rm old stage stuff, reworked deploy stuff and readme

2bb3d3ea · Tobias Assmann · 34e84461 · 34e84461 · 34e84461 · 2bb3d3ea
Commit 2bb3d3ea authored Nov 15, 2019 by Tobias Assmann
--- a/docker/poseidas/config/POSeIDAS_stage.xml
+++ b/docker/poseidas/config/POSeIDAS_stage.xml
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<CoreConfiguration xmlns="http:/www.bos_bremen.de/2009/06/eID-Server-CoreConfig">
-  <ServerUrl>https://reqesidta.openecard.org/POSeIDAS/eidas-middleware</ServerUrl>
-  <sessionManagerUsesDatabase>true</sessionManagerUsesDatabase>
-  <sessionMaxPendingRequests>500</sessionMaxPendingRequests>
-  <TimerConfiguration>
-    <certRenewal length="2" unit="11"/>
-    <blacklistRenewal length="2" unit="11"/>
-    <masterAndDefectListRenewal length="2" unit="11"/>
-  </TimerConfiguration>
-  <ServiceProvider entityID="providerA" enabled="true">
-    <EPAConnectorConfiguration updateCVC="false">
-      <!-- refID of the devDB from 001-->
-      <CVCRefID>ecsec</CVCRefID>
-      <PkiConnectorConfiguration>
-        <!-- At least the certificates for blacklist, master and defectList have to be EC -->
-        <blackListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</blackListTrustAnchor>
-        <masterListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</masterListTrustAnchor>
-        <defectListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</defectListTrustAnchor>
-        <policyImplementationId>govDvca</policyImplementationId>
-        <sslKeys id="default">
-          <serverCertificate>MIIEiDCCA3CgAwIBAgIDJlN5MA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNVBAYTAkRFMRUwEwYDVQQKEwxELVRydXN0IEdtYkgxLjAsBgNVBAMTJUQtVFJVU1QgTGltaXRlZCBCYXNpYyBFQUMgQ0EgMS0xIDIwMTgwHhcNMTkwNDA0MTAyNDI3WhcNMjMwNDA0MTAyNDI3WjBTMQswCQYDVQQGEwJERTEUMBIGA1UEChMLRUFDIFN5c3RlbWUxHTAbBgNVBAMTFGJlcmNhLXAxLmQtdHJ1c3QubmV0MQ8wDQYDVQQIEwZCZXJsaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXQ4WEJtKZZUIRmplenLmNVlLg2cJMVZ0xT/FsUrUWk/JXH2C4LAxlsnx/tv9rxKYXZUi2oVhz43jEPiMsXZxVUo4n8mpH6I1vqvxiwR8rgxtsPiTOf+iUeVLYIXp24WLGXV80hWy+WSOL7rFO+TgQHoFv2MU7tzvmdnLeeTUJxfpU1Ac1JYkvq0jcU8LXVoRKfC+v8VMQ8zfmGu1ZnYOGyUyWcSjNRkXjchGMNc4ADDBTFIRBUCthjb9RuVc4HV3Cm6XholZGzxAIG8O3ybmWMdxyav/wcadnLumcgD7r5qE5KH0yIo3RaO6HAN5f/W9Vzr9JjCHGAh1PWogL/SddAgMBAAGjggFiMIIBXjATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU6ejGLsU+zo1cc+1gRpXM/H/i8HUwFgYDVR0gBA8wDTALBgkqghQAUAeDdAowHwYDVR0jBBgwFoAUswxYrf8CYVl4gE/vvK5G8oYbv2kwDgYDVR0PAQH/BAQDAgWgMIHeBgNVHR8EgdYwgdMwgdCggc2ggcqGgYFsZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBMaW1pdGVkJTIwQmFzaWMlMjBFQUMlMjBDQSUyMDEtMSUyMDIwMTgsTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3SGRGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfbGltaXRlZF9iYXNpY19lYWNfY2FfMS0xXzIwMTguY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCkszC7hGOQIekspM6l5KPDzKMEWmjQjTJ4BnlejcVNQxUZR8KPZa0bB1yeEcVPTcmi6LQQOlHMYvVfo6tZ2SoXQ9Sbo5uh9TaDTcohcmwCBasy5Wrgaq1AqxgKG4Pgd92pHBCm1uMekBVqA8j+HOSk7ig0+fTx2vtttI6rTK2fk5Z9QOqOirh6pBh2sSah1txfjWUVVTM/LZrTmPuyfBRrGOqCb5H/wrEffxgcxoCNcd3kIm11n67GoBDagBrhOl8sL2Dj2hNET+WlrQCZitJmB91fBrucZdIndWfzf0ShWhWZnNKqKUuRuX6vHq4G8/xyK9v3VP5S4JQpO/haodxI</serverCertificate>
-          <clientCertificate>MIICqDCCAZCgAwIBAgIEWrTFLjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtkdmNhX2NsaWVudDAeFw0xODAzMjMwOTEzMThaFw0yODAzMjMwOTEzMThaMBYxFDASBgNVBAMMC2R2Y2FfY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz5fB2RlgtG7cS225RTz6FixoSGKKdESdZTaGM2/fgYAYlXRa3SR8rhxLq5sbZmCjmXU5aPe9yOO9Qavx8YC5kTi1gIc4b+zVU2/Vr/XZGwjloUU3bqVCgIWhaqc3EvkznaSsv3YbBSeS9QlXDJkGVT+qp9RA4g2X47auAD2k6XRprgXXoubimGfIpswssIbPgEWPw2UbBnuhCFRHD0Yg1Y2oLTwK9Z1IaNp+7dvgt8Pskfs9alPB24x+0fiBc5BXUzKSCLGweITGkQKhTOXCmZDO67aEbCdlcpmCQJuZpS++AliFMgr12axBM225uf4wvmtCyxI9jP1HdzTus8+1twIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQByup3Q2+oHAefbkEW2R3mOc3E7wl3VqRBniN6hJ0kdzVYsbIsnf15O+moh6Yr5iBdKj7JGyKwVR9HOihdyGv8g3LuId9weiaHl/It0z5g5VFKdVJ0ziYpGFmbx5x2ikJDL+oAYvjqIJhIEtsYkDGtnWtUIp+Kq4hffg/z/1GTMVpXCWw//vnE7m0ps8QiwSNTA+iFHvrQMLIU/Vz1B0xzKvrcbb8JYPKYJsQlMYYBEsB1QUZM134ThctnsCOj9Zxbycwi1z5XnlqaQLGXut1juciXtm5TD5vP5FlBiaMEOlC/ngxDVAYbs3ln6K+JrQtd2Lp2rJN6HK3hBM3VmZwGS</clientCertificate>
