Introduction

Welcome to the OpenNCP installation overview. The purpose of this document is to give an overview of the OpenNCP components and their installation.

...

epSOS participating nations and other enquirers are responsible, in co-operation with the OpenNCP community, for ensuring that the licenses of all open source components used in the project are compatible with the purpose and scope of the project.

System Requirements

Typical Hardware Requirements

  • 2 GHz Xeon Processor or equivalent
  • 20 GB Storage
  • 4 GB Memory

Suggested Software Requirements

  • Linux or Microsoft Windows Operating System
  • Oracle Java SE Development Kit 7 jdk7u21 or earlier (refer to page comments)
  • Apache Tomcat 6.0.x or 7.0.x
  • Relational Database (tested with MySQL, Postgres, Oracle)
  • Openswan 2.6.x for IPsec (needed in epSOS, but not part of OpenNCP as such)

Keystore storage recommendation

It is highly recommended to keep each private key in a separate keystore file (one for the signature key, one for the service provider key and one for the VPN key).
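One way to check this recommendation on a deployed NCP, as an added example that is not part of the OpenNCP distribution: it counts the private-key entries in a keystore by reading the file structure only, so no keystore password is needed. It assumes the keystores use the JKS format (PKCS#12 files are not handled), and the aliases in the constructed sample are hypothetical.

```python
import struct

JKS_MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def utf(self):  # Java writeUTF: 2-byte length prefix, then the string bytes
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8", "replace")
    def skip_cert(self, version):
        if version == 2:  # version 2 stores the certificate type before the bytes
            self.utf()
        self.take(self.u32())

def private_key_aliases(data):
    """Aliases of all private-key entries; the trailing integrity digest is not verified."""
    r = Reader(data)
    if r.u32() != JKS_MAGIC or (version := r.u32()) not in (1, 2):
        raise ValueError("not a supported JKS keystore")
    aliases = []
    for _ in range(r.u32()):
        tag, alias, _created = r.u32(), r.utf(), r.take(8)
        if tag == PRIVATE_KEY:
            r.take(r.u32())               # encrypted private key blob
            for _ in range(r.u32()):      # certificate chain
                r.skip_cert(version)
            aliases.append(alias)
        elif tag == TRUSTED_CERT:
            r.skip_cert(version)
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return aliases

def sample_jks(key_aliases, trusted_aliases=()):
    """Constructed test keystore with dummy bytes instead of real keys and certificates."""
    u32 = lambda n: struct.pack(">I", n)
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    head = lambda tag, a: u32(tag) + utf(a) + bytes(8)
    cert = utf("X.509") + u32(3) + b"crt"
    entries = [head(PRIVATE_KEY, a) + u32(3) + b"key" + u32(1) + cert for a in key_aliases]
    entries += [head(TRUSTED_CERT, a) + cert for a in trusted_aliases]
    return u32(JKS_MAGIC) + u32(2) + u32(len(entries)) + b"".join(entries) + bytes(20)
```

For a real file, pass `open(path, "rb").read()` to `private_key_aliases` and flag any keystore for which it returns more than one alias.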

Overview of components

OpenNCP consists of the following components, all of which are available for download at JoinUp.

Protocol Terminators

The Protocol Terminators form the core of OpenNCP and consist of these two components:

...

These components are packaged as web applications and are deployed to a servlet container such as Tomcat.

TRC-STS

This component is a "Security Token Service" (STS) for issuing "Treatment Relationship Confirmation" (TRC) assertions. It is another web application that is deployed to Tomcat. TRC-STS is used by an epSOS portal (e.g. OpenNCP portal or epsos-web), which must include the TRC-STS client for retrieving the TRC assertions from the security token service.

TSL-sync

TSL-sync connects to Central Services and downloads the Trusted Service Lists (TSL) with NCP endpoint addresses and certificates of the other Participating Nations. It is a web application deployed to Tomcat. TSL-sync may be configured to run on a schedule, for example every night.

TSAM-sync

The Terminology Service Access Manager (TSAM) Synchronizer is another OpenNCP component. It is a standalone jar file with configuration files and a start script. This application may be scheduled to run, for example, on a daily basis and will download terminology data from the Central Services repository into the local database (LTR - Local Terminology Repository).

OpenATNA

OpenATNA is an implementation of the Audit Trail and Node Authentication (ATNA) profile. It is a web application and is deployed to Tomcat. The application has two main functions: (1) receiving the audits from NCP components and storing them in the audit repository and (2) providing access to the stored audits through a web interface.

Database

A local database is required for storing the following information:

...

The configuration settings also include the endpoint addresses of the other NCPs, received in the form of TSLs from the central services.

Portals

There is a choice of two web portals:

  • OpenNCP Portal (deployed on Liferay Community Server)
  • epSOS-Web (deployed on Tomcat)

IPsec

Communication between NCPs is secured using HTTPS over IPsec. IPsec is not part of the OpenNCP software, but it is needed for establishing VPN connections between epSOS NCPs. Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet. A common implementation of IPsec for Linux is Openswan. It must be installed on the NCP machine.

More information

For further information refer to the OpenNCP Installation Manual (deprecated since 2015-10-29). It describes the installation of the OpenNCP software in more detail and provides sample configuration files along with tips and tricks for successful deployment of the NCP.

Support

The OpenNCP Community provides support and other benefits, including:

...