Install the Web Services Option Pack

Before proceeding with the installation, a MongoDB database must already be running. You need the hostname, replica set name, and any database authentication details for the WSOP configuration. If a replica set is not in use, this option must be commented out.

Open a terminal window and create a temporary directory to unpack the WSOP tar to:
```
mkdir wsop_install
```
Extract the WSOP tar to the temporary directory created above:
```
sudo tar -xzf wsop-p11-X.X.X.tar.gz -C wsop_install
```

The WSOP release tarball contains the following installation archives:

Filename	Package
corecrypto.tar.gz wsop-common.tar.gz	WSOP Server
dbmt.tar.gz	Database Management Tool
nShield-WebServicesClient-Linux-1.1.0.tar.gz	PKCS #11 library and utilities for Linux
nShield-WebServicesClient-Windows-1.1.0.tar.gz	PKCS #11 library and utilities for Windows

Filename

Package

corecrypto.tar.gz
wsop-common.tar.gz

WSOP Server

dbmt.tar.gz

Database Management Tool

nShield-WebServicesClient-Linux-1.1.0.tar.gz

PKCS #11 library and utilities for Linux

nShield-WebServicesClient-Windows-1.1.0.tar.gz

PKCS #11 library and utilities for Windows

To install the WSOP Server, see WSOP Server Installation for more information.

To install the Database Management tool, see WSOP Database Management Tool.

To install the PKCS #11 library, see the nShield® Web Services PKCS #11 Provider User Guide.

WSOP Server Installation

To install the Web Services Option Pack Server:

Change to the root directory.
Extract the following files from the unpacked WSOP tar. This installs all files required by the WSOP service to /opt/nfast.
```
sudo tar -xzf /path/to/wsop_install/corecrypto.tar.gz
sudo tar -xzf /path/to/wsop_install/wsop-common.tar.gz
```

Update relevant sections of config.yaml for your server and MongoDB environment.

An example configuration is provided at

/opt/nfast/webservices/corecrypto/conf/config.yaml.example

If config.yaml is not found in the webservices/corecrypto/conf directory during the installation, then the config.yaml.example file will be copied over as the initial config.yaml.

For assistance in configuring a new deployment, the Health Check configuration option allow_unauthenticated_clients can be disabled to allow unrestricted access to the health check endpoint.

Entrust recommends using a secure connection to the database at all times. In the default configuration, TLS for database connection is on and the authentication method with database is set to X509.

The following database fields must be configured correctly before starting the WSOP service:

hosts field specifies the addresses and ports of the database hosts:

    # List of database hosts
    hosts:
      - database1.ncipher.com:30001
      - database2.ncipher.com:30002
      - database3.ncipher.com:30003

db_ca_file, db_cert_file and db_key_file specify the Certificate Authority (CA) files for database TLS.

    # Path to the mongoDB TLS certificate
    db_ca_file: /opt/nfast/webservices/corecrypto/tls/db/db_ca.crt

    # Path to the corecrypto client certificate (used when Mutual Authentication is enabled)
    db_cert_file: /opt/nfast/webservices/corecrypto/tls/db/db_client.pem

    # Path to the corecrypto client private key (used when Mutual Authentication is enabled)
    db_key_file: /opt/nfast/webservices/corecrypto/tls/db/db_client.key

replica_set field specifies the name of the MongoDB replica set used for WSOP server. The default value must be changed to the correct replica set for your configuration.
```
        # Name of the Replication Set
        replica_set: rs1
```

Install the Database Management Tool (DBMT) and initialize the database. For details, see the WSOP Database Management Tool chapter.
The Web Services Option Pack service can now be installed using the command:
```
sudo /opt/nfast/webservices/sbin/install
```
The installer will create the following, as required:
- Either a SysV-style init script or systemd script for automatically starting and stopping the service.
- The wsopd user. This user is dedicated to running corecrypto service.
Check the corecrypto service.

The following example logging outputs can be used to verify the installation and successful startup of the corecrypto service in the log file located at /opt/nfast/log/corecrypto.log.
```
[INFO] [WSOP] [1079] [server] Serving n shield web services option pack at https://[::]:18001
```
In a successful installation and start up, you should see periodic [debug] level log entries for successful database and sworld health checks. For more information on how to enable debugging, see section Server Logging Level in Configuration in this User Guide.
```
[DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: started with loop counter 0 / 60
[DEBUG] [WSOP] [28551] [KM] NCoreKeyManager[ncore]: sworldHealthCheck: sworld health check details health check details: Error:[<nil>]
```

Each time the configuration file is changed, you must restart the WSOP service to take the new configuration into use.

To restart the WSOP service:

/opt/nfast/scripts/init.d/corecrypto restart