Install StrongKey CryptoEngine 2.0

These are the steps to be followed to download and install SKCE 2.0. All though the instructions below are accurate to Linux based operating systems like CentOS, most of the steps are relevant to Windows as well. Steps that are different for Windows will have links pointing to windows specific instructions.

• 1—Download StrongKey CryptoEngine 2.0 (SKCE 2.0)
• 2—Install Java Development Kit (JDK) 8 and the Java Cryptography Extension (JCE)
  • 2.1—Download JDK
  • 2.2—Install JDK
  • 2.3—Setup Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.0
• 3—Install and Setup OpenDJ
  • 3.1—Install JDK 6
  • 3.2—Download OpenDJ 2.5.0
  • 3.3—Unzip the Downloaded fFle
  • 3.4—Install and Setup OpenDJ 2.5.0 Xpress1
• 4—Install MySQL Server 5.5.30
  • 4.1—Download MySQL
  • 4.2—Install MySQL
  • 4.3—Create a Database schema for SKCE
• 5—Configure SKCE 2.0
  • 5.1—Configure SKCE_HOME Directory
  • 5.2—SAKA Server Information
  • 5.3—FIDO AppID File Information
  • 5.4—Configure SKCE to Cloud
  • 5.5—Configure skce-configuration.properties to Talk to OpenDJ (for Windows Users Only)
• 6—Install and Configure GlassFish
  • 6.1—Download GlassFish 4.1
  • 6.2—Install GlassFish 4.1
  • 6.3—Configure GlassFish 4.1
  • 6.4—Configure HTTP Session Timeout
  • 6.5—Configure JVM Heap Size
  • 6.6—Configure Request Timeout
  • 6.7—Configure Thread Pool
  • 6.8—Create JDBC Resources
  • 6.9—Generate a New SSL Certificate for SKCE
  • 6.10—Download SKCE SSL Certificate
  • 6.11—Import SKCE SSL Certificate into the Glassfish TrustStore
  • 6.12—Import SAKA SSL Certificate into GlassFish TrustStore
  • 6.13—Configure Two-step FIDO Origin Verification
  • 6.14—Copy index.html to GlassFish 4.1 docroot
  • 6.15—Restart GlassFish Server
• 7—Deploy SKCE 2.0 on GlassFish
• 8—Activate SKCE 2.0 for Cryptographic Operations
  • 8.1—Setup Key Custodians
  • 8.2—Import SKCE SSL Certificate into JVM TrustStore
  • 8.3—Activate SKCE for Cryptographic Operations
• 9—Test SKCE 2.0 Using the Sample SKCE Client Program
  • 9.1—Import the SKCE SSL Certificate into the JVM TrustStore
  • 9.2—Perform Tests Using skceclient
• 10—Build SKCE 2.0 Source Code
  • 10.1—Download SKCE 2.0 Source Code
  • 10.2—Setup Resources in NetBeans 8
  • 10.3—Build SKCE 2.0 in NetBeans 8
• 11—What Next? Developers! Learn How to FIDO-enable Your Applications

---

1—Download StrongKey CryptoEngine 2.0 (SKCE 2.0)

Make sure you have the following set up and/or ready to run before you begin:

Please create the following directories on the server (Windows/Linux) where you are about to install.
Why do I need to do this? This document will walk through extracting and installing SKCE and its components into an example folder structure. Although, an alternate directory can be used, It is HIGHLY RECOMMENDED to install StrongKey CryptoEngine and its dependent software in this directory to avoid configuration issues during installation. If you decide to use another folder, please make note of it and replace it accordingly during installation steps.

No.	Windows	Linux
1.	C:\usr	already exists
2.	C:\usr\local	already exists
3.	C:\usr\tmp	already exists
4.	C:\usr\local\workspace	/usr/local/workspace
5.	C:\usr\local\strongauth	/usr/local/strongauth
6.	C:\usr\local\strongauth\skce	/usr/local/strongauth/skce
7.	C:\usr\local\strongauth\skce\etc	/usr/local/strongauth/skce/etc
8.	C:\usr\local\strongauth\skce\keystores	/usr/local/strongauth/skce/keystores
9.	C:\usr\local\strongauth\jade\	/usr/local/strongauth/jade/

Ensure the logged in account has read/write/execute privileges on the /strongauth directory. Failing to have privileges on /strongauth directory will lead to many problems in the further steps of installation.

Linux Users:
chmod 755 /usr/local/strongauth/

Windows Users: Do the same in the folder properties window.

NOTE: It is highly recommended to perform the installation as a user other than root. Specific instructions in the installation process will need root access and those instructions explicitly state so. Right after executing them, exit out of the root session and continue.

• Download and install Cygwin. (Optional) Ignore this if you are a Linux user.
• Download the binary distribution file skce-v2.0-build-73.zip.

Linux Users:
a. Open a terminal window and change directory to /usr/tmp.
cd /usr/tmp

b. Unzip the downloaded file.
unzip skce-v2.0-build-N.zip

c. Navigate to /usr/tmp/skce-v2.0-build-N.
cd /usr/tmp/skce-v2.0-build-N

d. Change directory to /usr/local/strongauth.
cd /usr/local/strongauth

e. Move the SKCE distribution directory to /usr/local/strongauth/ with a new directory name called jade.
mv /usr/tmp/skce-v2.0-build-N/ /usr/local/strongauth/jade/

f. List the contents of the jade directory to make sure all binary files are present.
ls -l jade/

Windows Users: Extract the .ZIP file to C:\usr\local\strongauth\jade. If the folder doesn't exist, create it.

---

2—Install Java Development Kit (JDK) 8 and the Java Cryptography Extension (JCE)

Windows Users: How to install JDK8 and JCE for Windows users. After you complete this, please go to 3—Install and Setup OpenDJ.

The CryptoEngine assumes JDK is installed in the /usr/local/strongauth/jdk1.8.045 directory. Wherever it is installed, this documentation will refer to that locationas $JAVAHOME.

2.1—Download JDK

Please make sure the following is installed and ready to run.
1. Change user to strongauth.

1. Download JDK 8 version appropriate to your operating system and processor type. For example, on a Linux 64-bit machine, download jdk-8u45-linux-x64.tar.gz. Be prepared to accept Oracle's license agreement prior to downloading. Save the download in any directory for now.
   
   

2.2—Install JDK

1. Open a terminal window.
   
   

2. Change directory to where JDK has been downloaded. Assuming it is downloaded to /usr/local/strongauth directory, type the command below in the terminal window:
   cd /usr/local/strongauth
   
   

3. Change the files mode by using the command shown here:
   chmod 755 jdk-8u45-linux-x64.tar.gz
   
   

4. Extract the contents of the downloaded binary file in the current directory using the command below:
   tar zxf jdk-8u45-linux-x64.tar.gz
   
   

5. Set the JAVAHOME environment variable and prepend the same to the PATH variable.
   export "JAVA_HOME=/usr/local/strongauth/jdk1.8.0_45" PATH=$JAVA_HOME/bin:$PATH
   
   

JDK is now installed.

2.3—Setup Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.0

1. If you are in a country where it is available, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.0. Without this this file, symmetric keys above 128 bits will be unavailable. Accept Oracle's license agreement and save the download in any directory for now.
   
   

2. If you have the terminal window still open, stay in the /usr/local/strongauth drectory. Assuming you have downloaded the jcepolicy-8.zip file to the /strongauth directory, unzip the file:
   cd /usr/local/strongauth unzip jce_policy-8.zip
   
   

3. Copy the two .JAR files from the extracted /jce directory (localpolicy.jar and USexportpolicy.jar) to $JAVAHOME/jre/lib/security, as follows:
   mv jce/*.jar $JAVA_HOME/jre/lib/security
   
   

4. Close the terminal window.
   
   

JCE 8.0 is now installed.

---

3—Install and Setup OpenDJ

Windows Users: How to install OpenDJ 2.5.0-Xpress1 on Windows. After you complete this step, continue to 4—Install MySQL Server 5.5.30.

