Project Build & Deployment

Project Build & Deployment

Install Java Runtime Environment

• You need Oracle Java 8 version 101+ (Letsencrypt certificate compatibility)

Install RabbitMQ server:

• RabbitMQ is a message queue framework (uses AMQP) that lets our services exchange informations and events.
• After installation RabbitMQ server should be active in the background without necessity to start it every time you want to run the project.
  • Details: https://www.rabbitmq.com/download.html (step by step with APT for Ubuntu/Debian)

Install MongoDB server:

• Before you can launch the project, MongoDB server has to be up and running on your machine.
• It stores the data in the default directory: /data/db, which (if it does not exist yet) you have to create before launching the server. You can remove all of its contents if you want to rerun clean project. After executing, Mongo server should show status 'waiting for connections on port 27017'.
  • Details: https://www.mongodb.com/download-center (step by step with APT for Ubuntu/Debian)

Clone the Config Properties repository:

• git clone the CoreConfigProperties repo to directory: {user.home}/git/symbiote/ (or any other you want, just make sure to change the path in CoreConfigService bootstrap.properties)

Clone the rest of the components:

• If you just want to deploy but not develop/commit any changes, you can get all components straight from the superproject: git clone --recursive https://github.com/symbiote-h2020/SymbioteCore.git
• If you want to download the repos for development purposes, you need to clone them individually into separate folders
  • For the symbIoTe Core you need the components:
    • CoreConfigService
    • Eureka
    • Zipkin
    • Administration
    • AuthenticationAuthorizationManager
    • Registry
    • Search
    • SemanticManager
    • CoreResourceMonitor
    • CoreResourceAccessMonitor
    • CoreInterface
    • CloudCoreInterface

Setup your the Core Authentication and Authorization Manager (CoreAAM)

Core AAM certificate

You need to create a PKCS12 keystore containing a certificate:

• self-signed
• with CA property enabled
• with the following encryption params
  • SIGNATURE_ALGORITHM=SHA256withECDSA
  • CURVE_NAME=secp256r
  • KEY_PAIR_GEN_ALGORITHM=ECDSA
• with the CN value set according to AAMConstants.java field CORE_AAM_INSTANCE_ID value (e.g. currently SymbIoTe_Core_AAM)
• with the certificate entry name "symbiote_core_aam"

This keystore will be used to self-initiliaze the AAM codes as Core AAM.

SSL certificate

To secure communication between the clients and your platform instance you need an SSL certificate(s) for your Core AAM and for your CoreInterface. Should they be deployed on the same host, the certificate can be reused in both components.

How to issue the certificate

• Issue using e.g. https://letsencrypt.org/
• A certificate can be obtained using the certbot shell tool (https://certbot.eff.org/) only for resolvable domain name.

Instructions for the Ubuntu (Debian) machine are the following:

1. Install certbot:

   sudo apt-get install software-properties-common
   sudo add-apt-repository ppa:certbot/certbot
   sudo apt-get update
   sudo apt-get install certbot python-certbot-apache
   

2. Obtain the certificate by executing

   certbot --apache certonly
   

   Apache port (80 by default) should be accessible from outside on your firewall. Select option Standalone (option 2) and enter your domain name.

3. Upon successful execution navigate to the location:

   /etc/letsencrypt/live/<domain_name>/ 
   

where you can find your certificate and private key (5 files in total, cert.pem, chain.pem, fullchain.pem, privkey.pem, README).

How to create a Java Keystore with the issued SSL certificate, required for Core AAM deployment

Create a Java Keystore containing the certificate. Use the [KeyStore Explorer](http://keystore-explorer.org/dow nloads.html) application to create JavaKeystore:

1. (optionally) Inspect obtained files using Examine --> Examine File
2. Create a new Keystore --> PKCS #
3. Tools --> Import Key Pair --> PKCS #
4. Deselect Encrypted Private Key Browse and set your private key (privkey.pem) Browse and set your certificate (fullchain.pem)
5. Import --> enter alias for the certificate for this keystore
6. Enter password
7. File --> Save --> enter previously set password --> .p12
   Filename will be used as configuration parameter of the Platform AAM component.
   server.ssl.key-store=classpath:<filename>.p12

If you do not want to use KeyStore Explorer find some helpful resources below:

• https://community.letsencrypt.org/t/how-to-get-certificates-into-java-keystore/25961/19
• http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

