EJBCA是一個(gè)全功能的CA系統(tǒng)軟件，它基于J2EE技術(shù)，并提供了一個(gè)強(qiáng)大的、高性能并基于組件的CA。EJBCA兼具靈活性和平臺(tái)獨(dú)立性，能夠獨(dú)立使用，也能和任何J2EE 應(yīng)用程序集成。

安裝環(huán)境[ ]

• Windows
• jdk
• apache
• Jboss
• MySQL
• jce_policy

安裝步驟[ ]

整合[ ]

• 拷貝文件%EJBCA_HOME%\conf\ejbca.properties.sample到%EJBCA_HOME%\conf\ejbca.properties,這個(gè)文件是ejbca的主配置文件，可以進(jìn)行自定義配置，例如對(duì)CA的配置：

# ------------ Basic CA configuration ---------------------
# When upgrading, the important options are:
# - ca.keystorepass
# - ca.ocspkeystorepass
 
# This installation will create a first administrative CA. This CA will be used to create the first
# superadministrator and for the SSL server certificate of administrative web server.
# When the administrative web server have been setup you can create other CA:s and administrators.
# This is only used for administrative purposes,
# Enter a short name for the CA.
ca.name=AdminCA1
 
# The Distinguished Name of the CA.
# This is used in the CA certificate to distinguish the CA.
ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
 
# The keysize in bits of the CA, only digits.
ca.keysize=2048
 
# The keytype, can be RSA or ECDSA
ca.keytype=RSA
 
# The validity in days for the CA, only digits.
ca.validity=3650
 
# The policy id of the CA. Policy id determines which PKI policy the CA uses.
# Type your policy id or use '2.5.29.32.0' for 'any policy' (rfc3280) or 'null' for no policy at all.
ca.policy=null
 
# This password is used internally to protect CA keystores in database (i.e. the CAs private key).
# foo123 is to keep compatibility with default installations of EJBCA 3.0, please change this if possible
# If upgrading from EJBCA 3.0.x, you should take this value from src/ca/ca/META-INF/ejb-jar.xml -> keyStorePass.
# The default value is the same for convenience.
ca.keystorepass=foo123
#ca.keystorepass=!secret!
 
# Password user to protect OCSP keystores in the database (CAs OCSP signer certificate).
# If upgrading from EJBCA 3.0.x, you should take this value from src/ca/ca/META-INF/ejb-jar.xml -> OCSPKeyStorePass.
# The default value is the same for convenience.
ca.ocspkeystorepass=foo123
#ca.ocspkeystorepass=ocsp!secret!
 
# Password user to protect XKMS keystores in the database (CAs XKMS signer/enc certificate).
# The default value is the same for convenience.
ca.xkmskeystorepass=foo123
 
# Password user to protect CMS keystores in the database (CAs CMS signer/enc certificate).
# The default value is the same for convenience.
ca.cmskeystorepass=foo123
由于只是實(shí)驗(yàn)性的學(xué)習(xí)，所以保持默認(rèn)配置。原文檔說(shuō)明為：The default values works fine for a test installaton. If you are using JBoss < 4.0.3 you must
configure the property web.jsfimpl in conf/web.properties.
# Specifies the JSF implementation used by the application server EJBCA is deployed on.
# Possible values are: myfaces
# Using nojsf means that the admin-GUI will be limited with some functions not working.
# It can however be useful if there are problems with your application server and JSF/MyFaces.
# Use nojsf for JBoss < 4.0.3
#
# Default: myfaces
#web.jsfimpl=myfaces
如果使用的JBoss版本< 4.0.3，需要修改默認(rèn)配置。

• 將mysql數(shù)據(jù)庫(kù)jdbc鏈接程序包mysql-connector-java-5.0.6-bin.jar拷貝到%JBOSS_HOME%\server\default\lib目錄下

• ejbca支持的數(shù)據(jù)庫(kù)有MySQL, PostgreSQL 7 and 8, Oracle 8 and 9, Sybase, HypersonicSQL, SAPDB and MSSQL，默認(rèn)的數(shù)據(jù)庫(kù)配置是JBoss內(nèi)建的HypersonicSQL數(shù)據(jù)庫(kù)（該數(shù)據(jù)庫(kù)有以下缺點(diǎn)：內(nèi)存消耗太大、不支持全部SQL語(yǔ)句集），我們將其修改為MySQL的配置：

# ------------- Database configuration ------------------------
 
# jndi name of the datasource to use in deployment descriptors of ejbs.
#datasource.jndi-name=EjbcaDS
 
# Prefix for the jndi name of the datasource to use in deployment descriptors of ejbs.
# JBoss requires 'java:/' as divfix, while Weblogic does not want anything (''), and Glassfish wants jdbc/
# default: java:/
#datasource.jndi-name-divfix=java:/
#datasource.jndi-name-divfix=
#datasource.jndi-name-divfix=jdbc/
 
