Install Axway Server and configure Futurex PKCS #11 Library with Axway VA Server

perform the following tasks to install and configure the axway va server and configure ssl communication for the admin server 1 | install the axway va server perform the following steps for your operating system to install the axway va server va server is no longer installed as an interactive service on windows this applies to both the admin ui service and the validation authority service that is installed as part of va server using an administrators identity, log on to the computer where you plan to install the va server copy the validation authority server win x86 64 bnxxx exe file that you received from axway global support to the windows system where release version = 5 1 install for 5 1 ga release release version = 5 1 sp1 for service pack 1 the distributed installation file is digitally signed and checked by the windows platform before installation double click validation authority server win x86 64 bnxxx exe on the welcome page, follow the on screen instructions as you proceed through the installation select \[ next ] to move forward to the next installation window select \[ back ] to return to the previous installation window select \[ cancel ] to close the installation program without installing any component of the va server to install va server, re run the installation program select \[ next ] on the license agreement page, select \[ accept ] to accept the license agreement and go to the next page in the installer, or select \[ no ] to cancel the installation on the customer information page, type your user name , company name , and email address in the text fields provided all fields except the email address are required however, you should provide an email address because the va administration server uses it to send email notifications select \[ next ] the choose destination location page displays, showing the default destination folder where va server components are installed to select a different destination folder, select \[ browse ] and enter the folder location select \[ next ] on the va server information page, enter the following requested information on the hostname, port number, and user for the va administration server information description va server hostname the hostname identifies the computer the default hostname is the name of the computer on which you are installing the va server va administration server port number this port number identifies the port at which the va administration server listens for https requests from the browser if you use a port other than the default ( 13333 ), note it for future reference va administration server user and password this is the initial user who can log in to the va administration server the default user name is admin if you enter a different name, make a note of it after installing and logging into the va administration server with this user name, enter a new password with the following criteria at least eight characters long contains at least one alphabetic character, one number, one special character, one upper case character, and one lower case character meets the requirements in the manage va administration server users section on page 77 of the axway validation authority administrator guide re type the password to confirm it select \[ next ] to continue select either the option to generate a self signed certificate or import a pfx or p12 file if you select generate a self signed certificate , select \[ next ] and continue to step 11 if you select import pfx / p12 from file , perform the following steps select the file to import from the file selection dialog box and then select \[ open ] enter a password to decrypt the file this password originally protected the pfx file by default, the encrypt admin ui private key option is selected if you do not want this option, uncheck the box to disable the password field enter a password to encrypt the admin server key for the va server (see the password notes from step 8) this encryption option, along with the provided password, automatically calls apachepassphrase for an unattended startup select \[ next ] to continue on the start copying page, check the current settings to ensure they are as desired if you need to make any changes to the settings, select \[ back ] otherwise, select \[ next ] to continue after the installation finishes, the installshield wizard complete page displays the va server is successfully installed you can verify this by using the admin server user interface > help > about page , which displays the current version clear the launch administrative server user interface checkbox to start the va administration server at a later time select \[ finish ] the installation program adds the va server to your start menu when you access control panel > administrative tools > services , you see axway validation authority and axway va admin included in the list of services you can access the va server admin ui and this document from the start menu the installation also automatically creates an va administrative server private key ( adminserver key ) and ssl certificate ( adminserver crt ) in the \entserv directory (example c \programdata\axway\va\entserv in windows ) you are now ready to use the va administration server to configure, start, and manage the va server you do not have to be root to install the va server, but non root users cannot configure the installation to use a port lower than 1024 when installing as root on a port lower than 1024 , the system asks whether to run the server in setuid root mode you need to use this mode to start the server using the admin ui in this case, the server runs as root, but only during initialization after the listening sockets are established, the process steps down to that of the invoking user (for example, nobody ) the distributed installation file is digitally signed by the axway generated gpg key and can be verified using the shipped gpg public key prior to installation copy the validation authority server linux x86 64 bn rpm file that you received from axway global support to the linux system where release version = 5 1 install for 5 1 ga release release version = 5 1 sp1 for service pack 1 this rpm package depends on other rpm packages that are generally available from rhel rpm repositories if these packages are not already installed on the system, the installation reports necessary missing packages and fails if this happens, install the missing packages and install this rpm package again run the following command to extract the files shell rpm u validation authority server linux x86 64 bn rpm if a previous version of the rpm is installed on the system, the following command removes the previous version and installs the new version to /opt/va install/ /vceva where version = 5 1 spnumber is only applicable for service pack releases (example sp1) run the following command to change directories to the validation authority server directory cd /opt/va install/vceva do not install under the va install directory when running the install script the rpm uninstall command erases the va install directory run the following command to run the installation script /install eva when prompted, you must select a port under 1024 for the installation and agree to run setuid root to start the server through the admin ui enter y (yes) or n (no) the installation script