# Prerequisites
On the machine this project is intended to run you need the following components:
* The `docker-compose` command: it is used to start up the cluster of Docker services the project consists of.
* A reverse proxy with valid TLS certificates bound to a specific domain. The cluster itself knows nothing about TLS. It contains a facade service that exposes a plain-HTTP endpoint only, acting as the gateway to the individual services. Most important for the demo is the root path (`/`), which leads to the web UI.
# How to set up the project
The setup of the project consists of several steps.

## Configure POSeIDAS
In `./poseidas/config` is a pre-configured template for the configuration of POSeIDAS. It uses self-signed certificates as trust-anchors.
Edit the `poseidas/config/poseidas.xml` file according to your environment:
* Replace `TARGET_DOMAIN` with the real domain of the project (in `ServerUrl` and `PaosReceiverURL`).
### Add terminal certificates
The database contains predefined certificates matching the domain `docker.reqesidta.de`. If you don't want to use them, replace them with your own data after deployment, see [POSeIDAS Database](#poseidas-database).

## Edit config for docker-compose
Edit the `docker-compose.yml` file according to your environment:
* Replace `TARGET_PORT` with the port your reverse proxy forwards to. This is the port on which the facade will be available. It should only be reachable from localhost, i.e. from the deployment target itself.

## Edit config for the SSA service
Edit the `ssa/config/ssa-server.conf` file according to your environment:
* Replace `TARGET_DOMAIN` with the real domain of the project.

## Edit the deploy script
Edit the `deploy.sh` file according to your environment:
* Replace `TARGET_HOST` with the real host of the project.
* Replace `TARGET_USER` with the user to log in as on the host.
* Replace `TARGET_DIR` with the path to the directory the deployment should go to on the host.
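The configuration steps above all come down to replacing `TARGET_*` placeholders in four files and making sure none of them survive into the deployment. The following Python script is an added example and not part of the project: it validates the values before splicing them into the files, rewrites the four files the README names (paths assumed relative to the repository root), and reports any placeholder that is still left. The `127.0.0.1:` check on the facade port mapping is an assumption about how `docker-compose.yml` binds the port; the README only states that the port should be reachable from localhost.

```python
"""Fill in the TARGET_* placeholders this README asks you to edit by hand,
validate the values first, and refuse to go on if any placeholder survives.
Added example, not part of the project; file paths are the ones the README
names, relative to the repository root."""
import re
import tempfile
from pathlib import Path

PLACEHOLDER = re.compile(r"TARGET_[A-Z]+")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# The files in which the README places placeholders (assumed relative to the repo root).
PLACEHOLDER_FILES = (
    "poseidas/config/poseidas.xml",   # TARGET_DOMAIN
    "docker-compose.yml",             # TARGET_PORT
    "ssa/config/ssa-server.conf",     # TARGET_DOMAIN
    "deploy.sh",                      # TARGET_HOST, TARGET_USER, TARGET_DIR
)


def validate_values(values):
    """Return a list of problems; an empty list means the values are safe to splice into config files."""
    problems = []
    for name in ("TARGET_DOMAIN", "TARGET_HOST"):
        if not HOSTNAME.match(values.get(name, "")):
            problems.append(f"{name} is not a valid hostname")
    port = values.get("TARGET_PORT", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("TARGET_PORT must be a number between 1 and 65535")
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", values.get("TARGET_USER", "")):
        problems.append("TARGET_USER is not a plain POSIX user name")
    if not values.get("TARGET_DIR", "").startswith("/"):
        problems.append("TARGET_DIR must be an absolute path")
    return problems


def substitute(text, values):
    """Replace known placeholders; unknown TARGET_* names are left alone so the leftover check reports them."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(0), m.group(0)), text)


def remaining_placeholders(text):
    """Sorted, de-duplicated list of TARGET_* tokens still present in text."""
    return sorted(set(PLACEHOLDER.findall(text)))


def configure_deployment(root, values):
    """Rewrite every listed file under root in place.
    Returns {relative path: leftover placeholders}; an empty dict means the tree is fully configured."""
    problems = validate_values(values)
    if problems:
        raise ValueError("; ".join(problems))
    root = Path(root)
    leftovers = {}
    for rel in PLACEHOLDER_FILES:
        path = root / rel
        new_text = substitute(path.read_text(), values)
        path.write_text(new_text)
        left = remaining_placeholders(new_text)
        if left:
            leftovers[rel] = left
    return leftovers


def facade_port_is_local(compose_text, port):
    """Assumption: the compose file binds the facade as "127.0.0.1:<port>:<container port>".
    A bare "<port>:<container port>" mapping would listen on all interfaces."""
    return re.search(rf"127\.0\.0\.1:{re.escape(str(port))}:", compose_text) is not None


def make_demo_repo():
    """Constructed stand-in for the project tree, with placeholders in the README's positions."""
    root = Path(tempfile.mkdtemp())
    files = {
        "poseidas/config/poseidas.xml": "<ServerUrl>https://TARGET_DOMAIN/eidas</ServerUrl>\n",
        "docker-compose.yml": 'ports:\n  - "127.0.0.1:TARGET_PORT:8080"\n',
        "ssa/config/ssa-server.conf": "host = TARGET_DOMAIN\n",
        "deploy.sh": "scp -r . TARGET_USER@TARGET_HOST:TARGET_DIR\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root


if __name__ == "__main__":
    repo = make_demo_repo()
    demo = {"TARGET_DOMAIN": "eid.example.org", "TARGET_PORT": "8443",
            "TARGET_HOST": "host.example.org", "TARGET_USER": "deployer", "TARGET_DIR": "/srv/eid"}
    print("leftovers:", configure_deployment(repo, demo))
    print("facade bound to localhost:",
          facade_port_is_local((repo / "docker-compose.yml").read_text(), demo["TARGET_PORT"]))
```

Run it against the real checkout by passing the repository root instead of `make_demo_repo()`; a non-empty `leftovers` result is the signal to stop before `deploy.sh` ships a half-configured tree.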

## Run the deploy script
Execute the `deploy.sh` script and check the startup of the services on the target host.
Wait until the load of all services has dropped to a near-idle level before continuing.

## EJBCA key setup script
Run the following command on the target host from within the deployment directory:

```bash
# 1. run the key setup inside the EJBCA container,
# 2. copy the resulting PKCS#12 keystore for the SAM service into ./sam/,
# 3. rebuild and restart only the sam service so it picks up the new keystore
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
  docker cp reqesidta_ejbca:/opt/primekey/bin/p12/sam.docker.reqesidta.de.p12 sam/ && \
  docker-compose up -d --no-deps --build sam
```
## POSeIDAS Database
The pre-configuration of the POSeIDAS database matches the PersoSim profiles found in the project under `/perso_sim_profiles` and the TLS certificate found under `/docker/facade/docker.reqesidta.de.cert`.

The database content must be changed if a different terminal certificate is to be used.
To make changes in the database, the Docker container `reqesidta_poseidas` must be stopped first.
The database can be edited, for example, with [DBeaver](https://dbeaver.io/).
The credentials for opening the database are in the file `/poseidas/config/application.properties`.

The following data needs to be present in the database:
* the terminal certificate (in ISO 7816 TLV binary format)
* the private key of the terminal certificate (PKCS #8, without a password)
* the sector ID (aka sector key) of the terminal certificate (public key data object in binary format)
* the certificate chain of the terminal certificate (in ISO 7816 TLV binary format)

Use the following tables for replacing the pre-configured data with your own:
* TERMINALPERMISSION
  * _CVC_: terminal certificate
  * _CVCPRIVATEKEY_: private key of the terminal certificate
  * _SECTORID_: sector-key of the terminal certificate
  * _CVCDESCRIPTION_: description of the terminal certificate
* CERTINCHAIN
  * every certificate from the certificate chain of the terminal certificate:
    * starting with the root certificate use the value '0' for _POSINCHAIN_ and put the certificate in _DATA_
    * if intermediate certificates exist, increase the value for _POSINCHAIN_ and put the certificate in _DATA_

This data must be referenced using a key in _REFID_.
The value of _REFID_ must match the value in the POSeIDAS config file under the key _CVCRefID_.
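The CVC, the chain entries and their _POSINCHAIN_ order are written into the database as raw binary, and a truncated TLV or a chain inserted in the wrong order only shows up later when POSeIDAS fails to build the chain. The following Python script is an added example and not the project's own code: it parses the ISO 7816 BER-TLV structure of a CV certificate, extracts the Certification Authority Reference (CAR) and Certificate Holder Reference (CHR), and checks that the rows intended for CERTINCHAIN link up in the order described above (root at position 0, each further certificate issued by the previous one, terminal certificate issued by the last). The 7F21/7F4E/42/5F20/5F37 tags follow the CV certificate layout of BSI TR-03110 Part 3; the sample certificates are constructed here with dummy signatures and no key material, so signature verification is out of scope.

```python
"""Sanity-check CV certificate blobs before they go into the TERMINALPERMISSION
and CERTINCHAIN tables.  Added example, not project code.  Tags follow the CV
certificate layout of BSI TR-03110 Part 3; the sample certificates are
constructed here, carry a zero-filled signature and no real key material, and
nothing below verifies signatures."""
TAG_CVC, TAG_BODY, TAG_CAR, TAG_CHR, TAG_SIG = 0x7F21, 0x7F4E, 0x42, 0x5F20, 0x5F37


def _read_tag(buf, i):
    tag = buf[i]
    i += 1
    if tag & 0x1F == 0x1F:  # multi-byte tag: continue while bit 8 of the next byte is set
        while True:
            tag = (tag << 8) | buf[i]
            i += 1
            if not buf[i - 1] & 0x80:
                break
    return tag, i


def _read_length(buf, i):
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length field")
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_tlv(buf):
    """One level of BER-TLV as a list of (tag, value); raises if a length runs past the data."""
    out, i = [], 0
    while i < len(buf):
        tag, i = _read_tag(buf, i)
        length, i = _read_length(buf, i)
        if i + length > len(buf):
            raise ValueError(f"tag {tag:X} claims {length} bytes but only {len(buf) - i} remain")
        out.append((tag, bytes(buf[i:i + length])))
        i += length
    return out


def encode_tlv(tag, value):
    """Inverse of parse_tlv for one element (used only to build the constructed samples)."""
    tag_bytes = tag.to_bytes((tag.bit_length() + 7) // 8, "big")
    n = len(value)
    if n < 0x80:
        length_bytes = bytes([n])
    else:
        width = (n.bit_length() + 7) // 8
        length_bytes = bytes([0x80 | width]) + n.to_bytes(width, "big")
    return tag_bytes + length_bytes + value


def cvc_references(blob):
    """Return (CAR, CHR) of a CV certificate, rejecting blobs without the 7F21/7F4E/5F37 structure."""
    outer = parse_tlv(blob)
    if len(outer) != 1 or outer[0][0] != TAG_CVC:
        raise ValueError("blob is not a single 7F21 CV certificate")
    top = dict(parse_tlv(outer[0][1]))
    if TAG_BODY not in top or TAG_SIG not in top:
        raise ValueError("CV certificate lacks body (7F4E) or signature (5F37)")
    body = dict(parse_tlv(top[TAG_BODY]))
    return body[TAG_CAR].decode("ascii"), body[TAG_CHR].decode("ascii")


def check_chain(terminal_cvc, chain_rows):
    """chain_rows: (POSINCHAIN, DATA) pairs as they would be inserted into CERTINCHAIN.
    Checks that positions are 0..n-1, that position 0 is self-referencing (CAR == CHR),
    that each further certificate's CAR names the previous CHR, and that the terminal
    certificate's CAR names the last CHR.  Returns the terminal CHR on success."""
    rows = sorted(chain_rows, key=lambda r: r[0])
    if [pos for pos, _ in rows] != list(range(len(rows))):
        raise ValueError("POSINCHAIN must be 0, 1, 2, ... without gaps or duplicates")
    prev_chr = None
    for pos, data in rows:
        car, chr_ = cvc_references(data)
        if pos == 0 and car != chr_:
            raise ValueError(f"root at POSINCHAIN 0 is not self-signed: CAR {car} != CHR {chr_}")
        if pos > 0 and car != prev_chr:
            raise ValueError(f"POSINCHAIN {pos}: CAR {car} does not name the previous CHR {prev_chr}")
        prev_chr = chr_
    car, chr_ = cvc_references(terminal_cvc)
    if car != prev_chr:
        raise ValueError(f"terminal CAR {car} does not name the last chain CHR {prev_chr}")
    return chr_


def make_cvc(car, chr_):
    """Constructed certificate carrying only the fields this check needs and a zero-filled signature."""
    body = encode_tlv(TAG_CAR, car.encode("ascii")) + encode_tlv(TAG_CHR, chr_.encode("ascii"))
    return encode_tlv(TAG_CVC, encode_tlv(TAG_BODY, body) + encode_tlv(TAG_SIG, bytes(64)))


if __name__ == "__main__":
    root = make_cvc("DECVCA00001", "DECVCA00001")        # constructed self-signed root
    dv = make_cvc("DECVCA00001", "DEDVTEST0001")         # constructed intermediate
    term = make_cvc("DEDVTEST0001", "DETERM000001")      # constructed terminal certificate
    print("chain OK, terminal CHR:", check_chain(term, [(1, dv), (0, root)]))
```

Feed `check_chain` the real blobs you are about to put into _CVC_ and _DATA_ (read from the files, not from the database) before stopping the container; the exceptions name the position that breaks the chain, which is cheaper to act on than a failed chain build inside POSeIDAS.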