-          <clientKey>MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPl8HZGWC0btxLbblFPPoWLGhIYop0RJ1lNoYzb9+BgBiVdFrdJHyuHEurmxtmYKOZdTlo973I471Bq/HxgLmROLWAhzhv7NVTb9Wv9dkbCOWhRTdupUKAhaFqpzcS+TOdpKy/dhsFJ5L1CVcMmQZVP6qn1EDiDZfjtq4APaTpdGmuBdei5uKYZ8imzCywhs+ARY/DZRsGe6EIVEcPRiDVjagtPAr1nUho2n7t2+C3w+yR+z1qU8HbjH7R+IFzkFdTMpIIsbB4hMaRAqFM5cKZkM7rtoRsJ2VymYJAm5mlL74CWIUyCvXZrEEzbbm5/jC+a0LLEj2M/Ud3NO6zz7W3AgMBAAECggEADd7IaMkyy8DP1EmyWXzKWDqYWc8dDB6yMNs0mpw3dU90lQvPWbuV3wuXR2cs11Qj/4gJvB3iyYOPQiOLHgU+oNmGpbNN4zXnnP8PFTDaft1t0QQvFiP8Q6+/X2u+bh9GF8WIdfRzYrlIWY9JsyxISYrgS/1ju8GHwVhpMNftkbGC4Zn5WnjidImG4aWz20q3GiOqirzayIJZny6a9ch4FuDi+4meuc9qAtGR6xpkRAfxirdYDSgS3P/+Y+0kPAgA1SZXmmsrGsTgoeuKl8HusVRzKCfeQqt0vTKcTUhGP0EEoyA0nC6QH6+Pklqu1wtTQ59RevC6M6rqrG4E5WCEaQKBgQDrHcQ9HoCjPp8Qf5L8dRHbKClb64gBuPyDfJ4tpVvpHHCIf9NTcJ0CBC/5ikoVrzrSwlJvGYtHgxZI+EYzn0MCFC6dxvkHeJA/bylwgw7942KzB4ieQdsmQNnLs/9nTdk06yRNkOMX4GUwQArThWsXiNeByibax4nA1GD/yptLyQKBgQDiCCSqwOoMA9Wsdc110rdQ9Uq6f78Tq0N0uNddvnxh/bY6JWYDHck+EXBvEz4cY6NTtaFqCCoophvrqllryBHEYB/ienual6N+e1XfPoUeLwtOAeqBfVd6IraSyS7jdA6fYErAMjFFgcwr6rqIpDW8AzJZNPCAteSmx7xr+rC1fwKBgGwcQNr1xqLJrayRbM4HKtHCMtpggCaCoCH50GYezhdvi1NIq6yHcLq3oDO3Yf98lqjIz8zkSwX0AfBFsUoVZmNzUkgccO/9gR6aB80DhoY54218/lX+5D0/vqYLO1qOEl1h7kx4XePhu8Wm/RNsGuU0eBvnD1y0OeRgA8Y6rJP5AoGAIdnkW+pOYwREAPMXlTi8mZRS38F4BWMV1CpGntSDXk2X9/dX4smYNQJ5mzj/iVLmyAegp/eXEMVn0xCNGdY5yvY2cD21uz5QjwW7o5aCazXSdJlW3JPAARunyi31Jr1f30CVkVkzBdzdjgo2a3ZkUccMyE1kY3JaTxwEvQsrYdMCgYEArObZilqguFcSPJ/NS4/LxT/XoMWYK7My+5Fpyd+HQchVG/ZDLC+GAhwjhylvSwmXEnJgCEggE1OlfyRqwHi4m2yOFupI4P5jd4kBcm1kM6j/MC/pvCHBu+XJ2/MM2kjqwunsVZt0M3frZ0g6T1LSW0bRC8p2Q4B1jHnmJp7Q8PU=</clientKey>
-        </sslKeys>
-        <terminalAuthService sslKeysId="default">
-          <url>https://dev.governikus-eid.de:9444/gov_dvca/ta-service</url>
-        </terminalAuthService>
-        <restrictedIdService sslKeysId="default">
-          <url>https://dev.governikus-eid.de:9444/gov_dvca/ri-service</url>
-        </restrictedIdService>
-        <passiveAuthService sslKeysId="default">
-          <url>https://dev.governikus-eid.de:9444/gov_dvca/pa-service</url>
-        </passiveAuthService>
-        <dvcaCertDescriptionService sslKeysId="default">
-          <url>https://dev.governikus-eid.de:9444/gov_dvca/certDesc-service</url>
-        </dvcaCertDescriptionService>
-      </PkiConnectorConfiguration>
-      <PaosReceiverURL>https://reqesidta.openecard.org/POSeIDAS/eidas-middleware/paosreceiver</PaosReceiverURL>
-      <hoursRefreshCVCBeforeExpires>48</hoursRefreshCVCBeforeExpires>
-    </EPAConnectorConfiguration>
-  </ServiceProvider>
-  <SAMConfig url="http://reqesidta_sam:8080/"></SAMConfig>
-</CoreConfiguration>
--- a/docker/poseidas/db/poseidas_stage.mv.db
+++ b/docker/poseidas/db/poseidas_stage.mv.db
--- a/docker/sam/sam.docker.reqesidta.de.p12
+++ b/docker/sam/sam.docker.reqesidta.de.p12
--- a/for-client-delivery/eid-server/deploy.sh
+++ b/for-client-delivery/eid-server/deploy.sh
 #!/bin/bash
 #
 # deployment script for reqesidta eid-server project
-# michael rauh, tobias assmann
+# tobias.assmann@ecsec.de
 #
 # This file acts as a template for creating a deploy script
 # for a specific target environment. Please setup the env vars
 # accourding to your needs:
 #
-# the target host of the deployment
-HOST=YOUR_HOST
 # the user on the target host used to copy the files there and run the project
-USER=YOUR_USER
+USER=TARGET_USER
+# the target host of the deployment
+HOST=TARGET_HOST
 # the directory on the target host where to put the project
-DIR=YOUR_DIR
+DIR=TARGET_DIR
 #
 #######################################################################################

