Comment: Updated for CM 8.1

This article describes how to install Nexus Certificate Manager (CM) server components on Linux.

The CM server comprises several sub-components that can be installed on the same computer or distributed across several computers to obtain higher performance. See this list of CM server components.


Prerequisites


Make sure you have access to the license file before starting the installation.

Step-by-step instruction

Install server components
  1. To make install_server.sh executable, issue this command:
    chmod a+x install_server.sh
  2. Execute install_server.sh.
  3. Enter the full installation path, for example:

    Example: Full installation path

    /opt/cm/server


    Warning

    If CM clients are already installed on this computer, do not install the server in the same directory.


  4. Confirm the path.

  5. Enter the full configuration files path, for example:

    Example: Full configuration file path

    /opt/cm/server


  6. Confirm the path.
  7. Enter the name of the license file.
  8. Confirm the file name.
  9. Enter the number or name of each server component for which you have a license, separated by a space (" "). See this list of CM server components.

    Note

    The CMDB database must already exist and the JDBC component should be included to create the database connection parameters.

    If CF is selected without the CIS component, the CF will automatically be configured to run CIS locally within the CF service. If both the CF and CIS components are selected, CF will be automatically configured to connect to the installed independent CIS service (see Configure the Certificate Factory).


    Warning

    Install all server components at the same time. It is not possible to add new components later. Instead you will have to uninstall existing components before you can reinstall. (See Uninstall CM server components and clients.)

    If you have a license for the functions Key Archive and Recovery or Card Production Manager but are not going to use them, you must set the following parameters in cm.conf:

    CardProductionManager.start=false
    KARFactory.start=false



  10. Select the database engine from the list.
  11. Select the machine where the database is installed. Default is localhost.
  12. Select JDBC port for the database.
  13. Enter the database instance name.
  14. Enter the name of the database CM user. Default is lcmreq.
  15. Enter the password for the lcmreq user.


After the installation

Message after installation

  1. Await a message from the installation program confirming a successful installation. If an error message occurs, correct the indicated error and restart the installation using the shell script setup.sh located in the directory <install_root>/install.
  2. Option: Start CM SNMP monitor: <install_root>/bin/cmsnmp start.

    Note

    If the CM SNMP monitor is installed, set the configuration parameter *.agent.connectToSupervisor to 'true' in the configuration files cis.conf and cm.conf.

    *.agent.connectToSupervisor = true
  3. Start CIS: <install_root>/bin/cis start
  4. Start CF: <install_root>/bin/cf start
  5. Check that the two processes are started and that two instances of the java process are started as well.
  6. Check the log files in <configuration_root>/logs to see that the starting was successful.


Option: Move configuration files

After the installation, it is possible to manually move the configuration files to any other path. Do this before you start any of the CM server components.

  1. Modify each <install_root>/bin/*_launch.conf file and point to a new configuration path:

    Example:
    SERVICEARGUMENTS='-p <new_configuration_path>'


  2. The service user used to run the CM components must have both read and write access rights to the new configuration path.


Executing as a service user

It is recommended to execute the CM services as a separate non-root service user. Do the following:

  1. Make sure the CM services are stopped.
  2. Create the user (for example, useradd cmuser).
  3. Make the service user owner of the directory <install_root>. For example, by issuing the following command:

    chown -R cmuser:cmuser /opt/cm/server/


  4. Update the files <install_root>/bin/*_launch.conf so that they specify a line with SERVICEUSER, for example:

    SERVICEUSER=cmuser

    This can be scripted using a command such as:

    sed -i -e 's/# SERVICEUSER/SERVICEUSER/' /opt/cm/server/bin/*_launch.conf
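
The sed command above only uncomments whatever SERVICEUSER line each file already contains, so it is worth confirming the resulting value before starting the services. The following audit script is an added example, not part of the Nexus documentation or product; the function names are hypothetical, and it assumes the launch files use plain KEY=value lines as shown in this article.

```shell
#!/bin/sh
# Added example: audit <install_root>/bin/*_launch.conf after the steps above.
# Assumption: launch files contain shell-style KEY=value lines, "#" starts a comment.

# Print the effective (last uncommented) SERVICEUSER value of one launch file.
service_user_of() {
    sed -n -e "s/^[[:space:]]*SERVICEUSER=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only if every *_launch.conf names the expected non-root service user
# and nothing under the install root is world-writable.
audit_cm_service_user() {
    root=$1
    expected=$2
    rc=0
    found=0
    for f in "$root"/bin/*_launch.conf; do
        [ -f "$f" ] || continue
        found=1
        user=$(service_user_of "$f")
        if [ -z "$user" ]; then
            echo "FAIL $f: SERVICEUSER not set (line still commented out?)"; rc=1
        elif [ "$user" = "root" ]; then
            echo "FAIL $f: SERVICEUSER is root"; rc=1
        elif [ "$user" != "$expected" ]; then
            echo "FAIL $f: SERVICEUSER=$user, expected $expected"; rc=1
        else
            echo "ok   $f: SERVICEUSER=$user"
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL no *_launch.conf under $root/bin"; rc=1; }
    # World-writable paths would let any local account alter CM binaries or configuration.
    ww=$(find "$root" ! -type l -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "FAIL world-writable paths:"; echo "$ww"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /opt/cm/server cmuser
if [ "$#" -ge 2 ]; then
    audit_cm_service_user "$1" "$2"
fi
```

If the configuration files were moved to a separate path, run the same world-writable check against that path as well.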




Executing as a system service

    The <install_root>/bin/cmservices script can be used to install or remove the CF, CIS and CMSNMP services as system services:

    1. Run the following command:

      <install_root>/bin/cmservices install

      This script can also be used to start, stop or check the status of all services (for example, ./cmservices status).

    2. Start the services:

      service cmsnmp start
      service cis start
      service cf start


    3. Check the log files in <configuration_root>/logs to see that the services started successfully. If not, see the following steps for troubleshooting.
    4. The CM server components will use the first found Java executable available on the $PATH. To use a specific Java version, or if $PATH does not include a directory where Java can be found, you can explicitly specify which Java to use by setting a parameter in <install_root>/bin/*_launch.conf:

      JAVA=/usr/jvm/jdk-default/bin/java


    5. When installing CM services on a system that uses systemd, the default $PATH seen by the systemd service wrappers might not include the expected Java version. If this is the case, invoking, for example, service cis start might not start the service; it will instead be reported as active (exited) by service cis status. To remedy this, see the previous step on how to explicitly set the Java executable to use.



    Related information

    Nexus

    This article is valid from CM 8.1