Install OpenDJ 2.5.0 Xpress1 on Linux:

3.1—Install JDK 6

1. OpenDJ Xpress1 has a JDK 6 dependency, hence JDK 6 has to be installed before installing OpenDJ.
   
   

2. Download JDK 6. Make sure to download the appropriate file(s) for your operating system processor type. For example, on a Linux 64-bit machine, download jdk-6u45-linux-x64.bin. You must accept Oracle's license agreement to download. Save the files in any directory.
   
   

3. Open a terminal window.
   
   

4. Change directory to where you have downloaded JDK. In this example it was downloaded to /usr/local/strongauth directory. Type the command below in the terminal window.
   cd /usr/local/strongauth
   
   

5. Change the files mode by using the command below:
   chmod 755 jdk-6u45-linux-x64.bin
   
   

6. Run the installation file.
   ./jdk-6u45-linux-x64.bin
   
   

7. Change to the root user. Set OPENDJ_JAVA_HOME and JAVA_HOME environment variables. To do this, edit /etc/bashrc and export the variables.
   vi /etc/bashrc
   Add these lines at the end of the file:
   export JAVA_HOME=/usr/local/strongauth/jdk1.8.0_45 export OPENDJ_HOME=/usr/local/strongauth/OpenDJ-2.5.0-Xpress1 export OPENDJ_JAVA_HOME=/usr/local/strongauth/jdk1.6.0_45 export PATH==$JAVA_HOME/bin:$OPENDJ_HOME/bin:$PATH
   
   

8. Save and close the file.
   :wq exec
   
   

9. Do not forget to exit out of root.
   
   

JDK 6 is now successfully installed; OpenDJ can now be installed.

3.2—Download OpenDJ 2.5.0

1. Download the OpenDJ-2.5.0-Xpress1.ZIP installation file.
   
   

2. Save the file to directory /usr/local/strongauth.
   
   

3.3—Unzip the Downloaded fFle

1. Open a terminal window.
   
   

2. Change directory to where OpenDJ-2.5.0-Xpress1.zip is being stored. In thie example it was downloaded to /usr/local/strongauth directory. Type the command below in the terminal window:
   cd /usr/local/strongauth
   
   

3. Change the files mode by using the command below:
   chmod 755 OpenDJ-2.5.0-Xpress1.zip
   
   

4. Unzip the file into the current directory.
   unzip OpenDJ-2.5.0-Xpress1.zip
   
   

3.4—Install and Setup OpenDJ 2.5.0 Xpress1

1. Change directory to OpenDJ-2.5.0-Xpress1.
   cd /usr/local/strongauth/OpenDJ-2.5.0-Xpress1
   
   

2. Copy 99-user.ldif to the OpenDJ schema directory. This file contains definitions of specific LDAP schemas used by StrongKey CryptoEngine. Not copying this file leads to failure in importing the skce.ldif file in further steps.
   cp /usr/local/strongauth/jade/skce-config/ldap/99-user.ldif /usr/local/strongauth/OpenDJ-2.5.0-Xpress1/config/schema/
   
   

3. Run the setup file.
   ./setup
   
   

4. The OpenDS Directory Server QuickSetup wizard will open:
   
   OpenDS Directory Server QuickSetup wizard.
   
   

5. Click Next to continue.
   
   

6. On the form for server settings, edit the settings with proper values for the following fields:

   Field Name	Value
   Fully Qualified Host Name	server FQDN
   LDAP Listener Port	recommended value: 1389
   Root User DN	cn=Directory Manager
   Password	your password
   Password (confirm)	your password

   Your screen should be similar to the image below:

   
   Server Settings.
   
   
   View Windows Image.
   
   

7. Click Next to continue.
   
   

8. On the Topology Options form, select the option This will be a standalone server. You will see something like the image below:
   
   Topology Options.
   
   

9. Click Next to continue.
   
   

10. You will see a form to set the Directory Data. Type dc=strongauth,dc=com for the field, Directory Base DN.
    
    

11. For Directory Data, select the option: Import data from LDIF file.
    
    

12. Using the Browse button, navigate and select the file /usr/local/strongauth/jade/skce-config/ldap/skce.ldif. At this point, your screen should look similar to this:
    
    Directory Data.
    
    

13. Click Next to continue.
    
    

14. Leave the runtime settings as the defaults.
    
    Runtime options (default).
    
    

15. Click Next to continue.
    
    

16. You will see the review page similar to the image below:
    
    Review your choices.
    
    

17. Ensure that the checkbox for Start Server when Configuration has completed is checked.
    
    

18. Carefully review the information and if everything is satisfactory, click Finish to install. If everything went right, you should get a message that says “OpenDJ Quick setup completed successfully.”
    
    Successful completion.
    
    

19. Close the window.
    
    

20. To ensure that the skce.ldif import went successful, run OpenDJ's Control Panel and view the entries. Change directory to OpenDJ's /bin directory.
    cd /usr/local/strongauth/OpenDJ-2.5.0-Xpress1/bin/
    
    

21. Run the command below to run Control Panel.
    ./control-panel
    
    

22. A dialog box opens, prompting for the OpenDJ admin login. Please enter the directory manager's password chosen in Step 6 during OpenDJ installation.
    
    Login to OpenDJ.
    
    

23. A successful login will open the OpenDJ's control panel, which has a GUI like the image below:
    
    The OpenDJ home page.
    
    

24. Click Manage Entries under Directory data on the left side panel of the control panel. This shows in a tree structure all entries that imported from skce.ldif.
    
    Click Manage Entries.
    
    

25. Since we installed JDK 6 for OpenDJ, it has overwritten the JAVAHOME environment variable to point to JDK6 instead of JDK 8 (which is needed by SKCE). Set the JAVAHOME variable to point to JDK 8. Please use the commands below:
    export "JAVA_HOME=/usr/local/strongauth/jdk1.8.0_45" PATH=$JAVA_HOME/bin:$PATH
    
    

26. Close the terminal window.
    
    

OpenDJ is now installed on Linux.

4—Install MySQL Server 5.5.30

Windows Users: If you are a Windows user, please go to this Windows-specific document to install MySQL Server 5.5.30. After you complete it, continue at 5—Configure SKCE 2.0.

Linux Users: The StrongKey CryptoEngine persists some of the information and uses a MySQL database to do the same.

4.1—Download MySQL

1. Download MySQL 5.5.30 community edition.TAR file (mysql-5.5.30-linux2.6-x8664.tar.gz on Linux and an equivalent on Windows).
   
   

2. Save the file in /usr/local/strongauth/ directory.
   
   

4.2—Install MySQL

1. Open a terminal window.
   
   

2. Change directory to /usr/local/strongauth directory where MySQL installable has been downloaded. Type in the command below in the terminal window.
   cd /usr/local/strongauth
   
   

3. Change the in a tree structure by using the command below:
   chmod 755 mysql-5.5.30-linux2.6-x86_64.tar.gz
   
   

4. Extract the contents of the downloaded .TAR file in the current directory. Use the command below to extract it.
   tar zxf mysql-5.5.30-linux2.6-x86_64.tar.gz mv mysql-5.5.30-linux2.6-x86_64/ mysql-5.5.30/
   
   

5. This step requires root access (administrator privileges on Windows). Copy the mysql.server file to etc/init.d/mysqld.
   cp /usr/local/strongauth/mysql-5.5.30/support-files/mysql.server /etc/init.d/mysqld chkconfig --add mysqld
   
   

6. Change to root user. Copy my.cnf from /usr/local/strongauth/jade/skce-config/mysql/my.cnf to /etc/.
   cp /usr/local/strongauth/jade/skce-config/mysql/my.cnf /etc/ exit
   
   

7. Once the commands are complete, exit out of root.
   
   

8. The sample my.cnf file packaged with the SKCE distribution assumes MySQL is being installed in /usr/local/strongauth/mysql-5.5.30 and references that specific folder more than once. If not installing MySQL in the same directory, please edit the file to provide the right paths. Open the my.cnf file to verify the MySQL configuration is relevant to your environment. View the contents of the my.cnf file in a text editor.
   
   

9. Make directories under the MySQL install directory:
   mkdir -p /usr/local/strongauth/mysql-5.5.30/{backups,binlog,log,ibdata}
   
   

10. Using a text editor, edit my.cnf to reflect the current operating system user login. By default, the value is strongauth. Please change it to your user name.
    
