Configure Intune EJBCA Connector Server

The following sections cover how to configure the Intune EJBCA Connector Server.

Launch AWS Ubuntu Instance

Note the following prerequisites for launching the AWS Ubuntu instance for the Intune EJBCA Connector:

  • Use the same AWS Virtual Private Cloud (VPC) as the EJBCA Enterprise Cloud instance.
  • Use an Amazon Ubuntu 18.04 Linux instance.
  • Add AWS security group rules for the following. Only port 443 (Nginx) is meant to be reachable from the Internet; port 8080 serves Tomcat and its Manager application without TLS, so keep 8080 and 8443 limited to the admin IP and never open them to the Internet:
    • 443 access from the Internet
    • Allow access from the VPC
    • Allow 8080 access from an admin IP
    • Allow 8443 access from an admin IP

For more information on Amazon Virtual Private Cloud (Amazon VPC) and Security groups, refer to the EJBCA Cloud AWS Launch Guide section VPC and Security Group.

Install Applications

Follow the steps outlined below to install the applications:

Install Java 8 JDK

First, update all packages on the system to be current:

sudo apt update
sudo apt upgrade

Confirm whether Java 8 is installed or not:

java -version

Install the Java 8 JDK if required:

sudo apt install openjdk-8-jdk

Confirm that Java is installed by running the following:

java -version

Install Tomcat 7

Tomcat 7 is used to run the Intune EJBCA Connector application. Follow these steps to install and configure Tomcat.

  • Create Tomcat Group and User:
sudo useradd -r -m -U -d /opt/tomcat -s /bin/false tomcat
  • Download Apache Tomcat 7. The version and mirror path below were current when this was written; check the Apache download page and adjust the URL if a newer 7.0.x release is available, and use the same version number in the symlink step further down:
wget http://apache.mirrors.ionfish.org/tomcat/tomcat-7/v7.0.96/bin/apache-tomcat-7.0.96.tar.gz -P /tmp
  • Extract the archive to the /opt/tomcat directory:
sudo tar xf /tmp/apache-tomcat-7*.tar.gz -C /opt/tomcat
  • To support multiple versions of Tomcat, create a sym link to /opt/tomcat/latest:
sudo ln -s /opt/tomcat/apache-tomcat-7.0.96 /opt/tomcat/latest
  • Update permissions and owner:
sudo chown -RH tomcat: /opt/tomcat/latest
sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'
  • Create a systemd service file. Update the JAVA_HOME variable if you are using a different version of Java. The java.security.egd option in JAVA_OPTS points the JDK's SecureRandom at /dev/urandom so that Tomcat does not stall at startup waiting for entropy; if catalina.out still reports that creating a SecureRandom instance took many seconds, use the spelling file:/dev/./urandom, which sidesteps the JDK's special handling of the plain /dev/urandom path.
sudo nano /etc/systemd/system/tomcat.service
  • Paste the following contents into this file:
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
  • Reload the systemd daemon and start Tomcat service:
sudo systemctl daemon-reload
sudo systemctl start tomcat
  • Check the Tomcat service status:
sudo systemctl status tomcat
  • Enable Tomcat to start at boot:
sudo systemctl enable tomcat
  • Configure Tomcat users by editing /opt/tomcat/latest/conf/tomcat-users.xml:
sudo nano /opt/tomcat/latest/conf/tomcat-users.xml
  • Add the following lines above </tomcat-users>. Replace the password with a strong one of your own: the Manager and Host Manager applications can deploy arbitrary code into Tomcat, and this user holds both roles, so an example value such as admin/admin must not survive into production:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="admin" password="<strong-password>" roles="admin-gui,manager-gui"/>
  • Restart the tomcat service:
sudo systemctl restart tomcat
  • Test logging into the Manager user interface by browsing to http://<public-ip>:8080/manager/html with the user name admin and the password you set. This connection is plain HTTP, so only use it from the admin IP allowed in the security group.

Install Nginx

Nginx provides the TLS reverse proxy in front of the Intune EJBCA Connector application: it terminates TLS on port 443 with the web server certificate created below and forwards requests to Tomcat on 127.0.0.1:8080.

  • To install Nginx with apt, run the following:
sudo apt install nginx
  • To confirm that Nginx is running, use:
sudo systemctl status nginx

Install Gradle

Gradle is used to compile the Intune EJBCA Connector.

To install Gradle, run the following:

sudo apt install gradle

Clone the Intune EJBCA Connector Git

To clone the Intune EJBCA Connector git, run the following:

cd /opt
sudo git clone https://github.com/agerbergt/intune-ejbca-connector.git

Create Certificates and Key Stores

To create the certificates, keys, and keystores that will be used when configuring the applications, follow the steps outlined in the following sections.

Create an Intune EJBCA Data Directory

  1. Create an Intune EJBCA data directory:

    sudo mkdir /opt/intune-ejbca-connector-data/
  2. Copy the certificate files to /opt/intune-ejbca-connector-data/. This assumes the files used in the following sections (superadmin.p12, managementca.crt, root.pem and issuing.pem) were uploaded to the ubuntu user's home directory and that nothing else is in it:

    sudo cp /home/ubuntu/* /opt/intune-ejbca-connector-data/

Create a Web Server Certificate and Java Key Store

This web server certificate is used by Nginx for TLS termination and, through the Java keystore created here, by the Intune EJBCA Connector SCEP service.

  1. Generate a new key pair and keystore. keytool prompts for a keystore password and for the subject DN; answer as shown below, giving the FQDN of your AWS instance's public IP DNS name as the "first and last name". The commands in this section run from the data directory:

    cd /opt/intune-ejbca-connector-data/
    
    sudo keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore intune-ejbca-connector-chain.jks

    #Enter keystore password:  changeit
    #Re-enter new password: changeit
    #What is your first and last name?
    #  [Unknown]:  <fqdn of intune ejbca connector server public ip dns>
    #What is the name of your organizational unit?
    #  [Unknown]:  Website Security
    #What is the name of your organization?
    #  [Unknown]:  Corporation
    #What is the name of your City or Locality?
    #  [Unknown]:  San Mateo
    #What is the name of your State or Province?
    #  [Unknown]:  California
    #What is the two-letter country code for this unit?
    #  [Unknown]:  US
    #Is <fqdn>, OU=Website Security, O=Corporation, L=San Mateo, ST=California, C=US correct?
    #  [no]:  yes
    #
    #Enter key password for <tomcat> <press return>
    #        (RETURN if same as keystore password):
  2. Generate a certificate request, entering the keystore password when prompted. TLS clients match the host name against the certificate's subjectAltName rather than the CN, so unless your EJBCA profiles add the name themselves, append -ext SAN=dns:<fqdn> to this command so that the request carries it (the end entity profile must allow a DNS Name alternative name for the CA to honour it):

    sudo keytool -certreq -keyalg RSA -alias tomcat -file intune-ejbca-connector-chain.csr -keystore intune-ejbca-connector-chain.jks
  3. Access the RA Web in one of the following ways:
    • In the EJBCA Administration GUI, select RA Web.
    • Access the RA Web directly at https://<EJBCA FQDN>/ejbca/ra/
  4. In the EJBCA RA Web, click Make New Request.
  5. In the Select Request Template Certificate Type field, select SslServerProfile.
  6. In the CA field, select Corporate Issuing CA - G1.
  7. Select the Key-pair generation option Provided by user option.
  8. Copy the contents of the /opt/intune-ejbca-connector-data/intune-ejbca-connector-chain.csr file to the Upload CSR text box, and then click Upload CSR.

  9. Click Download PEM to enroll the certificate and download the newly created certificate file.
  10. Rename the downloaded file to <FQDN>.pem.
  11. Copy the certificate file to the /opt/intune-ejbca-connector-data/ directory on the Intune EJBCA Connector AWS instance. The remaining steps run from that directory.
  12. Import the Corporate Root CA - G1 certificate into the intune-ejbca-connector-chain.jks keystore, and answer yes when asked whether to trust it. The CA certificates must be in the keystore before the server certificate: keytool treats an import under the tomcat alias (which already holds the private key) as a certificate reply and rejects it with "Failed to establish chain from reply" if it cannot build the chain from the keystore or the JDK cacerts file:

    sudo keytool -import -alias root -keystore intune-ejbca-connector-chain.jks -trustcacerts -file /opt/intune-ejbca-connector-data/root.pem
  13. Import the Corporate Issuing CA - G1 certificate into the intune-ejbca-connector-chain.jks keystore:

    sudo keytool -import -alias intermediate -keystore intune-ejbca-connector-chain.jks -trustcacerts -file /opt/intune-ejbca-connector-data/issuing.pem
  14. Import the web server certificate as the reply for the tomcat key entry. Replace <fqdn>.pem with the name of your certificate file; keytool reports "Certificate reply was installed in keystore" on success:

    sudo keytool -import -alias tomcat -keystore intune-ejbca-connector-chain.jks -trustcacerts -file /opt/intune-ejbca-connector-data/<fqdn>.pem
  15. Create the PEM chain file Nginx serves, with the server certificate first and the issuing CA certificate after it. Replace <fqdn>.pem with the name of your certificate file. The redirection overwrites the file, so re-running the step cannot append duplicate certificates:

    sudo sh -c 'cat <fqdn>.pem issuing.pem > intune-ejbca-connector-chain.pem'
  16. Export the Intune EJBCA Connector web server private key from the intune-ejbca-connector-chain.jks keystore for Nginx:

    1. Convert the tomcat entry to a PKCS#12 file:

      sudo keytool -importkeystore -srckeystore intune-ejbca-connector-chain.jks -srcstorepass changeit -srckeypass changeit -srcalias tomcat -destalias tomcat -destkeystore intune-ejbca-connector-chain.p12 -deststoretype PKCS12 -deststorepass changeit -destkeypass changeit
    2. Export the key, entering the password "changeit" when prompted. -nodes writes the key unencrypted, which is what Nginx needs, so the resulting .key file (and the .p12 next to it) must be readable by root only; files created with sudo are world-readable by default.

      sudo openssl pkcs12 -in intune-ejbca-connector-chain.p12 -nodes -nocerts -out intune-ejbca-connector-chain.key
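Before handing the chain file and key to Nginx and the JKS to the connector, it pays to confirm that the pieces actually fit together: that the server certificate chains to the root through the issuing CA, that the exported key belongs to that certificate, that the certificate names the connector's FQDN, and that the chain file starts with the server certificate. The following shell script is an added example, not part of the EJBCA documentation or of the intune-ejbca-connector project; it uses only the openssl command line. Its function names are its own, the file names in the usage comment follow this section, and <fqdn> is a placeholder.

```shell
#!/bin/sh
# Added example: pre-flight checks for the web server certificate material created above.
# Not part of the EJBCA documentation or the intune-ejbca-connector project; uses only the
# openssl CLI. Function names are this example's own; file names follow the section above.

# cert_subject FILE: subject of the first certificate in FILE (x509 commands read only that one).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# build_chain LEAF ISSUING OUT: server certificate first, then the issuing CA, which is the
# order Nginx expects in ssl_certificate. Overwrites OUT so a re-run cannot append duplicates.
build_chain() {
  cat "$1" "$2" > "$3"
}

# chain_starts_with_leaf CHAIN LEAF: Nginx serves the first certificate in the file as the
# server certificate, so a chain assembled in the wrong order fails every TLS handshake.
chain_starts_with_leaf() {
  [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ]
}

# verify_chain LEAF ISSUING ROOT: the same path validation a SCEP or browser client performs.
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert LEAF KEY: the public key embedded in the certificate must equal the one
# derived from the exported private key, otherwise the wrong keystore alias was exported.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_covers_name LEAF FQDN: clients match the host name against subjectAltName, not the CN,
# so the issued certificate must carry the connector's FQDN as a DNS name.
cert_covers_name() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:${esc}(,|[[:space:]]|$)"
}

# check_connector_tls LEAF ISSUING ROOT KEY FQDN CHAIN_OUT: run all checks, write the chain
# file, and return non-zero on the first failure so the call can gate an Nginx reload.
check_connector_tls() {
  leaf=$1; issuing=$2; root=$3; key=$4; fqdn=$5; out=$6
  verify_chain "$leaf" "$issuing" "$root" || { echo "FAIL: $leaf does not validate to $root via $issuing"; return 1; }
  key_matches_cert "$leaf" "$key" || { echo "FAIL: $key is not the private key for $leaf"; return 1; }
  cert_covers_name "$leaf" "$fqdn" || { echo "FAIL: $leaf has no subjectAltName DNS:$fqdn"; return 1; }
  build_chain "$leaf" "$issuing" "$out"
  chain_starts_with_leaf "$out" "$leaf" || { echo "FAIL: $out does not start with the server certificate"; return 1; }
  echo "OK: $out is ready for ssl_certificate, $key for ssl_certificate_key"
}

# Usage, from /opt/intune-ejbca-connector-data (replace <fqdn>):
#   check_connector_tls <fqdn>.pem issuing.pem root.pem intune-ejbca-connector-chain.key <fqdn> intune-ejbca-connector-chain.pem
```

Run it as root after step 16 and only reload Nginx when it prints OK; a FAIL on the first check usually means the wrong CA certificate was downloaded as root.pem or issuing.pem, and a FAIL on the second that the PKCS#12 export used an alias other than tomcat.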

Create the EJBCA Superadmin Java Key Store

The EJBCA Superadmin Java Key Store holds the client certificate and key the Intune EJBCA Connector presents to authenticate to the EJBCA Web Service interface.

  • When prompted for the source keystore password, enter the AWS Instance ID of the EJBCA Cloud instance; that is the password set on superadmin.p12. Use the same value as the destination password, because it is what goes into keystorePassword in the connector configuration later on. Omitting -deststorepass makes keytool prompt for it instead, which keeps the value out of the shell history and the process list.
sudo keytool -importkeystore -srckeystore /opt/intune-ejbca-connector-data/superadmin.p12 -srcstoretype pkcs12 -destkeystore /opt/intune-ejbca-connector-data/superadmin.jks -deststoretype jks -deststorepass <EJBCA Cloud AWS Instance ID>

Create the EJBCA ManagementCA Java Key Store

The EJBCA ManagementCA Java Key Store is the truststore the Intune EJBCA Connector uses to validate the EJBCA server's TLS certificate when it connects to the Web Service interface; it contains only the ManagementCA certificate, no private key.

  • Use the password changeit (it is referenced as truststorePassword in the connector configuration) and type yes to trust the certificate when prompted:
sudo keytool -import -alias ManagementCA -keystore /opt/intune-ejbca-connector-data/managementca.jks -file /opt/intune-ejbca-connector-data/managementca.crt

Configure Applications

Follow the steps outlined in the sections below to configure applications.

Configure Nginx

  1. Create the Intune EJBCA Connector site file in the Nginx sites-available directory:

    sudo nano /etc/nginx/sites-available/intune-ejbca-connector
  2. Copy the following into the file. Replace <fqdn> with the server's FQDN. The ssl_protocols line drops TLS 1.0 and 1.1, which the Ubuntu 18.04 nginx.conf defaults still allow; the proxy_set_header lines pass the original host, client address and scheme to Tomcat for logging and for any component that honours X-Forwarded-* headers (Tomcat itself only does so with its RemoteIpValve enabled):

    server {
       listen 443 ssl;
       server_name <fqdn>;
    
       ssl_certificate      /opt/intune-ejbca-connector-data/intune-ejbca-connector-chain.pem;
       ssl_certificate_key  /opt/intune-ejbca-connector-data/intune-ejbca-connector-chain.key;
       ssl_protocols        TLSv1.2 TLSv1.3;
    
       location / {
         proxy_pass         http://127.0.0.1:8080;
         proxy_set_header   Host              $host;
         proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Proto $scheme;
       }
    }
  3. Remove the Nginx sites-enabled/default symlink:

    sudo unlink /etc/nginx/sites-enabled/default 
  4. Create a new symlink /etc/nginx/sites-enabled/default pointing at /etc/nginx/sites-available/intune-ejbca-connector:

    sudo ln -s /etc/nginx/sites-available/intune-ejbca-connector /etc/nginx/sites-enabled/default 
  5. Test the configuration:

    sudo nginx -t
  6. Restart Nginx:

    sudo systemctl restart nginx

Configure Intune EJBCA Connector

  1. Configure /etc/intune-ejbca-connector.yml:

    sudo nano /etc/intune-ejbca-connector.yml
    1. Add the following configuration to the file. Replace everything within "< >". The keystore and truststore paths and passwords must be the ones used when creating the keystores above (note that the truststore file is managementca.jks), and the EJBCA names under profile must match the CA, certificate profile and end entity profile names in EJBCA exactly, including spaces and hyphens:

      intune:
          tenant: <Intune Tenant Name>
          appId: <Intune third party CA API ID>
          appKey: <Intune third party CA API key>
      
      ejbca:
          serviceName: EJBCA 7.1.0
          serviceUrl: https://<AWS EJBCA Instance private ip dns FQDN>/ejbca/ejbcaws/ejbcaws?wsdl
          keystorePath: /opt/intune-ejbca-connector-data/superadmin.jks
          keystorePassword: <AWS Instance ID of the EJBCA Cloud Instance>
          truststorePath: /opt/intune-ejbca-connector-data/managementca.jks
          truststorePassword: changeit
      scep:
          keystorePath: /opt/intune-ejbca-connector-data/intune-ejbca-connector-chain.jks
          keystorePassword: changeit
      
      profile:
          certificateAuthority: Corporate Issuing CA - G1
          certificateProfile: Corporate Workstation Certificate Profile
          endEntityProfile: Corporate Workstation EE Profile
          baseDN: OU=Intune,O=Stress1,C=US
  2. Make tomcat the owner of /etc/intune-ejbca-connector.yml. The file contains the Intune API key and the keystore passwords in clear text, so it should be readable by that user only (mode 600) rather than world-readable, which is what a file created with sudo nano is by default:

    sudo chown tomcat:tomcat /etc/intune-ejbca-connector.yml
  3. Create db directory owned by Tomcat service:

    sudo mkdir /opt/intune-ejbca-connector-db
    sudo chown tomcat:tomcat /opt/intune-ejbca-connector-db
  4. Modify the intune-ejbca-connector application.yml file to move the production H2 database file from ./prodDb, a path relative to Tomcat's working directory, to the directory created in the previous step:

    sudo nano /opt/intune-ejbca-connector/grails-app/conf/application.yml 
  5. Locate the production dataSource. The last line in the next sample is the default configuration, shown as an example:

    environments:
        development:
            <...>
        test:
            <...>
        production:
            dataSource:
                dbCreate: none
                url: jdbc:h2:./prodDb;MVCC=TRUE;LOCK_TIMEOUT=10000;DB_CLOSE_ON_EXIT=FALSE
    
  6. Change the last line in the example above to the absolute path of the database directory (a relative ./opt/... path would only work by accident, because systemd starts Tomcat with / as its working directory):

    url: jdbc:h2:/opt/intune-ejbca-connector-db/prodDb;MVCC=TRUE;LOCK_TIMEOUT=10000;DB_CLOSE_ON_EXIT=FALSE
  7. Compile the Intune EJBCA Connector application. The Gradle wrapper downloads the Gradle release the project pins along with the build dependencies, so the instance needs outbound Internet access for this step:

    cd /opt/intune-ejbca-connector
    sudo ./gradlew build
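At this point /opt/intune-ejbca-connector-data holds the Java keystores, the PKCS#12 file and the unencrypted Nginx key created in the certificate section above, and /etc/intune-ejbca-connector.yml holds the Intune API key and keystore passwords, all at the default permissions of files created with sudo (readable by every account on the host). The following shell script is an added example, not part of the EJBCA documentation or the connector project; it applies the ownership and modes implied by the steps above and then audits that no secret-bearing file is still world-readable. It assumes the tomcat service account created earlier and that Nginx reads its key as root; ROOT_USER, SVC_USER and SVC_GROUP can be overridden to dry-run it elsewhere.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation or the connector project: lock down the
# files on this host that hold private keys or passwords, then audit that none of them is
# readable by "other". Assumptions (overridable for a dry run on another machine):
#   - the Tomcat service runs as user/group "tomcat", created earlier on this page;
#   - Nginx reads the PEM key as root at startup, so root-only access is enough for it.
: "${ROOT_USER:=root}"
: "${SVC_USER:=tomcat}"
: "${SVC_GROUP:=tomcat}"

# harden_secrets DATA_DIR [CONFIG_FILE]
harden_secrets() {
  dir=$1
  cfg=$2
  # Directory: the service group may traverse it (750); public certificates inside stay readable.
  chown "$ROOT_USER:$SVC_GROUP" "$dir" && chmod 750 "$dir" || return 1
  for f in "$dir"/*.jks "$dir"/*.p12; do
    [ -e "$f" ] || continue
    # Java keystores are opened by the connector inside Tomcat: root-owned, group-readable.
    chown "$ROOT_USER:$SVC_GROUP" "$f" && chmod 640 "$f" || return 1
  done
  for f in "$dir"/*.key; do
    [ -e "$f" ] || continue
    # The unencrypted PEM key exported with "openssl pkcs12 -nodes" is for Nginx (root) only.
    chown "$ROOT_USER" "$f" && chmod 600 "$f" || return 1
  done
  if [ -n "$cfg" ] && [ -e "$cfg" ]; then
    # The YAML holds the Intune API key and keystore passwords in clear text; Tomcat reads it.
    chown "$SVC_USER" "$cfg" && chmod 600 "$cfg" || return 1
  fi
}

# exposed_secrets DATA_DIR [CONFIG_FILE]: print every secret-bearing file that is still
# world-readable; return 0 when there is none, 1 otherwise, so it can gate a deployment.
exposed_secrets() {
  dir=$1
  cfg=$2
  found=$( {
    find "$dir" -type f \( -name '*.jks' -o -name '*.p12' -o -name '*.key' \) -perm -004
    if [ -n "$cfg" ] && [ -e "$cfg" ]; then find "$cfg" -perm -004; fi
  } 2>/dev/null )
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Usage on the connector host (as root):
#   harden_secrets /opt/intune-ejbca-connector-data /etc/intune-ejbca-connector.yml
#   exposed_secrets /opt/intune-ejbca-connector-data /etc/intune-ejbca-connector.yml && echo "no exposed secrets"
```

The audit deliberately ignores the .pem, .crt and .csr files: they contain only public material and Nginx and keytool need to read them, so tightening them gains nothing.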

Deploy Intune EJBCA Connector

Building the Intune EJBCA Connector application creates a WAR file under build/libs. Tomcat deploys a WAR copied into its webapps directory automatically (autoDeploy is on by default) and uses the file name without .war as the context path, so the application becomes available under /intune-ejbca-connector-1.1/. 

  1. To deploy the WAR file, run:

    sudo cp /opt/intune-ejbca-connector/build/libs/intune-ejbca-connector-1.1.war /opt/tomcat/latest/webapps/
  2. Test by using a browser to access https://<fqdn>/intune-ejbca-connector-1.1/

Troubleshooting

To troubleshoot the startup of the Intune EJBCA Connector, refer to the following information.

Tomcat Log file

Location: /opt/tomcat/latest/logs/catalina.out

Intune EJBCA Connector Tomcat App Log File

Location: /opt/tomcat/latest/logs/intune-ejbca-connect.log

Intune EJBCA Connector GitHub

Additional debug logging help is available at the Intune EJBCA Connector GitHub on https://github.com/agerbergt/intune-ejbca-connector.