Merge branch 'develop' into 'master'

Develop See merge request oec/reqesidta-prototype/eid-server!7

Merge branch 'develop' into 'master'
Develop See merge request oec/reqesidta-prototype/eid-server!7
615d2566 · Rene Lottes · a08c82df · 83f679ff · 615d2566 · 615d2566
Commit 615d2566 authored Nov 21, 2019 by Rene Lottes
--- a/.gitignore
+++ b/.gitignore
-*.jar
 target/
 packer/
 *Jenkinsfile*
@@ -10,4 +9,19 @@ packer/
 *.ipr
 .idea/

+# built stuff
 */_build
+*.jar
+*.war*
+*.tgz
+
+
+#netbeans
+*/**/nbactions.xml
+
+#eclipse
+.project
+.classpath
+.settings
+*/**/.settings
+*/**/workspace
--- a/create_client_delivery.sh
+++ b/create_client_delivery.sh
+#!/bin/bash
+#
+# script to build and pack the project as archive for delivery to client
+#
+# tobias.assmann@ecsec.de
+
+PCK_DIR=for-client-delivery
+TRG_DIR=eid-server
+TRG_ARC=eid-server.tgz
+
+echo "checking java version ..."
+command -v java 2>&1 >> /dev/null || { echo "no java found"; exit 1;}
+java -version 2>&1 | awk -F '"' '/version/ {print $2}' | grep -q 1.8 || { echo "java version is not 1.8"; exit 1;}
+
+echo "build the whole project ..."
+mvn clean install || { echo "maven build failed. please check!"; exit 1; }
+
+echo "copy builded stuff to $PCK_DIR/$TRG_DIR ..."
+cp configuration-wizard/target/configuration-wizard-1.2.0-SNAPSHOT.jar $PCK_DIR/$TRG_DIR/poseidas-configuration-wizard.jar
+cp docker/sam/sam-1.2.0-SNAPSHOT-thorntail.jar $PCK_DIR/$TRG_DIR/sam/sam-1.2.0-SNAPSHOT-thorntail.jar
+cp docker/ssa/dist/ssa-server.war $PCK_DIR/$TRG_DIR/ssa/dist/ssa-server.war
+
+echo "archiving $PCK_DIR/$TRG_DIR to $PCK_DIR/$TRG_ARC ..."
+cd $PCK_DIR
+test -f $TRG_ARC && rm $TRG_ARC
+tar -cvzf $TRG_ARC $TRG_DIR
+cd ..
+
+echo "done"
+
+exit 0
--- a/docker/deploy-to_vserver-001.sh
+++ b/docker/deploy-to_vserver-001.sh
+#!/bin/bash
+
+# Synchronize this directory with the target on vserver-001.ecsec.de.
+# Exclude the dev files and rename the corresponding files on the server.
+rsync -av --delete --progress \
+	--exclude 'docker-compose.yml' \
+	--exclude 'poseidas/config/POSeIDAS.xml' \
+	--exclude 'poseidas/db/poseidas.mv.db' \
+	--exclude 'deploy-to_*.sh' \
+	--exclude '*.dodeploy' \
+	--exclude '*.dodeploy' \
+	./ reqesidta@vserver-001.ecsec.de:/home/reqesidta/docker/
+
+ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/docker-compose_vserver-001.yml /home/reqesidta/docker/docker-compose.yml"
+ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/poseidas/config/POSeIDAS_vserver-001.xml /home/reqesidta/docker/poseidas/config/POSeIDAS.xml"
+ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/poseidas/db/poseidas_vserver-001.mv.db /home/reqesidta/docker/poseidas/db/poseidas.mv.db"
+ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/ssa/config/ssa-server_vserver-001.conf /home/reqesidta/docker/ssa/config/ssa-server.conf"
+
+# Restart / re-build the services
+ssh reqesidta@vserver-001.ecsec.de "cd /home/reqesidta/docker && docker-compose up -d --build"
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
 ---
-version: "3.3"
-
-networks:
-  reqesidta_net:
-    driver: bridge
+version: "3.4"

 services:
+  facade:
+    image: "reqesidta/facade"
+    container_name: "reqesidta_facade"
+    labels:
+      - "traefik.enable=true"
+      # catchall and the middleware used for global http to http redirect
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+    build:
+      context: ./facade
+    command:
+      --providers.docker=true
+      --providers.file.filename=/etc/traefik/traefik-dyn.yml
+      --providers.docker.exposedbydefault=false
+      --entryPoints.web.address=:80
+      --entryPoints.web-secure.address=:443
+      --entryPoints.traefik.address=:8080
+      --api.insecure=true
+      --log.level=debug
+    ports:
+      - "80:80"
+      - "443:443"
+      # The Web UI (enabled by --api.insecure=true) remove for prod!
+      # see http://localhost:8080/dashboard/
+      - "8080:8080"
+    networks:
+      - reqesidta_net
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+
  poseidas:
    image: "reqesidta/poseidas"
    container_name: "reqesidta_poseidas"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.poseidas.loadbalancer.server.port=8443"
+      - "traefik.http.routers.poseidas.rule=Path(`/POSeIDAS/eidas-middleware/paosreceiver`)"
+      - "traefik.http.routers.poseidas.entrypoints=web-secure"
+      - "traefik.http.routers.poseidas.tls=true"
    build:
      context: ./poseidas
      args:
        JAR_FILE: POSeIDAS-exec.jar
-    networks:
-      reqesidta_net:
-        aliases:
-          - poseidas.docker.reqesidta.de
    environment:
      - JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
    ports:
      - "127.0.0.1:8443:8443"
-      - "127.0.0.1:5005:5005"
+      - "127.0.0.1:5005:5005" # Java Debug Port remove for prod!
+    networks:
+      reqesidta_net:
+        aliases:
+          - poseidas.docker.reqesidta.de
    volumes:
      - ./poseidas/config:/opt/poseidas/config
-      - eidas-database:/opt/poseidas/database
+      - ./poseidas/db:/opt/poseidas/database

