Source: ejbca.minoss.nl/vm0014.pdf

Posted: 15-Sep-2018

VM0014: Enterprise

Application          | Used at training            | More recent
---------------------+-----------------------------+------------------------------------------------------------
Ejbca                | Ejbca-3.10.1                | Ejbca-3.11.5, Ejbca-4.0.12, Ejbca-4.0.13
Application-server   | jboss-4.2.3.GA-jdk6         | jboss-5.1.0.GA-jdk6, jboss-as-distribution-6.0.0.Final, jboss-as-distribution-6.1.0.Final, jboss-as-7.0.2.Final, jboss-as-7.1.1.Final
Java development kit | jdk-6u20-linux-i586         | jdk-6u38-ea-bin-b04-linux-amd64-31_oct_2012.bin, jdk-6u38-ea-bin-b04-linux-i586-31_oct_2012.bin, java-1_6_0-ibm-1.6.0_sr12.0-0.5.1, java-1_6_0-openjdk-1.6.0.0_b24.1.11.5-2.1, java-1_7_0-openjdk, java-1_7_0-openjdk-devel
Java crypto env      | jce_policy-6                |
Mysql connector      | mysql-connector-java-5.1.13 | mysql-connector-java-5.1.22
Java-dev-tool        | apache-ant-1.8.1-bin        | apache-ant-1.8.4-bin, ant-1.8.2-11.1.1.noarch

Fedora or openSUSE are great for developing and testing, but production should be either on RedHat-ES or SUSE Linux Enterprise Server (SLES11sp2).

First, building of virtual machine.
→ lvcreate -L 5GB -n vm0014 main
orion:~ # lvcreate -L 5GB -n vm0014 main
Logical volume "vm0014" created

→ time dd if=/dev/main/sles11sp2 of=/dev/mapper/main-vm0014 bs=1M
orion:~ # time dd if=/dev/main/sles11sp2 of=/dev/mapper/main-vm0014 bs=1M
5120+0 records in
5120+0 records out
5368709120 bytes (5.4 GB) copied, 132.687 s, 40.5 MB/s

real 2m12.700s
user 0m0.040s
sys 0m9.901s

Create vm startup file:
→ cp vm0000 vm0014
orion:/etc/xen/vm # cp vm0000 vm0014
orion:/etc/xen/vm # vi vm0014

Change the MAC address.
Modify the config on the dhcp and dns server, so the machine will get a unique name & address.
Don't forget to kick the dhcp and dns server processes...

Start new machine
→ xm create -c vm0014
orion:/etc/xen/vm # xm create -c vm0014

Welcome to SUSE Linux Enterprise Server 11 SP2 (x86_64) - Kernel 3.0.13-0.27-xen (tty1).

Networking: check own addresses (ifconfig is deprecated)
→ ip addr show dev eth0
vm0014 login: root
Password:

Last login: Wed Dec 19 16:42:33 CET 2012 on tty1
vm0014:~ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:16:3e:00:14:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.134/24 brd 192.168.0.255 scope global eth0
    inet6 2001:470:1f01:3785:216:3eff:fe00:1400/64 scope global dynamic
       valid_lft 2592000sec preferred_lft 604800sec
    inet6 fe80::216:3eff:fe00:1400/64 scope link
       valid_lft forever preferred_lft forever

Test if sshd is properly working, and the address
→ ssh vm0014
orion:~ # ssh vm0014
The authenticity of host 'vm0014 (192.168.0.134)' can't be established.
RSA key fingerprint is 4a:41:85:94:b5:af:43:39:b5:48:1b:c2:a4:6a:df:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm0014,192.168.0.134' (RSA) to the list of known hosts.
Password:
Last login: Wed Dec 19 16:44:28 2012

Seems OK.

Check mount point repositories
→ zypper lr -u
vm0014:~ # zypper lr -u
# | Alias                                            | Name                                             | Enabled | Refresh | URI
--+--------------------------------------------------+--------------------------------------------------+---------+---------+---------------------------------
1 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | Yes     | Yes     | hd:///?device=/dev/xvdb&filesystem=auto

→ echo "192.168.0.2 storage" >> /etc/hosts
vm0014:~ # echo "192.168.0.2 storage" >> /etc/hosts

→ mkdir -p /data/software/distro/suse/sles11sp2
vm0014:~ # mkdir -p /data/software/distro/suse/sles11sp2

→ mount -o nolock storage:/data/software/distro/suse/sles11sp2 /data/software/distro/suse/sles11sp2
vm0014:~ # mount -o nolock storage:/data/software/distro/suse/sles11sp2 /data/software/distro/suse/sles11sp2

→ zypper addrepo --refresh --check -n "update" dir:/data/software/distro/suse/sles11sp2 update
vm0014:~ # zypper addrepo --refresh --check -n "update" dir:/data/software/distro/suse/sles11sp2 update
Adding repository 'update' [done]
Repository 'update' successfully added
Enabled: Yes
Autorefresh: Yes
GPG check: Yes
URI: dir:///data/software/distro/suse/sles11sp2

→ zypper lr -u
vm0014:~ # zypper lr -u
# | Alias                                            | Name                                             | Enabled | Refresh | URI
--+--------------------------------------------------+--------------------------------------------------+---------+---------+-------------------------------------------
1 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234 | Yes     | Yes     | hd:///?device=/dev/xvdb&filesystem=auto
2 | update                                           | update                                           | Yes     | Yes     | dir:///data/software/distro/suse/sles11sp2

Refresh repositories
→ zypper ref
vm0014:~ # zypper ref
Repository 'SUSE-Linux-Enterprise-Server-11-SP2 11.2.2-1.234' is up to date.
Retrieving repository 'update' metadata [done]
Building repository 'update' cache [done]
All repositories have been refreshed.

→ zypper up
vm0014:~ # zypper up
Loading repository data...
Reading installed packages...

The following package update will NOT be installed:
sles-release

The following packages are going to be upgraded:
PolicyKit PolicyKit-32bit SuSEfirewall2 aaa_base apache2-mod_php5 apache2-mod_python audit audit-libs audit-libs-32bit augeas-lenses autofs bash bash-doc bind-libs bind-libs-32bit bind-utils binutils boost-license cifs-utils coreutils coreutils-lang crash crash-sial cron curl dbus-1 dbus-1-32bit device-mapper device-mapper-32bit dhcpcd ethtool expat freetype2 freetype2-32bit glib2 glib2-lang glibc glibc-32bit glibc-i18ndata glibc-locale glibc-locale-32bit gpg2 gpg2-lang hal hal-32bit hwinfo inst-source-utils ipmitool kdump kernel-firmware kernel-xen kernel-xen-base klogd kpartx ksh libMagickCore1 libaugeas0 libblkid1 libblkid1-32bit libboost_regex1_36_0 libcurl4 libcurl4-32bit libexpat1 libexpat1-32bit libglib-2_0-0 libglib-2_0-0-32bit libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libjpeg libjpeg-32bit libldap-2_4-2 libldap-2_4-2-32bit libmysqlclient15 libnuma1 libopenssl0_9_8 libopenssl0_9_8-32bit libpng12-0 libpng12-0-32bit libpython2_6-1_0 libreadline5 libsnmp15 libssh2-1 libtalloc2 libtiff3 libtiff3-32bit libudev0 libudev0-32bit libuuid1 libuuid1-32bit libxml2 libxml2-32bit libxslt libxslt-32bit libzypp lvm2 mailx makedumpfile man-pages mcelog mdadm microcode_ctl mkinitrd multipath-tools mysql mysql-client nfs-client nscd numactl openldap2-client openssh openssl openssl-certs pam_mount pam_mount-32bit parted parted-32bit pciutils pciutils-32bit perl perl-32bit perl-Bootloader perl-base perl-doc perl-satsolver php5 php5-ctype php5-dom php5-hash php5-iconv php5-json php5-suhosin php5-tokenizer php5-xmlreader php5-xmlwriter popt popt-32bit postfix procps puppet python python-base python-satsolver python-tk python-xml quota readline-doc reiserfs rpcbind rpm rpm-32bit rsync satsolver-tools sg3_utils snmp-mibs subscription-tools sudo supportutils suse-sam suse-sam-data sysconfig syslinux syslog-ng sysvinit tcsh timezone udev util-linux util-linux-lang uuid-runtime xen-libs xen-tools-domU xfsprogs yast2
yast2-backup yast2-core yast2-country yast2-country-data yast2-dns-server yast2-ftp-server yast2-http-server yast2-kerberos-client yast2-ldap yast2-ldap-client yast2-ncurses yast2-ncurses-pkg yast2-network yast2-nfs-common yast2-nfs-server yast2-pkg-bindings yast2-registration yast2-registration-branding-SLE yast2-samba-server yast2-vm yast2-wagon zypper zypper-log

The following packages are not supported by their vendor:
PolicyKit PolicyKit-32bit SuSEfirewall2 aaa_base apache2-mod_php5 apache2-mod_python audit audit-libs audit-libs-32bit augeas-lenses autofs bash bash-doc bind-libs bind-libs-32bit bind-utils binutils boost-license cifs-utils coreutils coreutils-lang crash crash-sial cron curl dbus-1 dbus-1-32bit device-mapper device-mapper-32bit dhcpcd ethtool expat freetype2 freetype2-32bit glib2 glib2-lang glibc glibc-32bit glibc-i18ndata glibc-locale glibc-locale-32bit gpg2 gpg2-lang hal hal-32bit hwinfo inst-source-utils ipmitool kdump kernel-firmware kernel-xen kernel-xen-base klogd kpartx ksh libMagickCore1 libaugeas0 libblkid1 libblkid1-32bit libboost_regex1_36_0 libcurl4 libcurl4-32bit libexpat1 libexpat1-32bit libglib-2_0-0 libglib-2_0-0-32bit libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libjpeg libjpeg-32bit libldap-2_4-2 libldap-2_4-2-32bit libmysqlclient15 libnuma1 libopenssl0_9_8 libopenssl0_9_8-32bit libpng12-0 libpng12-0-32bit libpython2_6-1_0 libreadline5 libsnmp15 libssh2-1 libtalloc2 libtiff3 libtiff3-32bit libudev0 libudev0-32bit libuuid1 libuuid1-32bit libxml2 libxml2-32bit libxslt libxslt-32bit libzypp lvm2 mailx makedumpfile man-pages mcelog mdadm microcode_ctl mkinitrd multipath-tools mysql mysql-client nfs-client nscd numactl openldap2-client openssh openssl openssl-certs pam_mount pam_mount-32bit parted parted-32bit pciutils pciutils-32bit perl perl-32bit perl-Bootloader perl-base perl-doc perl-satsolver php5 php5-ctype php5-dom php5-hash php5-iconv php5-json php5-suhosin php5-tokenizer php5-xmlreader php5-xmlwriter popt popt-32bit postfix procps puppet python python-base python-satsolver python-tk python-xml quota readline-doc reiserfs rpcbind rpm rpm-32bit rsync satsolver-tools sg3_utils snmp-mibs subscription-tools sudo supportutils suse-sam suse-sam-data sysconfig syslinux syslog-ng sysvinit tcsh timezone udev util-linux util-linux-lang uuid-runtime xen-libs xen-tools-domU xfsprogs
yast2 yast2-backup yast2-core yast2-country yast2-country-data yast2-dns-server yast2-ftp-server yast2-http-server yast2-kerberos-client yast2-ldap yast2-ldap-client yast2-ncurses yast2-ncurses-pkg yast2-network yast2-nfs-common yast2-nfs-server yast2-pkg-bindings yast2-registration yast2-registration-branding-SLE yast2-samba-server yast2-vm yast2-wagon zypper zypper-log

197 packages to upgrade.
Overall download size: 157.2 MiB. After the operation, additional 6.4 MiB will be used.

Continue? [y/n/?] (y):

Sometimes a reboot is required because of a kernel patch.

→ init 0
vm0014:~ # init 0
vm0014:~ # logout
Connection to vm0014 closed.

In that case, restart with the new kernel
→ xm create -c vm0014
Not unloading kdump during runlevel changes   skipped
done
Turning off quota   done
done
Turning off swap files
Unmounting file systems
/dev/xvda1 has been unmounted   done
Not shutting down MD RAID - reboot/halt scripts do this.   missing
Stopping udevd:   done
Sending all processes the TERM signal...   done
Sending all processes the KILL signal...   done
The system will be halted immediately.
[19285.562674] System halted.
orion:/etc/xen/vm #

orion:/etc/xen/vm # xm create -c vm0014
Welcome to SUSE Linux Enterprise Server 11 SP2 (x86_64) - Kernel 3.0.42-0.7-xen (tty1).

vm0014 login:

used to be: Kernel 3.0.13-0.27-xen

Login again (thru ssh) instead of virtual console
orion:~ # ssh vm0014
Password:
Last login: Wed Dec 19 16:49:17 2012 from orion

Something that should be done in template:
→ zypper install lsb-release
vm0014:~ # zypper install lsb-release
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
lsb-release

1 new package to install.
Overall download size: 9.0 KiB. After the operation, additional 15.0 KiB will be used.
Continue? [y/n/?] (y):
Retrieving package lsb-release-2.0-1.2.18.noarch (1/1), 9.0 KiB (15.0 KiB unpacked)
Installing: lsb-release-2.0-1.2.18 [done]

If needed, just for documentation purposes, adjust the prompt:
→ hostname vm0014.minoss.nl
# not needed anymore

Pre-installation tests / actions
Architecture test:
→ uname -a
vm0014:~ # uname -a
Linux vm0014 3.0.42-0.7-xen #1 SMP Tue Oct 9 11:58:45 UTC 2012 (a8dc443) x86_64 x86_64 x86_64 GNU/Linux

OS:
→ lsb_release -d; echo; cat /etc/SuSE-release
vm0014:~ # lsb_release -d; echo; cat /etc/SuSE-release
Description:    SUSE Linux Enterprise Server 11 (x86_64)

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

Available diskspace:
→ df -h
vm0014:~ # df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda3      3.5G  1.2G  2.2G  36% /
udev            520M   64K  520M   1% /dev
tmpfs           520M     0  520M   0% /dev/shm
/dev/xvda1      493M   46M  422M  10% /boot

check memory
→ free
vm0014:~ # free
             total       used       free     shared    buffers     cached
Mem:       1064672     153496     911176          0       5008      64708
-/+ buffers/cache:      83780     980892
Swap:      1051644          0    1051644

Slightly more mem available, compared to openSUSE.

networking: fqdn
Permanent change:
→ echo "vm0014.minoss.nl" > /etc/HOSTNAME
Done in dhcp & dns

(proof would require a reboot)

Make fqdn locally known:
→ vi /etc/hosts
not needed

add: #192.168.0.181 vm0014.minoss.nl vm0014#

(Note: do not add the name to 127.0.0.1 !!!!!!)

Check:
→ hostname -f
vm0014:~ # hostname -f
vm0014.minoss.nl

Networking: local ping to self (needed for db connection)
→ ping -c2 `hostname`
vm0014:~ # ping -c2 `hostname`
PING vm0014.minoss.nl (192.168.0.134) 56(84) bytes of data.
64 bytes from vm0014.minoss.nl (192.168.0.134): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from vm0014.minoss.nl (192.168.0.134): icmp_seq=2 ttl=64 time=0.029 ms

--- vm0014.minoss.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.020/0.024/0.029/0.006 ms

Note the correct IP address (not 127.0.0.1)

networking: remote ping to self (needed for browser connection)

→ ping -c2 vm0014.minoss.nl
orion:~ # ping -c2 vm0014.minoss.nl
PING vm0014.minoss.nl (192.168.0.134) 56(84) bytes of data.
64 bytes from vm0014.minoss.nl (192.168.0.134): icmp_seq=1 ttl=64 time=0.297 ms
64 bytes from vm0014.minoss.nl (192.168.0.134): icmp_seq=2 ttl=64 time=0.136 ms

--- vm0014.minoss.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.136/0.216/0.297/0.081 ms

If not present, add the lines to /etc/hosts on the host that will launch the browser.

Networking: firewall (if the firewall is too active, the db connection or browser connection might fail)
→ iptables -L -n -v ; echo; ip6tables -L -n -v
vm0014:~ # iptables -L -n -v ; echo; ip6tables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

If not, adjust manually.

Additional users (needed for unprivileged ownership of files and daemon)
→ egrep "ejbca|jboss" /etc/passwd
vm0014:~ # egrep "ejbca|jboss" /etc/passwd
ejbca:x:1002:100:ejbca:/home/ejbca:/bin/bash
jboss:x:1001:100:jboss:/home/jboss:/bin/bash
Done in template.

Expected software (mysql server and client are needed, and the product relies on openssl)
→ rpm -qa | egrep "ssh|ssl|mysql" |sort
vm0014:~ # rpm -qa | egrep "ssh|ssl|mysql" |sort
libmysqlclient15-5.0.96-0.4.1
libopenssl0_9_8-0.9.8j-0.44.1
libopenssl0_9_8-32bit-0.9.8j-0.44.1
libssh2-1-1.2.9-4.2.2.1
mysql-5.0.96-0.4.1
mysql-client-5.0.96-0.4.1
openssh-5.1p1-41.55.1
openssl-0.9.8j-0.44.1
openssl-certs-1.85-0.6.1
yast2-sshd-2.17.2-1.21

Slightly older libopenssl, mysql-server, mysql-client and openssh
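Two of the pre-installation tests above (the fqdn not being mapped to 127.0.0.1 in /etc/hosts, and the firewall not blocking the db or browser connection) are worth scripting, since they are the ones that fail silently later. This is an added example, not part of the original notes; the function names, the script name preinstall_check.sh and the sample inputs are constructed here, with the addresses taken from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: the hosts-file and firewall
# checks from the pre-installation tests, as functions that take the file or
# command output as text so they run on constructed samples as well as on the
# live host (sh preinstall_check.sh --live; script name assumed).

# Constructed samples. The "bad" hosts file binds the FQDN to 127.0.0.1, which
# the notes warn against: the CA and db would then talk to loopback instead of
# the real address 192.168.0.134.
SAMPLE_HOSTS_BAD='127.0.0.1 localhost vm0014.minoss.nl vm0014
192.168.0.134 vm0014.minoss.nl vm0014'

SAMPLE_HOSTS_OK='127.0.0.1 localhost
#192.168.0.181 vm0014.minoss.nl vm0014
192.168.0.134 vm0014.minoss.nl vm0014'

# Empty ruleset, as shown by iptables -L -n -v on the fresh VM in the notes.
SAMPLE_IPTABLES_OPEN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed restrictive ruleset: DROP policy, only loopback and ssh allowed.
SAMPLE_IPTABLES_RESTRICTED='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# hosts_name_on_loopback NAME HOSTS_TEXT
# Exit 0 (true) when NAME appears on a 127.x.x.x line of HOSTS_TEXT, comments
# ignored; exit 1 when it does not. True is the mistake the notes flag.
hosts_name_on_loopback() {
    printf '%s\n' "$2" | sed 's/#.*//' | awk -v n="$1" '
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# firewall_restricts IPTABLES_TEXT
# Exit 0 when any chain has a non-ACCEPT policy or holds at least one rule
# (the "too active" case in the notes); exit 1 when every chain is policy
# ACCEPT with no rules at all. A rule line starts with the pkts/bytes counters.
firewall_restricts() {
    printf '%s\n' "$1" | awk '
        /^Chain / && $0 !~ /policy ACCEPT/ { restrict = 1 }
        /^ *[0-9]+[KMGT]? +[0-9]+[KMGT]? +[A-Za-z_]/ { restrict = 1 }
        END { if (restrict) exit 0; exit 1 }'
}

# run_live: apply both checks to this host, the way the notes do by hand.
run_live() {
    fqdn=$(hostname -f)
    if hosts_name_on_loopback "$fqdn" "$(cat /etc/hosts)"; then
        echo "WARNING: $fqdn is bound to 127.x in /etc/hosts; use the real address"
    else
        echo "ok: $fqdn is not on loopback in /etc/hosts"
    fi
    if firewall_restricts "$(iptables -L -n -v 2>/dev/null)"; then
        echo "note: iptables has a restrictive policy or rules; make sure the db and browser ports are allowed"
    else
        echo "ok: iptables is wide open (as on the fresh VM in the notes)"
    fi
}

if [ "${1-}" = "--live" ]; then run_live; fi
```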

Gathering of unbundled software, on depot-host:
→ cd ejbca
→ sftp ejbca@vm0014
→ mkdir log
→ mkdir DEPOT
→ cd DEPOT
→ pwd
orion:~/ejbca # sftp ejbca@vm0014
Password:
Password:
Connected to vm0014.
sftp> mkdir log
sftp> mkdir DEPOT
sftp> cd DEPOT
sftp> pwd
Remote working directory: /home/ejbca/DEPOT
sftp>

sftp> put ejbca_4_0_13.zip
Uploading ejbca_4_0_13.zip to /home/ejbca/DEPOT/ejbca_4_0_13.zip
ejbca_4_0_13.zip                              100%   41MB  40.8MB/s   00:01
sftp>

sftp> put jboss-as-distribution-6.1.0.Final.zip
Uploading jboss-as-distribution-6.1.0.Final.zip to /home/ejbca/DEPOT/jboss-as-distribution-6.1.0.Final.zip
jboss-as-distribution-6.1.0.Final.zip         100%  174MB  34.9MB/s   00:05
sftp>

Sles11sp2 version of ANT is way too old!!
sftp> put apache-ant-1.8.4-bin.zip
Uploading apache-ant-1.8.4-bin.zip to /home/ejbca/DEPOT/apache-ant-1.8.4-bin.zip
apache-ant-1.8.4-bin.zip
sftp>

sftp> put mysql-connector-java-5.1.22.zip
Uploading mysql-connector-java-5.1.22.zip to /home/ejbca/DEPOT/mysql-connector-java-5.1.22.zip
mysql-connector-java-5.1.22.zip               100% 4170KB   4.1MB/s   00:00
sftp> quit

Java options:
→ zypper search java-
vm0014:~ # zypper search java-
Loading repository data...
Reading installed packages...

S | Name                  | Summary                                                             | Type
--+-----------------------+---------------------------------------------------------------------+-----------
  | java-1_4_2-ibm        | IBM(R) Runtime Environment for Linux, Java(TM) 2 Technology Edition | package
  | java-1_4_2-ibm        | IBM(R) Runtime Environment for Linux, Java(TM) 2 Technology Edition | srcpackage
  | java-1_6_0-ibm        | Java(TM) 6 Runtime Environment                                      | package
  | java-1_6_0-ibm        | Java(TM) 6 Runtime Environment                                      | srcpackage
  | java-1_6_0-ibm-fonts  | Java(TM) 2 Runtime Environment                                      | package
  | java-1_6_0-ibm-jdbc   | JDBC/ODBC bridge driver for java-1.6.0-ibm                          | package
  | java-1_6_0-ibm-plugin | Browser plugin files for java-1.6.0-ibm                             | package

OR:
→ mkdir -p /data/software/obs/Java:/
vm0014:~ # mkdir -p /data/software/obs/Java:/

→ mount -o nolock storage:/data/software/obs/Java:/ /data/software/obs/Java:/
vm0014:~ # mount -o nolock storage:/data/software/obs/Java:/ /data/software/obs/Java:/

→ zypper addrepo --refresh --check -n "java hack" dir:/data/software/obs/Java://openjdk6:/Factory/SLE_11_SP2 java
vm0014:~ # zypper addrepo --refresh --check -n "java hack" dir:/data/software/obs/Java://openjdk6:/Factory/SLE_11_SP2 java
Adding repository 'java hack' [done]
Repository 'java hack' successfully added
Enabled: Yes
Autorefresh: Yes
GPG check: Yes
URI: dir:///data/software/obs/Java://openjdk6:/Factory/SLE_11_SP2

→ zypper search java-
vm0014:~ # zypper search java-
Retrieving repository 'java hack' metadata [\]

New repository or package signing key received:
Key ID: E38C29BC4276E0B9
Key Name: Java OBS Project <[email protected]>
Key Fingerprint: 9711921972E27C87BBC1BA89E38C29BC4276E0B9
Key Created: Wed Dec 7 09:43:54 2011
Key Expires: Fri Feb 14 09:43:54 2014
Repository: java hack

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): a
Retrieving repository 'java hack' metadata [done]
Building repository 'java hack' cache [done]
Retrieving repository 'update' metadata [done]
Building repository 'update' cache [done]
Loading repository data...
Reading installed packages...

S | Name                           | Summary                                                             | Type
--+--------------------------------+---------------------------------------------------------------------+-----------
  | java-1_4_2-ibm                 | IBM(R) Runtime Environment for Linux, Java(TM) 2 Technology Edition | package
  | java-1_4_2-ibm                 | IBM(R) Runtime Environment for Linux, Java(TM) 2 Technology Edition | srcpackage
  | java-1_6_0-ibm                 | Java(TM) 6 Runtime Environment                                      | package
  | java-1_6_0-ibm                 | Java(TM) 6 Runtime Environment                                      | srcpackage
  | java-1_6_0-ibm-fonts           | Java(TM) 2 Runtime Environment                                      | package
  | java-1_6_0-ibm-jdbc            | JDBC/ODBC bridge driver for java-1.6.0-ibm                          | package
  | java-1_6_0-ibm-plugin          | Browser plugin files for java-1.6.0-ibm                             | package
  | java-1_6_0-openjdk             | Java runtime environment based on OpenJDK 6 and IcedTea 6           | package
  | java-1_6_0-openjdk             | Java runtime environment based on OpenJDK 6 and IcedTea 6           | srcpackage
  | java-1_6_0-openjdk-debuginfo   | Debug information for package java-1_6_0-openjdk                    | package
  | java-1_6_0-openjdk-debugsource | Debug sources for package java-1_6_0-openjdk                        | package
  | java-1_6_0-openjdk-demo        | Sources for building demo applications with OpenJDK 6               | package
  | java-1_6_0-openjdk-devel       | Java SDK based on OpenJDK 6 and IcedTea 6                           | package
  | java-1_6_0-openjdk-javadoc     | Documentation of the Java API of OpenJDK 6                          | package
  | java-1_6_0-openjdk-src         | OpenJDK 6 Java class sources for developers                         | package

Either:
→ zypper install ant java-1_6_0-openjdk java-1_6_0-openjdk-devel
Or:
→ zypper install ant java-1_6_0-ibm
vm0014:~ # zypper install ant java-1_6_0-openjdk java-1_6_0-openjdk-devel
Loading repository data...
Reading installed packages...
'ant' is already installed.
No update candidate for 'ant-1.7.0-200.15.noarch'. The highest available version is already installed.
Resolving package dependencies...

The following NEW packages are going to be installed:
giflib java-1_6_0-openjdk java-1_6_0-openjdk-devel libasound2 timezone-java

The following packages are not supported by their vendor:
java-1_6_0-openjdk java-1_6_0-openjdk-devel

5 new packages to install.
Overall download size: 33.8 MiB. After the operation, additional 117.8 MiB will be used.
Continue? [y/n/?] (y):

Check: (create file)
→ > /etc/profile.local
→ echo export DEPOT=/home/ejbca/DEPOT/ >> /etc/profile.local
→ echo export EIL=/home/ejbca/log/ >> /etc/profile.local
vm0014:~ # > /etc/profile.local
vm0014:~ # echo export DEPOT=/home/ejbca/DEPOT/ >> /etc/profile.local
vm0014:~ # echo export EIL=/home/ejbca/log/ >> /etc/profile.local
vm0014:~ # cat /etc/profile.local
export DEPOT=/home/ejbca/DEPOT/
export EIL=/home/ejbca/log/

re-read env's and use them:
→ source /etc/profile ; ll $DEPOT
vm0014:~ # source /etc/profile ; ll $DEPOT
total 224700
-rw-r--r-- 1 ejbca users  42808566 Dec 19 22:25 ejbca_4_0_13.zip
-rw-r--r-- 1 ejbca users 182762510 Dec 19 22:26 jboss-as-distribution-6.1.0.Final.zip
-rw-r--r-- 1 ejbca users   4270471 Dec 19 22:28 mysql-connector-java-5.1.22.zip

Database status: default status after reboot
→ chkconfig mysql
vm0014:~ # chkconfig mysql
mysql  off

(still should have been set in the template)

vm0014:~ # chkconfig mysql on
vm0014:~ # chkconfig mysql
mysql  on

Database status: current status, use systemd method
→ /etc/rc.d/mysql status
vm0014:~ # /etc/rc.d/mysql status
Checking for service MySQL:                                          unused

→ /etc/rc.d/mysql start
vm0014:~ # /etc/rc.d/mysql start
Creating MySQL privilege database...
Installing MySQL system tables...
OK
Filling help tables...
OK

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h vm0014.minoss.nl password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
Updating MySQL privilege database...
Looking for 'mysql' as: /usr/bin/mysql
Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Running 'mysqlcheck'...
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.func                                         OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.host                                         OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
Running 'mysql_fix_privilege_tables'...
OK
Starting service MySQL

database ip-port: (used in the config files)
→ lsof -i -P

vm0014:~ # lsof -i -P
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2163  root    6u  IPv4   5030      0t0  UDP *:111
rpcbind 2163  root    7u  IPv4   5034      0t0  UDP *:642
rpcbind 2163  root    8u  IPv4   5035      0t0  TCP *:111 (LISTEN)
rpcbind 2163  root    9u  IPv6   5037      0t0  UDP *:111
rpcbind 2163  root   10u  IPv6   5039      0t0  UDP *:642
rpcbind 2163  root   11u  IPv6   5040      0t0  TCP *:111 (LISTEN)
sshd    2501  root    3u  IPv4   5975      0t0  TCP *:22 (LISTEN)
sshd    2501  root    4u  IPv6   5977      0t0  TCP *:22 (LISTEN)
master  2580  root   12u  IPv4   6080      0t0  TCP localhost:25 (LISTEN)
master  2580  root   13u  IPv6   6082      0t0  TCP localhost:25 (LISTEN)
sshd    2739  root    3r  IPv4   7078      0t0  TCP vm0014.minoss.nl:22->orion:47584 (ESTABLISHED)
mysqld  3405 mysql   10u  IPv4   8983      0t0  TCP *:3306 (LISTEN)

Check if it is restartable:

→ /etc/rc.d/mysql restart; lsof -i -P
vm0014:~ # /etc/rc.d/mysql restart; lsof -i -P
Restarting service MySQL
Shutting down service MySQL                                          done
Starting service MySQL                                               done
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2163  root    6u  IPv4   5030      0t0  UDP *:111
rpcbind 2163  root    7u  IPv4   5034      0t0  UDP *:642
rpcbind 2163  root    8u  IPv4   5035      0t0  TCP *:111 (LISTEN)
rpcbind 2163  root    9u  IPv6   5037      0t0  UDP *:111
rpcbind 2163  root   10u  IPv6   5039      0t0  UDP *:642
rpcbind 2163  root   11u  IPv6   5040      0t0  TCP *:111 (LISTEN)
sshd    2501  root    3u  IPv4   5975      0t0  TCP *:22 (LISTEN)
sshd    2501  root    4u  IPv6   5977      0t0  TCP *:22 (LISTEN)
master  2580  root   12u  IPv4   6080      0t0  TCP localhost:25 (LISTEN)
master  2580  root   13u  IPv6   6082      0t0  TCP localhost:25 (LISTEN)
sshd    2739  root    3r  IPv4   7078      0t0  TCP vm0014.minoss.nl:22->orion:47584 (ESTABLISHED)
mysqld  3642 mysql   10u  IPv4   9523      0t0  TCP *:3306 (LISTEN)

It can properly be restarted (comes up with a different PID) and still listens on the proper TCP port.
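The lsof listing above also shows something the notes do not comment on: mysqld is bound to *:3306, every interface, while the ejbca-user created further down is only granted access from 'localhost'. The following is an added example (not part of the original notes) that parses the lsof -i -P format shown here and reports which daemons listen on the wildcard address; the function names, the script name listeners.sh and the shortened sample listing are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse `lsof -i -P` output
# (the format shown in the notes) and report which daemons listen on the
# wildcard address. The notes only confirm that mysqld listens on 3306; since
# the ejbca-user grant is restricted to 'localhost', a wildcard bind exposes
# the database to the whole network for no benefit.
# Run `sh listeners.sh --live` on the host (script name assumed) to check it.

# Constructed sample, abbreviated from the listing in the notes.
SAMPLE_LSOF='COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 2163  root    8u  IPv4   5035      0t0  TCP *:111 (LISTEN)
rpcbind 2163  root   11u  IPv6   5040      0t0  TCP *:111 (LISTEN)
sshd    2501  root    3u  IPv4   5975      0t0  TCP *:22 (LISTEN)
master  2580  root   12u  IPv4   6080      0t0  TCP localhost:25 (LISTEN)
sshd    2739  root    3r  IPv4   7078      0t0  TCP vm0014.minoss.nl:22->orion:47584 (ESTABLISHED)
mysqld  3405 mysql   10u  IPv4   8983      0t0  TCP *:3306 (LISTEN)'

# tcp_listeners LSOF_TEXT
# Print one "command port bind" line per TCP socket in LISTEN state. The NAME
# column is "bind:port", so the port is the text after the last colon.
tcp_listeners() {
    printf '%s\n' "$1" | awk '$8 == "TCP" && $10 == "(LISTEN)" {
        n = split($9, part, ":")
        port = part[n]
        bind = substr($9, 1, length($9) - length(port) - 1)
        print $1, port, bind
    }'
}

# listen_port COMMAND LSOF_TEXT: first TCP port COMMAND listens on (empty if none).
listen_port() {
    tcp_listeners "$2" | awk -v c="$1" '$1 == c { print $2; exit }'
}

# listens_on_wildcard COMMAND LSOF_TEXT: exit 0 when COMMAND has a LISTEN
# socket bound to "*" (every interface), exit 1 otherwise.
listens_on_wildcard() {
    tcp_listeners "$2" | awk -v c="$1" '
        $1 == c && $3 == "*" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# wildcard_listeners LSOF_TEXT: unique "command port" pairs bound to "*".
wildcard_listeners() {
    tcp_listeners "$1" | awk '$3 == "*" { print $1, $2 }' | sort -u
}

# run_live: report on this host. mysqld on "*" is the finding to fix, with
# bind-address = 127.0.0.1 in my.cnf, since the grant only allows 'localhost'.
run_live() {
    live=$(lsof -i -P 2>/dev/null)
    echo "TCP listeners bound to every interface:"
    wildcard_listeners "$live" | sed 's/^/  /'
    if listens_on_wildcard mysqld "$live"; then
        echo "finding: mysqld listens on *:$(listen_port mysqld "$live"); restrict it to 127.0.0.1"
    fi
}

if [ "${1-}" = "--live" ]; then run_live; fi
```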

Java
→ java -version
vm0014:~ # java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (suse-2.1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

Jboss application server

→ cd /usr/local/
→ unzip $DEPOT/jboss-as-distribution-6.1.0.Final.zip
vm0014:~ # cd /usr/local/
vm0014:/usr/local # unzip $DEPOT/jboss-as-distribution-6.1.0.Final.zip
(extracting from archive not shown...)

Symbolic link for version independence:

→ ln -s -v jboss-6.1.0.Final/ jboss
vm0014:/usr/local # ln -s -v jboss-6.1.0.Final/ jboss
`jboss' -> `jboss-6.1.0.Final/'
Check:
→ ll jboss* -d
vm0014:/usr/local # ll jboss* -d
lrwxrwxrwx 1 root root   18 Dec 20 00:39 jboss -> jboss-6.1.0.Final/
drwxrwxr-x 8 root root 4096 Aug 16  2011 jboss-6.1.0.Final

mysql connector

→ cd /usr/local/
→ unzip $DEPOT/mysql-connector-java-5.1.22.zip
vm0014:~ # cd /usr/local/
vm0014:/usr/local # unzip $DEPOT/mysql-connector-java-5.1.22.zip
(extracting from archive not shown...)
Copy it to the lib-directory:
→ cp -v mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar jboss/server/default/lib/
vm0014:/usr/local # cp -v mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar jboss/server/default/lib/
`mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar' -> `jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar'

Check:

→ ls -l /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar
vm0014:/usr/local # ls -l /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar
-rw-r--r-- 1 root root 832960 Dec 20 00:41 /usr/local/jboss/server/default/lib/mysql-connector-java-5.1.22-bin.jar

Note proper place, date, time.

ANT

→ rpm -qa |grep ant
vm0014:/usr/local # rpm -qa |grep ant
ant-1.7.0-200.15
Installed in template. This is absolutely a problem, as the installation pages declare that you need at least ant-1.7.1. However, for sles11_sp2 there is no newer version available in the distro, so you need the version from Apache...

vm0014:~ # cd /usr/local
vm0014:/usr/local # unzip $DEPOT/apache-ant-1.8.4-bin.zip

vm0014:/usr/local # ln -v -s apache-ant-1.8.4/ ant
`ant' -> `apache-ant-1.8.4/'

vm0014:/usr/local # ll *ant* -d
lrwxrwxrwx 1 root root   17 Dec 20 13:55 ant -> apache-ant-1.8.4/
drwxr-xr-x 6 root root 4096 May 22  2012 apache-ant-1.8.4

Environment variables (used to be in /etc/profile, but that might be overwritten during upgrade)

→ vi /etc/profile.local
vm0014:/usr/local # vi /etc/profile.local

add:

##############################
# env settings for ejbca
##############################
APPSRV_HOME=/usr/local/jboss
EJBCA_HOME=/usr/local/ejbca
#JAVA_OPTS="-Xmx512M -Xms512M -XX:MaxPermSize=512m"
ANT_HOME=/usr/local/ant
PATH=${APPSRV_HOME}/bin:${JAVA_HOME}/bin:${EJBCA_HOME}/bin:${ANT_HOME}/bin:$PATH

export PATH APPSRV_HOME JAVA_HOME JAVA_OPTS EJBCA_HOME ANT_HOME ANT_OPTS

##############################
# EOF env settings for ejbca
##############################

Note the omission of JAVA_HOME

reread environment:
→ source /etc/profile
vm0014:/usr/local # source /etc/profile

check:
→ env |egrep "JAVA_HOME|JAVA_OPTS|EJBCA_HOME|ANT_HOME|ANT_OPTS|APPSRV_HOME" |sort
ANT_HOME=/usr/local/ant
APPSRV_HOME=/usr/local/jboss
EJBCA_HOME=/usr/local/ejbca

Note the omission of JAVA_HOME (is /usr/bin/java) !

Create database

→ mysqladmin create -u root -p ejbcadb
vm0014:/usr/local # mysqladmin create -u root -p ejbcadb
Enter password:

Create user, set privileges
→ mysql -u root -p
→ grant all privileges on ejbcadb.* to 'ejbca-user'@'localhost' identified by 'mysql123';
→ flush privileges;
vm0014:/usr/local # mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.96 SUSE MySQL RPM

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all privileges on ejbcadb.* to 'ejbca-user'@'localhost' identified by 'mysql123';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql>

(note: no disclaimers..)
Check actions:

→ use mysql;
→ select Host,user from user where user='ejbca-user';
mysql> use mysql;
Database changed
mysql> select Host,user from user where user='ejbca-user';
+-----------+------------+
| Host      | user       |
+-----------+------------+
| localhost | ejbca-user |
+-----------+------------+
1 row in set (0.00 sec)

mysql> quit
Bye

Login as DB-user (pwd check)

→ mysql ejbcadb -u ejbca-user -p
vm0014:/usr/local # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.96 SUSE MySQL RPM

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Note: user and pwd are correct (later on used in config files) and minor mysql update.

Check DB content:

→ show tables;
mysql> show tables;
Empty set (0.00 sec)

mysql> exit;
Bye

Note: no leftovers (in this case hardly possible, the database was just created).

Installing ejbca software

→ cd /usr/local/
→ unzip $DEPOT/ejbca_4_0_13.zip
vm0014:~ # cd /usr/local/
vm0014:/usr/local # unzip $DEPOT/ejbca_4_0_13.zip
(extracting from archive not shown...)

Symbolic link for version independence:

→ ln -v -s ejbca_4_0_13/ ejbca
vm0014:/usr/local # ln -v -s ejbca_4_0_13/ ejbca
`ejbca' -> `ejbca_4_0_13/'

Check:

→ ll ejbca* -d
vm0014:/usr/local # ll ejbca* -d
lrwxrwxrwx 1 root root   13 Dec 20 12:37 ejbca -> ejbca_4_0_13/
drwx------ 9 root root 4096 Dec 19 12:36 ejbca_4_0_13

Set file permissions:

→ chown -R ejbca ejbca/
vm0014:/usr/local # chown -R ejbca ejbca/
(wonder why here, later on done again..)

Show that the dirs are filled:

→ du -sk * |sort -n
vm0014:/usr/local # du -sk * |sort -n
0       ejbca
0       jboss
4       bin
4       games
4       include
4       lib
4       lib64
4       sbin
4       share
4       src
44      man
10224   mysql-connector-java-5.1.22
67636   ejbca_4_0_13
213940  jboss-6.1.0.Final

Note: links have size 0k, empty dirs are 4k.

Configuring ejbca

→ cd /usr/local/ejbca/conf ; ll
vm0014:~ # cd /usr/local/ejbca/conf ; ll
total 168
-rw------- 1 ejbca root  6827 Jun 18  2012 cache.properties.sample
-rw------- 1 ejbca root  1219 Jun 18  2012 catoken.properties.sample
-rw------- 1 ejbca root   387 Jun 18  2012 certstore.properties.sample
-rw------- 1 ejbca root 10562 Sep 12 10:06 cmp.properties.sample
-rw------- 1 ejbca root   353 Jun 18  2012 crlstore.properties.sample
-rw------- 1 ejbca root   100 Jun 18  2012 custom.properties.sample
-rw------- 1 ejbca root  2500 Jun 18  2012 database.properties.sample
-rw------- 1 ejbca root 10661 Jun 18  2012 ejbca.properties.sample
-rw------- 1 ejbca root  5606 Dec 18 10:53 extendedkeyusage.properties
-rw------- 1 ejbca root  3195 Jun 18  2012 externalra-gui.properties.sample
-rw------- 1 ejbca root  1721 Jun 18  2012 externalra.properties.sample
-rw------- 1 ejbca root  2854 Sep  1 16:52 install.properties.sample
-rw------- 1 ejbca root  2755 Jun 18  2012 jaxws.properties.sample
-rw------- 1 ejbca root    50 Jun 18  2012 jndi.properties.glassfish
-rw------- 1 ejbca root   361 Jun 18  2012 jndi.properties.jboss
-rw------- 1 ejbca root   217 Jun 18  2012 jndi.properties.weblogic
-rw------- 1 ejbca root   259 Jun 18  2012 jndi.properties.websphere
-rw------- 1 ejbca root   874 Jun 18  2012 log.properties.sample
-rw------- 1 ejbca root  3146 Jun 18  2012 log4j-glassfish.xml.sample
-rw------- 1 ejbca root  3637 Jun 18  2012 log4j-jboss6.xml.sample
-rw------- 1 ejbca root  3137 Jun 18  2012 log4j-weblogic.xml.sample
-rw------- 1 ejbca root  3518 Jun 18  2012 log4j-websphere.xml.sample
drwx------ 2 ejbca root  4096 Jun 18  2012 logdevices
-rw------- 1 ejbca root  1723 Jun 18  2012 mail.properties.sample
-rw------- 1 ejbca root 16453 Aug 13 17:32 ocsp.properties.sample
drwx------ 2 ejbca root  4096 Jun 18  2012 plugins
-rw------- 1 ejbca root  3775 Jun 18  2012 scep.properties.sample
-rw------- 1 ejbca root  1786 Jun 18  2012 va-publisher.properties.sample
-rw------- 1 ejbca root  3849 Jun 18  2012 va.properties.sample
-rw------- 1 ejbca root  6508 Oct 16 11:00 web.properties.sample
-rw------- 1 ejbca root  2339 Jun 18  2012 xkms.properties.sample

Basic (installation) settings:

→ cp install.properties.sample install.properties
vm0014:/usr/local/ejbca/conf # cp install.properties.sample install.properties

Check unchanged fields:

→ egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
vm0014:/usr/local/ejbca/conf # egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
ca.name=AdminCA1
ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
ca.keyspec=2048
ca.keytype=RSA
ca.signaturealgorithm=SHA1WithRSA
ca.validity=3650
ca.policy=null

Change it carefully:

→ vi install.properties
vm0014:/usr/local/ejbca/conf # vi install.properties

Check important fields:

line 17: ca.name=AdminCAv1
line 23: ca.dn=CN=AdminCAv1,O=minoss,C=NL
line 54: ca.keyspec=4096
line 57: ca.keytype=RSA
line 62: ca.signaturealgorithm=SHA256WithRSA
line 65: ca.validity=3650
line 69: ca.policy=null

Note: line numbers apply only to this release of ejbca!!!
Note2: these values define the admin CA that "ant install" creates below. Its DN and key pair cannot be changed afterwards short of creating a new CA, so get them right now. Replacing the sample's SHA1WithRSA by SHA256WithRSA is the important change: SHA-1 signatures are no longer acceptable on CA-issued certificates.

→ egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
vm0014:/usr/local/ejbca/conf # egrep "ca.name=|ca.dn=|ca.keyspec=|ca.keytype=|ca.signaturealgorithm=|ca.validity=|ca.policy=" install.properties
ca.name=AdminCAv1
ca.dn=CN=AdminCAv1,O=minoss,C=NL
ca.keyspec=4096
ca.keytype=RSA
ca.signaturealgorithm=SHA256WithRSA
ca.validity=3650
ca.policy=null

→ diff install.properties.sample install.properties
vm0014:/usr/local/ejbca/conf # diff install.properties.sample install.properties
17c17
< ca.name=AdminCA1
---
> ca.name=AdminCAv1
23c23
< ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
---
> ca.dn=CN=AdminCAv1,O=minoss,C=NL
54c54
< ca.keyspec=2048
---
> ca.keyspec=4096
62c62
< ca.signaturealgorithm=SHA1WithRSA
---
> ca.signaturealgorithm=SHA256WithRSA

CA keystore settings (ejbca.properties):

→ cp ejbca.properties.sample ejbca.properties
vm0014:/usr/local/ejbca/conf # cp ejbca.properties.sample ejbca.properties

Check unchanged fields:

→ egrep "ca.keystorepass=" ejbca.properties
vm0014:/usr/local/ejbca/conf # egrep "ca.keystorepass=" ejbca.properties
#ca.keystorepass=foo123
#ca.keystorepass=!secret!

Change what is needed:

→ vi ejbca.properties
vm0014:/usr/local/ejbca/conf # vi ejbca.properties

line 55: ca.keystorepass=ca123

Note: line numbers apply only to this release of ejbca!!!
Note2: ca.keystorepass protects the soft token (keystore) that holds the CA's private key. ca123 is a placeholder; use a strong value, and remember that it sits in clear text in this file.

Quick check, grep on the file:

→ egrep "ca.keystorepass=" ejbca.properties
vm0014:/usr/local/ejbca/conf # egrep "ca.keystorepass=" ejbca.properties
ca.keystorepass=ca123
#ca.keystorepass=!secret!

Differences:

→ diff ejbca.properties.sample ejbca.properties
vm0014:/usr/local/ejbca/conf # diff ejbca.properties.sample ejbca.properties
55c55
< #ca.keystorepass=foo123
---
> ca.keystorepass=ca123

Note: either way, check what you need to change and what you actually did..

Database definitions / settings

→ cp database.properties.sample database.properties
vm0014:/usr/local/ejbca/conf # cp database.properties.sample database.properties

Check unchanged fields:

→ egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0014:/usr/local/ejbca/conf # egrep "^database.name=|^datasource.mapping=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0014:/usr/local/ejbca/conf #

Note that this grep produces no output at all: in the sample every one of these keys is commented out, so the anchored (^) pattern matches nothing.

You must change some fields:

→ vi database.properties
vm0014:/usr/local/ejbca/conf # vi database.properties

line 14: database.name=mysql
line 27: database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
line 42: database.driver=com.mysql.jdbc.Driver
line 55: database.username=ejbca-user
line 59: database.password=mysql123

Note: line numbers are ejbca-release specific, and here there are NO defaults (the keys are commented out in the sample).
Note2: the deviation from the default db-name, username and password!
Note3: In version 4.X "datasource.mapping=mySQL" is not needed anymore.
Note4: database.password is stored in clear text; keep conf/ readable by the ejbca user only (the sample files already are mode 0600).

Quick check:

→ egrep "^database.name=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
vm0014:/usr/local/ejbca/conf # egrep "^database.name=|^database.url=|^database.driver=|^database.username=|^database.password=" database.properties
database.name=mysql
database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
database.driver=com.mysql.jdbc.Driver
database.username=ejbca-user
database.password=mysql123

→ diff database.properties.sample database.properties
vm0014:/usr/local/ejbca/conf # diff database.properties.sample database.properties
14c14
< #database.name=mysql
---
> database.name=mysql
27c27
< #database.url=jdbc:mysql://127.0.0.1:3306/ejbca
---
> database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
42c42
< #database.driver=com.mysql.jdbc.Driver
---
> database.driver=com.mysql.jdbc.Driver
55c55
< #database.username=ejbca
---
> database.username=ejbca-user
59c59
< #database.password=ejbca
---
> database.password=mysql123

Web-page settings:

→ cp web.properties.sample web.properties
vm0014:/usr/local/ejbca/conf # cp web.properties.sample web.properties

Original settings:

→ egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
vm0014:/usr/local/ejbca/conf # egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
java.trustpassword=changeit
superadmin.password=ejbca
httpsserver.password=serverpwd
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE

Change it carefully:

→ vi web.properties
vm0014:/usr/local/ejbca/conf # vi web.properties

line 08: java.trustpassword=java123
line 19: superadmin.password=superadmin123
line 30: httpsserver.password=serverpwd123
line 42: httpsserver.hostname=vm0014.minoss.nl
line 46: httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Note, again lines are ejbca release specific!

New settings:

→ egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
vm0014:/usr/local/ejbca/conf # egrep "java.trustpassword=|superadmin.password=|httpsserver.password=|httpsserver.hostname=|httpsserver.dn=" web.properties
java.trustpassword=java123
superadmin.password=superadmin123
httpsserver.password=serverpwd123
httpsserver.hostname=vm0014
httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Quick check:

→ diff web.properties.sample web.properties
vm0014:/usr/local/ejbca/conf # diff web.properties.sample web.properties
8c8
< java.trustpassword=changeit
---
> java.trustpassword=java123
19c19
< superadmin.password=ejbca
---
> superadmin.password=superadmin123
30c30
< httpsserver.password=serverpwd
---
> httpsserver.password=serverpwd123
42c42
< httpsserver.hostname=localhost
---
> httpsserver.hostname=vm0014
46c46
< httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
---
> httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL

Note: jot down the superadmin password, you need it later on (it protects superadmin.p12).
Note2: the hostname must be set properly and be resolvable! It also becomes the CN of the TLS server certificate via httpsserver.dn. The edit above lists vm0014.minoss.nl while the grep and diff show vm0014; the browser later connects to vm0014.minoss.nl, so use exactly the name the browser will use, otherwise the server certificate will not match that name even after the CA is trusted.
Note3: java.trustpassword, superadmin.password and httpsserver.password protect keystores generated later and sit in clear text in this file; the values here are placeholders.
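The four properties files above are all checked the same way (grep the keys, diff against the .sample). The following script is an added example, not part of the original notes or of EJBCA: it prints the effective (uncommented) settings of an edited properties file and flags every password key that still carries the value the .sample ships, whether the sample has it commented out (as in database.properties.sample) or not (as in web.properties.sample). The file contents it writes are constructed to mirror the web.properties edit above; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: show the effective settings of
# an edited EJBCA *.properties file and flag passwords still at the sample's
# value. The files written by make_demo_files are constructed to mirror the
# page's web.properties diff; the function names are this example's own.

# Effective key=value lines: leading whitespace stripped, comments and blanks dropped.
effective_props() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Escape the dots in a key so it can be used literally in a sed regex.
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# prop_value KEY FILE: effective value of KEY (last one wins, as in Java properties), or empty.
prop_value() {
    effective_props "$2" | sed -n "s/^$(esc_key "$1")=//p" | tail -n 1
}

# sample_value KEY SAMPLE: value as the sample ships it, commented out (#key=...) or not.
sample_value() {
    sed -n "s/^[[:space:]]*#*[[:space:]]*$(esc_key "$1")=//p" "$2" | tail -n 1
}

# check_passwords SAMPLE EDITED
# For every effective key ending in "pass" or "password" in EDITED, print
# DEFAULT (value identical to the sample's) or CHANGED. Returns 1 if any
# password is still the sample default, which must never reach production.
check_passwords() {
    local sample="$1" edited="$2" rc=0 key val sval
    for key in $(effective_props "$edited" | sed -n 's/^\([A-Za-z0-9_.]*pass\(word\)\{0,1\}\)=.*/\1/p'); do
        val=$(prop_value "$key" "$edited")
        sval=$(sample_value "$key" "$sample")
        if [ -n "$val" ] && [ "$val" = "$sval" ]; then
            echo "DEFAULT $key=$val"
            rc=1
        else
            echo "CHANGED $key"
        fi
    done
    return $rc
}

# make_demo_files DIR: constructed sample/edited pair mirroring the page's web.properties diff.
make_demo_files() {
    cat >"$1/web.properties.sample" <<'EOF'
# constructed stand-in for conf/web.properties.sample
java.trustpassword=changeit
superadmin.password=ejbca
httpsserver.password=serverpwd
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
EOF
    cat >"$1/web.properties" <<'EOF'
# constructed stand-in for the edited conf/web.properties
java.trustpassword=java123
superadmin.password=superadmin123
httpsserver.password=serverpwd123
httpsserver.hostname=vm0014
httpsserver.dn=CN=${httpsserver.hostname},O=minoss,C=NL
EOF
}

dir=$(mktemp -d)
make_demo_files "$dir"
echo "effective settings:"
effective_props "$dir/web.properties"
echo "password check:"
check_passwords "$dir/web.properties.sample" "$dir/web.properties" || echo "REFUSE: sample password(s) still in use"
rm -rf "$dir"
```

On the real machine run it against each pair in /usr/local/ejbca/conf, e.g. `check_passwords database.properties.sample database.properties`; a non-zero exit is the signal to stop before `ant install` bakes a sample password into a keystore.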

JBoss: check that it is not running:

→ ps -ef |grep -v grep | grep -c jboss
vm0014:/usr/local/ejbca/conf # ps -ef |grep -v grep | grep -c jboss
0

Zero instances, so not running!

Change ownership of files, again:

→ cd /usr/local
→ chown -R ejbca ejbca/ ; chown -R ejbca jboss/
vm0014:~ # cd /usr/local
vm0014:/usr/local # chown -R ejbca ejbca/ ; chown -R ejbca jboss/

Note: don't omit the trailing slash. ejbca and jboss are symlinks; without the slash chown -R does not descend into the link, so the tree behind it stays untouched.

Cleaning

→ cd /usr/local/ejbca
→ time ant clean > $EIL/ant_clean.log
vm0014:~ # cd /usr/local/ejbca
vm0014:/usr/local/ejbca # time ant clean > $EIL/ant_clean.log

real 0m3.708s
user 0m6.288s
sys 0m0.296s

Note the redirection of standard output, so you can read it later on (standard error is not redirected and still goes to the console).

Check result:

→ tail -3 $EIL/ant_clean.log
vm0014:/usr/local/ejbca # tail -3 $EIL/ant_clean.log

BUILD SUCCESSFUL
Total time: 3 seconds

→ grep -ic warning $EIL/ant_clean.log
vm0014:/usr/local/ejbca # grep -ic warning $EIL/ant_clean.log
0

Bootstrap

→ time ant bootstrap > $EIL/ant_bootstrap.log
vm0014:/usr/local/ejbca # time ant bootstrap > $EIL/ant_bootstrap.log
[copy] Warning: Could not find file /home/hudson/clover/clover-ant-3.0.2/lib/clover.jar to copy.
[copy] Warning: Could not find file /usr/local/ejbca_4_0_13/conf/log4j-jboss.xml.sample to copy.
[copy] Warning: Could not find file /usr/local/ejbca_4_0_13/conf/log4j-jboss.xml to copy.
[copy] Warning: Could not find file /usr/local/ejbca_4_0_13/conf/log4j-jboss6.xml to copy.

real 0m34.056s
user 0m45.435s
sys 0m3.248s

Note: the missing log4j XMLs and clover.jar turned out to be harmless here: the conf listing above only contains log4j-jboss6.xml.sample, so the copy steps for the other names simply have nothing to copy, the build ends in BUILD SUCCESSFUL and the deploy later on works.
Note2: the reference to a file in somebody's home dir is a leftover from the EJBCA project's own build server (Hudson; Clover is a code-coverage tool) that is baked into build.xml; an installation does not need it.
Note3: these warnings show up on the console and not in the log because Ant writes them to stderr and only stdout was redirected; that is why "grep -ic warning" on the log reports 0 below. Use "> file 2>&1" to capture both streams.

Check result:

→ tail -3 $EIL/ant_bootstrap.log
vm0014:/usr/local/ejbca # tail -3 $EIL/ant_bootstrap.log

BUILD SUCCESSFUL
Total time: 33 seconds

→ grep -ic warning $EIL/ant_bootstrap.log
vm0014:/usr/local/ejbca # grep -ic warning $EIL/ant_bootstrap.log
0

Check results, some files should have been created:

→ ll /usr/local/jboss/server/default/deploy/ejbca*
vm0014:/usr/local/ejbca # ll /usr/local/jboss/server/default/deploy/ejbca*
-rw------- 1 root root     3347 Dec 20 14:05 /usr/local/jboss/server/default/deploy/ejbca-ds.xml
-rw------- 1 root root     2092 Dec 20 14:05 /usr/local/jboss/server/default/deploy/ejbca-mail-service.xml
-rw-r--r-- 1 root root 26095151 Dec 20 14:05 /usr/local/jboss/server/default/deploy/ejbca.ear

Seems ok...
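The ant steps above (clean, bootstrap, and install and deploy further down) are all run and checked the same way, and the check misses the warnings because only stdout reaches the log. The following wrapper is an added example, not part of the original notes or of the EJBCA build: it runs a build step with both streams captured and judges the result from the log file. The command it runs at the bottom is a constructed stand-in for `ant bootstrap` (a success marker on stdout, a copy warning on stderr); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: run a build step with BOTH
# stdout and stderr captured, then judge the outcome from the log. With a
# plain ">" Ant's "[copy] Warning: ..." lines (written to stderr) reach the
# console but not the log, so "grep -ic warning" on the log reports 0.
# The command run at the bottom is a constructed stand-in for "ant bootstrap".

# run_logged LOGFILE COMMAND [ARGS...]
# Runs COMMAND with both streams written to LOGFILE; returns its exit status.
run_logged() {
    local log="$1" rc=0
    shift
    if "$@" >"$log" 2>&1; then rc=0; else rc=$?; fi
    return $rc
}

# build_status LOGFILE: "ok" when Ant's BUILD SUCCESSFUL marker is present, else "failed".
build_status() {
    if grep -q 'BUILD SUCCESSFUL' "$1"; then echo ok; else echo failed; fi
}

# warning_count LOGFILE: number of log lines mentioning "warning", any case.
warning_count() {
    grep -ic warning "$1" || true
}

log=$(mktemp)
# Constructed stand-in for "ant bootstrap": success on stdout, one warning on stderr.
run_logged "$log" sh -c 'echo "BUILD SUCCESSFUL"; echo "[copy] Warning: Could not find file x to copy." >&2' \
    || echo "command exited non-zero"
echo "status=$(build_status "$log") warnings=$(warning_count "$log")"
rm -f "$log"
```

On the real machine this becomes `run_logged "$EIL/ant_bootstrap.log" ant bootstrap`, followed by `build_status` and `warning_count` on that log; with stderr captured, the four copy warnings above are counted instead of silently scrolling by.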

JBoss starting for the first time

→ cd /usr/local/jboss
→ ./bin/run.sh > $EIL/JBoss_first_run.log
vm0014:~ # cd /usr/local/jboss
vm0014:/usr/local/jboss # ./bin/run.sh > $EIL/JBoss_first_run.log

This keeps the console busy; from another console, the first couple of lines (showing the proper opts):

→ head -22 $EIL/JBoss_first_run.log
vm0014:~ # head -22 $EIL/JBoss_first_run.log
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /usr/local/jboss

  JAVA: java

  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:./bin/logging.properties -Djava.library.path=/usr/local/jboss/bin/native/lib64

  CLASSPATH: /usr/local/jboss/bin/run.jar

=========================================================================

14:11:11,906 INFO  [AbstractJBossASServerBase] Server Configuration:

        JBOSS_HOME URL: file:/usr/local/jboss-6.1.0.Final/
        Bootstrap: $JBOSS_HOME/server/default/conf/bootstrap.xml
        Common Base: $JBOSS_HOME/common/
        Common Library: $JBOSS_HOME/common/lib/
        Server Name: default
        Server Base: $JBOSS_HOME/server/

Note the use of different environment variables (JBOSS_HOME, JAVA_OPTS, CLASSPATH)! Note that JAVA is just "java", resolved via PATH, which is why JAVA_HOME could stay unset.

Last couple of lines:

→ tail -5 $EIL/JBoss_first_run.log
vm0014:~ # tail -5 $EIL/JBoss_first_run.log
14:12:03,651 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.DLQ
14:12:03,727 INFO  [service] Removing bootstrap log handlers
14:12:03,850 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-127.0.0.1-8080
14:12:03,853 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
14:12:03,854 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 51s:939ms

Note: on this first run JBoss listens on 127.0.0.1 only, and only on plain HTTP 8080; the HTTPS connectors come with "ant deploy" below.

The first run should have created the DB tables. Check that the DB has been initialized:

→ mysql ejbcadb -u ejbca-user -p
→ show tables;
vm0014:~ # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.0.96 SUSE MySQL RPM
(copyright banner as above)

mysql> show tables;
+-----------------------------+
| Tables_in_ejbcadb           |
+-----------------------------+
| AccessRulesData             |
| AdminEntityData             |
| AdminGroupData              |
| AdminPreferencesData        |
| ApprovalData                |
| AuthorizationTreeUpdateData |
| CAData                      |
| CRLData                     |
| CertReqHistoryData          |
| CertificateData             |
| CertificateProfileData      |
| EndEntityProfileData        |
| GlobalConfigurationData     |
| HardTokenCertificateMap     |
| HardTokenData               |
| HardTokenIssuerData         |
| HardTokenProfileData        |
| HardTokenPropertyData       |
| KeyRecoveryData             |
| LogConfigurationData        |
| LogEntryData                |
| PublisherData               |
| PublisherQueueData          |
| ServiceData                 |
| UserData                    |
| UserDataSourceData          |
+-----------------------------+
26 rows in set (0.00 sec)

mysql> exit;
Bye

So the database can be reached and filled! (The tables were created by the application on deploy, which also shows that the "all privileges" grant includes CREATE.)

EJBCA ant install

→ cd /usr/local/ejbca
→ time ant install > $EIL/ant_install.log
vm0014:/usr/local/ejbca # time ant install > $EIL/ant_install.log
[copy] Warning: Could not find file /home/hudson/clover/clover-ant-3.0.2/lib/clover.jar to copy.

real 0m40.619s
user 0m19.469s
sys 0m1.768s

Note: "ant install" needs the JBoss started above to be running; it talks to the deployed application and creates the CA defined in install.properties (AdminCAv1), the SuperAdmin admin entity and the keystores in p12/. The only remaining warning is the clover.jar one seen before.

Check on log file:

→ tail -3 $EIL/ant_install.log
vm0014:/usr/local/ejbca # tail -3 $EIL/ant_install.log

BUILD SUCCESSFUL
Total time: 39 seconds

→ grep -ic warning $EIL/ant_install.log
vm0014:/usr/local/ejbca # grep -ic warning $EIL/ant_install.log
0

Stopping JBoss

Check if it is running:

→ ps -ef |grep -v grep | grep -c jboss
vm0014:~ # ps -ef |grep -v grep | grep -c jboss
1

Stop it nicely:

→ cd /usr/local/jboss ; ./bin/shutdown.sh -S
vm0014:~ # cd /usr/local/jboss ; ./bin/shutdown.sh -S
Shutdown message has been posted to the server.
Server shutdown may take a while - check logfiles for completion

Last lines from the logfile:

→ tail -5 $EIL/JBoss_first_run.log
vm0014:/usr/local/jboss # tail -5 $EIL/JBoss_first_run.log
14:21:35,502 INFO  [HornetQServerImpl] HornetQ Server version 2.2.5.Final (HQ_2_2_5_FINAL_AS7, 121) [cace72db-4aa6-11e2-a44d-00163e001400] stopped
14:21:35,567 INFO  [MailService] Mail service 'java:/Mail' removed from JNDI
14:21:35,574 INFO  [JMXConnector] JMXConnector stopped
14:21:35,659 INFO  [MailService] Mail service 'java:/EjbcaMail' removed from JNDI
14:21:37,541 INFO  [AbstractServer] Stopped: JBossAS [6.1.0.Final "Neo"] in 4s:385ms

Ejbca deploy

→ time ant deploy > $EIL/ant_deploy.log
vm0014:/usr/local/ejbca # time ant deploy > $EIL/ant_deploy.log
[copy] Warning: Could not find file /home/hudson/clover/clover-ant-3.0.2/lib/clover.jar to copy.
[copy] Warning: Could not find file /usr/local/ejbca_4_0_13/conf/log4j-jboss.xml.sample to copy.
[copy] Warning: Could not find file /usr/local/ejbca_4_0_13/conf/log4j-jboss.xml to copy.
[copy] Warning: Could not find file /usr/local/ejbca_4_0_13/conf/log4j-jboss6.xml to copy.

real 0m19.992s
user 0m19.841s
sys 0m2.084s

Last lines from log file:

→ tail -3 $EIL/ant_deploy.log
vm0014:/usr/local/ejbca # tail -3 $EIL/ant_deploy.log

BUILD SUCCESSFUL
Total time: 19 seconds

→ grep -ic warning $EIL/ant_deploy.log
vm0014:/usr/local/ejbca # grep -ic warning $EIL/ant_deploy.log
0

Further checks:

→ ls -l /usr/local/jboss/server/default/conf/keystore/
vm0014:/usr/local/ejbca # ls -l /usr/local/jboss/server/default/conf/keystore/
total 12
-rw------- 1 root root 4509 Dec 20 14:23 keystore.jks
-rw------- 1 root root 1423 Dec 20 14:23 truststore.jks

Observe the date and time of the files: they must be from this deploy. "ant deploy" copies the TLS server keystore and truststore that "ant install" generated (same sizes as tomcat.jks and truststore.jks in p12/ below) into the JBoss configuration, together with the HTTPS connector definitions.

Restart JBoss:

→ cd /usr/local/jboss
→ ./bin/run.sh > $EIL/JBoss_second_run.log
vm0014:~ # cd /usr/local/jboss
vm0014:/usr/local/jboss # ./bin/run.sh > $EIL/JBoss_second_run.log

Again, first lines:

→ head -22 $EIL/JBoss_second_run.log
vm0014:/usr/local/ejbca # head -22 $EIL/JBoss_second_run.log
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /usr/local/jboss

  JAVA: java

  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:./bin/logging.properties -Djava.library.path=/usr/local/jboss/bin/native/lib64

  CLASSPATH: /usr/local/jboss/bin/run.jar

=========================================================================

14:28:06,972 INFO  [AbstractJBossASServerBase] Server Configuration:

        JBOSS_HOME URL: file:/usr/local/jboss-6.1.0.Final/
        Bootstrap: $JBOSS_HOME/server/default/conf/bootstrap.xml
        Common Base: $JBOSS_HOME/common/
        Common Library: $JBOSS_HOME/common/lib/
        Server Name: default
        Server Base: $JBOSS_HOME/server/

Equally important, the last lines:

→ tail -22 $EIL/JBoss_second_run.log
vm0014:/usr/local/ejbca # tail -22 $EIL/JBoss_second_run.log
        ejbca/EjbcaWS/local-org.ejbca.core.protocol.ws.common.IEjbcaWS - EJB3.x Local Business Interface

14:28:52,120 WARN  [TimerServiceContainer] EJBTHREE-2193: using deprecated TimerServiceFactory for restoring timers
14:28:52,213 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/ejbcaws
14:28:52,273 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/adminweb
14:28:52,355 INFO  [config] Initializing Mojarra (1.2_15-20100816-SNAPSHOT) for context '/ejbca/adminweb'
14:28:57,248 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/clearcache
14:28:57,304 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb
14:28:57,336 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/doc
14:28:57,353 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/healthcheck
14:28:57,369 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca
14:28:57,382 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/apply
14:28:57,398 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/status
14:28:57,466 INFO  [TomcatDeployment] deploy, ctxPath=/ejbca/publicweb/webdist
14:28:57,604 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.DLQ
14:28:57,626 INFO  [HornetQServerImpl] trying to deploy queue jms.queue.ExpiryQueue
14:28:57,697 INFO  [service] Removing bootstrap log handlers
14:28:57,890 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
14:28:57,911 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8442
14:28:57,912 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
14:28:57,960 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
14:28:57,962 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.1.0.Final "Neo"] Started in 50s:981ms

Check on tcp-ports:

→ lsof -i -P |egrep "8080|844"
vm0014:/usr/local/ejbca # lsof -i -P |egrep "8080|844"
java    6415 root  495u  IPv4  14661  0t0  TCP *:8442 (LISTEN)
java    6415 root  496u  IPv4  14664  0t0  TCP *:8443 (LISTEN)
java    6415 root  498u  IPv4  14658  0t0  TCP *:8080 (LISTEN)

Note: after "ant deploy" all three listen on every interface (*), where the first run was bound to 127.0.0.1. 8080 is plain HTTP, 8442 is the public web over HTTPS, 8443 is the admin web over HTTPS with a client certificate required (the superadmin.p12 below). Restrict who can reach 8080 and 8443 before the machine is reachable by others.
Note2: the java process runs as root. The chown to the ejbca user earlier only pays off if JBoss is started as that user; as root, any hole in JBoss or EJBCA gives away the whole machine, CA key included.
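The bind addresses are already in the run logs, so the port check can be done from the log before anyone connects. The following script is an added example, not part of the original notes or of JBoss: it pulls the "Starting Coyote" connector lines out of a run log and reports which ports are reachable from other hosts, flagging the plaintext 8080 connector. The two logs it writes contain the connector lines from the first and second run above; the function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: read the connector lines from a
# JBoss run log and show which ports are reachable from other hosts. The log
# lines written below are the ones from the page's first and second run; the
# file names and function names are this example's own.

# listeners LOG
# One "proto address port" line per "Starting Coyote ... on proto-address-port".
listeners() {
    sed -n 's/.*Starting Coyote .* on \([a-z]*\)-\([^-]*\)-\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# exposed_ports LOG
# Ports bound to anything other than the loopback address, space separated, ascending.
exposed_ports() {
    listeners "$1" | awk '$2 != "127.0.0.1" { print $3 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# plain_http_exposed LOG
# True (exit 0) when the plaintext HTTP connector on 8080 listens on a
# non-loopback address. In EJBCA's JBoss config 8442/8443 carry TLS; 8080 does not.
plain_http_exposed() {
    listeners "$1" | awk '$1 == "http" && $3 == "8080" && $2 != "127.0.0.1" { found = 1 }
                          END { if (found) exit 0; exit 1 }'
}

# write_demo_logs DIR: connector lines copied from the page's two runs.
write_demo_logs() {
    cat >"$1/first_run.log" <<'EOF'
14:12:03,850 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-127.0.0.1-8080
14:12:03,853 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
EOF
    cat >"$1/second_run.log" <<'EOF'
14:28:57,890 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
14:28:57,911 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8442
14:28:57,912 INFO  [org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
14:28:57,960 INFO  [org.apache.coyote.ajp.AjpProtocol] Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
EOF
}

dir=$(mktemp -d)
write_demo_logs "$dir"
for run in first_run second_run; do
    echo "$run: exposed ports: [$(exposed_ports "$dir/$run.log")]"
    if plain_http_exposed "$dir/$run.log"; then
        echo "$run: WARNING plain HTTP on 8080 is reachable from the network"
    fi
done
rm -rf "$dir"
```

On the real machine point it at `$EIL/JBoss_second_run.log`; it reports `8080 8442 8443` and the 8080 warning, matching the lsof output above. Only IP-literal bind addresses are parsed, which is what JBoss prints here.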

Check results in DB:

→ mysql ejbcadb -u ejbca-user -p
→ select * from AdminEntityData;
vm0014:~ # mysql ejbcadb -u ejbca-user -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.0.96 SUSE MySQL RPM
(copyright banner as above)

mysql> select * from AdminEntityData;
+------------+-----------+-----------+------------+-----------+---------------+------------+------------------------------+
| pK         | cAId      | matchType | matchValue | matchWith | rowProtection | rowVersion | AdminGroupData_adminEntities |
+------------+-----------+-----------+------------+-----------+---------------+------------+------------------------------+
| 2131783214 | 749716675 |      1001 | SuperAdmin |         8 | NULL          |          0 |                   2116542367 |
|  329358383 |         0 |      2003 | UNUSED     |        11 | NULL          |          0 |                    596727308 |
|  329358381 |         0 |      2001 | UNUSED     |        11 | NULL          |          0 |                    596727308 |
|  329358382 |         0 |      2002 | UNUSED     |        11 | NULL          |          0 |                    596727308 |
|  329358376 |         0 |      2004 | UNUSED     |        11 | NULL          |          0 |                    596727308 |
| 1346258728 |         0 |      2000 | UNUSED     |        11 | NULL          |          0 |                   1760399226 |
+------------+-----------+-----------+------------+-----------+---------------+------------+------------------------------+
6 rows in set (0.03 sec)

mysql> exit
Bye

Note: the SuperAdmin row is the admin entity that "ant install" created: a client certificate issued by CA 749716675 (the new AdminCAv1) whose CN matches SuperAdmin is accepted as superadmin. That is exactly what superadmin.p12 below provides, and why it is the only way into the admin web on 8443.

Transfer the superadmin end entity keystore to the machine with the browser

→ ll /usr/local/ejbca/p12
vm0014:~ # ll /usr/local/ejbca/p12
total 16
-rw-r--r-- 1 root root 3566 Dec 20 14:17 superadmin.p12
-rw-r--r-- 1 root root 4509 Dec 20 14:16 tomcat.jks
-rw-r--r-- 1 root root 1423 Dec 20 14:17 truststore.jks

Note: superadmin.p12 holds the superadmin's private key and certificate, tomcat.jks the TLS server key; "ant install" created them as root and world-readable (mode 644). Tighten them (chmod 600, owner ejbca) and treat superadmin.p12 like the CA's own key: whoever has it plus the superadmin password owns the CA.

Store them on the machine with the browser:

=> mkdir -p /root/ejbca/vm0014
=> cd /root/ejbca/vm0014
=> sftp vm0014
=> cd /usr/local/ejbca/p12
=> get superadmin.p12
=> cd /usr/local/ejbca/conf
=> get *.properties

orion:~ # mkdir -p /root/ejbca/vm0014
orion:~ # cd /root/ejbca/vm0014
orion:~/ejbca/vm0014 # sftp vm0014
Password:
Connected to vm0014.
sftp> cd /usr/local/ejbca/p12
sftp> get superadmin.p12
Fetching /usr/local/ejbca_4_0_13/p12/superadmin.p12 to superadmin.p12
/usr/local/ejbca_4_0_13/p12/superadmin.p12                     100% 3566     3.5KB/s   00:00

sftp> cd /usr/local/ejbca/conf
sftp> get *.properties
Fetching /usr/local/ejbca_4_0_13/conf/database.properties to database.properties
/usr/local/ejbca_4_0_13/conf/database.properties               100% 2505     2.5KB/s   00:00
Fetching /usr/local/ejbca_4_0_13/conf/ejbca.properties to ejbca.properties
/usr/local/ejbca_4_0_13/conf/ejbca.properties                  100%   10KB  10.4KB/s   00:00
Fetching /usr/local/ejbca_4_0_13/conf/extendedkeyusage.properties to extendedkeyusage.properties
/usr/local/ejbca_4_0_13/conf/extendedkeyusage.properties       100% 5606     5.5KB/s   00:00
Fetching /usr/local/ejbca_4_0_13/conf/install.properties to install.properties
/usr/local/ejbca_4_0_13/conf/install.properties                100% 2852     2.8KB/s   00:00
Fetching /usr/local/ejbca_4_0_13/conf/web.properties to web.properties
/usr/local/ejbca_4_0_13/conf/web.properties                    100% 6509     6.4KB/s   00:00
sftp> quit

Note: the copied *.properties contain every password set above in clear text; /root/ejbca/vm0014 on orion now needs the same protection as conf/ on vm0014.

Start Firefox:
Edit → Preferences → Advanced → Encryption → View Certificates → Delete, if any stale certificates are still around
→ Your Certificates → Import → root → folder "ejbca" → folder "vm0014" → file "superadmin.p12"

Browse to: https://vm0014.minoss.nl:8443/ejbca/

The server certificate was issued by the new AdminCAv1, whose self-signed root is not in the browser's trust store, so the site is untrusted. Confirm the exception and accept; 8443 then asks for the client certificate imported above.

Browse to: https://vm0014.minoss.nl:8442/ejbca/

