Configure CertAgent with the Futurex PKCS #11 Library

2min
The CertAgent package for Linux platforms consists of a zip archive that you may unzip into any directory on your server while preserving the directory structure.
Set the LD_LIBRARY_PATH environment variable and run the CertAgent installer
1
In a terminal, go to the certagent<version>-install directory. This directory should have the install.sh file. 
The CertAgent installer requires you to specify the location of the  PKCS #11 (FXPKCS11) directory in the LD_LIBRARY_PATH environment variable. Run the following command to set the LD_LIBRARY_PATH variable and run the CertAgent installer in the same command:
The path to the FXPKCS11 library must be specific to the installed location on your system.
Shell
[centos@centos6 certagent.7.0.8-install]$ sudo env LD_LIBRARY_PATH=/usr/local/bin/fxpkcs11 ./install.sh
[centos@centos6 certagent.7.0.8-install]$ sudo env LD_LIBRARY_PATH=/usr/local/bin/fxpkcs11 ./install.sh
﻿
The output should be similar to the following example:
Shell
******************************************************************************
CertAgent Installation 7.0.8
Copyright(c) 2020 Information Security Corp. All rights reserved.
******************************************************************************

You are going to install CertAgent 7.0.8.
An HSM is required to be installed. Credentials will be
generated on the HSM during the installation.

The following information is required during the installation process:
 - 64-bit Java 8, 11, or above installation directory
 - 64-bit HSM library, label, and PIN
 - if an existing Oracle, PostgreSQL, or HyperSQL database will be used, 
   the location of the JDBC driver, access URL, user name and password for
   the Oracle, PostgreSQL, or HyperSQL database; otherwise, an HyperSQL
   database will be installed and requires a listening port
 - system hostname or IP address
 - TLS port for the administrator site
 - TLS port for the public site

The following directories must be specified in the LD_LIBRARY_PATH variable:
 - the 64-bit HSM libraries
 - the Oracle Instant Client libraries (if OCI driver will be used)

LD_LIBRARY_PATH is currently set to:
/usr/local/bin/fxpkcs11

Are the required directories specified in the
LD_LIBRARY_PATH? [yes]:
******************************************************************************
CertAgent Installation 7.0.8
Copyright(c) 2020 Information Security Corp. All rights reserved.
******************************************************************************

You are going to install CertAgent 7.0.8.
An HSM is required to be installed. Credentials will be
generated on the HSM during the installation.

The following information is required during the installation process:
 - 64-bit Java 8, 11, or above installation directory
 - 64-bit HSM library, label, and PIN
 - if an existing Oracle, PostgreSQL, or HyperSQL database will be used, 
   the location of the JDBC driver, access URL, user name and password for
   the Oracle, PostgreSQL, or HyperSQL database; otherwise, an HyperSQL
   database will be installed and requires a listening port
 - system hostname or IP address
 - TLS port for the administrator site
 - TLS port for the public site

The following directories must be specified in the LD_LIBRARY_PATH variable:
 - the 64-bit HSM libraries
 - the Oracle Instant Client libraries (if OCI driver will be used)

LD_LIBRARY_PATH is currently set to:
/usr/local/bin/fxpkcs11

Are the required directories specified in the
LD_LIBRARY_PATH? [yes]:
﻿
2
Select the Enter key to confirm that the required directories are specified in the LD_LIBRARY_PATH variable.
3
Scroll through the license agreement and accept it. The first prompt after the license agreement is particularly important. It looks like the following example:
Shell
******************************************************************************
Specifying CertAgent installation type...
******************************************************************************

1) NIAP-compliance:
   - Require Java 8
   - Install Tomcat 8.5.50
   - Create a HyperSQL database server or use an existing PostgreSQL database
   - Generate HSM-based TLS credential

2) Non-NIAP-compliance:
   - Require Java 8, 11, or above
   - Install Tomcat 8.5.50
   - Create a HyperSQL database or use an existing PostgreSQL, Oracle, 
     or HyperSQL database
   - Generate software-based TLS credential

Answer [1]:
******************************************************************************
Specifying CertAgent installation type...
******************************************************************************

1) NIAP-compliance:
   - Require Java 8
   - Install Tomcat 8.5.50
   - Create a HyperSQL database server or use an existing PostgreSQL database
   - Generate HSM-based TLS credential

2) Non-NIAP-compliance:
   - Require Java 8, 11, or above
   - Install Tomcat 8.5.50
   - Create a HyperSQL database or use an existing PostgreSQL, Oracle, 
     or HyperSQL database
   - Generate software-based TLS credential

Answer [1]:
﻿
Make sure to select the first option. You want to install the Tomcat and HyperSQL database server automatically and generate TLS credentials using the HSM.
For all prompts not specifically mentioned here, select the default value.
4
At the following prompt, select option number one.
Shell
******************************************************************************
Specifying database...
******************************************************************************
Which database are you going to use?

  1) I don't have one. Install and configure a HyperSQL 2.4.0 database for me

  2) An existing PostgreSQL database

Answer [1]: 
******************************************************************************
Specifying database...
******************************************************************************
Which database are you going to use?

  1) I don't have one. Install and configure a HyperSQL 2.4.0 database for me

  2) An existing PostgreSQL database

Answer [1]: 
﻿
5
When the installer prompts for the location of the HSM library, provide the full path to the libfxpkcs11.so.
If using an older version of CertAgent (such as CertAgent 6), the installer asks for the HSM label. Leave the field blank and proceed with the rest of the installation.
Shell
******************************************************************************
* Specifying HSM info...
******************************************************************************
A CA account (account name: ca7) and an initial set of credentials will be
automatically generated.
System, root CA, and TLS credentials will be generated on the chosen HSM.

