How to deploy CoCCA

9 August 2018 | Categories: 【Domain names】, 【Technology】

【Conclusion】

It appears that http://wiki.cocca.org.nz/ no longer resolves, so the latest CoCCA software package cannot be obtained; only the documentation could be recovered from Google's cache.

After talking to the CoCCA developers: CoCCA is currently only made available to TLD managers registered with IANA, and requires either a commercial contract or a public-interest assistance arrangement.

Garth Miller, who is in charge of CoCCA SRS, suggested starting with the FRED system instead:

If you are only studying for research purposes and want to test EPP, WHOIS, RDAP and so on, I suggest you try https://fred.nic.cz/. Quite a few TLDs have also chosen it as their domain management system.

The CoCCA code on SourceForge is very old and has a number of RFC-compliance problems. It is not recommended for learning or for production use. The new version of CoCCA has been almost completely rewritten.

Conclusion: the three-day CoCCA investigation comes to an end? At least PostgreSQL/phpPgAdmin got set up.

Reference: http://amon.org/fred

【Introduction】

CoCCA stands for the Council of Country Code Administrators. Founded in 2004, CoCCA is an internet infrastructure support company jointly formed by a number of ccTLD management organisations.

The registry software they build and maintain is the most widely deployed ccTLD registry solution in the industry. CoCCA SRS is currently used by 54 ccTLDs and 6 gTLDs.

CoCCA software can be hosted by CoCCA or deployed on-premises.

CoCCA offers commercial support, including training, hosting, data migration, failover, disaster recovery and dispute resolution services.

【Source code】

Download: https://sourceforge.net/projects/coccaopenreg/
Version: latest release v2.6.16; publicly available release v2.2.9

Download: https://wiki.cocca.org.nz/mediawiki/index.php/CoCCA_SRS_Software
Version: latest, but the site is inaccessible.

Component: CoCCA registry development kit CoCCAtools-v2.2.9.zip
Download: https://master.dl.sourceforge.net/project/coccaopenreg/CoCCA%20Registry%20-%20Stable/V2.2.9/CoCCAtools-v2.2.9.zip

Component: CoCCA registrar development kit CoCCARegistrarTools-v1.1.2_Production.zip & CoCCARegistrarSRC-v1.1.2.zip & RegistrarInstall_v1.1.2.pdf
Download: https://master.dl.sourceforge.net/project/coccaopenreg/CoCCA%20Registrar%20Package/Registrar_v1.1.2_Production/CoCCARegistrarTools-v1.1.2_Production.zip

【Installation】

Prerequisites

1. PostgreSQL 8.1 or later

Reference: http://amon.org/postgresql
Reference: http://amon.org/phppgadmin

2. Java 1.5 or later

Reference: http://amon.org/java

3. Resin 3.1.1 or later

Reference: http://amon.org/resin

Download and unpack

wget https://master.dl.sourceforge.net/project/coccaopenreg/CoCCA%20Registry%20-%20Stable/V2.2.9/CoCCAtools-v2.2.9.zip && unzip CoCCAtools-v2.2.9.zip

Notes on Security

In a production environment the registry should be behind a firewall and the registry database should be on an internal network.

* The firewall should only allow access from a known IP via ports 700 and 443 for EPP registrars, and 443 only for registrars using only the GUI. A combination of a hardware appliance and the OS firewall is recommended. The database server should only allow connections from the EPP and backup servers.

* Registrars using the GUI should be provided with two-factor authentication keys.

Only trusted parties should have access to the registry via secure certificates, trusted IPs and a user name and password PLUS two-factor authentication for GUI access. If you only grant access to a handful of trusted parties with whom you have a contract or who are accredited, security is simply addressed. Make sure the client accounts and registry staff have the correct level of access to avoid any accidental bulk changes / deletions.

If you have a registrar that is "hacking" or creating other mischief you really have a problem. We use best practice in designing the code and subscribe to and check all releases against http://www.scanalert.com/ for known issues or coding flaws.

Automated incremental backups every 10-15 minutes as well as a full daily backup to a backup server are highly recommended. CoCCA offers an off-site backup server to members if they wish to use this facility. Grabbing a "snapshot" each time you do the zone generation is also not a bad idea.

Regularly update the OS and the registry code. Aotea makes updates available once a month or more to members, mostly to add features but also to address any security issues that have been identified.

Database preparation

1. Create two databases, one for a dns server and one for the main registry functionality. I’ll use epp and pdns for the names respectively. From a terminal window on a *nix system, you can try

createdb epp
createdb pdns

2. Create the pdns role if it doesn’t exist. The SQL statement for this is

create role pdns;

Binary File Installation

EPP Server

We assume a directory structure like that in the download. If it is not the same, paths will need to be changed where applicable.

1. Edit the configuration file (CoCCAtools/EPP Server/epp/conf/epp.conf.xml).
   1. The db-object-pool element will need to be changed to connect to the database created previously.
   2. The secure-store element will need to be changed to use your keystore.
   3. Set up the classpath to include all files in the lib directory.
   4. Start the server (from the command line):

      java -server -Xmx512m cx.cocca.epp.EppServer conf/epp.conf.xml > log/epp.log

      where conf/epp.conf.xml is the configuration file and log/epp.log is the log file. We've provided a script, CoCCAtools/EPP Server/epp/epp-run.sh, that sets the classpath and starts the server.

2. Web Interface
   1. Configure Resin to use SSL.
      1. Create a keystore file. The following command (run from the command line) is sufficient. When asked for your first and last name, give the domain name you will be using for the site.

         keytool -genkey -keyalg RSA -keystore server.keystore

      2. Add the following to the $RESIN_HOME/conf/resin.conf file. If you are using a basic Resin setup, add it beneath the tag. Change the path and password to the location of the server.keystore file you just created and the password you provided while creating the keystore file respectively. (The XML element names were lost in the captured page and are restored here from Resin's configuration schema; only the values jks, the keystore path and the password survive from the original.)

         <jsse-ssl>
           <key-store-type>jks</key-store-type>
           <key-store-file>path/server.keystore</key-store-file>
           <password>password</password>
         </jsse-ssl>

   2. Configure the registry application to recognize the EPP server's SSL certificate. You will not need to do this if you've replaced the EPP server's keystore with one containing a valid SSL certificate provided by a Certificate Authority (Thawte, Verisign, etc.).
      1. Add the following to the $RESIN_HOME/conf/resin.conf file. Add them anywhere beneath the resin tag, but not in a place enclosed by another tag.

         [the two configuration lines are missing from the captured page]

         Edit the path in the second line to wherever the cocca.tools.keystore is located on your machine ("path to CoCCATools"/EPP Server/epp/cert/cocca.tools.keystore).

   3. Edit the resin.conf file to include database elements similar to the following. You can put these elements inside a specific enclosing element, or just before it (the element names given for this in the original were lost; see sample_resin.conf in the download). The XML element names below are restored from Resin's configuration schema; the values are the original ones.

         <database>
           <jndi-name>jdbc/registry</jndi-name>
           <driver type="org.postgresql.Driver">
             <url>jdbc:postgresql://localhost/epp</url>
             <user>postgres</user>
             <password>pass</password>
           </driver>
         </database>

         <database>
           <jndi-name>jdbc/pdns</jndi-name>
           <driver type="org.postgresql.Driver">
             <url>jdbc:postgresql://localhost/pdns</url>
             <user>postgres</user>
             <password>pass</password>
           </driver>
         </database>

      The url, user, and password elements will need to be changed to connect to the databases you've set up. The jndi-name elements must be kept the same.
   4. Add the PostgreSQL driver to the server's lib directory:

         cp CoCCAtools/Web\ App/lib/dependencies/postgresql-8.2-506.jdbc3.jar $RESIN_HOME/lib

   5. Deploy the provided registry.war file. This can be done by placing it in the resin_home/webapps directory.
   6. Start Resin.
   7. Log in to the application (at https://localhost/registry/index.jsp, replacing localhost with the name of the server you installed it on). You'll be asked to give the information necessary to run the system. Once that is complete, you'll be up and running!

If you have questions concerning the changes to the resin.conf file, please look at the sample_resin.conf included in the download. Specifically, look at the lines enclosed by the following:
********************** Begin – required for CoCCATools *****************
… and …
********************** End – required for CoCCATools *******************

【Certificates】

Generating the SSL certificate used for EPP connections with Java's keystore tool

CoCCA uses Java's keystore tool (keytool) for its SSL deployment; a certificate is required for both web access and EPP access.

Verified: https://epp.whois.ai/login.jsp uses the certificate authority thawte DV SSL CA – G2.

Step 1: create the keystore, generate a CSR and send it to the certificate authority.

Certificates are created and managed with Java keytool, located in /opt/cocca-8/java/bin

Download: https://cfhcable.dl.sourceforge.net/project/coccaopenreg/CoCCA%20Registry%20-%20Stable/V2.2.9/CoCCAtools-v2.2.9.zip

We create the keystore and CSR with the following command (example: generating a certificate for the .OTE CoCCA):

./keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore registry_cocca_ote.jks -dname "CN=registry.cocca.ote,OU=Naming and Numbering, O=CoCCA Registry Systems , L=Aculand, ST=Aculand, C=NZ" && ./keytool -certreq -alias server -file registry_cocca_ote.csr -keystore registry_cocca_ote.jks

(Create a password when prompted; it prompts twice, use the same for both.)

Step 2

Send the CSR file away for signing, for example to DigiCert.

Step 3

When the authority sends the files back, import the intermediate certificate and the signed certificate for your domain as follows:

./keytool -import -trustcacerts -alias intermediate -file DigiCertCA.crt -keystore registry_cocca_ote.jks (enter password)

./keytool -import -trustcacerts -alias server -file registry_cocca_ote.crt -keystore registry_cocca_ote.jks (enter password)

Both imports must target the keystore created in step 1; importing the signed certificate into a differently named keystore creates a new store that holds no private key for the server alias. Copy the keystore to /opt/cocca-8/keys

Step 4

Edit the web server (Resin) configuration to point to the new keystore:

/opt/cocca-8/resin/conf/resin.xml

Look for this section (the XML element names were lost in the captured page and are restored from Resin's configuration schema; the values are the original ones):

<jsse-ssl>
  <key-store-type>jks</key-store-type>
  <key-store-file>/opt/cocca-8/keys/registry_cocca_ote.jks</key-store-file>
  <password>******</password>
  <protocol>TLSv1,TLSv1.1,TLSv1.2</protocol>
</jsse-ssl>

Stop and start Resin: /opt/cocca-8/ctlscript.sh stop resin, then /opt/cocca-8/ctlscript.sh start resin
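As an added check that is not part of the CoCCA documentation or package: after editing resin.xml in step 3 of the web-interface installation and in step 4 above, this script parses the file and flags what a reviewer would question in the quoted fragments, namely the legacy TLSv1/TLSv1.1 entries in the protocol list, a JDBC connection running as the postgres superuser, the placeholder database password, and a missing jdbc/registry or jdbc/pdns jndi-name. The element names (jsse-ssl, key-store-file, protocol, database, driver) are assumed from Resin's configuration schema, since the tags were lost in this page's copy, and the sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the fragments quoted in steps 3 and 4
# (element names follow Resin's schema; assumed, the tags were lost in extraction).
SAMPLE_RESIN_XML = """<resin>
  <http port="443">
    <jsse-ssl>
      <key-store-type>jks</key-store-type>
      <key-store-file>/opt/cocca-8/keys/registry_cocca_ote.jks</key-store-file>
      <password>******</password>
      <protocol>TLSv1,TLSv1.1,TLSv1.2</protocol>
    </jsse-ssl>
  </http>
  <database>
    <jndi-name>jdbc/registry</jndi-name>
    <driver type="org.postgresql.Driver">
      <url>jdbc:postgresql://localhost/epp</url>
      <user>postgres</user>
      <password>pass</password>
    </driver>
  </database>
</resin>"""

REQUIRED_JNDI = {"jdbc/registry", "jdbc/pdns"}  # step 3: must be kept unchanged
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def check_resin_config(xml_text):
    """Return the list of findings; an empty list means the edits look sane."""
    root = ET.fromstring(xml_text)
    findings = []
    for ssl in root.iter("jsse-ssl"):
        enabled = {p.strip() for p in ssl.findtext("protocol", "").split(",")}
        legacy = sorted(LEGACY_TLS & enabled)
        if legacy:
            findings.append("legacy TLS versions enabled: " + ",".join(legacy))
        if not ssl.findtext("key-store-file"):
            findings.append("jsse-ssl has no key-store-file")
    seen = set()
    for db in root.iter("database"):
        name = db.findtext("jndi-name", "?")
        seen.add(name)
        drv = db.find("driver")
        if drv is not None and drv.findtext("user") == "postgres":
            findings.append(name + ": connects as the postgres superuser")
        if drv is not None and drv.findtext("password", "") in ("", "pass"):
            findings.append(name + ": placeholder or empty database password")
    for name in sorted(REQUIRED_JNDI - seen):
        findings.append("required jndi-name missing: " + name)
    return findings
```

Run it against the real /opt/cocca-8/resin/conf/resin.xml by passing the file contents to check_resin_config; the constructed sample yields four findings, one per issue listed in the lead-in.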

Step 5

Edit the EPP certificate settings in the CoCCA UI:

Config > EPP

Enter the path and password as appropriate, as in the following figure (figure: ConfigureEPP.jpg).

【References】

Reference: https://wiki.cocca.org.nz/mediawiki/index.php/CoCCA_FAQ
Reference: https://wiki.almworks.com/display/kb/How+to+Connect+to+Server+using+SSL+and+Client+Certificate

Reference: https://stackoverflow.com/questions/8973880/connect-to-epp-server-with-php-using-ssl
Reference: https://stackoverflow.com/questions/42194244/error-connecting-to-epp-server-using-openssl-s-client