  ejbca:
    image: "reqesidta/ejbca"
@@ -34,16 +69,14 @@ services:
    # Has to be 'localhost:port' where port matches the host port below,
    # because EJBCA creates a TLS certificate with the corresponding CN.
    hostname: localhost:8444
-    networks:
-      reqesidta_net:
-        aliases:
-          - ejbca.docker.reqesidta.de
    ports:
      - "127.0.0.1:8444:8443"
+      - "127.0.0.1:8081:8080"
    depends_on:
      - postgres
-    links:
-      - postgres
+    # DEPRECATED
+    # links:
+    #  - postgres
    environment:
      # Format: jdbc:postgresql://hostname:port/database
      DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
@@ -51,36 +84,84 @@ services:
      DATABASE_PASSWORD: password
      # Disable the need for a client certificate. Doesn't work, see readme.
      # TLS_SETUP_ENABLED: simple
+    networks:
+      reqesidta_net:
+        aliases:
+          - ejbca.docker.reqesidta.de

  postgres:
    image: "postgres:11.4"
    container_name: "reqesidta_postgres"
-    networks:
-      - reqesidta_net
    ports:
-      # Only for debugging purposes
+      # Only for debugging purposes remove for prod!
      - "127.0.0.1:5433:5432"
    environment:
      POSTGRES_USER: ejbca
      POSTGRES_PASSWORD: password
-
-  webserver:
-    container_name: "reqesidta_webserver"
-    build:
-      context: ./webserver
    networks:
      - reqesidta_net
+
+  ssa:
+    image: "reqesidta/ssa"
+    container_name: "reqesidta_ssa"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.ssa.loadbalancer.server.port=8080"
+      - "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
+      - "traefik.http.routers.ssa.entrypoints=web-secure"
+      - "traefik.http.routers.ssa.tls=true"
+    build:
+      context: ./ssa
    depends_on:
      - poseidas
      - ejbca
    command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 --debug 0.0.0.0:9797
    ports:
      - "127.0.0.1:28080:8080"
-      - "127.0.0.1:29990:9990"
-      - "127.0.0.1:9797:9797"
+      #- "127.0.0.1:29990:9990"
+      - "127.0.0.1:9797:9797" # Java Debug Port, remove for prod!
+    volumes:
+      - ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
+    networks:
+      reqesidta_net:
+        aliases:
+          - ssa.docker.reqesidta.de
+
+  sam:
+    image: "reqesidta/sam"
+    container_name: "reqesidta_sam"
+    build:
+      context: ./sam
+    ports:
+      - "127.0.0.1:38080:8080"
+      - "127.0.0.1:9798:5005" # Java Debug Port, remove for prod!
+    environment:
+      JAVA_DEBUG: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 # remove for prod!
+    networks:
+      reqesidta_net:
+        aliases:
+          - sam.docker.reqesidta.de
+
+  webui:
+    image: "reqesidta/webui"
+    container_name: "reqesidta_web-ui"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.webui.loadbalancer.server.port=80"
+      - "traefik.http.routers.webui.rule=PathPrefix(`/`)"
+      - "traefik.http.routers.webui.entrypoints=web-secure"
+      - "traefik.http.routers.webui.tls=true"
+    build:
+      context: ./web-ui
+    ports:
+      - "127.0.0.1:48080:80"
    volumes:
-      - ./webserver/dist:/opt/jboss/wildfly/standalone/deployments/:rw
+      - ./web-ui/www-data://usr/local/apache2/htdocs/:rw
+    networks:
+      reqesidta_net:
+        aliases:
+          - webui.docker.reqesidta.de

