EJBCA - Open Source PKI Certificate Authority
Search ejbca.org for:
PrimeKey Support, Development and Maintenance services

Standalone VA Installation

Building and configuring EJBCA

EJBCA should be configured as for any other installation but you must also set all preferences of the VA database in conf/va-publisher.properties. The VA database is the master database of all standalone VA installations. It is there that EJBCA will publish certificates when they are issued or revoked.

After this configuration EJBCA is built and deployed as usual with the command 'ant deploy', as described in the EJBCA installation guide.

The deploy command sets up a datasource java:/OcspDS in JBoss, if you use another application server you must set up this datasource manually. It should be a datasource that is not involved in transactions (a no-tx-datasource in JBoss), and it should have autocommit (should be default in JBoss).

When EJBCA has been started you have to add a new publisher. As a superadministrator you add this publisher on the "Edit Publishers" page in the Admin GUI. Use publisher type "Validation Authority Publisher".

Validation Authority Settings :

  • 'Data Source' - is the database of the standalone VA where this publisher will publish certificates. Use java:/OcspDS if ocsp-datasource.jndi-name=OcspDS.
  • 'Store certificate at the Validation Authority' - stores the complete certificate on the VA. If this is unchecked only the information needed to answer OCSP requests are stored, but not the certificate itself. There are good reasons not to publish the whole certificate. It is large, thus making it a bit of heavy insert and it may contain sensitive information. On the other hand some OCSP Extension plug-ins may not work without the certificate. A regular OCSP responder works fine without the certificate. A publisher for CA certificates (used on a 'Edit Certificate Authorities' page) must have this enabled.
  • 'Publish only revoked certificates' - If checked only revoked certificate are stored on the VA. The OCSP responder of the VA must have the 'nonexistingisgood' (conf/ocsp.properties) enabled if only revoked certificates are published. A publisher for CA certificates (used on a 'Edit Certificate Authorities' page) must have this disabled.
  • 'Store CRL at the Validation Authority' - should be set if the CRL store service of the VA should be used for a CA (only has a meaning for publishers used on a 'Edit Certificate Authorities' page).

All certificate profiles for certificates that should be available to the OCSP responder should have a reference to this publisher. To configure this you must be a superadministrator.

All CAs that should have their certificates and CRLs published to the VA should have a reference to this publisher. To configure this you must be a superadministrator.

When all settings above have been done, every issued or revoked certificate with a certificate profile that uses the ValidationAuthorityPublisher should be published in the responder database as well as in the EJBCA database. If the publishing is not working it is important to notice this and synchronize the databases again, see Error handling below.

Building and configuring the VA

The VA is configured using the same configuration files as EJBCA. Only the preferences ocsp.*, crlstore.*, certstore.*, httpsserver.* and database.* are relevant to the responder but you may keep conf/*.properties from the EJBCA setup since definitions of other properties does no harm.

Note
Note that the standalone VA uses the configuration options database.* and not the ocsp-database.* options to access the VA database.

Please read description of the configuration properties in conf/ocsp.properties.sample, conf/database.properties.sample, conf/crlstore.properties.sample, conf/certstore.properties.sample and perhaps conf/web.properties.sample (if SSL or different ports should be configured).

For the certificate and CRL store service the sample file should be enough to understand how to set it up. For the OCSP responder service there is separate setup instructions for the Standalone OCSP installation.

The validation authority is built and deployed with: 

ant va-deploy

on the VA server.

*** Responder database ***

The standalone VA database (that OcspDS in EJBCA and EjbcaDS in standalone VA points to) only have to contain the CertificateData and CRLData table. These tables are created automatically by JBoss when it starts on the standalone VA.

The database connection settings on the standalone VA is configured and deployed in JBoss in the file JBOSS_HOME/server/default/deploy/ejbca-ds.xml.

Error handling

If there is an error publishing to the VA database, the VA/OCSP Responder will be out of sync with the CA. It is very important to re-synchronize the databases in that case.

In case of failure to publish to the VA database the following error message will appear in the server log on the EJBCA server: 

Validation Authority ERROR, publishing is not working

This will be followed by more details of the error.

The log must be monitored to discover such a fault and if such a fault is discovered an alarm should notify the operator that he has to fix whatever is wrong and then synchronise the VA database with the EJBCA database (see 'Synchronise the database of the responder').

Synchronise the database of the responder

At the beginning and after failure in publishing to the VA responder, the master database of the publishers must be synchronised with the CertificateData and CRLData table of the database of EJBCA. If you only use OCSP and not CRL store, only the CertificateData table needs to be synchronised.

If there is a single certificate out of sync you can re-sync it by doing a 'Republish' from the admin-GUI.

The following procedure may be used to synchronise the database of EJBCA with the database of the responder:

1. Prevent any further issuing of new certificates and revocation of old certificates until the synchronisation is finished. This might be done by simply blocking the port to the adminweb.
2. On the host of ejbca the following commands can be used to make the synchronisation: Run on the OCSP responder machine (as root user in mysql): 

mysqladmin drop ocsp_db;
mysqladmin create ocsp_db;

This drops and re-creates the ocsp database to clean it. Replace ocsp_db with the database name of your database.
Run on the CA server: 

mysqldump -u ejbca -p --compress ejbca_db CertificateData > CertificateData.dat
mysqldump -u ejbca -p --compress ejbca_db CRLData > CRLData.dat
cat CertificateData.dat | mysql -h ocspresponder ocsp_db
cat CRLData.dat | mysql -h ocspresponder ocsp_db

Replace your the username ejbca with your username. ocspresponder is the external VA/OCSP responder host.

Note
Note, that this can usually not be done from a windows machine, to a Linux machine, because windows is not case sensitive.

3. Check that the publishing is working before allowing issuing and revoking.

Copyright © 2001-2011 EJBCA team. All rights reserved.