EpointSystemInstall

epoint_issuer install procedure - we have set up our test server successfully: http://epoint.vems.hu:8180/letsTest/info (the test server is behind a firewall and is not online 100% of the time)

This is a draft only: notes about EpointSystem, on how to set up the epoint server (e.g. on Linux; MS Windows is not recommended for any security-sensitive task).

Sections:

 

  • EpointSystemIssuerDebian - preparations on Debian
  • EpointSystemIssuerPostgres -
  • EpointSystemIssuerGpg - setting up GNUpg keys and trusts
  • EpointSystemIssuerTomcat - tomcat and apache

 


Debian GNU/Linux (other Linux distributions can be set up similarly)


apt-get install sun-java6-jdk

update-java-alternatives -s java-6-sun

apt-get install maven2

apt-get install postgresql

And, after tomcat and apache2 are installed:
apt-get install libapache2-mod-jk

 

compile redcentSpringBranch:

cd /svn/cc/epoint_issuer/branches/redcentSpringBranch

mvn clean install -Dmaven.test.skip=true

mvn package (not appropriate any longer ?)

BUILD SUCCESSFUL:

redcent-webapp/target/redcent-webapp-0.0.6-spring-SNAPSHOT.war




Anyone who does not compile from source but has been given such a binary can skip the steps above. Of course we do not recommend accepting a binary. It is best to review the source, test it, and compile it yourself.

 


Postgresql setup:

One DB user is enough, but the same user must be used in createdb.sql, and all scripts must be run with -U dbuser.

createuser -P redcentTest

dropdb issuerDB   (first, if an old database exists)

createdb -O redcentTest --encoding utf-8 issuerDB

edit the script (if using a user other than redcentTest), adjust the password and run:

psql -h 127.0.0.1 -p 5432 -U redcentTest issuerDB < /svn/epoint_issuer/issuer/trunk/redcent-database.sql

 

(During the fights with database permissions) we also added:

GRANT SELECT, INSERT, UPDATE ON TABLE balance TO "redcentTest";

GRANT SELECT, INSERT, UPDATE ON TABLE certificate TO "redcentTest";

GRANT SELECT, INSERT, UPDATE ON TABLE certificate_issuingcause_values TO "redcentTest";

GRANT SELECT, INSERT, UPDATE ON TABLE authorizedIssuer TO "redcentTest";

GRANT SELECT, INSERT, UPDATE ON TABLE template TO "redcentTest";

(not sure if it's actually needed). Note the quoting: PostgreSQL folds unquoted identifiers to lower case, so the mixed-case role created by createuser -P redcentTest must be written "redcentTest" in GRANT, while the unquoted table names (authorizedIssuer etc.) only match if the tables were created unquoted too. Grant only what the application needs (no DELETE, no DDL) and check the result with psql -c '\dp' issuerDB.

For the market, also GRANT for these tables and views (!): UserAcc, OCert, document, Draft, Offer, OfferSearch, OfferSearchAvail, OfferSearchAvailNA, e.g.

psql -c 'GRANT SELECT ON TABLE OfferSearch TO "market";' marketDB
psql -c 'GRANT SELECT ON TABLE OfferSearchAvail TO "market";' marketDB
psql -c 'GRANT SELECT ON TABLE OfferSearchAvailNA TO "market";' marketDB


Postgres 8.3.8   JDBC driver  http://repo1.maven.org/maven2/postgresql/postgresql/8.3-603.jdbc3/postgresql-8.3-603.jdbc3.jar


Verify that   redcentTest user can access DB with password:

 

psql -h localhost -p 5432 -U redcentTest issuerDB

 


 

Note: download bouncycastle manually  NOT needed ! mvn downloads it automatically. 

 

 

 


 OBSOLETE! untested JBOSS (not needed if using Tomcat. This is incomplete, we haven't set up JBoss.)

apt-get install jbossas4

Datasource definition redcent-ds.xml (the header comment is left over from the mysql-ds.xml example it was copied from):

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mysql-ds.xml,v 1.3.2.1 2004/12/01 11:46:00 schrouf Exp $ -->
<!-- Datasource config for MySQL using 3.0.9 available from:
http://www.mysql.com/downloads/api-jdbc-stable.html
-->
<datasources>
  <local-tx-datasource>
    <jndi-name>jdbc/redcentSpringTest</jndi-name>
    <connection-url>jdbc:postgresql:redcentSpringTest</connection-url>
    <driver-class>org.postgresql.Driver</driver-class>
    <user-name>redcentTest</user-name>
    <password>test</password>
    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
      <type-mapping>PostgreSQL 8.0</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

Just place it in JBOSS_HOME/server/default/deploy and configure the db name, user and password accordingly.

 
Make sure that the db user you selected in the datasource in /etc/tomcat5.5/server.xml has permissions on the database and its tables.


Publish /pubkey

Also publish (ASCII-armoured) /pubkey.asc if possible. (Current applications might not depend on it, but it cannot hurt to publish it in ASCII format as well.)

NOTE1: <server URL>/pubkey (e.g. http://epoint.vems.hu/letsTest/pubkey ) MUST return the issuer's public key in gpg -a --export ... format, and the

Content-type: text/plain

header is very important (a missing Content-type is not good). Verify with telnet ... GET /letsTest ... and look at the response headers, not only the body.

Copy it to the right directory (sibling of WEB-INF):

drwxr-xr-x  3 tomcat55 users      4096 okt 25 07.36 META-INF
drwxr-xr-x  6 tomcat55 www-data   4096 okt 28 14.41 WEB-INF
-rw-r--r--  1 tomcat55 nogroup    1190 nov 12 18.12 pubkey
-rw-r--r--  1 tomcat55 users       331 okt 25 06.22 welcome.jsp

But this is not enough: Tomcat's default servlet derives the Content-Type from the file extension (the mime-mapping entries in web.xml), and "pubkey" has no extension, so bare-bone Tomcat sends no Content-Type at all. PocketBook is a bit fragile and fails with a NullPointerException if the header is not correct. We could not fix it with bare-bone Tomcat. However, Content-type: text/plain got automagically added after setting up apache + mod_jk properly (most likely Apache 2.2's DefaultType, which defaults to text/plain, filling in the missing header).

In Debian GNU/Linux, after

apt-get install libapache2-mod-jk

execute this (the module comes only half-configured from the Debian package factory :-)

cd /etc/apache2/mods-enabled; ln -s ../mods-available/jk.conf .


tested Tomcat /etc/tomcat5.5/server.xml configuration:

NOTE2: autodeploy does NOT work for the datasource !!! You MUST deploy manually !

<Host name="www.epointsystem.org">
  <Context path="/letsTest" docBase="/home/janis/web/letsTest" debug="5" reloadable="true" >
    <Resource name="jdbc/letsTest" auth="Container"
              type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://127.0.0.1:5432/letsTest"
              username="redcentTest" password="test" maxActive="20" maxIdle="10" maxWait="-1"
    />
  </Context>
</Host>

The database password is in server.xml in clear text, so keep that file readable by the tomcat55 user only, and use something other than "test" outside the test server. debug="5" and reloadable="true" are development settings.

WEB-INF/classes/dataSourceJNDI.properties must contain the resource name:

dataSourceJndiName=comp/env/jdbc/letsTest

 

Without a correct dataSourceJNDI.properties we got a confusing Tomcat error message, something like:

  • Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /home/cell/epoint_tomcat/WEB-INF/classes/logging.properties read)
    • note: the classes directory is world writable, but classes/logging.properties does not exist (it should not be world writable anyway: any local user could drop a class into the webapp)


To run from the command line (recommended, to get the log output on the console):

  • cd /usr/share/tomcat5.5
  • export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.12/jre
  • ./bin/catalina.sh run
     

Apache worker (apache-tomcat integration, incomplete)

apt-get install libapache2-mod-jk
vi /etc/libapache2-mod-jk/workers.properties

workers.tomcat_home=/usr/share/tomcat5.5
workers.java_home=/usr/lib/jvm/java-6-sun
ps=/
worker.list=worker1

worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.connection_pool_size=25
worker.worker1.connection_pool_minsize=13
worker.worker1.lbfactor=1

vi /etc/apache2/sites-enabled/000-default

JkMount /letsTest/* worker1

/etc/init.d/tomcat5.5 restart
/etc/init.d/apache2 restart

The AJP port 8009 (and Tomcat's own 8180) should be reachable only from localhost or from behind the firewall; only apache needs to be exposed.
 


Testing

http://t208.home:8180/letsTest/info

The format of the server documents:

  • follow template (reference to used template included)
  • filled with actual data
  • signed with GnuPG compatible PKI signature (DSA or RSA, according to server setup)

Verify the signature on documents signed by the epoint_issuer server:

Set up GnuPG keys for verification

export the issuer key from the server keyring (the server publishes the same key at <server URL>/pubkey, see NOTE1 above):

gpg -a --export 7E309FBF >epoint_issuer_server.pubkey

gpg --import < epoint_issuer_server.pubkey

7E309FBF is a short (32-bit) key ID; short IDs are not unique, so compare the full fingerprint (gpg --fingerprint 7E309FBF) with one obtained out of band before trusting the key.

verify the signature:

gpg -v < document_from_server

gpg: Signature made Thu Oct 29 08:33:28 2009 CET using DSA key ID 7E309FBF
gpg: Good signature from ....
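The two checks above (NOTE1's /pubkey requirements and the GnuPG verification of a server document) as one added example script. This is not code from the epoint_issuer or PocketBook projects; it assumes only the gpg binary and the Python standard library. The sample /pubkey body is constructed test data, not a real key, and http://issuer.example/letsTest is a placeholder server URL.

```python
"""Added example (not code from the epoint_issuer or PocketBook projects).

It checks the two things the page requires of a server's /pubkey answer
(a Content-type: text/plain header and a body in 'gpg -a --export' format)
and verifies a document signed by the issuer against that key in a
throw-away GnuPG keyring, pinning the full key fingerprint instead of a
short key ID.  verify_document() needs the gpg binary; the sample body
below is constructed test data (not a real key) and
http://issuer.example/letsTest is a placeholder server URL.
"""
import subprocess
import tempfile
import urllib.request

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

# Constructed sample of a correct /pubkey body; the base64 line is filler.
SAMPLE_BODY = (
    ARMOR_BEGIN + "\nVersion: GnuPG v1\n\n"
    "mQGiBEoPlaceholderKeyMaterialNotARealKey\n=abcd\n" + ARMOR_END + "\n"
).encode("ascii")


def check_pubkey_response(content_type, body):
    """Return a list of problems with a /pubkey response; an empty list is OK.

    content_type: value of the Content-Type header, or None if the server sent
    none (the case that makes PocketBook die with a NullPointerException).
    body: raw response bytes.
    """
    problems = []
    if content_type is None:
        problems.append("missing Content-Type header")
    elif content_type.split(";", 1)[0].strip().lower() != "text/plain":
        problems.append("Content-Type is %r, expected text/plain" % content_type)
    text = body.decode("ascii", errors="replace")
    if not (text.lstrip().startswith(ARMOR_BEGIN) and ARMOR_END in text):
        problems.append("body is not an ASCII-armoured key (gpg -a --export format)")
    return problems


def fetch_pubkey(base_url):
    """GET <base_url>/pubkey; returns (Content-Type value or None, body bytes)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/pubkey", timeout=10) as resp:
        return resp.headers.get("Content-Type"), resp.read()


def _gpg(home, args, data=None):
    """Run gpg against a private --homedir so the user's own keyring is untouched."""
    return subprocess.run(["gpg", "--homedir", home, "--batch", "--no-tty"] + args,
                          input=data, capture_output=True, check=False)


def verify_document(pubkey, document, expected_fpr):
    """Import the issuer key into a temporary keyring and verify a signed document.

    expected_fpr is the issuer's full 40-hex-digit fingerprint obtained out of
    band (a short ID like 7E309FBF is not enough: short IDs collide).  Returns
    True only when gpg reports VALIDSIG by that key or one of its subkeys.
    """
    expected_fpr = expected_fpr.replace(" ", "").upper()
    with tempfile.TemporaryDirectory() as home:
        if _gpg(home, ["--import"], pubkey).returncode != 0:
            return False
        listing = _gpg(home, ["--with-colons", "--fingerprint"]).stdout.decode()
        fprs = {ln.split(":")[9] for ln in listing.splitlines() if ln.startswith("fpr:")}
        if expected_fpr not in fprs:
            return False  # the published key is not the one we pinned
        with tempfile.NamedTemporaryFile(dir=home, delete=False) as f:
            f.write(document)
            path = f.name
        status = _gpg(home, ["--status-fd", "1", "--verify", path]).stdout.decode()
        for line in status.splitlines():
            fields = line.split()
            # [GNUPG:] VALIDSIG <signing-key-fpr> ... [<primary-key-fpr>]
            if len(fields) > 2 and fields[:2] == ["[GNUPG:]", "VALIDSIG"] \
                    and expected_fpr in (fields[2], fields[-1]):
                return True
    return False


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://issuer.example/letsTest"
    ctype, body = fetch_pubkey(url)
    for problem in check_pubkey_response(ctype, body) or ["OK"]:
        print(problem)
```

Run it as python3 check_pubkey.py http://epoint.vems.hu/letsTest to see what PocketBook would see; a clean answer prints OK. For a document, call verify_document(pubkey_bytes, document_bytes, "<full fingerprint>") and treat anything but True as a bad signature, including the case where /pubkey serves a different key than the one you pinned.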


Market Install - a raw method to build the classes

Digital Market builds on an earlier (to quote Janis: "deprecated") version of the issuer code. Unfortunately there is no maven pom.xml yet. A way to build it (especially if eclipse neglects some build external jar entries even after delete + re-add)... BTW, this method minimizes security risks (or is that illusory if the java vm and javac are used anyway?):

  • export CLASSPATH=$(find . -iname '*.jar' | tr '\n' ':')   (the entries must be colon separated; a bare find gives newlines, which javac treats as one bogus path)
  • javac $(find . -iname '*.java')
  • zip -r /tmp/market_classes.zip hu de -x '*.svn/*'
  • cd $deploymentdir/WEB-INF/classes
  • unzip /tmp/market_classes.zip

This is a giant hack, but it works. Actually, it also makes sure the tested .jar-s are used: new, unreviewed, untested (possibly broken or otherwise risky) bouncycastle and other jar-s cannot sneak in this way. Neither can bugfixes.

 



Created by: cell. Last Modification: 2010-10-02 (Sat) 14:27:58 CEST by cell.