create folder for client delivery, start preparing deployment stuff there

docker/deploy-to_stage.sh

-#!/bin/bash
-# deployment script for reqesidta
-# michael rauh, tobias assmann
-
-echo "fix setup first!"
-exit 1
-
-# setup env
-ENV=stage
-USER=tobias
-HOST=localhost
-DIR=/home/tobias/Projects/reqesidta/deploy
-
-# Synchronize this directory with the target on $HOST.
-# Exclude the dev files and rename the corresponding files on the server.
-rsync -av --delete --progress \
-	--exclude 'docker-compose.yml' \
-	--exclude 'poseidas/config/POSeIDAS.xml' \
-	--exclude 'poseidas/db/poseidas.mv.db' \
-	--exclude 'sam/config/ssa-server.conf' \
-	--exclude 'deploy-to_*' \
-	--exclude '*.dodeploy' \
-	--exclude '*.dodeploy' \
-	./ $USER@$HOST:$DIR
-
-ssh $USER@$HOST "mv $DIR/docker-compose_$ENV.yml $DIR/docker-compose.yml"
-ssh $USER@$HOST "mv $DIR/poseidas/config/POSeIDAS_stage.xml $DIR/poseidas/config/POSeIDAS.xml"
-ssh $USER@$HOST "mv $DIR/poseidas/db/poseidas_stage.mv.db $DIR/poseidas/db/poseidas.mv.db"
-ssh $USER@$HOST "mv $DIR/ssa/config/ssa-server_$ENV.yml $DIR/ssa/config/ssa-server.conf"
-
-# Restart / re-build the services
-ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"

docker/facade/traefik-dyn.yml

@@ -2,8 +2,3 @@ tls:
   certificates:
     - certFile: /certs/docker.reqesidta.de.cert
       keyFile: /certs/docker.reqesidta.de.key
-  # stores:
-  #   default:
-  #     defaultCertificate:
-  #       certFile: /certs/docker.reqesidta.de.cert
-  #       keyFile: /certs/docker.reqesidta.de.key

docker_for-client-delivery/deploy-to_TEMPLATE.sh

+#!/bin/bash
+#
+# deployment script for reqesidta eid-server project
+# michael rauh, tobias assmann
+#
+# This file acts as a template for creating a deploy script
+# for a specific target environment. Please setup the env vars
+# accourding to your needs:
+#
+# name of the target environment
+ENV=stage
+# the host of the target environment
+HOST=localhost
+# the user on the target environment used to copy the files there and run the project
+USER=tobias
+# the directory on the host of the target environment where
+DIR=/home/tobias/Projects/reqesidta/deploy
+#
+#######################################################################################
+
+# check for needed files
+#
+
+# check for needed commands
+# local
+command -v rsync >/dev/null 2>&1 || { echo >&2 "rsync is needed on locahost but it's not installed. Aborting."; exit 1; }
+command -v ssh >/dev/null 2>&1 || { echo >&2 "ssh is needed on localhost but it's not installed. Aborting."; exit 1; }
+# remote
+ssh $USER@$HOST "command -v docker >/dev/null 2>&1" || { echo >&2 "docker is needed on $HOST but it's not installed. Aborting."; exit 1; }
+ssh $USER@$HOST "command -v docker-compose >/dev/null 2>&1" || { echo >&2 "docker is needed on $HOST but it's not installed. Aborting."; exit 1; }
+
+# synchronize this directory with the target on $HOST.
+# exclude the not needed files
+rsync -av --delete --progress \
+	--exclude 'sam/config/ssa-server_TEMPLATE.conf' \
+	--exclude 'docker-compose_TEMPLATE.yml' \
+	--exclude 'deploy-to*' \
+	--exclude 'readme*' \
+	./ $USER@$HOST:$DIR
+
+# Restart / re-build the services
+#ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"
+
+echo "Deployment done, please wait until all services are fully running and proceed to EJBCA key setup."
+
+exit 0;

