support for java-1_7_0-ibm                           | package
  | java-1_7_0-ibm-jdbc            | JDBC/ODBC bridge driver for java-1_7_0-ibm                | package
  | java-1_7_0-ibm-plugin          | Browser plugin files for java-1_7_0-ibm                   | package
Either:
→ zypper install java-1_6_0-openjdk java-1_6_0-openjdk-devel
Or:
→ zypper install java-1_6_0-ibm
vm0017:~ # zypper install java-1_6_0-openjdk java-1_6_0-openjdk-devel
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW packages are going to be installed:
  giflib java-1_6_0-openjdk java-1_6_0-openjdk-devel libasound2 timezone-java

The following packages are not supported by their vendor:
  java-1_6_0-openjdk java-1_6_0-openjdk-devel timezone-java

5 new packages to install.
Overall download size: 39.0 MiB. After the operation, additional 142.7 MiB will be used.
Continue? [y/n/?] (y): y
Retrieving package giflib-4.1.6-11.10.x86_64 (1/5), 22.0 KiB (41.0 KiB unpacked)
Retrieving: giflib-4.1.6-11.10.x86_64.rpm [done]
Retrieving package libasound2-1.0.18-16.24.1.x86_64 (2/5), 311.0 KiB (995.0 KiB unpacked)
Retrieving: libasound2-1.0.18-16.24.1.x86_64.rpm [done]
Retrieving package timezone-java-2013h-0.7.1.noarch (3/5), 125.0 KiB (272.0 KiB unpacked)
Retrieving: timezone-java-2013h-0.7.1.noarch.rpm [done]
Retrieving package java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-1.1.x86_64 (4/5), 30.0 MiB (107.3 MiB unpacked)
Retrieving: java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-1.1.x86_64.rpm [done (7.4 MiB/s)]
Retrieving package java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.7-1.1.x86_64 (5/5), 8.5 MiB (34.2 MiB unpacked)
Retrieving: java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.7-1.1.x86_64.rpm [done]
Installing: giflib-4.1.6-11.10 [done]
Installing: libasound2-1.0.18-16.24.1 [done]
Installing: timezone-java-2013h-0.7.1 [done]
Installing: java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-1.1 [done]
Installing: java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.7-1.1 [done]
Check: (create empty file)
→ > /etc/profile.local
vm0017:~ # > /etc/profile.local

→ echo export DEPOT=/home/ejbca/DEPOT/ >> /etc/profile.local
vm0017:~ # echo export DEPOT=/home/ejbca/DEPOT/ >> /etc/profile.local

→ echo export EIL=/home/ejbca/log/ >> /etc/profile.local
vm0017:~ # echo export EIL=/home/ejbca/log/ >> /etc/profile.local

Re-read the env's and use them:
→ source /etc/profile ; ll $DEPOT
vm0017:~ # source /etc/profile ; ll $DEPOT
total 226552
-rw-r--r-- 1 ejbca users   8043520 Jan  5 15:36 apache-ant-1.8.4-bin.zip
-rw-r--r-- 1 ejbca users  36658854 Jan  5 15:36 ejbca_ce_6_0_3.zip
-rw-r--r-- 1 ejbca users 182762510 Jan  5 15:36 jboss-as-distribution-6.1.0.Final.zip
-rw-r--r-- 1 ejbca users   4270471 Jan  5 15:38 mysql-connector-java-5.1.22.zip
Database status: default status after reboot
→ chkconfig mysql
vm0017:~ # chkconfig mysql
mysql                     on

Still should have been set in the template; if not, do:
vm0017:~ # chkconfig mysql on
vm0017:~ # chkconfig mysql
mysql                     on

Database status: current status, using the System-V method
→ /etc/rc.d/mysql status
vm0017:~ # /etc/rc.d/mysql status
Checking for service MySQL:                                          running
vm0017:~ #

If not running, start it:
→ /etc/rc.d/mysql start
# done in template now

Database ip-port: (used in the config files)
→ lsof -i -P
vm0017:~ # lsof -i -P
COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388  root    6u IPv4   5655      0t0  UDP *:111
rpcbind 2388  root    7u IPv4   5659      0t0  UDP *:867
rpcbind 2388  root    8u IPv4   5660      0t0  TCP *:111 (LISTEN)
rpcbind 2388  root    9u IPv6   5662      0t0  UDP *:111
rpcbind 2388  root   10u IPv6   5664      0t0  UDP *:867
rpcbind 2388  root   11u IPv6   5665      0t0  TCP *:111 (LISTEN)
mysqld  2877 mysql   10u IPv4   6037      0t0  TCP *:3306 (LISTEN)
sshd    3199  root    3u IPv4   6337      0t0  TCP *:22 (LISTEN)
sshd    3199  root    4u IPv6   6339      0t0  TCP *:22 (LISTEN)
master  3304  root   12u IPv4   7054      0t0  TCP localhost:25 (LISTEN)
master  3304  root   13u IPv6   7056      0t0  TCP localhost:25 (LISTEN)
sshd    3475  root    3r IPv4   7733      0t0  TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)

Check if it is re-startable?
→ /etc/rc.d/mysql restart; lsof -i -P
vm0017:~ # /etc/rc.d/mysql restart; lsof -i -P
Restarting service MySQL
Shutting down service MySQL                                          done
Starting service MySQL                                               done
COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388  root    6u IPv4   5655      0t0  UDP *:111
rpcbind 2388  root    7u IPv4   5659      0t0  UDP *:867
rpcbind 2388  root    8u IPv4   5660      0t0  TCP *:111 (LISTEN)
rpcbind 2388  root    9u IPv6   5662      0t0  UDP *:111
rpcbind 2388  root   10u IPv6   5664      0t0  UDP *:867
rpcbind 2388  root   11u IPv6   5665      0t0  TCP *:111 (LISTEN)
sshd    3199  root    3u IPv4   6337      0t0  TCP *:22 (LISTEN)
sshd    3199  root    4u IPv6   6339      0t0  TCP *:22 (LISTEN)
master  3304  root   12u IPv4   7054      0t0  TCP localhost:25 (LISTEN)
master  3304  root   13u IPv6   7056      0t0  TCP localhost:25 (LISTEN)
sshd    3475  root    3r IPv4   7733      0t0  TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)
mysqld  4292 mysql   10u IPv4   9133      0t0  TCP *:3306 (LISTEN)
vm0017:~ #
It can properly be restarted (comes up with a different PID) and still listens on the proper TCP-port.
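Added example, not part of these notes: the "different PID, same port" check made from two `lsof -i -P` snapshots by script rather than by eye, plus the bind address of the listener (`*` means every interface, which is what the notes' mysqld shows, versus `localhost` for postfix). The two snapshots below are constructed after the notes' output and embedded as text; nothing is captured live.

```shell
#!/bin/sh
# Added example, not part of the original notes: read `lsof -i -P` output and
# confirm (a) which process listens on a TCP port and on which address, and
# (b) that a service restart produced a new PID while the port stayed the same,
# which is the "comes up with different PID and still listens" check the notes
# make by eye. Both snapshots are constructed after the notes' output; nothing
# is captured live.
BEFORE=$(cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388 root 6u IPv4 5655 0t0 UDP *:111
rpcbind 2388 root 8u IPv4 5660 0t0 TCP *:111 (LISTEN)
mysqld 2877 mysql 10u IPv4 6037 0t0 TCP *:3306 (LISTEN)
sshd 3199 root 3u IPv4 6337 0t0 TCP *:22 (LISTEN)
master 3304 root 12u IPv4 7054 0t0 TCP localhost:25 (LISTEN)
sshd 3475 root 3r IPv4 7733 0t0 TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)
EOF
)
AFTER=$(cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2388 root 8u IPv4 5660 0t0 TCP *:111 (LISTEN)
sshd 3199 root 3u IPv4 6337 0t0 TCP *:22 (LISTEN)
master 3304 root 12u IPv4 7054 0t0 TCP localhost:25 (LISTEN)
sshd 3475 root 3r IPv4 7733 0t0 TCP vm0017.minoss.nl:22->orion:35607 (ESTABLISHED)
mysqld 4292 mysql 10u IPv4 9133 0t0 TCP *:3306 (LISTEN)
EOF
)

# listener COMMAND PORT   (lsof output on stdin)
# Prints "PID ADDR" for the first TCP LISTEN socket of COMMAND on PORT, where
# ADDR is the bind address ("*" = every interface). Exit 1 when there is none.
listener() {
    awk -v cmd="$1" -v port="$2" '
        $1 == cmd && $8 == "TCP" && $NF == "(LISTEN)" {
            n = split($9, parts, ":")            # "*:3306" or "localhost:25"
            if (parts[n] == port) {
                sub(":" port "$", "", $9)        # keep only the bind address
                print $2, $9
                found = 1
                exit
            }
        }
        END { if (!found) exit 1 }
    '
}

# restart_ok BEFORE_TEXT AFTER_TEXT COMMAND PORT
# 0 when COMMAND listens on PORT in both snapshots and the PID changed.
restart_ok() {
    old=$(printf '%s\n' "$1" | listener "$3" "$4") || return 1
    new=$(printf '%s\n' "$2" | listener "$3" "$4") || return 1
    [ "${old%% *}" != "${new%% *}" ]
}

# Stand-alone run with the constructed snapshots.
printf 'mysqld before: %s\n' "$(printf '%s\n' "$BEFORE" | listener mysqld 3306)"
printf 'mysqld after:  %s\n' "$(printf '%s\n' "$AFTER" | listener mysqld 3306)"
if restart_ok "$BEFORE" "$AFTER" mysqld 3306; then echo "restart OK"; else echo "restart NOT OK"; fi
```

On the VM itself the two snapshots would come from `lsof -i -P` taken before and after `/etc/rc.d/mysql restart`, e.g. `BEFORE=$(lsof -i -P)`; the parsing does not change.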
Java
→ java -version
vm0017:~ # java -version
java version "1.6.0_27"
OpenJDK Runtime Environment (IcedTea6 1.12.7) (suse-1.1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

Jboss application server
→ cd /usr/local/ ; unzip $DEPOT/jboss-as-distribution-6.1.0.Final.zip
vm0017:~ # cd /usr/local/ ; unzip $DEPOT/jboss-as-distribution-6.1.0.Final.zip
…(extracting from archive not shown...)

Symbolic link for version independence:
→ ln -s -v jboss-6.1.0.Final/ jboss
vm0017:/usr/local # ln -s -v jboss-6.1.0.Final/ jboss
`jboss' -> `jboss-6.1.0.Final/'

Check:
→ ll jboss* -d
vm0017:/usr/local # ll jboss* -d
lrwxrwxrwx 1 root root   18 Jan  5 15:51 jboss -> jboss-6.1.0.Final/
drwxrwxr-x 8 root root 4096 Aug 16  2011 jboss-6.1.0.Final

mysql connector
→ cd /usr/local/ ; unzip $DEPOT/mysql-connector-java-5.1.22.zip
vm0017:/usr/local # cd /usr/local/ ; unzip $DEPOT/mysql-connector-java-5.1.22.zip
(extracting from archive not shown...)

Copy it to the lib-directory:
→ cp -v mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar jboss/server/default/lib/
vm0017:/usr/local # cp -v mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar jboss/server/default/lib/
`mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar' -> `jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar'

Check:
→ ls -l /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar
vm0017:/usr/local # ls -l /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar
-rw-r--r-- 1 root root 832960 Jan  5 15:53 /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar

Note proper place, date, time.

ANT
→ rpm -qa | grep ant
vm0017:/usr/local # rpm -qa | grep ant
ant-1.7.1-20.9.53
Installed in template. This is absolutely a problem, as the installation pages declare that you need at least ant-1.7.1. However, for sles11_sp2 there is no newer version available in the distro. So you need the version from Apache...
Remove ancient version:
→ rpm -e ant
vm0017:/usr/local # rpm -e ant
vm0017:/usr/local # rpm -qa | grep ant
vm0017:/usr/local #

→ cd /usr/local ; unzip $DEPOT/apache-ant-1.8.4-bin.zip
vm0017:/usr/local # cd /usr/local ; unzip $DEPOT/apache-ant-1.8.4-bin.zip
(extracting from archive not shown...)

→ ln -v -s apache-ant-1.8.4/ ant
vm0017:/usr/local # ln -v -s apache-ant-1.8.4/ ant
`ant' -> `apache-ant-1.8.4/'

Check:
→ ll *ant* -d
vm0017:/usr/local # ll *ant* -d
lrwxrwxrwx 1 root root   17 Jan  5 16:19 ant -> apache-ant-1.8.4/
drwxr-xr-x 6 root root 4096 May 22  2012 apache-ant-1.8.4
Environment variables (used to be in /etc/profile, but that might be overwritten during an upgrade)

→ vi /etc/profile.local
vm0017:/usr/local # vi /etc/profile.local

add:
##############################
# env settings for ejbca
##############################
APPSRV_HOME=/usr/local/jboss
EJBCA_HOME=/usr/local/ejbca
#JAVA_OPTS="-Xmx512M -Xms512M -XX:MaxPermSize=512m"
ANT_HOME=/usr/local/ant
PATH=${APPSRV_HOME}/bin:${JAVA_HOME}/bin:${EJBCA_HOME}/bin:${ANT_HOME}/bin:$PATH
export PATH APPSRV_HOME JAVA_HOME JAVA_OPTS EJBCA_HOME ANT_HOME ANT_OPTS
##############################
# EOF env settings for ejbca
##############################

Note the omission of JAVA_HOME.

Reread the environment:
→ source /etc/profile
vm0017:/usr/local # source /etc/profile

Check:
→ env |egrep "JAVA_HOME|JAVA_OPTS|EJBCA_HOME|ANT_HOME|ANT_OPTS|APPSRV_HOME" |sort
vm0017:/usr/local # env |egrep "JAVA_HOME|JAVA_OPTS|EJBCA_HOME|ANT_HOME|ANT_OPTS|APPSRV_HOME" |sort
ANT_HOME=/usr/local/ant
APPSRV_HOME=/usr/local/jboss
EJBCA_HOME=/usr/local/ejbca

Note the omission of JAVA_HOME (is /usr/bin/java)!
Create database

→ mysqladmin create -u root -p ejbcadb
vm0017:/usr/local # mysqladmin create -u root -p ejbcadb
Enter password:

Just press the ENTER key: empty password.

Create user, set privileges
→ mysql -u root -p
vm0017:/usr/local # mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

→ grant all privileges on ejbcadb.* to 'ejbca-user'@'localhost' identified by 'mysql123';
mysql> grant all privileges on ejbcadb.* to 'ejbca-user'@'localhost' identified by 'mysql123';
Query OK, 0 rows affected (0.00 sec)

mysql>

→ flush privileges;
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql>

(note: no disclaimers..)
Check actions:
→ use mysql;
mysql> use mysql;
Database changed
mysql>

→ select Host,user from user where user='ejbca-user';
mysql> select Host,user from user where user='ejbca-user';
+-----------+------------+
| Host      | user       |
+-----------+------------+
| localhost | ejbca-user |
+-----------+------------+
1 row in set (0.00 sec)

mysql> quit
Bye
vm0017:/usr/local #

Login as DB user (password check)
→ mysql ejbcadb -u ejbca-user -p
vm0017:/usr/local # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Note: user and password are correct (they are used later on in the config files); also note the minor MySQL update.

Check DB content:
→ show tables;
mysql> show tables;
Empty set (0.00 sec)

mysql> quit;
Bye
vm0017:/usr/local #

Note: no leftovers (in this case hardly possible).
Installing ejbca software

→ cd /usr/local/ ; unzip $DEPOT/ejbca_ce_6_0_3.zip
vm0017:/usr/local # cd /usr/local/ ; unzip $DEPOT/ejbca_ce_6_0_3.zip
(extracting from archive not shown...)

Symbolic link for version independence:
→ ln -v -s ejbca_ce_6_0_3/ ejbca
vm0017:/usr/local # ln -v -s ejbca_ce_6_0_3/ ejbca
`ejbca' -> `ejbca_ce_6_0_3/'

Check:
→ ll ejbca* -d
vm0017:/usr/local # ll ejbca* -d
lrwxrwxrwx 1 root root   15 Jan  5 16:30 ejbca -> ejbca_ce_6_0_3/
drwx------ 9 root root 4096 Dec 19 16:26 ejbca_ce_6_0_3

Set file permissions:
→ chown -R ejbca ejbca/
vm0017:/usr/local # ll ejbca* -d
lrwxrwxrwx 1 root root   15 Jan  5 16:30 ejbca -> ejbca_ce_6_0_3/
drwx------ 9 root root 4096 Dec 19 16:26 ejbca_ce_6_0_3
(wonder why here, later on done again..)

(show that the dirs are filled)
→ du -sk * |sort -n
vm0017:/usr/local # du -sk * |sort -n
0       ant
0       ejbca
0       jboss
4       bin
4       games
4       include
4       lib
4       lib64
4       sbin
4       share
4       src
44      man
10224   mysql-connector-java-5.1.22
38380   apache-ant-1.8.4
63872   ejbca_ce_6_0_3
213940  jboss-6.1.0.Final

Note: links have size 0k, empty dirs are 4k.
Configuring ejbca

→ cd /usr/local/ejbca/conf ; ll
vm0017:/usr/local # cd /usr/local/ejbca/conf ; ll
total 188
-rw------- 1 ejbca root   587 Dec 19 16:26 batchtool.properties.sample
-rw------- 1 ejbca root  8267 Dec 19 16:26 cache.properties.sample
-rw------- 1 ejbca root  1366 Dec 19 16:26 catoken.properties.sample
-rw------- 1 ejbca root   396 Dec 19 16:26 certstore.properties.sample
-rw------- 1 ejbca root  8920 Dec 19 16:26 cesecore.properties.sample
-rw------- 1 ejbca root  1389 Dec 19 16:26 cmptcp.properties.sample
-rw------- 1 ejbca root   362 Dec 19 16:26 crlstore.properties.sample
-rw------- 1 ejbca root   100 Dec 19 16:26 custom.properties.sample
-rw------- 1 ejbca root  3378 Dec 19 16:26 database.properties.sample
-rw------- 1 ejbca root  7408 Dec 19 16:26 ejbca.properties.sample
-rw------- 1 ejbca root  6088 Dec 19 16:26 extendedkeyusage.properties
-rw------- 1 ejbca root  3555 Dec 19 16:26 externalra-gui.properties.sample
-rw------- 1 ejbca root  1725 Dec 19 16:26 externalra.properties.sample
-rw------- 1 ejbca root  3094 Dec 19 16:26 install.properties.sample
-rw------- 1 ejbca root  2724 Dec 19 16:26 jaxws.properties.sample
-rw------- 1 ejbca root    50 Dec 19 16:26 jndi.properties.glassfish
-rw------- 1 ejbca root   258 Dec 19 16:26 jndi.properties.jboss
-rw------- 1 ejbca root   146 Dec 19 16:26 jndi.properties.jboss7
-rw------- 1 ejbca root   146 Dec 19 16:26 jndi.properties.jbosseap6
-rw------- 1 ejbca root   217 Dec 19 16:26 jndi.properties.weblogic
-rw------- 1 ejbca root   259 Dec 19 16:26 jndi.properties.websphere
-rw------- 1 ejbca root  3067 Dec 19 16:26 log4j-glassfish.xml.sample
-rw------- 1 ejbca root  3727 Dec 19 16:26 log4j-jboss6.xml.sample
-rw------- 1 ejbca root  3158 Dec 19 16:26 log4j-jbosseap6.xml.sample
-rw------- 1 ejbca root  3157 Dec 19 16:26 log4j-weblogic.xml.sample
-rw------- 1 ejbca root  3538 Dec 19 16:26 log4j-websphere.xml.sample
drwx------ 2 ejbca root  4096 Dec 19 16:26 logdevices
-rw------- 1 ejbca root  1724 Dec 19 16:26 mail.properties.sample
-rw------- 1 ejbca root 14389 Dec 19 16:26 ocsp.properties.sample
drwx------ 2 ejbca root  4096 Dec 19 16:26 plugins
-rw------- 1 ejbca root  6456 Dec 19 16:26 scep.properties.sample
-rw------- 1 ejbca root  1832 Dec 19 16:26 va-publisher.properties.sample
-rw------- 1 ejbca root  2360 Dec 19 16:26 va.properties.sample
-rw------- 1 ejbca root 10995 Dec 19 16:26 web.properties.sample
-rw------- 1 ejbca root  2358 Dec 19 16:26 xkms.properties.sample
Basic (installation) settings:
→ cp -v install.properties.sample install.properties
vm0017:/usr/local/ejbca/conf # cp -v install.properties.sample install.properties
`install.properties.sample' -> `install.properties'

Check unchanged fields:
→ egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
ca.name=ManagementCA
ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
ca.keyspec=2048
ca.keytype=RSA
ca.signaturealgorithm=SHA1WithRSA
ca.validity=3650
ca.policy=null

Change it very carefully:
→ vi install.properties
vm0017:/usr/local/ejbca/conf # vi install.properties

Check important fields:
line 17: ca.name=AdminCAv1
line 23: ca.dn=CN=AdminCAv1,O=minoss,C=NL
line 53: ca.keyspec=4096
line 57: ca.keytype=RSA
line 62: ca.signaturealgorithm=SHA256WithRSA
line 65: ca.validity=3650
line 69: ca.policy=null

Note: line numbers apply only to this release of ejbca!!!

→ egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
ca.name=AdminCAv1
ca.dn=CN=AdminCAv1,O=minoss,C=NL
ca.keyspec=4096
ca.keytype=RSA
ca.signaturealgorithm=SHA256WithRSA
ca.validity=3650
ca.policy=null

→ diff install.properties.sample install.properties
vm0017:/usr/local/ejbca/conf # diff install.properties.sample install.properties
17c17
< ca.name=ManagementCA
---
> ca.name=AdminCAv1
23c23
< ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
---
> ca.dn=CN=AdminCAv1,O=minoss,C=NL
53c53
< ca.keyspec=2048
---
> ca.keyspec=4096
62c62
< ca.signaturealgorithm=SHA1WithRSA
---
> ca.signaturealgorithm=SHA256WithRSA

Note:
→ cp -v ejbca.properties.sample ejbca.properties
vm0017:/usr/local/ejbca/conf # cp -v ejbca.properties.sample ejbca.properties
`ejbca.properties.sample' -> `ejbca.properties'

Check unchanged fields:
→ egrep "ca.keystorepass=" ejbca.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" ejbca.properties
vm0017:/usr/local/ejbca/conf #

Note: it seems something has been changed/moved here, find it...
vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" *
cesecore.properties.sample:#ca.keystorepass=foo123
cesecore.properties.sample:#ca.keystorepass=!secret!
vm0017:/usr/local/ejbca/conf #

→ cp -v cesecore.properties.sample cesecore.properties
vm0017:/usr/local/ejbca/conf # cp -v cesecore.properties.sample cesecore.properties
`cesecore.properties.sample' -> `cesecore.properties'
vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" cesecore.properties
#ca.keystorepass=foo123
#ca.keystorepass=!secret!

Change what is needed:
→ vi cesecore.properties
vm0017:/usr/local/ejbca/conf # vi cesecore.properties
line 17: ca.keystorepass=ca123
Note: line numbers apply only to this release of ejbca!!!

Quick check, grep on the file:
→ egrep "ca.keystorepass=" cesecore.properties
vm0017:/usr/local/ejbca/conf # egrep "ca.keystorepass=" cesecore.properties
ca.keystorepass=ca123
#ca.keystorepass=!secret!

Differences:
→ diff cesecore.properties.sample cesecore.properties
vm0017:/usr/local/ejbca/conf # diff cesecore.properties.sample cesecore.properties
17c17
< #ca.keystorepass=foo123
---
> ca.keystorepass=ca123

Note: either way, check what you need to change and what you actually did..
Database definitions / settings

→ cp -v database.properties.sample database.properties
vm0017:/usr/local/ejbca/conf # cp -v database.properties.sample database.properties
`database.properties.sample' -> `database.properties'

Check unchanged fields:
→ egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0017:/usr/local/ejbca/conf # egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0017:/usr/local/ejbca/conf #

Note that the last grep did not produce any results!

You must change some fields:
→ vi database.properties
vm0017:/usr/local/ejbca/conf # vi database.properties
line 18: database.name=mysql
line 32: database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
line 50: database.driver=com.mysql.jdbc.Driver
line 64: database.username=ejbca-user
line 69: database.password=mysql123

Note: line numbers are ejbca-release specific; there are NO defaults here.
Note2: the deviation from the default db-name and passwords!
Note3: In version 4.X “datasource.mapping=mySQL” is not needed anymore.

Quick check:
→ egrep "^database.name=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0017:/usr/local/ejbca/conf # egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
database.name=mysql
database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
database.driver=com.mysql.jdbc.Driver
database.username=ejbca-user
database.password=mysql123

→ diff database.properties.sample database.properties
vm0017:/usr/local/ejbca/conf # diff database.properties.sample database.properties
18c18
< #database.name=mysql
---
> database.name=mysql
32c32
< #database.url=jdbc:mysql://127.0.0.1:3306/ejbca
---
> database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
50c50
< #database.driver=com.mysql.jdbc.Driver
---
> database.driver=com.mysql.jdbc.Driver
64c64
< #database.username=ejbca
---
> database.username=ejbca-user
69c69
< #database.password=ejbca
---
> database.password=mysql123
Web-page settings:

→ cp -v web.properties.sample web.properties
vm0017:/usr/local/ejbca/conf # cp -v web.properties.sample web.properties
`web.properties.sample' -> `web.properties'

Original settings:
→ egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
vm0017:/usr/local/ejbca/conf # egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
java.trustpassword=changeit
superadmin.password=ejbca
httpsserver.password=serverpwd
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE

Change it carefully:
→ vi web.properties
vm0017:/usr/local/ejbca/conf # vi web.properties
line 25: java.trustpassword=java123
line 36: superadmin.password=superadmin123
line 47: httpsserver.password=serverpwd123
line 50: httpsserver.hostname=vm0017.minoss.nl
line 54: httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Note: again, line numbers are ejbca release specific!

New settings:
→ egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
vm0017:/usr/local/ejbca/conf # egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
java.trustpassword=java123
superadmin.password=superadmin123
httpsserver.password=serverpwd123
httpsserver.hostname=vm0017.minoss.nl
httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Quick check:
→ diff web.properties.sample web.properties
vm0017:/usr/local/ejbca/conf # diff web.properties.sample web.properties
25c25
< java.trustpassword=changeit
---
> java.trustpassword=java123
36c36
< superadmin.password=ejbca
---
> superadmin.password=superadmin123
47c47
< httpsserver.password=serverpwd
---
> httpsserver.password=serverpwd123
50c50
< httpsserver.hostname=localhost
---
> httpsserver.hostname=vm0017.minoss.nl
54c54
< httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
---
> httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Note: jot down the superadmin password, you need it later on.
Note2: here it is important that the hostname is properly set and resolvable!
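The four properties files above (install, cesecore, database, web) are all handled the same way: copy the sample, edit by hand in vi, then egrep and diff against the sample. As an added example, not part of this install log, the shell helpers below make that edit repeatable and keep both checks; the function names and the sample content are constructed here, and only temp files are written.

```shell
#!/bin/sh
# Added example, not part of the original install log. The walkthrough edits
# install/cesecore/database/web.properties by hand in vi, then checks the
# result with egrep and diff. These helpers make the edit repeatable and
# keep both checks. All files below are temp files filled with constructed
# content; nothing under /usr/local/ejbca is touched.

# set_prop FILE KEY VALUE
#   active line   "KEY=old"   -> replaced in place
#   commented     "#KEY=old"  -> the first such line is uncommented and set
#                                (the samples carry several commented variants,
#                                 e.g. two ca.keystorepass lines in cesecore)
#   KEY absent                -> appended at the end
# KEY and VALUE reach awk through the environment, so no backslash or $
# processing happens on values like CN=${httpsserver.hostname},O=minoss,C=NL.
set_prop() {
    _tmp="$1.tmp.$$"
    key="$2" val="$3" awk '
        {
            line = $0
            sub(/^[# ]*/, "", line)          # strip "#" and blanks in front
            if (!done && index(line, ENVIRON["key"] "=") == 1) {
                print ENVIRON["key"] "=" ENVIRON["val"]
                done = 1
                next
            }
            print
        }
        END { if (!done) print ENVIRON["key"] "=" ENVIRON["val"] }
    ' "$1" > "$_tmp" && mv "$_tmp" "$1"
}

# get_prop FILE KEY -> the active (uncommented) value, first hit only; this is
# what the egrep "^database.name=|..." checks in the log print.
get_prop() {
    key="$2" awk '
        index($0, ENVIRON["key"] "=") == 1 {
            print substr($0, length(ENVIRON["key"]) + 2)
            exit
        }' "$1"
}

# count_active FILE KEY -> number of uncommented KEY= lines. Anything but 1
# means the file defines the key twice (or not at all) and the diff is misleading.
count_active() {
    key="$2" awk 'index($0, ENVIRON["key"] "=") == 1 { n++ } END { print n + 0 }' "$1"
}

# Constructed stand-in for conf/database.properties.sample: the five commented
# defaults the log's diff shows, nothing else.
make_sample_db_props() {
    cat > "$1" <<'EOF'
# constructed excerpt of database.properties.sample
#database.name=mysql
#database.url=jdbc:mysql://127.0.0.1:3306/ejbca
#database.driver=com.mysql.jdbc.Driver
#database.username=ejbca
#database.password=ejbca
EOF
}

# Apply the five database settings from the walkthrough to FILE.
configure_db_props() {
    set_prop "$1" database.name     mysql
    set_prop "$1" database.url      'jdbc:mysql://127.0.0.1:3306/ejbcadb'
    set_prop "$1" database.driver   com.mysql.jdbc.Driver
    set_prop "$1" database.username ejbca-user
    set_prop "$1" database.password mysql123
}

# Stand-alone demo: copy the sample to the live name, edit, then run the log's
# two checks (grep of the active keys, diff against the sample).
demo_dir=$(mktemp -d)
make_sample_db_props "$demo_dir/database.properties.sample"
cp "$demo_dir/database.properties.sample" "$demo_dir/database.properties"
configure_db_props "$demo_dir/database.properties"
grep '^database\.' "$demo_dir/database.properties"
diff "$demo_dir/database.properties.sample" "$demo_dir/database.properties" || true
rm -rf "$demo_dir"
```

Run it against a copy of the real sample first; count_active is the check that catches a key left active twice, which the plain grep in the log does not flag.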
Stopping JBoss
Check if it is running:
→ ps -ef |grep -v grep | grep -c jboss
vm0017:/usr/local/ejbca/conf # ps -ef |grep -v grep | grep -c jboss
0
Zero instances, so not running!

Change ownership of files, again
→ cd /usr/local ; chown -R ejbca ejbca/ ; chown -R ejbca jboss/
vm0017:/usr/local/ejbca/conf # cd /usr/local ; chown -R ejbca ejbca/ ; chown -R ejbca jboss/
vm0017:/usr/local #
Note: don't omit the trailing slash

==> return to this point if something goes wrong <==
(if needed, drop any remaining tables)

Cleaning
→ cd /usr/local/ejbca ; time ant clean > $EIL/ant_clean.log
vm0017:/usr/local/jboss # cd /usr/local/ejbca ; time ant clean > $EIL/ant_clean.log

real    0m8.410s
user    0m7.384s
sys     0m0.392s

Note the redirection of all default output, so you can read it later on.

Check result:
→ tail -3 $EIL/ant_clean.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_clean.log

BUILD SUCCESSFUL
Total time: 8 seconds

→ grep -ic warning $EIL/ant_clean.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_clean.log
0
Bootstrap
→ cd /usr/local/ejbca ; time ant bootstrap > $EIL/ant_bootstrap.log
vm0017:/usr/local/ejbca # cd /usr/local/ejbca ; time ant bootstrap > $EIL/ant_bootstrap.log

real    1m34.922s
user    1m3.460s
sys     0m5.120s

Check result:
→ tail -3 $EIL/ant_bootstrap.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_bootstrap.log

BUILD SUCCESSFUL
Total time: 1 minute 34 seconds

→ grep -ic warning $EIL/ant_bootstrap.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_bootstrap.log
0

Check results: some files should have been created:
→ ll /usr/local/jboss/server/default/deploy/ejbca*
vm0017:/usr/local/ejbca # ll /usr/local/jboss/server/default/deploy/ejbca*
-rw------- 1 root  root     3347 Jan  5 18:13 /usr/local/jboss/server/default/deploy/ejbca-ds.xml
-rw------- 1 root  root     2333 Jan  5 18:13 /usr/local/jboss/server/default/deploy/ejbca-mail-service.xml
-rw-r--r-- 1 ejbca root 15169524 Jan  5 18:13 /usr/local/jboss/server/default/deploy/ejbca.ear

Seems ok...
Jboss starting for the first time

→ cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_first_run.log
vm0017:/usr/local/ejbca # cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_first_run.log

From another console, the first couple of lines (showing the proper opts):
→ head -22 $EIL/JBoss_first_run.log
vm0017:/usr/local/ejbca/conf # head -22 $EIL/JBoss_first_run.log
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /usr/local/jboss

  JAVA: java

  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:./bin/logging.properties -Djava.library.path=/usr/local/jboss/bin/native/lib64

  CLASSPATH: /usr/local/jboss/bin/run.jar

=========================================================================

17:56:21,411 INFO  [AbstractJBossASServerBase] Server Configuration:

        JBOSS_HOME URL: file:/usr/local/jboss-6.1.0.Final/
        Bootstrap: $JBOSS_HOME/server/default/conf/bootstrap.xml
        Common Base: $JBOSS_HOME/common/
        Common Library: $JBOSS_HOME/common/lib/
        Server Name: default
        Server Base: $JBOSS_HOME/server/

Note the use of different ENVs!
Note the other position of “JAVA”.

Last couple of lines:
→ tail -5 $EIL/JBoss_first_run.log
18:16:36,245 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.ExpiryQueue
18:16:36,318 INFO  [service] Removing bootstrap log handlers
18:16:36,510 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-127.0.0.1-8080
18:16:36,517 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
18:16:36,517 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 1m:24s:142ms

The first run should have created the DB tables. Check whether the DB has been initialized:
→ mysql ejbcadb -u ejbca-user -p
vm0017:~ # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

→ show tables;
mysql> show tables;
+-----------------------------+
| Tables_in_ejbcadb           |
+-----------------------------+
| AccessRulesData             |
| AdminEntityData             |
| AdminGroupData              |
| AdminPreferencesData        |
| ApprovalData                |
| AuditRecordData             |
| AuthorizationTreeUpdateData |
| Base64CertData              |
| CAData                      |
| CRLData                     |
| CertReqHistoryData          |
| CertificateData             |
| CertificateProfileData      |
| CryptoTokenData             |
| EndEntityProfileData        |
| GlobalConfigurationData     |
| HardTokenCertificateMap     |
| HardTokenData               |
| HardTokenIssuerData         |
| HardTokenProfileData        |
| HardTokenPropertyData       |
| InternalKeyBindingData      |
| KeyRecoveryData             |
| PublisherData               |
| PublisherQueueData          |
| ServiceData                 |
| UserData                    |
| UserDataSourceData          |
+-----------------------------+
28 rows in set (0.00 sec)

mysql> exit;
Bye

So the database can be reached and filled!
EJBCA ant install

→ cd /usr/local/ejbca ; time ant install > $EIL/ant_install.log
vm0017:/usr/local/ejbca # cd /usr/local/ejbca ; time ant install > $EIL/ant_install.log

real    1m15.114s
user    0m35.490s
sys     0m3.056s

Check on log file:
→ tail -3 $EIL/ant_install.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_install.log

BUILD SUCCESSFUL
Total time: 1 minute 14 seconds

→ grep -ic warning $EIL/ant_install.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_install.log
0

Stopping JBoss
Check if it is running:
→ ps -ef |grep -v grep | grep -c jboss
vm0017:/usr/local/ejbca # ps -ef |grep -v grep | grep -c jboss
1

Stop it nicely:
→ cd /usr/local/jboss ; ./bin/shutdown.sh -S
vm0017:/usr/local/ejbca # cd /usr/local/jboss ; ./bin/shutdown.sh -S
Shutdown message has been posted to the server.
Server shutdown may take a while - check logfiles for completion

Last lines from the logfile:
→ tail -5 $EIL/JBoss_first_run.log
vm0017:/usr/local/jboss # tail -5 $EIL/JBoss_first_run.log
19:57:42,487 INFO  [HornetQServerImpl] HornetQ Server version 2.2.5.Final (HQ_2_2_5_FINAL_AS7, 121) [c38462cb-7624-11e3-a307-00163e001700] stopped
19:57:42,652 INFO  [MailService] Mail service 'java:/Mail' removed from JNDI
19:57:42,667 INFO  [JMXConnector] JMXConnector stopped
19:57:42,879 INFO  [MailService] Mail service 'java:/EjbcaMail' removed from JNDI
19:57:45,424 INFO  [AbstractServer] Stopped: JBossAS [6.1.0.Final "Neo"] in 5s:856ms
Ejbca deploy

→ cd /usr/local/ejbca ; time ant deploy > $EIL/ant_deploy.log
vm0017:/usr/local/jboss # cd /usr/local/ejbca ; time ant deploy > $EIL/ant_deploy.log

real    1m8.726s
user    0m55.559s
sys     0m4.744s

Last lines from the log file:
→ tail -3 $EIL/ant_deploy.log
vm0017:/usr/local/ejbca # tail -3 $EIL/ant_deploy.log

BUILD SUCCESSFUL
Total time: 1 minute 8 seconds

→ grep -ic warning $EIL/ant_deploy.log
vm0017:/usr/local/ejbca # grep -ic warning $EIL/ant_deploy.log
0

Further checks:
→ ls -l /usr/local/jboss/server/default/conf/keystore/
vm0017:/usr/local/ejbca # ls -l /usr/local/jboss/server/default/conf/keystore/
total 12
-rw------- 1 root root 5243 Jan  5 18:18 keystore.jks
-rw------- 1 root root 1423 Jan  5 18:18 truststore.jks

Observe the date and time of the files...
Restart Jboss.

→ cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_second_run.log
vm0017:/usr/local/jboss # cd /usr/local/jboss ; ./bin/run.sh > $EIL/JBoss_second_run.log

Again, the first lines:
→ head -22 $EIL/JBoss_second_run.log
vm0017:/usr/local/ejbca # head -22 $EIL/JBoss_second_run.log
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /usr/local/jboss

  JAVA: java

  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:./bin/logging.properties -Djava.library.path=/usr/local/jboss/bin/native/lib64

  CLASSPATH: /usr/local/jboss/bin/run.jar

=========================================================================

20:03:06,137 INFO  [AbstractJBossASServerBase] Server Configuration:

        JBOSS_HOME URL: file:/usr/local/jboss-6.1.0.Final/
        Bootstrap: $JBOSS_HOME/server/default/conf/bootstrap.xml
        Common Base: $JBOSS_HOME/common/
        Common Library: $JBOSS_HOME/common/lib/
        Server Name: default
        Server Base: $JBOSS_HOME/server/

Equally important, the last lines:
→ tail -22 $EIL/JBoss_second_run.log
vm0017:/usr/local/ejbca # tail -22 $EIL/JBoss_second_run.log
20:04:29,932 INFO  [STDOUT] Roles or CAs exist, not intializing Super Administrator Role
20:04:30,061 INFO  [STDOUT] Custom certificate serial number not allowed since there is no unique index on (issuerDN,serialNumber) on the 'CertificateData' table.
20:04:30,081 INFO  [STDOUT] No OcspKeyBindings found. Processing ocsp.properties to see if we need to perform conversion.
20:04:30,136 INFO  [STDOUT] Activated Crypto Token with id -606009209.
20:04:30,145 INFO  [STDOUT] Default OCSP responder with subject 'CN=ManagementCA,O=EJBCA Sample,C=SE' was not found. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error).
20:04:30,145 INFO  [STDOUT] No default OCSP responder has been configured. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error).
20:04:30,184 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/clearcache
20:04:30,206 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb
20:04:30,226 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/doc
20:04:30,242 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/healthcheck
20:04:30,257 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca
20:04:30,276 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/apply
20:04:30,292 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/status
20:04:30,341 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/webdist
20:04:30,362 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.DLQ
20:04:30,520 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.ExpiryQueue
20:04:30,558 INFO  [service] Removing bootstrap log handlers
20:04:30,650 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
20:04:30,651 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8442
20:04:30,652 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
20:04:30,655 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
20:04:30,656 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 1m:24s:513ms

Check on TCP ports:
→ lsof -i -P |egrep "8080|844"
vm0017:/usr/local/ejbca # lsof -i -P |egrep "8080|844"
java    7264 root  501u  IPv4  18137  0t0  TCP *:8080 (LISTEN)
java    7264 root  503u  IPv4  18140  0t0  TCP *:8442 (LISTEN)
java    7264 root  504u  IPv4  18143  0t0  TCP *:8443 (LISTEN)
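As an added example (not from the original log), the shell helpers below pull out of a JBoss run log the same facts the head/tail/lsof checks above show: the "Started in" marker, the Coyote listeners with their bind address, and the count of WARN entries; the function names and the log excerpt are constructed here, not JBoss or EJBCA tooling.

```shell
#!/bin/sh
# Added example, not part of the original install log. The walkthrough checks
# each JBoss start by reading head/tail of $EIL/JBoss_*_run.log and running
# lsof. These helpers pull the same facts out of the run log so the check can
# be scripted; the function names are ours, not JBoss or EJBCA tooling, and
# the log below is a constructed excerpt built from lines quoted in the log.

# jboss_started LOG -> exit 0 when the 'JBossAS [...] Started in ...' marker is present
jboss_started() {
    grep -q 'JBossAS \[[^]]*\] Started in' "$1"
}

# jboss_listeners LOG -> one "proto bind port" triple per Coyote connector line,
# e.g. "http 0.0.0.0 8443" from "... Starting Coyote HTTP/1.1 on http-0.0.0.0-8443"
jboss_listeners() {
    sed -n 's/.*Starting Coyote [^ ]* on \([a-z]*\)-\(.*\)-\([0-9]*\)$/\1 \2 \3/p' "$1"
}

# public_listeners LOG -> "proto:port" for connectors bound to all interfaces.
# The first run in the log bound HTTP to 127.0.0.1, the second (after ant deploy)
# to 0.0.0.0, which lsof then reports as *:8080, *:8442 and *:8443.
public_listeners() {
    jboss_listeners "$1" | awk '$2 == "0.0.0.0" || $2 == "::" { print $1 ":" $3 }'
}

# count_warn LOG -> number of WARN-level entries (timestamp, then level).
# The case-insensitive "grep -ic warning" used on the ant logs is wrong here:
# the JAVA_OPTS banner contains -Dorg.jboss.resolver.warning=true and would be
# counted on every start.
count_warn() {
    grep -c '^[0-9][0-9]:[0-9][0-9]:[0-9][0-9],[0-9]* WARN ' "$1" || true
}

# Constructed excerpt of a second-run log (one WARN line added for the demo).
make_sample_log() {
    cat > "$1" <<'EOF'
  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true
20:04:29,932 INFO  [STDOUT] Roles or CAs exist, not intializing Super Administrator Role
20:04:30,100 WARN  [constructed] example warning line, not from the real log
20:04:30,145 INFO  [STDOUT] No default OCSP responder has been configured. OCSP requests for certificates issued by unknown CAs will fail with response code 2 (internal error).
20:04:30,650 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
20:04:30,651 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8442
20:04:30,652 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
20:04:30,655 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
20:04:30,656 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 1m:24s:513ms
EOF
}

# report LOG -> human-readable summary; exit status 1 if the start marker is missing
report() {
    if jboss_started "$1"; then echo "started: yes"; else echo "started: NO"; fi
    echo "WARN entries: $(count_warn "$1")"
    echo "listeners:"; jboss_listeners "$1" | sed 's/^/  /'
    echo "bound to all interfaces:"; public_listeners "$1" | sed 's/^/  /'
    jboss_started "$1"
}

demo_log=$(mktemp)
make_sample_log "$demo_log"
report "$demo_log"
rm -f "$demo_log"
```

Point report at $EIL/JBoss_first_run.log and $EIL/JBoss_second_run.log to see the bind-address change between the two runs without reading the whole log.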
Check results in DB:
→ mysql ejbcadb -u ejbca-user -p
→ select * from AdminEntityData;
vm0017:/usr/local/ejbca # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 113
Server version: 5.5.33 SUSE MySQL package

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select * from AdminEntityData;
+-----------+-----------+-----------+------------+-----------+---------------+------------+--------------------------------+------------------------------+
| pK        | cAId      | matchType | matchValue | matchWith | rowProtection | rowVersion | tokenType                      | AdminGroupData_adminEntities |
+-----------+-----------+-----------+------------+-----------+---------------+------------+--------------------------------+------------------------------+
|  88089314 |         0 |      1000 | ejbca      |         0 | NULL          |          0 | CliAuthenticationToken         |                            1 |
| 715646759 | 749716675 |      1000 | SuperAdmin |         8 | NULL          |          0 | CertificateAuthenticationToken |                            1 |
+-----------+-----------+-----------+------------+-----------+---------------+------------+--------------------------------+------------------------------+
2 rows in set (0.02 sec)

mysql> exit;
Bye
vm0017:/usr/local/ejbca #
Test transfer of the super end entity user

→ ll /usr/local/ejbca/p12
vm0017:/usr/local/ejbca # ll /usr/local/ejbca/p12
total 20
-rw-r--r-- 1 root root 4254 Jan  5 18:18 superadmin.p12
-rw-r--r-- 1 root root 5243 Jan  5 18:18 tomcat.jks
-rw-r--r-- 1 root root 1423 Jan  5 18:18 truststore.jks

Store them on the local machine (the one running the browser).
=> mkdir -p /root/ejbca/vm0017
=> cd /root/ejbca/vm0017
=> sftp vm0017
=> cd /usr/local/ejbca/p12
=> get superadmin.p12
=> cd /usr/local/ejbca/conf
=> get *.properties
=> quit
orion:~/ejbca/vm0017 # sftp vm0017
Password:
Connected to vm0017.
sftp> cd /usr/local/ejbca/p12
sftp> get superadmin.p12
Fetching /usr/local/ejbca_ce_6_0_3/p12/superadmin.p12 to superadmin.p12
/usr/local/ejbca_ce_6_0_3/p12/superadmin.p12                    100% 4254     4.2KB/s   00:00
sftp> cd /usr/local/ejbca/conf
sftp> get *.properties
Fetching /usr/local/ejbca_ce_6_0_3/conf/cesecore.properties to cesecore.properties
/usr/local/ejbca_ce_6_0_3/conf/cesecore.properties              100% 8918     8.7KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/database.properties to database.properties
/usr/local/ejbca_ce_6_0_3/conf/database.properties              100% 3383     3.3KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/ejbca.properties to ejbca.properties
/usr/local/ejbca_ce_6_0_3/conf/ejbca.properties                 100% 7408     7.2KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/extendedkeyusage.properties to extendedkeyusage.properties
/usr/local/ejbca_ce_6_0_3/conf/extendedkeyusage.properties      100% 6088     6.0KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/install.properties to install.properties
/usr/local/ejbca_ce_6_0_3/conf/install.properties               100% 3084     3.0KB/s   00:00
Fetching /usr/local/ejbca_ce_6_0_3/conf/web.properties to web.properties
/usr/local/ejbca_ce_6_0_3/conf/web.properties                   100%   11KB  10.8KB/s   00:00
sftp> quit
orion:~/ejbca/vm0017 #

Start Firefox.
Tab “Edit” → tab “Preferences” → tab “Advanced” → tab “Certificates” → tab “View Certificates” → tab “Delete” if any previous certificates are still around.
Tab “Import” → tab “Your Certificates” → tab “Import” → tab “root” → folder “root” → folder “ejbca” → folder “vm0017” → file “superadmin.p12”

Browse to: https://vm0017.minoss.nl:8443/ejbca/

The CA has a self-signed certificate and is hence untrusted by the browser. Confirm the exception and accept.

Browse to: https://vm0017.minoss.nl:8442/ejbca/