Generating PKI Key Materials and Starting the WSOP Server
At this point the Security World software has been installed and configured to use the existing security world and HSM devices, and the Hardserver is running with the non-privileged port open, listening for requests from the WSOP server. The WSOP server components have been copied into the /opt/nfast/wsop directory, but the WSOP Tomcat application server has not yet been installed and started.
The next step is to generate public key infrastructure (PKI) key materials for the WSOP application server, as it cannot be started without these materials in place. To be clear, the only hard requirement is a properly configured Java key store installed in the /opt/nfast/wsop/tls directory; the remaining steps produce the trust store and the client credentials that the DataCore vFilO integration uses.
The following steps will guide you through this process. These instructions assume you are still logged in as root and sitting in the root directory of the Linux WSOP server:
- Rename the example files:
# pushd /opt/nfast/wsop/conf
/opt/nfast/wsop/conf /
# mv application.properties.example application.properties
# mv wsop_java.security.example wsop_java.security
# popd
/
- Generate a Java key store containing a self-signed server certificate, using the Java keytool utility:
# export JAVA_TOOL_OPTIONS='-Dprotect=module -DignorePassphrase=true \
-Djava.security.properties=/opt/nfast/wsop/conf/wsop_java.security'
# keytool -genkeypair -storetype nCipher.sworld -keyalg RSA \
-keysize 2048 -validity 3650 -alias mykey \
-keystore /opt/nfast/wsop/tls/keystore.ks
Picked up JAVA_TOOL_OPTIONS: -Dprotect=module -DignorePassphrase=true
-Djava.security.properties=/opt/nfast/wsop/conf/wsop_java.security
Enter keystore password: <contrive a reasonable password>
Re-enter new password: <repeat>
What is your first and last name?
[Unknown]: <enter Linux WSOP server host name here>
What is the name of your organizational unit?
[Unknown]: <enter your organization within your company>
What is the name of your organization?
[Unknown]: <enter your company name>
What is the name of your City or Locality?
[Unknown]: <enter your city name>
What is the name of your State or Province?
[Unknown]: <enter your two-letter state>
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=???, OU=???, O=???, L=???, ST=??, C=US correct?
[no]: yes
Enter key password for <mykey>
(RETURN if same as keystore password): <press ENTER>
You may also use a CA-signed certificate for your WSOP application server’s identity. In this case, follow the instructions on page 8 of the WSOP User Guide, the section entitled, “Using a Certificate Signed by a CA”.
- Edit the /opt/nfast/wsop/conf/application.properties file and set the key store password to the one you chose when you created the key store in the previous step. (The key store filename should already be keystore.ks.) Because the file now holds that password in clear text, keep it readable only by root and the account that will run the WSOP server.
- Change into the root home directory (/root) and create a self-signed client certificate and private key pair using the openssl tool:
# cd
# openssl req -x509 -newkey rsa:2048 -keyout client-key.pem \
-out client-cert.pem -days 3650 -nodes
Generating a 2048 bit RSA private key
.....................................................................+++
.........+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: <state or province>
Locality Name (eg, city) []: <city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <company>
Organizational Unit Name (eg, section) []: <organization>
Common Name (e.g. server FQDN or YOUR name) []: <client host name>
Email Address []: <press ENTER>
The Common Name used above should uniquely identify the DataCore vFilO client that will converse with the WSOP server. If possible, it should be the host name of the DataCore vFilO metadata server (MDS); if that is unknown, any unique host-like name will work. Note that -nodes writes client-key.pem unencrypted: restrict its permissions to root only, and copy it and client-cert.pem to the vFilO side over a protected channel, since whoever holds this key can authenticate to the WSOP server as that client.
- Still in the root user’s home directory, export the WSOP server certificate to a DER certificate file, then convert that DER file to PEM format so it can be used with DataCore vFilO:
# keytool -export -alias mykey -file server-cert.der \
-storetype nCipher.sworld -keystore /opt/nfast/wsop/tls/keystore.ks
Picked up JAVA_TOOL_OPTIONS: -Dprotect=module -DignorePassphrase=true
-Djava.security.properties=/opt/nfast/wsop/conf/wsop_java.security
Enter keystore password: <ENTER>
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Certificate stored in file <server-cert.der>
# openssl x509 -inform der -in server-cert.der -out server-cert.pem
The WARNING above is expected here. Exporting a certificate does not require the key store password, so when none is supplied keytool reads the (public) certificate without verifying the integrity of the key store. Entering the key store password instead of pressing ENTER performs the check and avoids the warning.
- Back in the root directory, import the client certificate (but not the private key) into a new Java trust store for the WSOP server:
# cd /
# keytool -import -trustcacerts -file /root/client-cert.pem \
-alias client2 -keystore /opt/nfast/wsop/tls/truststore.ts
Picked up JAVA_TOOL_OPTIONS: -Dprotect=module -DignorePassphrase=true
-Djava.security.properties=/opt/nfast/wsop/conf/wsop_java.security
WARNING: nCipher provider was called for keystore mechanism 'JKS'.
A new keystore was loaded, so a software keystore is being used.
Enter keystore password: changeit
Re-enter new password: changeit
…
Trust this certificate? [no]: yes
Certificate was added to keystore
The WARNING above is fine: it means you did not specify -storetype nCipher.sworld on the keytool command line, which is acceptable because this is merely a trust store and holds no private key material. Bear in mind that this trust store defines which client certificates the WSOP server will accept, so protect truststore.ts against modification; anyone who can add an entry to it can create a client identity the server trusts.
The trust store password was set to 'changeit' because every Java key store requires a password, but trust stores hold only public information and it is industry convention (the JDK's own cacerts store ships with the same value) to set the trust store password to this value. The application properties file is already configured with this trust store password.
- Install the WSOP application server by running the installation script:
# /opt/nfast/wsop/sbin/install
-- Running install fragment wsopd
Checking for user 'wsopd' in group 'wsopd'
Creating wsopd group.
Creating wsopd user.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Checking user 'wsopd' is in correct group 'wsopd'
users created correctly
Installing startup scripts for 'wsopd'.
Created symlink /etc/systemd/system/multi-user.target.wants/wsopd.service → /etc/systemd/system/wsopd.service.
Starting nCipher 'wsopd' server process.
---- Installation complete ----
- The WSOP REST service listens on port 18001 for remote requests. If you enabled the CentOS firewall during server installation, it must be configured to allow inbound traffic on this port. (Opening the port in the public zone admits any source; if only the vFilO MDS needs to reach it, firewalld's rich-rule syntax can restrict the port to that source address instead.)
# firewall-cmd --zone=public --add-port=18001/tcp --permanent
success
# firewall-cmd --reload
success
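As an added post-installation check (example code, not part of the WSOP distribution or the WSOP User Guide), the following script verifies that the materials produced by the steps above are consistent with one another: the certificate in truststore.ts is the one whose private key goes to vFilO, that key really belongs to that certificate and is not group- or world-readable, the server-cert.pem handed to vFilO matches the HSM-protected key in keystore.ks, the server certificate's CN is this host's name, nothing expires soon and, optionally, a real mutual-TLS handshake against the running server succeeds. The paths, aliases and the changeit trust store password are those used above; the KEYSTORE_PASS and WSOP_HOST variables, and the assumption that port 18001 speaks HTTPS with client certificate authentication, belong to this example. The helper functions are plain shell; the checks themselves call openssl and keytool and expect the same JAVA_TOOL_OPTIONS exported as for the keytool steps.

```shell
#!/bin/sh
# check_wsop_pki.sh: post-setup sanity checks for the TLS materials created in the
# steps above. Added example, not part of the WSOP distribution. Paths, aliases and
# the 'changeit' trust-store password are those used above; KEYSTORE_PASS and
# WSOP_HOST are assumptions supplied through the environment. Run as root with the
# same JAVA_TOOL_OPTIONS exported as for the keytool steps:  sh check_wsop_pki.sh check
set -eu

TLS_DIR=${TLS_DIR:-/opt/nfast/wsop/tls}
KEYSTORE=$TLS_DIR/keystore.ks              # nCipher.sworld store holding the server key
TRUSTSTORE=$TLS_DIR/truststore.ts          # plain JKS store holding the client cert
SERVER_ALIAS=${SERVER_ALIAS:-mykey}
CLIENT_ALIAS=${CLIENT_ALIAS:-client2}
TRUST_PASS=${TRUST_PASS:-changeit}
KEYSTORE_PASS=${KEYSTORE_PASS:-}           # leave empty to skip the key-store check
SERVER_PEM=${SERVER_PEM:-/root/server-cert.pem}   # the copy handed to vFilO
CLIENT_PEM=${CLIENT_PEM:-/root/client-cert.pem}
CLIENT_KEY=${CLIENT_KEY:-/root/client-key.pem}
WSOP_HOST=${WSOP_HOST:-}                   # set to attempt a live mTLS handshake on :18001
MIN_DAYS=${MIN_DAYS:-30}                   # flag certificates expiring sooner than this

# Reduce a fingerprint line from either tool to bare lowercase hex so they compare:
#   keytool: "SHA256: AB:CD:..."      openssl: "sha256 Fingerprint=AB:CD:..."
norm_fp() {
  printf '%s\n' "$1" | awk '{print $NF}' | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Extract the CN from an RFC 2253 subject line such as "subject=CN=host,OU=x,O=y".
cn_of() {
  printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 fingerprint of certificate file $1 (encoding $2: pem or der).
file_fp() {
  norm_fp "$(openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256)"
}

# SHA-256 fingerprint of alias $3 in key store $1 of type $2; $4 is the store password.
store_fp() {
  norm_fp "$(keytool -list -v -keystore "$1" -storetype "$2" -alias "$3" \
             -storepass "$4" 2>/dev/null | grep 'SHA256:' || true)"
}

cert_pub() { openssl x509 -in "$1" -noout -pubkey; }   # public key from a certificate
key_pub()  { openssl pkey -in "$1" -pubout; }          # public key from a private key

key_private() {  # $1 = key file; must exist with no group/other permission bits (GNU find)
  [ -f "$1" ] && [ -z "$(find "$1" -perm /077)" ]
}

cn_is_host() {   # $1 = certificate; CN must equal this host's short or fully qualified name
  cn=$(cn_of "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)")
  [ "$cn" = "$(hostname)" ] || [ "$cn" = "$(hostname -f 2>/dev/null)" ]
}

handshake() {    # $1 = host:port; succeeds only if the server chain verifies against SERVER_PEM
  openssl s_client -connect "$1" -cert "$CLIENT_PEM" -key "$CLIENT_KEY" \
    -CAfile "$SERVER_PEM" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

fail=0
check() {  # check "description" command args...  records a FAIL instead of aborting
  desc=$1; shift
  if "$@" >/dev/null 2>&1; then echo "ok   $desc"; else echo "FAIL $desc"; fail=1; fi
}

main() {
  for f in "$SERVER_PEM" "$CLIENT_PEM"; do
    check "$f parses as an X.509 certificate" openssl x509 -in "$f" -noout
    check "$f valid for at least $MIN_DAYS more days" \
      openssl x509 -in "$f" -noout -checkend $((MIN_DAYS * 86400))
  done
  # The trust store decides which client certificates WSOP accepts: it must hold
  # exactly the certificate whose private key was handed to vFilO.
  check "trust store alias $CLIENT_ALIAS matches $CLIENT_PEM" \
    [ "$(store_fp "$TRUSTSTORE" JKS "$CLIENT_ALIAS" "$TRUST_PASS")" = "$(file_fp "$CLIENT_PEM" pem)" ]
  check "$CLIENT_KEY is the private key for $CLIENT_PEM" \
    [ "$(cert_pub "$CLIENT_PEM")" = "$(key_pub "$CLIENT_KEY")" ]
  check "$CLIENT_KEY is not readable by group or others (it was created with -nodes)" \
    key_private "$CLIENT_KEY"
  # The certificate given to vFilO must be the one the HSM-protected key will present.
  if [ -n "$KEYSTORE_PASS" ]; then
    check "key store alias $SERVER_ALIAS matches $SERVER_PEM" \
      [ "$(store_fp "$KEYSTORE" nCipher.sworld "$SERVER_ALIAS" "$KEYSTORE_PASS")" = "$(file_fp "$SERVER_PEM" pem)" ]
  else
    echo "skip key-store check (set KEYSTORE_PASS to enable it)"
  fi
  check "$SERVER_PEM CN is this host's name" cn_is_host "$SERVER_PEM"
  if [ -n "$WSOP_HOST" ]; then
    check "mutual-TLS handshake with $WSOP_HOST:18001 (assumed HTTPS port)" handshake "$WSOP_HOST:18001"
  fi
  return $fail
}

if [ "${1:-}" = check ]; then main; fi
```

Run it as `sh check_wsop_pki.sh check` after the install step; a non-zero exit status means at least one FAIL line was printed. The key store comparison is the one that needs the nCipher provider, which is why it is skipped unless KEYSTORE_PASS is supplied; the handshake check exercises the trust store from the client's side and is the quickest way to confirm that vFilO will be accepted once it presents client-cert.pem.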