Install RM

Export some dependencies like org.dom4j and javax.jms.api in jboss-deployment-structure.xml

egis_rm_paymentrecon-dept_web
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
<deployment>
<resources>
<resource-root path="lib/bcprov-jdk15on-1.51.jar" use-physical-code-source="true"/>
</resources>
<dependencies>
<!-- for quartz -->
<module name="com.mysql" export="true"/>
</dependencies>
</deployment>
</jboss-deployment-structure>

egis_rm_paymentrecon-portal_web
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
<deployment>
<dependencies>
<!-- for castor, don't know which XML serializer is configured -->
<!-- therefore, include both from JDK and Xerces -->
<system export="true">
<paths>
<path name="com/sun/org/apache/xml/internal/serialize" />
</paths>
</system>

<module name="org.apache.xalan" export="true" />
<module name="org.apache.xerces" export="true" />
<module name="org.dom4j" export="true" />

<!-- for quartz -->
<module name="com.mysql" export="true" />
</dependencies>
</deployment>
</jboss-deployment-structure>

Add an application user with the role keyservice_admin by running bin/add-user.bat

Update standalone.conf to add RM config path

set "JAVA_OPTS=%JAVA_OPTS% -Dhk.gov.ogcio.egis.rm.common.PROPERTIES_FILEPATH=D:\rm -Djboss.bind.address=0.0.0.0 -Dspring.profiles.active=uat"

Generate key store

keytool -genkey -keystore xxx_master.jks -keyalg RSA -keysize 2048 -alias my-alais -validity 3650 -storepass yyy.xxx@2017
*** CN=Companies Registry, OU=Companies Registry, O=Companies Registry, L=Hong Kong, ST=Hong Kong, C=HK ***
keytool -list -v -keystore xxx_master.jks

Copy xxx\rm2\keys\sit\xxx_master.jks to d:/keystore

Generate master password in DB
java -cp C:\Users\xxx01\Desktop\Forrest\workspace\RM2-Keyservice\bin;C:\Users\xxx01\Desktop\Forrest\workspace\RM2-Common\bin hk.gov.ogcio.egis.rm.keyservice.utils.KeystoreInstallSuite /d:/keystore/xxx_master.jks JKS yyy.xxx@2017 my-alais yyy.xxx@2017 SHA256 RSA/ECB/OAEPWithSHA1AndMGF1Padding

INSERT INTO PASSWORD_STORE(PASSWORD_STORE_ID, USER_ID, USAGE_TYPE, PASSWORD, SIGNATURE, LAST_UPDATE_DT) VALUES ('0', 'MASTER_PASSWORD', 'INTERNAL', 'xzn+q7+DcT/Z2eTHVDDO9WRia4R/CHP23cU2bA9Eatgh6xA6Ah5qaK6CTf93ILT+C8ezhDMAe0/IdU916ExB8+iXozYKNnBp5/g4YpvzGYDcsYM6GnH5KA3YZY6EchRjXw1P576m5jQdMY6bQmcdEg7bB1JwufkISneQV1SnpuKev9G4O2oTHamyvaGuAxtj1lWm5we4AmBgGD6hF75ZAdu/IKL2n5h1BflT61jcSCrTYW0yCkWR0JFoN+x7eM3WGBZcw/BDWpIAfxVR6O0hJTkw6S6SDM6kheusfpzc36wcBrxP2yG/Jp+TZVWpSKDxCkLaM+i68K8wonEkQO0nBQ==', 'DeKWX8F/81JGQWeKowS5KsWNu2Poid7w+nDyC3IFRkdjNxAO+yqgKt9GX6QjAa3C61PtbMvPKxzfRjqZZeCx5aUbN+S4FCjKW8b4y8EZxI1TOSc31W6Je2McBxSRqqNPbB382W4lP+K7BXFIC0MS5PGtx+ES28k+rfLJcoRHzlhHKgkXUSIknPfWzLOzGJsg3DFynDXMoH3Jc7lZ2QRWZ2lmfqHm1rPGBfpg6W3YFzFDxJaA/U36A4xrGsYBja3v7+QLQFH7CtvF7XBWAN3HZpBylY8z/5MhMvwo+sj0dVc7z7Q2RLTd1ID0E2C6jI1CKLfLc2SKnho8phzT8xX8rg==', now());
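As an added illustration (not code from this page or from the RM project), the Java program below shows how the PASSWORD and SIGNATURE columns relate under the algorithms named in the KeystoreInstallSuite arguments. It assumes that PASSWORD is the master password encrypted with the keystore's RSA public key using RSA/ECB/OAEPWithSHA1AndMGF1Padding and that SIGNATURE is a SHA256withRSA signature over that ciphertext; both are inferred from the command-line arguments, not from the suite's source. The key pair is generated in memory as a stand-in for the my-alais entry of xxx_master.jks, and the master password value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;

/**
 * Round trip of the two PASSWORD_STORE columns. Assumption (from the
 * KeystoreInstallSuite arguments, not its source): PASSWORD is the master
 * password encrypted with RSA-OAEP, SIGNATURE is SHA256withRSA over the
 * ciphertext. Both values are Base64, as in the INSERT statement above.
 */
public class MasterPasswordRoundTrip {
    static final String CIPHER = "RSA/ECB/OAEPWithSHA1AndMGF1Padding";
    static final String SIG = "SHA256withRSA";

    /** The two Base64 strings that would go into the PASSWORD and SIGNATURE columns. */
    static final class Row {
        final String password;
        final String signature;
        Row(String password, String signature) { this.password = password; this.signature = signature; }
    }

    /** Encrypts the master password with the public key and signs the ciphertext with the private key. */
    static Row protect(byte[] masterPassword, PublicKey pub, PrivateKey priv) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, pub);
        byte[] ct = c.doFinal(masterPassword);
        Signature s = Signature.getInstance(SIG);
        s.initSign(priv);
        s.update(ct);
        Base64.Encoder enc = Base64.getEncoder();
        return new Row(enc.encodeToString(ct), enc.encodeToString(s.sign()));
    }

    /** Verifies the signature first, then decrypts; returns null when the row fails verification. */
    static byte[] recover(Row row, PublicKey pub, PrivateKey priv) throws Exception {
        Base64.Decoder dec = Base64.getDecoder();
        byte[] ct = dec.decode(row.password);
        Signature s = Signature.getInstance(SIG);
        s.initVerify(pub);
        s.update(ct);
        if (!s.verify(dec.decode(row.signature))) {
            return null; // tampered, or signed by a different key: never hand it to the cipher
        }
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, priv);
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the my-alais entry of xxx_master.jks.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed master password; the real one never appears on this page.
        byte[] master = "constructed-master-password".getBytes(StandardCharsets.UTF_8);
        Row row = protect(master, kp.getPublic(), kp.getPrivate());
        System.out.println("PASSWORD  = " + row.password);
        System.out.println("SIGNATURE = " + row.signature);

        byte[] back = recover(row, kp.getPublic(), kp.getPrivate());
        System.out.println("round trip ok: " + Arrays.equals(master, back));

        // OAEP is randomised: re-running the suite gives a different PASSWORD value for the same input.
        Row again = protect(master, kp.getPublic(), kp.getPrivate());
        System.out.println("ciphertext differs between runs: " + !row.password.equals(again.password));

        // Flipping one ciphertext byte must be rejected by the signature check, not reach decryption.
        byte[] ct = Base64.getDecoder().decode(row.password);
        ct[0] ^= 0x01;
        Row tampered = new Row(Base64.getEncoder().encodeToString(ct), row.signature);
        System.out.println("tampered row rejected: " + (recover(tampered, kp.getPublic(), kp.getPrivate()) == null));
    }
}
```

Two points the program makes for anyone checking an installed row: because OAEP is randomised, you cannot validate the PASSWORD column by re-running the suite and comparing strings; verify the SIGNATURE and decrypt instead. And verifying before decrypting keeps a tampered ciphertext away from the decryption routine, which would otherwise fail with a padding error rather than a clear integrity failure.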

Add support for HKPOST_TRIAL cert for testing in webserver.properties

Payment and Payment Reconciliation

Generate privateKeyEntry (friendly3)
openssl pkcs12 -export -inkey my.hksarg-privateKey.key -in sit.xxx.cr.hksarg.crt -name friendly3 -out friendly3.p12
keytool -importkeystore -srckeystore friendly3.p12 -srcstoretype pkcs12 -alias friendly3 -destkeystore xxx_egis.jks

UAT renew:
keytool -v -list -keystore xxx_egis.jks -alias friendly3 -storepass yyy.xxx@2017
keytool -delete -keystore xxx_egis.jks -alias friendly3 -storepass yyy.xxx@2017
openssl pkcs12 -export -inkey my.hksarg-privateKey.key -in uat.my.cr.hksarg.crt -name friendly3 -out friendly3.p12
keytool -importkeystore -srckeystore friendly3.p12 -srcstoretype pkcs12 -alias friendly3 -destkeystore xxx_egis.jks

Generate trustedCertEntry (epayment_signing)
keytool -genkey -keystore payment_signing.jks -keyalg RSA -keysize 2048 -validity 3650 -storepass yyy.xxx@2017
keytool -import -v -alias payment_signing -file UAT_2016_epayment_signing-b64.cer -keystore xxx_egis.jks -storepass yyy.xxx@2017

Generate trustedCertEntry (trust1)
#keytool -genkey -keystore xxx_egis.jks -keyalg RSA -keysize 2048 -validity 3650 -storepass yyy.xxx@2017
keytool -import -trustcacerts -v -alias trust1 -file iscca256.cer -keystore xxx_egis.jks -storepass yyy.xxx@2017
keytool -import -trustcacerts -v -alias rootca -file rootca256.cer -keystore xxx_egis.jks -storepass yyy.xxx@2017
#keytool -delete -alias mykey -keystore trust_store3.jks -storepass yyy.xxx@2017 // as xxx_egis is created and mykey does not exist

Add the items below in KMU:
* key entry : friendly3
* cert entry : payment_signing
* cert entry : trust1
Add passphrases boci-key and ppsb-key with usage=paymentRecon

Keystore

D:\keystore\xxx_master.jks comes from rm2\keys\sit\xxx_master.jks
D:\keystore\xxx_egis.jks comes from rm2\keys\sit\xxx_egis.jks

Install unlimited strength JCE policy files named local_policy.jar and US_export_policy.jar at \lib\security
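An added post-install check, written for this page and not part of the RM project: it opens xxx_egis.jks, confirms that every alias the KMU entries refer to exists with the expected entry type (a private key for friendly3, trusted certificates for payment_signing, trust1 and rootca), flags certificates that are expired or close to expiry, and confirms the unlimited-strength JCE policy is in effect. The alias list, the JKS store type and the 30-day warning threshold are assumptions taken from the steps above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;

/**
 * Post-install check for the RM application keystore (added example, not project code).
 * Usage: java KeystoreCheck D:\keystore\xxx_egis.jks <storepass>
 */
public class KeystoreCheck {

    /** One expected alias and whether it must be a private key entry or a trusted certificate. */
    static final class Expected {
        final String alias;
        final boolean privateKey;
        Expected(String alias, boolean privateKey) { this.alias = alias; this.privateKey = privateKey; }
    }

    // Aliases from the KMU list above; rootca is imported next to trust1 in the keytool steps.
    static final List<Expected> EXPECTED = Arrays.asList(
        new Expected("friendly3", true),
        new Expected("payment_signing", false),
        new Expected("trust1", false),
        new Expected("rootca", false));

    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumed: the page creates JKS stores
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Returns the problems found; an empty list means the keystore matches the expected layout. */
    static List<String> check(KeyStore ks, Instant now, Duration warnBefore) throws Exception {
        List<String> problems = new ArrayList<>();
        for (Expected e : EXPECTED) {
            if (!ks.containsAlias(e.alias)) {
                problems.add("missing alias: " + e.alias);
                continue;
            }
            boolean isKey = ks.isKeyEntry(e.alias);
            if (isKey != e.privateKey) {
                problems.add(e.alias + ": expected " + (e.privateKey ? "PrivateKeyEntry" : "trustedCertEntry")
                    + " but found " + (isKey ? "PrivateKeyEntry" : "trustedCertEntry"));
            }
            // For a key entry this is the leaf certificate; for a trusted entry, the certificate itself.
            X509Certificate cert = (X509Certificate) ks.getCertificate(e.alias);
            if (cert == null) {
                problems.add(e.alias + ": no certificate");
                continue;
            }
            Instant notAfter = cert.getNotAfter().toInstant();
            if (notAfter.isBefore(now)) {
                problems.add(e.alias + ": certificate expired on " + notAfter);
            } else if (notAfter.isBefore(now.plus(warnBefore))) {
                problems.add(e.alias + ": certificate expires soon, on " + notAfter);
            }
        }
        return problems;
    }

    /** True when local_policy.jar / US_export_policy.jar (unlimited strength) are in effect. */
    static boolean unlimitedJce() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreCheck <keystore.jks> <storepass>");
            System.exit(2);
        }
        KeyStore ks = load(args[0], args[1].toCharArray());
        List<String> problems = check(ks, Instant.now(), Duration.ofDays(30)); // 30 days: chosen threshold
        if (!unlimitedJce()) {
            problems.add("JCE unlimited-strength policy not active (AES limited to "
                + Cipher.getMaxAllowedKeyLength("AES") + " bits)");
        }
        problems.forEach(p -> System.out.println("PROBLEM: " + p));
        System.out.println(problems.isEmpty() ? "OK" : problems.size() + " problem(s)");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Running it right after the UAT renewal step catches the two mistakes that keytool does not report: an alias that ended up as the wrong entry type (for example a trusted certificate where a private key was expected, which breaks signing), and a renewed certificate that was imported under the old alias but is already near its end of validity.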

Deploy paymentclient_web to IApp1/2; deploy paymentrecon-portal_web and paymentrecon-dept_web to GApp1/2

  1. JOB_RM_PAY_BACKGROUND_RECOVERY
  2. JOB_RM_PAYRECON_PAYMENT_RECON_01_PPSB
  3. JOB_RM_PAYRECON_PAYMENT_RECON_02_BOCI
  4. JOB_RM_PAYRECON_PSDR_EXPORTER
  5. JOB_RM_PAYRECON_PSDR_IMPORTER
    <jms-queue name="BackgroundRecoveryQueue" entries="queue/BackgroundRecoveryQueue"/>
    <jms-queue name="PSDRExporterScheduleJobQueue" entries="queue/PSDRExporterScheduleJobQueue"/>
    <jms-queue name="PSDRImporterScheduleJobQueue" entries="queue/PSDRImporterScheduleJobQueue"/>
    <jms-queue name="PaymentReconScheduleJobQueue" entries="queue/PaymentReconScheduleJobQueue"/>