Configure Axway VA

this section covers installing and configuring the axway va server install axway va server select your operating system and perform the steps to install the va server windows va server is no longer installed as an interactive service on windows this applies to both the admin ui service and the validation authority service that is installed as part of va server using an account in the administrators group, log on to the computer on which you plan to install the va server copy the validation authority server \<release version>win x86 64 bnxxx exe file that you received from axway global support to the windows system double click validation authority server \<release version>win x86 64 bnxxx exe in the welcome page, follow the on screen instructions as you proceed through the installation select \[ next ] to move forward to the next installation window select \[ back ] to return to the previous installation window select \[ cancel ] to close the installation program without installing any component of the va server to install va server, re run the installation program select \[ next ] to display the license agreement page select \[ accept ] to accept the license agreement and go to the next page in the installer select \[ no ] to cancel the installation in the customer information page, type your user name , company name , and email address in the text fields provided these are required fields except for the email address however, you should provide an email address because the va administration server uses it to perform email notifications select \[ next ] the choose destination location page displays, showing the default destination folder where va server components are installed to select a different destination folder, select \[ browse ] and enter the folder location select \[ next ] in the va server information page, enter the requested information on the host name , port number , and user for the va administration server enter the va server host name the host name identifies the computer the default host name is the name of the computer on which you are installing the va server enter the va administration server port number this port number identifies the port at which the va administration server listens for https requests from the browser if you use a port other than the default (13333), note it for future reference enter the va administration server user and password this user is the initial user who can log in to the va administration server the default user name is admin if you type a different name, make a note of it after completing the installation, log in to the va administration server by using this username the password must be at least eight characters long, contain at least one alphabetic character, one digit, one special character, one upper case character, one lower case character, and meet the requirements in the manage va administration server users section on page 77 of the axway validation authority administrator guide re type the password to confirm it select \[ next ] to continue because you are using va server with an hsm device conforming to pkcs #11, you must configure va server to use the same password as the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file select either the option to generate a self signed certificate or import a pfx / p12 file if you select generate a self signed certificate , select \[ next ] and continue to step 11 if you select import pfx / p12 from file select the file to import from the file selection dialog box and then select \[ open ] enter a password to decrypt the file this password was originally used to protect the pfx file by default, the encrypt admin ui private key option is selected if you do not want this option, uncheck the box to disable the password field enter a password to encrypt the admin server key for the va server the password must be at least eight characters long, contain at least one alphabetic character, one digit, one special character, one upper case character, one lower case character, and meet the requirements in the manage va administration server users section on page 77 of the axway validation authority administrator guide this encryption option, along with the provided password, automatically calls apachepassphrase for unattended startup select \[ next ] to continue the start copying files page displays review the current settings if you need to make any changes to the settings, use the \[ back ] button otherwise, select \[ next ] to continue files are installed in the specified destination location after the installation finishes, the installshield wizard complete page displays the va server is successfully installed you can verify this later by using the admin server user interface > help > about page, which displays the current version clear the launch administrative server user interface check box to start the va administration server at a later time select \[ finish ] the installation program adds the va server to your start menu if you access control panel > administrative tools > services , you see axway validation authority and axway va admin included in the list of services you can access the va server admin ui and this document from the start menu the installation also automatically creates an va administrative server private key ( adminserver key ) and ssl certificate ( adminserver crt ) in the \<vadatadir>\entserv directory (example c \programdata\axway\va\entserv in windows ) you are now ready to use the va administration server to configure, start, and manage the va server linux you do not have to be root to install the va server, but non root users cannot configure the installation to use a port lower than 1024 when installing as root on a port lower than 1024, you must choose whether to run the server in setuid root mode this mode is required to start the server using the admin ui in this case, the server runs as root, but only during initialization after the listening sockets are established, the process steps down to that of the invoking user (for example, nobody ) the axway generated gpg key digitally signs the distributed installation file, and you can verify it by using the shipped gpg public key before installation copy the validation authority server \<release version> linux x86 64 bn\<build number> rpm file that you received from axway global support to the linux system this rpm package depends on other rpm packages that are generally available from rhel rpm repository(s) if these packages are not already installed on the system, the installation reports the necessary packages as missing and fails if this happens, install the missing packages and install this rpm package again extract the files with the following command rpm u validation authority server \<release version> linux x86 64 bn\<build number> rpm if a previous version of the rpm is installed on the system, this command removes the previous version and installs the new version to /opt/va install/\<version>\<spnumber>/vceva spnumber is only applicable for service pack releases (example sp1 ) change directories to the validation authority server directory cd /opt/va install/\<version>\<spnumber>/vceva warning do not install under the va install directory when running the install script the rpm uninstall erases the va install directory ) enter the following at the command line prompt to run the installation script /install eva the installation script then prompts whether to install using ports 1024 and greater, assuming you are not installing as root you must install as root to select a port lower than 1024 you must also answer yes when prompted to run setuid root to start the server through the admin ui enter y (yes) or n (no) the installation script displays the axway software licensing agreement and prompts you with the following do you agree to the above terms? \[y/n] default \[y] press \[ enter ] to accept the software licensing agreement the installation script next prompts you for a location to install the va server enter the validation authority install directory default \[/opt/axway] press \[ enter ] to accept the default, or enter a location to install the va server, then press \[ enter ] the installation script next prompts you to enter a port number for the va administration server enter the port number for the validation authority administration server \[1 65535] default \[13333] the va administration server is the administration component of the validation authority this server, which is installed during the installation process, provides an administration user interface (admin ui) through which you configure and operate the va validation server if you choose to use a port other than the default, note it for future reference this port number identifies the port at which the va administration server listens and exchanges information to perform configuration operations with the browser using https requests select \[ enter ] to accept the default port number for the va administration server, or enter a different number and press \[ enter ] the script prompts you for the email address of the server administrator it displays enter the email address of the server administrator default \[sysadmin] the va administration server uses this email address to send informational messages to the server administrator during configuration and administration performed at the va dialog boxes press \[ enter ] to accept this email address, or enter a different address and then press \[ enter ] the script prompts you for the server host name enter the server's hostname (either a dns name or ip address) default \[computer name yourdomain com] where computer name is the name of your host computer, and yourdomain is the domain name for your host computer the host name identifies the computer on which you have installed the validation authority select \[ enter ] to accept the default server host name, or enter a different name and select \[ enter ] the script prompts you for a user name to run the va administration server it displays enter the username to run the va and administration servers as default \[] if you are not installing as root, the default username displayed is the user id select \[ enter ] to use the default username, or enter a different name and select \[ enter ] the following message displays in order to start the va via the web interface on a port less than 1024 ves must executre as setuid root do you wish to set this bit? default \[y] the name of the va server process is ves if you plan to use a validation port number of 1024 or greater, type n ; otherwise, accept the default and press \[ enter ] the script prompts you to identify the va administration server user this user is the initial user who can log in to the va administration server the default user name is admin please enter the administration server user id \[admin] press \[ enter ] to use the default va administration server user name, or enter a different name and press \[ enter ] if you type a different name, make a note of it after completing the installation, log in to the va administration server by using this username the system configures the va administration server user and then prompts for the va administration server user password enter and confirm the va administration server user password because you are using va server with an hsm device conforming to pkcs #11, you must configure va server to use the same password as the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file please enter the administration server user password please confirm the administration server user password the password must be at least eight characters long and contain one uppercase, one lowercase, one digit, and one special character the following message displays would you like to use an imported certificate, rather than generating a self signed