docker_for-client-delivery/docker-compose_TEMPLATE.yml

+version: "3.4"
+
+services:
+  facade:
+    image: "traefik:v2.0"
+    container_name: "reqesidta_facade"
+    labels:
+      - "traefik.enable=true"
+    command:
+      --providers.docker=true
+      --providers.docker.exposedbydefault=false
+      --entryPoints.web.address=:80
+      --log.level=error
+    # change TARGET_PORT to the port your reverse proxy is facing to
+    ports:
+      - "TARGET_PORT:80"
+    networks:
+      - reqesidta_net
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  poseidas:
+    image: "reqesidta/poseidas"
+    container_name: "reqesidta_poseidas"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.poseidas.loadbalancer.server.port=8443"
+      - "traefik.http.routers.poseidas.rule=Path(`/POSeIDAS/eidas-middleware/paosreceiver`)"
+      - "traefik.http.routers.poseidas.entrypoints=web"
+    build:
+      context: ./poseidas
+      args:
+        JAR_FILE: POSeIDAS-exec.jar
+    networks:
+      reqesidta_net:
+        aliases:
+          - poseidas.docker.reqesidta.de
+    volumes:
+      - ./poseidas/config:/opt/poseidas/config
+      - ./poseidas/db:/opt/poseidas/database
+
+  ejbca:
+    image: "reqesidta/ejbca"
+    container_name: "reqesidta_ejbca"
+    build:
+      context: ./ejbca
+    hostname: localhost:8444
+    depends_on:
+      - postgres
+    environment:
+      DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
+      DATABASE_USER: ejbca
+      DATABASE_PASSWORD: password
+    networks:
+      reqesidta_net:
+        aliases:
+          - ejbca.docker.reqesidta.de
+
+  postgres:
+    image: "postgres:11.4"
+    container_name: "reqesidta_postgres"
+    environment:
+      POSTGRES_USER: ejbca
+      POSTGRES_PASSWORD: password
+    networks:
+      - reqesidta_net
+
+  ssa:
+    image: "reqesidta/ssa"
+    container_name: "reqesidta_ssa"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.ssa.loadbalancer.server.port=8080"
+      - "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
+      - "traefik.http.routers.ssa.entrypoints=web"
+    build:
+      context: ./ssa
+    depends_on:
+      - poseidas
+      - ejbca
+    command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
+    networks:
+      reqesidta_net:
+        aliases:
+          - ssa.docker.reqesidta.de
+
+  sam:
+    image: "reqesidta/sam"
+    container_name: "reqesidta_sam"
+    build:
+      context: ./sam
+    networks:
+      reqesidta_net:
+        aliases:
+          - sam.docker.reqesidta.de
+
+  webui:
+    image: "reqesidta/webui"
+    container_name: "reqesidta_webui"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.webui.loadbalancer.server.port=80"
+      - "traefik.http.routers.webui.rule=PathPrefix(`/`)"
+      - "traefik.http.routers.webui.entrypoints=web"
+    build:
+      context: ./webui
+    networks:
+      reqesidta_net:
+        aliases:
+          - webui.docker.reqesidta.de
+
+networks:
+  reqesidta_net:
+    driver: bridge

docker_for-client-delivery/ejbca/Dockerfile

+FROM primekey/ejbca-ce:6.15.2.1
+
+# Add a shell script to configure EJBCA.
+COPY ejbca-config.sh /usr/local/bin/
+
+USER root
+
+# Replace the Organisation string with a custom one to better differentiate it
+# from productions certs.
+RUN sed -i "s/EJBCA Container Quickstart/EJBCA Docker dev certificate/g" \
+  /opt/primekey/bin/internal/after-deployed-app-create-certificate.sh
+
+RUN chown 10001:10001 /usr/local/bin/ejbca-config.sh
+RUN chmod 755 /usr/local/bin/ejbca-config.sh
+
+USER 10001