    

11. Initialize the MySQL data directory and start MySQL server for the first time.
    scripts/mysql_install_db –basedir=/usr/local/strongauth/mysql-5.5.30/ --datadir=/usr/local/strongauth/mysql-5.5.30/ibdata bin/mysqld_safe > /dev/null 2> /dev/null &
    
    

12. Create MYSQL_HOME environment variable and append the same to the path variable:
    MYSQL_HOME=/usr/local/strongauth/mysql-5.5.30 export MYSQL_HOME=$MYSQL_HOME PATH=$MYSQL_HOME/bin:$PATH
    
    

13. Restart MySQL server.
    /sbin/service mysqld restart
    
    

14. To ensure the MySQL installation went well, check the MySQL version. The output should read, “MySQL Ver 14.14 Distrib 5.5.30, for linux2.6 (x86_64) using readline 5.1.”
    mysql --version mysql Ver 14.14 Distrib 5.5.30, for linux2.6 (x86_64) using readline 5.1
    
    

4.3—Create a Database schema for SKCE

1. Copy the file skce.sql from the distribution.
   cp /usr/local/strongauth/jade/skce-config/mysql/skce.sql /usr/local/strongauth
   
   

2. Login to MySQL as root and use the mysql database. This will open MySQL access as root.
   mysql -u root mysql -pBigKahuna mysql>
   
   

3. Update the root password to something of your choice. This document uses BigKahuna as the root password.
   mysql> update user set password=password('BigKahuna') where user = 'root'; mysql> delete from mysql.db where host = '%'; mysql> delete from mysql.user where user = '';
   
   

4. Create a database called skce and a MySQL user called skcedbuser for the StrongKey CryptoEngine application and grant privileges for the user on the new database. This document uses AbracaDabra as the password for the skcedbuser.
   mysql> create database skce; mysql> grant all on skce.* to skcedbuser@localhost identified by 'AbracaDabra'; mysql> flush privileges;
   
   

5. Log out of root from MySQL.
   mysql> exit;
   
   

6. Create tables inside the skce database. The tables creation information is in the file, skce.sql, that comes with the SKCE distribution. Sourcing skce.sql will create all the needed tables.
   
   

7. Login to MySQL as skcedbuser using the skce database.
   mysql -u skcedbuser -pAbracaDabra skce
   
   

8. Source the skce.sql file to create tables. The output should not have any errors.
   source /usr/local/strongauth/skce.sql;
   
   

9. Use the show tables command in MySQL to list the created tables.
   show tables;
   
   

10. Exit MySQL.
    exit
    
    

11. Close the terminal window.
    
    

MySQL is now installed and configured for StrongKey CryptoEngine.

---

5—Configure SKCE 2.0

The StrongKey CryptoEngine is completely configurable to suit a specific enterprise environment. These settings must be altered before the software is deployed and run.

Windows Users: For command line statements, change the Linux-based paths to Windows. For example: /usr/local/strongauth/> becomes C:\user\local\strongauth.

5.1—Configure SKCE_HOME Directory

---

Windows Users: Please follow these steps and proceed to 5.2: SAKA Server Information.
Copy the skce-configuration.properties file from the zipped folder or from C:\usr\local\strongauth\jade.

Paste it into C:\usr\local\strongauth\skce\etc. If the target folder doesnt exist, create it.


Go to Step 5b: SAKA Server Information*.

---

1. Open a terminal window.
   
   

2. Change directory to /usr/local/strongauth.
   cd /usr/local/strongauth
   
   

3. Make a directory called skce and change to that directory.
   mkdir skce cd skce/
   
   

4. Make a directory called etc.
   mkdir etc
   
   

5. /usr/local/strongauth/skce is the SKCE_HOME directory for this install.
   
   

6. Change directory to /usr/local/strongauth/skce/etc/.
   cd /usr/local/strongauth/skce/etc
   
   

7. Copy the skce configuration file, skce-configuration.properties from the SKCE distribution you downloaded to this directory.
   cp /usr/local/strongauth/jade/skce-config/skce-configuration.properties .
   
   

8. Copy the sample file, abc.txt, from the SKCE distribution downloaded to this directory. This sample file will be used bythe ping operation in SKCE to perform a sample encryption and decryption.
   cp /usr/local/strongauth/jade/skce-config/abc.txt .
   This file contains various configuration properties . The defaults should work for most properties with a few exceptions, which will be explained in later steps.
   
   

9. Ensure that the configuration property for the SKCEHOME directory is correct in the file. To do this, open skce-configuration.properties file and look for the property called skce.cfg.property.skce_home. By default, this property points to /usr/local/strongauth/skce. Change it if you are not using /usr/local/strongauth/ to install SKCE. Otherwise, leave it as is and continue ahead.
   
   

10. Set up an environment variable called SKCEHOME for the SKCE program to look up. To do that, edit the /etc/bashrc file and export the variables. You must be a root user to do this.
    vi /etc/bashrc
    
    

11. Add these lines at the end of the file.
    export SKCE_HOME=/usr/local/strongauth/skce
    
    

12. Save and close the file and exit out of root.
    :wq exec
    
    

5.2—SAKA Server Information

1. If you wish to configure SKCE to communicate with your own SAKA servers, execute the next step (2). Otherwise continue with step (4).
   
   

2. In the terminal window, change directory to /usr/local/strongauth/skce/etc/:
   cd /usr/local/strongauth/skce/etc
   
   

3. The section of properties where the StrongKey SAKA server information is specified is as follows:
   **Default** skce.cfg.property.saka.cluster.1.hosturls.count=2 skce.cfg.property.saka.cluster.1.hosturl.1=https://demo2.strongauth.com skce.cfg.property.saka.cluster.1.hosturl.2=https://demo3.strongauth.com
   Change this to point to the SAKA servers. For example, with three SAKA servers clustered in your environment, property values should be:
   **Customized** skce.cfg.property.saka.cluster.1.hosturls.count=3 skce.cfg.property.saka.cluster.1.hosturl.1=https://<saka1.yourdomain>:8181 skce.cfg.property.saka.cluster.1.hosturl.2=https://<saka2.yourdomain>:8181
   Additionally, the SAKA domain and user credentials pertaining to those SAKA somains must be specified.
   **Default** skce.cfg.property.saka.cluster.1.domains.count=1 skce.cfg.property.saka.cluster.1.domain.1.id=1 skce.cfg.property.saka.cluster.1.domain.1.username=encryptdecrypt skce.cfg.property.saka.cluster.1.domain.1.password=Abcd1234!
**Customized** skce.cfg.property.saka.cluster.1.domains.count=1 skce.cfg.property.saka.cluster.1.domain.1.id=1 skce.cfg.property.saka.cluster.1.domain.1.username={our-saka-domain1-username} skce.cfg.property.saka.cluster.1.domain.1.password={our-saka-domain1-userpwd}
   
   

NOTE: SKCE reads all the content of the skce-configuration.properties file upon being deployed. Any changes to this file will need GlassFish restarted for the changes to take effect.

5.3—FIDO AppID File Information

1. In the terminal window, change directory to /usr/local/strongauth/skce/etc/.
   cd /usr/local/strongauth/skce/etc
   
   

2. Open the skce-configuration.properties file located in the /etc directory with a text editor.
   
   

3. Search for the skfe.cfg.property.applicationid property. It holds the appid.json file location used for FIDO origin verification.
   
   

4. Change the default value to point to the location of app.json on the machine where SKCE is being installed. The app.json file is created while installing GlassFish (Step 6m: Configure 2 Step-FIDO Origin Verification) and this file should usually be accessible over a browser; it is placed in GlassFish's docroot directory.
   
   

5. The new value of this property should be something like the following:
   **https://{your-machine-fqdn}:{port}/app.json** (or) **http://{your-machine-fqdn}:{port}/app.json**
   
   

6. Save skce-configuration.properties and close it.
   
   

5.4—Configure SKCE to Cloud

NOTE: StrongKey CryptoEngine currently supports AWS, Azure, and Eucalyptus. AWS and Azure do not require additional configurations from the SKCE side. This properties file is configured to communicate with a test instance of Eucalyptus Walrus on a DEMO machine at StrongKey, Inc. (demo.strongauth.com). However, if you intend to test the SKCE with your own Eucalyptus Walrus cloud, please follow the steps below.