-volumes:
-  eidas-database:
-    external: false
+networks:
+  reqesidta_net:
+    driver: bridge
--- a/docker/docker-compose_vserver-001.yml
+++ b/docker/docker-compose_vserver-001.yml
+---
+version: "3.4"
+
+services:
+  facade:
+    image: "reqesidta/facade"
+    container_name: "reqesidta_facade"
+    labels:
+      - "traefik.enable=true"
+    build:
+      context: ./facade
+    command:
+      --providers.docker=true
+      --providers.docker.exposedbydefault=false
+      --entryPoints.web.address=:80
+      --log.level=debug
+    ports:
+      - "50080:80"
+    networks:
+      - reqesidta_net
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  poseidas:
+    image: "reqesidta/poseidas"
+    container_name: "reqesidta_poseidas"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.poseidas.loadbalancer.server.port=8443"
+      - "traefik.http.routers.poseidas.rule=Path(`/POSeIDAS/eidas-middleware/paosreceiver`)"
+      - "traefik.http.routers.poseidas.entrypoints=web"
+    build:
+      context: ./poseidas
+      args:
+        JAR_FILE: POSeIDAS-exec.jar
+    # ports:
+    #   - "127.0.0.1:8443:8443"
+    networks:
+      reqesidta_net:
+        aliases:
+          - poseidas.docker.reqesidta.de
+    volumes:
+      - ./poseidas/config:/opt/poseidas/config
+      - ./poseidas/db:/opt/poseidas/database
+
+  ejbca:
+    image: "reqesidta/ejbca"
+    container_name: "reqesidta_ejbca"
+    build:
+      context: ./ejbca
+    hostname: localhost:8444
+    # ports:
+    #   - "127.0.0.1:8444:8443"
+    depends_on:
+      - postgres
+    environment:
+      DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
+      DATABASE_USER: ejbca
+      DATABASE_PASSWORD: password
+    networks:
+      reqesidta_net:
+        aliases:
+          - ejbca.docker.reqesidta.de
+
+  postgres:
+    image: "postgres:11.4"
+    container_name: "reqesidta_postgres"
+    environment:
+      POSTGRES_USER: ejbca
+      POSTGRES_PASSWORD: password
+    networks:
+      - reqesidta_net
+
+  ssa:
+    image: "reqesidta/ssa"
+    container_name: "reqesidta_ssa"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.ssa.loadbalancer.server.port=8080"
+      - "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
+      - "traefik.http.routers.ssa.entrypoints=web"
+    build:
+      context: ./ssa
+    depends_on:
+      - poseidas
+      - ejbca
+    command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
+    # ports:
+    #   - "127.0.0.1:28080:8080"
+    # volumes:
+    #   - ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
+    networks:
+      reqesidta_net:
+        aliases:
+          - ssa.docker.reqesidta.de
+
+  sam:
+    image: "reqesidta/sam"
+    container_name: "reqesidta_sam"
+    build:
+      context: ./sam
+    # ports:
+    #   - "127.0.0.1:38080:8080"
+    networks:
+      reqesidta_net:
+        aliases:
+          - sam.docker.reqesidta.de
+  
+  webui:
+    image: "reqesidta/webui"
+    container_name: "reqesidta_web-ui"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.webui.loadbalancer.server.port=80"
+      - "traefik.http.routers.webui.rule=PathPrefix(`/`)"
+      - "traefik.http.routers.webui.entrypoints=web"
+    build:
+      context: ./web-ui
+    ports:
+      - "127.0.0.1:48080:80"
+    networks:
+      reqesidta_net:
+        aliases:
+          - webui.docker.reqesidta.de
+
+networks:
+  reqesidta_net:
+    driver: bridge
--- a/docker/ejbca/ejbca-config.sh
+++ b/docker/ejbca/ejbca-config.sh
 #!/bin/sh

-cd /opt/primekey/bin/
+cd /opt/primekey/bin/ || exit

 # Use the existing CA (see comment below)
 CA=ManagementCA
 ALIAS=ecsecCMP
+CN=sam.docker.reqesidta.de
+PW=testtest

 # Create a CMP config
 ./ejbca.sh config cmp addalias $ALIAS

 ./ejbca.sh config cmp updatealias $ALIAS --key operationmode --value ra

-./ejbca.sh config cmp updatealias $ALIAS --key authenticationmodule --value HMAC
-./ejbca.sh config cmp updatealias $ALIAS --key authenticationparameters --value testtest
+./ejbca.sh config cmp updatealias $ALIAS --key authenticationmodule --value EndEntityCertificate
+./ejbca.sh config cmp updatealias $ALIAS --key authenticationparameters --value $CA

 ./ejbca.sh config cmp updatealias $ALIAS --key allowraverifypopo --value true

 ./ejbca.sh config cmp updatealias $ALIAS --key ra.caname --value $CA
 ./ejbca.sh config cmp updatealias $ALIAS --key defaultca --value $CA

+# Make script idempotent by always deleting the user first
+./ejbca.sh ra delendentity -force --username $CN
+
+# Add end entity for the server key pair
+./ejbca.sh ra addendentity --username $CN --password $PW \
+  --dn "CN=$CN" --caname $CA --type 1 --token P12
+
+# Add entity to admin role
+./ejbca.sh roles addrolemember --role "Super Administrator Role" --caname $CA \
+  --with "CertificateAuthenticationToken:WITH_COMMONNAME" --value $CN
+
+# Enable batch mode
+./ejbca.sh ra setclearpwd $CN $PW
+
+# Create p12 file (saved in p12 subfolder)
+./ejbca.sh batch
+
 # Various (currently) unused commands:

