EJBCA On Windows
Introduction 2
Part 1: Prerequisites 3
Step 1: Clean Install Windows Server 2008 Active Directory DC 3
Step 2: Install SUN JDK1.6 4
Step 3: Install JBoss Application Server 4
Step 4: Install Ant Package 6
Step 5: Install JCE 6
Step 6: Configuring the Base Packages 7
Introduction
Enterprise Java Bean Certificate Authority (EJBCA) is an open source, fully functional, enterprise-class
Public Key Infrastructure (PKI) Certificate Authority. It is a Java-based software package maintained and
sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most
of the codebase. Based on J2EE technology, it constitutes a robust, high-performance, component-based
CA. Both flexible and platform independent, EJBCA can be used standalone or integrated in any
J2EE application.
It is intended for serious PKI management and can be used for certificate issuance, validation
services, SSO, signing and time stamping. For example, it can be used to issue certificates for network
authentication, digital signatures and smart card logon, to mention a few. You can use EJBCA to set up a
CA-independent, high-performance, highly available OCSP responder service. The Online Certificate Status
Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital
certificate. Finally, you can use EJBCA to provide the necessary infrastructure for other software to
perform, e.g., single sign-on (SSO), time stamping, digital signature, encryption and issuance of electronic
passports and hard tokens (smart cards). Other uses: implement VPN connections by issuing certificates to
your VPN routers such as OpenVPN, Cisco, Juniper etc.; client VPN access with certificates in users' VPN
clients; single sign-on by using a single certificate to secure logon to web applications; creating signed
documents; and issuing citizen certificates for access to government resources, used in passports etc.
Windows Server® 2008 R2: Microsoft wants administrators of Windows Server 2008 editions (which
ship in the usual flavors of Standard, Enterprise, Datacenter and Itanium-specific code) to think of the
server as playing certain roles. Server roles are aggregated objects that suit commonly thought-of
services, such as print services, file sharing, DNS, DHCP, Active Directory Domain Controller and IIS-
based Web services. Microsoft has defined 18 roles in all.
Microsoft Active Directory provides the structure to centralize network management and store
information about network resources across the entire domain. Active Directory uses Domain Controllers
to keep this centralized storage available to network users. In order to configure a Windows Server 2008
machine to act as a Domain Controller, several considerations and prerequisites should be taken into
account, and several steps should be performed. A Domain Controller requires that a DNS server is
installed and configured appropriately.
2
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
In this Hands-on Lab you'll learn how to install EJBCA (3.6.0) with the JBoss (4.2.2.GA) application server on
a Windows Server 2008 Active Directory DC. It is for testing purposes only. For a production build, please
refer to the EJBCA official website here. The EJBCA homepage can be found at http://ejbca.org/.
Assumptions:
It's assumed that you have a good understanding of the Windows operating system and its working
environment. It's also assumed that you know how to install and configure a Windows Server 2008 Active
Directory DC integrated with Exchange Server 2007. If not, then you can check out an excellent article on
docstoc.com entitled "Install Guide MS Exchange Server 2007 on Windows Server 2008 Active Directory"
to get you started.
Part 1: Prerequisites
This document describes the installation of EJBCA 3.6.0 (the EJBCA3_6_0 distribution), starting from a clean
Windows Server 2008 and a clean Windows XP Professional.
for workstation smart card logon. The procedures to use EJBCA for email signing, email encryption and
SSL service will be described in another hands-on document in this series.
2. Promote the Win2k8 Server Enterprise Edition into an Active Directory Domain Controller using the
"DCPROMO" command, with the following parameters:
3. Issue the NSLOOKUP command to test that your server is correctly installed and configured
to act as an Active Directory DC, as shown in Fig. 1.
Fig. 1
2. Now ensure that the paths for jdk6 and jre6 are as follows:
• JDK6 at "C:\java\java1.6.0_20"
• JRE6 at "C:\jre\java1.6.0_20"
2. Start/Stop JBoss: to test that the JBoss Application Server is successfully installed, change to
"C:\jboss422\bin":
Fig. 2
Note: You can also start JBoss with the normal command 'run/cmd' from APPSRV_HOME/bin.
When start-up completes, you should see the final line shown in Fig. 3.
Fig. 3
2. Shutdown JBoss: issue Ctrl+C or double-click "shutdown" to stop JBoss; when prompted
with <Y/N> to confirm stopping JBoss, type Y and hit the Enter key. When done stopping JBoss.
Note: Due to Java's memory handling you may need to assign more memory to Ant in order to build
the system without OutOfMemory errors. You can do this by setting an environment variable, as
follows:
ANT_OPTS=-Xmx512m
To download and set up the "Unlimited Strength Jurisdiction Policy Files", perform the
following procedure:
1. Fire up your browser and hop over to http://java.sun.com/javase/downloads/index.jsp, and download
the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6" into the
"C:\jce6" folder, or change as desired.
2. Next, perform the following procedure to set the files in the appropriate location:
Overwrite                                                Using
C:\java\jdk1.6.0_06\jre\lib\security\local_policy.jar    C:\jce\local_policy.jar
C:\java\jre1.6.0_06\lib\security\US_export_policy.jar    C:\jce\US_export_policy.jar
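As an added example (not part of the original lab and not EJBCA code), the following Java program checks whether the Unlimited Strength policy is actually in effect for the JRE it is run with. Cipher.getMaxAllowedKeyLength reports the cap imposed by the installed local_policy.jar (128 bits for AES under the default limited policy, Integer.MAX_VALUE under the unlimited files), and initialising an AES-256 cipher fails with "Illegal key size" while the limited policy is still in place. The policy files are per JRE installation, so run it once with each java.exe that JBoss and Ant will use (the JDK's bundled JRE and the standalone JRE from the table above). The class name is an assumption of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;

public class JcePolicyCheck {

    // Maximum AES key length (in bits) the installed jurisdiction policy permits.
    // Limited policy: 128. Unlimited Strength policy: Integer.MAX_VALUE.
    public static int maxAesKeyLength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // True when the unlimited policy files are in place for this JRE.
    public static boolean unlimitedPolicyInstalled() throws NoSuchAlgorithmException {
        return maxAesKeyLength() == Integer.MAX_VALUE;
    }

    // Actually tries to set up an AES-256 cipher. Under the limited policy
    // Cipher.init throws InvalidKeyException ("Illegal key size"), which is
    // the error a CA that wants 256-bit symmetric keys would hit at runtime.
    public static boolean canUseAes256() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key); // a random IV is generated for us
            return true;
        } catch (GeneralSecurityException e) {
            System.err.println("AES-256 not usable with this JRE: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home         : " + System.getProperty("java.home"));
        System.out.println("max AES key length: " + maxAesKeyLength());
        System.out.println("unlimited policy  : " + unlimitedPolicyInstalled());
        System.out.println("AES-256 usable    : " + canUseAes256());
    }
}
```

Compile and run it with the JDK whose jre\lib\security jars you replaced, e.g. "C:\java\jdk1.6.0_06\bin\javac JcePolicyCheck.java" followed by "C:\java\jdk1.6.0_06\bin\java JcePolicyCheck", and then again with "C:\java\jre1.6.0_06\bin\java JcePolicyCheck"; the java.home line shows which installation was actually tested. If "unlimited policy" prints false, one of the two jars was copied to the wrong directory.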
Fig. 5
5. Add the user variables one by one from the table below, e.g., starting with C:\Ant170, as shown in Fig. 6.
Fig. 6
6. When done setting the environment variables, now set Path. Under System variables, double-click Path
and then add ";" at the end. Next add the new directory to the value, as shown in the table below and
in Fig. 8.
Fig. 8
7. The infrastructure is now in place and it is time to get the EJBCA source code.
8. Test that JDK6 and Ant are set correctly in the environment variables and system path: issue these two
commands to display the respective installed versions, as shown in Fig. 9:
Fig. 9
Rename                                       To
C:\ejbca360\conf\ejbca.properties.sample     ejbca.properties
Fig. 10
2. Change to the ejbca directory, C:\ejbca360, and issue the "ant bootstrap" command, as
shown in Fig. 11.
Fig. 11
Note: it will compile, jar, war and ear everything and deploy it to JBoss.
Note: if "ant bootstrap" completes successfully, then start JBoss AS.
3. Start JBoss: Open another command prompt, start the JBoss service by going to "C:\jboss422\bin" and
double-clicking "run", and then wait for it to complete the start-up process, see Fig. 12.
Note: During the start-up process, you should see JBoss picking up everything and deploying the ear
without errors, as shown in Fig. 13.
Fig. 12
4. Install in the EJBCA terminal: Move back to the EJBCA terminal and issue the command:
Warning! The command 'ant install' is only run once, when the CA is first installed. It cannot
be run again (it will give an error if you try).
5. To use the default settings for the super admin certificate, just hit the "Enter" key whenever the command
prompt asks you to input anything, see Fig. 13.
Fig. 13
Note 1: It generates all certificates, keys, etc. needed to run with an initial CA. You will find the admin keys
in ${ejbca.home}/p12 (do not delete those files!).
Note 2: superadmin.p12 should be imported into your browser; that's your administration certificate.
I'll show you how to do this later in the text.
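Before importing superadmin.p12 anywhere it is worth knowing what it contains. As an added example (not part of the original lab and not EJBCA code), this Java program opens a PKCS#12 file and lists every private-key entry with its subject, issuer, validity period, key algorithm and chain length, and stops with an exception if the certificate is expired or not yet valid or if the password is wrong. The file path and password are taken from the command line; the class name is an assumption of this example, and "ejbca" is the default password of the lab install as stated later in this document.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class InspectAdminP12 {

    // One descriptive line per private-key entry in the PKCS#12 file.
    // Entries that hold only a trusted certificate are skipped, since they are
    // not administration credentials.
    public static List<String> describeKeyEntries(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password); // a wrong password surfaces here as an IOException
        } finally {
            in.close();
        }

        List<String> lines = new ArrayList<String>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException

            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            boolean endsInSelfSignedRoot =
                    top.getSubjectX500Principal().equals(top.getIssuerX500Principal());

            lines.add("alias=" + alias
                    + " subject=" + leaf.getSubjectX500Principal().getName()
                    + " issuer=" + leaf.getIssuerX500Principal().getName()
                    + " notBefore=" + leaf.getNotBefore()
                    + " notAfter=" + leaf.getNotAfter()
                    + " keyAlgorithm=" + leaf.getPublicKey().getAlgorithm()
                    + " chainLength=" + chain.length
                    + " endsInSelfSignedRoot=" + endsInSelfSignedRoot);
        }
        if (lines.isEmpty()) {
            throw new IllegalStateException("no private-key entry found in " + path);
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java InspectAdminP12 <file.p12> <password>");
            System.exit(2);
        }
        for (String line : describeKeyEntries(args[0], args[1].toCharArray())) {
            System.out.println(line);
        }
    }
}
```

With the directory layout used in this lab the call is "java InspectAdminP12 C:\ejbca360\p12\superadmin.p12 ejbca" (that path is assumed from ${ejbca.home}/p12). The issuer should be the CA you just created and the chain should end in that CA's self-signed root. Remember that the private key in this file grants full administrative control of the CA, so keep the p12 directory readable by the CA operator account only and import the file into the browser of the administration workstation rather than copying it around.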
6. Again, when "ant install" completes without error, you should see BUILD SUCCESSFUL, see Fig. 14.
Fig. 14
7. Stop JBoss in the JBoss terminal: Use Ctrl+C (or whatever); when prompted with <Y/N> to confirm
stopping JBoss, type Y and hit the Enter key. When done stopping JBoss, run the "ant deploy" command.
Again, when "ant deploy" completes without error, you should see BUILD SUCCESSFUL, see Fig. 15.
Fig. 15
Fig. 16
Fig. 17
4. From Fig. 18, click on the Browse button to locate and select the respective certificate. Click Next to
continue.
Fig. 18
5. You should be prompted for a password, as shown in Fig. 19; type "ejbca" if you used the default
install, as in our case. Click Next to continue.
Fig. 19
6. From Fig. 20, accept the default selection and then click Next to continue.
Fig. 20
Fig. 21
8. When you click Finish from Fig. 21, you'll be prompted with a Security Warning window as shown
in Fig. 22. Click Yes to accept the warning and close the window.
Fig. 22
Step 4: Testing
2. Fire up your browser again and enter http://hostname:8080/ejbca/ for the public access pages, or
https://hostname:8443/ejbca to access the admin GUI page (the admin GUI requires the superadmin
certificate imported in your browser; the public pages on 8080 are plain HTTP and need no certificate).
11. Now access http://hostname:8080/ejbca/; if you see the welcome page, as shown in Fig. 23, then
well done! Ask your boss for a pay raise!
1. From your browser page, click Tools menu -> Options..., click the Advanced tab -> click the View
Certificates button. From the Certificate Manager dialog box, click Your Certificates -> Import...
button and follow the process to import your certificate.
2. Now start your browser and point it to https://hostname:8443/ejbca/adminweb, accept the
warning and you should see the User Identification Request dialog box, as shown in Fig. 24. Click OK to
accept.
Fig. 24
3. If you see the EJBCA Administration welcome page, as shown in Fig. 25, then well done!
4.
5. Shutdown JBoss AS
Call us today:
Tel: +1-604-495-6361
Email: info@globalopenversity.org. URL: www.globalopenversity.org
-----------------------------------------------
Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several
fields of Science & Technology, Information Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your
educating and career goals using the latest innovations and technologies.