Install Axway Server and configure Futurex PKCS #11 Library with Axway VA Server

11min
Perform the following tasks to install and configure the Axway VA server and configure SSL communication for the admin server:
1 | Install the Axway VA Server
Perform the following steps for your operating system to install the Axway VA server:
Install on Windows
Install on Linux
VA Server is no longer installed as an interactive service on Windows. This applies to both the Admin UI service and the Validation Authority Service that is installed as part of VA Server. 
1
Using an Administrators identity, log on to the computer where you plan to install the VA Server 
2
Copy the Validation_Authority_Server_win-x86-64_BNXXX.exe file that you received from Axway Global Support to the Windows system. Where: 
Release Version = 5.1_Install for 5.1 GA 
Release Release Version = 5.1_SP1 for Service Pack 1 
The distributed installation file is digitally signed and checked by the Windows platform before installation.
3
Double-click Validation_Authority_Server_win-x86-64_BNXXX.exe. On the Welcome page, follow the on-screen instructions as you proceed through the installation:
Select [ Next ]  to move forward to the next installation window.
Select [ Back ] to return to the previous installation window.
Select [ Cancel ] to close the installation program without installing any component of the VA Server. 
To install VA Server, re-run the installation program. 
Select [ Next ].
4
On the License Agreement page, select [ Accept ] to accept the license agreement and go to the next page in the installer, or select [ No ] to cancel the installation.  
5
On the Customer Information page, type your User Name, Company Name, and Email Address in the text fields provided. All fields except the email address are required. However, you should provide an email address because the VA administration server uses it to send email notifications. 
6
Select [ Next ].
The Choose Destination Location page displays, showing the default destination folder where VA Server
 components are installed. To select a different destination folder, select [ Browse ] and enter the folder location.
7
Select [ Next ].
8
On the VA Server Information page, enter the following requested information on the hostname, port number, and user for the VA administration server: 
Information
Description
VA server hostname
The hostname identifies the computer. The default hostname is the name of the computer on which you are installing the VA Server.
﻿
VA administration server port number
This port number identifies the port at which the VA administration server listens for HTTPS requests from the browser. If you use a port other than the default (13333), note it for future reference.
﻿
VA administration server user and password
This is the initial user who can log in to the VA administration server. The default user name is admin. If you enter a different name, make a note of it.
After installing and logging into the VA administration server with this user name, enter a new password with the following criteria:
At least eight characters long.
Contains at least one alphabetic character, one number, one special character, one upper-case character, and one lower-case character.
Meets the requirements in the Manage VA administration server users section on page 77 of the Axway Validation Authority Administrator Guide. 
Re-type the password to confirm it.
﻿
9
Select [ Next ] to continue.
10
Select either the option to generate a self-signed certificate or import a PFX or P12 file. 
If you select Generate a Self-Signed Certificate, select [ Next ] and continue to step 11. 
If you select Import PFX / P12 from file, perform the following steps:
Select the file to import from the file selection dialog box and then select [ Open ].
Enter a password to decrypt the file. This password originally protected the PFX file. 
By default, the Encrypt Admin UI Private Key option is selected. If you do not want this option, uncheck the box to disable the password field. 
Enter a password to encrypt the admin server key for the VA Server (see the password notes from step 8). This encryption option, along with the provided password, automatically calls apachepassphrase for an unattended startup. 
Select [ Next ] to continue. 
11
On the Start Copying page, check the current settings to ensure they are as desired. If you need to make any changes to the settings, select [ Back ]. Otherwise, select [ Next ] to continue. 
After the installation finishes, the InstallShield Wizard Complete page displays: The VA Server is successfully installed. You can verify this by using the Admin Server User Interface > Help > About page, which displays the current version.
12
Clear the Launch Administrative Server User Interface checkbox to start the VA administration server at a later time 
13
Select [ Finish ].
The installation program adds the VA Server to your Start menu. 
When you access Control Panel > Administrative Tools > Services, you see Axway Validation Authority and Axway VA Admin included in the list of services. You can access the VA Server admin UI and this document from the Start menu. 
The installation also automatically creates an VA administrative server private key (adminserver.key) and SSL certificate (adminserver.crt) in the \entserv directory. (Example: C:\ProgramData\Axway\VA\entserv in Windows.) 
You are now ready to use the VA administration server to configure, start, and manage the VA Server. 
You do not have to be root to install the VA Server, but non-root users cannot configure the installation to use a port lower than 1024. When installing as root on a port lower than 1024, the system asks whether to run the server in setuid root mode. You need to use this mode to start the server using the admin UI. In this case, the server runs as root, but only during initialization. After the listening sockets are established, the process steps down to that of the invoking user (for example, nobody). 
The distributed installation file is digitally signed by the Axway-generated GPG key and can be verified using the shipped GPG public key prior to installation 
1
Copy the Validation_Authority_Server__linux-x86-64_BN.rpm file that you received from Axway Global Support to the Linux system. Where: 
Release Version = 5.1_Install for 5.1 GA release 
Release Version = 5.1_SP1 for Service Pack 1
This RPM package depends on other RPM packages that are generally available from RHEL RPM repositories. If these packages are not already installed on the system, the installation reports necessary missing packages and fails. If this happens, install the missing packages and install this RPM package again. 
2
Run the following command to extract the files: 
Shell
rpm -U Validation_Authority_Server__linux-x86-64_BN.rpm
rpm -U Validation_Authority_Server__linux-x86-64_BN.rpm
﻿
If a previous version of the RPM is installed on the system, the following command removes the previous version and installs the new version to /opt/va_install/:
/VCeva where Version = 5.1. SPnumber is only applicable for Service Pack releases (example: SP1)
3
Run the following command to change directories to the Validation Authority Server directory: 
Shell
cd /opt/va_install/VCeva
cd /opt/va_install/VCeva
﻿
Do not install under the va_install directory when running the install script. The rpm uninstall command erases the va_install directory. 
4
Run the following command to run the installation script:
Shell
./install_eva
./install_eva
﻿
When prompted, you must select a port under 1024 for the installation and agree to run setuid root to start the server through the admin UI.
5
Enter y (yes) or n (no).
The installation script displays the Axway software licensing agreement and prompts you with the following:
Shell
Do you agree to the above terms? [y/n]
Default: [y]
Do you agree to the above terms? [y/n]
Default: [y]
﻿
6
Select [ Enter ] to accept the software licensing agreement.
The installation script next prompts you for a location to install the VA Server.
Shell
Enter the Validation Authority install directory
Default: [/opt/axway]
Enter the Validation Authority install directory
Default: [/opt/axway]
﻿
7
Press [ Enter ] to accept the default, or enter a location to install the VA Server, then press [ Enter ]. The installation script next prompts you to enter a port number for the VA administration server:
Shell
Enter the port number for the Validation Authority Administration Server [1-65535].
Default: [13333]
Enter the port number for the Validation Authority Administration Server [1-65535].
Default: [13333]
﻿

The VA administration server is the administration component of the Validation Authority. This server, which is installed during the installation process, provides an administration user interface (admin UI) through which you configure and operate the VA validation server. If you choose to use a port other than the default, make a note of it for future reference. This port number identifies the port at which the VA administration server listens and exchanges information to perform configuration operations with the browser using HTTPS requests
8
Select [ Enter ] to accept the default port number for the VA administration server, or enter a different number and press [ Enter ].
The script prompts you for the email address of the server administrator. It displays:
Shell
Enter the email address of the server administrator:
Default: [sysadmin]
Enter the email address of the server administrator:
Default: [sysadmin]
﻿
The VA administration server uses this email address to send informational messages to the server administrator during configuration and administration performed at the VA dialog boxes.
9
Select [ Enter ] to accept this email address, or enter a different address and then select [ Enter ]. The script prompts you for the server hostname:
Shell
Enter the server's hostname (either a DNS name or IP address):
Default: [computer_name.yourdomain.com]
Enter the server's hostname (either a DNS name or IP address):
Default: [computer_name.yourdomain.com]
﻿
Where computer_name is the name of your host computer, and yourdomain is the domain name for your host computer.
The hostname identifies the computer on which you installed the Validation Authority.
10
Select [ Enter ] to accept the default server hostname, or enter a different name and press [ Enter ]. The script prompts you for a user name to run the VA administration server. It displays:
Shell
Enter the username to run the VA and Administration Servers as:
Default: []
Enter the username to run the VA and Administration Servers as:
Default: []
﻿
If you are not installing as root, the default username displayed will be the user ID.
11
Select [ Enter ] to use the default username, or enter a different name and select [ Enter ].