displays the axway software licensing agreement and prompts you with the following do you agree to the above terms? \[y/n] default \[y] select \[ enter ] to accept the software licensing agreement the installation script next prompts you for a location to install the va server enter the validation authority install directory default \[/opt/axway] press \[ enter ] to accept the default, or enter a location to install the va server, then press \[ enter ] the installation script next prompts you to enter a port number for the va administration server enter the port number for the validation authority administration server \[1 65535] default \[13333] the va administration server is the administration component of the validation authority this server, which is installed during the installation process, provides an administration user interface (admin ui) through which you configure and operate the va validation server if you choose to use a port other than the default, make a note of it for future reference this port number identifies the port at which the va administration server listens and exchanges information to perform configuration operations with the browser using https requests select \[ enter ] to accept the default port number for the va administration server, or enter a different number and press \[ enter ] the script prompts you for the email address of the server administrator it displays enter the email address of the server administrator default \[sysadmin] the va administration server uses this email address to send informational messages to the server administrator during configuration and administration performed at the va dialog boxes select \[ enter ] to accept this email address, or enter a different address and then select \[ enter ] the script prompts you for the server hostname enter the server's hostname (either a dns name or ip address) default \[computer name yourdomain com] where computer name is the name of your host computer, and yourdomain is the domain name for your host computer the hostname identifies the computer on which you installed the validation authority select \[ enter ] to accept the default server hostname, or enter a different name and press \[ enter ] the script prompts you for a user name to run the va administration server it displays enter the username to run the va and administration servers as default \[] if you are not installing as root, the default username displayed will be the user id select \[ enter ] to use the default username, or enter a different name and select \[ enter ] the following message displays in order to start the va via the web interface on a port less than 1024 ves must executre as setuid root do you wish to set this bit? default \[y] the name of the va server process is ves if you plan to use a validation port number of 1024 or greater, type n , or accept the default and press \[ enter ] the script prompts you to identify the va administration server user this user is the initial user who can log in to the va administration server the default user name is admin please enter the administration server user id \[admin] select \[ enter ] to use the default va administration server user name, or enter a different name and select \[ enter ] if you enter a different name, make a note of it after completing the installation, yoi can log on to the va administration server by using this user name the system configures the va administration server user and then prompts for the va administration server user password next, confirm the password entry enter and confirm the va administration server user password please enter the administration server user password please confirm the administration server user password the password must be at least eight characters long and contain one upper case, one lower case, one digit, and one special character the following message displays would you like to use an imported certificate, rather than generating a self signed one, for the admin server's ssl certificate? \[y|n] default \[n] either enter n to generate a self signed certificate, or y to import a pfx / p12 certificate if you choose n , continue to step 18 if you choose y , perform the following steps (optional) enter y to protect the private key if you select y , a password prompt is displayed when the admin server starts enter the path to the certificate you are importing enter the password to decrypt the file this password was originally used to protect the pfx file at the pem pass phrase prompt, enter a password to encrypt the admin server key for the admin ui the system prompts you for this password when the admin server starts the installation automatically creates a va administration server private key ( adminserver key ) and ssl certificate ( adminserver crt ) in the /var/lib/va/entserv directory the installation process completes and you are prompted to start the admin server would you like to start the eva administration server \[y/n]? default \[y] va server successfully installed you can verify by using the admin server user interface > help > about page, which displays the current version press \[ enter ] to start the va administration server 2 | configure the va server perform the following tasks to configure the va server a | access the va administration server ui the admin ui requires an https server this server is automatically installed and configured during va server installation you can launch the admin ui automatically as the final step of installation from the desktop icon created during the installation or by accessing it directly from a browser using the va administration server url for a standard connection, the url is https //\<hostname> \<port> where \<hostname> and \<port> are the va server host name and va administration server port number you provided during installation ( 13333 by default) the va administration server is, by default, only available using ssl (https) operating it using non ssl (http) disables certificate based authentication for users when the web interface opens for the first time, you see an ssl certificate warning bypass this warning and proceed to the login page then, perform the following steps at the administrative login prompt, log in with basic authentication using the credentials set during installation after you log in, the home page of the admin ui displays b | install the responder product license perform the following steps to install the license select the enter license menu on the left you will see a blank text area where you can paste in a product license in the file manager for your system, find the va responder temp license file that was provided by axway global support double click the va responder temp license file name to open it then, enter ctrl+a to select all the text and ctrl+c to copy to the clipboard paste the license information into the blank text area on the enter license page in the admin ui, and select \[ submit license ] enter the sac id that was provided by axway global support, then select \[ verify license ] if the submission is successful, the license information is available for your review on the axway validation authority license page select \[ next step ] after you finish reviewing the information c | bypass optional configurations perform the following steps to bypass the optional configurations on the import configuration file page, select \[ skip ] on the install