|
|
Document Name |
KeyScaler 6.7.3 Installation Single Tenant |
---|---|---|
|
Host |
Red Hat Enterprise Linux Server 7.9 |
|
Version |
Published |
|
Date Published |
October 2021 |
|
Classification |
External Document |
|
Author |
Nirmal Misra |
© 2021 Device Authority This document contains proprietary and confidential information of Device Authority and shall not be reproduced or transferred to other documents, disclosed to others, or used for any purpose other than that for which it is furnished, without the prior written consent of Device Authority. It shall be returned to the respective Device Authority companies upon request. The trademark and service marks of Device Authority, including the Device Authority mark and logo, are the exclusive property of Device Authority, and may not be used without permission. All other marks mentioned in this material are the property of their respective owners. |
Table of Contents |
1. Introduction
1.1 Document Version Control
Version |
Description |
Date |
Author |
1.0 |
Initial Document Creation |
20th October 2018 |
Frode Nilsen |
2.0 |
Updated for KS 6.7.0 |
18th Sept 2020 |
Nirmal Misra |
2.1 |
Securing Certs - Best Practice |
7th October |
Nirmal Misra |
2.2 |
Updated for KS 6.7.3 |
October 2021 |
Nirmal Misra |
Item 1 - Document Version Control
1.2 Assumptions
No |
Description |
1 |
Document tested on Redhat7 and CentOS7.X |
Item 2 - Assumptions
1.3 Constraints
No |
Description |
|
|
Item 3- Constraints
1.2 Terms and Definitions
Term |
Meaning |
KMS |
Key Management Store |
DAE |
Device Authority Engine |
CP |
Control Panel |
DDKG |
Dynamic Device Key Generator |
SAC |
Service-Access-Controller |
DA |
Device Authority |
KS |
KeyScaler |
Item 4 - Terms and Definitions
1.3 Related Documentation
Doc # |
Title |
Comment |
[2] |
KeyScaler Installation Prerequisites document |
Item 5 – Related Documentation
2. KeyScaler Installation
2.1. Install Pre-requisites
2.1.1 Verify dfactor service is running
Check to see that the dfactor service is running:
[root@test ~]# service dfactor status DeviceAuthority D-Factor (pid 16535) is running... |
---|
Item 6 – Start dfactor Service
2.1.2 Add Hosts Entries
The following host names will be used by KeyScaler throughout installation. Resolve these by adding entries to /etc/hosts on the server on which KeyScaler is being installed.
[root@ip-172-31-47-94 cert]# vi /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 kms.keyscaler-672-001.com 127.0.0.1 kafka.keyscaler-672-001.com 127.0.0.1 dae.keyscaler-672-001.com 127.0.0.1 queue.keyscaler-672-001.com 127.0.0.1 cp.keyscaler-672-001.com 127.0.0.1 sac.keyscaler-672-001.com |
---|
Item 7 – KeyScaler Server – This domain name keyscaler-6.7 matches the one set when creating the wildcard certificate in the pre-requisite document. Please update this to match your own domain name.
51.132.8.93 wizard.keyscaler-672-001.com 51.132.8.93 tenant.keyscaler-672-001.com 51.132.8.93 master.keyscaler-672-001.com 51.132.8.93 sac.keyscaler-672-001.com |
---|
Item 8 - Your Computer /etc/hosts (replace IP address to match your own environment)
2.2 Installation Wizard
2.2.1 Run the KeyScaler Setup Wizard
https://wizard.keyscaler-672-001.com:8443/
2.2.2 Welcome Page
Start the Wizard by using a browser window to navigate to e.g. https://wizard.keyscaler-672-001.com (replacing organization as appropriate). The Device Authority Setup Wizard is intended to be used in a start-to-finish manner and does not allow you to repeat steps. You may however,` exit the Wizard at any time. Click Next.
2.2.3 Database Configuration
The database details used when creating your database during the installation of MySQL are provided for you.
The database host name must the same as used when granting table permissions in the database configuration step. This was set to "localhost" by the install script.
-
The database port number is set to the default of 3306 which is recommended.
-
The default Database Name is dfactordb
-
The default database username is dfactor_user.
-
The default password is mypassword, change this to the password used in the pre-requisite guide, e.g. !Passw0rd!
note
For ‘Truststore’ configuration - Please refer to APPENDIX XX
For ‘Truststore’ configuration - Please refer to APPENDIX XX
2.2.4 Apache Kafka Configuration
2.2.4.1 Update server.properties
[root@ config]# vi /opt/kafka_2.11-1.0.0/config/server.properties |
---|
Item 12 – Configure Apache Kafka
Update the following line listeners=PLAINTEXT://kafka.keyscaler-672-001.com:9092 to match your domain.
# The address the socket server listens on. It will get the value returned from # java.net.InetAddress.getCanonicalHostName() if not configured. # FORMAT: # listeners=listener_name://host_name:port # EXAMPLE: # listeners=PLAINTEXT://your.host.name:9092 listeners=PLAINTEXT://kafka.keyscaler-672-001.com:9092 |
---|
Item 13 – Update Kafka server.properties. Please ensure that the domain keyscaler-672-001.com is swapped for your own domain name
2.2.4.2 Start Zookeeper as daemon
[root@host ~] /opt/kafka_2.11-1.0.0/bin/zookeeper-server-start.sh -daemon /opt/kafka_2.11-1.0.0/config/zookeeper.properties |
---|
Item 14 – Start Zookeeper as a daemon
2.2.4.3 Start Apache Kafka as daemon
[root@host ~]# /opt/kafka_2.11-1.0.0/bin/kafka-server-start.sh -daemon /opt/kafka_2.11-1.0.0/config/server.properties |
---|
Item 15 – Start Apache Kafka as daemon
Verify that Kafka is running indicated by output shown in Item 17. If there is no output, please ensure that you have correct entry in hosts file (Item 7)
[root@host ~]# ps ax | grep -i 'kafka\.Kafka' |
---|
Item 16 – Check if Kafka is running. If there is no output, it is not running. If there is output (Item 17), kafka is running.
