Commit 40d9dbed authored by Tobias Assmann

improve deployment and docu stuff based on customer feedback

parent 5b192b12
......@@ -15,7 +15,6 @@ packer/
*.war*
*.tgz
#netbeans
*/**/nbactions.xml
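Review bot: the hunk header (-15,7 +15,6) says one ignore pattern was removed, but the rendering does not show which of `*.war*`, `*.tgz`, `#netbeans` or `*/**/nbactions.xml` it is. If one of the archive patterns was dropped, packaged `.war`/`.tgz` build outputs from the pack script can end up committed; please confirm the intent in the commit message or keep both archive patterns.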
......
#!/bin/bash
#
# script to build and pack the project as archive for delivery to client
# script to build and pack the project as archive for deployment
#
# tobias.assmann@ecsec.de
......@@ -16,7 +16,7 @@ echo "build the whole project ..."
mvn clean install || { echo "maven build failed. please check!"; exit 1; }
echo "copy builded stuff to $PCK_DIR/$TRG_DIR ..."
cp configuration-wizard/target/configuration-wizard-1.2.0-SNAPSHOT.jar $PCK_DIR/$TRG_DIR/poseidas-configuration-wizard.jar
cp docker/poseidas/POSeIDAS-exec.jar $PCK_DIR/$TRG_DIR/poseidas/POSeIDAS-exec.jar
cp docker/sam/sam-1.2.0-SNAPSHOT-thorntail.jar $PCK_DIR/$TRG_DIR/sam/sam-1.2.0-SNAPSHOT-thorntail.jar
cp docker/ssa/dist/ssa-server.war $PCK_DIR/$TRG_DIR/ssa/dist/ssa-server.war
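Review bot: the `cp` lines are not checked for failure, unlike the `mvn` line above them (`|| { echo "maven build failed. please check!"; exit 1; }`), so a missing `docker/poseidas/POSeIDAS-exec.jar` or `docker/ssa/dist/ssa-server.war` silently produces an incomplete package that `deploy.sh` will then rsync to the target host. Add `set -euo pipefail` at the top of the script or append `|| exit 1` to each `cp`. The version `1.2.0-SNAPSHOT` is also hard-coded in two paths; read it once into a variable so a version bump cannot update one path and miss the other.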
......
......@@ -6,44 +6,34 @@ On the machine this project is intended to run you need the following components
# Howto Setup the project
The setup of the project consists of several steps.
## Configure POSeIDAS on your local machine
You can use the [configuration-wizard](#use-the-configuration-wizard) or use a pre configured [test configuration](#use-the-pre-configured-template).
### Use the configuration-wizard
To configure the POSeIDAS use the configuration-wizard. Start it with Java8: `java -jar poseidas-configuration/wizard.jar`. Open your browser at http://localhost:8080/config-wizard/ and follow the instructions.
During configuration make sure to use the default path `/opt/poseidas/database` for the database location. This path will be mounted as a volume to `./poseidas/db` for easy access to the database-file.
Save the created `POSeIDAS.xml` and `application.properties` to `./poseidas/config`. This path will be mounted as a volume to `/opt/poseidas/config`. The `eidasmiddleware.properties` is not needed.
### Use the pre configured template
In `./poseidas/config` is a pre configured template for testing purposes. It uses self-signed certificates as trust-anchors.
## Configure POSeIDAS
In `./poseidas/config` is a pre-configured template for the configuration of POSeIDAS. It uses self-signed certificates as trust-anchors.
Edit the `poseidas/config/poseidas.xml` file accourding to your environment:
* Replace `TARGET_DOMAIN` with the real domain of the project (ServerUrl and PaosReceiverURL)
### Add terminal certificates
A emtpy database will be created at first startup. It must be filled after deployment, see [POSeIDAS Database](#POSeIDAS-Database).
The database contains pre defined certificates. If you don't want to use them, replace them with your data after deployment, see [POSeIDAS Database](#POSeIDAS-Database).
## Deployment to the hosting server
To deploy the project to a server some preparations are needed first.
### Edit config for docker-compose
## Edit config for docker-compose
Edit the `docker-compose.yml` file accourding to your environment:
* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This will be the port the facade will be available. The port should only be reachable form localhost , aka. the server itself.
* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This will be the port the facade will be available. The port should only be reachable form localhost, aka. the deployment target itself.
### Edit config for the SSA service
## Edit config for the SSA service
Edit the `ssa/config/ssa-server.conf` file accourding to your environment:
* Replace `TARGET_DOMAIN` with the real domain of the project.
### Edit the deploy script
## Edit the deploy script
Edit the `deploy.sh` file accourding to your environment:
* Replace `TARGET_HOST` with the real host of the project.
* Replace `TARGET_USER` with the user for on the host.
* Replace `TARGET_DIR` with the path to the directory the deployment should go to on the host.
### Run the deploy script
## Run the deploy script
Execute the `deploy.sh` script and check the startup of the services on the target host.
Please wait for the load of all services to reach a near idle level.
## EJBCA key setup script
Run the following command on the server while sitting in the projects directory:
Run the following command on the target host while sitting in the deployments directory:
```bash
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
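Review bot: the new line "The database contains pre defined certificates. If you don't want to use them, replace them with your data after deployment" (replacing "A emtpy database will be created at first startup"), together with "It uses self-signed certificates as trust-anchors", means every deployment carries the template's test trust anchors and a pre-loaded terminal certificate unless the operator opts out. Turn that around: say the pre-defined material is for testing only and must be replaced before the server is reachable on `TARGET_DOMAIN`. Smaller points: "reachable form localhost" should read "from localhost", and because Docker publishes ports on all interfaces by default, the docker-compose section should tell the reader to bind the facade as `127.0.0.1:TARGET_PORT:<container port>` rather than rely on the host firewall; the config file is called `POSeIDAS.xml` in the removed text but `poseidas/config/poseidas.xml` in the new text, which are different names on a case-sensitive filesystem, so use the one the container actually reads; "accourding" (four occurrences) should be "according".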
......@@ -51,21 +41,22 @@ docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
docker-compose up -d --no-deps --build sam
```
### POSeIDAS Database
To make changes in the database, the docker container `reqesidta_poseidas` first must be stopped.
## POSeIDAS Database
The pre-configuration of POSeIDAS matches PersoSim-Profiles, which can be found in the project under `/perso_sim_profiles`.
The database must be edited, if own certificates should be used.
To make changes in the database, the docker container `reqesidta_poseidas` first must be stopped.
The Database can be edited for example with [DBeaver](https://dbeaver.io/).
If the preconfigured database is used please look up the credentials for opening in the file `/poseidas/config/application.properties`.
If the database is configured by yourself, you have set the credentials via the [configuration-wizard](#use-the-configuration-wizard).
Please look up the credentials for opening the database in the file `/poseidas/config/application.properties`.
The following data needs to be present in the database:
* terminal certificate
* private-key
* terminal certificate (in ISO 7816 TLV binary format)
* private-key (PKCS 8 without password)
* sector-id (only relevant if the client is using PersoSim)
* certificate-chain
* certificate-chain (in ISO 7816 TLV binary format)
Use the following tables for adding the data:
Use the following tables for replacing the pre-configured data with your own:
* TERMINALPERMISSION
* _CVC_: terminal certificate
* _CVCPRIVATEKEY_: private-key
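Review bot: "private-key (PKCS 8 without password)" plus "look up the credentials for opening the database in the file `/poseidas/config/application.properties`" means the terminal private key and the DB credentials that unlock it both sit unencrypted in the deployment directory that `deploy.sh` copies with rsync. The readme should state who may read `poseidas/config` and the database directory (removed text says it is mounted at `./poseidas/db`) on the target host, e.g. owner-only permissions such as `chmod 600` on `application.properties`, and that the template's pre-configured DB credentials must be changed together with the certificates. Also, the removed line pointed readers to the configuration-wizard (`#use-the-configuration-wizard`) for setting credentials; with that section gone from the readme and the wizard jar no longer packaged by the build script, the only remaining way to set new credentials is editing `application.properties` by hand, so say that explicitly.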
......@@ -76,5 +67,5 @@ Use the following tables for adding the data:
* starting with the root certitifcate use the value '0' for _POSINCHAIN_ and put the certificate in _DATA_
* if intermediate certificates exist, increase the value for _POSINCHAIN_ and put the certificate in _DATA_
This data must be inserted using a key in _REFID_.
This data must be referenced using a key in _REFID_.
The value of _REFID_ must match the value in the poseidas config file under the key _CVCRefID_.
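Review bot: typo in the context line, "root certitifcate" should be "root certificate"; the wording change from "inserted" to "referenced" reads correctly, and it would help to add that the _REFID_ key must be identical in every row of the chain table, since the text only says it must match _CVCRefID_ in the config file.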
......@@ -3,9 +3,8 @@
# deployment script for reqesidta eid-server project
# tobias.assmann@ecsec.de
#
# This file acts as a template for creating a deploy script
# for a specific target environment. Please setup the env vars
# accourding to your needs:
# This file acts as a deploy script for a specific target environment.
# Please setup the env vars accourding to your needs:
#
# the user on the target host used to copy the files there and run the project
USER=TARGET_USER
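Review bot: the header now says the file "acts as a deploy script for a specific target environment" instead of a template, so concrete host, user and path values will be edited into a tracked file and can end up committed; keep `deploy.sh` generic and have it source an untracked file (for example a `deploy.env` listed in `.gitignore`) for the `TARGET_*` values. Separately, `USER=TARGET_USER` overwrites the shell's standard `USER` variable, which tools invoked later by the script may read; a name such as `DEPLOY_USER` avoids that. "accourding" should be "according".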
......@@ -35,7 +34,6 @@ ssh $USER@$HOST "command -v docker-compose >/dev/null 2>&1" || { echo >&2 "docke
echo "copy files to server ..."
rsync -av --delete --progress \
--exclude 'deploy.sh' \
--exclude 'poseidas-configuration-wizard.jar' \
--exclude 'readme.md' \
./ $USER@$HOST:$DIR
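Review bot: `rsync -av --delete ./ $USER@$HOST:$DIR` removes everything under `$DIR` on the target that is absent from the local checkout, so a second run of the script deletes runtime state created after the first deployment, notably the database directory the removed readme text says is mounted at `./poseidas/db` and any EJBCA state kept under `$DIR`. Add `--exclude` entries for those paths (or drop `--delete`) before this is run against a host that already holds terminal keys. Also `$USER`, `$HOST` and `$DIR` are unquoted, and `-a` preserves local file modes, so `poseidas/config/application.properties` arrives with whatever permissions it has in the developer's checkout; `--chmod=Dgo-rwx,Fgo-rwx` for the config directory would make the copied credentials owner-only regardless of the source.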
......
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CoreConfiguration xmlns="http:/www.bos_bremen.de/2009/06/eID-Server-CoreConfig">
<ServerUrl>https://docker.reqesidta.de/POSeIDAS/eidas-middleware</ServerUrl>
<ServerUrl>https://TARGET_DOMAIN/POSeIDAS/eidas-middleware</ServerUrl>
<sessionManagerUsesDatabase>true</sessionManagerUsesDatabase>
<sessionMaxPendingRequests>500</sessionMaxPendingRequests>
<TimerConfiguration>
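Review bot: replacing the concrete host `docker.reqesidta.de` with `TARGET_DOMAIN` is the right direction, but the placeholder now has to be substituted by hand in two files (`poseidas/config/poseidas.xml` per the readme and `ssa/config/ssa-server.conf`) with nothing verifying it was done; a guard in `deploy.sh` such as `grep -rl 'TARGET_' poseidas/config ssa/config && exit 1` would stop a deployment that still carries a placeholder. Unrelated context line worth checking: the namespace `http:/www.bos_bremen.de/2009/06/eID-Server-CoreConfig` has a single slash after `http:`; confirm it is exactly the namespace the server's schema expects, since a namespace mismatch makes the whole configuration unparseable.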
......@@ -35,7 +35,7 @@
<url>https://dev.governikus-eid.de:9444/gov_dvca/certDesc-service</url>
</dvcaCertDescriptionService>
</PkiConnectorConfiguration>
<PaosReceiverURL>https://docker.reqesidta.de/POSeIDAS/eidas-middleware/paosreceiver</PaosReceiverURL>
<PaosReceiverURL>https://TARGET_DOMAIN/POSeIDAS/eidas-middleware/paosreceiver</PaosReceiverURL>
<hoursRefreshCVCBeforeExpires>48</hoursRefreshCVCBeforeExpires>
</EPAConnectorConfiguration>
</ServiceProvider>
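Review bot: `TARGET_DOMAIN` only covers `ServerUrl` and `PaosReceiverURL` (the readme says the same), while the unchanged context line still points `dvcaCertDescriptionService` at `https://dev.governikus-eid.de:9444/gov_dvca/certDesc-service`, a `dev.` endpoint. A deployment that follows the readme will therefore talk to that PKI with the template's self-signed trust anchors; the "Configure POSeIDAS" step should list the `PkiConnectorConfiguration` URLs and the trust material as items to replace for a production environment, or the template should carry placeholders for them as well.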
......