August 9, 2018 | Categories: [Domain names], [Technology]




Garth Miller, who is in charge of CoCCA SRS, suggests starting with the FRED system:

If you are only doing this for learning and research purposes and want to test EPP, WHOIS, RDAP and so on, I suggest you try https://fred.nic.cz/ . Quite a few TLDs have also chosen it as their domain registry system.





CoCCA stands for the Council of Country Code Administrators. Founded in 2004, CoCCA is an Internet infrastructure support company formed jointly by a group of ccTLD management organizations.

The registry software we created and maintain is the most widely deployed ccTLD registry solution in the industry. Currently, CoCCA SRS is used by 54 ccTLDs and 6 gTLDs.






Components: CoCCA registry development kit CoCCAtools-v2.2.9.zip

Components: CoCCA registrar development kit CoCCARegistrarTools-v1.1.2_Production.zip & CoCCARegistrarSRC-v1.1.2.zip & RegistrarInstall_v1.1.2.pdf



1. PostgreSQL 8.1 or higher

2. Java 1.5 or higher

3. Resin 3.1.1 or higher



wget https://master.dl.sourceforge.net/project/coccaopenreg/CoCCA%20Registry%20-%20Stable/V2.2.9/CoCCAtools-v2.2.9.zip && unzip CoCCAtools-v2.2.9.zip

Notes on Security

In a production environment the registry should be behind a firewall and the registry database should be on an internal network.

* the firewall should only allow access from a known IP via ports 700 and 443 for EPP registrars, and 443 only for registrars using only the GUI. A combination of a hardware appliance and the OS firewall is recommended. The database server should only allow connections from the EPP and backup servers.

* registrars using the GUI should be provided with two-factor authentication keys.

Only trusted parties should have access to the registry via secure certificates, trusted IPs and a user name and password, PLUS two-factor authentication for GUI access. If you only grant access to a handful of trusted parties with whom you have a contract or who are accredited, security is simply addressed. Make sure the client accounts and registry staff have the correct level of access to avoid any accidental bulk changes / deletions.

If you have a registrar that is “hacking” or creating other mischief you really have a problem. We use best practice in designing the code and subscribe to and check all releases against – http://www.scanalert.com/ for known issues or coding flaws.

Automated incremental backups every 10-15 min as well as a full daily backup to a backup server are highly recommended. CoCCA offers an off-site backup server to members if they wish to use this facility. Grabbing a “snapshot” each time you do the zone generation is also not a bad idea…

Regularly update the OS and the registry code – Aotea makes updates available once a month or more to members, mostly to add features but also to address any security issues that have been identified.

Database preparation

1. Create two databases, one for a dns server and one for the main registry functionality. I’ll use epp and pdns for the names respectively. From a terminal window on a *nix system, you can try

createdb epp
createdb pdns

2. Create the pdns role if it doesn’t exist. The SQL statement for this is

create role pdns;

Binary File Installation
EPP Server

We assume a directory structure like that in the download. If it is not the same, paths will need to be changed where applicable.

1. Edit the configuration file (CoCCAtools/EPP Server/epp/conf/epp.conf.xml).
   1. The db-object-pool element will need to be changed to connect to the database created previously.
   2. The secure-store element will need to be changed to use your keystore.
   3. Set up the classpath to include all files in the lib directory.
   4. Start the server (from the command line):

      java -server -Xmx512m cx.cocca.epp.EppServer conf/epp.conf.xml > log/epp.log

      where conf/epp.conf.xml is the configuration file and log/epp.log is the log file. We’ve provided a script, CoCCAtools/EPP Server/epp/epp-run.sh, that sets the classpath and starts the server.
2. Web Interface
   1. Configure Resin to use SSL.
      1. Create a keystore file. The following command (run from the command line) is sufficient. When asked for your first and last name, give the domain name you will be using for the site.

         keytool -genkey -keyalg RSA -keystore server.keystore

      2. Add the following to the $RESIN_HOME/conf/resin.conf file. If you are using a basic Resin setup, add it beneath the tag. Change the path and password to the location of the server.keystore file you just created and the password you provided while creating the keystore file, respectively.

         path/server.keystore password

   2. Configure the registry application to recognize the EPP server’s SSL certificate. You will not need to do this if you’ve replaced the EPP server’s keystore with one containing a valid SSL certificate provided by a Certificate Authority (Thawte, Verisign, etc.).
      1. Add the following to the $RESIN_HOME/conf/resin.conf file. Add them anywhere beneath the resin tag, but not in a place enclosed by another tag.

         Edit the path in the second line to wherever the cocca.tools.keystore is located on your machine (“path to CoCCATools”/EPP Server/epp/cert/cocca.tools.keystore).
   3. Edit the resin.conf file to include database elements similar to the following. You can put these elements inside a specific element (e.g. ), or just before the element.

      postgres pass

      postgres pass

      The url, user, and password elements will need to be changed to connect to the databases you’ve set up. The jndi-name elements must be kept the same.
   4. Add the PostgreSQL driver to the server’s lib directory:

      cp CoCCAtools/Web\ App/lib/dependencies/postgresql-8.2-506.jdbc3.jar $RESIN_HOME/lib

   5. Deploy the provided registry.war file. This can be done by placing it in the resin_home/webapps directory.
   6. Start Resin.
   7. Log in to the application (at https://localhost/registry/index.jsp … replacing localhost with the name of the server you installed it on). You’ll be asked to give the information necessary to run the system. Once that is complete, you’ll be up and running!

If you have questions concerning the changes to the resin.conf file, please look at the sample_resin.conf included in the download. Specifically, look at the lines enclosed by the following:
********************** Begin – required for CoCCATools *****************
… and …
********************** End – required for CoCCATools *******************




Verified: https://epp.whois.ai/login.jsp uses the certificate authority thawte DV SSL CA – G2.


Certificates are created and managed with the Java keytool, located in /opt/cocca-8/java/bin.


We create the keystore and CSR with the following command (example: generating a certificate for .OTE CoCCA):

./keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore registry_cocca_ote.jks -dname "CN=registry.cocca.ote,OU=Naming and Numbering, O=CoCCA Registry Systems , L=Aculand, ST=Aculand, C=NZ" && ./keytool -certreq -alias server -file registry_cocca_ote.csr -keystore registry_cocca_ote.jks

(create a password when prompted; it prompts twice, use the same one for both)

Step 2

Send the CSR file to a certificate authority for signing (for example, DigiCert).

Step 3

When the authority sends you the files back, import the intermediate certificate and the signed certificate for your domain as follows:

./keytool -import -trustcacerts -alias intermediate -file DigiCertCA.crt -keystore registry_cocca_ote.jks ( enter password )

./keytool -import -trustcacerts -alias server -file registry_cocca_ote.crt -keystore registry_cocca_ote.jks ( enter password )

The signed certificate must go into the same keystore that holds the private key generated in Step 1 (registry_cocca_ote.jks), under the same alias (server). Copy the keystore to /opt/cocca-8/keys

Step 4

Edit the web server (Resin) configuration to point to the new keystore.


look for this section …

/opt/cocca-8/keys/registry_cocca.ote.jks ****** TLSv1,TLSv1.1,TLSv1.2

Stop and start Resin: /opt/cocca-8/ctlscript.sh stop resin, then /opt/cocca-8/ctlscript.sh start resin

Step 5

Edit the EPP certificate settings in the CoCCA UI.

Config > EPP

Enter the path and password as appropriate, as shown in the following figure: ConfigureEPP.jpg
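The HTML extraction stripped the XML from the resin.conf steps on this page (the keystore section in Step 4, the SSL and truststore lines under Web Interface, and the two database elements). The fragment below is an added example of what those elements look like; it is not text from this page or from CoCCA's sample_resin.conf. The element names are Resin's jsse-ssl and database configuration, while the JNDI names, database host, user names and passwords are placeholders, and the trustStore system-property lines and the protocol element are assumptions.

```xml
<!-- Added example; not from this page or CoCCA's sample_resin.conf.
     Placeholders: JNDI names, db host, user names, passwords.
     Assumptions: the trustStore system-property lines and <protocol>. -->

<!-- HTTPS listener for the registry GUI (Step 4 / Web Interface 1.2).
     Goes inside Resin's server element and points at the keystore built
     in Step 1: registry_cocca_ote.jks holds the private key, and Step 3
     imported the intermediate and signed certificate into it. -->
<http address="*" port="443">
  <jsse-ssl>
    <key-store-type>jks</key-store-type>
    <key-store-file>/opt/cocca-8/keys/registry_cocca_ote.jks</key-store-file>
    <password>KEYSTORE_PASSWORD_PLACEHOLDER</password>
    <!-- Step 4 shows TLSv1,TLSv1.1,TLSv1.2; TLS 1.0 and 1.1 are deprecated,
         so allow only 1.2 unless a registrar client cannot do better. -->
    <protocol>TLSv1.2</protocol>
  </jsse-ssl>
</http>

<!-- Web Interface 2.1: let the web app trust the EPP server's self-signed
     certificate in the bundled keystore. Assumed to be done with Resin's
     system-property element; remove once the EPP server has a CA-issued
     certificate, as the page notes. -->
<system-property javax.net.ssl.trustStore="/path/to/CoCCATools/EPP Server/epp/cert/cocca.tools.keystore"/>
<system-property javax.net.ssl.trustStorePassword="TRUSTSTORE_PASSWORD_PLACEHOLDER"/>

<!-- Web Interface 3: one <database> per database created with createdb.
     The page's "postgres pass" lines are the <user>/<password> children.
     jndi-name must match sample_resin.conf (jdbc/epp and jdbc/pdns are
     placeholders here). A dedicated role per database instead of the
     postgres superuser, on a host on the internal network, limits what a
     compromised web app can reach. -->
<database>
  <jndi-name>jdbc/epp</jndi-name>
  <driver type="org.postgresql.Driver">
    <url>jdbc:postgresql://db.internal:5432/epp</url>
    <user>epp_app</user>
    <password>DB_PASSWORD_PLACEHOLDER</password>
  </driver>
</database>
<database>
  <jndi-name>jdbc/pdns</jndi-name>
  <driver type="org.postgresql.Driver">
    <url>jdbc:postgresql://db.internal:5432/pdns</url>
    <user>pdns</user>
    <password>DB_PASSWORD_PLACEHOLDER</password>
  </driver>
</database>
```

After editing, check that the keystore file name in key-store-file is the one the private key was generated into; the page spells it both registry_cocca_ote.jks and registry_cocca.ote.jks, and importing the signed certificate into a differently named keystore creates a new store without the key.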