emCA Deployment Document

Introduction

This document is a guide to the deployment of the following components of emCA (eMudhra's Certificate Lifecycle Manager) and related components:

  • emCA Core

  • emCA API

  • OCSP Core

  • OCSP Responder

  • TSA Core

  • TSA Web

  • LDAP *

* - eMudhra does not supply this component; the customer has to install an open source or commercial LDAP solution that can be integrated with emCA.

Overview

emCA is usually configured as a standalone application server on a physical server or virtual machine to enable certificate lifecycle management of a Root CA or Issuing CA. emCA comes with associated components such as a validation server (OCSP) and Timestamping services.

emCA and its associated components can be deployed across any application server such as Tomcat, JBoss, Weblogic and Websphere. It is also compatible with various open source as well as commercial databases such as MySQL, Postgres, DB2, Oracle and MS SQL.

The deployment of the respective application servers or databases is out of scope of this document.

Pre-requisites

Summary

The overall deployment summary is given in the table below. It is based on a logical partitioning of the services that must minimally run as part of a Certifying Authority infrastructure. In production, each component is recommended to be installed on a separate physical server or VM.

Component | Server Requirement | Configuration
emCA Core | Physical or Virtual | High Availability – configured to a load balancer
emCA API | Physical or Virtual | High Availability – configured to a load balancer
OCSP Core | Physical or Virtual | High Availability – configured to a load balancer
OCSP Responder Web | Physical or Virtual | High Availability – configured to a load balancer
Timestamping Authority Core | Physical or Virtual | High Availability – configured to a load balancer
Timestamping Authority Web | Physical or Virtual | High Availability – configured to a load balancer
LDAP | Physical or Virtual | High Availability
RA/Partner Portal | Physical or Virtual | High Availability – configured to a load balancer
Database for emCA Core | Physical or Virtual | Clustered
Database for Timestamping Authority | Physical or Virtual | Clustered
Database for Partner Portal | Physical or Virtual | Clustered

Hardware Requirements

The hardware requirements given below are the minimum recommended; refer to the performance benchmarking guide for the product's performance under a specified hardware configuration. The product may function at lower configurations for test or PoC environments, but performance and user experience are not guaranteed there: the application may be slow or show intermittent errors.

Application Server

emCA Core and API

Item | Requirement
No. of Servers | 2 Nos. for High Availability
Server Configuration | Can be either physical servers or virtual machines
Processor | Quad-Core Processor (Intel Xeon Recommended) with 2.6 GHz
RAM | 8 GB
Storage | 100 GB
Hardware Security Module (HSM) (Optional) | Any FIPS Certified Hardware Security Module (HSM)

OCSP Core & Timestamping Authority Core

Item | Requirement
No. of Servers | 2 Nos. for High Availability
Server Configuration | Can be either physical servers or virtual machines
Processor | Quad-Core Processor (Intel Xeon Recommended) with 2.6 GHz
RAM | 8 GB
Storage | 100 GB
Hardware Security Module (HSM) (Optional) | Any FIPS Certified Hardware Security Module (HSM)

OCSP Web and Timestamping Authority Web

Item | Requirement
No. of Servers | 2 Nos. for High Availability
Server Configuration | Can be either physical servers or virtual machines
Processor | Quad-Core Processor (Intel Xeon Recommended) with 2.6 GHz
RAM | 8 GB
Storage | 100 GB

LDAP

Item | Requirement
No. of Servers | 2 Nos. for High Availability
Server Configuration | Can be either physical servers or virtual machines
Processor | Quad-Core Processor (Intel Xeon Recommended) with 2.6 GHz
RAM | 8 GB
Storage | 100 GB

Database Server

emCA Core & API

Item | Requirement
No. of Servers | Depends on configuration (Master – Slave or Clustered architecture *)
Server Configuration | Can be either physical servers or virtual machines
Processor | Quad-Core Processor (Intel Xeon Recommended) with 2.6 GHz
RAM | 16 GB
Storage | 250 GB

Timestamping Authority Core

Item | Requirement
No. of Servers | Depends on configuration (Master – Slave or Clustered architecture *)
Server Configuration | Can be either physical servers or virtual machines
Processor | Quad-Core Processor (Intel Xeon Recommended) with 2.6 GHz
RAM | 16 GB
Storage | 250 GB

* - please refer to the client-specific hardware specification recommendation document

Software Requirements

Application Servers

emCA, OCSP & Timestamp Authority

Item | Description
Operating System | Support for RHEL 7+, Ubuntu v18+, CentOS v7+, Windows Server Edition 2016+
Application Server | Tomcat v 9+, JBOSS v7+, Websphere v8+, Weblogic v10+
JAVA Environment | JDK 17

Database Server

emCA & Timestamp Authority

Item | Description
Operating System | Support for RHEL 7+, Ubuntu v18+, CentOS v7+, Windows Server Edition 2016+
Database Server | MySQL v 8+, Postgres v 9+, Oracle v 12c+, MS SQL v 14+

Other Pre-requisites

Network Specifications

Domain Names

Record Type | Name | Function | Value | Weight | Visibility
A | emca.example.com | This is required for accessing emCA web application internally | IP address | NA | Trusted Zone
A | ocspcore.example.com | This is required for accessing OCSP Responder internally | IP address | NA | Trusted Zone
A | tsacore.example.com | This is required for accessing TSA application internally | IP address | NA | Trusted Zone
A | emcaapi.example.com | This is required for accessing emCA web application internally | IP address | NA | Trusted Zone
A | ocsp.example.com | This is required for accessing OCSP Responder externally (Internet/Intranet) | IP address | NA | DMZ
A | tsa.example.com | This is required for accessing TSA application externally (Internet/Intranet) | IP address | NA | DMZ

Firewall Policies

Source | Destination | Port | Protocol | Action | Comment
emCA Core App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server
emCA API App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server
OCSP Core App Server | emCA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server
TSA Core App Server | TSA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server
OCSP Responder App Server | OCSP Core App Server | 9093 | TCP | Add | Access from app to app server
TSA Web App Server | TSA Core App Server | 9093 | TCP | Add | Access from app to app server
TSA Web App Server | TSA Core DB Server | 3306 & 6446 (MySQL) | TCP | Add | Access from app to db server
emCA App Server | LDAP Server | 389/636 | TCP | Add | For updating Certificates & CRLs
Console | emCA Servers | 3389 | RDP | Add | To access emCA servers remotely – Internal RDP within the Enterprise network.
User Machines | TSA, emCA and OCSP webpages | 443 | HTTP, HTTPS | Add | For accessing TSA, OCSP and emCA webpages of emsigner from user’s machine
Internet Users | TSA | 443/80 | HTTP, HTTPS | Add | External users accessing internet application
Internet User | OCSP | 80 | HTTP | Add | For external users
Websocket installed on user machine (Client-side application) | For emCA application | 1646 | TCP | Add | This port needs to be opened on the machine where emCA application will be accessed. The reason being, web based emCA application invokes and makes connection with the websocket (client-side application) on this port for token based signing and login authentication.
HSM Client installed on the server | HSM | 9000/9004 | TCP | Add | This is required to access and manage HSM
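As an added pre-deployment check (not part of the emCA product), the script below transcribes the server-to-server flows from the firewall table and, run on one server role, probes every destination port that role needs so missing firewall rules are found before the applications are started; the role-to-address map is a constructed placeholder.

```python
"""Connectivity pre-check for the firewall policy matrix above.

Added example, not part of the emCA product. The flows are transcribed from
the table; the role-to-address map in main is a constructed placeholder that
must be replaced with the real server addresses before use.
"""
import socket

# (source role, destination role, ports) as listed in the firewall table.
# Note the table names the LDAP source "emCA App Server", not "emCA Core App Server".
REQUIRED_FLOWS = [
    ("emCA Core App Server", "emCA Core DB Server", (3306, 6446)),
    ("emCA API App Server", "emCA Core DB Server", (3306, 6446)),
    ("OCSP Core App Server", "emCA Core DB Server", (3306, 6446)),
    ("TSA Core App Server", "TSA Core DB Server", (3306, 6446)),
    ("OCSP Responder App Server", "OCSP Core App Server", (9093,)),
    ("TSA Web App Server", "TSA Core App Server", (9093,)),
    ("TSA Web App Server", "TSA Core DB Server", (3306, 6446)),
    ("emCA App Server", "LDAP Server", (389, 636)),
    ("HSM Client installed on the server", "HSM", (9000, 9004)),
]


def tcp_open(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(local_role, addresses, flows=REQUIRED_FLOWS, timeout=3.0):
    """Run on a server holding local_role; probe every destination port the
    table requires from that role. addresses maps destination role -> host.
    Returns a list of (destination role, host, port, reachable)."""
    results = []
    for source, dest, ports in flows:
        if source != local_role:
            continue
        host = addresses.get(dest)
        if host is None:
            raise KeyError(f"no address configured for {dest!r}")
        for port in ports:
            results.append((dest, host, port, tcp_open(host, port, timeout)))
    return results


def blocked(results):
    """Subset of results whose port did not answer: the firewall rules still to raise."""
    return [r for r in results if not r[3]]


def start_local_listener():
    """Loopback listener on an ephemeral port, used only to demonstrate the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Constructed placeholder address; replace with the real DB server.
    addresses = {"emCA Core DB Server": "10.0.0.10"}
    for dest, host, port, ok in check_flows("emCA Core App Server", addresses):
        print(f"{dest:<22} {host}:{port:<5} {'open' if ok else 'BLOCKED'}")
```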

Database Requirement

The following applications require a database, so the database must be installed before proceeding with the deployment of the applications:

  • emCA Core

  • emCA API [Uses the database installed for emCA Core so separate installation of database is not required]

  • TSA Core

  • TSA Web [Uses the database installed for TSA Core so separate installation of database is not required]

emCA uses the Hibernate framework for cross-database support, so it is compatible with open source as well as off-the-shelf (OTS) commercial databases; the supported versions are listed in section 4.3.2.

LDAP Requirement

The emCA application requires LDAP for publishing certificates and CRLs. It supports Active Directory, which can be installed from Server Manager on the Windows Server operating system.

emCA

Configuration

Note – all actions required for setting up and configuring emCA should be done using administrator privileges

Environment Variables

For Java

To deploy the emCA war file, the Java environment has to be set. Follow the procedure below; if it is already configured, skip this step.

To set the JAVA_HOME variable for all users, use the system-wide option, "Edit the system environment variables" (not the per-account one):

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

Fig 2

For emCA.properties

In emCA application deployment, the configuration of properties file is done through environment variables. In this case, the user has to place the emCA.properties file on the server and make a note of the location of properties file. The same path needs to be provided during environment variables configuration. This file is used to configure database, logs and truststore.

Following is the procedure for configuring emCA.properties file in environment variables. The same Variable Name which is defined below has to be used during configuration.

Variable name: EMCA_CONFIGURATION_PATH

Variable value: location of property files (emCA.properties)

For Windows

  • Go to Advanced System Settings -> Click on Environment Variables -> Click on New; Then Enter the following as shown in Figure 3 below

Variable name: EMCA_CONFIGURATION_PATH

Variable value: location of property files (emCA.properties)

Fig 3

It is recommended to restart the system after setting the environment variables

Snapshot

The emCA.properties file snapshot, with a description of the properties, is shown below:

#MySQL PROPERTIES [This property is meant for configuring MySQL database connection]
#########################################################
## General information ##
#########################################################
## Boolean values = "yes" or "no" ##
## String values = base64 encoded ##
## Passwords = encrypted with PasswordSecure.jar ##
## Time intervals = in days if not specified otherwise ##
## Paths = always absolute paths ##
## Optionals = set to empty if not needed ##
#########################################################

#######################################
## MySQL Properties ##
#######################################
hibernate.dialect=org.hibernate.dialect.MySQL8Dialect
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://databaseip:/dbname
jdbc.dbName=dbname
jdbc.username=databaseusername
jdbc.password=encrypted password==
jdbc.dbHost=databaseip
jdbc.dbPort=Portnumber

#######################################
## MySQL Backup ##
#######################################
#to enable automatic backup
EnableAutomaticBackUp = true
#MySql Config(Backup)
dBValue = C:/Program Files/MySQL/MySQL Server 8.0/bin/mysqldump

#######################################
## emCA Paths ##
#######################################
#Base location that holds the trust store, PKCS12 and zlint folders
BaseLocation = E:/emCAv4/emCA.properties
#SCTConnectorURL where SCTConnector is deployed
SCTConnectorURL=http://127.0.0.1:80/sctConnector/getSCT
emca.ldap.containerName=emCA

#######################################
## emCA Application properties ##
#######################################
# Max Validity for certificates
certificateprofilevalidity=36135
# External Application Validity
ExternalAppValidity = 3650
# Threshold for certificates to be marked as soon to expire for dashboard
NoOfDaysToExpirySoon = 31
# Enabling Cross Certification
enableCrossCertification = yes
# Enabling Enhanced Key Usage
enableCustomizedEnhancedKeyUsage = yes
# Enabling Key deletion on HSM through application
enableKeyDeletion = yes
# Type of tokens that can be generated. Options are HardAndSoftToken, HardToken, SoftToken
typeOfLogin = HardAndSoftToken

#######################################
## emCA Password Security Policy ##
#######################################
# Base64 encoded regular expression
# ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#!$%]).{8,}$
softTokenPasswordPattern=Xig/PS4qXGQpKD89LipbYS16XSkoPz0uKltBLVpdKSg/PS4qW0AjISQlXSkuezgsfSQ=
# Information message to display
softTokenPasswordPolicy=Password must contains atleast 1 UpperCase, 1 LowerCase, 1Digit, 1 Special Character(@,#,%,$) and must be 8 Character long.

#######################################
## Automatic PFX generation ##
#######################################
emca.url=http://localhost:80/emCA/login.htm
emca.pfx_password_length=8

#######################################
## Server OS Configuration ##
#######################################
#Server OS Configuration(Windows/Linux)
ServerOS=Windows
#server.error.whitelabel.enabled=false

#######################################
## AD Authentication Details ##
#######################################
emca.ldap.ad.url=ldap://127.0.0.1:389
emca.ldap.ad.base=dc=ldaptesting,dc=local
emca.ldap.ad.container-name=OU=emca
emca.ldap.ad.role.attribute=title
emca.ldap.ad.administrator.value=Administrator
emca.ldap.ad.officer.value=officer
emca.ldap.ad.auditor.value=auditor
emca.ldap.ad.operator.value=operator

Database

Open the emCA.properties file and update the values corresponding to the type of database used. A sample database configuration for MySQL is given below.

Example: for a MySQL database, use the values in the table below:

Parameter | Description | Values to be replaced
hibernate.dialect | [DialectInfo] refers to Dialect information | org.hibernate.dialect.MySQLDialect
jdbc.driverClassName | [DriverClassName] refers to Driver class name | com.mysql.jdbc.Driver
jdbc.url | [URL] refers to Database URL | jdbc:mysql://127.0.0.1:3306/emca
jdbc.username | [UserName] refers to UserName who has access to this schema | root
jdbc.password | [Password] refers to Password for the user (Refer Section 6) | nNh0bStJeJxo3eu3taSY2Q==
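As an added pre-flight check (not part of emCA), the script below parses an emCA.properties file and reports the mistakes the snapshot and the table above make easy to commit: placeholders left in jdbc.url or jdbc.password, a password that is not the base64 output of PasswordSecure.jar, relative paths, and an unusable softTokenPasswordPattern; it also decodes that pattern so the policy can be tried against a candidate password. The SAMPLE_* texts are constructed for the demo.

```python
"""Pre-flight validation of an emCA.properties file.

Added example, not part of the emCA product. The key names, allowed values and
rules (base64 strings, encrypted passwords, absolute paths) come from the
snapshot above; the SAMPLE_* texts are constructed for the demo.
"""
import base64
import binascii
import re

REQUIRED_KEYS = (
    "hibernate.dialect", "jdbc.driverClassName", "jdbc.url",
    "jdbc.username", "jdbc.password", "logFilePath", "BaseLocation",
)
ABS_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|/)")            # drive letter or POSIX root
MYSQL_URL = re.compile(r"^jdbc:mysql://[^/:\s]+:\d+/\S+$")  # host:port/dbname, no gaps
LOGIN_TYPES = ("HardAndSoftToken", "HardToken", "SoftToken")


def parse_properties(text):
    """Minimal Java .properties reader: '#' comments, key=value with optional spaces."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def decode_b64(value):
    """Bytes for a well-formed base64 value, else None (placeholders fail here)."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def password_policy(props):
    """The softTokenPasswordPattern entry, decoded and compiled; None if unusable."""
    raw = decode_b64(props.get("softTokenPasswordPattern", ""))
    if raw is None:
        return None
    try:
        return re.compile(raw.decode("utf-8"))
    except (UnicodeDecodeError, re.error):
        return None


def check_properties(props):
    """Return a list of findings; an empty list means the file is deployable."""
    findings = [f"missing or empty: {k}" for k in REQUIRED_KEYS if not props.get(k)]
    url = props.get("jdbc.url", "")
    if url.startswith("jdbc:mysql://") and not MYSQL_URL.match(url):
        findings.append("jdbc.url: expected jdbc:mysql://host:port/dbname")
    pwd = props.get("jdbc.password", "")
    if pwd and decode_b64(pwd) is None:
        findings.append("jdbc.password: not base64; paste the PasswordSecure.jar output")
    for key in ("BaseLocation", "logFilePath", "dBValue"):
        if props.get(key) and not ABS_PATH.match(props[key]):
            findings.append(f"{key}: must be an absolute path")
    if props.get("ServerOS") not in ("Windows", "Linux"):
        findings.append("ServerOS: must be Windows or Linux")
    if props.get("typeOfLogin") not in LOGIN_TYPES:
        findings.append("typeOfLogin: must be one of " + ", ".join(LOGIN_TYPES))
    if "softTokenPasswordPattern" in props and password_policy(props) is None:
        findings.append("softTokenPasswordPattern: not a base64-encoded regular expression")
    return findings


# Constructed sample carrying the placeholders exactly as the snapshot shows them.
SAMPLE_TEMPLATE = """\
hibernate.dialect=org.hibernate.dialect.MySQL8Dialect
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://databaseip:/dbname
jdbc.username=databaseusername
jdbc.password=encrypted password==
BaseLocation = E:/emCAv4/emCAProperties
logFilePath=E:/emCAv4/emCAProperties/log4j.xml
ServerOS=Windows
typeOfLogin = HardAndSoftToken
softTokenPasswordPattern=Xig/PS4qXGQpKD89LipbYS16XSkoPz0uKltBLVpdKSg/PS4qW0AjISQlXSkuezgsfSQ=
"""
# The same file with the two placeholders filled from the Database table above.
SAMPLE_FILLED = SAMPLE_TEMPLATE.replace(
    "jdbc:mysql://databaseip:/dbname", "jdbc:mysql://127.0.0.1:3306/emca"
).replace("encrypted password==", "nNh0bStJeJxo3eu3taSY2Q==")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in check_properties(parse_properties(text)) or ["no findings"]:
        print(finding)
```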

Logs

In the emCA.properties file, also configure the log path for capturing events. Provide the path of the log4j.xml file:

#Configure the log4j.xml path [This property is meant to configure local server path of log4j file]

logFilePath=G:/emCA/BASE/V2.3.0/emCAPropertyFiles/log4j.xml

Note: If java.util.logging.FileHandler is not configured then application logs will not be generated.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" monitorInterval="30">
    <!-- Logging Properties -->
    <Properties>
        <Property name="LOG_PATTERN">[%d{yyyy-MM-dd HH:mm:ss.SSS}] -- {%pid} [%p] - %m%n</Property>
        <Property name="APP_LOG_ROOT">E:\emCAv4\emCAProperties\logs\emca</Property>
    </Properties>
    <Appenders>
        <!-- Console Appender -->
        <Console name="Console" target="SYSTEM_OUT" follow="true">
            <PatternLayout disableAnsi="false" pattern="${CONSOLE_LOG_PATTERN}" />
        </Console>
        <RollingFile name="warnLog" fileName="${APP_LOG_ROOT}/emCA-warn.log" filePattern="${APP_LOG_ROOT}/emCA-warn-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="WARN" maxLevel="WARN" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
        <RollingFile name="infoLog" fileName="${APP_LOG_ROOT}/emCA-info.log" filePattern="${APP_LOG_ROOT}/emCA-info-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="INFO" maxLevel="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
        <RollingFile name="errorLog" fileName="${APP_LOG_ROOT}/emCA-error.log" filePattern="${APP_LOG_ROOT}/emCA-error-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="ERROR" maxLevel="ERROR" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
        <RollingFile name="debugLog" fileName="${APP_LOG_ROOT}/emCA-debug.log" filePattern="${APP_LOG_ROOT}/emCA-debug-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="DEBUG" maxLevel="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
    </Appenders>
    <Loggers>
        <AsyncRoot level="debug" includeLocation="false">
            <AppenderRef ref="infoLog" />
            <AppenderRef ref="errorLog" />
            <AppenderRef ref="warnLog" />
            <AppenderRef ref="debugLog" />
            <AppenderRef ref="Console" />
        </AsyncRoot>
    </Loggers>
</Configuration>
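As an added static check (not part of emCA), the script below audits a Log4j 2 configuration like the one above before the server is started: it lists every ${...} reference that no <Property> in the file defines (such references, like ${CONSOLE_LOG_PATTERN} above, must then be supplied by the runtime), every <AppenderRef> that points at no appender, and an APP_LOG_ROOT folder that does not exist, which is the usual reason the Quick Check Guide finds no log files. SAMPLE_XML is a constructed, shortened copy of the configuration above; the script is also suitable for the emCA API log4j.xml later in this document.

```python
"""Static audit of an emCA-style Log4j 2 configuration.

Added example, not part of the emCA product. SAMPLE_XML is a constructed,
shortened copy of the log4j.xml shown above.
"""
import os
import re
import xml.etree.ElementTree as ET

# Bare ${NAME} references only; prefixed lookups such as ${sys:NAME} are not
# matched because Log4j resolves those outside the <Properties> section.
VAR_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" monitorInterval="30">
  <Properties>
    <Property name="LOG_PATTERN">[%d{yyyy-MM-dd HH:mm:ss.SSS}] -- {%pid} [%p] - %m%n</Property>
    <Property name="APP_LOG_ROOT">E:\emCAv4\emCAProperties\logs\emca</Property>
  </Properties>
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT" follow="true">
      <PatternLayout disableAnsi="false" pattern="${CONSOLE_LOG_PATTERN}" />
    </Console>
    <RollingFile name="infoLog" fileName="${APP_LOG_ROOT}/emCA-info.log"
                 filePattern="${APP_LOG_ROOT}/emCA-info-%d{yyyy-MM-dd}_%i.log">
      <LevelRangeFilter minLevel="INFO" maxLevel="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
      <PatternLayout pattern="${LOG_PATTERN}"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <AsyncRoot level="debug" includeLocation="false">
      <AppenderRef ref="infoLog" />
      <AppenderRef ref="Console" />
    </AsyncRoot>
  </Loggers>
</Configuration>
"""


def audit_log4j(xml_text, check_dirs=True):
    """Return a list of human-readable findings; an empty list means the file passed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    # 1. Every ${NAME} used in an attribute or text must be defined in <Properties>.
    defined = {p.get("name") for p in root.iter("Property")}
    referenced = set()
    for elem in root.iter():
        for value in list(elem.attrib.values()) + [elem.text or ""]:
            referenced.update(VAR_REF.findall(value))
    for name in sorted(referenced - defined):
        findings.append(f"undefined variable ${{{name}}}: no <Property> defines it")

    # 2. Every <AppenderRef> must name an appender declared under <Appenders>.
    appenders_el = root.find("Appenders")
    appenders = {a.get("name") for a in appenders_el} if appenders_el is not None else set()
    for ref in root.iter("AppenderRef"):
        if ref.get("ref") not in appenders:
            findings.append(f"AppenderRef {ref.get('ref')!r} matches no appender")

    # 3. The log folder must already exist, otherwise no log files appear.
    if check_dirs:
        for prop in root.iter("Property"):
            if prop.get("name") == "APP_LOG_ROOT" and not os.path.isdir(prop.text or ""):
                findings.append(f"APP_LOG_ROOT {prop.text!r} does not exist; no log files will be written")
    return findings


def audit_file(path, check_dirs=True):
    """Audit the log4j.xml at path (the logFilePath value from the properties file)."""
    with open(path, encoding="utf-8") as fh:
        return audit_log4j(fh.read(), check_dirs)


if __name__ == "__main__":
    for line in audit_log4j(SAMPLE_XML) or ["no findings"]:
        print(line)
```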

Deployment

Following components required for deployment:

  • emCA application (emCA.war file)

emCA application package is provided as a war file which has to be deployed on the application server. Please configure and save all the properties in the file defined in section 6.1.1 i.e. emCA.properties.

Please find below steps to deploy the application:

  • Copy emCA.war into the Tomcat webapps folder (apache-tomcat-9.0.85\webapps)

  • On Windows, run services.msc

  • Select the Apache Tomcat service and click Start

Quick Check Guide

To verify whether the application has been successfully deployed, please follow the below mentioned procedure.

  • Once deployment is completed and the server is started, open any browser (IE, Google Chrome, Firefox, etc.) and enter the URL https://<ip address:port>/emCA/login.htm in the address field.

The emCA login page should be displayed as shown in Figure 5.

Fig 5

  • After successful deployment of emCA application, also check whether all the Tables have been created in specified schema in database.

  • Also check for log file generation in the path mentioned (Configuration->Log Properties.)

NOTE:

  • java.util.logging.FileHandler.pattern = <LogFolderPath>//emca_debug.log

Log file should have been generated in the above-mentioned path.

emCA API

This section provides the procedure for emCA API deployment and configuration. emCA API (emcaServices) provides an open API (Application Programming Interface) for integrating certificate services with third-party applications and devices. emCA API supports REST in JSON format. emCA APIs are lightweight and flexible.

emCA API supports the following methods:

  • createX509Certificate( )

  • createSoftTokenCert( )

  • getX509Certificate( )

  • revokeX509Cert( )

  • isSignatureValid( )

  • suspendCert()

  • reinstateCert()

  • rekey()

Configuration

Note – all actions required for setting up and configuring emCA should be done using administrator privileges

Environment Variables

For Java

To deploy the emCA war file, the Java environment has to be set. Follow the procedure below; if it is already configured, skip this step.

To set the JAVA_HOME variable for all users, use the system-wide option, "Edit the system environment variables" (not the per-account one):

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Fig 6

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

Fig 7

The variable value should point to the physical path of the JDK 17 installation. Click OK.

For Application.properties

This file is used to configure database related properties like dialect, driver class name, URL, Username, password (database user should have full privilege to the schema created for emCA application) as well as logs.

For Windows

Configure the property file path in environment variables as shown below in figure 8.

Fig 8

Variable name: EMCA_SERVICES_CONFIGURATION_PATH

Variable value: location of property files (application.properties)

Snapshot

The application.properties file snapshot is shown below for reference:

#######################################
## MySQL Connection ##
#######################################
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL8Dialect
spring.datasource.url=jdbc:mysql://database:/dbname
spring.datasource.username=dbname
spring.datasource.password=encrypted password==

#######################################
## SOAP Properties ##
#######################################
soap.wsdlPath = http://localhost:80/emCAServices/service

#######################################
## Server Properties ##
#######################################
spring.mvc.view.prefix= /WEB-INF/jsps/
spring.mvc.view.suffix= .jsp
server.tomcat.uri-encoding=UTF-8
server.error.whitelabel.enabled=false
server.path = emCAServices
spring.http.encoding.charset=UTF-8
spring.http.encoding.enabled=true
spring.http.encoding.force=true

#######################################
## emCA API Properties ##
#######################################
#Base location that holds the trustStore, PKCS12 and zlint folders
BaseLocation = E:/emCAv4/emCAProperties
# Path to Log4j configuration
logFilePath=E:/emCAv4/emCAProperties/API/log4j.xml
# Signed Certificate Timestamp (SCT) only required for Public PKIs for Certificate Transparency (CT)
sct_url=http://localhost:80/sctConnector/getSCT

#######################################
## MySQL Properties ##
#######################################
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.type=com.zaxxer.hikari.HikariDataSource
# maximum number of milliseconds that a client will wait for a connection
spring.datasource.hikari.connection-timeout = 300000
# minimum number of idle connections maintained by HikariCP in a connection pool
spring.datasource.hikari.minimum-idle= 10
# maximum pool size
spring.datasource.hikari.maximum-pool-size= 60
# maximum idle time for connection
spring.datasource.hikari.idle-timeout=1000
# maximum lifetime in milliseconds of a connection in the pool; a connection older than this is retired once it is returned
spring.datasource.hikari.max-lifetime= 100
# default auto-commit behavior.
spring.datasource.hikari.auto-commit =true
spring.datasource.hikari.leakDetectionThreshold=20000
#spring.datasource.hikari.connectionTimeout=30000
#spring.datasource.hikari.idleTimeout=600000
#spring.datasource.hikari.maxLifetime=1800000
# Allows Hibernate to generate SQL optimized for a particular DBMS
spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
spring.jpa.properties.hibernate.current_session_context_class=org.springframework.orm.hibernate5.SpringSessionContext
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
## Naming strategy
#spring.jpa.hibernate.naming-strategy = org.hibernate.cfg.ImprovedNamingStrategy
license.polling.default.interval=0 0/30 * * * *
soap.wsdlPath = http://localhost:8249/emCAServices/service
#for local
# NOTE: a key defined twice takes its last value, so the entries below override
# soap.wsdlPath, sct_url and license.polling.default.interval set above
sct_url=http://10.80.106.87:8383/sctConnector/getSCT
license.polling.default.interval = 0 0/2 * * * *

##############################################
##### EST #######
##############################################
EST_Profile_Id = 3
Registered_External_App_AES_Key=nDbREG019VGfNTyoHYugTzGCbZoRBOT7UfJ5V4VyfXw=
CA_Certificate_Serial_Number= 6d3ef5d4da176353eec9d342f6aa31c4

##############################################
##### SCEP #######
##############################################
SCEP_CERTIFICATE_PROFILE_ID=3
CA_CERTIFICATE_LOCATION=C:/Users/21521/Downloads/SubCa1.cer
SCEP_CHALLENGE_PASSWORD=12345

##############################################
##### CMP #######
##############################################
CMPCertificateProfileID=3
CMPAuthenticationCode=secret

##CertCreation Details
validity = 00:00:00:30
validFrom = 06:06:2022 12:00:00
requestID = 492525243101863144
subscriberId = 12345
applicationID = 243523523645
ClientTransactionID=7472616e73616374696f6e496433333338393936303130333431343037383936

Database

Open the application.properties file and update the values corresponding to the type of database used. A sample database configuration for MySQL is given below.

Example: for a MySQL database, use the values in the table below:

#Hibernate properties:

Parameter | Description | Values to be replaced
spring.jpa.properties.hibernate.dialect | [DialectInfo] refers to Dialect information | org.hibernate.dialect.MySQL5Dialect
spring.datasource.driver-class-name | [DriverClassName] refers to Driver class name | com.mysql.jdbc.Driver
spring.datasource.url | [URL] refers to Database URL | jdbc:mysql://127.0.0.1:3306/emca
spring.datasource.username | [UserName] refers to UserName who has access to this schema | Root
spring.datasource.password | [Password] refers to Password for the user (Refer Section 6) | nNh0bStJeJxo3eu3taSY2Q==

Ex:

#MySQL
DialectInfo="org.hibernate.dialect.MySQLDialect"
DriverClassName="com.mysql.jdbc.Driver"
URL="jdbc:mysql://<127.0.0.1:3306>/emca"
UserName="root"
Password="root"

Note: Same schema which is used for emCA application should be used for the emCA API as well

Logs

The application uses Log4j for logging. Specify the local server path for collecting the logs in the log4j.xml file. The local server path of the log4j.xml file needs to be provided in the application.properties file, whose location is set in the environment variables [please refer to section 6.2.1.1].

Log4J XML file as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" monitorInterval="30">
    <!-- Logging Properties -->
    <Properties>
        <Property name="LOG_PATTERN">[%d{yyyy-MM-dd HH:mm:ss.SSS}] -- {%pid} [%p] - %m%n</Property>
        <Property name="APP_LOG_ROOT">E:\emCAv4\emCAProperties\logs\api</Property>
    </Properties>
    <Appenders>
        <!-- Console Appender -->
        <Console name="Console" target="SYSTEM_OUT" follow="true">
            <PatternLayout disableAnsi="false" pattern="${CONSOLE_LOG_PATTERN}" />
        </Console>
        <RollingFile name="debugLog" fileName="${APP_LOG_ROOT}/emCA_API-debug.log" filePattern="${APP_LOG_ROOT}/emCA_API-debug-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="DEBUG" maxLevel="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
        <RollingFile name="warnLog" fileName="${APP_LOG_ROOT}/emCA_API-warn.log" filePattern="${APP_LOG_ROOT}/emCA_API-warn-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="WARN" maxLevel="WARN" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
        <RollingFile name="infoLog" fileName="${APP_LOG_ROOT}/emCA_API-info.log" filePattern="${APP_LOG_ROOT}/emCA_API-info-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="INFO" maxLevel="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
        <RollingFile name="errorLog" fileName="${APP_LOG_ROOT}/emCA_API-error.log" filePattern="${APP_LOG_ROOT}/emCA_API-error-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">
            <LevelRangeFilter minLevel="ERROR" maxLevel="ERROR" onMatch="ACCEPT" onMismatch="DENY"/>
            <PatternLayout pattern="${LOG_PATTERN}"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10MB" />
            </Policies>
            <DefaultRolloverStrategy max="30000"/>
        </RollingFile>
    </Appenders>
    <Loggers>
        <AsyncRoot level="debug" includeLocation="false">
            <AppenderRef ref="infoLog"/>
            <AppenderRef ref="errorLog"/>
            <AppenderRef ref="warnLog"/>
            <AppenderRef ref="debugLog"/>
            <AppenderRef ref="Console"/>
        </AsyncRoot>
    </Loggers>
</Configuration>

The APP_LOG_ROOT property above is the local server path: the administrator has to set it to the folder in which the log files are to be generated.

Deployment

Following component required for deployment:

  • emCAServices.war

emCAServices comes as a war file which has to be deployed on the application server. Its configuration is supplied through the properties file.

Please configure and save all the properties defined in the properties file as per section 6.2.1 then deploy the configured emCAServices war file.

Please find below steps to deploy the application:

  • Copy the emcaServices war into the Tomcat webapps folder (apache-tomcat-7.0.37\webapps)

  • On Windows, run services.msc

  • Select the Apache Tomcat service and click Start

Quick Check Guide

Once deployment is completed and the server is started, open any browser (Internet Explorer, Google Chrome, Firefox, etc.) and enter the URL https://www.example.com/emcaServices.

Example: https://<ip address:port>/emCAServices in the address field.

The message shown in Figure 10 will be displayed.

Fig 10

OCSP Core

This section provides step by step guide for installation, configuration and usage of OCSP Core. Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'.

Configuration

Note – all actions required for setting up and configuring OCSP Core should be done using administrator privileges

Environment Variables

For Java

In order to deploy ocsprespondercore.war, the Java environment has to be set. Follow the procedure below; if JAVA_HOME is already configured, skip this section.

JAVA_HOME must be set as a system variable so that it applies to all users, including the account the Tomcat service runs as; choose "Edit the system environment variables" rather than the per-user option:

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Fig 11

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

Fig 12

For ocspcore.properties

This file configures the database connection (dialect, driver class name, URL, username and password) and the location of the log configuration. The database user should have full privileges on the schema created for the emCA application, and no privileges beyond that schema.

For Windows

Configure the property file path in environment variables as shown below in figure 13.

Fig 13

Variable name: OCSPCORE_CONFIGURATION_PATH

Variable value: location of property files (ocspcore.properties)

Snapshot

Below is a snapshot of the ocspcore.properties file for reference. The values are samples: jdbc.password holds an encrypted value (see Section 6, as noted in the parameter table below), and jdbc.username=root is suitable only for a local test; production deployments should use a dedicated database account with privileges limited to the emCA schema.

#local

hibernate.dialect=org.hibernate.dialect.MySQLDialect

jdbc.driverClassName=com.mysql.jdbc.Driver

jdbc.url=jdbc:mysql://127.0.0.1:3306/emcanew

jdbc.username=root

jdbc.password= nNh0bStJeJxo3eu3taSY2Q==

#MSSQL JDBC PROPERTIES

#hibernate.dialect=org.hibernate.dialect.SQLServerDialect

#jdbc.url=jdbc:sqlserver://cpu206:1433;databaseName=emca

#jdbc.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver

#jdbc.username=emcatestuser

#jdbc.password=test@123

logFilePath=G:/emCA/BASE/2.3.0/PropertyFiles/ocsp/core/log4j.xml

Database

ocspcore.properties configures the database connection (dialect, driver class name, URL, username and password). The database user should have full privileges on the schema created for OCSP, and no privileges beyond that schema.

Open ocspcore.properties and set the DB configuration parameters below:

Parameter              Description
hibernate.dialect      [DialectInfo] Hibernate dialect for the database in use
jdbc.driverClassName   [DriverClassName] JDBC driver class name
jdbc.url               [URL] JDBC URL of the database
jdbc.username          [UserName] user name that has access to this schema
jdbc.password          [Password] password for that user, in encrypted form (refer Section 6)

Note: any value that is not changed keeps the default from the configuration file, so configure every parameter for your environment.

OCSP Core (the OCSP responder) connects to the same schema as the emCA application.

Logs

The application uses Log4j for logging. Specify the local server path for the log files in log4j.xml, and set the local path of log4j.xml in the logFilePath property of ocspcore.properties, whose own location is set in the environment variable (see section 6.3.1.1). The configuration below writes only to local files through RollingFileAppender; because it is in the Log4j 1.x format, which is end of life and no longer receives security fixes, do not add network appenders (SocketAppender, JMSAppender) to it, and restrict write access on the log folder to the account the Tomcat service runs as.

Log4J XML file as shown below:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd" >

<log4j:configuration>

<appender name="file" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader.log" /> -->

<param name="File" value="[Local Server Path]/ocspresponder.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="servicefile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_service.log" /> -->

<param name="File" value="[Local Server Path]/ocspresponder_service.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="daofile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_mgr.log" /> -->

<param name="File" value="[Local Server Path]/ocspresponder_mgr.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="debugfile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_debug.log" /> -->

<param name="File" value="[Local Server Path]/ocspresponder_debug.log" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

<filter class="org.apache.log4j.varia.LevelRangeFilter">

<param name="LevelMin" value="debug" />

<param name="LevelMax" value="fatal" />

</filter>

</appender>

<appender name="errorfile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/emas_error.log" /> -->

<param name="File" value="[Local Server Path]/ocspresponder_error.log" />

<param name="threshold" value="error" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<category name="com.emudhra.LogicImpl.CrlLogicImpl">

<appender-ref ref="servicefile" />

</category>

<category name="com.emudhra.DaoImpl.crlDaoImpl">

<appender-ref ref="daofile" />

</category>

<root>

<priority value="debug"></priority>

<appender-ref ref="errorfile" />

<appender-ref ref="debugfile" />

<appender-ref ref="file" />

</root>

</log4j:configuration>

In the configuration above, the administrator has to replace the highlighted LOCAL SERVER PATH with the folder in which the log files are to be generated.

Deployment

The following component is required for deployment:

  • OCSP Core (ocsprespondercore.war file)

OCSP Core comes as a WAR file which has to be deployed on the application server; the application reads its configuration from the properties file.

Configure and save all properties defined in the properties file as per section 6.3.1, then deploy the configured OCSP Core WAR file.

Steps to deploy the application:

  • Copy ocsprespondercore.war into the Tomcat webapps folder (apache-tomcat\webapps)

  • In Windows, run services.msc

  • Select the Apache Tomcat service and click Start

Quick Check Guide

  • Once deployment is successfully done and the server is started, open a browser (Internet Explorer, Google Chrome, Firefox, etc.) and enter the URL below in the address field, using the scheme and port configured on the Tomcat connector:

https://<ip address>:<port>/ocsprespondercore (for example https://127.0.0.1:8080/ocsprespondercore)

The following message is displayed, which implies that the application is deployed properly:

HTTP Status 405 - OCSP only supports POST

A GET returns 405 because OCSP requests are sent by POST. The 405 confirms that the servlet is mapped; it does not show that a status lookup works end to end, so follow it with a real POST request once an issuing CA is configured.

  • To verify that logs are generated in the configured path, open the folder set in log4j.xml (Configuration->log4j.xml):

[Local Server Path]/ocspresponder.log

Make sure that the log file has been created in the above-mentioned path.

OCSP Responder Web

This section provides a step-by-step guide for the installation, configuration and usage of OCSP Web. It is generally deployed in the DMZ for external applications to interface with. OCSP Web in turn interfaces with OCSP Core, which is deployed in the MZ, where only selected internal applications have access to it.

Configuration

Note – all actions required for setting up and configuring OCSP Web should be done using administrator privileges

Environment Variables

For Java

In order to deploy ocspresponderweb.war, the Java environment has to be set. Follow the procedure below; if JAVA_HOME is already configured, skip this section.

JAVA_HOME must be set as a system variable so that it applies to all users, including the account the Tomcat service runs as; choose "Edit the system environment variables" rather than the per-user option:

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

For ocspweb.properties

This file configures the connection to OCSP Core and the location of the log configuration.

For Windows

Configure the property file path in environment variables as shown below in figure 17.

Fig 17

Variable name: OCSPWEB_CONFIGURATION_PATH

Variable value: location of property files (ocspweb.properties)

Snapshot

Below is a snapshot of the ocspweb.properties file for reference:

emca.ocsp.url=http://localhost:8800/ocsprespondercore

logFilePath=G:/emCA/BASE/2.3.0/PropertyFiles/ocsp/web/log4j.xml

Connection

OCSP Web forwards the requests it receives to OCSP Core. Configure the OCSP Core URL in the properties file as shown below. This is the only path from the DMZ into the MZ that OCSP Web needs, so the firewall rule between the zones should allow OCSP Web to reach only this host and port.

# URL where ocspcore is deployed

emca.ocsp.url=http://<ipaddress>:<port>/ocsprespondercore

Logs

The application uses Log4j for logging. Specify the local server path for the log files in log4j.xml, and set the local path of log4j.xml in the logFilePath property of ocspweb.properties, whose own location is set in the environment variable (see section 6.4.1.1).

Log4J XML file as shown below:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd" >

<log4j:configuration>

<appender name="file" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader.log" /> -->

<param name="File" value="[Local Server Path]/OCSPResponderWeb.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="servicefile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_service.log" /> -->

<param name="File" value="[Local Server Path]/OCSPResponderWeb_service.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="daofile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_mgr.log" /> -->

<param name="File" value="[Local Server Path]/OCSPResponderWeb_mgr.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="debugfile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_debug.log" /> -->

<param name="File" value="[Local Server Path]/OCSPResponderWeb_debug.log" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

<filter class="org.apache.log4j.varia.LevelRangeFilter">

<param name="LevelMin" value="debug" />

<param name="LevelMax" value="fatal" />

</filter>

</appender>

<appender name="errorfile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/emas_error.log" /> -->

<param name="File" value="[Local Server Path]/OCSPResponderWeb_error.log" />

<param name="threshold" value="error" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<category name="com.emudhra.LogicImpl.CrlLogicImpl">

<appender-ref ref="servicefile" />

</category>

<category name="com.emudhra.DaoImpl.crlDaoImpl">

<appender-ref ref="daofile" />

</category>

<root>

<priority value="debug"></priority>

<appender-ref ref="errorfile" />

<appender-ref ref="debugfile" />

<appender-ref ref="file" />

</root>

</log4j:configuration>

In the configuration above, the administrator has to replace the highlighted LOCAL SERVER PATH with the folder in which the log files are to be generated.

Deployment

The following component is required for deployment:

  • OCSP Web (ocspresponderweb.war file)

OCSP Web comes as a WAR file which has to be deployed on the application server; the application reads its configuration from the properties file.

Configure and save all properties defined in the properties file as per section 6.4.1, then deploy the configured OCSP Web WAR file.

Steps to deploy the application:

  • Copy ocspresponderweb.war into the Tomcat webapps folder (apache-tomcat\webapps)

  • In Windows, run services.msc

  • Select the Apache Tomcat service and click Start

Quick Check Guide

  • Once deployment is successfully done and the server is started, open a browser (Internet Explorer, Google Chrome, Firefox, etc.) and enter the URL below in the address field, using the scheme and port configured on the Tomcat connector:

https://<ip address>:<port>/ocspresponderweb (for example https://127.0.0.1:8080/ocspresponderweb)

The following message is displayed, which implies that the application is deployed properly (as for OCSP Core, the 405 shows that the servlet is mapped; it does not exercise the connection to OCSP Core):

HTTP Status 405 - OCSP only supports POST

  • To verify that logs are generated in the configured path, open the folder set in log4j.xml (Configuration->log4j.xml):

[Local Server Path]/OCSPResponderWeb.log

Make sure that the log file has been created in the above-mentioned path.

emOCSP

This section provides a step-by-step guide for the installation, configuration and usage of emOCSP. emOCSP is deployed in the MZ, where only selected internal applications have access to it; external applications interface with it through the DMZ.

Configuration

Note – all actions required for setting up and configuring emOCSP should be done using administrator privileges

Environment Variables

For Java

In order to deploy emocsp.war, the Java environment has to be set. Follow the procedure below; if JAVA_HOME is already configured, skip this section.

JAVA_HOME must be set as a system variable so that it applies to all users, including the account the Tomcat service runs as; choose "Edit the system environment variables" rather than the per-user option:

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

For emocsp.properties

This file configures the database connection, the location of the log configuration and the PKCS#12 and PKCS#11 key profile locations.

For Windows

Configure the property file path in environment variables as shown below in figure 17.

Fig 17

Variable name: emocsp_CONFIGURATION_PATH

Variable value: location of the property file (emocsp.properties)

Snapshot

Below is a snapshot of the emocsp.properties file for reference. With MySQL Connector/J 8.x (which pairs with the MySQL8Dialect shown) the driver class is com.mysql.cj.jdbc.Driver; the legacy name com.mysql.jdbc.Driver still loads but logs a deprecation warning. The key profile folders hold the responder signing keys, so restrict access to them to the account the Tomcat service runs as:

hibernate.dialect=org.hibernate.dialect.MySQL8Dialect

jdbc.driverClassName=com.mysql.jdbc.Driver

jdbc.url=jdbc:mysql://database/dbname

jdbc.dbName=dbname

jdbc.username=dbname

jdbc.password=encrypted password ==

jdbc.dbHost=databaseip

jdbc.dbPort=portnumber

#output to a temp_folder/file

emOCSPlogFilePath=E:/ocspca/OCSPProperties/emocsp/log4j.xml

#PKCS12 Keyprofile Location

Pkcs12TypeKeyProfilesLocation=E:/ocspca/OCSPProperties/PKCS12

pkcs11TypeKeyProfilesLocation=E:/ocspca/OCSPProperties/PKCS11

Connection

OCSP Web forwards the requests it receives to OCSP Core. For connecting to OCSP Core, set the following property in the properties file:

# URL where ocspcore is deployed

emca.ocsp.url=http://<ipaddress>:<port>/ocsprespondercore

Logs

The application uses Log4j for logging. Set the folder for the log files in log4j.xml (the APP_LOG_ROOT property in the configuration below), and set the local path of log4j.xml in the emOCSPlogFilePath property of emocsp.properties, whose own location is set in the environment variable (see section 6.4.1.1).

Log4J XML file as shown below:

<?xml version="1.0" encoding="UTF-8"?>

<Configuration status="WARN" monitorInterval="30">

<!-- Logging Properties -->

<Properties>

<Property name="LOG_PATTERN">[%d{yyyy-MM-dd HH:mm:ss.SSS}] -- {%pid} [%p] - %m%n</Property>

<!-- CONSOLE_LOG_PATTERN is referenced by the Console appender below and must be defined here -->

<Property name="CONSOLE_LOG_PATTERN">[%d{yyyy-MM-dd HH:mm:ss.SSS}] -- {%pid} [%p] - %m%n</Property>

<Property name="APP_LOG_ROOT">E:/ocspca/logs/emocsp</Property>

</Properties>

<Appenders>

<!-- Console Appender -->

<Console name="Console" target="SYSTEM_OUT" follow="true">

<PatternLayout disableAnsi="false" pattern="${CONSOLE_LOG_PATTERN}" />

</Console>

<RollingFile name="debugLog" fileName="${APP_LOG_ROOT}/emocsp-debug.log" filePattern="${APP_LOG_ROOT}/emocsp-debug-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">

<LevelRangeFilter minLevel="DEBUG" maxLevel="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/>

<PatternLayout pattern="${LOG_PATTERN}"/>

<Policies>

<OnStartupTriggeringPolicy />

<SizeBasedTriggeringPolicy size="10MB" />

</Policies>

<DefaultRolloverStrategy max="30000"/>

</RollingFile>

<RollingFile name="warnLog" fileName="${APP_LOG_ROOT}/emocsp-warn.log" filePattern="${APP_LOG_ROOT}/emocsp-warn-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">

<LevelRangeFilter minLevel="WARN" maxLevel="WARN" onMatch="ACCEPT" onMismatch="DENY"/>

<PatternLayout pattern="${LOG_PATTERN}"/>

<Policies>

<OnStartupTriggeringPolicy />

<SizeBasedTriggeringPolicy size="10MB" />

</Policies>

<DefaultRolloverStrategy max="30000"/>

</RollingFile>

<RollingFile name="infoLog" fileName="${APP_LOG_ROOT}/emocsp-info.log" filePattern="${APP_LOG_ROOT}/emocsp-info-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">

<LevelRangeFilter minLevel="INFO" maxLevel="INFO" onMatch="ACCEPT" onMismatch="DENY"/>

<PatternLayout pattern="${LOG_PATTERN}"/>

<Policies>

<OnStartupTriggeringPolicy />

<SizeBasedTriggeringPolicy size="10MB" />

</Policies>

<DefaultRolloverStrategy max="30000"/>

</RollingFile>

<RollingFile name="errorLog" fileName="${APP_LOG_ROOT}/emocsp-error.log" filePattern="${APP_LOG_ROOT}/emocsp-error-%d{yyyy-MM-dd}_%i.log" immediateFlush="true" append="true">

<LevelRangeFilter minLevel="ERROR" maxLevel="ERROR" onMatch="ACCEPT" onMismatch="DENY"/>

<PatternLayout pattern="${LOG_PATTERN}"/>

<Policies>

<OnStartupTriggeringPolicy />

<SizeBasedTriggeringPolicy size="10MB" />

</Policies>

<DefaultRolloverStrategy max="30000"/>

</RollingFile>

</Appenders>

<Loggers>

<AsyncRoot level="debug" includeLocation="false">

<AppenderRef ref="infoLog" />

<AppenderRef ref="errorLog" />

<AppenderRef ref="warnLog" />

<AppenderRef ref="debugLog" />

<AppenderRef ref="Console" />

</AsyncRoot>

</Loggers>

</Configuration>

The APP_LOG_ROOT property in the configuration above (E:/ocspca/logs/emocsp in the snapshot) must be set to the folder in which the log files are to be generated.

Deployment

The following component is required for deployment:

  • emOCSP (emOCSP.war file)

emOCSP comes as a WAR file which has to be deployed on the application server; the application reads its configuration from the properties file.

Configure and save all properties defined in the properties file as per section 6.4.1, then deploy the configured emOCSP WAR file.

Steps to deploy the application:

  • Copy emOCSP.war into the Tomcat webapps folder (apache-tomcat\webapps)

  • In Windows, run services.msc

  • Select the Apache Tomcat service and click Start

Quick Check Guide

  • Once deployment is successfully done and the server is started, open a browser (Internet Explorer, Google Chrome, Firefox, etc.) and enter the URL below in the address field, using the scheme and port configured on the Tomcat connector:

https://<ip address>:<port>/emOCSP (for example https://127.0.0.1:8080/emOCSP; Tomcat takes the context path from the WAR file name, emOCSP.war)

The following message is displayed, which implies that the application is deployed properly:

HTTP Status 405 - OCSP only supports POST

  • To verify that logs are generated, open the folder configured as APP_LOG_ROOT in log4j.xml (E:/ocspca/logs/emocsp in the snapshot above) and check for the level-specific files:

emocsp-info.log, emocsp-warn.log, emocsp-error.log and emocsp-debug.log

Make sure that the log files have been created in that folder.
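The quick checks for OCSP Core, OCSP Web and emOCSP above stop at the 405 that a GET produces. The script below is an added example (it is not part of emCA or of this document) that performs the check the 405 implies: it builds an unsigned OCSP request for one certificate serial from the issuing CA certificate using only the Python standard library, POSTs it with Content-Type application/ocsp-request to whichever of the three endpoints is being checked, and decodes the responseStatus and the CertStatus of the first SingleResponse. The responder URL, the issuer certificate file (PEM or DER) and the serial number are command-line arguments and are assumptions; the embedded issuer certificate and responses are constructed, unsigned samples that exist only so the encoder and decoder can be exercised offline. The script does not verify the responder signature, nonce or time fields, so it is a deployment smoke test, not a validation client.

```python
"""OCSP deployment smoke test: build a request, POST it, decode the answer (stdlib only)."""
import base64
import hashlib
import sys
import urllib.request

def der(tag, body):
    """One DER TLV: tag byte, definite length (short or long form), body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):  # DER INTEGER of a non-negative int: minimal length, leading 0x00 when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def children(buf):
    """Split the constructed TLV at buf[0] into (tag, whole_tlv, body) triples."""
    def header(pos):  # -> (tag, body_start, end)
        tag, length, p = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            k = length & 0x7F
            length, p = int.from_bytes(buf[p:p + k], "big"), p + k
        return tag, p, p + length
    _, p, end = header(0)
    out = []
    while p < end:
        tag, body, nxt = header(p)
        out.append((tag, buf[p:nxt], buf[body:nxt]))
        p = nxt
    return out

SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")               # AlgorithmIdentifier { sha1, NULL }
SHA256_RSA_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")           # 1.3.6.1.5.5.7.48.1.1
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE, implicit tags

def load_cert_der(path):
    """Read a certificate file in PEM or DER form and return its DER bytes."""
    data = open(path, "rb").read()
    if b"-----BEGIN" in data:
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

def cert_id_hashes(issuer_cert_der):
    """(issuerNameHash, issuerKeyHash) as RFC 6960 4.1.1 defines them, using SHA-1."""
    fields = children(children(issuer_cert_der)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # skip the explicit [0] version
        fields = fields[1:]
    name = fields[4][1]                                 # subject Name, tag and length included
    key_bits = children(fields[5][1])[1][2][1:]         # BIT STRING body without the unused-bits byte
    return hashlib.sha1(name).digest(), hashlib.sha1(key_bits).digest()

def build_ocsp_request(issuer_cert_der, serial):
    """Unsigned OCSPRequest (v1, no nonce) for one serial number issued by the given CA."""
    name_hash, key_hash = cert_id_hashes(issuer_cert_der)
    cert_id = der(0x30, SHA1_ALG + der(0x04, name_hash) + der(0x04, key_hash) + der_int(serial))
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))  # OCSPRequest > TBSRequest > requestList > Request

def post_ocsp(url, request_der, timeout=10):
    """POST the DER request as RFC 6960 Appendix A specifies and return the raw DER response."""
    headers = {"Content-Type": "application/ocsp-request", "Accept": "application/ocsp-response"}
    req = urllib.request.Request(url, data=request_der, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def decode_ocsp_response(resp_der):
    """(responseStatus, certStatus of the first SingleResponse or None). Signature NOT verified."""
    top = children(resp_der)
    status = RESPONSE_STATUS.get(top[0][2][0], "unrecognised")
    if status != "successful" or len(top) < 2:
        return status, None
    basic = children(top[1][2])[1][2]                   # ResponseBytes.response OCTET STRING body
    tbs_fields = children(children(basic)[0][1])        # [version], responderID, producedAt, responses
    responses = next(f for f in tbs_fields if f[0] == 0x30)
    single = children(children(responses[1])[0][1])     # certID, certStatus, thisUpdate, ...
    return status, CERT_STATUS.get(single[1][0], "unrecognised")

def constructed_issuer_cert():  # constructed, unsigned sample: valid shape only, for offline use
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example Issuing CA"))))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + bytes(range(1, 33))))   # fake key bits
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + SHA256_RSA_ALG + name + der(0x30, b"") + name + spki)
    return der(0x30, tbs + SHA256_RSA_ALG + der(0x03, b"\x00" * 9))

def constructed_response(cert_status_tag):  # constructed, unsigned sample OCSPResponse for offline use
    now = der(0x18, b"20240601000000Z")
    cert_id = der(0x30, SHA1_ALG + der(0x04, b"\x00" * 20) + der(0x04, b"\x00" * 20) + der_int(1))
    cert_status = der(cert_status_tag, now if cert_status_tag == 0xA1 else b"")  # revoked carries RevokedInfo
    single = der(0x30, cert_id + cert_status + now)
    tbs = der(0x30, der(0xA2, der(0x04, b"\x00" * 20)) + now + der(0x30, single))  # responderID byKey
    basic = der(0x30, tbs + SHA256_RSA_ALG + der(0x03, b"\x00"))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, der(0x30, der(0x06, ID_PKIX_OCSP_BASIC) + der(0x04, basic))))

if __name__ == "__main__":
    # assumed usage: python ocsp_check.py https://<host>:<port>/ocspresponderweb issuing-ca.pem 0x1A2B
    url, issuer_path, serial = sys.argv[1], sys.argv[2], int(sys.argv[3], 0)
    print(decode_ocsp_response(post_ocsp(url, build_ocsp_request(load_cert_der(issuer_path), serial))))
```

Run it from a host that is allowed to reach the endpoint being checked: from the DMZ for OCSP Web, from the MZ for OCSP Core or emOCSP. A 'successful' responseStatus with 'unknown' is still a well-formed answer if that CA never issued the serial; 'unauthorized' means the responder cannot answer authoritatively for that issuer (RFC 6960 section 2.3), which usually points at the issuer or signer configuration rather than at the deployment.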

TSA Core

This section provides a step-by-step guide for the installation, configuration and usage of TSA Core. TSA Core (comprising emTSA and eTSA) timestamps the requests it receives and also manages the timestamping signers and their keys.

Configuration

Note – all actions required for setting up and configuring TSA Core should be done using administrator privileges

Environment Variables

For Java

In order to deploy emTSA.war and eTSA.war, the Java environment has to be set. Follow the procedure below; if JAVA_HOME is already configured, skip this section.

JAVA_HOME must be set as a system variable so that it applies to all users, including the account the Tomcat service runs as; choose "Edit the system environment variables" rather than the per-user option:

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

For tsacore.properties

This file configures the database connection (dialect, driver class name, URL, username and password) and the location of the log configuration. The database user should have full privileges on the schema created for the TSA application, and no privileges beyond that schema.

For Windows

Configure the property file path in environment variables as shown below in figure 21.

Fig 21

Variable name: TSACORE_CONFIGURATION_PATH

Variable value: location of property files (tsacore.properties)

Snapshot

Below is a snapshot of the tsacore.properties file for reference (the bracketed lines are annotations, not part of the file):

[This property is meant for configuring MySQL database connection]

hibernate.dialect=org.hibernate.dialect.MySQLDialect

jdbc.driverClassName=com.mysql.jdbc.Driver

jdbc.url=jdbc:mysql://localhost:3306/emcatsa

jdbc.username=root

jdbc.password= nNh0bStJeJxo3eu3taSY2Q==

[This property is meant to configure local server path of log4j file]

logFilePath=C:/emCA/log4j.xml

[This property is meant for the URL where eTSA is deployed]

emca.tsa.url = http://10.80.106.87:8383/eTSA/etsa

Database

tsacore.properties configures the database connection (dialect, driver class name, URL, username and password). The database user should have full privileges on the schema created for TSA, and no privileges beyond that schema.

Open tsacore.properties and set the DB configuration parameters below:

Parameter              Description
hibernate.dialect      [DialectInfo] Hibernate dialect for the database in use
jdbc.driverClassName   [DriverClassName] JDBC driver class name
jdbc.url               [URL] JDBC URL of the database
jdbc.username          [UserName] user name that has access to this schema
jdbc.password          [Password] password for that user, in encrypted form (refer Section 6)
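The parameter tables for ocspcore.properties above and tsacore.properties here list the same database keys, and the note that unchanged defaults are silently used applies to both. The script below is an added example (not part of emCA or of this document) that lints a properties file before the WAR is deployed: it parses Java .properties syntax, checks that every required key is present, that hibernate.dialect, jdbc.driverClassName and jdbc.url all refer to the same database family (the easy mistake when switching between the MySQL block and the commented-out MSSQL block), that jdbc.username is not a database administrator account, that jdbc.password has the shape of the encrypted base64 value the snapshots show rather than a plaintext or placeholder, that logFilePath exists, and that any URL to a remote host is not plain HTTP. The required-key list, the administrator-account list and the base64 and HTTP heuristics are assumptions; the sample file embedded in the script is a copy of the ocspcore.properties snapshot with its placeholder values.

```python
"""Pre-deployment lint for emCA-style .properties files (added example, stdlib only)."""
import os
import re

# family -> (substring expected in hibernate.dialect, prefix of jdbc.driverClassName, prefix of jdbc.url)
DB_FAMILIES = {
    "mysql":    ("MySQL",      "com.mysql.",               "jdbc:mysql:"),
    "mssql":    ("SQLServer",  "com.microsoft.sqlserver.", "jdbc:sqlserver:"),
    "postgres": ("PostgreSQL", "org.postgresql.",          "jdbc:postgresql:"),
    "oracle":   ("Oracle",     "oracle.jdbc.",             "jdbc:oracle:"),
    "db2":      ("DB2",        "com.ibm.db2.",             "jdbc:db2:"),
}
DB_KEYS = ("hibernate.dialect", "jdbc.driverClassName", "jdbc.url")
ADMIN_ACCOUNTS = {"root", "sa", "postgres", "sys", "system", "db2admin"}        # assumed list
CORE_REQUIRED = DB_KEYS + ("jdbc.username", "jdbc.password", "logFilePath")    # assumed for *core.properties
BASE64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")  # heuristic: shape of the encrypted password values in the snapshots

def parse_properties(text):
    """Java .properties subset: '#'/'!' comments, '=' ':' or whitespace separators, trailing-\\ continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def db_family(key, value):
    """Database family a dialect / driver class / JDBC URL value belongs to, or None."""
    idx = DB_KEYS.index(key)
    return next((fam for fam, sig in DB_FAMILIES.items() if sig[idx] in value), None)

def lint_properties(text, required=CORE_REQUIRED, path_exists=os.path.isfile):
    """Return (severity, message) findings; any 'error' should block deployment."""
    p = parse_properties(text)
    findings = []
    for key in required:
        if not p.get(key):
            findings.append(("error", f"{key} is missing or empty (an unchanged default would be used)"))
    families = {k: db_family(k, p[k]) for k in DB_KEYS if p.get(k)}
    if len(set(families.values())) > 1:
        findings.append(("error", f"dialect, driver and URL disagree on the database: {families}"))
    user = p.get("jdbc.username", "")
    if user.lower() in ADMIN_ACCOUNTS:
        findings.append(("warning", f"jdbc.username={user} is an administrative account; use a dedicated "
                                    "account whose privileges are limited to the application schema"))
    pw = p.get("jdbc.password", "")
    if pw and not BASE64.fullmatch(pw):
        findings.append(("error", "jdbc.password is not in the encrypted form the configuration section "
                                  "describes (plaintext or placeholder value)"))
    lp = p.get("logFilePath", "")
    if lp and not lp.lower().endswith(".xml"):
        findings.append(("warning", f"logFilePath={lp} does not name a log4j XML file"))
    if lp and not path_exists(lp):
        findings.append(("error", f"logFilePath={lp} does not exist on this server"))
    for key, value in p.items():  # cross-zone links (DMZ web -> MZ core) over cleartext HTTP
        if value.lower().startswith("http://") and not re.match(r"http://(localhost|127\.0\.0\.1)[:/]", value):
            findings.append(("warning", f"{key} uses cleartext HTTP to a remote host"))
    return findings

# Constructed sample: a copy of the ocspcore.properties snapshot with its placeholder values.
SAMPLE_OCSPCORE = """\
#local
hibernate.dialect=org.hibernate.dialect.MySQLDialect
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://127.0.0.1:3306/emcanew
jdbc.username=root
jdbc.password= nNh0bStJeJxo3eu3taSY2Q==
#MSSQL JDBC PROPERTIES
#hibernate.dialect=org.hibernate.dialect.SQLServerDialect
#jdbc.url=jdbc:sqlserver://cpu206:1433;databaseName=emca
#jdbc.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
#jdbc.username=emcatestuser
#jdbc.password=test@123
logFilePath=G:/emCA/BASE/2.3.0/PropertyFiles/ocsp/core/log4j.xml
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OCSPCORE
    for severity, message in lint_properties(text):
        print(f"{severity:8} {message}")
```

Run it against each properties file before starting Tomcat, from the account the service runs as, so that the logFilePath check reflects that account's view of the file system. For the web-tier files (ocspweb.properties, tsaweb.properties) pass a required-key tuple containing the core URL key and logFilePath instead of the default.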

Logs

The application uses Log4j for logging. Specify the local server path for the log files in log4j.xml, and set the local path of log4j.xml in the logFilePath property of tsacore.properties, whose own location is set in the environment variable (see section 6.5.1.1).

Log4J XML file as shown below:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd" >

<log4j:configuration>

<appender name="file" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader.log" /> -->

<param name="File" value="[Local Server Path]/eTSA.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="servicefile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_service.log" /> -->

<param name="File" value="[Local Server Path]/eTSA_service.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="daofile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_mgr.log" /> -->

<param name="File" value="[Local Server Path]/eTSA_mgr.log" />

<param name="threshold" value="info" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<appender name="debugfile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/crl_downloader_debug.log" /> -->

<param name="File" value="[Local Server Path]/eTSA_debug.log" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

<filter class="org.apache.log4j.varia.LevelRangeFilter">

<param name="LevelMin" value="debug" />

<param name="LevelMax" value="fatal" />

</filter>

</appender>

<appender name="errorfile" class="org.apache.log4j.RollingFileAppender">

<param name="maxFileSize" value="10MB" />

<param name="maxBackupIndex" value="500000" />

<!-- <param name="File" value="${rootPath}logs/emas_error.log" /> -->

<param name="File" value="[Local Server Path]/eTSA_error.log" />

<param name="threshold" value="error" />

<layout class="org.apache.log4j.PatternLayout">

<param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />

</layout>

</appender>

<category name="com.emudhra.LogicImpl.CrlLogicImpl">

<appender-ref ref="servicefile" />

</category>

<category name="com.emudhra.DaoImpl.crlDaoImpl">

<appender-ref ref="daofile" />

</category>

<root>

<priority value="debug"></priority>

<appender-ref ref="errorfile" />

<appender-ref ref="debugfile" />

<appender-ref ref="file" />

</root>

</log4j:configuration>

In the configuration above, the administrator has to replace the highlighted LOCAL SERVER PATH with the folder in which the log files are to be generated.

Deployment

The following components are required for deployment:

  • TSA Core (emTSA.war and eTSA.war files)

TSA Core comes as two WAR files which have to be deployed on the application server; the applications read their configuration from the properties file.

Configure and save all properties defined in the properties file as per section 6.5.1, then deploy the configured TSA Core WAR files.

Steps to deploy the application:

  • Copy emTSA.war and eTSA.war into the Tomcat webapps folder (apache-tomcat\webapps)

  • In Windows, run services.msc

  • Select the Apache Tomcat service and click Start

Quick Check Guide

  • Once deployment is successfully done and the server is started, open a browser (Internet Explorer, Google Chrome, Firefox, etc.) and enter the URL below in the address field, using the scheme and port configured on the Tomcat connector:

https://<ip address>:<port>/eTSA (for example https://127.0.0.1:8080/eTSA)

The TSA login page will be displayed.

  • To verify that logs are generated in the configured path, open the folder set in log4j.xml (Configuration->log4j.xml):

[Local Server Path]/eTSA.log

Make sure that the log file has been created in the above-mentioned path.

TSA Web

This section provides a step-by-step guide for the installation, configuration and usage of TSA Web. It is generally deployed in the DMZ for external applications to interface with. TSA Web in turn interfaces with TSA Core, which is deployed in the MZ, where only selected internal applications have access to it.

Configuration

Note – all actions required for setting up and configuring TSA Web should be done using administrator privileges

Environment Variables

For Java

In order to deploy WebTSA.war, the Java environment has to be set. Follow the procedure below; if JAVA_HOME is already configured, skip this section.

JAVA_HOME must be set as a system variable so that it applies to all users, including the account the Tomcat service runs as; choose "Edit the system environment variables" rather than the per-user option:

Search for Environment Variables:

    • Type "environment variables" in the Windows search bar.

    • Click on "Edit the system environment variables".

System Properties Window:

    • In the System Properties window that opens, click on the "Environment Variables" button.

Edit System Variables:

    • Under "System variables," find the JAVA_HOME variable.

    • If the variable exists:

      • Select it and click "Edit."

      • In the "Variable value" field, enter the full path to your JDK 17 installation directory (e.g., C:\Program Files\Java\jdk-17.0.1).

    • If the variable does not exist:

      • Click "New."

      • Enter JAVA_HOME as the variable name.

      • Enter the full path to your JDK 17 installation directory as the variable value.

Save Changes:

    • Click "OK" to save the changes in the Environment Variables window.

    • Click "OK" to close the System Properties window.

For tsaweb.properties

This file is used to configure connection with TSA Core as well as logs.

For Windows

Configure the property file path as an environment variable, as shown in figure 25.

Fig 25

Variable name: TSAWEB_CONFIGURATION_PATH

Variable value: location of the property file (tsaweb.properties)

Snapshot

The tsaweb.properties file snapshot is given below for reference:

emca.tsa.url=http://localhost:8800/eTSA/etsa

logFilePath=G:/emCA/BASE/2.3.0/PropertyFiles/tsa/web/log4j.xml

Connection

TSA Web has to connect to TSA Core in order to pass on the requests it receives. To connect to TSA Core, set the TSA Core URL in the properties file as shown below:

#URL where tsacore is deployed

emca.tsa.url=http://localhost:8800/eTSA/etsa

Logs

The application uses Log4j for logging. Specify the local server path for collecting the logs in the log4j.xml file. The local server path of the log4j.xml file needs to be provided in the tsaweb.properties file, which is set in the environment variables [please refer to section 6.6.1.1].

The Log4j XML file is shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd" >
<log4j:configuration>
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="maxFileSize" value="10MB" />
    <param name="maxBackupIndex" value="500000" />
    <!-- <param name="File" value="${rootPath}logs/crl_downloader.log" /> -->
    <param name="File" value="[Local Server Path]//WebTSA.log" />
    <param name="threshold" value="info" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />
    </layout>
  </appender>

  <appender name="servicefile" class="org.apache.log4j.RollingFileAppender">
    <param name="maxFileSize" value="10MB" />
    <param name="maxBackupIndex" value="500000" />
    <!-- <param name="File" value="${rootPath}logs/crl_downloader_service.log" /> -->
    <param name="File" value="[Local Server Path]//WebTSA_service.log" />
    <param name="threshold" value="info" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />
    </layout>
  </appender>

  <appender name="daofile" class="org.apache.log4j.RollingFileAppender">
    <param name="maxFileSize" value="10MB" />
    <param name="maxBackupIndex" value="500000" />
    <!-- <param name="File" value="${rootPath}logs/crl_downloader_mgr.log" /> -->
    <param name="File" value="[Local Server Path]//WebTSA_mgr.log" />
    <param name="threshold" value="info" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />
    </layout>
  </appender>

  <appender name="debugfile" class="org.apache.log4j.RollingFileAppender">
    <param name="maxFileSize" value="10MB" />
    <param name="maxBackupIndex" value="500000" />
    <!-- <param name="File" value="${rootPath}logs/crl_downloader_debug.log" /> -->
    <param name="File" value="[Local Server Path]//WebTSA_debug.log" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />
    </layout>
    <filter class="org.apache.log4j.varia.LevelRangeFilter">
      <param name="LevelMin" value="debug" />
      <param name="LevelMax" value="fatal" />
    </filter>
  </appender>

  <appender name="errorfile" class="org.apache.log4j.RollingFileAppender">
    <param name="maxFileSize" value="10MB" />
    <param name="maxBackupIndex" value="500000" />
    <!-- <param name="File" value="${rootPath}logs/emas_error.log" /> -->
    <param name="File" value="[Local Server Path]//WebTSA_error.log" />
    <param name="threshold" value="error" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %5p %c{1}:%L - %m%n" />
    </layout>
  </appender>

  <category name="com.emudhra.LogicImpl.CrlLogicImpl">
    <appender-ref ref="servicefile" />
  </category>

  <category name="com.emudhra.DaoImpl.crlDaoImpl">
    <appender-ref ref="daofile" />
  </category>

  <root>
    <priority value="debug"></priority>
    <appender-ref ref="errorfile" />
    <appender-ref ref="debugfile" />
    <appender-ref ref="file" />
  </root>
</log4j:configuration>

In place of [Local Server Path] above, the administrator has to provide the folder path where the log files are to be generated.
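As an added example (not eMudhra's code), the following Python script performs the checks an administrator would want before deploying WebTSA.war against the two files described in the Connection and Logs sections: it reads tsaweb.properties, confirms that emca.tsa.url is TLS-protected and points at the TSA Core endpoint, and parses log4j.xml to find appenders whose File parameter still carries the [Local Server Path] placeholder. The sample inputs are constructed from the snapshots above; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PLACEHOLDER = "[Local Server Path]"

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """tsaweb.properties: the TSA Core URL and the pointer to log4j.xml."""
    issues = []
    url = urlparse(props.get("emca.tsa.url", ""))
    if url.scheme != "https":
        issues.append("emca.tsa.url is not https; traffic from the DMZ to TSA Core should be TLS-protected")
    if not url.path.endswith("/eTSA/etsa"):
        issues.append("emca.tsa.url does not end with the /eTSA/etsa endpoint")
    if not props.get("logFilePath", "").endswith("log4j.xml"):
        issues.append("logFilePath must point at the log4j.xml file")
    return issues

def check_log4j(xml_text):
    """Flags appenders whose File param still carries the placeholder."""
    xml_text = re.sub(r"<!DOCTYPE[^>]*>", "", xml_text)  # log4j.dtd is not available here
    xml_text = xml_text.replace("log4j:configuration", "configuration")  # prefix is unbound without an xmlns
    root = ET.fromstring(xml_text.encode("utf-8"))
    issues = []
    for app in root.iter("appender"):
        params = {p.get("name"): p.get("value", "") for p in app.findall("param")}
        if PLACEHOLDER in params.get("File", ""):
            issues.append(f"appender '{app.get('name')}': File still contains {PLACEHOLDER}")
    return issues

def run_checks(props_text, xml_text):
    return check_properties(parse_properties(props_text)) + check_log4j(xml_text)

# Constructed samples mirroring the snapshots in this section, not real deployment files.
SAMPLE_PROPERTIES = "emca.tsa.url=http://localhost:8800/eTSA/etsa\nlogFilePath=G:/emCA/tsa/web/log4j.xml\n"
SAMPLE_LOG4J = """<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd" >
<log4j:configuration><appender name="file" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="[Local Server Path]//WebTSA.log" /><param name="threshold" value="info" />
</appender><root><priority value="debug"></priority><appender-ref ref="file" /></root></log4j:configuration >"""
```

Running run_checks on the two samples reports the plain-http TSA Core URL and the unfilled placeholder in the "file" appender; a clean configuration returns an empty list.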

Deployment

The following component is required for deployment:

  • TSA Web (WebTSA.war file)

TSA Web comes as a war file which has to be deployed on the application server. The server takes its configuration from a properties file.

Configure and save all the properties defined in the properties file as per section 6.6.1, then deploy the configured TSA Web war file (WebTSA.war).

The steps to deploy the application are:

  • Copy WebTSA.war into the Tomcat webapps folder (apache-tomcat\webapps)

  • On Windows, run services.msc

  • Select Apache Tomcat and click Start

Quick Check Guide

  • Once deployment is complete and the server is started, open any browser (Internet Explorer, Google Chrome, Firefox etc.) and enter the URL below in the address field:

https://www.example.com/WebTSA (for example: https://127.0.0.1:8080/WebTSA)

The following page is displayed [Figure 27]. This confirms that the application is deployed properly.

Fig 27

  • To verify that logs are being generated at the path defined, open the folder configured in the log4j.xml file (Configuration->log4j.xml):

[Local Server Path]/WebTSA.log

Make sure that the log file is created at the above-mentioned path.

DB Password Encryptor

This utility is used to create encrypted passwords for connecting to the database.

Step 1

  • To get an encrypted password, run PasswordSecure.jar from the command prompt using the command below (Figure 43):

java -jar [Local Server path]/PasswordSecure.jar

  • In the local server path, mention the server path where PasswordSecure.jar is placed.

Fig 28

Step 2

  • On running the jar from command prompt, the user will be asked to enter the DB password that needs to be encrypted.

Step 3

  • The response will be an encrypted password, which needs to be copied.

Step 4

  • The same encrypted password generated by the jar file needs to be used in the properties files that require a database connection.