 # Create a new CA. As you can't set auto-activation to true here, you will have

--- a/docker/facade/Dockerfile
+++ b/docker/facade/Dockerfile
+# facade for reqesidta
+FROM traefik:v2.0
+
+# needed stuff for tls
+# see also docker-compose.yml
+COPY docker.reqesidta.de.* /certs/
+COPY traefik-dyn.yml /etc/traefik/
--- a/docker/facade/docker.reqesidta.de.cert
+++ b/docker/facade/docker.reqesidta.de.cert
+-----BEGIN CERTIFICATE-----
+MIIFHTCCAwWgAwIBAgIUZZUID13TrpYE3dnBHTvHPBrA8uowDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTZG9ja2VyLnJlcWVzaWR0YS5kZTAeFw0xOTEwMjMxMTQ4
+NTlaFw0yMTEwMjIxMTQ4NTlaMB4xHDAaBgNVBAMME2RvY2tlci5yZXFlc2lkdGEu
+ZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC1FxJXoFME26/1WIOD
+9qBYEheMq8+LTBiwDn/ocf7MK4tQoYBaVmtoTUz+On9enS3+6OrdlkgYS9UIB2Xg
+tmHL8zSIHtanbA6+sFDPoAEzsyrLqxN9gTQhXaonKBtqb6yYGsMWM7HsOIkgRyMB
+lq3Zq0F3AEpNzUtQrNja7+YDenkJncHCGr43BNk2RgwskdCWrVsyqkQmTYPO9z92
+CP0HKtbUhpAFxPFABPea02b/kUqykm9vSFZVtDSnDOI+LKoZyMtRTwUn5xd72Wrk
+rRXN4Dz+fY4PuwCfMV87kOTTiegFAHuZuMzuvg8fBKpzK8/LWoa/bk+Qt/Cpspvd
+C9/6SMbMaHinW8NhckL+OuBYDLWgDzCdJ3mMmaulpBbRQ9kxvLAWfcEoWuS5z+WD
+Id61BZMTvQW8aCMppHb6tu/EQAVnRtPDKyvyyZ4hMPc/xP4gJxlNPQQj0r2U1RyD
+fCH7eBXoTuXWE9JFmjggTF8QJ9ZKXM2dI8cwAcjIjvz36r+TkHxSM9HdXuLonjms
+CqTetwc/Ce/wC1+lCLIvxMnDED5glyZwAtKPmgaYIRGBjg4HS+8v/CEJ4PnBQwAD
+GyVEj4VQCjOi3ngPdismrbE/TY3dkmSFfMHTrmFQppyXJ8Pa1Y9/b8wlRVEN3bxU
+L25z9cpFvTdWPYXdsHrOiStC4wIDAQABo1MwUTAdBgNVHQ4EFgQU+cf0+g9VD59p
+LZ2C5XVk1KRloXEwHwYDVR0jBBgwFoAU+cf0+g9VD59pLZ2C5XVk1KRloXEwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAfdEXugT44mvgHnyt9wzd
+t/bpOPYTUvbIF12UiYBuXVTvU9nJToTi0xJ2YhlHqnI9lwhFLsxPivZ1Pa/NsasE
+Ln54ZiLO8NLxOQxAsHFNXHzS3pHQttAbT/kQwR6mpaXaeoRDq9LFPrvp3OkQ/Hpc
+3x7lbYoB2xCO3QNtmOMtmWRbkbBqL8h4kAoKKAkz94japEB50tXPf6mcprVh5jq
+Fw8AOpzGe1KWzA5V3xlWGlDyGxRHTeUQUmGudgAWnBKO8Y7+LMzSZ8QfUDgKNQm8
+hxWYmm/M+2WUxN19z9FZAeXsDeePgkjf7foZ7QRni/edZYOnxNt0LvgihUjg78uA
+4poCkk5PRfcVOc3Rrz1oYtFa8bKDFrahTGv+ycVeh0oyj2SLFA8RUOoYCYCxW2yb
+p3C3Dob4nUP+JUKSDtkbs5O3b8I7TXbEzG1HRHj9vE0eniLJspAxxM56cMQbj9xs
+0NRhtGNSnkV862iXQcoTqmttMRbir3hKaN+T+requdpRa3aME7GO8BxjegUTMd6u
+DUfZhLst8lpQWOSLua2sB09RCchV/SqP/yphWD42Vkd1obSiLDJWlZpmtTDRD8yI
+en//S06mYagA93yuu9JFUwp35iVdVc6R3EAJf/oZSwLOn4S0vVXsVMG+4KQudXna
+Q9NVFxPpHUvcgC4Geyx362k=
+-----END CERTIFICATE-----
--- a/docker/facade/docker.reqesidta.de.key
+++ b/docker/facade/docker.reqesidta.de.key
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC1FxJXoFME26/1
+WIOD9qBYEheMq8+LTBiwDn/ocf7MK4tQoYBaVmtoTUz+On9enS3+6OrdlkgYS9UI
+B2XgtmHL8zSIHtanbA6+sFDPoAEzsyrLqxN9gTQhXaonKBtqb6yYGsMWM7HsOIkg
+RyMBlq3Zq0F3AEpNzUtQrNja7+YDenkJncHCGr43BNk2RgwskdCWrVsyqkQmTYPO
+9z92CP0HKtbUhpAFxPFABPea02b/kUqykm9vSFZVtDSnDOI+LKoZyMtRTwUn5xd7
+2WrkrRXN4Dz+fY4PuwCfMV87kOTTiegFAHuZuMzuvg8fBKpzK8/LWoa/bk+Qt/Cp
+spvdC9/6SMbMaHinW8NhckL+OuBYDLWgDzCdJ3mMmaulpBbRQ9kxvLAWfcEoWuS5
