The QR-CERT Appliance is a virtual machine image containing an installed and configured QR-CERT Server environment that is fully ready to issue certificates. The configuration of the provided virtual machine allows you to test all the functionality offered by QR-CERT in the Standard version.

Info

The QR-CERT Appliance gives you the opportunity to create your own PKI based on the templates used in the demo version.

The QR-CERT Appliance includes the following modules installed, configured and ready to use:

  • CA-ENGINE:
    • RootCA with a self-signed certificate and a private key stored in SoftHSM.
    • CRL profile and a policy for issuing the full CRL.
    • Certificate profile and a configured policy for issuing certificates for authenticating people.
    • Certificate profile and a configured policy for issuing SSL server certificates.
  • CAO-GATEWAY:
  • CA-PUBLISHER:
    • Service ready to publish the CRL to the local file system.
  • OCSP-SERVER:
    • Service ready to respond to a query about the status of a certificate.
  • TSA-SERVER:
    • Service ready to issue timestamps.


Info

The image file of the QR-CERT Appliance is available for download here.

The QR-CERT Appliance image (in the OVA file format) can be run, among others, on the following virtualization environments:

  • KVM,
  • Oracle VirtualBox,
  • VMware ESXi/Player.


Info

The QR-CERT Appliance is based on the CentOS 7 operating system and the PostgreSQL 9.6 database. A virtual machine newly created from the QR-CERT Appliance image has a fresh installation of the QR-CERT Server software, ready to be used for demonstration or production.


Note

The default password for root in the QR-CERT Appliance is: malkom.

Oracle VirtualBox

After downloading the QR-CERT Appliance image file, import it into Oracle VirtualBox. Once VirtualBox starts, open the File menu and click Import Appliance. A window will appear as in the picture below. In the Appliance to import field, specify the location of the downloaded QR-CERT Appliance image file. In the Appliance Settings list, locate the Network Adapter item and select the network adapter available on your computer.

Figure: Virtual machine import window

 

Then click the Import button and wait for the import of the virtual machine to finish. After a successful import of the QR-CERT Appliance image, start the virtual machine and configure its network adapter to allow network connections to the QR-CERT Appliance server.

Network card configuration

By default, the QR-CERT Appliance system obtains the IP address using DHCP. If the virtual machine runs in a network environment using the DHCP server, the IP address is assigned automatically.

Note

It is recommended to configure a static IP address for the QR-CERT Appliance server.

To assign a static IP address to the QR-CERT Appliance server, run the following commands on the system as root:

# nmcli con mod enp0s3 ipv4.method manual ipv4.addr 10.10.10.1/16
# nmcli con mod enp0s3 ipv4.gateway 10.10.1.1
# systemctl restart network.service

Where:

  • 10.10.10.1/16 – IP address and subnet mask of the QR-CERT Appliance server (enter values appropriate for your network);
  • 10.10.1.1 – gateway server IP address (please provide the right value for your network).

Time zone configuration

CentOS

By default, the QR-CERT Appliance system uses the America/New_York time zone (EST UTC-0500/EDT UTC-0400).

Note

It is recommended to set the time zone appropriate for your country.

To change the operating system time zone of the QR-CERT Appliance, run the following commands on the system as root:

# timedatectl set-timezone Europe/Warsaw
# timedatectl
...
Time zone: Europe/Warsaw (CEST, +0200)
...

The example above shows how to set the Europe/Warsaw time zone. A list of all available time zones can be obtained using:

# timedatectl list-timezones

PostgreSQL

By default, the QR-CERT Appliance database uses the US/Eastern time zone (EST UTC-0500/EDT UTC-0400).

Note

It is recommended to set the database to the same time zone as the operating system.

To change the database time zone of the QR-CERT Appliance, run the following commands on the system as root:

# vi /var/opt/pgsql/data/mca/9.6/postgresql.conf
...
timezone = 'Europe/Warsaw'
log_timezone = 'Europe/Warsaw'
...
 
# systemctl restart pgsql-mca

The example above shows how to set the Europe/Warsaw time zone. A list of all available time zones can be obtained using:

# module load pg/9.6.2
# psql -p 5441 -U postgres
postgres=# SELECT * FROM pg_timezone_names;
               name               | abbrev | utc_offset | is_dst
----------------------------------+--------+------------+--------
...
 Europe/Warsaw                    | CEST   | 02:00:00   | t
...
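
A check for the recommendation above that the database and the operating system use the same time zone, as an added example that is not part of the QR-CERT documentation. The function names and the sample timedatectl and postgresql.conf text are constructed for illustration; zone names are compared literally, so aliases such as America/New_York and US/Eastern are reported as different.

```shell
#!/bin/sh
# Added example (not vendor code): compare the OS time zone with the
# timezone and log_timezone settings in postgresql.conf.

# os_timezone: reads `timedatectl` output on stdin, prints the zone name.
os_timezone() {
    awk '$1 == "Time" && $2 == "zone:" { print $3 }'
}

# pg_setting KEY: reads postgresql.conf text on stdin and prints the
# effective value of KEY. Comments are ignored and the last assignment
# wins. Assumes the "key = value" form and no "#" inside the value.
pg_setting() {
    awk -v key="$1" -v q="'" '
        { sub(/#.*/, "") }
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(q, "", val)
            last = val
        }
        END { print last }'
}

# tz_mismatches OS_TZ CONF_TEXT: prints one "key=value" line for every
# setting that differs from the OS zone; prints nothing when they agree.
tz_mismatches() {
    for key in timezone log_timezone; do
        val=$(printf '%s\n' "$2" | pg_setting "$key")
        [ "$val" = "$1" ] || printf '%s=%s\n' "$key" "${val:-unset}"
    done
}

# Constructed sample input: log_timezone was left at the appliance default.
SAMPLE_TIMEDATECTL='      Local time: Tue 2017-02-21 11:00:05 CET
       Time zone: Europe/Warsaw (CET, +0100)'
SAMPLE_CONF="#timezone = 'GMT'
timezone = 'Europe/Warsaw'      # changed from the default
log_timezone = 'US/Eastern'"

os_tz=$(printf '%s\n' "$SAMPLE_TIMEDATECTL" | os_timezone)
tz_mismatches "$os_tz" "$SAMPLE_CONF"
# On the appliance:
#   tz_mismatches "$(timedatectl | os_timezone)" \
#       "$(cat /var/opt/pgsql/data/mca/9.6/postgresql.conf)"
```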

Working mode selection

The QR-CERT Appliance can be used for both demonstration and production purposes. Depending on the purpose you choose, you need to install a demo setup or install a production instance.

Installation of the demo configuration

If the QR-CERT Appliance is intended for demonstration purposes only, after starting the virtual machine log in to the QR-CERT Appliance system as the root user and execute the following commands:

# su - mca
$ cd /opt/mca/demo
$ ./demo-setup.sh
Home directory: /opt/mca
Shared directory: /var/opt/mca
Backup directory: /var/opt/mca/backup

Warning! All current data and configuration will be replaced with sample data.
Do you want to proceed? [yes/no]: yes
Installing sample configuration...
Backing up current data...
...
OK
Importing sample data...
DROP DATABASE
CREATE DATABASE
OK

Backup file: /var/opt/mca/backup/mca-backup-20170221110005.tar.gz
Done
 
^D (CTRL+D)

# systemctl enable mca.service
# systemctl start mca.service

# ps -fu mca
UID        PID  PPID  C STIME TTY          TIME CMD
mca       2593     1  0 08:33 ?        00:00:00 /opt/mca/bin/logserver -config /opt/mca/etc/mca.conf
mca       2597     1  0 08:33 ?        00:00:05 /opt/mca/bin/ca-engine -config /opt/mca/etc/mca.conf
mca       2598     1  0 08:33 ?        00:00:00 /opt/mca/bin/cao-gateway -config /opt/mca/etc/mca.conf
mca       2599     1  0 08:33 ?        00:00:03 /opt/mca/bin/publisher -config /opt/mca/etc/mca.conf
mca       2638     1  0 08:33 ?        00:00:00 /opt/mca/bin/ocsp -config /opt/mca/etc/mca.conf
mca       2639     1  0 08:33 ?        00:00:00 /opt/mca/bin/tsa -config /opt/mca/etc/mca.conf


Info

Executing the command ps -fu mca is optional and is intended only to verify that the service is running properly. Six services should be started at the time of initial launch.
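
The same verification as a script, as an added example that is not part of the QR-CERT documentation: it reads ps -fu mca output and names any of the six modules from the listing above that is not running as the mca user. The function name and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): confirm that all six QR-CERT modules
# from the listing above are running as user mca.
EXPECTED_MODULES="logserver ca-engine cao-gateway publisher ocsp tsa"

# missing_modules: reads `ps -fu mca` output on stdin and prints the
# expected modules that have no process owned by mca, space separated.
# In `ps -f` output the UID is field 1 and the executable is field 8.
missing_modules() {
    awk -v expected="$EXPECTED_MODULES" '
        BEGIN { n = split(expected, mods, " ") }
        $1 == "mca" {
            for (i = 1; i <= n; i++)
                if ($8 == ("/opt/mca/bin/" mods[i])) seen[mods[i]] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(mods[i] in seen))
                    out = (out == "" ? "" : out " ") mods[i]
            print out
        }'
}

# Constructed sample: the ocsp and tsa processes are absent.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
mca       2593     1  0 08:33 ?        00:00:00 /opt/mca/bin/logserver -config /opt/mca/etc/mca.conf
mca       2597     1  0 08:33 ?        00:00:05 /opt/mca/bin/ca-engine -config /opt/mca/etc/mca.conf
mca       2598     1  0 08:33 ?        00:00:00 /opt/mca/bin/cao-gateway -config /opt/mca/etc/mca.conf
mca       2599     1  0 08:33 ?        00:00:03 /opt/mca/bin/publisher -config /opt/mca/etc/mca.conf'

missing=$(printf '%s\n' "$SAMPLE_PS" | missing_modules)
if [ -n "$missing" ]; then
    echo "not running: $missing"
else
    echo "all six modules running"
fi
# On the appliance: ps -fu mca | missing_modules
```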

You can log in to the prepared demo instance from the QR-CERT Operator client.

Note

When installing the QR-CERT Operator application, it is important to select the QR-CERT Appliance configuration component feature, so that after the installation it is possible to connect to the QR-CERT Appliance server in the VSPACE Administrator and the VSPACE Operator roles.

The OCSP demo service is available at:

http://<hostname>:4542 

The TSA demo service is available at:

http://<hostname>:4552/tsa

Where:

  • <hostname> - The hostname or IP address assigned to the QR-CERT Appliance server.

Installation of the production instance

If the QR-CERT Appliance is intended for production purposes, the following procedures need to be performed:

After completing these procedures, you need to log in to the QR-CERT Appliance system as the root user and execute the following command:

# systemctl enable mca.service

This command ensures that the QR-CERT server modules start automatically when the virtual machine starts.