docker_for-client-delivery/ejbca/ejbca-config.sh

+#!/bin/sh
+
+cd /opt/primekey/bin/ || exit
+
+# Use the existing CA (see comment below)
+CA=ManagementCA
+ALIAS=ecsecCMP
+CN=sam.docker.reqesidta.de
+PW=testtest
+
+# Create a CMP config
+./ejbca.sh config cmp addalias $ALIAS
+
+./ejbca.sh config cmp updatealias $ALIAS --key operationmode --value ra
+
+./ejbca.sh config cmp updatealias $ALIAS --key authenticationmodule --value EndEntityCertificate
+./ejbca.sh config cmp updatealias $ALIAS --key authenticationparameters --value $CA
+
+./ejbca.sh config cmp updatealias $ALIAS --key allowraverifypopo --value true
+
+./ejbca.sh config cmp updatealias $ALIAS --key ra.caname --value $CA
+./ejbca.sh config cmp updatealias $ALIAS --key defaultca --value $CA
+
+# Make script idempotent by always deleting the user first
+./ejbca.sh ra delendentity -force --username $CN
+
+# Add end entity for the server key pair
+./ejbca.sh ra addendentity --username $CN --password $PW \
+  --dn "CN=$CN" --caname $CA --type 1 --token P12
+
+# Add entity to admin role
+./ejbca.sh roles addrolemember --role "Super Administrator Role" --caname $CA \
+  --with "CertificateAuthenticationToken:WITH_COMMONNAME" --value $CN
+
+# Enable batch mode
+./ejbca.sh ra setclearpwd $CN $PW
+
+# Create p12 file (saved in p12 subfolder)
+./ejbca.sh batch
+
+# Various (currently) unused commands:
+
+# Create a new CA. As you can't set auto-activation to true here, you will have
+# to do this manually or create custom cryptotokens (see below).
+# ./ejbca.sh ca init \
+	# --caname $CA \
+	# --dn "C=DE,O=ecsec GmbH,CN=ecsec Docker Root CA" \
+	# --tokenType soft \
+	# --tokenPass ecsecCATokenPass \
+	# --keytype ECDSA \
+	# --keyspec secp256r1 \
+	# -s SHA256withECDSA \
+	# -v 3650 \
+	# --policy null
+
+# ./ejbca.sh cryptotoken create --autoactivate true --pin 1234 --token $TOKEN --type SoftCryptoToken
+# ./ejbca.sh cryptotoken generatekey --alias signKey --keyspec secp256r1 --token $TOKEN
+# ./ejbca.sh cryptotoken generatekey --alias encryptKey --keyspec 2048 --token $TOKEN
+# ./ejbca.sh ca changecatoken --caname $CA --cryptotoken $TOKEN --execute
+# ./ejbca.sh ca activateca $CA --code ecsecCATokenPass
+# ./ejbca.sh ca changecatokensignalg --caname $CA --sigalg SHA256withECDSA

docker_for-client-delivery/poseidas/Dockerfile

+FROM governikus/zulu-openjdk:8u212
+
+RUN mkdir -p /opt/poseidas
+
+ENV JAVA_OPTS=""
+
+EXPOSE 8443
+
+WORKDIR /opt/poseidas
+
+ARG JAR_FILE
+ADD ${JAR_FILE} POSeIDAS-exec.jar
+
+ENTRYPOINT exec java $JAVA_OPTS -jar /opt/poseidas/POSeIDAS-exec.jar $0 $@
+

docker_for-client-delivery/readme.md

+# Setup
+## yml anpassen (docker compose)
+## ssa-config
+
+## config erstellen poseidas
+## datenbank poseidas
+
+## Deployment
+### EJBCA key setup script

docker_for-client-delivery/sam/Dockerfile

+# use thorntial to make deployment most lightweight
+# should run in certified secure env
+FROM governikus/zulu-openjdk:8u212
+
+ADD *-thorntail.jar /opt/thorntail.jar
+
+# pck12 file for signing certificate requests
+COPY sam.docker.reqesidta.de.p12 /opt/sam.docker.reqesidta.de.p12
+
+# Prevent error "SocketException: Protocol family unavailable", see:
+# See https://www.sipmann.com/socketException-protocol-family-unavailable-java-docker-wildfly.html#.XZ8tvZxCSWg
+ENV JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true"
+
+EXPOSE 8080
+
+ENTRYPOINT exec java $JAVA_OPTS $JAVA_DEBUG -jar /opt/thorntail.jar

docker_for-client-delivery/sam/readme.md

+password for pkcs12 keystore: testtest

docker_for-client-delivery/ssa/Dockerfile

+
+# installs android platform
+ARG WILDFLY_IMAGE=jboss/wildfly:17.0.1.Final
+FROM $WILDFLY_IMAGE
+
+# we need wsdl and cert for consuming the eID SOAP service
+COPY wsdl/* /opt/jboss/
+
+# copy the needed war into the image
+COPY dist/* /opt/jboss/wildfly/standalone/deployments/
+
+# copy the config for the server into the image
+COPY config/ssa-server.conf /opt/jboss/ssa-server.conf
+
+EXPOSE 9990

docker_for-client-delivery/ssa/config/ssa-server_TEMPLATE.conf

+ssa-config {
+	sessionMaxAge: 60,
+	sessionCheckAgeInterval: 30,
+	baseUrl: "https://docker.reqesidta.de/ssa-server"
+	eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
+	samUrl: "http://sam.docker.reqesidta.de:8080"
+	caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"
+}

