Basics

Purpose

The webdb server provides the web front-end to the world for CAcert's certificate services. It also runs the database with all subscriber data. It communicates with the signer server for submission of certificate signing requests and retrieval of signed certificates, certificate revocation lists and signed PGP keys. This is one of CAcert's critical servers, and is operated under the requirements of the CAcert Security Policy and Security Manual.

Physical Location

The signing server is located on physical machine webdb in the CAcert rack at BIT 2, Ede.

Physical Configuration

The webdb machine contains an Intel Pentium 4 processor running at 1700 MHz, 512 MB of RAM, and two IDE disks of 320 GB each.

Connections

This system has two Ethernet connections: one to the CAcert internal administrative network (172.28.50) and one to the internet switch provided by BIT.

The keyboard, mouse and video monitor ports are normally connected to the CAcert KVM server located elsewhere in the CAcert rack.

The system is also connected by a serial cable and/or USB cable to the signer server. The serial cable is a shielded and crossed RS-232 cable. The USB cable is a USB-Link cable based on the Prolific Technology Inc. PL2501 chipset, which can be found in the USB 2.0 NET Link Cable from EdNet. A custom-developed software module named CommModule is used to transfer controlled data over this link between the webdb server and the signer server.

Applicable Documentation

  1. CommModule - Documentation and Operator Manual (to be put online somewhere)

  2. Security Policy

  3. Security Manual

  4. Disk Encryption

  5. Disk Mirroring

  6. Drive Retirement

Administration

Critical System Administrator Team:

Services

Listening services

| Protocol | Port | Remarks |
|----------|------|---------|
| HTTP | TCP/80 | web server for main CAcert application |
| HTTPS | TCP/443 | web server for main CAcert application in secure mode |
| SSH | TCP/995 | remote system maintenance via alternative port number, only for a limited number of IP sources |
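
One way to check that the host exposes only the listening services documented above is to compare its listening TCP sockets with that list. This is an added example, not part of the original page or of CAcert's tooling; it assumes `ss -Htln` style input, treats loopback-only listeners as not exposed, and uses a constructed sample rather than output from the real server.

```shell
#!/bin/sh
# Added example: compare listening TCP sockets with the documented ports.
# Input format is that of `ss -Htln` (assumption; the page names no tool).

DOCUMENTED_TCP="80 443 995"   # HTTP, HTTPS, SSH on the alternative port

# audit_listeners: reads `ss -Htln` lines on stdin and prints
#   UNEXPECTED <port> <address>  for non-loopback listeners not documented
#   MISSING <port>               for documented ports with no listener
audit_listeners() {
    awk -v allowed="$DOCUMENTED_TCP" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            # Assumption: loopback-only listeners are not reachable from
            # either network, so they are outside the documented list.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (port in want) seen[port] = 1
            else print "UNEXPECTED " port " " addr
        }
        END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print "MISSING " a[i] }
    '
}

# Constructed sample input, not captured from the real server.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
EOF
}

# On a live host: ss -Htln | audit_listeners
# With the sample: sample_listeners | audit_listeners
```

Empty output means the listeners match the documented list; any UNEXPECTED or MISSING line is a deviation to investigate and, if legitimate, to record in this page.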

DNS

External names are:

Internal names are:

Connected Systems

Outbound network connections

| Protocol | Port | Remarks |
|----------|------|---------|
| DNS | UDP/53 + TCP/53 | DNS lookups by main CAcert application and utilities |
| SMTP | TCP/25 | outgoing mail sent by main CAcert application |
| WHOIS | TCP/43 | domain name lookup by main CAcert application |
| HTTP | TCP/80 | web lookups, mainly for system updates |
| NTP | UDP/123 | time synchronization with internet time servers |
| boxbackup | TCP/2201 | only to backup.intern.cacert.org; for on-line backups |

Security

Privileged Access: Critical System Administrators

Other Access: CAcert support engineers

Software installation

The base OS for the signing server is a minimum install of Debian 4.0 (Etch). During the installation, LUKS volume encryption must be activated, as described in Disk Encryption.

The following packages need to be added after performing the base install:

The following packages need to be removed after performing the base install:

NOTE: need to check the above lists against reality

   # aptitude install \
      apt-listchanges apt-show-versions hddtemp hdparm rcs sysv-rc-conf \
      dhcp3-client_ dhcp3-common_ ftp_ nfs-common_ portmap_

The only custom software to be installed is the main CAcert web application. This is found in the CVS tree, currently not public.

Software Configuration

All configuration files should be kept under RCS control wherever possible, i.e. when you want to modify a pristine configuration file, do this:

   # mkdir RCS
   # vi configfile
   # ci -u configfile

Next time you want to change the configuration file, do this:

   # co -l configfile
   # vi configfile
   # ci -u configfile

Common Tasks

Logfile Inspection

Full Backup

Log File Extraction

Password Changes

Planned Changes

[Record planned changes here].

Changelog

All modifications to this system must be logged to the cacert-systemlog mailing list, which is primarily archived here.

