Other Prerequisites
Network Specifications
Domain Names
Record Type | Name | Function | Value | Weight | Visibility |
A | emca.example.com | This is required for accessing emCA web application internally | IP address | NA | Trusted Zone |
A | Ocspcore.example.com | This is required for accessing OCSP Responder internally | IP Address | NA | Trusted Zone |
A | TSAcore.example.com | This is required for accessing TSA application internally | IP Address | NA | Trusted Zone |
A | emcaapi.example.com | This is required for accessing emCA web application internally | IP address | NA | Trusted Zone |
A | Ocsp.example.com | This is required for accessing OCSP Responder externally (Internet/Intranet) | IP Address | NA | DMZ |
A | TSA.example.com | This is required for accessing TSA application externally (Internet/Intranet) | IP Address | NA | DMZ |
Firewall Policies
Source | Destination | Port | Protocol | Action | Comment |
emCA Core App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server |
emCA API App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server |
OCSP Core App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server |
TSA Core App Server | TSA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server |
OCSP Responder App Server | OCSP Core APP Server | 9093 | TCP | Add | Access from app to app server |
TSA Web App Server | TSA Core App Server | 9093 | TCP | Add | Access from app to app server |
TSA Web App Server | TSA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server |
emCA App Server | LDAP Server | 389/636 | TCP | Add | For updating Certificates & CRLs |
Console | emCA Servers | 3389 | RDP | Add | To access emCA servers remotely – Internal RDP within the Enterprise network. |
User Machines | TSA, emCA and OCSP webpages | 443 | HTTP, HTTPS | Add | For accessing TSA, OCSP and emCA webpages of emsigner from user’s machine |
Internet Users | TSA | 443/80 | HTTP, HTTPS | Add | External users accessing internet application |
Internet User | OCSP | 80 | HTTP | Add | For external users |
Websocket installed on user machine (Client-side application) | For emCA application | 1646 | TCP | Add | This port needs to be opened on the machine where emCA application will be accessed. The reason being, web based emCA application invokes and makes connection with the websocket (client-side application) on this port for token based signing and login authentication. |
HSM Client installed on the server | HSM | 9000/9004 | TCP | Add | This is required to access and manage HSM |
IP Address Requirements
In case the Enterprise intend to deploy applications in HA mode then additional servers and load balancers as mentioned below are required
Server/Application | IP Address - Internal |
emCA core and API Application Server 1 |
|
emCA core and API Application Server 2 |
|
Software/Hardware Load Balancer for emCA core and API applications |
|
emCA core and API Database Server 1 |
|
emCA core and API Database Server 2 |
|
OCSP core and TSA Core Application Server 1 |
|
OCSP core and TSA Core Application Server 2 |
|
Software/Hardware Load Balancer for OCSP core and TSA Core applications |
|
TSA Core Database Server 1 |
|
TSA Core Database Server 2 |
|
OCSP Responder and TSA Web Application Server 1 |
|
OCSP Responder and TSA Web Application Server 2 |
|
Software/Hardware Load Balancer for OCSP Web and TSA Web applications |
|
LDAP Server |
|
Database Requirement
The following applications require database. So, it is mandatory that the database is installed before proceeding with the deployment of applications. The solution is Database agnostic. It is compatible with all the commercially available and open-source databases.
emCA Core
emCA API [Uses the database installed for emCA Core. So separate installation of the database is not required]
TSA Core
TSA Web [Uses the database installed for TSA Core. So separate installation of the database is not required]
emCA uses a hibernate framework for cross-database support. As a result, it is compatible with any open source as well as The Shelf (OTS) databases.
LDAP Requirement
This is an optional requirement. Mainly used for publishing certificates and CRLs and generation of LDIF files. The emCA application supports Active Directory and Open LDAP. The administrator can download LDAP from respective vendors’ website and then install the same.
Following link can be used to download OpenLDAP:
https://www.openldap.org/software/download/
For installation and configuration of OpenLDAP, documentation can be downloaded from below link:
Download and installation of LDAP is out of scope and should be done by the customer.
Last updated