# Prerequisites
On the machine this project is intended to run on, you need the following components:
* `docker-compose` command: used to start up the cluster of Docker services the project consists of.
* A reverse proxy with valid TLS certificates for a specific domain. The cluster itself knows nothing about TLS: it contains a facade service with a plain-HTTP endpoint only, acting as gateway to the individual services, so the reverse proxy must terminate TLS and forward requests to the facade. Most important for the demo is the root path (/), which leads to the web UI for demo purposes.

# How to set up the project
The setup of the project consists of several steps.

## Configure POSeIDAS on your local machine
You can use the [configuration-wizard](#use-the-configuration-wizard) or use a pre-configured [test configuration](#use-the-pre-configured-template).

### Use the configuration-wizard
To configure POSeIDAS, use the configuration-wizard. Start it with Java 8: `java -jar poseidas-configuration/wizard.jar`. Open your browser at http://localhost:8080/config-wizard/ and follow the instructions.

During configuration, make sure to use the default path `/opt/poseidas/database` for the database location. This path is mounted as a volume to `./poseidas/db` for easy access to the database file.

Save the generated `POSeIDAS.xml` and `application.properties` to `./poseidas/config`. This path is mounted as a volume to `/opt/poseidas/config`. The `eidasmiddleware.properties` file is not needed. Note that `application.properties` holds the database credentials, so keep `./poseidas/config` out of version control and restrict access to it on the host.

### Use the pre-configured template
In `./poseidas/config` there is a pre-configured template for testing purposes. It uses self-signed certificates as trust anchors, so it is suitable for testing only, not for a production deployment.

### Add terminal certificates
An empty database is created at first startup. It must be filled after deployment, see [POSeIDAS Database](#poseidas-database).

## Deployment to the hosting server
To deploy the project to a server, some preparations are needed first.

### Edit config for docker-compose
Edit the `docker-compose.yml` file according to your environment:
* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This is the port the facade will be available on. Because the facade speaks plain HTTP, this port should only be reachable from localhost, i.e. the server itself, and must not be published on an external interface.

### Edit config for the SSA service
Edit the `ssa/config/ssa-server.conf` file according to your environment:
* Replace `TARGET_DOMAIN` with the real domain of the project.

### Edit the deploy script
Edit the `deploy.sh` file according to your environment:
* Replace `TARGET_HOST` with the real host of the project.
* Replace `TARGET_USER` with the user on the host that the deployment runs as.
* Replace `TARGET_DIR` with the path to the directory on the host the deployment should go to.

### Run the deploy script
Execute the `deploy.sh` script and check that the services start up on the target host.
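Before running `deploy.sh`, it is worth checking that none of the placeholders above were left unreplaced and that the facade port is bound to loopback only, since a mapping like `8080:8080` would publish the plain-HTTP facade on every interface and bypass the TLS-terminating reverse proxy. The following script is an added example, not part of the project; it assumes the placeholder names and file paths from this README and the usual compose port syntax `[host:]hostport:containerport`, and the sample YAML at the bottom is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not part of the project): pre-deploy sanity checks for the
# files this README asks you to edit. Assumes the README's placeholder names
# (TARGET_PORT, TARGET_DOMAIN, TARGET_HOST, TARGET_USER, TARGET_DIR) and the
# compose port syntax "[host:]hostport:containerport".

# Print every line of FILE that still carries a TARGET_* placeholder.
# Returns 1 if any are found, 0 if the file is fully edited.
leftover_placeholders() {
  if grep -En 'TARGET_(PORT|DOMAIN|HOST|USER|DIR)' "$1"; then
    return 1
  fi
  return 0
}

# Check that every published port in a compose file is bound to a loopback
# address. "- 8080:80" or "- 0.0.0.0:8080:80" would expose the plain-HTTP
# facade on all interfaces. Heuristic: only list items of the form
# "- [host:]port:port" (optionally quoted) are inspected.
ports_loopback_only() {
  local mapping bad=0
  for mapping in $(sed -n -E \
      's/^[[:space:]]*-[[:space:]]*"?([^"[:space:]]+:[0-9]+)"?[[:space:]]*$/\1/p' "$1"); do
    case "$mapping" in
      127.0.0.1:*:*|localhost:*:*|\[::1\]:*:*) ;;   # loopback-bound: fine
      *) echo "not bound to loopback: $mapping" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Run both checks against the three files the README has you edit
# (call this from the project directory before ./deploy.sh).
precheck() {
  local f rc=0
  for f in docker-compose.yml ssa/config/ssa-server.conf deploy.sh; do
    leftover_placeholders "$f" || rc=1
  done
  ports_loopback_only docker-compose.yml || rc=1
  return $rc
}

# Constructed sample inputs (not the project's real files) so the checks can
# be exercised without the project tree.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/good.yml" <<'EOF'
services:
  facade:
    ports:
      - "127.0.0.1:8443:8080"
    volumes:
      - ./poseidas/db:/opt/poseidas/database
EOF
cat > "$SAMPLE_DIR/bad.yml" <<'EOF'
services:
  facade:
    ports:
      - "TARGET_PORT:8080"
      - 9000:9000
EOF

if leftover_placeholders "$SAMPLE_DIR/good.yml" && ports_loopback_only "$SAMPLE_DIR/good.yml"; then
  echo "good.yml: ok"
fi
if ! leftover_placeholders "$SAMPLE_DIR/bad.yml" >/dev/null || ! ports_loopback_only "$SAMPLE_DIR/bad.yml" 2>/dev/null; then
  echo "bad.yml: placeholders left or ports exposed"
fi
```

Run `precheck` from the project directory and only proceed with `deploy.sh` when it returns 0; the port check is a textual heuristic, so confirm on the host afterwards (for example with `ss -tlnp`) that the facade port is listening on 127.0.0.1 only.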

## EJBCA key setup script
Run the following command on the server from within the project's directory. It runs EJBCA's key setup script inside the EJBCA container, copies the resulting PKCS#12 keystore into `sam/`, and then rebuilds and restarts only the `sam` service so it picks the keystore up:

```bash
# 1. run the key setup script inside the EJBCA container
# 2. copy the PKCS#12 keystore (holds the private key) to ./sam/
# 3. rebuild and restart only the sam service
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
  docker cp reqesidta_ejbca:/opt/primekey/bin/p12/sam.docker.reqesidta.de.p12 sam/ && \
  docker-compose up -d --no-deps --build sam
```

The copied `.p12` file contains the SAM service's private key; keep its file permissions restrictive and do not commit it to version control.

## POSeIDAS Database
To make changes in the database, the POSeIDAS Docker container must be stopped first.
The database can then be edited, for example with [DBeaver](https://dbeaver.io/).

If the pre-configured database is used, look up the credentials for opening it in `./poseidas/config/application.properties`. If you configured the database yourself, you set the credentials via the [configuration-wizard](#use-the-configuration-wizard).

You need to add the following data into the database:
* terminal certificate
* private key
* sector ID (only relevant if the client is using PersoSim)
* certificate chain

All rows are keyed by _REFID_. The value of _REFID_ must match the value in the POSeIDAS config file under the key _CVCRefID_. Note that the database file under `./poseidas/db` then holds the terminal's private key, so restrict access to it on the host and keep it out of version control.

Use the following tables for adding the data:
* TERMINALPERMISSION
  * _CVC_: terminal certificate
  * _CVCPRIVATEKEY_: private-key
  * _SECTORID_: sector-id
  * _CVCDESCRIPTION_: terminal description
* CERTINCHAIN
  * one row per certificate of the certificate chain, keyed by the same _REFID_
    * start with the root certificate: use the value '0' for _POSINCHAIN_ and put the certificate in _DATA_
    * if intermediate certificates exist, increment _POSINCHAIN_ for each further certificate down the chain and put that certificate in _DATA_