Enter kafka.keyscaler-672-001.com:9092 and click Next
Click on the Check Status button.
If you encounter the error “Oh Snap! Ajax query failed for health check request” please check your /etc/hosts file that you have the correct entry and ensure that Kafka is running: ps ax | grep -i 'kafka\.Kafka'. If Kafka is not running, start it as shown above. |
Once the wizard page shows a success message, Click Next as shown below:
Success! The Apache Kafka is operational and reachable using the remote address specified. Select Next to Proceed. |
2.2.5 KMS Deployment
Enter URL https://kms.keyscaler-672-001.com
note
Note: Enter the protocol https, else you will get a message as shown above in red.
Note: Enter the protocol https, else you will get a message as shown above in red.
2.2.5.1 KeyStore Initialization
No input is needed other than to initialize the KeyStore.
2.2.5.2 KMS Configuration
Values entered elsewhere are displayed for your confirmation. If these are correct, click Next.
note
For ‘Truststore’ Configuration - Please refer to APPENDIX XX
For ‘Truststore’ Configuration - Please refer to APPENDIX XX
2.2.5.3 KMS Deployment
The KMS war file will be deployed in this step and assumes that all the required IP rules have been properly configured as performed by the installer script in the DAE, KMS and CP Installation Prerequisites. Follow the instructions in the Wizard to copy (deploy) the KMS war file to the tomcat webapps directory. Once deployed, click the Check Status button to verify the KMS has deployed successfully.
note
Note: At this stage copy only the KMS.war file, not the other war files, as doing so will break the install procedure.
Note: At this stage copy only the KMS.war file, not the other war files, as doing so will break the install procedure.
[root@ip-172-31-42-166 software]# cd /home/ec2-user/installer/software [root@ip-172-31-42-166 software]# cp kms.war /var/www/tomcat/webapps |
---|
Item 24 – Please note the user may differ from centos in which case you need to swap centos in above path with your own user
The following message indicates success:
Success! The KMS is operational and reachable using the HTTP/s remote address specified. Click Next to Proceed. |
2.2.6 KMS Message Queue Service Deployment
2.2.6.1 Host Information
Please enter the following Message Queue host address, e.g. https://queue.keyscaler-672-001.com, as shown below and click Next.
2.2.6.2 KMS Message Queue Deployment
Deploy the following war file.
[root@ip-172-31-42-166 software]# cd /home/ec2-user/installer/software [root@ip-172-31-42-166 software]# cp kms-uservice.war /var/www/tomcat/webapps |
---|
Item 28 – KeyScaler Server – Deploy KMS.war
Click the Check Status button and you should see a green success message after a couple of seconds.
The following message indicates success:
Success! The message queue is operational and reachable using the HTTP/s remote address specified. Click Next to Proceed. |
2.2.7 Memcached Configuration
The Memcached server address is localhost:11211
2.2.8 Account Creation
The Device Authority IoT Security Platform is a multi-tenant application. You will be creating a Master account and one Tenant account.
2.2.8.1 Master Account Creation
In the Master Account Creation step, you will be defining details about the Master Account. The Master Account allows you to configure and manage system-wide settings and tenant accounts. Make note of the account information used as you'll need it to access the Management Control Panel and register your device.
The Master Tenant Sub-Domain Name will be used as the sub-domain when accessing the Management Control Panel, so choose something simple and easy to type. Common sub-domain names for the Master Account are master, or cp.
2.2.8.2 Tenant Account Creation
The Tenant Account is tied to the application(s) and/or service(s) you are protecting. Make note of the account information used here as well. The Tenant Sub-Domain Name will be used as the sub-domain when accessing the Management Control Panel, so choose something simple and easy to type. For example, you could use devtenant for the Tenant Account sub-domain name.
note
Note: The Master and Tenant email address used for administrator access can be the same.
Note: The Master and Tenant email address used for administrator access can be the same.
2.2.8.3 Download DAE Account Public Keys
In this step, you download your master and tenant public keys. These files (or ones created again in the future) will be used to build your custom DDKG generator packages. Click on the buttons to download the Public Key files. These xml files are not needed at this time. Then click Next to continue.
2.2.9 System License
2.2.9.1 Import System License
If you haven't already downloaded your system license, go to the Device Authority Customer Portal, Product License page and click the Download License button. Transfer the license file to your server.
-
Locate and open the license file using an editor. Copy the contents of the file.
-
Navigate back to the Wizard and paste it into the window provided. Then click Import System License.
If the import is successful, you will automatically proceed to the next step. If the import is unsuccessful, retry the copy/paste and make sure there are no missing nor extra characters copied.
2.2.10 DAE Deployment
2.2.10.1 Host Information
Enter the DAE host address https://dae.keyscaler-672-001.com and click Next
2.2.10.2 Configuration
In CP Host field enter dae.keyscaler-672-001.com
2.2.10.3 Deployment
Copy the DAE (service.war file) to the tomcat webapps directory. Once deployed, click the Check Status button to verify the DAE has deployed successfully, and toggling the log viewer.