one, for the admin server's ssl certificate? \[y|n] default \[n] either enter n to generate a self signed certificate, or y to import a pfx / p12 certificate for a self signed certificate, continue to step 18 otherwise, perform the following steps optionally, enter y to protect the private key if you enter y , a password prompt displays when the admin server starts enter the path to the certificate you are importing enter the password to decrypt the file this password originally protected the pfx file at the pem pass phrase prompt, enter a password to encrypt the admin server key for the admin ui when prompted, enter this password after the admin server starts the installation automatically creates a va administration server private key ( adminserver key ) and ssl certificate ( adminserver crt ) in the /var/lib/va/entserv directory the installation process completes, and you are prompted to start the admin server would you like to start the eva administration server \[y/n]? default \[y] va server is successfully installed you can verify this by using the admin server user interface > help > about page, which displays the current version press \[ enter ] to start the va administration server configure axway va server perform the following tasks in this section to configure the va server access the va administration server ui install the responder product license bypass optional configurations change the server password create an ocsp and scvp signing key pair configure ssl communication for the admin server configure axway va access the va administration server ui the admin ui requires an https server this server is automatically installed and configured during va server installation you can launch the admin ui automatically as the final installation step, from the desktop icon created during the installation, or by accessing it directly from a browser using the va administration server url for a standard connection, the url is https //\<hostname> \<port> (where \<hostname> and \<port> are the va server host name and va administration server port number you provided during installation (13333 by default)) the va administration server is, by default, only available using ssl (https) operating the va administration server using non ssl (http) disables certificate based authentication for users perform the following steps when the web interface opens for the first time, you receive an ssl certificate warning bypass this warning and proceed to the login page at the administrative login prompt, log in with basic authentication by using the credentials set during installation after a successful login, the home page of the admin ui loads install the product license perform the following steps to install the responder product license in the file manager for your system, find the va responder temp license file that axway global support provided double click the va responder temp license file to open it then enter ctrl+a to select all, and then ctrl+c to copy to the clipboard select the enter license menu on the left and paste the license information into the blank text area, and select \[ submit license ] enter the sac id that axway global support provided, and select \[ verify license ] if the submission is successful, you can review the license information on the axway validation authority license page select \[ next step ] after you have finished reviewing the information bypass optional configurations perform the following steps to bypass optional configurations on the import configuration file page, select \[ skip ] on the install custom extensions page, select \[ no ] , and then select \[ submit ] change the server password to prevent unauthorized access to the va server, change the server password if you already created a server password matching the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file, leave the field blank, and proceed to step 3 if you did not, you must do this now enter the server password you set during installation in the enter current server password field type the {{ch}} identity password in enter new password the password must be at least eight characters long and contain one uppercase, one lowercase, one digit, and one special character verify the new password by entering confirm new password and selecting \[ submit ] select \[ next step ] to continue with the initial configuration the key type selection page displays create an ocsp and scvp signing key pair because you must generate a public/private key pair to sign ocsp and scvp responses when operating as a responder, this key type is assigned as the default perform the following steps to create an ocsp and scvp signing key pair select \[ submit key type ] the key generation/import mechanism page displays select the generate/import hardware key on custom pkcs11 provider option, set the vendor as other , and type in the location of the {{futurex}} pkcs #11 library then, select \[ submit key generation technique ] fill in all of the required information, and select \[ submit ] in the user pin field, you must specify the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file all of the certificate options should be left as their default values if axway va successfully created the ocsp/scvp response signing key on the hsm, a success message displays configure ssl communication for the admin server before configuring the axway va admin ui in the next section, complete the following actions directly on the {{ch}} by using fxcli to configure ssl communication for the admin server run the {{ch}} cli program set the tls configuration to anonymous by using the following command $ tls config anonymous=true result status success statuscode 0 tlsconfig anonymous false enabled false verifydepth 1 anonymous tls here helps simplify the demonstration we do not recommend using anonymous in a production setting if you choose to connect to the hsm anonymously, you must enable the