1. In the terminal window, change directory to /usr/local/strongauth/skce/etc/.
   cd /usr/local/strongauth/skce/etc
   
   

2. Copy the SKCE configuration file, jets3t.properties from the downloaded SKCE distribution to this directory.
   cp /usr/local/strongauth/jade/skce-config/jets3t.properties .
   
   

3. To communicate with your own Eucalyptus Cloud, configure SKCE to communicate with the Walrus instance by pointing it to the jets3t.properties file. Create a symbolic link in /usr/local/strongauth/skce/etc, pointing to jets3t.properties. For example, if the actual jets3t.properties file for your Eucalyptus Walrus configuration is in /home/johndoe/euca/jets3t.properties, execute the following two commands. Note the space and the period at the end of the second command.
   cd /usr/local/strongauth/skce/etc ln -s /home/johndoe/euca/jets3t.properties .
   
   

4. In a text editor, modify /usr/local/strongauth/skce/etc/skce-configuration.properties and configure the following property to point to the symbolic link:
   skce.euca.mywalrus.jets3tprop.location=/usr/local/strongauth/skce/etc/jets3t.properties
   ...where /usr/local/strongauth/skce/etc/jets3t.properties is an example file.
   
   

5.5—Configure skce-configuration.properties to Talk to OpenDJ (for Windows Users Only)

1. Open the Control Panel of OpenDJ and Login. A batch file to open Control Panel can be found at <OpenDJ-Install-location>\OpenDJ-2.5.0-Xpress1\bat\control-panel.bat.
   
   

2. Once logged in, note the port used by OpenDJ:
   
   The port on which OpenDJ is running.
   
   

3. Open the skcc-configuration.properties file at *C:\usr\local\strongauth\skce\etc*.
   
   

4. Look for the following properties:
   

   
   
   • ldape.cfg.property.service.ce.ldap.search.ldapurl
   
   
   • ldape.cfg.property.service.ce.ldap.ldapurl
   
   
   
   Change the port number to your value. For example, in the image above, since our LDAP is running on port 389, we will change its property to ldap://localhost:389.
   
   Change the value in the properties file.
   
   

SKCE 2.0 is configured and the software is ready to be deployed on GlassFish application server.

---

6—Install and Configure GlassFish

The StrongKey CryptoEngine is fully tested using GlassFish 4.1 application server.

6.1—Download GlassFish 4.1

1. Download GlassFish 4.1 edition .ZIP file (glassfish-4.1.zip).
   
   

2. Save the file in /usr/local/strongauth (Linux) and *C:\usr\local\strongauth* (Windows).
   
   

6.2—Install GlassFish 4.1

1. Open a terminal window.
   
   

2. Change directory to /usr/local/strongauth, where the GlassFish install has been downloaded. Type the command below in the terminal window:
   cd /usr/local/strongauth
   
   

3. (Windows users can skip this step.) Change the files mode by using the command shown here:
   chmod 755 glassfish-4.1.zip
   
   

4. Unzip the contents of the downloaded .ZIP file in the current directory. Since the download is a .TAR file, use the command below to extract it.
   unzip glassfish-4.1.zip
   
   

5. (Windows Users can skip this step.) Create the GLASSFISHHOME environment variable:
   *GLASSFISH_HOME=***/usr/local/strongauth/glassfish4/glassfish/*** *export GLASSFISH_HOME*=***/usr/local/strongauth/glassfish4/glassfish/*** *PATH*=***$GLASSFISH_HOME/bin:$PATH***
   
   

   1. Download and copy the MySQL JDBC driver .JAR file into the GlassFish /lib directory.
      cp {jar-location}/mysql-connector-java-5.1.12-bin.jar /usr/local/strongauth/glassfish4/glassfish/lib
      
      

6. Start GlassFish application server using the command below and ensure that the server has started successfully.
   /usr/local/strongauth/glassfish4/glassfish/bin/asadmin start-domain
   <bR>
   NOTE: To stop GlassFish, use the following command:
   /usr/local/strongauth/glassfish4/glassfish/bin/asadmin stop-domain
   
   

6.3—Configure GlassFish 4.1

1. All configuration changes to GlassFish in this step can be done either on the command line using asadmin commands, or via a browser-based administration console for GlassFish. For simplicity and ease of use, this document explains how to configure GlassFish using the GlassFish administration console.
   
   

2. Open a web browser and type localhost:4848 where 4848 is the default port for GlassFish. If your instance of GlassFish has been configured to use another port, use that port instead.
   
   GlassFish login page.
   
   
   NOTE: The pictures of the admin console in this document use port 44848 instead of 4848 since the test machine had GlassFish set up on 44848. Ignore this difference.
   
   

3. Enter admin as the username and adminadmin as the password (the GlassFish default admin credentials). Depending on how the GlassFish admin login credentials are configured, the first page shown might be the login page for the console or might be the console's home page.
   
   

4. Clicking Login opens the console's home page.
   
   GlassFish console homepage.
   
   

6.4—Configure HTTP Session Timeout

1. On the left panel, click Configurations -> server-config -> Web Container.
   
   

2. On the right panel, select the tab Session Properties.
   
   

3. Set Session Timeout to 900. Feel free to change the value to match your requirements.
   
   

4. Click Save.
   
   Configure HTTP session timeout.
   
   

6.5—Configure JVM Heap Size

1. On the left panel, click Configurations -> server-config -> JVM Settings.
   
   

2. On the right panel, select the JVM Options tab and click Add JVM Option.
   
   

3. Enter -Xmx1024m if it is not already there.
   
   

4. Click Save.
   
   Configure JVM heap size.
   
   

6.6—Configure Request Timeout

1. On the left panel, click Configurations -> server-config -> Network Config -> Network Listeners -> http-listener-2.
   
   

2. On the right panel, select the tab, HTTP.
   
   

3. Scroll down to Request Timeout and set its value to 7200.
   
   

4. Click Save.
   NOTE: A minor defect in GlassFish might prompt for entering a positive integer for Max Post Size when saving the Request Timeout change. If you are not prompted, proceed with the next step. If prompted, delete the value (if -1) for Max Post Size and then click on Save.
   
   Configure request timeout.
   
   

6.7—Configure Thread Pool

1. On the left, expand the node Configurations -> server-config -> Thread Pools -> http-thread-pool.
   
   

2. Set Max Thread Pool Size to 100.
   
   

3. Click Save.
   
   Configure thread pool.
   
   

6.8—Create JDBC Resources

1. Copy the MySQL JDBC Connector .JAR file into GlassFish.
   
   

2. On the left side, expand Resources -> JDBC -> JDBC Connection Pools.
   
   JDBC Connection Pools page.
   
   

3. Click New. A page opens to create a new JDBC connection pool. Enter the information as shown here:

   Field	Value
   Pool name	SKCEPool
   Resource Type	javax.sql.ConnectionPoolDataSource
   Database Driver Vendor	MySQL

   
   Create new JDBC connection pool
   
   

4. Click Next. On the next page, scroll down to the Additional properties section. This is where you must specify the database name, hostname, port, and user credentials for access. Delete all the existing values and add the new values as shown here:

   Field	Value
   user	skcedbuser
   port	3306
   password	AbracaDabra
   ServerName	localhost
   DatabaseName	skce

   
   
   
   Set JDBC properties.
   
   

5. Click Finish. This will create the connection pool; but to test the connection, click ping and it should respond, "Ping succeeded":
   
   Ping succeeded.
   
   
   NOTE: If the ping has failed as shown in the image below, please verify you copied the JDBC driver .JAR file into the GlassFish /lib directory.
   cp /usr/local/strongauth/jade/lib/mysql-connector-java-5.1.12-bin.jar /usr/local/strongauth/glassfish4/glassfish/lib
   
   Failed ping.
   
   

6. Now, we need to create a JDBC resource that uses the connection pool we just created above.

7. On the left, expand Resources -> JDBC -> JDBC Resources. You would see a screen like the one here:
   
   JDBC resources page.
   
   

8. Click New and enter the JDBC resource information, as shown.
   JNDI Name = jdbc/skce
   Pool Name = SKCEPool

   
   Create a new JDBC resource.
   