[root@ip-172-31-42-166 software]# cd /home/ec2-user/installer/software [root@ip-172-31-42-166 software]# cp service.war /var/www/tomcat/webapps |
---|
Item 42 – Copy service.war file for deployment
The following message indicates success:
Success! The DAE is operational and reachable using the HTTP/s remote address specified. Click Next to Proceed. |
2.2.11 Message Queue Service Deployment
2.2.11.1 Message Queue Host Info
Enter https://queue.keyscaler-672-001.com and click Next
2.2.11.2 Deployment
[root@ip-172-31-42-166 software]# cd /home/ec2-user/installer/software [root@ip-172-31-42-166 software]# cp keyscaler-services.war /var/www/tomcat/webapps |
---|
Item 46 – KeyScaler Server – Copy keyscaler-services.war for deployment
Click Check Status
The following message indicates success:
Success! The message queue is operational and reachable using the HTTP/s remote address specified. Click Next to Proceed. |
2.2.12 CP Deployment
2.2.12.1 Configuration
Enter https://cp.keyscaler-672-001.com and click Next
Enter the values as shown in example below (e.g. CP Application Domain: *.keyscaler-672-001.com) the IP address of server in CP Application Public IP, and click Next
2.2.12.2 Deployment
Publish the cp.war by following the instructions in the Wizard. You'll be copying the file to your web application directory
[root@ip-172-31-42-166 software]# cd /home/ec2-user/installer/software [root@ip-172-31-42-166 software]# cp cp.war /var/www/tomcat/webapps |
---|
Item 51 KeyScaler Server – Copy cp.war for deployment
Once published, use the Wizard to verify the cp.war file has deployed properly by clicking Toggle Log Viewer and then Check Status.
The following message indicates success:
Success! The CP is operational and reachable using the HTTP/s remote address specified. Click Next to Proceed. |
2.2.13 Setup Complete
Make sure you note down the Master Account and Tenant Account Numbers or leave the wizard page open as you will need this info in subsequent sections. |
Next, please proceed with section 4.3 to configure license.
2.3 Configure Licenses
Licenses must be configured for the Master and Tenant Accounts that were created during installation. Licenses are configured using a menu-driven command-line license management tool (na-tool.sh) that is bundled with the DAE. Use the following steps to configure your licenses. Note: The steps outlined in this document must be executed on the server where DAE (service.war) was deployed and must be run as the dfactor_user user.
Below shows an example where there are 15 licenses available, where 5 are allocated for master account and the remaining 10 are allocated for tenant account. Your system will most likely have more than 15 licenses available for use, in which case the numbers you enter below is likely to differ from this example.
[root@ip-172-31-2-31 ec2-user]# su - dfactor_user Last login: Mon Apr 23 10:13:30 UTC 2018 on pts/1 [dfactor_user@ip-172-31-2-31 ~]$
[dfactor_user@ip-172-31-42-166 conf]$ sh /var/www/tomcat/webapps/service/WEB-INF/classes/tools/bin/na-tool.sh
Running in DAE mode! DAE Tool/ =========
Enter choice: [0 - 6] 3 DAE Tool/Manage - DAE Account Licenses/ =======================================
Enter choice: [0 - 4] 1
Enter number of registration seats for Master Account [Available 20]: 1 <PRESS ENTER>
Will attempt to create license with following information: Account Number : 442338917 Licensed Product : DAE Licensed Crypto Module : Yes Licensed Credential Module : Yes License Type : TRIAL License Seat Type : TENANT_DEVICES License Seat Limits : 1 Transaction Verification : Yes Expiration (in days) : 51 Grace Period (in days) : 12
Please review the above information. If the information is correct then confirm to proceed [y/N]: y
<PRESS ENTER>
DAE Tool/Manage - DAE Account Licenses/ =======================================
Enter choice: [0 - 4] 2 Enter Tenant Account Number: Plesase see Item 53 for where to find 624842953
Enter number of registration seats for Tenant Account [Available 19]: 19
<PRESS ENTER>
Will attempt to create license with following information: Account Number : 624842953 Licensed Product : DAE Licensed Crypto Module : Yes Licensed Credential Module : Yes License Type : TRIAL License Seat Type : TENANT_DEVICES License Seat Limits : 19 Transaction Verification : Yes Expiration (in days) : 51 Grace Period (in days) : 12
Please review the above information. If the information is correct then confirm to proceed [y/N]: y
<PRESS ENTER>
DAE Tool/Manage - DAE Account Licenses/ =======================================
Enter choice: [0 - 4] 0 DAE Tool/ =========
Enter choice: [0 - 6] 0 [dfactor_user@ip-172-31-19-187 ~]$ |
---|
Item 55 - Configure License
2.4 Deploy DDKGs
Ensure you have unzip installed
[root@ip]# yum install unzip -y |
---|
Item 56 - Install unzip utility
On the server running the Management Control Panel (CP), create a new directory as shown
[root@ ~]# mkdir /var/dfactor/data/cp-hosted-downloads |
---|
Item 57 - Create new directory
[root@ip-172-31-19-187 software]# cd /home/ec2-user/ [root@ip-172-31-22-127 ec2-user]# chmod +x ddkg_setup.sh [root@ip-172-31-22-127 ec2-user]# ./ddkg_setup.sh <content omitted> Please enter Master Account Id: 454526887 Please enter Tenant Account Id: 145293661 [root@ip-172-31-22-127 ec2-user]# |
---|
Item 58 – Please find the account numbers in Item 53
2.5 CP Access
Note: Master and tenant host name must be resolvable by your DNS. The preferred method is to create DNS entries for each; however, you can also provide access by creating /etc/host entries on the desktop or laptop you'll use to access the CP.
note
Please note: You will need to replace the below domain name (keyscaler-672-001.com) to match your own domain name.
