EJBCA installation (based on Ubuntu 16.04 LTS + wildfly8 + ejbca6.3.11 + jdk7)

Source: Internet
Author: User
Tags: jboss, wildfly, wsdl

Some time ago I built a PKI for our research institute's intranet with EJBCA as the CA. It currently issues the certificates used for mutually authenticated TLS (client and server authentication) between our mobile apps (Android and iOS) and the server side (Nginx in front of a Java application).

Because the official EJBCA installation documentation is unreliable (following it step by step runs into one pitfall after another), I am recording my own installation process here, in the hope that it helps someone else.

The official document is here: https://www.ejbca.org/docs/installation.html

Environment and dependencies: Ubuntu 16.04 LTS, Oracle JDK 7, Ant, ejbca_ce_6_3_1_1, WildFly 8.0.0.Final, PostgreSQL 9.4

The installation breaks down into the following steps (installing the JDK, Ant and PostgreSQL is not covered here):

1. Install and start the WildFly server

2. Create a new database in PostgreSQL

3. Configure the WildFly data source

4. Run some initialisation commands in the WildFly command-line interface (remove the stock HTTP/TLS configuration, set log levels, etc.)

5. Modify the default settings of EJBCA

6. Build and deploy EJBCA with ant, and copy the server keystore to the right location

7. Configure HTTPS in the WildFly command-line interface

The commands below assume EJBCA was unpacked to /opt/pki/ejbca_ce_6_3_1_1 and WildFly to /opt/pki/wildfly-8.0.0.Final.

Installing and starting the WildFly server

After unpacking the WildFly archive, change into its bin directory and start WildFly in standalone mode in the background:

nohup ./standalone.sh > jboss.log 2>&1 &

Create a new database named ejbca. The name must match the one in the data source connection URL below; PostgreSQL folds unquoted identifiers to lower case, so use lower case in both places.

Configuring the WildFly data source

First copy the PostgreSQL JDBC driver jar into WildFly's standalone/deployments directory so that it is deployed; the file name of the jar (postgresql-9.3.jar below) is the driver name the data source refers to.

Then open the JBoss CLI by running ./jboss-cli.sh -c from WildFly's bin directory (-c connects to the running server). Several of the later steps are also executed in this CLI.

Add the data source (one command on a single line; the driver name must be exactly the file name of the deployed jar, and the database name in the URL must match the database created above):

data-source add --name=ejbcads --driver-name="postgresql-9.3.jar" --connection-url="jdbc:postgresql://192.168.171.129:5432/ejbca" --jndi-name="java:/ejbcads" --use-ccm=true --driver-class="org.postgresql.Driver" --user-name="postgres" --password="${your Password}" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=<cache size> --share-prepared-statements=true --min-pool-size=5 --max-pool-size=<max> --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1;"

The two values in angle brackets are left blank in my notes; fill them in with your pool sizes, since the CLI rejects an empty value. Note that the database password is stored in clear text in standalone/configuration/standalone.xml, so restrict read access to that file (or use the WildFly vault), and give the database user rights on the ejbca database only.

Performing some initialisation commands in the WildFly command-line interface (remove the stock HTTP/TLS configuration, set log levels, etc.)

The following is run in the CLI, one operation per line. Resource names such as SSLRealm are case-sensitive, so use the same spelling here and in the HTTPS step later. On a fresh WildFly the :remove operations for resources that do not exist yet (SSLRealm, httpspub, httpspriv) fail with "not found"; that is harmless, they are there so the sequence can be re-run.

/socket-binding-group=standard-sockets/socket-binding=remoting:remove
/subsystem=undertow/server=default-server/http-listener=remoting:remove
/subsystem=remoting/http-connector=http-remoting-connector:remove
/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting", security-realm="ApplicationRealm")
/socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)
:reload
/subsystem=logging/logger=org.ejbca:add
/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)
/subsystem=logging/logger=org.cesecore:add
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)
/core-service=management/security-realm=SSLRealm/authentication=truststore:remove
/core-service=management/security-realm=SSLRealm/server-identity=ssl:remove
/core-service=management/security-realm=SSLRealm:remove
/socket-binding-group=standard-sockets/socket-binding=httpspub:remove
/subsystem=undertow/server=default-server/https-listener=httpspub:remove
/socket-binding-group=standard-sockets/socket-binding=httpspriv:remove
/subsystem=undertow/server=default-server/https-listener=httpspriv:remove
/socket-binding-group=standard-sockets/socket-binding=http:remove
/subsystem=undertow/server=default-server/http-listener=http:remove
/subsystem=undertow/server=default-server/http-listener=default:remove
/system-property=org.apache.catalina.connector.URI_ENCODING:remove
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:remove
/interface=http:remove
/interface=httpspub:remove
/interface=httpspriv:remove
:reload

DEBUG logging for org.ejbca and org.cesecore is useful while installing; turn it back to INFO once the CA is in production, because debug output can include request details you do not want in the log.

Modify the default configuration for EJBCA

Unzip the EJBCA archive and change into the unpacked directory (/opt/pki/ejbca_ce_6_3_1_1).

The conf directory holds EJBCA's configuration files; the build and the CA installation read their settings from them. Each file ships as a .sample; to change a default, rename the file to drop the .sample suffix and edit it.

We need to modify several files:

ejbca.properties (mv ejbca.properties.sample ejbca.properties)

Set appserver.home to the installation location of the application server, /opt/pki/wildfly-8.0.0.Final for us.

web.properties (mv web.properties.sample web.properties)

This file sets the password protecting the Super Administrator's PKCS#12 file (superadmin.password), the password of the server keystore the application server uses for TLS (httpsserver.password), the truststore password (java.trustpassword), and so on. These can be left at their defaults for a test installation, but change them for anything real, since the defaults are public. Pay attention to httpsserver.hostname: it becomes the name in the server certificate and the keystore alias that the HTTPS configuration refers to later, and it must match the address clients connect to. My machine is reached by IP address, so I set it to 192.168.171.129.

database.properties (mv database.properties.sample database.properties)

Set the database type, driver, URL, user name and password, etc., matching the data source above.

install.properties (mv install.properties.sample install.properties)

Set the name of the CA, its key algorithm and size, and so on.
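As an added example (my own script, not part of the original post or of EJBCA), the following Python code does the four rename-and-edit steps above in one go. It assumes the conf/ layout just described; the property key names are the ones used in the EJBCA 6 .sample files (verify against your copy), and the values are this page's (192.168.171.129, /opt/pki/wildfly-8.0.0.Final, the default passwords). It runs offline against constructed, heavily abbreviated stand-ins for the .sample files; point prepare_conf() at the real conf directory to use it.

```python
"""Materialise EJBCA's conf/*.properties from the .sample files and set the keys
this walkthrough changes. Added example for this page, not EJBCA tooling."""
import os
import re
import shutil
import tempfile
from typing import Dict

# Values this walkthrough uses. Only appserver.home and httpsserver.hostname
# differ from the shipped defaults; the three passwords are the defaults the
# page keeps. They protect superadmin.p12, the TLS server keystore and the
# truststore, so change them before `ant runinstall` on a real CA.
# Key names are those of the EJBCA 6 .sample files (assumed; check yours).
EJBCA_OVERRIDES: Dict[str, Dict[str, str]] = {
    "ejbca.properties": {"appserver.home": "/opt/pki/wildfly-8.0.0.Final"},
    "web.properties": {
        "httpsserver.hostname": "192.168.171.129",  # also the server keystore alias
        "httpsserver.password": "serverpwd",
        "java.trustpassword": "changeit",
        "superadmin.password": "ejbca",
    },
    "database.properties": {
        "database.name": "postgres",
        "database.url": "jdbc:postgresql://192.168.171.129:5432/ejbca",
        "database.driver": "org.postgresql.Driver",
        "database.username": "postgres",
        "database.password": "${your Password}",  # placeholder, as on the page
    },
    "install.properties": {"ca.name": "ManagementCA", "ca.keytype": "RSA", "ca.keyspec": "2048"},
}


def set_property(text: str, key: str, value: str) -> str:
    """Set key=value in Java .properties text.

    An active `key=...` line is replaced in place; failing that, the first
    commented-out default (`#key=...`) is uncommented and replaced; failing
    that, the key is appended. Comments and other keys are left untouched.
    """
    active = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:].*$", re.MULTILINE)
    commented = re.compile(r"^\s*[#!]\s*" + re.escape(key) + r"\s*[=:].*$", re.MULTILINE)
    new_line = f"{key}={value}"
    for pattern in (active, commented):
        if pattern.search(text):
            # A lambda keeps `\` and `$` in the value literal (re.sub would expand them).
            return pattern.sub(lambda _m: new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def prepare_conf(conf_dir: str, overrides: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """For each file, copy name.sample -> name unless name exists, apply the
    overrides, write it back and return the resulting text per file."""
    result: Dict[str, str] = {}
    for filename, props in overrides.items():
        target = os.path.join(conf_dir, filename)
        if not os.path.exists(target):
            # The page uses mv; copying keeps the .sample around as a reference,
            # which is harmless because the build reads only the .properties files.
            shutil.copyfile(target + ".sample", target)
        with open(target, encoding="latin-1") as fh:  # Java .properties are ISO-8859-1
            text = fh.read()
        for key, value in props.items():
            text = set_property(text, key, value)
        with open(target, "w", encoding="latin-1") as fh:
            fh.write(text)
        result[filename] = text
    return result


# Constructed, heavily abbreviated stand-ins for the real .sample files, covering
# the three cases set_property handles: commented default, active default, absent key.
SAMPLE_FILES = {
    "ejbca.properties.sample": "# Application server home\n#appserver.home=/opt/jboss\n",
    "web.properties.sample": (
        "#superadmin.password=ejbca\n"
        "#httpsserver.hostname=localhost\n"
        "httpsserver.password=serverpwd\n"
        "#java.trustpassword=changeit\n"
    ),
    "database.properties.sample": (
        "#database.name=mysql\n"
        "#database.url=jdbc:mysql://127.0.0.1:3306/ejbca\n"
    ),
    "install.properties.sample": "#ca.name=ManagementCA\n",
}


def demo() -> Dict[str, str]:
    """Run prepare_conf() over the constructed samples in a scratch directory."""
    conf_dir = tempfile.mkdtemp(prefix="ejbca-conf-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(conf_dir, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return prepare_conf(conf_dir, EJBCA_OVERRIDES)


if __name__ == "__main__":
    # Real use: prepare_conf("/opt/pki/ejbca_ce_6_3_1_1/conf", EJBCA_OVERRIDES)
    for name, text in demo().items():
        print(f"== {name}\n{text}")
```

Keeping the edit idempotent (replace an existing line instead of appending a second one) matters because Java's Properties loader silently takes the last occurrence of a key, which is an easy way to end up installing a CA with a password other than the one you think you set.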

Use the ant command to compile and deploy the EJBCA, and copy the server-side certificate to the correct location

In the EJBCA directory (/opt/pki/ejbca_ce_6_3_1_1 for us), run the following commands in turn:

ant clean deployear

ant runinstall

ant deploy-keystore

This generates superadmin.p12, truststore.jks and tomcat.jks under the EJBCA directory (in EJBCA 6 they land in its p12 subdirectory).

superadmin.p12 is the Super Administrator's certificate and private key. We import it into the browser to access the EJBCA admin web, and use it to authenticate when calling the RA web service interface EJBCA provides. Guard it accordingly: whoever holds it administers the CA.

truststore.jks holds the CA certificate. It is given to clients so they can verify the server's certificate (a server verifying client certificates is the more common direction; two-way authentication needs both, so the client must verify the server too). The same truststore, copied into WildFly in the next step, is what the server uses on port 8443 to validate client certificates.

tomcat.jks is the server keystore (server certificate and private key) deployed to WildFly to enable TLS. ant deploy-keystore copies it and the truststore to standalone/configuration/keystore/ as keystore.jks and truststore.jks, which are the paths the HTTPS configuration below refers to.

Configuring HTTPS in the command line interface of WildFly

Back in the CLI, one operation per line. The realm name SSLRealm and the alias must match the spelling used in the cleanup step and the httpsserver.hostname set in web.properties; the keystore passwords are the ones from web.properties (serverpwd and changeit are the defaults). Lines starting with # are comments.

/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080", interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
# The official document calls for :reload here; do not reload at this point.
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="192.168.171.129")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443", interface="httpspriv")
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
# The official document says a reload is needed here too; again, do not reload yet.
/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
# Prevent JSF errors:
/subsystem=weld:write-attribute(name=require-bean-descriptor, value=true)
# Enable AJP:
/subsystem=undertow/server=default-server/ajp-listener=ajp-listener:add(socket-binding=ajp, scheme=https, enabled=true)
:reload

The result is three listeners: 8443 (httpspriv) serves the admin web and requires a client certificate issued by the CA (verify-client=REQUIRED, validated against truststore.jks), 8442 (httpspub) serves the public pages over server-authenticated TLS only, and 8080 is plain HTTP that redirects to 8443. Binding all three interfaces to 0.0.0.0 exposes them on every network interface; on an intranet CA, bind them to the intranet address (192.168.171.129 here) if nothing else needs them.
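WildFly persists the operations above to standalone/configuration/standalone.xml, including the keystore and truststore passwords in clear text. The following is an added example (my own script, not an EJBCA or WildFly tool) that reads that file and checks the resulting layout: 8443 with mandatory client certificates, 8442 without, 8080 redirecting to 8443, an SSLRealm with both stores, and no store password left at this page's defaults. The element and attribute names are the ones WildFly 8 writes for these operations; the embedded XML is a constructed excerpt for the example, not a dump from a real server.

```python
"""Audit WildFly's standalone.xml for the EJBCA TLS layout this page sets up.
Added example for this walkthrough, not an EJBCA or WildFly tool."""
import xml.etree.ElementTree as ET
from typing import List

# Store passwords the page leaves at their defaults; anyone who read it knows them.
DEFAULT_STORE_PASSWORDS = {"serverpwd", "changeit"}


def _local(tag: str) -> str:
    """Drop the namespace so subsystem schema versions do not matter."""
    return tag.rsplit("}", 1)[-1]


def _find(root: ET.Element, local_name: str, **attrs: str) -> List[ET.Element]:
    """Elements in root's subtree with this local name and matching attributes."""
    return [el for el in root.iter()
            if _local(el.tag) == local_name
            and all(el.get(k) == v for k, v in attrs.items())]


def audit(xml_text: str) -> List[str]:
    """Return findings; an empty list means the layout is as intended:
    8443 admin web with mandatory client certificates, 8442 public TLS,
    8080 plain HTTP that only redirects to 8443."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Admin port: client certificate must be mandatory, not optional or absent.
    priv = _find(root, "https-listener", name="httpspriv")
    if not priv:
        findings.append("no https-listener 'httpspriv': admin web is not on 8443")
    else:
        if priv[0].get("verify-client") != "REQUIRED":
            findings.append("httpspriv listener does not set verify-client=REQUIRED")
        if priv[0].get("security-realm") != "SSLRealm":
            findings.append("httpspriv listener is not backed by SSLRealm")

    # Public port exists and presents the same server identity.
    pub = _find(root, "https-listener", name="httpspub")
    if not pub or pub[0].get("security-realm") != "SSLRealm":
        findings.append("no https-listener 'httpspub' on SSLRealm: public port missing")

    # Plain HTTP must only redirect, and WildFly's stock listener must be gone.
    http = _find(root, "http-listener", name="http")
    if not http or http[0].get("redirect-socket") != "httpspriv":
        findings.append("http-listener 'http' does not redirect to httpspriv")
    if _find(root, "http-listener", name="default"):
        findings.append("stock http-listener 'default' still present (step 4 not applied)")

    # The realm behind both TLS ports: server identity plus a truststore for
    # validating client certificates, and no well-known store passwords.
    realm = _find(root, "security-realm", name="SSLRealm")
    if not realm:
        findings.append("security-realm SSLRealm missing")
    else:
        keystores = _find(realm[0], "keystore")
        truststores = _find(realm[0], "truststore")
        if not keystores:
            findings.append("SSLRealm has no server-identity keystore")
        if not truststores:
            findings.append("SSLRealm has no truststore: client certificates cannot be validated")
        for store in keystores + truststores:
            if store.get("keystore-password") in DEFAULT_STORE_PASSWORDS:
                findings.append(f"{_local(store.tag)} uses the walkthrough's default password")

    # Ports match the bindings the CLI commands created.
    for name, port in (("http", "8080"), ("httpspriv", "8443"), ("httpspub", "8442")):
        binding = _find(root, "socket-binding", name=name)
        if not binding or binding[0].get("port") != port:
            findings.append(f"socket-binding '{name}' is not on port {port}")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a file, e.g. /opt/pki/wildfly-8.0.0.Final/standalone/configuration/standalone.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


# Constructed excerpt of what WildFly 8 persists after the CLI commands above;
# not a dump from a real server, and trimmed to the elements the audit inspects.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:2.0">
  <management><security-realms>
    <security-realm name="SSLRealm">
      <server-identities><ssl>
        <keystore path="${jboss.server.config.dir}/keystore/keystore.jks"
                  keystore-password="serverpwd" alias="192.168.171.129"/>
      </ssl></server-identities>
      <authentication>
        <truststore path="${jboss.server.config.dir}/keystore/truststore.jks"
                    keystore-password="changeit"/>
      </authentication>
    </security-realm>
  </security-realms></management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.1">
      <server name="default-server">
        <http-listener name="http" socket-binding="http" redirect-socket="httpspriv"/>
        <https-listener name="httpspriv" socket-binding="httpspriv"
                        security-realm="SSLRealm" verify-client="REQUIRED"/>
        <https-listener name="httpspub" socket-binding="httpspub" security-realm="SSLRealm"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" interface="http" port="8080"/>
    <socket-binding name="httpspriv" interface="httpspriv" port="8443"/>
    <socket-binding name="httpspub" interface="httpspub" port="8442"/>
  </socket-binding-group>
</server>
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_STANDALONE_XML) or ["OK: layout as intended"]:
        print(line)
```

Run against the sample it reports only the two default-password findings, which is exactly the state this page leaves a fresh install in; run it again after changing the passwords in web.properties and in the CLI commands (and after every later CLI session) to catch an accidentally dropped verify-client or redirect-socket.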

Now import the Super Administrator's certificate (superadmin.p12) into the browser and open the admin web that EJBCA serves on the client-authenticated port (for us https://192.168.171.129:8443/ejbca/adminweb).

If the page loads, the installation succeeded. As a cross-check, a browser without the certificate must be refused on 8443 (verify-client=REQUIRED), while the public pages at https://192.168.171.129:8442/ejbca load without it.

