Sudo-less Installation and Operation

This section addresses differences when CORE software has to be used in non-privileged mode.

Sudo-less Server

Sudo-less Server Quickstart on Linux

In the following example, we create a CORE system with one partition and one RSA key.

  1. On EP and Partner (note a):

    Create two sub-directories in the user's home directory.

    Replicate the RPM repository:

    cp /var/lib/rpm/* ~/UbRPM/

    Obtain the CORE server installation package using sftp or scp:

    <sftp | scp > <path to the distribution source>

    Install CORE in the CORE base (~/Ub) directory:

    rpm -ivh --prefix ~/Ub --dbpath ~/UbRPM ./ekm-<version>.x86_64.rpm

    Add the following to the ~/.bashrc file and source it:

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:~/Ub/usr/lib64
    export PATH=$PATH:~/Ub/usr/bin/
    export DY_CONF_HOME=~/Ub/etc/

    source ~/.bashrc

  2. Bootstrap the software.

    On EP (note b):

    ~/Ub/opt/ekm/bin/ekm_boot_ep.sh -s ep1:8443 -p partner1:8443 -w <pwd> -f

    On Partner:

    ~/Ub/opt/ekm/bin/ekm_boot_partner.sh -s partner1:8443 -p ep1:8443 -f

  3. On EP and Partner: start the EKM (Enterprise Key Management, the previous name of the product) service on the Partner and Aux servers.

    ~/Ub/etc/init.d/ekm start

  4. On EP: make sure that the system is up and running.

    ucl server test

    Continue using UCL (Unbound Command Language) or jump to Step 7 to switch to the UI.

  5. Create a CORE partition "test" (note c).

    sudo ucl partition create -p test --so_password Password2! -w Password1!

  6. Create and display an RSA key.

    ucl generate -t rsa --name rsa1 -p test
    ucl show --name rsa1 -p test

  7. Disable the requirement to present a client certificate for using the UI (note d).

    ucl system-settings set -k no-cert -v 1 -w Password1!

  8. On the workstation:

    https://ep1


Sudo-less Server Software Upgrade

To upgrade a server that was installed in a user's folder, follow these steps:

  1. Obtain the required software version and store it in your home directory.

    Note
    An upgrade of the CORE server software resets Java and Tomcat configuration files to their default settings.
    To preserve your changes, if any, copy and save the following files:
    - ~/Ub/opt/ekm/conf/log4j.xml
    - ~/Ub/opt/ekm/conf/server.xml

  2. Run the standard RPM upgrade procedure, referring to the folders used for the initial CORE server installation:

    rpm -Uvh --prefix ~/Ub --dbpath ~/UbRPM ./ekm-<version>.rpm

  3. Check that the process is completed with the following messages:
    Starting EKM // ... truncated ... tomcat started. EKM started

Sudo-less Server Operation

  • Service control: to start, stop, restart, or probe the status of the EKM service, use:

    ~/Ub/etc/init.d/ekm <start | stop | restart | status>

  • To run CORE Admin scripts:
    • Prefix each script with its path ~/Ub/opt/ekm/bin/<script>.
    • If a script has the -o option (to specify server port), the use of -o 8443 is mandatory.

Sudo-less Client

Sudo-less Client Installation

Perform the following steps:

  1. Create two subdirectories in a user's home directory:
  2. Replicate the main RPM repository:

    cp /var/lib/rpm/* ~/UbRPM/

  3. Run the rpm -ivh installer program, specifying the path to the root installation:

    Syntax:

    rpm -ivh
    --prefix <path to the root of the installation>
    --dbpath <path to the private RPM repository>
    ekm-client-<version>-RHES.x86_64.rpm

    Example:

    rpm -ivh --prefix ~/Ub --dbpath ~/UbRPM \
    ./ekm-client-2.0.1806.26380-RHES.x86_64.rpm

  4. Update environment variables. Add the following to the ~/.bashrc file and source it:

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:~/Ub/usr/lib64
    export PATH=$PATH:~/Ub/usr/bin/
    export DY_CONF_HOME=~/Ub/etc/

    source ~/.bashrc

  5. Configure the servers attribute in the client configuration:

    Important
    Refer to the CORE server port 8443.

    vi ~/Ub/etc/ekm/client.conf

    #url of entry point
    servers=ep1:8443
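
A post-install check for the client tree set up above, added here as an example and not taken from the CORE documentation: it lists group- or world-writable paths under the install prefix (which LD_LIBRARY_PATH and PATH now trust) and any servers entry that is not on port 8443. The function names, the comma-separated form of the servers list and the ep2 host are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a sudo-less CORE client tree (function names are hypothetical).

# Print every group- or world-writable file/directory under the prefix.
# Anything listed can be modified by another account, including libraries
# resolved through LD_LIBRARY_PATH=~/Ub/usr/lib64.
loose_paths() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Print each "servers=" entry in client.conf that does not use port 8443.
# Assumption: several entries, if present, are comma-separated.
bad_server_ports() {
    awk -F= '/^[ \t]*servers[ \t]*=/ {
        gsub(/[ \t\r]/, "", $2)
        n = split($2, s, ",")
        for (i = 1; i <= n; i++)
            if (s[i] != "" && s[i] !~ /:8443$/) print s[i]
    }' "$1"
}

# Run both checks; return 0 only when nothing is reported.
audit_client() {
    prefix=${1:-$HOME/Ub}
    conf=$prefix/etc/ekm/client.conf
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    loose=$(loose_paths "$prefix")
    if [ -n "$loose" ]; then
        printf 'writable by group/other:\n%s\n' "$loose"; rc=1
    fi
    bad=$(bad_server_ports "$conf")
    if [ -n "$bad" ]; then
        printf 'servers entries not on port 8443:\n%s\n' "$bad"; rc=1
    fi
    return "$rc"
}

# Constructed demo tree (not a real installation; ep2 is a made-up host).
demo=$(mktemp -d)
mkdir -p "$demo/etc/ekm" "$demo/usr/lib64"
printf '#url of entry point\nservers=ep1:8443, ep2:443\n' > "$demo/etc/ekm/client.conf"
chmod 755 "$demo" "$demo/etc" "$demo/etc/ekm" "$demo/usr"
chmod 644 "$demo/etc/ekm/client.conf"
chmod 777 "$demo/usr/lib64"
audit_client "$demo" || echo "findings reported for the constructed tree"
rm -rf "$demo"
```

Against a real installation, run `audit_client ~/Ub` after sourcing the script with the demo lines removed.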

Sudo-less Client Software Upgrade

To upgrade a server that was installed as specified in Install Server Pair in User's Folder, follow these steps:

  1. Obtain the required software version and store it in your home directory.
  2. Run the standard RPM upgrade procedure, referring to the folders used for the initial CORE server installation:

    rpm -Uvh --prefix ~/Ub --dbpath ~/UbRPM ./ekm-client-<version>.rpm

  3. When upgrading a client from a pre-1801 release, add the system's Root CA certificate to the client's Certificates Folder by running ucl root_ca:

    ucl root_ca -o ~/Ub/etc/ekm/server-ca.cer

  4. Test the upgrade by running the ucl list -p <partition> command.