12
The following message displays:
Shell
In order to start the VA via the web interface on a port less than 1024 ves must executre as
setuid root. Do you wish to set this bit?
Default: [y]
In order to start the VA via the web interface on a port less than 1024 ves must executre as
setuid root. Do you wish to set this bit?
Default: [y]
﻿
The name of the VA Server process is ves.
13
If you plan to use a validation port number of 1024 or greater, type n, or accept the default and press [ Enter ]. 
The script prompts you to identify the VA administration server user. This user is the initial user who can log in to the VA administration server. The default user name is admin.
Shell
Please enter the Administration server user id
[admin]:
Please enter the Administration server user id
[admin]:
﻿
14
Select [ Enter ] to use the default VA administration server user name, or enter a different name and select [ Enter ]. 
If you enter a different name, make a note of it. After completing the installation, yoi can log on to the VA administration server by using this user name. 
The system configures the VA administration server user and then prompts for the VA administration server user password. Next, confirm the password entry.
15
Enter and confirm the VA administration server user password.
Shell
Please enter the Administration Server user password:
Please confirm the Administration Server user password:
Please enter the Administration Server user password:
Please confirm the Administration Server user password:
﻿
The password must be at least eight characters long and contain one upper-case, one lower-case, one digit, and one special character.
16
The following message displays:
Shell
Would you like to use an imported certificate, rather than generating a self-signed one, for
the admin server's SSL certificate? [y|n]:
Default: [n]
Would you like to use an imported certificate, rather than generating a self-signed one, for
the admin server's SSL certificate? [y|n]:
Default: [n]
﻿
Either enter n to generate a self-signed certificate, or y to import a PFX / P12 certificate. If you choose n, continue to Step 18. If you choose y, perform the following steps:
(Optional) Enter y to protect the private key. If you select y, a password prompt is displayed when the admin server starts.
Enter the path to the certificate you are importing.
Enter the password to decrypt the file. This password was originally used to protect the PFX file.
At the PEM pass phrase prompt, enter a password to encrypt the admin server key for the admin UI. The system prompts you for this password when the admin server starts. The installation automatically creates a VA administration server private key (adminserver.key) and SSL certificate (adminserver.crt) in the /var/lib/va/entserv directory.
17
The installation process completes and you are prompted to start the admin server.
Shell
Would you like to start the EVA Administration Server [y/n]?
Default: [y]
Would you like to start the EVA Administration Server [y/n]?
Default: [y]
﻿
VA Server successfully installed. You can verify by using the Admin Server User Interface > Help > About page, which displays the current version.
18
Press [ Enter ] to start the VA administration server.
2 | Configure the VA Server
Perform the following tasks to configure the VA Server:
a | Access the VA administration server UI
The admin UI requires an HTTPS server. This server is automatically installed and configured during VA Server installation. You can launch the admin UI automatically as the final step of installation from the desktop icon created during the installation or by accessing it directly from a browser using the VA administration server URL. For a standard connection, the URL is:
https://<hostname>:<port>
Where <hostname> and <port> are the VA Server host name and VA administration server port number you provided during installation (13333 by default).
The VA administration server is, by default, only available using SSL (HTTPS). Operating it using non-SSL (HTTP) disables certificate-based authentication for users.
When the web interface opens for the first time, you see an SSL certificate warning. Bypass this warning and proceed to the login page. Then, perform the following steps:
1
At the Administrative Login prompt, log in with Basic Authentication using the credentials set during installation. 
After you log in, the home page of the admin UI displays.
b | Install the Responder product license
Perform the following steps to install the license:
1
Select the Enter License menu on the left. You will see a blank text area where you can paste in a product license.
2
In the file manager for your system, find the VA Responder Temp license file that was provided by Axway Global Support.
3
Double-click the VA Responder Temp license file name to open it. Then, enter Ctrl+A to select all the text and Ctrl+C to copy to the clipboard.
4
Paste the license information into the blank text area on the Enter License page in the admin UI, and select [ Submit License ].
5
Enter the SAC ID that was provided by Axway Global Support, then select [ Verify License ].
If the submission is successful, the license information is available for your review on the Axway Validation Authority License page. 
6
Select [ Next Step ] after you finish reviewing the information.
c | Bypass optional configurations
Perform the following steps to bypass the optional configurations:
1
On the Import Configuration File page, select [ Skip ].