   

9. Click Ok to create the JDBC resource.

6.9—Generate a New SSL Certificate for SKCE

For its security-sensitive operations, StrongKey CryptoEngine should allow communication over SSL for the client applications talking to it. To enable the same, this step explains how to generate a self-signed SSL certificate for SKCE that the client applications should trust before they can make use of the SKCE services. All this can be achieved by using Java's built-in tool called keytool.

1. Open a terminal window and change directory to the GlassFish's /config directory.
   cd /usr/local/strongauth/glassfish4/glassfish/domains/domain1/config/
   
   

2. Execute the below command using keytool. Please note couple of things: 1) The storepass for the keystore, keystore.jks, is changeit by default, and 2) The alias is s1as (with a number '1' and not alphablet 'l').
   keytool -changealias -keystore keystore.jks -storepass changeit -alias s1as -destalias s1as.org
   
   

3. Generate a new certificate. Execute the command below all in one line. Please make sure you change the elements in marked in curly brackets {} to your machine FQDN and to organizational unit (OU) details.
   keytool -genkeypair -alias {your-machine-fqdn} -keystore keystore.jks -storepass changeit -keypass changeit -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3652 -dname "CN={your-machine-fqdn},OU={your-organizational-unit},O=Strongauth Inc"
   
   

4. The certificate generated above is the new SSL certificate SKCE shows to all its client applications for them to trust.
   
   

5. Change the alias of the newly generated certificate to s1as:
   keytool -changealias -keystore keystore.jks -storepass changeit -alias <your-machine-fqdn> -destalias s1as
   
   

6. GlassFish application server must be rebooted. Type in the command below and press Enter.
   /usr/local/strongauth/glassfish4/glassfish/bin/asadmin restart-domain
   
   

6.10—Download SKCE SSL Certificate

As mentioned in the previous steps, StrongKey CryptoEngine enables communication over SSL; and to make use of it, the sample client applications trying to SKCE should download the self-signed certificate SKCE holds and should import the same into the TrustStore. The JVM TrustStore is used with simple console clients and the application server's TrustStore is used for web application clients.

1. To download SSL certificates, open Firefox and type the URL of your SAKA server in the address bar (The URL must specify the HTTPS protocol and port 8181. For example, https://skce.yourdomain.com:8181 where, skce is your SAKA server and yourdomain.com is your domain name). You should see the following screen on your browser. Expand the I Understand the Risks link. You will now see the following image:
   
   Initial page on accessing https://skce.yourdomain.com:8181.
   
   
   NOTE: The images in this document are captured from a machine on which SKCE is installed and is running on a different port, i.e., 48181 instead of the default port, i.e., 8181. Please ignore this change and you should always use the port on which the SKCE you just installed is running on.
   Also, while it is possible to perform these “certificate-trust” steps using another browser, such as Internet Explorer, Chrome, or Safari, StrongKey has not documented these detailed steps in this document. There is no difference in the SSL certificate no matter which browser downloads the certificate to your computer.
   
   

2. Click Add Exception.... The following image displays:
   
   After clicking Add Exception.
   
   

3. Click the 'Get Certificate' button which would fetch the SSL certificate that we are about to trust. Then click on 'View' button to view the certificate. You will now see the following image
   
   After clicking Get Certificate.
   
   

4. Select the Details... tab. You will see the following image:
   
   After selecting the Details tab.
   
   

5. Select Export... to store the certificate in a directory of your choice. Add a .PEM extension to the filename and Save.
   
   Save the certificate.
   
   

6. Click Close on all visible panels related to certificate import.
   
   

7. Select Confirm Security Exception on the visible panel. You should now see the following screen on the browser:
   
   After clicking the Confirm Security Exception button.
   
   

6.11—Import SKCE SSL Certificate into the Glassfish TrustStore

StrongKey CryptoEngine accesses its own URL over SSL for certain functionality (FIDO origin verification, etc.). Hence, the SKCE SSL certificate must be imported to the GlassFish TrustStore.

1. Open a terminal window.
   
   

2. Change directory to GlassFish /config directory where the GlassFish TrustStore is located. Type the command below into the terminal window:
   cd /usr/local/strongauth/glassfish4/glassfish/domains/domain1/config/
   
   

3. Type the following command on a single line. The command below assumes that the certificate file has been saved in /usr/local/strongauth directory. If it is not the case for you, please point to the correct location.
   keytool -importcert -keystore cacerts.jks -storepass changeit -alias deiskce04 -file /usr/local/strongauth/jade/deiskce04.strongauth.com.pem
   Your output should resemble the image below. You will be prompted to trust the certificate, for which you should type yes.
   
   You will be prompted to trust the certificate.
   
   

4. Once you trust the certificate, it is added to the TrustStore. The output should look like the image below:
   
   After the certificate was added to the keystore.
   
   

5. To verify the above step, try listing the certificate using the command below.
   keytool -list -keystore cacerts.jks -storepass changeit -alias demo2
   The output should be like the image below.
   
   Certificate being successfully listed in the keystore.
   
   

This concludes importing SKCE SSL certificate import process.

6.12—Import SAKA SSL Certificate into GlassFish TrustStore

StrongKey CryptoEngine uses StrongAuth KeyAppliance (SAKA) demo version (hosted on StrongKey's site and purely meant for demonstration) as a key vault to store the cryptographic keys it generates to encrypt documents. To achieve this key escrow, SKCE communicates with SAKA over SSL. Hence, the SAKA server's self-signed SSL certificate must be imported into the GlassFish TrustStore file: cacerts.jks. This step explains how to do that. The demo SAKA servers that SKCE is configured (by default) to communicate with are:
https://demo2.strongauth.com:8181 and https://demo3.strongauth.com:8181
This document explains how to import certificate of one SAKA server; the process must be repeated for the other SAKA server(s), too.

NOTE: If you have SAKA servers hosted on your site, you should use them instead of demo servers and certificates from your SAKA servers must be imported (instead of demo servers' certificates).

1. To download SSL certificates, open Firefox.
   NOTE: While it is possible to perform these “certificate-trust” steps using another browser, such as Internet Explorer, Chrome, or Safari, StrongKey has not documented these detailed steps in this document. There is no difference in the SSL certificate no matter which browser downloads the certificate to your computer.
   
   

2. Type the URL of your SAKA server in the address-bar (The URL must specify the https protocol and port 8181. For example, https://saka01.yourdomain.com:8181/index.html where, skce01 is your SAKA server and yourdomain.com is your domain name). You should see the following screen on your browser. Expand the 'I Understand the Risks' link. You will now see the following image.
   
   On expanding the I Understand the Risks link.
   
   

3. Select the Add Exception... button. You will see the following image:
   
   After clicking Add Exception.
   
   

4. Click Get Certificate to fetch the SSL certificate that we are about to trust. Then click View to view the certificate. You will now see the following image:
   
   After clicking Get Certificate.
   
   

5. Select the Details... tab. You will now see the following image:
   
   After selecting the Details tab.
   
   

6. Click Export... and store the certificate in a directory of your choice. Add a .PEM extension to the filename and click Save.
   
   Save the certificate.
   
   

7. Select Close on all visible panels related to certificate import.
   
   

8. Click Confirm Security Exception on the visible panel. You should now see the following screen on the browser:
   
   After clicking Confirm Security Exception.
   
   

9. Add the certificate just downloaded into GlassFish TrustStore. Make sure to substitute the example certificate filename used (demo2.strongauth.com.pem) with your SAKA certificate file name.
   
   

10. Open a terminal window.
    
    

11. Change directory to GlassFish /config directory where the GlassFish TrustStore is located. Type the command below into the terminal window.
    cd /usr/local/strongauth/glassfish4/glassfish/domains/domain1/config/
    
    

12. Type in the following command on a single line. The command below assumes that the certificate file has been saved in /usr/local/strongauth directory. If it is not the case for you, please point to the correct location.
    keytool -importcert -keystore cacerts.jks -storepass changeit -alias demo2 -file /usr/local/strongauth/demo2.strongauth.com.pem
    Your output will look like the image below. You will be prompted to trust the certificate, for which you should type yes.
    
    When prompted for a certificate, type yes.
    
    

13. Once you trust the certificate, it is added to the TrustStore. The output at this point resembles the image below.
    
    Certificate added to the keystore.
    
