# Prerequisites

On the machine this project is intended to run on you need the following components:

* `docker-compose` command: it is used to start up the cluster of docker services the project consists of.
* A reverse proxy with valid TLS certificates connected to a specific domain. The cluster itself knows nothing about TLS. It contains a facade service with an HTTP endpoint only, acting as gateway to the individual services. Most important for the demo is the root path (`/`), which will lead you to the web UI for demo purposes.

# How to set up the project

The setup of the project consists of several steps.

## Configure POSeIDAS

In `./poseidas/config` is a pre-configured template for the configuration of POSeIDAS. It uses self-signed certificates as trust anchors. Edit the `poseidas/config/poseidas.xml` file according to your environment:

* Replace `TARGET_DOMAIN` with the real domain of the project (`ServerUrl` and `PaosReceiverURL`).

### Add terminal certificates

The database contains pre-defined certificates matching the domain `docker.reqesidta.de`. If you don't want to use them, replace them with your data after deployment, see [POSeIDAS Database](#POSeIDAS-Database).

## Edit config for docker-compose

Edit the `docker-compose.yml` file according to your environment:

* Replace `TARGET_PORT` with the port your reverse proxy is pointing to. This will be the port the facade is available on. The port should only be reachable from localhost, i.e. the deployment target itself.

## Edit config for the SSA service

Edit the `ssa/config/ssa-server.conf` file according to your environment:

* Replace `TARGET_DOMAIN` with the real domain of the project.

## Edit the deploy script

Edit the `deploy.sh` file according to your environment:

* Replace `TARGET_HOST` with the real host of the project.
* Replace `TARGET_USER` with the user on the host.
* Replace `TARGET_DIR` with the path to the directory the deployment should go to on the host.

## Run the deploy script

Execute the `deploy.sh` script and check the startup of the services on the target host. Please wait for the load of all services to reach a near-idle level.

## EJBCA key setup script

Run the following command on the target host while sitting in the deployment directory:

```bash
docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
docker cp reqesidta_ejbca:/opt/primekey/bin/p12/sam.docker.reqesidta.de.p12 sam/ && \
docker-compose up -d --no-deps --build sam
```

## POSeIDAS Database

The pre-configuration of the POSeIDAS database matches the PersoSim profiles, which can be found in the project under `/perso_sim_profiles`, and the TLS certificate, which can be found under `/docker/facade/docker.reqesidta.de.cert`. The database content must be changed if another terminal certificate should be used.

To make changes in the database, the docker container `reqesidta_poseidas` first must be stopped. The database can be edited for example with [DBeaver](https://dbeaver.io/). Please look up the credentials for opening the database in the file `/poseidas/config/application.properties`.

The following data needs to be present in the database:

* the terminal certificate (in ISO 7816 TLV binary format)
* the private key of the terminal certificate (PKCS #8 without password)
* the sector ID (aka sector key) of the terminal certificate (public key data object in binary format)
* the certificate chain of the terminal certificate (in ISO 7816 TLV binary format)

Use the following tables for replacing the pre-configured data with your own:

* TERMINALPERMISSION
  * _CVC_: terminal certificate
  * _CVCPRIVATEKEY_: private key of the terminal certificate
  * _SECTORID_: sector key of the terminal certificate
  * _CVCDESCRIPTION_: description of the terminal certificate
* CERTINCHAIN
  * every certificate from the certificate chain of the terminal certificate:
    * starting with the root certificate, use the value `0` for _POSINCHAIN_ and put the certificate in _DATA_
    * if intermediate certificates exist, increase the value for _POSINCHAIN_ and put the certificate in _DATA_

This data must be referenced using a key in _REFID_. The value of _REFID_ must match the value in the POSeIDAS config file under the key _CVCRefID_.
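The root-first _POSINCHAIN_ order is easy to get wrong when filling CERTINCHAIN by hand. The following Python check is an added example, not part of this project: it parses the ISO 7816 TLV envelope of each CV certificate (assuming the TR-03110 layout, where tag 0x7F21 wraps a 0x7F4E body that carries the issuer reference CAR in tag 0x42 and the holder reference CHR in tag 0x5F20) and verifies that position 0 is the self-signed root, every later entry is issued by the previous one, and the terminal certificate is issued by the last entry. The sample certificates are constructed and contain only the fields the check reads.

```python
def _tlv_iter(buf):
    """Yield (tag, value) for each BER-TLV element in buf; tags up to two bytes."""
    i = 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        if tag & 0x1F == 0x1F:  # second tag byte follows (0x7F21, 0x5F20, ...)
            tag, i = (tag << 8) | buf[i], i + 1
        length, i = buf[i], i + 1
        if length & 0x80:  # long form: 0x81/0x82 followed by the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def tlv(tag, value):
    """Encode one TLV element; only used to build the constructed sample data."""
    t = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    length = bytes([len(value)]) if len(value) < 0x80 else b"\x81" + bytes([len(value)])
    return t + length + value

def cvc_refs(cert):
    """Return (CAR, CHR) of one CV certificate blob as stored in CVC / DATA."""
    outer = dict(_tlv_iter(cert))
    if 0x7F21 not in outer:
        raise ValueError("blob is not a CV certificate (tag 7F21 missing)")
    body = dict(_tlv_iter(dict(_tlv_iter(outer[0x7F21]))[0x7F4E]))
    return body[0x42].decode("ascii"), body[0x5F20].decode("ascii")

def chain_positions(chain, terminal):
    """Validate root-first order; return [(POSINCHAIN, CHR), ...] rows for CERTINCHAIN."""
    rows, previous = [], None
    for pos, cert in enumerate(chain):
        car, chr_ = cvc_refs(cert)
        expected = chr_ if pos == 0 else previous  # root is self-signed, rest chain upward
        if car != expected:
            raise ValueError(f"certificate at POSINCHAIN {pos} is not issued by {expected}")
        rows.append((pos, chr_))
        previous = chr_
    if cvc_refs(terminal)[0] != previous:
        raise ValueError("terminal certificate was not issued by the last chain entry")
    return rows

def make_cvc(car, chr_):
    """Constructed sample: only the fields this check reads, with a dummy signature."""
    body = tlv(0x5F29, b"\x00") + tlv(0x42, car.encode()) + tlv(0x5F20, chr_.encode())
    return tlv(0x7F21, tlv(0x7F4E, body) + tlv(0x5F37, b"\x00" * 64))

ROOT = make_cvc("DEDEMOCVCA0001", "DEDEMOCVCA0001")  # constructed self-signed root, POSINCHAIN 0
INTERMEDIATE = make_cvc("DEDEMOCVCA0001", "DEDEMODV000001")  # constructed, issued by the root
TERMINAL = make_cvc("DEDEMODV000001", "DEDEMOAT000001")  # constructed terminal certificate (CVC)
```

The returned rows map directly onto _POSINCHAIN_ and _DATA_ for the _REFID_ you configure.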