Standalone External RA with Internal CA Architecture (EJBCA 4)

Roman
2013-08-20
2013-08-21
  • Roman

    Roman - 2013-08-20

    What is the best practice for installing an external RA with externalra-gui and SCEP capability? Do I need to install EJBCA in order to deploy externalra-gui or external scep ra?

    It is clear that the CA should be installed on a separate server from the external ra or external scep ra, but is it possible to deploy the RA as a standalone function in EJBCA? Creating EJBCA with externalra and configuring it all on one server is a straightforward process thanks to the documentation from ejbca.org.

    I would like to achieve the following architecture (and I think it is the aim of almost all of us):

    First server:
    Runs EJBCA with a MyCA which is the root CA
    Configured CRL distribution points and updaters
    Configured users, profiles and other settings to get it work as I want
    Active externalra and configured externalraworker to ExternalRA (see below)
    No inbound communication from ExternalRA or other components

    Second server:
    Runs only ExternalRA-GUI and ExternalRA-SCEP
    Possibility to enroll certificate through externalra-gui and scep
    Databases and profiles configured to be able to get the certificates from MyCA
    Can be reached by users or applications from public internet
    No publicweb-gui of CA or admin-gui of CA, just externalra

    Do I need to go through the whole process of installing EJBCA on the second server in order to get ExternalRA-GUI and ExternalRA-SCEP to work? If so, what is the best practice for deploying it?

    Maybe I am missing something. If I install EJBCA on the second server then a TempRootCA will be created, which I don't want to be there.

    I assume that the ExternalRA component needs to be configured in .properties files, the database needs to be configured for storing messages, and it should work. MyCA on the first server will poll messages from the database on the second server and do its job (which is controlled in a periodic interval by the externalraworker on the MyCA side).

    What's your experience with that? I would like to understand how this is meant by EJBCA.
    Every contribution is appreciated.

  • Tomas Gustavsson

    You don't need EJBCA on the external RA server. Since they are part of the same zip package, you of course use that, but for deployment you deploy ExternalRA-X standalone, no need to deploy EJBCA.

    Cheers,
    Tomas

  • Roman

    Roman - 2013-08-21

    So how would it look?

    My steps to deploy only ExternalRA-SCEP on a different server than the one running the CA were the following:
    1. Create MySQL database "scep_messages"
    2. Configure scep.properties:
    - to use created database "scep_messages"
    - to use SCEPRA certificate issued by the CA on different server
    - set the default CA to be used
    3. ant bootstrap
    4. ant externalra-scep-deploy

    then I tried to connect to http://scepraserver.hostname:8080/scepraserver/scep/pkiclient.exe, but with no success

    After that:
    4. run jboss
    5. ant install
    6. ant externalra-scep-deploy

    then I tried to connect to http://scepraserver.hostname:8080/scepraserver/scep/pkiclient.exe, but with no success

    After that:
    7. stop jboss
    8. ant deploy
    9. ant externalra-scep-deploy

    then I tried to connect to http://scepraserver.hostname:8080/scepraserver/scep/pkiclient.exe and now it is working

    So how should it look without an installation of EJBCA? Would it please be possible to send the necessary steps here? It would be very much appreciated.
    Thank you.

  • Tomas Gustavsson

    I think you should use the method described in http://ejbca.org/externalra.html#Using%20the%20SCEP%20RA%20Server.

    • Roman

      Roman - 2013-08-21

      Thank you Tomas.
      I was deploying ExternalRA-SCEP using this page, but I still don't get how to deploy ExternalRA-SCEP without EJBCA.
      Would it please be possible to provide me with example steps for how to do that?
      How should I change my process described above?

      Would it be the following?
      1. Create MySQL database "scep_messages"
      2. Configure externalra.properties:
      - to use created database "scep_messages"
      3. Configure scep.properties:
      - to use created database "scep_messages"
      - to use SCEPRA certificate issued by the CA on different server
      - set the default CA to be used
      4. ant bootstrap
      5. ant deploy
      6. ant externalra-scep-deploy

  • Tomas Gustavsson

    ant bootstrap and ant deploy are not mentioned in the documentation, just remove those steps from your list.

    • Roman

      Roman - 2013-08-21

      OK, so I tried to deploy externalra-scep with a clean ejbca_4_0_16 and jboss-5.1.0.GA on the externalra-scep server.

      I have followed exactly these steps:
      1. configure MySQL database
      2. configure externalra.properties to specify DataSource
      externalra.source-1.jdbc-url=jdbc:mysql://127.0.0.1/scep_messages
      and enable External RA Service
      externalra.enabled=true
      3. configure scep.properties to specify DataSource
      externalra.source-1.jdbc-url=jdbc:mysql://127.0.0.1/scep_messages
      and other settings which I won't be typing
      4. run ant externalra-scep-deploy
      5. run jboss

      Then on the different server where the CA is installed:
      1. stop jboss
      2. configure externalra.properties to specify DataSource
      externalra.source-1.jdbc-url=jdbc:mysql://externalra-scepIP/scep_messages
      3. run ant clean
      4. run ant deploy
      5. run jboss
      6. configure Custom Worker in admin gui to work with SCEP database on different server and set to active

      I'm not able to connect to http://externalra-scepIP:8080/scepraserver/scep/pkiclient.exe with a SCEP client, and also the Custom Worker is telling me: javax.persistence.RollbackException: Transaction marked as rollbackOnly.

      I tried to connect to the MySQL database from the CA server to the externalra-scep server and it works correctly. So there is probably something wrong with my deployment. May I ask you for more advice?

  • Tomas Gustavsson

    You have to check your server.log files. They usually provide error messages from the database so you can see why.

    • Roman

      Roman - 2013-08-21

      It is working now, thank you.
      The main problem was that I also had to configure database.properties to connect through the MySQL connector.

      Now it's working like a charm :)
      Thank you again.
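The thread ends with the two property files on the RA and the one on the CA finally agreeing; the small checker below (an added example, not EJBCA code or any participant's) parses the three files and reports the mismatches Roman hit: the CA and the SCEP RA naming different databases in externalra.source-1.jdbc-url, and database.properties not selecting the MySQL connector. Only externalra.enabled and externalra.source-1.jdbc-url come from the thread; the database.driver key and the useSSL=true JDBC parameter are assumptions, and the sample files are constructed.

```python
# Added example, not EJBCA code: consistency check for the CA-side externalra.properties
# and the RA-side scep.properties / database.properties. database.driver is an assumed key.
import re
from urllib.parse import urlsplit

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separator."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def mysql_db_name(jdbc_url):
    """Database name from jdbc:mysql://host[:port]/db[?params], else None."""
    if not jdbc_url.startswith("jdbc:mysql://"):
        return None
    return urlsplit(jdbc_url[len("jdbc:"):]).path.lstrip("/") or None

def check_externalra_setup(ca_externalra, ra_scep, ra_database):
    """Return findings; an empty list means the three files agree."""
    ca, scep, db = (parse_properties(t) for t in (ca_externalra, ra_scep, ra_database))
    findings = []
    if ca.get("externalra.enabled", "").lower() != "true":
        findings.append("CA: externalra.enabled is not true, the worker will not poll")
    ca_url = ca.get("externalra.source-1.jdbc-url", "")
    ra_url = scep.get("externalra.source-1.jdbc-url", "")
    # Hosts legitimately differ (127.0.0.1 on the RA, the RA's IP on the CA);
    # what must match is the database both sides name.
    ca_db, ra_db = mysql_db_name(ca_url), mysql_db_name(ra_url)
    if not ca_db or not ra_db:
        findings.append("externalra.source-1.jdbc-url missing or not a jdbc:mysql URL")
    elif ca_db != ra_db:
        findings.append(f"CA polls '{ca_db}' but the SCEP RA writes to '{ra_db}'")
    # The fix reported in the thread: database.properties must select the MySQL connector.
    if "mysql" not in db.get("database.driver", "").lower():
        findings.append("RA database.properties: database.driver is not the MySQL connector")
    # The CA reaches the public-facing RA's database over the network; ask for TLS on JDBC.
    for side, url in (("CA", ca_url), ("RA", ra_url)):
        if url and "usessl=true" not in url.lower():
            findings.append(f"{side}: JDBC URL does not request TLS (useSSL=true)")
    return findings

# Constructed samples mirroring the thread's two servers.
CA_EXTERNALRA = "externalra.enabled=true\nexternalra.source-1.jdbc-url=jdbc:mysql://externalra-scepIP/scep_messages?useSSL=true\n"
RA_SCEP = "externalra.source-1.jdbc-url=jdbc:mysql://127.0.0.1/scep_messages?useSSL=true\n"
RA_DATABASE = "database.name=mysql\ndatabase.driver=com.mysql.jdbc.Driver\n"
```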
