Prerequisites
The following table summarizes the overall deployment recommendations for emCA components. These recommendations are based on a logical partitioning of the various services that must run to support a minimum Certifying Authority infrastructure.
For production environments, it is recommended to install each component on a separate physical server or virtual machine.
| Component | Server Requirement | Configuration |
|---|---|---|
| emCA Core | Physical or Virtual | High Availability (configured to a load balancer) |
| emCA API | Physical or Virtual | High Availability (configured to a load balancer) |
| OCSP Core | Physical or Virtual | High Availability (configured to a load balancer) |
| OCSP Responder Web | Physical or Virtual | High Availability (configured to a load balancer) |
| Timestamping Authority Core | Physical or Virtual | High Availability (configured to a load balancer) |
| Timestamping Authority Web | Physical or Virtual | High Availability (configured to a load balancer) |
| LDAP | Physical or Virtual | High Availability |
| RA/Partner Portal | Physical or Virtual | High Availability (configured to a load balancer) |
| Database for emCA Core | Physical or Virtual | Clustered |
| Database for Timestamping Authority | Physical or Virtual | Clustered |
| Database for Partner Portal | Physical or Virtual | Clustered |
Hardware Requirements
The hardware requirements listed below are the minimum recommended requirements.
The product may function at lower configurations for test or proof-of-concept (PoC) environments, but the performance and user experience may not be guaranteed, and there could be slowness or intermittent errors.
Application Server

| Component | No. of Servers | Server Configuration | Processor | RAM | Storage | Hardware Security Module (HSM) (Optional) |
|---|---|---|---|---|---|---|
| emCA Core and API | 2 for High Availability | Physical servers or virtual machines | Quad-Core Processor (Intel Xeon recommended), 2.6 GHz | 8 GB | 100 GB | Any FIPS-certified HSM |
| OCSP Core & Timestamping Authority Core | 2 for High Availability | Physical servers or virtual machines | Quad-Core Processor (Intel Xeon recommended), 2.6 GHz | 8 GB | 100 GB | Any FIPS-certified HSM |
| OCSP Web and Timestamping Authority Web | 2 for High Availability | Physical servers or virtual machines | Quad-Core Processor (Intel Xeon recommended), 2.6 GHz | 8 GB | 100 GB | |
| LDAP | 2 for High Availability | Physical servers or virtual machines | Quad-Core Processor (Intel Xeon recommended), 2.6 GHz | 8 GB | 100 GB | |
Database Server

| Component | No. of Servers | Server Configuration | Processor | RAM | Storage |
|---|---|---|---|---|---|
| emCA Core & API | Depends on configuration (Master-Slave or Clustered architecture *) | Physical servers or virtual machines | Quad-Core Processor (Intel Xeon recommended), 2.6 GHz | 16 GB | 250 GB |
| Timestamping Authority Core | Depends on configuration (Master-Slave or Clustered architecture *) | Physical servers or virtual machines | Quad-Core Processor (Intel Xeon recommended), 2.6 GHz | 16 GB | 250 GB |

* Please refer to the client-specific hardware specification recommendation document.
Software Requirements
Application Servers

emCA, OCSP & Timestamping Authority

| Item | Description |
|---|---|
| Operating System | Support for RHEL 7+, Ubuntu v18+, CentOS v7+, Windows Server Edition 2016+ |
| Application Server | Tomcat v9+, JBoss v7+, WebSphere v8+, WebLogic v10+ |
| Java Environment | JDK 1.8+ |
Database Server

emCA & Timestamping Authority

| Item | Description |
|---|---|
| Operating System | Support for RHEL 7+, Ubuntu v18+, CentOS v7+, Windows Server Edition 2016+ |
| Database Server | MySQL v8+, Postgres v9+, Oracle v12c+, MS SQL v14+ |
Network Specifications
Domain Names

| Record Type | Name | Function | Value | Weight | Visibility |
|---|---|---|---|---|---|
| A | emca.example.com | Required for accessing the emCA web application internally | IP address | NA | Trusted Zone |
| A | ocspcore.example.com | Required for accessing the OCSP Responder internally | IP address | NA | Trusted Zone |
| A | tsacore.example.com | Required for accessing the TSA application internally | IP address | NA | Trusted Zone |
| A | emcaapi.example.com | Required for accessing the emCA web application internally | IP address | NA | Trusted Zone |
| A | ocsp.example.com | Required for accessing the OCSP Responder externally (Internet/Intranet) | IP address | NA | DMZ |
| A | tsa.example.com | Required for accessing the TSA application externally (Internet/Intranet) | IP address | NA | DMZ |
Firewall Policies

| Source | Destination | Port | Protocol | Action | Comment |
|---|---|---|---|---|---|
| emCA Core App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app server to DB server |
| emCA API App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app server to DB server |
| OCSP Core App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app server to DB server |
| TSA Core App Server | TSA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app server to DB server |
| OCSP Responder App Server | OCSP Core App Server | 9093 | TCP | Add | Access from app server to app server |
| TSA Web App Server | TSA Core App Server | 9093 | TCP | Add | Access from app server to app server |
| TSA Web App Server | TSA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app server to DB server |
| emCA App Server | LDAP Server | 389/636 | TCP | Add | For updating certificates & CRLs |
| Console | emCA Servers | 3389 | RDP | Add | To access the emCA servers remotely (internal RDP within the enterprise network) |
| User Machines | TSA, emCA and OCSP webpages | 443 | HTTP, HTTPS | Add | For accessing the TSA, OCSP and emCA webpages of emSigner from the user's machine |
| Internet Users | TSA | 443/80 | HTTP, HTTPS | Add | External users accessing the internet-facing application |
| Internet Users | OCSP | 80 | HTTP | Add | For external users |
| Websocket installed on the user machine (client-side application) | For the emCA application | 1646 | TCP | Add | This port must be open on the machine from which the emCA application is accessed, because the web-based emCA application connects to the websocket (client-side application) on this port for token-based signing and login authentication. |
| HSM Client installed on the server | HSM | 9000/9004 | TCP | Add | Required to access and manage the HSM |
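As an added example (not eMudhra's or the product's own code), the following Python script encodes a few rows of the firewall policy table above and probes each required TCP path before installation, so that a blocked rule is found before the applications are deployed rather than during a failed start-up. The host names are constructed placeholders to be replaced with the deployment's addresses.

```python
"""Pre-deployment check of the emCA firewall matrix (added example).

Each rule is (source role, destination host, port spec as written in the
policy table, comment). Hosts below are constructed placeholders."""
import socket

RULES = [
    ("emCA Core App Server", "emca-db.example.com", "3306 & 6446 (MySQL)", "app to DB"),
    ("OCSP Responder App Server", "ocspcore.example.com", "9093", "app to app"),
    ("emCA App Server", "ldap.example.com", "389/636", "certificate and CRL publishing"),
    ("HSM Client", "hsm.example.com", "9000/9004", "HSM access"),
]


def parse_ports(spec):
    """Turn the table's port notation into a list of ints.

    '3306 & 6446' lists ports that must both be open; '389/636' and '443/80'
    list alternatives. A preflight check probes every port either way, and a
    trailing note such as '(MySQL)' is dropped."""
    ports = []
    for token in spec.replace("&", "/").split("/"):
        token = token.strip().split(" ")[0]
        if token.isdigit():
            ports.append(int(token))
    return ports


def probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rules(rules, prober=probe):
    """Probe every port of every rule; return the (source, host, port) triples
    that could not be reached. The prober is injectable so the logic can be
    tested without network access."""
    failures = []
    for src, dst, spec, _comment in rules:
        for port in parse_ports(spec):
            if not prober(dst, port):
                failures.append((src, dst, port))
    return failures


if __name__ == "__main__":
    for src, dst, port in check_rules(RULES):
        print(f"BLOCKED: {src} -> {dst}:{port}")
```

Run it from each source server in turn, since a firewall rule is directional and a path that works from one host says nothing about another.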
IP Address Requirements
If the enterprise intends to deploy the applications in HA mode, the additional servers and load balancers listed below are required. Internal IP addresses are to be filled in by the customer.

| Server/Application | IP Address - Internal |
|---|---|
| emCA core and API Application Server 1 | |
| emCA core and API Application Server 2 | |
| Software/Hardware Load Balancer for emCA core and API applications | |
| emCA core and API Database Server 1 | |
| emCA core and API Database Server 2 | |
| OCSP core and TSA Core Application Server 1 | |
| OCSP core and TSA Core Application Server 2 | |
| Software/Hardware Load Balancer for OCSP core and TSA Core applications | |
| TSA Core Database Server 1 | |
| TSA Core Database Server 2 | |
| OCSP Responder and TSA Web Application Server 1 | |
| OCSP Responder and TSA Web Application Server 2 | |
| Software/Hardware Load Balancer for OCSP Web and TSA Web applications | |
| LDAP Server | |
Database Requirement
The following applications require a database, so the database must be installed before proceeding with the deployment of the applications. The solution is database agnostic: it is compatible with all commercially available and open-source databases.

- emCA Core
- emCA API (uses the database installed for emCA Core, so a separate database installation is not required)
- TSA Core
- TSA Web (uses the database installed for TSA Core, so a separate database installation is not required)

emCA uses the Hibernate framework for cross-database support. As a result, it is compatible with any open-source as well as off-the-shelf (OTS) database.
LDAP Requirement
This is an optional requirement. It is mainly used for publishing certificates and CRLs and for generating LDIF files. The emCA application supports Active Directory and OpenLDAP. The administrator can download the LDAP software from the respective vendor's website and then install it.
Following link can be used to download OpenLDAP:
https://www.openldap.org/software/download/
For installation and configuration of OpenLDAP, documentation can be downloaded from the link below:
Download and installation of LDAP is out of scope and should be done by the customer.