# Prerequisites

The following table summarizes the overall deployment recommendations for emCA components. These recommendations are based on a logical partitioning of the various services that must run to support a minimum Certifying Authority infrastructure.

For production environments, it is recommended to install each component on a separate physical server or virtual machine.

| ***Component***                       | **Server Requirement** | **Configuration**                                |
| ------------------------------------- | ---------------------- | ------------------------------------------------ |
| *emCA Core*                           | Physical or Virtual    | High Availability, behind a load balancer        |
| *emCA API*                            | Physical or Virtual    | High Availability, behind a load balancer        |
| *OCSP Core*                           | Physical or Virtual    | High Availability, behind a load balancer        |
| *OCSP Responder Web*                  | Physical or Virtual    | High Availability, behind a load balancer        |
| *Timestamping Authority Core*         | Physical or Virtual    | High Availability, behind a load balancer        |
| *Timestamping Authority Web*          | Physical or Virtual    | High Availability, behind a load balancer        |
| *LDAP*                                | Physical or Virtual    | High Availability                                |
| *Database for emCA Core*              | Physical or Virtual    | Clustered                                        |
| *Database for Timestamping Authority* | Physical or Virtual    | Clustered                                        |

### Hardware Requirements <a href="#toc82804551" id="toc82804551"></a>

The hardware requirements listed below are the minimum recommended requirements.

The product may function on lower configurations for test or proof-of-concept (PoC) environments, but performance and user experience are then not guaranteed, and slowness or intermittent errors may occur.

#### Application Server <a href="#toc82804552" id="toc82804552"></a>

**emCA Core and API**

| ***No. of Servers***                        | **2 (for High Availability)**                     |
| ------------------------------------------- | ------------------------------------------------- |
| *Server Configuration*                      | Physical servers or virtual machines              |
| *Processor*                                 | Quad-core, 2.6 GHz (Intel Xeon recommended)       |
| *RAM*                                       | 8 GB                                              |
| *Storage*                                   | 100 GB                                            |
| *Hardware Security Module (HSM) (Optional)* | Any FIPS-certified Hardware Security Module (HSM) |

**OCSP Core & Time Stamping Authority Core**

| ***No. of Servers***                        | **2 (for High Availability)**                     |
| ------------------------------------------- | ------------------------------------------------- |
| *Server Configuration*                      | Physical servers or virtual machines              |
| *Processor*                                 | Quad-core, 2.6 GHz (Intel Xeon recommended)       |
| *RAM*                                       | 8 GB                                              |
| *Storage*                                   | 100 GB                                            |
| *Hardware Security Module (HSM) (Optional)* | Any FIPS-certified Hardware Security Module (HSM) |

**OCSP Web and Time Stamping Authority Web**

| ***No. of Servers***   | **2 (for High Availability)**               |
| ---------------------- | ------------------------------------------- |
| *Server Configuration* | Physical servers or virtual machines        |
| *Processor*            | Quad-core, 2.6 GHz (Intel Xeon recommended) |
| *RAM*                  | 8 GB                                        |
| *Storage*              | 100 GB                                      |

**LDAP**

| ***No. of Servers***   | **2 (for High Availability)**               |
| ---------------------- | ------------------------------------------- |
| *Server Configuration* | Physical servers or virtual machines        |
| *Processor*            | Quad-core, 2.6 GHz (Intel Xeon recommended) |
| *RAM*                  | 8 GB                                        |
| *Storage*              | 100 GB                                      |

#### Database Server <a href="#toc82804557" id="toc82804557"></a>

**emCA Core & API**

| ***No. of Servers***   | **Depends on configuration (Master–Slave replication or Clustered architecture \*)** |
| ---------------------- | ------------------------------------------------------------------------------------ |
| *Server Configuration* | Physical servers or virtual machines                                                 |
| *Processor*            | Quad-core, 2.6 GHz (Intel Xeon recommended)                                          |
| *RAM*                  | 16 GB                                                                                |
| *Storage*              | 250 GB                                                                               |

**Time stamping Authority Core**

| ***No. of Servers***   | **Depends on configuration (Master–Slave replication or Clustered architecture \*)** |
| ---------------------- | ------------------------------------------------------------------------------------ |
| *Server Configuration* | Physical servers or virtual machines                                                 |
| *Processor*            | Quad-core, 2.6 GHz (Intel Xeon recommended)                                          |
| *RAM*                  | 16 GB                                                                                |
| *Storage*              | 250 GB                                                                               |

\* Please refer to the client-specific hardware specification recommendation document

### Software Requirements <a href="#toc82804560" id="toc82804560"></a>

**Application Servers**

**emCA, OCSP & Timestamping Authority**

| ***Item***           | **Description**                                                  |
| -------------------- | ---------------------------------------------------------------- |
| *Operating System*   | RHEL 7+, Ubuntu 18.04+, CentOS 7+, Windows Server 2016+          |
| *Application Server* | Tomcat v11+, JBoss v7+, WebSphere v8+, WebLogic v10+             |
| *Java Environment*   | JDK 21                                                           |

Note that RHEL 7 and CentOS 7 reached end of maintenance in June 2024 and Ubuntu 18.04 left standard support in May 2023; for production, install on a release that still receives security updates.

#### Database Server <a href="#toc82804563" id="toc82804563"></a>

**emCA & Timestamping Authority**

| ***Item***         | **Description**                                         |
| ------------------ | ------------------------------------------------------- |
| *Operating System* | RHEL 7+, Ubuntu 18.04+, CentOS 7+, Windows Server 2019+ |
| *Database Server*  | MySQL v8+                                               |

### Network Specifications <a href="#toc82804566" id="toc82804566"></a>

#### Domain Names <a href="#toc82804567" id="toc82804567"></a>

| ***Record Type*** | **Name**             | **Function**                                                                          | **Value**  | **Weight** | **Visibility** |
| ----------------- | -------------------- | ------------------------------------------------------------------------------------- | ---------- | ---------- | -------------- |
| *A*               | emca.example.com     | Required for accessing the emCA web application internally                            | IP address | NA         | Trusted Zone   |
| *A*               | ocspcore.example.com | Required for accessing OCSP Core internally (the back end of the OCSP Responder Web)  | IP address | NA         | Trusted Zone   |
| *A*               | tsacore.example.com  | Required for accessing TSA Core internally (the back end of the TSA Web)              | IP address | NA         | Trusted Zone   |
| *A*               | emcaapi.example.com  | Required for accessing the emCA API internally                                        | IP address | NA         | Trusted Zone   |
| *A*               | ocsp.example.com     | Required for accessing the OCSP Responder externally (Internet/Intranet)              | IP address | NA         | DMZ            |
| *A*               | tsa.example.com      | Required for accessing the TSA application externally (Internet/Intranet)             | IP address | NA         | DMZ            |

### Firewall Policies

| ***Source***                                         | **Destination**                                   | **Port**                                              | **Protocol**       | **Action** | **Comment**                                                                                                                                                                                                                                  |
| ---------------------------------------------------- | ------------------------------------------------- | ----------------------------------------------------- | ------------------ | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *emCA Core App Server*                               | emCA Core DB Server                               | 3306 (MySQL), 6446 (MySQL Router, clustered setups)   | TCP                | Allow      | Access from app server to DB server                                                                                                                                                                                                          |
| *emCA API App Server*                                | emCA Core DB Server                               | 3306, 6446 (MySQL)                                    | TCP                | Allow      | Access from app server to DB server                                                                                                                                                                                                          |
| *OCSP Core App Server*                               | emCA Core DB Server                               | 3306, 6446 (MySQL)                                    | TCP                | Allow      | Access from app server to DB server                                                                                                                                                                                                          |
| *TSA Core App Server*                                | TSA Core DB Server                                | 3306, 6446 (MySQL)                                    | TCP                | Allow      | Access from app server to DB server                                                                                                                                                                                                          |
| *OCSP Responder App Server*                          | OCSP Core App Server                              | 80/443/8080                                           | TCP                | Allow      | Access from app server to app server                                                                                                                                                                                                         |
| *TSA Web App Server*                                 | TSA Core App Server                               | 80/443/8080                                           | TCP                | Allow      | Access from app server to app server                                                                                                                                                                                                         |
| *TSA Web App Server*                                 | TSA Core DB Server                                | 3306, 6446 (MySQL)                                    | TCP                | Allow      | Access from app server to DB server                                                                                                                                                                                                          |
| *emCA App Server*                                    | LDAP Server                                       | 389 (LDAP) / 636 (LDAPS)                              | TCP                | Allow      | For publishing certificates and CRLs; prefer 636 (or StartTLS on 389) so the published data cannot be altered in transit                                                                                                                     |
| *Console*                                            | emCA Servers                                      | 3389 (RDP)                                            | TCP                | Allow      | Remote administration of the emCA servers; internal RDP only, from within the enterprise network                                                                                                                                             |
| *User Machines*                                      | TSA, emCA and OCSP web pages                      | 80/443                                                | TCP (HTTP, HTTPS)  | Allow      | Access to the TSA, OCSP and emCA web pages of emSigner from users' machines                                                                                                                                                                  |
| *Internet Users*                                     | TSA                                               | 80/443                                                | TCP (HTTP, HTTPS)  | Allow      | External users accessing the Internet-facing application                                                                                                                                                                                     |
| *Internet Users*                                     | OCSP                                              | 80                                                    | TCP (HTTP)         | Allow      | For external users. OCSP is served over plain HTTP by design: responses are signed by the responder, and serving them over HTTPS would make validation of the TLS certificate depend on the responder being queried                          |
| *emCA web application (in the user's browser)*       | emBridge (client-side application on the same user machine) | 26769, 26770                                | TCP                | Allow      | These ports must be open on the machine from which emCA is accessed, because the web-based emCA application invokes and connects to the emBridge client application running there                                                            |
| *HSM client installed on the server*                 | HSM                                               | 9000/9004                                             | TCP                | Allow      | Required to access and manage the HSM; confirm the ports against the HSM vendor's documentation, as they differ between vendors                                                                                                               |
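As an added example (not part of emCA or emSigner), the following Python script turns the Domain Names and Firewall Policies tables above into a pre-deployment readiness check: run on a server of a given role, it verifies that each required name resolves and each required TCP path is open, and also that a path the policy does not grant (the DMZ OCSP Responder reaching the emCA database) is in fact blocked. The example.com names come from the Domain Names table; `emcadb.example.com`, `tsadb.example.com`, `ldap.example.com`, the role labels and the assumption that emBridge listens locally on 26769 are mine.

```python
"""Pre-deployment readiness check for the emCA network prerequisites.

Added example; not part of emCA or emSigner. The Domain Names and Firewall
Policies tables are encoded as data, and the script verifies, from a given
server role, that each required name resolves and each required TCP path
is open, and that paths the policy does not grant are blocked. Host names
are the example.com placeholders from the Domain Names table; the DB and
LDAP names, the role labels and the local emBridge port are assumptions.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Flow:
    role: str                 # server role the check must be run from
    dest: str                 # destination host name (or address)
    port: int
    purpose: str
    expect_open: bool = True  # False: the policy grants no such path


# Constructed from the Firewall Policies table. emcadb/tsadb/ldap names are
# assumed; 6446 is the MySQL Router classic-protocol port of clustered MySQL.
REQUIRED_FLOWS: List[Flow] = [
    Flow("emca-core", "emcadb.example.com", 3306, "MySQL"),
    Flow("emca-core", "emcadb.example.com", 6446, "MySQL Router"),
    Flow("emca-core", "ldap.example.com", 636, "LDAPS: publish certs and CRLs"),
    Flow("emca-api", "emcadb.example.com", 3306, "MySQL"),
    Flow("ocsp-core", "emcadb.example.com", 3306, "MySQL"),
    Flow("ocsp-web", "ocspcore.example.com", 443, "OCSP Responder to OCSP Core"),
    # The DMZ responder has no DB rule, so it must NOT be able to reach the DB.
    Flow("ocsp-web", "emcadb.example.com", 3306, "no direct DB access",
         expect_open=False),
    Flow("tsa-core", "tsadb.example.com", 3306, "MySQL"),
    Flow("tsa-web", "tsacore.example.com", 443, "TSA Web to TSA Core"),
    Flow("tsa-web", "tsadb.example.com", 3306, "MySQL"),
    Flow("user", "emca.example.com", 443, "emCA web UI"),
    # emBridge runs on the user's own machine; assumed to listen locally.
    Flow("user", "127.0.0.1", 26769, "emBridge client application"),
]

Resolver = Callable[[str], str]
Connector = Callable[[str, int, float], bool]


def resolve(name: str) -> str:
    """Resolve a host name; raises socket.gaierror (an OSError) on failure."""
    return socket.gethostbyname(name)


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class Result:
    flow: Flow
    address: Optional[str]  # None when the name did not resolve
    reachable: bool

    @property
    def ok(self) -> bool:
        if self.address is None:
            # A forbidden path whose name does not even resolve is acceptable.
            return not self.flow.expect_open
        return self.reachable == self.flow.expect_open


def check_flows(role: str, flows: List[Flow] = REQUIRED_FLOWS,
                resolver: Resolver = resolve, connector: Connector = tcp_connect,
                timeout: float = 3.0) -> List[Result]:
    """Check every flow for `role`; resolver/connector are injectable for tests."""
    results: List[Result] = []
    for flow in flows:
        if flow.role != role:
            continue
        try:
            address = resolver(flow.dest)
        except OSError:
            results.append(Result(flow, None, False))
            continue
        results.append(Result(flow, address, connector(address, flow.port, timeout)))
    return results


def summarize(results: List[Result]) -> List[str]:
    """One PASS/FAIL line per flow with the reason."""
    lines = []
    for r in results:
        if r.address is None:
            detail = "name does not resolve"
        elif r.reachable:
            detail = "open" if r.flow.expect_open else "open but must be blocked"
        else:
            detail = "blocked" if r.flow.expect_open else "blocked as required"
        lines.append(f"{'PASS' if r.ok else 'FAIL'} {r.flow.dest}:{r.flow.port} "
                     f"{r.flow.purpose} ({detail})")
    return lines


if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "emca-core"
    results = check_flows(role)
    print("\n".join(summarize(results)))
    sys.exit(0 if all(r.ok for r in results) else 1)
```

Run it on each server with its role as the argument (for example `python3 readiness.py ocsp-web`); the exit status is non-zero when any flow fails, so it can gate an automated deployment. A name that does not resolve from a DMZ host for a flow marked `expect_open=False` counts as a pass, since the DMZ should not need that name at all.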

#### IP Address Requirements

If the enterprise intends to deploy the applications in HA mode, the additional servers and load balancers listed below are required; record the internal IP address assigned to each.

| ***Server/Application***                                                  | **IP Address - Internal** |
| ------------------------------------------------------------------------- | ------------------------- |
| *emCA core and API Application Server 1*                                  |                           |
| *emCA core and API Application Server 2*                                  |                           |
| *Software/Hardware Load Balancer for emCA core and API applications*      |                           |
| *emCA core and API Database Server 1*                                     |                           |
| *emCA core and API Database Server 2*                                     |                           |
| *OCSP core and TSA Core Application Server 1*                             |                           |
| *OCSP core and TSA Core Application Server 2*                             |                           |
| *Software/Hardware Load Balancer for OCSP core and TSA Core applications* |                           |
| *TSA Core Database Server 1*                                              |                           |
| *TSA Core Database Server 2*                                              |                           |
| *OCSP Responder and TSA Web Application Server 1*                         |                           |
| *OCSP Responder and TSA Web Application Server 2*                         |                           |
| *Software/Hardware Load Balancer for OCSP Web and TSA Web applications*   |                           |
| *LDAP Server*                                                             |                           |

### Database Requirement

The following applications require a database, so the database must be installed before the applications are deployed.

* emCA Core
* emCA API *\[Uses the database installed for emCA Core. So separate installation of the database is not required]*
* TSA Core
* TSA Web *\[Uses the database installed for TSA Core. So separate installation of the database is not required]*

emCA uses the Hibernate framework for cross-database support, so it can work with open-source as well as commercial off-the-shelf (COTS) databases; the software requirements above list MySQL v8+ as the supported database server.

### LDAP Requirement

This is an optional component, used mainly for publishing certificates and CRLs and for generating LDIF files.

The emCA application supports Active Directory and OpenLDAP. The administrator can download the LDAP server from the respective vendor's website and install it.

Following link can be used to download OpenLDAP:

<https://www.openldap.org/software/download/>

For installation and configuration of OpenLDAP, documentation can be downloaded from below link:

<https://www.openldap.org/doc/>

Download and installation of LDAP is out of scope and should be done by the customer.
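Since the directory is used for publishing certificates and CRLs and the page mentions LDIF generation, here is an added example (not emCA's own LDIF generator) of building an RFC 2849 LDIF file that creates a CA entry carrying the CA certificate and CRL under the RFC 4523 `pkiCA` schema, followed by a second change record that replaces the CRL on the existing entry, which is the operation repeated at every CRL issuance. The DN, the `organizationalRole` structural class and the DER byte strings are placeholders I constructed; in use the DER would be the CA certificate and CRL exported from emCA.

```python
"""Generate an RFC 2849 LDIF file that publishes a CA certificate and CRL
to an LDAP directory using the RFC 4523 PKI schema (pkiCA, cACertificate,
certificateRevocationList).

Added example; not emCA's own LDIF generator. The DN, the structural class
and the DER byte strings below are constructed placeholders: in use the
DER would be the CA certificate and CRL exported from emCA.
"""
import base64
from typing import Iterable, List, Union

MAX_LINE = 76  # RFC 2849: lines longer than this are folded
CA_DN = "cn=emCA Root CA,ou=CAs,dc=example,dc=com"  # assumption

# Placeholder DER blobs (NOT real ASN.1 objects) so the script runs offline.
CA_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
CRL_DER = b"\x30\x82\x00\x40" + bytes(64)


def _safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, not starting with ' ', ':' or '<'."""
    return (bool(value) and value.isascii() and value[0] not in " :<"
            and not any(ch in value for ch in "\0\r\n"))


def fold(line: str) -> List[str]:
    """Fold one logical line; continuation lines start with a single space."""
    out = [line[:MAX_LINE]]
    rest = line[MAX_LINE:]
    while rest:
        out.append(" " + rest[:MAX_LINE - 1])
        rest = rest[MAX_LINE - 1:]
    return out


def ldif_line(attr: str, value: Union[str, bytes]) -> List[str]:
    """Encode attr/value; bytes and unsafe strings use the '::' base64 form."""
    if isinstance(value, bytes) or not _safe_string(value):
        raw = value if isinstance(value, bytes) else value.encode("utf-8")
        return fold(f"{attr}:: {base64.b64encode(raw).decode('ascii')}")
    return fold(f"{attr}: {value}")


def add_ca_entry(dn: str, cn: str, ca_cert_der: bytes, crl_der: bytes) -> List[str]:
    """Change record creating the CA entry with its certificate and CRL."""
    lines = ldif_line("dn", dn) + ldif_line("changetype", "add")
    # organizationalRole is an assumed structural class; pkiCA (RFC 4523) is
    # the auxiliary class that carries the PKI attributes.
    for oc in ("top", "organizationalRole", "pkiCA"):
        lines += ldif_line("objectClass", oc)
    lines += ldif_line("cn", cn)
    lines += ldif_line("cACertificate;binary", ca_cert_der)
    lines += ldif_line("certificateRevocationList;binary", crl_der)
    return lines


def replace_crl(dn: str, crl_der: bytes) -> List[str]:
    """Change record replacing the CRL on an existing entry (each CRL issuance)."""
    lines = ldif_line("dn", dn) + ldif_line("changetype", "modify")
    lines += ldif_line("replace", "certificateRevocationList;binary")
    lines += ldif_line("certificateRevocationList;binary", crl_der)
    lines.append("-")  # terminates the modify operation
    return lines


def build_ldif(records: Iterable[List[str]]) -> str:
    """Join change records with blank lines into a complete LDIF document."""
    return "\n\n".join("\n".join(rec) for rec in records) + "\n"


def unfold(ldif_text: str) -> List[str]:
    """Reverse folding so a value can be read back (used for verification)."""
    out: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def binary_value(unfolded: List[str], attr: str) -> bytes:
    """Decode the first base64 ('::') value of attr from unfolded lines."""
    prefix = f"{attr}:: "
    for line in unfolded:
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    raise KeyError(attr)


if __name__ == "__main__":
    print(build_ldif([add_ca_entry(CA_DN, "emCA Root CA", CA_CERT_DER, CRL_DER),
                      replace_crl(CA_DN, CRL_DER)]), end="")
```

Apply the file with the OpenLDAP client over LDAPS so the published data cannot be altered in transit, for example `ldapmodify -H ldaps://ldap.example.com -D "cn=emca-publisher,ou=services,dc=example,dc=com" -W -f publish.ldif` (the bind DN is an assumption); `ldapmodify` honours the `changetype` lines, so one file can carry both the add and the modify. Active Directory stores the same attributes on its own object classes, so the `objectClass` lines would differ there.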
