epoint_issuer install procedure - we have set up our test server successfully: http://epoint.vems.hu:8180/letsTest/info (test server behind a firewall, not online 100% of the time)
This is a draft only: notes about EpointSystem, on setting up an epoint server (e.g. on Linux; MS Windows is not recommended for any security-sensitive task).
Sections:
- EpointSystemIssuerDebian - preparations on Debian
- EpointSystemIssuerPostgres - PostgreSQL database setup
- EpointSystemIssuerGpg - setting up GNUpg keys and trusts
- EpointSystemIssuerTomcat - tomcat and apache
Debian GNU Linux ( other linux can be set up somewhat similarly)
apt-get install sun-java6-jdk
update-java-alternatives -s java-6-sun
apt-get install maven2
apt-get install postgresql
And after tomcat and apache2:
apt-get install libapache2-mod-jk
compile redcentSpringBranch:
cd /svn/cc/epoint_issuer/branches/redcentSpringBranch
mvn clean install -Dmaven.test.skip=true
mvn package (not appropriate any longer ?)
BUILD SUCCESSFUL:
redcent-webapp/target/redcent-webapp-0.0.6-spring-SNAPSHOT.war
Anyone who does not build from source but has received such a binary ready-made can skip the steps above. Of course, we do not recommend accepting a binary. It is best to review the source, test it, and build it yourself.
Postgresql setup:
One DB user is enough, but it must be the same one in createdb.sql, and all scripts must be run with -U dbuser
- createuser -P redcentTest
- dropdb issuerDB
- createdb -O redcentTest --encoding utf-8 issuerDB
edit script (if using other than redcentTest user), adjust passwd and run:
psql -h 127.0.0.1 -p 5432 -U redcentTest issuerDB < /svn/epoint_issuer/issuer/trunk/redcent-database.sql
(While fighting database permission errors,) we also added:
GRANT SELECT, INSERT, UPDATE ON TABLE balance TO "redcentTest";
GRANT SELECT, INSERT, UPDATE ON TABLE certificate TO "redcentTest";
GRANT SELECT, INSERT, UPDATE ON TABLE certificate_issuingcause_values TO "redcentTest";
GRANT SELECT, INSERT, UPDATE ON TABLE authorizedIssuer TO "redcentTest";
GRANT SELECT, INSERT, UPDATE ON TABLE template TO "redcentTest";
(not sure if these are actually needed).
For the market, also GRANT on these tables and views (!):
- UserAcc
- OCert
- document
- Draft
- Offer
- OfferSearch
- OfferSearchAvail
- OfferSearchAvailNA
psql -c 'GRANT SELECT ON TABLE OfferSearch TO "market";' marketDB
psql -c 'GRANT SELECT ON TABLE OfferSearchAvail TO "market";' marketDB
psql -c 'GRANT SELECT ON TABLE OfferSearchAvailNA TO "market";' marketDB
Postgres 8.3.8 JDBC driver http://repo1.maven.org/maven2/postgresql/postgresql/8.3-603.jdbc3/postgresql-8.3-603.jdbc3.jar
Verify that the redcentTest user can access the DB with its password:
psql -h localhost -p 5432 -U redcentTest issuerDB
Note: downloading bouncycastle manually is NOT needed! mvn downloads it automatically.
OBSOLETE! Untested JBoss section (not needed if using Tomcat; this is incomplete, we have not set up JBoss)
apt-get install jbossas4
Datasource definition redcent-ds.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mysql-ds.xml,v 1.3.2.1 2004/12/01 11:46:00 schrouf Exp $ -->
<!-- Datasource config for MySQL using 3.0.9 available from:
http://www.mysql.com/downloads/api-jdbc-stable.html
-->
<datasources>
<local-tx-datasource>
<jndi-name>jdbc/redcentSpringTest</jndi-name>
<connection-url>jdbc:postgresql:redcentSpringTest</connection-url>
<driver-class>org.postgresql.Driver</driver-class>
<user-name>redcentTest</user-name>
<password>test</password>
<!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
<metadata>
<type-mapping>PostgreSQL 8.0</type-mapping>
</metadata>
</local-tx-datasource>
</datasources>
Just place it in JBOSS_HOME/server/default/deploy and configure dbname and user accordingly.
Make sure that the db user you selected in the datasource in /etc/tomcat5.5/server.xml has permissions on the database and its tables.
Publish (binary) /pubkey
Also publish (ascii armoured) /pubkey.asc if possible. (current applications might not depend on it, but it cannot be bad to publish in ascii format as well)
NOTE1: <server URL>/pubkey (eg. http://epoint.vems.hu/letsTest/pubkey ) MUST return the issuer's public key in gpg -a --export ... format. The
Content-type: text/plain
header is very important (a missing Content-type is not good). Verify with telnet ... GET /letsTest ...
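Instead of reading the telnet output by eye, the NOTE1 requirements can be checked by a script. The following is an added example for these notes, not code from the EpointSystem project: check_pubkey_response reads a raw HTTP response on stdin and checks for a 200 status line, a Content-type: text/plain header (name matched case-insensitively) and a body that is a complete "gpg -a --export" armour block. The sample responses are constructed, the key material in them is a placeholder, and the host name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example for these notes, not code from the EpointSystem project.
# Against a live server (host and path are assumptions) it would be driven with:
#   printf 'GET /letsTest/pubkey HTTP/1.0\r\nHost: issuer.example\r\n\r\n' \
#     | nc issuer.example 80 | check_pubkey_response
# Returns 0 when the answer satisfies NOTE1, 1 otherwise (reason on stderr).

check_pubkey_response() {
    # Drop CRs so that CRLF and bare-LF responses are handled the same way.
    resp=$(tr -d '\r')
    # Headers run up to the first empty line; everything after it is the body.
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')

    printf '%s\n' "$headers" | head -n 1 | grep -q '^HTTP/1\.[01] 200 ' \
        || { echo "FAIL: status line is not 200" >&2; return 1; }
    printf '%s\n' "$headers" | grep -iq '^content-type:[[:space:]]*text/plain' \
        || { echo "FAIL: Content-type header missing or not text/plain" >&2; return 1; }
    printf '%s\n' "$body" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' \
        || { echo "FAIL: body does not start an ASCII-armoured public key" >&2; return 1; }
    printf '%s\n' "$body" | grep -q '^-----END PGP PUBLIC KEY BLOCK-----$' \
        || { echo "FAIL: armour block is truncated" >&2; return 1; }
    echo "OK: /pubkey answer has the text/plain header and a complete armour block"
}

# Constructed sample responses; the base64 line is a placeholder, not a real key.
SAMPLE_GOOD='HTTP/1.0 200 OK
Content-Type: text/plain

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQGiBEplaceholderPLACEHOLDERplaceholder=
-----END PGP PUBLIC KEY BLOCK-----'

# The same body served without any Content-type header, the case NOTE1 warns about.
SAMPLE_NO_TYPE='HTTP/1.0 200 OK

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQGiBEplaceholderPLACEHOLDERplaceholder=
-----END PGP PUBLIC KEY BLOCK-----'

# Stand-alone demo: the first call passes, the second reports the missing header.
printf '%s\n' "$SAMPLE_GOOD" | check_pubkey_response
printf '%s\n' "$SAMPLE_NO_TYPE" | check_pubkey_response || true
```

The check is deliberately strict about the END line as well: a truncated key block served with the right header would still break an importing client.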
Copy to the right directory (sibling of WEB-INF):
drwxr-xr-x 3 tomcat55 users 4096 okt 25 07.36 META-INF
drwxr-xr-x 6 tomcat55 www-data 4096 okt 28 14.41 WEB-INF
-rw-r--r-- 1 tomcat55 nogroup 1190 nov 12 18.12 pubkey
-rw-r--r-- 1 tomcat55 users 331 okt 25 06.22 welcome.jsp
But this is not enough, tomcat needs some (what ?) config so the correct header is also returned. PocketBook is a bit fragile, says NullPointerException if the header is not correct. We could not fix it with bare-bone tomcat. However, the Content-type: text/plain got automagically added, after setting up apache + jk_mod properly.
In Debian-GNU Linux after
apt-get install libapache2-mod-jk
execute this (the Debian package comes only half-configured from the Debian factory :-)
cd /etc/apache2/mods-enabled; ln -s ../mods-available/jk.conf .
tested Tomcat /etc/tomcat5.5/server.xml configuration:
NOTE2: autodeploy does NOT work for datasource !!! You MUST deploy manually !
<Host name="www.epointsystem.org">
<Context path="/letsTest" docBase="/home/janis/web/letsTest" debug="5" reloadable="true" >
<Resource name="jdbc/letsTest" auth="Container"
type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
url="jdbc:postgresql://127.0.0.1:5432/letsTest"
username="redcentTest" password="test" maxActive="20" maxIdle="10" maxWait="-1"
/>
</Context>
</Host>
WEB-INF/classes/dataSourceJNDI.properties must contain the resource name:
dataSourceJndiName=comp/env/jdbc/letsTest
Without a correct dataSourceJNDI.properties we got a confusing Tomcat error message, something like:
- Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /home/cell/epoint_tomcat/WEB-INF/classes/logging.properties read)
- note: the classes directory is world writable, but classes/logging.properties does not exist
To run from the command line (recommended, to get log output to console)
- cd /usr/share/tomcat5.5
- export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.12/jre
- ./bin/catalina.sh run
Apache worker (apache-tomcat integration. Incomplete)
apt-get install libapache2-mod-jk
vi /etc/libapache2-mod-jk/workers.properties
workers.tomcat_home=/usr/share/tomcat5.5
workers.java_home=/usr/lib/jvm/java-6-sun
ps=/
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.connection_pool_size=25
worker.worker1.connection_pool_minsize=13
worker.worker1.lbfactor=1
vi /etc/apache2/sites-enabled/000-default
JkMount /letsTest/* worker1
/etc/init.d/tomcat5.5 restart
/etc/init.d/apache2 restart
Testing
http://t208.home:8180/letsTest/info
The format of the server documents:
- follow template (reference to used template included)
- filled with actual data
- signed with GnuPG compatible PKI signature (DSA or RSA, according to server setup)
Verify signature on documents signed by the epoint_issuer server:
Set up GnuPG keys for verification
export the issuer key from the server keyring (at which URL is this pubkey published?):
gpg -a --export 7E309FBF >epoint_issuer_server.pubkey
gpg --import < epoint_issuer_server.pubkey
verify signature:
gpg -v < document_from_server
gpg: Signature made Thu Oct 29 08:33:28 2009 CET using DSA key ID 7E309FBF
gpg: Good signature from ....
Market Install - a raw method to build the classes
Digital Market builds on an earlier (to quote Janis "deprecated") version of the issuer code. Unfortunately there is no maven pom.xml yet. A way to build (especially if eclipse neglects some external jar build entries even after delete + re-add)... BTW, this method minimizes security risks (or is that illusory if the java vm and javac are used anyway?):
- export CLASSPATH=$(find . -iname '*.jar' | tr '\n' ':') (entries must be colon-separated; the newline-separated output of find is not a valid CLASSPATH)
- javac $(find . -iname '*.java') (quote the pattern, otherwise the shell expands it in the current directory only)
- zip -r /tmp/market_classes.zip hu de -x '*.svn/*'
- cd $deploymentdir/WEB-INF/classes
- unzip /tmp/market_classes.zip
This is a giant hack, but it works. Actually, it also makes sure the tested .jar files are used: new, unreviewed, untested (possibly broken or otherwise risky) bouncycastle and other jars cannot sneak in this way. Neither can bugfixes.
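The "cannot sneak in" property above rests on nobody having dropped a new jar into the tree, because find picks up every jar it sees. The following added example (not the Digital Market project's own build script) makes that property explicit: each jar under the tree must match a reviewed sha256 allowlist in sha256sum format ("<hex digest>  <path relative to the tree>"), unlisted or modified jars are rejected, and the CLASSPATH is assembled only from jars that passed. The demo tree, its stand-in jars and the allowlist are constructed by the script itself.

```shell
#!/bin/sh
# Added example for these notes, not code from the Digital Market project.
# Intended use in the build above (allowlist.sha256 is an assumed file name):
#   CLASSPATH=$(verify_jars allowlist.sha256 .) && export CLASSPATH \
#     && javac $(find . -iname '*.java')

sha256_of() {
    # GNU coreutils on Debian; shasum is the fallback on BSD-style systems.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# verify_jars ALLOWLIST DIR
# Prints the colon-separated CLASSPATH of the jars under DIR and returns 0 when
# every jar is allowlisted with a matching digest; otherwise reports each
# offender on stderr, prints nothing and returns 1. (Paths with spaces are not handled.)
verify_jars() {
    allowlist=$1; dir=$2; cp=''; rc=0
    for jar in $(cd "$dir" && find . -name '*.jar' | sed 's|^\./||' | sort); do
        actual=$(sha256_of "$dir/$jar")
        wanted=$(awk -v f="$jar" '$2 == f { print $1 }' "$allowlist")
        if [ -z "$wanted" ]; then
            echo "REJECT: $jar is not in the allowlist" >&2; rc=1
        elif [ "$actual" != "$wanted" ]; then
            echo "REJECT: $jar digest $actual differs from allowlisted $wanted" >&2; rc=1
        else
            cp="${cp:+$cp:}$dir/$jar"
        fi
    done
    [ "$rc" -eq 0 ] && printf '%s\n' "$cp"
    return "$rc"
}

# Builds a throwaway tree with two constructed stand-in jars and an allowlist
# covering both; prints the temporary directory.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    [ -n "$d" ] || return 1
    mkdir -p "$d/app/lib"
    printf 'constructed stand-in for reviewed jar A\n' > "$d/app/lib/a.jar"
    printf 'constructed stand-in for reviewed jar B\n' > "$d/app/lib/b.jar"
    ( cd "$d/app" && for f in lib/a.jar lib/b.jar; do
          printf '%s  %s\n' "$(sha256_of "$f")" "$f"
      done ) > "$d/allowlist.sha256"
    printf '%s\n' "$d"
}

# Stand-alone demo: a clean tree passes, then an unlisted jar makes the build refuse.
DEMO=$(make_demo_tree)
verify_jars "$DEMO/allowlist.sha256" "$DEMO/app"
printf 'constructed unreviewed jar\n' > "$DEMO/app/lib/sneaky.jar"
verify_jars "$DEMO/allowlist.sha256" "$DEMO/app" || echo "build refused, as intended"
rm -rf "$DEMO"
```

The allowlist is what gets reviewed and committed; regenerating it is a deliberate step, so a bugfix release of a jar shows up as a rejected build rather than silently changing what ends up in WEB-INF/classes.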