2
On the Install Custom Extensions page, select [ NO ] and select [ Submit ].
d | Change the server password
To prevent unauthorized access to the VA Server, perform the following steps to change the server password:
1
If you already created a server password, type it into the Enter Current Server Password field. Otherwise, leave the field blank and go to the next step.
2
Type the password you want to use in Enter New Password. 
The password must be at least eight characters long and contain one upper-case letter, one lower-case letter, one digit, and a special character.
3
Verify the new password by typing it into Confirm New Password and select [ Submit ].
4
Select [ Next Step ] to continue with the initial configuration. The Key Type Selection page displays.
Because you are using VA Server with an HSM device conforming to PKCS #11, you must configure VA Server to use the same password that you assigned to the HSM.
e | Create an OCSP and SCVP signing key pair
Because you must generate a public/private key pair for signing OCSP and SCVP responses when operating as a Responder, this key type is assigned as the default.
Perform the following steps to the key pair:
1
Select [ Submit Key Type ].
2
On the Key Generation/Import Mechanism page, perform the following steps:
Select the Generate/Import Hardware Key on custom PKCS11 provider option. 
Set the Vendor as Other.
Enter the location of the Futurex PKCS #11 library.
Select [ Submit Key Generation Technique ].
You can configure the HSM type and PKCS #11 location in a configuration file rather than through the web user interface, but we don't recommend this. To do so, refer to the following information:
The valicert.ini file contains hardware signing device parameters for configuring an HSM for integration with VA, defined in the following table. These parameters are set automatically when VA Server detects an installed device.
ini file [pkcs11] Parameter 
Type
Description
pkcs11DeviceEnable= 
boolean
Enables PKCS11 device processing if set to 1.
pkcs11LibraryPath= "path"
string
Defines the path to the library used by the PKCS11 device. This only needs to be provided if the path differs from that defined by the device.
pkcs11SlotId= (-1=autosense, 1=ncipher using CAPI)
integer
Slot number of the PKCS11 device token.
pkcs11VendorID= (-1=autosense, 0=generic, 1=SafeNet, 2=nCipher, 3=AEP, 5=CAPI)
integer
Specifies PKCS11 (hardware signing) vendor
Set the pkcs11SlotId parameter to -1 (autosense) and the pkcs11VendorID parameter to 0 (generic). Soon, a pkcs11VendorID value specifically for Futurex will be available, but this is still in the works.
As a reminder, we strongly recommend you use the user interface to define these parameters, so only define them manually in the valicert.ini file if absolutely necessary.
For this integration, select Generate new private key so that Axway VA creates a key pair on the HSM with the key attributes that it requires.
3
Fill in all of the required information, and select [ Submit ].
In the User PIN field you must specify the password of the HSM Identity configured in the Futurex PKCS #11 (FXPKCS11) configuration file.
All of the Certificate Options should be left set to their default values.
If Axway VA successfully created the OCSP/SCVP Response Signing key on the HSM, you see the following message:
Self signed certificate for Default OCSP/SCVP Response Signing was created successfully.
You can use Excrypt Manager to view the two keys that Axway VA created in the Key Storage Table. One of them is a private key, and the other is a public key.
You can also view the keys by using FXCLI or PKCS11Manager, which comes packaged with the  PKCS #11 (FXPKCS11) installation.
3 | Configure SSL communication for the admin server
Before performing any configurations in the Axway VA admin UI, complete the following tasks directly on the HSM by using FXCLI:
Generate a key pair
Export a signing request (CSR)
Sign the CSR with a test CA
After you complete these steps, perform the remaining configurations in this section on the machine running Axway VA.
a  | Configure FXCLI
Perform the following steps to configure FXCLI:
1
Run the HSM CLI program.
2
Set the TLS configuration to Anonymous by using the following command:
Shell
tls config --anonymous=true
tls config --anonymous=true
﻿
Anonymous TLS helps simplify the demonstration. We don't recommend using Anonymous in a production setting. If you choose to connect to the HSM anonymously, you must enable the Anonymous setting for the HSM production port.
3
Connect to the HSM through TCP.
Shell
connect tcp -c 10.0.5.223:9100
connect tcp -c 10.0.5.223:9100
﻿
4
Log in with the default admin identities. You must run this twice to log in with both Admin identities.
Shell
Text
Login user
Login user
﻿
5
Create a new key pair in the next available slot on the HSM.