+z+WDId61BZMTvQW8aCMppHb6tu/EQAVnRtPDKyvyyZ4hMPc/xP4gJxlNPQQj0r2U
+1RyDfCH7eBXoTuXWE9JFmjggTF8QJ9ZKXM2dI8cwAcjIjvz36r+TkHxSM9HdXuLo
+njmsCqTetwc/Ce/wC1+lCLIvxMnDED5glyZwAtKPmgaYIRGBjg4HS+8v/CEJ4PnB
+QwADGyVEj4VQCjOi3ngPdismrbE/TY3dkmSFfMHTrmFQppyXJ8Pa1Y9/b8wlRVEN
+3bxUL25z9cpFvTdWPYXdsHrOiStC4wIDAQABAoICAGJboa7OeckNuci8xtIKRpUP
+XpMdTqEON+qINZj/MbGbhRPKZHisr7H7KnJ7O2scXDs0Lz0jvwzTQ2YU/pTK+ttX
+wZSdi2FsI6YXBg1/jqeSDRCKXw+v+ayVvzF9a0aoWUpUXtnUQjNXkcNiX/Ug7lRn
+3CrSkYkolFvBRhfEbV4+SzeZ4/+VnvMrQv9jlIEwwebVSc9/A3z6ZTkoueNWhng6
+IG1WmStJCPAIwqPpZuww8i2Ds9rxo1Lxihehu9ChWdKfaS9EiDxgHDU8pf6GtG0Z
+ocPkvWgUHomyt8DmAX9xXPSC1A3O7gAqx3h3uKnTTnadY3MUJL+FU1WoamyJXhV
+wIX1smQAOQk7yM7NhMDzVKS1cYCB6TaJoOVrHuLeBFkkNEKoNx2wyg7XVxvCg2r5
+yX1MwfdVv/B4nnRPvQGA0ANAYoZfrufuD4sh5FD9x7J+MOa6yp8vA/xyv8vucGMz
+N6yrgQ3c+Om8tcyw4pvINE3k5FxI7Z7bHr0/UXPhUzRlxNithWVrtN84IBpWv2Sg
+meiugspttVOn5GGUga2hQ6pdVJ0tNwHjgA/xjrr/WMk97uMZYOs7LxS96Wy96LCe
+eGFXpb2WQGAwjv/lCqnbY/UOxcutJI9taRXHND8lJeFq8jjDJtrrDI5ZYC5FuoOa
+slZOpgL0Sgco+/o/tGZhAoIBAQDeqCV6qvATTAstlXS7Sa/tDYoQC95TQZONWrOI
+sr0TwyFzOA/CtCfX4Nbwf93GDWD0+hEOgDRFGjYSQrgKJsYd9E6enBMiHfgsUVSp
+B8ZEj2kMf92JqqFoH6huWhxVmWSPqzEImz6avzfZ+X44fSMS0hOE7MjlNUTUskCa
+PQaUrowmUwGx6mdRwlfCk4ALQNhc3xd3wH7wuK6SgfpcpI2SDddCUWIhQnyS9ZKf
+4eLqWbO+vQ7OGU0+dMntfaUp8DgyN9MVD8eQ1AimvpPpppgQ9sJv5rj0brpyxFPp
+11SWyU2MzNYPafVydAwPk6/8nQpi9MSAizkVzOVt/ELFuDhfAoIBAQDQNWi31WnS
+oMBbKMHsTaCsHaD01DY3p52MODZ1Opxk91FErvOCvY/UvqzAV9gXrIY57tRvwbZW
+0j+2zcjjJVOlJfscOSKKwc5VrFryjQqAoP+c1Utepij3nH0q3Tk4zGkzE3cv3ogu
+1bstXL4Mhext0gdtG03zEiorz48/hnix7VD+kBUWAw57LKCHbGOzB6hXO62m/OQV
+VP61iJmRboV5O3h+z6DA8HrcBEC5jPcrkuUCE4rly6M7i3B3RDXnKDqKv2/ILvOy
+r6GK71/2ZQxIBs5dL1U+BFvB5SuRhM3vClOg70giGupWRqjBto2LgHr/cf3Zibm4
+CnivGNSTY5P9AoIBABNsTaCuyrSUPKFkWUOBQRSHytRthJ50qP96uxCgrvfLXN6l
+NFLCznr5hSaDsP/26M9WBSjjrCufBrp/EXjpOv0f87/IU671OFH9YkpAgF44uGw7
+t0KsHNptcI7302LwN6KEx4k9qa9sIN4l8onQ+L9KjiNZWIkOJYv8ZMBPtIRB2b36
+Hbq8fPjX4Dn8Df5tULKBT5XFuA0dvzTOm917CVKFXJLPcKUAHMfhHkJOPTI+Uvy/
+l0wJTwC0xWyvOjo3V1+iGQrMTpdmt757/4ExZDCOphWG5fmEs0URtVQ/0YQ52UcA
+E2hS0POEBg1Rz9dUh7RsL7wa6Qbq0dTPXa/LyzcCggEAKLJn15cFakA1mRvsW84I
+m9vmvDRGrLY8m03Zhyx/qVSWNACmZGW9GW5zwdzpxibYzbYbHAUXKP1LquWqYIvJ
+P7yeyrN4Rvr+48wess5SwTW3AObIJqX/1/ZkmN5I8wsxfORPJbIvmEf6oDFCjJwY
+zJaDERaHM/3W9F1LuLUGHnEupbNwC69pQzZD4nSTQEk85GAr3zoLMwg8CSu8KKsb
+t8iiEtduqofW2+6Q4DPnlELQNImxWp1lOJxWzVkt2BMK7lfg95YF2GVwBAIqFbVG
+o0WBTMGVvduIO+wZigYVYqX4FrrutIviRh7lmYefPydL42ZaogzDmm+hi0glNPH/
+2QKCAQBQwzW2M4I3OL4HvCSyqDcw9VoWtjEsNF9Ajh3g+tVF+oyS2R57RiQWI7Gw
+GIIuYmtP3WYlL2g6pYIiy5SX7fZYBa7mxWrt8sMQ2BuxIqYK0sSO/RFOKePrUOiO
+cm+q9MzOVrgZwjgM5NQGpU9HGp68tWe/U3SFrmQbwqQX7Sj7BXlyxpQfFvN0MdUB
+TgMCKNJgFToCmF4yma7fgN0UBsNK3oibxlH3p9BIDxq1o6rejTkR8lR4jStyHD26
+691V3Y4ACS9K/GX+lOIwc/iRni3UTKFlBE/VQoyTamahDPspe69iXyoN/BLhagHz
+zdr/HFODIyfEKzEpfTbTIDSFcSSn
+-----END PRIVATE KEY-----