docker_for-client-delivery/ssa/wsdl/TR-03130eID-Server.wsdl

+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+	xmlns:tns="http://bsi.bund.de/eID/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+	xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="eID"
+	xmlns:wsp="http://www.w3.org/ns/ws-policy"
+	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+	xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+	targetNamespace="http://bsi.bund.de/eID/">
+	<wsdl:documentation>Version 2.1.2 2017-10-25
+	</wsdl:documentation>
+	<wsdl:types>
+		<xsd:schema>
+			<xsd:import schemaLocation="TR-03130eID-Server.xsd"
+				namespace="http://bsi.bund.de/eID/" />
+		</xsd:schema>
+	</wsdl:types>
+	<wsdl:message name="useIDRequest">
+		<wsdl:part name="parameters" element="tns:useIDRequest" />
+	</wsdl:message>
+	<wsdl:message name="useIDResponse">
+		<wsdl:part name="parameters" element="tns:useIDResponse" />
+	</wsdl:message>
+	<wsdl:message name="getServerInfoResponse">
+		<wsdl:part name="parameters" element="tns:getServerInfoResponse" />
+	</wsdl:message>
+	<wsdl:message name="getServerInfoRequest">
+		<wsdl:part name="parameters" element="tns:getServerInfoRequest" />
+	</wsdl:message>
+	<wsdl:message name="getResultRequest">
+		<wsdl:part name="parameters" element="tns:getResultRequest" />
+	</wsdl:message>
+	<wsdl:message name="getResultResponse">
+		<wsdl:part name="parameters" element="tns:getResultResponse" />
+	</wsdl:message>
+	<wsdl:portType name="eID">
+		<wsdl:operation name="useID">
+			<wsdl:input message="tns:useIDRequest" />
+			<wsdl:output message="tns:useIDResponse" />
+		</wsdl:operation>
+		<wsdl:operation name="getServerInfo">
+			<wsdl:input message="tns:getServerInfoRequest" />
+			<wsdl:output message="tns:getServerInfoResponse" />
+		</wsdl:operation>
+		<wsdl:operation name="getResult">
+			<wsdl:input message="tns:getResultRequest" />
+			<wsdl:output message="tns:getResultResponse" />
+		</wsdl:operation>
+	</wsdl:portType>
+	<wsp:Policy wsu:Id="SigOnly">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<!-- Transport Layer Binding was removed in Version 1.5 -->
+				<!-- Message Level -->
+				<sp:AsymmetricBinding>
+					<wsp:Policy>
+						<sp:InitiatorToken>
+							<wsp:Policy>
+								<sp:X509Token
+									sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+									<wsp:Policy>
+										<sp:RequireIssuerSerialReference />
+										<sp:WssX509V3Token10 />
+									</wsp:Policy>
+								</sp:X509Token>
+							</wsp:Policy>
+						</sp:InitiatorToken>
+						<sp:RecipientToken>
+							<wsp:Policy>
+								<sp:X509Token
+									sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+									<wsp:Policy>
+										<sp:RequireIssuerSerialReference />
+										<sp:WssX509V3Token10 />
+									</wsp:Policy>
+								</sp:X509Token>
+							</wsp:Policy>
+						</sp:RecipientToken>
+						<sp:AlgorithmSuite>
+							<wsp:Policy>
+								<sp:Basic256Sha256 />
+							</wsp:Policy>
+						</sp:AlgorithmSuite>
+						<sp:Layout>
+							<wsp:Policy>
+								<sp:Strict />
+							</wsp:Policy>
+						</sp:Layout>
+						<sp:IncludeTimestamp />
+						<sp:OnlySignEntireHeadersAndBody />
+					</wsp:Policy>
+				</sp:AsymmetricBinding>
+				<sp:Wss10>
+					<sp:Policy>
+						<sp:MustSupportRefIssuerSerial />
+					</sp:Policy>
+				</sp:Wss10>
+				<sp:SignedParts>
+					<sp:Body />
+				</sp:SignedParts>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
+	<wsdl:binding name="eIDSOAP" type="tns:eID">
+		<wsp:PolicyReference URI="#SigOnly" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="useID">
+			<soap:operation soapAction="http://bsi.bund.de/eID/useID" />
+			<wsdl:input>
+				<soap:body use="literal" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+			</wsdl:output>
+		</wsdl:operation>
+		<wsdl:operation name="getServerInfo">
+			<soap:operation soapAction="http://bsi.bund.de/eID/getServerInfo" />
+			<wsdl:input>
+				<soap:body use="literal" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+			</wsdl:output>
+		</wsdl:operation>
+		<wsdl:operation name="getResult">
+			<soap:operation soapAction="http://bsi.bund.de/eID/getResult" />
+			<wsdl:input>
+				<soap:body use="literal" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+			</wsdl:output>
+		</wsdl:operation>
+	</wsdl:binding>
+	<wsdl:service name="eID">
+		<wsdl:port name="eIDSOAP" binding="tns:eIDSOAP">
+			<soap:address location="http://www.bsi.bund.de/eid/server/2.0" />
+		</wsdl:port>
+	</wsdl:service>
+</wsdl:definitions>