Configuring the CoreAAM resources

Once one has done previous actions, you need to fix the file 'src/main/resources/bootstrap.properties' manually for each deployment using the template below or comments from the file itself.

spring.cloud.config.enabled=true
spring.application.name=AuthenticationAuthorizationManager
logging.file=logs/AuthenticationAuthorizationManager.log
  
# username and password of the AAM module (of your choice)
aam.deployment.owner.username=TODO
aam.deployment.owner.password=TODO
# name of the CAAM keystore file you need to put in your src/main/resources directory
aam.security.KEY_STORE_FILE_NAME=TODO.p12
# name of the root ca certificate entry in the Keystore you were given
aam.security.ROOT_CA_CERTIFICATE_ALIAS=symbiote_core_aam
# name of the certificate entry in the Keystore you were given
aam.security.CERTIFICATE_ALIAS=symbiote_core_aam
# symbiote keystore password
aam.security.KEY_STORE_PASSWORD=TODO
# symbiote certificate private key password
aam.security.PV_KEY_PASSWORD=TODO
#JWT validity time in milliseconds - how long the tokens issued to your users (apps) are valid... think maybe of an hour, day, week?
aam.deployment.token.validityMillis=TODO
# allowing offline validation of foreign tokens by signature trust-chain only. Useful when foreign tokens are expected to be used along with no internet access
aam.deployment.validation.allow-offline=false
# HTTPS only
# name of the keystore containing the letsencrypt (or other) certificate and key pair for your AAM host's SSL, you need to put it also in your src/main/resources directory
server.ssl.key-store=classpath:TODO.p12
# SSL keystore password
server.ssl.key-store-password=TODO
# SSL certificate private key password
server.ssl.key-password=TODO
# http to https redirect
security.require-ssl=true

You also need to copy to the src/main/resources/ directory:

1. the generated in step 2.4.1 keystore Platform AAM symbiote certificate and keys
2. the generated in step 2.4.2 keystore generated for your SSL cerfitiface

Build the components:

• Remember to change the path in ConfigService bootstrap.properties if you have changed the ConfigProperties location
• Build everything using gradle: gradle build (or gradle build -x test to skip tests)
• The default location of jars after gradle build is build/libs
  • To execute the compiled jars, do: java -jar <component_name>.jar (without moving jars, java -jar <component_name>.jar)
  • For the Search component, you may need to use: java -noverify -jar Search-<version>.jar

• Run the services in order:
  • Run ConfigService first
  • Run EurekaService second
  • Run ZipkinService third
  • Run all remaining components in whichever order you like
  • Check that they were deployed successfully in the Eureka panel: localhost:8761/

Veryfing that the components are working

Veryfing that Core AAM is working

Verify all is ok by going to:

https://<yourCAAMHostname>:<selected port>/get_available_aams

There you should see the connection green and the content are the available symbiote security endpoints (currently only your Core AAM as no platforms are registered in it yet)

Also you can check that the certificate listed there matches the one you get here:

https://<yourCAAMHostname>:<selected port>/get_component_certificate/platform/SymbIoTe_Core_AAM/component/aam

Veryfing that CoreInterface is working

Verify all is ok by going to:

https://<yourCoreInterfaceHostname>/aam/get_component_certificate/platform/SymbIoTe_Core_AAM/component/aam

There you should see the connection green and the content is Core AAM instance's certificate in PEM format.

Core AAM management

Mainly via the Administration interface or using some APIs:

e.g. To manage your local users you can use the AMQP API listening on:

rabbit.queue.manage.user.request=symbIoTe-AuthenticationAuthorizationManager-manage_user_request
rabbit.routingKey.manage.user.request=symbIoTe.AuthenticationAuthorizationManager.manage_user_request

With the following contents:

Request payload	Response
OperationType#CREATE UserManagementRequest admin credentials // for operation authorization user credentials (username, password) user details (recovery mail, federated ID)	ManagementStatus
OperationType#UPDATE UserManagementRequest admin credentials // for operation authorization user credentials // for operation authorization user credentials (password to store new password) user details (recovery mail, federated ID)	ManagementStatus
OperationType#DELETE UserManagementRequest admin credentials // for operation authorization user credentials (username to find user in repository)	ManagementStatus
OperationType#FORCED_UPDATE UserManagementRequest mandatory fields admin credentials // for operation authorization user credentials (username to resolve user, password to store new password)	ManagementStatus