--- a/docker/facade/docker.reqesidta.de.p12
+++ b/docker/facade/docker.reqesidta.de.p12
--- a/docker/facade/traefik-dyn.yml
+++ b/docker/facade/traefik-dyn.yml
+tls:
+  certificates:
+    - certFile: /certs/docker.reqesidta.de.cert
+      keyFile: /certs/docker.reqesidta.de.key
--- a/docker/poseidas/config/POSeIDAS.xml
+++ b/docker/poseidas/config/POSeIDAS.xml
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <CoreConfiguration xmlns="http:/www.bos_bremen.de/2009/06/eID-Server-CoreConfig">
-  <ServerUrl>https://localhost:8443/eidas-middleware</ServerUrl>
+  <ServerUrl>https://docker.reqesidta.de/POSeIDAS/eidas-middleware</ServerUrl>
  <sessionManagerUsesDatabase>true</sessionManagerUsesDatabase>
  <sessionMaxPendingRequests>500</sessionMaxPendingRequests>
  <TimerConfiguration>
@@ -9,8 +9,9 @@
    <masterAndDefectListRenewal length="2" unit="11"/>
  </TimerConfiguration>
  <ServiceProvider entityID="providerA" enabled="true">
-    <EPAConnectorConfiguration updateCVC="true">
-      <CVCRefID>providerA</CVCRefID>
+    <EPAConnectorConfiguration updateCVC="false">
+      <!-- refID of the devDB from 001-->
+      <CVCRefID>ecsec</CVCRefID>
      <PkiConnectorConfiguration>
        <!-- At least the certificates for blacklist, master and defectList have to be EC -->
        <blackListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</blackListTrustAnchor>
@@ -35,8 +36,9 @@
          <url>https://dev.governikus-eid.de:9444/gov_dvca/certDesc-service</url>
        </dvcaCertDescriptionService>
      </PkiConnectorConfiguration>
-      <PaosReceiverURL>https://localhost:8443/eidas-middleware/paosreceiver</PaosReceiverURL>
+      <PaosReceiverURL>https://docker.reqesidta.de/POSeIDAS/eidas-middleware/paosreceiver</PaosReceiverURL>
      <hoursRefreshCVCBeforeExpires>48</hoursRefreshCVCBeforeExpires>
    </EPAConnectorConfiguration>
  </ServiceProvider>
+  <SAMConfig url="http://reqesidta_sam:8080/"></SAMConfig>
 </CoreConfiguration>
--- a/docker/poseidas/config/POSeIDAS_vserver-001.xml
+++ b/docker/poseidas/config/POSeIDAS_vserver-001.xml
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<CoreConfiguration xmlns="http:/www.bos_bremen.de/2009/06/eID-Server-CoreConfig">
+  <ServerUrl>https://reqesidta.openecard.org/POSeIDAS/eidas-middleware</ServerUrl>
+  <sessionManagerUsesDatabase>true</sessionManagerUsesDatabase>
+  <sessionMaxPendingRequests>500</sessionMaxPendingRequests>
+  <TimerConfiguration>
+    <certRenewal length="2" unit="11"/>
+    <blacklistRenewal length="2" unit="11"/>
+    <masterAndDefectListRenewal length="2" unit="11"/>
+  </TimerConfiguration>
+  <ServiceProvider entityID="providerA" enabled="true">
+    <EPAConnectorConfiguration updateCVC="false">
+      <!-- refID of the devDB from 001-->
+      <CVCRefID>ecsec</CVCRefID>
+      <PkiConnectorConfiguration>
