Install the Web Services Option Pack

Before proceeding with the installation, a MongoDB database must already be running. You need the hostname, replica set name, and any database authentication details for the WSOP configuration. If a replica set is not in use, this option must be commented out.
  1. Open a terminal window and create a temporary directory to unpack the WSOP tar to:

    mkdir wsop_install
  2. Extract the WSOP tar to the temporary directory created above:

    sudo tar -xzf wsop-p11-X.X.X.tar.gz -C wsop_install

The WSOP release tarball contains the following installation archives:

Filename Package


WSOP Server


Database Management Tool


PKCS #11 library and utilities for Linux


PKCS #11 library and utilities for Windows

To install the WSOP Server, see WSOP Server Installation for more information.

To install the Database Management tool, see WSOP Database Management Tool.

To install the PKCS #11 library, see the nShield® Web Services PKCS #11 Provider User Guide.

WSOP Server Installation

To install the Web Services Option Pack Server:

  1. Change to the root directory.

  2. Extract the following files from the unpacked WSOP tar. This installs all files required by the WSOP service to /opt/nfast.

    sudo tar -xzf /path/to/wsop_install/corecrypto.tar.gz
    sudo tar -xzf /path/to/wsop_install/wsop-common.tar.gz
  3. Update relevant sections of config.yaml for your server and MongoDB environment.

    An example configuration is provided at


    If config.yaml is not found in the webservices/corecrypto/conf directory during the installation, then the config.yaml.example file will be copied over as the initial config.yaml.

    For assistance in configuring a new deployment, the Health Check configuration option allow_unauthenticated_clients can be disabled to allow unrestricted access to the health check endpoint.
    Entrust recommends using a secure connection to the database at all times. In the default configuration, TLS for database connection is on and the authentication method with database is set to X509.

    The following database fields must be configured correctly before starting the WSOP service:

    • hosts field specifies the addresses and ports of the database hosts:

          # List of database hosts
    • db_ca_file, db_cert_file and db_key_file specify the Certificate Authority (CA) files for database TLS.

          # Path to the mongoDB TLS certificate
          db_ca_file: /opt/nfast/webservices/corecrypto/tls/db/db_ca.crt
          # Path to the corecrypto client certificate (used when Mutual Authentication is enabled)
          db_cert_file: /opt/nfast/webservices/corecrypto/tls/db/db_client.pem
          # Path to the corecrypto client private key (used when Mutual Authentication is enabled)
          db_key_file: /opt/nfast/webservices/corecrypto/tls/db/db_client.key
    • replica_set field specifies the name of the MongoDB replica set used for WSOP server. The default value must be changed to the correct replica set for your configuration.

              # Name of the Replication Set
              replica_set: rs1
  4. Install the Database Management Tool (DBMT) and initialize the database. For details, see the WSOP Database Management Tool chapter.

  5. The Web Services Option Pack service can now be installed using the command:

    sudo /opt/nfast/webservices/sbin/install

    The installer will create the following, as required:

    • Either a SysV-style init script or systemd script for automatically starting and stopping the service.

    • The wsopd user. This user is dedicated to running corecrypto service.

Restarting the service

To restart the WSOP service:

/opt/nfast/scripts/init.d/corecrypto restart

Each time the configuration file is changed, you must restart the WSOP service to take the new configuration into use.