64-bit HSM library: /usr/local/bin/fxpkcs11/libfxpkcs11.so
******************************************************************************
* Specifying HSM info...
******************************************************************************
A CA account (account name: ca7) and an initial set of credentials will be
automatically generated.
System, root CA, and TLS credentials will be generated on the chosen HSM.

64-bit HSM library: /usr/local/bin/fxpkcs11/libfxpkcs11.so
﻿
6
The next prompt displays something similar to the following example:
Shell
One partition found: 
  Label: 10.0.5.223:9100; Slot: 0
Use this partition? [yes]: 
HSM PIN (no echo of input):
One partition found: 
  Label: 10.0.5.223:9100; Slot: 0
Use this partition? [yes]: 
HSM PIN (no echo of input):
﻿
Confirm that you want to use the partition that it found, then enter the password of the HSM identity that is defined in the FXPKCS11 configuration file (fxpkcs11.cfg).
7
Next, CertAgent creates several different keys and certificates on the Vectera Plus. Accept the default values for all prompts.
8
When prompted to enter passwords for several different items, specify a password of your choice for each instance.
If the CertAgent installation completes successfully, output similar to the following example displays:
Shell
******************************************************************************
Summary
******************************************************************************
CertAgent has been installed.
Installation directory: /usr/local/certagent7
 
CertAgent service (isc-certagent7) has been installed.
CertAgent restarts automatically upon system startup.
 
HSQLDB service (isc-certagent7-hsqldb) has been installed.
HSQLDB server restarts automatically upon system startup.

Entering System PIN
===================
An administrator must enter the PIN of the HSM in which the system
credential resided on each time the system is booted.
Run the following command, enter the HSM PIN and press ENTER:
/usr/local/certagent7/certagent.sh setpin

Importing Authorized Users
==========================
Please import the administrator, auditor, and CA operations staff PKCS#12 files:
   /usr/local/certagent7/keystore/ca-admin.p12
   /usr/local/certagent7/keystore/ca-auditor.p12
   /usr/local/certagent7/keystore/ca-operations-staff.p12
and the root certificate file: 
   /usr/local/certagent7/keystore/ca-root.der
into your browser's certificate and trust stores and use
these keys to authenticate yourself to the webserver.
NOTE: AES-256 is used to encrypt your private key during the
installation, the PKCS#12 files generated by the installer
can only be imported to compatible browsers (e.g., Firefox 56+)

Accessing CertAgent Sites
==========================
The following URLs may be used to access CertAgent using
Internet Explorer or other supported browsers.
 
Admin access:
   https://centos6.linuxvmimages.local:8443/certagentadmin/admin/login.jsp
CA Account access:
   https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp
Public access:
   https://centos6.linuxvmimages.local:443/certagent/main.jsp
-----------------------------------------------------------------------------
The above information has been saved to install.log.

Please run the '/usr/local/certagent7/certagent.sh setpin' command to set the system PIN.
EXIT
******************************************************************************
Summary
******************************************************************************
CertAgent has been installed.
Installation directory: /usr/local/certagent7
 
CertAgent service (isc-certagent7) has been installed.
CertAgent restarts automatically upon system startup.
 
HSQLDB service (isc-certagent7-hsqldb) has been installed.
HSQLDB server restarts automatically upon system startup.

Entering System PIN
===================
An administrator must enter the PIN of the HSM in which the system
credential resided on each time the system is booted.
Run the following command, enter the HSM PIN and press ENTER:
/usr/local/certagent7/certagent.sh setpin

Importing Authorized Users
==========================
Please import the administrator, auditor, and CA operations staff PKCS#12 files:
   /usr/local/certagent7/keystore/ca-admin.p12
   /usr/local/certagent7/keystore/ca-auditor.p12
   /usr/local/certagent7/keystore/ca-operations-staff.p12
and the root certificate file: 
   /usr/local/certagent7/keystore/ca-root.der
into your browser's certificate and trust stores and use
these keys to authenticate yourself to the webserver.
NOTE: AES-256 is used to encrypt your private key during the
installation, the PKCS#12 files generated by the installer
can only be imported to compatible browsers (e.g., Firefox 56+)

Accessing CertAgent Sites
==========================
The following URLs may be used to access CertAgent using
Internet Explorer or other supported browsers.
 
Admin access:
   https://centos6.linuxvmimages.local:8443/certagentadmin/admin/login.jsp
CA Account access:
   https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp
Public access:
   https://centos6.linuxvmimages.local:443/certagent/main.jsp
-----------------------------------------------------------------------------
The above information has been saved to install.log.

Please run the '/usr/local/certagent7/certagent.sh setpin' command to set the system PIN.
EXIT
﻿
Post-installation step
1
Run the following command to set the system PIN:
Shell
[centos@centos6 certagent.7.0.8-install]$ sudo /usr/local/certagent7/certagent.sh setpin
Setting system PIN...
Enter CertAgent system PIN (no echo of input):           
01/21/21 14:57:05 EST: System PIN set successfully
[centos@centos6 certagent.7.0.8-install]$ sudo /usr/local/certagent7/certagent.sh setpin
Setting system PIN...
Enter CertAgent system PIN (no echo of input):           
01/21/21 14:57:05 EST: System PIN set successfully
﻿
﻿
Updated 29 Jul 2024
Did this page help you?
Edit the Futurex PKCS #11 configuration file
Verify that the CertAgent keys and certificates exist on the Vectera Plus