Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. SandBox preconfigured x-road servers use kubernetes service names as service urls inside the cluster. This means that access between preconfigured components is only available inside the same namespace as x-road central server. In order to allow access from outside the namespace, we needed to change all server configuration (manually) in Cenrtal Server Admin GUI ( https://cs.im.sandbox-playground.com:4000/ user: xrd, pass: secret).

    1. Change the central server URL to sandbox-xroad-cs.sandbox-im.svc.cluster.local

    2. Change the security server addresses to sandbox-xroad-ss#.sandbox-im.svc.cluster.local

    3. Change the TSA, OCSP addresses to *.sandbox-im.svc.cluster.local

    4. The configuration changes should automatically be synced to security servers via x-road globalconfiguration

  2. In order for the security servers to be able to send messages to each other, they need to know the location of the TSA service in order to add timestamps to messages. In case the security servers do not have a TSA server configured (even though it is declared in the global configuration).

    1. For each security server admin service

      1. Log in as user:xrd pass: secret

      2. Add new TSP with full url

  3. Register management-api (& messaging-api) subsystem(s) in SS3 admin

    1. Remember to disable HTTPS between the security server and the service application (management-api) .

    2. Add REST services under Services (Add REST button) with proper service codes


      messaging-api - http://messaging-api.im.sandbox-playground.com:8090/openapi?format=json
      management-api - http://management-api.im.sandbox-playground.com:8080/v3/api-docs

    3. Click on the created service codes (open the accordion for each) and add access rights to SANDBOX:ORG:CLIENT:TEST (in the modal, just search with default empty fields, it will show up)

    4. Make request, to SS2 pubsub management-api:

      1. In postman, add header "X-Road-Client":"SANDBOX/ORG/CLIENT/TEST"

      2. make requests to https://ss2.im.sandbox-playground.com:8443/r1/SANDBOX/GOV/PROVIDER/TEST/management-api/rooms/SANDBOX%2FORG%2FCLIENT%2FTEST/PatientPortal/subscriptions

  4. Register new X-Road Member (SS4) in CS

    1. Log into CS at https://cs.im.sandbox-playground.com:4000/ as xrd/secret -> Clients -> [ADD MEMBER]

    2. Member Details:

      1. Member name: Client2

      2. Member class: ORG

      3. Member code: CLIENT2

      4. [NEXT]

    3. Download X-Road Instance Internal Configuration Anchor from CSS from -> Global Configuration -> Internal Configuration -> Anchor -> [RE-CREATE] + [DOWNLOAD]

  5. Log into SS4 at https://niis-ss.ss04.im.sandbox-playground.com:4000/

    1. Initialize configuration wizard is shown.

    2. Apply X-Road Instance Internal Configuration Anchor File from (from 4.c)
      https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> [UPLOAD] -> anchor from  step 4.c -> [CONFIRM] -> [CONTINUE]

    3. Initial configuration for Security Server instance

      1. Member class, select class defined in CS setup step 4.b (eg. ORG)

      2. Member code, select class defined in CS setup step 4.b (eg. CLIENT2)

      3. Security Server Code (eg. SS4)

      4. [CONTINUE]

      5. Input software token PIN & Confirm PIN (eg. 0123456789Aa) -> [SUBMIT]

      6. "Please enter soft token PIN" -> [LOG IN] -> Token PIN (from step 5.c.v) -> [LOG IN]

    4. Create SIGN key

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> [ADD KEY]

      2. Key label: none -> [NEXT]

      3. Keytype and format

        1. Usage: SIGNING

        2. Client: SANDBOX:ORG:CLIENT2

        3. Certificate Service: Test CA

        4. CSR Format: DER

        5. [CONTINUE]

      4. [GENERATE CSR] -> [DONE]

    5. Create AUTH key

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> [ADD KEY]

      2. Key label: none -> [NEXT]

      3. Keytype and format

        1. Usage: AUTHENTICATION

        2. Certificate Service: Test CA

        3. CSR Format: DER

        4. [CONTINUE]

      4. [GENERATE CSR] -> [DONE]

    6. Use fake CA UI to sign the CSRs

      1. http://cs.im.sandbox-playground.com:9998/

      2. Sign SIGNING CSR

        1. [Browse] -> select CSR created in step 5.d -> Type: Autodetect from file name -> [Sign]

      3. Sign AUTHENTICATION CSR

        1. [Browse] -> select CSR created in step 5.e -> Type: Autodetect from file name -> [Sign]

    7. Import SIGN and AUTHENTICATION certificates

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> [IMPORT CERT.] -> select certificate received from step 5.3

      2. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> [IMPORT CERT.] -> select certificate received from step 5.4

    8. Activate the authentication certificate

      1. Keys and certificates -> Click on key name (Test CA ##) -> Press [ACTIVATE] in cert popup

      2. NB! Takes time for the certificate activation to be propagated to CS and global configuration

    9. Register Security Server

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> Auth Key and Certificate -> [Register]

      2. Security server DNS name or IP address: x-road-niis-ss.ss04-sandbox-im.svc.cluster.local -> [ADD]

    10. Setup Timestamping service

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> SETTINGS -> Timestamping Services -> [ADD] -> select "Test TSA" -> [ADD]

  6. Register PUBSUB subsystem in SS4

    1. Log into https://niis-ss.ss04.im.sandbox-playground.com:4000/ as user:xrd pass:secret

    2. Clients -> [ADD SUBSYSTEM] ->  Subsystem Code: PUBSUB -> [ADD SUBSYSTEM]

    3. Clients -> [REGISTER]
      NB! May time until registration is complete and subsystem gets registered

  7. Register PubSub APIs as services in newly created PUBSUB subsystem

    1. open https://niis-ss.ss04.im.sandbox-playground.com:4000/ as user:xrd pass:secret

    2. Clients -> PUBSUB subsystem -> Services -> [ADD REST]

      1. http://messaging-api.ss04.im.sandbox-playground.com:8090/openapi?format=json

      2. http://management-api.ss04.im.sandbox-playground.com:8080/v3/api-docs

    3. Add access for client subsystem SANDBOX:ORG:CLIENT:TEST

      1. Clients -> PUBSUB subsystem -> Service Clients ->  [ADD SUBJECT]

      2. Select "Client" (SANDBOX:ORG:CLIENT:TEST) -> [NEXT]

      3. Tick both API services -> [ADD SELECTED]

    4. Activate services

      1. Clients -> PUBSUB subsystem -> Services

      2. Toggle both API services to active

  8. Should be able to query pubsub services now through SS2 (SANDBOX:ORG:CLIENT:TEST)

    1. Code Block
      curl \
        --location 'https://ss2.im.sandbox-playground.com:8443/r1/SANDBOX/ORG/CLIENT2/PUBSUB/management-api/rooms/SANDBOX%2FORG%2FCLIENT%2FTEST/PatientPortal/subscriptions' \
        --header 'X-Road-Client: SANDBOX/ORG/CLIENT/TEST' \
        --insecure

...