# Prerequisites

On the machine this project is intended to run on you need the following components:

* `docker-compose` command: it is used to start up the cluster of Docker services the project consists of.
* A reverse proxy with valid TLS certificates, connected to a specific domain. The cluster itself knows nothing about TLS. It contains a facade service with an HTTP-only endpoint, acting as gateway to the individual services. Most important for the demo is the root path (`/`), which leads you to the web UI for demo purposes.

# How to set up the project

The setup of the project consists of several steps.

## Configure POSeIDAS on your local machine

You can use the [configuration-wizard](#use-the-configuration-wizard) or a pre-configured [test configuration](#use-the-pre-configured-template).

### Use the configuration-wizard

To configure POSeIDAS, use the configuration-wizard. Start it with Java 8: `java -jar poseidas-configuration/wizard.jar`. Open your browser at http://localhost:8080/config-wizard/ and follow the instructions.

During configuration make sure to use the default path `/opt/poseidas/database` for the database location. This path will be mounted as a volume to `./poseidas/db` for easy access to the database file.

Save the created `POSeIDAS.xml` and `application.properties` to `./poseidas/config`. This path will be mounted as a volume to `/opt/poseidas/config`. The `eidasmiddleware.properties` is not needed.

### Use the pre-configured template

In `./poseidas/config` is a pre-configured template for testing purposes. It uses self-signed certificates as trust anchors.

### Add terminal certificates

An empty database will be created at first startup. It must be filled after deployment, see [POSeIDAS Database](#poseidas-database).

## Deployment to the hosting server

To deploy the project to a server, some preparations are needed first.
### Edit config for docker-compose

Edit the `docker-compose.yml` file according to your environment:

* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This will be the port the facade is available on. The port should only be reachable from localhost, i.e. the server itself.

### Edit config for the SSA service

Edit the `ssa/config/ssa-server.conf` file according to your environment:

* Replace `TARGET_DOMAIN` with the real domain of the project.

### Edit the deploy script

Edit the `deploy.sh` file according to your environment:

* Replace `TARGET_HOST` with the real host of the project.
* Replace `TARGET_USER` with the user on the host.
* Replace `TARGET_DIR` with the path to the directory on the host the deployment should go to.

### Run the deploy script

Execute the `deploy.sh` script and check the startup of the services on the target host.

## EJBCA key setup script

Run the following command on the server while sitting in the project's directory:

```bash
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
docker cp reqesidta_ejbca:/opt/primekey/bin/p12/sam.docker.reqesidta.de.p12 sam/ && \
docker-compose up -d --no-deps --build sam
```

### POSeIDAS Database

To set up the database, the Docker container first must be stopped. The database can be edited for example with [DBeaver](https://dbeaver.io/). Make sure to add the terminal certificate, private key, sector ID and certificate chain with the corresponding _REFID_ used in the config file (_CVCRefID_). Add these to the following tables:

* TERMINALPERMISSION
  * terminal certificate
  * private key
  * sector ID
  * terminal description
* CERTINCHAIN
  * every certificate of the certificate chain
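A pre-flight check for the deployment steps above (an added example, not part of the project): saved as `preflight.sh` in the project directory, it fails if any `TARGET_*` placeholder is still present in `docker-compose.yml`, `ssa/config/ssa-server.conf` or `deploy.sh`, or if a published port in `docker-compose.yml` is not bound to `127.0.0.1`, which is the "reachable from localhost only" requirement for the facade port. The file name `preflight.sh` and the short-syntax `ports:` mapping shape (`- "127.0.0.1:PORT:80"`) are assumptions.

```bash
#!/bin/sh
# Pre-flight check before running deploy.sh (added example, not project code).
# Assumes the compose file publishes the facade with a short-syntax mapping
# such as '- "127.0.0.1:8443:80"'; host IP and ports are illustrative.

# Fail if any TARGET_* placeholder from the README is still present in the
# given files, printing each leftover with its location.
check_placeholders() {
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  done
  leftovers=$(grep -E -n -o 'TARGET_[A-Z]+' "$@" || true)
  if [ -n "$leftovers" ]; then
    echo "unreplaced placeholders:" >&2
    echo "$leftovers" >&2
    return 1
  fi
}

# Fail if a published port in the compose file is reachable from outside the
# host: '- "8443:80"' and '- "0.0.0.0:8443:80"' bind every interface, while
# '- "127.0.0.1:8443:80"' keeps the facade local to the reverse proxy.
check_loopback_ports() {
  [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
  mappings=$(grep -E '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+' "$1" || true)
  exposed=$(printf '%s\n' "$mappings" | grep -E -v '(^$|127\.0\.0\.1:)' || true)
  if [ -n "$exposed" ]; then
    echo "port mappings not bound to 127.0.0.1:" >&2
    echo "$exposed" >&2
    return 1
  fi
}

# Run both checks against the files this README tells you to edit.
preflight() {
  check_placeholders docker-compose.yml ssa/config/ssa-server.conf deploy.sh &&
    check_loopback_ports docker-compose.yml
}

# Run the checks when executed as ./preflight.sh; do nothing when sourced.
case $0 in *preflight.sh) preflight ;; esac
```

Run `sh preflight.sh && ./deploy.sh` so the deployment only proceeds when both checks pass.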