Other Prerequisites

Network Specifications

Domain Names

Record Type

Name

Function

Value

Weight

Visibility

A

emca.example.com

This is required for accessing emCA web application internally

IP address

NA

Trusted Zone

A

Ocspcore.example.com

This is required for accessing OCSP Responder internally

IP Address

NA

Trusted Zone

A

TSAcore.example.com

This is required for accessing TSA application internally

IP Address

NA

Trusted Zone

A

emcaapi.example.com

This is required for accessing emCA web application internally

IP address

NA

Trusted Zone

A

Ocsp.example.com

This is required for accessing OCSP Responder externally (Internet/Intranet)

IP Address

NA

DMZ

A

TSA.example.com

This is required for accessing TSA application externally (Internet/Intranet)

IP Address

NA

DMZ

Firewall Policies

Source

Destination

Port

Protocol

Action

Comment

emCA Core App Server

emCA Core DB Server

3306 & 6446 (MySQL)

TCP

Add

Access from app to db server

emCA API App Server

emCA Core DB Server

3306 & 6446

(MySQL)

TCP

Add

Access from app to db server

OCSP Core App Server

emCA Core DB Server

3306 & 6446

(MySQL)

TCP

Add

Access from app to db server

TSA Core App Server

TSA Core DB Server

3306 & 6446

(MySQL)

TCP

Add

Access from app to db server

OCSP Responder App Server

OCSP Core APP Server

9093

TCP

Add

Access from app to app server

TSA Web App Server

TSA Core App Server

9093

TCP

Add

Access from app to app server

TSA Web App Server

TSA Core DB Server

3306 & 6446

(MySQL)

TCP

Add

Access from app to db server

emCA App Server

LDAP Server

389/636

TCP

Add

For updating Certificates & CRLs

Console

emCA Servers

3389

RDP

Add

To access emCA servers remotely – Internal RDP within the Enterprise network.

User Machines

TSA, emCA and OCSP webpages

443

HTTP, HTTPS

Add

For accessing TSA, OCSP and emCA webpages of emsigner from user’s machine

Internet Users

TSA

443/80

HTTP, HTTPS

Add

External users accessing internet application

Internet User

OCSP

80

HTTP

Add

For external users

Websocket installed on user machine (Client-side application)

For emCA application

1646

TCP

Add

This port needs to be opened on the machine where emCA application will be accessed. The reason being, web based emCA application invokes and makes connection with the websocket (client-side application) on this port for token based signing and login authentication.

HSM Client installed on the server

HSM

9000/9004

TCP

Add

This is required to access and manage HSM

IP Address Requirements

In case the Enterprise intend to deploy applications in HA mode then additional servers and load balancers as mentioned below are required

Server/Application

IP Address - Internal

emCA core and API Application Server 1

emCA core and API Application Server 2

Software/Hardware Load Balancer for emCA core and API applications

emCA core and API Database Server 1

emCA core and API Database Server 2

OCSP core and TSA Core Application Server 1

OCSP core and TSA Core Application Server 2

Software/Hardware Load Balancer for OCSP core and TSA Core applications

TSA Core Database Server 1

TSA Core Database Server 2

OCSP Responder and TSA Web Application Server 1

OCSP Responder and TSA Web Application Server 2

Software/Hardware Load Balancer for OCSP Web and TSA Web applications

LDAP Server

Database Requirement

The following applications require database. So, it is mandatory that the database is installed before proceeding with the deployment of applications. The solution is Database agnostic. It is compatible with all the commercially available and open-source databases.

  • emCA Core

  • emCA API [Uses the database installed for emCA Core. So separate installation of the database is not required]

  • TSA Core

  • TSA Web [Uses the database installed for TSA Core. So separate installation of the database is not required]

  • emCA uses a hibernate framework for cross-database support. As a result, it is compatible with any open source as well as The Shelf (OTS) databases.

LDAP Requirement

This is an optional requirement. Mainly used for publishing certificates and CRLs and generation of LDIF files. The emCA application supports Active Directory and Open LDAP. The administrator can download LDAP from respective vendors’ website and then install the same.

Following link can be used to download OpenLDAP:

https://www.openldap.org/software/download/

For installation and configuration of OpenLDAP, documentation can be downloaded from below link:

https://www.openldap.org/doc/

Download and installation of LDAP is out of scope and should be done by the customer.

PreviousPrerequisitesNextemCA

Last updated