Commit 59b50398 authored by Tobias Assmann's avatar Tobias Assmann

Create a folder for the client delivery and start preparing the deployment files there.

parent f7d2b4e4
#!/bin/bash
# deployment script for reqesidta
# michael rauh, tobias assmann
echo "fix setup first!"
exit 1
# setup env
ENV=stage
USER=tobias
HOST=localhost
DIR=/home/tobias/Projects/reqesidta/deploy
# Synchronize this directory with the target on $HOST.
# Exclude the dev files and rename the corresponding files on the server.
rsync -av --delete --progress \
--exclude 'docker-compose.yml' \
--exclude 'poseidas/config/POSeIDAS.xml' \
--exclude 'poseidas/db/poseidas.mv.db' \
--exclude 'sam/config/ssa-server.conf' \
--exclude 'deploy-to_*' \
--exclude '*.dodeploy' \
--exclude '*.dodeploy' \
./ $USER@$HOST:$DIR
ssh $USER@$HOST "mv $DIR/docker-compose_$ENV.yml $DIR/docker-compose.yml"
ssh $USER@$HOST "mv $DIR/poseidas/config/POSeIDAS_stage.xml $DIR/poseidas/config/POSeIDAS.xml"
ssh $USER@$HOST "mv $DIR/poseidas/db/poseidas_stage.mv.db $DIR/poseidas/db/poseidas.mv.db"
ssh $USER@$HOST "mv $DIR/ssa/config/ssa-server_$ENV.yml $DIR/ssa/config/ssa-server.conf"
# Restart / re-build the services
ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"
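Review bot: The rename on L31 and the exclude on L23 refer to different files — the exclude protects `sam/config/ssa-server.conf` while the mv targets `$DIR/ssa/config/ssa-server_$ENV.yml` → `ssa-server.conf`, so one of the two paths (and the `.yml`/`.conf` extension) is wrong and either the sync deletes the server-side config or the rename fails. L29 and L30 also hardcode `_stage` instead of `$ENV`, so switching ENV silently keeps the stage POSeIDAS config and database, and L25–L26 repeat the same `*.dodeploy` exclude. The script is currently inert because of the `exit 1` on L11; if it is kept next to the new template rather than deleted, quote every expansion (`"$USER@$HOST"`, `"$DIR"`) and make the renames follow ENV, e.g. `ssh "$USER@$HOST" "mv $DIR/poseidas/config/POSeIDAS_$ENV.xml $DIR/poseidas/config/POSeIDAS.xml"`.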
......@@ -2,8 +2,3 @@ tls:
certificates:
- certFile: /certs/docker.reqesidta.de.cert
keyFile: /certs/docker.reqesidta.de.key
# stores:
# default:
# defaultCertificate:
# certFile: /certs/docker.reqesidta.de.cert
# keyFile: /certs/docker.reqesidta.de.key
#!/bin/bash
#
# deployment script for reqesidta eid-server project
# michael rauh, tobias assmann
#
# This file acts as a template for creating a deploy script
# for a specific target environment. Please setup the env vars
# accourding to your needs:
#
# name of the target environment
ENV=stage
# the host of the target environment
HOST=localhost
# the user on the target environment used to copy the files there and run the project
USER=tobias
# the directory on the host of the target environment where
DIR=/home/tobias/Projects/reqesidta/deploy
#
#######################################################################################
# check for needed files
#
# check for needed commands
# local
command -v rsync >/dev/null 2>&1 || { echo >&2 "rsync is needed on locahost but it's not installed. Aborting."; exit 1; }
command -v ssh >/dev/null 2>&1 || { echo >&2 "ssh is needed on localhost but it's not installed. Aborting."; exit 1; }
# remote
ssh $USER@$HOST "command -v docker >/dev/null 2>&1" || { echo >&2 "docker is needed on $HOST but it's not installed. Aborting."; exit 1; }
ssh $USER@$HOST "command -v docker-compose >/dev/null 2>&1" || { echo >&2 "docker is needed on $HOST but it's not installed. Aborting."; exit 1; }
# synchronize this directory with the target on $HOST.
# exclude the not needed files
rsync -av --delete --progress \
--exclude 'sam/config/ssa-server_TEMPLATE.conf' \
--exclude 'docker-compose_TEMPLATE.yml' \
--exclude 'deploy-to*' \
--exclude 'readme*' \
./ $USER@$HOST:$DIR
# Restart / re-build the services
#ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"
echo "Deployment done, please wait until all services are fully running and proceed to EJBCA key setup."
exit 0;
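Review bot: The docker-compose check on L70 prints "docker is needed" when it is docker-compose that is missing; the message should name the tool actually tested: `ssh $USER@$HOST "command -v docker-compose >/dev/null 2>&1" || { echo >&2 "docker-compose is needed on $HOST but it's not installed. Aborting."; exit 1; }`. Every expansion of `$USER`, `$HOST` and `$DIR` is unquoted and the rsync on L73 runs with `--delete` against `$USER@$HOST:$DIR`, so a template filled in with an empty or mistyped DIR syncs into the wrong directory on the host and removes everything there that is not in the local tree; add `set -euo pipefail` after the shebang, assert the target with `: "${DIR:?DIR must be set}"` before the rsync, and quote the expansions (`"$USER@$HOST:$DIR"`). Since this template is meant to be copied per environment, the header comment should also say that the copy must be named `deploy-to*` so the exclude on L76 keeps it out of the delivery.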
version: "3.4"
services:
facade:
image: "traefik:v2.0"
container_name: "reqesidta_facade"
labels:
- "traefik.enable=true"
command:
--providers.docker=true
--providers.docker.exposedbydefault=false
--entryPoints.web.address=:80
--log.level=error
# change TARGET_PORT to the port your reverse proxy is facing to
ports:
- "TARGET_PORT:80"
networks:
- reqesidta_net
volumes:
- /var/run/docker.sock:/var/run/docker.sock
poseidas:
image: "reqesidta/poseidas"
container_name: "reqesidta_poseidas"
labels:
- "traefik.enable=true"
- "traefik.http.services.poseidas.loadbalancer.server.port=8443"
- "traefik.http.routers.poseidas.rule=Path(`/POSeIDAS/eidas-middleware/paosreceiver`)"
- "traefik.http.routers.poseidas.entrypoints=web"
build:
context: ./poseidas
args:
JAR_FILE: POSeIDAS-exec.jar
networks:
reqesidta_net:
aliases:
- poseidas.docker.reqesidta.de
volumes:
- ./poseidas/config:/opt/poseidas/config
- ./poseidas/db:/opt/poseidas/database
ejbca:
image: "reqesidta/ejbca"
container_name: "reqesidta_ejbca"
build:
context: ./ejbca
hostname: localhost:8444
depends_on:
- postgres
environment:
DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
DATABASE_USER: ejbca
DATABASE_PASSWORD: password
networks:
reqesidta_net:
aliases:
- ejbca.docker.reqesidta.de
postgres:
image: "postgres:11.4"
container_name: "reqesidta_postgres"
environment:
POSTGRES_USER: ejbca
POSTGRES_PASSWORD: password
networks:
- reqesidta_net
ssa:
image: "reqesidta/ssa"
container_name: "reqesidta_ssa"
labels:
- "traefik.enable=true"
- "traefik.http.services.ssa.loadbalancer.server.port=8080"
- "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
- "traefik.http.routers.ssa.entrypoints=web"
build:
context: ./ssa
depends_on:
- poseidas
- ejbca
command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
networks:
reqesidta_net:
aliases:
- ssa.docker.reqesidta.de
sam:
image: "reqesidta/sam"
container_name: "reqesidta_sam"
build:
context: ./sam
networks:
reqesidta_net:
aliases:
- sam.docker.reqesidta.de
webui:
image: "reqesidta/webui"
container_name: "reqesidta_webui"
labels:
- "traefik.enable=true"
- "traefik.http.services.webui.loadbalancer.server.port=80"
- "traefik.http.routers.webui.rule=PathPrefix(`/`)"
- "traefik.http.routers.webui.entrypoints=web"
build:
context: ./webui
networks:
reqesidta_net:
aliases:
- webui.docker.reqesidta.de
networks:
reqesidta_net:
driver: bridge
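Review bot: The facade service on L101 bind-mounts the Docker socket read-write into the internet-facing Traefik container, which makes a compromise of the proxy equivalent to root on the host; mount it `- /var/run/docker.sock:/var/run/docker.sock:ro` at minimum, or put a socket proxy in front that only allows the read-only endpoints Traefik needs. The EJBCA database credentials are hardcoded as `password` on L132 and L142 in a file that is shipped to clients as a template; take them from the environment so they are set once per installation, e.g. `DATABASE_PASSWORD: ${EJBCA_DB_PASSWORD:?}` and `POSTGRES_PASSWORD: ${EJBCA_DB_PASSWORD:?}`. `hostname: localhost:8444` on L126 is not a valid hostname (a port cannot be part of it) and will likely be rejected by the engine — check what was intended. The ssa command on L158 binds the WildFly management interface to `0.0.0.0`, making it reachable from every container on the shared bridge network; unless something in the stack uses it, `-bmanagement 127.0.0.1` keeps it local.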
FROM primekey/ejbca-ce:6.15.2.1
# Add a shell script to configure EJBCA.
COPY ejbca-config.sh /usr/local/bin/
USER root
# Replace the Organisation string with a custom one to better differentiate it
# from productions certs.
RUN sed -i "s/EJBCA Container Quickstart/EJBCA Docker dev certificate/g" \
/opt/primekey/bin/internal/after-deployed-app-create-certificate.sh
RUN chown 10001:10001 /usr/local/bin/ejbca-config.sh
RUN chmod 755 /usr/local/bin/ejbca-config.sh
USER 10001
#!/bin/sh
cd /opt/primekey/bin/ || exit
# Use the existing CA (see comment below)
CA=ManagementCA
ALIAS=ecsecCMP
CN=sam.docker.reqesidta.de
PW=testtest
# Create a CMP config
./ejbca.sh config cmp addalias $ALIAS
./ejbca.sh config cmp updatealias $ALIAS --key operationmode --value ra
./ejbca.sh config cmp updatealias $ALIAS --key authenticationmodule --value EndEntityCertificate
./ejbca.sh config cmp updatealias $ALIAS --key authenticationparameters --value $CA
./ejbca.sh config cmp updatealias $ALIAS --key allowraverifypopo --value true
./ejbca.sh config cmp updatealias $ALIAS --key ra.caname --value $CA
./ejbca.sh config cmp updatealias $ALIAS --key defaultca --value $CA
# Make script idempotent by always deleting the user first
./ejbca.sh ra delendentity -force --username $CN
# Add end entity for the server key pair
./ejbca.sh ra addendentity --username $CN --password $PW \
--dn "CN=$CN" --caname $CA --type 1 --token P12
# Add entity to admin role
./ejbca.sh roles addrolemember --role "Super Administrator Role" --caname $CA \
--with "CertificateAuthenticationToken:WITH_COMMONNAME" --value $CN
# Enable batch mode
./ejbca.sh ra setclearpwd $CN $PW
# Create p12 file (saved in p12 subfolder)
./ejbca.sh batch
# Various (currently) unused commands:
# Create a new CA. As you can't set auto-activation to true here, you will have
# to do this manually or create custom cryptotokens (see below).
# ./ejbca.sh ca init \
# --caname $CA \
# --dn "C=DE,O=ecsec GmbH,CN=ecsec Docker Root CA" \
# --tokenType soft \
# --tokenPass ecsecCATokenPass \
# --keytype ECDSA \
# --keyspec secp256r1 \
# -s SHA256withECDSA \
# -v 3650 \
# --policy null
# ./ejbca.sh cryptotoken create --autoactivate true --pin 1234 --token $TOKEN --type SoftCryptoToken
# ./ejbca.sh cryptotoken generatekey --alias signKey --keyspec secp256r1 --token $TOKEN
# ./ejbca.sh cryptotoken generatekey --alias encryptKey --keyspec 2048 --token $TOKEN
# ./ejbca.sh ca changecatoken --caname $CA --cryptotoken $TOKEN --execute
# ./ejbca.sh ca activateca $CA --code ecsecCATokenPass
# ./ejbca.sh ca changecatokensignalg --caname $CA --sigalg SHA256withECDSA
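Review bot: L221–L222 put the SAM's end entity into "Super Administrator Role", matched by common name only, so the certificate the SAM uses to sign CMP requests carries full administrative power over the CA, and any other ManagementCA certificate with CN `sam.docker.reqesidta.de` would inherit it; a dedicated role holding only the RA/CMP permissions this alias needs, matched by serial number or at least scoped to the one CA, is the least-privilege shape. The keystore password is hardcoded as `PW=testtest` on L206 and then stored in clear in EJBCA via `setclearpwd` on L224 (needed for `batch`, but it stays readable in the database afterwards); read it from the environment, `PW=${SAM_P12_PASSWORD:?SAM_P12_PASSWORD must be set}`, and consider resetting it once the P12 has been generated. `delendentity -force` on L216 gives idempotence, but as far as I can tell from the EJBCA CLI it does not revoke certificates already issued to that entity, so each re-run leaves the previous signing certificate valid; a comment stating this is acceptable for the dev CA only would save the next maintainer a surprise, and the script should `set -e` so a failed `addalias` does not fall through to the role and batch steps.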
FROM governikus/zulu-openjdk:8u212
RUN mkdir -p /opt/poseidas
ENV JAVA_OPTS=""
EXPOSE 8443
WORKDIR /opt/poseidas
ARG JAR_FILE
ADD ${JAR_FILE} POSeIDAS-exec.jar
ENTRYPOINT exec java $JAVA_OPTS -jar /opt/poseidas/POSeIDAS-exec.jar $0 $@
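Review bot: The image has no `USER` directive, so the POSeIDAS eID server runs as root inside the container; add an unprivileged account and switch to it before `ENTRYPOINT` (the base image's user-management tooling is not visible here, so the exact `adduser` form needs checking, and the `./poseidas/db` bind mount in the compose file must be writable by that user). `ADD ${JAR_FILE} POSeIDAS-exec.jar` on L252 is a plain file copy and should be `COPY ${JAR_FILE} POSeIDAS-exec.jar` — ADD only adds tar extraction and URL fetching, which are surprises here. The shell-form `ENTRYPOINT` on L253 appends `$0 $@`, but under `/bin/sh -c` `$0` is the shell's own name rather than a container argument, so the jar presumably receives a stray `sh` argument; if argument pass-through is wanted, `ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS -jar /opt/poseidas/POSeIDAS-exec.jar \"$@\"", "--"]` keeps `$JAVA_OPTS` expansion and forwards CMD arguments correctly.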
# Setup
## yml anpassen (docker compose)
## ssa-config
## config erstellen poseidas
## datenbank poseidas
## Deployment
### EJBCA key setup script
# use thorntial to make deployment most lightweight
# should run in certified secure env
FROM governikus/zulu-openjdk:8u212
ADD *-thorntail.jar /opt/thorntail.jar
# pck12 file for signing certificate requests
COPY sam.docker.reqesidta.de.p12 /opt/sam.docker.reqesidta.de.p12
# Prevent error "SocketException: Protocol family unavailable", see:
# See https://www.sipmann.com/socketException-protocol-family-unavailable-java-docker-wildfly.html#.XZ8tvZxCSWg
ENV JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true"
EXPOSE 8080
ENTRYPOINT exec java $JAVA_OPTS $JAVA_DEBUG -jar /opt/thorntail.jar
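Review bot: L266 bakes the SAM signing keystore `sam.docker.reqesidta.de.p12` into an image layer, so the private key used to sign certificate requests travels with the image wherever it is pushed or exported and cannot be rotated without a rebuild; mount it at run time instead (a read-only bind mount or a compose secret under `/opt/`) and drop the COPY. Its password appears to be committed in plaintext alongside it (`password for pkcs12 keystore: testtest`, if that note belongs to the sam folder), which together with the image makes the key usable by anyone with registry access. `ADD *-thorntail.jar /opt/thorntail.jar` on L264 should be `COPY *-thorntail.jar /opt/thorntail.jar` (the glob works the same; ADD only adds archive extraction and URL fetching), and a `USER` line is missing so Thorntail runs as root — notable given the comment on L262 that this component "should run in certified secure env".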
password for pkcs12 keystore: testtest
# installs android platform
ARG WILDFLY_IMAGE=jboss/wildfly:17.0.1.Final
FROM $WILDFLY_IMAGE
# we need wsdl and cert for consuming the eID SOAP service
COPY wsdl/* /opt/jboss/
# copy the needed war into the image
COPY dist/* /opt/jboss/wildfly/standalone/deployments/
# copy the config for the server into the image
COPY config/ssa-server.conf /opt/jboss/ssa-server.conf
EXPOSE 9990
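Review bot: `EXPOSE 9990` on L282 advertises the WildFly management port while the compose file starts the server with `-bmanagement 0.0.0.0`, so the management interface is reachable from every container on the bridge network; nothing visible adds a management user, so it presumably refuses logins, but the port should not be exposed without a concrete consumer — replace the line with `EXPOSE 8080` (the application port Traefik routes to). The comment on L273, `# installs android platform`, is unrelated to this image and should state its purpose, e.g. `# WildFly image serving the ssa-server WAR; wsdl/ and the eID server certificate are needed to consume the eID SOAP service`. L281 bakes `config/ssa-server.conf` into the image even though the deploy template treats it as per-environment configuration; a bind mount, as the compose file already does for poseidas, keeps the image environment-independent.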
ssa-config {
sessionMaxAge: 60,
sessionCheckAgeInterval: 30,
baseUrl: "https://docker.reqesidta.de/ssa-server"
eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
samUrl: "http://sam.docker.reqesidta.de:8080"
caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"
}
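Review bot: `eidUrl` on L287 addresses the eID SOAP endpoint over plain `http://` on port 8443, and `caUrl` on L289 reaches the CMP endpoint over plain HTTP as well. The bundled WSDL policy is sign-only (body signed, nothing encrypted), so if POSeIDAS really serves cleartext on 8443 the PSK returned in `useIDResponse` crosses the container network unprotected, and if it serves TLS the `http://` URL simply fails — as far as I recall TR-03130 expects TLS on this interface in addition to the message signature, so the scheme should be `https://` with the POSeIDAS certificate trusted by the ssa client, and likewise for CMP once EJBCA's TLS listener is used. `baseUrl` on L286 lacks the trailing comma the other entries carry; if this is HOCON the newline separator is accepted, but the inconsistency is easy to trip over when the template is edited. The units of `sessionMaxAge` and `sessionCheckAgeInterval` (seconds?) are not stated anywhere in this template; a comment on those lines would spare every client a guess.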
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://bsi.bund.de/eID/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="eID"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
targetNamespace="http://bsi.bund.de/eID/">
<wsdl:documentation>Version 2.1.2 2017-10-25
</wsdl:documentation>
<wsdl:types>
<xsd:schema>
<xsd:import schemaLocation="TR-03130eID-Server.xsd"
namespace="http://bsi.bund.de/eID/" />
</xsd:schema>
</wsdl:types>
<wsdl:message name="useIDRequest">
<wsdl:part name="parameters" element="tns:useIDRequest" />
</wsdl:message>
<wsdl:message name="useIDResponse">
<wsdl:part name="parameters" element="tns:useIDResponse" />
</wsdl:message>
<wsdl:message name="getServerInfoResponse">
<wsdl:part name="parameters" element="tns:getServerInfoResponse" />
</wsdl:message>
<wsdl:message name="getServerInfoRequest">
<wsdl:part name="parameters" element="tns:getServerInfoRequest" />
</wsdl:message>
<wsdl:message name="getResultRequest">
<wsdl:part name="parameters" element="tns:getResultRequest" />
</wsdl:message>
<wsdl:message name="getResultResponse">
<wsdl:part name="parameters" element="tns:getResultResponse" />
</wsdl:message>
<wsdl:portType name="eID">
<wsdl:operation name="useID">
<wsdl:input message="tns:useIDRequest" />
<wsdl:output message="tns:useIDResponse" />
</wsdl:operation>
<wsdl:operation name="getServerInfo">
<wsdl:input message="tns:getServerInfoRequest" />
<wsdl:output message="tns:getServerInfoResponse" />
</wsdl:operation>
<wsdl:operation name="getResult">
<wsdl:input message="tns:getResultRequest" />
<wsdl:output message="tns:getResultResponse" />
</wsdl:operation>
</wsdl:portType>
<wsp:Policy wsu:Id="SigOnly">
<wsp:ExactlyOne>
<wsp:All>
<!-- Transport Layer Binding was removed in Version 1.5 -->
<!-- Message Level -->
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireIssuerSerialReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireIssuerSerialReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Sha256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<sp:Policy>
<sp:MustSupportRefIssuerSerial />
</sp:Policy>
</sp:Wss10>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:binding name="eIDSOAP" type="tns:eID">
<wsp:PolicyReference URI="#SigOnly" />
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="useID">
<soap:operation soapAction="http://bsi.bund.de/eID/useID" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="getServerInfo">
<soap:operation soapAction="http://bsi.bund.de/eID/getServerInfo" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="getResult">
<soap:operation soapAction="http://bsi.bund.de/eID/getResult" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="eID">
<wsdl:port name="eIDSOAP" binding="tns:eIDSOAP">
<soap:address location="http://www.bsi.bund.de/eid/server/2.0" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
xmlns:tns="http://bsi.bund.de/eID/" xmlns:Q1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" targetNamespace="http://bsi.bund.de/eID/"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="2.1.2 2017-10-25">
<import namespace="urn:oasis:names:tc:dss:1.0:core:schema"
schemaLocation="oasis-dss-core-schema-v1.0-os.xsd" />
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
schemaLocation="saml-schema-assertion-2.0.xsd" />
<complexType name="SessionType">
<sequence>
<element name="ID">
<simpleType>
<restriction base="hexBinary">
<minLength value="16" />
</restriction>
</simpleType>
</element>
</sequence>
</complexType>
<element name="useIDResponse" type="tns:useIDResponseType" />
<complexType name="useIDResponseType">
<sequence>
<element name="Session" type="tns:SessionType" />
<element name="eCardServerAddress" type="anyURI" minOccurs="0" />
<element name="PSK" type="tns:PreSharedKeyType" />
<element ref="dss:Result" />
</sequence>
</complexType>
<complexType name="PersonalDataType">
<sequence>
<element name="DocumentType" type="tns:DocumentType"
minOccurs="0" />
<element name="IssuingState" type="tns:ICAOCountry"
minOccurs="0" />
<element name="DateOfExpiry" type="date" minOccurs="0" />
<element name="GivenNames" type="string" minOccurs="0" />
<element name="FamilyNames" type="string" minOccurs="0" />
<element name="ArtisticName" type="string" minOccurs="0" />
<element name="AcademicTitle" type="string" minOccurs="0" />
<element name="DateOfBirth" type="tns:GeneralDateType"
minOccurs="0" />
<element name="PlaceOfBirth" type="tns:GeneralPlaceType"
minOccurs="0" />
<element name="Nationality" type="tns:ICAOCountry" minOccurs="0" />
<element name="BirthName" type="string" minOccurs="0" />
<element name="PlaceOfResidence" type="tns:GeneralPlaceType"
minOccurs="0" />
<element name="ResidencePermitI" type="string" minOccurs="0" />
<element name="RestrictedID" type="tns:RestrictedIDType"
minOccurs="0" />
</sequence>
</complexType>
<complexType name="GeneralPlaceType">
<choice>
<element name="StructuredPlace" type="tns:PlaceType" />
<element name="FreetextPlace" type="string" />
<element name="NoPlaceInfo" type="string" />
</choice>
</complexType>
<complexType name="PlaceType">
<sequence>
<element name="Street" type="string" minOccurs="0" />
<element name="City" type="string" />
<element name="State" type="string" minOccurs="0" />
<element name="Country" type="tns:ICAOCountry" />
<element name="ZipCode" type="string" minOccurs="0" />
</sequence>
</complexType>
<simpleType name="DocumentType">
<restriction base="string">
<pattern value="[A-Z ]{2}" />
</restriction>
</simpleType>
<simpleType name="ICAOCountry">
<restriction base="string">
<pattern value="[A-Z ]{1,3}" />
</restriction>
</simpleType>
<complexType name="AgeVerificationRequestType">
<sequence>
<element name="Age">
<simpleType>
<restriction base="int">
<minInclusive value="0" />
</restriction>
</simpleType>
</element>
</sequence>
</complexType>
<complexType name="VerificationResultType">
<sequence>
<element name="FulfilsRequest" type="boolean" />
</sequence>
</complexType>
<element name="useIDRequest" type="tns:useIDRequestType" />
<complexType name="useIDRequestType">