Suomi.fi-palveluväylä – Security Server installation requirements, Development Environment

1 Purpose of this document

This document lists the technical requirements for an X-Road Security Server (liityntäpalvelin) in the development environment of Suomi.fi-palveluväylä.

2 Key terms

  • Security Server is a standard software component for using the X-Road secure data exchange channel; it ensures that the messages/data mediated through X-Road cannot be forged afterwards and that their integrity can be verified later.
  • X-Road is the legal, organisational and technical environment that enables secure online information exchange between organisations.

3 Software version information

Security server version

  • FI-DEV environment: 6.4-0-201505291153
  • OS version: Ubuntu 14.04 LTS, server install

Server requirements

  • Physical or virtual server
  • 2 CPU cores
  • 2-4 GB of memory (4 GB in production)
  • 40 GB of disk (more is likely needed in production)
  • 1 network interface; a single-leg (one-armed) configuration is preferred
  • An additional network interface for BU, if needed
  • NTP configured (accurate time is required for certificate validation and time stamping)

4 Networking requirements

Inbound ports

From your own internal networks

  • management network IPs: TCP 22, 4000
  • Information systems (adapter server, web server) connections: TCP 80,443

From Internet

  • Communication from the Central Server's security server (86.50.27.68): TCP 5500, 5577
  • Communication from other allowed security servers: TCP 5500, 5577

Outbound ports (relevant if your firewall blocks outbound connections by default)

  • Global configuration fetch from the Central Server (86.50.27.139): TCP 80, 4001
  • Communication to the Central Server's security server (86.50.27.68): TCP 5500, 5577
  • Communication to other allowed security servers: TCP 5500, 5577
  • CA service (86.50.28.70): TCP 80, 443
  • TSA service (86.50.28.69): TCP 80, 443
  • X-Road software download (193.166.3.3): TCP 80
  • Other software download (ppa.launchpad.net, keyserver.ubuntu.com, fi.archive.ubuntu.com, security.ubuntu.com): TCP 80
  • DNS servers: TCP 53 (name resolution normally also needs UDP 53)
  • NTP servers: UDP 123
  • Information system (adapter server, web server) connections: TCP 80, 443

5 How to check whether a particular port is open or closed towards a target host

In the console of your Security Server, give the command

telnet <target host> <port>

For example:

telnet www.csc.fi 80

If you see "Connected to ...", the port is open. If you only see "Trying ..." until the attempt times out, the traffic is being silently dropped somewhere on the path; "Unable to connect to remote host: Connection refused" means the host was reached but nothing accepts connections on that port (or a firewall actively rejects it). In both of the latter cases the port is not open towards that target.

Note that a successful connection only proves TCP reachability; it says nothing about whether the service behind the port works, and UDP ports (NTP) cannot be tested this way.

Keep in mind that your own network may also restrict outbound traffic, so a blocked port is not necessarily blocked at the target's end.
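The same check, scripted so that the whole outbound list from section 4 can be run in one go, as an added example that is not part of this document. The endpoint list is copied from section 4; the function names, the RUN_CHECK environment variable and the use of bash's /dev/tcp in place of telnet are this example's own choices.

```shell
#!/bin/bash
# Added example, not part of the original document: a TCP reachability check for
# the endpoints listed in section 4, run from the security server's console.
# It uses bash's /dev/tcp pseudo-device with a timeout instead of telnet, so it
# also works where the telnet client is not installed. Only TCP is covered; the
# UDP ports (NTP, DNS) cannot be verified this way.

# check_port HOST PORT [TIMEOUT_SECONDS]
# Exit status: 0 = TCP connection opened, 1 = refused/filtered/timed out,
# 2 = invalid host or port (hosts are restricted to names and IPv4 literals
# because they are interpolated into a bash command line).
check_port() {
    h=$1; p=$2; tmo=${3:-5}
    case $h in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
    case $p in ''|*[!0-9]*) return 2 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 2
    if command -v timeout >/dev/null 2>&1; then
        timeout "$tmo" bash -c "exec 3<>/dev/tcp/$h/$p" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$h/$p" 2>/dev/null   # may hang on filtered ports
    fi
}

# check_endpoints reads "host port" lines on stdin (blank lines and '#' comments
# are skipped), prints one result line per endpoint and returns the number of
# endpoints that could NOT be reached.
check_endpoints() {
    failed=0
    while read -r host port _; do
        case $host in ''|\#*) continue ;; esac
        if check_port "$host" "$port"; then
            printf 'OPEN    %s:%s\n' "$host" "$port"
        else
            printf 'BLOCKED %s:%s\n' "$host" "$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Outbound TCP endpoints from section 4 of this document (FI-DEV environment).
dev_outbound_endpoints() {
    cat <<'EOF'
# Global configuration from the Central Server
86.50.27.139 80
86.50.27.139 4001
# Central Server's security server
86.50.27.68 5500
86.50.27.68 5577
# CA and TSA services
86.50.28.70 80
86.50.28.70 443
86.50.28.69 80
86.50.28.69 443
# X-Road software download
193.166.3.3 80
# Ubuntu package sources
fi.archive.ubuntu.com 80
security.ubuntu.com 80
ppa.launchpad.net 80
keyserver.ubuntu.com 80
EOF
}

# The live check runs only when explicitly requested, so that sourcing this file
# or running it on a machine without Internet access does not try to connect out:
#   RUN_CHECK=1 bash check_ports.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    dev_outbound_endpoints | check_endpoints
    echo "unreachable endpoints: $?"
fi
```

Add the IP addresses of the other security servers you have been granted access to as further "host port" lines (ports 5500 and 5577). A BLOCKED result does not tell you which side is filtering; compare with the same check run from a host outside your own network before contacting the Service Support.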

6 Information you should have available before starting installation

The information security policy of your organisation must be followed when storing the information below.

Use the name or abbreviation of the owner organisation in the host part of the security server's name, e.g. vrklp01.csc.fi or csclp01.csc.fi.

Server OS administrator's credentials (root level)

  • User name         _____________________
  • Password          _____________________

Operator of the Service security server (the person who has the rights to change Security Server settings in the web interface)

  • User name         ___________________________
  • Password          ___________________________

Member name (organisation's name) that has been registered into the Service, i.e. the organisation that owns the server: __________________________

You will receive the final registered Member name for your organisation from the Service Support after you have requested that your organisation be connected to the Service.

  • Server owner's Business ID (Y-tunnus), used as the Member code: __________________________
  • Server name, e.g. pv6tvrklp01: _________________________
  • Server FQDN, e.g. pv6tvrklp01.csc.fi: _________________________

The server must have a valid entry in the public domain name service (DNS)

  • Server code, e.g. pv6tvrklp01 (the same as the host part of the server's FQDN): ________________________
  • Server PIN (must consist of eight digits): _________________________

Make sure the PIN is kept in a safe place and that you can find it again later.

The distinguished name of the Sign certificate on the Server

C=FI-DEV, O=GOV, CN=               ________________________

CN is the Business ID (Y-tunnus) of your organization

The Distinguished name of the Auth certificate

C=FIDEV, CN=  _________________________

CN is the server code of the server to be installed e.g. pv6tvrklp01

In case private IP addresses and NAT are used in the installation environment

Server private (IPv4) IP: __________________________

The address must be static.

If DHCP is used, the server must always be given the same address (use a reservation).

Public (IPv4) IP: ______________________

The address must be static.

The private IP should be saved in the /etc/hosts file. Below are the first two lines of the hosts file:

127.0.0.1 localhost

10.10.10.11 pv6tvrklp01 pv6tvrklp01.csc.fi

If only public IP addresses are being used

Public (IPv4) IP of the server: _________________________

The address must be static.

7 Other installation information

Note!

The security server should be protected from all unnecessary network access. In other words, network traffic to and from the security server should be limited to the systems it actually needs:

  • Other security servers (and only those you explicitly grant access to)
  • Adapter servers connected to that particular security server
  • Linked information systems
  • Management systems
  • The Central Server (global configuration fetch)
  • Certificate authority, CA
  • Time stamp authority, TSA

All other connections should be blocked.
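One way to enforce this policy on the Ubuntu host itself, in addition to the perimeter firewall, as an added example that is not part of this document or of the X-Road software: a small generator for an iptables-restore ruleset that allows only the sources and destinations listed in section 4. The management network, the information-system network and the list of allowed security servers are parameters you supply; the addresses in the usage note are RFC 5737 documentation placeholders, not real networks, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original document: generates an iptables-restore
# ruleset implementing the access policy above for the FI-DEV addresses given in
# section 4. Review the output before loading it, and keep a console session open
# while applying a DROP-by-default policy over SSH.
#
# gen_ruleset MGMT_NET INFOSYS_NET [ALLOWED_SS_IP ...]
gen_ruleset() {
    mgmt_net=$1
    infosys_net=$2
    shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management network: SSH and the admin web UI
-A INPUT -s $mgmt_net -p tcp -m multiport --dports 22,4000 -j ACCEPT
# Information systems / adapter servers, both directions
-A INPUT -s $infosys_net -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d $infosys_net -p tcp -m multiport --dports 80,443 -j ACCEPT
# Message exchange with the Central Server's security server
-A INPUT -s 86.50.27.68 -p tcp -m multiport --dports 5500,5577 -j ACCEPT
-A OUTPUT -d 86.50.27.68 -p tcp -m multiport --dports 5500,5577 -j ACCEPT
EOF
    # Message exchange with the other security servers you explicitly allow
    for ss in "$@"; do
        printf '%s\n' "-A INPUT -s $ss -p tcp -m multiport --dports 5500,5577 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -d $ss -p tcp -m multiport --dports 5500,5577 -j ACCEPT"
    done
    cat <<'EOF'
# Global configuration download from the Central Server
-A OUTPUT -d 86.50.27.139 -p tcp -m multiport --dports 80,4001 -j ACCEPT
# CA service and TSA service
-A OUTPUT -d 86.50.28.70 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 86.50.28.69 -p tcp -m multiport --dports 80,443 -j ACCEPT
# X-Road software download
-A OUTPUT -d 193.166.3.3 -p tcp --dport 80 -j ACCEPT
# DNS (UDP is the normal transport; TCP is used for large responses) and NTP
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
# The Ubuntu package mirrors (ppa.launchpad.net, fi.archive.ubuntu.com, ...) are
# hostnames behind changing addresses and are not pinned here: open TCP 80 to
# them during installation and updates, or route apt through a proxy.
COMMIT
EOF
}

# Usage (placeholder networks from RFC 5737):
#   gen_ruleset 192.0.2.0/24 198.51.100.0/24 203.0.113.10 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

The generated file is the standard iptables-save format, so it can be loaded with iptables-restore and persisted with the iptables-persistent package. Run the reachability check from section 5 after loading it to confirm that the required outbound paths still work.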

Version   What was done / changed          Date / person
1.0       Document published in eSuomi     15.09.15 / NP
1.1       Document updated                 09.03.16 / PK

Document identifier (Yksilöintitunnus): JPVT31