Please note: You will need to replace the below domain name (keyscaler-672-001.com) to match your own domain name.
# localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost
54.186.32.181 master.keyscaler-672-001.com 54.186.32.181 tenant.keyscaler-672-001.com |
---|
Item 59 – Example of /etc/hosts file on your local computer that you will use to access the KeyScaler Control Panel.
2.5.1 Tenant Control Panel
Now you should be able to access CP via https://tenant.keyscaler-672-001.com:8443/cp
2.5.2 Master Control Panel
Login as with the tenant in previous section. https://master.keyscaler-672-001.com:8443/cp/
2.5.3 Post-installation activities
Next, there are some post-installation activities in section 6.2, which are necessary if you want to fully configure your system to handle notifications and configure outgoing emails etc. This can also be done at a later stage.
Next, we will proceed with the installation of the Service Access Controller in section 5, which is required to successfully register devices the KeyScaler System. E.g. a device will never communicate directly to the KeyScaler System, but only the Service Access Controller (SAC), which will take care of relaying the messages to KeyScaler.
|
---|
3 Service Access Controller Installation
3.1 Overview
The Device Authority Service Access Controller (SAC) is a web application that provides an out-of-the-box management service for managed Device Authority Gateway Agents. It has been designed to keep external TCP/IP traffic from ever connecting directly to internal infrastructure, such as the core Device Authority Engine API, or database instances. On a production environment the SAC should be installed on its own server, but it is possible to have the SAC running on the same server as that of the KeyScaler system (See 0)
3.2 Install on Same Server
Install the Service Access Controller on the same server on which the KeyScaler system was installed. Please use the instructions below to install the SAC on the same server used to run KeyScaler. On your KeyScaler server, change the directory to the installer directory in Item 62
3.2.1 Unpack the SAC Zip file
[root@ ~]# cd /home/ec2-user/installer/software |
---|
Item 63 - Change Directory
Unpack the sac.tar.gz file
[root@ ~]# tar -xvzf sac.tar.gz |
---|
Item 64 - Unpack the sac software package
3.2.2 Configure the SAC
Create sac.properties and copy the configuration shown in Item 65Item 90
[root@ip-172-31-22-20 ec2-user]# vi /var/dfactor/conf/sac.properties |
---|
Item 65 – Create sac.properties file with the content shown in Item 64
Add the following content shown in Item 65 the sac.properties file and update the the following values:
-
participantId to be swapped with the Tenant value found in Control Panel Item 66
-
participant.secret to be swapped with the Tenant value found in Control Panel Item 66
-
hostVerificationDomainPublicIP to be swapped with the IP address of your server
deviceAuthenticationService=https://dae.keyscaler-672-001.com multiTenancy=false participantId=4132c7d2-6f21-4c74-ad93-8d5c4a7fcabe participantSecret=65a24097-c97d-42b7-a45c-d09f092e5926 hostVerificationProtocol=https hostVerificationDomain=sac.keyscaler-672-001.com hostVerificationWildcardDomain = hostVerificationDomainPublicIP=18.236.164.27 hostVerificationPort = schedule.orders.new=800000000 schedule.orders.pending=800000000 schedule.orders.revoked=800000000 schedule.orders.renewal=1240000000 schedule.awsiot.new=8640000000 schedule.awsiot.status=8640000000 schedule.mpowners.new=8640000000 |
---|
Item 66 - sac.properties
3.2.3 Deploy service-access-controller.war
[root@ip-172-31-22-20 ~]$ cp service-access-controller.war /var/www/tomcat/webapps/ |
---|
Item 69 – Deploy the service access controller to Tomcat
3.2.4 Restart the KeyScaler DFactor Service
[root@ip-172-31-22-20 ~]$ service dfactor restart |
---|
Item 70 - If the service is not running, start the service
[root@ip-172-31-22-20 ~]$ tail -f /var/www/tomcat/logs/catalina.out |
---|
Item 71 - Tail the catalina.out log file to make sure the service has started successfully. You should see output similar to the following:
The output should look similar to the following output:
Item 72 - Tail the catalina.out log file to make sure the service has started successfully. You should see output similar to the above
3.2.5 Connectivity Test
Test connectivity from your laptop to the SAC by running following curl command from your laptop. A successful connection should return an HTTP 200 Status Code.
frodes-MBP-9:~ fbnilsen$ curl -k https://sac.keyscaler-672-001.com:8443/service-access-controller/health/ping {"requestId":"72be70bc-2d1b-4b43-b77d-aed938816e80","responseTimestamp":1524687633452,"httpCode":200,"statusCode":0,"message":null,"assets":[]} frodes-MBP-9:~ fbnilsen$ |
---|
Item 73 – curl command connectivity test
note
Note: At this point you are done with the KeyScaler Installation and ready to register a device to sanity test the system.
Note: At this point you are done with the KeyScaler Installation and ready to register a device to sanity test the system.
3.3 Install SAC on Standalone Server
3.3.1 Pre-requisites
For a production environment it is recommended that the SAC is installed on a separate server. Please review the following documents to ensure you have met all the necessary hardware and software requirements for the Service Access Controller.