+echo "check for correct replacement ..."
+! grep TARGET_ ./docker-compose.yml || { echo >&2 "Found text to be replaced in docker-compose.yml. Aborting."; exit 1; }
+! grep TARGET_ ./ssa/config/ssa-server.conf || { echo >&2 "Found text to be replaced in ssa-server.conf. Aborting."; exit 1; }
+! test $HOST = "TARGET_HOST" || { echo >&2 "Found text TARGET_HOST to be replaced in deploy.sh. Aborting."; exit 1; }
+! test $USER = "TARGET_USER" || { echo >&2 "Found text TARGET_USER to be replaced in deploy.sh. Aborting."; exit 1; }
+! test $DIR = "TARGET_DIR" || { echo >&2 "Found text TARGET_DIR be replaced in deploy.sh. Aborting."; exit 1; }
+
+echo "check target environment ..."
+ssh $USER@$HOST "cd $DIR >/dev/null 2>&1" || { echo >&2 "Could not reach $DIR as user $USER on $HOST Aborting."; exit 1; }
+
 echo "check for needed commands ..."
 command -v rsync >/dev/null 2>&1 || { echo >&2 "rsync is needed on localhost but it's not installed. Aborting."; exit 1; }
 command -v ssh >/dev/null 2>&1 || { echo >&2 "ssh is needed on localhost but it's not installed. Aborting."; exit 1; }
@@ -29,10 +39,10 @@ rsync -av --delete --progress \
 	--exclude 'readme.md' \
 	./ $USER@$HOST:$DIR