+        <!-- At least the certificates for blacklist, master and defectList have to be EC -->
+        <blackListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</blackListTrustAnchor>
+        <masterListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</masterListTrustAnchor>
+        <defectListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</defectListTrustAnchor>
+        <policyImplementationId>govDvca</policyImplementationId>
+        <sslKeys id="default">
+          <serverCertificate>MIIEiDCCA3CgAwIBAgIDJlN5MA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNVBAYTAkRFMRUwEwYDVQQKEwxELVRydXN0IEdtYkgxLjAsBgNVBAMTJUQtVFJVU1QgTGltaXRlZCBCYXNpYyBFQUMgQ0EgMS0xIDIwMTgwHhcNMTkwNDA0MTAyNDI3WhcNMjMwNDA0MTAyNDI3WjBTMQswCQYDVQQGEwJERTEUMBIGA1UEChMLRUFDIFN5c3RlbWUxHTAbBgNVBAMTFGJlcmNhLXAxLmQtdHJ1c3QubmV0MQ8wDQYDVQQIEwZCZXJsaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXQ4WEJtKZZUIRmplenLmNVlLg2cJMVZ0xT/FsUrUWk/JXH2C4LAxlsnx/tv9rxKYXZUi2oVhz43jEPiMsXZxVUo4n8mpH6I1vqvxiwR8rgxtsPiTOf+iUeVLYIXp24WLGXV80hWy+WSOL7rFO+TgQHoFv2MU7tzvmdnLeeTUJxfpU1Ac1JYkvq0jcU8LXVoRKfC+v8VMQ8zfmGu1ZnYOGyUyWcSjNRkXjchGMNc4ADDBTFIRBUCthjb9RuVc4HV3Cm6XholZGzxAIG8O3ybmWMdxyav/wcadnLumcgD7r5qE5KH0yIo3RaO6HAN5f/W9Vzr9JjCHGAh1PWogL/SddAgMBAAGjggFiMIIBXjATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU6ejGLsU+zo1cc+1gRpXM/H/i8HUwFgYDVR0gBA8wDTALBgkqghQAUAeDdAowHwYDVR0jBBgwFoAUswxYrf8CYVl4gE/vvK5G8oYbv2kwDgYDVR0PAQH/BAQDAgWgMIHeBgNVHR8EgdYwgdMwgdCggc2ggcqGgYFsZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBMaW1pdGVkJTIwQmFzaWMlMjBFQUMlMjBDQSUyMDEtMSUyMDIwMTgsTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3SGRGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfbGltaXRlZF9iYXNpY19lYWNfY2FfMS0xXzIwMTguY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCkszC7hGOQIekspM6l5KPDzKMEWmjQjTJ4BnlejcVNQxUZR8KPZa0bB1yeEcVPTcmi6LQQOlHMYvVfo6tZ2SoXQ9Sbo5uh9TaDTcohcmwCBasy5Wrgaq1AqxgKG4Pgd92pHBCm1uMekBVqA8j+HOSk7ig0+fTx2vtttI6rTK2fk5Z9QOqOirh6pBh2sSah1txfjWUVVTM/LZrTmPuyfBRrGOqCb5H/wrEffxgcxoCNcd3kIm11n67GoBDagBrhOl8sL2Dj2hNET+WlrQCZitJmB91fBrucZdIndWfzf0ShWhWZnNKqKUuRuX6vHq4G8/xyK9v3VP5S4JQpO/haodxI</serverCertificate>
+          <clientCertificate>MIICqDCCAZCgAwIBAgIEWrTFLjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtkdmNhX2NsaWVudDAeFw0xODAzMjMwOTEzMThaFw0yODAzMjMwOTEzMThaMBYxFDASBgNVBAMMC2R2Y2FfY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz5fB2RlgtG7cS225RTz6FixoSGKKdESdZTaGM2/fgYAYlXRa3SR8rhxLq5sbZmCjmXU5aPe9yOO9Qavx8YC5kTi1gIc4b+zVU2/Vr/XZGwjloUU3bqVCgIWhaqc3EvkznaSsv3YbBSeS9QlXDJkGVT+qp9RA4g2X47auAD2k6XRprgXXoubimGfIpswssIbPgEWPw2UbBnuhCFRHD0Yg1Y2oLTwK9Z1IaNp+7dvgt8Pskfs9alPB24x+0fiBc5BXUzKSCLGweITGkQKhTOXCmZDO67aEbCdlcpmCQJuZpS++AliFMgr12axBM225uf4wvmtCyxI9jP1HdzTus8+1twIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQByup3Q2+oHAefbkEW2R3mOc3E7wl3VqRBniN6hJ0kdzVYsbIsnf15O+moh6Yr5iBdKj7JGyKwVR9HOihdyGv8g3LuId9weiaHl/It0z5g5VFKdVJ0ziYpGFmbx5x2ikJDL+oAYvjqIJhIEtsYkDGtnWtUIp+Kq4hffg/z/1GTMVpXCWw//vnE7m0ps8QiwSNTA+iFHvrQMLIU/Vz1B0xzKvrcbb8JYPKYJsQlMYYBEsB1QUZM134ThctnsCOj9Zxbycwi1z5XnlqaQLGXut1juciXtm5TD5vP5FlBiaMEOlC/ngxDVAYbs3ln6K+JrQtd2Lp2rJN6HK3hBM3VmZwGS</clientCertificate>
