Install SignServer
The following describes the server-side installation of SignServer:
Before you install SignServer, see the following sections:
Download and Unpack SignServer
Download and unzip the latest SignServer Enterprise Edition from your PrimeKey download area or use the latest SignServer Community Edition release archive from SourceForge.
SignServer is available in the following different distributions:
- signserver-5.x.y-bin.zip: The binary distribution. Recommended.
- signserver-5.x.y.zip: The mixed distribution. Contains the sources and all required libraries. This distribution requires you to build SignServer before deploying, see Optional: Build SignServer.
- signserver-5.x.y-src.tar.gz: The source-only tarball distribution. This distribution cannot be deployed without first gathering all the dependencies and then building it. If you choose this one, you are on your own.
Make sure to compare the checksums with those provided on https://signserver.org/download.html, or on a PrimeKey-provided download site.
sha256sum signserver-5.x.y-bin.zip
unzip signserver-5.x.y-bin.zip
Alternatively, you can checkout the latest unstable version from the Subversion (SVN) repository. Note that as with the mixed distribution, the latest unstable version needs to be built before deploying.
Optional: Build SignServer
Skip this step if you downloaded the binary distribution (recommended) and proceed to the step Set Environment Variables.
Building SignServer is only required if you chose to download the mixed distribution, or checked out the latest SVN version, and want to build SignServer yourself before copying it to the target server.
To build SignServer, perform the following steps on your build machine.
Install Maven
For example, to install Maven in CentOS 7, run something like the following:
sudo yum install maven
Ensure Secure Maven Installation
Before running Maven (mvn) commands, ensure that you have a secure Maven installation that does not contact the Central repository over insecure HTTP. Ensure that the URL for the Central repository is specified with HTTPS (and/or use an internal repository).
For an example on how to override the default Maven settings in ~/.m2/settings.xml, refer to the sample-maven-settings-community.xml file provided in your SignServer release. To view the current settings, run:
mvn help:effective-settings
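The point of the check above is that any repository or mirror reached over plain HTTP lets a network attacker substitute build dependencies. As an added example (not from the SignServer release or its sample-maven-settings-community.xml), the script below writes a constructed settings file that routes Central through an explicit mirror and then scans a settings file, or the saved output of `mvn help:effective-settings`, for `<url>` values that still use `http://`.

```shell
#!/bin/sh
# Added example, not SignServer's own tooling: flag plain-HTTP repository or
# mirror URLs in a Maven settings file. Returns 0 when none are found,
# 1 (listing the offenders) when at least one is, 2 when the file is missing.
check_maven_settings_https() {
    settings="$1"
    [ -f "$settings" ] || { echo "no such file: $settings" >&2; return 2; }
    # Extract every <url>...</url> value; grep -o prints only the matched text.
    insecure=$(grep -o '<url>[^<]*</url>' "$settings" \
        | sed 's/<url>//; s,</url>,,' \
        | grep -i '^http://' || true)
    if [ -n "$insecure" ]; then
        echo "plain-HTTP repository URLs in $settings:" >&2
        echo "$insecure" >&2
        return 1
    fi
    return 0
}

# Constructed sample settings.xml (an assumption for this example, not a file
# shipped with SignServer) that forces Central through one explicit mirror.
# The second argument selects the URL scheme so both outcomes can be exercised.
write_sample_settings() {
    cat > "$1" <<EOF
<settings>
  <mirrors>
    <mirror>
      <id>central-secure</id>
      <mirrorOf>central</mirrorOf>
      <url>$2://repo.maven.apache.org/maven2</url>
    </mirror>
  </mirrors>
</settings>
EOF
}
```

To check what Maven will actually use rather than only the file on disk, save the effective settings first (`mvn help:effective-settings > effective.xml`) and run `check_maven_settings_https effective.xml`; the log prefixes Maven adds around the XML do not affect the `<url>` extraction.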
Set Edition
To set the edition (generating res/edition.properties), run:
bin/ant init
Build from Sources
To build from the sources, run:
mvn install -DskipTests
Set Environment Variables
APPSRV_HOME
Set APPSRV_HOME to point to your application server installation.
To set the APPSRV_HOME environment variable for WildFly 14, for example, use:
export APPSRV_HOME=/opt/wildfly-14.0.1.Final
The APPSRV_HOME variable is used when deploying to the application server and could for example be set in your .bashrc or similar file, or be provided every time the deploy command is executed.
SIGNSERVER_NODEID
To set SIGNSERVER_NODEID to a unique ID for the server, use:
export SIGNSERVER_NODEID=node1
The SIGNSERVER_NODEID variable should be available to the application server and might need to be set in /etc/environment or similar. The variable is generally not mandatory but if not set, warnings will be printed in the log.
Configure Deployment
Deployment Properties
The file signserver_deploy.properties includes configuration settings for the application, database, and web services.
Copy conf/signserver_deploy.properties.sample to conf/signserver_deploy.properties and open it for editing in a text editor.
cp conf/signserver_deploy.properties.sample conf/signserver_deploy.properties
If using a database other than MySQL or MariaDB, update the property database.name. The following shows the default value, which is used for both MySQL and MariaDB:
database.name=mysql
SignServer Without Database
You can choose to install SignServer without a database management system and instead rely on SignServer to manage persistence using local files, see SignServer without Database.
To run SignServer without a database, set database.name to nodb in the signserver_deploy.properties file:
database.name=nodb
Set the location for the local file-based database:
database.nodb.location=/opt/signserver/nodb
Ensure to specify a path to a location where SignServer can write files. The default value is empty. If a relative path is used, it is most likely relative to the application server's working directory. The directory should either point to an existing SignServer file database, or be completely empty. If the directory is empty, SignServer will create the initial database structure at startup.
mkdir /opt/signserver/nodb
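The paragraph above lists the conditions the location must meet: a non-empty, absolute path to a directory SignServer can write, which is either empty or already holds a SignServer file database. The following added example (not SignServer's own tooling) reads database.name and database.nodb.location from a properties file and checks those conditions before bin/ant deploy is run; the prop helper and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not SignServer's own tooling: sanity-check the no-database
# settings in conf/signserver_deploy.properties before deploying.
# Returns 0 when a DBMS is configured or nodb is usable, 1 when nodb is
# selected but the location is empty, relative, missing or not writable.

# prop <file> <key>: value of "key=value", ignoring surrounding whitespace.
# Dots in the key are escaped so "database.name" matches only that key.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_nodb_config() {
    file="$1"
    name=$(prop "$file" database.name)
    if [ "$name" != "nodb" ]; then
        echo "database.name=$name: a DBMS is used, nothing to check here"
        return 0
    fi
    loc=$(prop "$file" database.nodb.location)
    if [ -z "$loc" ]; then
        echo "database.nodb.location is empty (the sample default); set it" >&2
        return 1
    fi
    case "$loc" in
        /*) ;;
        *)  echo "database.nodb.location '$loc' is relative and would resolve" \
                 "against the application server's working directory; use an absolute path" >&2
            return 1 ;;
    esac
    if [ ! -d "$loc" ]; then
        echo "$loc does not exist; create it (mkdir -p '$loc') before deploying" >&2
        return 1
    fi
    if [ ! -w "$loc" ]; then
        echo "$loc is not writable by $(id -un); SignServer must be able to write there" >&2
        return 1
    fi
    # Both states are valid; the message tells the operator which one applies.
    if [ -n "$(ls -A "$loc")" ]; then
        echo "$loc is not empty: it must already hold a SignServer file database"
    else
        echo "$loc is empty: SignServer will create the initial structure at startup"
    fi
    return 0
}
```

Typical use is `check_nodb_config conf/signserver_deploy.properties` from the SignServer directory; run it as the account the application server runs under, since that is the account whose write access matters.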
Audit Log Signing Properties
The file databaseprotection.properties includes configuration for audit log signing and verification that can be used in Enterprise Edition when running with a database.
Copy conf/databaseprotection.properties.sample to conf/databaseprotection.properties and open it for editing in a text editor.
cp conf/databaseprotection.properties.sample conf/databaseprotection.properties
For information on how to configure for signed audit logs in the database, see Signed log.
Deploy SignServer
Run bin/ant deploy to build the configuration and deploy it to the selected application server:
bin/ant deploy
Make sure the application server is running and verify that SignServer was deployed correctly.
For example, look at the server log or, for WildFly, run:
ls /opt/wildfly/standalone/deployments | grep 'signserver.ear'
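The directory listing above works because the WildFly deployment scanner leaves marker files next to the archive: signserver.ear.deployed on success, signserver.ear.failed (containing the error text) on failure, and signserver.ear.isdeploying or signserver.ear.pending while it is still working. The following added example (not part of the SignServer documentation) turns that listing into a check with a distinct exit code per state; the default directory is derived from APPSRV_HOME as set earlier on this page.

```shell
#!/bin/sh
# Added example, not SignServer's own tooling: read the WildFly deployment
# scanner marker files to tell whether signserver.ear deployed.
# Returns 0 deployed, 1 failed (reason printed), 2 still in progress,
# 3 no marker at all.
# Usage: check_wildfly_deployment [deployments-dir] [ear-name]
check_wildfly_deployment() {
    dir="${1:-${APPSRV_HOME:-/opt/wildfly}/standalone/deployments}"
    ear="${2:-signserver.ear}"
    if [ -f "$dir/$ear.deployed" ]; then
        echo "$ear is deployed"
        return 0
    elif [ -f "$dir/$ear.failed" ]; then
        # WildFly writes the deployment error into the .failed marker.
        echo "$ear FAILED to deploy; reason recorded by WildFly:" >&2
        cat "$dir/$ear.failed" >&2
        return 1
    elif [ -f "$dir/$ear.isdeploying" ] || [ -f "$dir/$ear.pending" ]; then
        echo "$ear is still being deployed; check again or watch the server log" >&2
        return 2
    else
        echo "no marker for $ear in $dir; was bin/ant deploy run against this server?" >&2
        return 3
    fi
}
```

Run `check_wildfly_deployment` after bin/ant deploy; a non-zero result means the Public Web and Admin CLI checks that follow will not work yet, and the .failed marker text is the first place to look.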
Verify Installation and Access SignServer
To verify your SignServer installation, access one of the available user interfaces.
Public Web
To verify that SignServer is deployed and to access links to documentation and so on, point your web browser to http://localhost:8080/signserver.
Administration CLI
To test the access to the server and print the deployed version, run the following Admin CLI command:
bin/signserver getstatus brief all
Current version of server is: SignServer EE 5.0.0
For more information, see Administration CLI.
Administration Web
To access the SignServer Admin Web, point your web browser to http://localhost:8080/signserver/adminweb.
To temporarily allow all valid client certificates to administer the Administration Web, run the following:
bin/signserver wsadmins -allowany
For more information, see Administration Web.