Other Prerequisites
Network Specifications
Domain Names
Record Type
Name
Function
Value
Weight
Visibility
A
emca.example.com
This is required for accessing emCA web application internally
IP address
NA
Trusted Zone
A
Ocspcore.example.com
This is required for accessing OCSP Responder internally
IP Address
NA
Trusted Zone
A
TSAcore.example.com
This is required for accessing TSA application internally
IP Address
NA
Trusted Zone
A
emcaapi.example.com
This is required for accessing emCA web application internally
IP address
NA
Trusted Zone
A
Ocsp.example.com
This is required for accessing OCSP Responder externally (Internet/Intranet)
IP Address
NA
DMZ
A
TSA.example.com
This is required for accessing TSA application externally (Internet/Intranet)
IP Address
NA
DMZ
Firewall Policies
Source
Destination
Port
Protocol
Action
Comment
emCA Core App Server
emCA Core DB Server
3306 & 6446 (MySQL)
TCP
Add
Access from app to db server
emCA API App Server
emCA Core DB Server
3306 & 6446
(MySQL)
TCP
Add
Access from app to db server
OCSP Core App Server
emCA Core DB Server
3306 & 6446
(MySQL)
TCP
Add
Access from app to db server
TSA Core App Server
TSA Core DB Server
3306 & 6446
(MySQL)
TCP
Add
Access from app to db server
OCSP Responder App Server
OCSP Core APP Server
9093
TCP
Add
Access from app to app server
TSA Web App Server
TSA Core App Server
9093
TCP
Add
Access from app to app server
TSA Web App Server
TSA Core DB Server
3306 & 6446
(MySQL)
TCP
Add
Access from app to db server
emCA App Server
LDAP Server
389/636
TCP
Add
For updating Certificates & CRLs
Console
emCA Servers
3389
RDP
Add
To access emCA servers remotely – Internal RDP within the Enterprise network.
User Machines
TSA, emCA and OCSP webpages
443
HTTP, HTTPS
Add
For accessing TSA, OCSP and emCA webpages of emsigner from user’s machine
Internet Users
TSA
443/80
HTTP, HTTPS
Add
External users accessing internet application
Internet User
OCSP
80
HTTP
Add
For external users
Websocket installed on user machine (Client-side application)
For emCA application
1646
TCP
Add
This port needs to be opened on the machine where emCA application will be accessed. The reason being, web based emCA application invokes and makes connection with the websocket (client-side application) on this port for token based signing and login authentication.
HSM Client installed on the server
HSM
9000/9004
TCP
Add
This is required to access and manage HSM
IP Address Requirements
In case the Enterprise intend to deploy applications in HA mode then additional servers and load balancers as mentioned below are required
Server/Application
IP Address - Internal
emCA core and API Application Server 1
emCA core and API Application Server 2
Software/Hardware Load Balancer for emCA core and API applications
emCA core and API Database Server 1
emCA core and API Database Server 2
OCSP core and TSA Core Application Server 1
OCSP core and TSA Core Application Server 2
Software/Hardware Load Balancer for OCSP core and TSA Core applications
TSA Core Database Server 1
TSA Core Database Server 2
OCSP Responder and TSA Web Application Server 1
OCSP Responder and TSA Web Application Server 2
Software/Hardware Load Balancer for OCSP Web and TSA Web applications
LDAP Server
Database Requirement
The following applications require database. So, it is mandatory that the database is installed before proceeding with the deployment of applications. The solution is Database agnostic. It is compatible with all the commercially available and open-source databases.
emCA Core
emCA API [Uses the database installed for emCA Core. So separate installation of the database is not required]
TSA Core
TSA Web [Uses the database installed for TSA Core. So separate installation of the database is not required]
emCA uses a hibernate framework for cross-database support. As a result, it is compatible with any open source as well as The Shelf (OTS) databases.
LDAP Requirement
This is an optional requirement. Mainly used for publishing certificates and CRLs and generation of LDIF files. The emCA application supports Active Directory and Open LDAP. The administrator can download LDAP from respective vendors’ website and then install the same.
Following link can be used to download OpenLDAP:
For installation and configuration of OpenLDAP, documentation can be downloaded from below link:
Download and installation of LDAP is out of scope and should be done by the customer.
Last updated