custom extensions page, select \[ no ] and select \[ submit ] d | change the server password to prevent unauthorized access to the va server, perform the following steps to change the server password if you already created a server password, type it into the enter current server password field otherwise, leave the field blank and go to the next step type the password you want to use in enter new password the password must be at least eight characters long and contain one upper case letter, one lower case letter, one digit, and a special character verify the new password by typing it into confirm new password and select \[ submit ] select \[ next step ] to continue with the initial configuration the key type selection page displays because you are using va server with an hsm device conforming to pkcs #11, you must configure va server to use the same password that you assigned to the hsm e | create an ocsp and scvp signing key pair because you must generate a public/private key pair for signing ocsp and scvp responses when operating as a responder, this key type is assigned as the default perform the following steps to the key pair select \[ submit key type ] on the key generation/import mechanism page, perform the following steps select the generate/import hardware key on custom pkcs11 provider option set the vendor as other enter the location of the futurex pkcs #11 library select \[ submit key generation technique ] you can configure the hsm type and pkcs #11 location in a configuration file rather than through the web user interface, but we don't recommend this to do so, refer to the following information the valicert ini file contains hardware signing device parameters for configuring an hsm for integration with va, defined in the following table these parameters are set automatically when va server detects an installed device ini file \[pkcs11] parameter type description pkcs11deviceenable= boolean enables pkcs11 device processing if set to 1 pkcs11librarypath= "path" string defines the path to the library used by the pkcs11 device this only needs to be provided if the path differs from that defined by the device pkcs11slotid= ( 1=autosense, 1=ncipher using capi) integer slot number of the pkcs11 device token pkcs11vendorid= ( 1=autosense, 0=generic, 1=safenet, 2=ncipher, 3=aep, 5=capi) integer specifies pkcs11 (hardware signing) vendor set the pkcs11slotid parameter to 1 (autosense) and the pkcs11vendorid parameter to 0 (generic) soon, a pkcs11vendorid value specifically for futurex will be available, but this is still in the works as a reminder, we strongly recommend you use the user interface to define these parameters, so only define them manually in the valicert ini file if absolutely necessary for this integration, select generate new private key so that axway va creates a key pair on the hsm with the key attributes that it requires fill in all of the required information, and select \[ submit ] in the user pin field you must specify the password of the hsm identity configured in the futurex pkcs #11 ( fxpkcs11 ) configuration file all of the certificate options should be left set to their default values if axway va successfully created the ocsp/scvp response signing key on the hsm, you see the following message self signed certificate for default ocsp/scvp response signing was created successfully you can use excrypt manager to view the two keys that axway va created in the key storage table one of them is a private key, and the other is a public key you can also view the keys by using fxcli or pkcs11manager , which comes packaged with the {{futurex}} pkcs #11 (fxpkcs11) installation 3 | configure ssl communication for the admin server before performing any configurations in the axway va admin ui, complete the following tasks directly on the hsm by using fxcli generate a key pair export a signing request (csr) sign the csr with a test ca after you complete these steps, perform the remaining configurations in this section on the machine running axway va a | configure fxcli perform the following steps to configure fxcli run the hsm cli program set the tls configuration to anonymous by using the following command tls config anonymous=true anonymous tls helps simplify the demonstration we don't recommend using anonymous in a production setting if you choose to connect to the hsm anonymously, you must enable the anonymous setting for the hsm production port connect to the hsm through tcp connect tcp c 10 0 5 223 9100 log in with the default admin identities you must run this twice to log in with both admin identities login userlogin user create a new key pair in the next available slot on the hsm generate algo rsa bits 2048 name axwaysslkeypair slot next usage mak add a pkcs #11 label to the private key keytable extdata slot 2 p11 attr label p11 value "axwaysslforadminserver" the generate command in step 5 set axwaysslkeypair as the hsm label for the key pair however, axway va cannot find the key using the hsm label it must find it by using a pkcs #11 label that is why you must run the preceding keytable extdata command, which sets the pkcs #11 label in a separate field from where the hsm label is set generate a certificate signing request (csr) x509 req private slot axwaysslkeypair out axwaysslcsr pem dn 'o=futurex\cn=axwaysslforadminserver' sign the csr with a certificate authority (ca) certificate x509 sign private slot 2 issuer c \futurex\sandbox\axwaytlsca pem csr c \futurex\sandbox\axwaysslcsr pem eku server key usage digitalsignature key usage keyagreement ca false dn 'o=futurex\cn=axwaysignedsslforadminserver' out c \futurex\sandbox\axwaysignedssl pem you also created the ca certificate that you used to sign the axway va certificate by using fxcli go to the next task to import this signed certificate in the axway va admin ui b | configure axway va perform the following steps to configure axway va on the machine where you installed the axway va server, install the ca that signed the certificate we are importing in the trusted root certificate authorities store for windows, or your browser's equivalent store log in to the va admin ui go to the create/import private key menu, select ssl communication for admin server , and select \[ submit key type ] for the key generation/import mechanism, select hardware key generation/import using other , and select \[ submit key generation technique ] select import previously generated private key , and select \[ submit key generation or import ] fill in all of the pkcs11 token information fields, paste in the pem/base64 certificate that you signed in the previous section, and select \[ submit hardware key to import ] in the friendly key name field, set the value to the pkcs #11 label of the key also, the slot id field must be set to auto sense if these two fields are not set correctly, axway va cannot find the private key associated with the signed certificate on the hsm if the certificate import is successful, you see the following message success! certificate for ssl communication for admin server was imported successfully start a command prompt as administrator and call apachepassphrase apachepassphrase set "\<va server password>" this sets the password in the registry the apache http server automatically reads it from there by using apachepassphrase during startup restart the axway va admin service in the service control panel for changes to take effect