This section covers installing and configuring the Axway VA server.

Install Axway VA Server

Select your operating system and perform the steps to install the VA server:

Windows

Perform the following steps to install Axway VA Server on Windows:
VA Server is no longer installed as an interactive service on Windows. This applies to both the Admin UI service and the Validation Authority Service that is installed as part of VA Server.
1
Using an account in the Administrators group, log on to the computer on which you plan to install the VA Server.
2
Copy the Validation_Authority_Server_<Release Version>win-x86-64_BNXXX.exe file that you received from Axway Global Support to the Windows system.
3
Double-click Validation_Authority_Server_<Release Version>win-x86-64_BNXXX.exe. In the Welcome page, follow the on-screen instructions as you proceed through the installation.
  • Select [ Next ] to move forward to the next installation window.
  • Select [ Back ] to return to the previous installation window.
  • Select [ Cancel ] to close the installation program without installing any component of the VA Server. To install VA Server, re-run the installation program.
  • Select [ Next ] to display the License Agreement page.
4
Select [ Accept ] to accept the license agreement and go to the next page in the installer. Select [ No ] to cancel the installation.
5
In the Customer Information page, type your User Name, Company Name, and Email Address in the text fields provided. These are required fields except for the Email Address. However, you should provide an email address because the VA administration server uses it to perform email notifications.
6
Select [ Next ]. The Choose Destination Location page displays, showing the default destination folder where VA Server components are installed.
7
To select a different destination folder, select [ Browse ] and enter the folder location.
8
Select [ Next ].
9
In the VA Server Information page, enter the requested information on the host name, port number, and user for the VA administration server.
  • Enter the VA Server host name. The host name identifies the computer. The default host name is the name of the computer on which you are installing the VA Server.
  • Enter the VA administration server port number. This port number identifies the port at which the VA administration server listens for HTTPS requests from the browser. If you use a port other than the default (13333), note it for future reference.
  • Enter the VA administration server user and password. This user is the initial user who can log in to the VA administration server. The default user name is admin. If you type a different name, make a note of it.
  • After completing the installation, log in to the VA administration server by using this username. The password must be at least eight characters long, contain at least one alphabetic character, one digit, one special character, one upper case character, one lower case character, and meet the requirements in the Manage VA administration server users section on page 77 of the Axway Validation Authority Administrator Guide. Re-type the password to confirm it. Select [ Next ] to continue.
Because you are using VA Server with an HSM device conforming to PKCS #11, you must configure VA Server to use the same password as the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
10
Select either the option to generate a self-signed certificate or import a PFX / P12 file. If you select Generate a Self-Signed Certificate, select [ Next ] and continue to step 11. If you select Import PFX / P12 from file:
  • Select the file to import from the file selection dialog box and then select [ Open ].
  • Enter a password to decrypt the file. This password was originally used to protect the PFX file.
  • By default, the Encrypt Admin UI Private Key option is selected. If you do not want this option, uncheck the box to disable the password field. Enter a password to encrypt the admin server key for the VA Server. The password must be at least eight characters long, contain at least one alphabetic character, one digit, one special character, one upper case character, one lower case character, and meet the requirements in the Manage VA administration server users section on page 77 of the Axway Validation Authority Administrator Guide. This encryption option, along with the provided password, automatically calls apachepassphrase for unattended startup.
  • Select [ Next ] to continue. The Start Copying Files page displays.
11
Review the current settings. If you need to make any changes to the settings, use the [ Back ] button. Otherwise, select [ Next ] to continue.
12
Files are installed in the specified destination location. After the installation finishes, the InstallShield Wizard Complete page displays. The VA Server is successfully installed. You can verify this later by using the Admin Server User Interface > Help > About page, which displays the current version.
13
Clear the Launch Administrative Server User Interface check box to start the VA administration server at a later time.
14
Select [ Finish ]. The installation program adds the VA Server to your Start menu. If you access Control Panel > Administrative Tools > Services, you see Axway Validation Authority and Axway VA Admin included in the list of services. You can access the VA Server admin UI and this document from the Start menu. The installation also automatically creates a VA administration server private key (adminserver.key) and SSL certificate (adminserver.crt) in the <VADataDir>\entserv directory. (Example: C:\ProgramData\Axway\VA\entserv in Windows.) You are now ready to use the VA administration server to configure, start, and manage the VA Server.

Linux

You do not have to be root to install the VA Server, but non-root users cannot configure the installation to use a port lower than 1024. When installing as root on a port lower than 1024, you must choose whether to run the server in setuid root mode. This mode is required to start the server using the admin UI. In this case, the server runs as root, but only during initialization. After the listening sockets are established, the process steps down to that of the invoking user (for example, nobody).
The Axway-generated GPG key digitally signs the distributed installation file, and you can verify it by using the shipped GPG public key before installation.
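The following script is an added example, not part of the Axway or Futurex documentation. It makes the signature check a precondition of the rpm -U step in the procedure below, and it reads the text of the rpm -K result because a package that carries no signature still reports a digest-only success. It assumes the result wording of rpm 4.14 or later; the package and public key file names are supplied by the operator.

```shell
#!/usr/bin/env bash
# Added example, not Axway or Futurex code: make "rpm -U" conditional on a
# verified GPG signature. File names passed in are the operator's own.

# Classify one line of `rpm -K <package>` output.
# Assumption: rpm 4.14+ wording, where items that pass are lowercase and
# items that fail are uppercase and followed by "NOT OK".
# Prints one of: verified | unsigned | failed
classify_rpm_check() {
    local line="$1"
    local result="${line#*: }"      # drop the "<package>: " prefix
    case "$result" in
        *"NOT OK"*)     echo failed ;;     # bad digest, bad signature, or key not imported
        *signatures*OK) echo verified ;;   # digests and signature both checked out
        *OK)            echo unsigned ;;   # digests match, but no signature was present
        *)              echo failed ;;     # unrecognised output: fail closed
    esac
}

# Import the vendor public key, check the package, and upgrade only on "verified".
verify_and_install() {
    local pkg="$1" pubkey="$2" out status
    rpm --import "$pubkey" || return 1
    out="$(rpm -K "$pkg")" || true      # exit code alone is not trusted; classify the text
    status="$(classify_rpm_check "$out")"
    if [ "$status" != verified ]; then
        echo "refusing to install $pkg: signature check is '$status'" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    rpm -U "$pkg"
}

# Constructed sample lines (not captured from a real system) showing the three outcomes.
demo() {
    for line in \
        'pkg.rpm: digests signatures OK' \
        'pkg.rpm: digests OK' \
        'pkg.rpm: digests SIGNATURES NOT OK'
    do
        printf '%-40s -> %s\n' "$line" "$(classify_rpm_check "$line")"
    done
}

# With two arguments (package, public key file) run the real check; otherwise show the demo.
if [ "$#" -eq 2 ]; then
    verify_and_install "$1" "$2"
else
    demo
fi
```

Run it as root with the RPM file and the shipped public key file as its two arguments; with no arguments it only prints the classification of the constructed sample lines.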
Perform the following steps to install Axway VA Server on Linux:
1
Copy the Validation_Authority_Server_<Release Version>_linux-x86-64_BN<build number>.rpm file that you received from Axway Global Support to the Linux system.
This RPM package depends on other RPM packages that are generally available from the RHEL RPM repositories. If these packages are not already installed on the system, the installation reports the necessary packages as missing and fails. If this happens, install the missing packages and install this RPM package again.
2
Extract the files with the following command.
rpm -U Validation_Authority_Server_<Release Version>_linux-x86-64_BN<build number>.rpm
If a previous version of the RPM is installed on the system, this command removes the previous version and installs the new version to /opt/va_install/<Version><SPnumber>/VCeva. SPnumber is only applicable for Service Pack releases (example: SP1).
3
Change directories to the Validation Authority Server directory.
cd /opt/va_install/<Version><SPnumber>/VCeva
WARNING: Do not install under the va_install directory when running the install script. The rpm uninstall erases the va_install directory.
4
Enter the following at the command line prompt to run the installation script:
./install_eva
The installation script then prompts whether to install using ports 1024 and greater, assuming you are not installing as root. You must install as root to select a port lower than 1024. You must also answer yes when prompted to run setuid root to start the server through the admin UI.
5
Enter y (yes) or n (no). The installation script displays the Axway software licensing agreement and prompts you with the following:
Do you agree to the above terms? [y/n]
Default: [y]
6
Press [ Enter ] to accept the software licensing agreement. The installation script next prompts you for a location to install the VA Server.
Enter the Validation Authority install directory
Default: [/opt/axway]
7
Press [ Enter ] to accept the default, or enter a location to install the VA Server, then press [ Enter ]. The installation script next prompts you to enter a port number for the VA administration server:
Enter the port number for the Validation Authority Administration Server [1-65535].
Default: [13333]
8
The VA administration server is the administration component of the Validation Authority. This server, which is installed during the installation process, provides an administration user interface (admin UI) through which you configure and operate the VA validation server. If you choose to use a port other than the default, note it for future reference. This port number identifies the port at which the VA administration server listens and exchanges information to perform configuration operations with the browser using HTTPS requests.
9
Press [ Enter ] to accept the default port number for the VA administration server, or enter a different number and press [ Enter ]. The script prompts you for the email address of the server administrator. It displays:
Enter the email address of the server administrator:
Default: [sysadmin]
The VA administration server uses this email address to send informational messages to the server administrator during configuration and administration performed at the VA dialog boxes.
10
Press [ Enter ] to accept this email address, or enter a different address and then press [ Enter ]. The script prompts you for the server host name:
Enter the server's hostname (either a DNS name or IP address):
Default: [computer_name.yourdomain.com]
Where computer_name is the name of your host computer, and yourdomain is the domain name for your host computer. The host name identifies the computer on which you have installed the Validation Authority.
11
Press [ Enter ] to accept the default server host name, or enter a different name and press [ Enter ]. The script prompts you for a user name to run the VA administration server. It displays:
Enter the username to run the VA and Administration Servers as:
Default: []
If you are not installing as root, the default username displayed is the user ID.
12
Press [ Enter ] to use the default username, or enter a different name and press [ Enter ].
13
The following message displays:
In order to start the VA via the web interface on a port less than 1024 ves must executre as setuid root. Do you wish to set this bit?
Default: [y]
The name of the VA Server process is ves.
14
If you plan to use a validation port number of 1024 or greater, type n; otherwise, accept the default and press [ Enter ]. The script prompts you to identify the VA administration server user. This user is the initial user who can log in to the VA administration server. The default user name is admin.
Please enter the Administration server user id
[admin]:
15
Press [ Enter ] to use the default VA administration server user name, or enter a different name and press [ Enter ]. If you type a different name, make a note of it. After completing the installation, log in to the VA administration server by using this username. The system configures the VA administration server user and then prompts for the VA administration server user password.
16
Enter and confirm the VA administration server user password.
Because you are using VA Server with an HSM device conforming to PKCS #11, you must configure VA Server to use the same password as the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
Please enter the Administration Server user password:
Please confirm the Administration Server user password:
The password must be at least eight characters long and contain one uppercase, one lowercase, one digit, and one special character.
17
The following message displays:
Would you like to use an imported certificate, rather than generating a self-signed one, for the admin server's SSL certificate? [y|n]:
Default: [n]
Either enter n to generate a self-signed certificate, or y to import a PFX / P12 certificate. For a self-signed certificate, continue to Step 18. Otherwise, perform the following steps:
  1. Optionally, enter y to protect the private key. If you enter y, a password prompt displays when the admin server starts.
  2. Enter the path to the certificate you are importing.
  3. Enter the password to decrypt the file. This password originally protected the PFX file.
  4. At the PEM pass phrase prompt, enter a password to encrypt the admin server key for the admin UI. When prompted, enter this password after the admin server starts. The installation automatically creates a VA administration server private key (adminserver.key) and SSL certificate (adminserver.crt) in the /var/lib/va/entserv directory.
18
The installation process completes, and you are prompted to start the admin server.
Would you like to start the EVA Administration Server [y/n]?
Default: [y]
VA Server is successfully installed. You can verify this by using the Admin Server User Interface > Help > About page, which displays the current version.
19
Press [ Enter ] to start the VA administration server.

Configure Axway VA Server

Perform the following tasks in this section to configure the VA Server:
  1. Access the VA administration server UI.
  2. Install the Responder product license.
  3. Bypass optional configurations.
  4. Change the server password.
  5. Create an OCSP and SCVP signing key pair.
  6. Configure SSL communication for the admin server.
  7. Configure Axway VA.

Access the VA administration server UI

The admin UI requires an HTTPS server. This server is automatically installed and configured during VA Server installation. You can launch the admin UI automatically as the final installation step, from the desktop icon created during the installation, or by accessing it directly from a browser using the VA administration server URL. For a standard connection, the URL is https://<hostname>:<port>, where <hostname> and <port> are the VA Server host name and the VA administration server port number you provided during installation (13333 by default).
The VA administration server is, by default, only available using SSL (https). Operating the VA administration server using non-SSL (http) disables certificate-based authentication for users.
Perform the following steps:
1
When the web interface opens for the first time, you receive an SSL certificate warning. Bypass this warning and proceed to the login page.
2
At the Administrative Login prompt, log in with Basic Authentication by using the credentials set during installation.
After a successful login, the home page of the admin UI loads.

Install the product license

Perform the following steps to install the Responder product license:
1
In the file manager for your system, find the VA Responder Temp license file that Axway Global Support provided.
2
Double-click the VA Responder Temp license file to open it. Then enter Ctrl+A to select all, and then Ctrl+C to copy to the clipboard.
3
Select the Enter License menu on the left and paste the license information into the blank text area, and select [ Submit License ].
4
Enter the SAC ID that Axway Global Support provided, and select [ Verify License ].
5
If the submission is successful, you can review the license information on the Axway Validation Authority License page. Select [ Next Step ] after you have finished reviewing the information.

Bypass optional configurations

Perform the following steps to bypass optional configurations:
1
On the Import Configuration File page, select [ Skip ].
2
On the Install Custom Extensions page, select [ NO ], and then select [ Submit ].

Change the server password

To prevent unauthorized access to the VA Server, change the server password.
1
If you already created a server password matching the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file, leave the field blank, and proceed to step 3. If you did not, you must do this now. Enter the server password you set during installation in the Enter Current Server Password field.
2
Type the CryptoHub identity password in Enter New Password. The password must be at least eight characters long and contain one uppercase, one lowercase, one digit, and one special character.
3
Verify the new password by entering Confirm New Password and selecting [ Submit ].
4
Select [ Next Step ] to continue with the initial configuration. The Key Type Selection page displays.

Create an OCSP and SCVP signing key pair

Because you must generate a public/private key pair to sign OCSP and SCVP responses when operating as a Responder, this key type is assigned as the default. Perform the following steps to create an OCSP and SCVP signing key pair:
1
Select [ Submit Key Type ].
2
The Key Generation/Import Mechanism page displays.
3
Select the Generate/Import Hardware Key on custom PKCS11 provider option, set the Vendor as Other, and type in the location of the Futurex PKCS #11 library. Then, select [ Submit Key Generation Technique ].
4
Fill in all of the required information, and select [ Submit ].
In the User PIN field, you must specify the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
All of the Certificate Options should be left as their default values.
If Axway VA successfully created the OCSP/SCVP Response Signing key on the HSM, a success message displays.

Configure SSL communication for the admin server

Before configuring the Axway VA admin UI in the next section, complete the following actions directly on the CryptoHub by using FXCLI to configure SSL communication for the admin server:
1
Run the CryptoHub CLI program.
2
Set the TLS configuration to Anonymous by using the following command:
$ tls config --anonymous=true
result:
    status: success
    statusCode: 0
tlsConfig:
    anonymous: false
    enabled: false
    verifyDepth: 1
Anonymous TLS here helps simplify the demonstration. We do not recommend using Anonymous in a production setting. If you choose to connect to the HSM anonymously, you must enable the Anonymous setting for the HSM’s production port.
3
Connect to the CryptoHub through TCP.
$ connect tcp -c 10.0.5.223:2001
[2023-12-07 16:57:12]   INFO   Connected to 10.0.5.223:2001.
[2023-12-07 16:57:12]   INFO   10.0.5.223:2001 handshake successful.
Connected to '10.0.5.223:2001'.
result:
    status: success
    statusCode: 0
4
Log in with the default Admin1 and Admin2 identities.
$ login user
  Username> Admin1
  Password>[2023-12-03 10:53:58]   INFO   Successfully logged in user 'Admin1'.
Successfully logged in as 'Admin1'.
result:
    status: success
    statusCode: 0
dualFactor:
    wanted: false
loggedIn: true
fullyLoggedIn: false
numLogins: 1
loginsRemaining: 1
identities: "Admin1"
roles: "Single Admin"
[2023-12-03 10:53:58]   INFO   Successfully seeded local OpenSSL context with random data.


$ login user
  Username> Admin2
  Password>[2023-12-03 10:54:07]   INFO   Successfully logged in user 'Admin2'.
Successfully logged in as 'Admin2'.
result:
    status: success
    statusCode: 0
dualFactor:
    wanted: false
loggedIn: true
fullyLoggedIn: true
numLogins: 2
loginsRemaining: 0
identities:
    - "Admin1"
    - "Admin2"
roles:
    - "Administrator"
    - "Key Manager"
    - "Operations"
    - "Settings Manager"
    - "Single Admin"
5
Create a new key pair on the CryptoHub.
$ generate --algo RSA --bits 2048 --name AxwaySslKeyPair --slot next --usage mak
Generated key in board slot.
result:
    status: success
    statusCode: 0
keySlot:
    slot: 2
    name: "AxwaySslKeyPair"
    kcv: "26484FC3"
    algorithm: RSA
    bits: 2048
    usage: Sign,Verify
    startValidity: "1971-01-01 00:00:00"
    endValidity: "2999-01-01 00:00:00"
    exportable: true
    clearExportable: false
    passwordExportable: false
    requiresAuth: false
    modifiable: true
6
Add a PKCS #11 label to the private key.
$ keytable extdata --slot 2 --p11-attr label --p11-value "AxwaySslForAdminServer"
The generate command in step 5 sets AxwaySslKeyPair as the HSM label for the key pair. However, Axway VA cannot find the key by using the HSM label. It must find it using a PKCS #11 label. That is why it is necessary to run the preceding keytable extdata command, which sets the PKCS #11 label in a separate field from where the HSM label is set.
7
Generate a certificate signing request (CSR).
$ x509 req --private-slot AxwaySslKeyPair --out AxwaySslCSR.pem --dn 'O=Futurex\CN=AxwaySslForAdminServer'
Saved CSR file 'AxwaySslCSR.pem'.
result:
    status: success
    statusCode: 0
8
Sign the CSR with a certificate authority (CA) certificate.
$ x509 sign --private-slot 2 --issuer C:\Futurex\sandbox\AxwayTlsCa.pem --csr C:\Futurex\sandbox\AxwaySslCSR.pem --eku Server --key-usage DigitalSignature --key-usage KeyAgreement --ca false --dn 'O=Futurex\CN=AxwaySignedSslForAdminServer' --out C:\Futurex\sandbox\AxwaySignedSsl.pem
Output certificate to 'AxwaySignedSsl.pem'.
result:
    status: success
    statusCode: 0
The CA certificate that is being used to sign the Axway VA certificate was also created using FXCLI.

Configure Axway VA

Perform the following steps to configure Axway VA:
1
First, install the CA that signed the certificate you’re importing on the machine where you installed the Axway VA Server. Install the CA in the Trusted Root Certificate Authorities store for Windows or the equivalent store on your browser.
2
Log in to the VA admin UI.
3
Go to the Create/Import Private Key menu, select SSL Communication For Admin Server, and select [ Submit Key Type ].
4
For the key generation/import mechanism, select Hardware Key Generation/Import using Other, and select [ Submit Key Generation Technique ].
5
Select Import previously generated private key and select [ Submit Key Generation Or Import ].
6
Fill in all of the PKCS11 Token Information fields, paste in the PEM/BASE64 Certificate signed in the previous section, and select [ Submit Hardware Key to Import ].
7
Start a command prompt as administrator and call apachepassphrase.
$ apachepassphrase -set "<VA Server password>"
This sets the password in the registry. During startup, the Apache HTTP Server automatically reads it from there by using apachepassphrase.
8
Restart the Axway VA Admin service in the Service Control Panel for changes to take effect.