-# Restart / re-build the services
-echo "Start services on server ..."
+echo "Build and start services on server ..."
 ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"
+echo $?

-echo "Deployment done, please wait until all services are fully running and proceed with EJBCA key setup."
+echo "Deployment done, please wait until all services are fully running without heavy load and then proceed with EJBCA key setup."

 exit 0
--- a/for-client-delivery/eid-server/docker-compose.yml
+++ b/for-client-delivery/eid-server/docker-compose.yml
@@ -11,7 +11,7 @@ services:
      --providers.docker.exposedbydefault=false
      --entryPoints.web.address=:80
      --log.level=error
-    # change TARGET_PORT to the port your reverse proxy is facing to
+    # change value to the port your reverse proxy is forwarding to
    ports:
      - "TARGET_PORT:80"
    networks:

--- a/for-client-delivery/eid-server/poseidas/db/.gitkeep
+++ b/for-client-delivery/eid-server/poseidas/db/.gitkeep
--- a/for-client-delivery/eid-server/poseidas/db/poseidas.mv.db
+++ b/for-client-delivery/eid-server/poseidas/db/poseidas.mv.db
--- a/for-client-delivery/eid-server/readme.md
+++ b/for-client-delivery/eid-server/readme.md
@@ -31,13 +31,13 @@ Edit the `docker-compose.yml` file accourding to your environment:

 ### Edit config for the SSA service
 Edit the `ssa/config/ssa-server.conf` file accourding to your environment:
-* Replace `DOMAIN` with the real domain of the project.
+* Replace `TARGET_DOMAIN` with the real domain of the project.

 ### Edit the deploy script
 Edit the `deploy.sh` file accourding to your environment:
-* Replace `YOUR_HOST` with the real host of the project.
-* Replace `YOUR_USER` with the user for on the host.
-* Replace `YOUR_DIR` with the path to the directory the deployment should go to on the host.
+* Replace `TARGET_HOST` with the real host of the project.
+* Replace `TARGET_USER` with the user for on the host.
+* Replace `TARGET_DIR` with the path to the directory the deployment should go to on the host.

 ### Run the deploy script
 Execute the `deploy.sh` script and check the startup of the services on the target host.

--- a/for-client-delivery/eid-server/sam/sam.docker.reqesidta.de.p12
+++ b/for-client-delivery/eid-server/sam/sam.docker.reqesidta.de.p12
--- a/for-client-delivery/eid-server/ssa/config/ssa-server.conf
+++ b/for-client-delivery/eid-server/ssa/config/ssa-server.conf
 ssa-config {
 	sessionMaxAge: 60,
 	sessionCheckAgeInterval: 30,
-	baseUrl: "https://DOMAIN/ssa-server"
+	baseUrl: "https://TARGET_DOMAIN/ssa-server"
 	eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
 	samUrl: "http://sam.docker.reqesidta.de:8080"
 	caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"