# Prerequisites

On the machine this project is intended to run on you need the following components:

* `docker-compose` command: used to start up the cluster of docker services the project consists of.
* A reverse proxy with valid TLS certificates bound to a specific domain. The cluster itself knows nothing about TLS. It contains a facade service with an HTTP-only endpoint, acting as gateway to the individual services. Most important for the demo is the root path (`/`), which leads you to the web UI for demo purposes.

# How to set up the project

The setup of the project consists of several steps.

## Configure POSeIDAS on your local machine

You can use the [configuration-wizard](#use-the-configuration-wizard) or a pre-configured [test configuration](#use-the-pre-configured-template).

### Use the configuration-wizard

To configure POSeIDAS use the configuration-wizard. Start it with Java 8: `java -jar poseidas-configuration/wizard.jar`. Open your browser at http://localhost:8080/config-wizard/ and follow the instructions.

During configuration make sure to use the default path `/opt/poseidas/database` for the database location. This path will be mounted as a volume to `./poseidas/db` for easy access to the database file.

Save the created `POSeIDAS.xml` and `application.properties` to `./poseidas/config`. This path will be mounted as a volume to `/opt/poseidas/config`. The `eidasmiddleware.properties` is not needed.

### Use the pre-configured template

In `./poseidas/config` is a pre-configured template for testing purposes. It uses self-signed certificates as trust anchors.

### Add terminal certificates

An empty database will be created at first startup. It must be filled after deployment, see [POSeIDAS Database](#poseidas-database).

## Deployment to the hosting server

To deploy the project to a server some preparations are needed first.
### Edit config for docker-compose

Edit the `docker-compose.yml` file according to your environment:

* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This will be the port the facade is available on. The port should only be reachable from localhost, i.e. the server itself.

### Edit config for the SSA service

Edit the `ssa/config/ssa-server.conf` file according to your environment:

* Replace `TARGET_DOMAIN` with the real domain of the project.

### Edit the deploy script

Edit the `deploy.sh` file according to your environment:

* Replace `TARGET_HOST` with the real host of the project.
* Replace `TARGET_USER` with the user on the host.
* Replace `TARGET_DIR` with the path to the directory on the host the deployment should go to.

### Run the deploy script

Execute the `deploy.sh` script and check the startup of the services on the target host.

## EJBCA key setup script

Run the following command on the server while sitting in the project's directory:

```bash
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
docker cp reqesidta_ejbca:/opt/primekey/bin/p12/sam.docker.reqesidta.de.p12 sam/ && \
docker-compose up -d --no-deps --build sam
```

### POSeIDAS Database

To make changes in the database, the docker container must be stopped first. The database can be edited for example with [DBeaver](https://dbeaver.io/). If the preconfigured database is used, look up the credentials for opening it in the file `/poseidas/config/application.properties`. If you configured the database yourself, you have set the credentials via the [configuration-wizard](#use-the-configuration-wizard).

You need to add the following data into the database:

* terminal certificate
* private key
* sector-id (only relevant if the client is using PersoSim)
* certificate chain

This data must be inserted using the key _REFID_. The value of _REFID_ must match the value in the POSeIDAS config file under the key _CVCRefID_.

Use the following tables for adding the data:

* TERMINALPERMISSION
  * _CVC_: terminal certificate
  * _CVCPRIVATEKEY_: private key
  * _SECTORID_: sector-id
  * _CVCDESCRIPTION_: terminal description
* CERTINCHAIN
  * every certificate of the certificate chain
  * starting with the root certificate, use the value `0` for _POSINCHAIN_ and put the certificate in _DATA_
  * if intermediate certificates exist, increase the value of _POSINCHAIN_ for each one and put the certificate in _DATA_
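A pre-deployment check for the configuration steps in "Deployment to the hosting server", added here as example code that is not part of the project: it verifies that the `TARGET_*` placeholders named in this README have been replaced in `docker-compose.yml`, `ssa/config/ssa-server.conf` and `deploy.sh`, and that every port `docker-compose.yml` publishes is bound to `127.0.0.1`, since the facade port must only be reachable from the server itself. The sample project it can write is constructed for the demonstration, and the contents of the real config files are an assumption.

```shell
#!/bin/sh
# Added pre-deployment check (example code, not part of the project). It only
# assumes the file names and TARGET_* placeholders named in this README.
set -u

# Echo how many of the placeholders $2.. still occur in file $1 (missing file = 1).
count_leftover_placeholders() {
  file="$1"; shift
  [ -f "$file" ] || { echo "$file: missing" >&2; echo 1; return; }
  leftover=0
  for name in "$@"; do
    if grep -q -- "$name" "$file"; then
      echo "$file: placeholder $name has not been replaced" >&2
      leftover=$((leftover + 1))
    fi
  done
  echo "$leftover"
}
# Echo how many published ports ("host:container" or "ip:host:container") in a
# docker-compose.yml are not bound to 127.0.0.1, i.e. reachable from outside
# the server, which the README says the facade port must not be.
count_ports_open_to_all() {
  file="$1"; open=0
  mappings=$(grep -E '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+"?[[:space:]]*$' "$file" 2>/dev/null \
    | sed -E 's/^[[:space:]]*-[[:space:]]*"?//; s/"?[[:space:]]*$//')
  for mapping in $mappings; do
    case "$mapping" in
      127.0.0.1:*) ;;   # loopback only: as intended
      *) echo "$file: port $mapping is reachable from outside" >&2; open=$((open + 1)) ;;
    esac
  done
  echo "$open"
}
# Run every check against project directory $1 and echo the total number of findings.
preflight() {
  dir="$1"
  a=$(count_leftover_placeholders "$dir/docker-compose.yml" TARGET_PORT)
  b=$(count_leftover_placeholders "$dir/ssa/config/ssa-server.conf" TARGET_DOMAIN)
  c=$(count_leftover_placeholders "$dir/deploy.sh" TARGET_HOST TARGET_USER TARGET_DIR)
  d=$(count_ports_open_to_all "$dir/docker-compose.yml")
  echo $((a + b + c + d))
}
# Write a constructed sample project into directory $1, publishing the facade port as $2.
make_sample_project() {
  mkdir -p "$1/ssa/config"
  printf 'services:\n  facade:\n    ports:\n      - "%s"\n' "$2" > "$1/docker-compose.yml"
  printf 'domain = example.invalid\n' > "$1/ssa/config/ssa-server.conf"
  printf 'scp -r . deploy@example.invalid:/srv/reqesidta\n' > "$1/deploy.sh"
}
```

Run `preflight .` in the project directory before executing `deploy.sh`; a non-zero total means a placeholder is still present or a published port is not bound to loopback.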