Kebutuhannya :
1. Server Linux menggunakan Centos 5.5 berjalan dalam model Virtual server menggunakan Xen Server(dom0).
2. Server Asterisk dan perangkat Digium Digital Telephony Card berjalan dalam Centos 5.5 Xen(domU.)
3. Digium Digital Telephony Card menggunakan Digium TE121BF dengan fasilitas utama T1/E1/J1/PRI PCI-Express x1 card and hardware echo cancellation
4. Perangkat dan instalasi Telkom E1 ISDN PRA
5. Helpdesk menggunakan softphone dan Cisco SPA 502G 1-Line IP Phone

Untuk point 1,2,3, dan testing di 5 dikerjakan oleh saya, dan point 4 dikerjakan oleh pihak Telkom.

Point 1 servernya sudah berjalan dan berisi DNS,Email,Webserver,Proxy,Database,Fileserver semua berjalan dalam model virtual server, untuk keperluan instalasi ini diperlukan domU baru dan tantangannya menempatkan Digium TE121BF hanya di domU, jadi tidak di dom0, istilahnya dalam Xen adalah pciback.

Digium TE121BF PCIexpress card dibeli melalui Digium distributor di Malaysia sekitar US$800, Layanan Telkom E1 ISDN PRA untuk sambungan baru ke kantor perusahaan ini kena biaya pasang sekitar Rp 10 juta, Cisco SPA 502G sekitar US$106, yang lainnya free memakai software opensource Linux.

Okay selesai bicara teori dan sekarang praktek dan saya mau bagi ilmunya melalui dokumenasi yang sempat saya buatkan.

Point 1.  Server Linux menggunakan Centos 5.5 sudah terinstall dan berjalan dalam model Virtual server menggunakan Xen Server(dom0).  Tinggal create guest domain baru atau domU baru untuk instalasi keperluan Asterisk  diatas. Pembuatan domU dikerjakan oleh Xen melalui dom0.

Setelah domU untuk server Asterisk dibuat, kita matikan dahulu Server (jangan lupa matikan terlebih dahulu satu persatu domU sebelum shutdown mesin). Kemudian pasang Digium TE121BF card, buka casing dan pada motherboard, pasang card tersebut pada slot PCIExpress tipe x1 yang lebih kecil dibandingkan slot PCI tipe normal dan tipe x4/16. Setelah terpasang kita hidupkan kembali server.

Setelah server up, kita masuk ke dom0 dan cek keberadaan card dengan lspci :

[root@ID41-ND201 ~]# lspci
00:00.0 Host bridge: Intel Corporation 4 Series Chipset DRAM Controller (rev 02)
00:01.0 PCI bridge: Intel Corporation 4 Series Chipset PCI Express Root Port (rev 02)
00:1a.0 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #4
00:1a.1 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #5
00:1a.2 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #6
00:1a.7 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB2 EHCI Controller #2
00:1b.0 Audio device: Intel Corporation 82801JI (ICH10 Family) HD Audio Controller
00:1c.0 PCI bridge: Intel Corporation 82801JI (ICH10 Family) PCI Express Port 1
00:1c.2 PCI bridge: Intel Corporation 82801JI (ICH10 Family) PCI Express Port 3
00:1c.4 PCI bridge: Intel Corporation 82801JI (ICH10 Family) PCI Express Port 5
00:1c.5 PCI bridge: Intel Corporation 82801JI (ICH10 Family) PCI Express Port 6
00:1d.0 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #1
00:1d.1 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #2
00:1d.2 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #3
00:1d.7 USB Controller: Intel Corporation 82801JI (ICH10 Family) USB2 EHCI Controller #1
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 90)
00:1f.0 ISA bridge: Intel Corporation 82801JIB (ICH10) LPC Interface Controller
00:1f.2 SATA controller: Intel Corporation 82801JI (ICH10 Family) SATA AHCI Controller
00:1f.3 SMBus: Intel Corporation 82801JI (ICH10 Family) SMBus Controller
01:00.0 VGA compatible controller: nVidia Corporation G73 [GeForce 7300 GT] (rev a1)
03:00.0 PCI bridge: Texas Instruments XIO2000/XIO2200 PCI Express-to-PCI Bridge (rev 03)
04:08.0 Ethernet controller: Digium, Inc. Wildcard TE121 single-span T1/E1/J1 card (PCI-Express) (rev 11)
05:00.0 IDE interface: JMicron Technology Corp. JMB368 IDE controller
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 02)
07:00.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
07:01.0 Ethernet controller: D-Link System Inc DGE-530T Gigabit Ethernet Adapter (rev 11) (rev 11)

Tanda yang di bold adalah identifikasi card yang tadi sudah terpasang. Berarti Centos 5.5 mendeteksi baik card ini.

Masih dalam dom0 kita akan konfigurasikan agar card ini masuk ke domU asterisk yang sudah saya buat sebelumnya atau konfigurasi pciback module.

Tambahkan options pciback hide=(0000:04:08.0) pada modprobe.conf vi /etc/modprobe.conf

[root@ID41-ND201 ~]# cat /etc/modprobe.conf
alias scsi_hostadapter ahci
alias scsi_hostadapter1 ata_piix
remove snd-hda-intel { /usr/sbin/alsactl store 0 >/dev/null 2>&1 || : ; }; /sbin/modprobe r—ignoreremove snd-hda-intel
alias eth0 r8169
alias snd-card-0 snd-hda-intel
options snd-card-0 index=0
alias eth1 3c59x
alias eth2 8139too
alias eth3 skge
alias eth skge
options pciback hide=(0000:04:08.0)
Kemudian buat file initrd agar maload pciback module sebelum modules lain:

[root@ID41-ND201 ~]# mkinitrd f—preload=pciback /boot/initrd$(uname -r).img $(uname -r)

Saya tambahkan pci = [ ‘04:08.0’ ]  pada file konfigurasi domU

[root@ID41-ND201 ~]# vi /etc/xen/domU-ID41-ND015
name = “domU-ID41-ND015”
memory = “384”
pci = [ ‘04:08.0’ ]
disk = [‘tap:aio:/dev/vg0/domU-ID41-ND015,xvda,w’,
‘tap:aio:/dev/vg0/domU-ID41-ND015-swap,xvdb,w’,
‘tap:aio:/dev/vg0/domU-ID41-ND015-opt,xvdc,w’]
vif = [ ‘mac=00:16:3E:5B:5D:62,bridge=id41br’ ]
bootloader=”/usr/bin/pygrub”
vcpus=1
on_reboot = ‘restart’
on_crash = ‘restart’

Selesai pada dom0(ID41-ND201) saya pindah ke domU.

[root@ID41-ND201 ~]# xm console domU-ID41-ND015

Edit /boot/grub/menu.lst  untuk menambahkan swiotlb=force hal ini untuk menghindari kernel panic pada domU Asterisk(domU-ID41-ND015)  saat dijalankan.

[root@ID41-ND015 ~]# vi /boot/grub/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.11.1.el5xen)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-194.11.1.el5xen ro root=LABEL=/ console=xvc00
swiotlb=force
initrd /boot/initrd-2.6.18-194.11.1.el5xen.img
title CentOS (2.6.18-194.11.1.el5)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-194.11.1.el5 ro root=LABEL=/ console=xvc0
initrd /boot/initrd-2.6.18-194.11.1.el5.img
title CentOS (2.6.18-194.8.1.el5xen)

Kemudian kembali ke dom0 dan restart server.

[root@ID41-ND201 ~]# reboot

Setelah login saya masuk ke domU kembali
[root@ID41-ND201 ~]# xm console domU-ID41-ND015
INIT: version 2.86 reloading

CentOS release 5.5 (Final)
Kernel 2.6.18-194.11.1.el5xen on an x86_64

ID41-ND015.xxxx.com login:
CentOS release 5.5 (Final)
Kernel 2.6.18-194.11.1.el5xen on an x86_64

[root@ID41-ND015 ~]# lspci
00:00.0 Ethernet controller: Digium, Inc. Wildcard TE121 single-span T1/E1/J1 card (PCI-Express) (rev 11)
[root@ID41-ND015 ~]#

Horeee…......pciback module berjalan di domU.

Setelah ini tinggal konfigurasi point 2 dan 3  Instalasi Asterisk® / DAHDI / Libpri

[root@ID41-ND015 ~]# wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.6.2.11.tar.gz
[root@ID41-ND015 ~]# tar zxvf asterisk1.6.2.11.tar.gz
[root@ID41-ND015 ~] # cd asterisk-1.6.2.11
[root@ID41-ND015 ~]# ./configure
[root@ID41-ND015 ~] # make menuselect
[root@ID41-ND015 ~]# make
[root@ID41-ND015 ~]# make install
[root@ID41-ND015 ~]# make samples

[root@ID41-ND015 ~]# wget http://downloads.asterisk.org/pub/telephony/libpri/libpri-1.2.8.tar.gz
[root@ID41-ND015 ~] # tar zxvf libpri1.2.8.tar.gz
[root@ID41-ND015 ~] # cd libpri-1.2.8
[root@ID41-ND015 ~] # make
[root@ID41-ND015 ~] # make install

[root@ID41-ND015 ~]# wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-2.4.0+2.4.0.tar.gz
[root@ID41-ND015 ~] # tar zxvf dahdilinux-complete-2.4.0+2.4.0.tar.gz
[root@ID41-ND015 ~] # cd dahdi-linux-complete-2.4.0+2.4.0
[root@ID41-ND015 ~] # make
[root@ID41-ND015 ~] # make install

Beberapa settingan untuk bisa berhubungan dengan layanan Telkom E1 ISDN PRA
[root@ID41-ND015 ~]# vi /etc/asterisk/chan_dahdi.conf
[trunkgroups]
national:    National ISDN 2 (default)
dms100:      Nortel DMS100
4ess:        AT&T 4ESS
5ess:        Lucent 5ESS
euroisdn:    EuroISDN (common in Europe)
ni1:         Old National ISDN 1
qsig:        Q.SIG
usecallerid=yes
callwaiting=yes
usecallingpres=yes
callwaitingcallerid=yes
threewaycalling=yes
transfer=yes
canpark=yes
cancallforward=yes
callreturn=yes
echocancel=yes
echocancelwhenbridged=yes
group=1
callgroup=1
pickupgroup=1
signalling = pri_cpe
switchtype = euroisdn
context = incoming
channel => 1-15,17-31

[root@ID41-ND015 asterisk]# vi /etc/dahdi/system.conf
loadzone = us
defaultzone=us

span = 1,1,0,ccs,hdb3
bchan = 1-15,17-31
dchan = 16
echocanceller = mg2,1-15,17-31

[root@ID41-ND015 dahdi]# vi /etc/dahdi/modules
wcte12xp
[root@ID41-ND015 ~]# /etc/init.d/asterisk start

[root@ID41-ND015 asterisk]# ps axf |grep asterisk
1939 pts/1    T      0:00          less /var/log/asterisk/eventlog
2620 pts/1    S+     0:00          _ grep asterisk
3956 ?        S      0:00 /bin/sh /usr/sbin/safe_asterisk
3966 ?        Sl     0:02  _ /usr/sbin/asterisk -f -vvvg -c
[root@ID41-ND015 asterisk]#

[root@ID41-ND015 asterisk]#  dahdi_cfg -vv
[root@ID41-ND015 dahdi]# /etc/init.d/dahdi start

[root@ID41-ND015 asterisk]# lsmod |grep dahdi
dahdi_echocan_mg2      39688  30
dahdi_voicebus         79424  1 wcte12xp
dahdi                 238384  67 dahdi_echocan_mg2,wcte12xp,dahdi_voicebus
crc_ccitt              35265  1 dahdi
[root@ID41-ND015 asterisk]#

[root@ID41-ND015 ~]# dahdi_tool

DAHDI Tool©2002-2008 Digium, Inc.

+——————————-+ DAHDI Telephony Interfaces +———————-+
|                                                                        |
|     Alarms          Span                                               |
|     RED             Wildcard TE121 Card 0                           ^  |
|                                                                     :  |
|                                                                     :  |
|                                                                     :  |
|                                                                     :  |
|                                                                     :  |
|                                                                     :  |
|                                                                     :  |
|                                                                     #  |
|                                                                     v  |
|                                                                        |
|                                                                        |
|          +————+                              +———+              |
|          | Select |                              | Quit |              |
|          +————+                              +———+              |
|                                                                        |
+——————————————————————————————————-+

Span 1: 31 total channels, 31 configured                    F1=Details F10=Quit

quit.

Alarm masih RED karena kabel dari Telkom ISDN belum selesai di pasang.

[root@ID41-ND015 asterisk]# less /var/log/asterisk/queue_log
1279525356|1279525345.6|NONE|Agent/1234|AGENTLOGIN|SIP/henryg-00000006
1279525383|1279525371.7|queue-customer-service|NONE|ENTERQUEUE||henryg
1279525383|1279525371.7|queue-customer-service|Agent/1234|CONNECT|0|1279525383.8|0
1279525403|1279525371.7|queue-customer-service|Agent/1234|COMPLETECALLER|0|20|1
1279525406|1279525345.6|NONE|Agent/1234|AGENTLOGOFF|SIP/henryg-00000006|50
1279692470|NONE|NONE|NONE|QUEUESTART|

[root@ID41-ND015 log]# cat messages |grep dahdi

Aug 30 20:51:29 ID41-ND015 kernel: dahdi: Telephony Interface Registered on major 196
Aug 30 20:51:29 ID41-ND015 kernel: dahdi: Version: 2.3.0.1
Aug 30 20:51:32 ID41-ND015 kernel: dahdi: Registered tone zone 0 (United States / North America)
Aug 30 20:56:37 ID41-ND015 kernel: dahdi: Telephony Interface Unloaded
Aug 30 20:56:37 ID41-ND015 kernel: dahdi: Telephony Interface Registered on major 196
Aug 30 20:56:37 ID41-ND015 kernel: dahdi: Version: 2.3.0.1
Aug 30 20:57:17 ID41-ND015 kernel: dahdi: Telephony Interface Unloaded
Aug 30 20:57:17 ID41-ND015 kernel: dahdi: Telephony Interface Registered on major 196
Aug 30 20:57:17 ID41-ND015 kernel: dahdi: Version: 2.3.0.1
Aug 30 20:57:19 ID41-ND015 kernel: dahdi_echocan_mg2: Registered echo canceler ‘MG2’
Aug 30 20:57:19 ID41-ND015 kernel: dahdi: Registered tone zone 0 (United States / North America)

Sampai disini selesai, dokumentasi selanjutnya pembuatan Dialplan dan testing ke Telkom ISDN PRA yang sampai artikel ini ditulis pihak Telkom belum selesai mengerjakannya.

- Centos 5.5 sebagai sistem operasi Linux yang free dan mudah diinstall.

- DNS menggunakan BIND ISC untuk nameserver(primary DNS) domain perusahaan ini. Primary DNS disini menghandle NS,MX,Web perusahaan. Untuk settingan MX di pointing ke server mail server perusahaan ini beda mesin menggunakan Zimbra.

- DHCP menggunakan DHCP dari ISC berfungsi untuk pemberian intenet address ototmatis ke seluruh komputer karyawan di perusahaan ini yang sudah tersambung dalam jaringan local area network(LAN)

- Webserver mengunakan Apache, berfungsi sebagai tempat file-file website domain perusahaan yang dapat diakses menggunakan www atau http, Apache juga dapat diset untuk meng host domain-domain lain yang dimiliki perusahaan ini.

- Proxy menggunakan SQUID sebagai cache proxy gateway akses browsing semua komputer karyawan. Untuk access filtering digunakan SQUIDGUARD dan Shalla’s Blacklists

- IDS sebagai security intrusion detection dalam hal ini menggunakan The Advanced Intrusion Detection Environment (AIDE)

- DDOS protection untuk menghadapin serangan baik dari incoming dan outgoing. Untuk ini digunakan APF, BFD, mod_dosevasive, dan mod_security.

- FTP menggunakan VSFTP yang berfungsi sebagai file transfer ke webserver prusahaan jika untuk mengupdate website perusahaan.

- MRTG menggunakan mrtg untuk visual monitoring bandiwdth management baik pada server ini, server lain,dan router. Data dari mrtg bisa di capture dan diberikan ke ISP jika didapat kapasitas Bandwidth yang disewa jauh dibawah rata-rata.

[root@ns1 gtoms]# uname -a
Linux ns1.xyz.co.id 2.6.18-194.11.1.el5 #1 SMP Tue Aug 10 19:09:06 EDT 2010 i686 i686 i386 GNU/Linux

[root@ns1 gtoms]# cat /etc/redhat-release
CentOS release 5.5 (Final)

[root@ns1 gtoms]# /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:BA:C3:71:D2
inet addr:202.137.2x.2xx Bcast:202.137.20.223 Mask:255.255.255.240
inet6 addr: fe80::250:baff:fec3:71d2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1028 errors:0 dropped:0 overruns:0 frame:0
TX packets:757 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:93229 (91.0 KiB) TX bytes:143908 (140.5 KiB)
Interrupt:209 Base address:0×2000

eth1 Link encap:Ethernet HWaddr 00:13:D4:01:65:1F
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1124 errors:0 dropped:0 overruns:0 frame:0
TX packets:1124 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1981916 (1.8 MiB) TX bytes:1981916 (1.8 MiB)

Instalasi Domain Name Server  sebagai Primary Nameserver

[root@ns1 selinux]# yum install bind-chroot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
addons: centos.idrepo.or.id
base: centos.idrepo.or.id
extras: centos.idrepo.or.id
updates: centos.idrepo.or.id
Setting up Install Process
Package 30:bind-chroot-9.3.6-4.P1.el5_4.2.i386 already installed and latest version
Nothing to do
[root@ns1 gtoms]#

[root@ns1 gtoms]# chmod 755 /var/named/
[root@ns1 gtoms]# chmod 775 /var/named/chroot/
[root@ns1 gtoms]# chmod 775 /var/named/chroot/var/
[root@ns1 gtoms]# chmod 775 /var/named/chroot/var/named/
[root@ns1 gtoms]# chmod 775 /var/named/chroot/var/run/
[root@ns1 gtoms]# chmod 777 /var/named/chroot/var/run/named/
[root@ns1 gtoms]# cd /var/named/chroot/var/named/
[root@ns1 named]# ln -s ../../ chroot
[root@ns1 named] cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/named.local
[root@ns1 named] cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
[root@ns1 named] touch /var/named/chroot/etc/named.conf.local

[root@ns1 named]# nano /var/named/chroot/etc/named.conf
key “rndckey” {
algorithm hmac-md5;
secret “PatIBVa6D1zrSKnEOBsO4siZyJO0cytbujld1boBT7W8RrVee5dsCkGSID79”;
};

options {
listen-on port 53 { 127.0.0.1; 192.168.0.2; 202.137.2x.2xx; };
listen-on-v6 port 53 { ::1; };
directory “/var/named/chroot/var/named”;
dump-file “/var/named/chroot/var/named/data/cache_dump.db”;
statistics-file “/var/named/chroot/var/named/data/named_stats.txt”;
memstatistics-file “/var/named/chroot/var/named/data/named_mem_stats.txt”;
allow-query { localhost; };
recursion yes;
};
logging {
channel default_debug {
file “data/named.run”;
severity dynamic;
};
};

zone “.” IN {
type hint;
file “named.root”;
};

zone “xyz.co.id” IN {
type master;
file “data/xyz.co.id.zone”;
allow-update { none; };
};

[root@ns1 named]# nano /var/named/chroot/var/named/data/xyz.co.id

$ORIGIN .
$TTL 86400 ; 1 day

xyz.co.id IN SOA ns1.xyz.co.id. admin.xyz.co.id. (
2010082100
7200
7200
1209600
86400 )
NS ns1.xyz.co.id.
NS ns2.xyz.co.id.
A 202.137.2x.2xx
MX 10 mail.xyz.co.id.