anonymous setting for the hsm's production port connect to the {{ch}} through tcp $ connect tcp c 10 0 5 223 2001 \[2023 12 07 16 57 12] info connected to 10 0 5 223 2001 \[2023 12 07 16 57 12] info 10 0 5 223 2001 handshake successful connected to '10 0 5 223 2001' result status success statuscode 0 log in with the default admin1 and admin2 identities $ login user username> admin1 password>\[2023 12 03 10 53 58] info successfully logged in user 'admin1' successfully logged in as 'admin1' result status success statuscode 0 dualfactor wanted false loggedin true fullyloggedin false numlogins 1 loginsremaining 1 identities "admin1" roles "single admin" \[2023 12 03 10 53 58] info successfully seeded local openssl context with random data $ login user username> admin2 password>\[2023 12 03 10 54 07] info successfully logged in user 'admin2' successfully logged in as 'admin2' result status success statuscode 0 dualfactor wanted false loggedin true fullyloggedin true numlogins 2 loginsremaining 0 identities \ "admin1" \ "admin2" roles \ "administrator" \ "key manager" \ "operations" \ "settings manager" \ "single admin" create a new key pair on the {{ch}} $ generate algo rsa bits 2048 name axwaysslkeypair slot next usage mak generated key in board slot result status success statuscode 0 keyslot slot 2 name "axwaysslkeypair" kcv "26484fc3" algorithm rsa bits 2048 usage sign,verify startvalidity "1971 01 01 00 00 00" endvalidity "2999 01 01 00 00 00" exportable true clearexportable false passwordexportable false requiresauth false modifiable true add a pkcs #11 label to the private key $ keytable extdata slot 2 p11 attr label p11 value "axwaysslforadminserver" the generate command in step 5 sets axwaysslkeypair as the hsm label for the key pair however, axway va cannot find the key by using the hsm label it must find it using a pkcs #11 label that is why it is necessary to run the preceding keytable extdata command, which sets the pkcs #11 label in a separate field from where the hsm label is set generate a certificate signing request (csr) $ x509 req private slot axwaysslkeypair out axwaysslcsr pem dn 'o=futurex\cn=axwaysslforadminserver' saved csr file 'axwaysslcsr pem' result status success statuscode 0 request | \ begin certificate request miicedccawacaqawmzeqma4ga1uechmhrnv0dxjledefmb0ga1ueaxmwqxh3yxlt c2xgb3jbzg1pblnlcnzlcjccasiwdqyjkozihvcnaqebbqadggepadccaqocggeb ambhewpulbu5gczywkjrtaxgu0+apcsgzore6k1cdnkfxz0g2zfyconcz6dg5f60 6m1pieaehkmnzlbasn2f1bbvj5ecfbxyaowmqysf7r7o+q7hfr7qudz0ant09qqt pt885wwcfh6lfhdwtpot2bmcemceugrljygg7nhkjkournhkjba2cj06uahe/qoc dxiptwejows9muau7snxedfuwuy9qaorp4h0drht+nl/gucwu2zcnamr+ugvxvnw nipip22/zcdiuygjmp3mmcburk9sjnae3ogcwvbu30crmbtjyuhxfjalnqcjehtt 1v+cxzozikyimfeors/k+vscaweaaaaama0gcsqgsib3dqebcwuaa4ibaqc0ugst p3mgfmt8vbmcf51m4dh5j8u3iknqoesycr7hchaszn6jpeom5o5tdzvxnztfrs5x vy0mssm6wozujdjqpatwczakj46dlfy2kabwec/mzfurgjfcjtrghnptuipdwxtk 0gutuaraeu+jg287qhbnmmpypbwskekdwt7rgyvvzvf5h6lvtwypufhautk7oqjw mvre2b5eoe9idkld1tjfhxuaqa+bflyadm/itltfrtroango6winrrpdeg8azwja ifyufmxhalsdinsqefy2u8vgle4q81v7j1gsgzc4m3uq4wkk4zunt7kpdlcvbtvb wcmhlxk2n+bdz/ho \ end certificate request sign the csr with a certificate authority (ca) certificate $ x509 sign private slot 2 issuer c \futurex\sandbox\axwaytlsca pem csr c \futurex\sandbox\axwaysslcsr pem eku server key usage digitalsignature key usage keyagreement ca false dn 'o=futurex\cn=axwaysignedsslforadminserver' out c \futurex\sandbox\axwaysignedssl pem output certificate to 'axwaysignedssl pem' result status success statuscode 0 certificate | \ begin certificate miidbtccae2gawibagijamwv+gngm+vsma0gcsqgsib3dqebcwuamcexedaobgnv baotb0z1dhvyzxgxdtalbgnvbamtbfjvb3qwihgpmjaymdeymdixotixmdhaga8y mdixmtiwmze5mjewofowkzeqma4ga1uechmhrnv0dxjledexmbuga1ueaxmoqxh3 yxlubhntzxj2zxiwggeima0gcsqgsib3dqebaquaa4ibdwawggekaoibaqc/mufv pj+dwm9q1iz0k/tbjcwp9oxdibj5y4lg7hvub5wt3bz+urz57t7bvyr5tqltfwgj fbhrqxwawppc3g3aou0crrppma86axovvhpm/r4up5lpweo4aezczlrgwetkop5z qma824r581p0zxulu5hrps0ye0qbccfjnakuwug5hdv0tfllwyfhrfnonivm666z incwyvrtxgrgjmtrkn84m1qqoldf8vuo4ba/ccdvlbilkmrifs4s69ctw1r5kyvx do6xreocgg4nr5nd//mc8oh0jgnrnfmbaeehoudoqicdjj5onjngq6lcnuodmp3v nr2wzjr1ooohi9zzagmbaagjmjawmawga1udeweb/wqcmaawcwydvr0pbaqdagoi mbmga1udjqqmmaogccsgaqufbwmbma0gcsqgsib3dqebcwuaa4ibaqc1hlpjr5qv kgcgaqdkzmlmjnmstdjzvjzmtv3fv/p15k5lg8/p14g755pbgmgzc74pntufau+a greiiwxxy6hga6l2+xla6wigv+hgpuswko1q0q4s3ryqeuwwwfqawe2d/lxk0xvp irkzfzxbupvhr/ofy+b0czhkxfwcckt4ly0tmwqkvwnjrgsy8am6ui8zpbtnkx5r 4mn0rqrq9rjesvjc06r40ahpc5jfcb5vvgux7mof1lebmry4f+inufqtdt7yqf/3 8cur17qnx1e5imuzg+dwj9sncj3hl44fbylg1pay7uuyhnatowcpmc4k6rzkacxk zgpgy1xbwrwm \ end certificate the ca certificate that is being used to sign the axway va certificate was also created using fxcli configure axway va perform the following steps to configure axway va first, install the ca that signed the certificate you're importing on the machine where you installed the axway va server install the ca in the trusted root certificate authorities store for windows or the equivalent store on your browser log in to the va admin ui go to the create/import private key menu, select ssl communication for admin server , and select \[ submit key type ] for the key generation/import mechanism, select hardware key generation/import using other , and select \[ submit key generation technique ] select import previously generated private key and select \[ submit key generation or import ] fill in all of the pkcs11 token information fields, paste in the pem/base64 certificate signed in the previous section, and select \[ submit hardware key to import ] start a command prompt as administrator and call apachepassphrase $ apachepassphrase set "\<va server password>" this sets the password in the registry the apache http server reads it from there by using apachepassphrase during startup automatically restart the axway va admin service in the service control panel for changes to take effect