For the impatient
The main installation instructions are available over at http://ejbca.org/. Always go there first.
Platforms
EJBCA is also known to work on these operating systems:
- Debian Stable and unstable
- Ubuntu 6.06 through 10.11
- Suse 9 and 10
- Oracle Enterprise Linux 4
- RHEL 4 and 5
- Solaris 10
- Windows XP, Windows 7, 2003 and 2008 Server
- Mac OS X 10.4.11 through Leopard
- BSD
EJBCA 3.11 works on the following application servers:
- JBoss 4.2.x and JBoss 5.1.x
- Glassfish v2
- OC4J 10g (perhaps)
- WebLogic 10.x (partly)
EJBCA 4.0 works on the following application servers:
- JBoss 5.1.x and 6.0.x
- Glassfish v2
Some older version was also known to work on WebSphere. Maintaining support for WebSphere is too pricey though (read: too much work).
Express download and install script [Alpha]
Mainly for developers and bug-testers. You can find it here.
Other
There was once a Debian package, which is no longer maintained.
The auto-setup script that was used for Debian can be used for other purposes as well: auto-setup.
Log4j configuration in JBoss
Basic filtering configuration
In the default installation everything is written to the JBoss server.log. This includes lots of debug messages from JBoss, which makes it hard to pick out EJBCA-related events. We recommend limiting what is written to server.log:
- Disable the console appender
- Limit the category org.ejbca to INFO
- Limit the category org.cesecore to INFO
- Limit the default root appender to ERROR
<category name="org.ejbca">
  <priority value="INFO"/>
</category>
<category name="org.cesecore">
  <priority value="INFO"/>
</category>
<root>
  <priority value="ERROR"/>
  <appender-ref ref="FILE"/>
</root>
Another useful configuration is to put the EJBCA log in its own file, so that ejbca.log contains only EJBCA logging. You can do that by defining a new appender and assigning a logger for the org.ejbca packages to this appender.
Remove the "category" for org.ejbca if you configured it as shown above.
<appender name="EJBCA" class="org.jboss.logging.appender.DailyRollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.log.dir}/ejbca.log" />
  <param name="Append" value="true" />
  <!-- Rollover at midnight each day -->
  <param name="DatePattern" value="'.'yyyy-MM-dd" />
  <layout class="org.apache.log4j.PatternLayout">
    <!-- The default pattern: Date Priority [Category] Message\n -->
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n" />
  </layout>
</appender>
<logger name="org.ejbca">
  <priority value="INFO"/>
  <appender-ref ref="EJBCA" />
</logger>
Separating different CAs into different logfiles.
If you have audit log files and use several CAs, you may want the audit entries of the different CAs in different files. You can use log4j filtering on the CA ID in the log entries to do this. In the configuration below, change the CA ID in value="CAId : -692495638" (it appears in both filters) to the ID of the CA you want to separate into its own file. You can find the caId value by going to "Edit Certificate Authorities" and editing a CA in the admin GUI, or by using the CLI.
<!-- Appender for EJBCA audit log: all CAs except NoStoreCA -->
<appender name="AUDITLOG" class="org.jboss.logging.appender.DailyRollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.log.dir}/serverothercas.log"/>
  <!-- Append=false truncates the current file each time the appender is opened
       (for example at server start); use true if audit entries must survive a restart -->
  <param name="Append" value="false"/>
  <param name="DatePattern" value="'.'yyyy-MM-dd"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
  <!-- Filter out logs about NoStoreCA; everything else passes through -->
  <filter class="org.apache.log4j.varia.StringMatchFilter">
    <param name="StringToMatch" value="CAId : -692495638" />
    <param name="AcceptOnMatch" value="false" />
  </filter>
</appender>
<!-- Appender for EJBCA audit log: Only NoStoreCA -->
<appender name="AUDITLOG1" class="org.jboss.logging.appender.DailyRollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.log.dir}/servernostoreca.log"/>
  <!-- Same Append behaviour as in AUDITLOG above -->
  <param name="Append" value="false"/>
  <param name="DatePattern" value="'.'yyyy-MM-dd"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
  <!-- Only accept logs for NoStoreCA -->
  <filter class="org.apache.log4j.varia.StringMatchFilter">
    <param name="StringToMatch" value="CAId : -692495638" />
    <param name="AcceptOnMatch" value="true" />
  </filter>
  <!-- Drop everything the filter above did not accept -->
  <filter class="org.apache.log4j.varia.DenyAllFilter"/>
</appender>
<!-- Category for EJBCA audit log -->
<category name="org.ejbca.core.model.log.Log4jLogDevice">
  <priority value="DEBUG"/>
  <appender-ref ref="AUDITLOG"/>
  <appender-ref ref="AUDITLOG1"/>
</category>
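The two filter chains above decide, per appender, whether an audit message is written. The Python model below reproduces log4j 1.x filter semantics for them and shows which file each message lands in. It is an added example, not EJBCA or log4j code, and the sample messages (everything around "CAId : <n>") are constructed.

```python
# Added illustration of log4j 1.x filter-chain semantics for the AUDITLOG and
# AUDITLOG1 appenders configured above. Not EJBCA or log4j code.
ACCEPT, NEUTRAL, DENY = 1, 0, -1

def string_match_filter(string_to_match, accept_on_match):
    """StringMatchFilter: substring test on the message, NEUTRAL if absent."""
    def decide(message):
        if string_to_match not in message:
            return NEUTRAL
        return ACCEPT if accept_on_match else DENY
    return decide

def deny_all_filter(message):
    """DenyAllFilter: rejects whatever reaches it."""
    return DENY

def appender_logs(filters, message):
    """Walk the chain in order; the first non-NEUTRAL decision wins.
    A message that is still NEUTRAL after the last filter is logged."""
    for decide in filters:
        decision = decide(message)
        if decision != NEUTRAL:
            return decision == ACCEPT
    return True

CA_MATCH = "CAId : -692495638"  # StringToMatch from the configuration above
APPENDERS = {
    "serverothercas.log": [string_match_filter(CA_MATCH, False)],
    "servernostoreca.log": [string_match_filter(CA_MATCH, True), deny_all_filter],
}

def route(message):
    """Return the files (sorted) whose appender would write this message."""
    return sorted(f for f, c in APPENDERS.items() if appender_logs(c, message))

# Constructed messages: everything except "CAId : <n>" is made up for the demo.
SAMPLES = [
    "CAId : -692495638, event : CERT_CREATED",           # the separated CA
    "CAId : 1652389506, event : CERT_REVOKED",           # another CA
    "event : SERVICE_STARTED",                           # no CA ID at all
    "CAId : 1652389506, note : see CAId : -692495638",   # mentions the string
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(route(msg), "<-", msg)
```

Every message lands in exactly one of the two files, and serverothercas.log also receives messages that carry no CA ID. Because StringMatchFilter is a substring test, a message that only mentions the match string elsewhere is routed to the separated CA's file.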
LiveCD
Descriptions about the LiveCD.





