docker: consolidates docker build/configure and makes security conf the same...

docker: consolidates docker build/configure and makes security conf the same as in vlkb-soda + example-security added now

docker: consolidates docker build/configure and makes security conf the same...
53209c9b · Robert Butora · aff777fc · 53209c9b · 53209c9b · 53209c9b
Commit 53209c9b authored 1 year ago by Robert Butora
--- a/docker/example-security/README.tex
+++ b/docker/example-security/README.tex
+# notes on security:
+# set volume mapping in compose.yaml: security/ -> /etc/pki/tls/
+# configure port/SSL connector: (path is relative to the dir where compose.yaml is
+# * server-connector.xml : set tomcat connector with certificates
+#    -- ia2 needs SECTIGO
+#    -- iam needs self-signed keystore.jks
+# * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12)
+# FIXME implement *.properties and server-connector.xml by paramters
+#### Security
+# SSL-certificates are site-dependent and must be regularly updated:
+# vlkb-cutout expects them in /etc/pki/tls
+#
+# map volume: ./security:/etc/pki/tls:z,ro
+#
+# ia2token: 
+#  auth.propeties
+#  authpolicy.properties
+#  server-connector.xml
+#  SECTIGO/*
+#
+# iamtoken:
+#  iamtoken.properties
+#  server-connector.xml
+#  keystore.jks
+#
--- a/docker/example-security/garrtoken/keystore.jks
+++ b/docker/example-security/garrtoken/keystore.jks
--- a/docker/example-security/garrtoken/neatoken.properties
+++ b/docker/example-security/garrtoken/neatoken.properties
+# certificates endpoint
+jwks_url=
+# account created for the service
+resource_id=
+# username for non-authenticated requests
+non_authn_username=anonymous
--- a/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks
+++ b/docker/example-security/garrtoken/server-connector-8443.xml-self-signed-keystore-jks
+   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyAlias="tomcat"
+                         certificateKeystoreFile="/etc/pki/tls/keystore.jks"
+                         certificateKeystorePassword="tomcatskassl"
+                         type="RSA" />
+        </SSLHostConfig>
+   </Connector>
--- a/docker/example-security/ia2token/auth.properties
+++ b/docker/example-security/ia2token/auth.properties
+rap_uri=https://sso.ia2.inaf.it/rap-ia2
+gms_uri=https://sso.ia2.inaf.it/gms
+client_id=vospace_ui_demo
+client_secret=VOSpaceDemo123
+groups_autoload=true
+store_state_on_login_endpoint=true
+scope=openid email profile read:rap
+allow_anonymous_access=true
--- a/docker/example-security/ia2token/authpolicy.properties
+++ b/docker/example-security/ia2token/authpolicy.properties
+# database for table with permissions
+db_uri=
+db_schema=
+db_user_name=
+db_password=
--- a/docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
+++ b/docker/example-security/ia2token/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
+  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+        sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
+               maxThreads="150" SSLEnabled="true">
+         <SSLHostConfig>
+            <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key"
+                         certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt"
+                         certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
--- a/docker/example-security/iamtoken/iamtoken.properties
+++ b/docker/example-security/iamtoken/iamtoken.properties
+# certificates endpoint
+#jwks_url=
+introspect=
+client_name=
+client_password=
+# account created for the service
+resource_id=
+# username for non-authenticated requests
+non_authn_username=anonymous
--- a/docker/example-security/iamtoken/keystore.jks
+++ b/docker/example-security/iamtoken/keystore.jks
--- a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
+++ b/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
+   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyAlias="tomcat"
+                         certificateKeystoreFile="/etc/pki/tls/keystore.jks"
+                         certificateKeystorePassword="tomcatskassl"
+                         type="RSA" />
+        </SSLHostConfig>
+   </Connector>
--- a/docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf
+++ b/docker/example-security/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf
--- a/docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf
+++ b/docker/example-security/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf
--- a/docker/example-security/ssl/Makefile
+++ b/docker/example-security/ssl/Makefile
+keystore.jks:
+	keytool -genkey -keyalg RSA -noprompt -alias tomcat -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore keystore.jks -validity 9999 -storepass tomcatskassl -keypass tomcatskassl
+showxml:
+	xmlstarlet c14n server.xml