Deploy the Entrust Timestamping Authority

The TSA can be deployed as a stand-alone product, as well as part of the Entrust PKI Hub. This integration deploys and operates the TSA as a stand-alone virtual machine on VMware vSphere.

Deploy the Entrust Deployment Manager

  1. Create an Entrust Deployment Manager (EDM) virtual machine on VMware vSphere. The ISO image is available in the Software Downloads tab at Entrust Deployment Manager. Follow the instructions in the Entrust Deployment Manager 2.0.2 - Installation and Administration Guide available in the Documents tab.

  2. Configure the Entrust Deployment Manager (EDM) per section Configuring the operating system.

  3. Continue with section Starting up Entrust Deployment Manager. For this integration, the EDM was configured as follows.

    • A single node cluster was deployed. The operation takes several minutes to execute.

      [sysadmin@timestamping-auth-edm ~]$ sudo clusterctl install --mode single-node
      [sudo] password for sysadmin:
      Installing  done ╢▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌╟ 100 %

    • The default TLS certificate was kept.

    • Both Management Console and Grafana default passwords were changed.

Deploy the Entrust Timestamping Authority

Two methods are available to deploy the TSA: through the Management console, and with the clusterctl command-line tool provided by the EDM. We utilized the clusterctl command-line tool in this integration.

  1. Download the TSA files to the EDM virtual machine created above. The ISO image, CLI, and configuration file example are available in the Software Downloads tab at Entrust Timestamping Authority. Follow the instructions in the Entrust Timestamping Authority 2.1 Deployment Guide available in the Documents tab.

    Example of downloaded software before installation:

    [sysadmin@timestamping-auth-edm ~]$ ls -al /usr/local/bin
    total 48
    drwxr-xr-x.  2 root     root  4096 May  7 19:24 .
    drwxr-xr-x. 12 root     root  4096 May  7 14:44 ..
    -rwxr-x---.  1 sysadmin edm  37344 May  7 18:33 tsactl
    
    [sysadmin@timestamping-auth-edm ~]$ ls -al /home/sysadmin/Downloads/
    total 2348404
    drwxr-x---. 2 sysadmin edm         50 May  7 19:24 .
    drwx------. 3 sysadmin edm        100 May  7 18:28 ..
    -rw-r-----. 1 sysadmin edm 2404761327 May  5 18:23 tsa-2.1.1.sln
    -rw-r-----. 1 sysadmin edm        430 May  7 18:46 tsa-config.json

  2. Download the license file to the EDM virtual machine. See the Entrust Timestamping Authority 2.1 Deployment Guide available in the Documents tab for product licensing information.

    [sysadmin@timestamping-auth-edm ~]$ ls -al /home/sysadmin/Downloads/
    total 2348408
    drwxr-x---. 2 sysadmin edm         74 May  8 13:49 .
    drwx------. 3 sysadmin edm        100 May  7 14:28 ..
    -rw-r-----. 1 sysadmin edm       3975 May  6 15:52 inttesttsa00.lic
    -rw-r-----. 1 sysadmin edm 2404761327 May  5 14:23 tsa-2.1.1.sln
    -rw-r-----. 1 sysadmin edm        430 May  7 14:46 tsa-config.json

  3. Register the TSA.

    [sysadmin@timestamping-auth-edm ~]$ sudo clusterctl solution register --file /home/sysadmin/Downloads/inttesttsa00.lic
    [sudo] password for sysadmin:
    tsa registered

  4. Upload the TSA to the Management Console endpoint.

    [sysadmin@timestamping-auth-edm ~]$ sudo clusterctl solution upload -i tsa -f /home/sysadmin/Downloads/tsa-2.1.1.sln
    [sudo] password for sysadmin:
    Uploading  done ╢▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌╟ 100 %
    Processing  done ╢▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌▌╟ 100 %
    tsa: version 2.1.1 uploaded. A redeploy of the tsa solution is required for changes to take effect

Configure the TSA

  1. Open the following ports.

    # sudo firewall-cmd --zone=public --permanent --add-port=323/udp
    [sudo] password for sysadmin:
    success
    # sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
    success
    # sudo firewall-cmd --reload
    success

  2. Edit the /etc/chrony.conf file following the instructions in the Entrust Timestamping Authority 2.1 Deployment Guide, section Configuring chrony.

    [sysadmin@timestamping-auth-edm ~]$ cat /etc/chrony.conf
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    pool 2.rhel.pool.ntp.org iburst
    
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    
    ...
    
    # TSA configuration
    bindcmdaddress <IP of Entrust Deployment Manager virtual machine>
    cmdallow all

  3. Restart the chrony service.

    [sysadmin@timestamping-auth-edm ~]$ sudo systemctl restart chronyd.service
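
The following check is an added example, not part of the Entrust guide or of this integration. It audits the two chrony directives from step 2, failing on a leftover placeholder or a loopback bind address, and noting that cmdallow all leaves the 323/udp firewall rule (chronyd's default command port) as the only limit on which hosts can query chronyd. The function name, the finding labels and the sample address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): audit the TSA directives in a
# chrony.conf. Prints one finding per line; exit status 0 means no FAIL.
audit_chrony_conf() {
    awk '
        $1 == "bindcmdaddress" {
            seen_bind = 1
            if ($2 == "" || $2 ~ /^</) {
                print "FAIL bindcmdaddress is empty or still the placeholder"; bad = 1
            } else if ($2 ~ /^127\./ || $2 == "::1") {
                # loopback is the chronyd default, so the TSA setting is not in effect
                print "FAIL bindcmdaddress " $2 " is loopback"; bad = 1
            } else if ($2 == "0.0.0.0" || $2 == "::") {
                print "WARN bindcmdaddress " $2 " binds every interface"
            } else {
                print "OK bindcmdaddress " $2
            }
        }
        $1 == "cmdallow" {
            seen_allow = 1
            net = ($2 == "all") ? $3 : $2      # "cmdallow all <subnet>" is valid
            if (net == "") {
                print "WARN cmdallow permits any address; only the 323/udp firewall rule limits who can query"
            } else {
                print "OK cmdallow " net
            }
        }
        END {
            if (!seen_bind)  { print "FAIL bindcmdaddress missing"; bad = 1 }
            if (!seen_allow) { print "FAIL cmdallow missing"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: 192.0.2.10 is a documentation address standing in for the EDM VM.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pool 2.rhel.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
# TSA configuration
bindcmdaddress 192.0.2.10
cmdallow all
EOF
audit_chrony_conf "$sample"
rm -f "$sample"
```

To audit the live file, call audit_chrony_conf /etc/chrony.conf before restarting chronyd.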