EJBCA/Installing EJBCA

From 站长百科


EJBCA is a full-featured CA system built on J2EE technology, providing a powerful, high-performance, component-based CA. EJBCA is both flexible and platform independent: it can be used standalone or integrated with any J2EE application.

Installation environment

Installation steps

Integration

  • Copy the file %EJBCA_HOME%\conf\ejbca.properties.sample to %EJBCA_HOME%\conf\ejbca.properties. This is EJBCA's main configuration file and can be customised; for example, the CA configuration:
# ------------ Basic CA configuration ---------------------
# When upgrading, the important options are:
# - ca.keystorepass
# - ca.ocspkeystorepass
 
# This installation will create a first administrative CA. This CA will be used to create the first
# superadministrator and for the SSL server certificate of administrative web server.
# When the administrative web server have been setup you can create other CA:s and administrators.
# This is only used for administrative purposes,
# Enter a short name for the CA.
ca.name=AdminCA1
 
# The Distinguished Name of the CA.
# This is used in the CA certificate to distinguish the CA.
ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
 
# The keysize in bits of the CA, only digits.
ca.keysize=2048
 
# The keytype, can be RSA or ECDSA
ca.keytype=RSA
 
# The validity in days for the CA, only digits.
ca.validity=3650
 
# The policy id of the CA. Policy id determines which PKI policy the CA uses.
# Type your policy id or use '2.5.29.32.0' for 'any policy' (rfc3280) or 'null' for no policy at all.
ca.policy=null
 
# This password is used internally to protect CA keystores in database (i.e. the CAs private key).
# foo123 is to keep compatibility with default installations of EJBCA 3.0, please change this if possible
# If upgrading from EJBCA 3.0.x, you should take this value from src/ca/ca/META-INF/ejb-jar.xml -> keyStorePass.
# The default value is the same for convenience.
ca.keystorepass=foo123
#ca.keystorepass=!secret!
 
# Password user to protect OCSP keystores in the database (CAs OCSP signer certificate).
# If upgrading from EJBCA 3.0.x, you should take this value from src/ca/ca/META-INF/ejb-jar.xml -> OCSPKeyStorePass.
# The default value is the same for convenience.
ca.ocspkeystorepass=foo123
#ca.ocspkeystorepass=ocsp!secret!
 
# Password user to protect XKMS keystores in the database (CAs XKMS signer/enc certificate).
# The default value is the same for convenience.
ca.xkmskeystorepass=foo123
 
# Password user to protect CMS keystores in the database (CAs CMS signer/enc certificate).
# The default value is the same for convenience.
ca.cmskeystorepass=foo123
Since this is only an experimental learning setup, the default configuration is kept. The original documentation states: The default values work fine for a test installation. If you are using JBoss < 4.0.3 you must
configure the property web.jsfimpl in conf/web.properties.
# Specifies the JSF implementation used by the application server EJBCA is deployed on.
# Possible values are: myfaces
# Using nojsf means that the admin-GUI will be limited with some functions not working.
# It can however be useful if there are problems with your application server and JSF/MyFaces.
# Use nojsf for JBoss < 4.0.3
#
# Default: myfaces
#web.jsfimpl=myfaces
If the JBoss version in use is < 4.0.3, the default configuration must be changed.
  • Copy the MySQL JDBC driver package mysql-connector-java-5.0.6-bin.jar to the %JBOSS_HOME%\server\default\lib directory.
  • The databases supported by EJBCA are MySQL, PostgreSQL 7 and 8, Oracle 8 and 9, Sybase, HypersonicSQL, SAPDB and MSSQL. The default database configuration uses JBoss's built-in HypersonicSQL database (which has the following drawbacks: excessive memory consumption and an incomplete SQL feature set). We change it to the MySQL configuration:
# ------------- Database configuration ------------------------
 
# jndi name of the datasource to use in deployment descriptors of ejbs.
#datasource.jndi-name=EjbcaDS
 
# Prefix for the jndi name of the datasource to use in deployment descriptors of ejbs.
# JBoss requires 'java:/' as prefix, while Weblogic does not want anything (''), and Glassfish wants jdbc/
# default: java:/
#datasource.jndi-name-prefix=java:/
#datasource.jndi-name-prefix=
#datasource.jndi-name-prefix=jdbc/
 
# Weblogic in combination with Oracle requires special handling of LONG/BLOB columns
# If, and only if, you are using Weblogic and Oracle, uncomment the row below.
# Use OracleBlob in Weblogic 8.x and Blob in Weblogic 9.x
# default:
#weblogic-oracle-columntype=@weblogic.dbms-column-type OracleBlob
 
# The database name selected for deployment, used to copy XDoclet merge files.
# All supported databases are defined below, others can easily be added
# See the document doc/howto/HOWTO-database.txt for database specifics and tips and tricks.
# Default: hsqldb
database.name=mysql
 
# The datasource mapping selected for deployment.
# The J2EE server needs to be configured with the appropriate datasource mapping.
# For JBoss this maps to a setting in standardjbosscmp-jdbc.xml and must match the database chosen above.
# All supported mappings are defined below, others can easily be added
# Default: Hypersonic SQL
datasource.mapping=mySQL
 
# Database connection url.
# This is the URL used to connect to the database, used to configure a new datasource in JBoss.
# Default: jdbc:hsqldb:${jboss.server.data.dir}${/}hypersonic${/}localDB
database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
 
# JDBC driver classname.
# The J2EE server needs to be configured with the appropriate JDBC driver for the selected database
# Default: org.hsqldb.jdbcDriver
database.driver=com.mysql.jdbc.Driver
 
# Database username.
# Default: sa (works with hsqldb)
database.username=root
 
# Database password.
# Default: (blank works with hsqldb)
database.password=root
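As an added example (not from the page or the EJBCA project), the following script parses the Java properties syntax used by conf/ejbca.properties and reports which of the settings shown in the two configuration excerpts above (CA keystore passwords, database credentials, CA key size) are still at the shipped test-installation values. The sample input is a constructed excerpt of those settings, and the set of default passwords is an assumption drawn from the values shown here.

```python
import re

# Constructed excerpt mirroring the settings the page keeps at their defaults.
SAMPLE_PROPERTIES = """\
ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
ca.keysize=2048
ca.keytype=RSA
ca.keystorepass=foo123
ca.ocspkeystorepass=foo123
database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
database.username=root
database.password=root
"""

# Assumption: the passwords the shipped sample file uses; finding one means
# the value was never changed from the test default.
DEFAULT_PASSWORDS = {"foo123", "root", "sa", ""}


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' / ':' /
    whitespace separators, backslash line continuations; later keys win."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props):
    """Return sorted findings for settings still at test-installation values."""
    findings = []
    for key in ("ca.keystorepass", "ca.ocspkeystorepass", "ca.xkmskeystorepass",
                "ca.cmskeystorepass", "database.password"):
        if key in props and props[key] in DEFAULT_PASSWORDS:
            findings.append(f"{key}: default or empty password")
    if int(props.get("ca.keysize", "0")) < 2048:
        findings.append("ca.keysize: below 2048 bits")
    if props.get("database.username") == "root":
        findings.append("database.username: database superuser in use")
    return sorted(findings)
```

Run it against the real %EJBCA_HOME%\conf\ejbca.properties before ant install; an empty result means none of the checked settings still carries a sample value.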

Console

  • Open a console (command prompt), change to the %EJBCA_HOME% directory and run the command
ant bootstrap
  • This compiles, packages and deploys. When packaging is complete, the generated files are as shown in the figure below:

(Figure: Ejbca in.png)

  • Of these, ejbca.ear is the file deployed to JBoss.
  • Open another console, change to %JBOSS_HOME%\bin and run the run command to start the JBoss server.
  • In the previous console (the one where ant bootstrap was run), execute
ant install

to carry out the installation. This step generates all certificates and keys and everything else needed to initialise the CA. When it finishes, the ${ejbca.home}/p12 directory is created, containing the administrator keys.

It will generate all certificates, keys, etc needed to run with an initial CA. You will find admin keys in ${ejbca.home}/p12
  • tomcat.jks is for the servlet container (don't bother with it)
  • superadmin.p12 should be imported in your browser, that's your administration certificate.
  • If the above steps are run on a Linux operating system, they must be executed under an account with administrator privileges.
  • Stop the JBoss server (press CTRL+C in its console).
  • In the previous console (the one where ant bootstrap was run), execute
ant deploy

This step redeploys the EJBCA application and configures the servlet container's keystore.

  • Restart the JBoss server and import the superadmin.p12 file from the %EJBCA_HOME%\p12 directory into your browser (the default password is ejbca).

Web pages

Open a browser and enter

http://localhost:8080/ejbca

to reach the public pages, or enter

https://localhost:8443/ejbca

to reach the administrator pages. The page looks like this:

(Figure: Ejbca br.png)

Notes:

  1. The log level in %JBOSS_HOME%\server\default\conf\log4j.xml can be set to ERROR to reduce the amount of log output on the console.
  2. Many guides on the web say that configuring the database requires setting up files such as mysql-ds.xml and copying files into some directory; probably because of version differences, it also works without copying anything.

Looking at the ejbca database, you can see that a number of tables have been created automatically:

(Figure: Ejbca last.png)


Reference source

http://read.newbooks.com.cn/info/130101.html