Shell
generate --algo RSA --bits 2048 --name AxwaySslKeyPair --slot next --usage mak
generate --algo RSA --bits 2048 --name AxwaySslKeyPair --slot next --usage mak
﻿
6
Add a PKCS #11 label to the private key.
Shell
keytable extdata --slot 2 --p11-attr label --p11-value "AxwaySslForAdminServer"
keytable extdata --slot 2 --p11-attr label --p11-value "AxwaySslForAdminServer"
﻿
The generate command in step 5 set AxwaySslKeyPair as the HSM label for the key pair. However, Axway VA cannot find the key using the HSM label. It must find it by using a PKCS #11 label. That is why you must run the preceding keytable extdata command, which sets the PKCS #11 label in a separate field from where the HSM label is set.
7
Generate a certificate signing request (CSR).
Shell
x509 req --private-slot AxwaySslKeyPair --out AxwaySslCSR.pem --dn 'O=Futurex\CN=AxwaySslForAdminServer'
x509 req --private-slot AxwaySslKeyPair --out AxwaySslCSR.pem --dn 'O=Futurex\CN=AxwaySslForAdminServer'
﻿
8
Sign the CSR with a certificate authority (CA) certificate.
Shell
x509 sign --private-slot 2 --issuer C:\Futurex\sandbox\AxwayTlsCa.pem --csr C:\Futurex\sandbox\AxwaySslCSR.pem --eku Server --key-usage DigitalSignature --key-usage KeyAgreement --ca false --dn 'O=Futurex\CN=AxwaySignedSslForAdminServer' --out C:\Futurex\sandbox\AxwaySignedSsl.pem
x509 sign --private-slot 2 --issuer C:\Futurex\sandbox\AxwayTlsCa.pem --csr C:\Futurex\sandbox\AxwaySslCSR.pem --eku Server --key-usage DigitalSignature --key-usage KeyAgreement --ca false --dn 'O=Futurex\CN=AxwaySignedSslForAdminServer' --out C:\Futurex\sandbox\AxwaySignedSsl.pem
﻿
You also created the CA certificate that you used to sign the Axway VA certificate by using FXCLI.
Go to the next task to import this signed certificate in the Axway VA admin UI.
b | Configure Axway VA
Perform the following steps to configure Axway VA:
1
On the machine where you installed the Axway VA server, install the CA that signed the certificate we are importing in the Trusted Root Certificate Authorities store for Windows, or your browser's equivalent store.
2
Log in to the VA admin UI.
3
Go to the Create/Import Private Key menu, select SSL Communication For Admin Server, and select [ Submit Key Type ].
4
For the key generation/import mechanism, select Hardware Key Generation/Import using Other, and select [ Submit Key Generation Technique ].
5
Select Import previously generated private key, and select [ Submit Key Generation Or Import ].
6
Fill in all of the PKCS11 Token Information fields, paste in the PEM/BASE64 Certificate that you signed in the previous section, and select [ Submit Hardware Key to Import ].
In the Friendly Key Name field, set the value to the PKCS #11 label of the key. Also, the Slot ID field must be set to Auto Sense. If these two fields are not set correctly, Axway VA cannot find the private key associated with the signed certificate on the HSM.
If the certificate import is successful, you see the following message:
SUCCESS!
Certificate for SSL Communication For Admin Server was imported successfully.
7
Start a command prompt as administrator and call apachepassphrase.
Shell
apachepassphrase -set "<VA Server password>"
apachepassphrase -set "<VA Server password>"
﻿
This sets the password in the registry. The Apache HTTP server automatically reads it from there by using apachepassphrase during startup.
8
Restart the Axway VA Admin service in the Service Control Panel for changes to take effect.
﻿
ini file [pkcs11] Parameter	Type	Description
pkcs11DeviceEnable=	boolean	Enables PKCS11 device processing if set to 1.
pkcs11LibraryPath= "path"	string	Defines the path to the library used by the PKCS11 device. This only needs to be provided if the path differs from that defined by the device.
pkcs11SlotId= (-1=autosense, 1=ncipher using CAPI)	integer	Slot number of the PKCS11 device token.
pkcs11VendorID= (-1=autosense, 0=generic, 1=SafeNet, 2=nCipher, 3=AEP, 5=CAPI)	integer	Specifies PKCS11 (hardware signing) vendor
Updated 22 Aug 2024
Did this page help you?
Edit the Futurex PKCS #11 configuration file
Test CRL signing