The following table lists the system requirements for ADSS Server:


Component

Requirement

ADSS Server

ADSS Server is a Java 11 EE application supported on these platforms (ask about support for others):

Operating Systems:
The following 64-bit operating systems are supported (32-bit on request):

  • Windows Server 2019, 2016, 2012 R2, 2012, 2008
  • Linux (RedHat 7.4, 7.6, SUSE, CentOS 7.0, 7.6)

Hardware: 
A modern multi-core CPU such as the Xeon E3-xxxx, E5-xxxx, E55-xx, E56-xx or similar is recommended, with 16GB RAM (min 8GB RAM) and 200GB disk space. Additional RAM may be required to power signing or LTANS archive services. Roughly 0.5GB to 1GB of disk space is required to keep the trace logs per 100,000 service transactions.

Databases:
ADSS Server saves its configuration and transactional data in a database. The following databases are supported:

  • Microsoft SQL Server 2019, 2017, 2016, 2014, 2012 (Express, Standard, Web or Enterprise Edition)
  • Azure SQL Database (Database-as-a-service)
  • Oracle 19c, 12c
  • PostgreSQL v13.x, v12.x, v11.x, v10.x, v9.6.x
  • MySQL v8.x, Percona-XtraDB-Cluster v5.7.x and v8.0

About 1GB of database space is required to store the service logs from 100,000 transactions for each service unless these are regularly auto-archived or customised.

Optional Database Server

The database can be run on a separate server if preferred. This is recommended for high performance environments to allow all server resources to be directed to ADSS Server services.  

Hardware:  
A modern multi-core CPU such as the Xeon E3-xxxx, E5-xxxx, E55-xx, E56-xx or similar range is recommended, with 16GB RAM. Typically 5-10GB or more of disk space will be required, depending on usage and transactional data / log retention requirements.

Client systems 
(systems sending service requests to ADSS Server)

Any reasonable system. ADSS Client SDK for Java API requires JRE v1.7 or above. ADSS Client SDK for .NET requires Microsoft .NET Framework 4.5 or above.

Operator Browsers

The following browsers are supported for ADSS Server Operators:

  • Google Chrome 70.x or above
  • Mozilla Firefox 60.x or above
  • Microsoft Edge 35.x or above
  • Microsoft Internet Explorer (IE) 11.x

Optional HSMs

If required the following Hardware Security Modules are supported:

  • Thales SafeNet Luna and ProtectServer HSMs
  • nCipher nShield Solo or Connect HSMs
  • Utimaco HSMs
  • Microsoft Azure Key Vault HSM
  • Amazon AWS Cloud HSM (supported when ADSS Server is deployed on Linux)

Optional DMZ proxy machine

A DMZ proxy server can be configured if required. The following DMZ proxy machines are supported:

  • Windows Server - Microsoft IIS 8.0 or above, Apache or IBM HTTP Server
  • Linux - Apache or IBM HTTP Server

Use a reasonable CPU, 2GB RAM and 100MB disk space.


Typical Deployment Scenario

A typical ADSS Server installation schematic looks like this:



ADSS Server and the database it uses can both be installed on the same machine. 12GB RAM is recommended for such a scenario. For high performance environments, it is recommended to install them on separate systems. 

The details shown above are the minimum system requirements; these may need to be revised to meet specific usage requirements. For high throughput systems consider using multiple load-balanced ADSS Servers in a network load-balanced resilient arrangement. Multiple physical CPUs can be added although additional licenses are required for these. Virtualized systems are also supported.

ADSS Server can also be installed on the same system as the business application it services.

HSM Support for Key Wrapping

If you wish to use ADSS Server with its HSM-based user key generation, wrapping and export under a static or dynamic KEK, then be careful with the specifications of the HSMs you order or try to reuse.

The best thing to do is to run the ADSS Server PKCS#11 Test Utility to check whether the HSM supports the mechanisms needed for this and for other functions. HSM vendors are known to change the mechanisms that are supported in this area, and some exclude such mechanisms from the allowable list when in FIPS 140-2 mode. If in doubt, check with Ascertia support and also check with your HSM vendor that the AES_CBC_ENCRYPT_DATA mechanism is supported for key wrapping and export.