    

14. To verify the above step, try listing the certificate using the command below:
    keytool -list -keystore cacerts.jks -storepass changeit -alias demo2
    The output will look like the image below.
    
    Successfully listing a certificate from the keystore.
    
    

15. Repeat 6.12—Import SAKA SSL Certificate into GlassFish TrustStore for the other SAKA server in the demo cluster, accessible at https://demo3.strongauth.com:8181. Remember, if you are using your own SAKA servers, you should repeat Step 9 for each one with which SKCE will communicate.

This concludes importing SSL certificates process.

6.13—Configure Two-step FIDO Origin Verification

1. StrongKey CryptoEngine is a built-in FIDO server. For the FIDO functionality of SKCE, app.json must be placed in GlassFish's /docroot directory. The downloaded SKCE distribution contains a sample app.json file, but the content of that file must be modified to reflect your machine's FQDN.
   
   

2. In a terminal window, change directory to /usr/local/strongauth.
   cd /usr/local/strongauth
   
   

3. Copy the sample app.json file from the SKCE distribution downloaded into the current directory.
   cp /usr/local/strongauth/jade/skce-config/fido/app.json .
   
   

4. Using a text editor, open the file to observe its contents. The contents of the file by default will be:
   ["https://fido.strongauth.com:8181"]
   
   

5. Change the contents to append the URL to your machine's FQDN and Save it. Please also include the non-SSL URL in case you plan to use it. This file can have any number of entries, separated by a comma:

   Example 1: Single entry:
   ["https://<your-machine-FQDN>:<port>"]
   
   
   Example 2: Multiple entries separated by commas
   [“https://fido.strongauth.com:8181”, "https://demo.mydomain:8181", "http://demo.mydomain:8080"]
   
   
   The reason behind leaving the default origin, i.e., https://fido.strongauth.com:8181, is we would be running tests on SKCE that we will install in later steps. As part of the FIDO steps, the sample client tool provided by StrongKey uses https://fido.strongauth.com:8181 as origin.
   
   

6. This assumes SKCE FIDO functionality will be tested from your machine. If planning to test FIDO from external machines, app.json should have entries reflecting the external (client) machines.
   
   

7. After all changes, Save and Close the file.
   
   

8. Move app.json to GlassFish4's /docroot directory using the command below, all in one line:
   mv /usr/local/strongauth/app.json /usr/local/strongauth/glassfish4/glassfish/domains/domain1/docroot/
   
   

9. Ensure that the file is copied by listing it:
   ls -l /usr/local/strongauth/glassfish4/glassfish/domains/domain1/docroot/app.json
   
   

This finishes configuring GlassFish for SKCE FIDO functionality.

6.14—Copy index.html to GlassFish 4.1 docroot

Copy the SKCE welcome page called index.html to your GlassFish's /docroot directory. This page contains SOAP-based web service resource information (WSDL/XSD) for various modules within SKCE.
Type this command:
cp /usr/local/strongauth/jade/skce-config/index.html /usr/local/strongauth/glassfish4/glassfish/domains/domain1/docroot/

6.15—Restart GlassFish Server

1. To get all the configuration changes into efffect, the GlassFish server must be restarted.
   
   

2. On the terminal window, type the command below and press Enter.
   /usr/local/strongauth/glassfish4/glassfish/bin/asadmin restart-domain
   
   

3. In case the server must be stopped or started for some reason, please use the commands below:
   /usr/local/strongauth/glassfish4/glassfish/bin/asadmin stop-domain /usr/local/strongauth/glassfish4/glassfish/bin/asadmin start-domain
   
   

Glassfish 4.1 is now installed, configured, and started.

---

7—Deploy SKCE 2.0 on GlassFish

Windows Users: Follow the instructions here to deploy it. After you are done, please go to 8—Activate SKCE 2.0 for Cryptographic Operations.

The StrongKey CryptoEngine is ready to be deployed.

1. Open a terminal window.
   
   

2. Change directory to /usr/local/strongauth, where the Glassfish install has been downloaded. Type the command below into the terminal window:
   cd /usr/local/strongauth
   
   

3. Copy the skce.ear file (SKCE's enterprise application archive file) from the SKCE distribution you downloaded.
   cp /usr/local/strongauth/jade/skce.ear .
   
   

4. Change permissions on the file:
   chmod 755 skce.ear
   
   

5. Change directory to the GlassFish /home directory:
   cd /usr/local/strongauth/glassfish4/glassfish/bin
   
   

6. Deploy skce.ear on the GlassFish application server. Continue viewing the GlassFish logs as the deployment proceeds. Open another terminal window (leaving the current one open; it will be referred to as Window2 and the first one as Window1 for clarity.
   
   

7. In Window2, change directory to the GlassFish /logs directory.
   cd /usr/local/strongauth/glassfish4/glassfish/domains/domain1/logs
   
   

8. In Window2, tail the Glassfish logs and leave the window open as we work with SKCE to observe the logged information:
   tail -f server.log
   
   

9. In Window1, deploy skce.ear on GlassFish using the asadmin deploy command:
   ./asadmin deploy /usr/local/strongauth/skce.ear
   
   

10. As the deployment proceeds, observe the output in the log on Window2 and check to see there are no errors. If no errors are observed in the log, SKCE 2.0 has been successfully deployed. Another way to confirm successful deployment of SKCE 2.0 is to try accessing the SOAP-based web service WSDL links to various modules of SKCE.
    
    

11. Open a browser of your choice and type in the URL, https://{your-machine-fqdn}:{port}/index.html. You should see the SKCE Welcome page (please refer to the image below) with links to bunches of resources.
    
    SKCE Welcome page.
    
    

12. Click any of the WSDL links, and if you are able to see the WSDL, SKCE has been deployed successfully.
    
    Successfully loading the WSDL.
    
    

This finishes deploying SKCE 2.0. The software is now ready to be tested.

---

8—Activate SKCE 2.0 for Cryptographic Operations

The StrongKey CryptoEngine must be enabled by three Key Custodians (KCs) by providing their credentials for all of the cryptographic operations to work. This document describes a step-by-step procedure of generating KC credentials and how to activate SKCE using those credentials.

8.1—Setup Key Custodians

The SKCE uses three KCs to activate cryptographic operations on SKCE. The role names are:

• Security Officer
• Key Custodian 1
• Key Custodian 2

Setting up KCs for SKCE can be accomplished by running a script provided along with the distribution downloaded for SKCE. Throughout the whole process, it is highly recommended to watch the GlassFish server logs. To that end, two terminal windows will be used as we proceed.
NOTE: In production environments, KC credentials are stored in USB flash drives and are handed over to real administrators who would further be responsible for the key custodianship. But for demonstration purposes, the credentials will be generated onto a directory called keystores on the local file system.


WINDOWS USERS
1. Find instruction on how to view logs files here. Once done, go to the next step.


2. How to Set up Key Custodians for Windows.

• Go to the /jade folder at C:\usr\local\strongauth\jade.
• Open a command prompt (cmd).
• Type java -version to make sure you are using JDK1.8.
• Type java -jar skcewizards.jar.
• If successful, go to Step 9 in this section and continue the steps that follow.

1. Open a terminal window (referred to going forward as Window1). Change directory to GlassFish /logs directory.
cd /usr/local/strongauth/glassfish4/glassfish/domains/domain1/logs

1. Window1: Tail the GlassFish logs and leave the window open as we work with SKCE to observe the logs information. Keep this window open through out the steps.
   tail -f server.log
   
   

2. Open another terminal window (referred to going forward as Window2). Change directory to /usr/local/strongauth/skce.
   cd /usr/local/strongauth/skce
   
   

3. Window2: Make a new directory called keystores where all the KC credentials will be stored by the wizard we are going to run shortly.
   mkdir keystores
   
   

4. Window2: Change directory to /usr/local/strongauth/jade.
   cd /usr/local/strongauth/jade/
   
   

5. Window2: Change permissions of the Linux shell script files (.sh files) in the /jade directory to have execute priviliges.
   chmod 755 *.sh
   
   

6. Window2 : Run the Primary-SKCE-KeyCustodian-Setup-Wizard.sh script using the command below and press Enter:
   ./Primary-SKCE-KeyCustodian-Setup-Wizard.sh
   
   

7. The script will open a wizard to generate KC credentials for SKCE. Make sure to keep watching the logs that are scrolling on Window1.
   