$ORIGIN xyz.co.id.

webmail A 202.137.2x.2zz
ns1 A 202.137.2x.2xx
ns2 A 202.137.2x.2yy
mail A 202.137.2x.2zz
www A 202.137.2x.2xx
mail2 A 202.137.2x.2yy
xyz.co.id. IN TXT “PT. xyz”
IP 202.137.2x.2zz dengan mail.xyz.co.id merupakan server mailserver menggunakan Zimbra 6.0.6 berada beda mesin dengan server ini.

[root@ns1 named]# /etc/init.d/named start
Starting named: [ OK ]

[root@ns1 etc]# tail -f /var/log/messages
Aug 21 11:31:35 ns1 named[3766]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 -u named -t /var/named/chroot
Aug 21 11:31:35 ns1 named[3766]: adjusted limit on open files from 1024 to 1048576
Aug 21 11:31:35 ns1 named[3766]: found 2 CPUs, using 2 worker threads
Aug 21 11:31:35 ns1 named[3766]: using up to 4096 sockets
Aug 21 11:31:35 ns1 named[3766]: loading configuration from ‘/etc/named.conf’
Aug 21 11:31:35 ns1 named[3766]: using default UDP/IPv4 port range: [1024, 65535]
Aug 21 11:31:35 ns1 named[3766]: using default UDP/IPv6 port range: [1024, 65535]
Aug 21 11:31:35 ns1 named[3766]: listening on IPv6 interface lo, ::1#53
Aug 21 11:31:35 ns1 named[3766]: listening on IPv4 interface lo, 127.0.0.1#53
Aug 21 11:31:35 ns1 named[3766]: listening on IPv4 interface eth1, 192.168.0.2#53
Aug 21 11:31:35 ns1 named[3766]: listening on IPv4 interface eth0, 202.137.2x.2xx#53
Aug 21 11:31:35 ns1 named[3766]: command channel listening on 127.0.0.1#953
Aug 21 11:31:35 ns1 named[3766]: command channel listening on ::1#953
Aug 21 11:31:35 ns1 named[3766]: zone xyz.co.id/IN: loaded serial 2010082100
Aug 21 11:31:35 ns1 named[3766]: running
Aug 21 11:31:35 ns1 named[3766]: zone xyz.co.id/IN: sending notifies (serial 2010082100)

Instalasi DHCP Server

[root@ns1 data]# yum install dhcp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
addons: centos.idrepo.or.id
base: centos.idrepo.or.id
extras: centos.idrepo.or.id
updates: centos.idrepo.or.id
Setting up Install Process
Resolving Dependencies—> Running transaction check—-> Package dhcp.i386 12:3.0.5-23.el5_5.1 set to be updated—> Finished Dependency Resolution
——————————————cut————————————————————-

Total download size: 867 k
Is this ok [y/N]: y
Downloading Packages:
dhcp-3.0.5-23.el5_5.1.i386.rpm | 867 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : dhcp 1/1

Installed:
dhcp.i386 12:3.0.5-23.el5_5.1

Complete!
[root@ns1 data]#

[root@ns1 data]# nano /etc/dhcpd.conf

authoritative;
ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.2;
option subnet-mask 255.255.255.0;
option domain-name “xyz.co.id”;
option domain-name-servers 192.168.0.2,202.137.2x.2xx;
range dynamic-bootp 192.168.0.9 192.168.0.254;
default-lease-time 43200;
max-lease-time 604800;

}

Range IP untuk seluruh komputer karyawan 192.168.0.9 192.168.0.254

[root@ns1 data]# /etc/init.d/dhcpd start
Starting dhcpd: [ OK ]

[root@ns1 data]# tail -f /var/log/messages
Aug 21 11:44:36 ns1 dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Aug 21 11:44:36 ns1 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Aug 21 11:44:36 ns1 dhcpd: All rights reserved.
Aug 21 11:44:36 ns1 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 21 11:44:36 ns1 dhcpd: Wrote 0 leases to leases file.
Aug 21 11:44:36 ns1 dhcpd:
Aug 21 11:44:36 ns1 dhcpd: No subnet declaration for eth0 (202.137.2x.2xx).
Aug 21 11:44:36 ns1 dhcpd: ** Ignoring requests on eth0. If this is not what
Aug 21 11:44:36 ns1 dhcpd: you want, please write a subnet declaration
Aug 21 11:44:36 ns1 dhcpd: in your dhcpd.conf file for the network segment
Aug 21 11:44:36 ns1 dhcpd: to which interface eth0 is attached. **
Aug 21 11:44:36 ns1 dhcpd:
Aug 21 11:44:36 ns1 dhcpd: Listening on LPF/eth1/00:13:d4:01:65:1f/192.168.0/24
Aug 21 11:44:36 ns1 dhcpd: Sending on LPF/eth1/00:13:d4:01:65:1f/192.168.0/24
Aug 21 11:44:36 ns1 dhcpd: Sending on Socket/fallback/fallback-net

3766 ? Ssl 0:00 /usr/sbin/named -u named -t /var/named/chroot
3928 ? Ss 0:00 /usr/sbin/dhcpd
[root@ns1 gtoms]#

Instalasi Webserver menggunakan Apache

[root@ns1 gtoms]# yum install httpd httpd-devel mysql-server php php-mysql php-mbstring php-mcrypt

[root@ns1 gtoms]# nano /etc/httpd/conf/httpd.conf

Listen 202.137.2x.2xx:80

NameVirtualHost *:80

ServerAdmin webmaster@xyz.co.id
DocumentRoot /home/webxyz
ServerName xyz.co.id
ServerAlias www.xyz.co.id

ServerAdmin webmaster@xyz.co.id
DocumentRoot /var/www/html/stat
ServerName xyz.co.id/stat
ServerAlias www.xyz.co.id/stat

Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all

Instalasi SQUID sebagai cache proxy server

[root@ns1 gtoms]# yum install squid
[root@ns1 gtoms]# cd /etc/squid

[root@ns1 squid] nano squid.conf

[root@ns1 squid]# /usr/sbin/squid -z

Banyak konfigurasi di file squid.conf tinggal disesuaikan sesuai kebutuhan salah satunya squid si setting transparant proxy, dan jika ingin menggunakan Squidguard jangan lupa menambahkan url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf jika sudah menginstall squidguard.

Instalasi SQUIDGUARD sebagai content filtering.

[root@ns1 gtoms]# wget http://www.excaliburtech.net/wp-content/uploads/2009/02/squidguard-1.4-3.i386.rpm—2010-08-21 18:49:02—http://www.excaliburtech.net/wp-content/uploads/2009/02/squidguard-1.4-3.i386.rpm
Resolving www.excaliburtech.net… 72.66.114.15
Connecting to www.excaliburtech.net|72.66.114.15|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 119416 (117K) [application/x-rpm]
Saving to: `squidguard-1.4-3.i386.rpm’
2010-08-21 18:49:05 (54.0 KB/s) – `squidguard-1.4-3.i386.rpm’ saved [119416/119416]

[root@ns1 gtoms]# rpm ivh squidguard1.4-3.i386.rpm
Preparing… ########################################### [100%]
1:squidguard ########################################### [100%]

[root@ns1 gtoms]# locate squidguard
/etc/logrotate.d/squidguard
/etc/squid/squidguard.conf
/home/gtoms/squidguard-1.4-3.i386.rpm
/usr/bin/squidguard
/usr/libexec/webmin/blue-theme/squidguard
/usr/libexec/webmin/blue-theme/squidguard/images
/usr/libexec/webmin/blue-theme/squidguard/images/icon.gif
/usr/share/doc/squidguard-1.4
/usr/share/doc/squidguard-1.4/LDAPFlow.txt
/usr/share/doc/squidguard-1.4/authentication.html
/usr/share/doc/squidguard-1.4/authentication.txt
/usr/share/doc/squidguard-1.4/configuration.html
/usr/share/doc/squidguard-1.4/configuration.txt
/usr/share/doc/squidguard-1.4/configure.html
/usr/share/doc/squidguard-1.4/configure.txt
/usr/share/doc/squidguard-1.4/expressionlist.html
/usr/share/doc/squidguard-1.4/expressionlist.txt
/usr/share/doc/squidguard-1.4/extended.html
/usr/share/doc/squidguard-1.4/extended.txt
/usr/share/doc/squidguard-1.4/faq.html
/usr/share/doc/squidguard-1.4/faq.txt
/usr/share/doc/squidguard-1.4/features.html
/usr/share/doc/squidguard-1.4/features.txt
/usr/share/doc/squidguard-1.4/index.html
/usr/share/doc/squidguard-1.4/install.html
/usr/share/doc/squidguard-1.4/install.txt
/usr/share/doc/squidguard-1.4/installation.html
/usr/share/doc/squidguard-1.4/installation.txt
/usr/share/doc/squidguard-1.4/ldap-ad-tips.html
/usr/share/doc/squidguard-1.4/ldap-ad-tips.txt
/usr/share/doc/squidguard-1.4/ldap.html
/usr/share/doc/squidguard-1.4/ldap.txt
/usr/share/doc/squidguard-1.4/runtimeops.html
/usr/share/doc/squidguard-1.4/runtimeops.txt
/usr/share/doc/squidguard-1.4/sample.conf
/usr/share/doc/squidguard-1.4/squidguard-simple.cgi
/usr/share/doc/squidguard-1.4/squidguard.cgi
/usr/share/doc/squidguard-1.4/squidguard.gif
/usr/share/doc/squidguard-1.4/troubleshoot.html
/usr/share/doc/squidguard-1.4/troubleshoot.txt

Sebelum mengkonfigurasi squidguard.conf  install dahulu Shalla’s Blacklists

[root@ns1 gtoms]# wget http://www.shallalist.de/Downloads/shallalist.tar.gz—2010-08-21 19:02:00—http://www.shallalist.de/Downloads/shallalist.tar.gz
Resolving www.shallalist.de… 78.47.242.85
Connecting to www.shallalist.de|78.47.242.85|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 9670277 (9.2M) [application/x-tar]
Saving to: `shallalist.tar.gz’

11% [============> ] 1,126,182 119K/s eta 80s

[root@ns1 gtoms]# mkdir /var/lib/squidguard/db

[root@ns1 gtoms]# mv shallalist.tar.gz /var/lib/squidguard/db

[root@ns1 gtoms]# cd /var/lib/squidguard/db

[root@ns1 db]# gzip -d shallalist.tar.gz

[root@ns1 db]# tar xfv shallalist.tar
BL/
BL/porn/
BL/porn/domains
BL/porn/urls
BL/gamble/
BL/gamble/domains
BL/gamble/urls
BL/chat/
BL/chat/domains
BL/chat/urls
BL/automobile/
BL/automobile/cars/
BL/automobile/cars/domains
BL/automobile/cars/urls
BL/automobile/bikes/
BL/automobile/bikes/domains
BL/automobile/bikes/urls
BL/automobile/boats/
BL/automobile/boats/domains
BL/automobile/boats/urls
BL/automobile/planes/
BL/automobile/planes/urls
BL/automobile/planes/domains
BL/recreation/
BL/recreation/humor/
BL/recreation/humor/domains
BL/recreation/humor/urls
BL/recreation/martialarts/
BL/recreation/martialarts/urls
BL/recreation/martialarts/domains
BL/recreation/sports/
BL/recreation/sports/domains
BL/recreation/sports/urls
BL/recreation/travel/
BL/recreation/travel/urls
BL/recreation/travel/domains
BL/recreation/wellness/
BL/recreation/wellness/domains
BL/recreation/wellness/urls
BL/recreation/restaurants/
BL/recreation/restaurants/urls
BL/recreation/restaurants/domains
BL/webradio/
BL/webradio/domains
BL/webradio/urls
BL/webmail/
BL/webmail/domains
BL/webmail/urls
BL/warez/
BL/warez/urls
BL/warez/domains
BL/shopping/
BL/shopping/domains
BL/shopping/urls
BL/adv/
BL/adv/domains
BL/adv/urls
BL/movies/
BL/movies/urls
BL/movies/domains
BL/science/
BL/science/chemistry/
BL/science/chemistry/urls
BL/science/chemistry/domains
BL/science/astronomy/
BL/science/astronomy/domains
BL/science/astronomy/urls
BL/hobby/
BL/hobby/pets/
BL/hobby/pets/domains
BL/hobby/pets/urls
BL/hobby/cooking/
BL/hobby/cooking/domains
BL/hobby/cooking/urls
BL/hobby/gardening/
BL/hobby/gardening/urls
BL/hobby/gardening/domains
BL/hobby/games-online/
BL/hobby/games-online/domains
BL/hobby/games-online/urls
BL/hobby/games-misc/
BL/hobby/games-misc/domains
BL/hobby/games-misc/urls
BL/violence/
BL/violence/domains
BL/violence/urls
BL/music/
BL/music/domains
BL/music/urls
BL/hacking/
BL/hacking/domains
BL/hacking/urls
BL/isp/
BL/isp/urls
BL/isp/domains
BL/drugs/
BL/drugs/domains
BL/drugs/urls
BL/aggressive/
BL/aggressive/domains
BL/aggressive/urls
BL/news/
BL/news/urls
BL/news/domains
BL/redirector/
BL/redirector/urls
BL/redirector/domains
BL/spyware/
BL/spyware/domains
BL/spyware/urls
BL/dating/
BL/dating/urls
BL/dating/domains
BL/finance/
BL/finance/banking/
BL/finance/banking/urls
BL/finance/banking/domains
BL/finance/other/
BL/finance/other/domains
BL/finance/other/urls
BL/finance/moneylending/
BL/finance/moneylending/domains
BL/finance/moneylending/urls
BL/finance/insurance/
BL/finance/insurance/urls
BL/finance/insurance/domains
BL/finance/realestate/
BL/finance/realestate/domains
BL/finance/realestate/urls
BL/finance/trading/
BL/finance/trading/domains
BL/finance/trading/urls
BL/dynamic/
BL/dynamic/urls
BL/dynamic/domains
BL/COPYRIGHT
BL/jobsearch/
BL/jobsearch/urls
BL/jobsearch/domains
BL/tracker/
BL/tracker/domains
BL/tracker/urls
BL/models/
BL/models/domains
BL/models/urls
BL/forum/
BL/forum/domains
BL/forum/urls
BL/webtv/
BL/webtv/urls
BL/webtv/domains
BL/downloads/
BL/downloads/urls
BL/downloads/domains
BL/ringtones/
BL/ringtones/domains
BL/ringtones/urls
BL/searchengines/
BL/searchengines/domains
BL/searchengines/urls
BL/socialnet/
BL/socialnet/urls
BL/socialnet/domains
BL/updatesites/
BL/updatesites/domains
BL/updatesites/urls
BL/weapons/
BL/weapons/domains
BL/weapons/urls
BL/webphone/
BL/webphone/domains
BL/webphone/urls
BL/global_usage
BL/religion/
BL/religion/domains
BL/religion/urls
BL/sex/
BL/sex/lingerie/
BL/sex/lingerie/urls
BL/sex/lingerie/domains
BL/sex/education/
BL/sex/education/urls
BL/sex/education/domains
BL/imagehosting/
BL/imagehosting/domains
BL/imagehosting/urls
BL/podcasts/
BL/podcasts/domains
BL/podcasts/urls
BL/hospitals/
BL/hospitals/domains
BL/hospitals/urls
BL/military/
BL/military/urls
BL/military/domains
BL/politics/
BL/politics/domains
BL/politics/urls
BL/remotecontrol/
BL/remotecontrol/urls
BL/remotecontrol/domains
BL/fortunetelling/
BL/fortunetelling/domains
BL/fortunetelling/urls
BL/library/
BL/library/domains
BL/library/urls
BL/costtraps/
BL/costtraps/urls
BL/costtraps/domains
BL/homestyle/
BL/homestyle/domains
BL/homestyle/urls
BL/education/
BL/education/schools/
BL/education/schools/domains
BL/education/schools/urls
BL/government/
BL/government/domains
BL/government/urls
BL/alcohol/
BL/alcohol/domains
BL/alcohol/urls
BL/radiotv/
BL/radiotv/domains
BL/radiotv/urls
[root@ns1 db]#

[root@ns1 db]# cd BL

[root@ns1 BL] cp -R * /var/lib/squidguard/db

[root@ns1 BL]# nano /etc/squid/squidguard.conf

dbhome /var/lib/squidguard/db
logdir /var/log/squid

dest whitelist {
domainlist whitelist/domains
urllist whitelist/urls
}

dest adv {
domainlist adv/domains
urllist adv/urls
}

acl {
default {

pass whitelist    !adv

redirect http://www.xyz.co.id/redirect.html
}

}

[root@ns1 db]# chmod -R 777 *

[root@ns1 db]# chown -R squid:squid /var/lib/squidguard/db/*

[root@ns1 squid]# nano /etc/squid/squid.conf

url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
url_rewrite_children 8

[root@ns1 squid]# /usr/sbin/squid -k reconfigure

[root@ns1 db]# tail -f /var/log/squid/cache.log

2010/08/22 08:52:43| Reconfiguring Squid Cache (version 2.6.STABLE21)...
2010/08/22 08:52:43| FD 10 Closing HTTP connection
2010/08/22 08:52:43| FD 12 Closing ICP connection
2010/08/22 08:52:43| Initialising SSL.
2010/08/22 08:52:43| User-Agent logging is disabled.
2010/08/22 08:52:43| Referer logging is disabled.
2010/08/22 08:52:43| DNS Socket created at 0.0.0.0, port 52827, FD 9
2010/08/22 08:52:43| Adding nameserver 202.137.2x.2xx from squid.conf
2010/08/22 08:52:43| helperOpenServers: Starting 8 ‘squidguard’ processes
2010/08/22 08:52:43| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 19.
2010/08/22 08:52:43| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2010/08/22 08:52:43| WCCP Disabled.
2010/08/22 08:52:43| Loaded Icons.
2010/08/22 08:52:43| Ready to serve requests.

