diff --git a/docker/Dockerfile.vlkb b/docker/Dockerfile.vlkb
new file mode 100644
index 0000000000000000000000000000000000000000..91d5150e6126bac47a470a110d9daea56cc94959
--- /dev/null
+++ b/docker/Dockerfile.vlkb
@@ -0,0 +1,68 @@
+FROM debian:bullseye-slim
+LABEL Description="vlkb tomcat9"
+
+WORKDIR /root
+ENV HOME /root
+
+
+RUN apt -y update \
+ && apt -y install sudo procps psmisc tree wget curl vim make build-essential checkinstall git \
+ libcfitsio-dev libpqxx-dev librabbitmq-dev libcsv-dev gfortran \
+ openjdk-17-jre-headless unzip \
+ rabbitmq-server openjdk-17-jre openjdk-17-jdk tomcat9 tomcat9-admin \
+ postgresql-client
+
+COPY ast_9.2.9-1_amd64.deb ./
+RUN dpkg -i /root/ast_9.2.9-1_amd64.deb && ldconfig \
+ && mkdir -p /webapps/vlkb-search && mkdir -p /webapps/vlkb-cutout && mkdir /config \
+ && mkdir -p /srv/surveys && mkdir -p /srv/cutouts
+
+ARG VLKB_VERSION
+
+COPY vlkb-${VLKB_VERSION}.deb vlkb-obscore-${VLKB_VERSION}.deb vlkbd-${VLKB_VERSION}.deb ./
+COPY vlkb-search-${VLKB_VERSION}.war /webapps/vlkb-search/
+COPY vlkb-cutout-${VLKB_VERSION}.war /webapps/vlkb-cutout/
+RUN dpkg -i vlkb-${VLKB_VERSION}.deb vlkb-obscore-${VLKB_VERSION}.deb vlkbd-${VLKB_VERSION}.deb \
+ && cd /webapps/vlkb-search && jar -xf vlkb-search-${VLKB_VERSION}.war \
+ && cd /webapps/vlkb-cutout && jar -xf vlkb-cutout-${VLKB_VERSION}.war
+
+COPY postgresql-*.jar /var/lib/tomcat9/lib
+
+# Lines with postgresql_*.jar: provide DB-driver so Tomcat loads it
+# vlkb-search vlkb-cutout do not explicitely load DB-drivers
+
+
+
+# configure instance
+
+ENV INST_DIR=/usr/local
+
+COPY vlkbd_exec.sh ${INST_DIR}/bin
+
+RUN mkdir -p ${INST_DIR}/etc/vlkb-obscore \
+ && mkdir -p ${INST_DIR}/etc/vlkbd \
+ && echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf \
+ && ldconfig
+
+# configure during docker build-time
+
+COPY config-vlkb/vlkb-obscore.datasets.conf ${INST_DIR}/etc/vlkb-obscore/datasets.conf
+COPY config-vlkb/vlkbd.datasets.conf ${INST_DIR}/etc/vlkbd/datasets.conf
+
+# created in entrypoint.sh COPY config-vlkb/servlet.cutout.properties /webapps/vlkb-cutout/WEB-INF/classes/cutout.properties
+
+COPY config-vlkb/auth.properties config-vlkb/neatoken.properties config-vlkb/iamtoken.properties 
/webapps/vlkb-cutout/WEB-INF/classes/
+COPY config-vlkb/auth.properties config-vlkb/neatoken.properties config-vlkb/iamtoken.properties config-vlkb/formatresponsefilter.properties /webapps/vlkb-search/WEB-INF/classes/
+
+#COPY ssl/keystore.jks /root/
+COPY ssl/server.xml ssl/server-connector-8080.xml ssl/server-connector-8443.xml /etc/tomcat9/
+
+# configure during docker run-time
+
+COPY entrypoint.sh /root
+
+# run
+
+RUN pwd && chmod +x /root/entrypoint.sh
+CMD ["sh", "-c", "/root/entrypoint.sh"]
+
diff --git a/docker/Makefile b/docker/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..3f8f87798cca0290af7ff60daca293b028d91765
--- /dev/null
+++ b/docker/Makefile
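Review bot: The two `COPY config-vlkb/auth.properties ... iamtoken.properties ...` lines near the end of the hunk bake credential files into image layers, and `publish-remotely-to-ska` in docker/Makefile pushes that image to an external registry, so whatever those files hold (a client secret in auth.properties, a client password in iamtoken.properties) travels with every published image and cannot be rotated without a rebuild. Since entrypoint.sh already overlays `/srv/surveys/iamtoken.properties` into the cutout webapp at start-up, keep only non-secret settings in the image and supply credentials through a mounted file or a BuildKit `RUN --mount=type=secret`. The image has no `USER` instruction, so `CMD ["sh", "-c", "/root/entrypoint.sh"]` starts Tomcat as root; add a comment stating that this is intentional, or drop privileges to the `tomcat` account the Debian package creates once the entrypoint has written its config. The `apt -y install` line also leaves `sudo`, `build-essential` and `checkinstall` in a runtime image and never clears `/var/lib/apt/lists`; `apt-get install --no-install-recommends` with a trailing `&& rm -rf /var/lib/apt/lists/*` keeps both the attack surface and the layer size down.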
@@ -0,0 +1,72 @@
+
+VERSION ?= $(shell git describe)
+
+
+all:
+
+
+download-all: vlkb-search vlkb-cutout vlkbd vlkb-obscore vlkb
+
+vlkb-search vlkb-cutout:
+ make download PACK_FILE=$@-$(VERSION).war
+
+vlkbd vlkb-obscore vlkb:
+ make download PACK_FILE=$@-$(VERSION).rpm
+ make download PACK_FILE=$@-$(VERSION).deb
+
+
+.PHONY: download
+download: GITLAB_PROJ_ID := 79
+download: GITLAB_PROJ_NAME := $(shell basename -s .git `git config --get remote.origin.url`)
+download: VER_MAJOR := $(shell echo $(VERSION) | cut -f1 -d.)
+download: VER_MINOR := $(shell echo $(VERSION) | cut -f2 -d.)
+download: PACK_URL := "https://ict.inaf.it/gitlab/api/v4/projects/$(GITLAB_PROJ_ID)/packages/generic/$(GITLAB_PROJ_NAME)/$(VER_MAJOR).$(VER_MINOR)/$(PACK_FILE)"
+download:
+ curl -O --header "PRIVATE-TOKEN: glpat-CJZDcks7bYqE__ePn4J6" $(PACK_URL)
+
+
+ast-9.2.9.tar.gz:
+ wget https://github.com/Starlink/ast/files/8843897/ast-9.2.9.tar.gz
+
+
+
+.PHONY: build
+build:
+ docker build --build-arg VLKB_VERSION=$(VERSION) -t soda -f Dockerfile.vlkb .
+
+# the docker-login below needed a ca-cert(?) which in the middle of the certificate-chain,
+# but was not automatically downloaded and also local cert/ket pair(?) ->
+# -> see: /etc/docker/certs.d/git.ia2.ianf.it:5050/*
+#
+# docker login git.ia2.inaf.it:5050 (robert.butora C-tol szokasos-hossu)
+# to download: use image: ... in compose.yaml or
+# docker run ... 
git.ia2.inaf.it:5050/vialactea/vlkb-soda
+
+publish-locally-soda:
+ docker tag soda git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:$(VERSION)
+ docker push git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:$(VERSION)
+ docker image rm git.ia2.inaf.it:5050/vialactea/vlkb-soda/soda:$(VERSION)
+
+
+##docker login registry.gitlab.com --> robert.butora xC*n
+publish-remotely-to-ska:
+ docker tag soda registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:$(VERSION)
+ docker push registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:$(VERSION)
+ docker image rm registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:$(VERSION)
+
+###############################################################################
+#TAG ?= $(VERSION)
+#REMOTE_SODA_IMAGE_NAME = registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:$(TAG)
+#SODA_IMAGE_NAME = soda:$(TAG)
+# https://gitlab.com/ska-telescope/src/visivo-vlkb-soda/container_registry/3917365
+###############################################################################
+#.PHONY: publish
+#publish:
+# docker tag $(SODA_IMAGE_NAME) $(REMOTE_SODA_IMAGE_NAME)
+# docker push $(REMOTE_SODA_IMAGE_NAME)
+# docker image rm $(REMOTE_SODA_IMAGE_NAME)
+# @echo "SODA_IMAGE_NAME : "$(SODA_IMAGE_NAME)
+# @echo "REMOTE_SODA_IMAGE_NAME : "$(REMOTE_SODA_IMAGE_NAME)
+###############################################################################
+
+
diff --git a/docker/ast-9.2.9.tar.gz b/docker/ast-9.2.9.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..240e419c4ba498499507a6c370244e989a375857
Binary files /dev/null and b/docker/ast-9.2.9.tar.gz differ
diff --git a/docker/ast_9.2.9-1_amd64.deb b/docker/ast_9.2.9-1_amd64.deb
new file mode 100644
index 0000000000000000000000000000000000000000..c9b2a9fa7d2c8a41bd3b24d91af96f23d8d4437d
Binary files /dev/null and b/docker/ast_9.2.9-1_amd64.deb differ
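Review bot: The `download` recipe passes a literal GitLab personal access token in the `PRIVATE-TOKEN:` header, and committing it puts it in the repository history for everyone who can read the project; revoke it and read it from the environment instead, e.g. `curl -O --header "PRIVATE-TOKEN: $${GITLAB_TOKEN:?GITLAB_TOKEN not set}" $(PACK_URL)`. The `##docker login registry.gitlab.com --> ...` comment above `publish-remotely-to-ska` likewise records an account name and a password hint and should be dropped. The recursive calls in the `vlkb-search vlkb-cutout` and `vlkbd vlkb-obscore vlkb` rules should be `$(MAKE) download ...` rather than `make download ...` so that `-n`, `-j` and the jobserver propagate. `download-all`, the five per-package targets and the two `publish-*` targets are commands rather than files and belong in `.PHONY` next to `download` and `build`.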
diff --git a/docker/compose-example-ska-soda.yaml b/docker/compose-example-ska-soda.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ddc66c740ff9a95a92cf955fa35e6af3af49097e
--- /dev/null
+++ b/docker/compose-example-ska-soda.yaml
@@ -0,0 +1,39 @@
+version: '3'
+
+services:
+
+ ska:
+ container_name: ska
+ #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest
+ image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.6
+ #image: soda:latest
+ ports:
+ - 18019:8080
+ environment:
+ - SECURITY=
+ - ACCESS_CONTEXT_ROOT=ska#datasets
+ #- RESPONSE_FORMAT=application/fits
+ #- RESPONSE_FORMAT=application/fits;createfile=yes
+ volumes:
+ - /srv/ska/surveys:/srv/surveys:z,ro
+ - /srv/ska/cutouts:/srv/cutouts:z,rw
+ restart: always
+
+
+ ska-ssl:
+ container_name: ska-ssl
+ #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest
+ image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.6
+ #image: soda:latest
+ ports:
+ - 18025:8443
+ environment:
+ - SECURITY=iamtoken
+ - ACCESS_CONTEXT_ROOT=ska#datasets
+ #- RESPONSE_FORMAT=application/fits
+ #- RESPONSE_FORMAT=application/fits;createfile=yes
+ volumes:
+ - /srv/ska/surveys:/srv/surveys:z,ro
+ - /srv/ska/cutouts:/srv/cutouts:z,rw
+ restart: always
+
diff --git a/docker/compose-example-vlkb.yaml b/docker/compose-example-vlkb.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..45de84ae3ffb061e7359ffa16f7b93c65eea10ad
--- /dev/null
+++ b/docker/compose-example-vlkb.yaml
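Review bot: `ska-ssl` sets `SECURITY=iamtoken` and publishes `18025:8443`, but declares no volume for `/etc/pki/tls`, which is where `ssl/server-connector-8443.xml` in this commit looks for the key and certificate and where the comments in entrypoint.sh say the `ssl/` directory has to be mapped; unless the image bundles a keystore there, the TLS connector most likely fails to start. Add the mapping next to the existing volumes, e.g. `- ./ssl:/etc/pki/tls:z,ro`, or document why it is omitted. The `ska` service runs with an empty `SECURITY=` on `18019:8080`, which entrypoint.sh reports as `Security not configured, runs open.`; a comment on that line saying the endpoint is deliberately unauthenticated would make the example safer to copy.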
@@ -0,0 +1,50 @@
+version: '2'
+
+services:
+
+ vlkb-db:
+ container_name: vlkb-db
+ image: git.ia2.inaf.it:5050/butora/vlkb-datasets/postgres-pgsphere:latest
+ #image: registry.gitlab.com/ska-telescope/src/visivo-vlkb-soda:1.5.2
+ hostname: vlkb-db
+ ports:
+ - 5432:5432
+ #image: postgres-pgsphere:latest
+ #network_mode: "host"
+ environment:
+ - SECURITY=
+ - POSTGRES_PASSWORD=ia2vlkb
+ volumes:
+ - postgres-data:/var/lib/postgresql/data
+
+
+ vlkb:
+ container_name: vlkb
+ image: soda:latest
+ #image: git.ia2.inaf.it:5050/butora/vlkb-datasets/soda:latest
+ hostname: vlkb
+ ports:
+ - 8080:8080
+ environment:
+ - SECURITY=
+ #- SECURITY=ia2token
+ - DISCOVERY_CONTEXT_ROOT=vlkb#datasets#vlkb_search
+ - DISCOVERY_DB_URI=jdbc:postgresql://pasquale.ia2.ianf.it:5432/vialactea
+ - DB_USERNAME=vialactea
+ - DB_PASSWORD=ia2vlkb
+ - VLKBOBSCORE_PG_URI=postgresql://vialactea:ia2vlkb@pasquale.ia2.inaf.it:5432/vialactea
+ - ACCESS_CONTEXT_ROOT=vlkb#datasets
+ - URL_CUTOUTS=vlkb-devel.ia2.inaf.it:8004/cutouts
+ #- RESPONSE_FORMAT=application/fits
+ - RESPONSE_FORMAT=application/vlkb+xml
+ #- RESPONSE_FORMAT=application/fits;createfile=yes
+ volumes:
+ #- ./config-vlkb:/config:Z
+ - /srv/vlkb/surveys:/srv/surveys:z,ro
+ - /srv/vlkb/cutouts:/srv/cutouts:z,rw
+ restart: always
+
+
+volumes:
+ postgres-data:
+
diff --git a/docker/config-vlkb/auth.properties b/docker/config-vlkb/auth.properties
new file mode 100644
index 0000000000000000000000000000000000000000..c9c8aee27f0017b03a10a17896236eae4a93a018
--- /dev/null
+++ b/docker/config-vlkb/auth.properties
@@ -0,0 +1,10 @@
+rap_uri=https://sso.ia2.inaf.it/rap-ia2
+gms_uri=https://sso.ia2.inaf.it/gms
+client_id=vospace_ui_demo
+client_secret=VOSpaceDemo123
+
+groups_autoload=true
+store_state_on_login_endpoint=true
+scope=openid email profile read:rap
+
+allow_anonymous_access=true
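Review bot: The `vlkb` service carries the database password in clear text three times (`DB_PASSWORD`, embedded in `VLKBOBSCORE_PG_URI`, and as `POSTGRES_PASSWORD` on `vlkb-db`) in a file that is meant to be copied as an example; move them to an `env_file:` or a git-ignored `.env` and keep only placeholders here. `DISCOVERY_DB_URI` points at `pasquale.ia2.ianf.it` while `VLKBOBSCORE_PG_URI` uses `pasquale.ia2.inaf.it`; one of the two is presumably a typo (ianf vs inaf) and the discovery lookup would fail to resolve. `RESPONSE_FORMAT=application/vlkb+xml` does not match the `application/x-vlkb*` pattern that entrypoint.sh uses to enable the VLKB defaults and start RabbitMQ and vlkbd, so with this example the cutout service appears to run without its AMQP backend; if that is intended, a comment on the line should say so.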
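Review bot: `client_secret=` on the fourth line is a real-looking OAuth client secret for `client_id=vospace_ui_demo`, committed in clear and copied into both webapps by Dockerfile.vlkb; treat it as compromised, rotate it on the RAP side, and replace the value here with a placeholder such as `client_secret=<set-at-deploy-time>`. `allow_anonymous_access=true` reads as a deliberate relaxation; a comment on that line stating why anonymous access is wanted in this deployment would keep it from being copied unchanged into a production config.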
diff --git a/docker/config-vlkb/authpolicy.properties b/docker/config-vlkb/authpolicy.properties
new file mode 100644
index 0000000000000000000000000000000000000000..1c59ef6ea99316ff778ca7dda6cb2cb3493aa9b3
--- /dev/null
+++ b/docker/config-vlkb/authpolicy.properties
@@ -0,0 +1,6 @@
+db_uri=jdbc:postgresql://127.0.0.1:5432/vialactea
+db_schema=datasets
+db_user_name=vialactea
+db_password=ia2vlkb
+
+
diff --git a/docker/config-vlkb/context-cutout.xml b/docker/config-vlkb/context-cutout.xml
new file mode 100644
index 0000000000000000000000000000000000000000..4f5f504df9c52f4119d68bf48434f3afb0ae3861
--- /dev/null
+++ b/docker/config-vlkb/context-cutout.xml
@@ -0,0 +1,15 @@
+<Context docBase="/webapps/vlkb-cutout">
+
+ <Resources allowLinking="true">
+ <PostResources readOnly="false"
+ className="org.apache.catalina.webresources.DirResourceSet"
+ base="/srv/cutouts"
+ webAppMount="/cutouts"/>
+ <PostResources readOnly="true"
+ className="org.apache.catalina.webresources.DirResourceSet"
+ base="/srv/surveys"
+ webAppMount="/surveys"/>
+ </Resources>
+
+</Context>
+
diff --git a/docker/config-vlkb/formatresponsefilter.properties b/docker/config-vlkb/formatresponsefilter.properties
new file mode 100644
index 0000000000000000000000000000000000000000..b8acc01981bfba522a55bb187daebe3a2b1cecf0
--- /dev/null
+++ b/docker/config-vlkb/formatresponsefilter.properties
@@ -0,0 +1,7 @@
+
+# used to retrieve extraCards to add to FITS_header (VLKB-only)
+surveys_metadata_abs_pathname=/srv/surveys/survey_populate.csv
+
+# these URL's are used to construct cutout merge requests strings in response.xml
+cutout_url=http://vlkb-devel.ia2.inaf.it:8080/vlkb/datasets/vlkb_cutout
+merge_url=http://vlkb-devel.ia2.inaf.it:8080/vlkb/datasets/vlkb_merge
diff --git a/docker/config-vlkb/iamtoken.properties b/docker/config-vlkb/iamtoken.properties
new file mode 100644
index 0000000000000000000000000000000000000000..e0935bb1f2d6f832b04b22c9dac817eac6741e5d
--- /dev/null
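Review bot: `db_password=` on the fourth line commits a database password in clear, yet as far as this diff shows the file is never used: Dockerfile.vlkb does not COPY it, and entrypoint.sh regenerates `authpolicy.properties` from `$DB_PASSWORD` at start-up, so its only effect is to publish the credential. Either delete the file or reduce it to a documented template with placeholder values, e.g. `db_password=<from DB_PASSWORD env>` with a comment `# generated by entrypoint.sh at container start; values here are examples only`.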
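Review bot: `<Resources allowLinking="true">` applies to the whole context, including the writable `/srv/cutouts` mount (`readOnly="false"`), so any symlink that ends up under the cutouts directory is followed and served by Tomcat; Tomcat's own documentation marks this option as security-sensitive on Unix. If the cutout generator does not rely on symlinks, drop the attribute; if it does, add a comment above the element recording why symlink following is required so it is not removed as a hardening step later. Nothing in this commit shows symlinks being created, so the requirement may simply be a leftover.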
+++ b/docker/config-vlkb/iamtoken.properties
@@ -0,0 +1,10 @@
+
+#jwks_url=https://iam-escape.cloud.cnaf.infn.it/jwk
+introspect=https://iam-escape.cloud.cnaf.infn.it/introspect
+client_name=02cc260f-9837-4907-b2cb-a1a2d764fb15
+client_password=AJMi3qrB6AHRp_6y55tEwU-IpJ8uZ6X4QXeQ3W4la6dc-BlkzAY1OQpAE9hb1W7-VfYl4208FUtjE2Cl3hUYLkQ
+
+resource_id=vlkb
+
+non_authn_username=anonymous
+
diff --git a/docker/config-vlkb/neatoken.properties b/docker/config-vlkb/neatoken.properties
new file mode 100644
index 0000000000000000000000000000000000000000..21793e2600441bc6122e1ce54387ad8525bbd297
--- /dev/null
+++ b/docker/config-vlkb/neatoken.properties
@@ -0,0 +1,7 @@
+
+jwks_url=https://sso.neanias.eu/auth/realms/neanias-production/protocol/openid-connect/certs
+
+resource_id=vlkb
+
+non_authn_username=anonymous
+
diff --git a/docker/config-vlkb/tomcat-users.xml b/docker/config-vlkb/tomcat-users.xml
new file mode 100644
index 0000000000000000000000000000000000000000..6587e75e97ec68e52749cd93b9e2a54f5a28e76d
--- /dev/null
+++ b/docker/config-vlkb/tomcat-users.xml
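Review bot: `client_password=` on the fifth line is an IAM client credential committed in clear, and Dockerfile.vlkb copies this file into both webapps, so it ships inside every published image; revoke it on the IAM side and keep only `introspect`, `resource_id` and `non_authn_username` in the repository. entrypoint.sh already installs `/srv/surveys/iamtoken.properties` into vlkb-cutout when present, so the credentialed copy can live on the mounted volume instead, and a comment here such as `# client_name/client_password are supplied via /srv/surveys/iamtoken.properties at run time` would document that path.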
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<tomcat-users xmlns="http://tomcat.apache.org/xml"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+ version="1.0">
+<!--
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
+ you must define such a user - the username and password are arbitrary. It is
+ strongly recommended that you do NOT use one of the users in the commented out
+ section below since they are intended for use with the examples web
+ application.
+-->
+<!--
+ NOTE: The sample user and role entries below are intended for use with the
+ examples web application. They are wrapped in a comment and thus are ignored
+ when reading this file. If you wish to configure these users for use with the
+ examples web application, do not forget to remove the <!.. ..> that surrounds
+ them. You will also need to set the passwords to something appropriate. 
+-->
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
+ <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
+ <user username="role1" password="<must-be-changed>" roles="role1"/>
+-->
+
+ <role rolename="manager-script"/>
+ <user username="admin" password="IA2lbt09" roles="manager-script"/>
+</tomcat-users>
+
diff --git a/docker/config-vlkb/vlkb-obscore.datasets.conf b/docker/config-vlkb/vlkb-obscore.datasets.conf
new file mode 100644
index 0000000000000000000000000000000000000000..9572cd452614d5a6e0de043eaed03c2d1c168f82
--- /dev/null
+++ b/docker/config-vlkb/vlkb-obscore.datasets.conf
@@ -0,0 +1,15 @@
+
+# root of path for local access
+fits_path_surveys=/srv/surveys
+
+# obs_publisher_did = <obscore publisher> ? <generated-pubdid>
+obscore_publisher=ivo://ia2.inaf.it/vlkb/datasets
+
+# full access URL: <obscore_access_url>/<storage-path>/<file-name>
+obscore_access_url=https://vlkb-devel.ia2.inaf.it:8443/vlkb/datasets/surveys
+obscore_access_format=application/fits
+
+# logging (holds last exec only)
+# log_dir=/tmp
+# log_filename=vlkb-obscore.log
+
diff --git a/docker/config-vlkb/vlkbd.datasets.conf b/docker/config-vlkb/vlkbd.datasets.conf
new file mode 100644
index 0000000000000000000000000000000000000000..bccc41819036738345cde389866cc381c672eb2f
--- /dev/null
+++ b/docker/config-vlkb/vlkbd.datasets.conf
@@ -0,0 +1,10 @@
+
+# path to original files
+fits_path_surveys=/srv/surveys
+# path to generated cutouts
+fits_path_cutouts=/srv/cutouts
+
+# logging records last request only
+# log_dir=/tmp
+# log_filename=vlkbd.log
+
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..bc1795fc141bd99e89ed49cb5364872705648694
--- /dev/null
+++ b/docker/entrypoint.sh
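Review bot: The `<user username="admin" ... roles="manager-script"/>` entry commits a clear-text Manager password, and Dockerfile.vlkb installs `tomcat9-admin`, so this file would grant scripted deploy rights to anyone who can read the repository if it is ever installed into `/etc/tomcat9`. As far as this diff shows no COPY installs it, which makes it dead configuration carrying a secret; remove the user line (or the whole file if the Manager app is not needed) or fill the password in at deploy time. If the Manager is needed, restrict access to it with a `RemoteAddrValve` in its context and say so in a comment above the role element.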
@@ -0,0 +1,151 @@
+#!/bin/bash
+
+set +e
+LOG_FILE=/tmp/entrypoint.log
+
+{
+date
+whoami
+env
+#########################################################################
+#INST_DIR="/usr/local"
+WEBAPP_DIR=/webapps
+#CONFIG_DIR=/config
+QUEUE_NAME=dockervlkb$ACCESS_CONTEXT_ROOT
+
+echo "SECURITY : "$SECURITY
+echo "VLKBOBSCORE_PG_URI : "$VLKBOBSCORE_PG_URI
+echo "ACCESS_CONTEXT_ROOT : "$ACCESS_CONTEXT_ROOT
+echo "RESPONSE_FORMAT : "$RESPONSE_FORMAT
+echo "URL_CUTOUTS : "$URL_CUTOUTS
+echo "INST_DIR : "$INST_DIR
+echo "WEBAPP_DIR : "$WEBAPP_DIR
+#echo "CONFIG_DIR : "$CONFIG_DIR
+echo "QUEUE_NAME : "$QUEUE_NAME
+#########################################################################
+
+
+
+## configure vlkb-tools
+#mkdir -p $INST_DIR/etc/vlkb-obscore
+#cp $CONFIG_DIR/vlkb-obscore.datasets.conf $INST_DIR/etc/vlkb-obscore/datasets.conf
+if test -n "$VLKBOBSCORE_PG_URI"
+then
+ echo "pg_uri=$VLKBOBSCORE_PG_URI" >> $INST_DIR/etc/vlkb-obscore/datasets.conf
+ echo "pg_schema=datasets" >> $INST_DIR/etc/vlkb-obscore/datasets.conf
+fi
+
+
+## configure VLKB access
+if test -n "$ACCESS_CONTEXT_ROOT"
+then
+
+ if test -n "$SECURITY"
+ then
+ cd $WEBAPP_DIR/vlkb-cutout/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml && cd -
+ fi
+
+# cp $CONFIG_DIR/{auth.properties,neatoken.properties} $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/
+ #echo "<Context docBase=\"$WEBAPP_DIR/vlkb-cutout\"/>" > /var/lib/tomcat9/conf/Catalina/localhost/$ACCESS_CONTEXT_ROOT.xml
+ cp $WEBAPP_DIR/vlkb-cutout/META-INF/context.xml /var/lib/tomcat9/conf/Catalina/localhost/$ACCESS_CONTEXT_ROOT.xml
+ echo "db_uri=$DISCOVERY_DB_URI" > $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/authpolicy.properties
+ echo "db_schema=datasets" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/authpolicy.properties
+ echo "db_user_name=$DB_USERNAME" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/authpolicy.properties
+ echo "db_password=$DB_PASSWORD" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/authpolicy.properties
+
+
+ echo 
"fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "fits_path_cutouts=/srv/cutouts" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ if test -f /srv/surveys/survey_populate.csv
+ then
+ echo "surveys_metadata_abs_pathname=/srv/surveys/survey_populate.csv" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "fits_url_cutouts=$URL_CUTOUTS" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ fi
+ if test -n "$RESPONSE_FORMAT"
+ then
+ echo "default_response_format=$RESPONSE_FORMAT" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ fi
+
+ case $RESPONSE_FORMAT in application/x-vlkb*)
+ echo "default_sky_system=GALACTIC" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "default_spec_system=VELO_LSRK" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "show_duration=yes" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ esac
+
+ # for resolver (id & extraCards)
+ echo "db_uri=$DISCOVERY_DB_URI" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "db_schema=datasets" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "db_user_name=$DB_USERNAME" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "db_password=$DB_PASSWORD" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+
+ echo "amqp_host_name=localhost" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "amqp_port=5672" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+ echo "amqp_routing_key=$QUEUE_NAME" >> $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/cutout.properties
+
+ case $RESPONSE_FORMAT in application/x-vlkb*)
+ service rabbitmq-server start
+ $INST_DIR/bin/vlkbd_exec.sh localhost $QUEUE_NAME $INST_DIR/etc/vlkbd/datasets.conf
+ esac
+fi
+
+
+
+# configure port/SSL connector: (path is relative to the dir where compose.yaml is
+# - web.xml to run filters set above
+# * ssl: set 
tomcat connector with certificates (ia2 needs SECTIGO, iam needs self-signed keystore.jks)
+# * keep right jjwt*.jar libs (ia2 authlib needs v0.11, iam needs v0.12)
+# assume all files in ssl sub-dir relative to where compose.yaml is
+# set volume mapping in compose.yaml: ssl/ -> /etc/pki/tls/
+case $SECURITY in
+ ia2token)
+ #cp ssl/server-connector-8443.xml-SECTIGO-vlkb_ia2_inaf_it /etc/tomcat9/server-connector-8443.xml
+ cp /root/ssl/server-connector-8443.xml /etc/tomcat9/server-connector-8443.xml
+ # map volume instead of this: cp -r ssl/SECTIGO /etc/pki/tls/
+ rm /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.12*.jar
+ ;;
+ iamtoken)
+ #cp ssl/server-connector-8443.xml-keystore-self-signed /etc/tomcat9/server-connector-8443.xml
+ cp /root/ssl/server-connector-8443.xml /etc/tomcat9/server-connector-8443.xml
+ # map volume somedir:/etc/pki/tls with somedir/{keystore.jks,SECTIGO/*} XXX cp ssl/keystore.jks /etc/pki/tls/
+ rm /webapps/vlkb-cutout/WEB-INF/lib/jjwt-*0.11*.jar
+ ;;
+ *)
+ echo "Security not configured, runs open."
+ ;;
+esac
+
+
+
+#if test -f /srv/surveys/keystore.jks
+#then
+# cp /srv/surveys/keystore.jks /root/
+#fi
+#if test -f /srv/surveys/server-connector-8443.xml /etc/tomcat9/
+#then
+# cp /srv/surveys/server-connector-8443.xml /etc/tomcat9/
+#fi
+#
+if test -n "$SECURITY"
+then
+ cd /etc/tomcat9/ && ln -s server-connector-8443.xml server-connector.xml && cd -
+else
+ cd /etc/tomcat9/ && ln -s server-connector-8080.xml server-connector.xml && cd -
+fi
+
+# configure access-token validation
+if test -f /srv/surveys/iamtoken.properties
+then
+ cp /srv/surveys/iamtoken.properties $WEBAPP_DIR/vlkb-cutout/WEB-INF/classes/
+fi
+
+
+#########################################################################
+
+date
+
+} 1> $LOG_FILE 2>&1
+
+JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 CATALINA_BASE=/var/lib/tomcat9 CATALINA_HOME=/usr/share/tomcat9 CATALINA_TMPDIR=/tmp /usr/libexec/tomcat9/tomcat-start.sh &
+
+wait -n
+
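Review bot: `env` on the ninth line dumps every variable, including `DB_PASSWORD`, `VLKBOBSCORE_PG_URI` (which embeds the password) and anything else passed through compose, into `/tmp/entrypoint.log`, where anyone who can read the container filesystem or a log bundle picks it up; replace it with `env | sed -E 's/^([^=]*(PASSWORD|PG_URI)[^=]*)=.*/\1=<redacted>/'` or drop the line. With `set +e` in force, `cd $WEBAPP_DIR/vlkb-cutout/WEB-INF/ && rm -f web.xml && cp web-cutout-$SECURITY.xml web.xml` deletes the deployed `web.xml` before checking that `web-cutout-$SECURITY.xml` exists, so a misspelt `SECURITY` value leaves the cutout webapp without a deployment descriptor — most likely without its authentication filters — while Tomcat still starts; guard it with `test -f web-cutout-$SECURITY.xml || { echo "unknown SECURITY=$SECURITY"; exit 1; }` ahead of the `rm`. The two `ln -s server-connector-*.xml server-connector.xml` lines have no `-f`, so on a container restart (`restart: always` in the compose examples) they fail once the link exists; that is harmless only while the chosen connector never changes, which deserves either `ln -sf` or a comment. The `cp /root/ssl/server-connector-8443.xml ...` lines reference a path that Dockerfile.vlkb never populates (it copies the ssl files to `/etc/tomcat9/`), so they appear to be no-ops unless a volume supplies `/root/ssl`.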
diff --git a/docker/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf b/docker/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..2d7b3fd09bb0a24f3f7a1f04af33ee0ec8269d5e
Binary files /dev/null and b/docker/ssl/How to generate a self-signed SSL certificate using OpenSSL - Stack Overflow.pdf differ
diff --git a/docker/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf b/docker/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..c2e26bc3bcf6a7aadf1b8ab23fab0434464168ba
Binary files /dev/null and b/docker/ssl/How to use OpenSSL and the Internet PKI on Linux systems Enable Sysadmin.pdf differ
diff --git a/docker/ssl/Makefile b/docker/ssl/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..cdc5c8deb2b2141a315d28b58e362d658237b0f7
--- /dev/null
+++ b/docker/ssl/Makefile
@@ -0,0 +1,10 @@
+
+
+
+keystore.jks:
+ keytool -genkey -keyalg RSA -noprompt -alias tomcat -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore keystore.jks -validity 9999 -storepass tomcatskassl -keypass tomcatskassl
+
+
+showxml:
+ xmlstarlet c14n server.xml
+
diff --git a/docker/ssl/keystore.jks b/docker/ssl/keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..57c469584925bdc3de5f6919123d67c5a3189560
Binary files /dev/null and b/docker/ssl/keystore.jks differ
diff --git a/docker/ssl/server-connector-8080.xml b/docker/ssl/server-connector-8080.xml
new file mode 100644
index 0000000000000000000000000000000000000000..2917f61d66eeec97c63fd9718c4530337a0a339a
--- /dev/null
+++ b/docker/ssl/server-connector-8080.xml
@@ -0,0 +1,3 @@
+ <Connector port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000" />
+
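Review bot: The `keystore.jks:` recipe puts the store and key password on the `keytool` command line, the same password is repeated in `server-connector-8443.xml-self-signed-keystore-jks`, and the generated `keystore.jks` itself is committed as a binary in this same commit, so the private key and its password are both in history; treat that keystore as test-only, add `keystore.jks` to `.gitignore`, and take the password from the environment, e.g. `-storepass "$${KEYSTORE_PASS:?KEYSTORE_PASS not set}" -keypass "$${KEYSTORE_PASS}"`. `showxml` is a command rather than a file and needs `.PHONY: showxml`; `keystore.jks` is a genuine file target and is fine as is. A one-line comment above the rule stating that `CN=localhost` is only valid for local testing would keep the self-signed certificate from being mistaken for a deployable one.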
diff --git a/docker/ssl/server-connector-8443.xml b/docker/ssl/server-connector-8443.xml
new file mode 100644
index 0000000000000000000000000000000000000000..1ad61476dbe60e77851fa636d3c40009af30232e
--- /dev/null
+++ b/docker/ssl/server-connector-8443.xml
@@ -0,0 +1,11 @@
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
+ maxThreads="150" SSLEnabled="true">
+ <SSLHostConfig>
+ <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key"
+ certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt"
+ certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
diff --git a/docker/ssl/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it b/docker/ssl/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
new file mode 100644
index 0000000000000000000000000000000000000000..1ad61476dbe60e77851fa636d3c40009af30232e
--- /dev/null
+++ b/docker/ssl/server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it
@@ -0,0 +1,11 @@
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
+ maxThreads="150" SSLEnabled="true">
+ <SSLHostConfig>
+ <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key"
+ certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt"
+ certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
diff --git a/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks b/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks
new file mode 100644
index 0000000000000000000000000000000000000000..02ca4500189bcdf839f61eb03958e8284c4c9205
--- /dev/null
+++ b/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks
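Review bot: `<SSLHostConfig>` sets no `protocols` or `ciphers`, so the connector runs with whatever Tomcat 9 and the JVM default to; pinning `protocols="TLSv1.2+TLSv1.3"` on that element makes the accepted versions explicit and survives a change of JVM defaults. The same 11 lines are committed three times — here, as `server-connector-8443.xml-SECTIGO-vlkb.ia2.inaf.it`, and as `server-connector.xml` — while Dockerfile.vlkb copies only `server.xml`, `server-connector-8080.xml` and `server-connector-8443.xml` and entrypoint.sh creates `server-connector.xml` as a symlink; the extra copies will drift, so keep one and reference it from a comment. The `certificateKeyFile` paths point at `/etc/pki/tls/SECTIGO/...`, which nothing in this commit creates inside the image; a comment such as `<!-- /etc/pki/tls is expected to be volume-mounted, see entrypoint.sh -->` would save the next reader the search.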
@@ -0,0 +1,11 @@
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+ maxThreads="150" SSLEnabled="true" >
+ <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+ <SSLHostConfig>
+ <Certificate certificateKeyAlias="tomcat"
+ certificateKeystoreFile="/etc/pki/tls/keystore.jks"
+ certificateKeystorePassword="tomcatskassl"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
diff --git a/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks-ORIG b/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks-ORIG
new file mode 100644
index 0000000000000000000000000000000000000000..323456aa568ff5e7589dd347879f495d63833b51
--- /dev/null
+++ b/docker/ssl/server-connector-8443.xml-self-signed-keystore-jks-OR
IG
@@ -0,0 +1,11 @@
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+ maxThreads="150" SSLEnabled="true" >
+ <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+ <SSLHostConfig>
+ <Certificate certificateKeyAlias="tomcat"
+ certificateKeystoreFile="/root/keystore.jks"
+ certificateKeystorePassword="tomcatskassl"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
diff --git a/docker/ssl/server-connector.xml b/docker/ssl/server-connector.xml
new file mode 100644
index 0000000000000000000000000000000000000000..1ad61476dbe60e77851fa636d3c40009af30232e
--- /dev/null
+++ b/docker/ssl/server-connector.xml
@@ -0,0 +1,11 @@
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
+ maxThreads="150" SSLEnabled="true">
+ <SSLHostConfig>
+ <Certificate certificateKeyFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.key"
+ certificateFile="/etc/pki/tls/SECTIGO/vlkb_ia2_inaf_it.crt"
+ certificateChainFile="/etc/pki/tls/SECTIGO/CA.crt"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
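Review bot: `certificateKeystorePassword` on the seventh line carries the keystore password in clear in a committed file that `server.xml` pulls in through the `server-connector.xml` entity, so it is readable by anyone with access to the repository or `/etc/tomcat9`; Tomcat expands `${...}` system properties in `server.xml`, so e.g. `certificateKeystorePassword="${keystore.password}"` with the value passed through `CATALINA_OPTS` keeps it out of the repo. This connector uses `Http11AprProtocol`, which needs the APR/tomcat-native library, and the package list in Dockerfile.vlkb does not include one, so it is unclear this file would start at all in the image; either switch to `Http11NioProtocol` like the SECTIGO variant or note the dependency in a comment. The `-ORIG` copy that follows differs only in the keystore path and reads as a leftover; delete it or rename it to say what it is for.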
diff --git a/docker/ssl/server.xml b/docker/ssl/server.xml
new file mode 100644
index 0000000000000000000000000000000000000000..3ea14238c9561459974a2e3bf1c2c5d4c7730663
--- /dev/null
+++ b/docker/ssl/server.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!DOCTYPE server-xml [
+ <!ENTITY connector-config SYSTEM "server-connector.xml">
+]>
+
+<Server port="-1" shutdown="SHUTDOWN">
+ <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+ <GlobalNamingResources>
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <Service name="Catalina">
+
+ &connector-config;
+
+ <Engine name="Catalina" defaultHost="localhost">
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true">
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log" suffix=".txt"
+ pattern="%h %l %u %t "%r" %s %b" />
+ </Host>
+ </Engine>
+ </Service>
+</Server>
diff --git a/docker/vlkbd_exec.sh b/docker/vlkbd_exec.sh
new file mode 100755
index 0000000000000000000000000000000000000000..f9c87f1064afd81482f72f9034972bf5a09313ad
--- /dev/null
+++ b/docker/vlkbd_exec.sh
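Review bot: The `AccessLogValve` `pattern` attribute contains bare double quotes around `%r`, which would end the attribute value early and make the file fail to parse; Tomcat's shipped default writes it as `pattern="%h %l %u %t &quot;%r&quot; %s %b"`. If the quotes are only an artefact of how this diff was rendered the point can be dropped, but the committed bytes are worth checking since a broken `server.xml` stops Tomcat entirely. `autoDeploy="true"` with `appBase="webapps"` lets any archive placed in Tomcat's webapps directory deploy at run time even though the two applications are wired through context files; with nothing mounted there the risk is low, and a comment noting that the apps deploy via `conf/Catalina/localhost/*.xml` written by entrypoint.sh would explain why `webapps` is otherwise unused.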
@@ -0,0 +1,44 @@
+
+# how to all vlkbd in Makefile:
+
+# killall -q vlkbd-$(VERNUM); test $$? -eq 1
+
+
+if [ "$#" -lt 1 ]; then
+ echo -e "Run vlkbd-<version> on all CPU-cores, connecting to RabbitMQ on <amqphost>.\nUsage:\n\t $0 <amqphost> <queue_name> <datasets_conf>\n"
+ exit
+fi
+
+ncores=$(grep '^processor' /proc/cpuinfo | sort -u | wc -l)
+
+AMQPHOST=$1
+
+
+for core in $(seq 0 $(expr $ncores - 1) )
+do
+
+ # FIXME /usr/local should be configurable from engine/Makefile -> INSTALL_DIR
+ # or vlkbd_exec.sh sould be under resources and handled together with datasets.conf
+ taskset -c $core vlkbd $AMQPHOST 5672 $2 $3
+
+done
+
+ps ax | grep vlkbd
+
+
+
+# with bitmask:
+
+# usage: run on 2nd cpu ore
+#taskset 0x02 ./vlkb_amqp localhost 5672 test
+# run on 1st cpu ore
+#taskset 0x01 ./vlkb_amqp localhost 5672 test
+# Note that a bitmask uses "hexadecimal" notation.
+# "0x11" is "00010001" in a binary format, which corresponds
+# to CPU core 0 and 4.
+# CPU core 0 and 1 is represented by CPU affinity "0x3".
+# taskset $1 ./vlkb_amqp localhost 5672 test
+
+
+# use defualt exchange
+#./amqp_listen localhost 5672 "" "test"
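Review bot: The file is committed with mode 100755 but has no interpreter line, and it uses `echo -e`, so it behaves differently depending on which shell ends up running `$INST_DIR/bin/vlkbd_exec.sh` from entrypoint.sh; add `#!/bin/bash` as the first line. The usage branch ends with a bare `exit`, returning success on a missing argument, and `$2`/`$3` are never checked although the usage text presents them as required; change it to `exit 1` and test `"$#" -lt 3`. `taskset -c $core vlkbd $AMQPHOST 5672 $2 $3` leaves the arguments unquoted, and `ps ax | grep vlkbd` also matches the grep itself; `"$AMQPHOST" 5672 "$2" "$3"` and `pgrep -a vlkbd` would tidy both. The `# how to all vlkbd in Makefile:` comment at the top looks like it should read `# how to kill all vlkbd in Makefile:` given the `killall` line that follows.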