   

8. The first screen of the wizard will look like the image below:
   
   First screen of the wizard.
   
   

9. Click Next. The screen opens where the crypto graphic module information is provided. Since this is a demonstration version of SKCE, it uses a software-based cryptographic module, which is a local keystore generated by this wizard. In production environment, it is HIGHLY RECOMMENDED not to use a software-based cryptographic module. Select Software-based Module (SunJCE) as the Type of cryptographic module and click Next.
   
   Select SunJCE.
   
   

10. Security Officer's credentials are generated next. Choose a password and repeat the same to confirm. Browse to the keystores directory (created earlier in this process) for the target location. Prior to clicking Create, the wizard should look like the image below:
    
    Creating a credential.
    
    

11. Once you ensure everything looks right, click Createnext to "Click to create keystore credential:" text on the wizard. The wizard creates the credential files and stores them in /usr/local/strongauth/skce/keystores/. The output on the wizard should look like the image below. Ignore the prompt that says, "Remove the flash drive after clicking 'Next' to continue." As explained above, for security purposes, these credentials are stored in flash drives that are handed over to real administrators.
    
    Ignore the prompt.
    
    
    There is also a message window in the wizard which will should never have any error messages as long as everything is going fine.
    
    A success message.
    
    

12. Click Next. The KC1 credentials page opens. Choose another password for KC1; for the Target Location, use the same /keystores directory. Click Create.
    
    Create credentials for Key Custodian #1.
    
    

13. Click Next. The KC2 credentials page opens. Choose another password for KC2; for the Target Location, use the same /keystores directory. Click Create. The successful output is shown here:
    
    Create credentials for Key Custodian #2.
    
    

14. Click Next. The signing key page opens. Please enter a commonname for the signing key (MyCompany, for example). The example below uses StrongAuth and for the SAKA domain, uses 1. The commonname and the SAKA domain are just for information purposes in the signing key, and will really not impact any functionality. Additionally, there is a certificate location where the certificate is stored. Leave it to be the default which is /usr/local/strongauth/skce/etc. After all the inputs, the page should look like the image below.
    
    Fill out fields and Browse to the certificate location.
    
    

15. At this point, click Createto generate the signing key and place it in the certificate location. Creation results show in the message window.
    
    Success after clicking Create.
    
    

16. Click Next again to proceed to the conclusion page.
    
    Finished!
    
    

17. Clicking Finish ends the process of the credentials generation. List the content of /usr/local/strongauth/skce/keystores to see all the credential keystore files.
    
    List the directory to make sure the certificates exists.
    
    

18. Restart GlassFish to pick up new property changes created by the wizard.
    /usr/local/strongauth/glassfish4/glassfish/bin/asadmin restart-domain
    
    

Key Custodian setup for SKCE is complete. Leave Window1 and Window2 open for the next steps.

8.2—Import SKCE SSL Certificate into JVM TrustStore

To download SKCE SSL certificate, please refer to 6.10—Download SKCE SSL Certificate and then continue. Make sure you substitute the example certificate filename used (deiskce04.strongauth.com.pem in the document) with your SKCE certificate filename.

---

Windows Users :
If you do not import a certificate into your JVM store, you make get a PKIX error like this one:

PKIX error if you forget to import the certificate.

How to import SKCE SSL Certificate into JVM trust store for Windows. After you complete this, please go to 8.3—Activate SKCE for Cryptographic Operations.

---

1. Open a terminal window.
   
   

2. Check the Java PATH by typing in the command below; this will tell you the default Jave PATH.
   which java /usr/local/strongauth/jdk1.8.0_45/bin/java
   If multiple Java versions are installed, to avoid confusion regarding which JVM TrustStore has the SKCE certificate imported and which does not, use the default Java installation.
   
   

3. Change directory to the default JDK security directory where the JVM's certificate TrustStore is located. Type the command below into the terminal window. The name of the TrustStore is cacerts.
   cd /usr/local/strongauth/jdk1.8.0_45/jre/lib/security/
   
   

4. Type in the following command on a single line. The command below assumes the certificate file has been saved in /usr/local/strongauth. If it is not the case, please point to the correct location.
   keytool -importcert -keystore cacerts -storepass changeit -alias deiskce04 -file /usr/local/strongauth/deiskce04.strongauth.com.pem
   Your output should like the image below. You will be prompted to trust the certificate, for which you should type in yes.
   
   Type yes.
   
   

5. Once you trust the certificate, it is added to the TrustStore. The output will look like the image below.
   
   After the certificate was successfully added.
   
   

6. To verify the above step, try listing the certificate using the command below.
   keytool -list -keystore cacerts -storepass changeit -alias deiskce04
   The output should like the image below.
   
   On successfully listing out the added certificate
   
   

7. This concludes importing SKCE SSL certificate process.
   
   

8.3—Activate SKCE for Cryptographic Operations

Now that the Key Custodians have been configured, SKCE must be activated to perform cryptographic operations using the KC credentials. Again, a shell script can be run and the whole process is wizard-based, as above.

---

Windows Users :
1. Find instruction on how to view logs files here. Once done, go to the next step.


2. How to Activate SKCE for Cryptographic operations for Windows.

• Open C:\usr\local\strongauth\jade.
• Open a command prompt (cmd).
• Type java -version to make sure you are using JDK1.8.
• Type java -jar skceconsoletool.jar.
• Go to Step 5 in this section and continue the steps that follow.

If you have not imported the right certificate into your JVM store, you may get a PKIX error:

PKIX Error if the certificate was not imported.

---

1. Leaving Window1 to capture logs, switch to Window2.
   
   

2. Window2: Change directory to /usr/local/strongauth/jade.
   cd /usr/local/strongauth/jade
   
   

3. Window2: Run SKCE-ConsoleTool.sh shell script in /usr/local/strongauth/jade.
   ./SKCE-ConsoleTool.sh
   
   

4. The script will open up a wizard to activate SKCE using all the three KC credentials: Security Officer, Key Custodian #1, and Key Custodian #2. Kepp an eye on the logs that are scrolling by on Window1 as you go.
   
   

5. The first screen of the wizard will look like the image below.
   
   The first screen of the wizard.
   
   
   Ensure that the Webservice URL points to the hostname of machine where SKCE is installed, and that it includes the port on which it is running. Leave the rest of the setting alone.
   For each of the Key Custodians including the Security Officer:

   • Select the 'key custodian role' from the drop down. (order does not matter)
   • Browse to and select the right keystore file:

   Role	Keystore File
   security officer	skce-securityofficer.jceks
   Key Custodian 1	skce-keycustodian1.jceks
   Key Custodian 2	skce-keycustodian2.jceks

   All three files can be found in /usr/local/strongauth/skce/keystores.

   • Enter the relevant password in the keystore password field.
   • Click Verify. A correct password results in a message: "Password has been successfully verified."
   • Click Submit. A success message will say, "Successfully set PIN for {key custodian} {code}."

   Please refer to the images below for your reference.
   
   Verify Security Officer credentials.
   
   
   
   Successfully verified Security Officer credentials.
   
   
   
   Successfully verified Key Custodian #1 credentials.
   
   
   
   Successfully verified Key Custodian #2 credentials.
   
   

6. Once all the three Key Custodians have submitted their credentials, Exit the wizard.
   
   

The Cryptographic Module of StrongKey CryptoEngine is active, and SKCE is ready to perform cryptographic operations.

---

9—Test SKCE 2.0 Using the Sample SKCE Client Program

StrongKey has put up a sample client application called skceclient to test StrongKey CryptoEngine 2.0 functionality. The sample client is a command line interface (CLI)-based client written in Java programming language and tested on JDK 8.
skceclient tests file encryption and decryption, cloud operations, LDAP/AD-based user authentications/authorizations, FIDO-based user registrations/authentications, etc.

NOTE: A full JDK installation (JDK 8 or above) is needed; JRE alone is not sufficient.