-
https://deviceauthority.zendesk.com/hc/en-us/articles/217078538-KeyScaler-Hardware-Requirements
-
https://deviceauthority.zendesk.com/hc/en-us/articles/217078568
Create a single dedicated Linux server instance and install and/or complete the following prerequisites.
3.3.1.1 Java Runtime Environment (JRE) 1.8
From oracle pages, download Java 8 as follows:
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Item 74 – Java Download
Right click on link in Item 73 and Copy Link Address to clipboard.
[ec2-user@ip-172-31-40-78 ~]$ sudo yum install wget -y |
---|
Item 75 – Install package installer wget
Download Java using the URL copied above.
[ec2-user@ip-172-31-40-78 ~]$ sudo wget --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u191-b12/2787e4a523244c269598db4e85c51e0c/jdk-8u191-linux-x64.rpm |
---|
Item 76 - Get Java license
Install Java:
[ec2-user@ip-172-31-40-78 ~]$ sudo yum localinstall jdk-8u191-linux-x64.rpm |
---|
Item 77 - Install Java
[ec2-user@ip-172-31-26-184 ~]$ java -version java version "1.8.0_191" Java(TM) SE Runtime Environment (build 1.8.0_191-b12) Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode) [ec2-user@ip-172-31-26-184 ~]$ |
---|
Item 78 - Check Java version
3.3.1.2 Apache Tomcat 7
Go to apache tomcat site and right click tar.gz link and Copy Link Address.
[ec2-user@ip-172-31-40-78 ~]$ sudo wget http://www.mirrorservice.org/sites/ftp.apache.org/tomcat/tomcat-8/v8.5.34/bin/apache-tomcat-8.5.34.tar.gz |
---|
Item 80 - Get Apache tomcat software
[ec2-user@ip-172-31-40-78 ~]$ sudo tar -xvzf apache-tomcat-8.5.34.tar.gz |
---|
Item 81 - Install Apache tomcat
3.3.1.3 Communicating over HTTPS
Please see Section 3.3.1 in pre-requisites section
3.3.2 Install Instructions
Please use these instructions to install the SAC on a standalone server. These instructions are to be run as root unless otherwise instructed. For AWS instances, you'll need to issue the command sudo su to gain root access before beginning.
3.3.2.1 Transfer the Service Access Controller Package to Your Server
On your KeyScaler server, locate the installer, e.g. /home/ec2-user/installer/software (see Section - https://deviceauthority.atlassian.net/wiki/spaces/DFACTORDOC/pages/2049376261#2.3.1--Unpack-downloaded-file), locate the sac.tar.gz file and transfer it to your server. This document will assume sac.tar.gz is uploaded to the /home/ec2-user directory
3.3.2.2 Unpack the sac.tar.gz file
Item 82 - KeyScaler Server – Upload the following file to the SAC Server
$ scp -i <keyfile>.pem /Users/fbnilsen/Documents/ks6.2_2018-10-21/keyscaler.software-6.2/sac.tar.gz ec2-user@<SAC HOST>:/home/ec2-user |
---|
Item 83 – Local Computer – Upload the sac.tar.gz file to the SAC server
Unpacking this file will result in service-access-controller.war, which will be deployed shortly.
[root@ip-172-31-40-78 ec2-user]# cd /home/ec2-user [root@ip-172-31-40-78 ec2-user]# tar -xvzf sac.tar.gz service-access-controller.war |
---|
Item 84 - Unpack the SAC software
3.3.2.3 Create Service User
The Service Access Controller runs as an application within the Tomcat web service. To keep configuration consistent, create a service user for running Tomcat.
[root@ip-172-31-40-78 ec2-user]# groupadd tomcat |
---|
Item 85 – Tomcat group
Then create the new service user as a member of that new group:
[root@ip-172-31-40-78 ec2-user]# useradd -s /bin/bash -g tomcat dfactor_user |
---|
Item 86 – add user to tomcat group
3.3.2.4 Create Necessary Directories
There are a few directories that will need to be present to complete the service setup. Note the /var/dfactor directory may exists if a self-signed certificate was created in the KeyScaler Pre-requisites document.
[root@ip-172-31-40-78 ec2-user]# mkdir /var/www [root@ip-172-31-40-78 ec2-user]# mkdir /var/dfactor [root@ip-172-31-40-78 ec2-user]# mkdir /var/dfactor/conf [root@ip-172-31-40-78 ec2-user]# mkdir /var/dfactor/logs |
---|
Item 87 – Create new directories
3.3.2.5 Copy Tomcat to /var/lib
[root@ip-172-31-40-78 ec2-user]# cp -r apache-tomcat-8.5.34 /var/lib/apache-tomcat-8.5.34 |
---|
Item 88 - Copy tomcat software to /var/lib directory
3.3.2.6 Symbolic link
Create a symbolic link in the newly created '/var/www' directory to the Tomcat folder
[root@ip-172-31-40-78 ec2-user]# ln -s /var/lib/apache-tomcat-8.5.34/ /var/www/tomcat |
---|
Item 89 - Create symbolic link
3.3.2.7 Configure Tomcat and Service Access Controller
Create the configuration file that will be read by the Service Access Controller on service Startup. Note this file does not exist yet, so create it as shown next.