Instalasi FTP Server menggunakan VSFTP

[root@ns1 gtoms]# yum install vsftpd

Disini tinggal mengkonfigurasi user untuk akses ke webserver.

Instalasi MRTG

[root@ns1 gtoms]# yum install mrtg net-snmp net-snmp-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
addons: centos.idrepo.or.id
base: centos.idrepo.or.id
epel: bali.idrepo.or.id
extras: centos.idrepo.or.id
updates: centos.idrepo.or.id
addons | 951 B 00:00
base | 2.1 kB 00:00
epel | 3.4 kB 00:00
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
Setting up Install Process
Package 1:net-snmp-5.3.2.2-9.el5_5.1.i386 already installed and latest version————————cut—————————————-

Installed:
mrtg.i386 0:2.14.5-2 net-snmp-utils.i386 1:5.3.2.2-9.el5_5.1

Complete!
[root@ns1 gtoms]#

[root@ns1 gtoms]# nano /etc/snmp/snmpd.conf

com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup “” any noauth exact all none none
access MyRWGroup “” any noauth exact all all none
syslocation PT. xyz, Jakarta
syscontact Root

[root@ns1 gtoms]# /etc/init.d/snmpd start
Starting snmpd: [ OK ]
[root@ns1 gtoms]#

[root@ns1 gtoms]# tail -f /var/log/messages
Aug 21 21:13:50 ns1 yum: Installed: 1:net-snmp-utils-5.3.2.2-9.el5_5.1.i386
Aug 21 21:13:53 ns1 yum: Installed: mrtg-2.14.5-2.i386
Aug 21 21:22:54 ns1 snmpd[7612]: Creating directory: /var/net-snmp
Aug 21 21:22:54 ns1 snmpd[7612]: NET-SNMP version 5.3.2.2

[root@ns1 gtoms]# /usr/bin/snmpwalk v 1 -c public localhost IPMIB::ipAdEntIfIndex
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.192.168.0.2 = INTEGER: 3
IP-MIB::ipAdEntIfIndex.202.137.2x.2xx = INTEGER: 2
[root@ns1 gtoms]#

[root@ns1 gtoms]# /usr/bin/cfgmaker—global ‘WorkDir: /var/www/mrtg’—output /etc/mrtg/mrtg.cfg public@localhost

[root@ns1 gtoms]# /usr/bin/indexmaker—output=/var/www/mrtg/index.html /etc/mrtg/mrtg.cfg

[root@ns1 mrtg]# nano /etc/cron.d/mrtg

*/5 * * * * root LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg—lock-file /var/lock/mrtg/mrtg_l—confcache-file /var/lib/mrtg/mrtg.ok

[root@ns1 mrtg]# nano /etc/httpd/conf.d/mrtg.conf
Alias /mrtg /var/www/mrtg

Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1

[root@ns1 mrtg]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Untuk mengkases melalui browser ke http://iphostname/mrtg/

Memonitor server/router lain kedalam MRTG

Jika menggunakan device router/modem tinggal mengaktifkan snmp, jika server lain linux ingin di monitor tinggal menginstall snmp, contoh disini pada server lain dengan IP 202.137.2x.2zz :

[root@mail gtoms]# yum install net-snmp net-snmp-utils
Setting up Install Process
Parsing package install arguments
Resolving Dependencies—> Running transaction check—-> Package net-snmp.i386 1:5.3.2.2-9.el5_5.1 set to be updated—> Processing Dependency: libsensors.so.3 for package: net-snmp—> Processing Dependency: net-snmp-libs = 1:5.3.2.2-9.el5_5.1 for package: net-snmp—-> Package net-snmp-utils.i386 1:5.3.2.2-9.el5_5.1 set to be updated—> Running transaction check—-> Package net-snmp-libs.i386 1:5.3.2.2-9.el5_5.1 set to be updated—-> Package lm_sensors.i386 0:2.10.7-9.el5 set to be updated—> Finished Dependency Resolution
———————-cutt————————————-

Installed: net-snmp-utils.i386 1:5.3.2.2-9.el5_5.1
Dependency Installed: lm_sensors.i386 0:2.10.7-9.el5 net-snmp.i386 1:5.3.2.2-9.el5_5.1
Updated: net-snmp-libs.i386 1:5.3.2.2-9.el5_5.1
Complete!
[root@mail gtoms]#

[root@mail gtoms]# nano /etc/snmp/snmpd.conf

com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup “” any noauth exact all none none
access MyRWGroup “” any noauth exact all all none
syslocation Zimbra Mailserver XYZ, Jakarta
syscontact Root

[root@mail gtoms]# /etc/init.d/snmpd start
Starting snmpd: [ OK ]
[root@mail gtoms]#

Kembali ke server MRTG nya

[root@ns1 gtoms]# /usr/bin/cfgmaker—global ‘WorkDir: /var/www/mrtg’—output /etc/mrtg/mrtg.cfg public@202.137.2x.2zz

[root@ns1 mrtg]# /usr/bin/cfgmaker—global ‘WorkDir: /var/www/mrtg’—output /etc/mrtg/mrtg.cfg public@192.168.0.1

Instalasi Webmin

[root@ns1 gtoms]# rpm U webmin1.510-1.noarch.rpm
warning: webmin-1.510-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 11f63c51
Operating system is CentOS Linux
Webmin install complete. You can now login to https://ns1.xyz.co.id:10000/
as root with your root password.
[root@ns1 gtoms]#

Instalasi IDS mengunakan The Advanced Intrusion Detection Environment (AIDE)

Untuk mengkonfigurasi AIDE, SELINUX harus enabled.

[root@ns1 gtoms]# yum install aide

[root@ns1 gtoms]# /usr/sbin/aide—init

[root@ns1 gtoms]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@ns1 gtoms]# /usr/sbin/aide—check

[root@ns1 gtoms]# aide—check
AIDE, version 0.13.1

### All files match AIDE database. Looks okay!

[root@ns1 gtoms]# vi /etc/cron.weekly/aide.cron

#!/bin/bash
/usr/sbin/aide—check | /bin/mail -s “Weekly Aide Data” IT@zyx.co.id

Instalasi DDOS protection

APF —Advanced Policy-based Firewall

[root@ns1 gtoms]# wget http://rfxnetworks.com/downloads/apf-current.tar.gz
[root@ns1 gtoms]# tar xfz apf-current.tar.gz
[root@ns1 apf-current]# cd apf-*
[root@ns1 apf-current]# ./install.sh

[root@ns1 apf-current]# vi /etc/apf/conf.apf
DEVEL_MODE=”0”
IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,3306”
IG_UDP_CPORTS=”53,111”
USE_AD=”1”

[root@ns1 apf-current]# vi /etc/apf/ad/conf.antidos
sesuaikan sendiri ….

BFD —Brute Force Detection
[root@ns1 gtoms]# wget http://rfxnetworks.com/downloads/bfd-current.tar.gz
[root@ns1 gtoms]# tar xfz bfd-current.tar.gz
[root@ns1 bfd-current]# cd bfd-*
[root@ns1 bfd-current]# ./install.sh

[root@ns1 bfd-current]# vi /usr/local/bfd/conf.bfd

ALERT=”1”
EMAIL_USR=”IT@xyz.co.id”

[root@ns1 bfd-current]# vi /usr/local/bfd/ignore.hosts
sesuaikan sendiri ….

DDoS Deflate
[root@ns1 gtoms]# wget http://www.inetbase.com/scripts/ddos/install.sh
[root@ns1 gtoms]# sh install.sh

[root@ns1 gtoms]#vi  /usr/local/ddos/ddos.conf
sesuaikan sendiri ….

[root@ns1 gtoms]# /usr/local/ddos/ddos.sh -c

RootKit—Spyware and Junkware detection and removal tool

[root@ns1 gtoms]# wget http://sourceforge.net/projects/rkhunter/files/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz/download
[root@ns1 gtoms]# tar xfz  rkhunter-1.3.6.tar.gz
[root@ns1 gtoms]# cd rkhunter-1.3.6
[root@ns1 rkhunter-1.3.6]# ./installer.sh
[root@ns1 rkhunter-1.3.6]# run rkhunter
[root@ns1 rkhunter-1.3.6]# rkhunter -c

Install Mod_dosevasive untuk Apache

[root@ns1 gtoms]# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

[root@ns1 gtoms]# tar -zxvf mod_evasive_1.10.1.tar.gz

[root@ns1 gtoms]# cd mod_evasive_1.10.1

[root@ns1 mod_evasive_1.10.1]# $APACHE_ROOT/bin/apxs -cia mod_evasive20.c

[root@ns1 mod_evasive_1.10.1]# vi /usr/local/apache/conf/httpd.conf

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300

[root@ns1 mod_evasive_1.10.1]# /usr/loca/apache/bin/apachectl restart

Install Mod_security

[root@ns1 gtoms]# http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz

[root@ns1 gtoms]# tar zxvf modsecurityapache-1.9.2.tar.gz

[root@ns1 gtoms]# cd modsecurity-apache-1.9.2

[root@ns1 modsecurity-apache-1.9.2]# /usr/local/apache/bin/apxs -cia mod_security.c

Buat sebuah file dengan nama mod_security.conf didalam folder /usr/local/apache/conf

[root@ns1 modsecurity-apache-1.9.2]# vi /usr/local/apache/conf/mod_security.conf

Rules yang dapat kita buat bisa merujuk ke http://www.modsecurity.org/documentation/quick-examples.html

Kita masukkan path  mod_security.conf kedalam file httpd.conf

[root@ns1 modsecurity-apache-1.9.2]# vi /usr/local/apache/conf/httpd.conf

/usr/local/apache/conf/mod_security.conf

[root@ns1 modsecurity-apache-1.9.2]# /usr/local/apache/bin/apachectl stop

[root@ns1 modsecurity-apache-1.9.2]# /usr/local/apache/bin/apachectl start

Selesai,Tinggal memonitor.

henry@gultom.or.id

Okay kali ini saya dokumentasikan instalasi Lotus Domino Server 8.5 pada platform Linux Centos 5.5(Final). Loh kok Linux ? Kata Project Managernya lebih murah daripada pakai platform Windows Server, jadi dalam implementasi ini tidak perlu membeli lisensi untuk sistem operasi servernya, dan tetap untuk Lotus Dominonya harus beli.

Tahapannya :

- Install sistem operasi Linux Centos 5.5(Final)

- Setting dan install required Linux packages untuk Domino 8.5

- Copy file setup dari Domino 8.5 CD yaitu Domino85Linux.tar ke server.

- Instalasi Lotus Domino 8.5 Server ke Linux Centos 5.5

Install sistem operasi Linux Centos 5.5(Final)

Disini instalasi Centos 5.5 sudah selesai.

[root@mail gtoms]# uname -a
Linux mail.xxxxxxx.com 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux

[root@mail ~]# cat /etc/redhat-release
CentOS release 5.5 (Final)

Setting dan install required Linux packages untuk Domino 8.5

[root@mail gtoms]# yum install glibc libgcc libstdc++ libXp

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

addons: centos.idrepo.or.id

base: centos.idrepo.or.id

extras: centos.idrepo.or.id

updates: centos.idrepo.or.id

Setting up Install Process

Package libgcc-4.1.2-48.el5.i386 already installed and latest version

Package libstdc++-4.1.2-48.el5.i386 already installed and latest version

Resolving Dependencies
—> Running transaction check
—> Processing Dependency: glibc = 2.5-49 for package: nscd
—-> Package glibc.i686 0:2.5-49.el5_5.4 set to be updated
—> Processing Dependency: glibc-common = 2.5-49.el5_5.4 for package: glibc
—-> Package libXp.i386 0:1.0.0-8.1.el5 set to be updated
—> Running transaction check
—-> Package glibc-common.i386 0:2.5-49.el5_5.4 set to be updated
—-> Package nscd.i386 0:2.5-49.el5_5.4 set to be updated
—> Finished Dependency Resolution

Dependencies Resolved
———————-skip————————-

Installed:

libXp.i386 0:1.0.0-8.1.el5

Updated:

glibc.i686 0:2.5-49.el5_5.4

Dependency Updated:

glibc-common.i386 0:2.5-49.el5_5.4                                                nscd.i386 0:2.5-49.el5_5.4

Complete!

[root@mail gtoms]#

[root@mail gtoms]# yum install compat-libstdc++-296 compat-libstdc++-33

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

addons: centos.idrepo.or.id

base: centos.idrepo.or.id

extras: centos.idrepo.or.id

updates: centos.idrepo.or.id

Setting up Install Process

Resolving Dependencies
—> Running transaction check
—-> Package compat-libstdc++-296.i386 0:2.96-138 set to be updated
—-> Package compat-libstdc++-33.i386 0:3.2.3-61 set to be updated
—> Finished Dependency Resolution

Dependencies Resolved
—————————-skip————-

Installed:

compat-libstdc++-296.i386 0:2.96-138              compat-libstdc++-33.i386 0:3.2.3-61

Complete!

[root@mail gtoms]#

[root@mail gtoms]# yum  install glib libpng pango unixODBC
——————-skip————————————————
Installed:

glib.i386 1:1.2.10-20.el5                                                    unixODBC.i386 0:2.2.11-7.1

Updated:

libpng.i386 2:1.2.10-7.1.el5_5.3                                              pango.i386 0:1.14.9-8.el5.centos

Complete!

[root@mail gtoms]#

Langkah berikut ini penting agar instalasi setup files Domino 8.5 lancar :

[root@mail gtoms]# chmod 1777 /tmp

[root@mail gtoms]# ls -ald /tmp

drwxrwxrwt 3 root root 4096 Aug 14 16:03 /tmp

[root@mail gtoms]# cat /etc/fstab

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1

LABEL=/boot             /boot                   ext3    defaults        1 2

tmpfs                   /dev/shm                tmpfs   defaults        0 0

devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

sysfs                   /sys                    sysfs   defaults        0 0

proc                    /proc                   proc    defaults        0 0

/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

pastikan  /etc/fstab tidak ada noexec dan nosuid options untuk /tmp.

[root@mail gtoms]# /usr/sbin/adduser notes

[root@mail gtoms]# passwd notes

Changing password for user notes.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@mail gtoms]#

[root@mail gtoms]# mkdir /local

[root@mail gtoms]# mkdir /local/notesdata

[root@mail gtoms]# chown notes: /local/notesdata

Disini nanti kita perlu tiga ID files untuk  Domino server: Organization certifier,Administrator ID, Server ID without a password. Hal ini bisa di set menggunakan Domino Administrator client.

Instalasi Lotus Domino 8.5 Server

Mount CDROM berisi Domino 8.5 CD dan copy file Domino85Linux.tar ke folder /opt

Letak file instalasi di folder /opt

[root@mail gtoms]# cd /opt

[root@mail opt]#

[root@mail opt]# ls

Domino85Linux.tar

[root@mail opt]# tar xvf  Domino85Linux.tar

linux/domino/

linux/domino/tools/

linux/domino/tools/checkminimumos.pl

linux/domino/tools/install.nls

linux/domino/tools/PathUtil.pl

linux/domino/tools/MoveExistingRevision.pl

linux/domino/tools/checksoftlink.pl

linux/domino/tools/Lsetup.pl

linux/domino/tools/os390_script_full.dat

linux/domino/tools/ShScript.pm

linux/domino/tools/install.pl

linux/domino/tools/install.sh

linux/domino/tools/GetUserId.pl

linux/domino/tools/SysCmd.pl

linux/domino/tools/checkos.dat

linux/domino/tools/ChangeDataSubPermissions.pl

linux/domino/tools/CheckOwnerGroup.pl

linux/domino/tools/PerlUtil.pl

linux/domino/tools/media.inf

linux/domino/tools/setup.jar

linux/domino/tools/InstBE.pl

linux/domino/tools/tty.nls

linux/domino/tools/CreateSoftLink.pl

linux/domino/tools/ChangeJavaPermissions.pl

linux/domino/tools/checkos.pl

linux/domino/tools/tty.pl

linux/domino/tools/nui.cfg

linux/domino/tools/uxrmfile.txt

linux/domino/tools/InstBE.nls

linux/domino/tools/uxrmfile64.txt

linux/domino/tools/ProcessLangFiles.pl

linux/domino/tools/CdPath.pl

linux/domino/tools/GetGroupId.pl

linux/domino/tools/AddSolarisDrivers.pl

linux/domino/tools/CfgData.pm

linux/domino/tools/GetPreviousRevision.pl

linux/domino/tools/setupLinux.bin

linux/domino/remote_script.dat

linux/domino/install

linux/domino/unix_response.dat

linux/notes/

linux/notes/repository/

linux/notes/repository/notes.linux.kit/

linux/notes/repository/notes.linux.kit/build_contents.xml

linux/notes/repository/notes.linux.kit/felement.xml

linux/notes/repository/notes.linux.kit/fe.zip

linux/notes/repository/notes.linux.kit/build_fitness.xml

[root@mail opt]#

[root@mail opt]# cd linux

[root@mail linux]# ls

domino  notes

[root@mail linux]# cd domino

[root@mail domino]# ls

install  remote_script.dat  tools  unix_response.dat

[root@mail domino]# ./install

Lotus Domino for Unix Install Program
——————————————————
You have to set environment variable DISPLAY to run in graphic mode

Answer Yes to continue in console mode

Answer No to exit application.

Do you want to continue installation in console mode?[Yes]

Continuing in console mode

InstallShield Wizard

Initializing InstallShield Wizard…

Preparing Java™ Virtual Machine…

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

...................................

..............................
———————————————————————————————————————-

Welcome to the InstallShield Wizard for Lotus Domino

The InstallShield Wizard will install Lotus Domino on your computer.

To continue, choose Next.

Lotus Domino

IBM

http://www.lotus.com

Press 1 for Next, 3 to Cancel or 4 to Redisplay [1] 1
———————————————————————————————————————-

Software Licensing Agreement

Press Enter to display the license agreement on your screen. Please

read the agreement carefully before installing the Program. After

reading the agreement, you will be given the opportunity to accept it

or decline it. If you choose to decline the agreement, installation

will not be completed and you will not be able to use the Program.

