OpenNCP Installation


Welcome to the OpenNCP installation overview. The purpose of this document is to give an overview of the OpenNCP components and their installation.

OpenNCP is a suite of epSOS NCP software publicly available under Open Source licensing (partly GPL v. 3 and partly ASL v. 2). The software acts as a bidirectional technical, organisational and legal interface between the existing national infrastructures and also acts as a mediator as far as the legal and regulatory aspects are concerned.

OpenNCP Community is an open group of people orchestrated by an agile software development methodology conducting effort on designing, coding, testing and delivering OpenNCP software.

JoinUp is a collaborative platform created by the European Commission and funded by the European Union via the Interoperability Solutions for Public Administrations (ISA) Programme.

Some OpenNCP software components are licensed under the GPL v. 3 license, and some under the ASL v.2 license. Developers of software components are given the responsibility to check that no other licensing rights pertain to any elements embedded or related to a newly developed component, particularly but not limited to libraries.

For connecting the OpenNCP implementation to a participating nation's national infrastructure, a separate national connector must be implemented by the NCP operator. The connector is not supplied as part of OpenNCP, because the implementations and functionalities of the national infrastructures differ among the participating nations.

epSOS participating nations and other enquirers are responsible in co-operation with the OpenNCP community, to ensure that the licenses of all open source components used in the project are compatible with the purpose and scope of the project.

System Requirements

Typical Hardware Requirements

  • 2 GHz Xeon Processor or equivalent
  • 20 GB Storage
  • 4 GB Memory

Suggested Software Requirements

  • Linux or Microsoft Windows Operating System
  • Oracle Java SE Development Kit 7 jdk7u21 or earlier (refer to page comments)
  • Apache Tomcat 6.0.x or 7.0.x
  • Relational Database (tested with MySQL, Postgres, Oracle)
  • Openswan 2.6.x for IPsec (needed in epSOS, but not part of OpenNCP as such)

Keystore storage recommendation

It's highly recommended to have each private key in a seperate keystore file (one for signature key, one for service provided and one for vpn key)

Overview of components

OpenNCP consists of the following components all of which are available for download at JoinUp.

Protocol Terminators

The core of OpenNCP is the Protocol Terminators and consists of these two components:

  • epsos-ws-server - Server Side (Country A)
  • epsos-client-connector - Client Side (Country B)

These components are packaged as web applications and are deployed to a servlet container such as Tomcat.


This component is a "Security Token Service" (STS) for issuing “Treatment Relationship Confirmation” (TRC) Assertions. It is another web application that is deployed to Tomcat. TRC-STS is used by an epSOS portal (e.g. OpenNCP portal or epsos-web), which must include the TRC-STS client for retrieving the TRC assertions from the security token service.


TSL-sync connects to Central Services and downloads the Trusted Service Lists (TSL) with NCP endpoint addresses and certificates of the other Participating Nations. It is a web application deployed to Tomcat. TSL-sync may be configured to run for example every night.


The Terminology Service Access Manager (TSAM) Synchronizer is another OpenNCP component. It is a standalone jar file with configuration files and a start script. This application may be scheduled to run for example on a daily basis and will download terminology data from the Central Services repository into the local database (LTR - Local Terminology Repository).


OpenATNA is an implementation of the Audit Trail and Node Authentication (ATNA) profile. It is is a web application and is deployed to Tomcat. The application has two main functionalities: (1) receiving the audits from NCP components and storing them into the audit repository and (2) getting access to the stored audits using a web interface.


A local database is required for storing the following information:

  • ATNA audit messages
  • epSOS Automatic Data Collection (eADC) records
  • TSAM data, i.e. code and value sets, code mappings etc.
  • Configuration settings for the OpenNCP server, client and portal

The configuration settings also include the endpoint addresses of the other NCPs, received in the form of TSLs from the central services.


There is a choice of two web portals:

  • OpenNCP Portal (deployed on Liferay Community Server)
  • epSOS-Web (deployed on Tomcat)


Communication between NCPs is secured using HTTPS over IPsec. IPsec is not part of the OpenNCP software, but it is needed for establishing VPN connections between epSOS NCPs. Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet. A common implementation of IPsec for Linux is Openswan. It must be installed on the NCP machine.

More information

For further information refer to the OpenNCP Installation Manual. It describes the installation of the OpenNCP software in more detail and provides sample configuration files along with tips and tricks for successful deployment of the NCP.


The OpenNCP Community provides support and other benefits, including: