In order to start using Roksnet, You will need to set up a Security Server. Security Server provides a secure way to communicate with other members in the network.
Security Servers main roles are to provide authentication and verification of messages, that are transmitted peer to peer between members. Security server also provides access control toward your own information system, if you are a service provider.
Roksnet requires each member to have a unique member code to function. Please send us your information, for us to generate a code for you:
Roksnet security servers are designed to currently run on Ubuntu 20.04 LTS x86-64. Minimum requirements are 4GB of memory and 10GB of drive space.
Ports to open:
TCP 5500 inbound/outbound for message exchange between security servers
TCP 5577 inbound/outbound for OCSP service requests between security servers
TCP 4001 outbound for communication with central servers
TCP 80 outbound for downloading global configuration
TCP 80/443 outbound for communication with time stamping services and OCSP services
TCP 4000 inbound (local) for access to the user interface of the security server
TCP 80/443 inbound/outbound (local) for information system connections
1. Add system user whom all roles in the user interface are granted to:
sudo adduser username
2. Set operating system locale. Add the following line to /etc/environment:
3. Add the address of the X-Road package repository and the nginx repository to the apt repository
sudo apt-add-repository -y "deb https://artifactory.niis.org/xroad-release-deb $(lsb_release -sc)-current main"
4. Add X-Road repository's signing key to the list of trusted keys:
curl https://artifactory.niis.org/api/gpg/key/public | sudo apt-key add -
5. Install the security server software:
sudo apt-get update sudo apt-get install xroad-securityserver
6. During the installation you will be asked to specify the username (added at step 1.) that will be granted the rights to perform all activities in the user interface.
7. The other questions can be answered with their default values as they are detected from the OS.
POST INSTALLATION CHECKS
8. Check if all the processes started. The following services should be running.(process numbers are just an example)
sudo systemctl list-units "xroad*" UNIT LOAD ACTIVE SUB DESCRIPTION xroad-confclient.service loaded active running X-Road confclient xroad-jetty.service loaded active running X-Road Jetty server xroad-monitor.service loaded active running X-Road Monitor xroad-proxy.service loaded active running X-Road Proxy xroad-signer.service loaded active running X-Road signer
Security Servers user interface can be accessed at https://SECURITYSERVER:4000/, where SECURITYSERVER is your security servers IP or DNS name.
To log in, use the account name chosen during the installation. While the user interface is still starting up, the web browser may display the “502 Bad Gateway” error.
1. The first thing the server will ask, is to provide a global configuration anchor file. This file holds the information what ecosystem you are joining and holds the important information about available CAs and TSA services.
Hash (SHA-224): 36:05:49:88:C3:A4:69:C8:C1:0D:23:1C:AF:86:FF:20:2D:1A:27:73:A2:BF:23:65:45:09:1F:E4
Hash (SHA-224): 3A:D4:74:FD:40:01:1B:1A:B5:7D:F3:C9:87:9C:EF:F0:C4:4D:F6:4A:AD:02:C6:63:24:F0:A1:72
2. If the configuration is correctly downloaded (Check ports, if not), the server will ask the following information:
Member Class - The security server owner’s member class (COM for private sector business, GOV for governmental organization and NGO for non-profit organization)
Member Code - The security server owner’s Member Code, that was sent to you by Roksnet.
Security Server Code - Free form
PIN - Software token’s PIN, that is used to get access to the certificates by the server.
Example (demo values used in the example):
If the server prompts a warning, as shown below, this is fine and setup can be continued. This means the Member is not in the global configuration yet.
3. On the top of the page You see warning message that softtoken PIN is not entered. Click on the red message to enter the PIN. You can also reach it using *Keys and Certificate* menu item from the left side.
4. Go to System Parameters section and add a TSA service. All available TSA services will be listed.
5. Start generating keys and certificate requests in the Keys and Certificates view
Security Servers use 2 types of certificates
AUTH certificates for authentication between security servers when initiating a secure TLS channel. AUTH certificates are used 1 per security server.
SIGN certificates for e-Stamps. SIGN certificates are used 1 per Member/User (i.e. organization).
Generate AUTH and SIGN keys by selecting the SoftToken-0 and press GENERATE KEY. Give the key a label and press OK. Your keys should now look similar to this:
6. Generate a CSR for a SIGN certificate by choosing a key and selecting GENERATE CSR. Make sure the Usage: SIGN is selected. If the Common Name (CN) field is empty, please use the Member/User Name in that field.
7. Generate a CSR for an AUTH certificate. Make sure the Usage: AUTH is selected. If the Common Name (CN) field is empty, please use the Member/User Name in that field.
8. After downloading CSRs continue with next step (Send CSR) of these instuctions..Back to top
Once you have received the certificates you should be able to import them in the “Keys and Certificates” view. After importing them, select the AUTH certificate and press “ACTIVATE” and “REGISTER”. Your keys and certificates should now look like this:
Once we have accepted the registration request in the RoksNet User Registry, the OCSP response and status of the AUTH certificate will change to “good, registered”.
The next step would be registering a Subsystem. Select “ADD CLIENT” in the Security Server Clients view.
Select “CONFIRM” in the next prompt.
Once we have accepted the registration request in the RoksNet User Registry, you'll be ready to Consume or Provide User Content Services on RoksNet's ecosystem.