9.1—Import the SKCE SSL Certificate into the JVM TrustStore

As mentioned in the previous steps, StrongKey CryptoEngine enables communication over SSL; sample client applications trying to SKCE should download the self-signed certificate SKCE holds and import it into the TrustStore. The JVM's TrustStore is used for simple console clients and the application server's TrustStore is used for web application clients.

WINDOWS USERS: Import the SKCE certificate into JVM. (How do I do this?)

1. To download the SKCE SSL certificate, please follow 6.10—Download SKCE SSL Certificate, if not done already, and then continue.
   
   

2. To add the certificate we downloaded earlier into the JVM TrustStore (our sample skceclient just needs a JVM to run and does not run on any application server), follow the steps below. Make sure you substitute the example certificate filename used (deiskce04.strongauth.com.pem in the above picture) with your SKCE certificate filename.
   
   

3. Open a terminal window.
   
   

4. Check the Java PATH by typing in the command below; this will tell you the default Java PATH.
   which java /usr/local/strongauth/jdk1.8.0_45/bin/java
   If multiple Java versions are installed, to avoid confusion regarding which JVM TrustStore has the SKCE certificate imported and which does not, use the default Java installation.
   <bR>

5. Change directory to the default JDK security directory where the JVM certificate TrustStore is located. Type the command below into the terminal window. The name of the TrustStore is cacerts.
   cd /usr/local/strongauth/jdk1.8.0_45/jre/lib/security/
   
   

6. Type the following command on a single line. The command below assumes the certificate file has been saved in /usr/local/strongauth. If this is not the case in your installation, please point to the correct location.
   keytool -importcert -keystore cacerts -storepass changeit -alias deiskce04 -file /usr/local/strongauth/deiskce04.strongauth.com.pem
   Your output should look like the image below. You will be prompted to trust the certificate. Type yes.
   
   Type yes.
   
   

7. Once you trust the certificate, it is added to the TrustStore. The output will look like the image below:
   
   Successfully adding a certificate.
   
   

8. To verify the above step, list the certificate using the command below:
   keytool -list -keystore cacerts -storepass changeit -alias deiskce04
   The output should look like the image below:
   
   Successfully listing a certificate from the keystore.
   
   

This concludes importing the SKCE SSL certificate.

9.2—Perform Tests Using skceclient

Test SKCE v2.0 build 121 with a sample client program.

Test SKCE v2.0 build 77 with a sample client program.

---

10—Build SKCE 2.0 Source Code

Once SKCE 2.0 is installed and and tested, if you are interested in the source code, download it from SourceForge and build it using an Integrated Development Environment (IDE) to make a binary. The name of the SKCE binary file is skce.ear. This document only explains the build process using NetBeans 8 IDE.
Prerequisites : Netbeans 8 IDE with JavaEE support, JDK 1.8, Glassfish 4.1, and the MySQL database

Since JDK, GlassFish, and MySQL are already installed and configured based on the instructions above, NetBeans should be the only thing missing. If you have not installed JDK, MySQL, and GlassFish yet, please go through Steps 2, 4, and 6 above, respectively.

10.1—Download SKCE 2.0 Source Code

1. SKCE 2.0 source code can be downloaded from the Files section of the SKCE page on SourceForge.
   
   

2. Open a terminal window and change directory to /usr/local/strongauth. Ensure you have write privileges to the /strongauth directory.
   cd /usr/local/strongauth
   
   

3. Make a new directory called skce-src:
   mkdir skce-src
   
   

4. Save the SKCE source download .ZIP file into this directory and unzip it.
   ls skce-src-v2.0-build-N.zip unzip skce-src-v2.0-build-N.zip ls -l
   
   

The SKCE source code has been successfully downloaded.

10.2—Setup Resources in NetBeans 8

1. Open NetBeans 8 IDE.
   
   

2. Add a Java platform with name jdk8u45 and provide the right JDK paths for the same. Click Tools -> Java Platforms, which will open the Java Platform Manager.
   
   Select JDK8 in your project.
   
   

3. Click Add Platform, which is below the left panel.
   
   Select a platform.
   
   

4. Select Java Standard Edition and click Next. On the next page, select the JDK directory and click Next.
   
   Select Java Standard Edition.
   
   

5. On the next page, please use jdk8u45 as the platform name. The SKCE build process will look for a Java platform with this specific name.
   
   Select a platform.
   
   

6. Click Finish, which will successfully create the Java platform.
   
   Click Finish.
   
   

7. Click Close.
   
   

8. Now, let us add GlassFish server to NetBeans. Click Tools -> Servers, which will open a Server Manager.
   
   Server page.
   
   

9. Click Add Server, which will open the Add Server Instance page. Select GlassFish Server in the list and then click Next button.
   
   Select the GlassFish Server.
   
   

10. In the Server Location page, Browse to the GlassFish4 install path.
    
    Browse to the GlassFish4.x path.
    
    

11. Click Next where the wizard validates the GlassFish4 install and fills the domain information. Leave everything to defaults. You might be prompted to provide GlassFish admin credentials. By default the credentials are : username=admin and password=adminadmin unless changed.
    
    Fillout the domain field.
    
    

12. Click Finish. GlassFish4 server has been successfully added to the servers list in NetBeans. Click Close.
    
    After successfully adding the server.
    
    

13. You will be able to operate with the GlassFish server that we just added from the Services tab in the NetBeans left panel.
    
    'Services' tab on the LHS of the NetBeans UI.
    
    

14. Right-click Databases in the Services panel and then click New Connection which will open a New Connection Wizard. Select MySQL as the driver and click Next.
    
    New Connection wizard.
    
    

15. Provide details for the MySQL database schema called skce, along with the credentials. Click Test Connection and wait for success before you proceed ahead.
    
    Successful connection test.
    
    

16. Click Finish. A new database connection displays under Databases.
    
    Database added to the Databases tree.
    
    

The SKCE project is ready to be built.

10.3—Build SKCE 2.0 in NetBeans 8

1. Click File -> Open Project and Browse to the skce project downloaded from SourceForge.
   
   Browse to the SKCE project.
   
   

2. Once the project opens, notice that skce is the root project which contains many modules.
   
   Project successfully open.
   
   

3. (Optionally) Customize the build process. For example, choose to skip running JUnit tests as part of the build process. Do so through skce project properties -> Actions -> Clean and Build project -> Add. An option displays to skip running tests as part of the build process.
   
   Set Project Properties.
   
   

4. Right-click on skce project node and select Clean and Build which will start the build process for all the modules. This might take time as maven needs to download multiple dependencies. Please be patient. Watch the output of the build process in the 'Output' window.
   
   Clean and Build skce.
   
   

5. The build might fail because maven couldn't find some of StrongAuth's proprietary library dependencies in its public repositories. This would be apparent as a yellow triangle with an exclamation mark synbol on missing jar files. All of those dependencies maven couldn't fetch are bundled in the 'lib' directory of the SKCE 2.0 binary when you downloaded it in the previous steps.
   
   

6. Each of those missing dependencies have to be manually installed. To do so, right click on the missing .jar dependency (with yellow triangle warning) in any of the projects; and select 'Manually install artifact'. This will pop up a simple dialog box like the one below, where you can browse and select the .jar file that you have got from the SKCE 2.0 binary.
   
   Manually install artifact.
   
   

7. Verify all the projects in the NetBeans project panel are free of missing dependencies and then do a Clean and Build on the skce project again. This time, the build process should succeed and the output window should show that all the projects have been successfully built.
   
   Successful Clean and Build.
   
   

8. skce.ear (SKCE 2.0 Enterprise Application Archive) must be deployed on GlassFish 4. This file can be located inside the /target directory of the skce-ear sub-module (/usr/local/strongauth/skce-src/skce/skce-ear/target/skce.ear if you have followed the directory structure used in this document).
   
   

Congratulations! StrongKey CryptoEngine 2.0 source code using Netbeans 8 IDE has been successfuly built and configured! Yea!

---

11—What Next? Developers! Learn How to FIDO-enable Your Applications

You can use SKCE 2.0 to try out StrongKey CryptoCabinet (SKCC) 2.0.


Learn how to integrate SKCE's FIDO Engine into your web application:
1. FIDO-enable a simple JEE7 application using Servlet 3.0 and JSP.


2. FIDO-enable a simple JEE7 application using JSF 2.0 and XHTML.