Security Server Installation, Registration and Configuration
Hardware requirements
64-bit dual-core Intel, AMD or compatible CPU; AES instruction set support is highly recommended
2 CPU
4 GB RAM
10 GB free disk space (OS partition) and 20-40 GB free disk space on the “/var” partition
100 Mbps network interface card
Operating System Requirements
This guide assumes one of the following:
Red Hat Enterprise Linux
RHEL8+
Ubuntu
20.04 LTS
22.04 LTS
Note: Installing and configuring an X-Road Security Server requires sudo permissions on the host.
Running in a container
Running the X-Road Security Server in a container is outside the scope of this guide, but you can refer to the official Security Server Sidecar User Guide for guidance.
The X-Road Security Server should be run under a dedicated POSIX user, usually named xroad.
Create this user by running the following command:
If that user will be used for interactive SSH log-ins, then we must ensure that the Security Server PIN (see below) doesn't get cleared (even though auto-login is configured), by running the following command:
Follow the installation guide
NIIS maintains a guide for setting up Security Servers on Ubuntu and RHEL in their knowledge base, which you can find here: How to Set Up a Security Server?
While following the guide above, take care to override the official documentation with the specific steps for the Icelandic environment (Straumurinn), outlined at https://github.com/digitaliceland/Straumurinn.
Certificate generation
During installation, a dialog will appear asking for host and IP information for certificate generation. The latter part of the dialog configures the certificate for the xroad-proxy-ui-api service.
Here it may be desirable to change the value from the auto-detected machine host name to a domain name used for accessing the Admin UI:
Registration
Once a Security Server has been successfully installed, the Admin UI can be accessed by pointing a web browser at https://SECURITYSERVER:4000/.
Required configuration for registration
Before being able to import a Configuration Anchor, the Security Server IP and FQDN must be whitelisted by the operator of the Straumurinn X-Road Central Services.
To register a Security Server into Straumurinn, the following configuration values are required:
1. Outgoing IP Address of the Security Server
The public outgoing IP address of the server can be found with the following command from a Security Server terminal session:
To register, an email containing the values listed above should be sent to the operator of the Straumurinn X-Road Central Server at [email protected]
Example email for registering an X-Road Security Server to Central
If Auto-Login is not configured, the server will require manual entry of the Soft Token PIN during startup / restart, which can have implications for the Security Server's reliability.
For the PIN to be entered automatically when starting X-Road services, refer to the X-Road: Autologin User Guide.
Test auto-login PIN entry functionality
To verify that auto-login PIN entry works as expected, you can try stopping and starting all the X-Road services like this:
Step 1 of the Initial Configuration Wizard, which allows the User to upload a Configuration Anchor
After the anchor has been uploaded, it needs to be confirmed.
Ensure that the "Hash Generated" corresponds to the information on the Central Server.
Click [CONFIRM].
Configuration Anchor Confirmation Dialog
The Configuration Anchor has now been configured and should show you something like the following:
A successfully configured Configuration Anchor
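The confirmation step above asks you to compare the "Hash Generated" value with the value published by the Central Server. The following script is an added example and is not part of the original guide or the X-Road project; it computes the digest of an anchor file locally so the comparison can be made from a terminal as well. It assumes that the Admin UI shows the SHA-224 digest of the anchor file as colon-separated, upper-case hex pairs; the sample anchor it creates is constructed for the self-test and is not a real Straumurinn anchor.

```shell
#!/bin/sh
# Added example, not part of the original guide: compute the digest of a
# configuration anchor file so it can be compared with the "Hash Generated"
# value in the Admin UI and with the value published by the Central Server.
# Assumption: X-Road displays the SHA-224 digest of the anchor file as
# colon-separated, upper-case hex pairs (28 bytes -> 83 characters).

# anchor_hash FILE -> prints e.g. "AB:CD:...:EF"
anchor_hash() {
    sha224sum "$1" | cut -c1-56 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# anchor_hash_matches FILE EXPECTED -> exit status 0 if the digests agree
anchor_hash_matches() {
    [ "$(anchor_hash "$1")" = "$2" ]
}

# Constructed sample anchor (not a real anchor) used for a local self-test.
make_sample_anchor() {
    f=$(mktemp)
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<configurationAnchor><instanceIdentifier>EXAMPLE</instanceIdentifier></configurationAnchor>' > "$f"
    echo "$f"
}

# Usage on a real host: anchor_hash /path/to/configuration_anchor.xml
# and compare the printed value with the Central Server's published hash.
```

If the locally computed value differs from the one shown in the dialog or published by the Central Server operator, do not click [CONFIRM]; re-download the anchor and check again.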
Owner Member
In the initial configuration screen, enter the values as follows.
Member Class - the Member Class of the organization that maintains the central server.
Member Code - the Member Code of the organization that maintains the central server.
Member Name - is auto completed when Member Code is added.
Security Server Code - unique code identifying the Security Server.
Use a short name for the Server Code.
Do not use FQDN, ".", "/" or "".
Some extensions use dots as separators, e.g. REST Adapter Service.
X-Road Message Protocol imposes some restrictions on the characters that can be used in X-Road identifiers. The following characters SHALL NOT be used in the identifier values:
Step 2 of the Initial Configuration Wizard, which allows the User to configure the Owner Member of the Security Server
Software Token PIN
PIN - the password that protects the security server's secret keys.
Repeat PIN - repeat the above PIN.
Keep the PIN secret. Keep it safe.
Step 3 of the Initial Configuration Wizard, which allows the User to set the Software Token PIN.
The initial configuration was saved successfully.
CSR certificates
Configuration window for adding members, clients or subsystems
The Security Server asks for the PIN code.
Click the "Please enter soft token PIN" link.
An X-Road Security Server Admin UI page showing a red banner with the message "Please enter soft token PIN" along with a button for logging in with the PIN
Clicking the link navigates to Keys and Certificates page.
Click [LOG IN] on the softToken Service.
Enter PIN Code
Click [LOG IN] in the modal window.
Logging in with PIN Code
The red error message bar should now disappear.
Final steps
Configure Timestamping Services
Go to: Settings > Timestamping Services and click [ADD]
The Settings -> System Parameters page which shows the empty Timestamping Services.
Pick a time-stamping service from the list and click [OK].
A modal for adding a Timestamping Service.
The message "Timestamping message added" should appear.
Admin UI: The Settings -> System Parameters page which shows that a Timestamping Service has been added
Configure SIGN and AUTH Keys
SIGN Key
Navigate to "KEYS AND CERTIFICATES"
The Keys and Certificate Page
Click [ADD KEY]
The wizard for generating a certificate signing key
Enter "sign" for the "Key Label" and click [NEXT]
The CSR Details page inside the Add Key wizard.
Fill out the form with the following values:
Usage: SIGNING
Client: Select the relevant Client from the dropdown.
CSR Format: PEM
Click [GENERATE CSR]
The Generate CSR page inside the Add Key wizard
Click [DONE]
Final confirmation page of the Add Key wizard
The CSR should be downloaded to the browser's download folder.
An overview of SIGN and AUTH keys, showing that a CSR for the SIGN key has been created.
The AUTH key
If you are not already there, start by navigating to "KEYS AND CERTIFICATES"->"SIGN AND AUTH KEYS" of the Admin UI (see above).
Click [ADD KEY]
Enter “auth” and click [NEXT]
Part 1 of the Add Key wizard, showing "Key Label" being set to "auth"
Choose AUTHENTICATION and change CSR Format to PEM
Fill out the form with the following values:
Usage: AUTHENTICATION
Certification Service: Select the appropriate certification service (there should only be 1)
CSR Format: PEM
Part 2 of the Add Key wizard: CSR details
Enter your Server DNS name (CN)
Part 3 of the Add Key Wizard: Generate CSR
Press GENERATE CSR
Final confirmation page of the Add Key wizard
The certificate request is downloaded to the browser's download folder.
An overview of SIGN and AUTH keys, showing that a CSR for both the SIGN and AUTH keys has been created.
Now you can see that there are two keys in the overview, Sign and Auth.
# Stop all X-Road services one by one
for i in xroad-confclient xroad-proxy xroad-signer xroad-monitor xroad-opmonitor xroad-proxy-ui-api; do
  echo "stopping $i"
  sudo service $i stop
done
# Confirm that the X-Road units are no longer running
sudo systemctl list-units "xroad*"
# Start the services again; with auto-login configured, the soft token must unlock without a PIN prompt
for i in xroad-confclient xroad-proxy xroad-signer xroad-monitor xroad-opmonitor xroad-proxy-ui-api; do
  echo "starting $i"
  sudo service $i start
done
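After the restart loop above, the point of the test is that every X-Road unit comes back up without anyone typing the PIN. The following script is an added example and is not part of the original guide or the X-Road project; it reads the output of "systemctl list-units 'xroad*' --no-legend --plain" and reports every expected unit that is missing or not in the "active running" state, so a failed xroad-signer (the unit that holds the soft token) stands out. The sample listing embedded in it is constructed for the self-test; on a real host use the check_live wrapper instead.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that every X-Road unit
# is "active running" after the stop/start cycle. Unit names are the ones used
# in the restart loop above.

XROAD_UNITS="xroad-confclient xroad-proxy xroad-signer xroad-monitor xroad-opmonitor xroad-proxy-ui-api"

# Constructed sample of "systemctl list-units 'xroad*' --no-legend --plain"
# output: signer has failed and opmonitor is missing entirely.
SAMPLE_UNITS='xroad-confclient.service loaded active running X-Road confclient
xroad-proxy.service loaded active running X-Road proxy
xroad-signer.service loaded failed failed X-Road signer
xroad-monitor.service loaded active running X-Road monitor
xroad-proxy-ui-api.service loaded active running X-Road proxy UI API'

# report_inactive LISTING
# Prints one line per expected unit that is missing or not "active running".
# Returns 0 when all units are healthy, 1 otherwise.
report_inactive() {
    listing=$1
    rc=0
    for u in $XROAD_UNITS; do
        # Columns in --plain output: UNIT LOAD ACTIVE SUB DESCRIPTION
        line=$(printf '%s\n' "$listing" | grep "^$u\.service " || true)
        if [ -z "$line" ]; then
            echo "$u: not listed"
            rc=1
            continue
        fi
        state=$(printf '%s\n' "$line" | awk '{print $3 " " $4}')
        if [ "$state" != "active running" ]; then
            echo "$u: $state"
            rc=1
        fi
    done
    return $rc
}

# Wrapper for a live host (requires systemd; not exercised by the self-test).
check_live() {
    report_inactive "$(systemctl list-units 'xroad*' --no-legend --plain)"
}
```

Run check_live a few seconds after the start loop; an empty report and exit status 0 means all units are up. If xroad-signer is reported as failed, auto-login did not unlock the token and the Security Server will not be able to sign or receive messages until the PIN is entered through the Admin UI.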