MTG Mini-CA System Configuration

Context path and port number of the application

The application includes an embedded Tomcat web server that is accessible via the AJP protocol from an Apache web server. The application has its own AJP port number and context path, as follows:

Application   Port number   Context path
Mini-CA       8805          mini-ca

The port numbers must be defined inside the worker.properties file.
Example for the Mini-CA application: worker.mini-ca.port=8805

Heap Size

The application is started with a defined heap size. The heap size is set in the /etc/opt/mtg-kms-server directory. The following table lists, for each application, the file where the heap size is set and the configured sizes.

Application   File                      Maximum heap size   Initial Java heap size
Mini-CA       mtg-minica.service.conf   -Xmx128M            -Xms128M

The heap size must be adapted to your requirements in mtg-minica.service.conf.

Configuration Files

There are always two configuration files: application.properties for the Java application and logback.xml for the log configuration.

During the initial installation the application.properties and logback.xml are pre-set with default values copied from the corresponding configuration templates. All values have to be checked and if required, changed to their appropriate values.

The default configuration templates are stored in the /etc/opt/<Application> directory.

After an update installation, the package management may place a newer version of the configuration files beside your existing ones. Always compare your existing configuration files with the new version. If an update requires additional or changed parameters, those have to be added manually to the existing configuration files. Please also check the package release notes for such additional or changed parameters.
Parameters in configuration files are always case-sensitive!

Configuration of the MTG Mini-CA

Application Configuration

The Mini-CA is a standalone Java-Application.

The application.properties of the Mini-CA is located in:

/etc/opt/mini-ca/application.properties

The following parameters (name and description) are defined in this file:

tomcat.ajp.maxThreads

The maximum number of request processing threads to be created, which therefore determines the maximum number of simultaneous requests that can be handled.

tomcat.ajp.minSpareThreads

The minimum number of threads always kept running.

tomcat.ajp.processorCache

The protocol handler caches Processor objects to speed up performance. This setting dictates how many of these objects get cached.

tomcat.ajp.secretRequired

If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. The default value is false.

tomcat.ajp.secret

Only requests from workers with this secret keyword will be accepted. The default value is null. This attribute must be specified with a non-null, non-zero length value if secretRequired is explicitly configured to be true. Match the secret to the worker.<worker.list.name>.secret defined in worker.properties (see the mod_jk configuration).

spring.datasource.url

JDBC URL of the DBMS. Default (PostgreSQL): jdbc:postgresql://localhost:5432/<db-name>

Please insert the valid URL for your database.

spring.datasource.username

DBMS username. Default is minica.

spring.datasource.password

DBMS password. Default is minica.

spring.jpa.hibernate.ddl-auto

DB DDL generation feature. Default is validate.

spring.jpa.database-platform

Can be left empty for most databases. Must be set to de.mtg.minica.dialects.MtgOracleSQLDialect for Oracle.

minica.admin.username

Admin username for the MTG Mini-CA. Default is admin.

minica.admin.password

MTG Mini-CA Admin password used for BasicAuth. Password must be hashed using BCrypt. Required.

minica.client.username

Client username for the MTG Mini-CA. Default is client.

minica.client.password

Client password used for BasicAuth. Password must be hashed using BCrypt. Required.

minica.hsm.encryption.aes-key

Key for encrypting the HSM user's credentials in the database. A 32-byte key, supplied as a base64-encoded string, is recommended. Required.

minica.hsm.keystore.password

Password for encrypting the Software HSM’s keystores. Required.

jwt.secret

The secret used to sign all issued JWTs.
Should be a 64-byte, base64-encoded string (e.g. vZlGndzDd1SnVCplF1lrJJ+ftdEt9WCa8tRjVOh7iJq9+hMCj8bNi/FBX/i/FZwBA43Y9z5/Mivmfmn58l0Lkg==).

jwt.expiration

JWT expiration duration in ISO 8601 duration format (e.g. P1D).

spring.flyway.enabled

If this attribute is true, Flyway is enabled for automatic database migrations. The default value is true.

spring.flyway.locations

The locations for Flyway to scan for migration scripts (Default: classpath:flyway/migration/{vendor}, the vendor placeholder is replaced automatically).

management.elastic.metrics.export.enabled

If set to true, metrics are sent to an OpenSearch server. It can be left empty.

management.elastic.metrics.export.host

Specifies the URL where the OpenSearch server can be accessed. It can be left empty.

management.elastic.metrics.export.user-name

Specifies the user who has access to the OpenSearch server. It can be left empty.

management.elastic.metrics.export.password

Specifies the password of the user of the OpenSearch server. It can be left empty.

metrics.client.truststore.path

The location of a keystore file containing certificates that are used to verify the TLS connection to Keycloak. This can be used to overwrite the default Java CA truststore.

metrics.client.truststore.password

The password for the truststore. Must be set if metrics.client.truststore.path is set.

metrics.client.truststore.type

The format of the truststore (see property metrics.client.truststore.path). Valid values are JKS, JCEKS or PKCS12. Must be set if metrics.client.truststore.path is set.

BCrypt

In order to configure a password for the admin (minica.admin.password) and the client (minica.client.password) inside application.properties, the password must be hashed using BCrypt. The htpasswd command from the Apache installation can be used with the following command line:

/usr/local/apache2/bin/htpasswd -bnBC 10 "" <password to be hashed> | tr -d ':\n' | sed 's/$2y/$2a/'

Secrets encoded as Base64 strings

The AES key (minica.hsm.encryption.aes-key) and the JWT secret (jwt.secret) can be generated with the following openssl commands:

  • minica.hsm.encryption.aes-key (32 bytes): openssl rand -base64 32
  • jwt.secret (64 bytes): openssl rand -base64 64
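The rules above (BCrypt-hashed admin and client passwords, a 32-byte AES key and a 64-byte JWT secret as base64, and an AJP secret that is required and identical to the worker's secret in worker.properties) can be checked before the service is started. The following validator is an added example written for this page; it is not part of the MTG Mini-CA software or its documentation. It parses two constructed property files embedded inline; the function names, the sample values and the placeholder hash are assumptions made for the example.

```python
"""Sanity checks for the Mini-CA secrets and the AJP worker binding.

Added example, not MTG code. Applies the rules this page states for
application.properties and the mod_jk worker.properties. Sample inputs
below are constructed for the example and are not real configurations.
"""
import base64
import binascii
import re
import secrets

# Constructed sample of /etc/opt/mini-ca/application.properties.
# The admin hash is only a format sample, not a real credential.
APP_PROPS = """
tomcat.ajp.secretRequired=true
tomcat.ajp.secret=change-me-to-a-random-value
spring.datasource.username=minica
spring.datasource.password=minica
minica.admin.username=admin
minica.admin.password=$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
minica.client.username=client
minica.client.password=plaintext-not-allowed
minica.hsm.encryption.aes-key=dG9vLXNob3J0
jwt.secret=vZlGndzDd1SnVCplF1lrJJ+ftdEt9WCa8tRjVOh7iJq9+hMCj8bNi/FBX/i/FZwBA43Y9z5/Mivmfmn58l0Lkg==
"""

# Constructed sample of the mod_jk worker.properties on the Apache side.
WORKER_PROPS = """
worker.list=mini-ca
worker.mini-ca.type=ajp13
worker.mini-ca.host=localhost
worker.mini-ca.port=8805
worker.mini-ca.secret=change-me-to-a-random-value
"""

# Shape of a BCrypt hash as written by htpasswd -B after the $2y -> $2a rewrite:
# $2a$<cost>$<22 chars salt + 31 chars hash>
BCRYPT_RE = re.compile(r"^\$2[ab]\$\d{2}\$[./A-Za-z0-9]{53}$")


def parse_properties(text):
    """Minimal key=value parser; keys stay case-sensitive, as the page requires."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def decoded_length(value):
    """Byte length of a base64 string, or -1 if it is not valid single-line base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return -1


def generate_secret(n_bytes):
    """Same result as `openssl rand -base64 N`, but always on a single line."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def check_config(app_text, worker_text, worker_name="mini-ca"):
    """Return a list of findings; an empty list means every rule on this page holds."""
    app = parse_properties(app_text)
    worker = parse_properties(worker_text)
    findings = []

    # Admin and client passwords must be BCrypt hashes, never plaintext.
    for key in ("minica.admin.password", "minica.client.password"):
        if not BCRYPT_RE.match(app.get(key, "")):
            findings.append(f"{key}: must be a BCrypt hash, not a plaintext password")

    # Base64 secrets must decode to exactly the documented lengths.
    if decoded_length(app.get("minica.hsm.encryption.aes-key", "")) != 32:
        findings.append("minica.hsm.encryption.aes-key: must decode to 32 bytes")
    if decoded_length(app.get("jwt.secret", "")) != 64:
        findings.append("jwt.secret: must decode to 64 bytes")

    # The AJP connector should only accept workers that present the shared secret.
    if app.get("tomcat.ajp.secretRequired") != "true":
        findings.append("tomcat.ajp.secretRequired: should be true so unauthenticated workers are refused")
    ajp_secret = app.get("tomcat.ajp.secret", "")
    if not ajp_secret:
        findings.append("tomcat.ajp.secret: must be a non-empty value")
    elif ajp_secret != worker.get(f"worker.{worker_name}.secret"):
        findings.append(f"tomcat.ajp.secret: does not match worker.{worker_name}.secret in worker.properties")

    # The documented default database password must not survive into production.
    if app.get("spring.datasource.password") == "minica":
        findings.append("spring.datasource.password: still the documented default")
    return findings


if __name__ == "__main__":
    for finding in check_config(APP_PROPS, WORKER_PROPS):
        print("FAIL:", finding)
    print("fresh AES key :", generate_secret(32))
    print("fresh JWT key :", generate_secret(64))
```

Run against the constructed sample, the validator reports the plaintext client password, the short AES key and the default database password, while the 88-character JWT secret from this page passes the 64-byte check. One caveat the length check also catches: openssl wraps its base64 output at 64 characters, so the 88-character output of `openssl rand -base64 64` spans two lines and must be joined into one line before it is placed in application.properties.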

Apache Configuration

The Apache Configuration page contains information on the configuration of the Apache httpd-server.

Encryption

For the SSL connection between the MTG KMS components and external software, a certificate is required. The configuration of the SSL certificate, with private key and chain, is contained in the Apache configuration.

System monitoring

General

For checking the Mini-CA, the following endpoint is provided, which can be reached via the following URL:

  • <base URL>/actuator/health

Access to this endpoint is not further secured.

Health Endpoint

For checking the Mini-CA, an endpoint is provided that can be reached via the following URL:

  • <base URL>/actuator/health

An example call would be in the browser:

or with curl:

If the Mini-CA is accessible, an HTTP response with HTTP/1.1 200 OK and the following JSON structure is returned:

{
  "status": "UP"
}
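A monitoring probe should treat only the combination described above, HTTP 200 plus a JSON body whose status is UP, as healthy, and report every other outcome (a different status code, a non-JSON body, or a status such as DOWN) with a reason. The following probe is an added example written for this page, not part of the MTG software; the base URL, the timeout and the function names are assumptions.

```python
"""Health probe for the Mini-CA actuator endpoint.

Added example, not MTG code. Calls <base URL>/actuator/health and evaluates
the reply as this page describes: HTTP 200 plus {"status": "UP"} is healthy,
everything else is reported with a reason.
"""
import json
import sys
import urllib.error
import urllib.request


def evaluate_health(status_code, body):
    """Return (healthy, reason) for a status code and response body."""
    if status_code != 200:
        return False, f"unexpected HTTP status {status_code}"
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError, UnicodeDecodeError):
        return False, "response body is not valid JSON"
    status = payload.get("status") if isinstance(payload, dict) else None
    if status == "UP":
        return True, "UP"
    return False, f"application reports status {status!r}"


def probe(base_url, timeout=5.0):
    """GET the health endpoint; network failures use the same (healthy, reason) shape."""
    url = base_url.rstrip("/") + "/actuator/health"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate_health(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # A non-200 reply may still carry a JSON body; it is evaluated the same way
        # and ends up reported as unhealthy because of the status code.
        return evaluate_health(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, TimeoutError, OSError) as exc:
        return False, f"request failed: {exc}"


if __name__ == "__main__":
    # Assumed base URL for the example; pass the real one as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://localhost/mini-ca"
    healthy, reason = probe(base)
    print("OK" if healthy else "FAIL", reason)
    sys.exit(0 if healthy else 1)
```

The exit code makes the script usable directly from a monitoring system: 0 only when the Mini-CA answered exactly as documented, 1 otherwise.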