+          <clientKey>MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPl8HZGWC0btxLbblFPPoWLGhIYop0RJ1lNoYzb9+BgBiVdFrdJHyuHEurmxtmYKOZdTlo973I471Bq/HxgLmROLWAhzhv7NVTb9Wv9dkbCOWhRTdupUKAhaFqpzcS+TOdpKy/dhsFJ5L1CVcMmQZVP6qn1EDiDZfjtq4APaTpdGmuBdei5uKYZ8imzCywhs+ARY/DZRsGe6EIVEcPRiDVjagtPAr1nUho2n7t2+C3w+yR+z1qU8HbjH7R+IFzkFdTMpIIsbB4hMaRAqFM5cKZkM7rtoRsJ2VymYJAm5mlL74CWIUyCvXZrEEzbbm5/jC+a0LLEj2M/Ud3NO6zz7W3AgMBAAECggEADd7IaMkyy8DP1EmyWXzKWDqYWc8dDB6yMNs0mpw3dU90lQvPWbuV3wuXR2cs11Qj/4gJvB3iyYOPQiOLHgU+oNmGpbNN4zXnnP8PFTDaft1t0QQvFiP8Q6+/X2u+bh9GF8WIdfRzYrlIWY9JsyxISYrgS/1ju8GHwVhpMNftkbGC4Zn5WnjidImG4aWz20q3GiOqirzayIJZny6a9ch4FuDi+4meuc9qAtGR6xpkRAfxirdYDSgS3P/+Y+0kPAgA1SZXmmsrGsTgoeuKl8HusVRzKCfeQqt0vTKcTUhGP0EEoyA0nC6QH6+Pklqu1wtTQ59RevC6M6rqrG4E5WCEaQKBgQDrHcQ9HoCjPp8Qf5L8dRHbKClb64gBuPyDfJ4tpVvpHHCIf9NTcJ0CBC/5ikoVrzrSwlJvGYtHgxZI+EYzn0MCFC6dxvkHeJA/bylwgw7942KzB4ieQdsmQNnLs/9nTdk06yRNkOMX4GUwQArThWsXiNeByibax4nA1GD/yptLyQKBgQDiCCSqwOoMA9Wsdc110rdQ9Uq6f78Tq0N0uNddvnxh/bY6JWYDHck+EXBvEz4cY6NTtaFqCCoophvrqllryBHEYB/ienual6N+e1XfPoUeLwtOAeqBfVd6IraSyS7jdA6fYErAMjFFgcwr6rqIpDW8AzJZNPCAteSmx7xr+rC1fwKBgGwcQNr1xqLJrayRbM4HKtHCMtpggCaCoCH50GYezhdvi1NIq6yHcLq3oDO3Yf98lqjIz8zkSwX0AfBFsUoVZmNzUkgccO/9gR6aB80DhoY54218/lX+5D0/vqYLO1qOEl1h7kx4XePhu8Wm/RNsGuU0eBvnD1y0OeRgA8Y6rJP5AoGAIdnkW+pOYwREAPMXlTi8mZRS38F4BWMV1CpGntSDXk2X9/dX4smYNQJ5mzj/iVLmyAegp/eXEMVn0xCNGdY5yvY2cD21uz5QjwW7o5aCazXSdJlW3JPAARunyi31Jr1f30CVkVkzBdzdjgo2a3ZkUccMyE1kY3JaTxwEvQsrYdMCgYEArObZilqguFcSPJ/NS4/LxT/XoMWYK7My+5Fpyd+HQchVG/ZDLC+GAhwjhylvSwmXEnJgCEggE1OlfyRqwHi4m2yOFupI4P5jd4kBcm1kM6j/MC/pvCHBu+XJ2/MM2kjqwunsVZt0M3frZ0g6T1LSW0bRC8p2Q4B1jHnmJp7Q8PU=</clientKey>
+        </sslKeys>
+        <terminalAuthService sslKeysId="default">
+          <url>https://dev.governikus-eid.de:9444/gov_dvca/ta-service</url>
+        </terminalAuthService>
+        <restrictedIdService sslKeysId="default">
+          <url>https://dev.governikus-eid.de:9444/gov_dvca/ri-service</url>
+        </restrictedIdService>
+        <passiveAuthService sslKeysId="default">
+          <url>https://dev.governikus-eid.de:9444/gov_dvca/pa-service</url>
+        </passiveAuthService>
+        <dvcaCertDescriptionService sslKeysId="default">
+          <url>https://dev.governikus-eid.de:9444/gov_dvca/certDesc-service</url>
+        </dvcaCertDescriptionService>
+      </PkiConnectorConfiguration>
+      <PaosReceiverURL>https://reqesidta.openecard.org/POSeIDAS/eidas-middleware/paosreceiver</PaosReceiverURL>
+      <hoursRefreshCVCBeforeExpires>48</hoursRefreshCVCBeforeExpires>