The following describes the server side installation of SignServer:
Before you install SignServer, see the following sections:
Download and Unpack SignServer
Download and unzip the latest SignServer Enterprise Edition from your PrimeKey download area or use the latest SignServer Community Edition release archive from SourceForge.
SignServer is available in the following different distributions:
- signserver-5.x.y-bin.zip: The binary distribution. Recommended.
- signserver-5.x.y.zip: The mixed distribution. Contains the sources and all required libraries. This distribution requires you to build SignServer before deploying, see Optional: Build SignServer.
- signserver-5.x.y-src.tar.gz: The source-only tarball distribution. This distribution cannot be deployed without first gathering all the dependencies and then building it. If you choose this one, you are on your own.
Make sure to compare the checksums as provided on https://signserver.org/download.html, or from a by PrimeKey provided download site.
sha256sum signserver-5.x.y-bin.zip unzip signserver-5.x.y-bin.zip
Alternatively, you can checkout the latest unstable version from the Subversion (SVN) repository. Note that as with the mixed distribution, the latest unstable version needs to be built before deploying.
Optional: Build SignServer
Skip this step if you downloaded the binary distribution (recommended) and proceed to the step Set Environment Variables.
Building SignServer is only required if you chose to download the mixed distribution, or checked out the latest SVN version, and want to build SignServer yourself before copying it to the target server.
To build SignServer, perform the following steps on your build machine.
For example, to install Maven in CentOS 7, run something like the following:
sudo yum install maven
Ensure Secure Maven Installation
Before running Maven (mvn) commands, ensure that you have a secure Maven installation that does not contact the Central repository over insecure HTTP. Ensure that the URL for the Central repository is specified with HTTPS (and/or use an internal repository).
For an example on how to override the default Maven settings in
~/.m2/settings.xml, refer to the
sample-maven-settings-community.xml file provided in your SignServer release. To view the current settings, run:
To set the edition (generating
Build from Sources
To build from the sources, run:
mvn install -DskipTests
Set Environment Variables
Set APPSRV_HOME to point to your application server installation.
To set the APPSRV_HOME environment variable for WildFly 14, for example use:
The APPSRV_HOME variable is used when deploying to the application server and could for example be set in your
.bashrc or similar file, or be provided every time the deploy command is executed.
To set SIGNSERVER_NODEID to a unique ID for the server, use:
The SIGNSERVER_NODEID variable should be available to the application server and might need to be set in
/etc/environment or similar. The variable is generally not mandatory but if not set, warnings will be printed in the log.
signserver_deploy.properties includes configuration settings for the application, database, and web services.
conf/signserver_deploy.properties and open it for editing in a text editor.
cp conf/signserver_deploy.properties.sample conf/signserver_deploy.properties
If using a database other than MySQL and MariaDB, update the property
database.name. The following shows the default value, used for both MySQL and MariaDB:
SignServer Without Database
You can choose to install SignServer without a database management system and instead rely on SignServer to manage persistence using local files, see SignServer without Database.
To run SignServer without a database, set database.name to nodb in the
signserver_deploy.properties file :
Set the location for the local file-based database:
Ensure to specify a path to a location where SignServer can write files. The default value is empty. If a relative path is used, it is most likely relative to the application server's working directory. The directory should either point to an existing SignServer file database, or be completely empty. If the directory is empty, SignServer will create the initial database structure at startup.
Audit Log Signing Properties
The file databaseprotection.properties includes configuration for audit log signing and verification that can be used in Enterprise Edition when running with database.
conf/databaseprotection.properties and open it for editing in a text editor.
cp conf/databaseprotection.properties.sample conf/databaseprotection.properties
For information on how to configure for signed audit logs in the database, see Signed log.
Custom Configuration Outside of Installation Directory
To ease upgrades and allow keeping your configurations from a version to another, you can now store your SignServer configurations in a
signserver-custom folder outside of the SignServer home directory. Your configuration files placed in the
signserver-custom folder will override the corresponding files found in the
SIGNSERVER_HOME directory before executing an ant command.
To maintain changes in for example the
signserver_deploy.properties file, that includes settings for the application, database, and web services, create a
signserver-custom folder and copy the
signserver_deploy.properties file to this folder:
mkdir -p ../signserver-custom/conf cp conf/signserver_deploy.properties.sample ../signserver-custom/conf/signserver_deploy.properties
Later when upgrading SignServer, the signserver_deploy.properties file does not need to be copied to the new directory.
bin/ant deploy to build the configuration and deploy it to the selected application server:
Make sure the application server is running and verify that SignServer was deployed correctly.
For example, look at the server log or for WildFly, run:
ls /opt/wildfly/standalone/deployments | grep signserver.ear*
Verify Installation and Access SignServer
To verify your SignServer installation, access one of the available user interfaces.
To verify that SignServer is deployed and to access links to documentation and so on, point your web browser to http://localhost:8080/signserver.
To test the access to the server and print the deployed version, run the following Admin CLI command:
bin/signserver getstatus brief all Current version of server is: SignServer EE 5.0.0
For more information, see Administration CLI.
To access the SignServer Admin Web, point your web browser to http://localhost:8080/signserver/adminweb.
To temporarily allow all valid client certificates to administer the Administration Web, run the following:
bin/signserver wsadmins -allowany
For more information, see Administration Web.