International License Agreement for Evaluation of Programs

Part 1 – General Terms

BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR USING

THE PROGRAM YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU

ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A

COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT

THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY,

OR LEGAL ENTITY TO THESE TERMS. IF YOU DO NOT AGREE TO

THESE TERMS,

PROGRAM; AND

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

ACQUIRED IT. IF YOU DOWNLOADED THE PROGRAM, CONTACT THE

PARTY FROM WHOM YOU ACQUIRED IT.

“IBM” is International Business Machines Corporation or one

of its subsidiaries.

“License Information” (“LI”) is a document that provides

information specific to a Program. The Program’s LI is

available in a file in the Program’s directory, by the use

of a system command, or as a booklet which accompanies the

Program. The LI may also be found at

http://www.ibm.com/software/sla/ .

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

“Program” is the following, including the original and all

whole or partial copies: 1) machine-readable instructions

and data, 2) components, 3) audio-visual content (such as

images, text, recordings, or pictures), 4) related licensed

materials, and 5) license use documents or keys, and

documentation.

“You” and “Your” refer either to an individual person or to

a single legal entity.

This Agreement includes Part 1 – General Terms, Part 2 –
Country-unique Terms (if any), and License Information and

is the complete agreement between You and IBM regarding the

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

use of the Program. It replaces any prior oral or written

communications between You and IBM concerning Your use of

the Program. The terms of Part 2 and License Information

may replace or modify those of Part 1.

1. Entitlement

License

The Program is owned by IBM or an IBM supplier, and is

copyrighted and licensed, not sold.

IBM grants You a nonexclusive license to use the Program

when You lawfully acquire it.

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

You may 1) use the Program only for internal evaluation,

testing, or demonstration purposes, on a trial or

“try-and-buy” basis; and 2) make and install a reasonable

number of copies, including a backup copy, of the Program

to support such use. The terms of this license apply to

each copy You make. You will reproduce all copyright

notices and all other legends of ownership on each copy, or

partial copy, of the Program.

THE PROGRAM MAY CONTAIN A DISABLING DEVICE THAT WILL

PREVENT IT FROM BEING USED AFTER THE EVALUATION PERIOD

ENDS. YOU WILL NOT TAMPER WITH THIS DISABLING DEVICE OR THE

PROGRAM. YOU SHOULD TAKE PRECAUTIONS TO AVOID ANY LOSS OF

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

DATA THAT MIGHT RESULT WHEN THE PROGRAM CAN NO LONGER BE

USED.

You will 1) maintain a record of all copies of the Program

and 2) ensure that anyone who uses the Program (accessed

either locally or remotely) does so only for Your

authorized use and complies with the terms of this

Agreement.

You may not 1) use, copy, modify or distribute the Program

except as provided in this Agreement; 2) reverse assemble,

reverse compile, or otherwise translate the Program except

as specifically permitted by law without the possibility of

contractual waiver; or 3) sublicense, rent, or lease the

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

Program.

The evaluation period begins when You agree to the terms of

this Agreement and ends 1) as of the duration or date

specified in the License Information, or 2) when the

Program automatically disables itself. There is no charge

for the use of the Program for the duration of the

evaluation period. Unless IBM specifies in the License

Information that You may retain the Program, You will

destroy the Program and all copies made of it within ten

days of the end of the evaluation period. If IBM specifies

that You may retain the Program, and You elect to do so,

the Program will be then subject to a different license

agreement, that will be provided to You at that time. In

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

addition, a charge may apply.

IBM may terminate Your license if You fail to comply with

the terms of this Agreement. If IBM does so, You must

destroy all copies of the Program.

2. No Warranty

SUBJECT TO ANY STATUTORY WARRANTIES WHICH CANNOT BE

EXCLUDED, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE

IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT,

REGARDING THE PROGRAM OR TECHNICAL SUPPORT, IF ANY.

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

The exclusion also applies to any of IBM’s Program

developers and suppliers.

Manufacturers, suppliers, or publishers of non-IBM Programs

may provide their own warranties.

IBM does not provide technical support, unless IBM

specifies otherwise.

3. Limitation of Liability

Circumstances may arise where, because of a default on

IBM’s part or other liability, You are entitled to recover

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

damages from IBM. In each such instance, regardless of the

basis on which You may be entitled to claim damages from

IBM, (including fundamental breach, negligence,

misrepresentation, or other contract or tort claim), IBM is

liable for no more than 1) damages for bodily injury

(including death) and damage to real property and tangible

personal property and 2) the amount of any other actual

direct damages up to the charges for the Program that is

the subject of the claim.

This limitation of liability also applies to IBM’s Program

developers and suppliers. It is the maximum for which they

and IBM are collectively responsible.

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

UNDER NO CIRCUMSTANCES IS IBM, ITS PROGRAM DEVELOPERS OR

SUPPLIERS LIABLE FOR ANY OF THE FOLLOWING, EVEN IF INFORMED

OF THEIR POSSIBILITY:

1. LOSS OF, OR DAMAGE TO, DATA;

2. SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES, OR FOR ANY

ECONOMIC CONSEQUENTIAL DAMAGES; OR

3. LOST PROFITS, BUSINESS, REVENUE, GOODWILL, OR

ANTICIPATED SAVINGS.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION

OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

screen.

==skip==============

1

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
———————————————————————————————————————-

Selecting the option below allows you to install additional or upgrade existing

Server Partitions. The existing Program directory must be specified in order

for new Server Partitions to be created, but it will not be upgraded. Existing

Data directories do not need to be listed. Only those Data directories

specified will be upgraded or added. If you wish to add more than one Partition

to your existing Domino server, check the box when asked if you want to install

a Partitioned server. Otherwise you will only be able to upgrade or install one

Data directory. Warning: If you do not have an existing Domino Server on your

system, please do not check the box below for the option to add data

directories only.

[ ] 1 – Install Data  Directories Only for Partitioned Domino Server

To select an item enter its number, or 0 when you are finished: [0]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
———————————————————————————————————————-

Lotus Domino Install Location

Please specify a directory or press Enter to accept the default directory.

Program Files Directory Name [/opt/ibm/lotus]

Server with more than one partition

Answer Yes to install partitioned server

Answer No  to install non-partitioned server

Partitioned Server: [No]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
———————————————————————————————————————-

Lotus Domino Install Location

Please specify a directory or press Enter to accept the default directory.

Data Files Directory Name [/local/notesdata]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
———————————————————————————————————————-

Input Unix/Linux user name and group name panel

User Name [notes]

Group Name [notes]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
———————————————————————————————————————-

Select Server Setup

After the installation completes, for new installation server setup will be

launched and for upgrade the server will be restarted automatically.

The default value is “Manual Server Setup” which does not launch server setup

or restart the server after installation.

Select “Local Server Setup” to launch server setup after a new server

installation or to restart the server after a server upgrade.

Select “Remote Server Setup” to launch server setup in listen mode for new

server installations. You will then be able to connect to the server with the

Remote Server Setup tool.

[ ] 1 – Local

[ ] 2 – Remote

[X] 3 – Manual

To select an item enter its number, or 0 when you are finished: [0] 2

[ ] 1 – Local

[X] 2 – Remote

[ ] 3 – Manual

To select an item enter its number, or 0 when you are finished: [0]

Choose the setup type that best suits your needs.

[ ] 1 – Domino Utility Server

Installs a Domino server that provides application services only. Note

that it does not include support for messaging services. See full

licensing text for details.

[ ] 2 – Domino Messaging Server

Installs a Domino server that provides messaging services. Note that it

does not include support for application services or Domino clusters.

[X] 3 – Domino Enterprise Server

Installs a Domino server that provides both messaging and application

services.

[ ] 4 – Customize Domino Server

Allows you to select the features you want to install.

To select an item enter its number, or 0 when you are finished: [0] 0

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
———————————————————————————————————————-

Lotus Domino will be installed in the following location:

Program Files:        /opt/ibm/lotus

Data Files:           /local/notesdata

Domino Kit Type:      EnterpriseServer

Unix Install Options:

User Name: notes

Group Name: notes

Install Data Only: No

Start Server Setup: Yes (Remote)

with the following features:

Program Files

Billing Support

Clustering Support

Data Files

Required Templates

Administration Templates

Press ENTER to read the text [Type q to quit]

Optional Templates

Certificate Management

Web Services Data Files

Readme – NSF File

Dojo

XPages

Domino Enterprise Connection Services

Domino Offline Services

Lotus iNotes

Sametime Integration

Resource Modeling Engine

Help

for a total size:

1051.5 MB

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

Installing Lotus Domino. Please wait…

|—————-|—————-|—————-|——————|

0%         25%         50%         75%        100%

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

Creating uninstaller…

Configuring Domino Server from

Unix user name : notes

Unix group name : notes

Domino program directory: /opt/ibm/lotus

Domino data directory: /local/notesdata

You will be prompted for the password of the notesdata owner.
———————————————————————————————————————-

The InstallShield Wizard has successfully installed Lotus Domino. Choose Finish

to exit the wizard.

Press 3 to Finish or 4 to Redisplay [3]

Press 3 to Finish or 4 to Redisplay [3]

WARNING: the maximum number of file handles (ulimit -n)

allowed for Domino is 1024.

See Release Notes and set the allowable maximum to 20000.

/proc/sys/kernel/sem has been set to “250       256000  32      1024”.

/proc/sys/net/ipv4/tcp_fin_timeout has been set to “15”.

/proc/sys/net/ipv4/tcp_max_syn_backlog has been set to “16384”.

/proc/sys/net/ipv4/tcp_tw_reuse has been set to “1”.

/proc/sys/net/ipv4/ip_local_port_range has been set to “1024    65535”.

08/14/2010 05:36:06 PM  Created new log file as /local/notesdata/log.nsf

08/14/2010 05:36:06 PM  IBM Lotus Domino does not have a production license.  A temporary evaluation license has been enrolled for you to use for 90 days.

08/14/2010 05:36:06 PM  WARNING:  You are using a temporary license.  You have 89 days left in the trial license period.

./java -ss512k -Xoss5M -cp jhall.jar:cfgdomserver.jar:Notes.jar lotus.domino.setup.WizardManagerDomino -data /local/notesdata -listen

Remote server setup enabled on port 8585.

The Domino setup server is now in listening mode.

A remote client can now connect to this server and configure Domino.

To connect to this server, launch the Remote Domino Setup program from a command-prompt as follows:

From a Domino administrator client: serversetup -remote

From a Domino server: server -remote

To end this server, launch the Remote Domino Setup program from a command-prompt as follows:

From a Domino administrator client: serversetup -q mail.xxxxxx.com

From a Domino server: server -q mail.xxxxxx.com

For more information, see the printed guide Setting Up Domino Networks and Servers.

Sampai disini instalasi Domino Server berhasil. Selanjutnya menggunakan Windows client untuk remote setup console menggunakan Domino Administrator, karena saya remote ke server ini menggunanakan Putty.

Untuk menjalankan Domino

su notes

cd /local/notesdata && /opt/ibm/lotus/bin/server

show server

Test konek ke Domino server melalui Lotus Notes.

Beberapa untuk  setting Startup scripts, Domino Administrator, dan sebagainya, belum disertakan dalam  tutorial ini.

Henry Gultom (henry@gultom.or.id)

Berikut proses instalasi dan konfigurasi apcupsd pada Linux Centos 5.4 :

yum install apcups*

vi /etc/apcupsd/apcupsd.conf
UPSCABLE usb
UPSTYPE usb
DEVICE
LOCKFILE /var/lock
SCRIPTDIR /etc/apcupsd
PWRFAILDIR /etc/apcupsd
NOLOGINDIR /etc
ONBATTERYDELAY 6
BATTERYLEVEL 5
MINUTES 3
TIMEOUT 0
ANNOY 300
ANNOYDELAY 60
NOLOGON disable
KILLDELAY 0
NETSERVER on
NISIP 0.0.0.0
NISPORT 3551
EVENTSFILE /var/log/apcupsd.events
EVENTSFILEMAX 10
UPSCLASS standalone
UPSMODE disable
STATTIME 0
STATFILE /var/log/apcupsd.status
LOGSTATS off
DATATIME 0

Sebelum saya menjalankan apcupsd, kabel USB dari UPS APC di colokkan(plug in) ke slot USB pada server :

#/etc/init.d/apcupsd start
Starting UPS monitoring:                                   [  OK  ]

Log messages :

Jul 15 11:57:11 ID41-ND201 apcupsd[2383]: apcupsd 3.14.2 (15 September 2007) redhat startup succeeded
Jul 15 11:57:12 ID41-ND201 apcupsd[2383]: NIS server startup succeeded

1. /etc/init.d/apcupsd status
   apcupsd (pid  2383) is running…
   APC      : 001,043,1054
   DATE     : Thu Jul 15 11:57:15 WIT 2010
   HOSTNAME : ID41-ND201.xxxx
   RELEASE  : 3.14.2
   VERSION  : 3.14.2 (15 September 2007) redhat
   UPSNAME  : ID41-ND201.xxxx
   CABLE    : USB Cable
   MODEL    : Back-UPS CS 650
   UPSMODE  : Stand Alone
   STARTTIME: Thu Jul 15 11:57:09 WIT 2010
   STATUS   : ONLINE
   LINEV    : 216.0 Volts
   LOADPCT  :  24.0 Percent Load Capacity
   BCHARGE  : 100.0 Percent
   TIMELEFT :  25.0 Minutes
   MBATTCHG : 5 Percent
   MINTIMEL : 3 Minutes
   MAXTIME  : 0 Seconds
   OUTPUTV  : 230.0 Volts
   SENSE    : Medium
   DWAKE    : 000 Seconds
   DSHUTD   : 000 Seconds
   LOTRANS  : 180.0 Volts
   HITRANS  : 266.0 Volts
   RETPCT   : 000.0 Percent
   ITEMP    : 29.2 C Internal
   ALARMDEL : Always
   BATTV    : 13.5 Volts
   LINEFREQ : 50.0 Hz
   LASTXFER : Low line voltage
   NUMXFERS : 0
   TONBATT  : 0 seconds
   CUMONBATT: 0 seconds
   XOFFBATT : N/A
   SELFTEST : NO
   STATFLAG : 0×07000008 Status Flag
   SERIALNO : QB0645339457
   BATTDATE : 2006-11-05
   NOMOUTV  : 230
   NOMINV   : 230
   NOMBATTV :  12.0
   FIRMWARE : 817.v4.I USB FW:v4
   APCMODEL : Back-UPS CS 650
   END APC  : Thu Jul 15 11:57:16 WIT 2010

1. ps axf |grep apcupsd
   2507 pts/4    S+     0:00          _ grep apcupsd
   2383 ?        Ssl    0:00 /sbin/apcupsd -f /etc/apcupsd/apcupsd.conf

Dogtag memiliki features seperti : Certificate issuance, revocation, dan retrieval, Certificate Revocation List (CRL) generation dan publishing, Certificate profiles, Simple Certificate Enrollment Protocol (SCEP), Local Registration Authority (LRA) for organizational authentication and policies, Encryption key archival and recovery, dan Smartcard lifecycle management Token profiles,Token enrollment, on-hold, key recovery, and format, Face-to-face enrollment with the security officer workstation interface.

Disamping dipakai untuk smart card, Dog Tag Certification system juga dipakai oleh Militer Amerika Serikat untuk mengidentifikasi semua tentaranya.  Pernah kan, lihat film perang Hollywood kalau tentara Amerika Serikat itu selalu memakai 2 kalung dilehernya yang dinamakan Dog Tag seperti gambar logo diatas,  Indentitas/Data didalam kalung(dog tag) tersebut berisi nama, Social Security number, blood type dan religion. Jadi jika tentaranya mati, satu dog tag nya diambil dan satu lagi tetap tinggal di lehernya.  Satu kalung yang diambil itu untuk  update data identitas tentara tersebut disemua sistem komputer militer Amerika Serikat. Dog Tag dapat dipakai juga sebagai  password/identitas tentara jika sedang mengunakan fasilitas militer dan sebagainya.

Dogtag Certificate System memiliki 6 subsystems :
-Certificate Authority (CA) – implemented in Java
-Data Recovery Manager (DRM) – implemented in Java
-Online Status Procotol Protocol Manager (OCSP) – implemented in Java
-Token Key Service (TKS) – implemented in Java
-Registration Authority (RA) – implemented in Perl
-Token Processing System (TPS) – implemented in C and C++

Pembuatan Public Key Infrastructure dengan Dog Tag Certificate System kali ini terdiri dari Instalasi dan Konfigurasi dengan environment :

-Sistem operasi pada server : Centos 5.4
-389 Directory Server (Open Source LDAP)
-Dog Tag Certificate System 1.3 (repo EPEL)
-Java,Tomcat Web Server,Perl,Ant,Apache,mod_nss

Berikut proses instalasi dan konfigurasi, saya menggunakan Centos 5.4 32 bit dan sudah terinstall dengan baik :

Instalasi Tools :

[root@i ~]# rpm ev tomcatnative.i386

[root@i ~]# yum install db4-devel gzip rpm rpm-build subversion tar wget zip

[root@i ~]# yum install perl

[root@i ~]# yum install ant

[root@i ~]# yum install ant-junit

[root@i ~]# java -version
java version “1.6.0”
OpenJDK Runtime Environment (build 1.6.0-b09)
OpenJDK Client VM (build 1.6.0-b09, mixed mode)

Jika belum terinstall bisa install menggunakan yum install java-1.6.0-openjdk.

[root@i ~]# ant -version
Apache Ant version 1.6.5 compiled on January 6 2007

Install Apache untuk MOD_NSS dan PKI-RA

[root@i ~]# yum install httpd

Secara default Centos 5.4 terinstall mod_nss versi lama dan harus diupgrade untuk MOD_NSS

[root@i ~]# rpm Uvh mod_nss1.0.8-2.el5idm.i386.rpm

[root@i ~]# rpm -qa mod_nss
mod_nss-1.0.8-2.el5idm

Mengambil repo EPEL untuk Centos 5.4

[root@i ~]# rpm Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epelrelease-5-3.noarch.rpm

Instalasi Directory Server menggunakan 389-ds

[root@i ~]# yum upgrade—enablerepo=epel-testing

[root@i ~]# yum install 389-ds—enablerepo=epel-testing

Konfigurasi Directory Server :

[root@i ~]# setup-ds-admin.pl
============================================
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have “root” privilege to set up the software.
Tips for using this program: – Press “Enter” to choose the default and go to the next screen – Type “Control-B” then “Enter” to go back to the previous screen – Type “Control-C” to cancel the setup program
Would you like to continue with set up? [yes]:
==========================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
Do you agree to the license terms? [no]: yes
============================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.18-164.el5 (1 processor).

NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.

WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.

WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.

Would you like to continue? [no]: yes
==============================================
Choose a setup type:

1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.

2. Typical
Allows you to specify common defaults and options.

3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]: 2
======================================
Enter the fully qualified domain name of the computer
on which you’re setting up server software. Using the form
.
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Computer name [i.xxxxom.or.id]:
=======================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]:
System Group [nobody]:

==================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
.(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter ‘No’ to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

==============================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):
The passwords do not match. Please try again.

Password (confirm):

==============================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [xxxxom.or.id]:

=============================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

=============================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [i]:

==========================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=xxxxom, dc=or, dc=id]:

=========================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word “back”, then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):

===============================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

===============================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance ‘i’ was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is ‘/tmp/setup8XSC5y.log’
[root@i ~]#

Untuk mengadministrasi menggunakan 389-ds console bisa menggunakan Windows XP Profesional dan Linux.
Jika mengunakan Fedora 12 Desktop menggunakan fedora-idm-console :

#yum install fedora-idm-console

#yum install xorg-x11-deprecated-libs

Untuk Login mengunakan :

cn=Directory Manager
Password : xxxxxxxxx
Administration URL : http://i.xxxxom.or.id:9830

Instalasi Dog Tag Certificate System mengunakan repo EPEL

[root@i ~]# yum—enablerepo=epel-testing install dogtag-pki

—————skip———————-

Installed:
dogtag-pki.noarch 0:1.3.0-2.el5
Complete!
[root@i ~]#

Konfigurasi Dog Tag Certificate System

Ada 6 subsystems (CA/SubCA,KRA/DRM,RA,TKS,TPS,OCSP)  yang dapat kita konfigurasi yaitu dengan menggunakan PKICREATE keenam subsystems harus kita konfigurasi satu persatu, pada instalasi ini semua berada di satu server, untuk pengembangan bisa kita buat berbeda server pada masing-masing subsystems:

Contoh command yang dapat dipakai sebagai berikut :

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkica
-subsystem_type=ca
-agent_secure_port=9443
-ee_secure_port=9444
-ee_secure_client_auth_port=9446
-admin_secure_port=9445
-unsecure_port=9180
-tomcat_server_port=9701
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkica
redirect logs=/var/log/pkica
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkisubca
-subsystem_type=ca
-agent_secure_port=9543
-ee_secure_port=9544
-ee_secure_client_auth_port=9546
-admin_secure_port=9545
-unsecure_port=9580
-tomcat_server_port=9801
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkisubca
redirect logs=/var/log/pkisubca
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkikra
-subsystem_type=kra
-agent_secure_port=10443
-ee_secure_port=10444
-admin_secure_port=10445
-unsecure_port=10180
-tomcat_server_port=10701
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkikra
redirect logs=/var/log/pkikra
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkiocsp
-subsystem_type=ocsp
-agent_secure_port=11443
-ee_secure_port=11444
-admin_secure_port=11445
-unsecure_port=11180
-tomcat_server_port=11701
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkiocsp
redirect logs=/var/log/pkiocsp
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkitks
-subsystem_type=tks
-agent_secure_port=13443
-ee_secure_port=13444
-admin_secure_port=13445
-unsecure_port=13180
-tomcat_server_port=13701
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkitks
redirect logs=/var/log/pkitks
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkira
-subsystem_type=ra
-secure_port=12889
-non_clientauth_secure_port=12890
-unsecure_port=12888
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkira
redirect logs=/var/log/pkira
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkitps
-subsystem_type=tps
-secure_port=7889
-non_clientauth_secure_port=7890
-unsecure_port=7888
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkitps
redirect logs=/var/log/pkitps
-verbose

pkicreate -pki_instance_root=/var/lib
pki_instance_name=pkitps1
-subsystem_type=tps
-secure_port=7989
-non_clientauth_secure_port=7990
-unsecure_port=7988
-user=pkiuser
-group=pkiuser
redirect conf=/etc/pkitps1
redirect logs=/var/log/pkitps1
-verbose

DEPLOY PKI-CA

[root@i /]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkica
> -subsystem_type=ca
> -agent_secure_port=9443
> -ee_secure_port=9444
> -ee_secure_client_auth_port=9446
> -admin_secure_port=9445
> -unsecure_port=9180
> -tomcat_server_port=9701
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkica
> redirect logs=/var/log/pkica
> -verbose—————————————————-skip—————————————————[2010-05-08 15:47:56] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ca
[2010-05-08 15:47:56] [debug] replacing: PKI_INSTANCE_ID with: pki-ca
[2010-05-08 15:47:56] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 15:47:56] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 15:47:56] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9446
[2010-05-08 15:47:56] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 15:47:56] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_SECURE_PORT with: 9443
[2010-05-08 15:47:56] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ca/CS.cfg
[2010-05-08 15:47:56] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 15:47:56] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9443
[2010-05-08 15:47:56] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 15:47:56] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 15:47:56] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 15:47:56] [debug] replacing: INSTALL_TIME with: Sat May 8 15:47:56 2010
[2010-05-08 15:47:56] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9445
[2010-05-08 15:47:56] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:56] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 15:47:56] [debug] replacing: PKI_UNSECURE_PORT with: 9180
[2010-05-08 15:47:56] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 15:47:56] [debug] Converting ‘/usr/share/pki/ca/conf/serverCertNick.conf’ > '/etc/pki-ca/serverCertNick.conf' ...
[2010-05-08 15:47:56] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ca/server.xml
[2010-05-08 15:47:56] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: TOMCAT_SERVER_PORT with: 9701
[2010-05-08 15:47:57] [debug] replacing: PKI_RANDOM_NUMBER with: 1JqIAUMw2MlN8CTldWPn
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 15:47:57] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 15:47:57] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT with: 9444
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ID with: pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9446
[2010-05-08 15:47:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ca/CS.cfg
[2010-05-08 15:47:57] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 15:47:57] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: INSTALL_TIME with: Sat May 8 15:47:56 2010
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9445
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT with: 9180
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 15:47:57] [debug] Converting '/usr/share/pki/ca/conf/tomcat5.conf' > ‘/etc/pki-ca/tomcat5.conf’ ...
[2010-05-08 15:47:57] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ca/server.xml
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: TOMCAT_SERVER_PORT with: 9701
[2010-05-08 15:47:57] [debug] replacing: PKI_RANDOM_NUMBER with: 1JqIAUMw2MlN8CTldWPn
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 15:47:57] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 15:47:57] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT with: 9444
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ID with: pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9446
[2010-05-08 15:47:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ca/CS.cfg
[2010-05-08 15:47:57] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 15:47:57] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: INSTALL_TIME with: Sat May 8 15:47:56 2010
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9445
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT with: 9180
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 15:47:57] [debug] Converting ‘/usr/share/pki/ca/webapps/ca/WEB-INF/velocity.properties’ > '/var/lib/pki-ca/webapps/ca/WEB-INF/velocity.properties' ...
[2010-05-08 15:47:57] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ca/server.xml
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: TOMCAT_SERVER_PORT with: 9701
[2010-05-08 15:47:57] [debug] replacing: PKI_RANDOM_NUMBER with: 1JqIAUMw2MlN8CTldWPn
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 15:47:57] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 15:47:57] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT with: 9444
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ID with: pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9446
[2010-05-08 15:47:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ca/CS.cfg
[2010-05-08 15:47:57] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 15:47:57] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: INSTALL_TIME with: Sat May 8 15:47:56 2010
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9445
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 15:47:57] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT with: 9180
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 15:47:57] [debug] Converting '/usr/share/pki/ca/webapps/ca/WEB-INF/web.xml' > ‘/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml’ ...
[2010-05-08 15:47:57] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ca/server.xml
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: TOMCAT_SERVER_PORT with: 9701
[2010-05-08 15:47:57] [debug] replacing: PKI_RANDOM_NUMBER with: 1JqIAUMw2MlN8CTldWPn
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 15:47:57] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 15:47:57] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 15:47:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT with: 9444
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_INSTANCE_ID with: pki-ca
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9446
[2010-05-08 15:47:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ca/CS.cfg
[2010-05-08 15:47:57] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9443
[2010-05-08 15:47:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 15:47:57] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 15:47:57] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: INSTALL_TIME with: Sat May 8 15:47:56 2010
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9445
[2010-05-08 15:47:57] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 15:47:57] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 15:47:57] [debug] replacing: PKI_UNSECURE_PORT with: 9180
[2010-05-08 15:47:57] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 15:47:57] [debug] Processing PKI files and symbolic links for ‘/var/lib/pki-ca’ ...
[2010-05-08 15:47:57] [debug] Processing PKI security databases for ‘/var/lib/pki-ca’ ...
[2010-05-08 15:47:57] [debug] Processing PKI security modules for ‘/var/lib/pki-ca’ ...
[2010-05-08 15:47:57] [debug] Attempting to add hardware security modules to system if applicable …
[2010-05-08 15:47:57] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 15:47:57] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 15:47:57] [debug] Restorecon file context for /usr/share/java/pki
[2010-05-08 15:47:57] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 15:47:57] [debug] restorecon file context for /usr/bin/dtomcat5-pki-ca
[2010-05-08 15:47:57] [debug] Restorecon file context for /var/lib/pki-ca
[2010-05-08 15:47:57] [debug] Restorecon file context for /var/run
[2010-05-08 15:47:58] [debug] Setting selinux file context for “/var/log/pki-ca(/.*)?”

PKI instance creation completed …
Stopping pki-ca:
process already stopped
===========================================
Starting pki-ca: [ OK ]
pki-ca (pid 5165) is running …
‘pki-ca’ must still be CONFIGURED!
(see /var/log/pki-ca-install.log)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:
https://i.xxxxom.or.id:9445/ca/admin/console/config/login?pin=1JqIAUMw2MlN8CTldWPn
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
[root@i /]#
[root@i ~]# /sbin/service pki-cad restart pki-ca
Stopping pki-ca: ............................... [ OK ]
============================================
Starting pki-ca: [ OK ]
pki-ca (pid 6404) is running …
Unsecure Port = http://i.xxxxom.or.id:9180/ca/ee/ca
Secure Agent Port = https://i.xxxxom.or.id:9443/ca/agent/ca
Secure EE Port = https://i.xxxxom.or.id:9444/ca/ee/ca
Secure Admin Port = https://i.xxxxom.or.id:9445/ca/services
EE Client Auth Port = https://i.xxxxom.or.id:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://i.xxxxom.or.id:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
======================================================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
======================================================================
[root@i ~]#

DEPLOY SUB CA

[root@i ~]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkisubca
> -subsystem_type=ca
> -agent_secure_port=9543
> -ee_secure_port=9544
> -ee_secure_client_auth_port=9546
> -admin_secure_port=9545
> -unsecure_port=9580
> -tomcat_server_port=9801
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkisubca
> redirect logs=/var/log/pkisubca
> -verbose—————skip———————————————————————-
[2010-05-08 16:07:59] [debug] replacing: TOMCAT_SERVER_PORT with: 9801
[2010-05-08 16:07:59] [debug] replacing: PKI_RANDOM_NUMBER with: iBzt5I3F04LOKKJ6Zbzt
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 16:07:59] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 16:07:59] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT with: 9544
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ID with: pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9546
[2010-05-08 16:07:59] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-subca/CS.cfg
[2010-05-08 16:07:59] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 16:07:59] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: INSTALL_TIME with: Sat May 8 16:07:58 2010
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9545
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT with: 9580
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 16:07:59] [debug] Converting ‘/usr/share/pki/ca/conf/tomcat5.conf’ > '/etc/pki-subca/tomcat5.conf' ...
[2010-05-08 16:07:59] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-subca/server.xml
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: TOMCAT_SERVER_PORT with: 9801
[2010-05-08 16:07:59] [debug] replacing: PKI_RANDOM_NUMBER with: iBzt5I3F04LOKKJ6Zbzt
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 16:07:59] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 16:07:59] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT with: 9544
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ID with: pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9546
[2010-05-08 16:07:59] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-subca/CS.cfg
[2010-05-08 16:07:59] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 16:07:59] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: INSTALL_TIME with: Sat May 8 16:07:58 2010
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9545
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT with: 9580
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 16:07:59] [debug] Converting '/usr/share/pki/ca/webapps/ca/WEB-INF/velocity.properties' > ‘/var/lib/pki-subca/webapps/ca/WEB-INF/velocity.properties’ ...
[2010-05-08 16:07:59] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-subca/server.xml
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: TOMCAT_SERVER_PORT with: 9801
[2010-05-08 16:07:59] [debug] replacing: PKI_RANDOM_NUMBER with: iBzt5I3F04LOKKJ6Zbzt
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 16:07:59] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 16:07:59] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT with: 9544
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ID with: pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9546
[2010-05-08 16:07:59] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-subca/CS.cfg
[2010-05-08 16:07:59] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 16:07:59] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: INSTALL_TIME with: Sat May 8 16:07:58 2010
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9545
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT with: 9580
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 16:07:59] [debug] Converting ‘/usr/share/pki/ca/webapps/ca/WEB-INF/web.xml’ > '/var/lib/pki-subca/webapps/ca/WEB-INF/web.xml' ...
[2010-05-08 16:07:59] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-subca/server.xml
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: TOMCAT_SERVER_PORT with: 9801
[2010-05-08 16:07:59] [debug] replacing: PKI_RANDOM_NUMBER with: iBzt5I3F04LOKKJ6Zbzt
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 16:07:59] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 16:07:59] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 16:07:59] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT with: 9544
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_INSTANCE_ID with: pki-subca
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: 9546
[2010-05-08 16:07:59] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-subca/CS.cfg
[2010-05-08 16:07:59] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ca
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_SECURE_PORT with: 9543
[2010-05-08 16:07:59] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 16:07:59] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 16:07:59] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 16:07:59] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: INSTALL_TIME with: Sat May 8 16:07:58 2010
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 9545
[2010-05-08 16:07:59] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 16:07:59] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 16:07:59] [debug] replacing: PKI_UNSECURE_PORT with: 9580
[2010-05-08 16:07:59] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 16:07:59] [debug] Processing PKI files and symbolic links for '/var/lib/pki-subca' ...
[2010-05-08 16:08:00] [debug] Processing PKI security databases for '/var/lib/pki-subca' ...
[2010-05-08 16:08:00] [debug] Processing PKI security modules for '/var/lib/pki-subca' ...
[2010-05-08 16:08:00] [debug] Attempting to add hardware security modules to system if applicable ...
[2010-05-08 16:08:00] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 16:08:00] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 16:08:00] [debug] Restorecon file context for /usr/share/java/pki
[2010-05-08 16:08:00] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 16:08:00] [debug] Setting selinux file context for /usr/bin/dtomcat5-pki-subca

PKI instance creation completed ...

Stopping pki-subca:
process already stopped
==========================================================
Starting pki-subca: [ OK ]
pki-subca (pid 29931) is running …
‘pki-subca’ must still be CONFIGURED!
(see /var/log/pki-subca-install.log)

Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://i.xxxxom.or.id:9545/ca/admin/console/config/login?pin=T6TF1PtACWnLDIkzR9gI
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-subca
[root@i ~]#
[root@i ~]# /sbin/service pki-cad restart pki-subca
Stopping pki-subca: ............................... [ OK ]
========================================================
Starting pki-subca: [ OK ]
pki-subca (pid 31171) is running …
Unsecure Port = http://i.xxxxom.or.id:9580/ca/ee/ca
Secure Agent Port = https://i.xxxxom.or.id:9543/ca/agent/ca
Secure EE Port = https://i.xxxxom.or.id:9544/ca/ee/ca
Secure Admin Port = https://i.xxxxom.or.id:9545/ca/services
EE Client Auth Port = https://i.xxxxom.or.id:9546/ca/eeca/ca
PKI Console Port = pkiconsole https://i.xxxxom.or.id:9545/ca
Tomcat Port = 9801 (for shutdown)
PKI Instance Name: pki-subca
PKI Subsystem Type: Subordinate CA
Registered PKI Security Domain Information:
=====================================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
=====================================================
[root@i ~]#