# Weblogic in combination with Oracle requires special handling of LONG/BLOB columns
# If, and only if, you are using Weblogic and Oracle, uncomment the row below.
# Use OracleBlob in Weblogic 8.x and Blob in Weblogic 9.x
# default:
#weblogic-oracle-columntype=@weblogic.dbms-column-type OracleBlob
 
# The database name selected for deployment, used to copy XDoclet merge files.
# All supported databases are defined below, others can easily be added
# See the document doc/howto/HOWTO-database.txt for database specifics and tips and tricks.
# Default: hsqldb
database.name=mysql
 
# The datasource mapping selected for deployment.
# The J2EE server needs to be configured with the appropriate datasource mapping.
# For JBoss this maps to a setting in standardjbosscmp-jdbc.xml and must match the database chosen above.
# All supported mappings are defined below, others can easily be added
# Default: Hypersonic SQL
datasource.mapping=mySQL
 
# Database connection url.
# This is the URL used to connect to the database, used to configure a new datasource in JBoss.
# Default: jdbc:hsqldb:${jboss.server.data.dir}${/}hypersonic${/}localDB
database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
 
# JDBC driver classname.
# The J2EE server needs to be configured with the appropriate JDBC driver for the selected database
# Default: org.hsqldb.jdbcDriver
database.driver=com.mysql.jdbc.Driver
 
# Database username.
# Default: sa (works with hsqldb)
database.username=root
 
# Database password.
# Default: (blank works with hsqldb)
database.password=root

控制臺(tái)[ ]

• 打開一個(gè)控制臺(tái)（命令提示符），進(jìn)入目錄%EJBCA_HOME%,執(zhí)行命令

ant bootstrap

• 這時(shí)進(jìn)行編譯、打包和部署的工作。打包完成后，生成文件如下圖所示：

• 其中ejbca.ear用來(lái)部署到j(luò)boss中。

• 打開另外一個(gè)控制臺(tái)，進(jìn)入%JBOSS_HOME%\bin，執(zhí)行run命令，啟動(dòng)jboss服務(wù)器。

• 在上一個(gè)控制臺(tái)（執(zhí)行ant bootstrap的控制臺(tái)）執(zhí)行

ant install

進(jìn)行安裝工作。這個(gè)過(guò)程將生成所有的證書，密鑰以及初始化CA所需要的所有內(nèi)容。執(zhí)行完成后，將生成${ejbca.home}/p12目錄，該目錄種包含管理員密鑰。

it will generate all certificates, keys, etc needed to run with an initial CA. You will find admin keys in ${ejbca.home}/p12
?         tomcat.jks is for the servlet container (don't bother with it)
?         superadmin.p12 should be imported in your browser, that's your administration certificate.

• 以上過(guò)程如果在linux操作系統(tǒng)運(yùn)行，需要使用帶管理員權(quán)限的賬戶執(zhí)行。

• 停止jboss服務(wù)器。（可以在控制臺(tái)按下CTRL+C）

• 在上一個(gè)控制臺(tái)（執(zhí)行ant bootstrap的控制臺(tái)）執(zhí)行

ant deploy

這個(gè)過(guò)程將重新部署ejbca應(yīng)用程序。并進(jìn)行servlet容器的keystore的配置。

• 重新啟動(dòng)JBOSS服務(wù)器，將%EJBCA_HOME%\p12目錄下的superadmin.p12文件導(dǎo)入到瀏覽器中（默認(rèn)密碼為ejbca）

頁(yè)面[ ]

打開瀏覽器，輸入

http://localhost:8080/ejbca

進(jìn)入公共頁(yè)面，或者輸入

https://localhost:8443/ejbca

進(jìn)入管理員頁(yè)面。頁(yè)面如下：

注意：

1. 可以設(shè)置%JBOSS_HOME%\server\default\conf\log4j.xml中l(wèi)og等級(jí)為ERROR來(lái)減少控制臺(tái)的日志輸出數(shù)量。
2. 網(wǎng)絡(luò)上有很多配置數(shù)據(jù)庫(kù)都需要設(shè)置例如mysql-ds.xml文件，還有拷貝文件到某某目錄之類的，可能是由于版本關(guān)系吧，不需要拷貝也可以實(shí)現(xiàn)。

查看數(shù)據(jù)庫(kù)ejbca，可以看到一些數(shù)據(jù)庫(kù)表已經(jīng)自動(dòng)建立：

參考來(lái)源[ ]

http://read.newbooks.com.cn/info/130101.html