Commit 72713707 authored by Rene Lottes's avatar Rene Lottes

Merge branch 'feature/end-user-doc' of...

Merge branch 'feature/end-user-doc' of git.ecsec.de:oec/reqesidta-prototype/eid-server into feature/end-user-doc
parents f6bb10ec aabdd780
*.jar
target/
packer/
*Jenkinsfile*
......@@ -12,7 +11,10 @@ packer/
# built stuff
*/_build
docker/ssa/dist/*
*.jar
*.war*
*.tgz
#netbeans
*/**/nbactions.xml
......@@ -22,4 +24,4 @@ docker/ssa/dist/*
.classpath
.settings
*/**/.settings
/bin/
*/**/workspace
#!/bin/bash
#
# script to build and pack the project as archive for delivery to client
#
# tobias.assmann@ecsec.de
TRG_DIR=docker_for-client-delivery
TRG_ARC=eid-server.tgz
echo "checking java version ..."
command -v java 2>&1 >> /dev/null || { echo "no java found"; exit 1;}
java -version 2>&1 | awk -F '"' '/version/ {print $2}' | grep -q 1.8 || { echo "java version is not 1.8"; exit 1;}
echo "build the whole project ..."
mvn clean install || { echo "maven build failed. please check!"; exit 1; }
echo "copy builded stuff to $TRG_DIR ..."
cp configuration-wizard/target/configuration-wizard-1.2.0-SNAPSHOT.jar $TRG_DIR/poseidas-configuration-wizard.jar
cp docker/sam/sam-1.2.0-SNAPSHOT-thorntail.jar $TRG_DIR/sam/sam-1.2.0-SNAPSHOT-thorntail.jar
cp docker/ssa/dist/ssa-server.war $TRG_DIR/ssa/dist/ssa-server.war
echo "archiving $TRG_DIR to $TRG_ARC ..."
tar -cvzf $TRG_ARC $TRG_DIR
echo "done"
exit 0
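Review bot: The three `cp` lines that stage the wizard jar, the sam jar and `ssa-server.war` are unchecked, so a missing or failed artifact does not stop the script: it still tars `$TRG_DIR` and delivers whatever stale copy of that file was already there from an earlier run. Add `set -euo pipefail` right after the shebang (the `|| { …; exit 1; }` guards on the java and mvn steps keep working under it) so that any failed `cp` aborts before the archive is built. Since this archive is handed to a client, also emit a digest next to it, `sha256sum "$TRG_ARC" > "$TRG_ARC.sha256"`, so the recipient can verify what was delivered. The `grep -q 1.8` version check is a loose substring match; `grep -q '^1\.8\.'` pins it to the intended major/minor.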
version: "3.4"
services:
facade:
image: "reqesidta/facade"
container_name: "reqesidta_facade"
labels:
- "traefik.enable=true"
build:
context: ./facade
command:
--providers.docker=true
--providers.docker.exposedbydefault=false
--entryPoints.web.address=:80
--log.level=debug
ports:
- "80:80"
networks:
- reqesidta_net
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
poseidas:
image: "reqesidta/poseidas"
container_name: "reqesidta_poseidas"
labels:
- "traefik.enable=true"
- "traefik.http.services.poseidas.loadbalancer.server.port=8443"
- "traefik.http.routers.poseidas.rule=Path(`/POSeIDAS/eidas-middleware/paosreceiver`)"
- "traefik.http.routers.poseidas.entrypoints=web"
build:
context: ./poseidas
args:
JAR_FILE: POSeIDAS-exec.jar
# ports:
# - "127.0.0.1:8443:8443"
networks:
reqesidta_net:
aliases:
- poseidas.docker.reqesidta.de
volumes:
- ./poseidas/config:/opt/poseidas/config
- ./poseidas/db:/opt/poseidas/database
ejbca:
image: "reqesidta/ejbca"
container_name: "reqesidta_ejbca"
build:
context: ./ejbca
hostname: localhost:8444
# ports:
# - "127.0.0.1:8444:8443"
depends_on:
- postgres
environment:
DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
DATABASE_USER: ejbca
DATABASE_PASSWORD: password
networks:
reqesidta_net:
aliases:
- ejbca.docker.reqesidta.de
postgres:
image: "postgres:11.4"
container_name: "reqesidta_postgres"
environment:
POSTGRES_USER: ejbca
POSTGRES_PASSWORD: password
networks:
- reqesidta_net
ssa:
image: "reqesidta/ssa"
container_name: "reqesidta_ssa"
labels:
- "traefik.enable=true"
- "traefik.http.services.ssa.loadbalancer.server.port=8080"
- "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
- "traefik.http.routers.ssa.entrypoints=web"
build:
context: ./ssa
depends_on:
- poseidas
- ejbca
command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
# ports:
# - "127.0.0.1:28080:8080"
# volumes:
# - ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
networks:
reqesidta_net:
aliases:
- ssa.docker.reqesidta.de
sam:
image: "reqesidta/sam"
container_name: "reqesidta_sam"
build:
context: ./sam
# ports:
# - "127.0.0.1:38080:8080"
networks:
reqesidta_net:
aliases:
- sam.docker.reqesidta.de
networks:
reqesidta_net:
driver: bridge
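Review bot: The `ssa` service starts WildFly with `-bmanagement 0.0.0.0`, which binds the management interface (admin console and management API) to every container on `reqesidta_net`, and nothing in this file shows a management user being provisioned; unless something actually administers WildFly remotely, keep it on loopback: `command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 127.0.0.1`. The EJBCA database credentials are the literal `password` in both `DATABASE_PASSWORD` and `POSTGRES_PASSWORD`, committed to the repository; read them from the environment instead, e.g. `POSTGRES_PASSWORD: ${EJBCA_DB_PASSWORD:?set EJBCA_DB_PASSWORD in .env}` (and the same variable for `DATABASE_PASSWORD`), so the secret lives in an untracked `.env`. The facade mounts `/var/run/docker.sock`, which gives the Traefik container root-equivalent control of the host; that is the usual Traefik pattern, but it should be called out in the readme and restricted (a socket proxy limited to read-only container/event queries) before this runs on a shared host. Finally, `ports: "80:80"` binds on all interfaces while the readme in this commit says the facade port should only be reachable from the server itself; `"127.0.0.1:80:80"` matches that intent, and `--log.level=debug` should not ship as the default since Traefik debug logs include request details.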
# Setup
## yml anpassen (docker compose)
## ssa-config
## Configure POSeIDAS
To configure the POSeIDAS use the configuration-wizard. Start it with Java8: `java -jar poseidas-configuration/wizard.jar`. Open your browser at http://localhost:8080/config-wizard/ and follow the instructions.
During configuration make sure to use the default path `/opt/poseidas/database` for the database location. This path will be mounted as a volume to `./poseidas/db` for easy access to the database-file.
Save the created `POSeIDAS.xml` and `application.properties` to `./poseidas/config`. This path will be mounted as a volume to `/opt/poseidas/config`.
A emtpy database will be created at first startup. Further reading in [POSeIDAS Database](#POSeIDAS-Database)
## fist deployment (docker-compose up)
### EJBCA key setup script
### POSeIDAS Database
To setup the database, the docker container first must be shut down. The Database can be edited for example with [DBeaver](https://dbeaver.io/). Make sure to add the terminal certificate, private-key, sector-id and certificate-chain with the corresponding _REFID_ used in the config file (_CVCRefID_).
ssa-server.war
\ No newline at end of file
......@@ -7,40 +7,32 @@
# for a specific target environment. Please setup the env vars
# accourding to your needs:
#
# name of the target environment
ENV=stage
# the host of the target environment
HOST=localhost
# the user on the target environment used to copy the files there and run the project
USER=tobias
# the directory on the host of the target environment where
DIR=/home/tobias/Projects/reqesidta/deploy
# the target host of the deployment
HOST=YOUR_HOST
# the user on the target host used to copy the files there and run the project
USER=YOUR_USER
# the directory on the target host where to put the project
DIR=YOUR_DIR
#
#######################################################################################
# check for needed files
#
# check for needed commands
# local
command -v rsync >/dev/null 2>&1 || { echo >&2 "rsync is needed on locahost but it's not installed. Aborting."; exit 1; }
echo "check for needed commands ..."
command -v rsync >/dev/null 2>&1 || { echo >&2 "rsync is needed on localhost but it's not installed. Aborting."; exit 1; }
command -v ssh >/dev/null 2>&1 || { echo >&2 "ssh is needed on localhost but it's not installed. Aborting."; exit 1; }
# remote
ssh $USER@$HOST "command -v docker >/dev/null 2>&1" || { echo >&2 "docker is needed on $HOST but it's not installed. Aborting."; exit 1; }
ssh $USER@$HOST "command -v docker-compose >/dev/null 2>&1" || { echo >&2 "docker is needed on $HOST but it's not installed. Aborting."; exit 1; }
# synchronize this directory with the target on $HOST.
# exclude the not needed files
echo "copy files to server ..."
rsync -av --delete --progress \
--exclude 'sam/config/ssa-server_TEMPLATE.conf' \
--exclude 'docker-compose_TEMPLATE.yml' \
--exclude 'deploy-to*' \
--exclude 'readme*' \
--exclude 'deploy.sh' \
--exclude 'poseidas-configuration-wizard.jar' \
--exclude 'readme.md' \
./ $USER@$HOST:$DIR
# Restart / re-build the services
echo "Start services on server ..."
#ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"
echo "Deployment done, please wait until all services are fully running and proceed to EJBCA key setup."
echo "Deployment done, please wait until all services are fully running and proceed with EJBCA key setup."
exit 0;
exit 0
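Review bot: The `rsync -av --delete … ./ $USER@$HOST:$DIR` in this hunk deletes everything under `$DIR` that does not exist locally, which appears to include state that is only created on the server after the first deployment: the readme in this commit has the EJBCA key-setup step `docker cp` a `.p12` into `sam/` on the server, and the POSeIDAS database is created under `poseidas/db` at first startup. A second run of `deploy.sh` would then remove the sam keystore and the database, breaking the running deployment and silently discarding the terminal private keys stored in that database. Either drop `--delete` or exclude the server-side state explicitly, `--exclude 'sam/*.p12' --exclude 'poseidas/db/'`, and quote the remote target, `"$USER@$HOST:$DIR"`, so a `YOUR_DIR` value with spaces does not split. Note also that `USER` overrides the shell's own `$USER` variable; a project-specific name such as `DEPLOY_USER` avoids that collision.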
# Setup
## yml anpassen (docker compose)
## ssa-config
# Prerequisites
On the machine this project is intended to run you need the following components:
* docker-compose command: It is used to startup the cluster of docker services the project consists of.
* A reverse proxy with vaild TLS Certificates: The cluster itself knows nothing about TLS. It containes a facade service with an http endpoint only, acting as gateway to the individual services.
## Configure POSeIDAS
# Howto Setup the project
The setup of the project consists of several steps.
## Configure POSeIDAS on your local machine
You can use the [configuration-wizard](#use-the-configuration-wizard) or use a pre configured [test configuration](#use-the-pre-configured-template).
### Use the configuration-wizard
......@@ -16,11 +20,36 @@ Save the created `POSeIDAS.xml` and `application.properties` to `./poseidas/conf
In `./poseidas/config` is a pre configured template for testing purposes. It uses self-signed certificates as trust-anchors.
### Add terminal certificates
A emtpy database will be created at first startup. Further reading in [POSeIDAS Database](#POSeIDAS-Database)
A emtpy database will be created at first startup. It must be filled after deployment, see [POSeIDAS Database](#POSeIDAS-Database).
## Deployment to the hosting server
To deploy the project to a server some preparations are needed first.
### Edit config for docker-compose
Edit the `docker-compose.yml` file accourding to your environment:
* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This will be the port the facade will be available. The port should only be reachable form localhost , aka. the server itself.
### Edit config for the SSA service
Edit the `ssa/config/ssa-server.conf` file accourding to your environment:
* Replace `DOMAIN` with the real domain of the project.
### Edit the deploy script
Edit the `deploy.sh` file accourding to your environment:
* Replace `YOUR_HOST` with the real host of the project.
* Replace `YOUR_USER` with the user for on the host.
* Replace `YOUR_DIR` with the path to the directory the deployment should go to on the host.
### Run the deploy script
Execute the `deploy.sh` script and check the startup of the services on the target host.
## fist deployment (docker-compose up)
## EJBCA key setup script
Run the following command on the server while sitting in the projects directory:
### EJBCA key setup script
```bash
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
docker cp reqesidta_ejbca:/opt/primekey/bin/p12/sam.docker.reqesidta.de.p12 sam/ && \
docker-compose up -d --no-deps --build sam
```
### POSeIDAS Database
To setup the database, the docker container first must be stopped. The Database can be edited for example with [DBeaver](https://dbeaver.io/). Make sure to add the terminal certificate, private-key, sector-id and certificate-chain with the corresponding _REFID_ used in the config file (_CVCRefID_).
ssa-config {
sessionMaxAge: 60,
sessionCheckAgeInterval: 30,
baseUrl: "https://docker.reqesidta.de/ssa-server"
baseUrl: "https://DOMAIN/ssa-server"
eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
samUrl: "http://sam.docker.reqesidta.de:8080"
caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"
......