docker_for-client-delivery/ssa/wsdl/TR-03130eID-Server.xsd

+<?xml version="1.0" encoding="UTF-8"?>
+<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
+	xmlns:tns="http://bsi.bund.de/eID/" xmlns:Q1="urn:oasis:names:tc:SAML:1.0:assertion"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" targetNamespace="http://bsi.bund.de/eID/"
+	elementFormDefault="qualified" attributeFormDefault="unqualified"
+	version="2.1.2 2017-10-25">
+
+    <import namespace="urn:oasis:names:tc:dss:1.0:core:schema"
+		schemaLocation="oasis-dss-core-schema-v1.0-os.xsd" />
+	<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+		schemaLocation="saml-schema-assertion-2.0.xsd" />
+	<complexType name="SessionType">
+		<sequence>
+			<element name="ID">
+				<simpleType>
+					<restriction base="hexBinary">
+						<minLength value="16" />
+					</restriction>
+				</simpleType>
+			</element>
+		</sequence>
+	</complexType>
+	<element name="useIDResponse" type="tns:useIDResponseType" />
+	<complexType name="useIDResponseType">
+		<sequence>
+			<element name="Session" type="tns:SessionType" />
+			<element name="eCardServerAddress" type="anyURI" minOccurs="0" />
+			<element name="PSK" type="tns:PreSharedKeyType" />
+			<element ref="dss:Result" />
+		</sequence>
+	</complexType>
+	<complexType name="PersonalDataType">
+		<sequence>
+			<element name="DocumentType" type="tns:DocumentType"
+				minOccurs="0" />
+			<element name="IssuingState" type="tns:ICAOCountry"
+				minOccurs="0" />
+			<element name="DateOfExpiry" type="date" minOccurs="0" />
+			<element name="GivenNames" type="string" minOccurs="0" />
+			<element name="FamilyNames" type="string" minOccurs="0" />
+			<element name="ArtisticName" type="string" minOccurs="0" />
+			<element name="AcademicTitle" type="string" minOccurs="0" />
+			<element name="DateOfBirth" type="tns:GeneralDateType"
+				minOccurs="0" />
+			<element name="PlaceOfBirth" type="tns:GeneralPlaceType"
+				minOccurs="0" />
+			<element name="Nationality" type="tns:ICAOCountry" minOccurs="0" />
+			<element name="BirthName" type="string" minOccurs="0" />
+			<element name="PlaceOfResidence" type="tns:GeneralPlaceType"
+				minOccurs="0" />
+			<element name="ResidencePermitI" type="string" minOccurs="0" />
+			<element name="RestrictedID" type="tns:RestrictedIDType"
+				minOccurs="0" />
+		</sequence>
+	</complexType>
+	<complexType name="GeneralPlaceType">
+		<choice>
+			<element name="StructuredPlace" type="tns:PlaceType" />
+			<element name="FreetextPlace" type="string" />
+			<element name="NoPlaceInfo" type="string" />
+		</choice>
+	</complexType>
+	<complexType name="PlaceType">
+		<sequence>
+			<element name="Street" type="string" minOccurs="0" />
+			<element name="City" type="string" />
+			<element name="State" type="string" minOccurs="0" />
+			<element name="Country" type="tns:ICAOCountry" />
+			<element name="ZipCode" type="string" minOccurs="0" />
+		</sequence>
+	</complexType>
+	<simpleType name="DocumentType">
+		<restriction base="string">
+			<pattern value="[A-Z ]{2}" />
+		</restriction>
+	</simpleType>
+	<simpleType name="ICAOCountry">
+		<restriction base="string">
+			<pattern value="[A-Z ]{1,3}" />
+		</restriction>
+	</simpleType>
+	<complexType name="AgeVerificationRequestType">
+		<sequence>
+			<element name="Age">
+				<simpleType>
+					<restriction base="int">
+						<minInclusive value="0" />
+					</restriction>
+				</simpleType>
+			</element>
+		</sequence>
+	</complexType>
+	<complexType name="VerificationResultType">
+		<sequence>
+			<element name="FulfilsRequest" type="boolean" />
+		</sequence>
+	</complexType>