DEPLOY PKI-KRA

[root@i etc]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkikra
> -subsystem_type=kra
> -agent_secure_port=10443
> -ee_secure_port=10444
> -admin_secure_port=10445
> -unsecure_port=10180
> -tomcat_server_port=10701
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkikra
> redirect logs=/var/log/pkikra
> -verbose——————skip——————————————————————-
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:36:44] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-kra
[2010-05-08 17:36:44] [debug] replacing: PKI_INSTANCE_ID with: pki-kra
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:36:44] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:36:44] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_SECURE_PORT with: 10443
[2010-05-08 17:36:44] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-kra/CS.cfg
[2010-05-08 17:36:44] [debug] replacing: PKI_SUBSYSTEM_TYPE with: kra
[2010-05-08 17:36:44] [debug] replacing: PKI_AGENT_SECURE_PORT with: 10443
[2010-05-08 17:36:44] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:36:44] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:36:44] [debug] replacing: INSTALL_TIME with: Sat May 8 17:36:44 2010
[2010-05-08 17:36:44] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 10445
[2010-05-08 17:36:44] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:36:44] [debug] replacing: PKI_UNSECURE_PORT with: 10180
[2010-05-08 17:36:44] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:36:44] [debug] Converting ‘/usr/share/pki/kra/conf/serverCertNick.conf’ > '/etc/pki-kra/serverCertNick.conf' ...
[2010-05-08 17:36:44] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-kra/server.xml
[2010-05-08 17:36:44] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: TOMCAT_SERVER_PORT with: 10701
[2010-05-08 17:36:44] [debug] replacing: PKI_RANDOM_NUMBER with: f7wZwxm4UZA8kCJIQTQ0
[2010-05-08 17:36:44] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:36:44] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:36:44] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:36:44] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_PORT with: 10444
[2010-05-08 17:36:44] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:36:44] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-kra
[2010-05-08 17:36:44] [debug] replacing: PKI_INSTANCE_ID with: pki-kra
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 17:36:44] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:36:44] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:36:44] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 17:36:44] [debug] replacing: PKI_SECURE_PORT with: 10443
[2010-05-08 17:36:44] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-kra/CS.cfg
[2010-05-08 17:36:44] [debug] replacing: PKI_SUBSYSTEM_TYPE with: kra
[2010-05-08 17:36:44] [debug] replacing: PKI_AGENT_SECURE_PORT with: 10443
[2010-05-08 17:36:44] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:44] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:36:44] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:36:44] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:36:44] [debug] replacing: INSTALL_TIME with: Sat May 8 17:36:44 2010
[2010-05-08 17:36:44] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 17:36:44] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 17:36:44] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 10445
[2010-05-08 17:36:44] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 17:36:44] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:36:44] [debug] replacing: PKI_UNSECURE_PORT with: 10180
[2010-05-08 17:36:44] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:36:44] [debug] Converting '/usr/share/pki/kra/conf/tomcat5.conf' > ‘/etc/pki-kra/tomcat5.conf’ ...
[2010-05-08 17:36:45] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-kra/server.xml
[2010-05-08 17:36:45] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: TOMCAT_SERVER_PORT with: 10701
[2010-05-08 17:36:45] [debug] replacing: PKI_RANDOM_NUMBER with: f7wZwxm4UZA8kCJIQTQ0
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:36:45] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:36:45] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:36:45] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT with: 10444
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-kra
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_ID with: pki-kra
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:36:45] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT with: 10443
[2010-05-08 17:36:45] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-kra/CS.cfg
[2010-05-08 17:36:45] [debug] replacing: PKI_SUBSYSTEM_TYPE with: kra
[2010-05-08 17:36:45] [debug] replacing: PKI_AGENT_SECURE_PORT with: 10443
[2010-05-08 17:36:45] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:36:45] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:36:45] [debug] replacing: INSTALL_TIME with: Sat May 8 17:36:44 2010
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 10445
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT with: 10180
[2010-05-08 17:36:45] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:36:45] [debug] Converting ‘/usr/share/pki/kra/webapps/kra/WEB-INF/velocity.properties’ > '/var/lib/pki-kra/webapps/kra/WEB-INF/velocity.properties' ...
[2010-05-08 17:36:45] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-kra/server.xml
[2010-05-08 17:36:45] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: TOMCAT_SERVER_PORT with: 10701
[2010-05-08 17:36:45] [debug] replacing: PKI_RANDOM_NUMBER with: f7wZwxm4UZA8kCJIQTQ0
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:36:45] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:36:45] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:36:45] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT with: 10444
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-kra
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_ID with: pki-kra
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:36:45] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT with: 10443
[2010-05-08 17:36:45] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-kra/CS.cfg
[2010-05-08 17:36:45] [debug] replacing: PKI_SUBSYSTEM_TYPE with: kra
[2010-05-08 17:36:45] [debug] replacing: PKI_AGENT_SECURE_PORT with: 10443
[2010-05-08 17:36:45] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:36:45] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:36:45] [debug] replacing: INSTALL_TIME with: Sat May 8 17:36:44 2010
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 10445
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 17:36:45] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT with: 10180
[2010-05-08 17:36:45] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:36:45] [debug] Converting '/usr/share/pki/kra/webapps/kra/WEB-INF/web.xml' > ‘/var/lib/pki-kra/webapps/kra/WEB-INF/web.xml’ ...
[2010-05-08 17:36:45] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-kra/server.xml
[2010-05-08 17:36:45] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: TOMCAT_SERVER_PORT with: 10701
[2010-05-08 17:36:45] [debug] replacing: PKI_RANDOM_NUMBER with: f7wZwxm4UZA8kCJIQTQ0
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:36:45] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:36:45] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:36:45] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT with: 10444
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-kra
[2010-05-08 17:36:45] [debug] replacing: PKI_INSTANCE_ID with: pki-kra
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:36:45] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT with: 10443
[2010-05-08 17:36:45] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-kra/CS.cfg
[2010-05-08 17:36:45] [debug] replacing: PKI_SUBSYSTEM_TYPE with: kra
[2010-05-08 17:36:45] [debug] replacing: PKI_AGENT_SECURE_PORT with: 10443
[2010-05-08 17:36:45] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:36:45] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:36:45] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:36:45] [debug] replacing: INSTALL_TIME with: Sat May 8 17:36:44 2010
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 10445
[2010-05-08 17:36:45] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:36:45] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:36:45] [debug] replacing: PKI_UNSECURE_PORT with: 10180
[2010-05-08 17:36:45] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:36:45] [debug] Processing PKI files and symbolic links for ‘/var/lib/pki-kra’ ...
[2010-05-08 17:36:45] [debug] Processing PKI security databases for ‘/var/lib/pki-kra’ ...
[2010-05-08 17:36:45] [debug] Processing PKI security modules for ‘/var/lib/pki-kra’ ...
[2010-05-08 17:36:45] [debug] Attempting to add hardware security modules to system if applicable …
[2010-05-08 17:36:45] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 17:36:45] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 17:36:45] [debug] Restorecon file context for /usr/share/java/pki
[2010-05-08 17:36:45] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 17:36:45] [debug] restorecon file context for /usr/bin/dtomcat5-pki-kra
[2010-05-08 17:36:45] [debug] Restorecon file context for /var/lib/pki-kra
[2010-05-08 17:36:45] [debug] Restorecon file context for /var/run
[2010-05-08 17:36:46] [debug] Setting selinux file context for “/var/log/pki-kra(/.*)?”

PKI instance creation completed …
Stopping pki-kra:
process already stopped
=======================================
Starting pki-kra: [ OK ]
pki-kra (pid 10994) is running …
‘pki-kra’ must still be CONFIGURED!
(see /var/log/pki-kra-install.log)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://i.xxxxom.or.id:10445/kra/admin/console/config/login?pin=f7wZwxm4UZA8kCJIQTQ0
After configuration, the server can be operated by the command:
/sbin/service pki-krad restart pki-kra
[root@i etc]#

[root@i etc]# /sbin/service pki-krad restart pki-kra
Stopping pki-kra: .. [ OK ]
========================================================
Starting pki-kra: [ OK ]
pki-kra (pid 11937) is running …

Unsecure Port = http://i.xxxxom.or.id:10180/kra/ee/kra
Secure Agent Port = https://i.xxxxom.or.id:10443/kra/agent/kra
Secure EE Port = https://i.xxxxom.or.id:10444/kra/ee/kra
Secure Admin Port = https://i.xxxxom.or.id:10445/kra/services
PKI Console Port = pkiconsole https://i.xxxxom.or.id:10445/kra
Tomcat Port = 10701 (for shutdown)
PKI Instance Name: pki-kra
PKI Subsystem Type: DRM
Registered PKI Security Domain Information:
======================================================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
======================================================================
[root@i etc]#

DEPLOY PKI-OCSP

[root@i etc]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkiocsp
> -subsystem_type=ocsp
> -agent_secure_port=11443
> -ee_secure_port=11444
> -admin_secure_port=11445
> -unsecure_port=11180
> -tomcat_server_port=11701
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkiocsp
> redirect logs=/var/log/pkiocsp
> -verbose————————————————skip——————————————————-
[2010-05-08 17:45:32] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:45:32] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ocsp
[2010-05-08 17:45:32] [debug] replacing: PKI_INSTANCE_ID with: pki-ocsp
[2010-05-08 17:45:32] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:45:32] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:45:32] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:45:32] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:45:32] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_SECURE_PORT with: 11443
[2010-05-08 17:45:32] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ocsp/CS.cfg
[2010-05-08 17:45:32] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ocsp
[2010-05-08 17:45:32] [debug] replacing: PKI_AGENT_SECURE_PORT with: 11443
[2010-05-08 17:45:32] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:45:32] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:45:32] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:45:32] [debug] replacing: INSTALL_TIME with: Sat May 8 17:45:32 2010
[2010-05-08 17:45:32] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 11445
[2010-05-08 17:45:32] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:45:32] [debug] replacing: PKI_UNSECURE_PORT with: 11180
[2010-05-08 17:45:32] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:45:32] [debug] Converting ‘/usr/share/pki/ocsp/conf/serverCertNick.conf’ > '/etc/pki-ocsp/serverCertNick.conf' ...
[2010-05-08 17:45:32] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ocsp/server.xml
[2010-05-08 17:45:32] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:32] [debug] replacing: TOMCAT_SERVER_PORT with: 11701
[2010-05-08 17:45:32] [debug] replacing: PKI_RANDOM_NUMBER with: hA0oT8qGoqBjsHGEqqv7
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:45:33] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:45:33] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT with: 11444
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ID with: pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:45:33] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT with: 11443
[2010-05-08 17:45:33] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ocsp/CS.cfg
[2010-05-08 17:45:33] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_AGENT_SECURE_PORT with: 11443
[2010-05-08 17:45:33] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:45:33] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:45:33] [debug] replacing: INSTALL_TIME with: Sat May 8 17:45:32 2010
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 11445
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT with: 11180
[2010-05-08 17:45:33] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:45:33] [debug] Converting '/usr/share/pki/ocsp/conf/tomcat5.conf' > ‘/etc/pki-ocsp/tomcat5.conf’ ...
[2010-05-08 17:45:33] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ocsp/server.xml
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: TOMCAT_SERVER_PORT with: 11701
[2010-05-08 17:45:33] [debug] replacing: PKI_RANDOM_NUMBER with: hA0oT8qGoqBjsHGEqqv7
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:45:33] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:45:33] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT with: 11444
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ID with: pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:45:33] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT with: 11443
[2010-05-08 17:45:33] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ocsp/CS.cfg
[2010-05-08 17:45:33] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_AGENT_SECURE_PORT with: 11443
[2010-05-08 17:45:33] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:45:33] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:45:33] [debug] replacing: INSTALL_TIME with: Sat May 8 17:45:32 2010
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 11445
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT with: 11180
[2010-05-08 17:45:33] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:45:33] [debug] Converting ‘/usr/share/pki/ocsp/webapps/ocsp/WEB-INF/velocity.properties’ > '/var/lib/pki-ocsp/webapps/ocsp/WEB-INF/velocity.properties' ...
[2010-05-08 17:45:33] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ocsp/server.xml
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: TOMCAT_SERVER_PORT with: 11701
[2010-05-08 17:45:33] [debug] replacing: PKI_RANDOM_NUMBER with: hA0oT8qGoqBjsHGEqqv7
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:45:33] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:45:33] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT with: 11444
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ID with: pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:45:33] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT with: 11443
[2010-05-08 17:45:33] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ocsp/CS.cfg
[2010-05-08 17:45:33] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_AGENT_SECURE_PORT with: 11443
[2010-05-08 17:45:33] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:45:33] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:45:33] [debug] replacing: INSTALL_TIME with: Sat May 8 17:45:32 2010
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 11445
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 17:45:33] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT with: 11180
[2010-05-08 17:45:33] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:45:33] [debug] Converting '/usr/share/pki/ocsp/webapps/ocsp/WEB-INF/web.xml' > ‘/var/lib/pki-ocsp/webapps/ocsp/WEB-INF/web.xml’ ...
[2010-05-08 17:45:33] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-ocsp/server.xml
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: TOMCAT_SERVER_PORT with: 11701
[2010-05-08 17:45:33] [debug] replacing: PKI_RANDOM_NUMBER with: hA0oT8qGoqBjsHGEqqv7
[2010-05-08 17:45:33] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:45:33] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:45:33] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:45:33] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT with: 11444
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_INSTANCE_ID with: pki-ocsp
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:33] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:45:33] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:45:33] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:45:33] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:34] [debug] replacing: PKI_SECURE_PORT with: 11443
[2010-05-08 17:45:34] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:45:34] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-ocsp/CS.cfg
[2010-05-08 17:45:34] [debug] replacing: PKI_SUBSYSTEM_TYPE with: ocsp
[2010-05-08 17:45:34] [debug] replacing: PKI_AGENT_SECURE_PORT with: 11443
[2010-05-08 17:45:34] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:45:34] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:45:34] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:45:34] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:45:34] [debug] replacing: INSTALL_TIME with: Sat May 8 17:45:32 2010
[2010-05-08 17:45:34] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:34] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:34] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 11445
[2010-05-08 17:45:34] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:45:34] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:45:34] [debug] replacing: PKI_UNSECURE_PORT with: 11180
[2010-05-08 17:45:34] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:45:34] [debug] Processing PKI files and symbolic links for ‘/var/lib/pki-ocsp’ ...
[2010-05-08 17:45:34] [debug] Processing PKI security databases for ‘/var/lib/pki-ocsp’ ...
[2010-05-08 17:45:35] [debug] Processing PKI security modules for ‘/var/lib/pki-ocsp’ ...
[2010-05-08 17:45:35] [debug] Attempting to add hardware security modules to system if applicable …
[2010-05-08 17:45:35] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 17:45:35] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 17:45:35] [debug] Restorecon file context for /usr/share/java/pki
[2010-05-08 17:45:35] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 17:45:35] [debug] restorecon file context for /usr/bin/dtomcat5-pki-ocsp
[2010-05-08 17:45:35] [debug] Restorecon file context for /var/lib/pki-ocsp
[2010-05-08 17:45:35] [debug] Restorecon file context for /var/run
[2010-05-08 17:45:35] [debug] Setting selinux file context for “/var/log/pki-ocsp(/.*)?”

PKI instance creation completed …
Stopping pki-ocsp:
process already stopped
========================================================
Starting pki-ocsp: [ OK ]
pki-ocsp (pid 12804) is running …
‘pki-ocsp’ must still be CONFIGURED!
(see /var/log/pki-ocsp-install.log)

Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://i.xxxxom.or.id:11445/ocsp/admin/console/config/login?pin=hA0oT8qGoqBjsHGEqqv7
After configuration, the server can be operated by the command:
/sbin/service pki-ocspd restart pki-ocsp
[root@i etc]#

[root@i etc]# /sbin/service pki-ocspd restart pki-ocsp
Stopping pki-ocsp: ... [ OK ]
========================================================
Starting pki-ocsp: [ OK ]
pki-ocsp (pid 13741) is running …
Unsecure Port = http://i.xxxxom.or.id:11180/ocsp/ee/ocsp
Secure Agent Port = https://i.xxxxom.or.id:11443/ocsp/agent/ocsp
Secure EE Port = https://i.xxxxom.or.id:11444/ocsp/ee/ocsp
Secure Admin Port = https://i.xxxxom.or.id:11445/ocsp/services
PKI Console Port = pkiconsole https://i.xxxxom.or.id:11445/ocsp
Tomcat Port = 11701 (for shutdown)
PKI Instance Name: pki-ocsp
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==============================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
==============================================

DEPLOY PKI-TKS

[root@i etc]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkitks
> -subsystem_type=tks
> -agent_secure_port=13443
> -ee_secure_port=13444
> -admin_secure_port=13445
> -unsecure_port=13180
> -tomcat_server_port=13701
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkitks
> redirect logs=/var/log/pkitks
> -verbose—————————————skip————————————————————-
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-tks
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_ID with: pki-tks
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:59:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_SECURE_PORT with: 13443
[2010-05-08 17:59:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-tks/CS.cfg
[2010-05-08 17:59:57] [debug] replacing: PKI_SUBSYSTEM_TYPE with: tks
[2010-05-08 17:59:57] [debug] replacing: PKI_AGENT_SECURE_PORT with: 13443
[2010-05-08 17:59:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:59:57] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:59:57] [debug] replacing: INSTALL_TIME with: Sat May 8 17:59:57 2010
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 13445
[2010-05-08 17:59:57] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT with: 13180
[2010-05-08 17:59:57] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:59:57] [debug] Converting ‘/usr/share/pki/tks/conf/serverCertNick.conf’ > '/etc/pki-tks/serverCertNick.conf' ...
[2010-05-08 17:59:57] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-tks/server.xml
[2010-05-08 17:59:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: TOMCAT_SERVER_PORT with: 13701
[2010-05-08 17:59:57] [debug] replacing: PKI_RANDOM_NUMBER with: uiHRXQPOplP0aRJouePc
[2010-05-08 17:59:57] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:59:57] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:59:57] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:59:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT with: 13444
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-tks
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_ID with: pki-tks
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:59:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 17:59:57] [debug] replacing: PKI_SECURE_PORT with: 13443
[2010-05-08 17:59:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-tks/CS.cfg
[2010-05-08 17:59:57] [debug] replacing: PKI_SUBSYSTEM_TYPE with: tks
[2010-05-08 17:59:57] [debug] replacing: PKI_AGENT_SECURE_PORT with: 13443
[2010-05-08 17:59:57] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:59:57] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:59:57] [debug] replacing: INSTALL_TIME with: Sat May 8 17:59:57 2010
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 13445
[2010-05-08 17:59:57] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 17:59:57] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT with: 13180
[2010-05-08 17:59:57] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:59:57] [debug] Converting '/usr/share/pki/tks/conf/tomcat5.conf' > ‘/etc/pki-tks/tomcat5.conf’ ...
[2010-05-08 17:59:57] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-tks/server.xml
[2010-05-08 17:59:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: TOMCAT_SERVER_PORT with: 13701
[2010-05-08 17:59:57] [debug] replacing: PKI_RANDOM_NUMBER with: uiHRXQPOplP0aRJouePc
[2010-05-08 17:59:57] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:59:57] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:59:57] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:59:57] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT with: 13444
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-tks
[2010-05-08 17:59:57] [debug] replacing: PKI_INSTANCE_ID with: pki-tks
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:57] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:59:57] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:59:57] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:59:57] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT with: 13443
[2010-05-08 17:59:58] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-tks/CS.cfg
[2010-05-08 17:59:58] [debug] replacing: PKI_SUBSYSTEM_TYPE with: tks
[2010-05-08 17:59:58] [debug] replacing: PKI_AGENT_SECURE_PORT with: 13443
[2010-05-08 17:59:58] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:59:58] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:59:58] [debug] replacing: INSTALL_TIME with: Sat May 8 17:59:57 2010
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 13445
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT with: 13180
[2010-05-08 17:59:58] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:59:58] [debug] Converting ‘/usr/share/pki/tks/webapps/tks/WEB-INF/velocity.properties’ > '/var/lib/pki-tks/webapps/tks/WEB-INF/velocity.properties' ...
[2010-05-08 17:59:58] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-tks/server.xml
[2010-05-08 17:59:58] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: TOMCAT_SERVER_PORT with: 13701
[2010-05-08 17:59:58] [debug] replacing: PKI_RANDOM_NUMBER with: uiHRXQPOplP0aRJouePc
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:59:58] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:59:58] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:59:58] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT with: 13444
[2010-05-08 17:59:58] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:59:58] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-tks
[2010-05-08 17:59:58] [debug] replacing: PKI_INSTANCE_ID with: pki-tks
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Port Connector -->
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:59:58] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with: <!-- Port Separation: EE Secure Client Auth Port Connector -->
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT with: 13443
[2010-05-08 17:59:58] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-tks/CS.cfg
[2010-05-08 17:59:58] [debug] replacing: PKI_SUBSYSTEM_TYPE with: tks
[2010-05-08 17:59:58] [debug] replacing: PKI_AGENT_SECURE_PORT with: 13443
[2010-05-08 17:59:58] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:59:58] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:59:58] [debug] replacing: INSTALL_TIME with: Sat May 8 17:59:57 2010
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Unsecure Port Connector -->
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Admin Secure Port Connector -->
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 13445
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with: <!-- Port Separation: Agent Secure Port Connector -->
[2010-05-08 17:59:58] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT with: 13180
[2010-05-08 17:59:58] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:59:58] [debug] Converting '/usr/share/pki/tks/webapps/tks/WEB-INF/web.xml' > ‘/var/lib/pki-tks/webapps/tks/WEB-INF/web.xml’ ...
[2010-05-08 17:59:58] [debug] replacing: PKI_SERVER_XML_CONF with: /etc/pki-tks/server.xml
[2010-05-08 17:59:58] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: TOMCAT_SERVER_PORT with: 13701
[2010-05-08 17:59:58] [debug] replacing: PKI_RANDOM_NUMBER with: uiHRXQPOplP0aRJouePc
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT_CONNECTOR_NAME with: Agent
[2010-05-08 17:59:58] [debug] replacing: PKI_MACHINE_NAME with: i.gultom.or.id
[2010-05-08 17:59:58] [debug] replacing: PKI_FLAVOR with: pki
[2010-05-08 17:59:58] [debug] replacing: PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT with: 13444
[2010-05-08 17:59:58] [debug] replacing: PKI_INSTANCE_ROOT with: /var/lib
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME with: EEClientAuth
[2010-05-08 17:59:58] [debug] replacing: PKI_INSTANCE_PATH with: /var/lib/pki-tks
[2010-05-08 17:59:58] [debug] replacing: PKI_INSTANCE_ID with: pki-tks
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME with: Admin
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT_CONNECTOR_NAME with: Unsecure
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT with: -1
[2010-05-08 17:59:58] [debug] replacing: PKI_WEBAPPS_NAME with: webapps
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT with: 13443
[2010-05-08 17:59:58] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_CFG_PATH_NAME with: /etc/pki-tks/CS.cfg
[2010-05-08 17:59:58] [debug] replacing: PKI_SUBSYSTEM_TYPE with: tks
[2010-05-08 17:59:58] [debug] replacing: PKI_AGENT_SECURE_PORT with: 13443
[2010-05-08 17:59:58] [debug] replacing: PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_CERT_DB_PASSWORD with: (sensitive)
[2010-05-08 17:59:58] [debug] replacing: PKI_EE_SECURE_PORT_CONNECTOR_NAME with: EE
[2010-05-08 17:59:58] [debug] replacing: PKI_GROUP with: pkiuser
[2010-05-08 17:59:58] [debug] replacing: INSTALL_TIME with: Sat May 8 17:59:57 2010
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_ADMIN_SECURE_PORT with: 13445
[2010-05-08 17:59:58] [debug] replacing: PKI_SECURE_PORT_SERVER_COMMENT with:
[2010-05-08 17:59:58] [debug] replacing: PKI_USER with: pkiuser
[2010-05-08 17:59:58] [debug] replacing: PKI_UNSECURE_PORT with: 13180
[2010-05-08 17:59:58] [debug] replacing: PKI_AGENT_CLIENTAUTH with: true
[2010-05-08 17:59:58] [debug] Processing PKI files and symbolic links for ‘/var/lib/pki-tks’ ...
[2010-05-08 17:59:58] [debug] Processing PKI security databases for ‘/var/lib/pki-tks’ ...
[2010-05-08 17:59:59] [debug] Processing PKI security modules for ‘/var/lib/pki-tks’ ...
[2010-05-08 17:59:59] [debug] Attempting to add hardware security modules to system if applicable …
[2010-05-08 17:59:59] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 17:59:59] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 17:59:59] [debug] Restorecon file context for /usr/share/java/pki
[2010-05-08 17:59:59] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 17:59:59] [debug] restorecon file context for /usr/bin/dtomcat5-pki-tks
[2010-05-08 17:59:59] [debug] Restorecon file context for /var/lib/pki-tks
[2010-05-08 17:59:59] [debug] Restorecon file context for /var/run
[2010-05-08 17:59:59] [debug] Setting selinux file context for “/var/log/pki-tks(/.*)?”