[root@ip-172-31-40-78 ec2-user]# vi /var/dfactor/conf/sac.properties |
---|
Item 90 – create sac.properties file
Copy/Paste the following example (Item 91) config into the file and fill out the details appropriate to your environment. For a basic provisioning system, the only properties that you would have to change to get up and running with a basic provisioning system are the bold properties. Use as a guideline for each parameter:
deviceAuthenticationService=https://dae.keyscaler-672-001.com multiTenancy=false participantId=4132c7d2-6f21-4c74-ad93-8d5c4a7fcabe participantSecret=65a24097-c97d-42b7-a45c-d09f092e5926 hostVerificationProtocol=https hostVerificationDomain=sac.keyscaler-672-001.com hostVerificationWildcardDomain = hostVerificationDomainPublicIP=18.236.164.27 hostVerificationPort = schedule.orders.new=800000000 schedule.orders.pending=800000000 schedule.orders.revoked=800000000 schedule.orders.renewal=1240000000 schedule.awsiot.new=8640000000 schedule.awsiot.status=8640000000 schedule.mpowners.new=8640000000 |
---|
Item 91 – sac.properties (relates to step: Item 66)
Item 92 – participantId and participantSecret
3.3.2.8 Install service-access-controller.war into Tomcat
The Service Access Controller application is deployed much like any other Tomcat web application. You can simply copy the .war file into the $TOMCAT_HOME/webapps directory, and it will auto-extract on service start.
[root@ip-172-31-40-78 ec2-user]# cd /home/ec2-user [root@ip-172-31-40-78 ec2-user]# cp service-access-controller.war /var/www/tomcat/webapps |
---|
Item 93 - Copy SAC software to webapps directory
3.3.2.9 Set permissions
Remove write permissions for the core Tomcat directory
[root@ip-172-31-40-78 ec2-user]# chmod -R go-w /var/www/tomcat |
---|
Item 94 - Set Permissions
Change to the Tomcat directory and give ownership of the appropriate sub-directories to the service user that was created in Item 86.
[root@ip-172-31-40-78 ec2-user]# cd /var/www/tomcat [root@ip-172-31-40-78 tomcat]# chown -R dfactor_user:tomcat webapps/ work/ temp/ logs/ conf/ bin/ lib/ [root@ip-172-31-40-78 tomcat]# chown -R dfactor_user:tomcat /var/dfactor |
---|
Item 95 - Change tomcat ownership
3.3.2.10 Configure Tomcat SSL Connector
At this stage, you have an SSL Certificate, and need to configure Tomcat to use it when sending/receiving traffic over SSL/HTTPs. Update the server.xml file to specify the name and location of your p12 file along with the keystore password you supplied when creating the p12 file.
Edit the file /var/www/tomcat/conf/server.xml and add the following connector definition
[root@ip-172-31-4-186 cert]# vi /var/www/tomcat/conf/server.xml |
---|
Item 96 - Edit server.xml file
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" useBodyEncodingForURI="true"
keystoreType="pkcs12" keystoreFile="/var/dfactor/cert/self_sign_certificate.p12" keystorePass="mypassword" /> |
---|
Item 97 - server.xml
[root@ip-172-31-40-78 tomcat]# su - dfactor_user [dfactor_user@ip-172-31-40-78 ~]$ /var/www/tomcat/bin/startup.sh [dfactor_user@ip-172-31-40-78 ~]$ /var/www/tomcat/bin/shutdown.sh [dfactor_user@ip-172-31-40-78 ~]$ tail -f /var/www/tomcat/logs/catalina.out |
---|
Item 98 - ??? why we need to do this?
Item 99 - Monitor logs catalina.out
3.3.3 DNS Entry
note
Note: In order for the SAC to communicate to KeyScaler, the following entry 34.212.224.67 dae.keyscaler-672-001.com must be added to the /etc/hosts entry on the SAC server, where 34.212.224.67 is the IP Address of the KeyScaler system.
Note: In order for the SAC to communicate to KeyScaler, the following entry 34.212.224.67 dae.keyscaler-672-001.com must be added to the /etc/hosts entry on the SAC server, where 34.212.224.67 is the IP Address of the KeyScaler system.
[ec2-user@ip-172-31-40-78 ~]$ cat /etc/hosts |
---|
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
34.212.224.67 dae.keyscaler-672-001.com |
---|
Item 100 - Edit Hosts file
3.3.4 Connectivity Tests
3.3.4.1 Curl from local computer to SAC
Note: The hostname sac.keyscaler-672-001.com in Item 101 needs to be resolvable by either an /etc/hosts entry on your local computer (Item 100) or a public DNS entry. If resolving by /etc/hosts, your hosts file will have the following entry, where 18.236.164.27 is the IP address of the SAC.
18.236.164.27 sac.keyscaler-672-001.com |
---|
Item 101 - Entry Hosts file
frodes-MBP-9:~ fbnilsen$ curl -k https://sac.keyscaler-672-001.com:8443/service-access-controller/health/ping {"requestId":"b8f58d85-41cf-471f-9c5c-ab7f846cf59a","responseTimestamp":1524579718653,"httpCode":200,"statusCode":0,"message":null,"assets":[]} frodes-MBP-9:~ fbnilsen$ |
---|
Item 102 - curl from local Machine to SAC
3.3.4.2 Curl from SAC to KeyScaler
[ec2-user@ip-172-31-40-78 ~]$ curl -k https://dae.keyscaler-672-001.com:8443/service/api/health/ping {"req_id":"2d1e638f-4b1e-4260-b85c-019457a24f72","response_ts":1524580057004,"http_code":200,"status_code":0,"response_data":null} [ec2-user@ip-172-31-40-78 ~]$ |
---|
Item 103 - curl from SAC to KeyScaler System
4 End to End Sanity Tests
End to end sanity test can be performed by installing and registering the Credential Manager Agent with the KeyScaler System.
