Installation

Before proceeding with the installation, a MongoDB database must already be running. You need the hostname, replica set name, and any database authentication details for the WSOP configuration. If a replica set is not in use, the replica set option in the configuration must be commented out.
  1. Open a terminal window and create a temporary directory to unpack the WSOP tar to:

    mkdir wsop_install
  2. Extract the WSOP tar to the temporary directory created above:

    sudo tar -xzf wsop-p11-X.X.X.tar.gz -C wsop_install

The WSOP release tarball contains the following installation archives:

| Filename | Package |
|---|---|
| corecrypto.tar.gz, wsop-common.tar.gz | WSOP Server |
| dbmt.tar.gz | Database Management Tool |
| pkcs11.tar.gz | PKCS #11 library and utilities |

To install the WSOP Server, see WSOP Server Installation for more information.

To install the Database Management tool, see Database Management Tool.

To install the PKCS #11 library, see PKCS 11.

WSOP Server Installation

To install the Web Services Option Pack Server:

  1. Change to the root directory.

  2. Extract the following files from the unpacked WSOP tar. This installs all files required by the WSOP service to /opt/nfast.

    sudo tar -xzf /path/to/wsop_install/corecrypto.tar.gz
    sudo tar -xzf /path/to/wsop_install/wsop-common.tar.gz
  3. The Web Services Option Pack service can now be installed using the command:

    sudo /opt/nfast/wsop/sbin/install

    The installer does not start the WSOP service. The installer will create the following, as required:

    • Either a SysV-style init script or systemd script for automatically starting and stopping the service.

    • The wsopd user. This user is dedicated to running the corecrypto service.

  4. Update relevant sections of the config.yaml for your server and MongoDB environment.

    For assistance in configuring a new deployment, the Health Check configuration option allow_unauthenticated_clients can be disabled to allow unrestricted access to the health check endpoint.
    Entrust recommends using a secure connection to the database at all times. In the default configuration, TLS for database connection is on and the authentication method with database is set to X509.

    The following database fields must be configured correctly before starting the WSOP service:

    • hosts field specifies the addresses and ports of the database hosts:

          # List of database hosts
          hosts:
            - database1.ncipher.com:30001
            - database2.ncipher.com:30002
            - database3.ncipher.com:30003
    • db_ca_file, db_cert_file and db_key_file specify the Certificate Authority (CA) certificate, client certificate and client private key files for database TLS.

          # Path to the mongoDB TLS certificate
          db_ca_file: /opt/nfast/wsop/corecrypto/tls/db/db_ca.crt
      
          # Path to the corecrypto client certificate (used when Mutual Authentication is enabled)
          db_cert_file: /opt/nfast/wsop/corecrypto/tls/db/db_client.pem
      
          # Path to the corecrypto client private key (used when Mutual Authentication is enabled)
          db_key_file: /opt/nfast/wsop/corecrypto/tls/db/db_client.key
    • replica_set field specifies the name of the MongoDB replica set used for WSOP server. The default value must be changed to the correct replica set for your configuration.

          # Name of the Replication Set
          replica_set: rs1
  5. Install the Database Management Tool (DBMT) and initialise the database. For details, see the Database Management Tool chapter.

  6. Start the corecrypto service to run with the configuration changes.

    /opt/nfast/scripts/init.d/corecrypto start
  7. Check the corecrypto service.

    The following example log entries, from the log file at /opt/nfast/wsop/corecrypto/log/corecrypto.log, can be used to verify that the corecrypto service installed and started successfully.

    [INFO] [WSOP] [1079] [server] Serving n shield web services option pack at https://[::]:18001

    In a successful installation and start up, you should see periodic [debug] level log entries for successful database and sworld health checks. For more information on how to enable debugging, see section Server Logging Level in Configuration in this User Guide.

    [DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: started with loop counter 0 / 60
    [DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: sworld health check details health check details: Error:[<nil>]

Each time the configuration file is changed, you must restart the WSOP service for the new configuration to take effect.

To restart the WSOP service:

    /opt/nfast/scripts/init.d/corecrypto restart
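
The log check in step 7 can be scripted and rerun after each restart. The following is an added example, not part of the product or of this guide's own tooling: the function names are hypothetical, the sample lines are constructed from the log samples above, and it assumes that a failed sworld health check reports something other than <nil> inside Error:[...].

```bash
#!/usr/bin/env bash
# Added example (not vendor code): summarise corecrypto start-up evidence.
# Default log path and line formats come from the samples in this guide.

# Constructed sample input, modelled on the log lines shown in step 7.
write_sample_log() {
    cat > "$1" <<'EOF'
[INFO] [WSOP] [1079] [server] Serving n shield web services option pack at https://[::]:18001
[DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: started with loop counter 0 / 60
[DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: sworld health check details health check details: Error:[<nil>]
EOF
}

# Prints "serving=N healthy=N failed=N"; returns 0 only when the listener
# line is present and no sworld health check reported an error.
check_corecrypto_log() {
    local log="${1:-/opt/nfast/wsop/corecrypto/log/corecrypto.log}"
    local serving healthy failed
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }

    # Listener line; an unescaped ] is a literal in a basic regex.
    serving=$(grep -c '\[server] Serving .* at https://' "$log" || true)
    # DEBUG-level sworld checks that finished without an error.
    healthy=$(grep -F 'sworldHealthCheck:' "$log" | grep -Fc 'Error:[<nil>]' || true)
    # Assumption: a failed check puts something other than <nil> in Error:[...].
    failed=$(grep -F 'sworldHealthCheck:' "$log" | grep -F 'Error:[' \
        | grep -Fvc 'Error:[<nil>]' || true)

    echo "serving=$serving healthy=$healthy failed=$failed"
    [ "$serving" -ge 1 ] && [ "$failed" -eq 0 ]
}

# Demo on the constructed sample; pass the real log path on a live host.
sample=$(mktemp)
write_sample_log "$sample"
check_corecrypto_log "$sample"
rm -f "$sample"
```

A result of healthy=0 with serving=1 only means that DEBUG logging is not enabled, so the function still returns success in that case.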