PKI instance creation completed …
Stopping pki-tks:
process already stopped
===========================================
Starting pki-tks: [ OK ]
pki-tks (pid 14607) is running …
‘pki-tks’ must still be CONFIGURED!
(see /var/log/pki-tks-install.log)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://i.xxxxom.or.id:13445/tks/admin/console/config/login?pin=uiHRXQPOplP0aRJouePc
After configuration, the server can be operated by the command:
/sbin/service pki-tksd restart pki-tks
[root@i etc]#

[root@i etc] /sbin/service pki-tksd restart pki-tks
Stopping pki-tks: ... [ OK ]
============================================
Starting pki-tks: [ OK ]
pki-tks (pid 15512) is running …
Unsecure Port = http://i.xxxxom.or.id:13180/tks/ee/tks
Secure Agent Port = https://i.xxxxom.or.id:13443/tks/agent/tks
Secure EE Port = https://i.xxxxom.or.id:13444/tks/ee/tks
Secure Admin Port = https://i.xxxxom.or.id:13445/tks/services
PKI Console Port = pkiconsole https://i.xxxxom.or.id:13445/tks
Tomcat Port = 13701 (for shutdown)
PKI Instance Name: pki-tks
PKI Subsystem Type: TKS
Registered PKI Security Domain Information:
============================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
============================================
[root@i etc]#

DEPLOY PKI-RA

[root@i etc]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkira
> -subsystem_type=ra
> -secure_port=12889
> -non_clientauth_secure_port=12890
> -unsecure_port=12888
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkira
> redirect logs=/var/log/pkira
> -verbose———————————————————skip——————————————————-
[2010-05-08 18:07:55] [debug] Converting ‘/usr/share/pki/ra/setup/config.desktop’ > '/usr/share/applications/pki-ra-config.desktop' ...
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:07:55] [debug] replacing: with: pki
[2010-05-08 18:07:55] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SUBSYSTEM_TYPE with: ra
[2010-05-08 18:07:55] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 12890
[2010-05-08 18:07:55] [debug] replacing: PROCESS_ID with: 15745
[2010-05-08 18:07:55] [debug] replacing: SERVER_ROOT with: /var/lib/pki-ra
[2010-05-08 18:07:55] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:07:55] [debug] replacing: PKI_RANDOM_NUMBER with: 3l6C1izcFyoUtU28lKrr
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ID with: pki-ra
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:07:55] [debug] replacing: NSS_CONF with: /etc/pki-ra/nss.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:07:55] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:07:55] [debug] replacing: TPS_DIR with: /usr/share/pki/ra
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:07:55] [debug] replacing: PORT with: 12888
[2010-05-08 18:07:55] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SECURE_PORT with: 12889
[2010-05-08 18:07:55] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:07:55] [debug] replacing: REQUIRE_CFG_PL with: require "";
[2010-05-08 18:07:55] [debug] replacing: HTTPD_CONF with: /etc/pki-ra/httpd.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:07:55] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:07:55] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:07:55] [debug] Converting '/usr/share/pki/ra/conf/httpd.conf' > ‘/etc/pki-ra/httpd.conf’ ...
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:07:55] [debug] replacing: with: pki
[2010-05-08 18:07:55] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SUBSYSTEM_TYPE with: ra
[2010-05-08 18:07:55] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 12890
[2010-05-08 18:07:55] [debug] replacing: PROCESS_ID with: 15745
[2010-05-08 18:07:55] [debug] replacing: SERVER_ROOT with: /var/lib/pki-ra
[2010-05-08 18:07:55] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:07:55] [debug] replacing: PKI_RANDOM_NUMBER with: 3l6C1izcFyoUtU28lKrr
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ID with: pki-ra
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:07:55] [debug] replacing: NSS_CONF with: /etc/pki-ra/nss.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:07:55] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:07:55] [debug] replacing: TPS_DIR with: /usr/share/pki/ra
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:07:55] [debug] replacing: PORT with: 12888
[2010-05-08 18:07:55] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SECURE_PORT with: 12889
[2010-05-08 18:07:55] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:07:55] [debug] replacing: REQUIRE_CFG_PL with: require “”;
[2010-05-08 18:07:55] [debug] replacing: HTTPD_CONF with: /etc/pki-ra/httpd.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:07:55] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:07:55] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:07:55] [debug] Converting ‘/usr/share/pki/ra/conf/nss.conf’ > '/etc/pki-ra/nss.conf'
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:07:55] [debug] replacing: with: pki
[2010-05-08 18:07:55] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SUBSYSTEM_TYPE with: ra
[2010-05-08 18:07:55] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 12890
[2010-05-08 18:07:55] [debug] replacing: PROCESS_ID with: 15745
[2010-05-08 18:07:55] [debug] replacing: SERVER_ROOT with: /var/lib/pki-ra
[2010-05-08 18:07:55] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:07:55] [debug] replacing: PKI_RANDOM_NUMBER with: 3l6C1izcFyoUtU28lKrr
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ID with: pki-ra
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:07:55] [debug] replacing: NSS_CONF with: /etc/pki-ra/nss.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:07:55] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:07:55] [debug] replacing: TPS_DIR with: /usr/share/pki/ra
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:07:55] [debug] replacing: PORT with: 12888
[2010-05-08 18:07:55] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SECURE_PORT with: 12889
[2010-05-08 18:07:55] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:07:55] [debug] replacing: REQUIRE_CFG_PL with: require "";
[2010-05-08 18:07:55] [debug] replacing: HTTPD_CONF with: /etc/pki-ra/httpd.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:07:55] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:07:55] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:07:55] [debug] Converting '/usr/share/pki/ra/conf/perl.conf' > ‘/etc/pki-ra/perl.conf’
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:07:55] [debug] replacing: with: pki
[2010-05-08 18:07:55] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SUBSYSTEM_TYPE with: ra
[2010-05-08 18:07:55] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 12890
[2010-05-08 18:07:55] [debug] replacing: PROCESS_ID with: 15745
[2010-05-08 18:07:55] [debug] replacing: SERVER_ROOT with: /var/lib/pki-ra
[2010-05-08 18:07:55] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:07:55] [debug] replacing: PKI_RANDOM_NUMBER with: 3l6C1izcFyoUtU28lKrr
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ID with: pki-ra
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:07:55] [debug] replacing: NSS_CONF with: /etc/pki-ra/nss.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:07:55] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:07:55] [debug] replacing: TPS_DIR with: /usr/share/pki/ra
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:07:55] [debug] replacing: PORT with: 12888
[2010-05-08 18:07:55] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SECURE_PORT with: 12889
[2010-05-08 18:07:55] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:07:55] [debug] replacing: REQUIRE_CFG_PL with: require “”;
[2010-05-08 18:07:55] [debug] replacing: HTTPD_CONF with: /etc/pki-ra/httpd.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:07:55] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:07:55] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:07:55] [debug] Converting ‘/usr/share/pki/ra/scripts/nss_pcache’ > '/var/lib/pki-ra/scripts/nss_pcache' ...
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:07:55] [debug] replacing: with: pki
[2010-05-08 18:07:55] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SUBSYSTEM_TYPE with: ra
[2010-05-08 18:07:55] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 12890
[2010-05-08 18:07:55] [debug] replacing: PROCESS_ID with: 15745
[2010-05-08 18:07:55] [debug] replacing: SERVER_ROOT with: /var/lib/pki-ra
[2010-05-08 18:07:55] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:07:55] [debug] replacing: PKI_RANDOM_NUMBER with: 3l6C1izcFyoUtU28lKrr
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ID with: pki-ra
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:07:55] [debug] replacing: NSS_CONF with: /etc/pki-ra/nss.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:07:55] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:07:55] [debug] replacing: TPS_DIR with: /usr/share/pki/ra
[2010-05-08 18:07:55] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:07:55] [debug] replacing: PORT with: 12888
[2010-05-08 18:07:55] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:07:55] [debug] replacing: SECURE_PORT with: 12889
[2010-05-08 18:07:55] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:07:55] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:07:55] [debug] replacing: REQUIRE_CFG_PL with: require "";
[2010-05-08 18:07:55] [debug] replacing: HTTPD_CONF with: /etc/pki-ra/httpd.conf
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:07:55] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:07:55] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:07:55] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:07:55] [debug] Processing PKI files and symbolic links for '/var/lib/pki-ra' ...
[2010-05-08 18:07:55] [debug] Processing PKI security databases for '/var/lib/pki-ra' ...
[2010-05-08 18:07:56] [debug] Processing PKI security modules for '/var/lib/pki-ra' ...
[2010-05-08 18:07:56] [debug] Attempting to add hardware security modules to system if applicable ...
[2010-05-08 18:07:56] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 18:07:57] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 18:07:57] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 18:07:57] [debug] Restorecon file context for /var/lib/pki-ra
[2010-05-08 18:07:57] [debug] Setting selinux file context for "/var/log/pki-ra(/.*)?"
-------skip----------------------------------
[2010-05-08 18:08:11] [debug] Restorecon /etc/pki-ra
[2010-05-08 18:08:11] [debug] Restorecon file context for /usr/sbin/httpd.worker
[2010-05-08 18:08:11] [debug] Setting selinux context pki_ra_port_t for 12890
PKI instance creation completed ...
Stopping pki-ra:
process already stopped
==========================================================
Starting pki-ra: . [ OK ]
pki-ra (pid 15887) is running …
‘pki-ra’ must still be CONFIGURED!
(see /var/log/pki-ra-install.log)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://i.xxxxom.or.id:12890/ra/admin/console/config/login?pin=3l6C1izcFyoUtU28lKrr
After configuration, the server can be operated by the command:
/sbin/service pki-rad restart pki-ra
[root@i etc]#

[root@i etc]# /sbin/service pki-rad restart pki-ra
Stopping pki-ra: . [ OK ]
========================================================
Starting pki-ra: . [ OK ]
pki-ra (pid 17771) is running …
Unsecure Port = http://i.xxxxom.or.id:12888
Secure Clientauth Port = https://i.xxxxom.or.id:12889
Secure Non-Clientauth Port = https://i.xxxxom.or.id:12890
PKI Instance Name: pki-ra
PKI Subsystem Type: RA
Registered PKI Security Domain Information:
=================================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
=================================================
[root@i etc]#