4.1 Helpful Information
By default, CP access is allowed without device authentication. Instructions on enforcing CP access by device authentication are provided in the Control Panel User Guide.
Different DDKG plugins are used to access the Device Authority CP, your on-prem CP as a Master administrator and your on-prem CP as Tenant administrator. When each plugin is first used by the browser, you must allow the DDKG plugin to run in order to gain access to the CP. For Chrome users, you also need to install the Chrome DDKG Extension. The link will be provided on screen and is also available here.
4.2 Post-Installation Activities
Following the completion of the installation, there are some activities needed to configure your installation. These can be found here in the next sections.
4.2.1 Account Settings
4.2.1.1 General Settings
Change the time zone used to display alerts and data in the CP if desired.
4.2.1.2 Email URIs for PC Devices
On the Account Settings tab, supply the following URIs so administrators will receive well-formed links in the Administrator invite email to send when creating new administrators. The domain portion of the URI will have to be modified to match your environment. In the examples below, the domain for master CP access is master.keyscaler-672-001.com This domain was specified during the installation Wizard.
-
Login URI: https://master.xycorp62.com/cp/login
-
Registration URI: https://master.keyscaler-672-001.com/cp/registerdevice
-
Download URI: https://master.keyscaler-672-001.coml/cp/downloadddkg
4.2.1.3 Manage Notifications
(Optional) Customize the email templates used when sending out email notifications to CP administrators. In addition, you can control who will receive notifications on this page.
4.2.1.4 Configure Outgoing Mail
The Management Control Panel (CP) sends out emails for various notification purposes (invitations for new administrator access, alerts, etc.), and you'll need to set up the SMTP credentials for successful email delivery for both CP alerts and application alerts. To configure email, select Configure Outgoing Mail, and supply the requested parameters. Values appropriate for your installation can usually be obtained from your IT Operations department.
The following parameters are needed:
-
Protocol
-
Mail Server Host
-
Server Port Number
-
From Address
-
TLS
-
User Name
-
Password
4.2.1.2 Manage Administrators
It is a good practice to have at least two administrators authorized to access the CP as Master Admin. Use the Manage Administrators tab to create a new Master CP admin. This feature can also be used to create administrators for your tenant(s) accounts, by selecting the appropriate Organization Name. This step should be done after SMTP has been set up and tested so the new administrators receive an email invitation with their credentials.
4.2.1.3 Tenant Account Setup
Following the installation of your DAE and CP, there are a few housekeeping steps to complete your installation. These functions are all found by accessing your CP tenant and going to the pull-down menu under the tenant name on the CP header.
4.2.1.3.1 Account Settings
URI Setup - for PC Devices
(Optional, and only needed if you are using device authentication for end-user application access.)
4.2.1.3.1.1 URI Setup - for PC Devices
(Optional, and only needed if you are using device authentication for end-user application access.)
On the Account Settings tab, supply the following URIs if email notifications are to be sent out from your application. These settings are needed so end-users will receive well-formed links in the invitations to register their devices. The domain portion of the URI will have to be modified to match your environment. In the examples below, the domain for tenant CP access is https://mytenant.keyscaler-672-001.com . This domain was specified during the installation Wizard.
-
Registration URI: https://mytenant.keyscaler-672-001.com/cp/registerdevic
-
Download URI: https://mytenant.keyscaler-672-001.com/cp/downloadddkg
4.2.1.4 Manage Notifications
When logged into the CP as a tenant admin, the notification templates are used when sending notifications generated by application (end-user or IoT device) access. These can be customized if desired.
In addition, you can control who will receive notifications on this page.
4.3.1.5 Manage Administrators
It is a good practice to have at least two administrators authorized to access the CP as Tenant Admins. Use the Manage Administrators tab to create a new Tenant CP admin. This step should be done after SMTP has been set up and tested so the new administrators receive an email invitation with their credentials.
4.2.1.6 Manage DAE API Settings
To increase the security of your system, you can limit the Extended API calls that will be accepted by your DAE by disabling those API calls not used. While developing your system, it is often useful to enable all extended APIs in your system, and then selectively disable unused APIs prior to deploying your production application.
4.2.2 Other Configuration Customization's
4.2.2.1 Blocking the Wizard from General Access
Once your system is installed, it is desirable to redirect anyone browsing to your KeyScaler server and make sure the Management Control Panel is loaded instead of the Installation Wizard. To do this, edit the file /var/www/tomcat/webapps/ROOT/index.html to contain only the following line:
<meta http-equiv="refresh" content="0;url=/cp/"/> |
---|
4.2.2.2 Installing DFACTOR Tools
We provide a download package called DFACTOR tools which is available from the Software Section of the Customer Portal. This is a collection of useful scripts and programs. Use the instructions Deploying the D-FACTOR Tools to install the DFACTOR tools.
4.2.3 Master Account Setup
These functions are all found by accessing your master tenant and going to the pull-down menu under the tenant name on the CP header.
4.2.4 DAE And CP Configuration
Following the installation of your DAE and CP, there are a few housekeeping steps to complete your installation. These steps are separated by tasks to be performed as Master Account administrator and those to be performed as Tenant Account administrator.
4.2.5 KeyScaler-Securing Certs and Best Practice
The following are some of the best practices for securing certs in an production / operational environment.
