Basics
Purpose
The webdb server provides the web front-end to the world for CAcert's certificate services. It also runs the database with all subscriber data. It communicates with the signer server for submission of certificate signing requests and retrieval of signed certificates, certificate revocation lists and signed PGP keys. This is one of CAcert's critical servers, and is operated under the requirements of the CAcert Security Policy and Security Manual.
Physical Location
The signing server is located on physical machine webdb in the CAcert rack at BIT 2, Ede.
Physical Configuration
The webdb machine contains an Intel Pentium 4 processor running at 1700 MHz, 512 MB of RAM, one SATA disk of 160 GB and two PATA disks of 320 GB each.
Connections
This system has two Ethernet connections, one to the CAcert internal administrative network (172.28.50) and one to the internet switch provided by BIT.
The keyboard, mouse and video monitor connections are normally connected to the CAcert KVM server located elsewhere in the CAcert rack.
The system is also connected by a serial cable and/or USB cable to the signer server. The serial cable is a shielded and crossed RS-232 cable. The USB cable is a USB-Link cable based on the Prolific Technology Inc. PL2501 chipset, which can be found in the USB 2.0 NET Link Cable from EdNet. A custom-developed software module named CommModule is used to transfer controlled data over this link between the webdb server and the signer server.
Applicable Documentation
CommModule - Documentation and Operator Manual (to be put online somewhere)
Administration
Critical System Administrator Team:
- Wytze van der Raay
- Mendel Mobach
(to be added after completing background check: Stefan Kooman)
Services
Listening services
Protocol | Port | Remarks |
HTTP | TCP/80 | web server for main CAcert application |
HTTPS | TCP/443 | web server for main CAcert application in secure mode |
SSH | TCP/995 | remote system maintenance via alternative port number, only for a limited # of IP sources |
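One way to check a running host against the listening-services table above, as an added example (not part of the original page or of CAcert's own tooling): the function reads `netstat -ltun` output and reports every non-loopback listener that is not in the documented list. The sample output is constructed, and treating loopback-only sockets as out of scope is an assumption.

```shell
#!/bin/sh
# Added example: audit listening sockets against the documented table.
# Allowlist copied from the "Listening services" table on this page.
ALLOWED="tcp/80 tcp/443 tcp/995"

# Reads `netstat -ltun` style lines on stdin and prints each non-loopback
# listener (as proto/port) that is missing from $ALLOWED, sorted and unique.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)        # fold tcp6/udp6 into tcp/udp
            # UDP has no LISTEN state; a TCP row must be in LISTEN to count
            if (proto == "tcp" && $6 != "LISTEN") next
            addr = $4
            port = addr; sub(/^.*:/, "", port)      # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Assumption: sockets bound only to loopback are out of scope
            if (host ~ /^127\./ || host == "::1") next
            key = proto "/" port
            if (!(key in ok)) print key
        }' | sort -u
}

# Constructed sample output (not captured from the real webdb host).
# portmap on port 111 is used because this page lists it for removal.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a live host use: netstat -ltun | unexpected_listeners
sample_netstat | unexpected_listeners
```

Empty output means the host matches the documented table; any line printed is a listener to either document or shut down.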
DNS
External names are:
- www.cacert.org
- secure.cacert.org
- tverify.cacert.org
Internal names are:
- hlin.intern.cacert.org
- www.intern.cacert.org
Connected Systems
Outbound network connections
Protocol | Port | Remarks |
DNS | UDP/53 + TCP/53 | DNS lookups by main CAcert application and utilities |
SMTP | TCP/25 | outgoing mail sent by main CAcert application |
WHOIS | TCP/43 | domain name lookup by main CAcert application |
HTTP | TCP/80 | web lookups, mainly for system updates |
NTP | UDP/123 | time synchronization with internet time servers |
boxbackup | TCP/2201 | only to backup.intern.cacert.org; for on-line backups |
Security
Privileged Access: Critical System Administrators
Other Access: CAcert support engineers
Software installation
The base OS for the signing server is a minimum install of Debian 4.0 (Etch). During the installation, LUKS volume encryption must be activated, as described in Disk Encryption.
The following packages need to be added after performing the base install:
- apt-listchanges
- apt-show-versions
- hddtemp
- hdparm
- rcs
- sysv-rc-conf
- a whole lot more to be documented later ...
The following packages need to be removed after performing the base install:
- dhcp3-client
- dhcp3-common
- ftp
- nfs-common
- portmap
NOTE: need to check the above lists against reality
# aptitude install \
    apt-listchanges apt-show-versions hddtemp hdparm rcs sysv-rc-conf \
    dhcp3-client_ dhcp3-common_ ftp_ nfs-common_ portmap_
The only custom software to be installed is the main CAcert web application. This is found in the CVS tree, currently not public.
Software Configuration
All configuration files should be kept under RCS control wherever possible, i.e. when you want to modify a pristine configuration file, do this:
# mkdir RCS
# vi configfile
# ci -u configfile
Next time you want to change the configuration file, do this:
# co -l configfile
# vi configfile
# ci -u configfile
Common Tasks
Logfile Inspection
Full Backup
Log File Extraction
Password Changes
Planned Changes
[Record planned changes here].
Changelog
All modifications to this system must be logged to the cacert-systemlog mailing list, which is primarily archived here.