1#!/bin/bash
2
3########################################################################################
4#
5# Copyright 2017 by Christian Felsing <support@felsing.net>
6#
7# This program is free software: you can redistribute it and/or modify
8# it under the terms of the GNU Lesser General Public License as published by
9# the Free Software Foundation, either version 2 of the License, or
10# any later version.
11#
12# This program is distributed in the hope that it will be useful,
13# but WITHOUT ANY WARRANTY; without even the implied warranty of
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15# GNU General Public License for more details.
16#
17# You should have received a copy of the GNU Lesser General Public License
18# along with this program. If not, see <http://www.gnu.org/licenses/>.
19#
20########################################################################################
21#
22# Original at GitHub: https://github.com/ip6li/ejbca-setup
23#
24# This script modified by EJBCA Team to run on a local EJBCA package
25#
26########################################################################################
27#
28# # # # ###### # # ### # # #####
29# # # # # # # # ## # # ## # # #
30# # # # # # # # # # # # # # # #
31# # # # # # ###### # # # # # # # # ####
32# # # # ####### # # # # # # # # # # #
33# # # # # # # # # ## # # ## # #
34# ## ## # # # # # # ### # # #####
35#
36# THIS SCRIPT WILL DESTROY EXISTING EJBCA INSTALLATION
37# YOU HAVE BEEN WARNED
38########################################################################################
39
40
41########################################################################################
42
43# Configurables
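# Configurables
httpsserver_hostname="localhost"
database_host="localhost"
database_name="ejbca"
database_driver="org.mariadb.jdbc.Driver"
database_url="jdbc:mysql://${database_host}:3306/${database_name}?characterEncoding=UTF-8"
database_username="ejbca"
# Placeholder credential for a local install. It is written into the generated
# properties files and passed to mysql and jboss-cli on their command lines
# (visible in process listings), so change it for anything but a throwaway setup.
database_password="ejbca"
BASE_DN="O=PlaceholderCA,C=SE"

# Variables that should not be configured
superadmin_cn="460N1"
ca_name="PlaceholderCA"
ca_dn="CN=PlaceholderCA,${BASE_DN}"

ejbca_user=$(whoami)
ejbca_group=$(id -g -n "$ejbca_user")
ejbca_user_home=~

# Full path to where we run the script, which will be where we unpack and install software
INSTALL_DIRECTORY=$(pwd)
# Directory the script lives in; abort rather than continue with a wrong path
startdirectory=$(cd "$(dirname "$0")" && pwd -P) || exit 1
# The EJBCA directory: everything before the first "/bin/" in the script's path
# (the script is expected to be run from <ejbca>/bin/...)
EJBCA_DIRECTORY=${startdirectory%%/bin/*}

mysql_root_user="root"

WILDFLY_VERSION="10.1.0.Final"
#EJBCA_VERSION="6_5.0.5"
MARIADB_CONNECTOR_VERSION="2.2.0"

#EJBCA_DOWNLOAD_URL="https://downloads.sourceforge.net/project/ejbca/ejbca6/ejbca_6_5_0/ejbca_ce_${EJBCA_VERSION}.zip"
#EJBCA_DOWNLOAD_SHA256=85c09d584896bef01d207b874c54ae2f994d38dd85b40fd10c21f71f7210be8a
#EJBCA_DOWNLOAD_SHA256_URL="https://downloads.sourceforge.net/project/ejbca/ejbca6/ejbca_6_5_0/ejbca_ce_${EJBCA_VERSION}.zip.SHA-256"

# Downloads are pinned to these SHA-256 values; the installer refuses a file
# whose hash differs, so bump the hash together with the version.
MARIADB_DOWNLOAD_URL="https://downloads.mariadb.com/Connectors/java/connector-java-${MARIADB_CONNECTOR_VERSION}/mariadb-java-client-${MARIADB_CONNECTOR_VERSION}.jar"
MARIADB_DOWNLOAD_SHA256=fead0b3c61eba772fdaef2abed3b80eaeadbb5706abd78acf7698fe0a871cd4c
#MARIADB_DOWNLOAD_SHA256_URL="https://downloads.mariadb.com/Connectors/java/connector-java-${MARIADB_CONNECTOR_VERSION}/sha256sums.txt"

WILDFLY_TAR="wildfly-${WILDFLY_VERSION}.tar.gz"
WILDFLY_TAR_SHA256=80781609be387045273f974662dadf7f64ad43ee93395871429bc6b7786ec8bc
WILDFLY_DIR="wildfly-${WILDFLY_VERSION}"
WILDFLY_DOWNLOAD_URL="https://download.jboss.org/wildfly/${WILDFLY_VERSION}/${WILDFLY_TAR}"

# Which OS are we running? RHEL or UBUNTU? This is updated automagically in the end of this script
BASE_OS=UBUNTU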
89
90########################################################################################
91
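#######################################
# Generate a random secret: 64 bytes from /dev/urandom, hashed with SHA-1 and
# printed as 40 hex characters (so 160 bits of the 512 read end up in the secret).
# Note: this function shadows any system "pwgen" binary for the rest of the script.
# Outputs:   the secret on stdout, without a trailing newline
# Returns:   0 on success; 1 (with a message on stderr) if nothing was produced.
#            Callers use $(pwgen), where a failure only ends the subshell, so
#            they must check the status themselves.
#######################################
pwgen() {
  local new_password
  new_password=$(dd if=/dev/urandom bs=1 count=64 2> /dev/null | sha1sum | awk '{print $1}')
  if [ -z "$new_password" ]; then
    # stderr, so the message is not captured as the "password" by $(pwgen)
    echo "Created empty password - very bad" >&2
    return 1
  fi
  printf '%s' "${new_password}"
}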
100
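# One fresh random secret per purpose. A failure inside pwgen only ends the
# $(...) subshell, so the status is checked here; otherwise an empty or
# garbage value would silently be written into the generated configuration.
cakeystorepass=$(pwgen) || exit 1
truststorepass=$(pwgen) || exit 1
httpsserver_password=$(pwgen) || exit 1
cmskeystorepass=$(pwgen) || exit 1
passwordencryptionkey=$(pwgen) || exit 1
superadmin_password=$(pwgen) || exit 1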
107
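#######################################
# Drop every EJBCA table in ${database_name} so the installation starts clean.
# Globals:   INSTALL_DIRECTORY, database_* (read)
#            mysql_host (written; read later by ejbca_installer when it adds
#            the WildFly datasource)
# Returns:   exits 1 if INSTALL_DIRECTORY cannot be entered; otherwise mysql's status
#######################################
init_mysql() {
  cd "$INSTALL_DIRECTORY" || exit 1
  # host part of "jdbc:mysql://host:port/db" from the generated database.properties
  mysql_host=$(grep database.url ejbca-custom/conf/database.properties | awk -F/ '{print $3}' | awk -F: '{print $1}' | grep -v '^$')
  echo "Dropping all database tables in database ${database_name} (using the script ejbca/doc/sql-scripts/drop-tables-ejbca-mysql.sql), using DB user ${database_username}, who should have privileges to do that"
  # -f: keep going past errors (tables that do not exist yet).
  # NOTE: --password on the command line is visible to other local users via ps;
  # a --defaults-extra-file with the credentials would avoid that.
  mysql --host="${database_host}" --user="${database_username}" --password="${database_password}" "${database_name}" -f < ejbca/doc/sql-scripts/drop-tables-ejbca-mysql.sql
}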
114
115
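#######################################
# Create the EJBCA database indexes from the SQL shipped in ejbca/doc.
# Globals:   INSTALL_DIRECTORY, database_* (read)
# Returns:   exits 1 if INSTALL_DIRECTORY cannot be entered; otherwise mysql's status
#######################################
create_mysql_index() {
  cd "$INSTALL_DIRECTORY" || exit 1
  # NOTE: --password on the command line is visible to other local users via ps.
  mysql --host="${database_host}" --user="${database_username}" --password="${database_password}" "${database_name}" < ejbca/doc/sql-scripts/create-index-ejbca.sql
}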
120
121
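#######################################
# Warn when Java processes are already running and let the operator abort.
# Despite the name nothing is killed any more (the killall is commented out);
# the function only asks for confirmation when pidof finds a java process.
# Returns:   0 to continue; exits when the operator answers "No"
#######################################
wildfly_killall() {
  local yn
  if pidof java > /dev/null 2>&1; then
    echo "There are Java processes running, make sure there is no WildFly, JBoss or Tomcat server already running, installation will fail if so."
    echo "Are you sure you want to continue?"
    select yn in "Yes" "No"; do
      case "$yn" in
        Yes ) echo "Continuing..."; break;;
        No ) exit;;
      esac
    done
    # killall -9 java
    # sleep 10
  fi
}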
137
138
#######################################
# Run one management command against the local WildFly via jboss-cli.
# The path is relative, so the caller must already be in INSTALL_DIRECTORY.
# Arguments: $1 - the CLI command string
# Returns:   jboss-cli's exit status
# NOTE: some callers embed keystore or database passwords in $1; those then
#       appear on the jboss-cli command line (process listings).
#######################################
wildfly_exec() {
  local cli_command=$1
  wildfly/bin/jboss-cli.sh --connect "$cli_command"
}
142
143
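#######################################
# Ask the running WildFly to shut down through the management CLI.
# Globals:   INSTALL_DIRECTORY (read)
# Returns:   exits 1 if INSTALL_DIRECTORY cannot be entered; otherwise jboss-cli's status
#######################################
wildfly_shutdown() {
  cd "$INSTALL_DIRECTORY" || exit 1
  wildfly/bin/jboss-cli.sh --connect command=:shutdown
}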
148
149
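#######################################
# Ask the running WildFly to reload its configuration through the management CLI.
# Globals:   INSTALL_DIRECTORY (read)
# Returns:   exits 1 if INSTALL_DIRECTORY cannot be entered; otherwise jboss-cli's status
#######################################
wildfly_reload() {
  cd "$INSTALL_DIRECTORY" || exit 1
  wildfly/bin/jboss-cli.sh --connect command=:reload
}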
154
155
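#######################################
# Poll WildFly every 5 seconds until its server-state is "running".
# Arguments: $1 - seconds to wait in total (default 30); fewer than 5 means
#                 no attempt is made at all
# Globals:   INSTALL_DIRECTORY (read)
# Outputs:   progress messages on stdout
# Returns:   0 once the server reports running; exits 1 on timeout or if
#            INSTALL_DIRECTORY cannot be entered
#######################################
wildfly_check() {
  local duration_seconds=30
  if [ -n "$1" ]; then
    duration_seconds="$1"
  fi
  # integer division, same result as the former "... / 5 | bc" without needing bc
  local attempts=$(( duration_seconds / 5 ))
  local i

  echo "wait ${duration_seconds}s for start up wildfly"
  cd "$INSTALL_DIRECTORY" || exit 1
  for (( i = 0; i < attempts; i++ )); do
    # the CLI prints '"result" => "running"'; the third field is the state
    if wildfly/bin/jboss-cli.sh --connect ":read-attribute(name=server-state)" | grep "result" | awk '{ print $3; }' | grep -q running; then
      return 0
    fi
    sleep 5
  done
  echo "wildfly not started after ${duration_seconds}s, exit"
  exit 1
}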
175
176
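#######################################
# Wait for WildFly's deployment scanner to mark ejbca.ear as deployed
# (it creates wildfly/standalone/deployments/ejbca.ear.deployed), polling every 5 s.
# Arguments: $1 - seconds to wait in total (default 30); fewer than 5 means
#                 no attempt is made at all
# Globals:   INSTALL_DIRECTORY (read); the function leaves the shell in that directory
# Outputs:   progress messages on stdout
# Returns:   0 once the marker file exists; exits 1 on timeout or if
#            INSTALL_DIRECTORY cannot be entered
#######################################
ejbca_deploy_check() {
  cd "$INSTALL_DIRECTORY" || exit 1
  local duration_seconds=30
  if [ -n "$1" ]; then
    duration_seconds="$1"
  fi
  # integer division, same result as the former "... / 5 | bc" without needing bc
  local attempts=$(( duration_seconds / 5 ))
  local i

  echo "wait ${duration_seconds}s for deploying EJBCA"
  for (( i = 0; i < attempts; i++ )); do
    if [ -f wildfly/standalone/deployments/ejbca.ear.deployed ]; then
      echo "EJBCA deployed"
      return 0
    fi
    sleep 5
  done
  echo "EJBCA not deployed after ${duration_seconds}s, exit"
  exit 1
}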
197
198
#######################################
# Register the MariaDB JDBC driver as a named WildFly datasource driver and reload.
# The only call site in ejbca_installer is commented out, so as far as this
# file shows the function is currently unused (the driver jar is instead
# dropped into standalone/deployments and referenced by file name).
# Returns:   status of wildfly_reload
#######################################
wildfly_register_database() {
  local driver_cmd="/subsystem=datasources/jdbc-driver=org.mariadb.jdbc.Driver:add(driver-name=org.mariadb.jdbc.Driver,driver-module-name=org.mariadb,driver-xa-datasource-class-name=org.mariadb.jdbc.MariaDbDataSource)"
  wildfly_exec "$driver_cmd"
  wildfly_reload
}
203
204
#######################################
# Add an AJP listener to Undertow on the "ajp" socket binding.
# AJP is meant for a fronting web server; since WildFly is started with
# -b 0.0.0.0 elsewhere in this script, restrict who can reach the port.
# Returns:   jboss-cli's exit status
#######################################
wildfly_enable_ajp() {
  local ajp_cmd="/subsystem=undertow/server=default-server/ajp-listener=ajp-listener:add(socket-binding=ajp, scheme=https, enabled=true)"
  wildfly_exec "$ajp_cmd"
}
208
209
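#######################################
# Print the value of the first line in ejbca-custom/conf/web.properties that
# starts with the given key (value = everything after the first '=').
# The key is used as an anchored regex, like the original grep.
# Arguments: $1 - property key, e.g. httpsserver.password
# Outputs:   the value on stdout; nothing if the key is absent or empty
#######################################
_web_property() {
  grep "^$1" ejbca-custom/conf/web.properties | cut -s -d= -f2- | grep -v '^$'
}

#######################################
# Replace WildFly's default listeners with EJBCA's three HTTP endpoints:
#   8080  plain HTTP, redirected to the httpspriv socket
#   8443  TLS with mandatory client certificates (verify-client=REQUIRED; admin web)
#   8442  TLS without client authentication (public web)
# Keystore/truststore passwords and the TLS alias come from the generated
# web.properties. All interfaces bind to 0.0.0.0.
# The Tomcat-style system properties at the end relax URL decoding (encoded
# slashes, backslashes); whether WildFly 10's Undertow honours these legacy
# names is not evident from this script.
# Globals:   INSTALL_DIRECTORY (read)
# Returns:   exits 1 if INSTALL_DIRECTORY cannot be entered or WildFly does
#            not come back (wildfly_check)
# NOTE: the passwords are embedded in jboss-cli command lines, i.e. visible in
#       process listings while the commands run.
#######################################
wildfly_setup_https() {
  cd "$INSTALL_DIRECTORY" || exit 1

  local keystore_password truststore_pass web_hostname
  keystore_password=$(_web_property 'httpsserver.password')
  truststore_pass=$(_web_property 'java.trustpassword')
  web_hostname=$(_web_property 'httpsserver.hostname')

  wildfly_exec "/interface=http:add(inet-address=\"0.0.0.0\")"
  wildfly_exec "/interface=httpspub:add(inet-address=\"0.0.0.0\")"
  wildfly_exec "/interface=httpspriv:add(inet-address=\"0.0.0.0\")"
  wildfly_exec "/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface=\"http\")"
  wildfly_exec "/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)"
  wildfly_exec "/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value=\"httpspriv\")"
  wildfly_exec ":reload"

  wildfly_check

  # SSLRealm: server identity from keystore.jks, client certificates checked
  # against truststore.jks (both relative to jboss.server.config.dir)
  wildfly_exec "/core-service=management/security-realm=SSLRealm:add()"
  wildfly_exec "/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-relative-to=\"jboss.server.config.dir\", keystore-path=\"keystore/keystore.jks\", keystore-password=\"${keystore_password}\", alias=\"${web_hostname}\")"
  wildfly_exec "/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-relative-to=\"jboss.server.config.dir\", keystore-path=\"keystore/truststore.jks\", keystore-password=\"${truststore_pass}\")"
  wildfly_exec "/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface=\"httpspriv\")"
  wildfly_exec "/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface=\"httpspub\")"

  # full restart so the new realm is picked up before the TLS listeners are added
  wildfly_exec ":shutdown"
  nohup wildfly/bin/standalone.sh -b 0.0.0.0 > /dev/null 2>&1 &
  wildfly_check 240

  wildfly_exec "/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm=\"SSLRealm\", verify-client=REQUIRED)"
  wildfly_exec "/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm=\"SSLRealm\")"
  wildfly_exec ":reload"
  wildfly_check 30

  wildfly_exec "/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)"
  wildfly_exec "/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)"
  wildfly_exec "/system-property=org.apache.catalina.connector.URI_ENCODING:add(value=\"UTF-8\")"
  wildfly_exec "/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)"
  wildfly_exec "/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)"
  wildfly_exec "/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)"
  wildfly_exec ":reload"
  wildfly_check 30
}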
252
253
#######################################
# Set the org.ejbca and org.cesecore loggers to DEBUG and reload WildFly.
# DEBUG is verbose; a test installation is the intended audience here.
# Returns:   exits 1 via wildfly_check if WildFly does not come back
#######################################
wildfly_setup_logging() {
  local logger
  for logger in org.ejbca org.cesecore; do
    wildfly_exec "/subsystem=logging/logger=${logger}:write-attribute(name=level, value=DEBUG)"
  done
  wildfly_exec ":reload"
  wildfly_check 30
}
260
261
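#######################################
# Download a file into Download/ unless it is already there, and verify it
# against the pinned SHA-256. On mismatch the file is removed and the script exits.
# Arguments: $1 - display name for the progress message ("WildFly")
#            $2 - short name for the mismatch message ("wildfly")
#            $3 - URL to fetch
#            $4 - target file name inside Download/
#            $5 - expected SHA-256 (hex)
# Must be called from INSTALL_DIRECTORY; returns to it afterwards.
# Returns:   0 if the file is present and verified; exits 1 otherwise
#######################################
_download_verified() {
  local display_name=$1 short_name=$2 url=$3 file=$4 sha256=$5
  if [ -f "Download/${file}" ]; then
    return 0
  fi
  cd Download || exit 1
  echo "Downloading ${display_name} to $(pwd)"
  curl -o "${file}" -L "${url}"
  # "HASH  FILE" is the format sha256sum --check reads
  echo "${sha256}  ${file}" > "${file}.sha256"
  if ! sha256sum --check "${file}.sha256"; then
    echo "SHA256 for ${short_name} does not match"
    rm "${file}"
    exit 1
  fi
  cd .. || exit 1
}

#######################################
# Wipe and rebuild the local EJBCA installation:
#   1. warn about running Java, write the ejbca-custom configuration
#   2. symlink the local EJBCA checkout, drop the database tables
#   3. fetch + verify WildFly and the MariaDB JDBC driver, unpack WildFly
#   4. start WildFly on 0.0.0.0 and configure datasource, remoting, logging;
#      remove the default HTTP/HTTPS listeners
#   5. build and deploy ejbca.ear, run the EJBCA installer, deploy keystores
#   6. create DB indexes, set up the HTTPS connectors and logging
# Globals:   INSTALL_DIRECTORY, EJBCA_DIRECTORY, WILDFLY_*, MARIADB_*,
#            database_* (read); mysql_host (read, set by init_mysql)
# Returns:   exits 1 on any failed step it checks
#######################################
ejbca_installer() {
  cd "$INSTALL_DIRECTORY" || exit 1

  wildfly_killall

  create_config_files

  # EJBCA itself is not downloaded: the upstream script fetched and
  # SHA-256-verified a release zip here; this variant symlinks the local checkout.
  if [ -h ejbca ]; then
    rm -f ejbca
  fi
  if [ ! -d ejbca ]; then
    ln -s "${EJBCA_DIRECTORY}" ejbca
  fi

  echo
  echo "Init database"
  init_mysql

  if [ ! -d Download ]; then
    mkdir Download
  fi

  echo
  echo "Downloading(if needed) and unpacking WildFly"
  _download_verified "WildFly" "wildfly" "${WILDFLY_DOWNLOAD_URL}" "${WILDFLY_TAR}" "${WILDFLY_TAR_SHA256}"

  _download_verified "MariaDB Java Connector" "mariadb-java-client" "${MARIADB_DOWNLOAD_URL}" \
    "mariadb-java-client-${MARIADB_CONNECTOR_VERSION}.jar" "${MARIADB_DOWNLOAD_SHA256}"

  # start from a fresh WildFly tree every run; the Download/ cache is kept
  rm -rf "${WILDFLY_DIR}" > /dev/null 2>&1

  tar xvf "Download/${WILDFLY_TAR}"
  if [ -h wildfly ]; then
    rm -f wildfly
  fi
  ln -s "${WILDFLY_DIR}" wildfly

  # the driver is deployed as a plain jar and referenced by file name below
  cp "Download/mariadb-java-client-${MARIADB_CONNECTOR_VERSION}.jar" "wildfly/standalone/deployments/mariadb-java-client.jar" || exit 1

  echo
  echo "Configuring WildFly"

  # patch standalone.conf: larger heap (-XX:MaxPermSize only matters on Java 7 and older)
  cd "$INSTALL_DIRECTORY/wildfly/bin" || exit 1
  sed -i.bak 's/JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true"/JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MaxPermSize=384m -Djava.net.preferIPv4Stack=true"/g' standalone.conf
  cd "$INSTALL_DIRECTORY" || exit 1

  # WildFly binds every interface; TLS and client-certificate auth only arrive
  # later in wildfly_setup_https, so the host should be isolated meanwhile.
  nohup wildfly/bin/standalone.sh -b 0.0.0.0 > /dev/null 2>&1 &
  sleep 3
  wildfly_check || exit 1
  #wildfly_register_database || exit 1
  wildfly_enable_ajp || exit 1
  wildfly_reload || exit 1
  wildfly_check || exit 1

  # Add datasource. mysql_host is taken from database.properties by init_mysql;
  # fall back to database_host if that lookup produced nothing.
  # NOTE: the DB password is part of the jboss-cli command line here.
  wildfly_exec "data-source add --name=ejbcads --driver-name=\"mariadb-java-client.jar\" --connection-url=\"jdbc:mysql://${mysql_host:-${database_host}}:3306/${database_name}\" --jndi-name=\"java:/EjbcaDS\" --use-ccm=true --driver-class=\"org.mariadb.jdbc.Driver\" --user-name=\"${database_username}\" --password=\"${database_password}\" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql=\"select 1;\""
  wildfly_exec ":reload"

  # Configure WildFly Remoting on its own port (4447), authenticated against
  # ApplicationRealm; reachable on every interface because of -b 0.0.0.0
  wildfly_exec "/subsystem=remoting/http-connector=http-remoting-connector:remove"
  wildfly_exec "/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref=\"remoting\",security-realm=\"ApplicationRealm\")"
  wildfly_exec "/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=\"4447\")"
  wildfly_exec "/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)"
  wildfly_exec ":reload"

  # Configure logging
  wildfly_exec "/subsystem=logging/logger=org.ejbca:add"
  wildfly_exec "/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)"
  wildfly_exec "/subsystem=logging/logger=org.cesecore:add"
  wildfly_exec "/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)"

  # Remove existing TLS and HTTP configuration (recreated by wildfly_setup_https)
  wildfly_exec "/subsystem=undertow/server=default-server/http-listener=default:remove"
  wildfly_exec "/subsystem=undertow/server=default-server/https-listener=https:remove"
  wildfly_exec "/socket-binding-group=standard-sockets/socket-binding=http:remove"
  wildfly_exec "/socket-binding-group=standard-sockets/socket-binding=https:remove"
  wildfly_exec ":reload"

  echo
  echo "Deploying EJBCA"

  cd ejbca || exit 1
  ant clean deployear

  # ejbca_deploy_check returns to INSTALL_DIRECTORY, hence the second cd ejbca
  ejbca_deploy_check 240
  cd ejbca || exit 1
  echo "starting EJBCA initialization"
  ant runinstall

  echo "deploy keystore"
  cd "$INSTALL_DIRECTORY" || exit 1
  wildfly_check || exit 1
  cd ejbca || exit 1
  ant deploy-keystore

  # p12/ holds the keystores produced by the install (presumably including the
  # superadmin client keystore); ejbca-custom/ therefore contains secrets.
  cp -a p12 ../ejbca-custom/

  cd "$INSTALL_DIRECTORY" || exit 1
  #wildfly_exec ":shutdown"
  #nohup wildfly/bin/standalone.sh -b 0.0.0.0 > /dev/null 2> /dev/null &
  #wildfly_check 240

  echo "creating SQL index"
  create_mysql_index

  echo "set up Wildfly https connectors"
  wildfly_setup_https

  echo "set up Wildfly logging"
  wildfly_setup_logging

  echo "*********************************************************************"
  echo "* SUCCESS *"
  echo "*********************************************************************"
}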
423
424
#######################################
# Second and final confirmation before the destructive install.
# "Yes" runs ejbca_installer; "No" ends the script; any other input re-prompts.
# Globals:   database_name (read)
#######################################
are_you_sure() {
  local answer
  echo "LAST CHANCE TO STOP THIS"
  echo "Do you really want to destroy your EJBCA installation in database $database_name?"
  select answer in "Yes" "No"; do
    case "$answer" in
      "Yes")
        ejbca_installer
        break
        ;;
      "No")
        exit
        ;;
    esac
  done
}
435
436
#######################################
# First confirmation prompt. "Yes" continues to are_you_sure (the second
# prompt); "No" ends the script; any other input re-prompts.
# Globals:   database_name (read)
#######################################
init_installer() {
  local answer
  echo "This will destroy your complete EJBCA installation in database $database_name"
  echo "Do you want this?"
  select answer in "Yes" "No"; do
    case "$answer" in
      "Yes")
        are_you_sure
        break
        ;;
      "No")
        exit
        ;;
    esac
  done
}
447
448
449create_config_files() {
450mkdir -p ejbca-custom/conf || exit 1
451
452cat <<EOF > ejbca-custom/conf/batchtool.properties
453# Property file used to configure the batch tool for generating
454# keystores. This file should be in either current directory or conf/
455# subdirectory or in your home directory if personlized settings is
456# required. If no property file is found,default values will be used.
457
458# Indicates which type of keys should be generated by the batch tool
459# Examples: RSA, ECDSA or DSA
460#
461# Default: RSA
462keys.alg=RSA
463
464# Indicates which key size of the RSA or DSA keys that should be used, or curve if ECDSA.
465# Examples: 1024 for RSA or DSA and prime256v1 for ECDSA
466#
467# Default: 2048
468keys.spec=2048
469EOF
470
471cat <<EOF > ejbca-custom/conf/certstore.properties
472# ------------ RFC 4387 Certificate store configuration ---------------------
473# These configurations are used both for EJBCA and the Validation Authority (VA).
474
475# Certificate store servlet enabled. If false there will be no servlet.
476# Default is false.
477certstore.enabled=true
478
479# Context root (the path in the URL)
480# Default is '/certificates'
481#certstore.contextroot=/ejbca/publicweb/certificates
482EOF
483
484cat <<EOF > ejbca-custom/conf/cesecore.properties
485# Set to true to allow dynamic re-configuration using properties files in the file
486# system. Using this you can place a file /etc/cesecore/conf/cesecore.properties in the file system and
487# override default values compiled into ejbca.ear.
488#
489# Default: false
490#allow.external-dynamic.configuration=false
491
492# -------------- NOTE for Upgrades --------------
493# When upgrading, the important options are:
494# - ca.keystorepass
495# - password.encryption.key
496# - ca.cmskeystorepass (in ejbca.properties)
497
498# -------------- General security --------------
499# The following key (strictly speaking, PBE input password) allows for encrypting passwords used in EJBCA (e.g. End Entity and Crypto Token
500# passwords stored in database).
501# This property should be set before initial EJBCA installation and it should't be changed later, because there could exist
502# passwords encrypted with the key about to be changed and EJBCA would be unable to decrypt them (note that the current implementation
503# is capable to try decryption with the default key, i.e. qhrnf.f8743;12%#75, but it won't be able to decrypt passwords encrypted
504# with a custom key being replaced for another custom key).
505# For setting this property you could use any password you consider safe, but it is strongly recommended that you use a randomly
506# generated password, e.g. by using `openssl rand -base64 24`.
507#
508# When upgrading a 100% up-time cluster all nodes must produce password encryption that is decryptable by old nodes.
509# When all nodes run EJBCA 6.8.0 or higher you can change the password, and count, to increase security when passwords are saved in clear text.
510# (mostly used for batch generation and auto-activation)
511#
512# Default: qhrnf.f8743;12%#75
513password.encryption.key=${passwordencryptionkey}
514
515# Nr of rounds when creating password based encryption keys (PBE).
516# To be able to change this you also need to set password.encryption.key to something other than the default (with applicable 100% uptime consideration).
517#password.encryption.count=100
518
519# ------------ Basic CA configuration ---------------------
520# When upgrading, the important options are:
521# - ca.keystorepass
522# - ca.cmskeystorepass (in ejbca.properties)
523
524# This password is used internally to protect CA keystores in database (i.e. the CAs private key).
525# foo123 is to keep compatibility with default installations of EJBCA 3.0, please change this if possible
526# Note! If changing this value AFTER installation of EJBCA you must do 'ant clean; ant bootstrap' in order to activate changes.
527ca.keystorepass=${cakeystorepass}
528
529# Default Random Number Generator algorithm for certificate serial number generation.
530# Available algorithms are:
531# SHA1PRNG
532ca.rngalgorithm=SHA1PRNG
533
534# The length in octets of certificate serial numbers generated. 8 octets is a 64 bit serial number.
535# It is really recommended to use at least 64 bits, so please leave as default unless you are really sure,
536# and have a really good reason to change it.
537# Possible values: between 4 and 20
538# Default: 8
539#ca.serialnumberoctetsize=8
540
541# The date and time from which an expire date of a certificate is to be considered to be too far in the future.
542# The time could be specified in two ways:
543# 1. The unix time see http://en.wikipedia.org/wiki/Unix_time given as an integer decoded to an hexadecimal string.
544# The value 80000000 will give the time when the integer becomes negative if casted to 32 bit.
545# This is when the year 2038 problem occurs. See http://en.wikipedia.org/wiki/Year_2038_problem .
546# Set to this value if you don't want to issue any certificates that could cause this problem.
547# 2. For you convenience this could also be specified in the ISO8601 date format.
548# Default: no limitation
549# The 2038 problem:
550#ca.toolateexpiredate=80000000
551#ca.toolateexpiredate=2038-01-19 03:14:08+00:00
552
553
554# The idea of a HSM to use a HSM is to have the private keys protected. It should not be possible to extract them.
555# To prevent using a key with the private part extractable a test is made before activating a CA.
556# If this test shows that you can read the private part from the key the CA will not be activated unless the key is a SW key.
557# You may (but should not) permit using extractable private keys by setting this property to 'true'.
558# Default: false
559#ca.doPermitExtractablePrivateKeys=true
560
561# Forbidden characters in DB.
562# When one of these characters is found in any string that should be stored in
563# the DB it will be replaced by a forward slash (/). Same replacement will also
564# be done when searching for strings in the DB.
565# Example of strings affected by this:
566# * user names
567# * issuer and subject DN of certificates.
568# * profile names
569# It will also be impossible to use any of these characters in any field of a
570# certificate (like issuer or subject DN).
571# It is strongly discouraged to change this property. Instead set it to the
572# desired value before you install EJBCA.
573# If you change these characters later it might be that some search for a string
574# that include one of the characters that have been changed will fail. This could
575# result in that some important functionality stops working. Examples what could
576# fail is:
577# * An administrator user can not be used any more.
578# * A certificate can not be found.
579# * A certificate can not be issued since the used profile can not be found.
580# The default are these characters: '\\n', '\\r', ';', '!', '\\0', '%', '\`', '?', '$', '~'.
581# The property value is a string with all forbidden characters concatenated
582# (without any space). Note that '\\' is an escape character.
583# This will be the same as not defining the property:
584#forbidden.characters = \\n\\r;!\\u0000%\`?$~
585# And nothing forbidden will be:
586#forbidden.characters =
587
588# ------------- Core language configuration -------------
589# The language that should be used internally for logging, exceptions and approval notifications.
590# The languagefile is stored in 'src/intresources/ejbcaresources.xx.properties' and 'intresources.xx.properties'.
591# Should be one of: en, fr, ja, pt, sv.
592# Default: en
593intresources.preferredlanguage=en
594
595# The language used internally if a resource not found in the preferred language.
596# Default: sv
597intresources.secondarylanguage=en
598
599# ------------ Audit log configuration ---------------------
600# I you want to use integrity protection of the audit log (in the IntegrityProtectedDevice) you
601# must also configure integrity protection in conf/databaseprotection.properties
602#
603
604#### Secure audit log configuration.
605
606# All security log events are written to all enabled/configured devices.
607# The following AuditLogDevice implementations are available:
608#securityeventsaudit.implementation.X=org.cesecore.audit.impl.log4j.Log4jDevice
609#securityeventsaudit.implementation.X=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice
610
611# Default is to use the Log4jDevice and the IntegrityProtectedDevice (without integrity protection enabled),
612# To de-configure these devices, set their implementation to "null" value (don't forget to comment out default section below).
613# i.e.
614#securityeventsaudit.implementation.0=null
615securityeventsaudit.implementation.1=null
616
617# Each device can have a different exporter.
618# The following AuditExporter implementations are available:
619#securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExporterDummy (default)
620#securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExportCsv
621#securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExporterXml
622
623# Device implementation specific parameters (e.g. "key.subkey=value") can be passed by using
624#securityeventsaudit.deviceproperty.X.key.subkey=value
625
626# Example configuration of Log4jDevice that logs to log4j server log file.
627# The Log4jDevice does not support query, validation or export operations
628securityeventsaudit.implementation.0=org.cesecore.audit.impl.log4j.Log4jDevice
629
630# Example configuration of IntegrityProtectedDevice that logs to the database
631# With XML export to /tmp/ (default export dir)
632# On windows a path would be for example 'C:/Temp/'
633#securityeventsaudit.implementation.1=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice
634#securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
635#securityeventsaudit.deviceproperty.1.export.dir=/tmp/
636#securityeventsaudit.deviceproperty.1.export.fetchsize=1000
637#securityeventsaudit.deviceproperty.1.validate.fetchsize=1000
638
639# Nodeid used for integrity protected audit log. If not set the hostname of local host is used.
640# Default: not set
641#cluster.nodeid=
642
643# When upgrading a 100% up-time cluster, all nodes should be deployed with db.keepjbossserialization=true.
644# For upgrades from EJBCA version 4.0 to later versions.
645# Once all nodes are running > 4.0, set to false to increase efficiency and portability.
646# Default: false
647#db.keepjbossserialization=true
648
649# Option if we should keep internal CA keystores in the CAData table to be compatible with CeSecore 1.1/EJBCA 5.0.
650# Default to true. Set to false when all nodes in a cluster have been upgraded to CeSecore 1.2/EJBCA 5.1 or later,
651# then internal keystore in CAData will be replaced with a foreign key in to the migrated entry in CryptotokenData.
652#
653# When upgrading a 100% up-time cluster, all nodes should initially be deployed with db.keepinternalcakeystores=true.
654# Once all nodes are running > EJBCA 5.0, set to false again to increase efficiency and portability.
655# For upgrades from EJBCA version 5.0 to later versions.
656# Default: true
657#db.keepinternalcakeystores=true
658
659# When upgrading a 100% up-time cluster, all nodes should be deployed with ca.keepocspextendedservice=true.
660# Once all nodes are running > 6.0, set to true to increase efficiency and portability.
661# Default: false
662#ca.keepocspextendedservice=true
663
664# When generating large CRLs, the RAM of the Java process will limit how many entries that can be
665# fetched from the database at the time. A small value will lead to multiple round-trips to the
666# database and CRL generation will take more time.
667#
668# The heap usage can be estimated to roughly 600 bytes * rows per database read. The default of
669# 0.5M revoked entries per database round trip will usually fit within a 2GiB heap assigned to the
670# application server. If multiple large CRLs are generated at the same time, the used heap will be
671# the sum of the heap used by each CRL generation.
672#
673# If you have plenty of RAM assigned to the application server you should increase this value.
674# Default: 500000
675#database.crlgenfetchsize=500000
676
677#------------------- ECDSA implicitlyCA settings -------------
678# Sets pre-defined EC curve parameters for the implicitlyCA facility.
679# See the User's Guide for more information about the implicitlyCA facility.
680# Setting these parameters are not necessary when using regular named curves.
681# if you don't know what this means, you can safely ignore these settings.
682#
683# Default values that you can experiment with:
684# ecdsa.implicitlyca.q=883423532389192164791648750360308885314476597252960362792450860609699839
685# ecdsa.implicitlyca.a=7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc
686# ecdsa.implicitlyca.b=6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a
687# ecdsa.implicitlyca.g=020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf
688# ecdsa.implicitlyca.n=883423532389192164791648750360308884807550341691627752275345424702807307
689
690#------------------- PKCS#11 -------------------------------------
691# Configuration of PKCS#11 tokens.
692#
693# Disabling of sign mechanisms that are using PKCS#11 to hash the data before signing.
694# If these mechanisms are disabled then the sun PKCS#11 wrapper will do the hashing
695# before PKCS#11 is called.
696# Default: true (the mechanisms are disabled).
697#pkcs11.disableHashingSignMechanisms=false
698
699# Caching the references to PKCS#11 objects can make a big performance difference.
700# Default: true
701#cryptotoken.keystorecache=true
702
703# ------------------- Authentication Key Binding settings -------------------
704# Configuration of available cipher suites for outgoing SSL/TLS connections
705# that can be selected for an Authentication Key Binding.
706#
707# Java 6: http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
708# TLS versions: SSLv3, TLSv1, SSLv2Hello
709# Java 7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
710# TLS versions: SSLv3, TLSv1, SSLv2Hello, TLSv1.1, TLSv1.2
711# Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later.
712#
713# The configuration format is "<TLS version>;cipher" and the follow ciphers are defined by default
714# and can be undefined by setting the properties to "undefined".
715#authkeybind.ciphersuite.0=TLSv1.2;TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
716#authkeybind.ciphersuite.1=TLSv1.2;TLS_RSA_WITH_AES_256_CBC_SHA256
717#authkeybind.ciphersuite.2=TLSv1.2;TLS_RSA_WITH_AES_128_CBC_SHA
718#authkeybind.ciphersuite.3=TLSv1;TLS_DHE_RSA_WITH_AES_256_CBC_SHA
719#authkeybind.ciphersuite.4=TLSv1;TLS_RSA_WITH_AES_256_CBC_SHA
720#authkeybind.ciphersuite.5=TLSv1;TLS_RSA_WITH_AES_128_CBC_SHA
721
722
723# ------------------- Certificate Transparency settings -------------------
724# If your EJBCA has support for CT in it, you may configure caching of SCTs
725# here. The cache is only used when using CT in OCSP responses (and not in
726# the CT publisher or when using CT in new certificates).
727#
728# Enables or disables the cache.
729# Default: true (caching enabled)
730#ct.cache.enabled=false
731#
732# Maximum number of OCSP response extensions to cache, or -1 for no limit.
733# You may need to adjust java heap parameters if you adjust this.
734# Default: 100000
735#ct.cache.maxentries=1000000
736#
737# Maximum frequency in milliseconds of clean ups when the cache is over its
738# limit. During a clean up, cache entries are randomly queued for removal
739# at the next clean up if they aren't used.
740# Default: 10000 (10 seconds)
741#ct.cache.cleanupinterval=60000
742#
743# Whether log availability should be tracked, and requests should "fast fail"
744# whenever a log is known to be down. A log is "known to be down" when it
745# is either unreachable or responds with an HTTP error status to a request.
746# NOTE: Since a single error will cause ALL subsequent requests that are not
747# cached to "fast fail" until the backoff time is over, make sure to:
748# 1. Disallow CAs that are not trusted by the CT logs in CT-enabled
749# certificate profiles. If a log server receives a request for a
750# certificate from an untrusted CA, it will return an error, and trigger
751# "fail fail" for other certificates.
752# 2. Make sure the certificate profiles are restrictive and do not allow
753# uncommon certificate fields etc., that could cause a parse error
754# in the CT log, which would also trigger fast fail.
755# Default: false (fast fail disabled)
756#ct.fastfail.enabled=true
757#
758# How long time (in milliseconds) EJBCA should wait until trying to use a log
759# which has failed to respond to a request.
760# Default: 1000 (1 second)
761#ct.fastfail.backoff=60000
762EOF
763
764
# Write the RFC 4387 CRL store settings used by the EJBCA build (and by a VA
# built from the same tree). The here-document delimiter is quoted because the
# body contains nothing the shell needs to expand.
cat > ejbca-custom/conf/crlstore.properties <<'EOF'
# ------------ RFC 4387 CRL store configuration ---------------------
# These configurations are used both for EJBCA and the Validation Authority (VA).

# CRL store servlet enabled. If false there will be no servlet.
# Default is false.
crlstore.enabled=true

# Context root (the path in the URL)
# Default is '/crls'
#crlstore.contextroot=/ejbca/publicweb/crls
EOF
777
778
# Write the build-time database settings. database.url, database.driver and
# database.username are taken from the configurables at the top of the script,
# so the delimiter stays unquoted to let them expand.
# NOTE(review): database.password is written as the placeholder NOT_SHOWN rather
# than ${database_password}; presumably the datasource credential is configured
# elsewhere in the script — confirm before relying on this file for it.
cat > ejbca-custom/conf/database.properties <<EOF
# ------------- Database configuration ------------------------

# The default values in this file is good for a default install, using the build in H2 test database, with JBoss 7/EAP 6.
# For a default install with Hypersonic database on JBoss 5, change database.name, database.url, database.driver and database.password.

# JNDI name of the DataSource used for EJBCA's database access. The prefix
# (e.g. 'java:/', '' or 'jdbc/')is automatically determined for each
# application server.
# default: EjbcaDS
#datasource.jndi-name=EjbcaDS

# The database name selected for deployment, used to copy XDoclet merge files.
# All supported databases are defined below, others can easily be added
# See the document doc/howto/HOWTO-database.txt for database specifics and tips and tricks.
# (Note that the names below are fixed for the database type, it is not the name of your database instance.)
# Default: h2
database.name=mysql

# Database connection URL.
# This is the URL used to connect to the database, used to configure a new datasource in JBoss.
# Default: jdbc:h2:~/ejbcadb;DB_CLOSE_DELAY=-1
database.url=${database_url}

# JDBC driver classname.
# The JEE server needs to be configured with the appropriate JDBC driver for the selected database
# The Default h2 works (as test database) on JBoss 7, on JBoss 5 use org.hsqldb.jdbcDriver
# Default: h2
database.driver=${database_driver}

# Database username.
# Default: sa (works with H2 on JBoss 7)
# Set to empty for hsql on JBoss 5
database.username=${database_username}

# Database password.
# Default: sa (works with H2 on JBoss 7)
# Set to empty for hsql on JBoss 5)
database.password=NOT_SHOWN

# The encoded certificate may be stored in the table Base64CertData instead of
# in a column in the CertificateData table. Using a separate table for the
# certificate data may speed up searching for certificates if there are lots of
# them (>100Million).
# Default: false
database.useSeparateCertificateTable=true
EOF
826
827
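#######################################
# Write ejbca-custom/conf/ejbca.properties for the EJBCA build.
# Globals:   INSTALL_DIRECTORY (read) - WildFly is expected at
#              $INSTALL_DIRECTORY/wildfly (appserver.home)
#            cmskeystorepass (read)   - password protecting the CA CMS keystores
# Outputs:   the properties file, created owner-read/write only because it
#            carries ca.cmskeystorepass
# Returns:   0 on success; 1 if a required variable is empty or the file
#            cannot be created
# NOTE(review): ejbca.cli.defaultusername / ejbca.cli.defaultpassword below are
# the fixed literals ejbca/ejbca and are not driven by the script's
# configurables; consider sourcing them from there as well.
#######################################
write_ejbca_properties() {
  local target='ejbca-custom/conf/ejbca.properties'
  local var
  # An unset variable would silently yield an empty keystore password or a
  # bogus appserver.home ("/wildfly"); fail loudly instead.
  for var in INSTALL_DIRECTORY cmskeystorepass; do
    if [[ -z "${!var:-}" ]]; then
      printf 'write_ejbca_properties: %s must be set and non-empty\n' "$var" >&2
      return 1
    fi
  done
  # Create/truncate with owner-only permissions before any content is written,
  # so the keystore password is never readable by other users even briefly;
  # the umask change is confined to the subshell. The chmod also narrows a
  # file left over from an earlier run with a wider mode.
  ( umask 077 && : > "$target" ) || return 1
  chmod 600 "$target" || return 1
  # Unquoted delimiter: ${INSTALL_DIRECTORY} and ${cmskeystorepass} expand here.
  # The \$Id and \${app.version.number} escapes are deliberate so those stay
  # literal in the written file.
  cat > "$target" <<EOF
#
# \$Id: ejbca.properties.sample 20512 2015-01-05 14:25:14Z mikekushner $
#
# This is a sample file to override properties used
# during development (or deployment) of EJBCA. Note that some properties
# have been moved to cesecore.properties.
#
# You should copy and rename this file to ejbca.properties
# and customize at will.
#

# Application server home directory used during development. The path can not end with a slash or backslash.
# Default: \$APPSRV_HOME
appserver.home=${INSTALL_DIRECTORY}/wildfly

# See also the section 'cluster configuration' for other JBoss options, for example
# for deploying on JBoss EAP.

# Which application server is used? Normally this is auto-detected from 'appserver.home' and should not be configured.
# Possible values: jboss, glassfish (, weblogic)
# Default: <auto-detect>
#appserver.type=jboss

# To prevent accidental runs of tests or deploying the wrong thing in a production environment, we
# could prevent this by setting this variable to either "true" or "false".
# Setting this value to 'false' will allow system tests to alter the configuration of the running
# EJBCA instance.
# Default: true
ejbca.productionmode=true
#ejbca.productionmode=false

# Set to true to allow dynamic re-configuration using properties files in the file
# system. Using this you can place a file /etc/ejbca/conf/ocsp.properties in the file system and
# override default values compiled into ejbca.ear.
# Currently this works for most values in ejbca.properties, web.properties, cmp.properties, externalra-caservice.properties, ocsp.properties, extendedkeyusage.properties, jaxws.properties, xkms.properties
#
# Default: false
#allow.external-dynamic.configuration=false

# ------------ Basic CA configuration ---------------------
# Most CA options are configured in cesecore.properties, but some EJBCA-
# specific ones are configured here. When upgrading, the important options are:
# - ca.keystorepass (in cesecore.properties)
# - ca.cmskeystorepass

# Password used to protect CMS keystores in the database (CAs CMS signer/enc certificate).
# The default value is the same for convenience.
ca.cmskeystorepass=${cmskeystorepass}

# ------------- Approval configuration ------------------------
# Settings working as default values in the approval functionality
#
# Default request validity in seconds
# Default : 28800 (8 Hours)
#approval.defaultrequestvalidity=28800
#approval.defaultrequestvalidity=86400

# Default approval validity (how long an approved request should stay valid)
# Default : 28800 (8 Hours)
#approval.defaultapprovalvalidity=28800

# Setting excluding some classes from approval. When one of the classes in this list calls a method that normally
# required approval, the call is immediately allowed, bypassing the approval mechanism. The list is comma separated.
# Uncomment the line below to exclude extra from approvals.
#approval.excludedClasses=org.ejbca.extra.caservice.ExtRACAServiceWorker
# Uncomment the line below to exclude CMP from approval.
#approval.excludedClasses=org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean
# Uncomment the line below to exclude revocation by CMP from approval.
#approval.excludedClasses=org.ejbca.core.protocol.cmp.RevocationMessageHandler
# Default : empty
#approval.excludedClasses=

# ----------------- cluster configuration ----------------
# The configuration. Use "all" when clustering,
# or for example "production" when deploying on JBoss EAP.
# Default: default
#jboss.config=all

# Name of the farm directory. Use "farm" when clustering.
# Default: deploy
#jboss.farm.name=farm

#------------------- EJBCA Healthcheck settings -------------
# Specifies the basic settings of the EJBCA Healthcheck servlet
# for more detailed configuration edit the file src/publicweb/healthcheck/WEB-INF/web.xml
# URL: http://localhost:8080/ejbca/publicweb/healthcheck/ejbcahealth
#
# Parameter specifying amount of free memory (Mb) before alarming
# Default: 1
#healthcheck.amountfreemem=1

# Parameter specifying database test query string. Used to check that
# the database is operational.
# Default : Select 1 From CertificateData where fingerprint='XX'
#healthcheck.dbquery=Select 1 From CertificateData where fingerprint='XX'

# Parameter specifying IP addresses authorized to access the healthcheck
# servlet. Use ';' for between multiple IPs.
# IPv6 address can be specified, for example 127.0.0.1;0:0:0:0:0:0:0:1.
# "ANY" can be specified to allow any remote IP.
# Default: 127.0.0.1
#healthcheck.authorizedips=127.0.0.1

# Parameter to specify if the check of CA tokens should actually perform a signature test
# on the CA token, or it should only see if the token status is active.
# Default: false (don't perform a signature operation)
#healthcheck.catokensigntest=false

# Parameter to specify if a connection test should be performed on each publisher.
# Default: true
#healthcheck.publisherconnections=true

# Parameter to specify location of file containing information about maintenance
# Use this file to specify weather to include node in healthcheck or report as down for maintenance,
# which will return an error message (either the property name specified below or a custom message specified in web.xml).
# Default: empty (not used)
#healthcheck.maintenancefile=~/maintenance.properties

# Parameter to configure name of maintenance property, default = DOWN_FOR_MAINTENANCE
# The healthcheck.maintenancefile should contain a single line like this:
# DOWN_FOR_MAINTENANCE=true
# Where the node will be down for maintenance of the property is true, and not down for maintenance if the property is false.
# Default: DOWN_FOR_MAINTENANCE
#healthcheck.maintenancepropertyname=DOWN_FOR_MAINTENANCE

# Text string used to say that every thing is ok with this node.
# Default=ALLOK
#healthcheck.okmessage=ALLOK

# Parameter saying if a errorcode 500 should be sent in case of error.
# Default=true
#healthcheck.sendservererror=true

# Uncomment this parameter if you want a static error message instead of one generated by the HealthChecker.
# Default=null
#healthcheck.customerrormessage=EJBCANOTOK

#------------------- CLI settings -------------
ejbca.cli.defaultusername=ejbca
ejbca.cli.defaultpassword=ejbca

#------------------- Debug and special settings -------------
#
# Custom Available Access Rules. Use ';' to separate multiple access rules
# Available values are the Access Rules strings in Advanced mode of 'Access Rules' in 'Administrator Roles'
# Default: ""
#ejbca.customavailableaccessrules=

# When upgrading a 100% up-time cluster, all nodes should be deployed with the effective version
# of the oldest still running EJBCA version.
# Default: \${app.version.number}
#app.version.effective=4.0.x

# To better protect from off-line brute force attacks of passwords on a compromised database, the
# computationally expensive BCrypt algorithm can be used. Using a higher log-rounds value will
# increase computational cost by log2. 1-31 can be used as BCrypt strength.
# 0 means simple SHA1 hashing will be used. A decent value for high security is ~8.
# Default=1
#ejbca.passwordlogrounds=1

# Parallel publishing invokes all the configured publishers for certificates in parallel instead of
# sequentially. So instead of waiting for the total time it takes to write to all publishers, you
# only have to wait for the time it takes to publish to the slowest one.
#
# This feature is non-compliant with the JEE5 specifications and could potentially have unintended
# side effects (even though none has been found so far).
# If you find any type of problem with this feature that can be mitigated by disabling it, please
# report it to the EJBCA developers or this option will disappear in a future version.
#
# Default: true
#publish.parallel.enabled=true

# ------------------- Peer Connector settings (Enterprise Edition only) -------------------
# These settings are never expected to be used and should be considered deprecated. If you do need
# to tweak this, please inform the EJBCA developers how and why this was necessary.
#
# Don't go through JCA for outgoing connections to peer systems. Applied at build time.
# Default: false
#peerconnector.rar.disabled=false
#
# Use TCP keep alive. Applied when connection pool is restarted. Default: true
#peerconnector.connection.sokeepalive=true
#
# Disable Nagle's algorithm. Applied when connection pool is restarted. Default: false
#peerconnector.connection.tcpnodelay=false
#
# Socket timeout in milliseconds. Applied when connection pool is restarted.
# Default: 20000 (default for Tomcat on the server side)
#peerconnector.connection.sotimeout=20000
#
# Connection pool size per peer connector. Applied when connection pool is restarted. Default: 100
#peerconnector.connection.maxpoolsize=100
#
# Background sync of certificate data. Batch size to compare. Default: 2000
#peerconnector.sync.batchsize=2000
#
# Background sync of certificate data. Number of entries to write in parallel. 1=sequential writes. Default: 12
#peerconnector.sync.concurrency=12
#
# Maximum allowed size for incoming messages. Default: 134217728 (128MiB)
#peerconnector.incoming.maxmessagesize=134217728
#
# How long a peer can be absent in milliseconds before (re-)authentication is triggered. Default: 60000
#peerconnector.incoming.authcachetime=60000
#
# How long to cache outgoing PeerData database objects.
# Default: 60000 (60 seconds)
# Possible values -1 (no caching) to 9223372036854775807 (2^63-1 = Long.MAX_VALUE).
# If you want caching for an infinite time then set something high for example 157680000000 (5years).
#peerconnector.cachetime=157680000000
#peerconnector.cachetime=-1
EOF
}
write_ejbca_properties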
1041
1042
1043
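#######################################
# Write ejbca-custom/conf/install.properties, the 'ant install' settings for
# the first (administrative) CA.
# Globals:   ca_name (read)    - short name of the administrative CA
#            ca_dn (read)      - its subject DN
#            ejbca_home (read) - only interpolated into the commented-out
#              ca.tokenproperties example; if unset that example just loses
#              its path. NOTE(review): under `set -u` an unset ejbca_home
#              would abort here instead — confirm how the script is run.
# Outputs:   the properties file
# Returns:   0 on success; 1 if ca_name or ca_dn is empty or the file cannot
#            be written
#######################################
write_install_properties() {
  local target='ejbca-custom/conf/install.properties'
  local var
  # An empty CA name or DN would be written silently and only surface later as
  # a confusing 'ant install' failure, so check up front.
  for var in ca_name ca_dn; do
    if [[ -z "${!var:-}" ]]; then
      printf 'write_install_properties: %s must be set and non-empty\n' "$var" >&2
      return 1
    fi
  done
  # Unquoted delimiter so ${ca_name} and ${ca_dn} expand. The "On windows"
  # comment ends with a backslash, which in an unquoted here-document is a
  # line continuation and used to glue the following ca.tokenproperties
  # example onto that comment line; it is doubled so the file gets a literal
  # '\' and the example keeps its own line.
  cat > "$target" <<EOF
#
# \$Id$
#
# This is a sample file to override default properties used
# during installation of EJBCA (ant install)
#
# You should copy and rename this file to install.properties
# and customize at will.
#

# ------------ Administrative CA configuration ---------------------
# This installation will create a first administrative CA. This CA will be used to create the first
# superadministrator and for the SSL server certificate of administrative web server.
# When the administrative web server have been setup you can create other CA:s and administrators.
# This is only used for administrative purposes,
# Enter a short name for the administrative CA.
ca.name=${ca_name}

# The Distinguished Name of the administrative CA.
# This is used in the CA certificate to distinguish the CA.
# Note, you can not use DC components for the initial CA, you can create CAs
# using DC components later on once the admin GUI is up and running.
ca.dn=${ca_dn}

# The token type the administrative CA will use.
# Use soft for software generated keys (default) or enter a class path for the HSM class.
# Normally the HSM class should be the PKCS11CryptoToken.
#
# Possible values are:
# soft
# org.cesecore.keys.token.PKCS11CryptoToken
# se.primeKey.caToken.card.PrimeCAToken
# Note: If you use JBoss 7/EAP 6 and want to use PKCS#11 you have to configure JBoss to permit this.
# See instructions in the Install Guide.
#
# Default: soft
ca.tokentype=soft

# Password for the administrative CA token.
# With soft token, use password null.
# To prompt for the password on the terminal, don't set, i.e. comment out the line below.
# If no password should be used (for example nCipher module protected), use password '' (nothing).
ca.tokenpassword=null

# Configuration file were you define key name, password and key alias for the HSM used
# by the administrative CA. Same as the Hard CA Token Properties in Admin gui.
# Remove everything in the file and add your own configuration.
# Note that this must be a full path.
# On windows use / instead of \\
#ca.tokenproperties=${ejbca_home}/ejbca/conf/catoken.properties

# The keyspec for the administrative CAs key, to be generated in soft keystore.
# Keyspec for RSA keys is size of RSA keys (1024, 2048, 4096, 8192).
# Keyspec for ECDSA keys is name of curve or 'implicitlyCA', see docs.
ca.keyspec=2048

# The keytype for the administrative CA, can be RSA, ECDSA or DSA
# For the key to be generated in soft keystore.
ca.keytype=RSA

# Default signing algorithm for the administrative CA.
# Available algorithms are:
# SHA1WithRSA, SHA1withECDSA, SHA256WithRSA, SHA256withECDSA.
ca.signaturealgorithm=SHA256WithRSA

# The validity in days for the administrative CA, only digits.
ca.validity=3650

# The policy id of the administrative CA. Policy id determines which PKI policy the CA uses.
# Type your policy id or use '2.5.29.32.0' for 'any policy' (rfc5280) or 'null' for no policy at all.
ca.policy=null

# Certificate profile used for the CA certificate created during 'ant install'.
# If you have a certificate profile imported you can use that. Otherwise default
# profile for ROOTCA is used.
# Default: ROOTCA
#ca.certificateprofile=MyOwnRootCACertificateProfile
EOF
}
write_install_properties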
1123
1124cat <<EOF > ejbca-custom/conf/web.properties
1125# ------------ Web GUI configuration ---------------------
1126# When upgrading, the important options are:
1127# - httpsserver.password
1128
1129# If you prefer to manually configure the web settings for your application
1130# server, you should uncomment this property. Enabling this option will prevent
1131# the 'ant web-configure' command from making any changes to the configuration
1132# of your application server (in terms of web settings, like paths etc).
1133# Can not be set to false, commented away means that web will be configured.
1134#web.noconfigure=true
1135
1136# If you enable this option, the 'ant web-configure' command will not set-up the
1137# SSL access on your application server. This is normally desired for the OCSP
1138# responder or Validation Authority (unless you want to run them over https as
1139# well). Normally, in case of a CA build you should _not_ enable this option
1140# (otherwise you won't have access to the administration web interface). If you
1141# wish to use the Unid functionality on the OCSP responder, make sure to also
1142# have a look at the 'Configuring TLS on the Unid lookup server' how-to.
1143# Can not be set to false, commented away means that web will be configured.
1144# web.nosslconfigure=true
1145
1146# Password for java trust keystore (p12/truststore.jks). Default is changeit
1147# This truststore will contain the CA-certificate after running 'ant javatruststore'
1148# Run 'ant -Dca.name=FooCA javatruststore' to install the CA-certificate for FooCA instead of the default ManagementCA
1149java.trustpassword=${truststorepass}
1150
1151# The CN and DN of the super administrator.
1152# Comment out if you want 'ant install' to prompt for this.
1153superadmin.cn=${superadmin_cn}
1154# Note that superadmin.dn must start with the same CN as in superadmin.cn.
1155# example: superadmin.dn=CN=\${superadmin.cn},${BASE_DN}
1156superadmin.dn=CN=\${superadmin.cn}
1157
1158# The password used to protect the generated super administrator P12 keystore (to be imported in browser).
1159# Choose a good password here.
1160superadmin.password=${superadmin_password}
1161
1162# Set this to false if you want to fetch the certificate from the EJBCA public web pages, instead of
1163# importing the P12-keystore. This can be used to put the initial superadmin-certificate on a smart card.
1164superadmin.batch=true
1165
1166# The password used to protect the web servers SSL keystore. Default is serverpwd
1167# Choose a good password here.
1168# If upgrading from EJBCA 3.1, enter here the password found in
1169# \$JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml
1170# under the section about 'HTTPS Connector...', the password is in attribute 'keystorePass=...'.
1171httpsserver.password=${httpsserver_password}
1172
1173# The CA servers DNS host name, must exist on client using the admin GUI.
1174httpsserver.hostname=${httpsserver_hostname}
1175
1176# The Distinguished Name of the SSL server certificate used by the administrative web gui.
1177# The CN part should match your host's DNS name to avoid browser warnings.
1178httpsserver.dn=CN=${httpsserver_hostname},${BASE_DN}
1179
1180# The Alternative Name (certificate extension) of the SSL server certificate used by the administrative web gui.
1181# The dnsName part should match your hosts DNS name (and the CN above) to avoid browser warnings.
1182# Set automatically, so no need to change this property unless you want something exotic.
1183#httpsserver.an=dnsName=${httpsserver_hostname}
1184
1185# The public port JBoss will listen to http on
1186# Default 8080
1187#httpserver.pubhttp=8080
1188
1189# The public port JBoss will listen to https on, no client cert required
1190# Default 8442
1191#httpserver.pubhttps=8442
1192
1193# The private port JBoss will listen to https on, client cert required
1194# Default 8443
1195#httpserver.privhttps=8443
1196
1197# The private port exposed externally, i.e. if you run an Apache proxy in front of JBoss
1198# the port may be 443 instead.
1199# Default same as httpserver.privhttps
1200#httpserver.external.privhttps=443
1201
1202# The fully qualified domain name (FQDN) of the front-end, e.g. an Apache proxy
1203# In order to build absolute URL, the server name is got from the web client request.
1204# But with an Apache proxy, via ProxyPass directive, the server name is 'localhost'.
1205# Use:
1206# - empty: without Apache proxy, or with Apache proxy via AJP (not with ProxyPass)
1207# - ${httpsserver_hostname}: when an Apache proxy is used on the same server than EJBCA
1208# - any FQDN: when an Apache proxy with a ProxyPass directive is used (on any server)
1209# Default: (empty)
1210#httpserver.external.fqdn=
1211#httpserver.external.fqdn=${httpsserver_hostname}
1212
1213# The interfaces JBoss will bind to. E.g. 127.0.0.1 will only allow connections from localhost.
1214# You can also specify \${jboss.bind.address} to use JBoss configuration which interface to listen on.
1215# Default 0.0.0.0
1216httpsserver.bindaddress.pubhttp=0.0.0.0
1217httpsserver.bindaddress.pubhttps=0.0.0.0
1218httpsserver.bindaddress.privhttps=0.0.0.0
1219
1220# Defines the available languages by ISO 639-1 language codes separated with a comma (example: en,zh).
1221# If you are not sure that you know how to add a new language (languagefile.xx.properties, etc.),
1222# we suggest you stick with the default the first time you install if you wan't to add your own language.
1223# Otherwise you may not be able to log in to the Admin GUI.
1224# Default: en,bs,de,es,fr,it,ja,pt,sv,uk,zh
1225#web.availablelanguages=en,bs,de,es,fr,it,ja,pt,sv,uk,zh
1226
1227# Default content encoding used to display JSP pages, for example ISO-8859-1, UTF-8 or GBK.
1228# Default: UTF-8
1229web.contentencoding=UTF-8
1230
1231# The language configuration that should be used internally for logging, exceptions and approval
1232# notifications has been moved to ejbca.properties from EJBCA 3.10.
1233
1234# Setting to indicate if the secret information stored on hard tokens (i.e initial PIN/PUK codes) should
1235# be displayed for the administrators. If false only non-sensitive information is displayed.
1236# Values should be "true" or "false".
1237# Default = true
1238#hardtoken.diplaysensitiveinfo=true
1239
1240# Show links to the EJBCA documentation. The links can either point to internally deployed
1241# documentation on the server or any exteral location like ejbca.org.
1242# Default = internal
1243#web.docbaseuri=disabled
1244web.docbaseuri=internal
1245#web.docbaseuri=http://www.ejbca.org
1246
1247# Require administrator certificates to be available in database for revocation
1248# checks. Set this to false, if you want to be able to use admin certificates
1249# issued by external CAs.
1250# Default: true
1251#web.reqcertindb=true
1252
1253# Allow users to self-register on public web, by entering their information.
1254# This creates an approval request for the admin.
1255# Default = false
1256web.selfreg.enabled=false
1257
1258# Certificate types to make available for the user
1259#web.selfreg.defaultcerttype=1
1260#web.selfreg.certtypes.1.description=User certificate
1261#web.selfreg.certtypes.1.eeprofile=SOMEPROFILE
1262#web.selfreg.certtypes.1.certprofile=ENDUSER
1263
1264# Optional: Instead of asking the user for a username, EJBCA can generate
1265# the username from a field in the subject DN
1266#web.selfreg.certtypes.1.usernamemapping=CN
1267
1268# Deploy the request browser certificate renewal web application and show a
1269# link to it from the EJBCA public web.
1270# Default = false
1271#web.renewalenabled=true
1272
1273# Wether it should be possible to manually specify a custom class name in
1274# the admin web (e.g. for a custom Publisher or Service), or if the choice
1275# of class should be constrained to auto-detected classes only.
1276# If you are using classes made for EJBCA 5.0 or earlier you must enable
1277# this option, or wrap them in a "service" JAR file (see the Admin Guide).
1278# Default = false
1279#web.manualclasspathsenabled=true
1280
1281# Presentation of the an exception on the web error page.
1282#
1283# General error message to be presented to the user when an exception occur.
1284# Default: An exception has occurred
1285#web.errorpage.notification=An exception has occurred.
1286#
1287# Print the stacktrace of the exception
1288# Default: true
1289#web.errorpage.stacktrace=false
1290
1291# Custom Servlet filter for emulation of client certificate authentication to the Admin GUI
1292# using a Tomcat Valve or similar proxy.
1293# Default is false.
1294#web.enableproxiedauth=true
1295
1296# Whether the remote IP address should be logged during administrator login.
1297# This works as expected when using an Apache AJP proxy, but if a reverse proxy
1298# server is running in front of EJBCA then the address of the proxy will be logged.
1299# In that case the web.log.adminforwardingip can be used in addition to this.
1300#
1301# If you want this information to be included in the webservice transaction log,
1302# you should add \${ADMIN_FORWARDED_IP} to the "ejbcaws.trx-log-order" property instead.
1303#
1304# Default: true
1305web.log.adminremoteip=true
1306
1307# Whether the IP address seen at the proxy (from the HTTP header "X-Forwarded-For")
1308# should be logged. This information can only be trusted if the request
1309# is known to come from a trusted proxy server.
1310#
1311# If you want this information to be included in the webservice transaction log,
1312# you should add \${ADMIN_FORWARDED_IP} to the "ejbcaws.trx-log-order" property instead.
1313#
1314# Default: false
1315#web.log.adminforwardedip=true
1316
1317# Available PKCS#11 CryptoToken libraries and their display names
1318# If a library file's presence is not detected it will not show up in the Admin GUI.
1319# Default values (see src/java/defaultvalues.properties for most up to date values):
1320#cryptotoken.p11.lib.10.name=SafeNet ProtectServer Gold Emulator
1321#cryptotoken.p11.lib.10.file=/opt/ETcpsdk/lib/linux-x86_64/libctsw.so
1322#cryptotoken.p11.lib.11.name=SafeNet ProtectServer Gold
1323#cryptotoken.p11.lib.11.file=/opt/ETcpsdk/lib/linux-x86_64/libcryptoki.so
1324#cryptotoken.p11.lib.20.name=SafeNet Luna SA
1325#cryptotoken.p11.lib.20.file=/usr/lunasa/lib/libCryptoki2_64.so
1326#cryptotoken.p11.lib.21.name=SafeNet Luna PCI
1327#cryptotoken.p11.lib.21.file=/usr/lunapci/lib/libCryptoki2_64.so
1328#cryptotoken.p11.lib.22.name=SafeNet Luna PCI
1329#cryptotoken.p11.lib.22.file=/Program Files/LunaPCI/cryptoki.dll
1330#cryptotoken.p11.lib.23.name=SafeNet Luna Client
1331#cryptotoken.p11.lib.23.file=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
1332#cryptotoken.p11.lib.30.name=Utimaco
1333#cryptotoken.p11.lib.30.file=/opt/utimaco/p11/libcs2_pkcs11.so
1334#cryptotoken.p11.lib.31.name=Utimaco
1335#cryptotoken.p11.lib.31.file=/opt/Utimaco/Software/PKCS11/lib/Linux-x86-64/libcs2_pkcs11.so
1336#cryptotoken.p11.lib.32.name=Utimaco
1337#cryptotoken.p11.lib.32.file=/etc/utimaco/libcs2_pkcs11.so
1338#cryptotoken.p11.lib.33.name=Utimaco
1339#cryptotoken.p11.lib.33.file=C:/Program Files/Utimaco/SafeGuard CryptoServer/Lib/cs2_pkcs11.dll
1340#cryptotoken.p11.lib.40.name=Thales
1341#cryptotoken.p11.lib.40.file=/opt/nfast/toolkits/pkcs11/libcknfast.so
1342#cryptotoken.p11.lib.50.name=ARX CoSign
1343#cryptotoken.p11.lib.50.file=C:/windows/system32/sadaptor.dll
1344#cryptotoken.p11.lib.60.name=OpenSC
1345#cryptotoken.p11.lib.60.file=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
1346#cryptotoken.p11.lib.61.name=OpenSC
1347#cryptotoken.p11.lib.61.file=/usr/lib/i386-linux-gnu/opensc-pkcs11.so
1348#cryptotoken.p11.lib.62.name=OpenSC
1349#cryptotoken.p11.lib.62.file=/usr/local/lib/opensc-pkcs11.so
1350#cryptotoken.p11.lib.63.name=OpenSC
1351#cryptotoken.p11.lib.63.file=C:/Windows/system32/opensc-pkcs11.dll
1352#cryptotoken.p11.lib.64.name=OpenSC
1353#cryptotoken.p11.lib.64.file=/usr/lib64/pkcs11/opensc-pkcs11.so
1354#cryptotoken.p11.lib.70.name=Bull TrustWay CryptoBox
1355#cryptotoken.p11.lib.70.file=/usr/lib64/libcryptobox_clnt.so
1356#cryptotoken.p11.lib.71.name=Bull TrustWay PCI Crypto Card
1357#cryptotoken.p11.lib.71.file=/usr/lib64/libgpkcs11cc2000.so
1358#cryptotoken.p11.lib.72.name=Bull TrustWay Proteccio
1359#cryptotoken.p11.lib.72.file=/usr/lib64/libnethsm64.so
1360#cryptotoken.p11.lib.80.name=SoftHSM 2
1361#cryptotoken.p11.lib.80.file=/usr/local/lib/softhsm/libsofthsm2.so
1362#cryptotoken.p11.lib.81.name=SoftHSM 2
1363#cryptotoken.p11.lib.81.file=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
1364#cryptotoken.p11.lib.82.name=SoftHSM 2
1365#cryptotoken.p11.lib.82.file=/usr/lib/softhsm/libsofthsm2.so
1366#cryptotoken.p11.lib.83.name=SoftHSM 2
1367#cryptotoken.p11.lib.83.file=/usr/lib64/pkcs11/libsofthsm2.so
1368#cryptotoken.p11.lib.90.name=SoftHSM
1369#cryptotoken.p11.lib.90.file=/usr/lib/softhsm/libsofthsm.so
1370#cryptotoken.p11.lib.91.name=SoftHSM
1371#cryptotoken.p11.lib.91.file=/usr/lib64/softhsm/libsofthsm.so
1372#cryptotoken.p11.lib.100.name=PKCS11 Spy
1373#cryptotoken.p11.lib.100.file=/usr/lib/x86_64-linux-gnu/pkcs11-spy.so
1374#cryptotoken.p11.lib.101.name=PKCS11 Spy
1375#cryptotoken.p11.lib.101.file=/usr/lib64/pkcs11/pkcs11-spy.so
1376#cryptotoken.p11.lib.110.name=Utimaco R2
1377#cryptotoken.p11.lib.110.file=/opt/utimaco/p11/libcs_pkcs11_R2.so
1378#cryptotoken.p11.lib.111.name=Utimaco R2
1379#cryptotoken.p11.lib.111.file=/opt/Utimaco/Linux/x86_64/Crypto_APIs/PKCS11_R2/lib/libcs_pkcs11_R2.so
1380#cryptotoken.p11.lib.112.name=Utimaco R2
1381#cryptotoken.p11.lib.112.file=/etc/utimaco/libcs_pkcs11_R2.so
1382#
1383# You can add your own values with an available number, or override numbers from defaults...
1384#cryptotoken.p11.lib.255.name=P11 Proxy
1385#cryptotoken.p11.lib.255.file=/home/user/local/p11proxy/dist/p11proxy.so
1386#
1387# If you would like to restrict the accessible slots, you can use the following property:
1388# (you can use ranges, and if you omit the low or high number it means "no limit")
1389#cryptotoken.p11.lib.30.slotlist=1-100
1390#cryptotoken.p11.lib.30.slotlist=0,1,65537
1391#cryptotoken.p11.lib.30.slotlist=i1-i
1392# To change the default slot (e.g. if you have disabled access to slot 0)
1393#cryptotoken.p11.defaultslot=1
1394#cryptotoken.p11.defaultslot=i1
1395
1396# Available PKCS#11 CryptoToken attribute files and their display names
1397# Use if the default PKCS#11 attributes are not good for the PKCS#11 module and if needs specific attributes
1398#cryptotoken.p11.attr.0.name=
1399#cryptotoken.p11.attr.0.file=
1400#...
1401#cryptotoken.p11.attr.255.name=
1402#cryptotoken.p11.attr.255.file=
1403EOF
1404}
1405
1406
# Installer banner. Every line is a single-quoted literal, so nothing in the
# text is subject to parameter or command expansion before it is printed.
printf '%s\n' \
  '####### # ###### ##### #' \
  '# # # # # # # #' \
  '# # # # # # #' \
  '##### # ###### # # #' \
  '# # # # # # #######' \
  '# # # # # # # # #' \
  '####### ##### ###### ##### # #' \
  '' \
  'This installs the EJBCA PKI'
1418
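# Enter the install directory exactly once. The original repeated the cd and
# did not check its result, so a missing or mistyped INSTALL_DIRECTORY let the
# rest of the script run in whatever directory the shell was already in.
cd -- "$INSTALL_DIRECTORY" || { echo "cannot cd to '${INSTALL_DIRECTORY}'" >&2; exit 1; }

# Refuse to run as root: the install is intended for the unprivileged EJBCA
# OS user, and nothing has been changed on disk at this point.
if [ "$EUID" -eq 0 ]; then
  echo "Do not execute this script as root" >&2
  echo "We did nothing yet" >&2
  exit 1
fi

# An existing ejbca-custom tree means a previous run already got this far;
# leave it untouched rather than clobbering a working installation.
if [ -d ejbca-custom ]; then
  echo "$INSTALL_DIRECTORY/ejbca-custom already exists"
  echo "we will do nothing here"
  echo "remove the ejbca-custom directory to re-install from scratch"
  exit 0
fi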
1434
1435
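# Detect the host distribution and build the package-install command line.
# Within this script the command is only echoed to the operator, never run:
# installing packages needs root, and this script refuses to run as root.
# Sets PKG_INSTALL (empty on unknown platforms) and BASE_OS (RHEL, UBUNTU,
# or left empty).
PKG_INSTALL=""
if [ -f /etc/redhat-release ]; then
  echo "found RedHat/CentOS"
  PKG_INSTALL="yum install tar unzip java-1.8.0-openjdk-devel ant psmisc mariadb bc patch"
  BASE_OS=RHEL
elif [ -f /etc/debian_version ]; then
  echo "found Debian/Ubuntu"
  PKG_INSTALL="apt install unzip openjdk-8-jdk-headless ant ant-optional psmisc mariadb-client bc patch"
  BASE_OS=UBUNTU
else
  echo "Unknown platform, your milage may vary"
  # Make sure BASE_OS is defined (but empty) on unknown platforms so later
  # "$BASE_OS" tests do not trip over an unset variable.
  : "${BASE_OS=}"
fi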
1449
1450#RUN_AS_ROOT_FILE="/tmp/run_as_root.sh"
1451#cat <<EOF >${RUN_AS_ROOT_FILE}
1452#$PKG_INSTALL
1453
1454#cat <<EOF2 > /etc/systemd/system/ejbca.service
1455#[Unit]
1456#Description=EJBCA PKI
1457#After=network.target
1458
1459#[Service]
1460#Type=simple
1461#User=${ejbca_user}
1462#Group=${ejbca_group}
1463#WorkingDirectory=${ejbca_home}
1464#ExecStart=${ejbca_home}/wildfly/bin/standalone.sh -b 0.0.0.0
1465#ExecStop=${ejbca_home}/wildfly/bin/jboss-cli.sh --connect command=:shutdown
1466#Restart=on-failure
1467#RestartSec=300s
1468
1469#[Install]
1470#WantedBy=multi-user.target
1471#EOF2
1472
1473#systemctl daemon-reload
1474
1475#rm -f "${RUN_AS_ROOT_FILE}"
1476#EOF
1477#chmod 755 "${RUN_AS_ROOT_FILE}"
1478
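# Show the operator what must be installed (as root, outside this script) and
# wait for explicit confirmation before touching anything.
echo "EJBCA will be installed as OS user '${ejbca_user}'"
echo
echo "please install dependencies with:"
# printf rather than an unquoted echo: the command line is printed verbatim,
# with no word-splitting or glob expansion of its contents.
printf '%s\n' "$PKG_INSTALL"
#echo "please execute /tmp/run_as_root.sh as root (installs needed packages and creates a systemctl service for ejbca)"
echo
echo "Please select \"Yes\" if you did so, but not before"
select yn in "Yes" "No"; do
  case "$yn" in
    Yes)
      # NOTE(review): init_installer's return status is not checked, so the
      # success message below is printed even if a step inside it failed.
      init_installer
      echo
      # The superadmin keystore password is written to the terminal here; it
      # can end up in scrollback, session recordings or captured logs, so run
      # the installer on a trusted console and rotate the password afterwards.
      echo "You can now install the superadmin.p12 keystore, from ${EJBCA_DIRECTORY}/p12, in your web browser, using the password ${superadmin_password}, and access EJBCA at https://localhost:8443/ejbca"
      echo
      break
      ;;
    No)
      exit
      ;;
    *)
      # Any input other than a listed number (including a bare Enter) used to
      # re-display the menu silently; say why we are asking again.
      echo "Please answer 1 (Yes) or 2 (No)" >&2
      ;;
  esac
done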