Install the Web Services Option Pack
Before proceeding with the installation, a MongoDB database must already be running. You need the hostname, replica set name, and any database authentication details for the WSOP configuration. If a replica set is not in use, the replica_set option in the configuration must be commented out.
- Open a terminal window and create a temporary directory to unpack the WSOP tar to:
    mkdir wsop_install
- Extract the WSOP tar to the temporary directory created above:
    sudo tar -xzf wsop-p11-X.X.X.tar.gz -C wsop_install
The WSOP release tarball contains the following installation archives:
Filename | Package |
---|---|
corecrypto.tar.gz | WSOP Server |
dbmt.tar.gz | Database Management Tool |
nShield-WebServicesClient-Linux-1.1.0.tar.gz | PKCS #11 library and utilities for Linux |
nShield-WebServicesClient-Windows-1.1.0.tar.gz | PKCS #11 library and utilities for Windows |
To install the WSOP Server, see WSOP Server Installation for more information.
To install the Database Management tool, see WSOP Database Management Tool.
To install the PKCS #11 library, see the nShield® Web Services PKCS #11 Provider User Guide.
WSOP Server Installation
To install the Web Services Option Pack Server:
- Change to the root directory.
- Extract the following files from the unpacked WSOP tar. This installs all files required by the WSOP service to /opt/nfast.
    sudo tar -xzf /path/to/wsop_install/corecrypto.tar.gz
    sudo tar -xzf /path/to/wsop_install/wsop-common.tar.gz
- Update relevant sections of config.yaml for your server and MongoDB environment.
  An example configuration is provided at /opt/nfast/webservices/corecrypto/conf/config.yaml.example. If config.yaml is not found in the webservices/corecrypto/conf directory during the installation, then the config.yaml.example file will be copied over as the initial config.yaml.
  For assistance in configuring a new deployment, the Health Check configuration option allow_unauthenticated_clients can be disabled to allow unrestricted access to the health check endpoint.
  Entrust recommends using a secure connection to the database at all times. In the default configuration, TLS for database connection is on and the authentication method with database is set to X509.
  The following database fields must be configured correctly before starting the WSOP service:
  - The hosts field specifies the addresses and ports of the database hosts:
      # List of database hosts
      hosts:
        - database1.ncipher.com:30001
        - database2.ncipher.com:30002
        - database3.ncipher.com:30003
  - db_ca_file, db_cert_file and db_key_file specify the Certificate Authority (CA) files for database TLS.
      # Path to the mongoDB TLS certificate
      db_ca_file: /opt/nfast/webservices/corecrypto/tls/db/db_ca.crt
      # Path to the corecrypto client certificate (used when Mutual Authentication is enabled)
      db_cert_file: /opt/nfast/webservices/corecrypto/tls/db/db_client.pem
      # Path to the corecrypto client private key (used when Mutual Authentication is enabled)
      db_key_file: /opt/nfast/webservices/corecrypto/tls/db/db_client.key
  - The replica_set field specifies the name of the MongoDB replica set used for WSOP server. The default value must be changed to the correct replica set for your configuration.
      # Name of the Replication Set
      replica_set: rs1
- Install the Database Management Tool (DBMT) and initialize the database. For details, see the WSOP Database Management Tool chapter.
- The Web Services Option Pack service can now be installed using the command:
    sudo /opt/nfast/webservices/sbin/install
  The installer will create the following, as required:
  - Either a SysV-style init script or systemd script for automatically starting and stopping the service.
  - The wsopd user. This user is dedicated to running the corecrypto service.
- Check the corecrypto service.
  The following example logging outputs can be used to verify the installation and successful startup of the corecrypto service in the log file located at /opt/nfast/log/corecrypto.log.
    [INFO] [WSOP] [1079] [server] Serving n shield web services option pack at https://[::]:18001
  In a successful installation and start up, you should see periodic [debug] level log entries for successful database and sworld health checks. For more information on how to enable debugging, see section Server Logging Level in Configuration in this User Guide.
    [DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: started with loop counter 0 / 60
    [DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: sworld health check details health check details: Error:[<nil>]
Each time the configuration file is changed, you must restart the WSOP service for the new configuration to take effect.
To restart the WSOP service:
/opt/nfast/scripts/init.d/corecrypto restart
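
The database fields listed in the configuration step (hosts, db_ca_file, db_cert_file, db_key_file, replica_set) can be checked before the service is started or restarted. The following is an added example, not part of the Entrust documentation or tooling: the function names are hypothetical, the parsing assumes one key per line as in the fragments above with the default X509 setup, and the private-key permission rule is an assumption of this example.

```sh
# Added example (not vendor code): pre-flight check of the database fields in a
# WSOP config.yaml. Line-based parsing, one key per line; not a full YAML parser.

# Print the value of scalar key $2 in file $1, ignoring commented-out lines.
cfg_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k ":") == 1 {
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            print line; exit
        }' "$1"
}

# Print each "- host:port" entry that follows the hosts: key in file $1.
cfg_hosts() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*hosts:/ { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]+$/, ""); print; next
        }
        in_list && NF { in_list = 0 }' "$1"
}

# Report problems on stdout; the return status is the number of failures.
# Assumption: the client private key must carry no group/other permission bits.
wsop_preflight() {
    cfg=$1; fails=0
    hosts=$(cfg_hosts "$cfg")
    [ -n "$hosts" ] || { echo "FAIL hosts: no entries"; fails=$((fails + 1)); }
    for h in $hosts; do
        name=${h%:*}; port=${h##*:}
        case $port in ''|*[!0-9]*|??????*) port=0 ;; esac
        if [ "$name" = "$h" ] || [ -z "$name" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "FAIL hosts: '$h' is not host:port"; fails=$((fails + 1))
        fi
    done
    for key in db_ca_file db_cert_file db_key_file; do
        path=$(cfg_value "$cfg" "$key")
        if [ -z "$path" ]; then echo "FAIL $key: not set"; fails=$((fails + 1))
        elif [ ! -r "$path" ]; then echo "FAIL $key: $path missing or unreadable"; fails=$((fails + 1))
        elif [ "$key" = db_key_file ] && [ "$(ls -ldL -- "$path" | cut -c5-10)" != "------" ]; then
            echo "FAIL $key: $path is accessible to group or other"; fails=$((fails + 1))
        fi
    done
    rs=$(cfg_value "$cfg" replica_set)
    echo "INFO replica_set: ${rs:-commented out}"
    return "$fails"
}
```

Source the file and call wsop_preflight /opt/nfast/webservices/corecrypto/conf/config.yaml as the wsopd user, so that the readability results reflect what the service itself can open.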