4.2.5.1 Securing SAN Certs
The following commands can be executed as root user on the KeyScaler system to:
-
Hide the SAN SSL .pfx cert
-
Move the certs in /var/dfactor/conf
[root@ip-172-31-40-78 ~]$ chown dfactor_user:tomcat /var/dfactor/conf/.xxxcompany.crt [root@ip-172-31-40-78 ~]$ chmod 644 /var/dfactor/conf/.xxxcompany.crt |
---|
Item 104 – Hide SAN SSL certs
4.2.5.2 Keeping only the necessary certificates
It is also best practice to keep only the necessary certificates on the KeyScaler system. This can be achieved by moving the CSR/private.key from the production systems for safe keeping.
[root@ip-172-31-40-78 ~]$ chown user:group <path>.xxprivate.key [root@ip-172-31-40-78 ~]$ chmod 400 <path>.xxprivate.key |
---|
Item 104 – Hide SAN SSL certs
These will be needed during renewal or conversion to .p12/.pfx format.
Also note: certain configuration (*.properties) files may have a custom location. Please use the correct ownership.
4.3 Orientation to your KeyScaler System
This section describes key files, directories, users and commands useful for administering your KeyScaler system.
4.3.1 Database
KeyScaler uses a MySQL database. When the DAE or CP accesses the database, both programs use the database user dfactor_user. In the DAE, KMS and CP Installation Prerequisites, it was recommended that you change the database passwords. Should you need to change these database passwords in the future, please contact customer support for instructions on how to change database passwords as they are stored in encrypted form in KeyScaler configuration files.
Default Database Name |
Database Users |
dfactordb |
root, dfactor_use |
Item 105 - dfactor Database Users
4.3.2 Linux User
The Linux user dfactor_user owns the KeyScaler web applications (DAE, KMS and CP). It is occasionally necessary to run certain KeyScaler programs and tools as the dfactor_user. To do so, use the Linux "su" command as illustrated. Please use the - option to properly set environment variables for the dfactor_user.
$ su - dfactor_user |
---|
Item 106 - Switch user to dfactor_user
4.3.1 Log files
The CP, DAE, KMS and Wizard create log files for normal operational and error messages. Depending on system activity, the DAE and CP log files can grow in size and may need to be periodically removed or archived to another server.
Program |
Logfile Location and Name |
Rotated Logfile Location |
CP |
/var/dfactor/logs/cp.log |
/var/dfactor/logs/older/<yyyy-mm> |
DAE |
/var/dfactor/logs/dae.log |
/var/dfactor/logs/<yyyy-mm> |
KMS |
/var/dfactor/logs/kms.log |
no rotation needed |
NA-Tools |
/var/dfactor/logs/na-tools.log |
no rotation needed |
Install Wizard |
/var/dfactor/logs/wizard.log |
no rotation needed |
Item 107 - KeyScaler Logs Files
To unzip log files that have been rotated and compressed use the gunzip utility. For example: gunzip <filename>
4.3.2 Tomcat
The Tomcat Web application creates its own logs in /var/www/tomcat/logs. The information contained in these logs are generally specific to Tomcat, and not the KeyScaler platform. These log files should be monitored periodically and archived if needed.
Tomcat Location |
Tomcat Logfile Location |
/var/www/tomcat/webapps |
/var/www/tomcat/logs/catalina.out, and others |
Item 108 - Tomcat Log File
4.3.3 Helpful Commands
4.3.3.1 Start KeyScaler
[root]# service dfactor start |
---|
Item 109 – starting the tomcat service
4.3.3.2 Stop KeyScaler
[root]# service dfactor stop |
---|
Item 110 – stopping the tomcat service
4.3.3.3 Check If KeyScaler is running
[root]# service dfactor status |
---|
Item 111 – check status of tomcat service
4.3.3.4 Run NA Tool - used to configure your KeyScaler license
[root]# su - dfactor_user [dfactor_user]# sh /var/www/tomcat/webapps/service/WEB-INF/classes/tools/bin/na-tool.sh |
---|
Item 112 - Run na-tools utility
4.3.3.5 Check to see if KeyScaler is running via Browser
From a browser, issue the following commands from the URL bar. Response will vary but should be similar to what is shown.
https://<url_of_your_keyscaler_server>/service/api/health/ping {"req_id":"cbf6ffea-dbdd-4c82-a96b-7179a8ac1e21","response_ts":1498847206761,"http_code":200,"status_code":0,"response_data":null}
https://<url_of_your_keyscaler_server>/kms/api/health/ping {"req_id":"f89dfd67-c444-4dbf-ad84-4fa27bbd3484","response_ts":1498846769391,"http_code":200,"status_code":10000} |
---|
Item 113 - Ping Connectivity Tests from Browser
4.4 Troubleshooting
4.4.1 Oh Snap! Maximum status check attempts exceeded
Oh Snap! Maximum status check attempts exceeded. Response received: Connection refused (Connection refused). Verify that the HTTP/s remote address entered above is correct and accessible via internal networks, and try again.
4.3.1.1 Fix – Update hosts file
Ensure the bold entry is present in the hosts file.
[root@ip-172-31-42-166 software]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 kms.keyscaler-672-001.com 127.0.0.1 kafka.keyscaler-672-001.com 127.0.0.1 dae.keyscaler-672-001.com 127.0.0.1 queue.keyscaler-672-001.com |
---|
Item 115 - Hosts File
----------------------------End of Document-----------------------