X-ROAD 6
Version: 0.2
Doc. ID: IG-SS
| Date | Version | Description | Author |
|---|---|---|---|
| 12.09.2019 | 0.1 | Initial version | Gudvardur Olafsson |
| 01.12.2020 | 0.2 | Topology update, text correction | Gudvardur Olafsson |
The intended audience of this Installation Guide are X-Road Security server system administrators responsible for installing and using X-Road software. The daily operation and maintenance of the security server is covered by its User Guide [UG-SS].
The document is intended for readers with a moderate knowledge of Linux server management, computer networks, and the X-Road working principles.
See X-Road terms and abbreviations documentation [TA-TERMS].
-
[UG-SS] X-Road 6. Security Server User Guide. Document ID: UG-SS
-
[TA-TERMS] X-Road Terms and Abbreviations. Document ID: TA-TERMS.
The security server runs on the following platforms:
- Red Hat Enterprise Linux 7.3 (RHEL7) or newer operating system on a 64-bit platform. The security server software is distributed as .rpm packages through the official X-Road repository at https://artifactory.niis.org/xroad-release-rpm/
- Ubuntu Server 14.04 and 18.04 Long-Term Support (LTS) operating system. See IG-SS for more information.
Note: If run in production environment, RHEL7 install with subscription is recommenend by Icelandic X-Road Operators
Note: The information in empty cells should be determined before the server’s installation, by the person performing the installation.
Caution: Data necessary for the functioning of the operating system is not included.
| Ref | Explanation | |
|---|---|---|
| 1.0 | RHEL7 (v7.3 or newer), 64-bit 2 CPU, 4 GB RAM, 10 GB free disk space |
Minimum requirements |
| 1.1 | https://artifactory.niis.org/xroad-release-rpm | X-Road package repository |
| 1.2 | https://artifactory.niis.org/api/gpg/key/public | The repository key |
| 1.3 | Account name in the user interface | |
| 1.4 | TCP 5500 | Port for inbound connections (from the external network to the security server) Message exchange between security servers |
| TCP 5577 | Port for inbound connections (from the external network to the security server) Querying of OCSP responses between security servers |
|
| 1.5 | TCP 5500 | Ports for outbound connections (from the security server to the external network) Message exchange between security servers |
| TCP 5577 | Ports for outbound connections (from the security server to the external network) Querying of OCSP responses between security servers |
|
| TCP 4001 | Ports for outbound connections (from the security server to the external network) Communication with the central server |
|
| TCP 80 | Ports for outbound connections (from the security server to the external network) Downloading global configuration |
|
| TCP 80,443,8080 | Ports for outbound connections (from the security server to the external network) Most common OCSP and time-stamping services |
|
| 1.6 | TCP 4000 | User interface (local network) |
| 1.7 | TCP 8080 | Information system access points (in the local network) Connections from information systems |
| TCP 8443 | Information system access points (in the local network) Connections from information systems |
|
| 1.8 | Security server internal IP address(es) and hostname(s) | |
| 1.9 | Security server public IP address, NAT address |
The following network diagram is an example of a simple stand-alone Security Server setup. Attention should be paid when configuring the firewall of your Security Server, as misconfigurations (e.g. exposing port 80/tcp to the public internet) can leave your server vulnerable.
Allowing incoming connections from the Monitoring Security Server on ports 5500/tcp and 5577/tcp (reference data: 1.10) is necessary for the X-Road Center to be able to monitor the ecosystem and provide statistics and support for Members.
Caution: The enabling of auxiliary services which are necessary for the functioning and management of the operating system (such as DNS, NTP, and SSH) stay outside the scope of this guide.
| IS IP Address Whitelist | IS - Production | IS test | IS dev |
|---|---|---|---|
| Central Server | 2a06:a101:42::/64 - 176.57.224.0/25 | 2a06:a101:42:abab::/64 - 176.57.224.128/25 | 2a06:a101:42:dede::/64 - 176.57.227.96/27 |
| Central Monitoring Server | 2a06:a101:42::/64 - 176.57.224.0/25 | 2a06:a101:42:abab::/64 - 176.57.224.128/25 | 2a06:a101:42:dede::/64 - 176.57.227.96/27 |
| Managment Security Server | 2a06:a101:42::/64 - 176.57.224.0/25 | 2a06:a101:42:abab::/64 - 176.57.224.128/25 | 2a06:a101:42:dede::/64 - 176.57.227.96/27 |
Minimum recommended hardware parameters:
-
the server’s hardware (motherboard, CPU, network interface cards, storage system) must be supported by RHEL7 in general;
-
a 64-bit dual-core Intel, AMD or compatible CPU; AES instruction set support is highly recommended;
-
2 CPU;
-
4 GB RAM;
-
10 GB free disk space (OS partition), 20-40 GB free disk space (
/varpartition); -
a 100 Mbps network interface card.
Requirements to software and settings:
-
an installed and configured RHEL7 (v7.3 or newer) x86-64 operating system;
-
if the security server is separated from other networks by a firewall and/or NAT, the necessary connections to and from the security server are allowed (reference data: 1.4; 1.5; 1.6; 1.7). The enabling of auxiliary services which are necessary for the functioning and management of the operating system (such as DNS, NTP, and SSH) stay outside the scope of this guide;
-
if the security server has a private IP address, a corresponding NAT record must be created in the firewall (reference data: 1.9).