DEPLOY PKI-TPS

[root@i etc]# pkicreate -pki_instance_root=/var/lib
> pki_instance_name=pkitps
> -subsystem_type=tps
> -secure_port=7889
> -non_clientauth_secure_port=7890
> -unsecure_port=7888
> -user=pkiuser
> -group=pkiuser
> redirect conf=/etc/pkitps
> redirect logs=/var/log/pkitps
> -verbose——————skip——————————[2010-05-08 18:19:02] [debug] Converting ‘/usr/share/pki/tps/scripts/schemaMods.ldif’ > '/var/lib/pki-tps/scripts/schemaMods.ldif' ...
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:19:02] [debug] replacing: with: pki
[2010-05-08 18:19:02] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SUBSYSTEM_TYPE with: tps
[2010-05-08 18:19:02] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 7890
[2010-05-08 18:19:02] [debug] replacing: PROCESS_ID with: 18670
[2010-05-08 18:19:02] [debug] replacing: SERVER_ROOT with: /var/lib/pki-tps
[2010-05-08 18:19:02] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:19:02] [debug] replacing: PKI_RANDOM_NUMBER with: cDtRK8DGDN3kjvIhxiah
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ID with: pki-tps
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:19:02] [debug] replacing: NSS_CONF with: /etc/pki-tps/nss.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:19:02] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:19:02] [debug] replacing: TPS_DIR with: /usr/share/pki/tps
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:19:02] [debug] replacing: PORT with: 7888
[2010-05-08 18:19:02] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SECURE_PORT with: 7889
[2010-05-08 18:19:02] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:19:02] [debug] replacing: REQUIRE_CFG_PL with: require "/var/lib/pki-tps/cgi-bin/sow/cfg.pl";
[2010-05-08 18:19:02] [debug] replacing: HTTPD_CONF with: /etc/pki-tps/httpd.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:19:02] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:19:02] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:19:02] [debug] Converting '/usr/share/pki/tps/conf/httpd.conf' > ‘/etc/pki-tps/httpd.conf’ ...
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:19:02] [debug] replacing: with: pki
[2010-05-08 18:19:02] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SUBSYSTEM_TYPE with: tps
[2010-05-08 18:19:02] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 7890
[2010-05-08 18:19:02] [debug] replacing: PROCESS_ID with: 18670
[2010-05-08 18:19:02] [debug] replacing: SERVER_ROOT with: /var/lib/pki-tps
[2010-05-08 18:19:02] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:19:02] [debug] replacing: PKI_RANDOM_NUMBER with: cDtRK8DGDN3kjvIhxiah
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ID with: pki-tps
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:19:02] [debug] replacing: NSS_CONF with: /etc/pki-tps/nss.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:19:02] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:19:02] [debug] replacing: TPS_DIR with: /usr/share/pki/tps
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:19:02] [debug] replacing: PORT with: 7888
[2010-05-08 18:19:02] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SECURE_PORT with: 7889
[2010-05-08 18:19:02] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:19:02] [debug] replacing: REQUIRE_CFG_PL with: require “/var/lib/pki-tps/cgi-bin/sow/cfg.pl”;
[2010-05-08 18:19:02] [debug] replacing: HTTPD_CONF with: /etc/pki-tps/httpd.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:19:02] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:19:02] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:19:02] [debug] Converting ‘/usr/share/pki/tps/conf/nss.conf’ > '/etc/pki-tps/nss.conf' ...
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:19:02] [debug] replacing: with: pki
[2010-05-08 18:19:02] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SUBSYSTEM_TYPE with: tps
[2010-05-08 18:19:02] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 7890
[2010-05-08 18:19:02] [debug] replacing: PROCESS_ID with: 18670
[2010-05-08 18:19:02] [debug] replacing: SERVER_ROOT with: /var/lib/pki-tps
[2010-05-08 18:19:02] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:19:02] [debug] replacing: PKI_RANDOM_NUMBER with: cDtRK8DGDN3kjvIhxiah
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ID with: pki-tps
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:19:02] [debug] replacing: NSS_CONF with: /etc/pki-tps/nss.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:19:02] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:19:02] [debug] replacing: TPS_DIR with: /usr/share/pki/tps
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:19:02] [debug] replacing: PORT with: 7888
[2010-05-08 18:19:02] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SECURE_PORT with: 7889
[2010-05-08 18:19:02] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:19:02] [debug] replacing: REQUIRE_CFG_PL with: require "/var/lib/pki-tps/cgi-bin/sow/cfg.pl";
[2010-05-08 18:19:02] [debug] replacing: HTTPD_CONF with: /etc/pki-tps/httpd.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:19:02] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:19:02] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:19:02] [debug] Converting '/usr/share/pki/tps/conf/perl.conf' > ‘/etc/pki-tps/perl.conf’ ...
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:19:02] [debug] replacing: with: pki
[2010-05-08 18:19:02] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:19:02] [debug] replacing: SUBSYSTEM_TYPE with: tps
[2010-05-08 18:19:02] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 7890
[2010-05-08 18:19:02] [debug] replacing: PROCESS_ID with: 18670
[2010-05-08 18:19:02] [debug] replacing: SERVER_ROOT with: /var/lib/pki-tps
[2010-05-08 18:19:02] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:19:02] [debug] replacing: PKI_RANDOM_NUMBER with: cDtRK8DGDN3kjvIhxiah
[2010-05-08 18:19:02] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:19:02] [debug] replacing: INSTANCE_ID with: pki-tps
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:19:02] [debug] replacing: NSS_CONF with: /etc/pki-tps/nss.conf
[2010-05-08 18:19:02] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:19:02] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:19:02] [debug] replacing: TPS_DIR with: /usr/share/pki/tps
[2010-05-08 18:19:03] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:19:03] [debug] replacing: PORT with: 7888
[2010-05-08 18:19:03] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:19:03] [debug] replacing: SECURE_PORT with: 7889
[2010-05-08 18:19:03] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:19:03] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:19:03] [debug] replacing: REQUIRE_CFG_PL with: require “/var/lib/pki-tps/cgi-bin/sow/cfg.pl”;
[2010-05-08 18:19:03] [debug] replacing: HTTPD_CONF with: /etc/pki-tps/httpd.conf
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:19:03] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:19:03] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:19:03] [debug] Converting ‘/usr/share/pki/tps/scripts/nss_pcache’ > '/var/lib/pki-tps/scripts/nss_pcache' ...
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_MODULE with: /etc/httpd/modules
[2010-05-08 18:19:03] [debug] replacing: with: pki
[2010-05-08 18:19:03] [debug] replacing: USERID with: pkiuser
[2010-05-08 18:19:03] [debug] replacing: SUBSYSTEM_TYPE with: tps
[2010-05-08 18:19:03] [debug] replacing: NON_CLIENTAUTH_SECURE_PORT with: 7890
[2010-05-08 18:19:03] [debug] replacing: PROCESS_ID with: 18670
[2010-05-08 18:19:03] [debug] replacing: SERVER_ROOT with: /var/lib/pki-tps
[2010-05-08 18:19:03] [debug] replacing: SERVER_NAME with: i.gultom.or.id
[2010-05-08 18:19:03] [debug] replacing: PKI_RANDOM_NUMBER with: cDtRK8DGDN3kjvIhxiah
[2010-05-08 18:19:03] [debug] replacing: SYSTEM_LIBRARIES with: /lib
[2010-05-08 18:19:03] [debug] replacing: INSTANCE_ID with: pki-tps
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_APACHE with: Apache2
[2010-05-08 18:19:03] [debug] replacing: NSS_CONF with: /etc/pki-tps/nss.conf
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_DIR with: /usr
[2010-05-08 18:19:03] [debug] replacing: OBJ_EXT with: .so
[2010-05-08 18:19:03] [debug] replacing: TPS_DIR with: /usr/share/pki/tps
[2010-05-08 18:19:03] [debug] replacing: INSTANCE_ROOT with: /var/lib
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_LIB_DIR with: /etc/httpd
[2010-05-08 18:19:03] [debug] replacing: PORT with: 7888
[2010-05-08 18:19:03] [debug] replacing: GROUPID with: pkiuser
[2010-05-08 18:19:03] [debug] replacing: SECURE_PORT with: 7889
[2010-05-08 18:19:03] [debug] replacing: TMP_DIR with: /tmp
[2010-05-08 18:19:03] [debug] replacing: SYSTEM_USER_LIBRARIES with: /usr/lib
[2010-05-08 18:19:03] [debug] replacing: REQUIRE_CFG_PL with: require "/var/lib/pki-tps/cgi-bin/sow/cfg.pl";
[2010-05-08 18:19:03] [debug] replacing: HTTPD_CONF with: /etc/pki-tps/httpd.conf
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_NSS_MODULES with:
LoadModule nss_module /etc/httpd/modules/libmodnss.so
[2010-05-08 18:19:03] [debug] replacing: FORTITUDE_AUTH_MODULES with:
LoadModule auth_basic_module /etc/httpd/modules/mod_auth_basic.so
LoadModule authn_file_module /etc/httpd/modules/mod_authn_file.so
LoadModule authz_user_module /etc/httpd/modules/mod_authz_user.so
LoadModule authz_groupfile_module /etc/httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module /etc/httpd/modules/mod_authz_host.so
[2010-05-08 18:19:03] [debug] replacing: LIB_PREFIX with: lib
[2010-05-08 18:19:03] [debug] replacing: SECURITY_LIBRARIES with: /usr/lib/dirsec
[2010-05-08 18:19:03] [debug] Processing PKI files and symbolic links for '/var/lib/pki-tps' ...
[2010-05-08 18:19:03] [debug] Processing PKI security databases for '/var/lib/pki-tps' ...
[2010-05-08 18:19:03] [debug] Processing PKI security modules for '/var/lib/pki-tps' ...
[2010-05-08 18:19:03] [debug] Attempting to add hardware security modules to system if applicable ...
[2010-05-08 18:19:03] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2.so DOES NOT EXIST!
[2010-05-08 18:19:03] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2010-05-08 18:19:03] [debug] Restorecon file context for /usr/share/pki
[2010-05-08 18:19:03] [debug] Restorecon file context for /var/lib/pki-tps
[2010-05-08 18:19:03] [debug] Setting selinux file context for "/var/log/pki-tps(/.*)?"
libsepol.context_from_record: type pki_tps_log_t is not defined
libsepol.context_from_record: could not create context structure
-----------skip------------------------------
[2010-05-08 18:19:17] [debug] Restorecon /etc/pki-tps
[2010-05-08 18:19:17] [debug] Restorecon file context for /usr/sbin/httpd.worker
[2010-05-08 18:19:17] [debug] Setting selinux context pki_tps_port_t for 7890
PKI instance creation completed ...
Stopping pki-tps:
process already stopped
==========================================================
Starting pki-tps: . [ OK ]
pki-tps (pid 18818) is running …
‘pki-tps’ must still be CONFIGURED!
(see /var/log/pki-tps-install.log)
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://i.xxxxom.or.id:7890/tps/admin/console/config/login?pin=cDtRK8DGDN3kjvIhxiah
After configuration, the server can be operated by the command:
/sbin/service pki-tpsd restart pki-tps
[root@i etc]#

[root@i etc]# /sbin/service pki-tpsd restart pki-tps
Stopping pki-tps: .......... [ OK ]
========================================================
Starting pki-tps: . [ OK ]
pki-tps (pid 21265) is running …
Unsecure Port = http://i.xxxxom.or.id:7888/cgi-bin/so/enroll.cgi
(ESC Security Officer Enrollment)
Unsecure Port = http://i.xxxxom.or.id:7888/cgi-bin/home/index.cgi
(ESC Phone Home)
Secure Clientauth Port = https://i.xxxxom.or.id:7889/cgi-bin/sow/welcome.cgi
(ESC Security Officer Workstation)
Secure Clientauth Port = https://i.xxxxom.or.id:7889/tus
(TPS Roles – Operator/Administrator/Agent)
Secure Non-Clientauth Port = https://i.xxxxom.or.id:7890/cgi-bin/so/enroll.cgi
(ESC Security Officer Enrollment)
Secure Non-Clientauth Port = https://i.xxxxom.or.id:7890/cgi-bin/home/index.cgi
(ESC Phone Home)
PKI Instance Name: pki-tps
PKI Subsystem Type: TPS
Registered PKI Security Domain Information:
==============================================
Name: GultomOr Domain
URL: https://i.xxxxom.or.id:9445
============================================
[root@i etc]#

LISTING SEMUA PORT DOGTAG :

[root@i etc]# netstat -nltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN 3067/httpd.worker
tcp 0 0 0.0.0.0:909 0.0.0.0:* LISTEN 1575/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1539/portmap
tcp 0 0 :::13443 :::* LISTEN 15512/java
tcp 0 0 :::9443 :::* LISTEN 6404/java
tcp 0 0 :::13444 :::* LISTEN 15512/java
tcp 0 0 :::10180 :::* LISTEN 11937/java
tcp 0 0 :::9444 :::* LISTEN 6404/java
tcp 0 0 ::ffff:127.0.0.1:13701 :::* LISTEN 15512/java
tcp 0 0 :::13445 :::* LISTEN 15512/java
tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 6404/java
tcp 0 0 :::9445 :::* LISTEN 6404/java
tcp 0 0 :::389 :::* LISTEN 2970/ns-slapd
tcp 0 0 :::9446 :::* LISTEN 6404/java
tcp 0 0 :::9543 :::* LISTEN 9933/java
tcp 0 0 :::9544 :::* LISTEN 9933/java
tcp 0 0 ::ffff:127.0.0.1:9801 :::* LISTEN 9933/java
tcp 0 0 :::9545 :::* LISTEN 9933/java
tcp 0 0 :::9546 :::* LISTEN 9933/java
tcp 0 0 :::10443 :::* LISTEN 11937/java
tcp 0 0 :::11180 :::* LISTEN 13741/java
tcp 0 0 :::10444 :::* LISTEN 11937/java
tcp 0 0 :::9580 :::* LISTEN 9933/java
tcp 0 0 ::ffff:127.0.0.1:10701 :::* LISTEN 11937/java
tcp 0 0 :::10445 :::* LISTEN 11937/java
tcp 0 0 :::7888 :::* LISTEN 21265/httpd.worker
tcp 0 0 :::7889 :::* LISTEN 21265/httpd.worker
tcp 0 0 :::7890 :::* LISTEN 21265/httpd.worker
tcp 0 0 :::11443 :::* LISTEN 13741/java
tcp 0 0 :::11444 :::* LISTEN 13741/java
tcp 0 0 ::ffff:127.0.0.1:11701 :::* LISTEN 13741/java
tcp 0 0 :::11445 :::* LISTEN 13741/java
tcp 0 0 :::22 :::* LISTEN 1840/sshd
tcp 0 0 :::12888 :::* LISTEN 17771/httpd.worker
tcp 0 0 :::12889 :::* LISTEN 17771/httpd.worker
tcp 0 0 :::12890 :::* LISTEN 17771/httpd.worker
tcp 0 0 :::13180 :::* LISTEN 15512/java
tcp 0 0 :::9180 :::* LISTEN 6404/java
udp 0 0 0.0.0.0:903 0.0.0.0:* 1575/rpc.statd
udp 0 0 0.0.0.0:906 0.0.0.0:* 1575/rpc.statd
udp 0 0 0.0.0.0:36701 0.0.0.0:* 1920/avahi-daemon:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1920/avahi-daemon:
udp 0 0 0.0.0.0:111 0.0.0.0:* 1539/portmap
udp 0 0 :::59845 :::* 1920/avahi-daemon:
udp 0 0 :::5353 :::* 1920/avahi-daemon:
[root@i etc]#

Selesai, tinggal mengatur konfigurasi lebih mendalam melalui pkiconsole dan web interface baik untuk user,agent,admin.  Pada pembahasan lain akan saya buat integrasi menggunakan smart card yang dihubungkan dengan Enterprise Security Client dan Dog Tag.

Red Hat Certificate System Documentation

https://www.redhat.com/docs/manuals/cert-system/

Tujuan saya adalah menambah partisi root yang sebelumnya hanya 2 GB dan sudah penuh, untuk ini saya mau jadikan 4 GB.  Caranya menggunakan fdisk dan resize2fs,  jangan takut kehilangan data, kalau mau backup dulu bisa juga, tapi dalam pekerjaan ini saya tidak backup.

[root@ID41-ND013 gtoms]# /sbin/fdisk -l

Disk /dev/xvda: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/xvda1 * 1 261 2096451 83 Linux

Disk /dev/xvdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/xvdb doesn’t contain a valid partition table

Disk /dev/xvdc: 2147 MB, 2147483648 bytes
255 heads, 63 sectors/track, 261 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/xvdc doesn’t contain a valid partition table

[root@ID41-ND013 gtoms]# /sbin/fdisk /dev/xvda

Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition’s system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

Command (m for help): p

Disk /dev/xvda: 4294 MB, 4294967296 bytes
255 heads, 63 sectors/track, 522 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/xvda1 * 1 261 2096451 83 Linux

Command (m for help): d
Selected partition 1

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p

Partition number (1-4): 1
First cylinder (1-522, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-522, default 522):
Using default value 522

Command (m for help): a
Partition number (1-4): 1

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.

[root@ID41-ND013 gtoms]# reboot
Broadcast message from root (pts/1) (Mon May 10 13:35:54 2010):

The system is going down for reboot NOW!
[root@ID41-ND013 gtoms]# Connection to 10.62.41.13 closed by remote host.
Connection to 10.62.41.13 closed.

[root@ID41-ND201 ~]# ssh 10.62.41.13 -l root
root@10.62.41.13’s password:

Setelah direboot bisa dicek partisi masih 2 GB

[root@ID41-ND013 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/xvda1 2030736 1783504 142412 93% /
tmpfs 262144 0 262144 0% /dev/shm
/dev/xvdc 2064208 68684 1890668 4% /opt

Kita mulai resize partisi :

[root@ID41-ND013 ~]# resize2fs /dev/xvda1
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/xvda1 is mounted on /; on-line resizing required
Performing an on-line resize of /dev/xvda1 to 1048233 (4k) blocks.
The filesystem on /dev/xvda1 is now 1048233 blocks long.

Cek kembali dan voila partisi sudah menjadi 4 GB :

[root@ID41-ND013 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/xvda1 3.9G 1.8G 2.0G 47% /
tmpfs 256M 0 256M 0% /dev/shm
/dev/xvdc 2.0G 68M 1.9G 4% /opt

selesai.

Instalasi dan konfigurasi ini dilakukan pada salah satu server Qotexxx yang berada di Data Centre CalPOP Los Angeles. Pekerjaan dilakukan secara remote menggunakan putty ke server yang dalam kondisi awal sebagai berikut :

Hardware server Intel® Core™2 CPU 6300 @ 1.86GHz 32-bit, Memory 2 GB, Sistem Operasi CentOS 5.x  32-bit, berisi standart system instalasi dengan kernel 2.6.18-53.el5 dan  ssh yang sudah terinstall baik. Ditambah 1 Allocated IP yang sudah up 216.240.142.1xx, dan daftar Addittional IP’s – 216.240.142.1xx-1xx yang belum dikonfigurasi. Guna addittional IP’s ini nanti untuk alokasi multi domain per IP, khususnya untuk pemakaian SMTP yang dalam hal ini menggunakan Postfix.

216.240.142.1xx- qotexxx.info
216.240.142.1ss- qoteonlxxx.info
216.240.142.1yy- qoteyyy.info
216.240.142.1zz- qotesxxx.info
216.240.142.1aa- qotesyy.info
216.240.142.1bb- qotestxxx.info

Kondisi basic installan sistem operasi dari data centre perlu di rapihkan dahulu, biasanya dapat instalasi yang kurang bersih dari pihak datacentre terhadap server tersebut. Setelah login mengunakan root, create new user baru dan disable login root melalui sshd_config dan kembali login menggunakan user biasa. Kemudian perhatikan service yang up dan matikan service yang tidak perlu seperti cupsd, sendmail,dsb. Setelah beres upgrade sistem operasi CentOS dengan yum update.

Setelah kondisi rapih, reboot servernya untuk memastikan tidak ada masalah. Jika tidak up kordinasi dengan technical support CalPOP yang 24 jam.

Berikut proses instalasi dan konfigurasi yang berhasil saya dokumentasikan dari putty saya.

Dokumentasi Instalasi dan Konfigurasi.

Secara tidak sengaja aku menemukan salah satu postingan di milist tersebut yang meminta/provide commercial installation & support untuk mailservernya dengan 5 domain.

Aku langsung kirim email ke yang bersangkutan dan berikut balasannya :

I have few domains hosted. I need frontend from where I can add / remove email, change password & check email. I am planning to host 5 domains initially.
Outgoing emails would be authenticated by userID and password created through control panel. Mail server should be secured & should not be open relay. I shall enable SSH so that you can access it remotely. I shall give you root access of the server.

I have a budget of US$x00. Payment will be by paypal. 50% immediately & balance 50% on completion.

Let me know:
1. Whether you have expertise to perform the above task.
2. Whether terms and conditions are agreeable to you.

Kindly reply
K. Gandhi

Setelah komunikasi melalui email dan yahoo messenger kita deal untuk harga dan requirement yang disepakati bersama. Client ku ini tinggal di Oshiwara, Mumbai, India. Dan server yang akan di remote berada di Ohio USA dan dihost oleh xlhost.com merupakan server dedicated yang disewa clientku ini. Server dedicated ini sudah berisi sistem operasi Linux Centos 5.2 dengan aplikasi ssh aktif dengan ip public/static sehingga bisa di remote. Spesifikasi servernya Intel Core 2 Duo E4400, 2.0GHz, 800MHz, 2MB L2 Cache 1GB DDR2 RAM, 80GB SATA HDD, 1000GB Transfer, 10Mbps Uplink, 5 IP Addresses.

Waktu pekerjaan aku minta 2 hari karena aku tidak punya waktu 1 hari full untuk konsentrasi mengerjakan custom server nya, sehingga memakai sistem cicil dalam waktu-waktu istirahat dan tidurku.

Proyek ini sukses dengan installasi pada  OS: Centos 5.2 (Final) sbb : – MTA: Postfix – Domain Key (DKIM), for outgoing email – Control Panel:  ISPConfig – Statistics – MailGraph, Queuegraph – Antispam Spamassasin dan Anti virus Clamav – Dovecot( POP3, IMAP Server) – Squirrelmail webmail

yang agak lama saat setting ISPconfig, untungnya ispconfig sangat cocok dengan Centos sehingga semua proses berjalan lancar tanpa ada kesulitan yang berarti. Setelah payment lewat paypal kuterima, aku baru tahu perusahaan clientku ini adalah IKON Infoservices Pvt Ltd yang berada di Mumbai India. Dari postfix dapat dollar deh.. :)