EJBCA On Windows


Global Open Versity ICT Labs Step-by-Step Install Guide EJBCA Enterprise PKI with JBoss on Win2k8 AD DC v1.0

Global Open Versity


IT Security & PKI Integration Hands-on Labs Training Manual

Step-by-Step Install Guide EJBCA Enterprise PKI with JBoss


on Win2k8 Active Directory
Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org

Table of Contents                                                        Page No.

Step-by-Step Install Guide EJBCA PKI with JBoss on Win2k8 AD DC ............ 2
  Introduction ............................................................ 2

Part 1: Prerequisites ..................................................... 3
  Step 1: Clean Install Windows Server 2008 Active Directory DC ........... 3
  Step 2: Install SUN JDK1.6 .............................................. 4
  Step 3: Install JBoss Application Server ................................ 4
  Step 4: Install Ant Package ............................................. 6
  Step 5: Install JCE ..................................................... 6
  Step 6: Configuring the Base Packages ................................... 7

Part 2: Download and Install EJBCA ....................................... 10
  Step 1: Download and prepare EJBCA ..................................... 10
  Step 2: Deploy EJBCA and supplementary Components ...................... 10
  Step 3: Import Certificate ............................................. 13
  Step 4: Testing ........................................................ 17
  Step 5: Accessing EJBCA Administration Page ............................ 18

Part 3: Need More Training on Linux ...................................... 19
  EJBCA PKI Administration Training ...................................... 19

Part 4: Hands-on Labs Assignments ........................................ 20

A GOV Open Knowledge Access Technical Academic Publications


Enhancing education & empowering people worldwide through eLearning in the 21st Century
1
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org ICT303 – EJBCA PKI Administration Training


By Kefa Rabah, krabah@globalopenversity.org June 10, 2010 GTS Institute

Introduction
Enterprise Java Bean Certificate Authority (EJBCA) is an open source, fully functional, enterprise-class
Public Key Infrastructure (PKI) Certificate Authority. It is a Java-based software package maintained and
sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most
of the codebase. Based on J2EE technology, it constitutes a robust, high-performance, component-based
CA. Both flexible and platform independent, EJBCA can be used standalone or integrated in any
J2EE application.

It’s intended for serious PKI management, and can be used for certificate issuance, validation
services, SSO, signing and time stamping. For example, it can be used to issue certificates for network
authentication, digital signatures and smart card logon, to mention just a few. You can use EJBCA to set up a
CA-independent, high-performance, highly available OCSP responder service. The Online Certificate Status
Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital
certificate. Finally, you can use EJBCA to provide the necessary infrastructure for other software to
perform, e.g., single sign-on (SSO), time stamping, digital signatures, encryption and the issuance of electronic
passports and hard tokens (smart cards). Other uses: implementing VPN connections by issuing certificates to
your VPN routers such as OpenVPN, Cisco, Juniper etc.; client VPN access with certificates in users’ VPN
clients; single sign-on by using a single certificate to secure logon to web applications; creating signed
documents; and issuing citizen certificates for access to government resources, used in passports etc.

Windows Server® 2008 R2: Microsoft wants administrators of Windows Server 2008 editions (which
ship in the usual flavors of Standard, Enterprise, Data Center and Itanium-specific code) to think of the
server as playing certain roles. Server roles are aggregated objects that suit commonly thought-of
services, such as print services, file sharing, DNS, DHCP, Active Directory Domain Controller and IIS-
based Web services. Microsoft has defined 18 roles in all.

Microsoft Active Directory provides the structure to centralize network management and store
information about network resources across the entire domain. Active Directory uses Domain Controllers
to keep this centralized storage available to network users. In order to configure a Windows Server 2008
machine to act as a Domain Controller, several considerations and prerequisites should be taken into
account, and several steps should be performed. A Domain Controller requires that a DNS server is
installed and configured appropriately.


In this hands-on lab you’ll learn how to install EJBCA (3.6.0) with the JBoss (4.2.2.GA) application server on a
Windows Server 2008 Active Directory DC. It is for testing purposes only. For a production build, please
refer to the official EJBCA website. The EJBCA homepage can be found at http://ejbca.org/.

For more reading on cryptosystems knowledge base, check these articles:


1. Data Security & Cryptographic Techniques
2. Using Elliptic Curve Cryptography to Secure Online Data & Content
3. Elliptic Curve Cryptography Theory
4. Using Elliptic Curve Cryptography for Information Security
5. Module 11- PHP MySQL Database Security

Assumptions:
It’s assumed that you have a good understanding of the Windows operating system and its working
environment. It’s also assumed that you know how to install and configure a Windows Server 2008 Active
Directory DC integrated with Exchange Server 2007. If not, you can check out an excellent article on
docstoc.com entitled “Install Guide MS Exchange Server 2007 on Windows Server 2008 Active Directory”
to get you started.

Part 1: Prerequisites
This document describes the installation of EJBCA 3.6.0, starting from a clean Windows Server 2008 and a
clean Windows XP Professional.

In this document, EJBCA 3.6.0 is used together with:

• JCE 6
• Apache Ant 1.7.0
• JBoss 4.2.2.GA
• JDK 6 Update 20
• GemSAFE toolbox
• GemSAFE PCSC token

for workstation smart card logon. The procedures for using EJBCA for email signing, email encryption and
SSL services will be described in another hands-on document in this series.

Step 1: Clean Install Windows Server 2008 Active Directory DC

1. Perform a clean install of the base Windows Server 2008 Enterprise Edition and Windows XP Pro systems, and
ensure that both are fully updated and patched with hot fixes.

2. Promote the Win2k8 Server Enterprise Edition to an Active Directory Domain Controller using the
"DCPROMO" command, with the following parameters:

   Server name: server01.rabahtech.com
   Domain name: rabahtech.com
   IP address: 192.168.83.6

3. Issue the NSLOOKUP command to test that your server is correctly installed and configured
appropriately to act as Active Directory DC, as shown in Fig. 1.

Fig. 1

4. We’re done with this section

Step 2: Install SUN JDK1.6

1. To download Java SE JDK 6, go to http://java.sun.com/javase/downloads/index.jsp and follow
the instructions to download the file "jdk-6u20-windows-i586-p.exe". Save it, run it, and
install it into the "C:\java" folder. You may have to create the java directory if it’s not there.

2. Now ensure that the paths for JDK 6 and JRE 6 are as follows:

• JDK6 at "C:\java\java1.6.0_20"
• JRE6 at "C:\jre\java1.6.0_20"

3. We’re done with this section.

Step 3: Install JBoss Application Server

1. Hop over to http://www.jboss.org/jbossas/downloads/, download "jboss-4.2.2.GA.zip", and unzip it
under "C:\jboss422".

2. Start/Stop JBoss: to test that the JBoss Application Server is successfully installed, move to
"C:\jboss422\bin" and double-click "run" to start JBoss AS (see Fig. 2).


Fig. 2

Note: You can also start JBoss with the normal "run" command (run.bat) from APPSRV_HOME\bin.
When start-up completes, you should see the final line shown in Fig. 3.

Fig. 3

3. Now start your browser and enter the URL http://localhost:8080, http://<ip-address>:8080 or
http://<domain-name>:8080 to access the JBoss homepage, as shown in Fig. 4.

Fig. 4

4. Shutdown JBoss: press Ctrl+C in the JBoss window, or double-click "shutdown"; when prompted
with <Y/N> to confirm stopping JBoss, type Y and hit the Enter key.

5. We’re done with this section.

Step 4: Install Ant Package

1. The source code compilation process for EJBCA is managed by the Ant package. Head over to
http://ant.apache.org/bindownload.cgi, download "apache-ant-1.7.0-bin.zip" and unzip it
under "C:\ant170".

Note: Due to Java’s memory handling you may need to assign more memory to Ant in order to build
the system without OutOfMemory errors. You can do this by setting an environment variable, as
follows:

ANT_OPTS=-Xmx512m

2. We’re done with this section.

Step 5: Install JCE

EJBCA makes use of strong crypto and keystore passwords longer than 7 characters. For this to work
you must install the "Unlimited Strength Jurisdiction Policy Files" for the JDK. The policy
files can be found at the same place as the JDK download at java.sun.com. The text "Using
exportable cryptography" is shown on the first page of the Admin GUI if you fail to install this
package. Further information on this can be found in the Sun documentation on the JCE.

To download and set up the "Unlimited Strength Jurisdiction Policy Files", perform the
following procedure:

1. Fire up your browser and hop over to http://java.sun.com/javase/downloads/index.jsp, and download
the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6” into the
"C:\jce6" folder, or change as desired.

2. Next, copy the downloaded jars over the existing ones in both the JDK’s bundled JRE and the
standalone JRE (the package contains both jars, and each must be replaced in each location):

Overwrite                                                   Using
C:\java\jdk1.6.0_06\jre\lib\security\local_policy.jar       C:\jce\local_policy.jar
C:\java\jdk1.6.0_06\jre\lib\security\US_export_policy.jar   C:\jce\US_export_policy.jar
C:\java\jre1.6.0_06\lib\security\local_policy.jar           C:\jce\local_policy.jar
C:\java\jre1.6.0_06\lib\security\US_export_policy.jar       C:\jce\US_export_policy.jar

3. We’re done with this section.
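The copy step above can be scripted so that the export-restricted originals are kept and the copy is verified. The following PowerShell is an added example, not part of the original guide: it replaces both policy jars in every JRE root you pass in, saves the originals to a timestamped backup folder, and checks the installed jar against the downloaded one by SHA-256 hash. The policy folder and the two JRE roots are assumptions following this guide's layout; change them to match your install.

```powershell
# Added example (not from the original guide): install the unlimited-strength JCE
# policy jars into each JRE's lib\security directory, keep a backup of the
# export-restricted originals, and verify each copy by SHA-256 hash.
# All paths below are assumptions following this guide's layout.

function Get-Sha256Hex([string]$Path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

function Install-JcePolicy {
    param(
        [string]$PolicyDir,     # folder where the downloaded JCE package was extracted
        [string[]]$JreRoots     # JRE roots: the JDK's bundled <jdk>\jre and the standalone JRE
    )
    # both jars must be replaced together; a mismatched pair leaves the JVM export-restricted
    $jars = @('local_policy.jar', 'US_export_policy.jar')
    foreach ($jar in $jars) {
        if (-not (Test-Path (Join-Path $PolicyDir $jar))) {
            throw "Missing $jar in $PolicyDir - extract the JCE policy package there first"
        }
    }
    foreach ($root in $JreRoots) {
        $securityDir = Join-Path $root 'lib\security'
        if (-not (Test-Path $securityDir)) {
            Write-Warning "No lib\security under $root - skipping"
            continue
        }
        # keep the originals so the change can be reverted
        $backupDir = Join-Path $securityDir ('policy-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
        New-Item -ItemType Directory -Path $backupDir | Out-Null
        foreach ($jar in $jars) {
            $src = Join-Path $PolicyDir $jar
            $dst = Join-Path $securityDir $jar
            if (Test-Path $dst) { Copy-Item $dst (Join-Path $backupDir $jar) }
            Copy-Item $src $dst -Force
            # the installed jar must be byte-identical to the downloaded one
            if ((Get-Sha256Hex $src) -ne (Get-Sha256Hex $dst)) {
                throw "Copy of $jar to $securityDir did not verify"
            }
            Write-Host "Installed $jar into $securityDir (original saved in $backupDir)"
        }
    }
}

# Assumed locations: the JCE download folder from step 1, the JDK's bundled JRE and the standalone JRE
Install-JcePolicy -PolicyDir 'C:\jce6' -JreRoots @('C:\java\jdk1.6.0_20\jre', 'C:\jre\java1.6.0_20')
```

Run it from an elevated prompt, since the JRE directories are normally writable only by administrators. The check that matters afterwards is the one the guide names: the first page of the Admin GUI must no longer show "Using exportable cryptography".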


Step 6: Configuring the Base Packages

A few environment variables need to be set to support the EJBCA server. Our installed prerequisite
packages now look as shown in Fig. 5.

Fig. 5

Add user variables

4. Click Start → Control Panel → double-click System → Advanced system settings →
System Properties → Advanced → click the Environment Variables button → under
User variables for Administrator → click the New button.

5. Add the user variables one by one from the table below, e.g., starting with C:\ant170, as shown in Fig. 6.

Fig. 6

User Variables    Value
ANT_HOME          C:\ant170
ANT_OPTS          -Xmx512m
APPSRV_HOME       C:\jboss422
CLASSPATH         C:\java\jdk1.6.0_20\lib
EJBCA_HOME        C:\ejbca3101
JAVA_HOME         C:\java\jdk1.6.0_20

When completed it should look as shown in Fig. 7.

Fig. 7: Setting up Environment variables

6. When done setting the environment variables, now set Path. Under System variables, double-click Path
and add ";" at the end. Next add the new directories to the value, as shown in the table below and in
Fig. 8.

System variables    Value
Path                C:\java\jdk1.6.0_20\bin;C:\ant181


Fig. 8

7. The infrastructure is now in place and it is time to get the EJBCA source code.

8. Test that JDK 6 and Ant are set correctly in the environment variables and the system Path by issuing
the two version commands for the respective packages installed, as shown in Fig. 9:

Fig. 9

9. We’re done with this section.
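The same configuration can be applied and verified from a PowerShell prompt instead of the dialog boxes. This is an added example, not code from the original guide: it writes the user variables from the table in this step, appends the JDK and Ant bin directories to the system Path only if they are not already present, and then runs the two version checks behind Fig. 9. The directory values are assumptions following this guide's layout; EJBCA_HOME is set to the unzip location used in Part 2 (C:\ejbca360) rather than the table's C:\ejbca3101, and the Path entries are derived from JAVA_HOME and ANT_HOME so the two cannot drift apart.

```powershell
# Added example (not from the original guide): set the user variables from the table in
# Step 6, add the JDK and Ant bin directories to the machine Path without duplicates, and
# verify with java -version and ant -version. Run from an elevated PowerShell prompt,
# because writing the machine Path needs administrator rights.
# Directory values are assumptions following this guide's layout.

$UserVars = @{
    'JAVA_HOME'   = 'C:\java\jdk1.6.0_20'
    'CLASSPATH'   = 'C:\java\jdk1.6.0_20\lib'
    'ANT_HOME'    = 'C:\ant170'
    'ANT_OPTS'    = '-Xmx512m'        # extra heap for the EJBCA build (see Step 4)
    'APPSRV_HOME' = 'C:\jboss422'
    'EJBCA_HOME'  = 'C:\ejbca360'     # assumption: the unzip location used in Part 2
}

function Set-UserVariables([hashtable]$Vars) {
    foreach ($name in $Vars.Keys) {
        # 'User' scope persists the variable for this account, as the dialog in Fig. 6 does
        [Environment]::SetEnvironmentVariable($name, $Vars[$name], 'User')
        Set-Item -Path "Env:$name" -Value $Vars[$name]   # also make it visible in this session
    }
}

function Add-ToMachinePath([string[]]$Dirs) {
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = @($current -split ';' | Where-Object { $_ -ne '' })
    foreach ($dir in $Dirs) {
        if (-not (Test-Path $dir)) { Write-Warning "$dir does not exist; check the install location" }
        if ($entries -notcontains $dir) { $entries += $dir }   # -notcontains is case-insensitive
    }
    $newPath = $entries -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
    # new processes pick the change up automatically; refresh this session by hand
    $env:Path = $newPath + ';' + [Environment]::GetEnvironmentVariable('Path', 'User')
}

Set-UserVariables $UserVars
# derive the bin directories from JAVA_HOME and ANT_HOME so Path and the variables stay consistent
Add-ToMachinePath @((Join-Path $UserVars['JAVA_HOME'] 'bin'), (Join-Path $UserVars['ANT_HOME'] 'bin'))

# Verification (the two commands shown in Fig. 9): each should report the version installed above.
# java writes its version banner to stderr, hence the redirection.
& java -version 2>&1 | ForEach-Object { $_.ToString() }
& ant -version
```

If `java -version` reports a different release than the JDK in JAVA_HOME, an older Java entry earlier in Path is shadowing it; move the JDK bin entry ahead of it.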


Part 2: Download and Install EJBCA

Step 1: Download and prepare EJBCA

1. Fire up your browser and hop over to http://ejbca.org/download.html; download "ejbca_3_6_0.zip"
and unzip it into the folder "C:\ejbca360".

2. Rename the file "ejbca.properties.sample" in "C:\ejbca360\conf" as follows (see Fig. 10):

Rename                                        To
C:\ejbca360\conf\ejbca.properties.sample      ejbca.properties

Fig. 10

Step 2: Deploy EJBCA and supplementary Components

1. Bootstrap: open a command prompt: Start → type "cmd" and hit the Enter key.

2. Change to the EJBCA directory, C:\ejbca360, and issue the "ant bootstrap" command, as
shown in Fig. 11.


Fig. 11

Note: this compiles everything, packages it (jar, war, ear) and deploys it to JBoss.

You should see a printout indicating BUILD SUCCESSFUL.

Note: if the ant bootstrap completed successfully, then start JBoss AS.

3. Start JBoss: open another command prompt, start JBoss by going to “C:\jboss422\bin” and
double-clicking "run", and then wait for it to complete the start-up process, see Fig. 12.

Note: During the start-up process, you should see JBoss picking up everything and deploying the ear
without errors, as shown in Fig. 13.

Fig. 12

When JBoss has finished starting, run "ant install".

4. Install in the EJBCA terminal: move back to the EJBCA terminal and issue the command:

C:\ejbca360> ant install

Warning! The command 'ant install' is only run once, when the CA is first installed. It cannot
be run again (it will give an error if you try).


5. To use the default settings for the super admin certificate, just hit the “Enter” key whenever the command
prompt asks you to input anything, see Fig. 13.

Fig. 13

Note 1: It generates all certificates, keys, etc. needed to run with an initial CA. You will find the admin keys
in ${ejbca.home}/p12 (do not delete those files!).

Note 2: superadmin.p12 should be imported into your browser; that's your administration certificate.
I’ll show you how to do this later in the text.

6. Again, when "ant install" finishes without error, you should see BUILD SUCCESSFUL, see Fig. 14.

Fig. 14

7. Stop JBoss in the JBoss terminal: press Ctrl+C; when prompted with <Y/N> to confirm
stopping JBoss, type Y and hit the Enter key. When JBoss has stopped, run the ant deploy command.

8. Deploy: in the EJBCA terminal issue:

C:\ejbca360> ant deploy

Again, when "ant deploy" finishes without error, you should see BUILD SUCCESSFUL, see Fig. 15.
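The bootstrap, install and deploy sequence in this step is order-sensitive and, as the warning above says, `ant install` must never run twice. The PowerShell below is an added example, not part of the original guide or the EJBCA project: it runs the three Ant targets in the order described, starts JBoss and waits for port 8080 before `ant install`, stops JBoss before `ant deploy`, and skips `ant install` when `superadmin.p12` already exists, treating that file as the sign that the CA was installed earlier. The EJBCA and JBoss paths are assumptions following this guide's layout.

```powershell
# Added example (not from the original guide): drive the Ant targets in the order the
# step describes (bootstrap, start JBoss, install, stop JBoss, deploy) and refuse to run
# 'ant install' a second time. Paths are assumptions following this guide's layout.

$EjbcaHome  = 'C:\ejbca360'
$JBossBin   = 'C:\jboss422\bin'
$SuperAdmin = Join-Path $EjbcaHome 'p12\superadmin.p12'   # created by 'ant install'

function Invoke-Ant([string]$Target) {
    Push-Location $EjbcaHome
    try {
        & ant $Target          # output is not captured, so the 'ant install' prompts stay visible
        if ($LASTEXITCODE -ne 0) {
            throw "ant $Target failed (exit code $LASTEXITCODE) - look for BUILD FAILED above"
        }
    } finally {
        Pop-Location
    }
}

# poll a TCP port until it accepts connections or the timeout expires
function Wait-ForPort([string]$HostName, [int]$Port, [int]$TimeoutSec = 180) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            $client.Close()
            return $true
        } catch {
            Start-Sleep -Seconds 5
        }
    }
    return $false
}

# bootstrap: compile, package and deploy the ear into JBoss
Invoke-Ant 'bootstrap'

# start JBoss in its own window (same as double-clicking run) and wait for the HTTP connector
$jboss = Start-Process -FilePath (Join-Path $JBossBin 'run.bat') -WorkingDirectory $JBossBin -PassThru
if (-not (Wait-ForPort 'localhost' 8080)) { throw 'JBoss did not open port 8080 within the timeout' }

# install: generates the CA keys and superadmin.p12, and must run only once
if (Test-Path $SuperAdmin) {
    Write-Host "$SuperAdmin already exists - skipping 'ant install'"
} else {
    Invoke-Ant 'install'   # press Enter at each prompt to accept the defaults (Fig. 13)
}

# stop JBoss cleanly (same as double-clicking shutdown), then wait for the process to exit
& (Join-Path $JBossBin 'shutdown.bat') -S
$jboss.WaitForExit()

# deploy the configured application
Invoke-Ant 'deploy'
```

The `superadmin.p12` guard is the practical form of the warning: the file holds the administrator's private key, so its presence means the CA keys already exist and a second `ant install` would only fail or, worse, be run against a CA that is already in use. Keep the `p12` folder readable only by the account that administers the CA.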


Fig. 15

Note: Import C:\ejbca360\p12\superadmin.p12 into the web browser with the default password
"ejbca" (or use the password chosen during the ant install command!).

Step 3: Import Certificate

1. If the build in the previous step succeeded, import the super administrator’s certificate from
C:\ejbca360\p12\superadmin.p12.

2. Change to the “C:\ejbca360\p12" directory and double-click the "superadmin.p12" certificate file,
see Fig. 16.

Fig. 16

3. From Fig. 17, click Next to continue.


Fig. 17

4. From Fig. 18, click the Browse button to locate and select the respective certificate file. Click Next to
continue.

Fig. 18

5. You should be prompted for a password, as shown in Fig. 19; type "ejbca" if you used the default
install, as in our case. Click Next to continue.

Fig. 19

6. From Fig. 20, accept the default selection and then click Next to continue.

Fig. 20


7. From Fig. 21, click Finish to complete the certificate import process.

Fig. 21

8. When you click Finish in Fig. 21, you’ll be prompted with a Security Warning window as shown
in Fig. 22. Click Yes to accept the warning and close the window.

Fig. 22


9. Click OK when prompted.

10. We’re done with this section.

Step 4: Testing

1. Start JBoss again by going to "C:\jboss422\bin" and double-clicking "run.bat".

2. Fire up your browser again and enter http://hostname:8080/ejbca/ for the public access pages, or
https://hostname:8443/ejbca to access the admin GUI page.

3. Now access http://hostname:8080/ejbca/; if you see the welcome page, as shown in Fig. 23, then
well done! Ask your boss for a paycheck raise!

Fig. 23: EJBCA public access welcome page


Step 5: Accessing EJBCA Administration Page

Now we need to access the https://hostname:8443/ejbca/ page, which requires the certificate
we generated earlier during the installation step. To do this, you first need to import the certificate into
your browser, by performing the following procedure:

1. From your browser page, click Tools menu → Options…, click the Advanced tab → click the View
Certificates button. From the Certificate Manager dialog box, click Your Certificates → Import…
and follow the process to import your certificate.

2. Now point your browser to https://hostname:8443/ejbca/adminweb, accept the
warning, and you should see the User Identification Request dialog box, as shown in Fig. 24. Click OK to
accept.

Fig. 24

3. If you see the EJBCA Administration welcome page, as shown in Fig. 25, then well done!
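The browser checks in Step 4 and Step 5 can be repeated from the command line, which is useful for confirming that the admin web is really gated on the client certificate and not only that it loads. The PowerShell below is an added example, not part of the original guide: it requests the public pages over plain HTTP, then the admin web twice, once with no client certificate and once with `superadmin.p12` loaded. The host name, the p12 path and the server-certificate thumbprint placeholder are assumptions; the thumbprint is read from the certificate details behind the browser warning the guide tells you to accept, and pinning that one certificate is the scripted equivalent of accepting it.

```powershell
# Added example (not from the original guide): verify from the command line that the
# public pages answer on 8080 and that the admin web on 8443 answers only when the
# superadmin.p12 client certificate is presented. Host name, paths and the thumbprint
# placeholder are assumptions; fill them in for your own server.

$EjbcaHost = 'server01.rabahtech.com'             # the DC name used in Part 1
$PfxPath   = 'C:\ejbca360\p12\superadmin.p12'
# SHA-1 thumbprint of the certificate JBoss presents on 8443 (from the browser warning's
# certificate details). The new CA is not trusted by Windows yet, so the chain cannot be
# validated; pinning the one expected certificate avoids a blanket "accept everything".
$global:ExpectedServerThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-CERTIFICATE-DETAILS'

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    return (($cert.GetCertHashString() -replace ' ', '') -eq $global:ExpectedServerThumbprint)
}

function Test-EjbcaUrl {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert = $null
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = 15000
    if ($ClientCert -ne $null) { [void]$req.ClientCertificates.Add($ClientCert) }
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        # an HTTP error (401/403) still carries a response; a failed TLS handshake does not
        if ($_.Exception.Response -ne $null) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

$pfxPassword = Read-Host 'Password for superadmin.p12 (chosen during ant install; default "ejbca")'
$adminCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)

$adminUrl = "https://${EjbcaHost}:8443/ejbca/adminweb/"
$checks = @(
    @{ Name = 'public pages, plain HTTP';   Code = (Test-EjbcaUrl "http://${EjbcaHost}:8080/ejbca/") },
    @{ Name = 'admin web, no client cert';  Code = (Test-EjbcaUrl $adminUrl) },
    @{ Name = 'admin web, superadmin cert'; Code = (Test-EjbcaUrl $adminUrl $adminCert) }
)
foreach ($c in $checks) { Write-Host ("{0,-30} {1}" -f $c.Name, $c.Code) }
# Expected: 200 for the public pages, 200 for the admin web with the certificate, and anything
# but 200 (a handshake failure, reported as -1, or 401/403) for the admin web without it.
```

A 200 on the admin web without the client certificate is the result to act on: it means the 8443 connector is not requiring client authentication, and the administration interface is protected by nothing more than knowing its URL.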


Fig. 25: EJBCA Administration home page.

4. Shutdown JBoss AS.

5. Power down your server.

6. We’re done with this section.

7. We’ll be back shortly to continue with this lab session!

Part 3: Need More Training on Linux?

Are you having trouble understanding the workings of the Linux OS? If so, then check out
some of our introductory courses on Linux at Global Open Versity, Vancouver Canada.

EJBCA PKI Administration Training

You can now register and take our superb On-Demand EJBCA Training course:

• ICT303 - EJBCA PKI Administration Training


Call us today:
Tel: +1-604-495-6361
Email: info@globalopenversity.org. URL: www.globalopenversity.org

Part 4: Hands-on Labs Assignments

1. Install and update Windows Server 2008
2. Promote the as-installed Windows Server 2008 to Active Directory DC
3. Install all the prerequisite software needed for installing EJBCA
4. Install EJBCA

-----------------------------------------------
Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several
fields of Science & Technology, Information Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your
education and career goals using the latest innovations and technologies.